diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index d7a76aee8240..f8e276a1ebc6 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -76,7 +76,7 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/google/protobuf/archive/v3.5.0.tar.gz"],
     ),
     envoy_api = dict(
-        commit = "e73b8264a26c909f75d38ec2c73d9f47ad1b3b57",
+        commit = "ec157d3d8b359a1bd65c22116ba4387a459cc53a",
         remote = "https://github.com/envoyproxy/data-plane-api",
     ),
     grpc_httpjson_transcoding = dict(
diff --git a/configs/freebind/README.md b/configs/freebind/README.md
new file mode 100644
index 000000000000..9e479c0753eb
--- /dev/null
+++ b/configs/freebind/README.md
@@ -0,0 +1,14 @@
+# Freebind testing
+
+To manually validate the `IP_FREEBIND` behavior in Envoy, you can launch Envoy with
+[freebind.yaml](freebind.yaml).
+
+The listener free bind behavior can be verified with:
+
+1. `envoy -c ./configs/freebind/freebind.yaml -l trace`
+2. `sudo ifconfig lo:1 192.168.42.1/30 up`
+3. `nc -v -l 0.0.0.0 10001`
+
+To cleanup run `sudo ifconfig lo:1 down`.
+
+TODO(htuch): Steps to verify upstream behavior.
diff --git a/configs/freebind/freebind.yaml b/configs/freebind/freebind.yaml
new file mode 100644
index 000000000000..9b494bd05742
--- /dev/null
+++ b/configs/freebind/freebind.yaml
@@ -0,0 +1,41 @@
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address: { address: 127.0.0.1, port_value: 9901 }
+
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address: { address: 192.168.42.1, port_value: 10000 }
+    freebind: true
+    filter_chains:
+    - filters:
+      - name: envoy.http_connection_manager
+        config:
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match: { prefix: "/" }
+                route: { cluster: service_local }
+          http_filters:
+          - name: envoy.router
+  clusters:
+  - name: service_local
+    connect_timeout: 30s
+    type: STATIC
+    lb_policy: ROUND_ROBIN
+    hosts:
+    - socket_address:
+        address: 127.0.0.1
+        port_value: 10001
+# TODO(htuch): Figure out how to do end-to-end testing with
+# outgoing connections and free bind.
+#    upstream_bind_config:
+#      source_address:
+#        address: 192.168.43.1
+#      freebind: true
diff --git a/include/envoy/api/os_sys_calls.h b/include/envoy/api/os_sys_calls.h
index 9843352ac569..ee5d4d6b7999 100644
--- a/include/envoy/api/os_sys_calls.h
+++ b/include/envoy/api/os_sys_calls.h
@@ -63,6 +63,17 @@ class OsSysCalls {
    * @see man 2 stat
    */
   virtual int stat(const char* pathname, struct stat* buf) PURE;
+
+  /**
+   * @see man 2 setsockopt
+   */
+  virtual int setsockopt(int sockfd, int level, int optname, const void* optval,
+                         socklen_t optlen) PURE;
+
+  /**
+   * @see man 2 getsockopt
+   */
+  virtual int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) PURE;
 };
 
 typedef std::unique_ptr<OsSysCalls> OsSysCallsPtr;
diff --git a/include/envoy/network/listen_socket.h b/include/envoy/network/listen_socket.h
index b8ba4700ee75..9a5a320b2d59 100644
--- a/include/envoy/network/listen_socket.h
+++ b/include/envoy/network/listen_socket.h
@@ -55,13 +55,14 @@ class Socket {
      */
     virtual void hashKey(std::vector<uint8_t>& key) const PURE;
   };
-  typedef std::unique_ptr<Option> OptionPtr;
-  typedef std::shared_ptr<std::vector<OptionPtr>> OptionsSharedPtr;
+  typedef std::shared_ptr<const Option> OptionConstSharedPtr;
+  typedef std::vector<OptionConstSharedPtr> Options;
+  typedef std::shared_ptr<Options> OptionsSharedPtr;
 
   /**
    * Add a socket option visitor for later retrieval with options().
    */
-  virtual void addOption(OptionPtr&&) PURE;
+  virtual void addOption(const OptionConstSharedPtr&) PURE;
 
   /**
    * @return the socket options stored earlier with addOption() calls, if any.
diff --git a/include/envoy/server/filter_config.h b/include/envoy/server/filter_config.h
index 8cedca06a599..14333fa8f5bf 100644
--- a/include/envoy/server/filter_config.h
+++ b/include/envoy/server/filter_config.h
@@ -135,7 +135,7 @@ class ListenerFactoryContext : public FactoryContext {
   /**
    * Store socket options to be set on the listen socket before listening.
    */
-  virtual void addListenSocketOption(Network::Socket::OptionPtr&& option) PURE;
+  virtual void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) PURE;
 };
 
 /**
diff --git a/include/envoy/upstream/cluster_manager.h b/include/envoy/upstream/cluster_manager.h
index d945da82b231..459718aeaf65 100644
--- a/include/envoy/upstream/cluster_manager.h
+++ b/include/envoy/upstream/cluster_manager.h
@@ -145,12 +145,10 @@ class ClusterManager {
   virtual void shutdown() PURE;
 
   /**
-   * Returns an optional source address for upstream connections to bind to.
-   *
-   * @return Network::Address::InstanceConstSharedPtr a source address to bind to or nullptr if no
-   * bind need occur.
+   * @return const envoy::api::v2::core::BindConfig& cluster manager wide bind configuration for new
+   *         upstream connections.
    */
-  virtual const Network::Address::InstanceConstSharedPtr& sourceAddress() const PURE;
+  virtual const envoy::api::v2::core::BindConfig& bindConfig() const PURE;
 
   /**
    * Return a reference to the singleton ADS provider for upstream control plane muxing of xDS. This
diff --git a/include/envoy/upstream/upstream.h b/include/envoy/upstream/upstream.h
index 2df4c592d047..c3a9eb3182b4 100644
--- a/include/envoy/upstream/upstream.h
+++ b/include/envoy/upstream/upstream.h
@@ -369,6 +369,8 @@ class ClusterInfo {
     // Use the downstream protocol (HTTP1.1, HTTP2) for upstream connections as well, if available.
     // This is used when creating connection pools.
     static const uint64_t USE_DOWNSTREAM_PROTOCOL = 0x2;
+    // Use IP_FREEBIND socket option when binding.
+    static const uint64_t FREEBIND = 0x4;
   };
 
   virtual ~ClusterInfo() {}
diff --git a/source/common/api/os_sys_calls_impl.cc b/source/common/api/os_sys_calls_impl.cc
index 1c2de411d9a1..8fcd517ccd0d 100644
--- a/source/common/api/os_sys_calls_impl.cc
+++ b/source/common/api/os_sys_calls_impl.cc
@@ -35,5 +35,15 @@ void* OsSysCallsImpl::mmap(void* addr, size_t length, int prot, int flags, int f
 
 int OsSysCallsImpl::stat(const char* pathname, struct stat* buf) { return ::stat(pathname, buf); }
 
+int OsSysCallsImpl::setsockopt(int sockfd, int level, int optname, const void* optval,
+                               socklen_t optlen) {
+  return ::setsockopt(sockfd, level, optname, optval, optlen);
+}
+
+int OsSysCallsImpl::getsockopt(int sockfd, int level, int optname, void* optval,
+                               socklen_t* optlen) {
+  return ::getsockopt(sockfd, level, optname, optval, optlen);
+}
+
 } // namespace Api
 } // namespace Envoy
diff --git a/source/common/api/os_sys_calls_impl.h b/source/common/api/os_sys_calls_impl.h
index b6cdc5639428..23534e7f80d2 100644
--- a/source/common/api/os_sys_calls_impl.h
+++ b/source/common/api/os_sys_calls_impl.h
@@ -19,6 +19,8 @@ class OsSysCallsImpl : public OsSysCalls {
   int ftruncate(int fd, off_t length) override;
   void* mmap(void* addr, size_t length, int prot, int flags, int fd, off_t offset) override;
   int stat(const char* pathname, struct stat* buf) override;
+  int setsockopt(int sockfd, int level, int optname, const void* optval, socklen_t optlen) override;
+  int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) override;
 };
 
 typedef ThreadSafeSingleton<OsSysCallsImpl> OsSysCallsSingleton;
diff --git a/source/common/network/BUILD b/source/common/network/BUILD
index defbac786e67..c64a7dc248f2 100644
--- a/source/common/network/BUILD
+++ b/source/common/network/BUILD
@@ -173,6 +173,20 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "socket_option_lib",
+    srcs = ["socket_option_impl.cc"],
+    hdrs = ["socket_option_impl.h"],
+    external_deps = ["abseil_optional"],
+    deps = [
+        ":address_lib",
+        "//include/envoy/network:listen_socket_interface",
+        "//source/common/api:os_sys_calls_lib",
+        "//source/common/common:assert_lib",
+        "//source/common/common:logger_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],
diff --git a/source/common/network/listen_socket_impl.cc b/source/common/network/listen_socket_impl.cc
index 35b426041532..a9058c1cca6f 100644
--- a/source/common/network/listen_socket_impl.cc
+++ b/source/common/network/listen_socket_impl.cc
@@ -45,6 +45,7 @@ TcpListenSocket::TcpListenSocket(const Address::InstanceConstSharedPtr& address,
     : ListenSocketImpl(address->socket(Address::SocketType::Stream), address) {
   RELEASE_ASSERT(fd_ != -1);
 
+  // TODO(htuch): This might benefit from moving to SocketOptionImpl.
   int on = 1;
   int rc = setsockopt(fd_, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
   RELEASE_ASSERT(rc != -1);
diff --git a/source/common/network/listen_socket_impl.h b/source/common/network/listen_socket_impl.h
index da9a9bdbe0cd..71effb891480 100644
--- a/source/common/network/listen_socket_impl.h
+++ b/source/common/network/listen_socket_impl.h
@@ -26,9 +26,9 @@ class SocketImpl : public virtual Socket {
       fd_ = -1;
     }
   }
-  void addOption(OptionPtr&& option) override {
+  void addOption(const OptionConstSharedPtr& option) override {
     if (!options_) {
-      options_ = std::make_shared<std::vector<OptionPtr>>();
+      options_ = std::make_shared<std::vector<OptionConstSharedPtr>>();
     }
     options_->emplace_back(std::move(option));
   }
diff --git a/source/common/network/socket_option_impl.cc b/source/common/network/socket_option_impl.cc
new file mode 100644
index 000000000000..43a7aca45425
--- /dev/null
+++ b/source/common/network/socket_option_impl.cc
@@ -0,0 +1,80 @@
+#include "common/network/socket_option_impl.h"
+
+#include "envoy/common/exception.h"
+
+#include "common/api/os_sys_calls_impl.h"
+#include "common/common/assert.h"
+#include "common/network/address_impl.h"
+
+namespace Envoy {
+namespace Network {
+
+bool SocketOptionImpl::setOption(Socket& socket, Socket::SocketState state) const {
+  if (state == Socket::SocketState::PreBind) {
+    if (freebind_.has_value()) {
+      const int should_freebind = freebind_.value() ? 1 : 0;
+      const int error =
+          setIpSocketOption(socket, ENVOY_SOCKET_IP_FREEBIND, ENVOY_SOCKET_IPV6_FREEBIND,
+                            &should_freebind, sizeof(should_freebind));
+      if (error != 0) {
+        ENVOY_LOG(warn, "Setting IP_FREEBIND on listener socket failed: {}", strerror(error));
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+int SocketOptionImpl::setIpSocketOption(Socket& socket, SocketOptionName ipv4_optname,
+                                        SocketOptionName ipv6_optname, const void* optval,
+                                        socklen_t optlen) {
+  auto& os_syscalls = Api::OsSysCallsSingleton::get();
+
+  // If this isn't IP, we're out of luck.
+  Address::InstanceConstSharedPtr address;
+  const Address::Ip* ip = nullptr;
+  try {
+    // We have local address when the socket is used in a listener but have to
+    // infer the IP from the socket FD when initiating connections.
+    // TODO(htuch): Figure out a way to obtain a consistent interface for IP
+    // version from socket.
+    if (socket.localAddress()) {
+      ip = socket.localAddress()->ip();
+    } else {
+      address = Address::addressFromFd(socket.fd());
+      ip = address->ip();
+    }
+  } catch (const EnvoyException&) {
+    // Ignore, we get here because we failed in getsockname().
+    // TODO(htuch): We should probably clean up this logic to avoid relying on exceptions.
+  }
+  if (ip == nullptr) {
+    ENVOY_LOG(warn, "Failed to set IP socket option on non-IP socket");
+    return ENOTSUP;
+  }
+
+  // If the FD is v4, we can only try the IPv4 variant.
+  if (ip->version() == Network::Address::IpVersion::v4) {
+    if (!ipv4_optname) {
+      ENVOY_LOG(warn, "Unsupported IPv4 socket option");
+      return ENOTSUP;
+    }
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IP, ipv4_optname.value(), optval, optlen);
+  }
+
+  // If the FD is v6, we first try the IPv6 variant if the platfrom supports it and fallback to the
+  // IPv4 variant otherwise.
+  ASSERT(ip->version() == Network::Address::IpVersion::v6);
+  if (ipv6_optname) {
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IPV6, ipv6_optname.value(), optval, optlen);
+  }
+  if (ipv4_optname) {
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IP, ipv4_optname.value(), optval, optlen);
+  }
+  ENVOY_LOG(warn, "Unsupported IPv6 socket option");
+  return ENOTSUP;
+}
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/network/socket_option_impl.h b/source/common/network/socket_option_impl.h
new file mode 100644
index 000000000000..590dcc2e846e
--- /dev/null
+++ b/source/common/network/socket_option_impl.h
@@ -0,0 +1,64 @@
+#pragma once
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <sys/socket.h>
+
+#include "envoy/network/listen_socket.h"
+
+#include "common/common/logger.h"
+
+#include "absl/types/optional.h"
+
+namespace Envoy {
+namespace Network {
+
+// Optional variant of setsockopt(2) optname. The idea here is that if the option is not supported
+// on a platform, we can make this the empty value. This allows us to avoid proliferation of #ifdef.
+typedef absl::optional<int> SocketOptionName;
+
+#ifdef IP_FREEBIND
+#define ENVOY_SOCKET_IP_FREEBIND Network::SocketOptionName(IP_FREEBIND)
+#else
+#define ENVOY_SOCKET_IP_FREEBIND Network::SocketOptionName()
+#endif
+
+#ifdef IPV6_FREEBIND
+#define ENVOY_SOCKET_IPV6_FREEBIND Network::SocketOptionName(IPV6_FREEBIND)
+#else
+#define ENVOY_SOCKET_IPV6_FREEBIND Network::SocketOptionName()
+#endif
+
+class SocketOptionImpl : public Socket::Option, Logger::Loggable<Logger::Id::connection> {
+public:
+  SocketOptionImpl(absl::optional<bool> freebind) : freebind_(freebind) {}
+
+  // Socket::Option
+  bool setOption(Socket& socket, Socket::SocketState state) const override;
+  // The common socket options don't require a hash key.
+  void hashKey(std::vector<uint8_t>&) const override {}
+
+  /**
+   * Set a socket option that applies at both IPv4 and IPv6 socket levels. When the underlying FD
+   * is IPv6, this function will attempt to set at IPv6 unless the platform only supports the
+   * option at the IPv4 level.
+   * @param socket.
+   * @param ipv4_optname SocketOptionName for IPv4 level. Set to empty if not supported on
+   * platform.
+   * @param ipv6_optname SocketOptionName for IPv6 level. Set to empty if not supported on
+   * platform.
+   * @param optval as per setsockopt(2).
+   * @param optlen as per setsockopt(2).
+   * @return int as per setsockopt(2). ENOTSUP is returned if the option is not supported on the
+   * platform for fd after the above option level fallback semantics are taken into account or the
+   *         socket is non-IP.
+   */
+  static int setIpSocketOption(Socket& socket, SocketOptionName ipv4_optname,
+                               SocketOptionName ipv6_optname, const void* optval, socklen_t optlen);
+
+private:
+  const absl::optional<bool> freebind_;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD
index b72e60462c14..a92a8119d6c7 100644
--- a/source/common/upstream/BUILD
+++ b/source/common/upstream/BUILD
@@ -342,6 +342,7 @@ envoy_cc_library(
         "//source/common/http:utility_lib",
         "//source/common/network:address_lib",
         "//source/common/network:resolver_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/protobuf",
         "//source/common/protobuf:utility_lib",
diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc
index 36ee13901154..4f5699124686 100644
--- a/source/common/upstream/cluster_manager_impl.cc
+++ b/source/common/upstream/cluster_manager_impl.cc
@@ -170,7 +170,8 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Boots
                                        AccessLog::AccessLogManager& log_manager,
                                        Event::Dispatcher& main_thread_dispatcher)
     : factory_(factory), runtime_(runtime), stats_(stats), tls_(tls.allocateSlot()),
-      random_(random), local_info_(local_info), cm_stats_(generateStats(stats)),
+      random_(random), bind_config_(bootstrap.cluster_manager().upstream_bind_config()),
+      local_info_(local_info), cm_stats_(generateStats(stats)),
       init_helper_([this](Cluster& cluster) { onClusterInit(cluster); }) {
   async_client_manager_ = std::make_unique<Grpc::AsyncClientManagerImpl>(*this, tls);
   const auto& cm_config = bootstrap.cluster_manager();
@@ -187,11 +188,6 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Boots
     eds_config_ = bootstrap.dynamic_resources().deprecated_v1().sds_config();
   }
 
-  if (bootstrap.cluster_manager().upstream_bind_config().has_source_address()) {
-    source_address_ = Network::Address::resolveProtoSocketAddress(
-        bootstrap.cluster_manager().upstream_bind_config().source_address());
-  }
-
   // Cluster loading happens in two phases: first all the primary clusters are loaded, and then all
   // the secondary clusters are loaded. As it currently stands all non-EDS clusters are primary and
   // only EDS clusters are secondary. This two phase loading is done because in v2 configuration
diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h
index 80f6efe63736..9fc85bcce2dd 100644
--- a/source/common/upstream/cluster_manager_impl.h
+++ b/source/common/upstream/cluster_manager_impl.h
@@ -181,9 +181,7 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable<Logger::Id::u
     active_clusters_.clear();
   }
 
-  const Network::Address::InstanceConstSharedPtr& sourceAddress() const override {
-    return source_address_;
-  }
+  const envoy::api::v2::core::BindConfig& bindConfig() const override { return bind_config_; }
 
   Config::GrpcMux& adsMux() override { return *ads_mux_; }
   Grpc::AsyncClientManager& grpcAsyncClientManager() override { return *async_client_manager_; }
@@ -309,7 +307,7 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable<Logger::Id::u
   ClusterMap active_clusters_;
   ClusterMap warming_clusters_;
   absl::optional<envoy::api::v2::core::ConfigSource> eds_config_;
-  Network::Address::InstanceConstSharedPtr source_address_;
+  envoy::api::v2::core::BindConfig bind_config_;
   Outlier::EventLoggerSharedPtr outlier_event_logger_;
   const LocalInfo::LocalInfo& local_info_;
   CdsApiPtr cds_api_;
diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc
index d52671959ec2..469227ee16aa 100644
--- a/source/common/upstream/eds.cc
+++ b/source/common/upstream/eds.cc
@@ -22,7 +22,7 @@ EdsClusterImpl::EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::
                                const LocalInfo::LocalInfo& local_info, ClusterManager& cm,
                                Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random,
                                bool added_via_api)
-    : BaseDynamicClusterImpl(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
+    : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager,
                              added_via_api),
       cm_(cm), local_info_(local_info),
       cluster_name_(cluster.eds_cluster_config().service_name().empty()
diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc
index 31458633724b..97fe972d15c1 100644
--- a/source/common/upstream/logical_dns_cluster.cc
+++ b/source/common/upstream/logical_dns_cluster.cc
@@ -21,8 +21,7 @@ LogicalDnsCluster::LogicalDnsCluster(const envoy::api::v2::Cluster& cluster,
                                      Network::DnsResolverSharedPtr dns_resolver,
                                      ThreadLocal::SlotAllocator& tls, ClusterManager& cm,
                                      Event::Dispatcher& dispatcher, bool added_via_api)
-    : ClusterImplBase(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       dns_resolver_(dns_resolver),
       dns_refresh_rate_ms_(
           std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))),
diff --git a/source/common/upstream/original_dst_cluster.cc b/source/common/upstream/original_dst_cluster.cc
index b4a0cbd80666..cdeb7e212967 100644
--- a/source/common/upstream/original_dst_cluster.cc
+++ b/source/common/upstream/original_dst_cluster.cc
@@ -95,8 +95,7 @@ OriginalDstCluster::OriginalDstCluster(const envoy::api::v2::Cluster& config,
                                        Runtime::Loader& runtime, Stats::Store& stats,
                                        Ssl::ContextManager& ssl_context_manager, ClusterManager& cm,
                                        Event::Dispatcher& dispatcher, bool added_via_api)
-    : ClusterImplBase(config, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(config, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       dispatcher_(dispatcher), cleanup_interval_ms_(std::chrono::milliseconds(
                                    PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))),
       cleanup_timer_(dispatcher.createTimer([this]() -> void { cleanup(); })) {
diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
index 4c38a8265349..2e948854626a 100644
--- a/source/common/upstream/upstream_impl.cc
+++ b/source/common/upstream/upstream_impl.cc
@@ -24,6 +24,7 @@
 #include "common/http/utility.h"
 #include "common/network/address_impl.h"
 #include "common/network/resolver_impl.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/protobuf/protobuf.h"
 #include "common/protobuf/utility.h"
@@ -38,15 +39,45 @@ namespace {
 
 const Network::Address::InstanceConstSharedPtr
 getSourceAddress(const envoy::api::v2::Cluster& cluster,
-                 const Network::Address::InstanceConstSharedPtr source_address) {
+                 const envoy::api::v2::core::BindConfig& bind_config) {
   // The source address from cluster config takes precedence.
   if (cluster.upstream_bind_config().has_source_address()) {
     return Network::Address::resolveProtoSocketAddress(
         cluster.upstream_bind_config().source_address());
   }
   // If there's no source address in the cluster config, use any default from the bootstrap proto.
-  return source_address;
+  if (bind_config.has_source_address()) {
+    return Network::Address::resolveProtoSocketAddress(bind_config.source_address());
+  }
+
+  return nullptr;
+}
+
+uint64_t parseFeatures(const envoy::api::v2::Cluster& config,
+                       const envoy::api::v2::core::BindConfig bind_config) {
+  uint64_t features = 0;
+  if (config.has_http2_protocol_options()) {
+    features |= ClusterInfoImpl::Features::HTTP2;
+  }
+  if (config.protocol_selection() == envoy::api::v2::Cluster::USE_DOWNSTREAM_PROTOCOL) {
+    features |= ClusterInfoImpl::Features::USE_DOWNSTREAM_PROTOCOL;
+  }
+  // Cluster IP_FREEBIND settings, when set, will override the cluster manager wide settings.
+  if ((bind_config.freebind().value() && !config.upstream_bind_config().has_freebind()) ||
+      config.upstream_bind_config().freebind().value()) {
+    features |= ClusterInfoImpl::Features::FREEBIND;
+  }
+  return features;
 }
+
+// Socket::Option implementation for API-defined upstream options. This same
+// object can be extended to handle additional upstream socket options.
+class UpstreamSocketOption : public Network::SocketOptionImpl {
+public:
+  UpstreamSocketOption(const ClusterInfo& cluster_info)
+      : Network::SocketOptionImpl(cluster_info.features() & ClusterInfo::Features::FREEBIND) {}
+};
+
 } // namespace
 
 Host::CreateConnectionData
@@ -59,9 +90,19 @@ Network::ClientConnectionPtr
 HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& cluster,
                            Network::Address::InstanceConstSharedPtr address,
                            const Network::ConnectionSocket::OptionsSharedPtr& options) {
+  Network::ConnectionSocket::OptionsSharedPtr cluster_options;
+  if (cluster.features() & ClusterInfo::Features::FREEBIND) {
+    cluster_options = std::make_shared<Network::ConnectionSocket::Options>();
+    if (options) {
+      *cluster_options = *options;
+    }
+    cluster_options->emplace_back(new UpstreamSocketOption(cluster));
+  } else {
+    cluster_options = options;
+  }
   Network::ClientConnectionPtr connection = dispatcher.createClientConnection(
       address, cluster.sourceAddress(), cluster.transportSocketFactory().createTransportSocket(),
-      options);
+      cluster_options);
   connection->setBufferLimits(cluster.perConnectionBufferLimitBytes());
   return connection;
 }
@@ -110,7 +151,7 @@ ClusterLoadReportStats ClusterInfoImpl::generateLoadReportStats(Stats::Scope& sc
 }
 
 ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
-                                 const Network::Address::InstanceConstSharedPtr source_address,
+                                 const envoy::api::v2::core::BindConfig& bind_config,
                                  Runtime::Loader& runtime, Stats::Store& stats,
                                  Ssl::ContextManager& ssl_context_manager, bool added_via_api)
     : runtime_(runtime), name_(config.name()), type_(config.type()),
@@ -125,11 +166,11 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
           config.alt_stat_name().empty() ? name_ : std::string(config.alt_stat_name())))),
       stats_(generateStats(*stats_scope_)),
       load_report_stats_(generateLoadReportStats(load_report_stats_store_)),
-      features_(parseFeatures(config)),
+      features_(parseFeatures(config, bind_config)),
       http2_settings_(Http::Utility::parseHttp2Settings(config.http2_protocol_options())),
       resource_managers_(config, runtime, name_),
       maintenance_mode_runtime_key_(fmt::format("upstream.maintenance_mode.{}", name_)),
-      source_address_(getSourceAddress(config, source_address)),
+      source_address_(getSourceAddress(config, bind_config)),
       lb_ring_hash_config_(envoy::api::v2::Cluster::RingHashLbConfig(config.ring_hash_lb_config())),
       ssl_context_manager_(ssl_context_manager), added_via_api_(added_via_api),
       lb_subset_(LoadBalancerSubsetInfoImpl(config.lb_subset_config())),
@@ -276,10 +317,10 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster,
 }
 
 ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster,
-                                 const Network::Address::InstanceConstSharedPtr source_address,
+                                 const envoy::api::v2::core::BindConfig& bind_config,
                                  Runtime::Loader& runtime, Stats::Store& stats,
                                  Ssl::ContextManager& ssl_context_manager, bool added_via_api)
-    : runtime_(runtime), info_(new ClusterInfoImpl(cluster, source_address, runtime, stats,
+    : runtime_(runtime), info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats,
                                                    ssl_context_manager, added_via_api)) {
   // Create the default (empty) priority set before registering callbacks to
   // avoid getting an update the first time it is accessed.
@@ -321,17 +362,6 @@ bool ClusterInfoImpl::maintenanceMode() const {
   return runtime_.snapshot().featureEnabled(maintenance_mode_runtime_key_, 0);
 }
 
-uint64_t ClusterInfoImpl::parseFeatures(const envoy::api::v2::Cluster& config) {
-  uint64_t features = 0;
-  if (config.has_http2_protocol_options()) {
-    features |= Features::HTTP2;
-  }
-  if (config.protocol_selection() == envoy::api::v2::Cluster::USE_DOWNSTREAM_PROTOCOL) {
-    features |= Features::USE_DOWNSTREAM_PROTOCOL;
-  }
-  return features;
-}
-
 ResourceManager& ClusterInfoImpl::resourceManager(ResourcePriority priority) const {
   ASSERT(enumToInt(priority) < resource_managers_.managers_.size());
   return *resource_managers_.managers_[enumToInt(priority)];
@@ -497,8 +527,7 @@ StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster,
                                      Runtime::Loader& runtime, Stats::Store& stats,
                                      Ssl::ContextManager& ssl_context_manager, ClusterManager& cm,
                                      bool added_via_api)
-    : ClusterImplBase(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       initial_hosts_(new HostVector()) {
 
   for (const auto& host : cluster.hosts()) {
@@ -617,7 +646,7 @@ StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluste
                                            Network::DnsResolverSharedPtr dns_resolver,
                                            ClusterManager& cm, Event::Dispatcher& dispatcher,
                                            bool added_via_api)
-    : BaseDynamicClusterImpl(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
+    : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager,
                              added_via_api),
       dns_resolver_(dns_resolver),
       dns_refresh_rate_ms_(
diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h
index b3a753be4b83..f92f141fa5c4 100644
--- a/source/common/upstream/upstream_impl.h
+++ b/source/common/upstream/upstream_impl.h
@@ -294,9 +294,9 @@ class ClusterInfoImpl : public ClusterInfo,
                         public Server::Configuration::TransportSocketFactoryContext {
 public:
   ClusterInfoImpl(const envoy::api::v2::Cluster& config,
-                  const Network::Address::InstanceConstSharedPtr source_address,
-                  Runtime::Loader& runtime, Stats::Store& stats,
-                  Ssl::ContextManager& ssl_context_manager, bool added_via_api);
+                  const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime,
+                  Stats::Store& stats, Ssl::ContextManager& ssl_context_manager,
+                  bool added_via_api);
 
   static ClusterStats generateStats(Stats::Scope& scope);
   static ClusterLoadReportStats generateLoadReportStats(Stats::Scope& scope);
@@ -353,8 +353,6 @@ class ClusterInfoImpl : public ClusterInfo,
     Managers managers_;
   };
 
-  static uint64_t parseFeatures(const envoy::api::v2::Cluster& config);
-
   Runtime::Loader& runtime_;
   const std::string name_;
   const envoy::api::v2::Cluster::DiscoveryType type_;
@@ -430,9 +428,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable<Logger::Id::u
 
 protected:
   ClusterImplBase(const envoy::api::v2::Cluster& cluster,
-                  const Network::Address::InstanceConstSharedPtr source_address,
-                  Runtime::Loader& runtime, Stats::Store& stats,
-                  Ssl::ContextManager& ssl_context_manager, bool added_via_api);
+                  const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime,
+                  Stats::Store& stats, Ssl::ContextManager& ssl_context_manager,
+                  bool added_via_api);
 
   static HostVectorConstSharedPtr createHealthyHostList(const HostVector& hosts);
   static HostsPerLocalityConstSharedPtr createHealthyHostLists(const HostsPerLocality& hosts);
diff --git a/source/server/BUILD b/source/server/BUILD
index ed97687642c5..61c42c872831 100644
--- a/source/server/BUILD
+++ b/source/server/BUILD
@@ -204,6 +204,7 @@ envoy_cc_library(
         "//source/common/config:utility_lib",
         "//source/common/config:well_known_names",
         "//source/common/network:listen_socket_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/protobuf:utility_lib",
         "//source/common/ssl:context_config_lib",
diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc
index e9e4ddef4a53..16bd62b23e77 100644
--- a/source/server/listener_manager_impl.cc
+++ b/source/server/listener_manager_impl.cc
@@ -8,6 +8,7 @@
 #include "common/config/utility.h"
 #include "common/config/well_known_names.h"
 #include "common/network/listen_socket_impl.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/protobuf/utility.h"
 
@@ -105,6 +106,14 @@ ProdListenerComponentFactory::createDrainManager(envoy::api::v2::Listener::Drain
   return DrainManagerPtr{new DrainManagerImpl(server_, drain_type)};
 }
 
+// Socket::Option implementation for API-defined listener socket options.
+// This same object can be extended to handle additional listener socket options.
+class ListenerSocketOption : public Network::SocketOptionImpl {
+public:
+  ListenerSocketOption(const envoy::api::v2::Listener& config)
+      : Network::SocketOptionImpl(config.freebind().value()) {}
+};
+
 ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, ListenerManagerImpl& parent,
                            const std::string& name, bool modifiable, bool workers_started,
                            uint64_t hash)
@@ -126,6 +135,11 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, ListenerManag
   // filter chain #1308.
   ASSERT(config.filter_chains().size() >= 1);
 
+  // Add listen socket options from the config.
+  if (config.has_freebind()) {
+    addListenSocketOption(std::make_unique<ListenerSocketOption>(config));
+  }
+
   if (!config.listener_filters().empty()) {
     listener_filter_factories_ =
         parent_.factory_.createListenerFilterFactoryList(config.listener_filters(), *this);
diff --git a/source/server/listener_manager_impl.h b/source/server/listener_manager_impl.h
index 8729c339b5f0..856b7e3877b9 100644
--- a/source/server/listener_manager_impl.h
+++ b/source/server/listener_manager_impl.h
@@ -249,9 +249,10 @@ class ListenerImpl : public Network::ListenerConfig,
   ThreadLocal::Instance& threadLocal() override { return parent_.server_.threadLocal(); }
   Admin& admin() override { return parent_.server_.admin(); }
   const envoy::api::v2::core::Metadata& listenerMetadata() const override { return metadata_; };
-  void addListenSocketOption(Network::Socket::OptionPtr&& option) override {
+  void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) override {
     if (!listen_socket_options_) {
-      listen_socket_options_ = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+      listen_socket_options_ =
+          std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
     }
     listen_socket_options_->emplace_back(std::move(option));
   }
diff --git a/test/common/network/BUILD b/test/common/network/BUILD
index c26f86708759..1af921356b70 100644
--- a/test/common/network/BUILD
+++ b/test/common/network/BUILD
@@ -168,6 +168,18 @@ envoy_cc_test(
     ],
 )
 
+envoy_cc_test(
+    name = "socket_option_impl_test",
+    srcs = ["socket_option_impl_test.cc"],
+    deps = [
+        "//source/common/network:address_lib",
+        "//source/common/network:socket_option_lib",
+        "//test/mocks/api:api_mocks",
+        "//test/mocks/network:network_mocks",
+        "//test/test_common:threadsafe_singleton_injector_lib",
+    ],
+)
+
 envoy_cc_test(
     name = "utility_test",
     srcs = ["utility_test.cc"],
diff --git a/test/common/network/listen_socket_impl_test.cc b/test/common/network/listen_socket_impl_test.cc
index 3934d0de39e0..eb71ad2a8dd6 100644
--- a/test/common/network/listen_socket_impl_test.cc
+++ b/test/common/network/listen_socket_impl_test.cc
@@ -43,7 +43,7 @@ TEST_P(ListenSocketImplTest, BindSpecificPort) {
   EXPECT_EQ(0, close(addr_fd.second));
 
   auto option = std::make_unique<MockSocketOption>();
-  auto options = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options->emplace_back(std::move(option));
   TcpListenSocket socket1(addr, options, true);
@@ -52,7 +52,7 @@ TEST_P(ListenSocketImplTest, BindSpecificPort) {
   EXPECT_EQ(addr->ip()->addressAsString(), socket1.localAddress()->ip()->addressAsString());
 
   auto option2 = std::make_unique<MockSocketOption>();
-  auto options2 = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options2 = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option2, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options2->emplace_back(std::move(option2));
   // The address and port are bound already, should throw exception.
diff --git a/test/common/network/listener_impl_test.cc b/test/common/network/listener_impl_test.cc
index 50b4d8a3c64e..9636fa5c9bc2 100644
--- a/test/common/network/listener_impl_test.cc
+++ b/test/common/network/listener_impl_test.cc
@@ -164,7 +164,7 @@ TEST_P(ListenerImplTest, WildcardListenerIpv4Compat) {
   Stats::IsolatedStoreImpl stats_store;
   Event::DispatcherImpl dispatcher;
   auto option = std::make_unique<MockSocketOption>();
-  auto options = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options->emplace_back(std::move(option));
 
diff --git a/test/common/network/socket_option_impl_test.cc b/test/common/network/socket_option_impl_test.cc
new file mode 100644
index 000000000000..83343455dd63
--- /dev/null
+++ b/test/common/network/socket_option_impl_test.cc
@@ -0,0 +1,166 @@
+#include "common/network/address_impl.h"
+#include "common/network/socket_option_impl.h"
+
+#include "test/mocks/api/mocks.h"
+#include "test/mocks/network/mocks.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
+
+#include "gtest/gtest.h"
+
+using testing::Invoke;
+using testing::NiceMock;
+using testing::Return;
+using testing::_;
+
+namespace Envoy {
+namespace Network {
+namespace {
+
+class SocketOptionImplTest : public testing::Test {
+public:
+  SocketOptionImplTest() { socket_.local_address_.reset(); }
+
+  NiceMock<MockListenSocket> socket_;
+  Api::MockOsSysCalls os_sys_calls_;
+  TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls{&os_sys_calls_};
+};
+
+// We fail to set the option if the socket FD is bad.
+TEST_F(SocketOptionImplTest, BadFd) {
+  EXPECT_CALL(socket_, fd()).WillOnce(Return(-1));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// Nop when there are no socket options set.
+TEST_F(SocketOptionImplTest, SetOptionEmptyNop) {
+  SocketOptionImpl socket_option{{}};
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PostBind));
+}
+
+// We fail to set the option when the underlying setsockopt syscall fails.
+TEST_F(SocketOptionImplTest, SetOptionFreebindFailure) {
+  SocketOptionImpl socket_option{true};
+  EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+}
+
+// The happy path for setOpion(); IP_FREEBIND is set true.
+TEST_F(SocketOptionImplTest, SetOptionFreeebindSuccessTrue) {
+  SocketOptionImpl socket_option{true};
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    Address::Ipv4Instance address("1.2.3.4", 5678);
+    const int fd = address.socket(Address::SocketType::Stream);
+    EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+    EXPECT_CALL(os_sys_calls_,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  } else {
+    EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  }
+}
+
+// The happy path for setOpion(); IP_FREEBIND is set false.
+TEST_F(SocketOptionImplTest, SetOptionFreeebindSuccessFalse) {
+  SocketOptionImpl socket_option{true};
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    Address::Ipv4Instance address("1.2.3.4", 5678);
+    const int fd = address.socket(Address::SocketType::Stream);
+    EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+    EXPECT_CALL(os_sys_calls_,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  } else {
+    EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  }
+}
+
+// Freebind settings have no effect on post-bind behavior.
+TEST_F(SocketOptionImplTest, SetOptionFreebindPostBind) {
+  SocketOptionImpl socket_option{true};
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PostBind));
+}
+
+// If a platform doesn't suppport IPv4 socket option variant for an IPv4 address, we fail
+// SocketOptionImpl::setIpSocketOption().
+TEST_F(SocketOptionImplTest, V4EmptyOptionNames) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// If a platform doesn't suppport IPv4 and IPv6 socket option variants for an IPv4 address, we fail
+// SocketOptionImpl::setIpSocketOption().
+TEST_F(SocketOptionImplTest, V6EmptyOptionNames) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// If a platform suppports IPv4 socket option variant for an IPv4 address,
+// SocketOptionImpl::setIpSocketOption() works.
+TEST_F(SocketOptionImplTest, V4Only) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv4 and IPv6 socket option variants for an IPv4 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv4 variant.
+TEST_F(SocketOptionImplTest, V4IgnoreV6) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {456}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv6 socket option variant for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works.
+TEST_F(SocketOptionImplTest, V6Only) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IPV6, 456, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {}, {456}, &option, sizeof(option)));
+}
+
+// If a platform suppports only the IPv4 variant for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv4 variant.
+TEST_F(SocketOptionImplTest, V6OnlyV4Fallback) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv4 and IPv6 socket option variants for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv6 variant.
+TEST_F(SocketOptionImplTest, V6Precedence) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IPV6, 456, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {456}, &option, sizeof(option)));
+}
+
+} // namespace
+} // namespace Network
+} // namespace Envoy
diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD
index bdeb38afed48..0f576a55f90c 100644
--- a/test/common/upstream/BUILD
+++ b/test/common/upstream/BUILD
@@ -34,6 +34,7 @@ envoy_cc_test(
         "//source/common/config:bootstrap_json_lib",
         "//source/common/config:utility_lib",
         "//source/common/event:dispatcher_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/ssl:context_lib",
         "//source/common/stats:stats_lib",
@@ -41,12 +42,14 @@ envoy_cc_test(
         "//source/server/config/network:raw_buffer_socket_lib",
         "//source/server/config/network:ssl_socket_lib",
         "//test/mocks/access_log:access_log_mocks",
+        "//test/mocks/api:api_mocks",
         "//test/mocks/http:http_mocks",
         "//test/mocks/local_info:local_info_mocks",
         "//test/mocks/network:network_mocks",
         "//test/mocks/runtime:runtime_mocks",
         "//test/mocks/thread_local:thread_local_mocks",
         "//test/mocks/upstream:upstream_mocks",
+        "//test/test_common:threadsafe_singleton_injector_lib",
         "//test/test_common:utility_lib",
     ],
 )
diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc
index a378232d4909..2c8de84f5a0b 100644
--- a/test/common/upstream/cluster_manager_impl_test.cc
+++ b/test/common/upstream/cluster_manager_impl_test.cc
@@ -1,10 +1,12 @@
 #include <memory>
 #include <string>
 
+#include "envoy/network/listen_socket.h"
 #include "envoy/upstream/upstream.h"
 
 #include "common/config/bootstrap_json.h"
 #include "common/config/utility.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/ssl/context_manager_impl.h"
 #include "common/stats/stats_impl.h"
@@ -12,12 +14,14 @@
 
 #include "test/common/upstream/utility.h"
 #include "test/mocks/access_log/mocks.h"
+#include "test/mocks/api/mocks.h"
 #include "test/mocks/http/mocks.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
 #include "test/mocks/thread_local/mocks.h"
 #include "test/mocks/upstream/mocks.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
 #include "test/test_common/utility.h"
 
 #include "gmock/gmock.h"
@@ -1288,6 +1292,155 @@ TEST_F(ClusterManagerInitHelperTest, RemoveClusterWithinInitLoop) {
   init_helper_.onStaticLoadComplete();
 }
 
+// Validate that when freebind is set in the ClusterManager and/or Cluster, we see the socket option
+// propagated to setsockopt(). This is as close to an end-to-end test as we have for this feature,
+// due to the complexity of creating an integration test involving the network stack. We only test
+// the IPv4 case here, as the logic around IPv4/IPv6 handling is tested generically in
+// socket_option_impl_test.cc.
+class FreebindTest : public ClusterManagerImplTest {
+public:
+  void initialize(const std::string& yaml) { create(parseBootstrapFromV2Yaml(yaml)); }
+
+  void TearDown() override { factory_.tls_.shutdownThread(); }
+
+  void expectSetsockoptFreebind() {
+    if (!ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+      EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+          .WillOnce(
+              Invoke([this](Network::Address::InstanceConstSharedPtr,
+                            Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                            const Network::ConnectionSocket::OptionsSharedPtr& options)
+                         -> Network::ClientConnection* {
+                EXPECT_NE(nullptr, options.get());
+                EXPECT_EQ(1, options->size());
+                NiceMock<Network::MockConnectionSocket> socket;
+                EXPECT_FALSE(
+                    (*options->begin())->setOption(socket, Network::Socket::SocketState::PreBind));
+                return connection_;
+              }));
+      cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+      return;
+    }
+    NiceMock<Api::MockOsSysCalls> os_sys_calls;
+    TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls(&os_sys_calls);
+    EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+        .WillOnce(
+            Invoke([this](Network::Address::InstanceConstSharedPtr,
+                          Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                          const Network::ConnectionSocket::OptionsSharedPtr& options)
+                       -> Network::ClientConnection* {
+              EXPECT_NE(nullptr, options.get());
+              EXPECT_EQ(1, options->size());
+              NiceMock<Network::MockConnectionSocket> socket;
+              EXPECT_TRUE(
+                  (*options->begin())->setOption(socket, Network::Socket::SocketState::PreBind));
+              return connection_;
+            }));
+    EXPECT_CALL(os_sys_calls,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    auto conn_data = cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+    EXPECT_EQ(connection_, conn_data.connection_.get());
+  }
+
+  void expectNoSocketOptions() {
+    EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+        .WillOnce(
+            Invoke([this](Network::Address::InstanceConstSharedPtr,
+                          Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                          const Network::ConnectionSocket::OptionsSharedPtr& options)
+                       -> Network::ClientConnection* {
+              EXPECT_EQ(nullptr, options.get());
+              return connection_;
+            }));
+    auto conn_data = cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+    EXPECT_EQ(connection_, conn_data.connection_.get());
+  }
+
+  Network::MockClientConnection* connection_ = new NiceMock<Network::MockClientConnection>();
+};
+
+TEST_F(FreebindTest, FreebindUnset) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+  )EOF";
+  initialize(yaml);
+  expectNoSocketOptions();
+}
+
+TEST_F(FreebindTest, FreebindClusterOnly) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+      upstream_bind_config:
+        freebind: true
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
+TEST_F(FreebindTest, FreebindClusterManagerOnly) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+  cluster_manager:
+    upstream_bind_config:
+      freebind: true
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
+TEST_F(FreebindTest, FreebindClusterOverride) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+      upstream_bind_config:
+        freebind: true
+  cluster_manager:
+    upstream_bind_config:
+      freebind: false
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
 } // namespace
 } // namespace Upstream
 } // namespace Envoy
diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc
index d8e5acb9f832..5e70e443624e 100644
--- a/test/common/upstream/upstream_impl_test.cc
+++ b/test/common/upstream/upstream_impl_test.cc
@@ -672,14 +672,12 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
   config.set_name("staticcluster");
   config.mutable_connect_timeout();
 
-  Network::Address::InstanceConstSharedPtr bootstrap_address =
-      Network::Utility::parseInternetAddress("1.2.3.5");
   {
     // If the cluster manager gets a source address from the bootstrap proto, use it.
     NiceMock<MockClusterManager> cm;
-    cm.source_address_ = bootstrap_address;
+    cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
     StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
-    EXPECT_EQ(bootstrap_address->asString(), cluster.info()->sourceAddress()->asString());
+    EXPECT_EQ("1.2.3.5:0", cluster.info()->sourceAddress()->asString());
   }
 
   const std::string cluster_address = "5.6.7.8";
@@ -694,7 +692,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
   {
     // The source address from cluster config takes precedence over one from the bootstrap proto.
     NiceMock<MockClusterManager> cm;
-    cm.source_address_ = bootstrap_address;
+    cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
     StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
     EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString());
   }
diff --git a/test/mocks/api/BUILD b/test/mocks/api/BUILD
index 5325b4865934..1ffcdd3a1f05 100644
--- a/test/mocks/api/BUILD
+++ b/test/mocks/api/BUILD
@@ -16,6 +16,7 @@ envoy_cc_mock(
         "//include/envoy/api:api_interface",
         "//include/envoy/api:os_sys_calls_interface",
         "//source/common/api:os_sys_calls_lib",
+        "//source/common/common:assert_lib",
         "//test/mocks/filesystem:filesystem_mocks",
     ],
 )
diff --git a/test/mocks/api/mocks.cc b/test/mocks/api/mocks.cc
index a7dfa62fa89c..ae729678ab70 100644
--- a/test/mocks/api/mocks.cc
+++ b/test/mocks/api/mocks.cc
@@ -1,5 +1,7 @@
 #include "mocks.h"
 
+#include "common/common/assert.h"
+
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 
@@ -37,5 +39,34 @@ ssize_t MockOsSysCalls::write(int fd, const void* buffer, size_t num_bytes) {
   return result;
 }
 
+int MockOsSysCalls::setsockopt(int sockfd, int level, int optname, const void* optval,
+                               socklen_t optlen) {
+  ASSERT(optlen == sizeof(int));
+
+  // Allow mocking system call failure.
+  if (setsockopt_(sockfd, level, optname, optval, optlen) != 0) {
+    return -1;
+  }
+
+  boolsockopts_[SockOptKey(sockfd, level, optname)] = !!*reinterpret_cast<const int*>(optval);
+  return 0;
+};
+
+int MockOsSysCalls::getsockopt(int sockfd, int level, int optname, void* optval,
+                               socklen_t* optlen) {
+  ASSERT(*optlen == sizeof(int));
+  int val = 0;
+  const auto& it = boolsockopts_.find(SockOptKey(sockfd, level, optname));
+  if (it != boolsockopts_.end()) {
+    val = it->second;
+  }
+  // Allow mocking system call failure.
+  if (getsockopt_(sockfd, level, optname, optval, optlen) != 0) {
+    return -1;
+  }
+  *reinterpret_cast<int*>(optval) = val;
+  return 0;
+}
+
 } // namespace Api
 } // namespace Envoy
diff --git a/test/mocks/api/mocks.h b/test/mocks/api/mocks.h
index c7338e9501a7..26c1b993b57c 100644
--- a/test/mocks/api/mocks.h
+++ b/test/mocks/api/mocks.h
@@ -44,6 +44,8 @@ class MockOsSysCalls : public OsSysCallsImpl {
   // Api::OsSysCalls
   ssize_t write(int fd, const void* buffer, size_t num_bytes) override;
   int open(const std::string& full_path, int flags, int mode) override;
+  int setsockopt(int sockfd, int level, int optname, const void* optval, socklen_t optlen) override;
+  int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) override;
 
   MOCK_METHOD3(bind, int(int sockfd, const sockaddr* addr, socklen_t addrlen));
   MOCK_METHOD1(close, int(int));
@@ -54,6 +56,10 @@ class MockOsSysCalls : public OsSysCallsImpl {
   MOCK_METHOD2(ftruncate, int(int fd, off_t length));
   MOCK_METHOD6(mmap, void*(void* addr, size_t length, int prot, int flags, int fd, off_t offset));
   MOCK_METHOD2(stat, int(const char* name, struct stat* stat));
+  MOCK_METHOD5(setsockopt_,
+               int(int sockfd, int level, int optname, const void* optval, socklen_t optlen));
+  MOCK_METHOD5(getsockopt_,
+               int(int sockfd, int level, int optname, void* optval, socklen_t* optlen));
 
   size_t num_writes_;
   size_t num_open_;
@@ -61,6 +67,9 @@ class MockOsSysCalls : public OsSysCallsImpl {
   Thread::MutexBasicLockable open_mutex_;
   std::condition_variable_any write_event_;
   std::condition_variable_any open_event_;
+  // Map from (sockfd,level,optname) to boolean socket option.
+  using SockOptKey = std::tuple<int, int, int>;
+  std::map<SockOptKey, bool> boolsockopts_;
 };
 
 } // namespace Api
diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h
index cd016bdda061..9b0d70ed699e 100644
--- a/test/mocks/network/mocks.h
+++ b/test/mocks/network/mocks.h
@@ -258,12 +258,12 @@ class MockListenSocket : public Socket {
   MockListenSocket();
   ~MockListenSocket();
 
-  void addOption(Socket::OptionPtr&& option) override { addOption_(option); }
+  void addOption(const Socket::OptionConstSharedPtr& option) override { addOption_(option); }
 
   MOCK_CONST_METHOD0(localAddress, const Address::InstanceConstSharedPtr&());
   MOCK_CONST_METHOD0(fd, int());
   MOCK_METHOD0(close, void());
-  MOCK_METHOD1(addOption_, void(Socket::OptionPtr& option));
+  MOCK_METHOD1(addOption_, void(const Socket::OptionConstSharedPtr& option));
   MOCK_CONST_METHOD0(options, const OptionsSharedPtr&());
 
   Address::InstanceConstSharedPtr local_address_;
@@ -284,14 +284,14 @@ class MockConnectionSocket : public ConnectionSocket {
   MockConnectionSocket();
   ~MockConnectionSocket();
 
-  void addOption(Socket::OptionPtr&& option) override { addOption_(option); }
+  void addOption(const Socket::OptionConstSharedPtr& option) override { addOption_(option); }
 
   MOCK_CONST_METHOD0(localAddress, const Address::InstanceConstSharedPtr&());
   MOCK_METHOD2(setLocalAddress, void(const Address::InstanceConstSharedPtr&, bool));
   MOCK_CONST_METHOD0(localAddressRestored, bool());
   MOCK_CONST_METHOD0(remoteAddress, const Address::InstanceConstSharedPtr&());
   MOCK_METHOD1(setRemoteAddress, void(const Address::InstanceConstSharedPtr&));
-  MOCK_METHOD1(addOption_, void(Socket::OptionPtr&));
+  MOCK_METHOD1(addOption_, void(const Socket::OptionConstSharedPtr&));
   MOCK_CONST_METHOD0(options, const Network::ConnectionSocket::OptionsSharedPtr&());
   MOCK_CONST_METHOD0(fd, int());
   MOCK_METHOD0(close, void());
diff --git a/test/mocks/server/mocks.h b/test/mocks/server/mocks.h
index 840ed46b3a59..7cd9680c43bc 100644
--- a/test/mocks/server/mocks.h
+++ b/test/mocks/server/mocks.h
@@ -391,10 +391,10 @@ class MockListenerFactoryContext : public virtual MockFactoryContext,
   MockListenerFactoryContext();
   ~MockListenerFactoryContext();
 
-  void addListenSocketOption(Network::Socket::OptionPtr&& option) override {
+  void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) override {
     addListenSocketOption_(option);
   }
-  MOCK_METHOD1(addListenSocketOption_, void(Network::Socket::OptionPtr&));
+  MOCK_METHOD1(addListenSocketOption_, void(const Network::Socket::OptionConstSharedPtr&));
 };
 
 } // namespace Configuration
diff --git a/test/mocks/upstream/mocks.cc b/test/mocks/upstream/mocks.cc
index 4645c079683b..c86092d6a290 100644
--- a/test/mocks/upstream/mocks.cc
+++ b/test/mocks/upstream/mocks.cc
@@ -87,7 +87,7 @@ MockClusterManager::MockClusterManager() {
   ON_CALL(*this, httpConnPoolForCluster(_, _, _, _)).WillByDefault(Return(&conn_pool_));
   ON_CALL(*this, httpAsyncClientForCluster(_)).WillByDefault(ReturnRef(async_client_));
   ON_CALL(*this, httpAsyncClientForCluster(_)).WillByDefault((ReturnRef(async_client_)));
-  ON_CALL(*this, sourceAddress()).WillByDefault(ReturnRef(source_address_));
+  ON_CALL(*this, bindConfig()).WillByDefault(ReturnRef(bind_config_));
   ON_CALL(*this, adsMux()).WillByDefault(ReturnRef(ads_mux_));
   ON_CALL(*this, grpcAsyncClientManager()).WillByDefault(ReturnRef(async_client_manager_));
   ON_CALL(*this, localClusterName()).WillByDefault((ReturnRef(local_cluster_name_)));
diff --git a/test/mocks/upstream/mocks.h b/test/mocks/upstream/mocks.h
index 7cb4c93c9438..ae1f60f027e2 100644
--- a/test/mocks/upstream/mocks.h
+++ b/test/mocks/upstream/mocks.h
@@ -156,7 +156,7 @@ class MockClusterManager : public ClusterManager {
   MOCK_METHOD1(httpAsyncClientForCluster, Http::AsyncClient&(const std::string& cluster));
   MOCK_METHOD1(removeCluster, bool(const std::string& cluster));
   MOCK_METHOD0(shutdown, void());
-  MOCK_CONST_METHOD0(sourceAddress, const Network::Address::InstanceConstSharedPtr&());
+  MOCK_CONST_METHOD0(bindConfig, const envoy::api::v2::core::BindConfig&());
   MOCK_METHOD0(adsMux, Config::GrpcMux&());
   MOCK_METHOD0(grpcAsyncClientManager, Grpc::AsyncClientManager&());
   MOCK_CONST_METHOD0(versionInfo, const std::string());
@@ -167,7 +167,7 @@ class MockClusterManager : public ClusterManager {
   NiceMock<Http::ConnectionPool::MockInstance> conn_pool_;
   NiceMock<Http::MockAsyncClient> async_client_;
   NiceMock<MockThreadLocalCluster> thread_local_cluster_;
-  Network::Address::InstanceConstSharedPtr source_address_;
+  envoy::api::v2::core::BindConfig bind_config_;
   NiceMock<Config::MockGrpcMux> ads_mux_;
   NiceMock<Grpc::MockAsyncClientManager> async_client_manager_;
   std::string local_cluster_name_;
diff --git a/test/server/BUILD b/test/server/BUILD
index 1d300707ec03..0e22e6a6a0bc 100644
--- a/test/server/BUILD
+++ b/test/server/BUILD
@@ -129,8 +129,10 @@ envoy_cc_test(
     data = ["//test/common/ssl/test_data:certs"],
     deps = [
         ":utility_lib",
+        "//source/common/api:os_sys_calls_lib",
         "//source/common/config:metadata_lib",
         "//source/common/network:listen_socket_lib",
+        "//source/common/network:socket_option_lib",
         "//source/server:listener_manager_lib",
         "//source/server/config/listener:original_dst_lib",
         "//source/server/config/network:http_connection_manager_lib",
@@ -138,6 +140,7 @@ envoy_cc_test(
         "//source/server/config/network:ssl_socket_lib",
         "//test/mocks/server:server_mocks",
         "//test/test_common:environment_lib",
+        "//test/test_common:threadsafe_singleton_injector_lib",
     ],
 )
 
diff --git a/test/server/listener_manager_impl_test.cc b/test/server/listener_manager_impl_test.cc
index b3993f7f8a7c..396d10e55ce3 100644
--- a/test/server/listener_manager_impl_test.cc
+++ b/test/server/listener_manager_impl_test.cc
@@ -1,10 +1,12 @@
 #include "envoy/registry/registry.h"
 #include "envoy/server/filter_config.h"
 
+#include "common/api/os_sys_calls_impl.h"
 #include "common/config/metadata.h"
 #include "common/filter/listener/original_dst.h"
 #include "common/network/address_impl.h"
 #include "common/network/listen_socket_impl.h"
+#include "common/network/socket_option_impl.h"
 
 #include "server/configuration_impl.h"
 #include "server/listener_manager_impl.h"
@@ -12,6 +14,7 @@
 #include "test/mocks/server/mocks.h"
 #include "test/server/utility.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
 #include "test/test_common/utility.h"
 
 #include "gtest/gtest.h"
@@ -1388,6 +1391,76 @@ TEST_F(ListenerManagerImplWithRealFiltersTest, OriginalDstTestFilterOptionFail)
   EXPECT_EQ(0U, manager_->listeners().size());
 }
 
+// Validate that when freebind is set in the Listener, we see no socket option
+// set.
+TEST_F(ListenerManagerImplWithRealFiltersTest, FreebindListenerDisabled) {
+  const std::string yaml = TestEnvironment::substitute(R"EOF(
+    name: "FreebindListener"
+    address:
+      socket_address: { address: 127.0.0.1, port_value: 1111 }
+    filter_chains:
+    - filters:
+  )EOF",
+                                                       Network::Address::IpVersion::v4);
+  EXPECT_CALL(listener_factory_, createListenSocket(_, _, true))
+      .WillOnce(Invoke([&](Network::Address::InstanceConstSharedPtr,
+                           const Network::Socket::OptionsSharedPtr& options,
+                           bool) -> Network::SocketSharedPtr {
+        EXPECT_EQ(options.get(), nullptr);
+        return listener_factory_.socket_;
+      }));
+  manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true);
+  EXPECT_EQ(1U, manager_->listeners().size());
+}
+
+// Validate that when freebind is set in the Listener, we see the socket option
+// propagated to setsockopt(). This is as close to an end-to-end test as we have
+// for this feature, due to the complexity of creating an integration test
+// involving the network stack. We only test the IPv4 case here, as the logic
+// around IPv4/IPv6 handling is tested generically in
+// socket_option_impl_test.cc.
+TEST_F(ListenerManagerImplWithRealFiltersTest, FreebindListenerEnabled) {
+  NiceMock<Api::MockOsSysCalls> os_sys_calls;
+  TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls(&os_sys_calls);
+
+  const std::string yaml = TestEnvironment::substitute(R"EOF(
+    name: FreebindListener
+    address:
+      socket_address: { address: 127.0.0.1, port_value: 1111 }
+    filter_chains:
+    - filters:
+    freebind: true
+  )EOF",
+                                                       Network::Address::IpVersion::v4);
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    EXPECT_CALL(listener_factory_, createListenSocket(_, _, true))
+        .WillOnce(Invoke([this](Network::Address::InstanceConstSharedPtr,
+                                const Network::Socket::OptionsSharedPtr& options,
+                                bool) -> Network::SocketSharedPtr {
+          EXPECT_NE(options.get(), nullptr);
+          EXPECT_EQ(options->size(), 1);
+          EXPECT_TRUE(
+              (*options->begin())
+                  ->setOption(*listener_factory_.socket_, Network::Socket::SocketState::PreBind));
+          return listener_factory_.socket_;
+        }));
+    EXPECT_CALL(os_sys_calls,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true);
+    EXPECT_EQ(1U, manager_->listeners().size());
+  } else {
+    // MockListenerSocket is not a real socket, so this always fails in testing.
+    EXPECT_THROW_WITH_MESSAGE(manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true),
+                              EnvoyException,
+                              "MockListenerComponentFactory: Setting socket options failed");
+    EXPECT_EQ(0U, manager_->listeners().size());
+  }
+}
+
 TEST_F(ListenerManagerImplWithRealFiltersTest, CRLFilename) {
   const std::string yaml = TestEnvironment::substitute(R"EOF(
     address: