IP_NONLOCALOK improvements.

Julian Elischer julian at elischer.org
Wed May 27 06:06:02 UTC 2009


Pawel Jakub Dawidek wrote:
> Now that we have IP_NONLOCALOK IP socket option (which is something I
> need a lot for my company's stuff) I started to hack on it a bit.
> 
> OpenBSD has SO_BINDANY SOL_SOCKET option for some time now. So first of
> all I wanted to do the same for FreeBSD. Unfortunately we ran out of
> space in so_options - it is u_short and all possible values are already
> taken. As a side note there is SO_NO_DDP option that is used only in
> cxgb driver and nowhere else. This seems like a waste of very important
> bit (sooner or later someone will need yet another socket option).


when I wrote the NONLOCAL stuff I was abstracting functionality that
IronPort have in their system. What they have though can not be
turned off or disabled. That part was added just for the public
version. I didn't know of the OpenBSD code or I might have tried to
make it compatible. The test is done in the IP code so therefore it
was easiest to make it an IP option, though I implemented it in a
slightly non-IP specific manner.


> 
> All in all I went with rename to make it at least similar to OpenBSD's
> option. I left it as IPPROTO_IP option: IP_BINDANY.

well, ok, a rose by any other name would smell as sweet.
As I said I was not aware of the OpenBSD code, but I don't like
their choice of name as it doesn't really describe what it does.

> 
> I also implemented support for IPv6 and raw IP sockets (based on OpenBSD
> sources) (IPV6_BINDANY).

ok, good idea.

> 
> I added new privilege - PRIV_NETINET_BINDANY, because we do have to
> check for privilege before allowing to use it.

I am not sure about this. If a system has this enabled then I presume
it is a special system and not a generally available time-sharing system.

How do you allow a process to have this privilege? Are you forcing
them to be root for now?

> 
> I removed kernel option to enable it, I see no reason not to have it in
> GENERIC.

Because it adds complexity and because some people do not want it even
possible.
You are enabling NON-standard, (in fact "Standard-ignoring")
behaviour.


> 
> I also removed sysctl to enable it - we have privilege for limiting its use.

I disagree very strongly about this one. I would like to
1/ have to explicitly compile in this non-standard behaviour and

2/ turn it on

before we start doing this.


I know how useful this is to have, (from my own experience)
but feel strongly that this is pretty bad behaviour for most systems
and can facilitate all sorts of security worries.


> 
> The patch is here:
> 
> 	http://people.freebsd.org/~pjd/patches/bindany.patch
> 
> I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not
> setup to test it for IPv6. If someone could test it for IPv6, it'd be
> great. SCTP also has to be tested.
> 
> All you need to do after creating a socket is:
> 
> 	int opt = 1;
> 	/* For IPv4. */
> 	setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
> 	/* For IPv6. */
> 	setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));
> 
> Then you should be able to call bind(2) with any address you want
> (doesn't have to be bound to any of your interfaces anymore).
> 
> Once you do that you might want to send a packet to test it and observe
> incoming packets on connected machine.
> 
> For UDP/TCP testing I've a small program, which I can provide. For RAW
> IP socket, I slightly modified ping (just added the above setsockopt()
> call), so I was able to use -S option with any address.

I notice that you don't say how to enable the priv.
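The setsockopt()/bind() sequence quoted above, written out as an added example that is not from the thread or from the patch: it enables IP_BINDANY (or IPV6_BINDANY) on a socket, binds a UDP socket to an address that is not configured on any local interface, and tells the caller apart the three outcomes the discussion turns on: the bind succeeds, the kernel refuses the option because the process lacks PRIV_NETINET_BINDANY (EPERM), or the kernel's headers do not define the option at all (reported here as ENOPROTOOPT, an assumption of this example, not kernel behaviour). 192.0.2.1 is a constructed TEST-NET-1 address used only so the bind is guaranteed non-local; the helper names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Turn on "bind to any address" for fd. With the patch discussed in the
 * thread the kernel runs a PRIV_NETINET_BINDANY check first, so EPERM
 * means "no privilege". If this kernel's headers lack the option we
 * fail with ENOPROTOOPT ourselves (assumed convention of this example). */
static int enable_bindany(int fd, int family)
{
    int on = 1;
#ifdef IP_BINDANY
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &on, sizeof(on));
#endif
#ifdef IPV6_BINDANY
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &on, sizeof(on));
#endif
    (void)on; (void)fd; (void)family;
    errno = ENOPROTOOPT;
    return -1;
}

/* Classify the failures a caller should distinguish: missing privilege,
 * unsupported kernel, or a non-local bind attempted without the option. */
static const char *bindany_errstr(int err)
{
    switch (err) {
    case EPERM:         return "privilege denied (PRIV_NETINET_BINDANY)";
    case ENOPROTOOPT:   return "kernel does not support IP_BINDANY";
    case EADDRNOTAVAIL: return "address is not local and bindany is off";
    default:            return strerror(err);
    }
}

/* Create a UDP socket and bind it to an arbitrary IPv4 address.
 * Returns the fd on success, -1 with errno set otherwise. */
static int bind_nonlocal_udp4(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (enable_bindany(fd, AF_INET) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd); errno = EINVAL; return -1;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Self-check against the constructed non-local address 192.0.2.1.
 * Returns 0 when the outcome is one of the expected ones (bound because
 * privileged and supported, EPERM, or ENOPROTOOPT) and 1 otherwise. */
static int bindany_selftest(void)
{
    int fd = bind_nonlocal_udp4("192.0.2.1", 0);
    if (fd >= 0) { close(fd); return 0; }
    if (errno == EPERM || errno == ENOPROTOOPT)
        return 0;
    return 1;
}

int main(void)
{
    int fd = bind_nonlocal_udp4("192.0.2.1", 0);
    if (fd < 0) {
        fprintf(stderr, "bindany: %s\n", bindany_errstr(errno));
        return 1;
    }
    puts("bound UDP socket to non-local 192.0.2.1");
    close(fd);
    return 0;
}
```

Run as an unprivileged user on a kernel with the patch, the program reports the privilege denial rather than a generic bind failure, which is the case Julian asks about (how a process is granted the privilege); on a kernel without the option it reports that instead of attempting a bind that would fail with EADDRNOTAVAIL.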

More information about the freebsd-arch mailing list