svn commit: r186955 - in head/sys: conf netinet

Attila Nagy bra at
Fri Jan 9 13:44:30 PST 2009

Julian Elischer wrote:
> Attila Nagy wrote:
>> Hello,
>> Adrian Chadd wrote:
>>> Author: adrian
>>> Date: Fri Jan  9 16:02:19 2009
>>> New Revision: 186955
>>> URL:
>>> Log:
>>>   Implement a new IP option (not compiled/enabled by default) to allow
>>>   applications to specify a non-local IP address when bind()'ing a 
>>> socket
>>>   to a local endpoint.
>>>     This allows applications to spoof the client IP address of 
>>> connections
>>>   if (obviously!) they somehow are able to receive the traffic normally
>>>   destined to said clients.
>>>     This patch doesn't include any changes to ipfw or the bridging 
>>> code to
>>>   redirect the client traffic through the PCB checks so TCP gets a shot
>>>   at it. The normal behaviour is that packets with a non-local 
>>> destination
>>>   IP address are not handled locally. This can be dealth with some 
>>> IPFW hackery;
>>>   modifications to IPFW to make this less hacky will occur in 
>>> subsequent
>>>   commmits.
>>>     Thanks to Julian Elischer and others at Ironport. This work was 
>>> approved
>>>   and donated before Cisco acquired them.
>>>     Obtained from:    Julian Elischer and others
>>>   MFC after:    2 weeks
>> Wouldn't it be better to implement existing interfaces for that?
>> OpenBSD has a SO_BINDANY socket option and it seems it's also in BSD/OS:
> good point
BTW, it also makes easier to port OpenBSD's relayd (and of course other 
applications relying on this). pf has some related changes there too, 
which helps programs to use this feature.

More information about the svn-src-head mailing list