Dear Damien,
On Tue, Jul 27, 2021 at 2:55 AM Damien Miller <djm at mindrot.org> wrote:
> On Mon, 26 Jul 2021, Dmitry Belyavskiy wrote:
>
> > The solution can be made more or less portable: BSD systems support
> > similar functionality, SO_BINDANY, which can make it more acceptable upstream.
> > FreeBSD supports different flag names with the same semantics in different
> > versions: IP_FREEBIND, IP_NONLOCALOK for older versions,
> > IP_BINDANY/IPV6_BINDANY. Using such options in FreeBSD and other BSD
> > systems may require extra privileges.
>
> I don't know whether IP_FREEBIND is exactly equivalent to SO_BINDANY.
>
> The getsockopt(2) manual page on OpenBSD discusses SO_BINDANY
> primarily in the context of transparent proxying and mentions that
> packet filter rules need to be configured to actually use it. It
> isn't clear whether it offers the same "prospective use" as what you
> want from IP_FREEBIND.
>
Quoting https://man.openbsd.org/getsockopt.2:

"SO_BINDANY allows the socket to be bound to addresses which are not local
to the machine, so it can be used to make a transparent proxy. Note that
this option is limited to the superuser."

It looks like it solves the problem under discussion, but has its
downsides.
>
> Couldn't you achieve the same result without modification to sshd
> by using the ip_nonlocal_bind flag in the Linux kernel?
>
Yes, it is a possible workaround, but this flag is a system-level one, so it
doesn't provide any granularity.
--
Dmitry Belyavskiy
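As an added illustration of the per-socket vs. system-wide distinction discussed in this thread (example code written for this page, not code from the thread or from OpenSSH), a small Linux C program that binds a UDP socket to an address the host does not own, once without and once with IP_FREEBIND. The address 192.0.2.1 is a constructed RFC 5737 TEST-NET value standing in for a not-yet-configured address, and the helper name try_bind is my own.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to addr:0. Returns 0 on success or the errno from
 * bind(2)/setsockopt(2). With freebind != 0, IP_FREEBIND is set on this
 * socket only, which is the per-socket granularity the sysctl
 * net.ipv4.ip_nonlocal_bind (host-wide) cannot give. On systems without
 * IP_FREEBIND the function reports ENOPROTOOPT instead of compiling it in. */
int try_bind(const char *addr, int freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    if (freebind) {
#ifdef IP_FREEBIND
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
            int e = errno;
            close(fd);
            return e;
        }
#else
        close(fd);
        return ENOPROTOOPT;
#endif
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;                       /* any port: we only test bind */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        return EINVAL;
    }
    int e = bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ? errno : 0;
    close(fd);
    return e;
}

int main(void)
{
    /* Without IP_FREEBIND the kernel refuses a non-local address
     * (EADDRNOTAVAIL); with it the bind succeeds on Linux. */
    printf("plain bind to 192.0.2.1:       %s\n", strerror(try_bind("192.0.2.1", 0)));
    printf("IP_FREEBIND bind to 192.0.2.1: %s\n", strerror(try_bind("192.0.2.1", 1)));
    return 0;
}
```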