Bugzilla – Attachment 3076 Details for
Bug 2784
Add native support for routing domains / VRF
[patch]
add RDomain option
0002-routingdomain.patch (text/plain), 8.31 KB, created by
Damien Miller
on 2017-10-23 12:28:58 AEDT
Description:
add RDomain option
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-10-23 12:28:58 AEDT
Size:
8.31 KB
patch
obsolete
>From bde8d6b8a6bbaf1a1604f31a86deb9e22c543de9 Mon Sep 17 00:00:00 2001
>From: Damien Miller <djm@mindrot.org>
>Date: Fri, 20 Oct 2017 15:40:17 +1100
>Subject: [PATCH 2/3] routingdomain
>
>---
> misc.c | 18 +++++++++++++++++-
> misc.h | 1 +
> packet.c | 12 ++++++++++++
> packet.h | 2 ++
> servconf.c | 19 ++++++++++++++++++-
> servconf.h | 3 +++
> sshd.c | 28 ++++++++++++++++++++++++++++
> sshd_config.5 | 15 +++++++++++++++
> 8 files changed, 96 insertions(+), 2 deletions(-)
>
>diff --git a/misc.c b/misc.c
>index 14b4735..3a633ab 100644
>--- a/misc.c
>+++ b/misc.c
>@@ -168,7 +168,23 @@ set_reuseaddr(int fd)
> return 0;
> }
>
>-/* Set routing table */
>+/* Get/set routing domain */
>+char *
>+get_rdomain(int fd)
>+{
>+ int rtable;
>+ char *ret;
>+ socklen_t len = sizeof(rtable);
>+
>+ if (getsockopt(fd, SOL_SOCKET, SO_RTABLE, &rtable, &len) == -1) {
>+ error("Failed to get routing domain for fd %d: %s",
>+ fd, strerror(errno));
>+ return NULL;
>+ }
>+ xasprintf(&ret, "%d", rtable);
>+ return ret;
>+}
>+
> int
> set_rdomain(int fd, const char *name)
> {
>diff --git a/misc.h b/misc.h
>index 14a59c8..3f14cea 100644
>--- a/misc.h
>+++ b/misc.h
>@@ -49,6 +49,7 @@ int set_nonblock(int);
> int unset_nonblock(int);
> void set_nodelay(int);
> int set_reuseaddr(int);
>+char *get_rdomain(int);
> int set_rdomain(int, const char *);
> int a2port(const char *);
> int a2tun(const char *, int *);
>diff --git a/packet.c b/packet.c
>index 1353ccf..7d98b6e 100644
>--- a/packet.c
>+++ b/packet.c
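Review bot: get_rdomain() hands back a string from xasprintf() but neither the new comment nor the misc.h prototype says the caller owns and must free it; the header comment `/* Get/set routing domain */` should say something like `/* Return the routing domain of socket fd as a malloc'd decimal string (caller frees), or NULL if it could not be read */`. The error() on getsockopt() failure is the only signal a caller gets, and a NULL return is then indistinguishable from "not on a socket", so documenting that NULL means "undetermined" rather than "default domain" would help callers decide whether to carry on. set_rdomain()'s body continues past the end of the hunk.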
>@@ -546,6 +546,18 @@ ssh_local_port(struct ssh *ssh)
> return ssh->local_port;
> }
>
>+/* Returns the routing domain of the input socket, or NULL if unavailable */
>+const char *
>+ssh_packet_rdomain_in(struct ssh *ssh)
>+{
>+ if (ssh->rdomain_in != NULL)
>+ return ssh->rdomain_in;
>+ if (!ssh_packet_connection_is_on_socket(ssh))
>+ return NULL;
>+ ssh->rdomain_in = get_rdomain(ssh->state->connection_in);
>+ return ssh->rdomain_in;
>+}
>+
> /* Closes the connection and clears and frees internal data structures. */
>
> static void
>diff --git a/packet.h b/packet.h
>index a6b132c..a1d83b4 100644
>--- a/packet.h
>+++ b/packet.h
>@@ -47,6 +47,7 @@ struct ssh {
> int remote_port;
> char *local_ipaddr;
> int local_port;
>+ char *rdomain_in;
>
> /* Optional preamble for log messages (e.g. username) */
> char *log_preamble;
>@@ -148,6 +149,7 @@ const char *ssh_remote_ipaddr(struct ssh *);
> int ssh_remote_port(struct ssh *);
> const char *ssh_local_ipaddr(struct ssh *);
> int ssh_local_port(struct ssh *);
>+const char *ssh_packet_rdomain_in(struct ssh *);
>
> void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, u_int32_t);
> time_t ssh_packet_get_rekey_timeout(struct ssh *);
>diff --git a/servconf.c b/servconf.c
>index 82d6b5a..2f15900 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -77,6 +77,7 @@ initialize_server_options(ServerOptions *options)
> options->listen_addrs = NULL;
> options->num_listen_addrs = 0;
> options->address_family = -1;
>+ options->routing_domain = NULL;
> options->num_host_key_files = 0;
> options->num_host_cert_files = 0;
> options->host_key_agent = NULL;
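Review bot: ssh->rdomain_in is allocated by get_rdomain() and cached on the struct, but no hunk in this patch frees it; the function whose comment closes this hunk ("Closes the connection and clears and frees internal data structures") is the natural place, and if it releases local_ipaddr/remote_ipaddr then `free(ssh->rdomain_in); ssh->rdomain_in = NULL;` belongs beside them. Because only a non-NULL result is cached, a failing getsockopt() is retried and re-logged on every call; harmless, but worth a comment if intentional. The new packet.h field is never explicitly initialised in this diff, so this presumably relies on the struct being zero-allocated (verify in ssh_alloc_session_state, which is outside the hunk).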
>@@ -385,6 +386,7 @@ fill_default_server_options(ServerOptions *options)
> CLEAR_ON_NONE(options->authorized_principals_file);
> CLEAR_ON_NONE(options->adm_forced_command);
> CLEAR_ON_NONE(options->chroot_directory);
>+ CLEAR_ON_NONE(options->routing_domain);
> for (i = 0; i < options->num_host_key_files; i++)
> CLEAR_ON_NONE(options->host_key_files[i]);
> for (i = 0; i < options->num_host_cert_files; i++)
>@@ -435,7 +437,7 @@ typedef enum {
> sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
> sStreamLocalBindMask, sStreamLocalBindUnlink,
> sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
>- sExposeAuthInfo,
>+ sExposeAuthInfo, sRDomain,
> sDeprecated, sIgnore, sUnsupported
> } ServerOpCodes;
>
>@@ -564,6 +566,7 @@ static struct {
> { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
> { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
> { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
>+ { "rdomain", sRDomain, SSHCFG_ALL },
> { NULL, sBadOption, 0 }
> };
>
>@@ -1928,6 +1931,19 @@ process_server_config_line(ServerOptions *options, char *line,
> intptr = &options->expose_userauth_info;
> goto parse_flag;
>
>+ case sRDomain:
>+ charptr = &options->routing_domain;
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.",
>+ filename, linenum);
>+ if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
>+ !valid_rdomain(arg))
>+ fatal("%s line %d: bad routing domain",
>+ filename, linenum);
>+ if (*activep && *charptr == NULL)
>+ *charptr = xstrdup(arg);
>+
> case sDeprecated:
> case sIgnore:
> case sUnsupported:
>@@ -2410,6 +2426,7 @@ dump_config(ServerOptions *o)
> o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
> dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
> o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
>+ dump_cfg_string(sRDomain, o->routing_domain);
>
> /* string arguments requiring a lookup */
> dump_cfg_string(sLogLevel, log_level_name(o->log_level));
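Review bot: the new `case sRDomain:` has no `break;` after `*charptr = xstrdup(arg);`, so every valid RDomain line falls through into `case sDeprecated: / sIgnore: / sUnsupported:`; that branch's body is outside the hunk, but in this switch it would normally log the keyword as deprecated/unsupported and consume the rest of the line, which is misleading at best. Put `break;` on the blank `+` line before `case sDeprecated:`. Separately, `valid_rdomain()` is not visible here, so I cannot confirm it enforces the same 0–255 bound that set_process_rdomain() later applies with strtonum(); if it is looser, a bad value is rejected only post-authentication with a fatal() instead of at config-parse time, which is the point of validating here.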
>diff --git a/servconf.h b/servconf.h
>index cd8a097..8fc816f 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -78,6 +78,8 @@ typedef struct {
> u_int num_listen_addrs;
> int address_family; /* Address family used by the server. */
>
>+ char *routing_domain; /* Bind session to routing domain */
>+
> char **host_key_files; /* Files containing host keys. */
> u_int num_host_key_files; /* Number of files for host keys. */
> char **host_cert_files; /* Files containing host certs. */
>@@ -237,6 +239,7 @@ struct connection_info {
> M_CP_STROPT(authorized_principals_command_user); \
> M_CP_STROPT(hostbased_key_types); \
> M_CP_STROPT(pubkey_key_types); \
>+ M_CP_STROPT(routing_domain); \
> M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
> M_CP_STRARRAYOPT(allow_users, num_allow_users); \
> M_CP_STRARRAYOPT(deny_users, num_deny_users); \
>diff --git a/sshd.c b/sshd.c
>index cc77a1a..e417e2c 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -1292,6 +1292,31 @@ check_ip_options(struct ssh *ssh)
> return;
> }
>
>+/* Set the routing domain for this process */
>+static void
>+set_process_rdomain(struct ssh *ssh, const char *name)
>+{
>+ int rtable, ortable = getrtable();
>+ const char *errstr;
>+
>+ if (name == NULL)
>+ return; /* default */
>+
>+ if (strcmp(name, "%D") == 0) {
>+ /* "expands" to routing domain of connection */
>+ if ((name = ssh_packet_rdomain_in(ssh)) == NULL)
>+ return;
>+ }
>+
>+ rtable = (int)strtonum(name, 0, 255, &errstr);
>+ if (errstr != NULL) /* Shouldn't happen */
>+ fatal("Invalid routing domain \"%s\": %s", name, errstr);
>+ if (rtable != ortable && setrtable(rtable) != 0)
>+ fatal("Unable to set routing domain %d: %s",
>+ rtable, strerror(errno));
>+ debug("%s: set routing domain %d (was %d)", __func__, rtable, ortable);
>+}
>+
> /*
> * Main program for the daemon.
> */
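Review bot: set_process_rdomain() fails open when `%D` cannot be resolved: if `ssh_packet_rdomain_in(ssh)` returns NULL (connection not on a socket, or getsockopt() failed) it silently `return`s and the session stays in the daemon's routing domain, with nothing above debug level recording that the configured confinement was not applied. RDomain is an isolation control, so this branch should behave like the other failure paths in the same function and fail closed, e.g. `fatal("%s: unable to determine routing domain of connection", __func__);`, or at the very least `logit()` the fallback so it appears in the auth log. The explicit-number path already fatal()s on an out-of-range or unparsable value, so failing closed here makes the two cases consistent. Minor: `ortable = getrtable()` is evaluated before the `name == NULL` early return; harmless, but it could move below the guard.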
>@@ -1910,6 +1935,9 @@ main(int ac, char **av)
> startup_pipe = -1;
> }
>
>+ if (options.routing_domain != NULL)
>+ set_process_rdomain(ssh, options.routing_domain);
>+
> /*
> * In privilege separation, we fork another child and prepare
> * file descriptor passing.
>diff --git a/sshd_config.5 b/sshd_config.5
>index 6e5b263..fcf57d4 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -1119,6 +1119,7 @@ Available keywords are
> .Cm PubkeyAuthentication ,
> .Cm RekeyLimit ,
> .Cm RevokedKeys ,
>+.Cm RDomain ,
> .Cm StreamLocalBindMask ,
> .Cm StreamLocalBindUnlink ,
> .Cm TrustedUserCAKeys ,
>@@ -1379,6 +1380,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
> .Xr ssh-keygen 1 .
> For more information on KRLs, see the KEY REVOCATION LISTS section in
> .Xr ssh-keygen 1 .
>+.It Cm RDomain
>+Specifies an explicit routing domain that is applied after authentication
>+has completed.
>+The user session, as well and any forwarded or listening IP sockets will
>+be bound to this
>+.Xr rdomain 4 .
>+If the routing domain is set to
>+.Cm \&%D ,
>+then the domain in which the incoming connection was recieved will be applied.
> .It Cm StreamLocalBindMask
> Sets the octal file creation mode mask
> .Pq umask
>@@ -1620,6 +1630,8 @@ which are expanded at runtime:
> .It %%
> A literal
> .Sq % .
>+.It \&%D
>+The routing domain in which the incoming connection was received.
> .It %F
> The fingerprint of the CA key.
> .It %f
>@@ -1656,6 +1668,9 @@ accepts the tokens %%, %h, and %u.
> .Pp
> .Cm ChrootDirectory
> accepts the tokens %%, %h, and %u.
>+.Pp
>+.Cm RoutingDomain
>+accepts the token %D.
> .Sh FILES
> .Bl -tag -width Ds
> .It Pa /etc/ssh/sshd_config
>--
>2.14.2
>
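Review bot: the call to set_process_rdomain() sits just before the comment "In privilege separation, we fork another child", so the routing-domain switch happens in the privileged parent and is inherited by the post-auth child rather than being applied to the session process alone; if that is the intent (it also covers any sockets the parent opens on the session's behalf), a one-line comment such as `/* Switch rdomain before the postauth fork so monitor and session share it */` would save the next reader from re-deriving it. The `if (options.routing_domain != NULL)` guard duplicates the `name == NULL` check inside set_process_rdomain(); keep one or the other. Note also that the accompanying sshd_config.5 hunk lists the token under `.Cm RoutingDomain` while the keyword added to servconf.c is `rdomain`/`RDomain`, so the man page cross-reference will not match.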