diff options
| author | Ondrej Zajicek <santiago@crfreenet.org> | 2011-08-16 23:05:35 +0200 |
|---|---|---|
| committer | Ondrej Zajicek <santiago@crfreenet.org> | 2011-08-16 23:13:05 +0200 |
| commit | b1b19433602f2a2ff58cfe2c1858ff883eee7b20 (patch) | |
| tree | 29e8961d52b59a6023f21bcdc70b7c1932428cd3 /sysdep | |
| parent | a52d52fa91ffcbcea58326fc2de476ce5644256f (diff) | |
| download | bird-b1b19433602f2a2ff58cfe2c1858ff883eee7b20.tar bird-b1b19433602f2a2ff58cfe2c1858ff883eee7b20.zip | |
The generalized TTL security mechanism (RFC 5082) support.
Thanks to Alexander V. Chernikov for the patch.
Diffstat (limited to 'sysdep')
| -rw-r--r-- | sysdep/bsd/sysio.h | 31 | ||||
| -rw-r--r-- | sysdep/linux/sysio.h | 48 | ||||
| -rw-r--r-- | sysdep/unix/io.c | 24 | ||||
| -rw-r--r-- | sysdep/unix/main.c | 1 |
4 files changed, 103 insertions, 1 deletions
diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h index 847ce26..95f7dcf 100644 --- a/sysdep/bsd/sysio.h +++ b/sysdep/bsd/sysio.h @@ -237,3 +237,34 @@ sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd) return rv; } + + +#ifndef IPV6 + +static int +sk_set_min_ttl4(sock *s, int ttl) +{ + if (setsockopt(s->fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0) + { + if (errno == ENOPROTOOPT) + log(L_ERR "Kernel does not support IPv4 TTL security"); + else + log(L_ERR "sk_set_min_ttl4: setsockopt: %m"); + + return -1; + } + + return 0; +} + +#else + +static int +sk_set_min_ttl6(sock *s, int ttl) +{ + log(L_ERR "IPv6 TTL security not supported"); + return -1; +} + +#endif + diff --git a/sysdep/linux/sysio.h b/sysdep/linux/sysio.h index 9c10333..bb52280 100644 --- a/sysdep/linux/sysio.h +++ b/sysdep/linux/sysio.h @@ -309,3 +309,51 @@ sysio_prepare_tx_cmsgs(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen) */ #endif + + +#ifndef IP_MINTTL +#define IP_MINTTL 21 +#endif + +#ifndef IPV6_MINHOPCOUNT +#define IPV6_MINHOPCOUNT 73 +#endif + + +#ifndef IPV6 + +static int +sk_set_min_ttl4(sock *s, int ttl) +{ + if (setsockopt(s->fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof(ttl)) < 0) + { + if (errno == ENOPROTOOPT) + log(L_ERR "Kernel does not support IPv4 TTL security"); + else + log(L_ERR "sk_set_min_ttl4: setsockopt: %m"); + + return -1; + } + + return 0; +} + +#else + +static int +sk_set_min_ttl6(sock *s, int ttl) +{ + if (setsockopt(s->fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &ttl, sizeof(ttl)) < 0) + { + if (errno == ENOPROTOOPT) + log(L_ERR "Kernel does not support IPv6 TTL security"); + else + log(L_ERR "sk_set_min_ttl4: setsockopt: %m"); + + return -1; + } + + return 0; +} + +#endif diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c index b6c1b86..815989f 100644 --- a/sysdep/unix/io.c +++ b/sysdep/unix/io.c @@ -805,7 +805,7 @@ bad: } /** - * sk_set_ttl - set TTL for given socket. + * sk_set_ttl - set transmit TTL for given socket. * @s: socket * @ttl: TTL value * @@ -828,6 +828,28 @@ sk_set_ttl(sock *s, int ttl) return (err ? -1 : 0); } +/** + * sk_set_min_ttl - set minimal accepted TTL for given socket. + * @s: socket + * @ttl: TTL value + * + * Can be used in TTL security implementation + * + * Result: 0 for success, -1 for an error. + */ + +int +sk_set_min_ttl(sock *s, int ttl) +{ + int err; +#ifdef IPV6 + err = sk_set_min_ttl6(s, ttl); +#else + err = sk_set_min_ttl4(s, ttl); +#endif + + return err; +} /** * sk_set_md5_auth - add / remove MD5 security association for given socket. diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c index 610d207..5547791 100644 --- a/sysdep/unix/main.c +++ b/sysdep/unix/main.c @@ -17,6 +17,7 @@ #include <signal.h> #include <pwd.h> #include <grp.h> +#include <sys/stat.h> #include "nest/bird.h" #include "lib/lists.h" |