authorChris Luke <chrisy@flirble.org>2011-10-18 17:26:51 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-11-15 21:26:07 +0400
commit90d181bd1a7e03d41df3cb2f51530ab47d818caa (patch)
tree56b456db3e8f9f23a34433c2515ddf962e33ded2 /bgpd
parent70e3ca2ccedca2cae58bd91c968714cad0f9d5d6 (diff)
bgpd: justify capabilities for TOS setting
To set the TOS bits on TCP connections, platforms that restrict capabilities need the priv level to be raised before the sockopt is set, and this requires the ZCAP_NET_ADMIN priv. * bgp_main.c: update _caps_p to include ZCAP_NET_ADMIN * bgp_network.c * bgp_connect(): request ZPRIVS_RAISE/ZPRIVS_LOWER * bgp_listener(): request ZPRIVS_RAISE earlier
Diffstat (limited to 'bgpd')
-rw-r--r--bgpd/bgp_main.c1
-rw-r--r--bgpd/bgp_network.c14
2 files changed, 10 insertions, 5 deletions
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 9d14683c..4a38c15a 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -119,6 +119,7 @@ static zebra_capabilities_t _caps_p [] =
{
ZCAP_BIND,
ZCAP_NET_RAW,
+ ZCAP_NET_ADMIN,
};
struct zebra_privs_t bgpd_privs =
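Review bot: The new `ZCAP_NET_ADMIN` entry in `_caps_p` has no comment saying why bgpd keeps it, and it is a far broader capability than the single TOS socket option the commit message cites. I would annotate the entry, e.g. `ZCAP_NET_ADMIN, /* only for setsockopt_ipv4_tos / setsockopt_ipv6_tclass with IPTOS_PREC_INTERNETCONTROL */`, so a later audit of the permitted set can tell whether it is still required. The code that uses it in bgp_network.c is compiled only under `#ifdef IPTOS_PREC_INTERNETCONTROL`, so it may also be worth placing the entry under the same guard, if that macro is visible in bgp_main.c (not shown here).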
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index b5fa948c..3355316c 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -320,12 +320,16 @@ bgp_connect (struct peer *peer)
sockopt_reuseport (peer->fd);
#ifdef IPTOS_PREC_INTERNETCONTROL
+ if (bgpd_privs.change (ZPRIVS_RAISE))
+ zlog_err ("%s: could not raise privs", __func__);
if (sockunion_family (&peer->su) == AF_INET)
setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL);
# ifdef HAVE_IPV6
else if (sockunion_family (&peer->su) == AF_INET6)
setsockopt_ipv6_tclass (peer->fd, IPTOS_PREC_INTERNETCONTROL);
# endif
+ if (bgpd_privs.change (ZPRIVS_LOWER))
+ zlog_err ("%s: could not lower privs", __func__);
#endif
if (peer->password)
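Review bot: A failed `bgpd_privs.change (ZPRIVS_LOWER)` after the TOS calls is only logged, so bgp_connect() carries on into `if (peer->password)` and the connect path with the process possibly still elevated. Failing to drop privileges is the more dangerous of the two failure cases, so it deserves more than the same log line as a failed raise: at minimum a comment such as `/* privs are raised only around the TOS/TCLASS setsockopt; a failed lower leaves bgpd elevated */`, and preferably abandoning this connection attempt through the function's existing error return. Likewise, when the raise fails the setsockopt helpers are still called and their result is discarded here. The rest of bgp_connect() lies outside the hunk, so the right error return cannot be named from this view.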
@@ -382,6 +386,9 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen)
sockopt_reuseaddr (sock);
sockopt_reuseport (sock);
+ if (bgpd_privs.change (ZPRIVS_RAISE))
+ zlog_err ("%s: could not raise privs", __func__);
+
#ifdef IPTOS_PREC_INTERNETCONTROL
if (sa->sa_family == AF_INET)
setsockopt_ipv4_tos (sock, IPTOS_PREC_INTERNETCONTROL);
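Review bot: The `ZPRIVS_RAISE` added here sits above `#ifdef IPTOS_PREC_INTERNETCONTROL`, while the matching `ZPRIVS_LOWER` stays after `bind ()` in the next hunk, so bgp_listener() now runs elevated across every socket option in between instead of just around bind. The lines between the two hunks are not visible, but any early return or extra option handling there would now execute with privileges raised. I would mirror bgp_connect() and bracket the TOS calls and the bind separately, which keeps each elevated window to the one call that needs it. The same narrowing applies to the raise/lower lines touched in the following hunk.

```c
#ifdef IPTOS_PREC_INTERNETCONTROL
  if (bgpd_privs.change (ZPRIVS_RAISE))
    zlog_err ("%s: could not raise privs", __func__);
  /* … unchanged: setsockopt_ipv4_tos / setsockopt_ipv6_tclass by family … */
  if (bgpd_privs.change (ZPRIVS_LOWER))
    zlog_err ("%s: could not lower privs", __func__);
#endif

  /* … unchanged: remaining socket options before bind … */

  if (bgpd_privs.change (ZPRIVS_RAISE))
    zlog_err ("%s: could not raise privs", __func__);
  ret = bind (sock, sa, salen);
  en = errno;
  if (bgpd_privs.change (ZPRIVS_LOWER))
    zlog_err ("%s: could not lower privs", __func__);
```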
@@ -400,13 +407,10 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen)
}
#endif
- if (bgpd_privs.change (ZPRIVS_RAISE) )
- zlog_err ("bgp_socket: could not raise privs");
-
ret = bind (sock, sa, salen);
en = errno;
- if (bgpd_privs.change (ZPRIVS_LOWER) )
- zlog_err ("bgp_bind_address: could not lower privs");
+ if (bgpd_privs.change (ZPRIVS_LOWER))
+ zlog_err ("%s: could not lower privs", __func__);
if (ret < 0)
{