Index: conf/NOTES =================================================================== --- conf/NOTES (wersja 192595) +++ conf/NOTES (kopia robocza) @@ -638,14 +638,6 @@ options ALTQ_NOPCC # Required if the TSC is unusable options ALTQ_DEBUG -# IP optional behaviour. -# IP_NONLOCALBIND disables the check that bind() usually makes that the -# address is one that is assigned to an interface on this machine. -# It allows transparent proxies to pretend to be other machines. -# How the packet GET to that machine is a problem solved elsewhere, -# smart routers, ipfw fwd, etc. -options IP_NONLOCALBIND # Allow impersonation for proxies. - # netgraph(4). Enable the base netgraph code with the NETGRAPH option. # Individual node types can be enabled with the corresponding option # listed below; however, this is not strictly necessary as netgraph Index: conf/options =================================================================== --- conf/options (wersja 192595) +++ conf/options (kopia robocza) @@ -393,7 +393,6 @@ IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h -IP_NONLOCALBIND opt_inet.h IPSEC_FILTERTUNNEL opt_ipsec.h IPSTEALTH IPX Index: kern/uipc_socket.c =================================================================== --- kern/uipc_socket.c (wersja 192595) +++ kern/uipc_socket.c (kopia robocza) @@ -118,6 +118,7 @@ #include #include #include +#include #include #include #include @@ -2211,6 +2212,11 @@ SOCK_UNLOCK(so); break; + case SO_BINDANY: + error = priv_check(curthread, PRIV_NETINET_BINDANY); + if (error) + goto bad; + /* FALLTHROUGH */ case SO_DEBUG: case SO_KEEPALIVE: case SO_DONTROUTE: @@ -2437,6 +2443,7 @@ error = sooptcopyout(sopt, &l, sizeof l); break; + case SO_BINDANY: case SO_USELOOPBACK: case SO_DONTROUTE: case SO_DEBUG: Index: kern/uipc_debug.c =================================================================== --- kern/uipc_debug.c (wersja 192802) +++ kern/uipc_debug.c (kopia robocza) 
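Review bot: The new `SO_BINDANY` case in sosetopt swaps two gates for one: the removed `IP_NONLOCALOK` path needed a kernel built with `IP_NONLOCALBIND` plus an administrator enabling `net.inet.ip.nonlocalok` (CTLFLAG_SECURE, default 0) but then let any unprivileged process use it, whereas the new code needs no opt-in at all and relies solely on `priv_check(curthread, PRIV_NETINET_BINDANY)`, which every root process holds by default. That trade should be stated in the commit message and in a comment above the case, e.g. `/* Non-local binds are gated only by PRIV_NETINET_BINDANY; there is no sysctl kill switch any more. */`. Because the check runs before the option value is copied in, it also applies to clearing the flag, so a less privileged holder of an inherited socket cannot turn SO_BINDANY off; acceptable, but say so in that comment. The patch adds `PRIV_NETINET_BINDANY` to sys/priv.h without any change to prison_priv_check() in kern_jail.c, so what jailed root gets depends on that function's default handling of unlisted privileges, which is not visible here and should be confirmed. The enclosing sosetopt switch starts and ends outside the hunk.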
@@ -144,6 +144,10 @@ db_printf("%sSO_NO_DDP", comma ? ", " : ""); comma = 1; } + if (so_options & SO_BINDANY) { + db_printf("%sSO_BINDANY", comma ? ", " : ""); + comma = 1; + } } static void Index: netinet/in.h =================================================================== --- netinet/in.h (wersja 192595) +++ netinet/in.h (kopia robocza) @@ -441,8 +441,6 @@ #define IP_FAITH 22 /* bool; accept FAITH'ed connections */ #define IP_ONESBCAST 23 /* bool: send all-ones broadcast */ -#define IP_NONLOCALOK 24 /* bool: allow bind to spoof non-local addresses; - requires kernel compile option IP_NONLOCALBIND */ #define IP_FW_TABLE_ADD 40 /* add entry */ #define IP_FW_TABLE_DEL 41 /* delete entry */ Index: netinet/raw_ip.c =================================================================== --- netinet/raw_ip.c (wersja 192595) +++ netinet/raw_ip.c (kopia robocza) @@ -856,7 +856,8 @@ if (TAILQ_EMPTY(&V_ifnet) || (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) || (addr->sin_addr.s_addr && - ifa_ifwithaddr((struct sockaddr *)addr) == 0)) + (so->so_options & SO_BINDANY) == 0 && + ifa_ifwithaddr((struct sockaddr *)addr) == NULL)) return (EADDRNOTAVAIL); inp = sotoinpcb(so); Index: netinet/in_pcb.c =================================================================== --- netinet/in_pcb.c (wersja 192595) +++ netinet/in_pcb.c (kopia robocza) @@ -35,7 +35,6 @@ __FBSDID("$FreeBSD$"); #include "opt_ddb.h" -#include "opt_inet.h" #include "opt_ipsec.h" #include "opt_inet6.h" #include "opt_mac.h" 
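Review bot: With `SO_BINDANY` set, the rewritten test in rip_bind accepts any non-zero `sin_addr`, including multicast (224/4), because `ifa_ifwithaddr()` is no longer consulted at all, while the old check only admitted configured interface addresses and their broadcast addresses. If the goal is to let a proxy impersonate other hosts rather than to allow arbitrary source addresses on a raw socket without IP_HDRINCL, keep rejecting multicast even for privileged binds: `(addr->sin_addr.s_addr && (IN_MULTICAST(ntohl(addr->sin_addr.s_addr)) || ((so->so_options & SO_BINDANY) == 0 && ifa_ifwithaddr((struct sockaddr *)addr) == NULL)))`, which is behaviour-preserving when the option is clear. A one-line comment on the condition, `/* SO_BINDANY (set under PRIV_NETINET_BINDANY in sosetopt) skips the local-address check. */`, would also help because the privilege check is not in this file. The rest of rip_bind lies outside the hunk.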
@@ -357,14 +356,11 @@ bzero(&sin->sin_zero, sizeof(sin->sin_zero)); /* * Is the address a local IP address? - * If INP_NONLOCALOK is set, then the socket may be bound + * If SO_BINDANY is set, then the socket may be bound * to any endpoint address, local or not. */ - if ( -#if defined(IP_NONLOCALBIND) - ((inp->inp_flags & INP_NONLOCALOK) == 0) && -#endif - (ifa_ifwithaddr((struct sockaddr *)sin) == 0)) + if ((so->so_options & SO_BINDANY) == 0 && + ifa_ifwithaddr((struct sockaddr *)sin) == 0) return (EADDRNOTAVAIL); } laddr = sin->sin_addr; Index: netinet/in_pcb.h =================================================================== --- netinet/in_pcb.h (wersja 192595) +++ netinet/in_pcb.h (kopia robocza) @@ -410,8 +410,6 @@ #define INP_FAITH 0x00000200 /* accept FAITH'ed connections */ #define INP_RECVTTL 0x00000400 /* receive incoming IP TTL */ #define INP_DONTFRAG 0x00000800 /* don't fragment packet */ -#define INP_NONLOCALOK 0x00001000 /* Allow bind to spoof any address */ - /* - requires options IP_NONLOCALBIND */ #define INP_INHASHLIST 0x00002000 /* in_pcbinshash() has been called */ #define IN6P_IPV6_V6ONLY 0x00008000 /* restrict AF_INET6 socket for v6 */ #define IN6P_PKTINFO 0x00010000 /* receive IP6 dst and I/F */ Index: netinet/ip_output.c =================================================================== --- netinet/ip_output.c (wersja 192595) +++ netinet/ip_output.c (kopia robocza) @@ -33,7 +33,6 @@ __FBSDID("$FreeBSD$"); #include "opt_ipfw.h" -#include "opt_inet.h" #include "opt_ipsec.h" #include "opt_route.h" #include "opt_mac.h" @@ -103,12 +102,6 @@ &mbuf_frag_size, 0, "Fragment outgoing mbufs to this size"); #endif -#if defined(IP_NONLOCALBIND) -static int ip_nonlocalok = 0; -SYSCTL_INT(_net_inet_ip, OID_AUTO, nonlocalok, - CTLFLAG_RW|CTLFLAG_SECURE, &ip_nonlocalok, 0, ""); -#endif - static void ip_mloopback (struct ifnet *, struct mbuf *, struct sockaddr_in *, int); 
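Review bot: The new condition in in_pcbbind_setup compares `ifa_ifwithaddr()` against `0` while the parallel change to rip_bind in this same patch switched to `== NULL`; write `ifa_ifwithaddr((struct sockaddr *)sin) == NULL` here as well so the two bind paths read alike. The rewritten comment could also tell the reader where the privilege is enforced, since nothing in this function shows it: `* Setting SO_BINDANY requires PRIV_NETINET_BINDANY (checked in sosetopt).`. The hunk assumes a `struct socket *so` local is already in scope in in_pcbbind_setup; it is not visible here, and the function starts and ends outside the hunk.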
@@ -931,14 +924,6 @@ return (error); } -#if defined(IP_NONLOCALBIND) - case IP_NONLOCALOK: - if (! ip_nonlocalok) { - error = ENOPROTOOPT; - break; - } - /* FALLTHROUGH */ -#endif case IP_TOS: case IP_TTL: case IP_MINTTL: @@ -1010,11 +995,6 @@ case IP_DONTFRAG: OPTSET(INP_DONTFRAG); break; -#if defined(IP_NONLOCALBIND) - case IP_NONLOCALOK: - OPTSET(INP_NONLOCALOK); - break; -#endif } break; #undef OPTSET Index: netinet6/in6_pcb.c =================================================================== --- netinet6/in6_pcb.c (wersja 192595) +++ netinet6/in6_pcb.c (kopia robocza) @@ -166,8 +166,10 @@ struct ifaddr *ia = NULL; sin6->sin6_port = 0; /* yech... */ - if ((ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == 0) + if ((so->so_options & SO_BINDANY) == 0 && + (ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == NULL) { return (EADDRNOTAVAIL); + } /* * XXX: bind to an anycast address might accidentally Index: sys/priv.h =================================================================== --- sys/priv.h (wersja 192595) +++ sys/priv.h (kopia robocza) @@ -374,6 +374,7 @@ #define PRIV_NETINET_IPSEC 503 /* Administer IPSEC. */ #define PRIV_NETINET_REUSEPORT 504 /* Allow [rapid] port/address reuse. */ #define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */ +#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */ /* * IPX/SPX privileges. Index: sys/socket.h =================================================================== --- sys/socket.h (wersja 192595) +++ sys/socket.h (kopia robocza) 
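Review bot: In the in6_pcb.c hunk, when `SO_BINDANY` is set the short-circuit leaves `ia` at its initial NULL, so the code after the hunk that inspects `ia` — the anycast/deprecated-address check announced by the `XXX: bind to an anycast address` comment — must now tolerate `ia == NULL`; if it reads `ia6_flags` through `ia` unconditionally this becomes a NULL dereference reachable by a privileged process, and it needs an `ia != NULL &&` guard in front. The hunk ends before that check, so whether it already guards cannot be confirmed from here. The braces added around the single `return (EADDRNOTAVAIL);` are a harmless style change but diverge from the surrounding single-statement style. in6_pcbbind's body continues outside the hunk.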
@@ -100,26 +100,27 @@
 /*
  * Option flags per-socket.
  */
-#define SO_DEBUG 0x0001 /* turn on debugging info recording */
-#define SO_ACCEPTCONN 0x0002 /* socket has had listen() */
-#define SO_REUSEADDR 0x0004 /* allow local address reuse */
-#define SO_KEEPALIVE 0x0008 /* keep connections alive */
-#define SO_DONTROUTE 0x0010 /* just use interface addresses */
-#define SO_BROADCAST 0x0020 /* permit sending of broadcast msgs */
+#define SO_DEBUG 0x00000001 /* turn on debugging info recording */
+#define SO_ACCEPTCONN 0x00000002 /* socket has had listen() */
+#define SO_REUSEADDR 0x00000004 /* allow local address reuse */
+#define SO_KEEPALIVE 0x00000008 /* keep connections alive */
+#define SO_DONTROUTE 0x00000010 /* just use interface addresses */
+#define SO_BROADCAST 0x00000020 /* permit sending of broadcast msgs */
 #if __BSD_VISIBLE
-#define SO_USELOOPBACK 0x0040 /* bypass hardware when possible */
+#define SO_USELOOPBACK 0x00000040 /* bypass hardware when possible */
 #endif
-#define SO_LINGER 0x0080 /* linger on close if data present */
-#define SO_OOBINLINE 0x0100 /* leave received OOB data in line */
+#define SO_LINGER 0x00000080 /* linger on close if data present */
+#define SO_OOBINLINE 0x00000100 /* leave received OOB data in line */
 #if __BSD_VISIBLE
-#define SO_REUSEPORT 0x0200 /* allow local address & port reuse */
-#define SO_TIMESTAMP 0x0400 /* timestamp received dgram traffic */
-#define SO_NOSIGPIPE 0x0800 /* no SIGPIPE from EPIPE */
-#define SO_ACCEPTFILTER 0x1000 /* there is an accept filter */
-#define SO_BINTIME 0x2000 /* timestamp received dgram traffic */
+#define SO_REUSEPORT 0x00000200 /* allow local address & port reuse */
+#define SO_TIMESTAMP 0x00000400 /* timestamp received dgram traffic */
+#define SO_NOSIGPIPE 0x00000800 /* no SIGPIPE from EPIPE */
+#define SO_ACCEPTFILTER 0x00001000 /* there is an accept filter */
+#define SO_BINTIME 0x00002000 /* timestamp received dgram traffic */
 #endif
-#define SO_NO_OFFLOAD 0x4000 /* socket cannot be offloaded */
-#define SO_NO_DDP 0x8000 /* disable direct data placement */
+#define SO_NO_OFFLOAD 0x00004000 /* socket cannot be offloaded */
+#define SO_NO_DDP 0x00008000 /* disable direct data placement */
+#define SO_BINDANY 0x00010000 /* allow bind to any address */
 
 /*
  * Additional options, not kept in so_options.
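Review bot: `SO_BINDANY 0x00010000` is the first so_options flag that does not fit in 16 bits, and although every other SO_* constant is widened to eight hex digits here, no hunk touches the `so_options` field of `struct socket` in sys/socketvar.h. If that field is still declared `short`, the `so->so_options |= sopt->sopt_name` store that the FALLTHROUGH in sosetopt reaches truncates the flag to zero, so the relaxed checks in in_pcb.c, raw_ip.c and in6_pcb.c never trigger, getsockopt reports the option as unset, and the uipc_debug.c printer never shows it — a silent no-op rather than a crash, but the feature would not exist. Widen the field to a 32-bit type in the same commit (and grep for other code copying `so_options` into a `short`) or note in the commit message that this was already done. Separately, `SO_BINDANY` is a FreeBSD-specific option and would conventionally sit inside an `#if __BSD_VISIBLE` block like SO_REUSEPORT rather than in the unconditional section.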