On Fri, Nov 21, 2025 at 04:56:01AM +0100, Stefano Brivio wrote:
> The series looks good to me in general, except that:
>
> On Wed, 19 Nov 2025 16:22:57 +1100 David Gibson wrote:
>
> > Currently, outbound forwards (-T, -U) are handled by sockets bound to the loopback address. Typically we create two sockets, one for 127.0.0.1 and one for ::1.
> >
> > This has some disadvantages:
> >   * The guest can't connect via 127.0.0.0/8 addresses other than 127.0.0.1
> >   * We can't use dual-stack sockets, we have to have separate sockets for IPv4 and IPv6.
> >
> > The restriction exists for a reason though. If the guest has any interfaces other than pasta (e.g. a VPN tunnel) external hosts could reach the host via the forwards. Especially combined with -T auto / -U auto this would make it very easy to make a mistake with nasty security implications.
> >
> > We can achieve this a different way, however. Don't bind to a specific address, but _do_ use SO_BINDTODEVICE to restrict the sockets to the "lo" interface.
>
> ...this means, as I pointed out on:
>
> https://archives.passt.top/passt-dev/20251022105916.53925523@elisabeth/
>
> that we might break functionality for a number of pasta(1) users.
>
> I don't have a complete version of the SO_BINDTODEVICE fallback I sketched there, so I can't just add one on top of this series at the moment, but we need something like that before I can merge this.
I re-examined your proposed approach, but realised it doesn't quite work. The problem is that to complete it, sock_l4_sa() would need to create both an IPv4 and an IPv6 socket. That works right now, but it breaks the assumption that tcp_sock_init() and udp_sock_init() create (at most) a single socket. That wasn't the case until 8/9 in this series, but part of the reason for 8/9 is because establishing that invariant makes a bunch of stuff in the works much saner.

So, I'm working to figure out a different approach for an SO_BINDTODEVICE fallback.

-- 
David Gibson (he or they)      | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
                               | around.
http://www.ozlabs.org/~dgibson
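The socket scheme the quoted cover letter describes, written out as an added example; this is illustrative code, not passt/pasta's own, and the names lo_listen(), lo_probe(), lo_bound_device() and the struct are mine. It assumes a Linux host with a "lo" interface and a kernel that allows SO_BINDTODEVICE without CAP_NET_RAW (5.7 and later). Instead of two sockets bound to 127.0.0.1 and ::1, one dual-stack socket is bound to the IPv6 wildcard and restricted to "lo", so any 127.x.y.z address and ::1 all work while traffic from other interfaces is never matched. When the device binding is refused, the code falls back to the old address-bound scheme. That fallback is my own sketch, not the one from the linked thread, and it deliberately covers only the 127.0.0.1 half, because binding ::1 as well would need the second socket the reply above says the one-socket-per-init invariant rules out.

```c
/* Added example, not passt/pasta code. One dual-stack TCP listener reachable
 * from every loopback address (all of 127.0.0.0/8, plus ::1) but, because of
 * SO_BINDTODEVICE "lo", from no other interface. If the device binding is
 * refused (on kernels before 5.7 the option needs CAP_NET_RAW) it falls back
 * to the address-bound scheme; only its 127.0.0.1 half is shown here. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum lo_mode { LO_FAILED = 0, LO_DEVICE, LO_ADDRESS };
struct lo_listener {
	int fd;
	enum lo_mode mode;
	in_port_t port;	/* bound port, host byte order */
	int err;	/* errno if the SO_BINDTODEVICE path failed */
};

/* Listening TCP socket: dual-stack if af is AF_INET6, device-bound if dev. */
static int lo_sock(int af, const struct sockaddr *sa, socklen_t sl, const char *dev)
{
	int zero = 0, fd = socket(af, SOCK_STREAM | SOCK_CLOEXEC, 0);

	if (fd < 0)
		return -1;
	if ((af == AF_INET6 &&
	     setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &zero, sizeof(zero)) < 0) ||
	    (dev && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, dev, strlen(dev) + 1) < 0) ||
	    bind(fd, sa, sl) < 0 || listen(fd, 8) < 0) {
		int e = errno;

		close(fd);
		errno = e;
		return -1;
	}
	return fd;
}

struct lo_listener lo_listen(in_port_t port)
{
	struct lo_listener l = { -1, LO_FAILED, 0, 0 };
	struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_port = htons(port),
				    .sin6_addr = in6addr_any }; /* wildcard, not ::1 */
	struct sockaddr_in sa4 = { .sin_family = AF_INET, .sin_port = htons(port),
				   .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	socklen_t sl = sizeof(sa6);

	/* Preferred: the interface restriction, not the bound address, keeps
	 * other interfaces out, so one socket serves any 127.x.y.z (IPv4 peers
	 * appear as ::ffff:a.b.c.d) as well as ::1. */
	l.fd = lo_sock(AF_INET6, (struct sockaddr *)&sa6, sizeof(sa6), "lo");
	l.mode = LO_DEVICE;
	if (l.fd < 0) {	/* fallback: bind 127.0.0.1; ::1 would need a second socket */
		l.err = errno;
		l.fd = lo_sock(AF_INET, (struct sockaddr *)&sa4, sizeof(sa4), NULL);
		l.mode = l.fd < 0 ? LO_FAILED : LO_ADDRESS;
	}
	/* Port 0 asked for an ephemeral port: read back the one the kernel chose. */
	if (l.fd >= 0 && getsockname(l.fd, (struct sockaddr *)&sa6, &sl) == 0)
		l.port = ntohs(l.mode == LO_DEVICE ? sa6.sin6_port
				: ((struct sockaddr_in *)&sa6)->sin_port);
	return l;
}

/* Device the socket is bound to ("" if none); buf needs IFNAMSIZ bytes. */
int lo_bound_device(int fd, char *buf, socklen_t len)
{
	memset(buf, 0, len);
	return getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, buf, &len);
}

/* Does a TCP connect to the listener via this numeric loopback address
 * complete? 1 if the kernel accepted the handshake, 0 if it was refused. */
int lo_probe(const struct lo_listener *l, const char *addr)
{
	struct addrinfo hints = { .ai_flags = AI_NUMERICHOST | AI_NUMERICSERV,
				  .ai_socktype = SOCK_STREAM }, *ai;
	char port[6];
	int fd, ok;

	snprintf(port, sizeof(port), "%u", (unsigned)l->port);
	if (getaddrinfo(addr, port, &hints, &ai) != 0)
		return 0;
	fd = socket(ai->ai_family, SOCK_STREAM, 0);
	ok = fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0;
	if (fd >= 0)
		close(fd);
	freeaddrinfo(ai);
	return ok;
}
```

Calling lo_listen(0) and then lo_probe() with "127.0.0.1", "127.0.0.2" and "::1" shows the difference between the two modes directly: with the device binding in place all three loopback addresses reach the one socket and lo_bound_device() reports "lo"; in the fallback only 127.0.0.1 is reachable and 127.0.0.2 is refused, which is the first of the two disadvantages the cover letter lists. Whether lo_listen() comes back in LO_DEVICE or LO_ADDRESS mode is also the check a deployment can run to learn whether SO_BINDTODEVICE is usable in its environment at all, which is the compatibility question raised in the review.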