linux,ssh: set IP_BIND_ADDRESS_NO_PORT on connected socket
If binding to a local address (ssh -b ...) the source port is taken
at bind() time when the kernel does not know if the socket
will be connect()ed or listen()ed on. It also does not
know the destination host or port so it has to reserve the port
until the socket is closed, effectively limiting the number
of useful source ports to ~32k, a very small number in the modern era.

Set IP_BIND_ADDRESS_NO_PORT, which delays source port allocation
to connect() time allowing a few million connections out from the
same -b address.
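The behaviour the commit message describes can be observed directly: read the local port back with getsockname() once after bind() and once after connect(). The program below is an added example, not code from OpenSSH or from this commit. It assumes Linux with glibc or musl, where IP_BIND_ADDRESS_NO_PORT is declared in <netinet/in.h>; it uses IPPROTO_IP (the portable name for the Linux SOL_IP level used in the patch), binds to 127.0.0.1 with port 0 in the way -b does, and stands up a throwaway loopback listener as the connect() peer. The functions no_port_supported(), bound_port() and connected_port() are the example's own names.

```c
/* Added example, not OpenSSH code: read the local port back with
 * getsockname() after bind() and after connect() to see what
 * IP_BIND_ADDRESS_NO_PORT changes. Assumes Linux (option declared in
 * <netinet/in.h>); elsewhere no_port_supported() is 0 and nothing is set.
 * Build: cc -std=c99 -Wall -o noport noport.c */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int no_port_supported(void)
{
#ifdef IP_BIND_ADDRESS_NO_PORT
	return 1;
#else
	return 0;
#endif
}

/* TCP socket bound to 127.0.0.1:0 (kernel picks the port, as with ssh -b),
 * optionally with IP_BIND_ADDRESS_NO_PORT set before bind(). fd or -1. */
static int make_bound_socket(int use_no_port)
{
	struct sockaddr_in sa;
	int sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == -1)
		return -1;
#ifdef IP_BIND_ADDRESS_NO_PORT
	/* IPPROTO_IP is the portable name for what the patch calls SOL_IP. */
	if (use_no_port && setsockopt(sock, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT,
	    &(int){1}, sizeof(int)) == -1)
		goto fail;
#endif
	memset(&sa, 0, sizeof(sa));
	sa.sin_family = AF_INET;
	sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) == -1)
		goto fail;
	return sock;
fail:
	close(sock);
	return -1;
}

/* Local port in host byte order, or -1. */
static int local_port(int sock)
{
	struct sockaddr_in sa;
	socklen_t len = sizeof(sa);
	if (getsockname(sock, (struct sockaddr *)&sa, &len) == -1)
		return -1;
	return ntohs(sa.sin_port);
}

/* Port held after bind() alone: nonzero without the option, 0 with it
 * because no port has been allocated yet. */
int bound_port(int use_no_port)
{
	int sock = make_bound_socket(use_no_port), port;
	if (sock == -1)
		return -1;
	port = local_port(sock);
	close(sock);
	return port;
}

/* Port after connect() to a throwaway loopback listener; with the option
 * this is where the port is finally chosen. */
int connected_port(int use_no_port)
{
	struct sockaddr_in la;
	socklen_t len = sizeof(la);
	int lsock = socket(AF_INET, SOCK_STREAM, 0), csock = -1, port = -1;
	if (lsock == -1)
		return -1;
	memset(&la, 0, sizeof(la));
	la.sin_family = AF_INET;
	la.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (bind(lsock, (struct sockaddr *)&la, sizeof(la)) == -1 ||
	    listen(lsock, 1) == -1 ||
	    getsockname(lsock, (struct sockaddr *)&la, &len) == -1)
		goto out;
	csock = make_bound_socket(use_no_port);
	if (csock != -1 && connect(csock, (struct sockaddr *)&la, len) == 0)
		port = local_port(csock);
out:
	if (csock != -1)
		close(csock);
	close(lsock);
	return port;
}

int main(void)
{
	printf("supported %d; after bind: no option %d, option %d; after connect %d\n",
	    no_port_supported(), bound_port(0), bound_port(1), connected_port(1));
	return 0;
}
```

On a Linux host the "option" column after bind() reads 0 while the no-option column shows an ephemeral port that is already held, which is exactly the reservation the commit removes; after connect() both paths show a real port. If bound_port(1) comes back nonzero on a kernel that declares the option, the setsockopt was silently ignored and the old limit still applies, which is the check to run before relying on the change for a high-connection-rate -b deployment.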
crrodriguez committed Dec 6, 2024
1 parent 6b9cd09 commit 93ab609
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions sshconnect.c
@@ -415,6 +415,9 @@ ssh_create_socket(struct addrinfo *ai)
error_f("getnameinfo failed: %s", ssh_gai_strerror(r));
goto fail;
}
#ifdef IP_BIND_ADDRESS_NO_PORT
(void) setsockopt(sock, SOL_IP, IP_BIND_ADDRESS_NO_PORT, &(int) {1}, sizeof(int));
#endif
if (bind(sock, (struct sockaddr *)&bindaddr, bindaddrlen) != 0) {
error("bind %s: %s", ntop, strerror(errno));
goto fail;
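Review bot: the level argument in `(void) setsockopt(sock, SOL_IP, IP_BIND_ADDRESS_NO_PORT, &(int) {1}, sizeof(int));` is the Linux-only spelling; `IPPROTO_IP` is the portable name with the same value on Linux, so writing `setsockopt(sock, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, ...)` keeps the line compiling on any other platform that later defines the option while still sitting inside the existing `#ifdef` guard. Discarding the return value is acceptable for a best-effort optimisation, but a debug-level log of `strerror(errno)` when it fails would make it visible that the old per-bind port reservation is still in effect rather than leaving that to be rediscovered at exhaustion time. Also worth confirming before merge: this code path is reached for AF_INET6 bind addresses too, so check that the option is accepted (or harmlessly refused) on an AF_INET6 socket and not only on AF_INET.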

0 comments on commit 93ab609