refactor(vsock): more permissive binding for make public scope (#13)

appcypher · web-flow · commit 8e0efd3f28f6 · 2025-04-20T00:18:22.000+01:00
Combine scope 2 (Public) and scope 3 (Any) to have the same behavior,
both allowing binding to any IP address. This simplifies the logic
by removing the public IP check since both scopes now permit unrestricted
IP binding.
diff --git a/src/devices/src/virtio/vsock/ip_filter.rs b/src/devices/src/virtio/vsock/ip_filter.rs
@@ -85,10 +85,8 @@ impl IpFilterConfig {
             // Scope 1: Group - Allow binding within the subnet if no specific IP given
             // If no subnet is specified, behaves like scope 0 (deny all)
             1 => self.subnet.map_or(false, |subnet| subnet.contains(bind_ip)),
-            // Scope 2: Public - Allow binding to public IPs if no specific IP given
-            2 => !Self::is_private(bind_ip),
-            // Scope 3: Any - Allow binding to any IP if no specific IP given
-            3 => true,
+            // Scope 2 & 3: Any & Public - Allow binding to any IP if no specific IP given
+            2 | 3 => true,
             _ => false, // Invalid scope (scope 0 already handled)
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -85,10 +85,8 @@ impl IpFilterConfig {`
`85`	`85`	`// Scope 1: Group - Allow binding within the subnet if no specific IP given`
`86`	`86`	`// If no subnet is specified, behaves like scope 0 (deny all)`
`87`	`87`	`1 => self.subnet.map_or(false, \|subnet\| subnet.contains(bind_ip)),`
`88`		`- // Scope 2: Public - Allow binding to public IPs if no specific IP given`
`89`		`- 2 => !Self::is_private(bind_ip),`
`90`		`- // Scope 3: Any - Allow binding to any IP if no specific IP given`
`91`		`- 3 => true,`
	`88`	`+ // Scope 2 & 3: Any & Public - Allow binding to any IP if no specific IP given`
	`89`	`+ 2 \| 3 => true,`
`92`	`90`	`_ => false, // Invalid scope (scope 0 already handled)`
`93`	`91`	`}`
`94`	`92`	`}`