From owner-p4-projects@FreeBSD.ORG Mon Jan 7 22:31:57 2008
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 9EFF516A46D; Mon, 7 Jan 2008 22:31:57 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 648B416A469 for ; Mon, 7 Jan 2008 22:31:57 +0000 (UTC) (envelope-from andre@freebsd.org)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.freebsd.org (Postfix) with ESMTP id B6C7813C4E7 for ; Mon, 7 Jan 2008 22:31:56 +0000 (UTC) (envelope-from andre@freebsd.org)
Received: (qmail 2355 invoked from network); 7 Jan 2008 21:29:35 -0000
Received: from c00l3r.networx.ch (HELO [127.0.0.1]) ([62.48.2.2]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 7 Jan 2008 21:29:35 -0000
Message-ID: <4782A21C.2060504@freebsd.org>
Date: Mon, 07 Jan 2008 23:05:16 +0100
From: Andre Oppermann
User-Agent: Thunderbird 1.5.0.14 (Windows/20071210)
MIME-Version: 1.0
To: Adrian Chadd
References: <200801071418.m07EIwNn036146@repoman.freebsd.org>
In-Reply-To: <200801071418.m07EIwNn036146@repoman.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Perforce Change Reviews
Subject: Re: PERFORCE change 132710 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Jan 2008 22:31:57 -0000

Adrian Chadd wrote:
> http://perforce.freebsd.org/chv.cgi?CH=132710
>
> Change 132710 by adrian@wendy on 2008/01/07 14:18:50
>
> 	Bring over more of Julian's initial work.
>
> Affected files ...
>
> .. //depot/projects/adrian_spoof_clientip/src/share/man/man4/ip.4#2 edit
>
> Differences ...
>
> ==== //depot/projects/adrian_spoof_clientip/src/share/man/man4/ip.4#2 (text+ko) ====
> > @@ -292,6 +292,29 @@ > cmsg_type = IP_RECVIF > .Ed > .Pp > +If the > +.Dv IP_NONLOCALOK > +options is set then the checking of local bind addresses against addresses > +assigned to local interfaces is disabled. > +The kernel must have been compiled with the > +.Dv IP_NONLOCALBIND option, and the sysctl > +.Va net.inet.ip.nonlocalok > +should be set to 1. > +The option needs to be set on the socket before the > +.Xr bind 2 > +system call is used on it. > +.Bd -literal > +u_char spoofing = 1; /* 0 = disable (default), 1 = enable */ > + > +setsockopt(s, IPPROTO_IP, IP_NONLOCALOK, &spoofing, sizeof(spoofing)); > +ret = bind (...); > +.Ed > +.Pp > +This behaviour is not for general use and is > +included for use in servers that are implementing fully > +transparent proxies. Use of this option on general purpose > +systems is strongly discouraged. > +.Pp > .Dv IP_PORTRANGE > may be used to set the port range used for selecting a local port number > on a socket with an unspecified (zero) port number. Reinventing the wheel? Have a look at IPFIREWALL_FORWARD which supports transparent proxying as well. -- Andre
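Review bot: the new IP_NONLOCALOK paragraph inserted after the IP_RECVIF example leaves the security-relevant question unanswered: disabling the check that a bind address is assigned to a local interface lets the socket originate packets with source addresses the host does not own (the example variable is even named `spoofing`), yet the text never says who may set the option. Document whether setsockopt(IP_NONLOCALOK) requires privilege, so a reader can judge whether enabling net.inet.ip.nonlocalok hands arbitrary-source sending to every local user; the "strongly discouraged" warning is not a substitute for that statement. Three smaller points in the same block: `options is set` should read `option is set`; the line `.Dv IP_NONLOCALBIND option, and the sysctl` passes `option,` as an argument to `.Dv`, so it is typeset as part of the constant, and `option, and the sysctl` belongs on its own line; and `should be set to 1` reads as advice where the surrounding sentences state hard preconditions (kernel option, sysctl, setsockopt before bind(2)), so `must be set to 1` is presumably meant. Since the socket option, the kernel option and the sysctl are spelled three different ways (IP_NONLOCALOK, IP_NONLOCALBIND, nonlocalok), a word saying that IP_NONLOCALBIND is the kernel configuration option rather than a typo for the socket option would also help.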