Date: Fri, 9 Jan 2009 19:08:59 +0100 From: Max Laier <max@love2party.net> To: Julian Elischer <julian@elischer.org> Cc: svn-src-head@freebsd.org, Adrian Chadd <adrian@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org Subject: Re: svn commit: r186955 - in head/sys: conf netinet Message-ID: <200901091909.00457.max@love2party.net> In-Reply-To: <49678D5E.3030600@elischer.org> References: <200901091602.n09G2Jj1061164@svn.freebsd.org> <200901091802.10287.max@love2party.net> <49678D5E.3030600@elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Friday 09 January 2009 18:46:06 Julian Elischer wrote: > Max Laier wrote: > > On Friday 09 January 2009 17:02:19 Adrian Chadd wrote: > >> Author: adrian > >> Date: Fri Jan 9 16:02:19 2009 > >> New Revision: 186955 > >> URL: http://svn.freebsd.org/changeset/base/186955 > >> > >> Log: > >> Implement a new IP option (not compiled/enabled by default) to allow > >> applications to specify a non-local IP address when bind()'ing a > >> socket to a local endpoint. > > > > That's a *socket* option ... you had me very worried there for a moment > > ;) I don't quite see why you'd hide these under a build time option - > > having the sysctl defaulting to off under CTLFLAG_SECURE seems good > > enough - if people disagree - make it a boot time tuneable, but I > > certainly don't see why you should have to rebuild the kernel for a minor > > thing like this. It certainly isn't performance critical. > > because it can be a big security hole and you do not want people to > have it available on the average machine. > Also because purists complained about it. > You'll notice that the compile option enables the sysctl, > which is used to turn on and off the capacity to do this per socket. > so the admin can disable it, but I felt a lot more comfortable having > it not compiled in by default. Speaking of disabling it ... setting the sysctl to 0 is not really enough to do that. One would also have to walk through the active sockets and GC any that are bound to nonlocal addresses to really disable it ... or do we rely on tcpdrop or the like to do that manually? Of course it would make sense to have something like this: start tproxy, bind forwarding ports, disable sysctl, raise securelevel In addition, should there be a priv(9) check in ip_ctloutput? -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200901091909.00457.max>