What does CAP_NET_RAW do?

3

From the man page I know that you can use raw sockets, but I don't understand what "bind to any address for transparent proxying" means. I know there is another capability needed to bind to privileged ports, so I know you can't bind to any port. Is there a way to tell Linux that you are binding a proxy address?

by peter1234 05.06.2018 / 03:15

2 answers

1

Quoting this answer from Security SE:

CAP_NET_RAW: Any kind of packet can be forged, which includes faking senders, sending malformed packets, etc., this also allows to bind to any address (associated to the ability to fake a sender this allows to impersonate a device, legitimately used for "transparent proxying" as per the manpage but from an attacker point-of-view this term is a synonym for Man-in-The-Middle),

by 05.06.2018 / 05:46
1

Yes.

link

Socket options

...

IP_FREEBIND (since Linux 2.4)

If enabled, this boolean option allows binding to an IP address that is nonlocal or does not (yet) exist. This permits listening on a socket, without requiring the underlying network interface or the specified dynamic IP address to be up at the time that the application is trying to bind to it. This option is the per-socket equivalent of the ip_nonlocal_bind /proc interface described below.

see also

IP_TRANSPARENT (since Linux 2.6.24)

Setting this boolean option enables transparent proxying on this socket. This socket option allows the calling application to bind to a nonlocal IP address and operate both as a client and a server with the foreign address as the local endpoint. NOTE: this requires that routing be set up in a way that packets going to the foreign address are routed through the TProxy box (i.e., the system hosting the application that employs the IP_TRANSPARENT socket option). Enabling this socket option requires superuser privileges (the CAP_NET_ADMIN capability).

TProxy redirection with the iptables TPROXY target also requires that this option be set on the redirected socket.

(Based on the other man page, I think either CAP_NET_ADMIN or CAP_NET_RAW is sufficient. And I really hope they are required for IP_FREEBIND too.)

by 05.06.2018 / 10:11
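As an added example, not part of either answer above, the following Python script ties the two answers together from an auditing standpoint: it reads the effective capability set of a process from /proc/<pid>/status (the first answer's point about what a process holding CAP_NET_RAW is allowed to do), then probes a plain bind, IP_FREEBIND and IP_TRANSPARENT against a nonlocal address so the second answer's guess about which capability gates IP_TRANSPARENT can be checked on a live system. The capability bit numbers and socket option values are the kernel's own constants; the address 192.0.2.10 is a constructed sample from the RFC 5737 TEST-NET-1 range, and `may_enable_transparent` mirrors the kernel's check for IP_TRANSPARENT (CAP_NET_ADMIN or CAP_NET_RAW in the socket's user namespace).

```python
#!/usr/bin/env python3
"""Audit which capabilities a process holds and probe the socket options that
implement "transparent proxying" (IP_TRANSPARENT, IP_FREEBIND)."""
import errno
import socket

# Capability bit numbers, from <linux/capability.h>
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# Socket option numbers from <linux/in.h>; Python exposes IP_TRANSPARENT on
# Linux, the numeric fallbacks cover builds where a constant is missing
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)

# Constructed sample: a TEST-NET-1 address (RFC 5737) that is never configured
# on a real interface, so a plain bind() to it fails with EADDRNOTAVAIL unless
# the socket has been allowed to bind to nonlocal addresses
NONLOCAL_ADDR = "192.0.2.10"


def parse_cap_eff(status_text):
    """Extract the effective capability mask from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in the mask."""
    return bool((mask >> cap_bit) & 1)


def may_enable_transparent(mask):
    """Mirror of the kernel check for IP_TRANSPARENT=1: the caller needs
    CAP_NET_ADMIN or CAP_NET_RAW."""
    return has_cap(mask, CAP_NET_ADMIN) or has_cap(mask, CAP_NET_RAW)


def read_cap_eff(pid="self"):
    """Effective capability mask of a running process (default: ourselves)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return parse_cap_eff(f.read())


def probe_nonlocal_bind(option=None):
    """Optionally enable an IP-level option, then bind to the nonlocal address.
    Returns 0 on success, otherwise the errno of the failing call
    (EPERM: option refused for lack of capability; EADDRNOTAVAIL: bind refused)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            if option is not None:
                s.setsockopt(socket.IPPROTO_IP, option, 1)
            s.bind((NONLOCAL_ADDR, 0))
            return 0
    except OSError as e:
        return e.errno


def report(pid="self"):
    """Predicted (from CapEff) versus observed (from real syscalls) outcome."""
    mask = read_cap_eff(pid)
    return {
        "cap_net_admin": has_cap(mask, CAP_NET_ADMIN),
        "cap_net_raw": has_cap(mask, CAP_NET_RAW),
        "predicted_transparent_ok": may_enable_transparent(mask),
        "plain_bind": probe_nonlocal_bind(),
        "freebind": probe_nonlocal_bind(IP_FREEBIND),
        "transparent": probe_nonlocal_bind(IP_TRANSPARENT),
    }


if __name__ == "__main__":
    for key, value in report().items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = "ok" if value == 0 else errno.errorcode.get(value, str(value))
        print(f"{key:26s} {value}")
```

Run it once as an unprivileged user and once in a context that grants only CAP_NET_RAW (a container capability set or a systemd unit with AmbientCapabilities=), and compare the predicted and observed rows. The CapEff parser is the part worth keeping for audits: pointed at other pids it lists services that hold CAP_NET_RAW or CAP_NET_ADMIN, which, given what the first answer says those capabilities permit, is exactly the set a hardening review should want to minimise.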