IP_NONLOCALOK improvements.
Julian Elischer
julian at elischer.org
Wed May 27 06:06:02 UTC 2009
Pawel Jakub Dawidek wrote:
> Now that we have IP_NONLOCALOK IP socket option (which is something I
> need a lot for my company's stuff) I started to hack on it a bit.
>
> OpenBSD has SO_BINDANY SOL_SOCKET option for some time now. So first of
> all I wanted to do the same for FreeBSD. Unfortunately we ran out of
> space in so_options - it is u_short and all possible values are already
> taken. As a side note there is SO_NO_DDP option that is used only in
> cxgb driver and nowhere else. This seems like a waste of a very important
> bit (sooner or later someone will need yet another socket option).
When I wrote the NONLOCAL stuff I was abstracting functionality that
IronPort have in their system. What they have though can not be
turned off or disabled. That part was added just for the public
version. I didn't know of the OpenBSD code or I might have tried to
make it compatible. The test is done in the IP code so therefore it
was easiest to make it an IP option, though I implemented it in a
slightly non-IP specific manner.
>
> All in all I went with a rename to make it at least similar to OpenBSD's
> option. I left it as an IPPROTO_IP option: IP_BINDANY.
Well, ok, a rose by any other name would smell as sweet.
As I said I was not aware of the OpenBSD code, but I don't like
their choice of name as it doesn't really describe what it does.
>
> I also implemented support for IPv6 and raw IP sockets (based on OpenBSD
> sources) (IPV6_BINDANY).
ok, good idea.
>
> I added a new privilege - PRIV_NETINET_BINDANY, because we do have to
> check for privilege before allowing its use.
I am not sure about this. If a system has this enabled then I presume
it is a special system and not a generally available time-sharing system.
How do you allow a process to have this privilege? Are you forcing
them to be root for now?
>
> I removed the kernel option to enable it, I see no reason not to have it in
> GENERIC.
Because it adds complexity and because some people do not want it even
possible.
You are enabling NON-standard (in fact "standard-ignoring")
behaviour.
>
> I also removed the sysctl to enable it - we have a privilege for limiting its use.
I disagree very strongly about this one. I would like to
1/ have to explicitly compile in this non-standard behaviour and
2/ turn it on
before we start doing this.
I know how useful this is to have (from my own experience),
but feel strongly that this is pretty bad behaviour for most systems
and can facilitate all sorts of security worries.
>
> The patch is here:
>
> http://people.freebsd.org/~pjd/patches/bindany.patch
>
> I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not
> setup to test it for IPv6. If someone could test it for IPv6, it'd be
> great. SCTP also has to be tested.
>
> All you need to do after creating a socket is:
>
> int opt = 1;
> /* For IPv4. */
> setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
> /* For IPv6. */
> setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));
>
> Then you should be able to call bind(2) with any address you want
> (doesn't have to be bound to any of your interfaces anymore).
>
> Once you do that you might want to send a packet to test it and observe
> incoming packets on connected machine.
>
> For UDP/TCP testing I have a small program, which I can provide. For the RAW
> IP socket, I slightly modified ping (just added the above setsockopt()
> call), so I was able to use the -S option with any address.
I notice that you don't say how to enable the priv.
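The setsockopt()/bind() sequence quoted above, as an added example that is not part of the patch or of either message in this thread. It tries to bind a TCP socket to 192.0.2.1 (TEST-NET-1, chosen on the assumption that no local interface carries it) first without and then with the bind-any option, and classifies the outcome the way a caller on a system with the privilege check would need to: EADDRNOTAVAIL when the kernel still enforces the local-address check, EPERM/EACCES when the privilege is refused, ENOPROTOOPT when the kernel was built without the option. IP_BINDANY is the FreeBSD spelling from the message; the IP_FREEBIND fallback is an assumption added only so the program also builds and runs on Linux.

```c
/* Added example, not code from the patch or the thread. Assumes IP_BINDANY
 * (FreeBSD, as in the message above) or, as a portability assumption,
 * IP_FREEBIND on Linux. 192.0.2.1 is assumed not to be a local address. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum bind_result {
    BIND_OK,          /* bind(2) accepted a non-local address */
    BIND_NOT_LOCAL,   /* EADDRNOTAVAIL: the usual "is it one of my addresses?" check fired */
    BIND_NO_PRIV,     /* EPERM/EACCES: the option or the bind was refused for lack of privilege */
    BIND_NO_OPTION,   /* ENOPROTOOPT: this kernel has no bind-any option at all */
    BIND_NO_SOCKET,   /* socket(2) itself failed (e.g. inside a restricted sandbox) */
    BIND_OTHER        /* anything else, including a bad address string */
};

/* Map the errno a caller must handle onto the outcomes above. */
static enum bind_result classify(int err)
{
    switch (err) {
    case EADDRNOTAVAIL: return BIND_NOT_LOCAL;
    case EPERM:
    case EACCES:        return BIND_NO_PRIV;
    case ENOPROTOOPT:   return BIND_NO_OPTION;
    default:            return BIND_OTHER;
    }
}

/* Bind a fresh TCP socket to addr:port. With bindany != 0, first ask the
 * kernel to skip the local-address check. The raw errno is left in *err. */
enum bind_result try_bind(const char *addr, uint16_t port, int bindany, int *err)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        *err = EINVAL;
        return BIND_OTHER;
    }

    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        *err = errno;
        return BIND_NO_SOCKET;
    }

    if (bindany) {
        int one = 1;
#if defined(IP_BINDANY)
        int name = IP_BINDANY;    /* FreeBSD: the option discussed in the thread */
#elif defined(IP_FREEBIND)
        int name = IP_FREEBIND;   /* Linux: closest equivalent (assumption, for portability) */
#else
        int name = -1;            /* neither known: report it as ENOPROTOOPT */
#endif
        if (name < 0 || setsockopt(s, IPPROTO_IP, name, &one, sizeof(one)) < 0) {
            *err = (name < 0) ? ENOPROTOOPT : errno;   /* save before close() clobbers errno */
            close(s);
            return classify(*err);
        }
    }

    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        *err = errno;
        close(s);
        return classify(*err);
    }
    close(s);
    *err = 0;
    return BIND_OK;
}

int main(void)
{
    static const char *names[] = { "OK", "NOT_LOCAL", "NO_PRIV", "NO_OPTION", "NO_SOCKET", "OTHER" };
    int err;
    enum bind_result r;

    r = try_bind("192.0.2.1", 0, 0, &err);   /* port 0: let the kernel pick one */
    printf("without bind-any: %s (%s)\n", names[r], err ? strerror(err) : "-");
    r = try_bind("192.0.2.1", 0, 1, &err);
    printf("with bind-any:    %s (%s)\n", names[r], err ? strerror(err) : "-");
    return 0;
}
```

Without the option the first attempt must fail with EADDRNOTAVAIL on any host that does not own 192.0.2.1; with it, the result tells you which of the policy knobs debated above is in effect: success, a privilege refusal, or a kernel that does not know the option at all.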
>
More information about the freebsd-arch
mailing list