

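--- a/misc.c
+++ b/misc.c
@@ -234,6 +234,42 @@ set_rdomain(int fd, const char *name)
 #endif
 }
 
+/* Returns nonzero if the routing domain name is valid */
+int
+valid_rdomain(const char *name)
+{
+#if defined(HAVE_SYS_VALID_RDOMAIN)
+	return sys_valid_rdomain(name);
+#elif defined(__OpenBSD__)
+	const char *errstr;
+	long long num;
+	struct rt_tableinfo info;
+	int mib[6];
+	size_t miblen = sizeof(mib);
+
+	if (name == NULL)
+		return 1;
+
+	num = strtonum(name, 0, 255, &errstr);
+	if (errstr != NULL)
+		return 0;
+
+	/* Check whether the table actually exists */
+	memset(mib, 0, sizeof(mib));
+	mib[0] = CTL_NET;
+	mib[1] = PF_ROUTE;
+	mib[4] = NET_RT_TABLE;
+	mib[5] = (int)num;
+	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
+		return 0;
+
+	return 1;
+#else /* defined(__OpenBSD__) */
+	error("Routing domains are not supported on this platform");
+	return 0;
+#endif
+}
+
 /* Characters considered whitespace in strsep calls. */
 #define WHITESPACE " \t\r\n"
 #define QUOTE	"\""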
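Review bot: The NULL guard `if (name == NULL) return 1;` lives only inside the `#elif defined(__OpenBSD__)` branch, so on the `HAVE_SYS_VALID_RDOMAIN` path a NULL name is forwarded straight to `sys_valid_rdomain()`, which in this same patch begins with `strlen(name)`. The one caller visible here passes `optarg`, so this is latent today, but `valid_rdomain()` is now exported through misc.h and NULL meaning "no routing domain" is a natural argument for it. Hoist the guard above the `#if`, as the first statement after the opening brace, so every platform agrees. The header comment should then say that NULL is accepted and, on OpenBSD, that the name must be a table number in 0–255. Unrelated to the move but worth a look while the code is here: `miblen` is initialised to `sizeof(mib)` yet passed as the length of `info`; if that is not deliberate, `sizeof(info)` is the size sysctl(3) expects for the output buffer.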
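--- a/misc.h
+++ b/misc.h
@@ -51,6 +51,7 @@ void set_nodelay(int);
 int	 set_reuseaddr(int);
 char	*get_rdomain(int);
 int	 set_rdomain(int, const char *);
+int	 valid_rdomain(const char *name);
 int	 a2port(const char *);
 int	 a2tun(const char *, int *);
 char	*put_host_port(const char *, u_short);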
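Review bot: The new prototype `int	 valid_rdomain(const char *name);` names its parameter while every neighbouring declaration in this block (`set_rdomain(int, const char *)`, `a2port(const char *)`) omits parameter names; write it as `int	 valid_rdomain(const char *);` to match the file's style. Since this header is now the public contract for the function, a one-line comment stating the return convention (nonzero when valid) and whether NULL is accepted would spare callers a trip into the platform-specific implementations.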
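--- a/openbsd-compat/port-net.c
+++ b/openbsd-compat/port-net.c
@@ -78,6 +78,9 @@ sys_valid_rdomain(const char *name)
 {
 	int fd;
 
+	if (!strlen(name))
+		return 0;
+
 	/*
 	 * This is a pretty crappy way to test. It would be better to
 	 * check whether "name" represents a VRF device, but apparently
@@ -87,6 +90,8 @@ sys_valid_rdomain(const char *name)
 		return 0;
 	if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
 	    name, strlen(name)) == -1) {
+		error("%s: setsockopt(%d, SO_BINDTODEVICE, %s): %s",
+		      __func__, fd, name, strerror(errno));
 		close(fd);
 		return 0;
 	}
@@ -108,7 +113,7 @@ sys_set_rdomain(int fd, const char *name)
 }
 
 int
-valid_rdomain(const char *name)
+sys_valid_rdomain(const char *name)
 {
 	return 0;
 }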
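Review bot: The new `if (!strlen(name))` guard at the top of `sys_valid_rdomain()` dereferences a NULL `name`, whereas the OpenBSD `valid_rdomain()` added by this same patch explicitly treats NULL as "no routing domain, valid"; the portable path should make the same decision rather than crash. Suggest `if (name == NULL) return 1;` followed by `if (*name == '\0') return 0;`, which also avoids scanning the whole string just to test for emptiness. The added `error()` on `setsockopt` failure is helpful, but this probe also fires when the process simply lacks the privilege the man page text in this patch mentions (cap_net_raw), so consider whether error level or `debug()` is the right severity for a validity check. `sys_valid_rdomain()` begins before the first hunk and its middle lies between the first two hunks.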
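--- a/readconf.c
+++ b/readconf.c
@@ -156,7 +156,7 @@ typedef enum {
 	oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
-	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
+	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oRDomain,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -305,6 +305,7 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+	{ "rdomain", oRDomain },
 
 	{ NULL, oBadOption }
 };
@@ -1645,6 +1646,10 @@ parse_keytypes:
 		charptr = &options->identity_agent;
 		goto parse_string;
 
+	case oRDomain:
+		charptr = &options->rdomain;
+		goto parse_string;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -1845,6 +1850,7 @@ initialize_options(Options * options)
 	options->update_hostkeys = -1;
 	options->hostbased_key_types = NULL;
 	options->pubkey_key_types = NULL;
+	options->rdomain = NULL;
 }
 
 /*
@@ -2534,6 +2540,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
 	dump_cfg_string(oXAuthLocation, o->xauth_location);
+	dump_cfg_string(oRDomain, o->rdomain);
 
 	/* Forwards */
 	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);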
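Review bot: An `RDomain` value read from a configuration file goes through `parse_string` into `options->rdomain` with no validation, while the same value given as `-r` in ssh.c is rejected up front by `valid_rdomain()`; a bad or non-existent domain in ssh_config is therefore only discovered when `set_rdomain()` fails at socket creation, once per address tried. Run `valid_rdomain()` on the parsed value too — either in the `oRDomain` case instead of the bare `goto parse_string`, or once after the configuration has been fully read — so both entry points behave alike and the error names the offending line. Every function touched by these hunks begins and ends outside them.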
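--- a/readconf.h
+++ b/readconf.h
@@ -163,6 +163,8 @@ typedef struct {
 	int	jump_port;
 	char   *jump_extra;
 
+	char   *rdomain;	/* routing domain to bind to */
+
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 }       Options;
 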
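--- a/servconf.c
+++ b/servconf.c
@@ -731,42 +731,6 @@ add_one_listen_addr(ServerOptions *options, const char *addr,
 	options->listen_addrs[i].addrs = aitop;
 }
 
-/* Returns nonzero if the routing domain name is valid */
-static int
-valid_rdomain(const char *name)
-{
-#if defined(HAVE_SYS_VALID_RDOMAIN)
-	return sys_valid_rdomain(name);
-#elif defined(__OpenBSD__)
-	const char *errstr;
-	long long num;
-	struct rt_tableinfo info;
-	int mib[6];
-	size_t miblen = sizeof(mib);
-
-	if (name == NULL)
-		return 1;
-
-	num = strtonum(name, 0, 255, &errstr);
-	if (errstr != NULL)
-		return 0;
-
-	/* Check whether the table actually exists */
-	memset(mib, 0, sizeof(mib));
-	mib[0] = CTL_NET;
-	mib[1] = PF_ROUTE;
-	mib[4] = NET_RT_TABLE;
-	mib[5] = (int)num;
-	if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
-		return 0;
-
-	return 1;
-#else /* defined(__OpenBSD__) */
-	error("Routing domains are not supported on this platform");
-	return 0;
-#endif
-}
-
 /*
  * Queue a ListenAddress to be processed once we have all of the Ports
  * and AddressFamily options.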
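--- a/ssh.1
+++ b/ssh.1
@@ -45,6 +45,7 @@
 .Bk -words
 .Op Fl 46AaCfGgKkMNnqsTtVvXxYy
 .Op Fl b Ar bind_address
+.Op Fl r Ar routing_domain
 .Op Fl c Ar cipher_spec
 .Op Fl D Oo Ar bind_address : Oc Ns Ar port
 .Op Fl E Ar log_file
@@ -650,6 +651,11 @@ When used together with
 .Ic -O forward
 the allocated port will be printed to the standard output.
 .Pp
+.It Fl r Ar routing_domain
+Specifies an explicit routing domain (BSD) or VRF (Linux - NOTE: requires cap_net_raw) that is applied to the connection.
+The user session will be bound to this
+.Xr rdomain 4 .
+.Pp
 .It Fl S Ar ctl_path
 Specifies the location of a control socket for connection sharing,
 or the string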
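--- a/ssh.c
+++ b/ssh.c
@@ -201,7 +201,7 @@ static void
 usage(void)
 {
 	fprintf(stderr,
-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
+"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-r routing_domain] [-c cipher_spec]\n"
 "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
 "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
 "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
@@ -614,7 +614,7 @@ main(int ac, char **av)
 	argv0 = av[0];
 
  again:
-	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qr:stvx"
 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
@@ -925,6 +925,14 @@ main(int ac, char **av)
 		case 'b':
 			options.bind_address = optarg;
 			break;
+		case 'r':
+			if (!valid_rdomain(optarg)) {
+				fprintf(stderr, "Bad remote routing domain "
+				    "'%s'\n", optarg);
+				exit(255);
+			}
+			options.rdomain = optarg;
+			break;
 		case 'F':
 			config = optarg;
 			break;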
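Review bot: The rejection message in the new `case 'r':` reads `Bad remote routing domain`, but the value is applied to the client's local socket (sshconnect.c sets it before the `bind_address` bind), so "remote" will mislead users debugging it; `"Bad routing domain '%s'\n"` is accurate. The widened first line of the `usage()` string now runs well past 80 columns; move `[-r routing_domain]` onto one of the continuation lines and keep its position consistent with the synopsis order used in ssh.1. `main()` and `usage()` both begin and end outside these hunks.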
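--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1261,6 +1261,10 @@ The argument to this keyword must be
 (the default)
 or
 .Cm no .
+.It Cm RDomain
+Specifies an explicit routing domain (BSD) or VRF (Linux - NOTE: requires cap_net_raw) that is applied to the connection.
+The user session will be bound to this
+.Xr rdomain 4 .
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted before the
 session key is renegotiated, optionally followed a maximum amount of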
(-)a/sshconnect.c (-1 / +6 lines)
Lines 286-291 ssh_create_socket(int privileged, struct addrinfo *ai) Link Here
286
	}
286
	}
287
	fcntl(sock, F_SETFD, FD_CLOEXEC);
287
	fcntl(sock, F_SETFD, FD_CLOEXEC);
288
288
289
	if (options.rdomain != NULL &&
290
	    set_rdomain(sock, options.rdomain) == -1) {
291
		close(sock);
292
		return -1;
293
	}
294
289
	/* Bind the socket to an alternative local IP address */
295
	/* Bind the socket to an alternative local IP address */
290
	if (options.bind_address == NULL && !privileged)
296
	if (options.bind_address == NULL && !privileged)
291
		return sock;
297
		return sock;
292
- 
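Review bot: When `set_rdomain()` fails, the new block in `ssh_create_socket()` closes the socket and returns -1 without recording at this site which routing domain could not be applied; whether `set_rdomain()` logs on its own cannot be seen from this page, and if it does not, a failed `RDomain`/`-r` binding degrades into a generic connect failure repeated for every address tried. If the caller inspects `errno` after the -1, `close(sock)` may overwrite it; preserve it with `int oerrno = errno; close(sock); errno = oerrno;` before returning. `ssh_create_socket()` begins before the hunk and continues after it.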
