Date: Tue, 26 May 2009 15:55:47 +0200 From: Pawel Jakub Dawidek <pjd@FreeBSD.org> To: freebsd-arch@FreeBSD.org Cc: adrian@FreeBSD.org, trasz@FreeBSD.org, julian@elischer.org Subject: IP_NONLOCALOK improvements. Message-ID: <20090526135547.GE1491@garage.freebsd.pl>
Now that we have the IP_NONLOCALOK IP socket option (which is something I need a lot for my company's stuff) I started to hack on it a bit.

OpenBSD has had the SO_BINDANY SOL_SOCKET option for some time now. So first of all I wanted to do the same for FreeBSD. Unfortunately we ran out of space in so_options - it is u_short and all possible values are already taken. As a side note, there is the SO_NO_DDP option that is used only in the cxgb driver and nowhere else. This seems like a waste of a very important bit (sooner or later someone will need yet another socket option).

All in all I went with a rename to make it at least similar to OpenBSD's option. I left it as an IPPROTO_IP option: IP_BINDANY. I also implemented support for IPv6 and raw IP sockets (based on OpenBSD sources) (IPV6_BINDANY). I added a new privilege - PRIV_NETINET_BINDANY, because we do have to check for privilege before allowing its use. I removed the kernel option to enable it; I see no reason not to have it in GENERIC. I also removed the sysctl to enable it - we have the privilege for limiting its use.

The patch is here:

	http://people.freebsd.org/~pjd/patches/bindany.patch

I tested it for AF_INET TCP, UDP and RAW (ICMP) sockets, but I'm not set up to test it for IPv6. If someone could test it for IPv6, it'd be great. SCTP also has to be tested.

All you need to do after creating a socket is:

	int opt = 1;
	/* For IPv4. */
	setsockopt(sock, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt));
	/* For IPv6. */
	setsockopt(sock, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt));

Then you should be able to call bind(2) with any address you want (it doesn't have to be bound to any of your interfaces anymore). Once you do that you might want to send a packet to test it and observe incoming packets on the connected machine. For UDP/TCP testing I've a small program, which I can provide.

For RAW IP sockets, I slightly modified ping (just added the above setsockopt() call), so I was able to use the -S option with any address.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
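Added example (editor's code, not from the message or the patch): a helper that wraps the setsockopt()+bind() sequence described above for either address family. It assumes the IP_BINDANY and IPV6_BINDANY names from the patch and compiles the option in only where the platform headers define them, so on other systems it degrades to a plain bind(); a setsockopt() failure with EPERM is the PRIV_NETINET_BINDANY check denying the caller.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Create a socket of the given family/type, request IP_BINDANY or
 * IPV6_BINDANY (only where the headers define them, i.e. a FreeBSD with
 * the patch applied), and bind it to addr:port.  Returns the descriptor
 * on success or -errno on failure; an unparsable address gives -EINVAL. */
int bind_any(int family, int type, const char *addr, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int fd, opt = 1, saved;
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        sin->sin_family = AF_INET; sin->sin_port = htons(port);
        if (inet_pton(AF_INET, addr, &sin->sin_addr) != 1)
            return -EINVAL;
        len = sizeof(*sin);
    } else if (family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
        sin6->sin6_family = AF_INET6; sin6->sin6_port = htons(port);
        if (inet_pton(AF_INET6, addr, &sin6->sin6_addr) != 1)
            return -EINVAL;
        len = sizeof(*sin6);
    } else
        return -EAFNOSUPPORT;
    if ((fd = socket(family, type, 0)) < 0)
        return -errno;
    (void)opt; /* only used where the BINDANY options exist */
#ifdef IP_BINDANY
    /* EPERM here means the caller lacks PRIV_NETINET_BINDANY. */
    if (family == AF_INET && setsockopt(fd, IPPROTO_IP, IP_BINDANY, &opt, sizeof(opt)) < 0)
        goto fail;
#endif
#ifdef IPV6_BINDANY
    if (family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6, IPV6_BINDANY, &opt, sizeof(opt)) < 0)
        goto fail;
#endif
    /* With the option set, a non-local addr is accepted here; without it
     * (or without the privilege) the kernel rejects it as before. */
    if (bind(fd, (struct sockaddr *)&ss, len) < 0)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    return -saved;
}
```

Binding to a wildcard or interface address works with or without the option, which is a convenient way to confirm the helper itself before trying a non-local address on a patched kernel.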