From: David Gibson
To: Stefano Brivio, passt-dev@passt.top
CC: David Gibson
Subject: [PATCH 1/3] conf: Introduce --no-bindtodevice option for testing
Date: Mon, 5 Jan 2026 19:28:48 +1100
Message-ID: <20260105082850.1985300-2-david@gibson.dropbear.id.au>
In-Reply-To: <20260105082850.1985300-1-david@gibson.dropbear.id.au>
References: <20260105082850.1985300-1-david@gibson.dropbear.id.au>

We need to support (as best we can) older kernels which don't allow unprivileged processes to use the SO_BINDTODEVICE socket option. Fallbacks for that case are controlled by the c->no_bindtodevice variable.

Currently testing behaviour of those fallbacks requires setting up a test system with a kernel that doesn't support the option, which is pretty awkward. We can test it almost as well and much more easily by adding a command line option to explicitly disable use of SO_BINDTODEVICE.

Like --no-splice this is envisaged as something for developers' and testers' convenience, not a supported option for end users. The man page text reflects that.

Signed-off-by: David Gibson
--- conf.c | 2 ++ passt.1 | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/conf.c b/conf.c index ceb9aa55..70ea168c 100644 --- a/conf.c +++ b/conf.c
@@ -962,6 +962,7 @@ static void usage(const char *name, FILE *f, int status) " --no-ndp Disable NDP responses\n" " --no-dhcpv6 Disable DHCPv6 server\n" " --no-ra Disable router advertisements\n" + " --no-bindtodevice Disable SO_BINDTODEVICE\n" " --freebind Bind to any address for forwarding\n" " --no-map-gw Don't map gateway address to host\n" " -4, --ipv4-only Enable IPv4 operation only\n" @@ -1454,6 +1455,7 @@ void conf(struct ctx *c, int argc, char **argv) {"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 }, {"no-ndp", no_argument, &c->no_ndp, 1 }, {"no-ra", no_argument, &c->no_ra, 1 }, + {"no-bindtodevice", no_argument, &c->no_bindtodevice, 1}, {"no-splice", no_argument, &c->no_splice, 1 }, {"freebind", no_argument, &c->freebind, 1 }, {"no-map-gw", no_argument, &no_map_gw, 1 }, diff --git a/passt.1 b/passt.1 index db0d6620..4859d9e5 100644 --- a/passt.1 +++ b/passt.1 @@ -348,6 +348,12 @@ namespace will be silently dropped. Disable Router Advertisements. Router Solicitations coming from guest or target namespace will be ignored. +.TP +.BR \-\-no-bindtodevice +Development/testing option, do not use. Disables use of +SO_BINDTODEVICE socket option. Implicitly enabled on older kernels +which don't permit unprivileged use of SO_BINDTODEVICE. + .TP .BR \-\-freebind Allow any binding address to be specified for \fB-t\fR and \fB-u\fR -- 2.52.0
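Review bot: In usage(), the new " --no-bindtodevice Disable SO_BINDTODEVICE\n" line advertises the option with no hint that it is for development and testing only, while the passt.1 hunk says "Development/testing option, do not use" and the commit message says it is not a supported end-user option. In the visible context the option table in conf() has --no-splice between --no-ra and --freebind, but usage() has no matching line between those two; if --no-splice is deliberately left out of the help output, leave this one out as well, otherwise mark it as a testing option in the help string so the two descriptions agree.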
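Review bot: In conf(), the new table entry lets option parsing write c->no_bindtodevice directly, which is the same variable the commit message says controls the older-kernel fallbacks, and the code that sets it when the kernel refuses unprivileged SO_BINDTODEVICE is not part of this patch. Please confirm that this detection only ever sets the flag to 1 and cannot clear a value given on the command line, otherwise the option would silently have no effect on newer kernels, which is exactly the case it is meant to test. Style: the new entry ends in "1}," while its neighbours use "1 },".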
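Review bot: In the passt.1 hunk, the new entry says the option disables SO_BINDTODEVICE but not what passt does instead, so a tester reading it cannot tell which behaviour to expect from the fallback path; one sentence on the observable effect would make the entry usable for its stated purpose. "Implicitly enabled on older kernels" would also read more clearly as a statement that the same fallbacks are used automatically on those kernels. Minor: the ".BR \-\-no-bindtodevice" line escapes the leading dashes but leaves the hyphen inside no-bindtodevice unescaped.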