Adding --source-port command line option

gershnik · gershnik · commit f9a47a6e5500 · 2025-01-10T17:23:58.000-08:00
This eases interoperability with firewalls. Without this option,
the port used as a local source of multicast messages is chosen
randomly by the OS. Replies are sent to this port as well. Using
a fixed port, enables users or firewall configurations to open
that port permanently for wsddn.
diff --git a/doc/wsddn.8 b/doc/wsddn.8
@@ -178,6 +178,13 @@ Set the hop limit for multicast packets.
 The default is 1 which should prevent packets from leaving the local
 network segment.
 The equivalent config file option is \f[CR]hoplimit\f[R]
+.TP
+\f[CR]\-\-source\-port\f[R] \f[I]number\f[R]
+Set the source port for outgoing multicast messages, so that replies
+will use this as the destination port.
+This is useful for firewalls that do not detect incoming unicast replies
+to a multicast as part of the flow, so the port needs to be fixed in
+order to be allowed manually.
 .SS Machine information options
 .TP
 \f[CR]\-\-uuid\f[R] \f[I]uuid\f[R]
@@ -288,6 +295,9 @@ Same as \f[CR]\-\-chroot\f[R] command line option
 \f[CR]hoplimit\f[R] = \f[I]number\f[R]
 Same as \f[CR]\-\-hoplimit\f[R] command line option
 .TP
+\f[CR]source\-port\f[R] = \f[I]number\f[R]
+Same as \f[CR]\-\-source\-port\f[R] command line option
+.TP
 \f[CR]hostname\f[R] = \[lq]\f[I]name\f[R]\[rq]
 Same as \f[CR]\-\-hostname\f[R] command line option
 .TP
diff --git a/doc/wsddn.8.html b/doc/wsddn.8.html
diff --git a/doc/wsddn.8.md b/doc/wsddn.8.md
@@ -94,6 +94,9 @@ exploits into wsddn. If not specified the behavior is as follows
 `--hoplimit` _number_
 :   Set the hop limit for multicast packets. The default is 1 which should prevent packets from leaving the local network segment. The equivalent config file option is `hoplimit`
 
+`--source-port` _number_
+:   Set the source port for outgoing multicast messages, so that replies will use this as the destination port. This is useful for firewalls that do not detect incoming unicast replies to a multicast as part of the flow, so the port needs to be fixed in order to be allowed manually.
+
 ## Machine information options
 
 `--uuid` _uuid_
@@ -154,6 +157,9 @@ Any options specified on command line take precedence over options in the config
 `hoplimit` = _number_
 : Same as `--hoplimit` command line option
 
+`source-port` = _number_
+: Same as `--source-port` command line option
+
 `hostname` = "_name_"
 : Same as `--hostname` command line option
 
diff --git a/installers/wsddn.conf b/installers/wsddn.conf
@@ -33,6 +33,14 @@
 
 #hoplimit=1
 
+# Set the source port for outgoing multicast messages, so that replies will
+# use this as the destination port.
+# This is useful for firewalls that do not detect incoming unicast replies
+# to a multicast as part of the flow, so the port needs to be fixed in order
+# to be allowed manually.
+
+#source-port=12345
+
 ###############################################################################
 #
 #        Machine information
diff --git a/src/command_line.cpp b/src/command_line.cpp
@@ -269,6 +269,11 @@ void CommandLine::parse(int argc, char * argv[]) {
                handler([this](std::string_view val){
         this->hoplimit = Argum::parseIntegral<unsigned>(val);
     }));
+    parser.add(Option("--source-port").
+               help("send multicast traffic and receive replies on this port.").
+               handler([this](std::string_view val){
+        this->sourcePort = Argum::parseIntegral<unsigned>(val);
+    }));
     
     //Machine info
     parser.add(Option("--uuid").
@@ -419,6 +424,14 @@ void CommandLine::parseConfigKey(std::string_view keyName, const toml::node & va
             this->hoplimit = int((unsigned short)*val);
         });
         
+    } else if (keyName == "source-port"sv) {
+        
+        setConfigValue<int64_t>(bool(this->sourcePort), keyName, value, [this](const toml::value<int64_t> & val) {
+            if (*val < 0 || *val >= 65536)
+                throw ConfigFileError("source-port value must be in [0, 65536) range", spdlog::level::err, val.source());
+            this->sourcePort = uint16_t(*val);
+        });
+        
     } else
         
     //Machine info
diff --git a/src/command_line.h b/src/command_line.h
@@ -14,6 +14,7 @@ struct CommandLine {
     std::vector<sys_string> interfaces;
     std::optional<AllowedAddressFamily> allowedAddressFamily;
     std::optional<int> hoplimit;
+    std::optional<uint16_t> sourcePort;
     
     std::optional<Uuid> uuid;
     std::optional<sys_string> hostname;
diff --git a/src/config.cpp b/src/config.cpp
@@ -11,6 +11,7 @@ Config::Config(const CommandLine & cmdline):
     m_hopLimit = cmdline.hoplimit.value_or(1);
     m_allowedAddressFamily = cmdline.allowedAddressFamily.value_or(BothIPv4AndIPv6);
     m_interfaceWhitelist.insert(cmdline.interfaces.begin(), cmdline.interfaces.end());
+    m_sourcePort = cmdline.sourcePort.value_or(0);
 
     m_fullHostName = getHostName();
     m_simpleHostName = m_fullHostName.prefix_before_first(U'.').value_or(m_fullHostName);
diff --git a/src/config.h b/src/config.h
@@ -44,6 +44,7 @@ class Config : public ref_counted<Config> {
     auto isAllowedInterface(const sys_string & name) const -> bool {
         return m_interfaceWhitelist.empty() || m_interfaceWhitelist.contains(name);
     }
+    auto sourcePort() const -> uint16_t                     { return m_sourcePort; }
     
     auto pageSize() const -> size_t                         { return m_pageSize; }
 
@@ -73,6 +74,7 @@ class Config : public ref_counted<Config> {
     AllowedAddressFamily m_allowedAddressFamily = BothIPv4AndIPv6;
     int m_hopLimit = 1;
     std::set<sys_string> m_interfaceWhitelist;
+    uint16_t m_sourcePort;
     
     size_t m_pageSize;
 };
diff --git a/src/udp_server.cpp b/src/udp_server.cpp
@@ -83,14 +83,17 @@ class UdpServerImpl : public UdpServer {
 
         m_recvSocket.bind(ip::udp::endpoint(multicastGroupAddress, g_WsdUdpPort));
         m_unicastSendSocket.bind(ip::udp::endpoint(addr, g_WsdUdpPort));
-
+        
     #if !defined(__NetBSD__) && !defined(__sun)
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv4MulticastIface, multicastGroupRequest);
     #else
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv4MulticastIface, multicastGroupRequest.imr_interface);
     #endif
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv4MulticastLoop, false);
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv4MulticastTtl, uint8_t(m_config->hopLimit()));
+
+        if (m_config->sourcePort() != 0)
+            m_multicastSendSocket.bind(ip::udp::endpoint(addr, m_config->sourcePort()));
     }
 
     void initAddresses(const ip::address_v6 & addr, const NetworkInterface & iface) {
@@ -114,6 +117,10 @@ class UdpServerImpl : public UdpServer {
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv6MulticastLoop, false);
         m_multicastSendSocket.set_option(ip::multicast::hops(m_config->hopLimit()));
         setSocketOption(m_multicastSendSocket, ptl::SockOptIPv6MulticastIface, iface.index);
+
+        if (m_config->sourcePort() != 0)
+            m_multicastSendSocket.bind(ip::udp::endpoint(ip::udp::endpoint(ip::address_v6(addr.to_bytes(), iface.index), m_config->sourcePort())));
+
     }
 
     void read() {
