Add Interface socket option for binding to a network interface

[karandesai2005]

Summary

Adds an Interface option to Rex::Socket::Parameters so callers can
bind a socket to a specific network interface by name:

Rex::Socket::Udp.create('Interface' => 'eth0', ...)
Rex::Socket::Tcp.create('Interface' => 'eth0', ...)
Rex::Socket::TcpServer.create('Interface' => 'eth0', ...)

This is needed for broadcast-capable sockets (e.g. the DHCP server module)
where binding by IP address alone is insufficient — the socket must be bound
to a specific interface to send and receive broadcast frames correctly.

Changes

• lib/rex/socket/parameters.rb — adds interface attribute, parsed from
  the 'Interface' hash key, whitespace-stripped, nil by default
• lib/rex/socket/comm/local.rb — two additions inside create_by_type:
  1. Guard: raises Rex::BindFailed immediately if Interface is combined
     with a proxy (incompatible by design)
  2. Calls setsockopt(SOL_SOCKET, SO_BINDTODEVICE, interface) after the
     normal bind block, before SO_BROADCAST — Linux only. Non-Linux
     platforms raise Rex::BindFailed (macOS IP_BOUND_IF is not available
     in the current Ruby stdlib and can be added as a follow-up)
• spec/rex/socket/parameters_spec.rb — new #interface describe block
• spec/rex/socket/comm/local_spec.rb — new Interface option describe
  block covering proxy guard, invalid interface name, loopback success
  (root-guarded), and non-Linux platform

Testing

bundle exec rspec spec/ --format documentation
# 178 examples, 0 failures, 3 pending (root-only / platform-specific skips)

Notes

• All RuboCop offenses in the diff are pre-existing in these files
• macOS support can be added in a follow-up PR once IP_BOUND_IF
  availability across Ruby versions is confirmed
• Closes #21114
• Part of Support for pivoted broadcast traffic metasploit-framework#21113

[karandesai2005]

I've pushed an update addressing both points:

• Added descriptive reason: messages to all Rex::BindFailed raises so failures are clearer (proxy conflict, invalid interface, permissions, unsupported platform)
• Added a macOS branch using IP_BOUND_IF, guarded by defined?(::Socket::IP_BOUND_IF)

Would love your thoughts on whether this covers the macOS case, and any suggestions for Windows support as well.

[karandesai2005]

pushed an update addressing your feedback:

• Added descriptive reason: messages to all Rex::BindFailed raises
  (proxy conflict, interface not found, insufficient permissions, unsupported platform)
• Explicitly handle Windows as unsupported with a clear error message
• Retained macOS support using IP_BOUND_IF, guarded with defined?

Also re-ran the full test suite with elevated permissions:

• 178 examples, 0 failures (1 pending due to platform-specific skip)

[karandesai2005]

@zeroSteiner following up on our Slack discussion — pushed the
Windows implementation as agreed.

Platform matrix is now complete:

Platform	Mechanism	Root required
Linux	SO_BINDTODEVICE	Yes
macOS	IP_BOUND_IF via getifaddrs + ifindex	No
Windows	resolve interface name → IP via getifaddrs, override param.localhost	No

Also did a hardening pass:

• Replaced Socket.if_nametoindex with getifaddrs + ifindex since
  the former isn't available in all Ruby builds
• Added rescue SystemCallError to prevent socket leaks on unexpected errors
• Windows error messages now distinguish between interface not found vs
  interface exists but has no IPv4 address

Manually verified on Linux (all three cases pass), Windows approach
confirmed working via your test results.

178 tests, 0 failures. Ready for final review whenever you get a chance.

[smcintyre-r7]

Suggested change

	self.interface = hash['Interface'].to_s.strip if hash['Interface']
	self.interface = hash['Interface'].to_s.strip if hash['Interface'] && !hash['Interface'].strip.empty?

[smcintyre-r7]

The parameters has a #v6 attribute

rex-socket/lib/rex/socket/parameters.rb

Lines 206 to 215 in 146bc6b

	# Whether to force IPv6 addressing
	if hash['IPv6'].nil?
	# if IPv6 isn't specified and at least one host is an IPv6 address and the
	# other is either nil, a hostname or an IPv6 address, then use IPv6
	self.v6 = (Rex::Socket.is_ipv6?(self.localhost) || Rex::Socket.is_ipv6?(self.peerhost)) && \
	(self.localhost.nil? || !Rex::Socket.is_ipv4?(self.localhost)) && \
	(self.peerhost.nil? || !Rex::Socket.is_ipv4?(self.peerhost))
	else
	self.v6 = hash['IPv6']
	end

When that's set the address should be IPv6 and we'd want to select a v6 address not an v4 address. At this time, it's safe to assume that if it's not IPv6 that it's IPv4 because in practice we only support AF_INET and AF_INET6 nothing like AF_UNIX but maybe someday.

[smcintyre-r7]

Would you mind please adding a comment here summarizing why we're doing this? We/I will surely forget in the future how we landed on this solution.

[smcintyre-r7]

I think this approach may need to be modified ever so slightly. If we do this, then the param the caller passed us will be mutated and after this function has returned, the #localhost address the caller had originally set will be different. I think the easiest fix might be to update this to:

Suggested change

	param.localhost = iface_ip
	param = param.dup # avoid mutating the caller's instance
	param.localhost = iface_ip

Alternatively you'd need to use a localhost local variable in this scope, defaulting to param.localhost and bind to that directly.

[karandesai2005]

@smcintyre-r7 addressed all four points:

1. Interface param now guards against whitespace-only strings
2. Added comment explaining the proxy guard decision
3. Added param.dup before mutating localhost
4. Windows getifaddrs loop now selects IPv6 when param.v6
   is true, IPv4 otherwise — error message updated to match

178 tests, 0 failures.