diff options
-rw-r--r-- | bgpd/bgp_main.c | 1 | ||||
-rw-r--r-- | bgpd/bgp_network.c | 14 |
2 files changed, 10 insertions, 5 deletions
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 9d14683c..4a38c15a 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -119,6 +119,7 @@ static zebra_capabilities_t _caps_p [] = { ZCAP_BIND, ZCAP_NET_RAW, + ZCAP_NET_ADMIN, }; struct zebra_privs_t bgpd_privs = diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c index b5fa948c..3355316c 100644 --- a/bgpd/bgp_network.c +++ b/bgpd/bgp_network.c @@ -320,12 +320,16 @@ bgp_connect (struct peer *peer) sockopt_reuseport (peer->fd); #ifdef IPTOS_PREC_INTERNETCONTROL + if (bgpd_privs.change (ZPRIVS_RAISE)) + zlog_err ("%s: could not raise privs", __func__); if (sockunion_family (&peer->su) == AF_INET) setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL); # ifdef HAVE_IPV6 else if (sockunion_family (&peer->su) == AF_INET6) setsockopt_ipv6_tclass (peer->fd, IPTOS_PREC_INTERNETCONTROL); # endif + if (bgpd_privs.change (ZPRIVS_LOWER)) + zlog_err ("%s: could not lower privs", __func__); #endif if (peer->password) @@ -382,6 +386,9 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen) sockopt_reuseaddr (sock); sockopt_reuseport (sock); + if (bgpd_privs.change (ZPRIVS_RAISE)) + zlog_err ("%s: could not raise privs", __func__); + #ifdef IPTOS_PREC_INTERNETCONTROL if (sa->sa_family == AF_INET) setsockopt_ipv4_tos (sock, IPTOS_PREC_INTERNETCONTROL); @@ -400,13 +407,10 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen) } #endif - if (bgpd_privs.change (ZPRIVS_RAISE) ) - zlog_err ("bgp_socket: could not raise privs"); - ret = bind (sock, sa, salen); en = errno; - if (bgpd_privs.change (ZPRIVS_LOWER) ) - zlog_err ("bgp_bind_address: could not lower privs"); + if (bgpd_privs.change (ZPRIVS_LOWER)) + zlog_err ("%s: could not lower privs", __func__); if (ret < 0) { |