summaryrefslogtreecommitdiffhomepage
path: root/server
diff options
context:
space:
mode:
authorISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>2016-02-28 14:51:24 +0900
committerFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>2016-02-29 15:41:37 -0800
commit53c5bc0258cede44d3544270309b6dd2e83cf058 (patch)
tree2e6c9bcc1e75f53cd219d3b18259b3dc634b2eef /server
parent7dd4813776f4ef12b2b76d42e519d7193956fe3a (diff)
server: support active connection with md5 protection
Signed-off-by: ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>
Diffstat (limited to 'server')
-rw-r--r--server/fsm.go9
-rw-r--r--server/sockopt.go20
-rw-r--r--server/sockopt_linux.go132
-rw-r--r--server/sockopt_nonlinux.go27
4 files changed, 186 insertions, 2 deletions
diff --git a/server/fsm.go b/server/fsm.go
index a18901a5..e4007764 100644
--- a/server/fsm.go
+++ b/server/fsm.go
@@ -313,7 +313,14 @@ func (fsm *FSM) connectLoop() error {
}
} else {
- conn, err := net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+ var conn net.Conn
+ var err error
+ if fsm.pConf.Config.AuthPassword != "" {
+ deadline := (MIN_CONNECT_RETRY - 1) * 1000 // msec
+ conn, err = DialTCPTimeoutWithMD5Sig(addr, bgp.BGP_PORT, fsm.pConf.Config.AuthPassword, deadline)
+ } else {
+ conn, err = net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+ }
if err == nil {
fsm.connCh <- conn
} else {
diff --git a/server/sockopt.go b/server/sockopt.go
index 43602036..6361a7ae 100644
--- a/server/sockopt.go
+++ b/server/sockopt.go
@@ -1,3 +1,18 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
package server
import (
@@ -51,7 +66,10 @@ func SetTcpMD5SigSockopts(l *net.TCPListener, address string, key string) error
_, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, fi.Fd(),
uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0)
- return e
+ if e > 0 {
+ return e
+ }
+ return nil
}
func SetTcpTTLSockopts(conn *net.TCPConn, ttl int) error {
diff --git a/server/sockopt_linux.go b/server/sockopt_linux.go
new file mode 100644
index 00000000..d238823c
--- /dev/null
+++ b/server/sockopt_linux.go
@@ -0,0 +1,132 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// +build linux
+
+package server
+
+import (
+ "fmt"
+ "net"
+ "os"
+ "syscall"
+ "unsafe"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+ var family int
+ var ra syscall.Sockaddr
+
+ ip := net.ParseIP(host)
+ if ip == nil {
+ return nil, fmt.Errorf("invalid ip: %s", host)
+ }
+ switch {
+ case ip.To4() != nil:
+ family = syscall.AF_INET
+ i := &syscall.SockaddrInet4{
+ Port: port,
+ }
+ for idx, _ := range i.Addr {
+ i.Addr[idx] = ip.To4()[idx]
+ }
+ ra = i
+ default:
+ family = syscall.AF_INET6
+ i := &syscall.SockaddrInet6{
+ Port: port,
+ }
+ for idx, _ := range i.Addr {
+ i.Addr[idx] = ip[idx]
+ }
+ ra = i
+ }
+ sotype := syscall.SOCK_STREAM | syscall.SOCK_CLOEXEC
+ proto := 0
+ fd, err := syscall.Socket(family, sotype, proto)
+ if err != nil {
+ return nil, err
+ }
+ t, err := buildTcpMD5Sig(host, key)
+ if err != nil {
+ return nil, err
+ }
+ if _, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, uintptr(fd),
+ uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
+ uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0); e > 0 {
+ return nil, os.NewSyscallError("setsockopt", e)
+ }
+ if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_BROADCAST, 1); err != nil {
+ return nil, os.NewSyscallError("setsockopt", err)
+ }
+ if err = syscall.SetsockoptInt(fd, syscall.IPPROTO_TCP, syscall.TCP_NODELAY, 1); err != nil {
+ return nil, os.NewSyscallError("setsockopt", err)
+ }
+
+ tcpconn := func(fd uintptr) (*net.TCPConn, error) {
+ fi := os.NewFile(uintptr(fd), "")
+ defer fi.Close()
+ conn, err := net.FileConn(fi)
+ return conn.(*net.TCPConn), err
+ }
+
+ err = syscall.Connect(fd, ra)
+ switch err {
+ case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+ // do timeout handling
+ case nil, syscall.EISCONN:
+ return tcpconn(uintptr(fd))
+ default:
+ return nil, os.NewSyscallError("connect", err)
+ }
+
+ epfd, e := syscall.EpollCreate1(syscall.EPOLL_CLOEXEC)
+ if e != nil {
+ return nil, e
+ }
+ defer syscall.Close(epfd)
+
+ var event syscall.EpollEvent
+ events := make([]syscall.EpollEvent, 1)
+
+ event.Events = syscall.EPOLLIN
+ event.Fd = int32(fd)
+ if e = syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); e != nil {
+ return nil, e
+ }
+
+ for {
+ nevents, e := syscall.EpollWait(epfd, events, msec)
+ if e != nil {
+ return nil, e
+ }
+ if nevents == 0 {
+ return nil, fmt.Errorf("timeout")
+ } else if nevents == 1 && events[0].Fd == int32(fd) {
+ nerr, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_ERROR)
+ if err != nil {
+ return nil, os.NewSyscallError("getsockopt", err)
+ }
+ switch err := syscall.Errno(nerr); err {
+ case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+ case syscall.Errno(0), syscall.EISCONN:
+ return tcpconn(uintptr(fd))
+ default:
+ return nil, os.NewSyscallError("getsockopt", err)
+ }
+ } else {
+ return nil, fmt.Errorf("unexpected epoll behavior")
+ }
+ }
+}
diff --git a/server/sockopt_nonlinux.go b/server/sockopt_nonlinux.go
new file mode 100644
index 00000000..14128f57
--- /dev/null
+++ b/server/sockopt_nonlinux.go
@@ -0,0 +1,27 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// +build !linux
+
+package server
+
+import (
+ "fmt"
+ "net"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+ return nil, fmt.Errorf("md5 active connection unsupported")
+}