net: use -bind address for outgoing connections #35027

1. 
   8144225309 commented at 9:48 pm on April 7, 2026: none

   Closes #6476

   -bind only affected the listening socket. Outgoing connections used whatever source address the OS chose, so on multi-homed nodes traffic could originate from an unintended interface.

   Store one -bind address per address family and bind() the socket before connect() for direct connections. Proxied and CJDNS connections are unaffected. Loopback bind addresses are skipped.

   A functional test verifies the source IP seen by the receiving node matches the -bind address.

   Based on vasild’s approach in #6476 (comment).

2. DrahtBot added the label P2P on Apr 7, 2026
3. 
   DrahtBot commented at 9:49 pm on April 7, 2026: contributor

   The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

   Reviews

   See the guideline for information on the review process. A summary of reviews will appear here.

   Conflicts

   Reviewers, this pull request conflicts with the following ones:

   • #34839 (doc: remove unshipped doc references from help and warning text by AgusR7)
   • #31974 (Drop testnet3 by Sjors)
   • #17783 (common: Disallow calling IsArgSet() on ALLOW_LIST options by ryanofsky)
   • #17581 (refactor: Remove settings merge reverse precedence code by ryanofsky)
   • #17580 (refactor: Add ALLOW_LIST flags and enforce usage in CheckArgFlags by ryanofsky)
   • #17493 (util: Forbid ambiguous multiple assignments in config file by ryanofsky)

   If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

4. 8144225309 force-pushed on Apr 7, 2026
5. 8144225309 force-pushed on Apr 7, 2026
6. 
   luke-jr commented at 5:12 pm on April 9, 2026: member

   This might break a scenario where someone wants to listen on one IP, but load balance outgoing connections. A new option might be better?
7. 
   8144225309 commented at 6:38 pm on April 9, 2026: none

   The original issue asks for -bind to control outgoing connections, and users who want listen-only can omit -bind. Outbound is capped at 11 (8 full relay + 2 block-only + 1 feeler) so there isn’t much to load balance. A separate option could work but users already expect -bind to cover both directions.
8. DrahtBot added the label Needs rebase on Apr 9, 2026
9. net: use -bind address for outgoing connections

   Previously -bind only affected the listening socket. Outgoing
   connections used whatever source address the OS selected, which on
   multi-homed nodes meant traffic could originate from an unintended
   interface.
   
   Only clearnet (IPv4/IPv6) direct connections are bound. Proxied
   connections (Tor, I2P, SOCKS5) are unaffected since the proxy
   determines the source address. CJDNS connections without a proxy
   are also excluded to avoid binding a regular address to a socket
   routed through the CJDNS tun device. Local (loopback) bind addresses
   are skipped so that -bind=127.0.0.1 is not affected.
   
   Closes #6476

   ae9dc431de
10. test: add tests for outbound bind address selection

    Unit test verifying that CConnman::Init() stores the first non-local
    -bind address per address family, skips loopback addresses, and
    confirms that CJDNS addresses are neither IPv4 nor IPv6 (ensuring
    the outbound bind selection in ConnectNode correctly skips them).
    
    Functional test (feature_bind_outgoing.py) verifying that outbound
    connections originate from the -bind address. Requires two routable
    IPs on the machine (skipped otherwise).

    f91b44711d
11. doc: add release notes for outbound bind 13879e1dd0
12. 8144225309 force-pushed on Apr 10, 2026
13. DrahtBot removed the label Needs rebase on Apr 10, 2026

Contributors
8144225309 DrahtBot luke-jr

Labels
P2P