Since Linux 5.7 (see linux/c427bfec18f21) non-root users are allowed to bind a socket using SO_BINDTODEVICE as long as the socket is not already bound.

When using BGP with VRFs, BIRD correctly binds the listening socket to the VRF but also re-binds the accept()'d socket to the same VRF. This is not needed as the interface bind is inherited in this case, and indeed this redundant bind causes an -EPERM if BIRD is running as non-root, making BIRD close the connection and reject the peer.

We change the behaviour of the generic sk_setup to first query the socket and see if the socket is already correctly bound, and call setsockopt(SO_BINDTODEVICE) iff it is truly needed. In addition, since the getsockopt(SO_BINDTODEVICE) was implemented in Linux 3.8 or otherwise might be blocked in existing installations, we quietly fall back to the previous behavior if the getsockopt call fails.

Test case: Run BIRD as a non-root user (and no extra capabilities) using passive BGP inside a VRF. Before the patch observe the error:

    "<ERR> SOCK: Incoming connection: SO_BINDTODEVICE: Operation not permitted"

    protocol bgp AS1234_1 {
      [..]
      vrf "VrfTest";
      passive on;
    }

After the patch this works as expected.

Patch is attached to this message but if it falls off it can also be found at:
https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1...

There is also a simple utility to test the behavior of rebinding sockets at:
https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1...

Thanks for your consideration,