diff options
| author | David Gibson <david@gibson.dropbear.id.au> | 2024-10-03 14:48:32 +1000 |
|---|---|---|
| committer | Stefano Brivio <sbrivio@redhat.com> | 2024-10-04 19:04:29 +0200 |
| commit | 9d66df9a9a45b9305a2daff8a3c09a28f2c78d83 (patch) | |
| tree | f627f8309045423bf05257549b8061dadc10b532 /util.c | |
| parent | 151dbe0d3d3690978a0a5cf3b8fa9808bd708668 (diff) | |
| download | passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar.gz passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar.bz2 passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar.lz passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar.xz passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.tar.zst passt-9d66df9a9a45b9305a2daff8a3c09a28f2c78d83.zip | |
conf: Add command line switch to enable IP_FREEBIND socket option
In a couple of recent reports, we've seen that it can be useful for pasta
to forward ports from addresses which are not currently configured on the
host, but might be in future. That can be done with the sysctl
net.ipv4.ip_nonlocal_bind, but that does require CAP_NET_ADMIN to set in
the first place. We can allow the same thing on a per-socket basis with
the IP_FREEBIND (or IPV6_FREEBIND) socket option.
Add a --freebind command line argument to enable this socket option on
all listening sockets.
Link: https://bugs.passt.top/show_bug.cgi?id=101
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'util.c')
| -rw-r--r-- | util.c | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -52,6 +52,7 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, { sa_family_t af = ((const struct sockaddr *)sa)->sa_family; union epoll_ref ref = { .type = type, .data = data }; + bool freebind = false; struct epoll_event ev; int fd, y = 1, ret; uint8_t proto; @@ -61,8 +62,11 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, case EPOLL_TYPE_TCP_LISTEN: proto = IPPROTO_TCP; socktype = SOCK_STREAM | SOCK_NONBLOCK; + freebind = c->freebind; break; case EPOLL_TYPE_UDP_LISTEN: + freebind = c->freebind; + /* fallthrough */ case EPOLL_TYPE_UDP_REPLY: proto = IPPROTO_UDP; socktype = SOCK_DGRAM | SOCK_NONBLOCK; @@ -127,6 +131,18 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, } } + if (freebind) { + int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6; + int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND; + + if (setsockopt(fd, level, opt, &y, sizeof(y))) { + err_perror("Failed to set %s on socket %i", + af == AF_INET ? "IP_FREEBIND" + : "IPV6_FREEBIND", + fd); + } + } + if (bind(fd, sa, sl) < 0) { /* We'll fail to bind to low ports if we don't have enough * capabilities, and we'll fail to bind on already bound ports, |