server: support active connection with md5 protection

Signed-off-by: ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>

8 files changed, 199 insertions, 6 deletions

diff --git a/server/fsm.go b/server/fsm.go
index a18901a5..e4007764 100644
--- a/server/fsm.go
+++ b/server/fsm.go
@@ -313,7 +313,14 @@ func (fsm *FSM) connectLoop() error {
 				}
 
 			} else {
-				conn, err := net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+				var conn net.Conn
+				var err error
+				if fsm.pConf.Config.AuthPassword != "" {
+					deadline := (MIN_CONNECT_RETRY - 1) * 1000 // msec
+					conn, err = DialTCPTimeoutWithMD5Sig(addr, bgp.BGP_PORT, fsm.pConf.Config.AuthPassword, deadline)
+				} else {
+					conn, err = net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+				}
 				if err == nil {
 					fsm.connCh <- conn
 				} else {
diff --git a/server/sockopt.go b/server/sockopt.go
index 43602036..6361a7ae 100644
--- a/server/sockopt.go
+++ b/server/sockopt.go
@@ -1,3 +1,18 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package server
 
 import (
@@ -51,7 +66,10 @@ func SetTcpMD5SigSockopts(l *net.TCPListener, address string, key string) error
 	_, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, fi.Fd(),
 		uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
 		uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0)
-	return e
+	if e > 0 {
+		return e
+	}
+	return nil
 }
 
 func SetTcpTTLSockopts(conn *net.TCPConn, ttl int) error {
diff --git a/server/sockopt_linux.go b/server/sockopt_linux.go
new file mode 100644
index 00000000..d238823c
--- /dev/null
+++ b/server/sockopt_linux.go
@@ -0,0 +1,132 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// +build linux
+
+package server
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"syscall"
+	"unsafe"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+	var family int
+	var ra syscall.Sockaddr
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return nil, fmt.Errorf("invalid ip: %s", host)
+	}
+	switch {
+	case ip.To4() != nil:
+		family = syscall.AF_INET
+		i := &syscall.SockaddrInet4{
+			Port: port,
+		}
+		for idx, _ := range i.Addr {
+			i.Addr[idx] = ip.To4()[idx]
+		}
+		ra = i
+	default:
+		family = syscall.AF_INET6
+		i := &syscall.SockaddrInet6{
+			Port: port,
+		}
+		for idx, _ := range i.Addr {
+			i.Addr[idx] = ip[idx]
+		}
+		ra = i
+	}
+	sotype := syscall.SOCK_STREAM | syscall.SOCK_CLOEXEC
+	proto := 0
+	fd, err := syscall.Socket(family, sotype, proto)
+	if err != nil {
+		return nil, err
+	}
+	t, err := buildTcpMD5Sig(host, key)
+	if err != nil {
+		return nil, err
+	}
+	if _, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, uintptr(fd),
+		uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
+		uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0); e > 0 {
+		return nil, os.NewSyscallError("setsockopt", e)
+	}
+	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_BROADCAST, 1); err != nil {
+		return nil, os.NewSyscallError("setsockopt", err)
+	}
+	if err = syscall.SetsockoptInt(fd, syscall.IPPROTO_TCP, syscall.TCP_NODELAY, 1); err != nil {
+		return nil, os.NewSyscallError("setsockopt", err)
+	}
+
+	tcpconn := func(fd uintptr) (*net.TCPConn, error) {
+		fi := os.NewFile(uintptr(fd), "")
+		defer fi.Close()
+		conn, err := net.FileConn(fi)
+		return conn.(*net.TCPConn), err
+	}
+
+	err = syscall.Connect(fd, ra)
+	switch err {
+	case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+		// do timeout handling
+	case nil, syscall.EISCONN:
+		return tcpconn(uintptr(fd))
+	default:
+		return nil, os.NewSyscallError("connect", err)
+	}
+
+	epfd, e := syscall.EpollCreate1(syscall.EPOLL_CLOEXEC)
+	if e != nil {
+		return nil, e
+	}
+	defer syscall.Close(epfd)
+
+	var event syscall.EpollEvent
+	events := make([]syscall.EpollEvent, 1)
+
+	event.Events = syscall.EPOLLIN
+	event.Fd = int32(fd)
+	if e = syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); e != nil {
+		return nil, e
+	}
+
+	for {
+		nevents, e := syscall.EpollWait(epfd, events, msec)
+		if e != nil {
+			return nil, e
+		}
+		if nevents == 0 {
+			return nil, fmt.Errorf("timeout")
+		} else if nevents == 1 && events[0].Fd == int32(fd) {
+			nerr, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_ERROR)
+			if err != nil {
+				return nil, os.NewSyscallError("getsockopt", err)
+			}
+			switch err := syscall.Errno(nerr); err {
+			case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+			case syscall.Errno(0), syscall.EISCONN:
+				return tcpconn(uintptr(fd))
+			default:
+				return nil, os.NewSyscallError("getsockopt", err)
+			}
+		} else {
+			return nil, fmt.Errorf("unexpected epoll behavior")
+		}
+	}
+}
diff --git a/server/sockopt_nonlinux.go b/server/sockopt_nonlinux.go
new file mode 100644
index 00000000..14128f57
--- /dev/null
+++ b/server/sockopt_nonlinux.go
@@ -0,0 +1,27 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// +build !linux
+
+package server
+
+import (
+	"fmt"
+	"net"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+	return nil, fmt.Errorf("md5 active connection unsupported")
+}
diff --git a/test/lib/exabgp.py b/test/lib/exabgp.py
index af6b6e0c..5de3d65b 100644
--- a/test/lib/exabgp.py
+++ b/test/lib/exabgp.py
@@ -30,6 +30,7 @@ class ExaBGPContainer(BGPContainer):
     def _start_exabgp(self):
         cmd = CmdBuffer(' ')
         cmd << 'env exabgp.log.destination={0}/exabgpd.log'.format(self.SHARED_VOLUME)
+        cmd << "exabgp.tcp.bind='0.0.0.0' exabgp.tcp.port=179"
         cmd << './exabgp/sbin/exabgp {0}/exabgpd.conf'.format(self.SHARED_VOLUME)
         self.local(str(cmd), flag='-d')
 
@@ -74,6 +75,12 @@ class ExaBGPContainer(BGPContainer):
                 cmd << '        asn4 disable;'
                 cmd << '    }'
 
+            if info['passwd']:
+                cmd << '    md5 "{0}";'.format(info['passwd'])
+
+            if info['passive']:
+                cmd << '    passive;'
+
             routes = [r for r in self.routes.values() if r['rf'] == 'ipv4' or r['rf'] == 'ipv6']
 
             if len(routes) > 0:
diff --git a/test/lib/quagga.py b/test/lib/quagga.py
index 81c8f666..e76c7a8b 100644
--- a/test/lib/quagga.py
+++ b/test/lib/quagga.py
@@ -197,6 +197,8 @@ class QuaggaBGPContainer(BGPContainer):
                                                              direction)
             if info['passwd']:
                 c << 'neighbor {0} password {1}'.format(n_addr, info['passwd'])
+            if info['passive']:
+                c << 'neighbor {0} passive'.format(n_addr)
             if version == 6:
                 c << 'address-family ipv6 unicast'
                 c << 'neighbor {0} activate'.format(n_addr)
diff --git a/test/scenario_test/bgp_router_test.py b/test/scenario_test/bgp_router_test.py
index b03d0ed2..3bac02ff 100644
--- a/test/scenario_test/bgp_router_test.py
+++ b/test/scenario_test/bgp_router_test.py
@@ -53,8 +53,8 @@ class GoBGPTestBase(unittest.TestCase):
         time.sleep(initial_wait_time)
 
         for q in qs:
-            g1.add_peer(q, reload_config=False)
-            q.add_peer(g1)
+            g1.add_peer(q, reload_config=False, passwd='passwd')
+            q.add_peer(g1, passwd='passwd', passive=True)
 
         g1.create_config()
         g1.reload_config()
diff --git a/test/scenario_test/evpn_test.py b/test/scenario_test/evpn_test.py
index b718bd3d..7920bf2b 100644
--- a/test/scenario_test/evpn_test.py
+++ b/test/scenario_test/evpn_test.py
@@ -58,8 +58,8 @@ class GoBGPTestBase(unittest.TestCase):
         time.sleep(initial_wait_time)
 
         for a, b in combinations(ctns, 2):
-            a.add_peer(b, evpn=True)
-            b.add_peer(a, evpn=True)
+            a.add_peer(b, evpn=True, passwd='evpn')
+            b.add_peer(a, evpn=True, passwd='evpn')
 
         cls.g1 = g1
         cls.g2 = g2