Make sure err isn't nil when returning failure

jandubois · jandubois · commit af3b7d66469f · 2024-11-07T16:59:15.000-08:00
Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -443,9 +443,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        template:
-        - default.yaml
-        - fedora.yaml
+        include:
+        - {template: default.yaml, ssh-port-forwarder: true}
+        - {template: fedora.yaml, ssh-port-forwarder: false}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
@@ -467,6 +467,8 @@ jobs:
       run: brew uninstall --ignore-dependencies --force qemu
     - name: Test
       run: ./hack/test-templates.sh templates/${{ matrix.template }}
+      env:
+        LIMA_SSH_PORT_FORWARDER: ${{ matrix.ssh-port-forwarder }}
     - if: failure()
       uses: ./.github/actions/upload_failure_logs_if_exists
       with:
diff --git a/hack/test-templates.sh b/hack/test-templates.sh
@@ -307,9 +307,17 @@ if [[ -n ${CHECKS["port-forwards"]} ]]; then
 			fi
 			limactl shell "$NAME" $sudo $CONTAINER_ENGINE info
 			limactl shell "$NAME" $sudo $CONTAINER_ENGINE pull --quiet ${nginx_image}
-			limactl shell "$NAME" $sudo $CONTAINER_ENGINE run -d --name nginx -p 8888:80 ${nginx_image}
 
+			limactl shell "$NAME" $sudo $CONTAINER_ENGINE run -d --name nginx -p 8888:80 ${nginx_image}
 			timeout 3m bash -euxc "until curl -f --retry 30 --retry-connrefused http://${hostip}:8888; do sleep 3; done"
+			limactl shell "$NAME" $sudo $CONTAINER_ENGINE rm -f nginx
+
+			if [ "$(uname)" = "Darwin" ]; then
+				# Only macOS can bind to port 80 without root
+				limactl shell "$NAME" $sudo $CONTAINER_ENGINE run -d --name nginx -p 127.0.0.1:80:80 ${nginx_image}
+				timeout 3m bash -euxc "until curl -f --retry 30 --retry-connrefused http://localhost:80; do sleep 3; done"
+				limactl shell "$NAME" $sudo $CONTAINER_ENGINE rm -f nginx
+			fi
 		fi
 	fi
 	set +x
diff --git a/pkg/hostagent/port_darwin.go b/pkg/hostagent/port_darwin.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/lima-vm/lima/pkg/bicopy"
+	"github.com/lima-vm/lima/pkg/portfwd"
 	"github.com/lima-vm/sshocker/pkg/ssh"
 	"github.com/sirupsen/logrus"
 )
@@ -96,11 +97,12 @@ func newPseudoLoopbackForwarder(localPort int, unixSock string) (*pseudoLoopback
 		return nil, err
 	}
 
-	lnAddr, err := net.ResolveTCPAddr("tcp4", fmt.Sprintf("0.0.0.0:%d", localPort))
+	// use "tcp" network to listen on both "tcp4" and "tcp6"
+	lnAddr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("0.0.0.0:%d", localPort))
 	if err != nil {
 		return nil, err
 	}
-	ln, err := net.ListenTCP("tcp4", lnAddr)
+	ln, err := net.ListenTCP("tcp", lnAddr)
 	if err != nil {
 		return nil, err
 	}
@@ -127,7 +129,7 @@ func (plf *pseudoLoopbackForwarder) Serve() error {
 			ac.Close()
 			continue
 		}
-		if remoteAddrIP != "127.0.0.1" {
+		if !portfwd.IsLoopback(remoteAddrIP) {
 			logrus.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
 			ac.Close()
 			continue
diff --git a/pkg/portfwd/listener.go b/pkg/portfwd/listener.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"strings"
 	"sync"
 
 	guestagentclient "github.com/lima-vm/lima/pkg/guestagent/api/client"
@@ -42,6 +43,7 @@ func (p *ClosableListeners) Forward(ctx context.Context, client *guestagentclien
 }
 
 func (p *ClosableListeners) Remove(_ context.Context, protocol, hostAddress, guestAddress string) {
+	logrus.Debugf("removing listener for hostAddress: %s, guestAddress: %s", hostAddress, guestAddress)
 	key := key(protocol, hostAddress, guestAddress)
 	switch protocol {
 	case "tcp", "tcp6":
@@ -65,7 +67,6 @@ func (p *ClosableListeners) Remove(_ context.Context, protocol, hostAddress, gue
 
 func (p *ClosableListeners) forwardTCP(ctx context.Context, client *guestagentclient.GuestAgentClient, hostAddress, guestAddress string) {
 	key := key("tcp", hostAddress, guestAddress)
-	defer p.Remove(ctx, "tcp", hostAddress, guestAddress)
 
 	p.listenersRW.Lock()
 	_, ok := p.listeners[key]
@@ -75,16 +76,21 @@ func (p *ClosableListeners) forwardTCP(ctx context.Context, client *guestagentcl
 	}
 	tcpLis, err := Listen(ctx, p.listenConfig, hostAddress)
 	if err != nil {
-		logrus.Errorf("failed to accept TCP connection: %v", err)
+		logrus.Errorf("failed to listen to TCP connection: %v", err)
 		p.listenersRW.Unlock()
 		return
 	}
+	defer p.Remove(ctx, "tcp", hostAddress, guestAddress)
 	p.listeners[key] = tcpLis
 	p.listenersRW.Unlock()
 	for {
 		conn, err := tcpLis.Accept()
 		if err != nil {
 			logrus.Errorf("failed to accept TCP connection: %v", err)
+			if strings.Contains(err.Error(), "pseudoloopback") {
+				// don't stop forwarding because the forwarder has rejected a non-local address
+				continue
+			}
 			return
 		}
 		go HandleTCPConnection(ctx, client, conn, guestAddress)
diff --git a/pkg/portfwd/listener_darwin.go b/pkg/portfwd/listener_darwin.go
@@ -68,10 +68,13 @@ func (p pseudoLoopbackListener) Accept() (net.Conn, error) {
 		conn.Close()
 		return nil, err
 	}
-	if remoteAddrIP != "127.0.0.1" {
-		logrus.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
+	if !IsLoopback(remoteAddrIP) {
+		err := fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
+		logrus.Debug(err)
+		conn.Close()
 		return nil, err
 	}
+	logrus.Infof("pseudoloopback forwarder: accepting connection from %q", remoteAddr)
 	return conn, nil
 }
 
@@ -89,7 +92,7 @@ func (pk *pseudoLoopbackPacketConn) ReadFrom(bytes []byte) (n int, addr net.Addr
 	if err != nil {
 		return 0, nil, err
 	}
-	if remoteAddrIP != "127.0.0.1" {
+	if !IsLoopback(remoteAddrIP) {
 		return 0, nil, fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
 	}
 	return n, remoteAddr, nil
@@ -100,8 +103,12 @@ func (pk *pseudoLoopbackPacketConn) WriteTo(bytes []byte, remoteAddr net.Addr) (
 	if err != nil {
 		return 0, err
 	}
-	if remoteAddrIP != "127.0.0.1" {
+	if !IsLoopback(remoteAddrIP) {
 		return 0, fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)
 	}
 	return pk.PacketConn.WriteTo(bytes, remoteAddr)
 }
+
+func IsLoopback(addr string) bool {
+	return addr == "127.0.0.1" || addr == "::1"
+}

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ import (`
`10`	`10`	`"strings"`
`11`	`11`
`12`	`12`	`"github.com/lima-vm/lima/pkg/bicopy"`
	`13`	`+ "github.com/lima-vm/lima/pkg/portfwd"`
`13`	`14`	`"github.com/lima-vm/sshocker/pkg/ssh"`
`14`	`15`	`"github.com/sirupsen/logrus"`
`15`	`16`	`)`
`@@ -96,11 +97,12 @@ func newPseudoLoopbackForwarder(localPort int, unixSock string) (*pseudoLoopback`
`96`	`97`	`return nil, err`
`97`	`98`	`}`
`98`	`99`
`99`		`- lnAddr, err := net.ResolveTCPAddr("tcp4", fmt.Sprintf("0.0.0.0:%d", localPort))`
	`100`	`+ // use "tcp" network to listen on both "tcp4" and "tcp6"`
	`101`	`+ lnAddr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("0.0.0.0:%d", localPort))`
`100`	`102`	`if err != nil {`
`101`	`103`	`return nil, err`
`102`	`104`	`}`
`103`		`- ln, err := net.ListenTCP("tcp4", lnAddr)`
	`105`	`+ ln, err := net.ListenTCP("tcp", lnAddr)`
`104`	`106`	`if err != nil {`
`105`	`107`	`return nil, err`
`106`	`108`	`}`
`@@ -127,7 +129,7 @@ func (plf *pseudoLoopbackForwarder) Serve() error {`
`127`	`129`	`ac.Close()`
`128`	`130`	`continue`
`129`	`131`	`}`
`130`		`- if remoteAddrIP != "127.0.0.1" {`
	`132`	`+ if !portfwd.IsLoopback(remoteAddrIP) {`
`131`	`133`	`logrus.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)`
`132`	`134`	`ac.Close()`
`133`	`135`	`continue`
Original file line number	Diff line number	Diff line change
`@@ -68,10 +68,13 @@ func (p pseudoLoopbackListener) Accept() (net.Conn, error) {`
`68`	`68`	`conn.Close()`
`69`	`69`	`return nil, err`
`70`	`70`	`}`
`71`		`- if remoteAddrIP != "127.0.0.1" {`
`72`		`- logrus.WithError(err).Debugf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)`
	`71`	`+ if !IsLoopback(remoteAddrIP) {`
	`72`	`+ err := fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)`
	`73`	`+ logrus.Debug(err)`
	`74`	`+ conn.Close()`
`73`	`75`	`return nil, err`
`74`	`76`	`}`
	`77`	`+ logrus.Infof("pseudoloopback forwarder: accepting connection from %q", remoteAddr)`
`75`	`78`	`return conn, nil`
`76`	`79`	`}`
`77`	`80`
`@@ -89,7 +92,7 @@ func (pk *pseudoLoopbackPacketConn) ReadFrom(bytes []byte) (n int, addr net.Addr`
`89`	`92`	`if err != nil {`
`90`	`93`	`return 0, nil, err`
`91`	`94`	`}`
`92`		`- if remoteAddrIP != "127.0.0.1" {`
	`95`	`+ if !IsLoopback(remoteAddrIP) {`
`93`	`96`	`return 0, nil, fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)`
`94`	`97`	`}`
`95`	`98`	`return n, remoteAddr, nil`
`@@ -100,8 +103,12 @@ func (pk *pseudoLoopbackPacketConn) WriteTo(bytes []byte, remoteAddr net.Addr) (`
`100`	`103`	`if err != nil {`
`101`	`104`	`return 0, err`
`102`	`105`	`}`
`103`		`- if remoteAddrIP != "127.0.0.1" {`
	`106`	`+ if !IsLoopback(remoteAddrIP) {`
`104`	`107`	`return 0, fmt.Errorf("pseudoloopback forwarder: rejecting non-loopback remoteAddr %q", remoteAddr)`
`105`	`108`	`}`
`106`	`109`	`return pk.PacketConn.WriteTo(bytes, remoteAddr)`
`107`	`110`	`}`
	`111`	`+`
	`112`	`+func IsLoopback(addr string) bool {`
	`113`	`+ return addr == "127.0.0.1" \|\| addr == "::1"`
	`114`	`+}`