xddxdd · xddxdd · Feb 4, 2026 · Feb 2, 2026 · Feb 2, 2026
diff --git a/frontend/go.mod b/frontend/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/magiconair/properties v1.8.10
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
+	golang.org/x/sys v0.29.0
 )
 
 require (
@@ -22,6 +23,5 @@ require (
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 )
diff --git a/frontend/lgproxy.go b/frontend/lgproxy.go
@@ -20,6 +20,7 @@ type channelData struct {
 func createConnectionTimeoutRoundTripper(timeout int) http.RoundTripper {
 	context := net.Dialer{
 		Timeout: time.Duration(timeout) * time.Second,
+		Control: vrfControl(setting.vrf),
 	}
 
 	// Prefer httpmock's transport if activated, so unit tests can work

diff --git a/frontend/main.go b/frontend/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"net"
 	"os"
 	"strings"
@@ -27,6 +28,7 @@ type settingType struct {
 	timeOut           int
 	connectionTimeOut int
 	trustProxyHeaders bool
+	vrf               string
 }
 
 var setting settingType
@@ -48,7 +50,8 @@ func main() {
 				if !strings.Contains(listenAddr, ":") {
 					listenAddr = ":" + listenAddr
 				}
-				l, err = net.Listen("tcp", listenAddr)
+				lc := net.ListenConfig{Control: vrfControl(setting.vrf)}
+				l, err = lc.Listen(context.Background(), "tcp", listenAddr)
 			}
 
 			if err != nil {

diff --git a/frontend/settings.go b/frontend/settings.go
@@ -28,6 +28,7 @@ type viperSettingType struct {
 	TimeOut           int      `mapstructure:"timeout"`
 	ConnectionTimeOut int      `mapstructure:"connection_timeout"`
 	TrustProxyHeaders bool     `mapstructure:"trust_proxy_headers"`
+	Vrf               string   `mapstructure:"vrf"`
 }
 
 // Parse settings with viper, and convert to legacy setting format
@@ -104,6 +105,9 @@ func parseSettings() {
 	pflag.Bool("trust-proxy-headers", false, "Trust X-Forwared-For, X-Real-IP, X-Forwarded-Proto, X-Forwarded-Scheme and X-Forwarded-Host sent by the client")
 	viper.BindPFlag("trust_proxy_headers", pflag.Lookup("trust-proxy-headers"))
 
+	pflag.String("vrf", "", "VRF device to bind TCP sockets to (Linux only)")
+	viper.BindPFlag("vrf", pflag.Lookup("vrf"))
+
 	pflag.Parse()
 
 	if err := viper.ReadInConfig(); err != nil {
@@ -155,6 +159,7 @@ func parseSettings() {
 	setting.timeOut = viperSettings.TimeOut
 	setting.connectionTimeOut = viperSettings.ConnectionTimeOut
 	setting.trustProxyHeaders = viperSettings.TrustProxyHeaders
+	setting.vrf = viperSettings.Vrf
 
 	fmt.Printf("%#v\n", setting)
 }
diff --git a/frontend/vrf_linux.go b/frontend/vrf_linux.go
@@ -0,0 +1,27 @@
+//go:build linux
+
+package main
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// vrfControl returns a Control function that binds sockets to a VRF device
+// via SO_BINDTODEVICE. Returns nil when vrfName is empty.
+func vrfControl(vrfName string) func(network, address string, c syscall.RawConn) error {
+	if vrfName == "" {
+		return nil
+	}
+	return func(network, address string, c syscall.RawConn) error {
+		var sysErr error
+		err := c.Control(func(fd uintptr) {
+			sysErr = unix.SetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_BINDTODEVICE, vrfName)
+		})
+		if err != nil {
+			return err
+		}
+		return sysErr
+	}
+}
diff --git a/frontend/vrf_other.go b/frontend/vrf_other.go
@@ -0,0 +1,14 @@
+//go:build !linux
+
+package main
+
+import "syscall"
+
+// vrfControl returns a Control function that binds sockets to a VRF device.
+// On non-Linux platforms, VRF is not supported; panics if vrfName is non-empty.
+func vrfControl(vrfName string) func(network, address string, c syscall.RawConn) error {
+	if vrfName == "" {
+		return nil
+	}
+	panic("VRF binding is only supported on Linux")
+}
diff --git a/frontend/whois.go b/frontend/whois.go
@@ -53,7 +53,7 @@ func whois(s string) string {
 
 		whoisServer := addDefaultWhoisPort(setting.whoisServer)
 
-		conn, err := net.DialTimeout("tcp", whoisServer, 5*time.Second)
+		conn, err := (&net.Dialer{Timeout: 5 * time.Second, Control: vrfControl(setting.vrf)}).Dial("tcp", whoisServer)
 		if err != nil {
 			return err.Error()
 		}

diff --git a/proxy/go.mod b/proxy/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/magiconair/properties v1.8.10
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
+	golang.org/x/sys v0.29.0
 )
 
 require (
@@ -21,6 +22,5 @@ require (
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 )
diff --git a/proxy/main.go b/proxy/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/http"
@@ -69,6 +70,7 @@ type settingType struct {
 	tr_flags          []string
 	tr_raw            bool
 	tr_max_concurrent int
+	vrf               string
 }
 
 var setting settingType
@@ -103,7 +105,8 @@ func main() {
 				if !strings.Contains(addr, ":") {
 					addr = ":" + addr
 				}
-				l, err = net.Listen("tcp", addr)
+				lc := net.ListenConfig{Control: vrfControl(setting.vrf)}
+				l, err = lc.Listen(context.Background(), "tcp", addr)
 			}
 
 			if err != nil {

diff --git a/proxy/settings.go b/proxy/settings.go
@@ -19,6 +19,7 @@ type viperSettingType struct {
 	TracerouteFlags         string   `mapstructure:"traceroute_flags"`
 	TracerouteRaw           bool     `mapstructure:"traceroute_raw"`
 	TracerouteMaxConcurrent int      `mapstructure:"traceroute_max_concurrent"`
+	Vrf                     string   `mapstructure:"vrf"`
 }
 
 // Parse settings with viper, and convert to legacy setting format
@@ -66,6 +67,9 @@ func parseSettings() {
 	pflag.Bool("bird-restrict-cmds", true, "restrict bird commands to 'show protocols' and 'show route' only")
 	viper.BindPFlag("bird_restrict_cmds", pflag.Lookup("bird-restrict-cmds"))
 
+	pflag.String("vrf", "", "VRF device to bind TCP sockets to (Linux only)")
+	viper.BindPFlag("vrf", pflag.Lookup("vrf"))
+
 	pflag.Parse()
 
 	if err := viper.ReadInConfig(); err != nil {
@@ -117,6 +121,7 @@ func parseSettings() {
 
 	setting.tr_raw = viperSettings.TracerouteRaw
 	setting.tr_max_concurrent = viperSettings.TracerouteMaxConcurrent
+	setting.vrf = viperSettings.Vrf
 
 	fmt.Printf("%#v\n", setting)
 }
diff --git a/proxy/vrf_linux.go b/proxy/vrf_linux.go
@@ -0,0 +1,27 @@
+//go:build linux
+
+package main
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// vrfControl returns a Control function that binds sockets to a VRF device
+// via SO_BINDTODEVICE. Returns nil when vrfName is empty.
+func vrfControl(vrfName string) func(network, address string, c syscall.RawConn) error {
+	if vrfName == "" {
+		return nil
+	}
+	return func(network, address string, c syscall.RawConn) error {
+		var sysErr error
+		err := c.Control(func(fd uintptr) {
+			sysErr = unix.SetsockoptString(int(fd), unix.SOL_SOCKET, unix.SO_BINDTODEVICE, vrfName)
+		})
+		if err != nil {
+			return err
+		}
+		return sysErr
+	}
+}
diff --git a/proxy/vrf_other.go b/proxy/vrf_other.go
@@ -0,0 +1,14 @@
+//go:build !linux
+
+package main
+
+import "syscall"
+
+// vrfControl returns a Control function that binds sockets to a VRF device.
+// On non-Linux platforms, VRF is not supported; panics if vrfName is non-empty.
+func vrfControl(vrfName string) func(network, address string, c syscall.RawConn) error {
+	if vrfName == "" {
+		return nil
+	}
+	panic("VRF binding is only supported on Linux")
+}