Bugzilla – Attachment 3061 Details for
Bug 2784
Add native support for routing domains / VRF
[patch]
patch
Add-support-for-SO_BINDTODEVICE-via-B-options.patch (text/plain), 11.39 KB, created by
Luca Boccassi
on 2017-09-26 03:33:35 AEST
Description:
patch
Filename:
MIME Type:
Creator:
Luca Boccassi
Created:
2017-09-26 03:33:35 AEST
Size:
11.39 KB
patch
obsolete
>From f9ecbe3f503a4e6fdb134cd633ef6fe41dee383f Mon Sep 17 00:00:00 2001
>From: Luca Boccassi <luca.boccassi@gmail.com>
>Date: Fri, 22 Sep 2017 17:09:05 +0100
>Subject: [PATCH] Add support for SO_BINDTODEVICE via -B options
>
>In the past couple of years the Linux kernel gained support for VRF.
>Applications can bind to a specific VRF via the SO_BINDTODEVICE socket
>option.
>Add a new -B option that takes a string as a parameter to both ssh and
>sshd, and use it to bind the socket.
>
>https://www.kernel.org/doc/Documentation/networking/vrf.txt
>
>Original mailing list thread asking for this feature:
>https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-November/034525.html
>---
> readconf.c | 9 ++++++++-
> readconf.h | 2 ++
> servconf.c | 13 ++++++++++++-
> servconf.h | 2 ++
> ssh.1 | 8 ++++++++
> ssh.c | 7 +++++--
> ssh_config.5 | 4 ++++
> sshconnect.c | 20 ++++++++++++++++++++
> sshd.8 | 7 +++++++
> sshd.c | 34 +++++++++++++++++++++++++++++++---
> sshd_config.5 | 4 ++++
> 11 files changed, 103 insertions(+), 7 deletions(-)
>
>diff --git a/readconf.c b/readconf.c
>index f63894f9..f7331b43 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -156,7 +156,7 @@ typedef enum {
> oPubkeyAuthentication,
> oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
> oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
>- oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
>+ oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oBindDevice,
> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
> oAddressFamily, oGssAuthentication, oGssDelegateCreds,
>@@ -305,6 +305,7 @@ static struct {
> { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
> { "ignoreunknown", oIgnoreUnknown },
> { "proxyjump", oProxyJump },
>+ { "binddevice", oBindDevice },
>
> { NULL, oBadOption }
> };
>@@ -1669,6 +1670,10 @@ parse_keytypes:
> charptr = &options->identity_agent;
> goto parse_string;
>
>+ case oBindDevice:
>+ charptr = &options->bind_device;
>+ goto parse_string;
>+
> case oDeprecated:
> debug("%s line %d: Deprecated option \"%s\"",
> filename, linenum, keyword);
>@@ -1869,6 +1874,7 @@ initialize_options(Options * options)
> options->update_hostkeys = -1;
> options->hostbased_key_types = NULL;
> options->pubkey_key_types = NULL;
>+ options->bind_device = NULL;
> }
>
> /*
>@@ -2544,6 +2550,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
> dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
> dump_cfg_string(oXAuthLocation, o->xauth_location);
>+ dump_cfg_string(oBindDevice, o->bind_device);
>
> /* Forwards */
> dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
>diff --git a/readconf.h b/readconf.h
>index 22fe5c18..a486ffa5 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -163,6 +163,8 @@ typedef struct {
> int jump_port;
> char *jump_extra;
>
>+ char *bind_device; /* network device to bind to */
>+
> char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
> } Options;
>
>diff --git a/servconf.c b/servconf.c
>index 16436512..75425218 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -165,6 +165,7 @@ initialize_server_options(ServerOptions *options)
> options->fingerprint_hash = -1;
> options->disable_forwarding = -1;
> options->expose_userauth_info = -1;
>+ options->bind_device = NULL;
> }
>
> /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
>@@ -396,7 +397,7 @@ typedef enum {
> sKerberosGetAFSToken,
> sKerberosTgtPassing, sChallengeResponseAuthentication,
> sPasswordAuthentication, sKbdInteractiveAuthentication,
>- sListenAddress, sAddressFamily,
>+ sListenAddress, sAddressFamily, sBindDevice,
> sPrintMotd, sPrintLastLog, sIgnoreRhosts,
> sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
> sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
>@@ -566,6 +567,7 @@ static struct {
> { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
> { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
> { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
>+ { "binddevice", sBindDevice },
> { NULL, sBadOption, 0 }
> };
>
>@@ -1879,6 +1881,14 @@ process_server_config_line(ServerOptions *options, char *line,
> options->fingerprint_hash = value;
> break;
>
>+ case sBindDevice:
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: Missing argument.", filename, linenum);
>+ if (options->bind_device == NULL)
>+ options->bind_device = xstrdup(arg);
>+ break;
>+
> case sExposeAuthInfo:
> intptr = &options->expose_userauth_info;
> goto parse_flag;
>@@ -2350,6 +2360,7 @@ dump_config(ServerOptions *o)
> o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
> dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
> o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
>+ dump_cfg_string(sBindDevice, o->bind_device);
>
> /* string arguments requiring a lookup */
> dump_cfg_string(sLogLevel, log_level_name(o->log_level));
>diff --git a/servconf.h b/servconf.h
>index ffcbc331..e5450b4f 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -198,6 +198,8 @@ typedef struct {
>
> int fingerprint_hash;
> int expose_userauth_info;
>+
>+ char *bind_device; /* network device to bind to */
> } ServerOptions;
>
> /* Information about the incoming connection as used by Match */
>diff --git a/ssh.1 b/ssh.1
>index 2ab1697f..f818ea3f 100644
>--- a/ssh.1
>+++ b/ssh.1
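Review bot: The new keywords[] entry `{ "binddevice", sBindDevice },` omits the flags field that every neighbouring entry carries (`SSHCFG_GLOBAL` or `SSHCFG_ALL`), so it is implicitly 0, which is neither. The listening sockets are created before any Match block can be evaluated, so the option is global-only and the entry should read `{ "binddevice", sBindDevice, SSHCFG_GLOBAL },`. The zero default presumably behaves like global-only today, but an explicit flag keeps the table self-describing and survives any future change to how the flags are interpreted.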
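Review bot: The sBindDevice case stores the argument without checking its length, and the Linux SO_BINDTODEVICE handler silently clamps the name to IFNAMSIZ-1 bytes, so an over-long name can end up matching a different, shorter-named interface rather than failing. Rejecting it here means `sshd -t` reports the problem before any socket is opened: after the missing-argument check add `if (strlen(arg) >= IFNAMSIZ) fatal("%s line %d: Device name too long.", filename, linenum);`. IFNAMSIZ comes from <net/if.h>, which may need to be included if servconf.c does not already pull it in. process_server_config_line starts and ends outside the hunk.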
>@@ -45,6 +45,7 @@
> .Bk -words
> .Op Fl 46AaCfGgKkMNnqsTtVvXxYy
> .Op Fl b Ar bind_address
>+.Op Fl B Ar bind_device
> .Op Fl c Ar cipher_spec
> .Op Fl D Oo Ar bind_address : Oc Ns Ar port
> .Op Fl E Ar log_file
>@@ -128,6 +129,13 @@ on the local machine as the source address
> of the connection.
> Only useful on systems with more than one address.
> .Pp
>+.It Fl B Ar bind_device
>+Bind the connecting socket to
>+.Ar bind_device
>+on the local machine.
>+Useful on systems that use
>+.Cm VRF .
>+.Pp
> .It Fl C
> Requests compression of all data (including stdin, stdout, stderr, and
> data for forwarded X11, TCP and
>diff --git a/ssh.c b/ssh.c
>index ae37432b..b3305575 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -197,7 +197,7 @@ static void
> usage(void)
> {
> fprintf(stderr,
>-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
>+"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-B bind_device] [-c cipher_spec]\n"
> " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
> " [-F configfile] [-I pkcs11] [-i identity_file]\n"
> " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
>@@ -612,7 +612,7 @@ main(int ac, char **av)
>
> again:
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
>- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
>+ "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
> switch (opt) {
> case '1':
> fatal("SSH protocol v.1 is no longer supported");
>@@ -918,6 +918,9 @@ main(int ac, char **av)
> case 'b':
> options.bind_address = optarg;
> break;
>+ case 'B':
>+ options.bind_device = optarg;
>+ break;
> case 'F':
> config = optarg;
> break;
>diff --git a/ssh_config.5 b/ssh_config.5
>index eab8dd01..489a21dc 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -262,6 +262,10 @@ Note that this option does not work if
> .Cm UsePrivilegedPort
> is set to
> .Cm yes .
>+.It Cm BindDevice
>+Bind the connecting socket to the specified device on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Cm CanonicalDomains
> When
> .Cm CanonicalizeHostname
>diff --git a/sshconnect.c b/sshconnect.c
>index dc7a704d..8cb7108b 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -286,6 +286,26 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> }
> fcntl(sock, F_SETFD, FD_CLOEXEC);
>
>+ if (options.bind_device != NULL) {
>+#ifdef SO_BINDTODEVICE
>+ r = setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE,
>+ options.bind_device, strlen(options.bind_device));
>+ if (r != 0) {
>+ error("Bind to: %s failed %s", options.bind_device,
>+ strerror(errno));
>+ close(sock);
>+ return -1;
>+ }
>+ debug("Bound to device: %s", options.bind_device);
>+#else
>+ error("No SO_BINDTODEVICE, unable to bind to: %s",
>+ options.bind_device);
>+ close(sock);
>+ return -1;
>+#endif
>+ }
>+
>+
> /* Bind the socket to an alternative local IP address */
> if (options.bind_address == NULL && !privileged)
> return sock;
>diff --git a/sshd.8 b/sshd.8
>index a4201146..9023c1c5 100644
>--- a/sshd.8
>+++ b/sshd.8
>@@ -44,6 +44,7 @@
> .Nm sshd
> .Bk -words
> .Op Fl 46DdeiqTt
>+.Op Fl B Ar bind_device
> .Op Fl C Ar connection_spec
> .Op Fl c Ar host_certificate_file
> .Op Fl E Ar log_file
>@@ -94,6 +95,12 @@ to use IPv4 addresses only.
> Forces
> .Nm
> to use IPv6 addresses only.
>+.It Fl B Ar bind_device
>+Bind the listening sockets to
>+.Ar bind_device
>+on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Fl C Ar connection_spec
> Specify the connection parameters to use for the
> .Fl T
>diff --git a/sshd.c b/sshd.c
>index 51a1aaf6..baa8a18b 100644
>--- a/sshd.c
>+++ b/sshd.c
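Review bot: The setsockopt() call passes `strlen(options.bind_device)` with no bounds check, and on Linux the kernel silently clamps that length to IFNAMSIZ-1, so an over-long name can bind to a different, shorter-named interface instead of failing, while an empty name (reachable via `-B ""` on the command line, which bypasses the config parser's missing-argument check) is accepted by the kernel as "unbind" and silently ignored. Both should be rejected before the call, as sketched below; IFNAMSIZ lives in <net/if.h>, which may need including. Two smaller points: the message `"Bind to: %s failed %s"` lacks the colon its sshd.c twin has, and the block leaves two blank lines before the bind_address comment. On Linux kernels of this era SO_BINDTODEVICE was, as far as I recall, restricted to CAP_NET_RAW, so an unprivileged ssh will typically see EPERM here unless the binary is granted that capability; that deserves a sentence in ssh.1. ssh_create_socket starts and ends outside the hunk.
```c
	if (options.bind_device != NULL) {
#ifdef SO_BINDTODEVICE
		size_t devlen = strlen(options.bind_device);

		/* Kernel clamps the name to IFNAMSIZ-1 and treats "" as unbind. */
		if (devlen == 0 || devlen >= IFNAMSIZ) {
			error("Invalid bind device name: \"%s\"", options.bind_device);
			close(sock);
			return -1;
		}
		r = setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE,
		    options.bind_device, devlen);
		if (r != 0) {
			error("Bind to: %s failed: %s", options.bind_device,
			    strerror(errno));
			close(sock);
			return -1;
		}
		/* … unchanged: debug(), #else branch, #endif … */
```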
>@@ -908,7 +908,7 @@ usage(void)
> #endif
> );
> fprintf(stderr,
>-"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
>+"usage: sshd [-46DdeiqTt] [-B bind_device] [-C connection_spec] [-c host_cert_file]\n"
> " [-E log_file] [-f config_file] [-g login_grace_time]\n"
> " [-h host_key_file] [-o option] [-p port] [-u len]\n"
> );
>@@ -1062,6 +1062,26 @@ server_listen(void)
> if (ai->ai_family == AF_INET6)
> sock_set_v6only(listen_sock);
>
>+ if (options.bind_device != NULL) {
>+#ifdef SO_BINDTODEVICE
>+ ret = setsockopt(listen_sock, SOL_SOCKET,
>+ SO_BINDTODEVICE, options.bind_device,
>+ strlen(options.bind_device));
>+ if (ret != 0) {
>+ error("Bind to: %s failed: %s",
>+ options.bind_device, strerror(errno));
>+ close(listen_sock);
>+ continue;
>+ }
>+ debug("Bind to device %s", options.bind_device);
>+#else
>+ error("No SO_BINDTODEVICE, unable to bind to: %s",
>+ options.bind_device);
>+ close(listen_sock);
>+ continue;
>+#endif
>+ }
>+
> debug("Bind to port %s on %s.", strport, ntop);
>
> /* Bind the socket to the desired port. */
>@@ -1078,7 +1098,12 @@ server_listen(void)
> if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
> fatal("listen on [%s]:%s: %.100s",
> ntop, strport, strerror(errno));
>- logit("Server listening on %s port %s.", ntop, strport);
>+ if (options.bind_device == NULL) {
>+ logit("Server listening on %s port %s.", ntop, strport);
>+ } else {
>+ logit("Server listening on %s port %s device %s.", ntop,
>+ strport, options.bind_device);
>+ }
> }
> freeaddrinfo(options.listen_addrs);
>
>@@ -1404,7 +1429,7 @@ main(int ac, char **av)
>
> /* Parse command-line arguments. */
> while ((opt = getopt(ac, av,
>- "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
>+ "C:E:b:c:B:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
> switch (opt) {
> case '4':
> options.address_family = AF_INET;
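Review bot: In the `#else` branch of the server_listen hunk, a build without SO_BINDTODEVICE is handled like a per-address bind failure (`error(); close(listen_sock); continue;`), so sshd closes every listening socket in turn and presumably only dies afterwards in the generic no-sockets path with a message that does not name the real cause. A platform that lacks the option can never honour BindDevice, so this is a configuration error and should be `fatal("BindDevice %s: SO_BINDTODEVICE is not supported on this platform", options.bind_device);`, ideally raised from the config parser so that `sshd -t` reports it. The same caveats as on the client apply to the `strlen(options.bind_device)` passed to setsockopt(): the Linux kernel clamps it to IFNAMSIZ-1 and treats a zero length as "no device", so neither condition surfaces as an error here. server_listen starts and ends outside the hunk.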
>@@ -1512,6 +1537,9 @@ main(int ac, char **av)
> exit(1);
> free(line);
> break;
>+ case 'B':
>+ options.bind_device = optarg;
>+ break;
> case '?':
> default:
> usage();
>diff --git a/sshd_config.5 b/sshd_config.5
>index 136601d6..f2924c3c 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -380,6 +380,10 @@ If the argument is
> .Cm none
> then no banner is displayed.
> By default, no banner is displayed.
>+.It Cm BindDevice
>+Bind the listening sockets to the specified device on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Cm ChallengeResponseAuthentication
> Specifies whether challenge-response authentication is allowed (e.g. via
> PAM or through authentication styles supported in
>--
>2.11.0
>
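Review bot: The new `case 'B':` assigns optarg unchecked, so `sshd -B ""` gets past the `Missing argument.` check that the config keyword enforces in servconf.c and later reaches setsockopt() with a zero length, which the Linux kernel treats as "no device" rather than an error, leaving sshd unbound while the config said otherwise. Mirror the parser here: `case 'B': if (*optarg == '\0') fatal("Empty -B argument."); options.bind_device = optarg; break;`. main starts and ends outside the hunk.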