| author | adrian <adrian@FreeBSD.org> | 2009-01-09 16:02:19 +0000 |
|---|---|---|
| committer | adrian <adrian@FreeBSD.org> | 2009-01-09 16:02:19 +0000 |
| commit | e2eee65f2168a3fcb7a12e27d463de4003f878c8 (patch) | |
| tree | 8c07cef62e1d76619aefbcb33f9d854e35d8a18b /sys/conf | |
| parent | 1a2c174bc92cc7dcd1bcd0abdc0aee5a57aeacb5 (diff) | |
| download | FreeBSD-src-e2eee65f2168a3fcb7a12e27d463de4003f878c8.zip FreeBSD-src-e2eee65f2168a3fcb7a12e27d463de4003f878c8.tar.gz | |
Implement a new IP option (not compiled/enabled by default) to allow
applications to specify a non-local IP address when bind()'ing a socket
to a local endpoint.

This allows applications to spoof the client IP address of connections
if (obviously!) they somehow are able to receive the traffic normally
destined to said clients.

This patch doesn't include any changes to ipfw or the bridging code to
redirect the client traffic through the PCB checks so TCP gets a shot
at it. The normal behaviour is that packets with a non-local destination
IP address are not handled locally. This can be dealt with by some IPFW hackery;
modifications to IPFW to make this less hacky will occur in subsequent
commits.

Thanks to Julian Elischer and others at Ironport. This work was approved
and donated before Cisco acquired them.

Obtained from: Julian Elischer and others
MFC after: 2 weeks
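The check that IP_NONLOCALBIND removes is visible from userland: on a stock kernel, bind() to an address that is not configured on any interface fails with EADDRNOTAVAIL. The probe below is an added example, not part of this commit or of the FreeBSD tree; it lets an administrator confirm from an unprivileged shell whether a host still enforces that check (useful when auditing proxy hosts where the option, or an equivalent knob on another OS, may have been enabled). The address 192.0.2.1 is a constructed sample from the RFC 5737 documentation range, chosen because no real host should own it; the function names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Try to bind a UDP socket to ip:port.  Returns 0 if the kernel accepted
 * the bind, otherwise the errno it produced.  Without IP_NONLOCALBIND (or
 * a comparable knob) the kernel refuses an address that is not assigned to
 * a local interface with EADDRNOTAVAIL; that refusal is what we look for. */
int probe_bind(const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    int fd, err;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return EINVAL;                  /* not a dotted-quad address */

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;                   /* probe itself could not run */
    err = 0;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;
    close(fd);
    return err;
}

/* Audit helper: 1 if this host lets a process claim an address it does not
 * own (the behaviour IP_NONLOCALBIND enables), 0 if the usual check is in
 * force, -1 if the probe could not be carried out at all. */
int nonlocal_bind_allowed(const char *nonlocal_ip)
{
    int err = probe_bind(nonlocal_ip, 0);   /* port 0: kernel picks one */
    if (err == 0)
        return 1;
    if (err == EADDRNOTAVAIL)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample: RFC 5737 documentation address, owned by nobody. */
    const char *sample = "192.0.2.1";
    int err = probe_bind(sample, 0);

    if (err == 0)
        printf("%s: bind accepted, non-local bind is permitted on this host\n", sample);
    else if (err == EADDRNOTAVAIL)
        printf("%s: bind refused (EADDRNOTAVAIL), default check in force\n", sample);
    else
        printf("%s: probe could not run: %s\n", sample, strerror(err));
    return 0;
}
```

Run it on a host before and after enabling the option (or its runtime equivalent) and the output flips from the EADDRNOTAVAIL line to the accepted line; a fleet-wide sweep with this probe is a cheap way to find proxy hosts where the relaxed check was left on after the proxy role ended.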
Diffstat (limited to 'sys/conf')

| -rw-r--r-- | sys/conf/NOTES | 8 |
|---|---|---|
| -rw-r--r-- | sys/conf/options | 1 |

2 files changed, 9 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 8f176b7..3b6eb19 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -633,6 +633,14 @@ options ALTQ_PRIQ # Priority Queueing options ALTQ_NOPCC # Required if the TSC is unusable options ALTQ_DEBUG +# IP optional behaviour. +# IP_NONLOCALBIND disables the check that bind() usually makes that the +# Address is one that is assigned to an interface on this machine. +# It allows transparent proxies to pretend to be other machines. +# How the packet GET to that machine is a problem solved elsewhere, +# smart routers, ipfw fwd, etc. +options IP_NONLOCALBIND #Allow impersonation for proxies. + # netgraph(4). Enable the base netgraph code with the NETGRAPH option. # Individual node types can be enabled with the corresponding option # listed below; however, this is not strictly necessary as netgraph diff --git a/sys/conf/options b/sys/conf/options index eae3ce3..34c1d63 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -392,6 +392,7 @@ IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPSEC opt_ipsec.h IPSEC_DEBUG opt_ipsec.h +IP_NONLOCALBIND opt_inet.h IPSEC_FILTERTUNNEL opt_ipsec.h IPSTEALTH IPX |
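Review bot: the new NOTES comment block for IP_NONLOCALBIND needs a wording pass before it lands: `# How the packet GET to that machine is a problem solved elsewhere,` should read `gets`, and `# Address is one that is assigned to an interface on this machine.` should not capitalise `Address` mid-sentence. More importantly, the comment describes what the option disables but not who may use it once it is compiled in; since the commit message itself calls the effect spoofing, a line such as `# Enable only on hosts that act as transparent proxies.` next to `options IP_NONLOCALBIND #Allow impersonation for proxies.` would make the risk explicit to anyone copying this entry from NOTES into a kernel config (and that trailing comment should get the same `# ` spacing as its neighbours).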
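Review bot: `+IP_NONLOCALBIND opt_inet.h` is inserted between `IPSEC_DEBUG opt_ipsec.h` and `IPSEC_FILTERTUNNEL opt_ipsec.h`, splitting the contiguous IPSEC_* group in sys/conf/options; move it after `IPSTEALTH` (or alongside the other opt_inet.h entries) so the grouping stays readable. Routing the option to opt_inet.h is the right choice, since only the INET sources that already include that header need to see it, but note that with this layout the behaviour is a compile-time-only switch: the commit message promises follow-up ipfw changes, and a runtime knob to turn the relaxed bind() check back off without a rebuild would belong in that follow-up.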