From 5f5302e59535c988188e3857469c5414014d62c4 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Thu, 25 Jan 2018 17:27:08 -0500
Subject: [PATCH] More useful to allow arrays of IPs to bind to.

---
 osdep/Binder.hpp | 9 ++++++---
 service/OneService.cpp | 16 +++++++++++++---
 service/README.md | 3 +--
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/osdep/Binder.hpp b/osdep/Binder.hpp
index f5fc32e36..d7c3f03c7 100644
--- a/osdep/Binder.hpp
+++ b/osdep/Binder.hpp
@@ -126,20 +126,20 @@ public:
 * @param phy Physical interface
 * @param ports Ports to bind on all interfaces
 * @param portCount Number of ports
- * @param bindtoWildcard If true, bind wildcard instead of per-interface IPs
+ * @param explicitBind If present, override interface IP detection and bind to these (if possible)
 * @param ifChecker Interface checker function to see if an interface should be used
 * @tparam PHY_HANDLER_TYPE Type for Phy<> template
 * @tparam INTERFACE_CHECKER Type for class containing shouldBindInterface() method
 */
 template
- void refresh(Phy &phy,unsigned int *ports,unsigned int portCount,bool bindToWildcard,INTERFACE_CHECKER &ifChecker)
+ void refresh(Phy &phy,unsigned int *ports,unsigned int portCount,const std::vector explicitBind,INTERFACE_CHECKER &ifChecker)
 {
 std::map localIfAddrs;
 PhySocket *udps,*tcps;
 Mutex::Lock _l(_lock);
 bool interfacesEnumerated = true;
- if (!bindToWildcard) {
+ if (explicitBind.empty()) {
 #ifdef __WINDOWS__
 char aabuf[32768];
@@ -328,6 +328,9 @@ public:
 }
 #endif
+ } else {
+ for(std::vector::const_iterator i(explicitBind.begin());i!=explicitBind.end();++i)
+ localIfAddrs.insert(std::pair(*i,std::string()));
 }
 // Default to binding to wildcard if we can't enumerate addresses
diff --git a/service/OneService.cpp b/service/OneService.cpp
index a9a8171cc..bcdef04f4 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
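Review bot: The new `refresh()` signature takes `explicitBind` as a `const std::vector` by value, so the whole address list is copied on every refresh call; a const reference, `const std::vector<InetAddress> &explicitBind`, keeps every call site unchanged and avoids the copy, matching how `ifChecker` is already passed. The new `@param` text says "If present", but the body tests `explicitBind.empty()`, so an empty array behaves exactly like no setting at all; suggest `* @param explicitBind If non-empty, skip interface enumeration and bind only to these addresses; if empty, enumerate interfaces as before`. The body of refresh() continues well past the end of this hunk.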
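Review bot: In the added `else` branch every explicit address is inserted into `localIfAddrs` paired with an empty interface name (`std::string()`), so whatever later in refresh() keys on the interface name — presumably `ifChecker`, which the header documents as deciding whether an interface should be used — sees only `""` for these entries; whether that admits or rejects them is decided outside this hunk and should be confirmed and stated next to the insert, e.g. `// Explicit bind addresses carry no interface name; they are not subject to name-based interface filtering`. If they are indeed exempt, the README's "wildcard IP allowed" means a listed wildcard address would be bound regardless of any interface prefix blacklist, which is worth a sentence in the same comment so operators are not surprised. The enclosing function starts and ends outside the hunk.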
@@ -565,7 +565,7 @@ public:
 }
 // Read local configuration
- bool bindToWildcard = false;
+ std::vector explicitBind;
 {
 std::map ppc;
@@ -635,7 +635,17 @@ public:
 _controllerDbPath = cdbp;
 // Bind to wildcard instead of to specific interfaces (disables full tunnel capability)
- bindToWildcard = OSUtils::jsonBool(settings["bindToWildcard"],false);
+ json &bind = settings["bind"];
+ if (bind.is_array()) {
+ for(unsigned long i=0;i 0) {
+ InetAddress ip(ips.c_str());
+ if ((ip.ss_family == AF_INET)||(ip.ss_family == AF_INET6))
+ explicitBind.push_back(ip);
+ }
+ }
+ }
 }
 // Set trusted paths if there are any
@@ -805,7 +815,7 @@ public:
 if (_ports[i]) p[pc++] = _ports[i];
 }
- _binder.refresh(_phy,p,pc,bindToWildcard,*this);
+ _binder.refresh(_phy,p,pc,explicitBind,*this);
 {
 Mutex::Lock _l(_nets_m);
 for(std::map::iterator n(_nets.begin());n!=_nets.end();++n) {
diff --git a/service/README.md b/service/README.md
index 2a6cb1540..9ac097ab8 100644
--- a/service/README.md
+++ b/service/README.md
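Review bot: In the `@@ -635` hunk a `bind` entry that does not parse as IPv4/IPv6 is dropped silently by the `AF_INET`/`AF_INET6` check, and if every entry fails `explicitBind` stays empty, which the Binder side treats as "not configured" and falls back to binding every detected interface — the opposite of what an operator who listed one address to restrict the listener intended. A warning naming the rejected string (an `else` branch with `fprintf(stderr,...)` on the family check, plus one when `bind` is a non-empty array but `explicitBind` ends up empty) makes the misconfiguration visible in the log instead of showing up only as unexpected open ports. The retained context comment `// Bind to wildcard instead of to specific interfaces (disables full tunnel capability)` now describes the removed `bindToWildcard` option; suggest `// Optional "bind" array: bind only to these addresses instead of each detected interface (binding a wildcard address disables full tunnel capability)`. Note that the loop header and the `ips` extraction line are truncated in this rendering of the hunk, and the enclosing function continues outside it.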
@@ -32,13 +32,12 @@ Settings available in `local.conf` (this is not valid JSON, and JSON does not al
 "softwareUpdateDist": true|false, /* If true, distribute software updates (only really useful to ZeroTier, Inc. itself, default is false) */
 "interfacePrefixBlacklist": [ "XXX",... ], /* Array of interface name prefixes (e.g. eth for eth#) to blacklist for ZT traffic */
 "allowManagementFrom": "NETWORK/bits"|null, /* If non-NULL, allow JSON/HTTP management from this IP network. Default is 127.0.0.1 only. */
- "bindToWildcard": true|false /* If true, bind to wildcard e.g. 0.0.0.0 instead of per interface */
+ "bind": [ "ip",... ] /* If present and non-null, bind to these IPs instead of to each interface (wildcard IP allowed) */
 }
 }
 ```
 * **trustedPathId**: A trusted path is a physical network over which encryption and authentication are not required. This provides a performance boost but sacrifices all ZeroTier's security features when communicating over this path. Only use this if you know what you are doing and really need the performance! To set up a trusted path, all devices using it *MUST* have the *same trusted path ID* for the same network. Trusted path IDs are arbitrary positive non-zero integers. For example a group of devices on a LAN with IPs in 10.0.0.0/24 could use it as a fast trusted path if they all had the same trusted path ID of "25" defined for that network.
- * **relayPolicy**: Under what circumstances should this device relay traffic for other devices? The default is TRUSTED, meaning that we'll only relay for devices we know to be members of a network we have joined. NEVER is the default on mobile devices (iOS/Android) and tells us to never relay traffic. ALWAYS is usually only set for upstreams and roots, allowing them to act as promiscuous relays for anyone who desires it.
 An example `local.conf`: