From 3377413b2b5aaca180b68a20738e0f16f54b3c52 Mon Sep 17 00:00:00 2001
From: jca
Date: Tue, 28 Jun 2016 16:59:14 +0000
Subject: [PATCH] Use IPV6_MINHOPCOUNT to finish implementing ttl-security for IPv6.

ok renato@ deraadt@
---
 usr.sbin/bgpd/bgpd.conf.5 | 8 ++------
 usr.sbin/bgpd/session.c | 17 ++++++++++-------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5
index 3cd14e0d261..09161d6a4fb 100644
--- a/usr.sbin/bgpd/bgpd.conf.5
+++ b/usr.sbin/bgpd/bgpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.143 2016/06/11 11:43:02 tobias Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.144 2016/06/28 16:59:14 jca Exp $
 .\"
 .\" Copyright (c) 2004 Claudio Jeker
 .\" Copyright (c) 2003, 2004 Henning Brauer
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 11 2016 $
+.Dd $Mdocdate: June 28 2016 $
 .Dt BGPD.CONF 5
 .Os
 .Sh NAME
@@ -972,10 +972,6 @@ incoming packets are required to have a TTL of 256 minus multihop distance,
 ensuring they have not passed through more than the expected number of hops.
 The default is
 .Ic no .
-.Pp
-There is currently only partial support for ttl-security with IPv6:
-the TTL of outgoing packets is set,
-but no check is made for the TTL of incoming packets.
 .El
 .Sh FILTER
 .Xr bgpd 8
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index a71339e8da2..545347a546d 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.348 2016/06/06 15:59:10 benno Exp $ */
+/* $OpenBSD: session.c,v 1.349 2016/06/28 16:59:14 jca Exp $ */
 /*
  * Copyright (c) 2003, 2004, 2005 Henning Brauer
@@ -1201,12 +1201,15 @@ session_setup_socket(struct peer *p)
 		/* set hoplimit to foreign router's distance
 		   1=direct n=multihop with ttlsec, we always use 255 */
 		if (p->conf.ttlsec) {
-			/*
-			 * XXX Kernel has no ip6 equivalent of MINTTL yet so
-			 * we can't check incoming packets, but we can at least
-			 * set the outgoing TTL to allow sessions configured
-			 * with ttl-security to come up.
-			 */
+			ttl = 256 - p->conf.distance;
+			if (setsockopt(p->fd, IPPROTO_IPV6,
+			    IPV6_MINHOPCOUNT, &ttl, sizeof(ttl))
+			    == -1) {
+				log_peer_warn(&p->conf,
+				    "session_setup_socket: "
+				    "setsockopt MINHOPCOUNT");
+				return (-1);
+			}
 			ttl = 255;
 		}
 		if (setsockopt(p->fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
-- 
2.20.1
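Review bot: The new `ttl = 256 - p->conf.distance;` line carries no explanation of the floor now that the removed XXX block is gone, and the surrounding comment only documents the outgoing 255. I would add above it `/* GTSM: peers send hop limit 255, so a packet that crossed distance-1 hops still arrives with at least 256 - distance */`. The value is only a valid hop limit if the parser keeps distance within 1..255; with distance 0 the setsockopt presumably fails at session setup rather than at config load, so it is worth confirming that the IPv4 branch relies on the same range guarantee. session_setup_socket starts and ends outside this hunk, and since the floor is installed on p->fd, if that descriptor can be an accepted socket the TCP handshake has already completed before the kernel starts discarding low-hop-limit segments; that remaining gap on the listening side may deserve a sentence in the manual page where the old caveat was removed.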