PATCH: IO: Avoid calling SO_BINDTODEVICE if not needed

Alexander Zubkov green at qrator.net
Sat Jul 27 14:05:17 CEST 2024


Hi Christian and all!

I wonder if it is necessary at all to set a vrf on an accepted connection?
It seems to me that setting or checking vrf should be avoided instead for
an accepted connection. What do you think?

On Sat, Jul 27, 2024, 11:54 Christian Svensson via Bird-users <
bird-users at network.cz> wrote:

> Since Linux 5.7 (see linux/c427bfec18f21) non-root users are allowed to
> bind a socket using SO_BINDTODEVICE as long as the socket is not already
> bound.
>
> When using BGP with VRFs, BIRD correctly binds the listening socket to
> the VRF but also re-binds the accept()'d socket to the same VRF.
> This is not needed as the interface bind is inherited in this case, and
> indeed this redundant bind causes an -EPERM if BIRD is running as non-root
> making BIRD close the connection and reject the peer.
>
> We change the behaviour of the generic sk_setup to first query the socket
> and see if the socket is already correctly bound, and call
> setsockopt(SO_BINDTODEVICE) iff it is truly needed. In addition,
> since the getsockopt(SO_BINDTODEVICE) was implemented in Linux 3.8 or
> otherwise might be blocked in existing installations, we quietly fall
> back to the previous behavior if the getsockopt call fails.
>
> Test case:
>  Run BIRD as a non-root user (and no extra capabilities) using passive
>  BGP inside a VRF. Before the patch observe the error:
>  "<ERR> SOCK: Incoming connection: SO_BINDTODEVICE: Operation not
> permitted"
>
>   protocol bgp AS1234_1 {
>     [..]
>     vrf "VrfTest";
>     passive on;
>   }
>
>  After the patch this works as expected.
>
> Patch is attached to this message but if it falls off it can also be found
> at:
>
> https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1663945e/patches/0001-IO-Avoid-calling-SO_BINDTODEVICE-if-not-needed.patch
>
> There is also a simple utility to test the behavior of rebinding sockets
> at:
>
> https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1663945e/patches/0001-IO-Avoid-calling-SO_BINDTODEVICE-if-not-needed.repro.c
>
> Thanks for your consideration,
>