svn commit: r186955 - in head/sys: conf netinet
Julian Elischer
julian at elischer.org
Fri Jan 9 10:28:09 PST 2009
Max Laier wrote:
> On Friday 09 January 2009 18:46:06 Julian Elischer wrote:
>> Max Laier wrote:
>>> On Friday 09 January 2009 17:02:19 Adrian Chadd wrote:
>>>> Author: adrian
>>>> Date: Fri Jan 9 16:02:19 2009
>>>> New Revision: 186955
>>>> URL: http://svn.freebsd.org/changeset/base/186955
>>>>
>>>> Log:
>>>> Implement a new IP option (not compiled/enabled by default) to allow
>>>> applications to specify a non-local IP address when bind()'ing a
>>>> socket to a local endpoint.
>>> That's a *socket* option ... you had me very worried there for a moment
>>> ;) I don't quite see why you'd hide these under a build time option -
>>> having the sysctl defaulting to off under CTLFLAG_SECURE seems good
>>> enough - if people disagree - make it a boot time tuneable, but I
>>> certainly don't see why you should have to rebuild the kernel for a minor
>>> thing like this. It certainly isn't performance critical.
>> Because it can be a big security hole, and you do not want people to
>> have it available on the average machine.
>> Also because purists complained about it.
>> You'll notice that the compile option enables the sysctl,
>> which is used to turn on and off the capacity to do this per socket,
>> so the admin can disable it, but I felt a lot more comfortable having
>> it not compiled in by default.
>
> Speaking of disabling it ... setting the sysctl to 0 is not really enough to
> do that. One would also have to walk through the active sockets and GC any
> that are bound to nonlocal addresses to really disable it ... or do we rely on
> tcpdrop or the like to do that manually? Of course it would make sense to
> have something like this: start tproxy, bind forwarding ports, disable
> sysctl, raise securelevel
Exactly, we disable NEW connections. It's not done with securelevel,
but possibly because I didn't think of it...
I'm not worried about existing connections...
>
> In addition, should there be a priv(9) check in ip_ctloutput?
I was thinking about that...
Possibly (in fact, probably).
>