authorReyk Floeter <reyk@cvs.openbsd.org>2009-10-28 16:38:19 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2009-10-28 16:38:19 +0000
commit97f5b330f199201962e945af68b91e8b67d02716 (patch)
tree0cc39ff6eadbf419c9258d9588473c698631707e /usr.bin
parent5b5579a3d5979ed5ec88c92ae6b1708319f9c77f (diff)
Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/channels.c26
-rw-r--r--usr.bin/ssh/channels.h3
-rw-r--r--usr.bin/ssh/misc.c39
-rw-r--r--usr.bin/ssh/misc.h4
-rw-r--r--usr.bin/ssh/readconf.c22
-rw-r--r--usr.bin/ssh/readconf.h4
-rw-r--r--usr.bin/ssh/scp.15
-rw-r--r--usr.bin/ssh/servconf.c11
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/sftp.15
-rw-r--r--usr.bin/ssh/ssh-keyscan.17
-rw-r--r--usr.bin/ssh/ssh-keyscan.c17
-rw-r--r--usr.bin/ssh/ssh.15
-rw-r--r--usr.bin/ssh/ssh.c3
-rw-r--r--usr.bin/ssh/ssh_config.57
-rw-r--r--usr.bin/ssh/sshconnect.c5
-rw-r--r--usr.bin/ssh/sshd.c9
-rw-r--r--usr.bin/ssh/sshd_config.57
18 files changed, 143 insertions, 40 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 369cca24cf7..e0764067535 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
+/* $OpenBSD: channels.c,v 1.297 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -158,6 +158,9 @@ static u_int x11_fake_data_len;
/* AF_UNSPEC or AF_INET or AF_INET6 */
static int IPv4or6 = AF_UNSPEC;
+/* Set the routing domain a.k.a. VRF */
+static int channel_rdomain = -1;
+
/* helper */
static void port_open_helper(Channel *c, char *rtype);
@@ -2437,6 +2440,12 @@ channel_set_af(int af)
IPv4or6 = af;
}
+void
+channel_set_rdomain(int rdomain)
+{
+ channel_rdomain = rdomain;
+}
+
static int
channel_setup_fwd_listener(int type, const char *listen_addr,
u_short listen_port, int *allocated_listen_port,
@@ -2545,7 +2554,8 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
continue;
}
/* Create a port to listen for the host. */
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol, channel_rdomain);
if (sock < 0) {
/* this is no error since kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
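Review bot: The context comment under `if (sock < 0)` still says "this is no error since kernel may not support ipv6", but with socket_rdomain() this branch is now also taken when the routing domain cannot be applied. That case is reported only through verbose(), so a mistyped rdomain looks like a missing address family. I would reword the comment to `/* not fatal: kernel may lack ipv6, or the rdomain could not be set */`. The same stale comment sits above the socket_rdomain() call in server_listen() in sshd.c. channel_setup_fwd_listener starts and ends outside this hunk.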
@@ -2878,8 +2888,9 @@ connect_next(struct channel_connect *cctx)
error("connect_next: getnameinfo failed");
continue;
}
- if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
- cctx->ai->ai_protocol)) == -1) {
+ if ((sock = socket_rdomain(cctx->ai->ai_family,
+ cctx->ai->ai_socktype, cctx->ai->ai_protocol,
+ channel_rdomain)) == -1) {
if (cctx->ai->ai_next == NULL)
error("socket: %.100s", strerror(errno));
else
@@ -3065,8 +3076,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
continue;
- sock = socket(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol);
+ sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol, channel_rdomain);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
freeaddrinfo(aitop);
@@ -3213,7 +3224,8 @@ x11_connect_display(void)
}
for (ai = aitop; ai; ai = ai->ai_next) {
/* Create a socket. */
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol, channel_rdomain);
if (sock < 0) {
debug2("socket: %.100s", strerror(errno));
continue;
diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h
index 10b0c075a94..79fbd227e98 100644
--- a/usr.bin/ssh/channels.h
+++ b/usr.bin/ssh/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.98 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.99 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -230,6 +230,7 @@ int channel_find_open(void);
/* tcp forwarding */
void channel_set_af(int af);
+void channel_set_rdomain(int);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
int channel_add_adm_permitted_opens(char *, int);
diff --git a/usr.bin/ssh/misc.c b/usr.bin/ssh/misc.c
index 1edaca26ead..066d90b4ed0 100644
--- a/usr.bin/ssh/misc.c
+++ b/usr.bin/ssh/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.71 2009/02/21 19:32:04 tobias Exp $ */
+/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -144,6 +144,43 @@ set_nodelay(int fd)
error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
}
+/* open a socket in the specified routing domain */
+int
+socket_rdomain(int domain, int type, int protocol, int rdomain)
+{
+ int sock, ipproto = IPPROTO_IP;
+
+ if ((sock = socket(domain, type, protocol)) == -1)
+ return (-1);
+
+ if (rdomain == -1)
+ return (sock);
+
+ switch (domain) {
+ case AF_INET6:
+ ipproto = IPPROTO_IPV6;
+ /* FALLTHROUGH */
+ case AF_INET:
+ debug2("socket %d af %d setting rdomain %d",
+ sock, domain, rdomain);
+ if (setsockopt(sock, ipproto, SO_RDOMAIN, &rdomain,
+ sizeof(rdomain)) == -1) {
+ debug("setsockopt SO_RDOMAIN: %.100s",
+ strerror(errno));
+ close(sock);
+ return (-1);
+ }
+ break;
+ default:
+ debug("socket %d af %d does not support rdomain %d",
+ sock, domain, rdomain);
+ close(sock);
+ return (-1);
+ }
+
+ return (sock);
+}
+
/* Characters considered whitespace in strsep calls. */
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
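Review bot: Both failure paths of socket_rdomain() call `close(sock)` immediately before `return (-1)`, and every caller touched by this commit reports the failure with strerror(errno), so the text they print can come from close() rather than from setsockopt(). In the `default:` branch errno is never set at all, so the caller prints whatever value was left over. Preserving it around the close, `save_errno = errno; close(sock); errno = save_errno;`, and setting `errno = EAFNOSUPPORT;` in the default branch would keep those "socket: ..." messages accurate. The setsockopt failure itself is logged only with debug(), so at normal log levels the caller's message is the only trace of an unusable routing domain.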
diff --git a/usr.bin/ssh/misc.h b/usr.bin/ssh/misc.h
index 5da170d2fd8..3d5ec0cf3a0 100644
--- a/usr.bin/ssh/misc.h
+++ b/usr.bin/ssh/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.38 2008/06/12 20:38:28 dtucker Exp $ */
+/* $OpenBSD: misc.h,v 1.39 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -53,6 +53,8 @@ void freeargs(arglist *);
int tun_open(int, int);
+int socket_rdomain(int, int, int, int);
+
/* Common definitions for ssh tunnel device forwarding */
#define SSH_TUNMODE_NO 0x00
#define SSH_TUNMODE_POINTOPOINT 0x01
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 5da7f7d5d33..ec5bb8d0b6f 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.178 2009/10/08 14:03:41 markus Exp $ */
+/* $OpenBSD: readconf.c,v 1.179 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -127,8 +127,8 @@ typedef enum {
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
- oDeprecated, oUnsupported
+ oVisualHostKey, oUseRoaming, oRDomain,
+ oZeroKnowledgePasswordAuthentication, oDeprecated, oUnsupported
} OpCodes;
/* Textual representations of the tokens. */
@@ -226,6 +226,7 @@ static struct {
{ "permitlocalcommand", oPermitLocalCommand },
{ "visualhostkey", oVisualHostKey },
{ "useroaming", oUseRoaming },
+ { "rdomain", oRDomain },
#ifdef JPAKE
{ "zeroknowledgepasswordauthentication",
oZeroKnowledgePasswordAuthentication },
@@ -914,6 +915,19 @@ parse_int:
intptr = &options->use_roaming;
goto parse_flag;
+ case oRDomain:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ value = a2port(arg);
+ if (value == -1)
+ fatal("%.200s line %d: Bad rdomain.",
+ filename, linenum);
+ if (*activep)
+ options->rdomain = value;
+ break;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
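Review bot: `case oRDomain` parses the routing domain with a2port(), a port-number parser whose accepted range is not visible in this hunk and is presumably the port range rather than the range of routing domains the kernel accepts. A value that passes a2port() but is not a valid rdomain is only caught later, when setsockopt() fails inside socket_rdomain() and the user sees a generic "socket:" error instead of "Bad rdomain." with file and line. I would either parse with an explicit rdomain bound or at least document the gap with a comment such as `/* a2port() only bounds the value to the port range; the kernel validates the rdomain */`. The enclosing function starts and ends outside this hunk.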
@@ -1064,6 +1078,7 @@ initialize_options(Options * options)
options->local_command = NULL;
options->permit_local_command = -1;
options->use_roaming = -1;
+ options->rdomain = -1;
options->visual_host_key = -1;
options->zero_knowledge_password_authentication = -1;
}
@@ -1212,6 +1227,7 @@ fill_default_options(Options * options)
/* options->hostname will be set in the main program if appropriate */
/* options->host_key_alias should not be set by default */
/* options->preferred_authentications will be set in ssh */
+ /* options->rdomain should not be set by default */
}
/*
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 2ebfebe946a..6edc2eeda0f 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.79 2009/06/27 09:35:06 andreas Exp $ */
+/* $OpenBSD: readconf.h,v 1.80 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -125,6 +125,8 @@ typedef struct {
int use_roaming;
+ int rdomain; /* routing domain a.k.a. VRF */
+
} Options;
#define SSHCTL_MASTER_NO 0
diff --git a/usr.bin/ssh/scp.1 b/usr.bin/ssh/scp.1
index 5033d84f222..b9245ea53bb 100644
--- a/usr.bin/ssh/scp.1
+++ b/usr.bin/ssh/scp.1
@@ -9,9 +9,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.46 2008/07/12 05:33:41 djm Exp $
+.\" $OpenBSD: scp.1,v 1.47 2009/10/28 16:38:18 reyk Exp $
.\"
-.Dd $Mdocdate: July 12 2008 $
+.Dd $Mdocdate: October 28 2009 $
.Dt SCP 1
.Os
.Sh NAME
@@ -158,6 +158,7 @@ For full details of the options listed below, and their possible values, see
.It Protocol
.It ProxyCommand
.It PubkeyAuthentication
+.It RDomain
.It RekeyLimit
.It RhostsRSAAuthentication
.It RSAAuthentication
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 12d5b44f130..3c9ca8a7eed 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.196 2009/10/08 14:03:41 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.197 2009/10/28 16:38:18 reyk Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -121,6 +121,7 @@ initialize_server_options(ServerOptions *options)
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
+ options->rdomain = -1;
}
void
@@ -279,7 +280,7 @@ typedef enum {
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
sZeroKnowledgePasswordAuthentication,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -386,6 +387,7 @@ static struct {
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ { "rdomain", sRDomain, SSHCFG_GLOBAL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -1251,6 +1253,10 @@ process_server_config_line(ServerOptions *options, char *line,
*charptr = xstrdup(arg);
break;
+ case sRDomain:
+ intptr = &options->rdomain;
+ goto parse_int;
+
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
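Review bot: `case sRDomain` hands the value to the generic `parse_int` label, whose body is outside this hunk, while the client side in readconf.c rejects a bad value up front with "Bad rdomain.". If parse_int does no range check, a non-numeric argument or a negative value other than -1 in sshd_config reaches setsockopt() in socket_rdomain(), and the daemon reports it only as a socket failure in server_listen(). Parsing the argument in this case the same way as the client, and calling `fatal("%s line %d: Bad rdomain.", filename, linenum);` on a bad value, would make the two config parsers agree and fail at config load.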
@@ -1524,6 +1530,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+ dump_cfg_int(sRDomain, o->rdomain);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 101b1a4a345..93745fa787e 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.87 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.88 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -148,6 +148,8 @@ typedef struct {
int num_permitted_opens;
+ int rdomain;
+
char *chroot_directory;
} ServerOptions;
diff --git a/usr.bin/ssh/sftp.1 b/usr.bin/ssh/sftp.1
index d1db0d6ddaa..b912d24e3f5 100644
--- a/usr.bin/ssh/sftp.1
+++ b/usr.bin/ssh/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.76 2009/08/19 04:56:03 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.77 2009/10/28 16:38:18 reyk Exp $
.\"
.\" Copyright (c) 2001 Damien Miller. All rights reserved.
.\"
@@ -22,7 +22,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 19 2009 $
+.Dd $Mdocdate: October 28 2009 $
.Dt SFTP 1
.Os
.Sh NAME
@@ -209,6 +209,7 @@ For full details of the options listed below, and their possible values, see
.It PubkeyAuthentication
.It RekeyLimit
.It RhostsRSAAuthentication
+.It RDomain
.It RSAAuthentication
.It SendEnv
.It ServerAliveInterval
diff --git a/usr.bin/ssh/ssh-keyscan.1 b/usr.bin/ssh/ssh-keyscan.1
index 4a58645665e..c9fb597ede6 100644
--- a/usr.bin/ssh/ssh-keyscan.1
+++ b/usr.bin/ssh/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.26 2008/12/29 01:12:36 stevesk Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.27 2009/10/28 16:38:18 reyk Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
-.Dd $Mdocdate: December 29 2008 $
+.Dd $Mdocdate: October 28 2009 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@@ -20,6 +20,7 @@
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
+.Op Fl V Ar rdomain
.Op Ar host | addrlist namelist
.Ar ...
.Ek
@@ -95,6 +96,8 @@ for protocol version 2.
Multiple values may be specified by separating them with commas.
The default is
.Dq rsa .
+.It Fl V Ar rdomain
+Set the routing domain.
.It Fl v
Verbose mode.
Causes
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 2edfc29db3f..8f581ba78ff 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.78 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.79 2009/10/28 16:38:18 reyk Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@@ -63,6 +63,9 @@ int timeout = 5;
int maxfd;
#define MAXCON (maxfd - 10)
+/* The default routing domain */
+int scan_rdomain = -1;
+
extern char *__progname;
fd_set *read_wait;
size_t read_wait_nfdset;
@@ -397,7 +400,8 @@ tcpconnect(char *host)
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
fatal("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
for (ai = aitop; ai; ai = ai->ai_next) {
- s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ s = socket_rdomain(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol, scan_rdomain);
if (s < 0) {
error("socket: %s", strerror(errno));
continue;
@@ -700,7 +704,7 @@ usage(void)
{
fprintf(stderr,
"usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
- "\t\t [host | addrlist namelist] ...\n",
+ "\t\t [-V rdomain] [host | addrlist namelist] ...\n",
__progname);
exit(1);
}
@@ -723,7 +727,7 @@ main(int argc, char **argv)
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "Hv46p:T:t:f:V:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
@@ -784,6 +788,11 @@ main(int argc, char **argv)
case '6':
IPv4or6 = AF_INET6;
break;
+ case 'V':
+ scan_rdomain = a2port(optarg);
+ if (scan_rdomain < 0)
+ scan_rdomain = -1;
+ break;
case '?':
default:
usage();
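Review bot: An unparsable `-V` argument is silently turned into -1 by `if (scan_rdomain < 0) scan_rdomain = -1;`, and -1 means "do not set a routing domain" in socket_rdomain(). The scan then runs in the default routing domain with no diagnostic, so the collected host keys may come from a different network than the operator asked for. Rejecting the value is safer: `if (scan_rdomain < 0) fatal("Bad rdomain '%s'", optarg);`. The enclosing switch in main() continues outside this hunk.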
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 7e7f64e46dd..8277d0fdf80 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.286 2009/10/22 15:02:12 sobrado Exp $
-.Dd $Mdocdate: October 22 2009 $
+.\" $OpenBSD: ssh.1,v 1.287 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
.Dt SSH 1
.Os
.Sh NAME
@@ -475,6 +475,7 @@ For full details of the options listed below, and their possible values, see
.It Protocol
.It ProxyCommand
.It PubkeyAuthentication
+.It RDomain
.It RekeyLimit
.It RemoteForward
.It RhostsRSAAuthentication
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 79a84de819f..80ac30d4558 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.327 2009/10/24 11:23:42 andreas Exp $ */
+/* $OpenBSD: ssh.c,v 1.328 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -617,6 +617,7 @@ main(int ac, char **av)
fill_default_options(&options);
channel_set_af(options.address_family);
+ channel_set_rdomain(options.rdomain);
/* reinit */
log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 89f3896e6cd..fde899477a6 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.121 2009/10/08 20:42:13 jmc Exp $
-.Dd $Mdocdate: October 8 2009 $
+.\" $OpenBSD: ssh_config.5,v 1.122 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -782,6 +782,9 @@ or
The default is
.Dq yes .
This option applies to protocol version 2 only.
+.It Cm RDomain
+Set the routing domain number.
+The default routing domain is set by the system.
.It Cm RekeyLimit
Specifies the maximum amount of data that may be transmitted before the
session key is renegotiated.
diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c
index 0ea916c0f01..481d34b9a3a 100644
--- a/usr.bin/ssh/sshconnect.c
+++ b/usr.bin/ssh/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.214 2009/05/28 16:50:16 andreas Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.215 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -181,7 +181,8 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
debug("Allocated local port %d.", p);
return sock;
}
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ sock = socket_rdomain(ai->ai_family, ai->ai_socktype, ai->ai_protocol,
+ options.rdomain);
if (sock < 0)
error("socket: %.100s", strerror(errno));
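Review bot: Only the unprivileged path of ssh_create_socket() goes through socket_rdomain(); the branch above it, whose start is outside this hunk, ends in `return sock;` after "Allocated local port" without options.rdomain being applied anywhere visible. If that is the privileged-port path, a connection configured with RDomain would leave through the default routing domain without any warning. Either set the option on that socket too, or refuse the combination before the socket is allocated, for example `if (options.rdomain != -1) fatal("RDomain is not supported with privileged ports");`.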
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 0850dfb4a9e..ee7a79de981 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.367 2009/05/28 16:50:16 andreas Exp $ */
+/* $OpenBSD: sshd.c,v 1.368 2009/10/28 16:38:18 reyk Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -933,8 +933,8 @@ server_listen(void)
continue;
}
/* Create socket for listening. */
- listen_sock = socket(ai->ai_family, ai->ai_socktype,
- ai->ai_protocol);
+ listen_sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol, options.rdomain);
if (listen_sock < 0) {
/* kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
@@ -1399,8 +1399,9 @@ main(int ac, char **av)
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
- /* set default channel AF */
+ /* set default channel AF and routing domain */
channel_set_af(options.address_family);
+ channel_set_rdomain(options.rdomain);
/* Check that there are no remaining arguments. */
if (optind < ac) {
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 4ba826ee68f..e6085b8912f 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.109 2009/10/08 20:42:13 jmc Exp $
-.Dd $Mdocdate: October 8 2009 $
+.\" $OpenBSD: sshd_config.5,v 1.110 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -813,6 +813,9 @@ with successful RSA host authentication is allowed.
The default is
.Dq no .
This option applies to protocol version 1 only.
+.It Cm RDomain
+Set the routing domain number.
+The default routing domain is set by the system.
.It Cm RSAAuthentication
Specifies whether pure RSA authentication is allowed.
The default is