-rw-r--r--docs/sources/configuration.md6
-rw-r--r--server/fsm.go28
2 files changed, 30 insertions, 4 deletions
diff --git a/docs/sources/configuration.md b/docs/sources/configuration.md
index 441cade2..e308b3ab 100644
--- a/docs/sources/configuration.md
+++ b/docs/sources/configuration.md
@@ -131,6 +131,12 @@
default-in-policy = "reject-route"
[neighbors.route-server.config]
route-server-client = true
+ # To enable TTL Security, uncomment the following.
+ # Please note that this feature is mututally exclusive with
+ # "neighbors.ebgp-multihop.config".
+ #[neighbors.ttl-security.config]
+ # enabled = true
+ # ttl-min = 255 # 255 means directly connected
[[peer-groups]]
[peer-groups.config]
diff --git a/server/fsm.go b/server/fsm.go
index 2c01c14d..4f19bc39 100644
--- a/server/fsm.go
+++ b/server/fsm.go
@@ -487,13 +487,33 @@ func (h *FSMHandler) active() (bgp.FSMState, FsmStateReason) {
break
}
fsm.conn = conn
- if fsm.pConf.Config.PeerAs != 0 && fsm.pConf.Config.PeerType == config.PEER_TYPE_EXTERNAL {
- ttl := 1
+ ttl := 0
+ ttlMin := 0
+ if fsm.pConf.TtlSecurity.Config.Enabled {
+ ttl = 255
+ ttlMin = int(fsm.pConf.TtlSecurity.Config.TtlMin)
+ } else if fsm.pConf.Config.PeerAs != 0 && fsm.pConf.Config.PeerType == config.PEER_TYPE_EXTERNAL {
+ ttl = 1
if fsm.pConf.EbgpMultihop.Config.Enabled {
ttl = int(fsm.pConf.EbgpMultihop.Config.MultihopTtl)
}
- if ttl != 0 {
- SetTcpTTLSockopts(conn.(*net.TCPConn), ttl)
+ }
+ if ttl != 0 {
+ if err := SetTcpTTLSockopts(conn.(*net.TCPConn), ttl); err != nil {
+ log.WithFields(log.Fields{
+ "Topic": "Peer",
+ "Key": fsm.pConf.Config.NeighborAddress,
+ "State": fsm.state.String(),
+ }).Warnf("cannot set TTL(=%d) for peer: %s", ttl, err)
+ }
+ }
+ if ttlMin != 0 {
+ if err := SetTcpMinTTLSockopts(conn.(*net.TCPConn), ttlMin); err != nil {
+ log.WithFields(log.Fields{
+ "Topic": "Peer",
+ "Key": fsm.pConf.Config.NeighborAddress,
+ "State": fsm.state.String(),
+ }).Warnf("cannot set minimal TTL(=%d) for peer: %s", ttl, err)
}
}
// we don't implement delayed open timer so move to opensent right
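Review bot: The warning in the SetTcpMinTTLSockopts failure branch formats `ttl` instead of `ttlMin`, so when TTL security is enabled the log reports 255 rather than the minimum TTL that failed to apply; the line should read `}).Warnf("cannot set minimal TTL(=%d) for peer: %s", ttlMin, err)`. Both sockopt failures only log and fall through, so with TTL security enabled a failed min-TTL setsockopt leaves the session up without the inbound hop-count check the operator asked for — worth a comment at the `if ttlMin != 0 {` line such as `// NOTE: on failure the session continues without GTSM filtering; only a warning is logged`, or a decision to treat it as a connect failure like the `break` above. Whether SetTcpMinTTLSockopts returns an error or silently succeeds on platforms that lack the option is not visible here and should be confirmed before relying on the warning. The enclosing active() begins at the hunk header and its body continues past the end of the hunk.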