From ae88eb52f7bba9132a7b911be3a319204d477f99 Mon Sep 17 00:00:00 2001
From: Harvey Tuch <htuch@google.com>
Date: Mon, 26 Mar 2018 14:12:55 -0400
Subject: [PATCH] socket: IP_FREEBIND support for listeners and upstream
 connections.

This patch introduces support for setting IP_FREEBIND on both listener sockets and upstream
connection sockets prior to binding. This enables the use of IP addresses that are not currently
bound to the NIC for listening and initiating connections from. This is useful in environments with
virtualized networking.

There's also some related work on SocketOption that continues from #2734, which was needed to enable
this to work cleanly.

Risk Level: Low (no change unless enabled).
Testing: Unit tests for ListenerManager, ClusterManager and SocketOptionImpl. Manual end-to-end
validation with steps described in configs/freebind/README.md.
API Changes: https://github.com/envoyproxy/data-plane-api/pull/536

Fixes #528.

Signed-off-by: Harvey Tuch <htuch@google.com>
---
 bazel/repository_locations.bzl                |   2 +-
 configs/freebind/README.md                    |  14 ++
 configs/freebind/freebind.yaml                |  41 +++++
 include/envoy/api/os_sys_calls.h              |  11 ++
 include/envoy/network/listen_socket.h         |   7 +-
 include/envoy/server/filter_config.h          |   2 +-
 include/envoy/upstream/cluster_manager.h      |   8 +-
 include/envoy/upstream/upstream.h             |   2 +
 source/common/api/os_sys_calls_impl.cc        |  10 ++
 source/common/api/os_sys_calls_impl.h         |   2 +
 source/common/network/BUILD                   |  14 ++
 source/common/network/listen_socket_impl.cc   |   1 +
 source/common/network/listen_socket_impl.h    |   4 +-
 source/common/network/socket_option_impl.cc   |  80 +++++++++
 source/common/network/socket_option_impl.h    |  64 +++++++
 source/common/upstream/BUILD                  |   1 +
 .../common/upstream/cluster_manager_impl.cc   |   8 +-
 source/common/upstream/cluster_manager_impl.h |   6 +-
 source/common/upstream/eds.cc                 |   2 +-
 source/common/upstream/logical_dns_cluster.cc |   3 +-
 .../common/upstream/original_dst_cluster.cc   |   3 +-
 source/common/upstream/upstream_impl.cc       |  73 +++++---
 source/common/upstream/upstream_impl.h        |  14 +-
 source/server/BUILD                           |   1 +
 source/server/listener_manager_impl.cc        |  14 ++
 source/server/listener_manager_impl.h         |   5 +-
 test/common/network/BUILD                     |  12 ++
 .../common/network/listen_socket_impl_test.cc |   4 +-
 test/common/network/listener_impl_test.cc     |   2 +-
 .../common/network/socket_option_impl_test.cc | 166 ++++++++++++++++++
 test/common/upstream/BUILD                    |   3 +
 .../upstream/cluster_manager_impl_test.cc     | 153 ++++++++++++++++
 test/common/upstream/upstream_impl_test.cc    |   8 +-
 test/mocks/api/BUILD                          |   1 +
 test/mocks/api/mocks.cc                       |  31 ++++
 test/mocks/api/mocks.h                        |   9 +
 test/mocks/network/mocks.h                    |   8 +-
 test/mocks/server/mocks.h                     |   4 +-
 test/mocks/upstream/mocks.cc                  |   2 +-
 test/mocks/upstream/mocks.h                   |   4 +-
 test/server/BUILD                             |   3 +
 test/server/listener_manager_impl_test.cc     |  73 ++++++++
 42 files changed, 799 insertions(+), 76 deletions(-)
 create mode 100644 configs/freebind/README.md
 create mode 100644 configs/freebind/freebind.yaml
 create mode 100644 source/common/network/socket_option_impl.cc
 create mode 100644 source/common/network/socket_option_impl.h
 create mode 100644 test/common/network/socket_option_impl_test.cc

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index d7a76aee8240..f8e276a1ebc6 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl
@@ -76,7 +76,7 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/google/protobuf/archive/v3.5.0.tar.gz"],
     ),
     envoy_api = dict(
-        commit = "e73b8264a26c909f75d38ec2c73d9f47ad1b3b57",
+        commit = "ec157d3d8b359a1bd65c22116ba4387a459cc53a",
         remote = "https://github.com/envoyproxy/data-plane-api",
     ),
     grpc_httpjson_transcoding = dict(
diff --git a/configs/freebind/README.md b/configs/freebind/README.md
new file mode 100644
index 000000000000..9e479c0753eb
--- /dev/null
+++ b/configs/freebind/README.md
@@ -0,0 +1,14 @@
+# Freebind testing
+
+To manually validate the `IP_FREEBIND` behavior in Envoy, you can launch Envoy with
+[freebind.yaml](freebind.yaml).
+
+The listener free bind behavior can be verified with:
+
+1. `envoy -c ./configs/freebind/freebind.yaml -l trace`
+2. `sudo ifconfig lo:1 192.168.42.1/30 up`
+3. `nc -v -l 0.0.0.0 10001`
+
+To cleanup run `sudo ifconfig lo:1 down`.
+
+TODO(htuch): Steps to verify upstream behavior.
diff --git a/configs/freebind/freebind.yaml b/configs/freebind/freebind.yaml
new file mode 100644
index 000000000000..9b494bd05742
--- /dev/null
+++ b/configs/freebind/freebind.yaml
@@ -0,0 +1,41 @@
+admin:
+  access_log_path: /tmp/admin_access.log
+  address:
+    socket_address: { address: 127.0.0.1, port_value: 9901 }
+
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address: { address: 192.168.42.1, port_value: 10000 }
+    freebind: true
+    filter_chains:
+    - filters:
+      - name: envoy.http_connection_manager
+        config:
+          stat_prefix: ingress_http
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match: { prefix: "/" }
+                route: { cluster: service_local }
+          http_filters:
+          - name: envoy.router
+  clusters:
+  - name: service_local
+    connect_timeout: 30s
+    type: STATIC
+    lb_policy: ROUND_ROBIN
+    hosts:
+    - socket_address:
+        address: 127.0.0.1
+        port_value: 10001
+# TODO(htuch): Figure out how to do end-to-end testing with
+# outgoing connections and free bind.
+#    upstream_bind_config:
+#      source_address:
+#        address: 192.168.43.1
+#      freebind: true
diff --git a/include/envoy/api/os_sys_calls.h b/include/envoy/api/os_sys_calls.h
index 9843352ac569..ee5d4d6b7999 100644
--- a/include/envoy/api/os_sys_calls.h
+++ b/include/envoy/api/os_sys_calls.h
@@ -63,6 +63,17 @@ class OsSysCalls {
    * @see man 2 stat
    */
   virtual int stat(const char* pathname, struct stat* buf) PURE;
+
+  /**
+   * @see man 2 setsockopt
+   */
+  virtual int setsockopt(int sockfd, int level, int optname, const void* optval,
+                         socklen_t optlen) PURE;
+
+  /**
+   * @see man 2 getsockopt
+   */
+  virtual int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) PURE;
 };
 
 typedef std::unique_ptr<OsSysCalls> OsSysCallsPtr;
diff --git a/include/envoy/network/listen_socket.h b/include/envoy/network/listen_socket.h
index b8ba4700ee75..9a5a320b2d59 100644
--- a/include/envoy/network/listen_socket.h
+++ b/include/envoy/network/listen_socket.h
@@ -55,13 +55,14 @@ class Socket {
      */
     virtual void hashKey(std::vector<uint8_t>& key) const PURE;
   };
-  typedef std::unique_ptr<Option> OptionPtr;
-  typedef std::shared_ptr<std::vector<OptionPtr>> OptionsSharedPtr;
+  typedef std::shared_ptr<const Option> OptionConstSharedPtr;
+  typedef std::vector<OptionConstSharedPtr> Options;
+  typedef std::shared_ptr<Options> OptionsSharedPtr;
 
   /**
    * Add a socket option visitor for later retrieval with options().
    */
-  virtual void addOption(OptionPtr&&) PURE;
+  virtual void addOption(const OptionConstSharedPtr&) PURE;
 
   /**
    * @return the socket options stored earlier with addOption() calls, if any.
diff --git a/include/envoy/server/filter_config.h b/include/envoy/server/filter_config.h
index 8cedca06a599..14333fa8f5bf 100644
--- a/include/envoy/server/filter_config.h
+++ b/include/envoy/server/filter_config.h
@@ -135,7 +135,7 @@ class ListenerFactoryContext : public FactoryContext {
   /**
    * Store socket options to be set on the listen socket before listening.
    */
-  virtual void addListenSocketOption(Network::Socket::OptionPtr&& option) PURE;
+  virtual void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) PURE;
 };
 
 /**
diff --git a/include/envoy/upstream/cluster_manager.h b/include/envoy/upstream/cluster_manager.h
index d945da82b231..459718aeaf65 100644
--- a/include/envoy/upstream/cluster_manager.h
+++ b/include/envoy/upstream/cluster_manager.h
@@ -145,12 +145,10 @@ class ClusterManager {
   virtual void shutdown() PURE;
 
   /**
-   * Returns an optional source address for upstream connections to bind to.
-   *
-   * @return Network::Address::InstanceConstSharedPtr a source address to bind to or nullptr if no
-   * bind need occur.
+   * @return const envoy::api::v2::core::BindConfig& cluster manager wide bind configuration for new
+   *         upstream connections.
    */
-  virtual const Network::Address::InstanceConstSharedPtr& sourceAddress() const PURE;
+  virtual const envoy::api::v2::core::BindConfig& bindConfig() const PURE;
 
   /**
    * Return a reference to the singleton ADS provider for upstream control plane muxing of xDS. This
diff --git a/include/envoy/upstream/upstream.h b/include/envoy/upstream/upstream.h
index 2df4c592d047..c3a9eb3182b4 100644
--- a/include/envoy/upstream/upstream.h
+++ b/include/envoy/upstream/upstream.h
@@ -369,6 +369,8 @@ class ClusterInfo {
     // Use the downstream protocol (HTTP1.1, HTTP2) for upstream connections as well, if available.
     // This is used when creating connection pools.
     static const uint64_t USE_DOWNSTREAM_PROTOCOL = 0x2;
+    // Use IP_FREEBIND socket option when binding.
+    static const uint64_t FREEBIND = 0x4;
   };
 
   virtual ~ClusterInfo() {}
diff --git a/source/common/api/os_sys_calls_impl.cc b/source/common/api/os_sys_calls_impl.cc
index 1c2de411d9a1..8fcd517ccd0d 100644
--- a/source/common/api/os_sys_calls_impl.cc
+++ b/source/common/api/os_sys_calls_impl.cc
@@ -35,5 +35,15 @@ void* OsSysCallsImpl::mmap(void* addr, size_t length, int prot, int flags, int f
 
 int OsSysCallsImpl::stat(const char* pathname, struct stat* buf) { return ::stat(pathname, buf); }
 
+int OsSysCallsImpl::setsockopt(int sockfd, int level, int optname, const void* optval,
+                               socklen_t optlen) {
+  return ::setsockopt(sockfd, level, optname, optval, optlen);
+}
+
+int OsSysCallsImpl::getsockopt(int sockfd, int level, int optname, void* optval,
+                               socklen_t* optlen) {
+  return ::getsockopt(sockfd, level, optname, optval, optlen);
+}
+
 } // namespace Api
 } // namespace Envoy
diff --git a/source/common/api/os_sys_calls_impl.h b/source/common/api/os_sys_calls_impl.h
index b6cdc5639428..23534e7f80d2 100644
--- a/source/common/api/os_sys_calls_impl.h
+++ b/source/common/api/os_sys_calls_impl.h
@@ -19,6 +19,8 @@ class OsSysCallsImpl : public OsSysCalls {
   int ftruncate(int fd, off_t length) override;
   void* mmap(void* addr, size_t length, int prot, int flags, int fd, off_t offset) override;
   int stat(const char* pathname, struct stat* buf) override;
+  int setsockopt(int sockfd, int level, int optname, const void* optval, socklen_t optlen) override;
+  int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) override;
 };
 
 typedef ThreadSafeSingleton<OsSysCallsImpl> OsSysCallsSingleton;
diff --git a/source/common/network/BUILD b/source/common/network/BUILD
index defbac786e67..c64a7dc248f2 100644
--- a/source/common/network/BUILD
+++ b/source/common/network/BUILD
@@ -173,6 +173,20 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "socket_option_lib",
+    srcs = ["socket_option_impl.cc"],
+    hdrs = ["socket_option_impl.h"],
+    external_deps = ["abseil_optional"],
+    deps = [
+        ":address_lib",
+        "//include/envoy/network:listen_socket_interface",
+        "//source/common/api:os_sys_calls_lib",
+        "//source/common/common:assert_lib",
+        "//source/common/common:logger_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "utility_lib",
     srcs = ["utility.cc"],
diff --git a/source/common/network/listen_socket_impl.cc b/source/common/network/listen_socket_impl.cc
index 35b426041532..a9058c1cca6f 100644
--- a/source/common/network/listen_socket_impl.cc
+++ b/source/common/network/listen_socket_impl.cc
@@ -45,6 +45,7 @@ TcpListenSocket::TcpListenSocket(const Address::InstanceConstSharedPtr& address,
     : ListenSocketImpl(address->socket(Address::SocketType::Stream), address) {
   RELEASE_ASSERT(fd_ != -1);
 
+  // TODO(htuch): This might benefit from moving to SocketOptionImpl.
   int on = 1;
   int rc = setsockopt(fd_, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
   RELEASE_ASSERT(rc != -1);
diff --git a/source/common/network/listen_socket_impl.h b/source/common/network/listen_socket_impl.h
index da9a9bdbe0cd..71effb891480 100644
--- a/source/common/network/listen_socket_impl.h
+++ b/source/common/network/listen_socket_impl.h
@@ -26,9 +26,9 @@ class SocketImpl : public virtual Socket {
       fd_ = -1;
     }
   }
-  void addOption(OptionPtr&& option) override {
+  void addOption(const OptionConstSharedPtr& option) override {
     if (!options_) {
-      options_ = std::make_shared<std::vector<OptionPtr>>();
+      options_ = std::make_shared<std::vector<OptionConstSharedPtr>>();
     }
     options_->emplace_back(std::move(option));
   }
diff --git a/source/common/network/socket_option_impl.cc b/source/common/network/socket_option_impl.cc
new file mode 100644
index 000000000000..43a7aca45425
--- /dev/null
+++ b/source/common/network/socket_option_impl.cc
@@ -0,0 +1,80 @@
+#include "common/network/socket_option_impl.h"
+
+#include "envoy/common/exception.h"
+
+#include "common/api/os_sys_calls_impl.h"
+#include "common/common/assert.h"
+#include "common/network/address_impl.h"
+
+namespace Envoy {
+namespace Network {
+
+bool SocketOptionImpl::setOption(Socket& socket, Socket::SocketState state) const {
+  if (state == Socket::SocketState::PreBind) {
+    if (freebind_.has_value()) {
+      const int should_freebind = freebind_.value() ? 1 : 0;
+      const int error =
+          setIpSocketOption(socket, ENVOY_SOCKET_IP_FREEBIND, ENVOY_SOCKET_IPV6_FREEBIND,
+                            &should_freebind, sizeof(should_freebind));
+      if (error != 0) {
+        ENVOY_LOG(warn, "Setting IP_FREEBIND on listener socket failed: {}", strerror(error));
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+int SocketOptionImpl::setIpSocketOption(Socket& socket, SocketOptionName ipv4_optname,
+                                        SocketOptionName ipv6_optname, const void* optval,
+                                        socklen_t optlen) {
+  auto& os_syscalls = Api::OsSysCallsSingleton::get();
+
+  // If this isn't IP, we're out of luck.
+  Address::InstanceConstSharedPtr address;
+  const Address::Ip* ip = nullptr;
+  try {
+    // We have local address when the socket is used in a listener but have to
+    // infer the IP from the socket FD when initiating connections.
+    // TODO(htuch): Figure out a way to obtain a consistent interface for IP
+    // version from socket.
+    if (socket.localAddress()) {
+      ip = socket.localAddress()->ip();
+    } else {
+      address = Address::addressFromFd(socket.fd());
+      ip = address->ip();
+    }
+  } catch (const EnvoyException&) {
+    // Ignore, we get here because we failed in getsockname().
+    // TODO(htuch): We should probably clean up this logic to avoid relying on exceptions.
+  }
+  if (ip == nullptr) {
+    ENVOY_LOG(warn, "Failed to set IP socket option on non-IP socket");
+    return ENOTSUP;
+  }
+
+  // If the FD is v4, we can only try the IPv4 variant.
+  if (ip->version() == Network::Address::IpVersion::v4) {
+    if (!ipv4_optname) {
+      ENVOY_LOG(warn, "Unsupported IPv4 socket option");
+      return ENOTSUP;
+    }
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IP, ipv4_optname.value(), optval, optlen);
+  }
+
+  // If the FD is v6, we first try the IPv6 variant if the platfrom supports it and fallback to the
+  // IPv4 variant otherwise.
+  ASSERT(ip->version() == Network::Address::IpVersion::v6);
+  if (ipv6_optname) {
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IPV6, ipv6_optname.value(), optval, optlen);
+  }
+  if (ipv4_optname) {
+    return os_syscalls.setsockopt(socket.fd(), IPPROTO_IP, ipv4_optname.value(), optval, optlen);
+  }
+  ENVOY_LOG(warn, "Unsupported IPv6 socket option");
+  return ENOTSUP;
+}
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/network/socket_option_impl.h b/source/common/network/socket_option_impl.h
new file mode 100644
index 000000000000..590dcc2e846e
--- /dev/null
+++ b/source/common/network/socket_option_impl.h
@@ -0,0 +1,64 @@
+#pragma once
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <sys/socket.h>
+
+#include "envoy/network/listen_socket.h"
+
+#include "common/common/logger.h"
+
+#include "absl/types/optional.h"
+
+namespace Envoy {
+namespace Network {
+
+// Optional variant of setsockopt(2) optname. The idea here is that if the option is not supported
+// on a platform, we can make this the empty value. This allows us to avoid proliferation of #ifdef.
+typedef absl::optional<int> SocketOptionName;
+
+#ifdef IP_FREEBIND
+#define ENVOY_SOCKET_IP_FREEBIND Network::SocketOptionName(IP_FREEBIND)
+#else
+#define ENVOY_SOCKET_IP_FREEBIND Network::SocketOptionName()
+#endif
+
+#ifdef IPV6_FREEBIND
+#define ENVOY_SOCKET_IPV6_FREEBIND Network::SocketOptionName(IPV6_FREEBIND)
+#else
+#define ENVOY_SOCKET_IPV6_FREEBIND Network::SocketOptionName()
+#endif
+
+class SocketOptionImpl : public Socket::Option, Logger::Loggable<Logger::Id::connection> {
+public:
+  SocketOptionImpl(absl::optional<bool> freebind) : freebind_(freebind) {}
+
+  // Socket::Option
+  bool setOption(Socket& socket, Socket::SocketState state) const override;
+  // The common socket options don't require a hash key.
+  void hashKey(std::vector<uint8_t>&) const override {}
+
+  /**
+   * Set a socket option that applies at both IPv4 and IPv6 socket levels. When the underlying FD
+   * is IPv6, this function will attempt to set at IPv6 unless the platform only supports the
+   * option at the IPv4 level.
+   * @param socket.
+   * @param ipv4_optname SocketOptionName for IPv4 level. Set to empty if not supported on
+   * platform.
+   * @param ipv6_optname SocketOptionName for IPv6 level. Set to empty if not supported on
+   * platform.
+   * @param optval as per setsockopt(2).
+   * @param optlen as per setsockopt(2).
+   * @return int as per setsockopt(2). ENOTSUP is returned if the option is not supported on the
+   * platform for fd after the above option level fallback semantics are taken into account or the
+   *         socket is non-IP.
+   */
+  static int setIpSocketOption(Socket& socket, SocketOptionName ipv4_optname,
+                               SocketOptionName ipv6_optname, const void* optval, socklen_t optlen);
+
+private:
+  const absl::optional<bool> freebind_;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/upstream/BUILD b/source/common/upstream/BUILD
index b72e60462c14..a92a8119d6c7 100644
--- a/source/common/upstream/BUILD
+++ b/source/common/upstream/BUILD
@@ -342,6 +342,7 @@ envoy_cc_library(
         "//source/common/http:utility_lib",
         "//source/common/network:address_lib",
         "//source/common/network:resolver_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/protobuf",
         "//source/common/protobuf:utility_lib",
diff --git a/source/common/upstream/cluster_manager_impl.cc b/source/common/upstream/cluster_manager_impl.cc
index 36ee13901154..4f5699124686 100644
--- a/source/common/upstream/cluster_manager_impl.cc
+++ b/source/common/upstream/cluster_manager_impl.cc
@@ -170,7 +170,8 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Boots
                                        AccessLog::AccessLogManager& log_manager,
                                        Event::Dispatcher& main_thread_dispatcher)
     : factory_(factory), runtime_(runtime), stats_(stats), tls_(tls.allocateSlot()),
-      random_(random), local_info_(local_info), cm_stats_(generateStats(stats)),
+      random_(random), bind_config_(bootstrap.cluster_manager().upstream_bind_config()),
+      local_info_(local_info), cm_stats_(generateStats(stats)),
       init_helper_([this](Cluster& cluster) { onClusterInit(cluster); }) {
   async_client_manager_ = std::make_unique<Grpc::AsyncClientManagerImpl>(*this, tls);
   const auto& cm_config = bootstrap.cluster_manager();
@@ -187,11 +188,6 @@ ClusterManagerImpl::ClusterManagerImpl(const envoy::config::bootstrap::v2::Boots
     eds_config_ = bootstrap.dynamic_resources().deprecated_v1().sds_config();
   }
 
-  if (bootstrap.cluster_manager().upstream_bind_config().has_source_address()) {
-    source_address_ = Network::Address::resolveProtoSocketAddress(
-        bootstrap.cluster_manager().upstream_bind_config().source_address());
-  }
-
   // Cluster loading happens in two phases: first all the primary clusters are loaded, and then all
   // the secondary clusters are loaded. As it currently stands all non-EDS clusters are primary and
   // only EDS clusters are secondary. This two phase loading is done because in v2 configuration
diff --git a/source/common/upstream/cluster_manager_impl.h b/source/common/upstream/cluster_manager_impl.h
index 80f6efe63736..9fc85bcce2dd 100644
--- a/source/common/upstream/cluster_manager_impl.h
+++ b/source/common/upstream/cluster_manager_impl.h
@@ -181,9 +181,7 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable<Logger::Id::u
     active_clusters_.clear();
   }
 
-  const Network::Address::InstanceConstSharedPtr& sourceAddress() const override {
-    return source_address_;
-  }
+  const envoy::api::v2::core::BindConfig& bindConfig() const override { return bind_config_; }
 
   Config::GrpcMux& adsMux() override { return *ads_mux_; }
   Grpc::AsyncClientManager& grpcAsyncClientManager() override { return *async_client_manager_; }
@@ -309,7 +307,7 @@ class ClusterManagerImpl : public ClusterManager, Logger::Loggable<Logger::Id::u
   ClusterMap active_clusters_;
   ClusterMap warming_clusters_;
   absl::optional<envoy::api::v2::core::ConfigSource> eds_config_;
-  Network::Address::InstanceConstSharedPtr source_address_;
+  envoy::api::v2::core::BindConfig bind_config_;
   Outlier::EventLoggerSharedPtr outlier_event_logger_;
   const LocalInfo::LocalInfo& local_info_;
   CdsApiPtr cds_api_;
diff --git a/source/common/upstream/eds.cc b/source/common/upstream/eds.cc
index d52671959ec2..469227ee16aa 100644
--- a/source/common/upstream/eds.cc
+++ b/source/common/upstream/eds.cc
@@ -22,7 +22,7 @@ EdsClusterImpl::EdsClusterImpl(const envoy::api::v2::Cluster& cluster, Runtime::
                                const LocalInfo::LocalInfo& local_info, ClusterManager& cm,
                                Event::Dispatcher& dispatcher, Runtime::RandomGenerator& random,
                                bool added_via_api)
-    : BaseDynamicClusterImpl(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
+    : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager,
                              added_via_api),
       cm_(cm), local_info_(local_info),
       cluster_name_(cluster.eds_cluster_config().service_name().empty()
diff --git a/source/common/upstream/logical_dns_cluster.cc b/source/common/upstream/logical_dns_cluster.cc
index 31458633724b..97fe972d15c1 100644
--- a/source/common/upstream/logical_dns_cluster.cc
+++ b/source/common/upstream/logical_dns_cluster.cc
@@ -21,8 +21,7 @@ LogicalDnsCluster::LogicalDnsCluster(const envoy::api::v2::Cluster& cluster,
                                      Network::DnsResolverSharedPtr dns_resolver,
                                      ThreadLocal::SlotAllocator& tls, ClusterManager& cm,
                                      Event::Dispatcher& dispatcher, bool added_via_api)
-    : ClusterImplBase(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       dns_resolver_(dns_resolver),
       dns_refresh_rate_ms_(
           std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(cluster, dns_refresh_rate, 5000))),
diff --git a/source/common/upstream/original_dst_cluster.cc b/source/common/upstream/original_dst_cluster.cc
index b4a0cbd80666..cdeb7e212967 100644
--- a/source/common/upstream/original_dst_cluster.cc
+++ b/source/common/upstream/original_dst_cluster.cc
@@ -95,8 +95,7 @@ OriginalDstCluster::OriginalDstCluster(const envoy::api::v2::Cluster& config,
                                        Runtime::Loader& runtime, Stats::Store& stats,
                                        Ssl::ContextManager& ssl_context_manager, ClusterManager& cm,
                                        Event::Dispatcher& dispatcher, bool added_via_api)
-    : ClusterImplBase(config, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(config, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       dispatcher_(dispatcher), cleanup_interval_ms_(std::chrono::milliseconds(
                                    PROTOBUF_GET_MS_OR_DEFAULT(config, cleanup_interval, 5000))),
       cleanup_timer_(dispatcher.createTimer([this]() -> void { cleanup(); })) {
diff --git a/source/common/upstream/upstream_impl.cc b/source/common/upstream/upstream_impl.cc
index 4c38a8265349..2e948854626a 100644
--- a/source/common/upstream/upstream_impl.cc
+++ b/source/common/upstream/upstream_impl.cc
@@ -24,6 +24,7 @@
 #include "common/http/utility.h"
 #include "common/network/address_impl.h"
 #include "common/network/resolver_impl.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/protobuf/protobuf.h"
 #include "common/protobuf/utility.h"
@@ -38,15 +39,45 @@ namespace {
 
 const Network::Address::InstanceConstSharedPtr
 getSourceAddress(const envoy::api::v2::Cluster& cluster,
-                 const Network::Address::InstanceConstSharedPtr source_address) {
+                 const envoy::api::v2::core::BindConfig& bind_config) {
   // The source address from cluster config takes precedence.
   if (cluster.upstream_bind_config().has_source_address()) {
     return Network::Address::resolveProtoSocketAddress(
         cluster.upstream_bind_config().source_address());
   }
   // If there's no source address in the cluster config, use any default from the bootstrap proto.
-  return source_address;
+  if (bind_config.has_source_address()) {
+    return Network::Address::resolveProtoSocketAddress(bind_config.source_address());
+  }
+
+  return nullptr;
+}
+
+uint64_t parseFeatures(const envoy::api::v2::Cluster& config,
+                       const envoy::api::v2::core::BindConfig bind_config) {
+  uint64_t features = 0;
+  if (config.has_http2_protocol_options()) {
+    features |= ClusterInfoImpl::Features::HTTP2;
+  }
+  if (config.protocol_selection() == envoy::api::v2::Cluster::USE_DOWNSTREAM_PROTOCOL) {
+    features |= ClusterInfoImpl::Features::USE_DOWNSTREAM_PROTOCOL;
+  }
+  // Cluster IP_FREEBIND settings, when set, will override the cluster manager wide settings.
+  if ((bind_config.freebind().value() && !config.upstream_bind_config().has_freebind()) ||
+      config.upstream_bind_config().freebind().value()) {
+    features |= ClusterInfoImpl::Features::FREEBIND;
+  }
+  return features;
 }
+
+// Socket::Option implementation for API-defined upstream options. This same
+// object can be extended to handle additional upstream socket options.
+class UpstreamSocketOption : public Network::SocketOptionImpl {
+public:
+  UpstreamSocketOption(const ClusterInfo& cluster_info)
+      : Network::SocketOptionImpl(cluster_info.features() & ClusterInfo::Features::FREEBIND) {}
+};
+
 } // namespace
 
 Host::CreateConnectionData
@@ -59,9 +90,19 @@ Network::ClientConnectionPtr
 HostImpl::createConnection(Event::Dispatcher& dispatcher, const ClusterInfo& cluster,
                            Network::Address::InstanceConstSharedPtr address,
                            const Network::ConnectionSocket::OptionsSharedPtr& options) {
+  Network::ConnectionSocket::OptionsSharedPtr cluster_options;
+  if (cluster.features() & ClusterInfo::Features::FREEBIND) {
+    cluster_options = std::make_shared<Network::ConnectionSocket::Options>();
+    if (options) {
+      *cluster_options = *options;
+    }
+    cluster_options->emplace_back(new UpstreamSocketOption(cluster));
+  } else {
+    cluster_options = options;
+  }
   Network::ClientConnectionPtr connection = dispatcher.createClientConnection(
       address, cluster.sourceAddress(), cluster.transportSocketFactory().createTransportSocket(),
-      options);
+      cluster_options);
   connection->setBufferLimits(cluster.perConnectionBufferLimitBytes());
   return connection;
 }
@@ -110,7 +151,7 @@ ClusterLoadReportStats ClusterInfoImpl::generateLoadReportStats(Stats::Scope& sc
 }
 
 ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
-                                 const Network::Address::InstanceConstSharedPtr source_address,
+                                 const envoy::api::v2::core::BindConfig& bind_config,
                                  Runtime::Loader& runtime, Stats::Store& stats,
                                  Ssl::ContextManager& ssl_context_manager, bool added_via_api)
     : runtime_(runtime), name_(config.name()), type_(config.type()),
@@ -125,11 +166,11 @@ ClusterInfoImpl::ClusterInfoImpl(const envoy::api::v2::Cluster& config,
           config.alt_stat_name().empty() ? name_ : std::string(config.alt_stat_name())))),
       stats_(generateStats(*stats_scope_)),
       load_report_stats_(generateLoadReportStats(load_report_stats_store_)),
-      features_(parseFeatures(config)),
+      features_(parseFeatures(config, bind_config)),
       http2_settings_(Http::Utility::parseHttp2Settings(config.http2_protocol_options())),
       resource_managers_(config, runtime, name_),
       maintenance_mode_runtime_key_(fmt::format("upstream.maintenance_mode.{}", name_)),
-      source_address_(getSourceAddress(config, source_address)),
+      source_address_(getSourceAddress(config, bind_config)),
       lb_ring_hash_config_(envoy::api::v2::Cluster::RingHashLbConfig(config.ring_hash_lb_config())),
       ssl_context_manager_(ssl_context_manager), added_via_api_(added_via_api),
       lb_subset_(LoadBalancerSubsetInfoImpl(config.lb_subset_config())),
@@ -276,10 +317,10 @@ ClusterSharedPtr ClusterImplBase::create(const envoy::api::v2::Cluster& cluster,
 }
 
 ClusterImplBase::ClusterImplBase(const envoy::api::v2::Cluster& cluster,
-                                 const Network::Address::InstanceConstSharedPtr source_address,
+                                 const envoy::api::v2::core::BindConfig& bind_config,
                                  Runtime::Loader& runtime, Stats::Store& stats,
                                  Ssl::ContextManager& ssl_context_manager, bool added_via_api)
-    : runtime_(runtime), info_(new ClusterInfoImpl(cluster, source_address, runtime, stats,
+    : runtime_(runtime), info_(new ClusterInfoImpl(cluster, bind_config, runtime, stats,
                                                    ssl_context_manager, added_via_api)) {
   // Create the default (empty) priority set before registering callbacks to
   // avoid getting an update the first time it is accessed.
@@ -321,17 +362,6 @@ bool ClusterInfoImpl::maintenanceMode() const {
   return runtime_.snapshot().featureEnabled(maintenance_mode_runtime_key_, 0);
 }
 
-uint64_t ClusterInfoImpl::parseFeatures(const envoy::api::v2::Cluster& config) {
-  uint64_t features = 0;
-  if (config.has_http2_protocol_options()) {
-    features |= Features::HTTP2;
-  }
-  if (config.protocol_selection() == envoy::api::v2::Cluster::USE_DOWNSTREAM_PROTOCOL) {
-    features |= Features::USE_DOWNSTREAM_PROTOCOL;
-  }
-  return features;
-}
-
 ResourceManager& ClusterInfoImpl::resourceManager(ResourcePriority priority) const {
   ASSERT(enumToInt(priority) < resource_managers_.managers_.size());
   return *resource_managers_.managers_[enumToInt(priority)];
@@ -497,8 +527,7 @@ StaticClusterImpl::StaticClusterImpl(const envoy::api::v2::Cluster& cluster,
                                      Runtime::Loader& runtime, Stats::Store& stats,
                                      Ssl::ContextManager& ssl_context_manager, ClusterManager& cm,
                                      bool added_via_api)
-    : ClusterImplBase(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
-                      added_via_api),
+    : ClusterImplBase(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager, added_via_api),
       initial_hosts_(new HostVector()) {
 
   for (const auto& host : cluster.hosts()) {
@@ -617,7 +646,7 @@ StrictDnsClusterImpl::StrictDnsClusterImpl(const envoy::api::v2::Cluster& cluste
                                            Network::DnsResolverSharedPtr dns_resolver,
                                            ClusterManager& cm, Event::Dispatcher& dispatcher,
                                            bool added_via_api)
-    : BaseDynamicClusterImpl(cluster, cm.sourceAddress(), runtime, stats, ssl_context_manager,
+    : BaseDynamicClusterImpl(cluster, cm.bindConfig(), runtime, stats, ssl_context_manager,
                              added_via_api),
       dns_resolver_(dns_resolver),
       dns_refresh_rate_ms_(
diff --git a/source/common/upstream/upstream_impl.h b/source/common/upstream/upstream_impl.h
index b3a753be4b83..f92f141fa5c4 100644
--- a/source/common/upstream/upstream_impl.h
+++ b/source/common/upstream/upstream_impl.h
@@ -294,9 +294,9 @@ class ClusterInfoImpl : public ClusterInfo,
                         public Server::Configuration::TransportSocketFactoryContext {
 public:
   ClusterInfoImpl(const envoy::api::v2::Cluster& config,
-                  const Network::Address::InstanceConstSharedPtr source_address,
-                  Runtime::Loader& runtime, Stats::Store& stats,
-                  Ssl::ContextManager& ssl_context_manager, bool added_via_api);
+                  const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime,
+                  Stats::Store& stats, Ssl::ContextManager& ssl_context_manager,
+                  bool added_via_api);
 
   static ClusterStats generateStats(Stats::Scope& scope);
   static ClusterLoadReportStats generateLoadReportStats(Stats::Scope& scope);
@@ -353,8 +353,6 @@ class ClusterInfoImpl : public ClusterInfo,
     Managers managers_;
   };
 
-  static uint64_t parseFeatures(const envoy::api::v2::Cluster& config);
-
   Runtime::Loader& runtime_;
   const std::string name_;
   const envoy::api::v2::Cluster::DiscoveryType type_;
@@ -430,9 +428,9 @@ class ClusterImplBase : public Cluster, protected Logger::Loggable<Logger::Id::u
 
 protected:
   ClusterImplBase(const envoy::api::v2::Cluster& cluster,
-                  const Network::Address::InstanceConstSharedPtr source_address,
-                  Runtime::Loader& runtime, Stats::Store& stats,
-                  Ssl::ContextManager& ssl_context_manager, bool added_via_api);
+                  const envoy::api::v2::core::BindConfig& bind_config, Runtime::Loader& runtime,
+                  Stats::Store& stats, Ssl::ContextManager& ssl_context_manager,
+                  bool added_via_api);
 
   static HostVectorConstSharedPtr createHealthyHostList(const HostVector& hosts);
   static HostsPerLocalityConstSharedPtr createHealthyHostLists(const HostsPerLocality& hosts);
diff --git a/source/server/BUILD b/source/server/BUILD
index ed97687642c5..61c42c872831 100644
--- a/source/server/BUILD
+++ b/source/server/BUILD
@@ -204,6 +204,7 @@ envoy_cc_library(
         "//source/common/config:utility_lib",
         "//source/common/config:well_known_names",
         "//source/common/network:listen_socket_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/protobuf:utility_lib",
         "//source/common/ssl:context_config_lib",
diff --git a/source/server/listener_manager_impl.cc b/source/server/listener_manager_impl.cc
index e9e4ddef4a53..16bd62b23e77 100644
--- a/source/server/listener_manager_impl.cc
+++ b/source/server/listener_manager_impl.cc
@@ -8,6 +8,7 @@
 #include "common/config/utility.h"
 #include "common/config/well_known_names.h"
 #include "common/network/listen_socket_impl.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/protobuf/utility.h"
 
@@ -105,6 +106,14 @@ ProdListenerComponentFactory::createDrainManager(envoy::api::v2::Listener::Drain
   return DrainManagerPtr{new DrainManagerImpl(server_, drain_type)};
 }
 
+// Socket::Option implementation for API-defined listener socket options.
+// This same object can be extended to handle additional listener socket options.
+class ListenerSocketOption : public Network::SocketOptionImpl {
+public:
+  ListenerSocketOption(const envoy::api::v2::Listener& config)
+      : Network::SocketOptionImpl(config.freebind().value()) {}
+};
+
 ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, ListenerManagerImpl& parent,
                            const std::string& name, bool modifiable, bool workers_started,
                            uint64_t hash)
@@ -126,6 +135,11 @@ ListenerImpl::ListenerImpl(const envoy::api::v2::Listener& config, ListenerManag
   // filter chain #1308.
   ASSERT(config.filter_chains().size() >= 1);
 
+  // Add listen socket options from the config.
+  if (config.has_freebind()) {
+    addListenSocketOption(std::make_unique<ListenerSocketOption>(config));
+  }
+
   if (!config.listener_filters().empty()) {
     listener_filter_factories_ =
         parent_.factory_.createListenerFilterFactoryList(config.listener_filters(), *this);
diff --git a/source/server/listener_manager_impl.h b/source/server/listener_manager_impl.h
index 8729c339b5f0..856b7e3877b9 100644
--- a/source/server/listener_manager_impl.h
+++ b/source/server/listener_manager_impl.h
@@ -249,9 +249,10 @@ class ListenerImpl : public Network::ListenerConfig,
   ThreadLocal::Instance& threadLocal() override { return parent_.server_.threadLocal(); }
   Admin& admin() override { return parent_.server_.admin(); }
   const envoy::api::v2::core::Metadata& listenerMetadata() const override { return metadata_; };
-  void addListenSocketOption(Network::Socket::OptionPtr&& option) override {
+  void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) override {
     if (!listen_socket_options_) {
-      listen_socket_options_ = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+      listen_socket_options_ =
+          std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
     }
     listen_socket_options_->emplace_back(std::move(option));
   }
diff --git a/test/common/network/BUILD b/test/common/network/BUILD
index c26f86708759..1af921356b70 100644
--- a/test/common/network/BUILD
+++ b/test/common/network/BUILD
@@ -168,6 +168,18 @@ envoy_cc_test(
     ],
 )
 
+envoy_cc_test(
+    name = "socket_option_impl_test",
+    srcs = ["socket_option_impl_test.cc"],
+    deps = [
+        "//source/common/network:address_lib",
+        "//source/common/network:socket_option_lib",
+        "//test/mocks/api:api_mocks",
+        "//test/mocks/network:network_mocks",
+        "//test/test_common:threadsafe_singleton_injector_lib",
+    ],
+)
+
 envoy_cc_test(
     name = "utility_test",
     srcs = ["utility_test.cc"],
diff --git a/test/common/network/listen_socket_impl_test.cc b/test/common/network/listen_socket_impl_test.cc
index 3934d0de39e0..eb71ad2a8dd6 100644
--- a/test/common/network/listen_socket_impl_test.cc
+++ b/test/common/network/listen_socket_impl_test.cc
@@ -43,7 +43,7 @@ TEST_P(ListenSocketImplTest, BindSpecificPort) {
   EXPECT_EQ(0, close(addr_fd.second));
 
   auto option = std::make_unique<MockSocketOption>();
-  auto options = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options->emplace_back(std::move(option));
   TcpListenSocket socket1(addr, options, true);
@@ -52,7 +52,7 @@ TEST_P(ListenSocketImplTest, BindSpecificPort) {
   EXPECT_EQ(addr->ip()->addressAsString(), socket1.localAddress()->ip()->addressAsString());
 
   auto option2 = std::make_unique<MockSocketOption>();
-  auto options2 = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options2 = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option2, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options2->emplace_back(std::move(option2));
   // The address and port are bound already, should throw exception.
diff --git a/test/common/network/listener_impl_test.cc b/test/common/network/listener_impl_test.cc
index 50b4d8a3c64e..9636fa5c9bc2 100644
--- a/test/common/network/listener_impl_test.cc
+++ b/test/common/network/listener_impl_test.cc
@@ -164,7 +164,7 @@ TEST_P(ListenerImplTest, WildcardListenerIpv4Compat) {
   Stats::IsolatedStoreImpl stats_store;
   Event::DispatcherImpl dispatcher;
   auto option = std::make_unique<MockSocketOption>();
-  auto options = std::make_shared<std::vector<Network::Socket::OptionPtr>>();
+  auto options = std::make_shared<std::vector<Network::Socket::OptionConstSharedPtr>>();
   EXPECT_CALL(*option, setOption(_, Network::Socket::SocketState::PreBind)).WillOnce(Return(true));
   options->emplace_back(std::move(option));
 
diff --git a/test/common/network/socket_option_impl_test.cc b/test/common/network/socket_option_impl_test.cc
new file mode 100644
index 000000000000..83343455dd63
--- /dev/null
+++ b/test/common/network/socket_option_impl_test.cc
@@ -0,0 +1,166 @@
+#include "common/network/address_impl.h"
+#include "common/network/socket_option_impl.h"
+
+#include "test/mocks/api/mocks.h"
+#include "test/mocks/network/mocks.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
+
+#include "gtest/gtest.h"
+
+using testing::Invoke;
+using testing::NiceMock;
+using testing::Return;
+using testing::_;
+
+namespace Envoy {
+namespace Network {
+namespace {
+
+class SocketOptionImplTest : public testing::Test {
+public:
+  SocketOptionImplTest() { socket_.local_address_.reset(); }
+
+  NiceMock<MockListenSocket> socket_;
+  Api::MockOsSysCalls os_sys_calls_;
+  TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls{&os_sys_calls_};
+};
+
+// We fail to set the option if the socket FD is bad.
+TEST_F(SocketOptionImplTest, BadFd) {
+  EXPECT_CALL(socket_, fd()).WillOnce(Return(-1));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// Nop when there are no socket options set.
+TEST_F(SocketOptionImplTest, SetOptionEmptyNop) {
+  SocketOptionImpl socket_option{{}};
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PostBind));
+}
+
+// We fail to set the option when the underlying setsockopt syscall fails.
+TEST_F(SocketOptionImplTest, SetOptionFreebindFailure) {
+  SocketOptionImpl socket_option{true};
+  EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+}
+
+// The happy path for setOpion(); IP_FREEBIND is set true.
+TEST_F(SocketOptionImplTest, SetOptionFreeebindSuccessTrue) {
+  SocketOptionImpl socket_option{true};
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    Address::Ipv4Instance address("1.2.3.4", 5678);
+    const int fd = address.socket(Address::SocketType::Stream);
+    EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+    EXPECT_CALL(os_sys_calls_,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  } else {
+    EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  }
+}
+
+// The happy path for setOpion(); IP_FREEBIND is set false.
+TEST_F(SocketOptionImplTest, SetOptionFreeebindSuccessFalse) {
+  SocketOptionImpl socket_option{true};
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    Address::Ipv4Instance address("1.2.3.4", 5678);
+    const int fd = address.socket(Address::SocketType::Stream);
+    EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+    EXPECT_CALL(os_sys_calls_,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  } else {
+    EXPECT_FALSE(socket_option.setOption(socket_, Socket::SocketState::PreBind));
+  }
+}
+
+// Freebind settings have no effect on post-bind behavior.
+TEST_F(SocketOptionImplTest, SetOptionFreebindPostBind) {
+  SocketOptionImpl socket_option{true};
+  EXPECT_TRUE(socket_option.setOption(socket_, Socket::SocketState::PostBind));
+}
+
+// If a platform doesn't suppport IPv4 socket option variant for an IPv4 address, we fail
+// SocketOptionImpl::setIpSocketOption().
+TEST_F(SocketOptionImplTest, V4EmptyOptionNames) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// If a platform doesn't suppport IPv4 and IPv6 socket option variants for an IPv4 address, we fail
+// SocketOptionImpl::setIpSocketOption().
+TEST_F(SocketOptionImplTest, V6EmptyOptionNames) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  EXPECT_EQ(ENOTSUP, SocketOptionImpl::setIpSocketOption(socket_, {}, {}, nullptr, 0));
+}
+
+// If a platform suppports IPv4 socket option variant for an IPv4 address,
+// SocketOptionImpl::setIpSocketOption() works.
+TEST_F(SocketOptionImplTest, V4Only) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv4 and IPv6 socket option variants for an IPv4 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv4 variant.
+TEST_F(SocketOptionImplTest, V4IgnoreV6) {
+  Address::Ipv4Instance address("1.2.3.4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {456}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv6 socket option variant for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works.
+TEST_F(SocketOptionImplTest, V6Only) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IPV6, 456, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {}, {456}, &option, sizeof(option)));
+}
+
+// If a platform suppports only the IPv4 variant for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv4 variant.
+TEST_F(SocketOptionImplTest, V6OnlyV4Fallback) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IP, 123, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {}, &option, sizeof(option)));
+}
+
+// If a platform suppports IPv4 and IPv6 socket option variants for an IPv6 address,
+// SocketOptionImpl::setIpSocketOption() works with the IPv6 variant.
+TEST_F(SocketOptionImplTest, V6Precedence) {
+  Address::Ipv6Instance address("::1:2:3:4", 5678);
+  const int fd = address.socket(Address::SocketType::Stream);
+  EXPECT_CALL(socket_, fd()).WillRepeatedly(Return(fd));
+  const int option = 42;
+  EXPECT_CALL(os_sys_calls_, setsockopt_(fd, IPPROTO_IPV6, 456, &option, sizeof(int)));
+  EXPECT_EQ(0, SocketOptionImpl::setIpSocketOption(socket_, {123}, {456}, &option, sizeof(option)));
+}
+
+} // namespace
+} // namespace Network
+} // namespace Envoy
diff --git a/test/common/upstream/BUILD b/test/common/upstream/BUILD
index bdeb38afed48..0f576a55f90c 100644
--- a/test/common/upstream/BUILD
+++ b/test/common/upstream/BUILD
@@ -34,6 +34,7 @@ envoy_cc_test(
         "//source/common/config:bootstrap_json_lib",
         "//source/common/config:utility_lib",
         "//source/common/event:dispatcher_lib",
+        "//source/common/network:socket_option_lib",
         "//source/common/network:utility_lib",
         "//source/common/ssl:context_lib",
         "//source/common/stats:stats_lib",
@@ -41,12 +42,14 @@ envoy_cc_test(
         "//source/server/config/network:raw_buffer_socket_lib",
         "//source/server/config/network:ssl_socket_lib",
         "//test/mocks/access_log:access_log_mocks",
+        "//test/mocks/api:api_mocks",
         "//test/mocks/http:http_mocks",
         "//test/mocks/local_info:local_info_mocks",
         "//test/mocks/network:network_mocks",
         "//test/mocks/runtime:runtime_mocks",
         "//test/mocks/thread_local:thread_local_mocks",
         "//test/mocks/upstream:upstream_mocks",
+        "//test/test_common:threadsafe_singleton_injector_lib",
         "//test/test_common:utility_lib",
     ],
 )
diff --git a/test/common/upstream/cluster_manager_impl_test.cc b/test/common/upstream/cluster_manager_impl_test.cc
index a378232d4909..2c8de84f5a0b 100644
--- a/test/common/upstream/cluster_manager_impl_test.cc
+++ b/test/common/upstream/cluster_manager_impl_test.cc
@@ -1,10 +1,12 @@
 #include <memory>
 #include <string>
 
+#include "envoy/network/listen_socket.h"
 #include "envoy/upstream/upstream.h"
 
 #include "common/config/bootstrap_json.h"
 #include "common/config/utility.h"
+#include "common/network/socket_option_impl.h"
 #include "common/network/utility.h"
 #include "common/ssl/context_manager_impl.h"
 #include "common/stats/stats_impl.h"
@@ -12,12 +14,14 @@
 
 #include "test/common/upstream/utility.h"
 #include "test/mocks/access_log/mocks.h"
+#include "test/mocks/api/mocks.h"
 #include "test/mocks/http/mocks.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/network/mocks.h"
 #include "test/mocks/runtime/mocks.h"
 #include "test/mocks/thread_local/mocks.h"
 #include "test/mocks/upstream/mocks.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
 #include "test/test_common/utility.h"
 
 #include "gmock/gmock.h"
@@ -1288,6 +1292,155 @@ TEST_F(ClusterManagerInitHelperTest, RemoveClusterWithinInitLoop) {
   init_helper_.onStaticLoadComplete();
 }
 
+// Validate that when freebind is set in the ClusterManager and/or Cluster, we see the socket option
+// propagated to setsockopt(). This is as close to an end-to-end test as we have for this feature,
+// due to the complexity of creating an integration test involving the network stack. We only test
+// the IPv4 case here, as the logic around IPv4/IPv6 handling is tested generically in
+// socket_option_impl_test.cc.
+class FreebindTest : public ClusterManagerImplTest {
+public:
+  void initialize(const std::string& yaml) { create(parseBootstrapFromV2Yaml(yaml)); }
+
+  void TearDown() override { factory_.tls_.shutdownThread(); }
+
+  void expectSetsockoptFreebind() {
+    if (!ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+      EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+          .WillOnce(
+              Invoke([this](Network::Address::InstanceConstSharedPtr,
+                            Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                            const Network::ConnectionSocket::OptionsSharedPtr& options)
+                         -> Network::ClientConnection* {
+                EXPECT_NE(nullptr, options.get());
+                EXPECT_EQ(1, options->size());
+                NiceMock<Network::MockConnectionSocket> socket;
+                EXPECT_FALSE(
+                    (*options->begin())->setOption(socket, Network::Socket::SocketState::PreBind));
+                return connection_;
+              }));
+      cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+      return;
+    }
+    NiceMock<Api::MockOsSysCalls> os_sys_calls;
+    TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls(&os_sys_calls);
+    EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+        .WillOnce(
+            Invoke([this](Network::Address::InstanceConstSharedPtr,
+                          Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                          const Network::ConnectionSocket::OptionsSharedPtr& options)
+                       -> Network::ClientConnection* {
+              EXPECT_NE(nullptr, options.get());
+              EXPECT_EQ(1, options->size());
+              NiceMock<Network::MockConnectionSocket> socket;
+              EXPECT_TRUE(
+                  (*options->begin())->setOption(socket, Network::Socket::SocketState::PreBind));
+              return connection_;
+            }));
+    EXPECT_CALL(os_sys_calls,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    auto conn_data = cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+    EXPECT_EQ(connection_, conn_data.connection_.get());
+  }
+
+  void expectNoSocketOptions() {
+    EXPECT_CALL(factory_.tls_.dispatcher_, createClientConnection_(_, _, _, _))
+        .WillOnce(
+            Invoke([this](Network::Address::InstanceConstSharedPtr,
+                          Network::Address::InstanceConstSharedPtr, Network::TransportSocketPtr&,
+                          const Network::ConnectionSocket::OptionsSharedPtr& options)
+                       -> Network::ClientConnection* {
+              EXPECT_EQ(nullptr, options.get());
+              return connection_;
+            }));
+    auto conn_data = cluster_manager_->tcpConnForCluster("FreebindCluster", nullptr);
+    EXPECT_EQ(connection_, conn_data.connection_.get());
+  }
+
+  Network::MockClientConnection* connection_ = new NiceMock<Network::MockClientConnection>();
+};
+
+TEST_F(FreebindTest, FreebindUnset) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+  )EOF";
+  initialize(yaml);
+  expectNoSocketOptions();
+}
+
+TEST_F(FreebindTest, FreebindClusterOnly) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+      upstream_bind_config:
+        freebind: true
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
+TEST_F(FreebindTest, FreebindClusterManagerOnly) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+  cluster_manager:
+    upstream_bind_config:
+      freebind: true
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
+TEST_F(FreebindTest, FreebindClusterOverride) {
+  const std::string yaml = R"EOF(
+  static_resources:
+    clusters:
+    - name: FreebindCluster
+      connect_timeout: 0.250s
+      lb_policy: ROUND_ROBIN
+      type: STATIC
+      hosts:
+      - socket_address:
+          address: "127.0.0.1"
+          port_value: 11001
+      upstream_bind_config:
+        freebind: true
+  cluster_manager:
+    upstream_bind_config:
+      freebind: false
+  )EOF";
+  initialize(yaml);
+  expectSetsockoptFreebind();
+}
+
 } // namespace
 } // namespace Upstream
 } // namespace Envoy
diff --git a/test/common/upstream/upstream_impl_test.cc b/test/common/upstream/upstream_impl_test.cc
index d8e5acb9f832..5e70e443624e 100644
--- a/test/common/upstream/upstream_impl_test.cc
+++ b/test/common/upstream/upstream_impl_test.cc
@@ -672,14 +672,12 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
   config.set_name("staticcluster");
   config.mutable_connect_timeout();
 
-  Network::Address::InstanceConstSharedPtr bootstrap_address =
-      Network::Utility::parseInternetAddress("1.2.3.5");
   {
     // If the cluster manager gets a source address from the bootstrap proto, use it.
     NiceMock<MockClusterManager> cm;
-    cm.source_address_ = bootstrap_address;
+    cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
     StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
-    EXPECT_EQ(bootstrap_address->asString(), cluster.info()->sourceAddress()->asString());
+    EXPECT_EQ("1.2.3.5:0", cluster.info()->sourceAddress()->asString());
   }
 
   const std::string cluster_address = "5.6.7.8";
@@ -694,7 +692,7 @@ TEST(StaticClusterImplTest, SourceAddressPriority) {
   {
     // The source address from cluster config takes precedence over one from the bootstrap proto.
     NiceMock<MockClusterManager> cm;
-    cm.source_address_ = bootstrap_address;
+    cm.bind_config_.mutable_source_address()->set_address("1.2.3.5");
     StaticClusterImpl cluster(config, runtime, stats, ssl_context_manager, cm, false);
     EXPECT_EQ(cluster_address, cluster.info()->sourceAddress()->ip()->addressAsString());
   }
diff --git a/test/mocks/api/BUILD b/test/mocks/api/BUILD
index 5325b4865934..1ffcdd3a1f05 100644
--- a/test/mocks/api/BUILD
+++ b/test/mocks/api/BUILD
@@ -16,6 +16,7 @@ envoy_cc_mock(
         "//include/envoy/api:api_interface",
         "//include/envoy/api:os_sys_calls_interface",
         "//source/common/api:os_sys_calls_lib",
+        "//source/common/common:assert_lib",
         "//test/mocks/filesystem:filesystem_mocks",
     ],
 )
diff --git a/test/mocks/api/mocks.cc b/test/mocks/api/mocks.cc
index a7dfa62fa89c..ae729678ab70 100644
--- a/test/mocks/api/mocks.cc
+++ b/test/mocks/api/mocks.cc
@@ -1,5 +1,7 @@
 #include "mocks.h"
 
+#include "common/common/assert.h"
+
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 
@@ -37,5 +39,34 @@ ssize_t MockOsSysCalls::write(int fd, const void* buffer, size_t num_bytes) {
   return result;
 }
 
+int MockOsSysCalls::setsockopt(int sockfd, int level, int optname, const void* optval,
+                               socklen_t optlen) {
+  ASSERT(optlen == sizeof(int));
+
+  // Allow mocking system call failure.
+  if (setsockopt_(sockfd, level, optname, optval, optlen) != 0) {
+    return -1;
+  }
+
+  boolsockopts_[SockOptKey(sockfd, level, optname)] = !!*reinterpret_cast<const int*>(optval);
+  return 0;
+};
+
+int MockOsSysCalls::getsockopt(int sockfd, int level, int optname, void* optval,
+                               socklen_t* optlen) {
+  ASSERT(*optlen == sizeof(int));
+  int val = 0;
+  const auto& it = boolsockopts_.find(SockOptKey(sockfd, level, optname));
+  if (it != boolsockopts_.end()) {
+    val = it->second;
+  }
+  // Allow mocking system call failure.
+  if (getsockopt_(sockfd, level, optname, optval, optlen) != 0) {
+    return -1;
+  }
+  *reinterpret_cast<int*>(optval) = val;
+  return 0;
+}
+
 } // namespace Api
 } // namespace Envoy
diff --git a/test/mocks/api/mocks.h b/test/mocks/api/mocks.h
index c7338e9501a7..26c1b993b57c 100644
--- a/test/mocks/api/mocks.h
+++ b/test/mocks/api/mocks.h
@@ -44,6 +44,8 @@ class MockOsSysCalls : public OsSysCallsImpl {
   // Api::OsSysCalls
   ssize_t write(int fd, const void* buffer, size_t num_bytes) override;
   int open(const std::string& full_path, int flags, int mode) override;
+  int setsockopt(int sockfd, int level, int optname, const void* optval, socklen_t optlen) override;
+  int getsockopt(int sockfd, int level, int optname, void* optval, socklen_t* optlen) override;
 
   MOCK_METHOD3(bind, int(int sockfd, const sockaddr* addr, socklen_t addrlen));
   MOCK_METHOD1(close, int(int));
@@ -54,6 +56,10 @@ class MockOsSysCalls : public OsSysCallsImpl {
   MOCK_METHOD2(ftruncate, int(int fd, off_t length));
   MOCK_METHOD6(mmap, void*(void* addr, size_t length, int prot, int flags, int fd, off_t offset));
   MOCK_METHOD2(stat, int(const char* name, struct stat* stat));
+  MOCK_METHOD5(setsockopt_,
+               int(int sockfd, int level, int optname, const void* optval, socklen_t optlen));
+  MOCK_METHOD5(getsockopt_,
+               int(int sockfd, int level, int optname, void* optval, socklen_t* optlen));
 
   size_t num_writes_;
   size_t num_open_;
@@ -61,6 +67,9 @@ class MockOsSysCalls : public OsSysCallsImpl {
   Thread::MutexBasicLockable open_mutex_;
   std::condition_variable_any write_event_;
   std::condition_variable_any open_event_;
+  // Map from (sockfd,level,optname) to boolean socket option.
+  using SockOptKey = std::tuple<int, int, int>;
+  std::map<SockOptKey, bool> boolsockopts_;
 };
 
 } // namespace Api
diff --git a/test/mocks/network/mocks.h b/test/mocks/network/mocks.h
index cd016bdda061..9b0d70ed699e 100644
--- a/test/mocks/network/mocks.h
+++ b/test/mocks/network/mocks.h
@@ -258,12 +258,12 @@ class MockListenSocket : public Socket {
   MockListenSocket();
   ~MockListenSocket();
 
-  void addOption(Socket::OptionPtr&& option) override { addOption_(option); }
+  void addOption(const Socket::OptionConstSharedPtr& option) override { addOption_(option); }
 
   MOCK_CONST_METHOD0(localAddress, const Address::InstanceConstSharedPtr&());
   MOCK_CONST_METHOD0(fd, int());
   MOCK_METHOD0(close, void());
-  MOCK_METHOD1(addOption_, void(Socket::OptionPtr& option));
+  MOCK_METHOD1(addOption_, void(const Socket::OptionConstSharedPtr& option));
   MOCK_CONST_METHOD0(options, const OptionsSharedPtr&());
 
   Address::InstanceConstSharedPtr local_address_;
@@ -284,14 +284,14 @@ class MockConnectionSocket : public ConnectionSocket {
   MockConnectionSocket();
   ~MockConnectionSocket();
 
-  void addOption(Socket::OptionPtr&& option) override { addOption_(option); }
+  void addOption(const Socket::OptionConstSharedPtr& option) override { addOption_(option); }
 
   MOCK_CONST_METHOD0(localAddress, const Address::InstanceConstSharedPtr&());
   MOCK_METHOD2(setLocalAddress, void(const Address::InstanceConstSharedPtr&, bool));
   MOCK_CONST_METHOD0(localAddressRestored, bool());
   MOCK_CONST_METHOD0(remoteAddress, const Address::InstanceConstSharedPtr&());
   MOCK_METHOD1(setRemoteAddress, void(const Address::InstanceConstSharedPtr&));
-  MOCK_METHOD1(addOption_, void(Socket::OptionPtr&));
+  MOCK_METHOD1(addOption_, void(const Socket::OptionConstSharedPtr&));
   MOCK_CONST_METHOD0(options, const Network::ConnectionSocket::OptionsSharedPtr&());
   MOCK_CONST_METHOD0(fd, int());
   MOCK_METHOD0(close, void());
diff --git a/test/mocks/server/mocks.h b/test/mocks/server/mocks.h
index 840ed46b3a59..7cd9680c43bc 100644
--- a/test/mocks/server/mocks.h
+++ b/test/mocks/server/mocks.h
@@ -391,10 +391,10 @@ class MockListenerFactoryContext : public virtual MockFactoryContext,
   MockListenerFactoryContext();
   ~MockListenerFactoryContext();
 
-  void addListenSocketOption(Network::Socket::OptionPtr&& option) override {
+  void addListenSocketOption(const Network::Socket::OptionConstSharedPtr& option) override {
     addListenSocketOption_(option);
   }
-  MOCK_METHOD1(addListenSocketOption_, void(Network::Socket::OptionPtr&));
+  MOCK_METHOD1(addListenSocketOption_, void(const Network::Socket::OptionConstSharedPtr&));
 };
 
 } // namespace Configuration
diff --git a/test/mocks/upstream/mocks.cc b/test/mocks/upstream/mocks.cc
index 4645c079683b..c86092d6a290 100644
--- a/test/mocks/upstream/mocks.cc
+++ b/test/mocks/upstream/mocks.cc
@@ -87,7 +87,7 @@ MockClusterManager::MockClusterManager() {
   ON_CALL(*this, httpConnPoolForCluster(_, _, _, _)).WillByDefault(Return(&conn_pool_));
   ON_CALL(*this, httpAsyncClientForCluster(_)).WillByDefault(ReturnRef(async_client_));
   ON_CALL(*this, httpAsyncClientForCluster(_)).WillByDefault((ReturnRef(async_client_)));
-  ON_CALL(*this, sourceAddress()).WillByDefault(ReturnRef(source_address_));
+  ON_CALL(*this, bindConfig()).WillByDefault(ReturnRef(bind_config_));
   ON_CALL(*this, adsMux()).WillByDefault(ReturnRef(ads_mux_));
   ON_CALL(*this, grpcAsyncClientManager()).WillByDefault(ReturnRef(async_client_manager_));
   ON_CALL(*this, localClusterName()).WillByDefault((ReturnRef(local_cluster_name_)));
diff --git a/test/mocks/upstream/mocks.h b/test/mocks/upstream/mocks.h
index 7cb4c93c9438..ae1f60f027e2 100644
--- a/test/mocks/upstream/mocks.h
+++ b/test/mocks/upstream/mocks.h
@@ -156,7 +156,7 @@ class MockClusterManager : public ClusterManager {
   MOCK_METHOD1(httpAsyncClientForCluster, Http::AsyncClient&(const std::string& cluster));
   MOCK_METHOD1(removeCluster, bool(const std::string& cluster));
   MOCK_METHOD0(shutdown, void());
-  MOCK_CONST_METHOD0(sourceAddress, const Network::Address::InstanceConstSharedPtr&());
+  MOCK_CONST_METHOD0(bindConfig, const envoy::api::v2::core::BindConfig&());
   MOCK_METHOD0(adsMux, Config::GrpcMux&());
   MOCK_METHOD0(grpcAsyncClientManager, Grpc::AsyncClientManager&());
   MOCK_CONST_METHOD0(versionInfo, const std::string());
@@ -167,7 +167,7 @@ class MockClusterManager : public ClusterManager {
   NiceMock<Http::ConnectionPool::MockInstance> conn_pool_;
   NiceMock<Http::MockAsyncClient> async_client_;
   NiceMock<MockThreadLocalCluster> thread_local_cluster_;
-  Network::Address::InstanceConstSharedPtr source_address_;
+  envoy::api::v2::core::BindConfig bind_config_;
   NiceMock<Config::MockGrpcMux> ads_mux_;
   NiceMock<Grpc::MockAsyncClientManager> async_client_manager_;
   std::string local_cluster_name_;
diff --git a/test/server/BUILD b/test/server/BUILD
index 1d300707ec03..0e22e6a6a0bc 100644
--- a/test/server/BUILD
+++ b/test/server/BUILD
@@ -129,8 +129,10 @@ envoy_cc_test(
     data = ["//test/common/ssl/test_data:certs"],
     deps = [
         ":utility_lib",
+        "//source/common/api:os_sys_calls_lib",
         "//source/common/config:metadata_lib",
         "//source/common/network:listen_socket_lib",
+        "//source/common/network:socket_option_lib",
         "//source/server:listener_manager_lib",
         "//source/server/config/listener:original_dst_lib",
         "//source/server/config/network:http_connection_manager_lib",
@@ -138,6 +140,7 @@ envoy_cc_test(
         "//source/server/config/network:ssl_socket_lib",
         "//test/mocks/server:server_mocks",
         "//test/test_common:environment_lib",
+        "//test/test_common:threadsafe_singleton_injector_lib",
     ],
 )
 
diff --git a/test/server/listener_manager_impl_test.cc b/test/server/listener_manager_impl_test.cc
index b3993f7f8a7c..396d10e55ce3 100644
--- a/test/server/listener_manager_impl_test.cc
+++ b/test/server/listener_manager_impl_test.cc
@@ -1,10 +1,12 @@
 #include "envoy/registry/registry.h"
 #include "envoy/server/filter_config.h"
 
+#include "common/api/os_sys_calls_impl.h"
 #include "common/config/metadata.h"
 #include "common/filter/listener/original_dst.h"
 #include "common/network/address_impl.h"
 #include "common/network/listen_socket_impl.h"
+#include "common/network/socket_option_impl.h"
 
 #include "server/configuration_impl.h"
 #include "server/listener_manager_impl.h"
@@ -12,6 +14,7 @@
 #include "test/mocks/server/mocks.h"
 #include "test/server/utility.h"
 #include "test/test_common/environment.h"
+#include "test/test_common/threadsafe_singleton_injector.h"
 #include "test/test_common/utility.h"
 
 #include "gtest/gtest.h"
@@ -1388,6 +1391,76 @@ TEST_F(ListenerManagerImplWithRealFiltersTest, OriginalDstTestFilterOptionFail)
   EXPECT_EQ(0U, manager_->listeners().size());
 }
 
+// Validate that when freebind is set in the Listener, we see no socket option
+// set.
+TEST_F(ListenerManagerImplWithRealFiltersTest, FreebindListenerDisabled) {
+  const std::string yaml = TestEnvironment::substitute(R"EOF(
+    name: "FreebindListener"
+    address:
+      socket_address: { address: 127.0.0.1, port_value: 1111 }
+    filter_chains:
+    - filters:
+  )EOF",
+                                                       Network::Address::IpVersion::v4);
+  EXPECT_CALL(listener_factory_, createListenSocket(_, _, true))
+      .WillOnce(Invoke([&](Network::Address::InstanceConstSharedPtr,
+                           const Network::Socket::OptionsSharedPtr& options,
+                           bool) -> Network::SocketSharedPtr {
+        EXPECT_EQ(options.get(), nullptr);
+        return listener_factory_.socket_;
+      }));
+  manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true);
+  EXPECT_EQ(1U, manager_->listeners().size());
+}
+
+// Validate that when freebind is set in the Listener, we see the socket option
+// propagated to setsockopt(). This is as close to an end-to-end test as we have
+// for this feature, due to the complexity of creating an integration test
+// involving the network stack. We only test the IPv4 case here, as the logic
+// around IPv4/IPv6 handling is tested generically in
+// socket_option_impl_test.cc.
+TEST_F(ListenerManagerImplWithRealFiltersTest, FreebindListenerEnabled) {
+  NiceMock<Api::MockOsSysCalls> os_sys_calls;
+  TestThreadsafeSingletonInjector<Api::OsSysCallsImpl> os_calls(&os_sys_calls);
+
+  const std::string yaml = TestEnvironment::substitute(R"EOF(
+    name: FreebindListener
+    address:
+      socket_address: { address: 127.0.0.1, port_value: 1111 }
+    filter_chains:
+    - filters:
+    freebind: true
+  )EOF",
+                                                       Network::Address::IpVersion::v4);
+  if (ENVOY_SOCKET_IP_FREEBIND.has_value()) {
+    EXPECT_CALL(listener_factory_, createListenSocket(_, _, true))
+        .WillOnce(Invoke([this](Network::Address::InstanceConstSharedPtr,
+                                const Network::Socket::OptionsSharedPtr& options,
+                                bool) -> Network::SocketSharedPtr {
+          EXPECT_NE(options.get(), nullptr);
+          EXPECT_EQ(options->size(), 1);
+          EXPECT_TRUE(
+              (*options->begin())
+                  ->setOption(*listener_factory_.socket_, Network::Socket::SocketState::PreBind));
+          return listener_factory_.socket_;
+        }));
+    EXPECT_CALL(os_sys_calls,
+                setsockopt_(_, IPPROTO_IP, ENVOY_SOCKET_IP_FREEBIND.value(), _, sizeof(int)))
+        .WillOnce(Invoke([](int, int, int, const void* optval, socklen_t) -> int {
+          EXPECT_EQ(1, *static_cast<const int*>(optval));
+          return 0;
+        }));
+    manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true);
+    EXPECT_EQ(1U, manager_->listeners().size());
+  } else {
+    // MockListenerSocket is not a real socket, so this always fails in testing.
+    EXPECT_THROW_WITH_MESSAGE(manager_->addOrUpdateListener(parseListenerFromV2Yaml(yaml), true),
+                              EnvoyException,
+                              "MockListenerComponentFactory: Setting socket options failed");
+    EXPECT_EQ(0U, manager_->listeners().size());
+  }
+}
+
 TEST_F(ListenerManagerImplWithRealFiltersTest, CRLFilename) {
   const std::string yaml = TestEnvironment::substitute(R"EOF(
     address: