More useful to allow arrays of IPs to bind to.

osdep/Binder.hpp

@@ -126,20 +126,20 @@ public:
 	 * @param phy Physical interface
 	 * @param ports Ports to bind on all interfaces
 	 * @param portCount Number of ports
-	 * @param bindtoWildcard If true, bind wildcard instead of per-interface IPs
+	 * @param explicitBind If present, override interface IP detection and bind to these (if possible)
 	 * @param ifChecker Interface checker function to see if an interface should be used
 	 * @tparam PHY_HANDLER_TYPE Type for Phy<> template
 	 * @tparam INTERFACE_CHECKER Type for class containing shouldBindInterface() method
 	 */
 	template<typename PHY_HANDLER_TYPE,typename INTERFACE_CHECKER>
-	void refresh(Phy<PHY_HANDLER_TYPE> &phy,unsigned int *ports,unsigned int portCount,bool bindToWildcard,INTERFACE_CHECKER &ifChecker)
+	void refresh(Phy<PHY_HANDLER_TYPE> &phy,unsigned int *ports,unsigned int portCount,const std::vector<InetAddress> explicitBind,INTERFACE_CHECKER &ifChecker)
 	{
 		std::map<InetAddress,std::string> localIfAddrs;
 		PhySocket *udps,*tcps;
 		Mutex::Lock _l(_lock);
 		bool interfacesEnumerated = true;
 
-		if (!bindToWildcard) {
+		if (explicitBind.empty()) {
 #ifdef __WINDOWS__
 
 			char aabuf[32768];
@@ -328,6 +328,9 @@ public:
 			}
 
 #endif
+		} else {
+			for(std::vector<InetAddress>::const_iterator i(explicitBind.begin());i!=explicitBind.end();++i)
+				localIfAddrs.insert(std::pair<InetAddress,std::string>(*i,std::string()));
 		}
 
 		// Default to binding to wildcard if we can't enumerate addresses

service/OneService.cpp

@@ -565,7 +565,7 @@ public:
 			}
 
 			// Read local configuration
-			bool bindToWildcard = false;
+			std::vector<InetAddress> explicitBind;
 			{
 				std::map<InetAddress,ZT_PhysicalPathConfiguration> ppc;
 
@@ -635,7 +635,17 @@ public:
 						_controllerDbPath = cdbp;
 
 					// Bind to wildcard instead of to specific interfaces (disables full tunnel capability)
-					bindToWildcard = OSUtils::jsonBool(settings["bindToWildcard"],false);
+					json &bind = settings["bind"];
+					if (bind.is_array()) {
+						for(unsigned long i=0;i<bind.size();++i) {
+							const std::string ips(OSUtils::jsonString(bind[i],""));
+							if (ips.length() > 0) {
+								InetAddress ip(ips.c_str());
+								if ((ip.ss_family == AF_INET)||(ip.ss_family == AF_INET6))
+									explicitBind.push_back(ip);
+							}
+						}
+					}
 				}
 
 				// Set trusted paths if there are any
@@ -805,7 +815,7 @@ public:
 						if (_ports[i])
 							p[pc++] = _ports[i];
 					}
-					_binder.refresh(_phy,p,pc,bindToWildcard,*this);
+					_binder.refresh(_phy,p,pc,explicitBind,*this);
 					{
 						Mutex::Lock _l(_nets_m);
 						for(std::map<uint64_t,NetworkState>::iterator n(_nets.begin());n!=_nets.end();++n) {

service/README.md

@@ -32,13 +32,12 @@ Settings available in `local.conf` (this is not valid JSON, and JSON does not al
 		"softwareUpdateDist": true|false, /* If true, distribute software updates (only really useful to ZeroTier, Inc. itself, default is false) */
 		"interfacePrefixBlacklist": [ "XXX",... ], /* Array of interface name prefixes (e.g. eth for eth#) to blacklist for ZT traffic */
 		"allowManagementFrom": "NETWORK/bits"|null, /* If non-NULL, allow JSON/HTTP management from this IP network. Default is 127.0.0.1 only. */
-		"bindToWildcard": true|false /* If true, bind to wildcard e.g. 0.0.0.0 instead of per interface */
+		"bind": [ "ip",... ] /* If present and non-null, bind to these IPs instead of to each interface (wildcard IP allowed) */
 	}
 }
 ```
 
  * **trustedPathId**: A trusted path is a physical network over which encryption and authentication are not required. This provides a performance boost but sacrifices all ZeroTier's security features when communicating over this path. Only use this if you know what you are doing and really need the performance! To set up a trusted path, all devices using it *MUST* have the *same trusted path ID* for the same network. Trusted path IDs are arbitrary positive non-zero integers. For example a group of devices on a LAN with IPs in 10.0.0.0/24 could use it as a fast trusted path if they all had the same trusted path ID of "25" defined for that network.
- * **relayPolicy**: Under what circumstances should this device relay traffic for other devices? The default is TRUSTED, meaning that we'll only relay for devices we know to be members of a network we have joined. NEVER is the default on mobile devices (iOS/Android) and tells us to never relay traffic. ALWAYS is usually only set for upstreams and roots, allowing them to act as promiscuous relays for anyone who desires it.
 
 An example `local.conf`: