| 1 | +# SPDX-FileCopyrightText: Copyright The Lima Authors |
| 2 | +# SPDX-License-Identifier: Apache-2.0 |
| 3 | + |
| 4 | +# Verify that a Lima instance configured with ignore:true proto:any rules does |
| 5 | +# not forward guest ports back to the host, even when services listen on the |
| 6 | +# guest. |
| 7 | + |
| 8 | +load "../helpers/load" |
| 9 | + |
| 10 | +NAME="pf-ignore" |
| 11 | +CONFIG_PATH="${BATS_TEST_TMPDIR}/no-port-forwarding.yaml" |
| 12 | + |
| 13 | +local_setup() { |
| 14 | + limactl delete --force "${NAME}" || : |
| 15 | + cat <<'EOF' >"${CONFIG_PATH}" |
| 16 | +minimumLimaVersion: 2.0.0 |
| 17 | +base: |
| 18 | +- template:default |
| 19 | +portForwards: |
| 20 | +- guestIP: "0.0.0.0" |
| 21 | + guestIPMustBeZero: false |
| 22 | + proto: "any" |
| 23 | + ignore: true |
| 24 | +- guestIP: "::" |
| 25 | + proto: "any" |
| 26 | + ignore: true |
| 27 | +EOF |
| 28 | + limactl start --tty=false --name "${NAME}" "${CONFIG_PATH}" 3>&- 4>&- |
| 29 | + for _ in $(seq 1 30); do |
| 30 | + if limactl shell "${NAME}" -- true 3>&- 4>&-; then |
| 31 | + return 0 |
| 32 | + fi |
| 33 | + sleep 5 |
| 34 | + done |
| 35 | + echo "instance did not become reachable" >&2 |
| 36 | + return 1 |
| 37 | +} |
| 38 | + |
| 39 | +local_teardown() { |
| 40 | + limactl delete --force "${NAME}" || : |
| 41 | +} |
| 42 | + |
| 43 | +start_guest_services() { |
| 44 | + limactl shell "${NAME}" -- bash -lc 'nohup python3 -m http.server 31080 --bind 0.0.0.0 >/tmp/http.log 2>&1 &' 3>&- 4>&- |
| 45 | + limactl shell "${NAME}" -- bash -lc 'nohup python3 - <<"PY" >/tmp/udp.log 2>&1 & |
| 46 | +import socket |
| 47 | +
|
| 48 | +sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) |
| 49 | +sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) |
| 50 | +try: |
| 51 | + sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0) |
| 52 | +except (AttributeError, OSError): |
| 53 | + pass |
| 54 | +sock.bind(("::", 32053, 0, 0)) |
| 55 | +while True: |
| 56 | + data, addr = sock.recvfrom(1024) |
| 57 | + if not data: |
| 58 | + continue |
| 59 | + sock.sendto(b"guest", addr) |
| 60 | +PY |
| 61 | +' 3>&- 4>&- |
| 62 | + limactl shell "${NAME}" -- bash -lc 'for i in $(seq 1 10); do curl --silent --fail http://127.0.0.1:31080 >/dev/null 2>&1 && exit 0; sleep 1; done; exit 1' |
| 63 | +} |
| 64 | + |
| 65 | +@test 'Host cannot reach guest services when forwarding is ignored' { |
| 66 | + start_guest_services |
| 67 | + |
| 68 | + run curl --fail --silent --show-error --connect-timeout 5 --max-time 10 http://127.0.0.1:31080 |
| 69 | + assert_failure |
| 70 | + |
| 71 | + run python3 - <<'PY' |
| 72 | +import socket |
| 73 | +import sys |
| 74 | +
|
| 75 | +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) |
| 76 | +sock.settimeout(2.0) |
| 77 | +destination = ("127.0.0.1", 32053) |
| 78 | +
|
| 79 | +try: |
| 80 | + sock.sendto(b"ping", destination) |
| 81 | + data, _ = sock.recvfrom(16) |
| 82 | +except (ConnectionRefusedError, TimeoutError, socket.timeout, OSError): |
| 83 | + sys.exit(0) |
| 84 | +else: |
| 85 | + sys.exit(1 if data == b"guest" else 0) |
| 86 | +PY |
| 87 | + assert_success |
| 88 | + |
| 89 | + instance_dir=$(limactl list "${NAME}" --format '{{.Dir}}') |
| 90 | + run grep -n "Forwarding " "${instance_dir}/ha.stderr.log" |
| 91 | + assert_failure |
| 92 | +} |
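Review bot: The host-side UDP probe at the end of the test counts a timeout as success, but start_guest_services only waits for the HTTP server on 31080 and never confirms that the echo listener on 32053 came up, so that assertion also passes when the nohup'd script died at startup and the ignore rule was never exercised. Polling the echo from inside the guest before returning, the way the curl loop already polls 31080, makes the negative result meaningful; the rewritten tail of start_guest_services is below. The final log check is vacuous in the same way: grep exits 2 when `ha.stderr.log` is absent or unreadable and an unqualified `assert_failure` accepts that, so `assert_failure 1` pins the no-match case. Whether the guest image lets IPV6_V6ONLY be cleared so 127.0.0.1 reaches the `::` socket is not visible here; if it does not, the readiness probe below needs an IPv6 destination instead.
```bash
start_guest_services() {
    # … unchanged: HTTP server and UDP echo launch, curl readiness loop for 31080 …
    # Confirm the UDP echo answers inside the guest before the host-side negative
    # probe runs; without this a listener that never started makes the host
    # "no response" assertion pass for the wrong reason.
    limactl shell "${NAME}" -- bash -lc 'for i in $(seq 1 10); do
  python3 - <<"PY" && exit 0
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(1.0)
s.sendto(b"ping", ("127.0.0.1", 32053))
data, _ = s.recvfrom(16)
raise SystemExit(0 if data == b"guest" else 1)
PY
  sleep 1
done
exit 1' 3>&- 4>&-
}
```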