On Fri, Nov 21, 2025 at 04:56:01AM +0100, Stefano Brivio wrote:
> The series looks good to me in general, except that:
>
> On Wed, 19 Nov 2025 16:22:57 +1100
> David Gibson wrote:
>
> > Currently, outbound forwards (-T, -U) are handled by sockets bound to the
> > loopback address. Typically we create two sockets, one for 127.0.0.1 and
> > one for ::1.
> >
> > This has some disadvantages:
> > * The guest can't connect via 127.0.0.0/8 addresses other than 127.0.0.1
> > * We can't use dual-stack sockets, we have to have separate sockets for
> > IPv4 and IPv6.
> >
> > The restriction exists for a reason though. If the guest has any
> > interfaces other than pasta (e.g. a VPN tunnel) external hosts could reach
> > the host via the forwards. Especially combined with -T auto / -U auto this
> > would make it very easy to make a mistake with nasty security implications.
> >
> > We can achieve this a different way, however. Don't bind to a specific
> > address, but _do_ use SO_BINDTODEVICE to restrict the sockets to the "lo"
> > interface.
>
> ...this means, as I pointed out on:
>
> https://archives.passt.top/passt-dev/20251022105916.53925523@elisabeth/
>
> that we might break functionality for a number of pasta(1) users.
>
> I don't have a complete version of the SO_BINDTODEVICE fallback I
> sketched there, so I can't just add one on top of this series at the
> moment, but we need something like that before I can merge this.

I re-examined your proposed approach, but realised it doesn't quite work.
The problem is that to complete it, sock_l4_sa() would need to create both
an IPv4 and an IPv6 socket. That works right now, but it breaks the
assumption that tcp_sock_init() and udp_sock_init() create (at most) a
single socket. That wasn't the case until 8/9 in this series, but part of
the reason for 8/9 is because establishing that invariant makes a bunch of
stuff in the works much saner.

So, I'm working to figure out a different approach for an SO_BINDTODEVICE
fallback.
-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
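The two approaches discussed in this thread, as an added example that is not passt/pasta code and not either author's sketch: one dual-stack TCP socket pinned to the "lo" interface with SO_BINDTODEVICE (any 127.0.0.0/8 address or ::1 reaches it, nothing from another interface does), and the classic fallback of two sockets bound to 127.0.0.1 and ::1 when SO_BINDTODEVICE is refused. The function names (lo_listen_sockets, bind_lo_device, bind_loopback_addr) and the fixed-size fds[2] array are assumptions for this example; the code is Linux-only, and it relies on the fact that before Linux 5.7 setting SO_BINDTODEVICE required CAP_NET_RAW, which is one way the fallback path gets exercised in practice. Note how the fallback forces the caller to hold two sockets, which is exactly the single-socket invariant the reply above says tcp_sock_init() and udp_sock_init() now depend on.

```c
/* Added example, not passt/pasta code. Linux only. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Which strategy lo_listen_sockets() ended up using (hypothetical names). */
enum lo_mode { LO_BINDTODEVICE = 1, LO_LOOPBACK_ADDRS = 2 };

/* Port a bound socket actually got (useful when 0 = ephemeral was asked for). */
static int bound_port(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    if (ss.ss_family == AF_INET6)
        return ntohs(((struct sockaddr_in6 *)&ss)->sin6_port);
    return ntohs(((struct sockaddr_in *)&ss)->sin_port);
}

/* Classic behaviour: one single-stack socket bound to 127.0.0.1 or ::1. */
static int bind_loopback_addr(int family, uint16_t port)
{
    int fd = socket(family, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    if (family == AF_INET6) {
        int one = 1;  /* keep the ::1 socket IPv6-only; 127.0.0.1 gets its own */
        struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_port = htons(port),
                                    .sin6_addr = IN6ADDR_LOOPBACK_INIT };
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one));
        if (bind(fd, (struct sockaddr *)&sa6, sizeof(sa6)) < 0) { close(fd); return -1; }
    } else {
        struct sockaddr_in sa4 = { .sin_family = AF_INET, .sin_port = htons(port),
                                   .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
        if (bind(fd, (struct sockaddr *)&sa4, sizeof(sa4)) < 0) { close(fd); return -1; }
    }
    return fd;
}

/* Proposed behaviour: one dual-stack socket, bound to the wildcard address but
 * restricted to the "lo" interface, so traffic arriving on any other interface
 * (e.g. a VPN tunnel inside the guest) can never reach it. */
static int bind_lo_device(uint16_t port)
{
    int fd = socket(AF_INET6, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    int zero = 0;
    struct sockaddr_in6 any = { .sin6_family = AF_INET6, .sin6_port = htons(port),
                                .sin6_addr = IN6ADDR_ANY_INIT };
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &zero, sizeof(zero)) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, "lo", sizeof("lo")) < 0 ||
        bind(fd, (struct sockaddr *)&any, sizeof(any)) < 0) {
        close(fd);  /* EPERM (no CAP_NET_RAW on old kernels), ENODEV, ... */
        return -1;
    }
    return fd;
}

/* Fill fds[] with listening sockets for 'port' (0 = ephemeral) and report the
 * mode used. Returns the number of sockets, 1 or 2, or -1 on total failure. */
int lo_listen_sockets(uint16_t port, int fds[2], enum lo_mode *mode)
{
    int n = 0;
    fds[0] = bind_lo_device(port);
    if (fds[0] >= 0) {
        *mode = LO_BINDTODEVICE;
        n = 1;
    } else {
        *mode = LO_LOOPBACK_ADDRS;  /* fallback: a socket per address family */
        fds[0] = bind_loopback_addr(AF_INET6, port);
        if (fds[0] >= 0) {
            n = 1;
            if (!port)
                port = (uint16_t)bound_port(fds[0]);  /* reuse for the v4 twin */
        }
        fds[n] = bind_loopback_addr(AF_INET, port);
        if (fds[n] >= 0)
            n++;
        if (!n)
            return -1;
    }
    for (int i = 0; i < n; i++)
        if (listen(fds[i], 8) < 0)
            return -1;
    return n;
}

int main(void)
{
    int fds[2];
    enum lo_mode mode;
    int n = lo_listen_sockets(0, fds, &mode);
    printf("%d socket(s), mode %s, port %d\n", n,
           mode == LO_BINDTODEVICE ? "SO_BINDTODEVICE lo" : "127.0.0.1 + ::1",
           n > 0 ? bound_port(fds[0]) : -1);
    return n > 0 ? 0 : 1;
}
```

Run as an unprivileged user on a pre-5.7 kernel, or in a container that drops CAP_NET_RAW, and the program reports two sockets; with the capability (or on a recent kernel) it reports one. Either way the forward is unreachable from a non-loopback interface, but only the SO_BINDTODEVICE form also answers on 127.0.0.2 and the rest of 127.0.0.0/8.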