From 58192df7746231fbc82e248b5ddfc7cab95ab1e7 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 5 Aug 2010 10:26:24 -0700
Subject: lib: add TCP_CORK wrapper

* sockunion.{c,h}: (sockopt_cork) wrapper for TCP_CORK socket option for those platforms that provide it. For other platforms, it is just a nop.
---
 lib/sockunion.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/sockunion.c')

diff --git a/lib/sockunion.c b/lib/sockunion.c
index 6a40f332..f6c060f5 100644
--- a/lib/sockunion.c
+++ b/lib/sockunion.c
@@ -527,6 +527,16 @@ sockopt_ttl (int family, int sock, int ttl)
 return 0;
 }
+int
+sockopt_cork (int sock, int onoff)
+{
+#ifdef TCP_CORK
+ return setsockopt (sock, IPPROTO_TCP, TCP_CORK, &onoff, sizeof(onoff));
+#else
+ return 0;
+#endif
+}
+
 /* If same family and same prefix return 1. */
 int
 sockunion_same (union sockunion *su1, union sockunion *su2)
-- cgit v1.2.3

From fa411a212b55bba650d68fd0456686f3e47b7395 Mon Sep 17 00:00:00 2001
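Review bot: The new sockopt_cork has no header comment, and its two return paths mean different things: under TCP_CORK the value is whatever setsockopt() returned, while the #else branch returns 0 without touching the socket, so a caller cannot tell "corked" from "not supported on this platform". A one-line comment above `int` would make that contract explicit, e.g. `/* Set TCP_CORK on sock (onoff 1/0). Returns setsockopt() result; on platforms without TCP_CORK this is a no-op that returns 0. */`. Callers that depend on batching actually happening should not infer it from the return value alone.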
From: Nick Hilliard
Date: Wed, 23 Mar 2011 15:33:17 +0000
Subject: bgpd: RFC 5082 Generalized TTL Security Mechanism support

* bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used to verify that incoming packets have been sent from neighbours no more than X IP hops away. In other words, this allows packets that were sent from further away (i.e. not by the neighbour with known distance, and so possibly a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command error for minttl. (struct peer) add a config variable, to store the configured minttl. (peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops (peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and GTSM can't both be active for a peer at the same time. (peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with ebgp_multihop. (bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK (peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate. (bgp_connect) ditto for outbound.
---
 lib/sockunion.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'lib/sockunion.c')

diff --git a/lib/sockunion.c b/lib/sockunion.c
index f6c060f5..a32809c1 100644
--- a/lib/sockunion.c
+++ b/lib/sockunion.c
@@ -537,6 +537,28 @@ sockopt_cork (int sock, int onoff)
 #endif
 }
+int
+sockopt_minttl (int family, int sock, int minttl)
+{
+ int ret;
+
+ zlog_debug ("sockopt_minttl: set minttl to %d", minttl);
+
+#ifdef IP_MINTTL
+ ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
+#else
+ ret = -1;
+ errno = EOPNOTSUPP;
+#endif /* IP_MINTTL */
+ if (ret < 0)
+ {
+ zlog (NULL, LOG_WARNING, "can't set sockopt IP_MINTTL to %d on socket %d: %s", minttl, sock, safe_strerror (errno));
+ return -1;
+ }
+
+ return 0;
+}
+
 /* If same family and same prefix return 1. */
 int
 sockunion_same (union sockunion *su1, union sockunion *su2)
-- cgit v1.2.3

From 89b6d1f8e2759cc38bc768067abe3a296d93f454 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 24 Mar 2011 10:51:59 +0000
Subject: bgpd: Cleanups & fixes for minttl / GTSM

* bgp_vty.c: (peer_ebgp_multihop_{un,}set_vty) tail-call cleanup. ({no_,}neighbor_ttl_security) ditto.
* bgpd.c: (peer_ttl_security_hops_set) Peer group checks and TTL set only need to be done on transition.
* sockunion.c: (sockopt_minttl) remove always-on debug and improve readability.
---
 lib/sockunion.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'lib/sockunion.c')

diff --git a/lib/sockunion.c b/lib/sockunion.c
index a32809c1..df05acb3 100644
--- a/lib/sockunion.c
+++ b/lib/sockunion.c
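Review bot: sockopt_minttl has no comment stating that a -1 return, including the `errno = EOPNOTSUPP` path taken when IP_MINTTL is not defined, means the kernel is enforcing no minimum TTL at all, which is exactly the check RFC 5082 GTSM relies on; the callers in bgp_network.c named in the commit message are outside this page, so I cannot confirm they treat -1 as fatal for the session rather than carrying on with an unfiltered socket. I would add above `int`: `/* Ask the kernel to drop packets on sock whose TTL is below minttl (RFC 5082 GTSM). Returns 0 on success, -1 with errno set on failure; -1/EOPNOTSUPP when IP_MINTTL is unavailable, in which case no filtering is in place. */`. Note also that `family` is accepted but never consulted here, since the setsockopt() level is always IPPROTO_IP, so whether an AF_INET6 socket gets any enforcement is not decided by this version of the function; the IPv6 path arrives in a later commit on this page.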
@@ -540,23 +540,23 @@ sockopt_cork (int sock, int onoff)
 int
 sockopt_minttl (int family, int sock, int minttl)
 {
+#ifdef IP_MINTTL
 int ret;
- zlog_debug ("sockopt_minttl: set minttl to %d", minttl);
-
-#ifdef IP_MINTTL
 ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
-#else
- ret = -1;
- errno = EOPNOTSUPP;
-#endif /* IP_MINTTL */
 if (ret < 0)
 {
- zlog (NULL, LOG_WARNING, "can't set sockopt IP_MINTTL to %d on socket %d: %s", minttl, sock, safe_strerror (errno));
+ zlog (NULL, LOG_WARNING,
+ "can't set sockopt IP_MINTTL to %d on socket %d: %s",
+ minttl, sock, safe_strerror (errno));
 return -1;
 }
 return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif /* IP_MINTTL */
 }
 /* If same family and same prefix return 1. */
-- cgit v1.2.3

From d876bdf4a84f40ac3f9bec8d5040858b3725db3e Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 5 Aug 2010 10:26:27 -0700
Subject: lib: Add support for IPv6 ttl security

* sockunion.c: (sockopt_minttl) Add IPv6 support for min hop count. The kernel support is Linux kernel 2.6.35 or later.
---
 lib/sockunion.c | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
(limited to 'lib/sockunion.c')

diff --git a/lib/sockunion.c b/lib/sockunion.c
index df05acb3..a5382a72 100644
--- a/lib/sockunion.c
+++ b/lib/sockunion.c
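Review bot: The new #else branch returns -1 with `errno = EOPNOTSUPP` but no longer logs anything, whereas the version it replaces fell through to the "can't set sockopt IP_MINTTL ..." warning on that path too; on a platform without IP_MINTTL an operator who configures ttl-security now gets no message from this function, and the same silent fallthrough (`errno = EOPNOTSUPP; return -1;` after both #ifdef blocks) survives in the IPv6 commit at the end of this page. If the caller does not log the failure itself, I would keep one warning here, e.g. `zlog (NULL, LOG_WARNING, "IP_MINTTL not supported on this platform; minimum TTL %d not enforced on socket %d", minttl, sock);` before the `+ return -1;`. The `family` parameter is still unused in this version, which -Wunused-parameter will flag.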
@@ -541,22 +541,30 @@ int
 sockopt_minttl (int family, int sock, int minttl)
 {
 #ifdef IP_MINTTL
- int ret;
-
- ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
- if (ret < 0)
+ if (family == AF_INET)
 {
- zlog (NULL, LOG_WARNING,
- "can't set sockopt IP_MINTTL to %d on socket %d: %s",
- minttl, sock, safe_strerror (errno));
- return -1;
+ int ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
+ if (ret < 0)
+ zlog (NULL, LOG_WARNING,
+ "can't set sockopt IP_MINTTL to %d on socket %d: %s",
+ minttl, sock, safe_strerror (errno));
+ return ret;
 }
+#endif /* IP_MINTTL */
+#ifdef IPV6_MINHOPCNT
+ if (family == AF_INET6)
+ {
+ int ret = setsockopt (sock, IPPROTO_IPV6, IPV6_MINHOPCNT, &minttl, sizeof(minttl));
+ if (ret < 0)
+ zlog (NULL, LOG_WARNING,
+ "can't set sockopt IPV6_MINHOPCNT to %d on socket %d: %s",
+ minttl, sock, safe_strerror (errno));
+ return ret;
+ }
+#endif
- return 0;
-#else
 errno = EOPNOTSUPP;
 return -1;
-#endif /* IP_MINTTL */
 }
 /* If same family and same prefix return 1. */
-- cgit v1.2.3
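Review bot: In both new branches the warning is emitted between the failed setsockopt() and `return ret;`, so zlog()/safe_strerror() run while errno still carries the failure reason and may overwrite it before the caller sees it; the -1 itself survives, but whether the caller in bgp_network.c reads errno is outside this hunk, so treat this as a precaution. Preserving it costs two lines around each log call: `int saved_errno = errno;` before `zlog (...)` and `errno = saved_errno;` after it. Separately, the commit message says the IPv6 option needs Linux 2.6.35 or later, so with newer headers on an older kernel IPV6_MINHOPCNT is defined but the call fails at runtime, which this code correctly reports as -1; a short comment above `+#ifdef IPV6_MINHOPCNT` saying so would stop a future reader from "fixing" that into a silent success. A header comment stating that any -1 means no minimum-hop filtering is in effect on the socket would round off the contract.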