summaryrefslogtreecommitdiffstats
path: root/sysdep
diff options
context:
space:
mode:
authorOndrej Zajicek <santiago@crfreenet.org>2011-08-16 23:05:35 +0200
committerOndrej Zajicek <santiago@crfreenet.org>2011-08-16 23:13:05 +0200
commitb1b19433602f2a2ff58cfe2c1858ff883eee7b20 (patch)
tree29e8961d52b59a6023f21bcdc70b7c1932428cd3 /sysdep
parenta52d52fa91ffcbcea58326fc2de476ce5644256f (diff)
downloadbird-b1b19433602f2a2ff58cfe2c1858ff883eee7b20.tar
bird-b1b19433602f2a2ff58cfe2c1858ff883eee7b20.zip
The generalized TTL security mechanism (RFC 5082) support.
Thanks to Alexander V. Chernikov for the patch.
Diffstat (limited to 'sysdep')
-rw-r--r--sysdep/bsd/sysio.h31
-rw-r--r--sysdep/linux/sysio.h48
-rw-r--r--sysdep/unix/io.c24
-rw-r--r--sysdep/unix/main.c1
4 files changed, 103 insertions, 1 deletions
diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h
index 847ce26..95f7dcf 100644
--- a/sysdep/bsd/sysio.h
+++ b/sysdep/bsd/sysio.h
@@ -237,3 +237,34 @@ sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
return rv;
}
+
+
+#ifndef IPV6
+
+static int
+sk_set_min_ttl4(sock *s, int ttl)
+{
+ if (setsockopt(s->fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0)
+ {
+ if (errno == ENOPROTOOPT)
+ log(L_ERR "Kernel does not support IPv4 TTL security");
+ else
+ log(L_ERR "sk_set_min_ttl4: setsockopt: %m");
+
+ return -1;
+ }
+
+ return 0;
+}
+
+#else
+
+static int
+sk_set_min_ttl6(sock *s, int ttl)
+{
+ log(L_ERR "IPv6 TTL security not supported");
+ return -1;
+}
+
+#endif
+
diff --git a/sysdep/linux/sysio.h b/sysdep/linux/sysio.h
index 9c10333..bb52280 100644
--- a/sysdep/linux/sysio.h
+++ b/sysdep/linux/sysio.h
@@ -309,3 +309,51 @@ sysio_prepare_tx_cmsgs(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen)
*/
#endif
+
+
+#ifndef IP_MINTTL
+#define IP_MINTTL 21
+#endif
+
+#ifndef IPV6_MINHOPCOUNT
+#define IPV6_MINHOPCOUNT 73
+#endif
+
+
+#ifndef IPV6
+
+static int
+sk_set_min_ttl4(sock *s, int ttl)
+{
+ if (setsockopt(s->fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0)
+ {
+ if (errno == ENOPROTOOPT)
+ log(L_ERR "Kernel does not support IPv4 TTL security");
+ else
+ log(L_ERR "sk_set_min_ttl4: setsockopt: %m");
+
+ return -1;
+ }
+
+ return 0;
+}
+
+#else
+
+static int
+sk_set_min_ttl6(sock *s, int ttl)
+{
+ if (setsockopt(s->fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &ttl, sizeof(ttl)) < 0)
+ {
+ if (errno == ENOPROTOOPT)
+ log(L_ERR "Kernel does not support IPv6 TTL security");
+ else
+ log(L_ERR "sk_set_min_ttl4: setsockopt: %m");
+
+ return -1;
+ }
+
+ return 0;
+}
+
+#endif
diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c
index b6c1b86..815989f 100644
--- a/sysdep/unix/io.c
+++ b/sysdep/unix/io.c
@@ -805,7 +805,7 @@ bad:
}
/**
- * sk_set_ttl - set TTL for given socket.
+ * sk_set_ttl - set transmit TTL for given socket.
* @s: socket
* @ttl: TTL value
*
@@ -828,6 +828,28 @@ sk_set_ttl(sock *s, int ttl)
return (err ? -1 : 0);
}
+/**
+ * sk_set_min_ttl - set minimal accepted TTL for given socket.
+ * @s: socket
+ * @ttl: TTL value
+ *
+ * Can be used in TTL security implementation
+ *
+ * Result: 0 for success, -1 for an error.
+ */
+
+int
+sk_set_min_ttl(sock *s, int ttl)
+{
+ int err;
+#ifdef IPV6
+ err = sk_set_min_ttl6(s, ttl);
+#else
+ err = sk_set_min_ttl4(s, ttl);
+#endif
+
+ return err;
+}
/**
* sk_set_md5_auth - add / remove MD5 security association for given socket.
diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c
index 610d207..5547791 100644
--- a/sysdep/unix/main.c
+++ b/sysdep/unix/main.c
@@ -17,6 +17,7 @@
#include <signal.h>
#include <pwd.h>
#include <grp.h>
+#include <sys/stat.h>
#include "nest/bird.h"
#include "lib/lists.h"