svn commit: r186955 - in head/sys: conf netinet

Adrian Chadd adrian at
Fri Jan 9 10:52:06 PST 2009

2009/1/9 Max Laier <max at>:

> Speaking of disabling it ... setting the sysctl to 0 is not really enough to
> do that.  One would also have to walk through the active sockets and GC any
> that are bound to nonlocal addresses to really disable it ... or do we rely on
> tcpdrop or the like to do that manually?  Of course it would make sense to
> have something like this:  start tproxy, bind forwarding ports, disable
> sysctl, raise securelevel
> In addition, should there be a priv(9) check in ip_ctloutput?

For which priv? Surely you don't really want people running services as root? :)

gnn and I talked about this a bit on IRC, and I was waiting for
rwatson to come online before posting a followup. Linux's
implementation of this stuff uses the CAP_NET_ADMIN capability to
define whether a process can do this or not. So users would start
Squid as root, Squid would acquire CAP_NET_ADMIN, drop root, and then
use it whenever required.

Also, this is an option set on bind() on an outbound socket, not a
listen() socket. You'd bind() to the client IP you're pretending to
be, then connect() to the server destination. You can't raise
securelevel/disable sysctl in the way you described.
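The outbound sequence Adrian describes above, as an added example written for this page (it is not code from r186955, from Squid, or from anyone in the thread): set the non-local bind option on a fresh socket, bind() it to the client address the proxy is impersonating, then connect() to the origin server. It assumes the option is IP_BINDANY on FreeBSD and IP_TRANSPARENT on Linux (the latter being the CAP_NET_ADMIN-gated option mentioned in the reply); 192.0.2.1 and 198.51.100.10 are constructed documentation addresses, not hosts anyone should reach.

```c
/* Added example, not code from the commit or from this thread.
 * Assumptions: IP_BINDANY (FreeBSD) / IP_TRANSPARENT (Linux) is the
 * non-local bind option; the addresses below are constructed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#define NONLOCAL_BIND_OPT IP_BINDANY      /* assumed: priv(9)-gated */
#elif defined(__linux__)
#define NONLOCAL_BIND_OPT IP_TRANSPARENT  /* gated by CAP_NET_ADMIN */
#else
#error "no non-local bind socket option known for this platform"
#endif

/* Map the two errnos a proxy is likely to see here to the thread's terms. */
const char *explain_bind_error(int err)
{
    switch (err) {
    case EPERM:         return "privilege check refused the non-local bind option";
    case EADDRNOTAVAIL: return "address is not local and non-local bind is not enabled";
    default:            return strerror(err);
    }
}

/* Open a TCP socket, optionally enable the non-local bind option, and
 * bind() it to src_ip with port 0 (the kernel picks an ephemeral port).
 * Returns the fd, or -1 with the failing errno stored in *err. */
int open_spoofed_source(const char *src_ip, int use_nonlocal_opt, int *err)
{
    struct sockaddr_in src;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) {
        *err = errno;
        return -1;
    }
    /* The option belongs to each new outbound socket and must be set
     * before bind(); a proxy needs it for every connection it opens,
     * so it cannot be used once at start-up and then locked away. */
    if (use_nonlocal_opt &&
        setsockopt(fd, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof(one)) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    memset(&src, 0, sizeof(src));
    src.sin_family = AF_INET;
    src.sin_port = 0;
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) {
        *err = EINVAL;
        close(fd);
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    *err = 0;
    return fd;
}

/* Full proxy-side sequence: bind as the client, then connect() to the
 * origin server. Returns the connected fd, or -1 with errno in *err. */
int connect_as_client(const char *client_ip, const char *server_ip,
                      uint16_t server_port, int *err)
{
    struct sockaddr_in dst;
    int fd = open_spoofed_source(client_ip, 1, err);

    if (fd < 0)
        return -1;
    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(server_port);
    if (inet_pton(AF_INET, server_ip, &dst.sin_addr) != 1) {
        *err = EINVAL;
        close(fd);
        return -1;
    }
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) {
        *err = errno;
        close(fd);
        return -1;
    }
    *err = 0;
    return fd;
}

int main(void)
{
    int err;
    int fd = open_spoofed_source("192.0.2.1", 0, &err);
    printf("bind without option: %s\n", fd < 0 ? explain_bind_error(err) : "ok");
    if (fd >= 0) close(fd);

    fd = connect_as_client("192.0.2.1", "198.51.100.10", 80, &err);
    printf("bind+connect with option: %s\n", fd < 0 ? explain_bind_error(err) : "ok");
    if (fd >= 0) close(fd);
    return 0;
}
```

Run unprivileged, the first bind() fails with EADDRNOTAVAIL because 192.0.2.1 is not a local address, and the second step fails at setsockopt() with EPERM: that EPERM is the privilege check the thread is asking about, and a proxy that has dropped root but kept CAP_NET_ADMIN (on Linux) gets past it. Replace the constructed addresses with a real client and server before expecting connect() to complete; against an unroutable address it will sit in the normal TCP connect timeout.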


More information about the svn-src-head mailing list