server: support active connection with md5 protection

Signed-off-by: ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>
author: ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp> 2016-02-28 14:51:24 +0900
committer: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2016-02-29 15:41:37 -0800
commit: 53c5bc0258cede44d3544270309b6dd2e83cf058 (patch)
tree: 2e6c9bcc1e75f53cd219d3b18259b3dc634b2eef /server
parent: 7dd4813776f4ef12b2b76d42e519d7193956fe3a (diff)
4 files changed, 186 insertions, 2 deletions
diff --git a/server/fsm.go b/server/fsm.go
index a18901a5..e4007764 100644
--- a/server/fsm.go
+++ b/server/fsm.go
@@ -313,7 +313,14 @@ func (fsm *FSM) connectLoop() error {
 				}
 
 			} else {
-				conn, err := net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+				var conn net.Conn
+				var err error
+				if fsm.pConf.Config.AuthPassword != "" {
+					deadline := (MIN_CONNECT_RETRY - 1) * 1000 // msec
+					conn, err = DialTCPTimeoutWithMD5Sig(addr, bgp.BGP_PORT, fsm.pConf.Config.AuthPassword, deadline)
+				} else {
+					conn, err = net.DialTimeout("tcp", host, time.Duration(MIN_CONNECT_RETRY-1)*time.Second)
+				}
 				if err == nil {
 					fsm.connCh <- conn
 				} else {
diff --git a/server/sockopt.go b/server/sockopt.go
index 43602036..6361a7ae 100644
--- a/server/sockopt.go
+++ b/server/sockopt.go
@@ -1,3 +1,18 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package server
 
 import (
@@ -51,7 +66,10 @@ func SetTcpMD5SigSockopts(l *net.TCPListener, address string, key string) error
 	_, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, fi.Fd(),
 		uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
 		uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0)
-	return e
+	if e > 0 {
+		return e
+	}
+	return nil
 }
 
 func SetTcpTTLSockopts(conn *net.TCPConn, ttl int) error {
diff --git a/server/sockopt_linux.go b/server/sockopt_linux.go
new file mode 100644
index 00000000..d238823c
--- /dev/null
+++ b/server/sockopt_linux.go
@@ -0,0 +1,132 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// +build linux
+
+package server
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"syscall"
+	"unsafe"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+	var family int
+	var ra syscall.Sockaddr
+
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return nil, fmt.Errorf("invalid ip: %s", host)
+	}
+	switch {
+	case ip.To4() != nil:
+		family = syscall.AF_INET
+		i := &syscall.SockaddrInet4{
+			Port: port,
+		}
+		for idx, _ := range i.Addr {
+			i.Addr[idx] = ip.To4()[idx]
+		}
+		ra = i
+	default:
+		family = syscall.AF_INET6
+		i := &syscall.SockaddrInet6{
+			Port: port,
+		}
+		for idx, _ := range i.Addr {
+			i.Addr[idx] = ip[idx]
+		}
+		ra = i
+	}
+	sotype := syscall.SOCK_STREAM | syscall.SOCK_CLOEXEC
+	proto := 0
+	fd, err := syscall.Socket(family, sotype, proto)
+	if err != nil {
+		return nil, err
+	}
+	t, err := buildTcpMD5Sig(host, key)
+	if err != nil {
+		return nil, err
+	}
+	if _, _, e := syscall.Syscall6(syscall.SYS_SETSOCKOPT, uintptr(fd),
+		uintptr(syscall.IPPROTO_TCP), uintptr(TCP_MD5SIG),
+		uintptr(unsafe.Pointer(&t)), unsafe.Sizeof(t), 0); e > 0 {
+		return nil, os.NewSyscallError("setsockopt", e)
+	}
+	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_BROADCAST, 1); err != nil {
+		return nil, os.NewSyscallError("setsockopt", err)
+	}
+	if err = syscall.SetsockoptInt(fd, syscall.IPPROTO_TCP, syscall.TCP_NODELAY, 1); err != nil {
+		return nil, os.NewSyscallError("setsockopt", err)
+	}
+
+	tcpconn := func(fd uintptr) (*net.TCPConn, error) {
+		fi := os.NewFile(uintptr(fd), "")
+		defer fi.Close()
+		conn, err := net.FileConn(fi)
+		return conn.(*net.TCPConn), err
+	}
+
+	err = syscall.Connect(fd, ra)
+	switch err {
+	case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+		// do timeout handling
+	case nil, syscall.EISCONN:
+		return tcpconn(uintptr(fd))
+	default:
+		return nil, os.NewSyscallError("connect", err)
+	}
+
+	epfd, e := syscall.EpollCreate1(syscall.EPOLL_CLOEXEC)
+	if e != nil {
+		return nil, e
+	}
+	defer syscall.Close(epfd)
+
+	var event syscall.EpollEvent
+	events := make([]syscall.EpollEvent, 1)
+
+	event.Events = syscall.EPOLLIN
+	event.Fd = int32(fd)
+	if e = syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); e != nil {
+		return nil, e
+	}
+
+	for {
+		nevents, e := syscall.EpollWait(epfd, events, msec)
+		if e != nil {
+			return nil, e
+		}
+		if nevents == 0 {
+			return nil, fmt.Errorf("timeout")
+		} else if nevents == 1 && events[0].Fd == int32(fd) {
+			nerr, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_ERROR)
+			if err != nil {
+				return nil, os.NewSyscallError("getsockopt", err)
+			}
+			switch err := syscall.Errno(nerr); err {
+			case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+			case syscall.Errno(0), syscall.EISCONN:
+				return tcpconn(uintptr(fd))
+			default:
+				return nil, os.NewSyscallError("getsockopt", err)
+			}
+		} else {
+			return nil, fmt.Errorf("unexpected epoll behavior")
+		}
+	}
+}
diff --git a/server/sockopt_nonlinux.go b/server/sockopt_nonlinux.go
new file mode 100644
index 00000000..14128f57
--- /dev/null
+++ b/server/sockopt_nonlinux.go
@@ -0,0 +1,27 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// +build !linux
+
+package server
+
+import (
+	"fmt"
+	"net"
+)
+
+func DialTCPTimeoutWithMD5Sig(host string, port int, key string, msec int) (*net.TCPConn, error) {
+	return nil, fmt.Errorf("md5 active connection unsupported")
+}
author	ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>	2016-02-28 14:51:24 +0900
committer	FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>	2016-02-29 15:41:37 -0800
commit	53c5bc0258cede44d3544270309b6dd2e83cf058 (patch)
tree	2e6c9bcc1e75f53cd219d3b18259b3dc634b2eef /server
parent	7dd4813776f4ef12b2b76d42e519d7193956fe3a (diff)