Bugzilla – Attachment 3082 Details for
Bug 2784
Add native support for routing domains / VRF
[patch]
rdomain support for ssh client remote-forward socket
0003-ssh-add-routing-domain-support-to-remote-forwarding.patch (text/plain), 12.05 KB, created by
Luca Boccassi
on 2017-10-28 03:25:29 AEDT
Description:
rdomain support for ssh client remote-forward socket
Filename:
MIME Type:
Creator:
Luca Boccassi
Created:
2017-10-28 03:25:29 AEDT
Size:
12.05 KB
patch
obsolete
>From 644c6d79854865cfd7c5c0247c3ea6626d5cbaf7 Mon Sep 17 00:00:00 2001
>From: Luca Boccassi <luca.boccassi@gmail.com>
>Date: Fri, 27 Oct 2017 16:32:59 +0100
>Subject: [PATCH 3/3] ssh: add routing domain support to remote forwarding
>
>Add a 5th parameter to the RemoteForward config and command line
>option. It will be used as a Routing Domain to connect to the
>local service that ssh is forwarding to.
>---
> channels.c | 58 +++++++++++++++++++++++++++++++++++++++-------------------
> channels.h | 1 +
> ssh.1 | 10 ++++++++++
> ssh.c | 8 ++++++--
> ssh_config.5 | 5 +++++
> 5 files changed, 61 insertions(+), 21 deletions(-)
>
>diff --git a/channels.c b/channels.c
>index db0b3829..cd2a6b31 100644
>--- a/channels.c
>+++ b/channels.c
>@@ -112,6 +112,7 @@ typedef struct {
> char *listen_host; /* Remote side should listen address. */
> char *listen_path; /* Remote side should listen path. */
> int listen_port; /* Remote side should listen port. */
>+ char *rdomain; /* Routing Domain used for forwards */
> Channel *downstream; /* Downstream mux*/
> } ForwardPermission;
>
>@@ -448,6 +449,7 @@ fwd_perm_clear(ForwardPermission *fp)
> free(fp->host_to_connect);
> free(fp->listen_host);
> free(fp->listen_path);
>+ free(fp->rdomain);
> bzero(fp, sizeof(*fp));
> }
>
>@@ -457,7 +459,7 @@ static int
> fwd_perm_list_add(struct ssh *ssh, int which,
> const char *host_to_connect, int port_to_connect,
> const char *listen_host, const char *listen_path, int listen_port,
>- Channel *downstream)
>+ Channel *downstream, const char *rdomain)
> {
> ForwardPermission **fpl;
> u_int n, *nfpl;
>@@ -486,6 +488,7 @@ fwd_perm_list_add(struct ssh *ssh, int which,
> (*fpl)[n].listen_host = MAYBE_DUP(listen_host);
> (*fpl)[n].listen_path = MAYBE_DUP(listen_path);
> (*fpl)[n].listen_port = listen_port;
>+ (*fpl)[n].rdomain = MAYBE_DUP(rdomain);
> (*fpl)[n].downstream = downstream;
> #undef MAYBE_DUP
> return (int)n;
>@@ -2732,7 +2735,7 @@ channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
> }
> /* Record that connection to this host/port is permitted. */
> fwd_perm_list_add(ssh, FWDPERM_USER, "<mux>", -1,
>- listen_host, NULL, (int)listen_port, downstream);
>+ listen_host, NULL, (int)listen_port, downstream, NULL);
> listen_host = NULL;
> break;
> case SSH2_MSG_CHANNEL_CLOSE:
>@@ -3688,7 +3691,7 @@ int
> channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
> {
> int r, success = 0, idx = -1;
>- char *host_to_connect, *listen_host, *listen_path;
>+ char *host_to_connect, *listen_host, *listen_path, *rdomain;
> int port_to_connect, listen_port;
>
> /* Send the forward request to the remote side. */
>@@ -3718,7 +3721,7 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
> success = 1;
> if (success) {
> /* Record that connection to this host/port is permitted. */
>- host_to_connect = listen_host = listen_path = NULL;
>+ host_to_connect = listen_host = listen_path = rdomain = NULL;
> port_to_connect = listen_port = 0;
> if (fwd->connect_path != NULL) {
> host_to_connect = xstrdup(fwd->connect_path);
>@@ -3726,6 +3729,8 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
> } else {
> host_to_connect = xstrdup(fwd->connect_host);
> port_to_connect = fwd->connect_port;
>+ if (fwd->rdomain != NULL)
>+ rdomain = xstrdup(fwd->rdomain) ;
> }
> if (fwd->listen_path != NULL) {
> listen_path = xstrdup(fwd->listen_path);
>@@ -3737,7 +3742,7 @@ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
> }
> idx = fwd_perm_list_add(ssh, FWDPERM_USER,
> host_to_connect, port_to_connect,
>- listen_host, listen_path, listen_port, NULL);
>+ listen_host, listen_path, listen_port, NULL, rdomain);
> }
> return idx;
> }
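Review bot: The new `rdomain = xstrdup(fwd->rdomain) ;` in the @@ -3726 hunk is leaked: the copy is handed to fwd_perm_list_add() in the @@ -3737 hunk, which duplicates it again through MAYBE_DUP (visible in the @@ -486 hunk on the previous line), and the function then reaches `return idx;` without freeing the local. The three pre-existing locals follow the same pattern, so this presumably inherits an existing leak, but the patch should not add a fourth; since fwd_perm_list_add() copies, the simplest fix is to drop the local and pass `fwd->connect_path != NULL ? NULL : fwd->rdomain` at the call site (or free all four after it), which also removes the stray space before the `;`. Because rdomain is only set on the connect_host branch, a forward to a connect_path silently ignores any routing domain given; a short comment on that branch saying so would help. The channel_proxy_downstream hunk records mux-requested forwards with a NULL rdomain, so forwards requested through a multiplexed session presumably connect without one — worth confirming that is intended. channel_request_remote_forwarding's body continues outside these hunks.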
>@@ -3904,7 +3909,8 @@ channel_add_permitted_opens(struct ssh *ssh, char *host, int port)
> struct ssh_channels *sc = ssh->chanctxt;
>
> debug("allow port forwarding to host %s port %d", host, port);
>- fwd_perm_list_add(ssh, FWDPERM_USER, host, port, NULL, NULL, 0, NULL);
>+ fwd_perm_list_add(ssh, FWDPERM_USER, host, port, NULL, NULL, 0, NULL,
>+ NULL);
> sc->all_opens_permitted = 0;
> }
>
>@@ -3941,14 +3947,15 @@ channel_add_adm_permitted_opens(struct ssh *ssh, char *host, int port)
> {
> debug("config allows port forwarding to host %s port %d", host, port);
> return fwd_perm_list_add(ssh, FWDPERM_ADMIN, host, port,
>- NULL, NULL, 0, NULL);
>+ NULL, NULL, 0, NULL, NULL);
> }
>
> void
> channel_disable_adm_local_opens(struct ssh *ssh)
> {
> channel_clear_adm_permitted_opens(ssh);
>- fwd_perm_list_add(ssh, FWDPERM_ADMIN, NULL, 0, NULL, NULL, 0, NULL);
>+ fwd_perm_list_add(ssh, FWDPERM_ADMIN, NULL, 0, NULL, NULL, 0, NULL,
>+ NULL);
> }
>
> void
>@@ -4023,10 +4030,18 @@ connect_next(struct channel_connect *cctx)
> }
> if (set_nonblock(sock) == -1)
> fatal("%s: set_nonblock(%d)", __func__, sock);
>+ if (cctx->rdomain != NULL &&
>+ set_rdomain(sock, cctx->rdomain) == -1) {
>+ close(sock);
>+ continue;
>+ }
>+
> if (connect(sock, cctx->ai->ai_addr,
> cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
>- debug("connect_next: host %.100s ([%.100s]:%s): "
>+ debug("connect_next: host %.100s ([%.100s]:%s%s%s): "
> "%.100s", cctx->host, ntop, strport,
>+ cctx->rdomain == NULL ? "" : " rdomain ",
>+ cctx->rdomain == NULL ? "" : cctx->rdomain,
> strerror(errno));
> saved_errno = errno;
> close(sock);
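Review bot: The set_rdomain() failure branch added in the @@ -4023 hunk closes the socket and continues without logging anything and without preserving errno, unlike the connect() failure path directly below it, which saves errno across close() so that connect_to_helper()'s `error("connect to %.100s port %d failed: %s", ...)` (visible in the @@ -4115 hunk on the next line) reports the real cause. set_rdomain() itself is not part of this patch; if it reports failure through errno like the other socket calls here, a forward that fails on the routing-domain step will be reported with whatever close() left in errno, which makes a misconfigured routing domain or missing privilege hard to diagnose. Mirror the existing pattern: emit a debug line naming the routing domain and save/restore errno around close(). The for loop enclosing this code, and the rest of connect_next(), start and end outside the hunk.
```c
		if (set_nonblock(sock) == -1)
			fatal("%s: set_nonblock(%d)", __func__, sock);
		if (cctx->rdomain != NULL &&
		    set_rdomain(sock, cctx->rdomain) == -1) {
			saved_errno = errno;
			debug("connect_next: host %.100s ([%.100s]:%s): "
			    "set_rdomain %s: %.100s", cctx->host, ntop,
			    strport, cctx->rdomain, strerror(errno));
			close(sock);
			errno = saved_errno;
			continue;	/* fail -- try next */
		}
		/* … unchanged: connect() attempt and its failure path … */
```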
>@@ -4035,8 +4050,10 @@ connect_next(struct channel_connect *cctx)
> }
> if (cctx->ai->ai_family != AF_UNIX)
> set_nodelay(sock);
>- debug("connect_next: host %.100s ([%.100s]:%s) "
>- "in progress, fd=%d", cctx->host, ntop, strport, sock);
>+ debug("connect_next: host %.100s ([%.100s]:%s%s%s) "
>+ "in progress, fd=%d", cctx->host, ntop, strport,
>+ cctx->rdomain == NULL ? "" : " rdomain ",
>+ cctx->rdomain == NULL ? "" : cctx->rdomain, sock);
> cctx->ai = cctx->ai->ai_next;
> return sock;
> }
>@@ -4047,6 +4064,7 @@ static void
> channel_connect_ctx_free(struct channel_connect *cctx)
> {
> free(cctx->host);
>+ free(cctx->rdomain);
> if (cctx->aitop) {
> if (cctx->aitop->ai_family == AF_UNIX)
> free(cctx->aitop);
>@@ -4063,7 +4081,7 @@ channel_connect_ctx_free(struct channel_connect *cctx)
> static int
> connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
> char *ctype, char *rname, struct channel_connect *cctx,
>- int *reason, const char **errmsg)
>+ int *reason, const char **errmsg, const char *rdomain)
> {
> struct addrinfo hints;
> int gaierr;
>@@ -4115,6 +4133,7 @@ connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
> cctx->host = xstrdup(name);
> cctx->port = port;
> cctx->ai = cctx->aitop;
>+ cctx->rdomain = rdomain ? xstrdup(rdomain) : NULL;
>
> if ((sock = connect_next(cctx)) == -1) {
> error("connect to %.100s port %d failed: %s",
>@@ -4128,7 +4147,7 @@ connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
> /* Return CONNECTING channel to remote host:port or local socket path */
> static Channel *
> connect_to(struct ssh *ssh, const char *host, int port,
>- char *ctype, char *rname)
>+ char *ctype, char *rname, const char *rdomain)
> {
> struct channel_connect cctx;
> Channel *c;
>@@ -4136,7 +4155,7 @@ connect_to(struct ssh *ssh, const char *host, int port,
>
> memset(&cctx, 0, sizeof(cctx));
> sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
>- &cctx, NULL, NULL);
>+ &cctx, NULL, NULL, rdomain);
> if (sock == -1) {
> channel_connect_ctx_free(&cctx);
> return NULL;
>@@ -4172,7 +4191,7 @@ channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
> ctype, rname);
> return connect_to(ssh,
> fp->host_to_connect, fp->port_to_connect,
>- ctype, rname);
>+ ctype, rname, fp->rdomain);
> }
> }
> error("WARNING: Server requests forwarding for unknown listen_port %d",
>@@ -4193,7 +4212,7 @@ channel_connect_by_listen_path(struct ssh *ssh, const char *path,
> if (open_listen_match_streamlocal(fp, path)) {
> return connect_to(ssh,
> fp->host_to_connect, fp->port_to_connect,
>- ctype, rname);
>+ ctype, rname, NULL);
> }
> }
> error("WARNING: Server requests forwarding for unknown path %.100s",
>@@ -4245,7 +4264,7 @@ channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
>
> memset(&cctx, 0, sizeof(cctx));
> sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
>- &cctx, reason, errmsg);
>+ &cctx, reason, errmsg, NULL);
> if (sock == -1) {
> channel_connect_ctx_free(&cctx);
> return NULL;
>@@ -4296,7 +4315,7 @@ channel_connect_to_path(struct ssh *ssh, const char *path,
> "but the request was denied.", path);
> return NULL;
> }
>- return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
>+ return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname, NULL);
> }
>
> void
>@@ -4360,7 +4379,7 @@ rdynamic_connect_finish(struct ssh *ssh, Channel *c)
>
> memset(&cctx, 0, sizeof(cctx));
> sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
>- NULL, &cctx, NULL, NULL);
>+ NULL, &cctx, NULL, NULL, NULL);
> if (sock == -1)
> channel_connect_ctx_free(&cctx);
> else {
>@@ -4433,6 +4452,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
> sock_set_v6only(sock);
> if (x11_use_localhost)
> set_reuseaddr(sock);
>+
> if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
> debug2("%s: bind port %d: %.100s", __func__,
> port, strerror(errno));
>diff --git a/channels.h b/channels.h
>index 126b0434..f8205717 100644
>--- a/channels.h
>+++ b/channels.h
>@@ -91,6 +91,7 @@ struct channel_connect {
> char *host;
> int port;
> struct addrinfo *ai, *aitop;
>+ char *rdomain;
> };
>
> /* Callbacks for mux channels back into client-specific code */
>diff --git a/ssh.1 b/ssh.1
>index a7e8beaa..ee5f7c6a 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -591,6 +591,11 @@ Causes most warning and diagnostic messages to be suppressed.
> .Xc
> .It Fl R Xo
> .Sm off
>+.Ar bind_address : port : host : hostport : routing_domain
>+.Sm on
>+.Xc
>+.It Fl R Xo
>+.Sm off
> .Oo Ar bind_address : Oc
> .Ar port : local_socket
> .Sm on
>@@ -661,6 +666,11 @@ When used together with
> .Ic -O forward
> the allocated port will be printed to the standard output.
> .Pp
>+.Ar routing_domain
>+can also be specified, which makes the
>+.Ar bind_address
>+mandatory, to bind the local port in a specific Routing Domain.
>+.Pp
> .It Fl r Ar routing_domain
> Specifies an explicit routing domain (BSD) or VRF (Linux - NOTE: requires cap_net_raw) that is applied to the connection.
> The user session will be bound to this
>diff --git a/ssh.c b/ssh.c
>index c92b7043..adbbb8f4 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -1682,7 +1682,7 @@ ssh_init_forwarding(struct ssh *ssh, char **ifname)
> /* Initiate remote TCP/IP port forwardings. */
> for (i = 0; i < options.num_remote_forwards; i++) {
> debug("Remote connections from %.200s:%d forwarded to "
>- "local address %.200s:%d",
>+ "local address %.200s:%d%s%s",
> (options.remote_forwards[i].listen_path != NULL) ?
> options.remote_forwards[i].listen_path :
> (options.remote_forwards[i].listen_host == NULL) ?
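Review bot: The `char *rdomain;` added to struct channel_connect in the channels.h hunk carries no comment, although the field is heap-owned: connect_to_helper() fills it with xstrdup() and channel_connect_ctx_free() frees it (both in the channels.c hunks on the previous lines), and the callers shown there rely on the `memset(&cctx, 0, sizeof(cctx))` before connect_to_helper() to make that free safe on the early-return paths. A one-line comment would make the ownership explicit, e.g. `char *rdomain;	/* routing domain for connect(); xstrdup'd, freed by channel_connect_ctx_free() */`, in the style of the per-field comments on ForwardPermission. The @@ -4433 hunk in x11_create_display_inet() only inserts a blank line and is unrelated to this change; it should be dropped from the patch.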
>@@ -1691,7 +1691,11 @@ ssh_init_forwarding(struct ssh *ssh, char **ifname)
> (options.remote_forwards[i].connect_path != NULL) ?
> options.remote_forwards[i].connect_path :
> options.remote_forwards[i].connect_host,
>- options.remote_forwards[i].connect_port);
>+ options.remote_forwards[i].connect_port,
>+ options.remote_forwards[i].rdomain != NULL ?
>+ " rdomain " : "",
>+ options.remote_forwards[i].rdomain != NULL ?
>+ options.remote_forwards[i].rdomain : "");
> options.remote_forwards[i].handle =
> channel_request_remote_forwarding(ssh,
> &options.remote_forwards[i]);
>diff --git a/ssh_config.5 b/ssh_config.5
>index 087deb96..eb859c42 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -1347,6 +1347,11 @@ will only succeed if the server's
> .Cm GatewayPorts
> option is enabled (see
> .Xr sshd_config 5 ) .
>+.Pp
>+.Ar bind_address : Ns Ar port : Ns Ar host : Ns Ar hostport : Ns Ar routing_domain
>+can also be used, which makes the
>+.Ar bind_address
>+mandatory, to bind the local port in a specific Routing Domain.
> .It Cm RequestTTY
> Specifies whether to request a pseudo-tty for the session.
> The argument may be one of:
>--
>2.11.0
>
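Review bot: The two `options.remote_forwards[i].rdomain != NULL ? ... : ""` ternaries added to the debug() call in the @@ -1691 hunk repeat the same NULL test back to back, and the identical pair appears twice more in the connect_next() hunks in channels.c; a local such as `const char *rd = options.remote_forwards[i].rdomain;` tested once would keep the format arguments readable. The commit message says the patch adds a fifth RemoteForward field, but the diffstat lists no readconf.c change, so the parsing that populates `rdomain` in struct Forward presumably lives in an earlier patch of this series; naming that dependency in the message would help anyone reviewing this patch on its own. The wording added to ssh.1 and ssh_config.5, "to bind the local port in a specific Routing Domain", does not match what the channels.c hunks do — the routing domain is applied with set_rdomain() to the socket that connects to the local service — so "to connect to the local service in a specific routing domain" would describe the behaviour accurately. ssh_init_forwarding's body continues outside the hunk.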