Change default for GuestIPMustBeZero when GuestIP is 0.0.0.0

It now defaults to `true`. The user must explicitly set it to false
to match any interface and not just 0.0.0.0.

The existing tests have been amended to explicitly set GuestIPMustBeZero
to `false` to continue testing the old behaviour.

This change is not backwards compatible!

Signed-off-by: Jan Dubois <jan.dubois@suse.com>

Author: jandubois

hack/test-port-forwarding.pl

@@ -303,16 +303,19 @@ sub JoinHostPort {
   ignore: true
 
 - guestIP: 0.0.0.0
+  guestIPMustBeZero: false
   guestPortRange: [3010, 3019]
   hostPortRange: [2010, 2019]
   ignore: true
 
 - guestIP: 0.0.0.0
+  guestIPMustBeZero: false
   guestPortRange: [3000, 3029]
   hostPortRange: [2000, 2029]
 
 # The following rule is completely shadowed by the previous one and has no effect
 - guestIP: 0.0.0.0
+  guestIPMustBeZero: false
   guestPortRange: [3020, 3029]
   hostPortRange: [2020, 2029]
   ignore: true
@@ -323,7 +326,7 @@ sub JoinHostPort {
   # Blocking 127.0.0.2 cannot block forwarding from 0.0.0.0
   # forward: 0.0.0.0   3002 → 127.0.0.1 2002
 
-  # Blocking 0.0.0.0 will block forwarding from any interface
+  # Blocking 0.0.0.0 will block forwarding from any interface because guestIPMustBeZero is false
   # ignore: 0.0.0.0   3010
   # ignore: 127.0.0.1 3011
 
@@ -382,6 +385,7 @@ sub JoinHostPort {
   # forward: ::1          4025 → ipv4 4025
 
 - guestIP: "0.0.0.0"
+  guestIPMustBeZero: false
   guestPortRange: [4030, 4039]
   hostIP: "ipv4"
 
@@ -396,6 +400,7 @@ sub JoinHostPort {
   guestPortRange: [4040, 4049]
 
 - guestIP: "0.0.0.0"
+  guestIPMustBeZero: false
   guestPortRange: [4040, 4049]
   ignore: true
 

pkg/hostagent/port.go

@@ -69,7 +69,7 @@ func (pf *portForwarder) forwardingAddresses(guest *api.IPPort) (hostAddr, guest
 		case guestIP.IsUnspecified():
 		case guestIP.Equal(rule.GuestIP):
 		case guestIP.Equal(net.IPv6loopback) && rule.GuestIP.Equal(IPv4loopback1):
-		case rule.GuestIP.IsUnspecified() && !rule.GuestIPMustBeZero:
+		case rule.GuestIP.IsUnspecified() && !*rule.GuestIPMustBeZero:
 			// When GuestIPMustBeZero is true, then 0.0.0.0 must be an exact match, which is already
 			// handled above by the guest.IP.IsUnspecified() condition.
 		default:

pkg/limatype/lima_yaml.go

@@ -285,7 +285,7 @@ const (
 )
 
 type PortForward struct {
-	GuestIPMustBeZero bool   `yaml:"guestIPMustBeZero,omitempty" json:"guestIPMustBeZero,omitempty"`
+	GuestIPMustBeZero *bool  `yaml:"guestIPMustBeZero,omitempty" json:"guestIPMustBeZero,omitempty"`
 	GuestIP           net.IP `yaml:"guestIP,omitempty" json:"guestIP,omitempty"`
 	GuestPort         int    `yaml:"guestPort,omitempty" json:"guestPort,omitempty"`
 	GuestPortRange    [2]int `yaml:"guestPortRange,omitempty" json:"guestPortRange,omitempty"`

pkg/limayaml/defaults.go

@@ -882,12 +882,15 @@ func FillPortForwardDefaults(rule *limatype.PortForward, instDir string, user li
 		rule.Proto = limatype.ProtoAny
 	}
 	if rule.GuestIP == nil {
-		if rule.GuestIPMustBeZero {
+		if rule.GuestIPMustBeZero != nil && *rule.GuestIPMustBeZero {
 			rule.GuestIP = net.IPv4zero
 		} else {
 			rule.GuestIP = IPv4loopback1
 		}
 	}
+	if rule.GuestIPMustBeZero == nil {
+		rule.GuestIPMustBeZero = ptr.Of(rule.GuestIP.Equal(net.IPv4zero))
+	}
 	if rule.HostIP == nil {
 		rule.HostIP = IPv4loopback1
 	}

pkg/limayaml/defaults_test.go

@@ -124,12 +124,13 @@ func TestFillDefault(t *testing.T) {
 	}
 
 	defaultPortForward := limatype.PortForward{
-		GuestIP:        IPv4loopback1,
-		GuestPortRange: [2]int{1, 65535},
-		HostIP:         IPv4loopback1,
-		HostPortRange:  [2]int{1, 65535},
-		Proto:          limatype.ProtoAny,
-		Reverse:        false,
+		GuestIP:           IPv4loopback1,
+		GuestIPMustBeZero: ptr.Of(false),
+		GuestPortRange:    [2]int{1, 65535},
+		HostIP:            IPv4loopback1,
+		HostPortRange:     [2]int{1, 65535},
+		Proto:             limatype.ProtoAny,
+		Reverse:           false,
 	}
 
 	// ------------------------------------------------------------------------------------
@@ -386,13 +387,14 @@ func TestFillDefault(t *testing.T) {
 			net.ParseIP("1.1.1.1"),
 		},
 		PortForwards: []limatype.PortForward{{
-			GuestIP:        IPv4loopback1,
-			GuestPort:      80,
-			GuestPortRange: [2]int{80, 80},
-			HostIP:         IPv4loopback1,
-			HostPort:       80,
-			HostPortRange:  [2]int{80, 80},
-			Proto:          limatype.ProtoTCP,
+			GuestIP:           IPv4loopback1,
+			GuestIPMustBeZero: ptr.Of(false),
+			GuestPort:         80,
+			GuestPortRange:    [2]int{80, 80},
+			HostIP:            IPv4loopback1,
+			HostPort:          80,
+			HostPortRange:     [2]int{80, 80},
+			Proto:             limatype.ProtoTCP,
 		}},
 		CopyToHost: []limatype.CopyToHost{{}},
 		Env: map[string]string{
@@ -599,13 +601,14 @@ func TestFillDefault(t *testing.T) {
 			net.ParseIP("2.2.2.2"),
 		},
 		PortForwards: []limatype.PortForward{{
-			GuestIP:        IPv4loopback1,
-			GuestPort:      88,
-			GuestPortRange: [2]int{88, 88},
-			HostIP:         IPv4loopback1,
-			HostPort:       8080,
-			HostPortRange:  [2]int{8080, 8080},
-			Proto:          limatype.ProtoTCP,
+			GuestIP:           IPv4loopback1,
+			GuestIPMustBeZero: ptr.Of(false),
+			GuestPort:         88,
+			GuestPortRange:    [2]int{88, 88},
+			HostIP:            IPv4loopback1,
+			HostPort:          8080,
+			HostPortRange:     [2]int{8080, 8080},
+			Proto:             limatype.ProtoTCP,
 		}},
 		CopyToHost: []limatype.CopyToHost{{}},
 		Env: map[string]string{

pkg/limayaml/validate.go

@@ -285,7 +285,7 @@ func Validate(y *limatype.LimaYAML, warn bool) error {
 	}
 	for i, rule := range y.PortForwards {
 		field := fmt.Sprintf("portForwards[%d]", i)
-		if rule.GuestIPMustBeZero && !rule.GuestIP.Equal(net.IPv4zero) {
+		if *rule.GuestIPMustBeZero && !rule.GuestIP.Equal(net.IPv4zero) {
 			errs = errors.Join(errs, fmt.Errorf("field `%s.guestIPMustBeZero` can only be true when field `%s.guestIP` is 0.0.0.0", field, field))
 		}
 		if rule.GuestPort != 0 {

pkg/portfwd/forward.go

@@ -83,9 +83,9 @@ func (fw *Forwarder) forwardingAddresses(guest *api.IPPort) (hostAddr, guestAddr
 		case guestIP.IsUnspecified():
 		case guestIP.Equal(rule.GuestIP):
 		case guestIP.Equal(net.IPv6loopback) && rule.GuestIP.Equal(IPv4loopback1):
-		case rule.GuestIP.IsUnspecified() && !rule.GuestIPMustBeZero:
+		case rule.GuestIP.IsUnspecified() && !*rule.GuestIPMustBeZero:
 			// When GuestIPMustBeZero is true, then 0.0.0.0 must be an exact match, which is already
-			// handled above by the guest.IP.IsUnspecified() condition.
+			// handled above by the guestIP.IsUnspecified() condition.
 		default:
 			continue
 		}

templates/default.yaml

@@ -491,9 +491,9 @@ networks:
 #   ignore: true     # don't forward these ports (guestPortRange, in this case 1-65535)
 #
 # - guestPort: 7443
-#   guestIP: "0.0.0.0"       # Will match *any* interface
-#   guestIPMustBeZero: true  # Restrict matching to 0.0.0.0 binds only
-#   hostIP: "0.0.0.0"        # Forwards to 0.0.0.0, exposing it externally
+#   guestIP: "0.0.0.0"        # Will match *any* interface
+#   guestIPMustBeZero: false  # 0.0.0.0 matches any bound interface, not just 0.0.0.0 itself
+#   hostIP: "0.0.0.0"         # Forwards to 0.0.0.0, exposing it externally
 #
 # - guestSocket: "/run/user/{{.UID}}/my.sock"
 #   hostSocket: mysocket