diff options
| author | Stefano Brivio <sbrivio@redhat.com> | 2022-10-07 04:53:40 +0200 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2022-10-15 02:10:36 +0200 |
| commit | c1eff9a3c622516c7bb9194a1df50dfe01281c56 (patch) | |
| tree | 01dc155f0b38022a511f37e3760b0844ffa195e2 /util.c | |
| parent | a62ed181db9ba7d85d057365d5331dd35026247f (diff) | |
| download | passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar.gz passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar.bz2 passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar.lz passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar.xz passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.tar.zst passt-c1eff9a3c622516c7bb9194a1df50dfe01281c56.zip | |
conf, tcp, udp: Allow specification of interface to bind to
Since kernel version 5.7, commit c427bfec18f2 ("net: core: enable
SO_BINDTODEVICE for non-root users"), we can bind sockets to
interfaces, if they haven't been bound yet (as in bind()).
Introduce an optional interface specification for forwarded ports,
prefixed by %, that can be passed together with an address.
Reported use case: running local services that use ports we want
to have externally forwarded:
https://github.com/containers/podman/issues/14425
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Diffstat (limited to 'util.c')
| -rw-r--r-- | util.c | 19 |
1 files changed, 18 insertions, 1 deletions
@@ -90,13 +90,15 @@ found: * @af: Address family, AF_INET or AF_INET6 * @proto: Protocol number * @bind_addr: Address for binding, NULL for any + * @ifname: Interface for binding, NULL for any * @port: Port, host order * @data: epoll reference portion for protocol handlers * * Return: newly created socket, -1 on error */ int sock_l4(const struct ctx *c, int af, uint8_t proto, - const void *bind_addr, uint16_t port, uint32_t data) + const void *bind_addr, const char *ifname, uint16_t port, + uint32_t data) { union epoll_ref ref = { .r.proto = proto, .r.p.data = data }; struct sockaddr_in addr4 = { @@ -163,6 +165,21 @@ int sock_l4(const struct ctx *c, int af, uint8_t proto, if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &y, sizeof(y))) debug("Failed to set SO_REUSEADDR on socket %i", fd); + if (ifname) { + /* Supported since kernel version 5.7, commit c427bfec18f2 + * ("net: core: enable SO_BINDTODEVICE for non-root users"). If + * it's unsupported, don't bind the socket at all, because the + * user might rely on this to filter incoming connections. + */ + if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, + ifname, strlen(ifname))) { + warn("Can't bind socket for %s port %u to %s, closing", + ip_proto_str[proto], port, ifname); + close(fd); + return -1; + } + } + if (bind(fd, sa, sl) < 0) { /* We'll fail to bind to low ports if we don't have enough * capabilities, and we'll fail to bind on already bound ports, |