From c1eff9a3c622516c7bb9194a1df50dfe01281c56 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Fri, 7 Oct 2022 04:53:40 +0200 Subject: conf, tcp, udp: Allow specification of interface to bind to Since kernel version 5.7, commit c427bfec18f2 ("net: core: enable SO_BINDTODEVICE for non-root users"), we can bind sockets to interfaces, if they haven't been bound yet (as in bind()). Introduce an optional interface specification for forwarded ports, prefixed by %, that can be passed together with an address. Reported use case: running local services that use ports we want to have externally forwarded: https://github.com/containers/podman/issues/14425 Signed-off-by: Stefano Brivio Reviewed-by: David Gibson --- passt.1 | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'passt.1') diff --git a/passt.1 b/passt.1 index 555a50c..7d113f2 100644 --- a/passt.1 +++ b/passt.1 @@ -325,7 +325,8 @@ For low (< 1024) ports, see \fBNOTES\fR. .BR ports A comma-separated list of ports, optionally ranged with \fI-\fR, and, optionally, with target ports after \fI:\fR, if they differ. Specific addresses -can be bound as well, separated by \fI/\fR. Within given ranges, selected ports +can be bound as well, separated by \fI/\fR, and also, since Linux 5.7, limited +to specific interfaces, prefixed by \fI%\fR. Within given ranges, selected ports and ranges can be excluded by an additional specification prefixed by \fI~\fR. Specifying excluded ranges only implies that all other ports are forwarded. Examples: @@ -349,6 +350,9 @@ Forward local ports 22 to 80 to corresponding ports on the guest plus 10 -t 192.0.2.1/22 Forward local port 22, bound to 192.0.2.1, to port 22 on the guest .TP +-t 192.0.2.1%eth0/22 +Forward local port 22, bound to 192.0.2.1 and interface eth0, to port 22 +.TP -t 2000-5000,~3000-3010 Forward local ports 2000 to 5000, but not 3000 to 3010 .TP 
@@ -399,7 +403,8 @@ periodically derived (every second) from listening sockets reported by .BR ports A comma-separated list of ports, optionally ranged with \fI-\fR, and, optionally, with target ports after \fI:\fR, if they differ. Specific addresses -can be bound as well, separated by \fI/\fR. Within given ranges, selected ports +can be bound as well, separated by \fI/\fR, and also, since Linux 5.7, limited +to specific interfaces, prefixed by \fI%\fR. Within given ranges, selected ports and ranges can be excluded by an additional specification prefixed by \fI~\fR. Specifying excluded ranges only implies that all other ports are forwarded. Examples: @@ -424,6 +429,9 @@ namespace -t 192.0.2.1/22 Forward local port 22, bound to 192.0.2.1, to port 22 in the target namespace .TP +-t 192.0.2.1%eth0/22 +Forward local port 22, bound to 192.0.2.1 and interface eth0, to port 22 +.TP -t 2000-5000,~3000-3010 Forward local ports 2000 to 5000, but not 3000 to 3010 .TP -- cgit v1.2.3
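Review bot: in the @@ -325,7 hunk, the new wording "limited to specific interfaces, prefixed by \fI%\fR" leaves the syntax underspecified: it does not say that the interface comes after the address (the only example on the page is 192.0.2.1%eth0/22), nor whether an interface may be given without an address, which the commit message describes only as "passed together with an address". Suggest "and, since Linux 5.7, to a specific interface, given after the address and prefixed by \fI%\fR". Since the text ties the feature to Linux 5.7, a short sentence on what happens on older kernels (refused at startup, warned about, or ignored) would also save users a surprise.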
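Review bot: in the @@ -349,6 hunk, the new example description "Forward local port 22, bound to 192.0.2.1 and interface eth0, to port 22" drops the trailing "on the guest" that the adjacent "-t 192.0.2.1/22" entry keeps; make it "to port 22 on the guest" so the example list reads uniformly.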
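Review bot: in the @@ -399,7 hunk, the same interface sentence is added to the paragraph whose surrounding context describes ports "periodically derived (every second) from listening sockets"; the text does not say whether a \fI%\fR interface restriction is honoured for automatically derived ports or only for explicitly listed ones. One clause stating which it is would avoid readers assuming the restriction carries over.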
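Review bot: in the @@ -424,6 hunk, the new example text ends at "to port 22" while the neighbouring "-t 192.0.2.1/22" entry ends with "to port 22 in the target namespace"; append "in the target namespace" so the two namespace examples stay consistent.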