Date: Tue, 26 May 2009 22:53:38 -0700
From: Julian Elischer <julian@elischer.org>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: adrian@FreeBSD.org, trasz@FreeBSD.org, freebsd-arch@FreeBSD.org
Subject: Re: IP_NONLOCALOK improvements.
Message-ID: <4A1CD562.9040706@elischer.org>
In-Reply-To: <20090526135547.GE1491@garage.freebsd.pl>
References: <20090526135547.GE1491@garage.freebsd.pl>
Pawel Jakub Dawidek wrote:
> Now that we have IP_NONLOCALOK IP socket option (which is something I
> need a lot for my company's stuff) I started to hack on it a bit.
>
> OpenBSD has SO_BINDANY SOL_SOCKET option for some time now. So first of
> all I wanted to do the same for FreeBSD. Unfortunately we ran out of
> space in so_options - it is u_short and all possible values are already
> taken. As a side note there is SO_NO_DDP option that is used only in
> cxgb driver and nowhere else. This seems like a waste of a very important
> bit (sooner or later someone will need yet another socket option).

When I wrote the NONLOCAL stuff I was abstracting functionality that
IronPort have in their system. What they have though can not be turned
off or disabled. That part was added just for the public version. I
didn't know of the OpenBSD code or I might have tried to make it
compatible. The test is done in the IP code so therefore it was easiest
to make it an IP option, though I implement it in a slightly non-IP
specific manner.

> All in all I went with rename to make it at least similar to OpenBSD's
> option. I left it as IPPROTO_IP option: IP_BINDANY.

Well, ok, a rose by any other name would smell as sweet. As I said I was
not aware of the OpenBSD code, but I don't like their choice of name as
it doesn't really describe what it does.

> I also implemented support for IPv6 and raw IP sockets (based on OpenBSD
> sources) (IPV6_BINDANY).

Ok, good idea.

> I added new privilege - PRIV_NETINET_BINDANY, because we do have to
> check for privilege before allowing to use it.

I am not sure about this. If a system has this enabled then I presume it
is a special system and not a generally available time-sharing system.
How do you allow a process to have this privilege? Are you forcing them
to be root for now?

> I removed kernel option to enable it, I see no reason not to have it in
> GENERIC.

Because it adds complexity and because some people do not want it even
possible. You are enabling NON-standard (in fact "standard-ignoring")
behaviour.

> I also removed sysctl to enable it - we have privilege for limiting its use.

I disagree very strongly about this one. I would like to 1/ have to
explicitly compile in this non-standard behaviour and 2/ turn it on
before we start doing this. I know how useful this is to have (from my
own experience) but feel strongly that this is pretty bad behaviour for
most systems and can facilitate all sorts of security worries.

> The patch is here:
>
> http://people.freebsd.org/~pjd/patches/bindany.patch
>
> I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not
> set up to test it for IPv6. If someone could test it for IPv6, it'd be
> great. SCTP also has to be tested.
>
> All you need to do after creating a socket is:
>
> int opt = 1;
> /* For IPv4. */
> setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
> /* For IPv6. */
> setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));
>
> Then you should be able to call bind(2) with any address you want
> (doesn't have to be bound to any of your interfaces anymore).
>
> Once you do that you might want to send a packet to test it and observe
> incoming packets on the connected machine.
>
> For UDP/TCP testing I've a small program, which I can provide. For RAW
> IP socket, I slightly modified ping (just added the above setsockopt()
> call), so I was able to use the -S option with any address.

I notice that you don't say how to enable the priv.
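The setsockopt()-then-bind(2) sequence quoted in the thread, worked into a complete program as an added example. This is editorial code, not part of the thread, of Pawel's patch, or of the FreeBSD tree. It binds a UDP socket to an address no local interface carries, once without and once with the bind-any option, and returns the errno of whichever call fails so the two behaviours can be compared. Assumptions: on FreeBSD the option is IP_BINDANY at IPPROTO_IP and IPV6_BINDANY at IPPROTO_IPV6, exactly as the message describes, and setsockopt() fails with EPERM when the caller lacks PRIV_NETINET_BINDANY; on Linux, which has no IP_BINDANY, the unrelated IP_FREEBIND / IPV6_FREEBIND options are substituted purely so the program compiles and runs there, and they are not what the patch adds. The addresses 192.0.2.1 and 2001:db8::1 are documentation-range addresses chosen because no host should have them configured; the function name bind_nonlocal is made up here.

```c
/*
 * Added example, not from the thread or the FreeBSD patch.
 * Bind a datagram socket to a non-local address with and without the
 * "bind any" socket option, returning 0 on success or the failing errno.
 *
 * Assumed option names: IP_BINDANY / IPV6_BINDANY (FreeBSD, per the
 * message); IP_FREEBIND / IPV6_FREEBIND are a Linux stand-in so the
 * program builds there and are NOT the option the patch introduces.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pick the option for the address family at compile time; opt stays 0
 * when the platform has nothing suitable. */
static void bindany_option(int family, int *level, int *opt)
{
    *level = 0;
    *opt = 0;
    if (family == AF_INET) {
#if defined(IP_BINDANY)
        *level = IPPROTO_IP;   *opt = IP_BINDANY;    /* FreeBSD, from the patch */
#elif defined(IP_FREEBIND)
        *level = IPPROTO_IP;   *opt = IP_FREEBIND;   /* Linux stand-in */
#endif
    } else if (family == AF_INET6) {
#if defined(IPV6_BINDANY)
        *level = IPPROTO_IPV6; *opt = IPV6_BINDANY;  /* FreeBSD, from the patch */
#elif defined(IPV6_FREEBIND)
        *level = IPPROTO_IPV6; *opt = IPV6_FREEBIND; /* Linux stand-in */
#endif
    }
}

/* Create a UDP socket of the given family, optionally enable bind-any,
 * then bind it to addr (port 0: only the address matters here). */
int bind_nonlocal(int family, int want_bindany, const char *addr)
{
    struct sockaddr_storage ss;
    socklen_t slen;
    int s, rc = 0, level, opt;

    if (family != AF_INET && family != AF_INET6)
        return EAFNOSUPPORT;

    s = socket(family, SOCK_DGRAM, 0);
    if (s < 0)
        return errno;

    if (want_bindany) {
        int one = 1;
        bindany_option(family, &level, &opt);
        if (opt == 0) {
            close(s);
            return ENOPROTOOPT;          /* no such option on this platform */
        }
        /* On FreeBSD this is where PRIV_NETINET_BINDANY is enforced:
         * an unprivileged caller gets EPERM back here, before bind(2). */
        if (setsockopt(s, level, opt, &one, sizeof(one)) < 0) {
            rc = errno;
            close(s);
            return rc;
        }
    }

    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        sin->sin_family = AF_INET;
        if (inet_pton(AF_INET, addr, &sin->sin_addr) != 1) {
            close(s);
            return EINVAL;
        }
        slen = sizeof(*sin);
    } else {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
        sin6->sin6_family = AF_INET6;
        if (inet_pton(AF_INET6, addr, &sin6->sin6_addr) != 1) {
            close(s);
            return EINVAL;
        }
        slen = sizeof(*sin6);
    }

    /* Without the option the stack rejects an address it does not own
     * with EADDRNOTAVAIL; with it, the bind is accepted as-is. */
    if (bind(s, (struct sockaddr *)&ss, slen) < 0)
        rc = errno;

    close(s);
    return rc;
}

int main(void)
{
    const char *v4 = "192.0.2.1";       /* TEST-NET-1, not configured locally */
    const char *v6 = "2001:db8::1";     /* documentation prefix, same idea */
    int r;

    r = bind_nonlocal(AF_INET, 0, v4);
    printf("IPv4 bind %s, no option:   %s\n", v4, r ? strerror(r) : "ok");
    r = bind_nonlocal(AF_INET, 1, v4);
    printf("IPv4 bind %s, bind-any:    %s\n", v4, r ? strerror(r) : "ok");
    r = bind_nonlocal(AF_INET6, 1, v6);
    printf("IPv6 bind %s, bind-any:  %s\n", v6, r ? strerror(r) : "ok");
    return 0;
}
```

Run it once as an ordinary user and once as root: the first bind fails with EADDRNOTAVAIL everywhere, and the bind-any case either succeeds or, on a FreeBSD kernel carrying the patch, fails with EPERM until the process holds PRIV_NETINET_BINDANY, which is the gap Julian's closing question points at. Once the bind succeeds, the socket can source datagrams from an address the host does not own, which is exactly why the thread argues over whether this should need a privilege, a sysctl, or a kernel option before it is reachable at all.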