Re: [PATCH 1/3] conf: Introduce --no-bindtodevice option for testing

[Stefano Brivio <sbrivio@redhat.com>]

On Mon,  5 Jan 2026 19:28:48 +1100
David Gibson <david@gibson.dropbear.id.au> wrote:

> We need to support (as best we can) older kernels which don't allow
> unprivilieged processes to use the SO_BINDTODEVICE socket option.

Nit: unprivileged

> Fallcaks for that case are controlled by the c->no_bindtodevice variable.

Fallbacks

> Currently testing behaviour of those fallbacks requires setting up a test
> system with a kernel that doesn't support the option, which is pretty
> awkward.  We can test it almost as well and much more easily by adding a
> command line option to explicitly disable use of SO_BINDTODEVICE.

It's kind of hard to understand if this patch entirely does that, I
think.

We still have a separate, implicit probing of SO_BINDTODEVICE in
sock_l4_(), which is perhaps excluded by c->no_bindtodevice (but then
the comment is misleading?).

> Like --no-splice this is envisaged as something for developers' and
> testers' convenience, not a supported option for end users.  The man page
> text reflects that.

I never really understood the point of --no-splice, as there was no
user request whatsoever behind it, but fine, the argument was that it
added some needed functionality, even though I couldn't quite grasp
which one it was.

However, with this, the question is where we draw the line. There are
probably other options we could use to make debugging or testing
slightly simpler, but if they don't offer actual functionality, we
always kept them out so far.

That's because we already have a long list of options and making it
unnecessarily longer is a disservice to users, I think.

Would using something like this:

  sed -i 's/(\(setsockopt([a-z]*, SOL_SOCKET, SO_BINDTODEVICE\)/((errno = EPERM) || \1/g' *.c

be totally outrageous, for testing purposes?

It has the advantage of making it easier to verify if we're really
disabling the usage of SO_BINDTODEVICE on all the paths (together with
grep / git / editors), and not introducing additional command line
options.

Another trick I use sometimes to selectively disable or enable kernel
features is to handle system calls via seitan, in this case the
(simple) recipe would something like:

[
  {
    "match": [
      { "setsockopt": { "level": socket", "name": "bindtodevice" } }
    ],
    "return": { "value": "EPERM", "error": -1 }
  }
]

but I haven't implemented setsockopt() yet. :(

> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>  conf.c  | 2 ++
>  passt.1 | 6 ++++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/conf.c b/conf.c
> index ceb9aa55..70ea168c 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -962,6 +962,7 @@ static void usage(const char *name, FILE *f, int status)
>  		"  --no-ndp		Disable NDP responses\n"
>  		"  --no-dhcpv6		Disable DHCPv6 server\n"
>  		"  --no-ra		Disable router advertisements\n"
> +		"  --no-bindtodevice	Disable SO_BINDTODEVICE\n"
>  		"  --freebind		Bind to any address for forwarding\n"
>  		"  --no-map-gw		Don't map gateway address to host\n"
>  		"  -4, --ipv4-only	Enable IPv4 operation only\n"
> @@ -1454,6 +1455,7 @@ void conf(struct ctx *c, int argc, char **argv)
>  		{"no-dhcpv6",	no_argument,		&c->no_dhcpv6,	1 },
>  		{"no-ndp",	no_argument,		&c->no_ndp,	1 },
>  		{"no-ra",	no_argument,		&c->no_ra,	1 },
> +		{"no-bindtodevice", no_argument,	&c->no_bindtodevice, 1},
>  		{"no-splice",	no_argument,		&c->no_splice,	1 },
>  		{"freebind",	no_argument,		&c->freebind,	1 },
>  		{"no-map-gw",	no_argument,		&no_map_gw,	1 },
> diff --git a/passt.1 b/passt.1
> index db0d6620..4859d9e5 100644
> --- a/passt.1
> +++ b/passt.1
> @@ -348,6 +348,12 @@ namespace will be silently dropped.
>  Disable Router Advertisements. Router Solicitations coming from guest or target
>  namespace will be ignored.
>  
> +.TP
> +.BR \-\-no-bindtodevice
> +Development/testing option, do not use.  Disables use of
> +SO_BINDTODEVICE socket option.  Implicitly enabled on older kernels
> +which don't permit unprivileged use of SO_BINDTODEVICE.
> +
>  .TP
>  .BR \-\-freebind
>  Allow any binding address to be specified for \fB-t\fR and \fB-u\fR

The change looks otherwise good to me... I just hope we can avoid it
somehow, but if not, so be it.

-- 
Stefano