From e3655a61c528c7fbe1550d41bab24ab3687d866a Mon Sep 17 00:00:00 2001
From: "claude[bot]" <claude[bot]@users.noreply.github.com>
Date: Wed, 4 Mar 2026 03:22:13 +0000
Subject: [PATCH] fix: propagate ping spawn errors in verify_port_forwarding
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The new ping-based ARP check used `if let Ok(...)` which silently
swallowed command spawn failures (nsenter/ping not found, permission
denied). This could cause a 5-second busy loop with a misleading
"ARP not resolved" error. Propagate spawn errors immediately with
`.context()?` to match the old code's behavior.

Also update stale comment in snapshot.rs to reflect the ping-based
ARP resolution approach.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/commands/snapshot.rs |  7 ++++---
 src/network/pasta.rs     | 18 ++++++++++--------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/commands/snapshot.rs b/src/commands/snapshot.rs
index 5ac0dda7..7c044c3e 100644
--- a/src/commands/snapshot.rs
+++ b/src/commands/snapshot.rs
@@ -1082,10 +1082,11 @@ pub async fn cmd_snapshot_run(args: SnapshotRunArgs) -> Result<()> {
         }
     }
 
-    // Verify pasta's L2 forwarding path has ARP resolved before starting health monitor.
+    // Verify pasta's L2 forwarding path is ready before starting health monitor.
     // After snapshot restore, pasta may not have learned the guest's MAC yet.
-    // This probes each forwarded port to trigger and verify ARP resolution —
-    // no guest service needs to be running, just the guest's kernel.
+    // This pings the guest to trigger ARP resolution, then probes each forwarded
+    // port to confirm end-to-end forwarding works. Only the guest kernel needs
+    // to be running (no guest services required for the ARP/ping step).
     network
         .verify_port_forwarding()
         .await
diff --git a/src/network/pasta.rs b/src/network/pasta.rs
index fd82c542..77430602 100644
--- a/src/network/pasta.rs
+++ b/src/network/pasta.rs
@@ -687,20 +687,22 @@ impl NetworkManager for PastaNetwork {
             // Ping the guest to trigger ARP resolution. A successful ping (exit 0)
             // proves ARP resolved AND the guest is reachable — skip the ip neigh check.
             // Use 200ms timeout for ~16 retries within the 5s deadline.
-            let ping_result = Command::new(&nsenter_prefix[0])
+            let output = Command::new(&nsenter_prefix[0])
                 .args(&nsenter_prefix[1..])
                 .args(["ping", "-c", "1", "-W", "0.2", GUEST_IP])
                 .stdout(Stdio::null())
                 .stderr(Stdio::null())
                 .output()
-                .await;
+                .await
+                .context("running ping via nsenter in namespace")?;
 
-            if let Ok(ref out) = ping_result {
-                if out.status.success() {
-                    info!(guest_ip = GUEST_IP, "guest reachable via ping, ARP resolved");
-                    self.wait_for_port_forwarding().await?;
-                    return Ok(());
-                }
+            if output.status.success() {
+                info!(
+                    guest_ip = GUEST_IP,
+                    "guest reachable via ping, ARP resolved"
+                );
+                self.wait_for_port_forwarding().await?;
+                return Ok(());
             }
 
             if std::time::Instant::now() > deadline {