authorJeremie Courreges-Anglas <jca@cvs.openbsd.org>2016-06-28 16:59:15 +0000
committerJeremie Courreges-Anglas <jca@cvs.openbsd.org>2016-06-28 16:59:15 +0000
commit998357421f5797b5d4580a685f1935a7c54f1267 (patch)
treefd25a8c40e75c133561706a0da82ed5c760a9946
parentc7f832e365623f6e1d88c64e950787ff86b4f54c (diff)
Use IPV6_MINHOPCOUNT to finish implementing ttl-security for IPv6.
ok renato@ deraadt@
-rw-r--r--usr.sbin/bgpd/bgpd.conf.58
-rw-r--r--usr.sbin/bgpd/session.c17
2 files changed, 12 insertions, 13 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index 3cd14e0d261..09161d6a4fb 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.143 2016/06/11 11:43:02 tobias Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.144 2016/06/28 16:59:14 jca Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 11 2016 $
+.Dd $Mdocdate: June 28 2016 $
.Dt BGPD.CONF 5
.Os
.Sh NAME
@@ -972,10 +972,6 @@ incoming packets are required to have a TTL of 256 minus multihop distance,
ensuring they have not passed through more than the expected number of hops.
The default is
.Ic no .
-.Pp
-There is currently only partial support for ttl-security with IPv6:
-the TTL of outgoing packets is set,
-but no check is made for the TTL of incoming packets.
.El
.Sh FILTER
.Xr bgpd 8
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index a71339e8da2..545347a546d 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.348 2016/06/06 15:59:10 benno Exp $ */
+/* $OpenBSD: session.c,v 1.349 2016/06/28 16:59:14 jca Exp $ */
/*
* Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -1201,12 +1201,15 @@ session_setup_socket(struct peer *p)
/* set hoplimit to foreign router's distance
1=direct n=multihop with ttlsec, we always use 255 */
if (p->conf.ttlsec) {
- /*
- * XXX Kernel has no ip6 equivalent of MINTTL yet so
- * we can't check incoming packets, but we can at least
- * set the outgoing TTL to allow sessions configured
- * with ttl-security to come up.
- */
+ ttl = 256 - p->conf.distance;
+ if (setsockopt(p->fd, IPPROTO_IPV6,
+ IPV6_MINHOPCOUNT, &ttl, sizeof(ttl))
+ == -1) {
+ log_peer_warn(&p->conf,
+ "session_setup_socket: "
+ "setsockopt MINHOPCOUNT");
+ return (-1);
+ }
ttl = 255;
}
if (setsockopt(p->fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
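Review bot: The new IPV6_MINHOPCOUNT block carries no comment saying what the value it sets means, while the removed XXX comment was the only text explaining the incoming-packet side of ttl-security; a reader now sees `ttl` assigned twice in a row with two different meanings. I would put `/* ttl-security: reject incoming packets whose hop limit is below 256 - distance (GTSM, RFC 5082) */` above the new `ttl = 256 - p->conf.distance;`, and leave the following `ttl = 255;` under the existing "outgoing hoplimit" comment so the two uses of the variable are clearly separated. `256 - p->conf.distance` is only a valid hop limit when distance lies in 1..255; if the config parser does not already enforce that range, an out-of-range value would presumably be rejected by the kernel and surface through the new log_peer_warn path rather than silently, which is worth confirming at the parser (outside this hunk). session_setup_socket begins before the hunk, so the declaration and type of `ttl` are not visible here; IPV6_MINHOPCOUNT takes an int like the IPV6_UNICAST_HOPS call that follows, so reusing the same variable should be fine if it already served that option.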