

[src/trunk]: src/usr.sbin/traceroute configure IPsec policy on sending/receiv...



details:   https://anonhg.NetBSD.org/src/rev/f85966c1127f
branches:  trunk
changeset: 476000:f85966c1127f
user:      itojun <itojun%NetBSD.org@localhost>
date:      Fri Sep 03 03:10:38 1999 +0000

description:
configure IPsec policy on sending/receiving socket for bypassing IPsec.

If an IPsec default policy is configured for the destination,
traceroute will never succeed (because an encrypted ICMP time-exceeded
reply is unrecognizable to it).

diffstat:

 usr.sbin/traceroute/Makefile     |   6 ++-
 usr.sbin/traceroute/traceroute.c |  85 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 88 insertions(+), 3 deletions(-)

diffs (140 lines):

diff -r 9fbe059a6198 -r f85966c1127f usr.sbin/traceroute/Makefile
--- a/usr.sbin/traceroute/Makefile      Fri Sep 03 01:49:16 1999 +0000
+++ b/usr.sbin/traceroute/Makefile      Fri Sep 03 03:10:38 1999 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.9 1999/02/26 22:43:03 christos Exp $      
+#      $NetBSD: Makefile,v 1.10 1999/09/03 03:10:38 itojun Exp $       
 
 PROG=  traceroute
 MAN=   traceroute.8 
@@ -7,6 +7,10 @@
 CPPFLAGS+=-DHAVE_STRERROR=1 -DHAVE_SETLINEBUF=1 -DHAVE_SOCKADDR_SA_LEN=1 
 CPPFLAGS+=-DHAVE_RAW_OPTIONS=1
 
+CPPFLAGS+=-DIPSEC
+LDADD+=        -lipsec
+DPADD+=        ${LIBIPSEC}
+
 BINOWN= root
 BINMODE=4555
 
diff -r 9fbe059a6198 -r f85966c1127f usr.sbin/traceroute/traceroute.c
--- a/usr.sbin/traceroute/traceroute.c  Fri Sep 03 01:49:16 1999 +0000
+++ b/usr.sbin/traceroute/traceroute.c  Fri Sep 03 03:10:38 1999 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: traceroute.c,v 1.36 1999/06/19 05:07:44 kim Exp $      */
+/*     $NetBSD: traceroute.c,v 1.37 1999/09/03 03:10:38 itojun Exp $   */
 
 /*
  * Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996, 1997
@@ -29,7 +29,7 @@
 #else
 __COPYRIGHT("@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996, 1997\n\
 The Regents of the University of California.  All rights reserved.\n");
-__RCSID("$NetBSD: traceroute.c,v 1.36 1999/06/19 05:07:44 kim Exp $");
+__RCSID("$NetBSD: traceroute.c,v 1.37 1999/09/03 03:10:38 itojun Exp $");
 #endif
 #endif
 
@@ -234,6 +234,10 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#ifdef IPSEC
+#include <net/route.h>
+#include <netinet6/ipsec.h>
+#endif
 
 #include "gnuc.h"
 #ifdef HAVE_OS_PROTO_H
@@ -619,6 +623,44 @@
        if (options & SO_DONTROUTE)
                (void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&on,
                    sizeof(on));
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+    {
+       int len;
+       char buf[16];
+
+       /*
+        * do not raise error even if setsockopt fails, kernel may have ipsec
+        * turned off.
+        */
+       if ((len = ipsec_set_policy(buf, sizeof(buf), "bypass")) < 0) {
+               Fprintf(stderr, "%s: %s\n", prog, ipsec_strerror());
+               exit(1);
+       }
+       (void)setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, buf, len);
+    }
+#else
+    {
+       int level = IPSEC_LEVEL_AVAIL;
+
+       (void)setsockopt(s, IPPROTO_IP, IP_ESP_TRANS_LEVEL, &level,
+               sizeof(level));
+       (void)setsockopt(s, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, &level,
+               sizeof(level));
+#ifdef IP_AUTH_TRANS_LEVEL
+       (void)setsockopt(s, IPPROTO_IP, IP_AUTH_TRANS_LEVEL, &level,
+               sizeof(level));
+#else
+       (void)setsockopt(s, IPPROTO_IP, IP_AUTH_LEVEL, &level,
+               sizeof(level));
+#endif
+#ifdef IP_AUTH_NETWORK_LEVEL
+       (void)setsockopt(s, IPPROTO_IP, IP_AUTH_NETWORK_LEVEL, &level,
+               sizeof(level));
+#endif
+    }
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif /*IPSEC*/
 
 #ifndef __hpux
        sndsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
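Review bot: The return value of the setsockopt(IP_IPSEC_POLICY) call on the receive socket is discarded, so if the kernel rejects the bypass policy for any reason other than IPsec being compiled out (the case the comment anticipates), traceroute silently runs with the default policy and fails in exactly the way the commit message describes, with no diagnostic. Since the comment already expresses the intent, make the suppression selective rather than blanket: `if (setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, buf, len) < 0 && errno != ENOPROTOOPT) Fprintf(stderr, "%s: IP_IPSEC_POLICY: %s\n", prog, strerror(errno));` — the exact errno a non-IPsec kernel returns for this option should be confirmed before picking the value to ignore. The fallback branch sets `IPSEC_LEVEL_AVAIL` on this socket while the send socket in the next hunk gets `IPSEC_LEVEL_BYPASS`; if that asymmetry is deliberate (accept both plain and protected ICMP on the way in), a one-line comment such as `/* receive side: accept replies whether or not they arrive under IPsec */` would keep a later reader from "fixing" it. This hunk sits in the middle of main(), which begins and ends outside it.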
@@ -631,6 +673,45 @@
                exit(1);
        }
 
+#ifdef IPSEC
+#ifdef IPSEC_POLICY_IPSEC
+    {
+       int len;
+       char buf[16];
+
+       /*
+        * do not raise error even if setsockopt fails, kernel may have ipsec
+        * turned off.
+        */
+       if ((len = ipsec_set_policy(buf, sizeof(buf), "bypass")) < 0) {
+               Fprintf(stderr, "%s: %s\n", prog, ipsec_strerror());
+               exit(1);
+       }
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_IPSEC_POLICY, buf, len);
+    }
+#else
+    {
+       int level = IPSEC_LEVEL_BYPASS;
+
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_ESP_TRANS_LEVEL, &level,
+               sizeof(level));
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_ESP_NETWORK_LEVEL, &level,
+               sizeof(level));
+#ifdef IP_AUTH_TRANS_LEVEL
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_AUTH_TRANS_LEVEL, &level,
+               sizeof(level));
+#else
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_AUTH_LEVEL, &level,
+               sizeof(level));
+#endif
+#ifdef IP_AUTH_NETWORK_LEVEL
+       (void)setsockopt(sndsock, IPPROTO_IP, IP_AUTH_NETWORK_LEVEL, &level,
+               sizeof(level));
+#endif
+    }
+#endif /*IPSEC_POLICY_IPSEC*/
+#endif /*IPSEC*/
+
        /* Revert to non-privileged user after opening sockets */
        setuid(getuid());
 


