Date: Thu, 3 Oct 2024 13:25:42 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH] conf: Add command line switch to enable IP_FREEBIND socket option
In-Reply-To: <20241002091652.1a94da20@elisabeth>
References: <20241002044716.1802209-1-david@gibson.dropbear.id.au> <20241002091652.1a94da20@elisabeth>

On Wed, Oct 02, 2024 at 09:16:52AM +0200, Stefano Brivio wrote:
> On Wed, 2 Oct 2024 14:47:16 +1000
> David Gibson wrote:
> 
> > In a couple of recent reports, we've seen that it can be useful for pasta
> > to forward ports from addresses which are not currently configured on the
> > host, but might be in future. That can be done with the sysctl
> > net.ipv4.ip_nonlocal_bind, but that does require CAP_NET_ADMIN to set in
> > the first place. We can allow the same thing on a per-socket basis with
> > the IP_FREEBIND (or IPV6_FREEBIND) socket option.
> > 
> > Add a --freebind command line argument to enable this socket option on
> > all listening sockets.
> > 
> > Link: https://bugs.passt.top/show_bug.cgi?id=101
> > 
> > Signed-off-by: David Gibson
> > ---
> > conf.c | 2 ++
> > passt.1 | 6 ++++++
> > passt.h | 1 +
> > util.c | 15 +++++++++++++++
> > 4 files changed, 24 insertions(+)
> > 
> > diff --git a/conf.c b/conf.c
> > index 6e62510..84aa89d 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -836,6 +836,7 @@ static void usage(const char *name, FILE *f, int status)
> > " --no-ndp Disable NDP responses\n"
> > " --no-dhcpv6 Disable DHCPv6 server\n"
> > " --no-ra Disable router advertisements\n"
> > + " --freebind Allow forwarding from any address\n"
> 
> I think "from any address" might be a bit ambiguous, because it could
> also be read as "Allow forwarding traffic coming from any address",
> which is allowed regardless.

Good point.

> What about:
> 
> " --freebind Allow any address for forwarding\n"
> 
> ?

Not sure that's notably better, though. I've gone with "Bind to any
address for forwarding".

> > " --no-map-gw Don't map gateway address to host\n"
> > " -4, --ipv4-only Enable IPv4 operation only\n"
> > " -6, --ipv6-only Enable IPv6 operation only\n");
> > @@ -1255,6 +1256,7 @@ void conf(struct ctx *c, int argc, char **argv)
> > {"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 },
> > {"no-ndp", no_argument, &c->no_ndp, 1 },
> > {"no-ra", no_argument, &c->no_ra, 1 },
> > + {"freebind", no_argument, &c->freebind, 1 },
> > {"no-map-gw", no_argument, &no_map_gw, 1 },
> > {"ipv4-only", no_argument, NULL, '4' },
> > {"ipv6-only", no_argument, NULL, '6' },
> > diff --git a/passt.1 b/passt.1
> > index 79d134d..a2547f8 100644
> > --- a/passt.1
> > +++ b/passt.1
> > @@ -327,6 +327,12 @@ namespace will be silently dropped.
> > Disable Router Advertisements. Router Solicitations coming from guest or target
> > namespace will be ignored.
> > 
> > +.TP
> > +.BR \-\-freebind
> > +Allow forwarding from addresses which are not configured on the host,
> 
> Same here, it could also be read as "Allow forwarding traffic coming
> from addresses ...".
> 
> Perhaps:
> 
> Allow binding to addresses which are not configured on the host (but
> might be in the future) for port forwarding.
> 
> ?

I've done a bit of rewording of this.

> > +but might be in future. This enables the \fBIP_FREEBIND\fR or
> > +\fBIPB6_FREEBIND\fR option on listening sockets.
> > +
> > .TP
> > .BR \-\-map-host-loopback " " \fIaddr
> > Translate \fIaddr\fR to refer to the host. Packets from the guest to
> > diff --git a/passt.h b/passt.h
> > index 031c9b6..e00049e 100644
> > --- a/passt.h
> > +++ b/passt.h
> > @@ -284,6 +284,7 @@ struct ctx {
> > int no_dhcpv6;
> > int no_ndp;
> > int no_ra;
> > + int freebind;
> 
> Missing update to struct comment.

Dangit, thought I'd done that after missing it on the last series.

> > 
> > int low_wmem;
> > int low_rmem;
> > diff --git a/util.c b/util.c
> > index ebd93ed..96e3de8 100644
> > --- a/util.c
> > +++ b/util.c
> > @@ -52,6 +52,7 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
> > {
> > sa_family_t af = ((const struct sockaddr *)sa)->sa_family;
> > union epoll_ref ref = { .type = type, .data = data };
> > + bool freebind = false;
> > struct epoll_event ev;
> > int fd, y = 1, ret;
> > uint8_t proto;
> > @@ -61,8 +62,11 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
> > case EPOLL_TYPE_TCP_LISTEN:
> > proto = IPPROTO_TCP;
> > socktype = SOCK_STREAM | SOCK_NONBLOCK;
> > + freebind = c->freebind;
> > break;
> > case EPOLL_TYPE_UDP_LISTEN:
> > + freebind = c->freebind;
> > + /* fallthrough */
> > case EPOLL_TYPE_UDP_REPLY:
> > proto = IPPROTO_UDP;
> > socktype = SOCK_DGRAM | SOCK_NONBLOCK;
> > @@ -127,6 +131,17 @@ int sock_l4_sa(const struct ctx *c, enum epoll_type type,
> > }
> > }
> > 
> > + if (freebind) {
> > + int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
> > + int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND;
> > +
> > + if (setsockopt(fd, level, opt, &y, sizeof(y))) {
> > + err_perror("Failed to set %s on socket %i",
> 
> Indentation makes it look like err_perror() is part of the condition
> (it should be one tab instead of spaces).

Oops, corrected.

> > + af == AF_INET ? "IP_FREEBIND" : "IPV6_FREEBIND",
> > + fd);
> > + }
> > + }
> > +
> > if (bind(fd, sa, sl) < 0) {
> > /* We'll fail to bind to low ports if we don't have enough
> > * capabilities, and we'll fail to bind on already bound ports,
> 

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
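Review bot: the passt.1 hunk (@@ -327,6 +327,12 @@) documents a socket option that does not exist: `\fBIPB6_FREEBIND\fR` should read `\fBIPV6_FREEBIND\fR`, matching the commit message and the `IPV6_FREEBIND` constant used in the util.c hunk. While that line is being reworded anyway, "might be in future" reads more naturally as "might be in the future", as in the wording Stefano suggested.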
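Review bot: in the util.c hunk at @@ -61,8 +62,11 @@, `freebind = c->freebind;` is set for EPOLL_TYPE_TCP_LISTEN and EPOLL_TYPE_UDP_LISTEN but deliberately not for EPOLL_TYPE_UDP_REPLY, and nothing in the code says so. Because the new `/* fallthrough */` places the assignment immediately before the case it intentionally does not cover, a one-line comment above the UDP_LISTEN assignment (that the option only makes sense for sockets bound to a forwarding address, as the commit message puts it, "all listening sockets") would keep a later reader from "fixing" the asymmetry.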
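Review bot: in the util.c hunk at @@ -127,6 +131,17 @@, a failed setsockopt() is reported with err_perror() and then ignored, so execution continues to bind(). For the very case this option exists for, an address not yet configured on the host, that bind() then fails with EADDRNOTAVAIL and the user gets two errors for one root cause; for an address that is configured, the socket comes up without the behaviour the user asked for and only the log shows it. The function already has `ret` and an error path for bind(), so either return an error here as well, or, if continuing is intended, state that in a comment next to the err_perror() call so the choice is visible.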
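The commit message quoted above rests on one mechanism: IP_FREEBIND (IPV6_FREEBIND for AF_INET6) lets a single socket bind to an address that is not configured on any local interface, without the CAP_NET_ADMIN that the global net.ipv4.ip_nonlocal_bind sysctl requires. The program below is an added example written for this page; it is not part of the passt patch or of the thread. It binds a TCP socket to constructed documentation-range addresses (192.0.2.1, and 2001:db8::1 for IPv6), which are assumed not to be configured on the host where it runs, first without and then with the option, so the failure the patch works around (bind() returning EADDRNOTAVAIL) sits next to the behaviour the option enables. The level/option selection per address family mirrors the one in the patch's util.c hunk.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample addresses from the documentation ranges (RFC 5737 and
 * RFC 3849); assumed NOT to be configured on the host running this example. */
#define NONLOCAL_V4 "192.0.2.1"
#define NONLOCAL_V6 "2001:db8::1"

/* Same per-family choice of level and option as the patch's util.c hunk. */
static int set_freebind(int fd, sa_family_t af)
{
	int level = af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6;
	int opt = af == AF_INET ? IP_FREEBIND : IPV6_FREEBIND;
	int y = 1;

	return setsockopt(fd, level, opt, &y, sizeof(y));
}

/*
 * Bind a TCP socket to the non-local sample address for 'af'.
 * Returns 0 when bind() succeeds, bind()'s errno when it fails, or -1 when
 * the socket could not be created or the option could not be set, so a
 * caller can tell "no sockets in this environment" from a real bind result.
 */
int try_bind_nonlocal(sa_family_t af, bool freebind)
{
	struct sockaddr_in sa4 = { .sin_family = AF_INET, .sin_port = 0 };
	struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_port = 0 };
	const struct sockaddr *sa;
	socklen_t sl;
	int fd, ret;

	if (af == AF_INET) {
		inet_pton(AF_INET, NONLOCAL_V4, &sa4.sin_addr);
		sa = (const struct sockaddr *)&sa4;
		sl = sizeof(sa4);
	} else {
		inet_pton(AF_INET6, NONLOCAL_V6, &sa6.sin6_addr);
		sa = (const struct sockaddr *)&sa6;
		sl = sizeof(sa6);
	}

	fd = socket(af, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;

	if (freebind && set_freebind(fd, af) < 0) {
		close(fd);
		return -1;
	}

	/* Port 0: the kernel picks an ephemeral port, so nothing collides. */
	ret = bind(fd, sa, sl) < 0 ? errno : 0;
	close(fd);
	return ret;
}

static const char *describe(int r)
{
	if (r == 0)
		return "bind() succeeded";
	if (r == -1)
		return "socket()/setsockopt() unavailable here";
	return strerror(r);
}

int main(void)
{
	printf("IPv4, no option:     %s\n",
	       describe(try_bind_nonlocal(AF_INET, false)));
	printf("IPv4, IP_FREEBIND:   %s\n",
	       describe(try_bind_nonlocal(AF_INET, true)));
	printf("IPv6, IPV6_FREEBIND: %s\n",
	       describe(try_bind_nonlocal(AF_INET6, true)));
	return 0;
}
```

On a Linux host where the sample addresses are not configured, the first line reports "Cannot assign requested address" (EADDRNOTAVAIL) and the other two report a successful bind. Note what the option does not change: it only affects bind(); packets for that address reach the socket only once the address is actually configured on the host, which is precisely the "might be in future" case the patch targets, and unlike the sysctl it is scoped to the sockets that explicitly asked for it.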