-rw-r--r-- | usr.sbin/bgpd/bgpd.conf.5 | 8 | ||||
-rw-r--r-- | usr.sbin/bgpd/session.c | 19 |
2 files changed, 23 insertions, 4 deletions
diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index e1b094fa5e6..4e53c5778ea 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.124 2013/01/02 15:06:46 florian Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.125 2013/05/30 10:13:58 sthen Exp $
 .\"
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 2 2013 $
+.Dd $Mdocdate: May 30 2013 $
 .Dt BGPD.CONF 5
 .Os
 .Sh NAME
@@ -960,6 +960,10 @@ incoming packets are required to have a TTL of 256 minus multihop distance,
 ensuring they have not passed through more than the expected number of hops.
 The default is
 .Ic no .
+.Pp
+There is currently only partial support for ttl-security with IPv6:
+the TTL of outgoing packets is set,
+but no check is made for the TTL of incoming packets.
 .El
 .Sh FILTER
 .Xr bgpd 8
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 5498ed1fe65..795efad892e 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.329 2013/03/20 04:01:42 deraadt Exp $ */
+/* $OpenBSD: session.c,v 1.330 2013/05/30 10:13:58 sthen Exp $ */
 
 /*
  * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -164,6 +164,11 @@ setup_listeners(u_int *la_cnt)
 			log_warn("setup_listeners setsockopt TTL");
 			continue;
 		}
+		if (la->sa.ss_family == AF_INET6 && setsockopt(la->fd,
+		    IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl)) == -1) {
+			log_warn("setup_listeners setsockopt hoplimit");
+			continue;
+		}
 		session_socket_blockmode(la->fd, BM_NONBLOCK);
@@ -1230,7 +1235,17 @@ session_setup_socket(struct peer *p)
 		break;
 	case AID_INET6:
 		if (p->conf.ebgp) {
-			/* set hoplimit to foreign router's distance */
+			/* set hoplimit to foreign router's distance
+			   1=direct n=multihop with ttlsec, we always use 255 */
+			if (p->conf.ttlsec) {
+				/*
+				 * XXX Kernel has no ip6 equivalent of MINTTL yet so
+				 * we can't check incoming packets, but we can at least
+				 * set the outgoing TTL to allow sessions configured
+				 * with ttl-security to come up.
+				 */
+				ttl = 255;
+			}
 			if (setsockopt(p->fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
 			    &ttl, sizeof(ttl)) == -1) {
 				log_peer_warn(&p->conf, |
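Review bot: The new `if (p->conf.ttlsec)` branch lets an IPv6 session configured with ttl-security come up by forcing `ttl = 255`, but, as the XXX comment itself states, nothing enforces a minimum hop limit on received packets, so the inbound TTL check that the manual page describes for this option is silently absent for such peers while the configuration reads as if it were in effect. The bgpd.conf.5 change records this, yet nothing at runtime tells an operator that a given session is running without the check; I would emit it once where the socket is set up, e.g. `log_peer_warnx(&p->conf, "ttl-security: incoming hop limit not checked for IPv6");` inside the `if (p->conf.ttlsec)` block, so it appears next to the affected peer. The literal `255` also deserves a named constant shared with the IPv4 TTL path, if one exists elsewhere in the function. session_setup_socket begins and ends outside this hunk.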