Index: sys/conf/NOTES
===================================================================
--- sys/conf/NOTES	(wersja 192959)
+++ sys/conf/NOTES	(kopia robocza)
@@ -639,14 +639,6 @@
 options 	ALTQ_NOPCC	# Required if the TSC is unusable
 options 	ALTQ_DEBUG
 
-# IP optional behaviour.
-# IP_NONLOCALBIND disables the check that bind() usually makes that the
-# address is one that is assigned to an interface on this machine.
-# It allows transparent proxies to pretend to be other machines.
-# How the packet GET to that machine is a problem solved elsewhere,
-# smart routers, ipfw fwd, etc.
-options 	IP_NONLOCALBIND		# Allow impersonation for proxies.
-
 # netgraph(4). Enable the base netgraph code with the NETGRAPH option.
 # Individual node types can be enabled with the corresponding option
 # listed below; however, this is not strictly necessary as netgraph
Index: sys/conf/options
===================================================================
--- sys/conf/options	(wersja 192959)
+++ sys/conf/options	(kopia robocza)
@@ -393,7 +393,6 @@
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPSEC			opt_ipsec.h
 IPSEC_DEBUG		opt_ipsec.h
-IP_NONLOCALBIND		opt_inet.h
 IPSEC_FILTERTUNNEL	opt_ipsec.h
 IPSTEALTH
 IPX
Index: sys/netinet/in.h
===================================================================
--- sys/netinet/in.h	(wersja 193202)
+++ sys/netinet/in.h	(kopia robocza)
@@ -441,8 +441,7 @@
 #define	IP_FAITH		22   /* bool; accept FAITH'ed connections */
 
 #define	IP_ONESBCAST		23   /* bool: send all-ones broadcast */
-#define	IP_NONLOCALOK		24   /* bool: allow bind to spoof non-local addresses;
-					requires kernel compile option IP_NONLOCALBIND */
+#define	IP_BINDANY		24   /* bool: allow bind to any address */
 
 #define	IP_FW_TABLE_ADD		40   /* add entry */
 #define	IP_FW_TABLE_DEL		41   /* delete entry */
Index: sys/netinet/raw_ip.c
===================================================================
--- sys/netinet/raw_ip.c	(wersja 193202)
+++ sys/netinet/raw_ip.c	(kopia robocza)
@@ -853,15 +853,16 @@
 	if (error != 0)
 		return (error);
 
+	inp = sotoinpcb(so);
+	KASSERT(inp != NULL, ("rip_bind: inp == NULL"));
+
 	if (TAILQ_EMPTY(&V_ifnet) ||
 	    (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) ||
 	    (addr->sin_addr.s_addr &&
-	     ifa_ifwithaddr((struct sockaddr *)addr) == 0))
+	     (inp->inp_flags & INP_BINDANY) == 0 &&
+	     ifa_ifwithaddr((struct sockaddr *)addr) == NULL))
 		return (EADDRNOTAVAIL);
 
-	inp = sotoinpcb(so);
-	KASSERT(inp != NULL, ("rip_bind: inp == NULL"));
-
 	INP_INFO_WLOCK(&V_ripcbinfo);
 	INP_WLOCK(inp);
 	rip_delhash(inp);
Index: sys/netinet/in_pcb.c
===================================================================
--- sys/netinet/in_pcb.c	(wersja 193202)
+++ sys/netinet/in_pcb.c	(kopia robocza)
@@ -35,7 +35,6 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_ddb.h"
-#include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_inet6.h"
 #include "opt_mac.h"
@@ -357,14 +356,11 @@
 			bzero(&sin->sin_zero, sizeof(sin->sin_zero));
 			/*
 			 * Is the address a local IP address? 
-			 * If INP_NONLOCALOK is set, then the socket may be bound
+			 * If INP_BINDANY is set, then the socket may be bound
 			 * to any endpoint address, local or not.
 			 */
-			if (
-#if defined(IP_NONLOCALBIND)
-			    ((inp->inp_flags & INP_NONLOCALOK) == 0) &&
-#endif
-			    (ifa_ifwithaddr((struct sockaddr *)sin) == 0))
+			if ((inp->inp_flags & INP_BINDANY) == 0 &&
+			    ifa_ifwithaddr((struct sockaddr *)sin) == NULL)
 				return (EADDRNOTAVAIL);
 		}
 		laddr = sin->sin_addr;
Index: sys/netinet/in_pcb.h
===================================================================
--- sys/netinet/in_pcb.h	(wersja 193202)
+++ sys/netinet/in_pcb.h	(kopia robocza)
@@ -410,8 +410,7 @@
 #define	INP_FAITH		0x00000200 /* accept FAITH'ed connections */
 #define	INP_RECVTTL		0x00000400 /* receive incoming IP TTL */
 #define	INP_DONTFRAG		0x00000800 /* don't fragment packet */
-#define	INP_NONLOCALOK		0x00001000 /* Allow bind to spoof any address */
-					/* - requires options IP_NONLOCALBIND */
+#define	INP_BINDANY		0x00001000 /* allow bind to any address */
 #define	INP_INHASHLIST		0x00002000 /* in_pcbinshash() has been called */
 #define	IN6P_IPV6_V6ONLY	0x00008000 /* restrict AF_INET6 socket for v6 */
 #define	IN6P_PKTINFO		0x00010000 /* receive IP6 dst and I/F */
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c	(wersja 193202)
+++ sys/netinet/ip_output.c	(kopia robocza)
@@ -33,7 +33,6 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_ipfw.h"
-#include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_route.h"
 #include "opt_mac.h"
@@ -103,12 +102,6 @@
 	&mbuf_frag_size, 0, "Fragment outgoing mbufs to this size");
 #endif
 
-#if defined(IP_NONLOCALBIND)
-static int ip_nonlocalok = 0;
-SYSCTL_INT(_net_inet_ip, OID_AUTO, nonlocalok,
-	CTLFLAG_RW|CTLFLAG_SECURE, &ip_nonlocalok, 0, "");
-#endif
-
 static void	ip_mloopback
 	(struct ifnet *, struct mbuf *, struct sockaddr_in *, int);
 
@@ -931,14 +924,14 @@
 			return (error);
 		}
 
-#if defined(IP_NONLOCALBIND)
-		case IP_NONLOCALOK:
-			if (! ip_nonlocalok) {
-				error = ENOPROTOOPT;
-				break;
+		case IP_BINDANY:
+			if (sopt->sopt_td != NULL) {
+				error = priv_check(sopt->sopt_td,
+				    PRIV_NETINET_BINDANY);
+				if (error)
+					break;
 			}
 			/* FALLTHROUGH */
-#endif
 		case IP_TOS:
 		case IP_TTL:
 		case IP_MINTTL:
@@ -1010,11 +1003,9 @@
 			case IP_DONTFRAG:
 				OPTSET(INP_DONTFRAG);
 				break;
-#if defined(IP_NONLOCALBIND)
-			case IP_NONLOCALOK:
-				OPTSET(INP_NONLOCALOK);
+			case IP_BINDANY:
+				OPTSET(INP_BINDANY);
 				break;
-#endif
 			}
 			break;
 #undef OPTSET
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c	(wersja 193202)
+++ sys/netinet6/ip6_output.c	(kopia robocza)
@@ -1405,6 +1405,14 @@
 			case IPV6_RECVTCLASS:
 			case IPV6_V6ONLY:
 			case IPV6_AUTOFLOWLABEL:
+			case IPV6_BINDANY:
+				if (optname == IPV6_BINDANY && td != NULL) {
+					error = priv_check(td,
+					    PRIV_NETINET_BINDANY);
+					if (error)
+						break;
+				}
+
 				if (optlen != sizeof(int)) {
 					error = EINVAL;
 					break;
@@ -1558,6 +1566,9 @@
 					OPTSET(IN6P_AUTOFLOWLABEL);
 					break;
 
+				case IPV6_BINDANY:
+					OPTSET(INP_BINDANY);
+					break;
 				}
 				break;
 
@@ -1831,6 +1842,10 @@
 				case IPV6_AUTOFLOWLABEL:
 					optval = OPTBIT(IN6P_AUTOFLOWLABEL);
 					break;
+
+				case IPV6_BINDANY:
+					optval = OPTBIT(INP_BINDANY);
+					break;
 				}
 				if (error)
 					break;
Index: sys/netinet6/in6.h
===================================================================
--- sys/netinet6/in6.h	(wersja 193202)
+++ sys/netinet6/in6.h	(kopia robocza)
@@ -477,6 +477,8 @@
 				    * the source address.
 				    */
 
+#define	IPV6_BINDANY		64 /* bool: allow bind to any address */
+
 /*
  * The following option is private; do not use it from user applications.
  * It is deliberately defined to the same value as IP_MSFILTER.
Index: sys/netinet6/in6_pcb.c
===================================================================
--- sys/netinet6/in6_pcb.c	(wersja 193202)
+++ sys/netinet6/in6_pcb.c	(kopia robocza)
@@ -163,11 +163,13 @@
 			if (so->so_options & SO_REUSEADDR)
 				reuseport = SO_REUSEADDR|SO_REUSEPORT;
 		} else if (!IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
-			struct ifaddr *ia = NULL;
+			struct ifaddr *ia;
 
 			sin6->sin6_port = 0;		/* yech... */
-			if ((ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == 0)
+			if ((ia = ifa_ifwithaddr((struct sockaddr *)sin6)) == NULL &&
+			    (inp->inp_flags & INP_BINDANY) == 0) {
 				return (EADDRNOTAVAIL);
+			}
 
 			/*
 			 * XXX: bind to an anycast address might accidentally
Index: sys/sys/priv.h
===================================================================
--- sys/sys/priv.h	(wersja 192959)
+++ sys/sys/priv.h	(kopia robocza)
@@ -374,6 +374,7 @@
 #define	PRIV_NETINET_IPSEC	503	/* Administer IPSEC. */
 #define	PRIV_NETINET_REUSEPORT	504	/* Allow [rapid] port/address reuse. */
 #define	PRIV_NETINET_SETHDROPTS	505	/* Set certain IPv4/6 header options. */
+#define	PRIV_NETINET_BINDANY	506	/* Allow bind to any address. */
 
 /*
  * IPX/SPX privileges.
Index: share/man/man4/ip.4
===================================================================
--- share/man/man4/ip.4	(wersja 192959)
+++ share/man/man4/ip.4	(kopia robocza)
@@ -243,6 +243,23 @@
 .Dv IP_ONESBCAST option has no effect.
 .Pp
 If the
+.Dv IP_BINDANY
+option is enabled on a
+.Dv SOCK_STREAM ,
+.Dv SOCK_DGRAM
+or a
+.Dv SOCK_RAW
+socket, one can
+.Xr bind 2
+to any address, even one not bound to any available network interface in the
+system.
+This functionality (in conjunction with special firewall rules) can be used for
+transparent proxy implementation.
+The
+.Dv PRIV_NETINET_BINDANY
+privilege is needed to set this option.
+.Pp
+If the
 .Dv IP_RECVTTL
 option is enabled on a
 .Dv SOCK_DGRAM