diff options
| author | Nick Hilliard <nick@inex.ie> | 2011-03-23 15:33:17 +0000 |
|---|---|---|
| committer | Paul Jakma <paul@quagga.net> | 2011-03-23 15:33:17 +0000 |
| commit | fa411a212b55bba650d68fd0456686f3e47b7395 (patch) | |
| tree | 4d7ef846c2cbc154631a5901747b3384854d497c /lib | |
| parent | db07ad7358cb5e26358326332629ffb658f5747a (diff) | |
bgpd: RFC 5082 Generalized TTL Security Mechanism support
* bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used
to verify that incoming packets have been sent from neighbours no more
than X IP hops away. In other words, this allows packets that were sent from
further away (i.e. not by the neighbour with known distance, and so possibly
a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL
using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command
error for minttl.
(struct peer) add a config variable, to store the configured minttl.
(peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops
(peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and
GTSM can't both be active for a peer at the same time.
(peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with
ebgp_multihop.
(bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for
BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK
(peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate.
(bgp_connect) ditto for outbound.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/sockunion.c | 22 | ||||
| -rw-r--r-- | lib/sockunion.h | 1 |
2 files changed, 23 insertions, 0 deletions
diff --git a/lib/sockunion.c b/lib/sockunion.c index f6c060f5..a32809c1 100644 --- a/lib/sockunion.c +++ b/lib/sockunion.c @@ -537,6 +537,28 @@ sockopt_cork (int sock, int onoff) #endif } +int +sockopt_minttl (int family, int sock, int minttl) +{ + int ret; + + zlog_debug ("sockopt_minttl: set minttl to %d", minttl); + +#ifdef IP_MINTTL + ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)); +#else + ret = -1; + errno = EOPNOTSUPP; +#endif /* IP_MINTTL */ + if (ret < 0) + { + zlog (NULL, LOG_WARNING, "can't set sockopt IP_MINTTL to %d on socket %d: %s", minttl, sock, safe_strerror (errno)); + return -1; + } + + return 0; +} + /* If same family and same prefix return 1. */ int sockunion_same (union sockunion *su1, union sockunion *su2) diff --git a/lib/sockunion.h b/lib/sockunion.h index 91bfbc7f..0ee2d63b 100644 --- a/lib/sockunion.h +++ b/lib/sockunion.h @@ -102,6 +102,7 @@ extern int sockopt_reuseport (int); extern int sockunion_bind (int sock, union sockunion *, unsigned short, union sockunion *); extern int sockopt_ttl (int family, int sock, int ttl); +extern int sockopt_minttl (int family, int sock, int minttl); extern int sockopt_cork (int sock, int onoff); extern int sockunion_socket (union sockunion *su); extern const char *inet_sutop (union sockunion *su, char *str); |