mkj · mkj · Jul 18, 2023 · Apr 11, 2023 · Jul 18, 2023
diff --git a/src/netio.c b/src/netio.c
@@ -467,7 +467,7 @@ int get_sock_port(int sock) {
  * failure, if errstring wasn't NULL, it'll be a newly malloced error
  * string.*/
 int dropbear_listen(const char* address, const char* port,
-		int *socks, unsigned int sockcount, char **errstring, int *maxfd) {
+		int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface) {
 
 	struct addrinfo hints, *res = NULL, *res0 = NULL;
 	int err;
@@ -497,7 +497,11 @@ int dropbear_listen(const char* address, const char* port,
 		TRACE(("dropbear_listen: local loopback"))
 	} else {
 		if (address[0] == '\0') {
-			TRACE(("dropbear_listen: all interfaces"))
+			if (interface) {
+				TRACE(("dropbear_listen: %s", interface))
+			} else {
+				TRACE(("dropbear_listen: all interfaces"))
+			}
 			address = NULL;
 		}
 		hints.ai_flags = AI_PASSIVE;
@@ -551,6 +555,11 @@ int dropbear_listen(const char* address, const char* port,
 		/* set to reuse, quick timeout */
 		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val));
 
+		if(interface && setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0) {
+			dropbear_log(LOG_WARNING, "Couldn't set SO_BINDTODEVICE");
+			TRACE(("Failed setsockopt with errno failure, %d %s", errno, strerror(errno)))
+		}
+
 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
 		if (res->ai_family == AF_INET6) {
 			int on = 1;

diff --git a/src/netio.h b/src/netio.h
@@ -19,7 +19,7 @@ void get_socket_address(int fd, char **local_host, char **local_port,
 void getaddrstring(struct sockaddr_storage* addr, 
 		char **ret_host, char **ret_port, int host_lookup);
 int dropbear_listen(const char* address, const char* port,
-		int *socks, unsigned int sockcount, char **errstring, int *maxfd);
+		int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface);
 
 struct dropbear_progress_connection;
 

diff --git a/src/runopts.h b/src/runopts.h
@@ -128,6 +128,7 @@ typedef struct svr_runopts {
 	char * pidfile;
 
 	char * forced_command;
+	char* interface;
 
 #if DROPBEAR_PLUGIN 
 	/* malloced */

diff --git a/src/svr-main.c b/src/svr-main.c
@@ -488,7 +488,7 @@ static size_t listensockets(int *socks, size_t sockcount, int *maxfd) {
 
 		nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos], 
 				sockcount - sockpos,
-				&errstring, maxfd);
+				&errstring, maxfd, svr_opts.interface);
 
 		if (nsock < 0) {
 			dropbear_log(LOG_WARNING, "Failed listening on '%s': %s", 

diff --git a/src/svr-runopts.c b/src/svr-runopts.c
@@ -98,6 +98,8 @@ static void printhelp(const char * progname) {
 					"		(default port is %s if none specified)\n"
 					"-P PidFile	Create pid file PidFile\n"
 					"		(default %s)\n"
+					"-l <interface>\n"
+					"		interface to bind on\n"
 #if INETD_MODE
 					"-i		Start for inetd\n"
 #endif
@@ -265,6 +267,9 @@ void svr_getopts(int argc, char ** argv) {
 				case 'P':
 					next = &svr_opts.pidfile;
 					break;
+				case 'l':
+					next = &svr_opts.interface;
+					break;
 #if DO_MOTD
 				/* motd is displayed by default, -m turns it off */
 				case 'm':
@@ -438,6 +443,10 @@ void svr_getopts(int argc, char ** argv) {
 		dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
 	}
 
+	if (svr_opts.interface) {
+		dropbear_log(LOG_INFO, "Binding to interface '%s'", svr_opts.interface);
+	}
+
 	if (reexec_fd_arg) {
 		if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
 			|| svr_opts.reexec_childpipe < 0) {

diff --git a/src/svr-tcpfwd.c b/src/svr-tcpfwd.c
@@ -205,6 +205,7 @@ static int svr_remotetcpreq(int *allocated_listen_port) {
 	tcpinfo->listenport = port;
 	tcpinfo->chantype = &svr_chan_tcpremote;
 	tcpinfo->tcp_type = forwarded;
+	tcpinfo->interface = svr_opts.interface;
 
 	tcpinfo->request_listenaddr = request_addr;
 	if (!opts.listen_fwd_all || (strcmp(request_addr, "localhost") == 0) ) {

diff --git a/src/tcp-accept.c b/src/tcp-accept.c
@@ -117,7 +117,7 @@ int listen_tcpfwd(struct TCPListener* tcpinfo, struct Listener **ret_listener) {
 	snprintf(portstring, sizeof(portstring), "%u", tcpinfo->listenport);
 
 	nsocks = dropbear_listen(tcpinfo->listenaddr, portstring, socks, 
-			DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd);
+			DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd, tcpinfo->interface);
 	if (nsocks < 0) {
 		dropbear_log(LOG_INFO, "TCP forward failed: %s", errstring);
 		m_free(errstring);

diff --git a/src/tcpfwd.h b/src/tcpfwd.h
@@ -42,6 +42,7 @@ struct TCPListener {
 	unsigned int listenport;
 	/* The address that the remote host asked to listen on */
 	char *request_listenaddr;
+	char* interface;
 
 	const struct ChanType *chantype;
 	enum {direct, forwarded} tcp_type;