Implementing IP_FREEBIND in OpenSSH

Damien Miller djm at mindrot.org
Tue Jul 27 10:53:45 AEST 2021


On Mon, 26 Jul 2021, Dmitry Belyavskiy wrote:

> The solution can be made more or less portable: BSD systems support similar
> functionality SO_BINDANY, which can make it more acceptable upstream.
> FreeBSD supports different flag names with the same semantics in different
> versions: IP_FREEBIND, IP_NONLOCALOK for older versions,
> IP_BINDANY/IPV6_BINDANY. Using such options in FreeBSD and other BSD
> systems may require extra privileges.

I don't know whether IP_FREEBIND is exactly equivalent to SO_BINDANY.

The getsockopt(2) manual page on OpenBSD discusses SO_BINDANY
primarily in the context of transparent proxying and mentions that
packet filter rules need to be configured to actually use it. It
isn't clear whether it offers the same "prospective use" as what you
want from IP_FREEBIND.

Couldn't you achieve the same result without modification to sshd
by using the ip_nonlocal_bind flag in the Linux kernel?

-d
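To make the portability question in this thread concrete, here is an added example (not OpenSSH code and not part of the original message) that selects whichever "bind to a non-local address" option the platform exposes and then tries to bind to 192.0.2.1, a TEST-NET address chosen here because no real host should have it configured. The option names, levels and privilege notes in the comments are assumptions drawn from the respective platforms' headers and manual pages; the helper names `bindany_name` and `try_bind` are invented for the example.

```c
/* Added example, not OpenSSH code: bind a socket to an address that is not
 * configured on any local interface, using the platform's "bind any" option.
 * Sample input: 192.0.2.1 (TEST-NET-1), constructed so the plain bind fails. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pick the option at compile time (assumption: these are the names the
 * respective headers export). Linux: IP_FREEBIND, usable unprivileged.
 * FreeBSD: IP_BINDANY (needs root or the matching jail privilege), with
 * IP_NONLOCALOK on older releases. OpenBSD: SO_BINDANY at SOL_SOCKET (root). */
static const char *bindany_name(int *level, int *opt)
{
#if defined(IP_FREEBIND)
    *level = IPPROTO_IP;  *opt = IP_FREEBIND;   return "IP_FREEBIND";
#elif defined(IP_BINDANY)
    *level = IPPROTO_IP;  *opt = IP_BINDANY;    return "IP_BINDANY";
#elif defined(IP_NONLOCALOK)
    *level = IPPROTO_IP;  *opt = IP_NONLOCALOK; return "IP_NONLOCALOK";
#elif defined(SO_BINDANY)
    *level = SOL_SOCKET;  *opt = SO_BINDANY;    return "SO_BINDANY";
#else
    *level = -1;          *opt = -1;            return NULL;
#endif
}

/* Bind an IPv4 TCP socket to ip:0 (ephemeral port, so no privileged port
 * is involved). Returns 0 on success, -1 with errno set on failure. */
int try_bind(const char *ip, int want_bindany)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    if (want_bindany) {
        int level, opt, one = 1;
        if (bindany_name(&level, &opt) == NULL) {
            close(fd);
            errno = ENOTSUP;          /* platform has no such option */
            return -1;
        }
        if (setsockopt(fd, level, opt, &one, sizeof(one)) < 0) {
            int e = errno;            /* e.g. EPERM on BSDs without privilege */
            close(fd);
            errno = e;
            return -1;
        }
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }

    int rc = bind(fd, (struct sockaddr *)&sin, sizeof(sin));
    int e = errno;
    close(fd);
    errno = e;
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    int level, opt;
    const char *name = bindany_name(&level, &opt);
    printf("platform option: %s\n", name ? name : "(none)");

    /* Without the option, binding to an address we do not own fails with
     * EADDRNOTAVAIL on every platform. */
    if (try_bind("192.0.2.1", 0) < 0)
        printf("plain bind to 192.0.2.1: %s\n", strerror(errno));

    /* With the option, Linux accepts the bind; the BSDs require privilege
     * and, on OpenBSD, packet filter rules for traffic to actually arrive. */
    if (try_bind("192.0.2.1", 1) == 0)
        printf("bind with %s: ok\n", name);
    else
        printf("bind with %s: %s\n", name ? name : "(none)", strerror(errno));
    return 0;
}
```

On Linux the same effect can be had for every process without touching the program, by setting `net.ipv4.ip_nonlocal_bind=1` (and `net.ipv6.ip_nonlocal_bind` for IPv6) with sysctl, which is the alternative raised above; the per-socket option is narrower in scope and does not need root.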

