Skip to content

fix: remove TCP port probe from verify_port_forwarding after restore #558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
claude-claude wants to merge 1 commit into from
Closed

fix: remove TCP port probe from verify_port_forwarding after restore #558

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions src/network/pasta.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -668,8 +668,16 @@ impl NetworkManager for PastaNetwork {
/// existing ones. The active ping forces the namespace kernel to send an
/// ARP request that the guest replies to, creating a REACHABLE entry.
///
/// Once ARP is resolved, we probe each forwarded port to confirm pasta's
/// loopback port forwarding is end-to-end functional.
/// Once ARP is resolved, the L2 forwarding path through pasta's bridge is
/// confirmed working. We do NOT probe individual forwarded ports with
/// TcpStream::connect() here — even though the guest is alive, a bare
/// connect-then-drop creates a half-open connection in pasta's L2
/// connection tracking that can poison subsequent data connections
/// (manifesting as 0-byte HTTP responses).
///
/// The ping proves: namespace → pasta bridge → guest L2/L3 path works.
/// Pasta is already listening on the loopback ports (confirmed at startup).
/// Together these guarantee the forwarding chain is functional.
async fn verify_port_forwarding(&self) -> Result<()> {
if self.port_mappings.is_empty() {
return Ok(());
Expand Down Expand Up @@ -699,9 +707,14 @@ impl NetworkManager for PastaNetwork {
if output.status.success() {
info!(
guest_ip = GUEST_IP,
"guest reachable via ping, ARP resolved"
"guest reachable via ping, ARP resolved — port forwarding path ready"
);
self.wait_for_port_forwarding().await?;
// Do NOT call wait_for_port_forwarding() here.
// A bare TcpStream::connect() + immediate drop through pasta's
// L2 translation creates a half-open entry in pasta's connection
// tracking table that poisons subsequent connections on the same
// port (0-byte responses). The ping already confirms L2
Comment on lines +712 to +716
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep restore path waiting for host port forwards to bind

After snapshot restore, this method now returns success after ping/ARP and explicitly skips wait_for_port_forwarding(). Because post_start() already skips that wait when restore_mode is set, rootless restores with port_mappings now have no check that host TCP forwards are actually accepting connections before health monitoring proceeds. wait_for_port_forwarding() in the same file still documents that pasta binds ports asynchronously (PID file/bridge readiness is not enough), so this change can reintroduce post-restore races where clones look ready but 127.x.y.z:<host_port> is not yet reachable.

Useful? React with 👍 / 👎.

// reachability and pasta is listening on the loopback ports.
return Ok(());
}

Expand Down
Loading