Skip to content

Bind policy completion — global `BindAddr` everywhere else, separate `WebBindAddr` for WebServer

Summary

Current main already applies the global BindAddr to the core peer/server UDP and TCP sockets, but the embedded webserver still reuses that same bind directly and ancillary socket users were not fully re-audited.

FEAT-030 finishes the policy in a low-drift way:

  • keep the global BindAddr as the single bind setting for all non-web socket paths
  • add a separate WebBindAddr override for the embedded WebServer
  • audit and close any remaining socket-open paths which were still using wildcard bind

Intended Mainline Shape

  • New persisted web setting:
  • WebBindAddr
  • Web listener semantics:
  • empty WebBindAddr = bind all interfaces
  • non-empty WebBindAddr = bind only that IPv4 address
  • Non-web sockets continue to follow the existing global BindAddr

Audited Coverage

Already under the global BindAddr:

  • incoming peer TCP listener
  • outgoing peer TCP sockets
  • outgoing server TCP sockets
  • client/Kad UDP socket
  • server UDP socket
  • proxy-backed outgoing TCP init
  • UPnP discovery source bind

Explicit follow-up in this item:

  • split WebServer listener onto WebBindAddr
  • bring ancillary socket users such as Pinger under the global bind policy

Not a separate bind target:

  • accepted child sockets that inherit from an already-bound listener
  • Kad traffic that rides the already-bound client UDP socket

Scope Boundaries

In scope:

  • bind-address policy only
  • preference persistence and WebServer settings UI
  • narrow ancillary socket fixes discovered by audit

Out of scope:

  • interface-id-based bind UI redesign
  • IPv6 bind support
  • new per-subsystem bind settings beyond WebServer
  • broader WebServer/REST changes

Acceptance Criteria

  • [x] WebBindAddr persists in the WebServer section
  • [x] WebServer binds wildcard when WebBindAddr is empty
  • [x] WebServer binds only the override IP when WebBindAddr is set
  • [x] non-web socket paths continue to use the global BindAddr
  • [x] ancillary audited socket paths no longer bypass the global bind policy

Mainline Outcome

Landed on main across commits a762ea1, ca80a00, and 6244a50:

  • split the WebServer listener onto persisted WebBindAddr
  • kept non-web socket paths on the existing global BindAddr
  • brought Pinger under the global bind policy
  • restored the status-bar bind/public-IP pane on the current UI baseline
  • expanded Kad contact and lookup metadata displays while finishing the bind-policy pass