Merge pull request #283 from AkihiroSuda/pseudoloopback

Support port forwarding for privileged ports (1-1023)

Author: jandubois

README.md

@@ -77,9 +77,6 @@ $ lima nerdctl run -d --name nginx -p 127.0.0.1:8080:80 nginx:alpine
 
 http://127.0.0.1:8080 is accessible from both macOS and Linux.
 
-> **NOTE**
-> Privileged ports (1-1023) cannot be forwarded
-
 For the usage of containerd and nerdctl (contaiNERD ctl), visit https://github.com/containerd/containerd and https://github.com/containerd/nerdctl.
 
 ## Getting started
@@ -318,7 +315,11 @@ Note: **Only** on macOS versions **before** 10.15.7 you might need to add this e
 
 ### SSH
 #### "Port forwarding does not work"
-Privileged ports (1-1023) cannot be forwarded. e.g., you have to use 8080, not 80.
+Prior to Lima v0.7.0, Lima did not support forwarding privileged ports (1-1023). e.g., you had to use 8080, not 80.
+
+Lima v0.7.0 and later supports forwarding privileged ports on macOS hosts.
+
+On Linux hosts, you might have to set sysctl value `net.ipv4.ip_unprivileged_port_start=0`.
 
 #### stuck on "Waiting for the essential requirement 1 of X: "ssh"
 

pkg/hostagent/hostagent.go

@@ -26,7 +26,6 @@ import (
 	"github.com/lima-vm/lima/pkg/store"
 	"github.com/lima-vm/lima/pkg/store/filenames"
 	"github.com/lima-vm/sshocker/pkg/ssh"
-
 	"github.com/sirupsen/logrus"
 )
 

pkg/hostagent/port.go

@@ -68,7 +68,7 @@ func (pf *portForwarder) OnEvent(ctx context.Context, ev api.Event) {
 		}
 		pf.l.Infof("Stopping forwarding TCP from %s to %s", remote, local)
 		verbCancel := true
-		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, local, remote, verbCancel); err != nil {
+		if err := forwardTCP(ctx, pf.l, pf.sshConfig, pf.sshHostPort, local, remote, verbCancel); err != nil {
 			if _, ok := pf.tcp[f.Port]; ok {
 				pf.l.WithError(err).Warnf("failed to stop forwarding TCP port %d", f.Port)
 			} else {
@@ -84,7 +84,7 @@ func (pf *portForwarder) OnEvent(ctx context.Context, ev api.Event) {
 			continue
 		}
 		pf.l.Infof("Forwarding TCP from %s to %s", remote, local)
-		if err := forwardSSH(ctx, pf.sshConfig, pf.sshHostPort, local, remote, false); err != nil {
+		if err := forwardTCP(ctx, pf.l, pf.sshConfig, pf.sshHostPort, local, remote, false); err != nil {
 			pf.l.WithError(err).Warnf("failed to set up forwarding TCP port %d (negligible if already forwarded)", f.Port)
 		} else {
 			pf.tcp[f.Port] = struct{}{}

pkg/hostagent/port_darwin.go

@@ -0,0 +1,161 @@
+package hostagent
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strconv"
+
+	"github.com/lima-vm/sshocker/pkg/ssh"
+	"github.com/norouter/norouter/pkg/agent/bicopy"
+	"github.com/sirupsen/logrus"
+)
+
+// forwardTCP is not thread-safe
+func forwardTCP(ctx context.Context, l *logrus.Logger, sshConfig *ssh.SSHConfig, port int, local, remote string, cancel bool) error {
+	localIPStr, localPortStr, err := net.SplitHostPort(local)
+	if err != nil {
+		return err
+	}
+	localIP := net.ParseIP(localIPStr)
+	localPort, err := strconv.Atoi(localPortStr)
+	if err != nil {
+		return err
+	}
+
+	if !net.ParseIP("127.0.0.1").Equal(localIP) || localPort >= 1024 {
+		return forwardSSH(ctx, sshConfig, port, local, remote, cancel)
+	}
+
+	// on macOS, listening on 127.0.0.1:80 requires root while 0.0.0.0:80 does not require root.
+	// https://twitter.com/_AkihiroSuda_/status/1403403845842075648
+	//
+	// We use "pseudoloopback" forwarder that listens on 0.0.0.0:80 but rejects connections from non-loopback src IP.
+	l.Debugf("using pseudoloopback port forwarder for %q", local)
+
+	if cancel {
+		plf, ok := pseudoLoopbackForwarders[local]
+		if ok {
+			localUnix := plf.unixAddr.Name
+			_ = plf.Close()
+			delete(pseudoLoopbackForwarders, local)
+			if err := forwardSSH(ctx, sshConfig, port, localUnix, remote, cancel); err != nil {
+				return err
+			}
+		} else {
+			l.Warnf("forwarding for %q seems already cancelled?", local)
+		}
+		return nil
+	}
+
+	localUnixDir, err := os.MkdirTemp("/tmp", fmt.Sprintf("lima-psl-%s-%d-", localIP, localPort))
+	if err != nil {
+		return err
+	}
+	localUnix := filepath.Join(localUnixDir, "sock")
+	l.Debugf("forwarding %q to %q", localUnix, remote)
+	if err := forwardSSH(ctx, sshConfig, port, localUnix, remote, cancel); err != nil {
+		if removeErr := os.RemoveAll(localUnixDir); removeErr != nil {
+			l.WithError(removeErr).Warnf("failed to remove %q", removeErr)
+		}
+		return err
+	}
+	plf, err := newPseudoLoopbackForwarder(l, localPort, localUnix)
+	if err != nil {
+		if removeErr := os.RemoveAll(localUnixDir); removeErr != nil {
+			l.WithError(removeErr).Warnf("failed to remove %q", removeErr)
+		}
+		if cancelErr := forwardSSH(ctx, sshConfig, port, localUnix, remote, true); cancelErr != nil {
+			l.WithError(cancelErr).Warnf("failed to cancel forwarding %q to %q", localUnix, remote)
+		}
+		return err
+	}
+	plf.onClose = func() error {
+		return os.RemoveAll(localUnixDir)
+	}
+	pseudoLoopbackForwarders[local] = plf
+	go func() {
+		if plfErr := plf.Serve(); plfErr != nil {
+			l.WithError(plfErr).Warning("pseudoloopback forwarder crashed")
+		}
+	}()
+	return nil
+}
+
+var pseudoLoopbackForwarders = make(map[string]*pseudoLoopbackForwarder)
+
+type pseudoLoopbackForwarder struct {
+	l        *logrus.Logger
+	ln       *net.TCPListener
+	unixAddr *net.UnixAddr
+	onClose  func() error
+}
+
+func newPseudoLoopbackForwarder(l *logrus.Logger, localPort int, unixSock string) (*pseudoLoopbackForwarder, error) {
+	unixAddr, err := net.ResolveUnixAddr("unix", unixSock)
+	if err != nil {
+		return nil, err
+	}
+
+	lnAddr, err := net.ResolveTCPAddr("tcp4", fmt.Sprintf("0.0.0.0:%d", localPort))
+	if err != nil {
+		return nil, err
+	}
+	ln, err := net.ListenTCP("tcp4", lnAddr)
+	if err != nil {
+		return nil, err
+	}
+
+	plf := &pseudoLoopbackForwarder{
+		l:        l,
+		ln:       ln,
+		unixAddr: unixAddr,
+	}
+
+	return plf, nil
+}
+
+func (plf *pseudoLoopbackForwarder) Serve() error {
+	defer plf.ln.Close()
+	for {
+		ac, err := plf.ln.AcceptTCP()
+		if err != nil {
+			return err
+		}
+		remoteAddr := ac.RemoteAddr().String() // ip:port
+		remoteAddrIP, _, err := net.SplitHostPort(remoteAddr)
+		if err != nil {
+			plf.l.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q (unparsable)", remoteAddr)
+			ac.Close()
+			continue
+		}
+		if remoteAddrIP != "127.0.0.1" {
+			plf.l.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
+			ac.Close()
+			continue
+		}
+		go func(ac *net.TCPConn) {
+			if fErr := plf.forward(ac); fErr != nil {
+				plf.l.Error(fErr)
+			}
+		}(ac)
+	}
+}
+
+func (plf *pseudoLoopbackForwarder) forward(ac *net.TCPConn) error {
+	defer ac.Close()
+	unixConn, err := net.DialUnix("unix", nil, plf.unixAddr)
+	if err != nil {
+		return err
+	}
+	defer unixConn.Close()
+	bicopy.Bicopy(ac, unixConn, nil)
+	return nil
+}
+
+func (plf *pseudoLoopbackForwarder) Close() error {
+	_ = plf.ln.Close()
+	return plf.onClose()
+}

pkg/hostagent/port_others.go

@@ -0,0 +1,15 @@
+//go:build !darwin
+// +build !darwin
+
+package hostagent
+
+import (
+	"context"
+
+	"github.com/lima-vm/sshocker/pkg/ssh"
+	"github.com/sirupsen/logrus"
+)
+
+func forwardTCP(ctx context.Context, l *logrus.Logger, sshConfig *ssh.SSHConfig, port int, local, remote string, cancel bool) error {
+	return forwardSSH(ctx, sshConfig, port, local, remote, cancel)
+}

pkg/limayaml/default.yaml

@@ -171,15 +171,15 @@ networks:
 #     hostPort: 8080 # overrides the default value 80
 #   - guestIP: "127.0.0.2" # overrides the default value "127.0.0.1"
 #     hostIP: "127.0.0.2" # overrides the default value "127.0.0.1"
-#   # default: guestPortRange: [1024, 65535]
-#   # default: hostPortRange: [1024, 65535]
+#   # default: guestPortRange: [1, 65535]
+#   # default: hostPortRange: [1, 65535]
 #   - guestPort: 8888
 #     ignore: true (don't forward this port)
 #   # Lima internally appends this fallback rule at the end:
 #   - guestIP: "127.0.0.1"
-#     guestPortRange: [1024, 65535]
+#     guestPortRange: [1, 65535]
 #     hostIP: "127.0.0.1"
-#     hostPortRange: [1024, 65535]
+#     hostPortRange: [1, 65535]
 #   # Any port still not matched by a rule will not be forwarded (ignored)
 
 # Extra environment variables that will be loaded into the VM at start up.

pkg/limayaml/defaults.go

@@ -140,7 +140,7 @@ func FillPortForwardDefaults(rule *PortForward) {
 	}
 	if rule.GuestPortRange[0] == 0 && rule.GuestPortRange[1] == 0 {
 		if rule.GuestPort == 0 {
-			rule.GuestPortRange[0] = 1024
+			rule.GuestPortRange[0] = 1
 			rule.GuestPortRange[1] = 65535
 		} else {
 			rule.GuestPortRange[0] = rule.GuestPort