google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

SO_BINDTODEVICE does not affect TCP connect #8276

Open akonradi opened 1 year ago

akonradi commented 1 year ago

Description

Setting SO_BINDTODEVICE on a bound TCP socket does not restrict the routes considered when initiating a connection with that socket.

With two interfaces set up with routes to the same destination subnet, and a TCP socket bound on * (all-zeroes address), setting the bound device for the socket before connecting does not restrict which interface the connection is attempted on.

The code in question is here; it checks e.boundNICID, which comes from the scope of the bound address, but not e.boundBindToDevice.

Steps to reproduce

With two interfaces set up with routes to the same destination subnet,

  1. Create a TCP socket
  2. Set SO_BINDTODEVICE on it with one of the interfaces
  3. Then bind the socket to some port on the all-zeroes address
  4. Call connect on the socket with some destination address
  5. Observe that the connection is not necessarily performed over the requested interface (though it might be, since one of the interfaces is chosen arbitrarily).

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response
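The route-selection defect described above, as an added illustrative model that is not gVisor's code: `Endpoint`, `Route`, `buggyConnectNIC` and `fixedConnectNIC` are assumed names. The buggy variant consults only `boundNICID` (derived from the bound address's scope), as the report says; the fixed variant also honours `boundBindToDevice`.

```go
package main

import (
	"errors"
	"fmt"
)

// NICID identifies a network interface; 0 means "unconstrained".
type NICID int32

// Route is one candidate path to the destination. In the issue's setup two
// NICs both have a route to the same subnet, so the list has two entries.
type Route struct{ NIC NICID }

// Endpoint models the two per-socket fields the issue contrasts (assumed
// names): boundNICID comes from the scope of the address passed to bind(),
// boundBindToDevice from SO_BINDTODEVICE. bind(0.0.0.0) leaves boundNICID 0.
type Endpoint struct {
	boundNICID        NICID
	boundBindToDevice NICID
}

// buggyConnectNIC reproduces the reported behaviour: only boundNICID
// constrains route selection, so the first candidate route wins even when
// SO_BINDTODEVICE names a different interface.
func buggyConnectNIC(e Endpoint, routes []Route) (NICID, error) {
	for _, r := range routes {
		if e.boundNICID == 0 || e.boundNICID == r.NIC {
			return r.NIC, nil
		}
	}
	return 0, errors.New("no route to destination")
}

// fixedConnectNIC honours both constraints: either one alone restricts the
// candidate routes, and when both are set they must name the same NIC.
func fixedConnectNIC(e Endpoint, routes []Route) (NICID, error) {
	want := e.boundBindToDevice
	if e.boundNICID != 0 {
		if want != 0 && want != e.boundNICID {
			return 0, errors.New("bound address and SO_BINDTODEVICE disagree")
		}
		want = e.boundNICID
	}
	for _, r := range routes {
		if want == 0 || want == r.NIC {
			return r.NIC, nil
		}
	}
	return 0, errors.New("no route to destination")
}

func main() {
	routes := []Route{{NIC: 1}, {NIC: 2}}        // constructed: both NICs reach the subnet
	e := Endpoint{boundNICID: 0, boundBindToDevice: 2} // bind(0.0.0.0) + SO_BINDTODEVICE=NIC 2
	buggy, _ := buggyConnectNIC(e, routes)
	fixed, _ := fixedConnectNIC(e, routes)
	fmt.Println("buggy picks NIC", buggy, "fixed picks NIC", fixed) // 1 vs 2
}
```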

akonradi commented 1 year ago

Found while writing tests for Fuchsia. This test fails for Netstack2 (which is based on gVisor): https://fxrev.dev/c/fuchsia/+/729942/6/src/connectivity/network/tests/integration/socket/src/lib.rs#2205

github-actions[bot] commented 1 year ago

A friendly reminder that this issue had no activity for 120 days.