From: Julian Elischer
To: Pawel Jakub Dawidek
Cc: adrian@FreeBSD.org, trasz@FreeBSD.org, freebsd-arch@FreeBSD.org
Date: Tue, 26 May 2009 22:53:38 -0700
Subject: Re: IP_NONLOCALOK improvements.
Message-ID: <4A1CD562.9040706@elischer.org>
In-Reply-To: <20090526135547.GE1491@garage.freebsd.pl>

Pawel Jakub Dawidek wrote:
> Now that we have IP_NONLOCALOK IP socket option (which is something I
> need a lot for my company's stuff) I started to hack on it a bit.
>
> OpenBSD has SO_BINDANY SOL_SOCKET option for some time now. So first of
> all I wanted to do the same for FreeBSD. Unfortunately we ran out of
> space in so_options - it is u_short and all possible values are already
> taken. As a side note there is SO_NO_DDP option that is used only in
> cxgb driver and nowhere else. This seems like a waste of a very important
> bit (sooner or later someone will need yet another socket option).

When I wrote the NONLOCAL stuff I was abstracting functionality that
IronPort have in their system. What they have though can not be turned
off or disabled. That part was added just for the public version.
I didn't know of the OpenBSD code or I might have tried to make it
compatible. The test is done in the IP code so therefore it was easiest
to make it an IP option, though I implement it in a slightly non-IP
specific manner.

>
> All in all I went with rename to make it at least similar to OpenBSD's
> option. I left it as IPPROTO_IP option: IP_BINDANY.

Well, ok, a rose by any other name would smell as sweet. As I said I was
not aware of the OpenBSD code, but I don't like their choice of name as
it doesn't really describe what it does.

>
> I also implemented support for IPv6 and raw IP sockets (based on OpenBSD
> sources) (IPV6_BINDANY).

ok, good idea.

>
> I added new privilege - PRIV_NETINET_BINDANY, because we do have to
> check for privilege before allowing to use it.

I am not sure about this. If a system has this enabled then I presume it
is a special system and not a generally available time-sharing system.
How do you allow a process to have this privilege? Are you forcing them
to be root for now?

>
> I removed kernel option to enable it, I see no reason not to have it in
> GENERIC.

Because it adds complexity and because some people do not want it even
possible. You are enabling NON-standard (in fact "standard-ignoring")
behaviour.

>
> I also removed sysctl to enable it - we have privilege for limiting its use.
I disagree very strongly about this one. I would like to 1/ have to
explicitly compile in this non-standard behaviour and 2/ turn it on
before we start doing this. I know how useful this is to have (from my
own experience) but feel strongly that this is pretty bad behaviour for
most systems and can facilitate all sorts of security worries.

>
> The patch is here:
>
> http://people.freebsd.org/~pjd/patches/bindany.patch
>
> I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not
> setup to test it for IPv6. If someone could test it for IPv6, it'd be
> great. SCTP also has to be tested.
>
> All you need to do after creating a socket is:
>
> int opt = 1;
> /* For IPv4. */
> setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
> /* For IPv6. */
> setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));
>
> Then you should be able to call bind(2) with any address you want
> (doesn't have to be bound to any of your interfaces anymore).
>
> Once you do that you might want to send a packet to test it and observe
> incoming packets on connected machine.
>
> For UDP/TCP testing I've a small program, which I can provide. For RAW
> IP socket, I slightly modified ping (just added the above setsockopt()
> call), so I was able to use -S option with any address.

I notice that you don't say how to enable the priv.
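As an added illustration (not code from the thread or from pjd's patch): a small C probe of the behaviour being argued over, namely the kernel's normal refusal of a bind(2) to an address the host does not own, and the IP_BINDANY request that is meant to lift it. It compiles on any POSIX system; IP_BINDANY is only used where <netinet/in.h> defines it, and 192.0.2.1 is a documentation address chosen because no host owns it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to bind a UDP socket to ip:0.  Returns 0 on success, otherwise the
 * errno of the failing call.  With want_bindany set, IP_BINDANY (the
 * option proposed in the thread) is requested before bind(); on systems
 * whose headers lack it the function reports ENOPROTOOPT instead. */
int bind_nonlocal(const char *ip, int want_bindany)
{
    struct sockaddr_in sin;
    int s, err = 0;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return EINVAL;
    if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return errno;
    if (want_bindany) {
#ifdef IP_BINDANY
        /* Where the kernel gates this on PRIV_NETINET_BINDANY, an
         * unprivileged caller is refused here rather than at bind(). */
        int one = 1;
        if (setsockopt(s, IPPROTO_IP, IP_BINDANY, &one, sizeof(one)) < 0)
            err = errno;
#else
        err = ENOPROTOOPT; /* option not present on this platform */
#endif
    }
    /* Without the option, an address this host does not own gets
     * EADDRNOTAVAIL from the kernel's local-address check. */
    if (err == 0 && bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0)
        err = errno;
    close(s);
    return err;
}

int main(void)
{
    /* 192.0.2.1 (TEST-NET-1) is a constructed, never-assigned address. */
    int plain = bind_nonlocal("192.0.2.1", 0), any = bind_nonlocal("192.0.2.1", 1);
    printf("plain bind: %s\n", plain ? strerror(plain) : "ok");
    printf("with IP_BINDANY: %s\n", any ? strerror(any) : "ok");
    return 0;
}
```

On a system where the option is compiled in and the caller holds the privilege, the second line reports "ok"; everywhere else both attempts are refused, which is the default Julian argues should be kept unless explicitly enabled.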