IP_NONLOCALOK improvements.

Pawel Jakub Dawidek pjd at FreeBSD.org
Tue May 26 14:18:54 UTC 2009 

Now that we have IP_NONLOCALOK IP socket option (which is something I
need a lot for my company's stuff) I started to hack on it a bit.

OpenBSD has SO_BINDANY SOL_SOCKET option for some time now. So first of
all I wanted to do the same for FreeBSD. Unfortunately we ran out of
space in so_options - it is u_short and all possible values are already
taken. As a side note there is SO_NO_DDP option that is used only in
cxgb driver and nowhere else. This seems like a waste of very important
bit (sonner or later someone will need yet another socket option).

All in all I went with rename to make at least similar to OpenBSD's
option. I left it as IPPROTO_IP option: IP_BINDANY.

I also implemented support for IPv6 and raw IP sockets (based on OpenBSD
sources) (IPV6_BINDANY).

I added new privilege - PRIV_NETINET_BINDANY, because we do have to
check for privilege before allowing to use it.

I removed kernel option to enable it, I see to reason not to have it in
GENERIC.

I also removed sysctl to enable it - we have privilege for limiting its use.

The patch is here:

	http://people.freebsd.org/~pjd/patches/bindany.patch

I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not
setup to test it for IPv6. If someone could test it for IPv6, it'd be
great. SCTP also has to be tested.

All you need to do after creating a socket is:

	int opt = 1;
	/* For IPv4. */
	setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
	/* For IPv6. */
	setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));

Then you should be able to call bind(2) with any address you want
(doesn't have to be bound to any of your interfaces anymore).

Once you do that you might want to send a packet to test it and observe
incoming packets on connected machine.

For UDP/TCP testing I've a small program, which I can provide. For RAW
IP socket, I slighty modified ping (just added the above setsockopt()
call), so I was able to use -S option with any address.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20090526/0722a07d/attachment.pgp

More information about the freebsd-arch mailing list