[PATCH net-next v5 0/5] net: add local address bind support to vxlan and geneve

Richard Gobert posted 5 patches 1 month, 3 weeks ago
Posted by Richard Gobert 1 month, 3 weeks ago
Currently, vxlan sockets are always bound to 0.0.0.0. For security, it is
better to bind to the specific interface on which traffic is expected.

This series adds a netlink option that makes vxlan sockets bind to their
local addresses. The option is disabled by default as it can potentially
break existing networks.

This series also adds a local address option to geneve, similar to vxlan.
The geneve socket is bound to the local address by default.

v4 -> v5:
  - Fix whitespace issues
  - Fix IPv6 compilation errors
  - Add missing documentation
  - Add selftest to test localbind functionality
  - Change localbind option in VXLAN to be non-default
  - v4: https://lore.kernel.org/netdev/20250717115412.11424-1-richardbgobert@gmail.com/

v3 -> v4:
  - Fix a problem where vxlan socket is bound before its outgoing interface is up
  - v3: https://lore.kernel.org/netdev/20240711131411.10439-1-richardbgobert@gmail.com/

v2 -> v3:
  - Fix typo and nit problem (Simon)
  - v2: https://lore.kernel.org/netdev/20240708111103.9742-1-richardbgobert@gmail.com/

v1 -> v2:
  - Change runtime checking of CONFIG_IPV6 to compile time in geneve
  - Change {geneve,vxlan}_find_sock to check listening address
  - Fix incorrect usage of IFLA_VXLAN_LOCAL6 in geneve
  - Use NLA_POLICY_EXACT_LEN instead of changing strict_start_type in geneve
  - v1: https://lore.kernel.org/netdev/df300a49-7811-4126-a56a-a77100c8841b@gmail.com/

Richard Gobert (5):
  net: udp: add freebind option to udp_sock_create
  net: vxlan: add netlink option to bind vxlan sockets to local
    addresses
  net: vxlan: bind vxlan sockets to their local address if configured
  net: geneve: enable binding geneve sockets to local addresses
  selftests/net: add vxlan localbind selftest

 Documentation/netlink/specs/rt-link.yaml      |   8 +
 drivers/net/geneve.c                          |  80 ++++-
 drivers/net/vxlan/vxlan_core.c                | 102 +++++-
 include/net/geneve.h                          |   6 +
 include/net/udp_tunnel.h                      |   3 +-
 include/net/vxlan.h                           |   1 +
 include/uapi/linux/if_link.h                  |   3 +
 net/ipv4/udp_tunnel_core.c                    |   1 +
 net/ipv6/ip6_udp_tunnel.c                     |   1 +
 tools/include/uapi/linux/if_link.h            |   3 +
 tools/testing/selftests/net/Makefile          |   1 +
 .../selftests/net/test_vxlan_localbind.sh     | 306 ++++++++++++++++++
 12 files changed, 490 insertions(+), 25 deletions(-)
 create mode 100755 tools/testing/selftests/net/test_vxlan_localbind.sh

-- 
2.36.1
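The two socket behaviours this cover letter relies on, shown in user space as an added example (not code from the series, nor the kernel's own udp_sock_create() path): a UDP socket bound to the wildcard address receives datagrams sent to any local address while one bound to a specific address does not, which is the security point behind binding vxlan and geneve sockets to their local address; and binding to an address that is not yet configured on any interface fails with EADDRNOTAVAIL unless IP_FREEBIND is set, which is what the freebind option in patch 1 exists for (the v3 -> v4 note about the vxlan socket being bound before its outgoing interface is up). Assumptions, all mine: Linux with loopback up, net.ipv4.ip_nonlocal_bind off, 192.0.2.1 (TEST-NET-1) not configured on the host, and the function names bind_udp_local and delivered_via_other_local_addr are illustrative.

```c
/*
 * Added example, not part of the patch series: user-space demonstration of
 * the two socket behaviours the cover letter depends on.
 * Assumes Linux with loopback up and 192.0.2.1 (TEST-NET-1) unconfigured.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returned when the environment lacks sockets/loopback (e.g. a sandbox). */
#define ENV_UNAVAILABLE (-1)

/*
 * Bind a fresh UDP socket to addr:0, optionally with IP_FREEBIND set first.
 * Returns 0 on success, the errno from bind()/setsockopt() on failure, or
 * ENV_UNAVAILABLE if no socket could be created at all.
 */
int bind_udp_local(const char *addr, int freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return ENV_UNAVAILABLE;

    if (freebind) {
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                       /* any free port */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    int err = bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/*
 * Bind a receiver to bind_addr:0, then send one datagram to the same port
 * but addressed to 127.0.0.2.  Returns 1 if the receiver gets it, 0 if not,
 * ENV_UNAVAILABLE if loopback is not usable here.
 */
int delivered_via_other_local_addr(const char *bind_addr)
{
    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) {
        if (rx >= 0) close(rx);
        if (tx >= 0) close(tx);
        return ENV_UNAVAILABLE;
    }

    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    inet_pton(AF_INET, bind_addr, &sin.sin_addr);
    if (bind(rx, (struct sockaddr *)&sin, len) < 0 ||
        getsockname(rx, (struct sockaddr *)&sin, &len) < 0) { /* learn port */
        close(rx);
        close(tx);
        return ENV_UNAVAILABLE;
    }

    /* Same port, different local address: only a wildcard bind matches. */
    inet_pton(AF_INET, "127.0.0.2", &sin.sin_addr);
    if (sendto(tx, "x", 1, 0, (struct sockaddr *)&sin, len) != 1) {
        close(rx);
        close(tx);
        return ENV_UNAVAILABLE;
    }

    struct pollfd pfd = { .fd = rx, .events = POLLIN, .revents = 0 };
    int ready = poll(&pfd, 1, 300);     /* loopback delivery is immediate */
    close(rx);
    close(tx);
    return ready > 0 ? 1 : 0;
}

int main(void)
{
    printf("wildcard bind receives datagram to 127.0.0.2: %d\n",
           delivered_via_other_local_addr("0.0.0.0"));
    printf("127.0.0.1 bind receives datagram to 127.0.0.2: %d\n",
           delivered_via_other_local_addr("127.0.0.1"));
    printf("bind 192.0.2.1 without freebind: %s\n",
           strerror(bind_udp_local("192.0.2.1", 0)));
    printf("bind 192.0.2.1 with freebind: %s\n",
           strerror(bind_udp_local("192.0.2.1", 1)));
    return 0;
}
```

The first pair of calls is the exposure the series closes: a tunnel socket bound to 0.0.0.0 accepts encapsulated packets addressed to any address the host owns, not only the one the tunnel was configured with. The second pair is why the kernel-side socket needs a freebind flag: the vxlan local address may belong to an interface that is not up yet when the socket is created, so a plain bind would fail, exactly the problem fixed between v3 and v4.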
Re: [PATCH net-next v5 0/5] net: add local address bind support to vxlan and geneve
Posted by Ido Schimmel 1 month, 3 weeks ago
On Tue, Aug 12, 2025 at 02:51:50PM +0200, Richard Gobert wrote:
> Currently, vxlan sockets are always bound to 0.0.0.0. For security, it is
> better to bind to the specific interface on which traffic is expected.

s/interface/address/ ?
Re: [PATCH net-next v5 0/5] net: add local address bind support to vxlan and geneve
Posted by Richard Gobert 1 month, 3 weeks ago
Ido Schimmel wrote:
> On Tue, Aug 12, 2025 at 02:51:50PM +0200, Richard Gobert wrote:
>> Currently, vxlan sockets are always bound to 0.0.0.0. For security, it is
>> better to bind to the specific interface on which traffic is expected.
> 
> s/interface/address/ ?

Sure, will change in v6.