From: Stefano Brivio <sbrivio@redhat.com>
To: David Gibson
Cc: passt-dev@passt.top
Subject: Re: [PATCH v4 9/9] tcp, udp: Bind outbound listening sockets by interface instead of address
Date: Fri, 21 Nov 2025 06:39:13 +0100
Message-ID: <20251121063913.488de102@elisabeth>
References: <20251119052257.3004500-1-david@gibson.dropbear.id.au> <20251119052257.3004500-10-david@gibson.dropbear.id.au> <20251121045601.021b1793@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Fri, 21 Nov 2025 16:24:20 +1100
David Gibson wrote:

> On Fri, Nov 21, 2025 at 04:56:01AM +0100, Stefano Brivio wrote:
> > The series looks good to me in general, except that:
> >
> > On Wed, 19 Nov 2025 16:22:57 +1100
> > David Gibson wrote:
> >
> > > Currently, outbound forwards (-T, -U) are handled by sockets bound to the
> > > loopback address. Typically we create two sockets, one for 127.0.0.1 and
> > > one for ::1.
> > >
> > > This has some disadvantages:
> > >   * The guest can't connect via 127.0.0.0/8 addresses other than 127.0.0.1
> > >   * We can't use dual-stack sockets, we have to have separate sockets for
> > >     IPv4 and IPv6.
> > >
> > > The restriction exists for a reason though. If the guest has any
> > > interfaces other than pasta (e.g. a VPN tunnel) external hosts could reach
> > > the host via the forwards. Especially combined with -T auto / -U auto this
> > > would make it very easy to make a mistake with nasty security implications.
> > >
> > > We can achieve this a different way, however. Don't bind to a specific
> > > address, but _do_ use SO_BINDTODEVICE to restrict the sockets to the "lo"
> > > interface.
> >
> > ...this means, as I pointed out on:
> >
> > https://archives.passt.top/passt-dev/20251022105916.53925523@elisabeth/
> >
> > that we might break functionality for a number of pasta(1) users.
> >
> > I don't have a complete version of the SO_BINDTODEVICE fallback I
> > sketched there, so I can't just add one on top of this series at the
> > moment, but we need something like that before I can merge this.
>
> Yes, I was intending to make that change, but just forgot. I'll fix
> this patch and resend. Are you intending to merge the rest of the
> series, or should I respin it?

I guess it's marginally easier if you respin so that we have a single
link to the series, eventually, and I would run tests on the series as
a whole, not just up to 8/9.

-- 
Stefano