The series looks good to me in general, except that:
On Wed, 19 Nov 2025 16:22:57 +1100
David Gibson

> Currently, outbound forwards (-T, -U) are handled by sockets bound to the
> loopback address. Typically we create two sockets, one for 127.0.0.1 and
> one for ::1.
>
> This has some disadvantages:
>
> * The guest can't connect via 127.0.0.0/8 addresses other than 127.0.0.1
> * We can't use dual-stack sockets, we have to have separate sockets for
>   IPv4 and IPv6.
>
> The restriction exists for a reason though. If the guest has any
> interfaces other than pasta (e.g. a VPN tunnel) external hosts could reach
> the host via the forwards. Especially combined with -T auto / -U auto this
> would make it very easy to make a mistake with nasty security implications.
>
> We can achieve this a different way, however. Don't bind to a specific
> address, but _do_ use SO_BINDTODEVICE to restrict the sockets to the "lo"
> interface.
...this means, as I pointed out on:

  https://archives.passt.top/passt-dev/20251022105916.53925523@elisabeth/

that we might break functionality for a number of pasta(1) users. I don't have a complete version of the SO_BINDTODEVICE fallback I sketched there, so I can't just add one on top of this series at the moment, but we need something like that before I can merge this.

-- 
Stefano
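An added example, not code from the series or from pasta itself, of the socket setup the cover letter describes: one dual-stack TCP listener bound to the wildcard address and pinned to the loopback interface with SO_BINDTODEVICE, plus a getsockopt check that the pin took effect and a loopback connect to show that 127.0.0.2 and ::1 both reach the single socket. It assumes Linux; the function names are my own. Where the kernel refuses SO_BINDTODEVICE (EPERM on kernels that require CAP_NET_RAW), the failure is only reported to the caller, since the fallback discussed in the thread is not on this page.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open one dual-stack TCP listener on 'port' (0 = ephemeral), bound to the
 * wildcard address but restricted to the "lo" interface with SO_BINDTODEVICE.
 * Returns the listening fd, or -1 with errno set (EPERM if the kernel wants
 * CAP_NET_RAW for SO_BINDTODEVICE; the caller decides what to do then). */
int open_lo_listener(uint16_t port)
{
	int s = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
	int off = 0;
	struct sockaddr_in6 sa = {
		.sin6_family = AF_INET6,
		.sin6_addr = in6addr_any,	/* wildcard, not ::1 / 127.0.0.1 */
		.sin6_port = htons(port),
	};

	if (s < 0)
		return -1;
	/* Dual stack: IPv4 peers show up as ::ffff:a.b.c.d on this socket. */
	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof(off)) < 0)
		goto fail;
	/* The actual restriction: only packets arriving on "lo" are delivered,
	 * whichever address they were sent to. */
	if (setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, "lo", sizeof("lo")) < 0)
		goto fail;
	if (bind(s, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(s, 8) < 0)
		goto fail;
	return s;
fail:
	{
		int saved = errno;
		close(s);
		errno = saved;
	}
	return -1;
}

/* Port the listener ended up on (host byte order), 0 on error. */
uint16_t listener_port(int s)
{
	struct sockaddr_in6 sa;
	socklen_t len = sizeof(sa);

	if (getsockname(s, (struct sockaddr *)&sa, &len) < 0)
		return 0;
	return ntohs(sa.sin6_port);
}

/* Verify via getsockopt() that the socket really is pinned to 'ifname'. */
int bound_to_device(int s, const char *ifname)
{
	char buf[IFNAMSIZ] = "";
	socklen_t len = sizeof(buf);

	if (getsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, buf, &len) < 0)
		return 0;
	return strcmp(buf, ifname) == 0;
}

/* Connect to 'addr' (IPv4 dotted or IPv6 text) on the listener's port and
 * accept the connection. Returns 0 on success, -1 on failure. */
int connect_and_accept(int lsock, const char *addr)
{
	struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6 };
	struct sockaddr_in sa4 = { .sin_family = AF_INET };
	struct sockaddr *sa;
	socklen_t slen;
	int family, c, a;
	uint16_t port = listener_port(lsock);

	if (inet_pton(AF_INET6, addr, &sa6.sin6_addr) == 1) {
		family = AF_INET6; sa6.sin6_port = htons(port);
		sa = (struct sockaddr *)&sa6; slen = sizeof(sa6);
	} else if (inet_pton(AF_INET, addr, &sa4.sin_addr) == 1) {
		family = AF_INET; sa4.sin_port = htons(port);
		sa = (struct sockaddr *)&sa4; slen = sizeof(sa4);
	} else {
		return -1;
	}
	c = socket(family, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (c < 0)
		return -1;
	if (connect(c, sa, slen) < 0) {	/* loopback handshake completes here */
		close(c);
		return -1;
	}
	a = accept(lsock, NULL, NULL);
	close(c);
	if (a < 0)
		return -1;
	close(a);
	return 0;
}

int main(void)
{
	int fd = open_lo_listener(0);

	if (fd < 0) {
		perror("open_lo_listener");	/* e.g. EPERM without CAP_NET_RAW */
		return 1;
	}
	printf("listening on port %u, pinned to lo: %s\n",
	       listener_port(fd), bound_to_device(fd, "lo") ? "yes" : "no");
	printf("127.0.0.2 -> %s\n", connect_and_accept(fd, "127.0.0.2") ? "refused" : "accepted");
	printf("::1       -> %s\n", connect_and_accept(fd, "::1") ? "refused" : "accepted");
	close(fd);
	return 0;
}
```

The pin is what carries the security property, not the bind address: a packet for 127.0.0.2 arriving on a VPN or other non-loopback interface never matches this socket, while anything the guest sends to 127.0.0.0/8 or ::1 does. Checking getsockopt(SO_BINDTODEVICE) after setting it is worth keeping, because a setsockopt() that silently did nothing would leave the wildcard-bound listener reachable from every interface.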