Date: Wed, 2 Oct 2024 09:16:52 +0200
From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson
CC: passt-dev@passt.top
Subject: Re: [PATCH] conf: Add command line switch to enable IP_FREEBIND socket option
Message-ID: <20241002091652.1a94da20@elisabeth>
In-Reply-To: <20241002044716.1802209-1-david@gibson.dropbear.id.au>
References: <20241002044716.1802209-1-david@gibson.dropbear.id.au>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
List-Id: Development discussion and patches for passt

On Wed, 2 Oct 2024 14:47:16 +1000
David Gibson wrote:

> In a couple of recent reports, we've seen that it can be useful for pasta
> to forward ports from addresses which are not currently configured on the
> host, but might be in future.  That can be done with the sysctl
> net.ipv4.ip_nonlocal_bind, but that does require CAP_NET_ADMIN to set in
> the first place.  We can allow the same thing on a per-socket basis with
> the IP_FREEBIND (or IPV6_FREEBIND) socket option.
>
> Add a --freebind command line argument to enable this socket option on
> all listening sockets.
>
> Link: https://bugs.passt.top/show_bug.cgi?id=101
>
> Signed-off-by: David Gibson
> ---
>  conf.c  |  2 ++
>  passt.1 |  6 ++++++
>  passt.h |  1 +
>  util.c  | 15 +++++++++++++++
>  4 files changed, 24 insertions(+)
>
> diff --git a/conf.c b/conf.c
> index 6e62510..84aa89d 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -836,6 +836,7 @@ static void usage(const char *name, FILE *f, int status)
>  		"  --no-ndp		Disable NDP responses\n"
>  		"  --no-dhcpv6		Disable DHCPv6 server\n"
>  		"  --no-ra		Disable router advertisements\n"
> +		"  --freebind		Allow forwarding from any address\n"

I think "from any address" might be a bit ambiguous, because it could also
be read as "Allow forwarding traffic coming from any address", which is
allowed regardless. What about:

  "  --freebind		Allow any address for forwarding\n"

?

>  		"  --no-map-gw		Don't map gateway address to host\n"
>  		"  -4, --ipv4-only	Enable IPv4 operation only\n"
>  		"  -6, --ipv6-only	Enable IPv6 operation only\n");
> @@ -1255,6 +1256,7 @@ void conf(struct ctx *c, int argc, char **argv)
>  		{"no-dhcpv6",	no_argument,		&c->no_dhcpv6,	1 },
>  		{"no-ndp",	no_argument,		&c->no_ndp,	1 },
>  		{"no-ra",	no_argument,		&c->no_ra,	1 },
> +		{"freebind",	no_argument,		&c->freebind,	1 },
>  		{"no-map-gw",	no_argument,		&no_map_gw,	1 },
>  		{"ipv4-only",	no_argument,		NULL,		'4' },
>  		{"ipv6-only",	no_argument,		NULL,		'6' },
> diff --git a/passt.1 b/passt.1
> index 79d134d..a2547f8 100644
> --- a/passt.1
> +++ b/passt.1
> @@ -327,6 +327,12 @@ namespace will be silently dropped.
>  Disable Router Advertisements. Router Solicitations coming from guest or target
>  namespace will be ignored.
>  
> +.TP
> +.BR \-\-freebind
> +Allow forwarding from addresses which are not configured on the host,

Same here, it could also be read as "Allow forwarding traffic coming from
addresses ...". Perhaps:

  Allow binding to addresses which are not configured on the host (but
  might be in the future) for port forwarding.

?

> +but might be in future. This enables the \fBIP_FREEBIND\fR or
> +\fBIPB6_FREEBIND\fR option on listening sockets.
> +
>  .TP
>  .BR \-\-map-host-loopback " " \fIaddr
>  Translate \fIaddr\fR to refer to the host. Packets from the guest to
> diff --git a/passt.h b/passt.h
> index 031c9b6..e00049e 100644
> --- a/passt.h
> +++ b/passt.h
> @@ -284,6 +284,7 @@ struct ctx {
>  	int no_dhcpv6;
>  	int no_ndp;
>  	int no_ra;
> +	int freebind;

Missing update to struct comment.

>  
>  	int low_wmem;
>  	int low_rmem;
> diff --git a/util.c b/util.c
> index ebd93ed..96e3de8 100644
> --- a/util.c
> +++ b/util.c
> @@ -52,6 +52,7 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
>  {
>  	sa_family_t af = ((const struct sockaddr *)sa)->sa_family;
>  	union epoll_ref ref = { .type = type, .data = data };
> +	bool freebind = false;
>  	struct epoll_event ev;
>  	int fd, y = 1, ret;
>  	uint8_t proto;
> @@ -61,8 +62,11 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
>  	case EPOLL_TYPE_TCP_LISTEN:
>  		proto = IPPROTO_TCP;
>  		socktype = SOCK_STREAM | SOCK_NONBLOCK;
> +		freebind = c->freebind;
>  		break;
>  	case EPOLL_TYPE_UDP_LISTEN:
> +		freebind = c->freebind;
> +		/* fallthrough */
>  	case EPOLL_TYPE_UDP_REPLY:
>  		proto = IPPROTO_UDP;
>  		socktype = SOCK_DGRAM | SOCK_NONBLOCK;
> @@ -127,6 +131,17 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
>  		}
>  	}
>  
> +	if (freebind) {
> +		int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
> +		int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND;
> +
> +		if (setsockopt(fd, level, opt, &y, sizeof(y))) {
> +			err_perror("Failed to set %s on socket %i",

Indentation makes it look like err_perror() is part of the condition (it
should be one tab instead of spaces).

> +				   af == AF_INET ? "IP_FREEBIND" : "IPV6_FREEBIND",
> +				   fd);
> +		}
> +	}
> +
>  	if (bind(fd, sa, sl) < 0) {
>  		/* We'll fail to bind to low ports if we don't have enough
>  		 * capabilities, and we'll fail to bind on already bound ports,

-- 
Stefano
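Review bot: the new usage() entry in the conf.c hunk ("Allow forwarding from any address") describes a consequence rather than what the switch does, which per the commit message is setting IP_FREEBIND/IPV6_FREEBIND on the listening sockets so they can be bound to addresses the host does not have yet. Whatever wording is chosen, it should say "bind" rather than "forward" and match the passt.1 text word for word, for example `"  --freebind		Allow binding to addresses not on host\n"`, kept within the column width of the neighbouring `--no-ra` and `--no-map-gw` entries.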
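Review bot: `\fBIPB6_FREEBIND\fR` in the passt.1 hunk is a typo for `\fBIPV6_FREEBIND\fR` (the option is spelled correctly in the util.c hunk and in the commit message). Since the paragraph is being rewritten anyway, it is worth stating the contrast the commit message draws: this is a per-socket alternative to the net.ipv4.ip_nonlocal_bind sysctl that needs no CAP_NET_ADMIN, and it is applied only to the listening sockets used for forwarded ports, not to any other socket passt or pasta opens.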
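Review bot: in the sock_l4_sa() switch hunk, the fact that EPOLL_TYPE_UDP_REPLY sockets never get the option is only implied by the position of `freebind = c->freebind;` before the `/* fallthrough */` in the EPOLL_TYPE_UDP_LISTEN case. A short comment there saying that reply sockets are deliberately excluded would stop the next reader from assuming the assignment was simply forgotten for that case, and would make it obvious that `freebind` stays false for every type other than the two listen types.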
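Review bot: in the setsockopt() hunk, a failure to set IP_FREEBIND/IPV6_FREEBIND is logged with err_perror() and then execution simply falls through to bind(), which for an address that is not configured on the host will fail with a generic error that does not mention --freebind. Since the user asked for the option explicitly, consider treating the setsockopt() failure like the other error paths in this function (close the socket and return the error) or, if continuing is intended, say so in a comment. Note also that the existing comment below bind() about failing on low ports without enough capabilities remains accurate with this change: IP_FREEBIND only relaxes the check that the address is local, it does not relax the privileged-port check.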
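As an added example for this thread (it is not passt code and not part of David's patch), the following C program shows the behaviour the commit message describes: binding a TCP socket to an address the host does not have, once without and once with IP_FREEBIND/IPV6_FREEBIND, using the same level/option selection by address family as the util.c hunk. It assumes Linux and that 192.0.2.1 (RFC 5737 TEST-NET-1) is not configured on the host; the `try_bind()` helper and the fallback `#define` values are this example's own, not passt's.

```c
/* freebind_demo.c: show what IP_FREEBIND / IPV6_FREEBIND change at bind()
 * time. Added example for the passt-dev thread, not passt code. Linux only.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Linux UAPI values, for libc headers that predate the IPv6 option. */
#ifndef IP_FREEBIND
#define IP_FREEBIND 15
#endif
#ifndef IPV6_FREEBIND
#define IPV6_FREEBIND 78
#endif

/* Bind a TCP socket to addr:port, optionally with the freebind option set
 * first. Returns 0 on success, or the negated errno of the first failing
 * call (socket(), setsockopt() or bind()). Port 0 lets the kernel pick an
 * ephemeral port, so no privilege is needed. */
int try_bind(int af, const char *addr, uint16_t port, bool freebind)
{
	struct sockaddr_storage ss = { 0 };
	socklen_t sl = 0;
	int fd, ret = 0, y = 1;

	if (af == AF_INET) {
		struct sockaddr_in *sa4 = (struct sockaddr_in *)&ss;

		sa4->sin_family = AF_INET;
		sa4->sin_port = htons(port);
		if (inet_pton(AF_INET, addr, &sa4->sin_addr) != 1)
			return -EINVAL;
		sl = sizeof(*sa4);
	} else if (af == AF_INET6) {
		struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *)&ss;

		sa6->sin6_family = AF_INET6;
		sa6->sin6_port = htons(port);
		if (inet_pton(AF_INET6, addr, &sa6->sin6_addr) != 1)
			return -EINVAL;
		sl = sizeof(*sa6);
	} else {
		return -EAFNOSUPPORT;
	}

	fd = socket(af, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_TCP);
	if (fd < 0)
		return -errno;

	if (freebind) {
		/* Same level/option choice by family as the patch under review */
		int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
		int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND;

		if (setsockopt(fd, level, opt, &y, sizeof(y)) < 0) {
			ret = -errno;
			close(fd);
			return ret;
		}
	}

	/* Without freebind, a non-local address fails here with EADDRNOTAVAIL
	 * unless net.ipv4.ip_nonlocal_bind is set (which needs CAP_NET_ADMIN);
	 * with freebind the bind succeeds for any unicast address. */
	if (bind(fd, (struct sockaddr *)&ss, sl) < 0)
		ret = -errno;

	close(fd);
	return ret;
}

int main(void)
{
	/* Constructed input: TEST-NET-1 is reserved for documentation and is
	 * assumed not to be configured on the machine running this. */
	const char *addr = "192.0.2.1";
	int plain = try_bind(AF_INET, addr, 0, false);
	int fb = try_bind(AF_INET, addr, 0, true);

	printf("bind %s without IP_FREEBIND: %s\n", addr,
	       plain ? strerror(-plain) : "ok");
	printf("bind %s with IP_FREEBIND:    %s\n", addr,
	       fb ? strerror(-fb) : "ok");

	return fb ? 1 : 0;
}
```

Two caveats a deployer should keep in mind: the option only relaxes the "is this address local" check, so binding a port below 1024 still needs CAP_NET_BIND_SERVICE (or a lowered net.ipv4.ip_unprivileged_port_start), and a socket bound this way receives nothing until the address is actually configured on the host and traffic for it is routed there.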