Review default portforwarding rules #4193

@jandubois

@norio-nomura wrote on Slack:

Why is the default portforward rule's guestIP "127.0.0.1"?

The simple (unhelpful) answer is: it is a rule with all fields filled in by defaults:

portForwards:
- {}

Background

When I originally implemented portForwards I made a mistake: I interpreted guestIP: 0.0.0.0 as matching the binding to any interface, not just binding to net.IPv4zero.

Obviously this should not be the default guestIP for forwarding.

In hindsight I wish I had used * for this extreme wildcard behaviour (or not implemented it at all, as it does not seem useful).

But to keep backwards compatibility I later added the GuestIPMustBeZero boolean to the rules to mean "only match ports listening on 0.0.0.0". I use it like this:

portForwards:
- guestIPMustBeZero: true
  hostIP: 0.0.0.0

That way when a container binds to 127.0.0.1 inside the VM it forwards to 127.0.0.1 on the host, but if it binds to 0.0.0.0 in the VM, then it also binds to 0.0.0.0 on the host. But no other interfaces have their port bindings forwarded.

Should the default forwarding rule (to 127.0.0.1) change?

@norio-nomura suggested:

"0.0.0.0" or "::"?

I don't think we should forward all bound ports, just 0.0.0.0 and 127.0.0.1. And by default we should only forward to localhost, not to the external interfaces on the host. So I would support using this as the default rules (added some default values for clarity):

portForwards:
- guestIPMustBeZero: true
  guestIP: 0.0.0.0
  hostIP: 127.0.0.1
- guestIP: 127.0.0.1
  hostIP: 127.0.0.1

These are the lowest priority rules, so the user can always override them in their lima.yaml.

Should we fix the weird matching of guestIP: 0.0.0.0?

I would like the useful semantics to be the default. We can keep the original semantics as an option, just in case I'm wrong that nobody uses them.

Option 1: with a deprecation cycle

We can make GuestIPMustBeZero into a *bool, so we can know if it was explicitly set to false, or not specified.

Then we can issue a warning if lima.yaml contains a rule guestIP: 0.0.0.0 and does not explicitly set GuestIPMustBeZero:

portForwards[1].guestIP is 0.0.0.0 semantic will change in Lima 3.0 see https://...

Then we add guestIP: * as a shortcut (that will not warn) for

portForwards:
- guestIP: 0.0.0.0
  guestIPMustBeZero: false

In Lima 3.0 we get rid of the warning and switch the default of guestIPMustBeZero from false to true.

Option 2: Incompatible change

We can decide that the current semantics are unlikely to be used by anyone. So we could announce it in the release notes and make the switch to the final state from Option 1 already for Lima 2.0.
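The matching semantics discussed above, as an added example (a simplified model, not Lima's own code): it compares a legacy wildcard rule that forwards to `0.0.0.0` on the host with the proposed default rules. The names `Rule`, `HostBind`, `Legacy` and `Proposed`, the guest address `192.168.5.15`, and the first-match-wins evaluation order are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is a simplified stand-in for one portForwards entry (hypothetical type).
type Rule struct {
	GuestIP           net.IP
	GuestIPMustBeZero bool
	HostIP            net.IP
}

// matches models the semantics described in the issue.
func (r Rule) matches(guest net.IP) bool {
	if r.GuestIP.IsUnspecified() {
		if r.GuestIPMustBeZero {
			return guest.IsUnspecified() // only listeners bound to 0.0.0.0
		}
		return true // legacy wildcard: a listener on any guest interface
	}
	return r.GuestIP.Equal(guest)
}

// HostBind returns the host address a guest listener is forwarded to,
// or "" when no rule matches. Assumption: the first matching rule wins.
func HostBind(rules []Rule, guest string) string {
	g := net.ParseIP(guest)
	for _, r := range rules {
		if r.matches(g) {
			return r.HostIP.String()
		}
	}
	return ""
}

func ip(s string) net.IP { return net.ParseIP(s) }

// Legacy: guestIP 0.0.0.0 without guestIPMustBeZero, forwarded to all host interfaces.
var Legacy = []Rule{{GuestIP: ip("0.0.0.0"), HostIP: ip("0.0.0.0")}}

// Proposed: the default rules suggested in the issue.
var Proposed = []Rule{
	{GuestIP: ip("0.0.0.0"), GuestIPMustBeZero: true, HostIP: ip("127.0.0.1")},
	{GuestIP: ip("127.0.0.1"), HostIP: ip("127.0.0.1")},
}

func main() {
	// Constructed guest listener addresses.
	for _, g := range []string{"0.0.0.0", "127.0.0.1", "192.168.5.15"} {
		fmt.Printf("guest %-13s legacy=%q proposed=%q\n", g, HostBind(Legacy, g), HostBind(Proposed, g))
	}
}
```

Under the legacy rule a guest listener bound to a single internal interface ends up reachable on every host interface, while the proposed defaults leave it unforwarded and keep the other two on host loopback.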
