Implementing IP_FREEBIND in OpenSSH

Dmitry Belyavskiy dbelyavs at redhat.com
Tue Jul 27 17:47:57 AEST 2021


Dear Damien,

On Tue, Jul 27, 2021 at 2:55 AM Damien Miller <djm at mindrot.org> wrote:

> On Mon, 26 Jul 2021, Dmitry Belyavskiy wrote:
>
> > The solution can be made more or less portable: BSD systems support
> > similar functionality SO_BINDANY, which can make it more acceptable upstream.
> > FreeBSD support different flag names with the same semantics in different
> > versions: IP_FREEBIND, IP_NONLOCALOK for older versions,
> > IP_BINDANY/IPV6_BINDANY. Using such options in FreeBSD and other BSD
> > systems may require extra privileges.
>
> I don't know whether IP_FREEBIND is exactly equivalent to SO_BINDANY.
>
> The getsockopt(2) manual page on OpenBSD discusses SO_BINDANY
> primarily in the context of transparent proxying and mentions that
> packet filter rules need to be configured to actually use it. It
> isn't clear whether it offers the same "prospective use" as what you
> want from IP_FREEBIND.
>

Quoting https://man.openbsd.org/getsockopt.2

SO_BINDANY allows the socket to be bound to addresses which are not local
to the machine, so it can be used to make a transparent proxy. Note that
this option is limited to the superuser.

It looks like it solves the problem under discussion, but has its
downsides.


>
> Couldn't you achieve the same result without modification to sshd
> by using the ip_nonlocal_bind flag in the Linux kernel?
>

Yes, it is a possible workaround, but this flag is a system-level one, so it
doesn't provide any granularity.


-- 
Dmitry Belyavskiy
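The per-socket option under discussion, as an added example written for this page (not OpenSSH code and not from either author in the thread): one helper wraps Linux IP_FREEBIND, FreeBSD IP_BINDANY and OpenBSD SO_BINDANY, and a second binds a TCP socket to a constructed non-local TEST-NET-1 address so the EADDRNOTAVAIL failure without the option and the success with it can be observed. Assumed: IPv4 only, and 192.0.2.1 is not configured on the host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Enable binding to a non-local address with whichever option the platform
 * offers. Returns 0 on success, -errno on failure, -ENOSYS if none exists. */
static int set_bind_any(int fd)
{
    int one = 1;
#if defined(IP_FREEBIND)      /* Linux: per-socket, no privilege needed */
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
        return -errno;
#elif defined(IP_BINDANY)     /* FreeBSD: may require extra privilege */
    if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one) < 0)
        return -errno;
#elif defined(SO_BINDANY)     /* OpenBSD: socket level, superuser only */
    if (setsockopt(fd, SOL_SOCKET, SO_BINDANY, &one, sizeof one) < 0)
        return -errno;
#else
    (void)fd; (void)one;
    return -ENOSYS;
#endif
    return 0;
}
/* Bind a TCP socket (port 0 = any free port) to the constructed non-local
 * address 192.0.2.1 (TEST-NET-1). Returns 0 or -errno (EADDRNOTAVAIL when
 * the option is off and ip_nonlocal_bind is 0 on Linux). */
int try_bind_nonlocal(int bind_any)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind_any && (rc = set_bind_any(fd)) != 0) {
        close(fd);
        return rc;
    }
    inet_pton(AF_INET, "192.0.2.1", &sa.sin_addr);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ? -errno : 0;
    close(fd);
    return rc;
}
int main(void)
{
    printf("without option: %s\n", strerror(-try_bind_nonlocal(0)));
    printf("with option:    %s\n", strerror(-try_bind_nonlocal(1)));
}
```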

