--- sys/netinet/in.h
+++ sys/netinet/in.h
@@ -441,8 +441,7 @@
 #define IP_FAITH 22 /* bool; accept FAITH'ed connections */
 #define IP_ONESBCAST 23 /* bool: send all-ones broadcast */
-#define IP_NONLOCALOK 24 /* bool: allow bind to spoof non-local addresses;
- requires kernel compile option IP_NONLOCALBIND */
+#define IP_BINDANY 24 /* bool: allow bind to any address */
 #define IP_FW_TABLE_ADD 40 /* add entry */
 #define IP_FW_TABLE_DEL 41 /* delete entry */
--- sys/netinet/in_pcb.c
+++ sys/netinet/in_pcb.c
@@ -35,7 +35,6 @@
 __FBSDID("$FreeBSD: src/sys/netinet/in_pcb.c,v 1.243 2009/03/11 00:29:22 rwatson Exp $");
 #include "opt_ddb.h"
-#include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_inet6.h"
 #include "opt_mac.h"
@@ -353,14 +352,11 @@
 bzero(&sin->sin_zero, sizeof(sin->sin_zero));
 /*
 * Is the address a local IP address?
- * If INP_NONLOCALOK is set, then the socket may be bound
+ * If INP_BINDANY is set, then the socket may be bound
 * to any endpoint address, local or not.
 */
- if (
-#if defined(IP_NONLOCALBIND)
- ((inp->inp_flags & INP_NONLOCALOK) == 0) &&
-#endif
- (ifa_ifwithaddr((struct sockaddr *)sin) == 0))
+ if ((inp->inp_flags & INP_BINDANY) == 0 &&
+ ifa_ifwithaddr((struct sockaddr *)sin) == NULL)
 return (EADDRNOTAVAIL);
 }
 laddr = sin->sin_addr;
--- sys/netinet/in_pcb.h
+++ sys/netinet/in_pcb.h
@@ -404,8 +404,7 @@
 #define INP_FAITH 0x200 /* accept FAITH'ed connections */
 #define INP_RECVTTL 0x400 /* receive incoming IP TTL */
 #define INP_DONTFRAG 0x800 /* don't fragment packet */
-#define INP_NONLOCALOK 0x1000 /* Allow bind to spoof any address */
- /*
- requires options IP_NONLOCALBIND */
+#define INP_BINDANY 0x1000 /* allow bind to any address */
 #define INP_INHASHLIST 0x2000 /* in_pcbinshash() has been called */
 #define IN6P_IPV6_V6ONLY 0x008000 /* restrict AF_INET6 socket for v6 */
--- sys/netinet/ip_output.c
+++ sys/netinet/ip_output.c
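Review bot: The new comment on `IP_BINDANY` drops the one thing a reader of the header needs to know: that setting the option is privileged. The ip_output.c hunk in this commit gates it on `priv_check(sopt->sopt_td, PRIV_NETINET_BINDANY)`, so I would write `#define IP_BINDANY 24 /* bool: allow bind to any address (PRIV_NETINET_BINDANY) */`, and the same for `INP_BINDANY` in the in_pcb.h hunk. Value 24 is reused from `IP_NONLOCALOK`, so a program built against the old header that sets option 24 now reaches the privilege check instead of whatever the old kernel did without IP_NONLOCALBIND (presumably the default ENOPROTOOPT path); that looks intended, but a line in the commit description would save someone a bisect later.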
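Review bot: The rewritten condition in the in_pcb.c -353 hunk lets a socket with `INP_BINDANY` skip the `ifa_ifwithaddr()` lookup entirely, which is the intended semantics, but the comment above it should say where the flag comes from so a later reader does not take this for an unprivileged bypass of the local-address check: `* If INP_BINDANY is set (settable only via setsockopt after a PRIV_NETINET_BINDANY check), the socket may be bound`. The enclosing function starts and ends outside the hunk, so I cannot see how `laddr`, now possibly a non-local `sin->sin_addr`, is used afterwards; anything downstream that assumed a matching interface address exists is worth confirming for this path.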
@@ -33,7 +33,6 @@
 __FBSDID("$FreeBSD: src/sys/netinet/ip_output.c,v 1.300 2009/03/04 03:45:34 bms Exp $");
 #include "opt_ipfw.h"
-#include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_route.h"
 #include "opt_mac.h"
@@ -102,12 +101,6 @@
 &mbuf_frag_size, 0, "Fragment outgoing mbufs to this size");
 #endif
-#if defined(IP_NONLOCALBIND)
-static int ip_nonlocalok = 0;
-SYSCTL_INT(_net_inet_ip, OID_AUTO, nonlocalok,
- CTLFLAG_RW|CTLFLAG_SECURE, &ip_nonlocalok, 0, "");
-#endif
-
 static void ip_mloopback (struct ifnet *, struct mbuf *, struct sockaddr_in *, int);
@@ -895,14 +888,14 @@
 return (error);
 }
-#if defined(IP_NONLOCALBIND)
- case IP_NONLOCALOK:
- if (! ip_nonlocalok) {
- error = ENOPROTOOPT;
- break;
+ case IP_BINDANY:
+ if (sopt->sopt_td != NULL) {
+ error = priv_check(sopt->sopt_td,
+ PRIV_NETINET_BINDANY);
+ if (error)
+ break;
 }
 /* FALLTHROUGH */
-#endif
 case IP_TOS:
 case IP_TTL:
 case IP_MINTTL:
@@ -974,11 +967,9 @@
 case IP_DONTFRAG:
 OPTSET(INP_DONTFRAG);
 break;
-#if defined(IP_NONLOCALBIND)
- case IP_NONLOCALOK:
- OPTSET(INP_NONLOCALOK);
+ case IP_BINDANY:
+ OPTSET(INP_BINDANY);
 break;
-#endif
 }
 break;
 #undef OPTSET
--- sys/netinet/raw_ip.c
+++ sys/netinet/raw_ip.c
@@ -850,15 +850,16 @@
 if (error != 0)
 return (error);
+ inp = sotoinpcb(so);
+ KASSERT(inp != NULL, ("rip_bind: inp == NULL"));
+
 if (TAILQ_EMPTY(&V_ifnet) || (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) || (addr->sin_addr.s_addr &&
- ifa_ifwithaddr((struct sockaddr *)addr) == 0))
+ (inp->inp_flags & INP_BINDANY) == 0 &&
+ ifa_ifwithaddr((struct sockaddr *)addr) == NULL))
 return (EADDRNOTAVAIL);
- inp = sotoinpcb(so);
- KASSERT(inp != NULL, ("rip_bind: inp == NULL"));
-
 INP_INFO_WLOCK(&V_ripcbinfo);
 INP_WLOCK(inp);
 rip_delhash(inp);
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
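Review bot: In the ip_output.c -895 hunk the privilege check is skipped whenever `sopt->sopt_td == NULL`, and the ip6_output.c -1433 hunk has the same shape (`td != NULL`); if that is the convention for in-kernel callers it should be said at the branch, e.g. `/* sopt_td == NULL: in-kernel caller, no privilege check. */`, because an unexplained NULL guard around a priv_check reads like an oversight rather than a design. Together with the -102 hunk this removes the `net.inet.ip.nonlocalok` sysctl (CTLFLAG_SECURE), so there is no longer a system-wide switch that disables binding to non-local addresses and `PRIV_NETINET_BINDANY` becomes the only gate; that shift in administrative control deserves a sentence in the commit description. The IPv6 side also adds a getsockopt case returning `OPTBIT(INP_BINDANY)` (ip6_output.c -1892), while no matching `IP_BINDANY` getsockopt case appears in the ip_output.c hunks; if the IPv4 getsockopt switch does not already report it, the two families differ in what they tell userland. The enclosing setsockopt functions start and end outside these hunks.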
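Review bot: In the raw_ip.c hunk, moving `inp = sotoinpcb(so)` and its KASSERT above the address validation is required so `inp->inp_flags` can be consulted in the condition, but nothing says so, and a future cleanup could move it back below the check; a one-line comment prevents that: `/* inp is needed for the INP_BINDANY check below. */`. rip_bind's body starts and ends outside the hunk.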
@@ -472,6 +472,8 @@
 * the source address.
 */
+#define IPV6_BINDANY 64 /* bool: allow bind to any address */
+
 /*
 * The following option is private; do not use it from user applications.
 * It is deliberately defined to the same value as IP_MSFILTER.
--- sys/netinet6/in6_pcb.c
+++ sys/netinet6/in6_pcb.c
@@ -163,11 +163,13 @@
 if (so->so_options & SO_REUSEADDR)
 reuseport = SO_REUSEADDR|SO_REUSEPORT;
 } else if (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
- struct ifaddr *ia = NULL;
+ struct ifaddr *ia;
 sin6->sin6_port = 0; /* yech... */
- if ((ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == 0)
+ if ((ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == NULL &&
+ (inp->inp_flags & INP_BINDANY) == 0) {
 return (EADDRNOTAVAIL);
+ }
 /*
 * XXX: bind to an anycast address might accidentally
--- sys/netinet6/ip6_output.c
+++ sys/netinet6/ip6_output.c
@@ -1433,6 +1433,14 @@
 case IPV6_RECVTCLASS:
 case IPV6_V6ONLY:
 case IPV6_AUTOFLOWLABEL:
+ case IPV6_BINDANY:
+ if (optname == IPV6_BINDANY && td != NULL) {
+ error = priv_check(td,
+ PRIV_NETINET_BINDANY);
+ if (error)
+ break;
+ }
+
 if (optlen != sizeof(int)) {
 error = EINVAL;
 break;
@@ -1586,6 +1594,9 @@
 OPTSET(IN6P_AUTOFLOWLABEL);
 break;
+ case IPV6_BINDANY:
+ OPTSET(INP_BINDANY);
+ break;
 }
 break;
@@ -1892,6 +1903,10 @@
 case IPV6_AUTOFLOWLABEL:
 optval = OPTBIT(IN6P_AUTOFLOWLABEL);
 break;
+
+ case IPV6_BINDANY:
+ optval = OPTBIT(INP_BINDANY);
+ break;
 }
 if (error)
 break;
--- sys/sys/priv.h
+++ sys/sys/priv.h
@@ -372,6 +372,7 @@
 #define PRIV_NETINET_IPSEC 503 /* Administer IPSEC. */
 #define PRIV_NETINET_REUSEPORT 504 /* Allow [rapid] port/address reuse. */
 #define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
+#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
 /*
 * IPX/SPX privileges.
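Review bot: In the in6_pcb.c hunk, `ia` can now be NULL on the fall-through path (lookup failed but `INP_BINDANY` is set), whereas before this change the code past the `return (EADDRNOTAVAIL)` could rely on a non-NULL `ia`; every later use of `ia` in the enclosing function — including the anycast/deprecated-address handling the `XXX` comment introduces, which lies outside the hunk — must tolerate NULL, and that should be confirmed rather than assumed, since a missed dereference here is a kernel NULL pointer fault reachable from a privileged socket. Dropping the `= NULL` initializer is harmless because `ia` is assigned in the condition, but it removes the only hint that NULL is an expected state, so I would add `/* ia may be NULL here when INP_BINDANY is set. */` after the closing brace. Note also that the IPv4 hunk in in_pcb.c tests the flag first and skips `ifa_ifwithaddr()`, while this one always does the lookup; if that is deliberate (keeping `ia` for the later flags check when the address is local) a short comment would make the asymmetry intentional rather than accidental.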