Implement rules for all guestIP and hostIP setting

Use net.IP internally instead of strings, and implement even
default block and forwarding rules via data instead of code.

Signed-off-by: Jan Dubois <[email protected]>

Author: jandubois

pkg/guestagent/api/api.go

@@ -11,6 +11,10 @@ type ErrorJSON struct {
 	Message string `json:"message"`
 }
 
+var (
+	IPv4loopback1 = net.IPv4(127,0,0,1)
+)
+
 type IPPort struct {
 	IP   net.IP `json:"ip"`
 	Port int    `json:"port"`

pkg/guestagent/guestagent_linux.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/binary"
 	"errors"
-	"net"
 	"reflect"
 	"time"
 
@@ -116,18 +115,13 @@ func (a *agent) LocalPorts(ctx context.Context) ([]api.IPPort, error) {
 		return res, err
 	}
 
-	ipv4Loopback1 := net.ParseIP("127.0.0.1")
 	for _, f := range tcpParsed {
 		switch f.Kind {
 		case procnettcp.TCP, procnettcp.TCP6:
 		default:
 			continue
 		}
-		isListen := f.State == procnettcp.TCPListen
-		// We do NOT use net.IP.IsLoopback() here, because we want to exclude addresses like 127.0.0.53 here.
-		isLocal := f.IP.Equal(net.IPv4zero) || f.IP.Equal(net.IPv6zero) ||
-			f.IP.Equal(ipv4Loopback1) || f.IP.Equal(net.IPv6loopback)
-		if isListen && isLocal {
+		if f.State == procnettcp.TCPListen {
 			res = append(res,
 				api.IPPort{
 					IP:   f.IP,

pkg/hostagent/hostagent.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -86,17 +87,25 @@ func New(instName string, stdout, stderr io.Writer, sigintCh chan os.Signal) (*H
 		AdditionalArgs: sshArgs,
 	}
 
-	ports := make([]limayaml.Port, 0, 2+len(y.Ports))
-	ports = append(ports, limayaml.Port{GuestPort: sshGuestPort, Ignore: true})
-	ports = append(ports, limayaml.Port{GuestPort: y.SSH.LocalPort, Ignore: true})
-	ports = append(ports, y.Ports...)
+	rules := make([]limayaml.PortForward, 0, 3+len(y.PortForwards))
+	// Block ports 22 and sshLocalPort on all IPs
+	for _, port := range []int{sshGuestPort, y.SSH.LocalPort} {
+		rule := limayaml.PortForward{GuestIP: net.IPv4zero, GuestPort: port, Ignore: true}
+		limayaml.FillPortForwardDefaults(&rule)
+		rules = append(rules, rule)
+	}
+	rules = append(rules, y.PortForwards...)
+	// Default forwards for all non-privileged ports from "127.0.0.1" and "::1"
+	rule := limayaml.PortForward{GuestIP: guestagentapi.IPv4loopback1}
+	limayaml.FillPortForwardDefaults(&rule)
+	rules = append(rules, rule)
 
 	a := &HostAgent{
 		l:             l,
 		y:             y,
 		instDir:       inst.Dir,
 		sshConfig:     sshConfig,
-		portForwarder: newPortForwarder(l, sshConfig, y.SSH.LocalPort, ports),
+		portForwarder: newPortForwarder(l, sshConfig, y.SSH.LocalPort, rules),
 		qExe:          qExe,
 		qArgs:         qArgs,
 		sigintCh:      sigintCh,

pkg/hostagent/port.go

@@ -2,8 +2,7 @@ package hostagent
 
 import (
 	"context"
-	"fmt"
-	"strconv"
+	"net"
 
 	"github.com/AkihiroSuda/lima/pkg/guestagent/api"
 	"github.com/AkihiroSuda/lima/pkg/limayaml"
@@ -16,48 +15,60 @@ type portForwarder struct {
 	sshConfig   *ssh.SSHConfig
 	sshHostPort int
 	tcp         map[int]struct{} // key: int (NOTE: this might be inconsistent with the actual status of SSH master)
-	ports       []limayaml.Port
+	rules       []limayaml.PortForward
 }
 
 const sshGuestPort = 22
 
-func newPortForwarder(l *logrus.Logger, sshConfig *ssh.SSHConfig, sshHostPort int, ports []limayaml.Port) *portForwarder {
+func newPortForwarder(l *logrus.Logger, sshConfig *ssh.SSHConfig, sshHostPort int, rules []limayaml.PortForward) *portForwarder {
 	return &portForwarder{
 		l:           l,
 		sshConfig:   sshConfig,
 		sshHostPort: sshHostPort,
 		tcp:         make(map[int]struct{}),
-		ports:       ports,
+		rules:       rules,
 	}
 }
 
 func (pf *portForwarder) forwardingAddresses(guest api.IPPort) (string, string) {
-	for _, port := range pf.ports {
-		if port.GuestPortRange[0] <= guest.Port && guest.Port <= port.GuestPortRange[1] {
-			guestAddr := fmt.Sprintf("%s:%d", port.GuestIP, guest.Port)
-			if port.Ignore {
-				return guestAddr, ""
+	for _, rule := range pf.rules {
+		if guest.Port < rule.GuestPortRange[0] || guest.Port > rule.GuestPortRange[1] {
+			continue
+		}
+		switch {
+		case guest.IP.IsUnspecified():
+		case guest.IP.Equal(rule.GuestIP):
+		case guest.IP.Equal(net.IPv6loopback) && rule.GuestIP.Equal(api.IPv4loopback1):
+		case rule.GuestIP.IsUnspecified():
+		default:
+			continue
+		}
+		if rule.Ignore {
+			if guest.IP.IsUnspecified() && !rule.GuestIP.IsUnspecified() {
+				continue
 			}
-			offset := port.HostPortRange[0] - port.GuestPortRange[0]
-			hostAddr := fmt.Sprintf("%s:%d", port.HostIP, guest.Port + offset)
-			return guestAddr, hostAddr
+			break
+		}
+		host := api.IPPort{
+			IP:   rule.HostIP,
+			Port: guest.Port + rule.HostPortRange[0] - rule.GuestPortRange[0],
 		}
+		return host.String(), guest.String()
 	}
-	addr := "127.0.0.1:" + strconv.Itoa(guest.Port)
-	return addr, addr
+	return "", guest.String()
 }
 
 func (pf *portForwarder) OnEvent(ctx context.Context, ev api.Event) {
 	for _, f := range ev.LocalPortsRemoved {
 		// pf.tcp might be inconsistent with the actual state of the SSH master,
 		// so we always attempt to cancel forwarding, even when f.Port is not tracked in pf.tcp.
-		guestAddr, hostAddr := pf.forwardingAddresses(f)
-		if hostAddr == "" {
+		local, remote := pf.forwardingAddresses(f)
+		if local == "" {
 			continue
 		}
-		pf.l.Infof("Stopping forwarding TCP from %s to %s", guestAddr, hostAddr)
+		pf.l.Infof("Stopping forwarding TCP from %s to %s", remote, local)
 		verbCancel := true
-		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, hostAddr, guestAddr, verbCancel); err != nil {
+		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, local, remote, verbCancel); err != nil {
 			if _, ok := pf.tcp[f.Port]; ok {
 				pf.l.WithError(err).Warnf("failed to stop forwarding TCP port %d", f.Port)
 			} else {
@@ -67,14 +78,14 @@ func (pf *portForwarder) OnEvent(ctx context.Context, ev api.Event) {
 		delete(pf.tcp, f.Port)
 	}
 	for _, f := range ev.LocalPortsAdded {
-		guestAddr, hostAddr := pf.forwardingAddresses(f)
-		if hostAddr == "" {
-			pf.l.Infof("Not forwarding TCP from %s", guestAddr)
+		local, remote := pf.forwardingAddresses(f)
+		if local == "" {
+			pf.l.Infof("Not forwarding TCP %s", remote)
 			continue
 		}
-		pf.l.Infof("Forwarding TCP from %s to %s", guestAddr, hostAddr)
-		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, hostAddr, guestAddr, false); err != nil {
-			pf.l.WithError(err).Warnf("failed to setting up forward TCP port %d (negligible if already forwarded)", f.Port)
+		pf.l.Infof("Forwarding TCP from %s to %s", remote, local)
+		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, local, remote, false); err != nil {
+			pf.l.WithError(err).Warnf("failed to set up forwarding TCP port %d (negligible if already forwarded)", f.Port)
 		} else {
 			pf.tcp[f.Port] = struct{}{}
 		}

pkg/limayaml/default.yaml

@@ -73,25 +73,31 @@ containerd:
   # Default: true
   user: true
 
-# port forwarding rules.
-# By default guest ports are forwarded to the same port on the 127.0.0.1 interface on the host.
-# ports:
-
+# Port forwarding rules. Forwarding between ports 22 and ssh.localPort cannot be overridden.
+# Rules are checked sequentially until the first one matches.
+# portForwards:
 #   - guestPort: 443
-#     hostIP: "0.0.0.0" # overrides the default value "127.0.0.1"
-#   # default: hostPort: 443
-#   # default: guestIP: "127.0.0.1" (only valid value right now)
+#     hostIP: "0.0.0.0" # overrides the default value "127.0.0.1"; allows privileged port forwarding
+#   # default: hostPort: 443 (same as guestPort)
+#   # default: guestIP: "127.0.0.1" (also matches bind addresses "0.0.0.0", "::", and "::1")
 #   # default: proto: "tcp" (only valid value right now)
-
 #   - guestPortRange: [4000, 4999]
 #     hostIP:  "0.0.0.0" # overrides the default value "127.0.0.1"
 #   # default: hostPortRange: [4000, 4999] (must specify same number of ports as guestPortRange)
-
 #   - guestPort: 80
 #     hostPort: 8080 # overrides the default value 80
-
+#   - guestIP: "127.0.0.2" # overrides the default value "127.0.0.1"
+#     hostIP: "127.0.0.2" # overrides the default value "127.0.0.1"
+#   # default: guestPortRange: [1024, 65535]
+#   # default: hostPortRange: [1024, 65535]
 #   - guestPort: 8888
 #     ignore: true (don't forward this port)
+#   # Lima internally appends this fallback rule at the end:
+#   - guestIP: "127.0.0.1"
+#     guestPortRange: [1024, 65535]
+#     hostIP: "127.0.0.1"
+#     hostPortRange: [1024, 65535]
+#   # Any port still not matched by a rule will not be forwarded (ignored)
 
 # Provisioning scripts need to be idempotent because they might be called
 # multiple times, e.g. when the host VM is being restarted.

pkg/limayaml/defaults.go

@@ -3,6 +3,8 @@ package limayaml
 import (
 	"fmt"
 	"runtime"
+
+	"github.com/AkihiroSuda/lima/pkg/guestagent/api"
 )
 
 func FillDefault(y *LimaYAML) {
@@ -49,27 +51,37 @@ func FillDefault(y *LimaYAML) {
 			probe.Description = fmt.Sprintf("user probe %d/%d", i+1, len(y.Probes))
 		}
 	}
-	for i := range y.Ports {
-		port := &y.Ports[i]
-		if port.GuestIP == "" {
-			port.GuestIP = "127.0.0.1"
-		}
-		if port.GuestPortRange[0] == 0 && port.GuestPortRange[1] == 0 {
-			port.GuestPortRange[0] = port.GuestPort
-			port.GuestPortRange[1] = port.GuestPort
-		}
-		if port.HostIP == "" {
-			port.HostIP = "127.0.0.1"
-		}
-		if port.HostPortRange[0] == 0 && port.HostPortRange[1] == 0 {
-			if port.HostPort == 0 {
-				port.HostPort = port.GuestPortRange[0]
-			}
-			port.HostPortRange[0] = port.HostPort
-			port.HostPortRange[1] = port.HostPort
+	for i := range y.PortForwards {
+		FillPortForwardDefaults(&y.PortForwards[i])
+		// After defaults processing the singular HostPort and GuestPort values should not be used again.
+	}
+}
+
+func FillPortForwardDefaults(rule *PortForward) {
+	if rule.Proto == "" {
+		rule.Proto = TCP
+	}
+	if rule.GuestIP == nil {
+		rule.GuestIP = api.IPv4loopback1
+	}
+	if rule.HostIP == nil {
+		rule.HostIP = api.IPv4loopback1
+	}
+	if rule.GuestPortRange[0] == 0 && rule.GuestPortRange[1] == 0 {
+		if rule.GuestPort == 0 {
+			rule.GuestPortRange[0] = 1024
+			rule.GuestPortRange[1] = 65535
+		} else {
+			rule.GuestPortRange[0] = rule.GuestPort
+			rule.GuestPortRange[1] = rule.GuestPort
 		}
-		if port.Proto == "" {
-			port.Proto = TCP
+	}
+	if rule.HostPortRange[0] == 0 && rule.HostPortRange[1] == 0 {
+		if rule.HostPort == 0 {
+			rule.HostPortRange = rule.GuestPortRange
+		} else {
+			rule.HostPortRange[0] = rule.HostPort
+			rule.HostPortRange[1] = rule.HostPort
 		}
 	}
 }

pkg/limayaml/limayaml.go

@@ -1,21 +1,25 @@
 package limayaml
 
-import "github.com/opencontainers/go-digest"
+import (
+	"net"
+
+	"github.com/opencontainers/go-digest"
+)
 
 type LimaYAML struct {
-	Arch       Arch        `yaml:"arch,omitempty"`
-	Images     []File      `yaml:"images"` // REQUIRED
-	CPUs       int         `yaml:"cpus,omitempty"`
-	Memory     string      `yaml:"memory,omitempty"` // go-units.RAMInBytes
-	Disk       string      `yaml:"disk,omitempty"`   // go-units.RAMInBytes
-	Mounts     []Mount     `yaml:"mounts,omitempty"`
-	SSH        SSH         `yaml:"ssh,omitempty"` // REQUIRED (FIXME)
-	Firmware   Firmware    `yaml:"firmware,omitempty"`
-	Video      Video       `yaml:"video,omitempty"`
-	Provision  []Provision `yaml:"provision,omitempty"`
-	Containerd Containerd  `yaml:"containerd,omitempty"`
-	Probes     []Probe     `yaml:"probes,omitempty"`
-	Ports      []Port      `yaml:"ports,omitempty"`
+	Arch         Arch          `yaml:"arch,omitempty"`
+	Images       []File        `yaml:"images"` // REQUIRED
+	CPUs         int           `yaml:"cpus,omitempty"`
+	Memory       string        `yaml:"memory,omitempty"` // go-units.RAMInBytes
+	Disk         string        `yaml:"disk,omitempty"`   // go-units.RAMInBytes
+	Mounts       []Mount       `yaml:"mounts,omitempty"`
+	SSH          SSH           `yaml:"ssh,omitempty"` // REQUIRED (FIXME)
+	Firmware     Firmware      `yaml:"firmware,omitempty"`
+	Video        Video         `yaml:"video,omitempty"`
+	Provision    []Provision   `yaml:"provision,omitempty"`
+	Containerd   Containerd    `yaml:"containerd,omitempty"`
+	Probes       []Probe       `yaml:"probes,omitempty"`
+	PortForwards []PortForward `yaml:"portForwards,omitempty"`
 }
 
 type Arch = string
@@ -91,11 +95,11 @@ const (
 	TCP Proto = "tcp"
 )
 
-type Port struct {
-	GuestIP        string `yaml:"guestIP,omitempty"`
+type PortForward struct {
+	GuestIP        net.IP `yaml:"guestIP,omitempty"`
 	GuestPort      int    `yaml:"guestPort,omitempty"`
 	GuestPortRange [2]int `yaml:"guestPortRange,omitempty"`
-	HostIP         string `yaml:"hostIP,omitempty"`
+	HostIP         net.IP `yaml:"hostIP,omitempty"`
 	HostPort       int    `yaml:"hostPort,omitempty"`
 	HostPortRange  [2]int `yaml:"hostPortRange,omitempty"`
 	Proto          Proto  `yaml:"proto,omitempty"`