Bypass IPsec for traceroute invoked by root.
PR: bin/17606 Submitted by: Louis Mamakos <louie@TransSys.COM
This commit is contained in:
parent
2af66d23ef
commit
497f9e5a33
@ -17,6 +17,8 @@
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|
||||
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef lint
|
||||
@ -24,7 +26,7 @@ static const char copyright[] =
|
||||
"@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\
|
||||
The Regents of the University of California. All rights reserved.\n";
|
||||
static const char rcsid[] =
|
||||
"@(#)$Header: /home/ncvs/src/contrib/traceroute/traceroute.c,v 1.10 1999/05/12 17:28:31 archie Exp $ (LBL)";
|
||||
"@(#)$Header: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v 1.11 1999/06/25 21:48:40 archie Exp $ (LBL)";
|
||||
#endif
|
||||
|
||||
/*
|
||||
@ -217,6 +219,11 @@ static const char rcsid[] =
|
||||
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#ifdef IPSEC
|
||||
#include <net/route.h>
|
||||
#include <netinet6/ipsec.h> /* XXX */
|
||||
#endif /* IPSEC */
|
||||
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#ifdef HAVE_MALLOC_H
|
||||
@ -322,6 +329,9 @@ void print(u_char *, int, struct sockaddr_in *);
|
||||
char *getaddr(u_int32_t *, char *);
|
||||
char *getsin(struct sockaddr_in *, char *);
|
||||
char *savestr(const char *);
|
||||
#ifdef IPSEC
|
||||
int setpolicy __P((int so, char *policy));
|
||||
#endif
|
||||
void send_probe(int, int);
|
||||
void tvsub(struct timeval *, struct timeval *);
|
||||
__dead void usage(void);
|
||||
@ -646,6 +656,14 @@ main(int argc, char **argv)
|
||||
(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&on,
|
||||
sizeof(on));
|
||||
|
||||
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||
if (setpolicy(s, "in bypass") < 0)
|
||||
errx(1, ipsec_strerror());
|
||||
|
||||
if (setpolicy(s, "out bypass") < 0)
|
||||
errx(1, ipsec_strerror());
|
||||
#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
|
||||
|
||||
if (sndsock < 0) {
|
||||
errno = sockerrno;
|
||||
Fprintf(stderr, "%s: raw socket: %s\n", prog, strerror(errno));
|
||||
@ -718,6 +736,14 @@ main(int argc, char **argv)
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||
if (setpolicy(sndsock, "in bypass") < 0)
|
||||
errx(1, ipsec_strerror());
|
||||
|
||||
if (setpolicy(sndsock, "out bypass") < 0)
|
||||
errx(1, ipsec_strerror());
|
||||
#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
|
||||
|
||||
Fprintf(stderr, "%s to %s (%s)",
|
||||
prog, hostname, inet_ntoa(to->sin_addr));
|
||||
if (source)
|
||||
@ -885,6 +911,28 @@ wait_for_reply(register int sock, register struct sockaddr_in *fromp,
|
||||
return(cc);
|
||||
}
|
||||
|
||||
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||
int
|
||||
setpolicy(so, policy)
|
||||
int so;
|
||||
char *policy;
|
||||
{
|
||||
char *buf;
|
||||
|
||||
buf = ipsec_set_policy(policy, strlen(policy));
|
||||
if (buf == NULL) {
|
||||
warnx(ipsec_strerror());
|
||||
return -1;
|
||||
}
|
||||
(void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY,
|
||||
buf, ipsec_get_policylen(buf));
|
||||
|
||||
free(buf);
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
void
|
||||
send_probe(int seq, int ttl)
|
||||
{
|
||||
|
@ -4,7 +4,7 @@ PROG= traceroute
|
||||
MAN8= traceroute.8
|
||||
BINMODE=4555
|
||||
CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
|
||||
-DSTDC_HEADERS=1
|
||||
-DSTDC_HEADERS=1 -DIPSEC
|
||||
# RTT Jitter on the internet these days means printing 3 decimal places on
|
||||
# > 1000ms times is plain useless. Uncomment this to enable variable precision
|
||||
# reporting, ie: print a variable precision from 0.001ms through 1000ms
|
||||
@ -12,6 +12,8 @@ CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
|
||||
|
||||
SRCS= version.c traceroute.c
|
||||
CLEANFILES+= version.c
|
||||
DPADD= ${LIBIPSEC}
|
||||
LDADD= -lipsec
|
||||
|
||||
TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user