summaryrefslogtreecommitdiffhomepage
path: root/pkg/server/sockopt_linux.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/server/sockopt_linux.go')
-rw-r--r--pkg/server/sockopt_linux.go282
1 files changed, 282 insertions, 0 deletions
diff --git a/pkg/server/sockopt_linux.go b/pkg/server/sockopt_linux.go
new file mode 100644
index 00000000..9fe02ba5
--- /dev/null
+++ b/pkg/server/sockopt_linux.go
@@ -0,0 +1,282 @@
+// Copyright (C) 2016 Nippon Telegraph and Telephone Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// +build linux
+
+package server
+
+import (
+ "fmt"
+ "net"
+ "os"
+ "syscall"
+ "unsafe"
+)
+
+const (
+ TCP_MD5SIG = 14 // TCP MD5 Signature (RFC2385)
+ IPV6_MINHOPCOUNT = 73 // Generalized TTL Security Mechanism (RFC5082)
+)
+
+type tcpmd5sig struct {
+ ss_family uint16
+ ss [126]byte
+ // padding the struct
+ _ uint16
+ keylen uint16
+ // padding the struct
+ _ uint32
+ key [80]byte
+}
+
+func buildTcpMD5Sig(address string, key string) (tcpmd5sig, error) {
+ t := tcpmd5sig{}
+ addr := net.ParseIP(address)
+ if addr.To4() != nil {
+ t.ss_family = syscall.AF_INET
+ copy(t.ss[2:], addr.To4())
+ } else {
+ t.ss_family = syscall.AF_INET6
+ copy(t.ss[6:], addr.To16())
+ }
+
+ t.keylen = uint16(len(key))
+ copy(t.key[0:], []byte(key))
+
+ return t, nil
+}
+
+func setsockoptTcpMD5Sig(fd int, address string, key string) error {
+ t, err := buildTcpMD5Sig(address, key)
+ if err != nil {
+ return err
+ }
+ b := *(*[unsafe.Sizeof(t)]byte)(unsafe.Pointer(&t))
+ return os.NewSyscallError("setsockopt", syscall.SetsockoptString(fd, syscall.IPPROTO_TCP, TCP_MD5SIG, string(b[:])))
+}
+
+func SetTcpMD5SigSockopt(l *net.TCPListener, address string, key string) error {
+ fi, _, err := extractFileAndFamilyFromTCPListener(l)
+ if err != nil {
+ return err
+ }
+ defer fi.Close()
+
+ return setsockoptTcpMD5Sig(int(fi.Fd()), address, key)
+}
+
+func setsockoptIpTtl(fd int, family int, value int) error {
+ level := syscall.IPPROTO_IP
+ name := syscall.IP_TTL
+ if family == syscall.AF_INET6 {
+ level = syscall.IPPROTO_IPV6
+ name = syscall.IPV6_UNICAST_HOPS
+ }
+ return os.NewSyscallError("setsockopt", syscall.SetsockoptInt(fd, level, name, value))
+}
+
+func SetListenTcpTTLSockopt(l *net.TCPListener, ttl int) error {
+ fi, family, err := extractFileAndFamilyFromTCPListener(l)
+ if err != nil {
+ return err
+ }
+ defer fi.Close()
+
+ return setsockoptIpTtl(int(fi.Fd()), family, ttl)
+}
+
+func SetTcpTTLSockopt(conn *net.TCPConn, ttl int) error {
+ fi, family, err := extractFileAndFamilyFromTCPConn(conn)
+ if err != nil {
+ return err
+ }
+ defer fi.Close()
+
+ return setsockoptIpTtl(int(fi.Fd()), family, ttl)
+}
+
+func setsockoptIpMinTtl(fd int, family int, value int) error {
+ level := syscall.IPPROTO_IP
+ name := syscall.IP_MINTTL
+ if family == syscall.AF_INET6 {
+ level = syscall.IPPROTO_IPV6
+ name = IPV6_MINHOPCOUNT
+ }
+ return os.NewSyscallError("setsockopt", syscall.SetsockoptInt(fd, level, name, value))
+}
+
+func SetTcpMinTTLSockopt(conn *net.TCPConn, ttl int) error {
+ fi, family, err := extractFileAndFamilyFromTCPConn(conn)
+ if err != nil {
+ return err
+ }
+ defer fi.Close()
+
+ return setsockoptIpMinTtl(int(fi.Fd()), family, ttl)
+}
+
+type TCPDialer struct {
+ net.Dialer
+
+ // MD5 authentication password.
+ AuthPassword string
+
+ // The TTL value to set outgoing connection.
+ Ttl uint8
+
+ // The minimum TTL value for incoming packets.
+ TtlMin uint8
+}
+
+func (d *TCPDialer) DialTCP(addr string, port int) (*net.TCPConn, error) {
+ var family int
+ var ra, la syscall.Sockaddr
+
+ raddr, err := net.ResolveTCPAddr("tcp", net.JoinHostPort(addr, fmt.Sprintf("%d", port)))
+ if err != nil {
+ return nil, fmt.Errorf("invalid remote address: %s", err)
+ }
+ laddr, err := net.ResolveTCPAddr("tcp", d.LocalAddr.String())
+ if err != nil {
+ return nil, fmt.Errorf("invalid local address: %s", err)
+ }
+ if raddr.IP.To4() != nil {
+ family = syscall.AF_INET
+ rsockaddr := &syscall.SockaddrInet4{Port: port}
+ copy(rsockaddr.Addr[:], raddr.IP.To4())
+ ra = rsockaddr
+ lsockaddr := &syscall.SockaddrInet4{}
+ copy(lsockaddr.Addr[:], laddr.IP.To4())
+ la = lsockaddr
+ } else {
+ family = syscall.AF_INET6
+ rsockaddr := &syscall.SockaddrInet6{Port: port}
+ copy(rsockaddr.Addr[:], raddr.IP.To16())
+ ra = rsockaddr
+ var zone uint32
+ if laddr.Zone != "" {
+ if intf, err := net.InterfaceByName(laddr.Zone); err != nil {
+ return nil, err
+ } else {
+ zone = uint32(intf.Index)
+ }
+ }
+ lsockaddr := &syscall.SockaddrInet6{ZoneId: zone}
+ copy(lsockaddr.Addr[:], laddr.IP.To16())
+ la = lsockaddr
+ }
+
+ sockType := syscall.SOCK_STREAM | syscall.SOCK_CLOEXEC | syscall.SOCK_NONBLOCK
+ proto := 0
+ fd, err := syscall.Socket(family, sockType, proto)
+ if err != nil {
+ return nil, err
+ }
+ fi := os.NewFile(uintptr(fd), "")
+ defer fi.Close()
+ // A new socket was created so we must close it before this
+ // function returns either on failure or success. On success,
+ // net.FileConn() in newTCPConn() increases the refcount of
+ // the socket so this fi.Close() doesn't destroy the socket.
+ // The caller must call Close() with the file later.
+ // Note that the above os.NewFile() doesn't play with the
+ // refcount.
+
+ if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_BROADCAST, 1); err != nil {
+ return nil, os.NewSyscallError("setsockopt", err)
+ }
+
+ if err = syscall.SetsockoptInt(fd, syscall.IPPROTO_TCP, syscall.TCP_NODELAY, 1); err != nil {
+ return nil, os.NewSyscallError("setsockopt", err)
+ }
+
+ if d.AuthPassword != "" {
+ if err = setsockoptTcpMD5Sig(fd, addr, d.AuthPassword); err != nil {
+ return nil, err
+ }
+ }
+
+ if d.Ttl != 0 {
+ if err = setsockoptIpTtl(fd, family, int(d.Ttl)); err != nil {
+ return nil, err
+ }
+ }
+
+ if d.TtlMin != 0 {
+ if err = setsockoptIpMinTtl(fd, family, int(d.Ttl)); err != nil {
+ return nil, err
+ }
+ }
+
+ if err = syscall.Bind(fd, la); err != nil {
+ return nil, os.NewSyscallError("bind", err)
+ }
+
+ newTCPConn := func(fi *os.File) (*net.TCPConn, error) {
+ if conn, err := net.FileConn(fi); err != nil {
+ return nil, err
+ } else {
+ return conn.(*net.TCPConn), err
+ }
+ }
+
+ err = syscall.Connect(fd, ra)
+ switch err {
+ case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+ // do timeout handling
+ case nil, syscall.EISCONN:
+ return newTCPConn(fi)
+ default:
+ return nil, os.NewSyscallError("connect", err)
+ }
+
+ epfd, e := syscall.EpollCreate1(syscall.EPOLL_CLOEXEC)
+ if e != nil {
+ return nil, e
+ }
+ defer syscall.Close(epfd)
+
+ var event syscall.EpollEvent
+ events := make([]syscall.EpollEvent, 1)
+
+ event.Events = syscall.EPOLLIN | syscall.EPOLLOUT | syscall.EPOLLPRI
+ event.Fd = int32(fd)
+ if e = syscall.EpollCtl(epfd, syscall.EPOLL_CTL_ADD, fd, &event); e != nil {
+ return nil, e
+ }
+
+ for {
+ nevents, e := syscall.EpollWait(epfd, events, int(d.Timeout/1000000) /*msec*/)
+ if e != nil {
+ return nil, e
+ }
+ if nevents == 0 {
+ return nil, fmt.Errorf("timeout")
+ } else if nevents == 1 && events[0].Fd == int32(fd) {
+ nerr, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_ERROR)
+ if err != nil {
+ return nil, os.NewSyscallError("getsockopt", err)
+ }
+ switch err := syscall.Errno(nerr); err {
+ case syscall.EINPROGRESS, syscall.EALREADY, syscall.EINTR:
+ case syscall.Errno(0), syscall.EISCONN:
+ return newTCPConn(fi)
+ default:
+ return nil, os.NewSyscallError("getsockopt", err)
+ }
+ } else {
+ return nil, fmt.Errorf("unexpected epoll behavior")
+ }
+ }
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 11:28:26 +0000