Bypass IPsec for traceroute invoked by root.
PR: bin/17606 Submitted by: Louis Mamakos <louie@TransSys.COM>
This commit is contained in:
parent
2af66d23ef
commit
497f9e5a33
@ -17,6 +17,8 @@
|
|||||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
|
||||||
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
||||||
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||||
|
*
|
||||||
|
* $FreeBSD$
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef lint
|
#ifndef lint
|
||||||
@ -24,7 +26,7 @@ static const char copyright[] =
|
|||||||
"@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\
|
"@(#) Copyright (c) 1988, 1989, 1991, 1994, 1995, 1996\n\
|
||||||
The Regents of the University of California. All rights reserved.\n";
|
The Regents of the University of California. All rights reserved.\n";
|
||||||
static const char rcsid[] =
|
static const char rcsid[] =
|
||||||
"@(#)$Header: /home/ncvs/src/contrib/traceroute/traceroute.c,v 1.10 1999/05/12 17:28:31 archie Exp $ (LBL)";
|
"@(#)$Header: /usr/local/FreeBSD/cvs/src/contrib/traceroute/traceroute.c,v 1.11 1999/06/25 21:48:40 archie Exp $ (LBL)";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -217,6 +219,11 @@ static const char rcsid[] =
|
|||||||
|
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
|
|
||||||
|
#ifdef IPSEC
|
||||||
|
#include <net/route.h>
|
||||||
|
#include <netinet6/ipsec.h> /* XXX */
|
||||||
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#ifdef HAVE_MALLOC_H
|
#ifdef HAVE_MALLOC_H
|
||||||
@ -322,6 +329,9 @@ void print(u_char *, int, struct sockaddr_in *);
|
|||||||
char *getaddr(u_int32_t *, char *);
|
char *getaddr(u_int32_t *, char *);
|
||||||
char *getsin(struct sockaddr_in *, char *);
|
char *getsin(struct sockaddr_in *, char *);
|
||||||
char *savestr(const char *);
|
char *savestr(const char *);
|
||||||
|
#ifdef IPSEC
|
||||||
|
int setpolicy __P((int so, char *policy));
|
||||||
|
#endif
|
||||||
void send_probe(int, int);
|
void send_probe(int, int);
|
||||||
void tvsub(struct timeval *, struct timeval *);
|
void tvsub(struct timeval *, struct timeval *);
|
||||||
__dead void usage(void);
|
__dead void usage(void);
|
||||||
@ -646,6 +656,14 @@ main(int argc, char **argv)
|
|||||||
(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&on,
|
(void)setsockopt(s, SOL_SOCKET, SO_DONTROUTE, (char *)&on,
|
||||||
sizeof(on));
|
sizeof(on));
|
||||||
|
|
||||||
|
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||||
|
if (setpolicy(s, "in bypass") < 0)
|
||||||
|
errx(1, ipsec_strerror());
|
||||||
|
|
||||||
|
if (setpolicy(s, "out bypass") < 0)
|
||||||
|
errx(1, ipsec_strerror());
|
||||||
|
#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
|
||||||
|
|
||||||
if (sndsock < 0) {
|
if (sndsock < 0) {
|
||||||
errno = sockerrno;
|
errno = sockerrno;
|
||||||
Fprintf(stderr, "%s: raw socket: %s\n", prog, strerror(errno));
|
Fprintf(stderr, "%s: raw socket: %s\n", prog, strerror(errno));
|
||||||
@ -718,6 +736,14 @@ main(int argc, char **argv)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||||
|
if (setpolicy(sndsock, "in bypass") < 0)
|
||||||
|
errx(1, ipsec_strerror());
|
||||||
|
|
||||||
|
if (setpolicy(sndsock, "out bypass") < 0)
|
||||||
|
errx(1, ipsec_strerror());
|
||||||
|
#endif /* defined(IPSEC) && defined(IPSEC_POLICY_IPSEC) */
|
||||||
|
|
||||||
Fprintf(stderr, "%s to %s (%s)",
|
Fprintf(stderr, "%s to %s (%s)",
|
||||||
prog, hostname, inet_ntoa(to->sin_addr));
|
prog, hostname, inet_ntoa(to->sin_addr));
|
||||||
if (source)
|
if (source)
|
||||||
@ -885,6 +911,28 @@ wait_for_reply(register int sock, register struct sockaddr_in *fromp,
|
|||||||
return(cc);
|
return(cc);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(IPSEC) && defined(IPSEC_POLICY_IPSEC)
|
||||||
|
int
|
||||||
|
setpolicy(so, policy)
|
||||||
|
int so;
|
||||||
|
char *policy;
|
||||||
|
{
|
||||||
|
char *buf;
|
||||||
|
|
||||||
|
buf = ipsec_set_policy(policy, strlen(policy));
|
||||||
|
if (buf == NULL) {
|
||||||
|
warnx(ipsec_strerror());
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
(void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY,
|
||||||
|
buf, ipsec_get_policylen(buf));
|
||||||
|
|
||||||
|
free(buf);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
void
|
void
|
||||||
send_probe(int seq, int ttl)
|
send_probe(int seq, int ttl)
|
||||||
{
|
{
|
||||||
|
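Review bot: `warnx(ipsec_strerror())` in setpolicy and the four `errx(1, ipsec_strerror())` calls in the two main() hunks pass a non-literal string as the format argument; since traceroute is installed setuid (BINMODE=4555 in the Makefile hunk), every error path should use a fixed format, `warnx("%s", ipsec_strerror())` and `errx(1, "%s", ipsec_strerror())`. The `(void)setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, ...)` also discards its result, so a rejected bypass policy is reported as success and the probes may still be subject to IPsec processing with no indication to the user; unless the discard is deliberate for unprivileged callers (in which case a comment on that line should say so), check the return and fail the call as below. The new code reports errors through errx/warnx where the surrounding code uses `Fprintf(stderr, "%s: ...", prog, ...)`, and no `<err.h>` include appears in the visible hunks, so confirm the file already includes it. Both main() hunks sit inside a function that starts and ends outside the hunk.
```c
	buf = ipsec_set_policy(policy, strlen(policy));
	if (buf == NULL) {
		warnx("%s", ipsec_strerror());
		return -1;
	}
	if (setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY,
	    buf, ipsec_get_policylen(buf)) < 0) {
		warn("setsockopt(IP_IPSEC_POLICY)");
		free(buf);
		return -1;
	}
	free(buf);
	return 0;
```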
@ -4,7 +4,7 @@ PROG= traceroute
|
|||||||
MAN8= traceroute.8
|
MAN8= traceroute.8
|
||||||
BINMODE=4555
|
BINMODE=4555
|
||||||
CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
|
CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
|
||||||
-DSTDC_HEADERS=1
|
-DSTDC_HEADERS=1 -DIPSEC
|
||||||
# RTT Jitter on the internet these days means printing 3 decimal places on
|
# RTT Jitter on the internet these days means printing 3 decimal places on
|
||||||
# > 1000ms times is plain useless. Uncomment this to enable variable precision
|
# > 1000ms times is plain useless. Uncomment this to enable variable precision
|
||||||
# reporting, ie: print a variable precision from 0.001ms through 1000ms
|
# reporting, ie: print a variable precision from 0.001ms through 1000ms
|
||||||
@ -12,6 +12,8 @@ CFLAGS+=-DHAVE_SYS_SELECT_H=1 -DHAVE_SETLINEBUF=1 -DHAVE_RAW_OPTIONS=1 \
|
|||||||
|
|
||||||
SRCS= version.c traceroute.c
|
SRCS= version.c traceroute.c
|
||||||
CLEANFILES+= version.c
|
CLEANFILES+= version.c
|
||||||
|
DPADD= ${LIBIPSEC}
|
||||||
|
LDADD= -lipsec
|
||||||
|
|
||||||
TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
|
TRACEROUTE_DISTDIR?= ${.CURDIR}/../../contrib/traceroute
|
||||||
|
|
||||||
|
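Review bot: `-DIPSEC` in CFLAGS and `LDADD= -lipsec` (with `DPADD= ${LIBIPSEC}`) are added unconditionally, so the build now requires libipsec and compiles the IPSEC code paths regardless of whether the target system has IPsec support. If the tree provides a make(1) knob for IPsec, gating these three lines on it would keep the non-IPsec build working; whether such a knob exists is not visible from the hunk. BINMODE=4555 is unchanged, so the bypass policies in traceroute.c are set on sockets of a setuid-root binary, which is worth stating in a comment next to the new CFLAGS line.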