-rw-r--r-- | usr.sbin/bgpd/bgpd.8 | 15 | ||||
-rw-r--r-- | usr.sbin/bgpd/bgpd.c | 62 | ||||
-rw-r--r-- | usr.sbin/bgpd/bgpd.conf.5 | 12 | ||||
-rw-r--r-- | usr.sbin/bgpd/bgpd.h | 3 | ||||
-rw-r--r-- | usr.sbin/bgpd/config.c | 7 | ||||
-rw-r--r-- | usr.sbin/bgpd/parse.y | 26 | ||||
-rw-r--r-- | usr.sbin/bgpd/printconf.c | 6 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.c | 36 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.h | 4 |
9 files changed, 124 insertions, 47 deletions
diff --git a/usr.sbin/bgpd/bgpd.8 b/usr.sbin/bgpd/bgpd.8 index 44bfeea5474..de06f28aab6 100644 --- a/usr.sbin/bgpd/bgpd.8 +++ b/usr.sbin/bgpd/bgpd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bgpd.8,v 1.37 2010/05/24 19:44:23 jmc Exp $ +.\" $OpenBSD: bgpd.8,v 1.38 2010/06/27 19:53:34 claudio Exp $ .\" .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 24 2010 $ +.Dd $Mdocdate: June 27 2010 $ .Dt BGPD 8 .Os .Sh NAME @@ -26,8 +26,6 @@ .Op Fl cdnv .Op Fl D Ar macro Ns = Ns Ar value .Op Fl f Ar file -.Op Fl r Ar path -.Op Fl s Ar path .Ek .Sh DESCRIPTION .Nm @@ -119,15 +117,6 @@ instead of the default .It Fl n Configtest mode. Only check the configuration file for validity. -.It Fl r Ar path -Open a second, restricted, control socket that -.Xr bgpctl 8 -can use. -Only -.Em show -requests are allowed on this socket. -.It Fl s Ar path -Use an alternate location for the default control socket. .It Fl v Produce more verbose output. .El diff --git a/usr.sbin/bgpd/bgpd.c b/usr.sbin/bgpd/bgpd.c index dd294fb4a51..f463781546b 100644 --- a/usr.sbin/bgpd/bgpd.c +++ b/usr.sbin/bgpd/bgpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.c,v 1.163 2010/05/19 12:44:14 claudio Exp $ */ +/* $OpenBSD: bgpd.c,v 1.164 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -44,6 +44,7 @@ int send_filterset(struct imsgbuf *, struct filter_set_head *); int reconfigure(char *, struct bgpd_config *, struct mrt_head *, struct peer **); int dispatch_imsg(struct imsgbuf *, int); +int control_setup(struct bgpd_config *); int rfd = -1; int cflags; @@ -55,6 +56,8 @@ pid_t reconfpid; struct imsgbuf *ibuf_se; struct imsgbuf *ibuf_rde; struct rib_names ribnames = SIMPLEQ_HEAD_INITIALIZER(ribnames); +char *cname; +char *rcname; void sighdlr(int sig) 
@@ -119,9 +122,8 @@ main(int argc, char *argv[]) bzero(&conf, sizeof(conf)); LIST_INIT(&mrt_l); peer_l = NULL; - conf.csock = SOCKET_NAME; - while ((ch = getopt(argc, argv, "cdD:f:nr:s:v")) != -1) { + while ((ch = getopt(argc, argv, "cdD:f:nv")) != -1) { switch (ch) { case 'c': conf.opts |= BGPD_OPT_FORCE_DEMOTE; @@ -146,12 +148,6 @@ main(int argc, char *argv[]) conf.opts |= BGPD_OPT_VERBOSE; log_verbose(1); break; - case 'r': - conf.rcsock = optarg; - break; - case 's': - conf.csock = optarg; - break; default: usage(); /* NOTREACHED */ @@ -212,8 +208,7 @@ main(int argc, char *argv[]) /* fork children */ rde_pid = rde_main(pipe_m2r, pipe_s2r, pipe_m2s, pipe_s2r_c, debug); - io_pid = session_main(pipe_m2s, pipe_s2r, pipe_m2r, pipe_s2r_c, - conf.csock, conf.rcsock); + io_pid = session_main(pipe_m2s, pipe_s2r, pipe_m2r, pipe_s2r_c); setproctitle("parent"); @@ -448,6 +443,9 @@ reconfigure(char *conffile, struct bgpd_config *conf, struct mrt_head *mrt_l, la->fd = -1; } + if (control_setup(conf) == -1) + return (-1); + /* adjust fib syncing on reload */ ktable_preload(); 
@@ -775,3 +773,45 @@ bgpd_filternexthop(struct kroute *kr, struct kroute6 *kr6) return (1); } + +int +control_setup(struct bgpd_config *conf) +{ + int fd, restricted; + + /* control socket is outside chroot */ + if (!cname || strcmp(cname, conf->csock)) { + if (cname) { + control_cleanup(cname); + free(cname); + } + if ((cname = strdup(conf->csock)) == NULL) + fatal("strdup"); + if ((fd = control_init(0, cname)) == -1) + fatalx("control socket setup failed"); + restricted = 0; + if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd, + &restricted, sizeof(restricted)) == -1) + return (-1); + } + if (!conf->rcsock) { + /* remove restricted socket */ + control_cleanup(rcname); + free(rcname); + rcname = NULL; + } else if (!rcname || strcmp(rcname, conf->rcsock)) { + if (rcname) { + control_cleanup(rcname); + free(rcname); + } + if ((rcname = strdup(conf->rcsock)) == NULL) + fatal("strdup"); + if ((fd = control_init(1, rcname)) == -1) + fatalx("control socket setup failed"); + restricted = 1; + if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd, + &restricted, sizeof(restricted)) == -1) + return (-1); + } + return (0); +} diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5 index 34e0d16594d..c4b4eaaa105 100644 --- a/usr.sbin/bgpd/bgpd.conf.5 +++ b/usr.sbin/bgpd/bgpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bgpd.conf.5,v 1.109 2010/05/17 17:46:22 jmc Exp $ +.\" $OpenBSD: bgpd.conf.5,v 1.110 2010/06/27 19:53:34 claudio Exp $ .\" .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org> .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 17 2010 $ +.Dd $Mdocdate: June 27 2010 $ .Dt BGPD.CONF 5 .Os .Sh NAME 
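Review bot: In `control_setup()` the old control socket is removed and `cname` freed before the replacement exists, and a failing `control_init()` then calls `fatalx()`, so a bad `socket` path in a reloaded configuration terminates the running daemon while every other reload error returns -1 and keeps the previous configuration. Creating the new socket first, reporting failure with `log_warnx()` and `return (-1)`, and only then cleaning up the old path keeps a reload failure non-fatal; the same reordering applies to the restricted branch, and `fd` should be closed when `imsg_compose()` fails if it does not take ownership of the descriptor on that path. The `!conf->rcsock` branch also only unlinks the path in the parent: no message reaches the session engine, so its restricted listener stays open after the `socket ... restricted` line is removed (the IMSG_RECONF_CTRL handler in session.c treats `imsg.fd == -1` as an error rather than as a close request). That branch is additionally reached with `rcname == NULL` on the first load, which is only safe if `control_cleanup()` tolerates a NULL path — not visible here; a local `if (rcname)` guard would not depend on it.
```c
int
control_setup(struct bgpd_config *conf)
{
	char	*name;
	int	 fd, restricted;

	/* control socket is outside chroot */
	if (!cname || strcmp(cname, conf->csock)) {
		/* bring the replacement up before the old socket goes away */
		if ((fd = control_init(0, conf->csock)) == -1) {
			log_warnx("control socket setup failed, "
			    "keeping the current one");
			return (-1);
		}
		if ((name = strdup(conf->csock)) == NULL)
			fatal("strdup");
		restricted = 0;
		if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd,
		    &restricted, sizeof(restricted)) == -1) {
			close(fd);	/* confirm imsg_compose() leaves fd to the caller on failure */
			control_cleanup(name);
			free(name);
			return (-1);
		}
		if (cname) {
			control_cleanup(cname);
			free(cname);
		}
		cname = name;
	}
	/* … unchanged: restricted socket branches, same reordering applies … */
	return (0);
}
```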
@@ -381,6 +381,14 @@ This is the same as using the following syntax: rde rib Loc-RIB rtable number .Ed .Pp +.It Ic socket Ar path Ic Op restricted +Set the control socket location to +.Ar path . +If +.Ic restricted +is specified a restricted control socket will be created. +By default /var/run/bgpd.sock is used and no restricted socket is created. +.Pp .It Xo .Ic transparent-as .Pq Ic yes Ns \&| Ns Ic no diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h index ea4c4bfc5f3..cfb7449635f 100644 --- a/usr.sbin/bgpd/bgpd.h +++ b/usr.sbin/bgpd/bgpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.h,v 1.261 2010/05/19 12:44:14 claudio Exp $ */ +/* $OpenBSD: bgpd.h,v 1.262 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -357,6 +357,7 @@ enum imsg_type { IMSG_RECONF_PEER, IMSG_RECONF_FILTER, IMSG_RECONF_LISTENER, + IMSG_RECONF_CTRL, IMSG_RECONF_RDOMAIN, IMSG_RECONF_RDOMAIN_EXPORT, IMSG_RECONF_RDOMAIN_IMPORT, diff --git a/usr.sbin/bgpd/config.c b/usr.sbin/bgpd/config.c index da0be607bda..8ad8e817627 100644 --- a/usr.sbin/bgpd/config.c +++ b/usr.sbin/bgpd/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.53 2010/05/17 15:49:29 claudio Exp $ */ +/* $OpenBSD: config.c,v 1.54 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org> @@ -50,8 +50,6 @@ merge_config(struct bgpd_config *xconf, struct bgpd_config *conf, /* preserve cmd line opts */ conf->opts = xconf->opts; - conf->csock = xconf->csock; - conf->rcsock = xconf->rcsock; if (!conf->as) { log_warnx("configuration error: AS not given"); @@ -67,6 +65,9 @@ merge_config(struct bgpd_config *xconf, struct bgpd_config *conf, if ((conf->flags & BGPD_FLAG_REFLECTOR) && conf->clusterid == 0) conf->clusterid = conf->bgpid; + free(xconf->csock); + free(xconf->rcsock); + conf->listen_addrs = xconf->listen_addrs; memcpy(xconf, conf, sizeof(struct bgpd_config)); 
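Review bot: In `merge_config()`, `conf->csock` and `conf->rcsock` are now heap strings owned by the freshly parsed config (parse_config() strdup's the default and the grammar stores the STRING), so the path taken after `log_warnx("configuration error: AS not given")` — which presumably returns early, the return statement itself is outside the hunk — leaves them unreleased; before this change they were borrowed from `xconf` and nothing was lost there. Either free both strings on that path or have the caller release them when merge_config() reports an error. The `free(xconf->csock); free(xconf->rcsock);` pair before the `memcpy()` is right for the success path, since xconf's old strings are about to be overwritten by conf's.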
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 6660ae92149..6ec94d8f758 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.255 2010/05/17 16:08:20 claudio Exp $ */ +/* $OpenBSD: parse.y,v 1.256 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -172,7 +172,7 @@ typedef struct { %token REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX RESTART %token ANNOUNCE CAPABILITIES REFRESH AS4BYTE CONNECTRETRY %token DEMOTE ENFORCE NEIGHBORAS REFLECTOR DEPEND DOWN SOFTRECONFIG -%token DUMP IN OUT +%token DUMP IN OUT SOCKET RESTRICTED %token LOG ROUTECOLL TRANSPARENT %token TCP MD5SIG PASSWORD KEY TTLSECURITY %token ALLOW DENY MATCH @@ -190,8 +190,9 @@ typedef struct { %token NE LE GE XRANGE %token <v.string> STRING %token <v.number> NUMBER -%type <v.number> asnumber as4number optnumber yesno inout +%type <v.number> asnumber as4number optnumber %type <v.number> espah family restart origincode nettype +%type <v.number> yesno inout restricted %type <v.string> string filter_rib %type <v.addr> address %type <v.prefix> prefix addrspec @@ -558,6 +559,15 @@ conf_main : AS as4number { } conf->connectretry = $2; } + | SOCKET STRING restricted { + if ($3) { + free(conf->rcsock); + conf->rcsock = $2; + } else { + free(conf->csock); + conf->csock = $2; + } + } ; mrtdump : DUMP STRING inout STRING optnumber { @@ -627,6 +637,10 @@ inout : IN { $$ = 1; } | OUT { $$ = 0; } ; +restricted : RESTRICTED { $$ = 1; } + | /* nothing */ { $$ = 0; } + ; + address : STRING { u_int8_t len; @@ -2164,6 +2178,7 @@ lookup(char *s) { "reject", REJECT}, { "remote-as", REMOTEAS}, { "restart", RESTART}, + { "restricted", RESTRICTED}, { "rib", RIB}, { "route-collector", ROUTECOLL}, { "route-reflector", REFLECTOR}, 
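Review bot: The `SOCKET STRING restricted` rule accepts the same path for the restricted and the unrestricted socket, and since `conf->csock` already defaults to SOCKET_NAME a line such as `socket "/var/run/bgpd.sock" restricted` collides with the default without any diagnostic; control_setup() then brings up both sockets at one path and the second `control_init()` presumably replaces the first (whether it unlinks an existing path is not visible here). A parser-side check that the two paths differ turns this into a configuration error at load time instead of a silently lost control socket. The rule otherwise transfers ownership of the STRING correctly and frees a previously set value.
```yacc
		| SOCKET STRING restricted {
			char	**mine = $3 ? &conf->rcsock : &conf->csock;
			char	**other = $3 ? &conf->csock : &conf->rcsock;

			/* both sockets at one path would replace each other */
			if (*other != NULL && strcmp(*other, $2) == 0) {
				yyerror("restricted and unrestricted control "
				    "socket need different paths");
				free($2);
				YYERROR;
			}
			free(*mine);
			*mine = $2;
		}
```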
@@ -2172,6 +2187,7 @@ lookup(char *s) { "rtlabel", RTLABEL}, { "self", SELF}, { "set", SET}, + { "socket", SOCKET }, { "softreconfig", SOFTRECONFIG}, { "source-as", SOURCEAS}, { "spi", SPI}, @@ -2539,6 +2555,7 @@ parse_config(char *filename, struct bgpd_config *xconf, if ((conf = calloc(1, sizeof(struct bgpd_config))) == NULL) fatal(NULL); conf->opts = xconf->opts; + conf->csock = strdup(SOCKET_NAME); if ((file = pushfile(filename, 1)) == NULL) { free(conf); @@ -2599,6 +2616,9 @@ parse_config(char *filename, struct bgpd_config *xconf, if (errors) { /* XXX more leaks in this case */ + free(conf->csock); + free(conf->rcsock); + while ((la = TAILQ_FIRST(listen_addrs)) != NULL) { TAILQ_REMOVE(listen_addrs, la, entry); free(la); diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c index dbf03bdbae4..0ff49296c49 100644 --- a/usr.sbin/bgpd/printconf.c +++ b/usr.sbin/bgpd/printconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: printconf.c,v 1.82 2010/05/17 16:08:20 claudio Exp $ */ +/* $OpenBSD: printconf.c,v 1.83 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -238,6 +238,10 @@ print_mainconf(struct bgpd_config *conf) printf(" %u", conf->short_as); ina.s_addr = conf->bgpid; printf("\nrouter-id %s\n", inet_ntoa(ina)); + + printf("socket \"%s\"\n", conf->csock); + if (conf->rcsock) + printf("socket \"%s\" restricted\n", conf->rcsock); if (conf->holdtime) printf("holdtime %u\n", conf->holdtime); if (conf->min_holdtime) diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index 086cbd1ef4b..a2bbd6dd848 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.309 2010/05/26 13:56:07 nicm Exp $ */ +/* $OpenBSD: session.c,v 1.310 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org> 
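Review bot: `conf->csock = strdup(SOCKET_NAME);` in `parse_config()` is unchecked; on allocation failure `conf->csock` stays NULL and is later dereferenced by `strcmp(cname, conf->csock)` in control_setup() and by `printf("socket \"%s\"\n", conf->csock)` in print_mainconf(). The `calloc()` two lines above already aborts with `fatal(NULL)`, so the same treatment fits: `if ((conf->csock = strdup(SOCKET_NAME)) == NULL) fatal(NULL);`. On the `pushfile()` failure directly below, `free(conf)` drops the struct without releasing the fresh `conf->csock`; doing the strdup after that check, or adding `free(conf->csock);` there, avoids the leak. The added `free(conf->csock); free(conf->rcsock);` in the `errors` path is correct since both strings are owned by `conf`.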
@@ -175,7 +175,7 @@ setup_listeners(u_int *la_cnt) pid_t session_main(int pipe_m2s[2], int pipe_s2r[2], int pipe_m2r[2], - int pipe_s2rctl[2], char *cname, char *rcname) + int pipe_s2rctl[2]) { int nfds, timeout; unsigned int i, j, idx_peers, idx_listeners, idx_mrts; @@ -202,12 +202,6 @@ session_main(int pipe_m2s[2], int pipe_s2r[2], int pipe_m2r[2], return (pid); } - /* control socket is outside chroot */ - if ((csock = control_init(0, cname)) == -1) - fatalx("control socket setup failed"); - if (rcname != NULL && (rcsock = control_init(1, rcname)) == -1) - fatalx("control socket setup failed"); - if ((pw = getpwnam(BGPD_USER)) == NULL) fatal(NULL); @@ -248,8 +242,6 @@ session_main(int pipe_m2s[2], int pipe_s2r[2], int pipe_m2r[2], imsg_init(ibuf_main, pipe_m2s[1]); TAILQ_INIT(&ctl_conns); - control_listen(csock); - control_listen(rcsock); LIST_INIT(&mrthead); listener_cnt = 0; peer_cnt = 0; @@ -2266,7 +2258,7 @@ session_dispatch_imsg(struct imsgbuf *ibuf, int idx, u_int *listener_cnt) struct kif *kif; u_char *data; enum reconf_action reconf; - int n, depend_ok; + int n, depend_ok, restricted; u_int8_t errcode, subcode; if ((n = imsg_read(ibuf)) == -1) @@ -2354,6 +2346,28 @@ session_dispatch_imsg(struct imsgbuf *ibuf, int idx, u_int *listener_cnt) } break; + case IMSG_RECONF_CTRL: + if (idx != PFD_PIPE_MAIN) + fatalx("reconf request not from parent"); + if (imsg.hdr.len != IMSG_HEADER_SIZE + + sizeof(restricted)) + fatalx("IFINFO imsg with wrong len"); + memcpy(&restricted, imsg.data, sizeof(restricted)); + if (imsg.fd == -1) { + log_warnx("expected to receive fd for control " + "socket but didn't receive any"); + break; + } + if (restricted) { + control_shutdown(rcsock); + rcsock = imsg.fd; + control_listen(rcsock); + } else { + control_shutdown(csock); + csock = imsg.fd; + control_listen(csock); + } + break; case IMSG_RECONF_DONE: if (idx != PFD_PIPE_MAIN) fatalx("reconf request not from parent"); 
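Review bot: The length check in the new `IMSG_RECONF_CTRL` case reports `fatalx("IFINFO imsg with wrong len")`, a message copied from another case; since this aborts the session engine the text should name the actual message, `fatalx("IMSG_RECONF_CTRL imsg with wrong len");`. The same case calls `control_shutdown(csock)` / `control_shutdown(rcsock)` before any control socket has ever been delivered (the startup `control_init()` calls are removed in the hunk above), so it relies on `csock`/`rcsock` starting at -1 and on `control_shutdown()` ignoring -1 — both outside this hunk; if either does not hold, the first reconfiguration would close an unrelated descriptor. The enclosing `session_dispatch_imsg()` starts and ends outside the hunk.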
diff --git a/usr.sbin/bgpd/session.h b/usr.sbin/bgpd/session.h index d2ebb003c8f..b06e69fd480 100644 --- a/usr.sbin/bgpd/session.h +++ b/usr.sbin/bgpd/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.107 2010/05/26 13:56:07 nicm Exp $ */ +/* $OpenBSD: session.h,v 1.108 2010/06/27 19:53:34 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -227,7 +227,7 @@ struct ctl_timer { /* session.c */ void session_socket_blockmode(int, enum blockmodes); -pid_t session_main(int[2], int[2], int[2], int[2], char *, char *); +pid_t session_main(int[2], int[2], int[2], int[2]); void bgp_fsm(struct peer *, enum session_events); int session_neighbor_rrefresh(struct peer *p); struct peer *getpeerbyaddr(struct bgpd_addr *); |