From: David Gibson
To: passt-dev@passt.top, Stefano Brivio
Cc: David Gibson
Subject: [PATCH v4] conf: Add command line switch to enable IP_FREEBIND socket option
Date: Thu, 3 Oct 2024 14:48:32 +1000
Message-ID: <20241003044832.2207832-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.46.2
List-Id: Development discussion and patches for passt

In a couple of recent reports, we've seen that it can be useful for pasta to forward ports from addresses which are not currently configured on the host, but might be in future. That can be done with the sysctl net.ipv4.ip_nonlocal_bind, but that does require CAP_NET_ADMIN to set in the first place.

We can allow the same thing on a per-socket basis with the IP_FREEBIND (or IPV6_FREEBIND) socket option. Add a --freebind command line argument to enable this socket option on all listening sockets.

Link: https://bugs.passt.top/show_bug.cgi?id=101
Signed-off-by: David Gibson --- conf.c | 2 ++ passt.1 | 10 ++++++++++ passt.h | 2 ++ util.c | 16 ++++++++++++++++ 4 files changed, 30 insertions(+) Changes since v3: * Rebased on the fixes for podman bug 24045, which is likely to merge first and has a textual conflict with this one. Changes since v2: * Actually committed all the changes that were supposed to be in v2 :/ Changes since v1: * Reworded --help and man page additions for clarity * Added missing structure comment * Fixed some incorrect indentation diff --git a/conf.c b/conf.c index b5318f3..e617bb6 100644 --- a/conf.c +++ b/conf.c @@ -836,6 +836,7 @@ static void usage(const char *name, FILE *f, int status) " --no-ndp Disable NDP responses\n" " --no-dhcpv6 Disable DHCPv6 server\n" " --no-ra Disable router advertisements\n" + " --freebind Bind to any address for forwarding\n" " --no-map-gw Don't map gateway address to host\n" " -4, --ipv4-only Enable IPv4 operation only\n" " -6, --ipv6-only Enable IPv6 operation only\n"); @@ -1258,6 +1259,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 }, {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, + {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, {"ipv4-only", no_argument, NULL, '4' }, {"ipv6-only", no_argument, NULL, '6' }, diff --git a/passt.1 b/passt.1 index 332384c..1386f29 100644 --- a/passt.1 +++ b/passt.1 
@@ -327,6 +327,16 @@ namespace will be silently dropped. Disable Router Advertisements. Router Solicitations coming from guest or target namespace will be ignored. +.TP +.BR \-\-freebind +Allow any binding address to be specified for \fB-t\fR and \fB-u\fR +options. Usually binding addresses must be addresses currently +configured on the host. With \fB\-\-freebind\fR, the +\fBIP_FREEBIND\fR or \fBIPV6_FREEBIND\fR socket option is enabled +allowing any address to be used. This is typically used to bind +addresses which might be configured on the host in future, at which +point the forwarding will immediately start operating. + .TP .BR \-\-map-host-loopback " " \fIaddr Translate \fIaddr\fR to refer to the host. Packets from the guest to diff --git a/passt.h b/passt.h index f7b7a58..72c7f72 100644 --- a/passt.h +++ b/passt.h @@ -226,6 +226,7 @@ struct ip6_ctx { * @no_ndp: Disable NDP handler altogether * @no_ra: Disable router advertisements * @host_lo_to_ns_lo: Map host loopback addresses to ns loopback addresses + * @freebind: Allow binding of non-local addresses for forwarding * @low_wmem: Low probed net.core.wmem_max * @low_rmem: Low probed net.core.rmem_max */ @@ -286,6 +287,7 @@ struct ctx { int no_ndp; int no_ra; int host_lo_to_ns_lo; + int freebind; int low_wmem; int low_rmem; diff --git a/util.c b/util.c index ebd93ed..eba7d52 100644 --- a/util.c +++ b/util.c @@ -52,6 +52,7 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, { sa_family_t af = ((const struct sockaddr *)sa)->sa_family; union epoll_ref ref = { .type = type, .data = data }; + bool freebind = false; struct epoll_event ev; int fd, y = 1, ret; uint8_t proto; 
@@ -61,8 +62,11 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, case EPOLL_TYPE_TCP_LISTEN: proto = IPPROTO_TCP; socktype = SOCK_STREAM | SOCK_NONBLOCK; + freebind = c->freebind; break; case EPOLL_TYPE_UDP_LISTEN: + freebind = c->freebind; + /* fallthrough */ case EPOLL_TYPE_UDP_REPLY: proto = IPPROTO_UDP; socktype = SOCK_DGRAM | SOCK_NONBLOCK; @@ -127,6 +131,18 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type, } } + if (freebind) { + int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6; + int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND; + + if (setsockopt(fd, level, opt, &y, sizeof(y))) { + err_perror("Failed to set %s on socket %i", + af == AF_INET ? "IP_FREEBIND" + : "IPV6_FREEBIND", + fd); + } + } + if (bind(fd, sa, sl) < 0) { /* We'll fail to bind to low ports if we don't have enough * capabilities, and we'll fail to bind on already bound ports, -- 2.46.2
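Review bot: The short help text in the conf.c usage() hunk, "--freebind Bind to any address for forwarding", reads like a bind-all wildcard rather than what the switch actually does, which the man page hunk describes correctly: it relaxes the usual requirement that a binding address be configured on the host. Suggest wording the help line to match, e.g. "--freebind Allow binding to addresses not configured on host", so a user scanning --help understands the local-address check is being relaxed. The getopt_long entry (`{"freebind", no_argument, &c->freebind, 1 }`) is consistent with the other flag-style options around it.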
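Review bot: The passt.1 hunk escapes dashes inconsistently: the new paragraph writes `\fB-t\fR and \fB-u\fR` with bare hyphens, while two lines later `\fB\-\-freebind\fR` and the `.BR \-\-freebind` heading use `\-`. groff renders `-` as a hyphen and `\-` as a minus sign, and the surrounding file uses the escaped form, so these should become `\fB\-t\fR and \fB\-u\fR` to keep option names rendering (and copy-pasting) the same way throughout the page.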
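Review bot: In the sock_l4_sa() switch hunk, EPOLL_TYPE_UDP_LISTEN sets `freebind = c->freebind` and then falls through to EPOLL_TYPE_UDP_REPLY, which deliberately does not set it, so reply sockets always bind to a local address. That asymmetry is reasonable but nothing in the code says it is intended; a one-line comment on the UDP_REPLY label (for example "reply sockets bind to addresses we already received on, never freebind") would stop a later reader from "fixing" the fallthrough by hoisting the assignment. Also, the new `bool freebind = false;` relies on <stdbool.h>, and the hunk adds no include, so please confirm util.c already gets it directly or through passt.h.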
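Review bot: In the setsockopt() hunk, a failure to set IP_FREEBIND/IPV6_FREEBIND is reported with err_perror() but the function then proceeds to bind(). That is acceptable behaviour (bind() will still succeed for an address that is configured on the host, and will fail through the existing error path for one that is not), but the message is logged at error level for something that is not fatal at that point; consider a warning-level message, or extend the text to say the bind will be attempted anyway, so the log does not suggest the socket was abandoned. Separately, IPV6_FREEBIND is a much newer constant than IP_FREEBIND and the hunk uses it unconditionally; it is worth checking that every libc passt builds against defines it in <netinet/in.h>, or guarding the IPv6 branch with `#ifdef IPV6_FREEBIND` so the build does not break on an older toolchain.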