svn commit: r186955 - in head/sys: conf netinet
adrian at freebsd.org
Fri Jan 9 10:52:06 PST 2009
2009/1/9 Max Laier <max at love2party.net>:
> Speaking of disabling it ... setting the sysctl to 0 is not really enough to
> do that. One would also have to walk through the active sockets and GC any
> that are bound to nonlocal addresses to really disable it ... or do we rely on
> tcpdrop or the like to do that manually? Of course it would make sense to
> have something like this: start tproxy, bind forwarding ports, disable
> sysctl, raise securelevel
> In addition, should there be a priv(9) check in ip_ctloutput?
For which priv? Surely you don't really want people running services as root? :)
gnn and I talked about this a bit on IRC, and I was waiting for
rwatson to come online before posting a followup. Linux's
implementation of this stuff uses the CAP_NET_ADMIN capability to
define whether a process can do this or not. So users would start
Squid as root, Squid would acquire CAP_NET_ADMIN, drop root, and then
use it whenever required.
Also, this is an option set on bind() on an outbound socket, not a
listen() socket. You'd bind() to the client IP you're pretending to
be, then connect() to the server destination. You can't raise
securelevel/disable sysctl in the way you described.
More information about the svn-src-head