- Rename IP_NONLOCALOK IP socket option to IP_BINDANY, to be more consistent

  with OpenBSD (and BSD/OS originally). We can't easly do it SOL_SOCKET option
  as there is no more space for more SOL_SOCKET options, but this option also
  fits better as an IP socket option, it seems.
- Implement this functionality also for IPv6 and RAW IP sockets.
- Always compile it in (don't use additional kernel options).
- Remove sysctl to turn this functionality on and off.
- Introduce new privilege - PRIV_NETINET_BINDANY, which allows to use this
  functionality (currently only unjail root can use it).

Discussed with:	julian, adrian, jhb, rwatson, kmacy

2 files changed, 0 insertions, 9 deletions

diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 4770064..2402802 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -639,14 +639,6 @@ options 	ALTQ_PRIQ	# Priority Queueing
 options 	ALTQ_NOPCC	# Required if the TSC is unusable
 options 	ALTQ_DEBUG
 
-# IP optional behaviour.
-# IP_NONLOCALBIND disables the check that bind() usually makes that the
-# address is one that is assigned to an interface on this machine.
-# It allows transparent proxies to pretend to be other machines.
-# How the packet GET to that machine is a problem solved elsewhere,
-# smart routers, ipfw fwd, etc.
-options 	IP_NONLOCALBIND		# Allow impersonation for proxies.
-
 # netgraph(4). Enable the base netgraph code with the NETGRAPH option.
 # Individual node types can be enabled with the corresponding option
 # listed below; however, this is not strictly necessary as netgraph
diff --git a/sys/conf/options b/sys/conf/options
index a668ea5..426d983 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -400,7 +400,6 @@ IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
 IPSEC			opt_ipsec.h
 IPSEC_DEBUG		opt_ipsec.h
-IP_NONLOCALBIND		opt_inet.h
 IPSEC_FILTERTUNNEL	opt_ipsec.h
 IPSTEALTH
 IPX