systemd.listen placeholder and bind interfaces subdirective

caddyconfig/httpcaddyfile/addresses.go

@@ -25,6 +25,7 @@ import (
 	"unicode"
 
 	"github.com/caddyserver/certmagic"
+	"go.uber.org/zap"
 
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@@ -307,29 +308,75 @@ func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Ad
 	}
 
 	// the bind directive specifies hosts (and potentially network), and the protocols to serve them with, but is optional
-	lnCfgVals := make([]addressesWithProtocols, 0, len(sblock.pile["bind"]))
+	lnCfgVals := make([]bindOptions, 0, len(sblock.pile["bind"]))
 	for _, cfgVal := range sblock.pile["bind"] {
-		if val, ok := cfgVal.Value.(addressesWithProtocols); ok {
+		if val, ok := cfgVal.Value.(bindOptions); ok {
 			lnCfgVals = append(lnCfgVals, val)
 		}
 	}
 	if len(lnCfgVals) == 0 {
 		if defaultBindValues, ok := options["default_bind"].([]ConfigValue); ok {
 			for _, defaultBindValue := range defaultBindValues {
-				lnCfgVals = append(lnCfgVals, defaultBindValue.Value.(addressesWithProtocols))
+				lnCfgVals = append(lnCfgVals, defaultBindValue.Value.(bindOptions))
 			}
 		} else {
-			lnCfgVals = []addressesWithProtocols{{
-				addresses: []string{""},
-				protocols: nil,
+			lnCfgVals = []bindOptions{{
+				addresses:  []string{""},
+				interfaces: nil,
+				protocols:  nil,
 			}}
 		}
 	}
 
 	// use a map to prevent duplication
+	interfaceAddresses := map[string][]string{}
 	listeners := map[string]map[string]struct{}{}
 	for _, lnCfgVal := range lnCfgVals {
-		for _, lnAddr := range lnCfgVal.addresses {
+		addresses := []string{}
+		addresses = append(addresses, lnCfgVal.addresses...)
+		for _, lnIface := range lnCfgVal.interfaces {
+			lnNetw, lnDevice, _, err := caddy.SplitNetworkAddress(lnIface)
+			if err != nil {
+				return nil, fmt.Errorf("splitting listener interface: %v", err)
+			}
+
+			ifaceAddresses, ok := interfaceAddresses[lnDevice]
+			if !ok {
+				iface, err := net.InterfaceByName(lnDevice)
+				if err != nil {
+					return nil, fmt.Errorf("querying listener interface: %v: %v", lnDevice, err)
+				}
+				if iface == nil {
+					return nil, fmt.Errorf("querying listener interface: %v", lnDevice)
+				}
+				ifaceAddrs, err := iface.Addrs()
+				if err != nil {
+					return nil, fmt.Errorf("querying listener interface addresses: %v: %v", lnDevice, err)
+				}
+				for _, ifaceAddr := range ifaceAddrs {
+					var ip net.IP
+					switch ifaceAddrValue := ifaceAddr.(type) {
+					case *net.IPAddr:
+						ip = ifaceAddrValue.IP
+					case *net.IPNet:
+						ip = ifaceAddrValue.IP
+					default:
+						caddy.Log().Error("reading listener interface address", zap.String("device", lnDevice), zap.String("address", ifaceAddr.String()))
+						continue
+					}
+
+					if len(ip) == net.IPv4len && caddy.IsIPv4Network(lnNetw) || len(ip) == net.IPv6len && caddy.IsIPv6Network(lnNetw) {
+						ifaceAddresses = append(ifaceAddresses, caddy.JoinNetworkAddress(lnNetw, ip.String(), ""))
+					}
+				}
+				if len(ifaceAddresses) == 0 {
+					return nil, fmt.Errorf("querying listener interface addresses for network: %v: %v", lnDevice, lnNetw)
+				}
+				interfaceAddresses[lnDevice] = ifaceAddresses
+			}
+			addresses = append(addresses, ifaceAddresses...)
+		}
+		for _, lnAddr := range addresses {
 			lnNetw, lnHost, _, err := caddy.SplitNetworkAddress(lnAddr)
 			if err != nil {
 				return nil, fmt.Errorf("splitting listener address: %v", err)
@@ -350,11 +397,10 @@ func (st *ServerType) listenersForServerBlockAddress(sblock serverBlock, addr Ad
 	return listeners, nil
 }
 
-// addressesWithProtocols associates a list of listen addresses
-// with a list of protocols to serve them with
-type addressesWithProtocols struct {
-	addresses []string
-	protocols []string
+type bindOptions struct {
+	addresses  []string
+	interfaces []string
+	protocols  []string
 }
 
 // Address represents a site address. It contains

caddyconfig/httpcaddyfile/builtins.go

@@ -57,16 +57,22 @@ func init() {
 
 // parseBind parses the bind directive. Syntax:
 //
-//		bind <addresses...> [{
-//	   protocols [h1|h2|h2c|h3] [...]
-//	 }]
+//	bind <addresses...> [{
+//		interfaces <devices...>
+//		protocols [h1|h2|h2c|h3] [...]
+//	}]
 func parseBind(h Helper) ([]ConfigValue, error) {
 	h.Next() // consume directive name
-	var addresses, protocols []string
+	var addresses, interfaces, protocols []string
 	addresses = h.RemainingArgs()
 
 	for h.NextBlock(0) {
 		switch h.Val() {
+		case "interfaces":
+			interfaces = h.RemainingArgs()
+			if len(interfaces) == 0 {
+				return nil, h.Errf("interfaces requires one or more arguments")
+			}
 		case "protocols":
 			protocols = h.RemainingArgs()
 			if len(protocols) == 0 {
@@ -77,9 +83,10 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 		}
 	}
 
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
+	return []ConfigValue{{Class: "bind", Value: bindOptions{
+		addresses:  addresses,
+		interfaces: interfaces,
+		protocols:  protocols,
 	}}}, nil
 }
 

caddyconfig/httpcaddyfile/options.go

@@ -307,8 +307,7 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 
 func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
-
-	var addresses, protocols []string
+	var addresses, interfaces, protocols []string
 	addresses = d.RemainingArgs()
 
 	if len(addresses) == 0 {
@@ -317,6 +316,11 @@ func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
 
 	for d.NextBlock(0) {
 		switch d.Val() {
+		case "interfaces":
+			interfaces = d.RemainingArgs()
+			if len(interfaces) == 0 {
+				return nil, d.Errf("interfaces requires one or more arguments")
+			}
 		case "protocols":
 			protocols = d.RemainingArgs()
 			if len(protocols) == 0 {
@@ -327,9 +331,10 @@ func parseOptDefaultBind(d *caddyfile.Dispenser, _ any) (any, error) {
 		}
 	}
 
-	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
-		addresses: addresses,
-		protocols: protocols,
+	return []ConfigValue{{Class: "bind", Value: bindOptions{
+		addresses:  addresses,
+		interfaces: interfaces,
+		protocols:  protocols,
 	}}}, nil
 }
 

caddyconfig/httpcaddyfile/tlsapp.go

@@ -221,7 +221,7 @@ func (st ServerType) buildTLSApp(
 					if acmeIssuer.Challenges.BindHost == "" {
 						// only binding to one host is supported
 						var bindHost string
-						if asserted, ok := cfgVal.Value.(addressesWithProtocols); ok && len(asserted.addresses) > 0 {
+						if asserted, ok := cfgVal.Value.(bindOptions); ok && len(asserted.addresses) > 0 {
 							bindHost = asserted.addresses[0]
 						}
 						acmeIssuer.Challenges.BindHost = bindHost
@@ -613,7 +613,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 	// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
 	if acmeIssuer.Challenges == nil || (acmeIssuer.Challenges.DNS == nil && acmeIssuer.Challenges.BindHost == "") {
 		if defBinds, ok := globalDefaultBind.([]ConfigValue); ok && len(defBinds) > 0 {
-			if abp, ok := defBinds[0].Value.(addressesWithProtocols); ok && len(abp.addresses) > 0 {
+			if abp, ok := defBinds[0].Value.(bindOptions); ok && len(abp.addresses) > 0 {
 				if acmeIssuer.Challenges == nil {
 					acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 				}

listen.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"slices"
 	"strconv"
 	"sync"
 	"sync/atomic"
@@ -37,7 +36,7 @@ func reuseUnixSocket(_, _ string) (any, error) {
 func listenReusable(ctx context.Context, lnKey string, network, address string, config net.ListenConfig) (any, error) {
 	var socketFile *os.File
 
-	fd := slices.Contains([]string{"fd", "fdgram"}, network)
+	fd := IsFdNetwork(network)
 	if fd {
 		socketFd, err := strconv.ParseUint(address, 0, strconv.IntSize)
 		if err != nil {
@@ -66,8 +65,8 @@ func listenReusable(ctx context.Context, lnKey string, network, address string,
 		}
 	}
 
-	datagram := slices.Contains([]string{"udp", "udp4", "udp6", "unixgram", "fdgram"}, network)
-	if datagram {
+	packet := IsPacketNetwork(network)
+	if packet {
 		sharedPc, _, err := listenerPool.LoadOrNew(lnKey, func() (Destructor, error) {
 			var (
 				pc  net.PacketConn

listen_unix.go

@@ -27,7 +27,6 @@ import (
 	"io/fs"
 	"net"
 	"os"
-	"slices"
 	"strconv"
 	"sync"
 	"sync/atomic"
@@ -102,7 +101,7 @@ func listenReusable(ctx context.Context, lnKey string, network, address string,
 		socketFile *os.File
 	)
 
-	fd := slices.Contains([]string{"fd", "fdgram"}, network)
+	fd := IsFdNetwork(network)
 	if fd {
 		socketFd, err := strconv.ParseUint(address, 0, strconv.IntSize)
 		if err != nil {
@@ -142,8 +141,8 @@ func listenReusable(ctx context.Context, lnKey string, network, address string,
 		}
 	}
 
-	datagram := slices.Contains([]string{"udp", "udp4", "udp6", "unixgram", "fdgram"}, network)
-	if datagram {
+	packet := IsPacketNetwork(network)
+	if packet {
 		if fd {
 			ln, err = net.FilePacketConn(socketFile)
 		} else {
@@ -161,7 +160,7 @@ func listenReusable(ctx context.Context, lnKey string, network, address string,
 		listenerPool.LoadOrStore(lnKey, nil)
 	}
 
-	if datagram {
+	if packet {
 		if !fd {
 			// TODO: Not 100% sure this is necessary, but we do this for net.UnixListener, so...
 			if unix, ok := ln.(*net.UnixConn); ok {