19 files changed, 149 insertions, 40 deletions

diff --git a/ChangeLog b/ChangeLog
index 9f63b83b5..0a931a120 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,12 @@
      Request roaming to be enabled if UseRoaming is true and the server
      supports it.
      ok markus@
+   - reyk@cvs.openbsd.org 2009/10/28 16:38:18
+     [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
+     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
+     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
+     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
+     ok markus@
 
 20091226
  - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
diff --git a/channels.c b/channels.c
index 22e7f628b..884c14c99 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
+/* $OpenBSD: channels.c,v 1.297 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -162,6 +162,9 @@ static u_int x11_fake_data_len;
 /* AF_UNSPEC or AF_INET or AF_INET6 */
 static int IPv4or6 = AF_UNSPEC;
 
+/* Set the routing domain a.k.a. VRF */
+static int channel_rdomain = -1;
+
 /* helper */
 static void port_open_helper(Channel *c, char *rtype);
 
@@ -2461,6 +2464,12 @@ channel_set_af(int af)
         IPv4or6 = af;
 }
 
+void
+channel_set_rdomain(int rdomain)
+{
+        channel_rdomain = rdomain;
+}
+
 static int
 channel_setup_fwd_listener(int type, const char *listen_addr,
     u_short listen_port, int *allocated_listen_port,
@@ -2569,7 +2578,8 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                         continue;
                 }
                 /* Create a port to listen for the host. */
-                sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+                sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+                    ai->ai_protocol, channel_rdomain);
                 if (sock < 0) {
                         /* this is no error since kernel may not support ipv6 */
                         verbose("socket: %.100s", strerror(errno));
@@ -2910,8 +2920,9 @@ connect_next(struct channel_connect *cctx)
                         error("connect_next: getnameinfo failed");
                         continue;
                 }
-                if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
-                    cctx->ai->ai_protocol)) == -1) {
+                if ((sock = socket_rdomain(cctx->ai->ai_family,
+                    cctx->ai->ai_socktype, cctx->ai->ai_protocol,
+                    channel_rdomain)) == -1) {
                         if (cctx->ai->ai_next == NULL)
                                 error("socket: %.100s", strerror(errno));
                         else
@@ -3097,8 +3108,8 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
                 for (ai = aitop; ai; ai = ai->ai_next) {
                         if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
                                 continue;
-                        sock = socket(ai->ai_family, ai->ai_socktype,
-                            ai->ai_protocol);
+                        sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+                            ai->ai_protocol, channel_rdomain);
                         if (sock < 0) {
                                 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
                                         error("socket: %.100s", strerror(errno));
@@ -3273,7 +3284,8 @@ x11_connect_display(void)
         }
         for (ai = aitop; ai; ai = ai->ai_next) {
                 /* Create a socket. */
-                sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+                sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+                    ai->ai_protocol, channel_rdomain);
                 if (sock < 0) {
                         debug2("socket: %.100s", strerror(errno));
                         continue;
diff --git a/channels.h b/channels.h
index 1488ed7e5..b0f5dc321 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.98 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.99 2009/10/28 16:38:18 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -231,6 +231,7 @@ int	 channel_find_open(void);
 
 /* tcp forwarding */
 void     channel_set_af(int af);
+void     channel_set_rdomain(int);
 void     channel_permit_all_opens(void);
 void     channel_add_permitted_opens(char *, int);
 int      channel_add_adm_permitted_opens(char *, int);
diff --git a/misc.c b/misc.c
index 4dc152310..f0f1fd841 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.71 2009/02/21 19:32:04 tobias Exp $ */
+/* $OpenBSD: misc.c,v 1.72 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -151,6 +151,43 @@ set_nodelay(int fd)
                 error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
 }
 
+/* open a socket in the specified routing domain */
+int
+socket_rdomain(int domain, int type, int protocol, int rdomain)
+{
+        int sock, ipproto = IPPROTO_IP;
+
+        if ((sock = socket(domain, type, protocol)) == -1)
+                return (-1);
+
+        if (rdomain == -1)
+                return (sock);
+        
+        switch (domain) {
+        case AF_INET6:
+                ipproto = IPPROTO_IPV6;
+                /* FALLTHROUGH */
+        case AF_INET:
+                debug2("socket %d af %d setting rdomain %d",
+                    sock, domain, rdomain);
+                if (setsockopt(sock, ipproto, SO_RDOMAIN, &rdomain,
+                    sizeof(rdomain)) == -1) {
+                        debug("setsockopt SO_RDOMAIN: %.100s",
+                            strerror(errno));
+                        close(sock);
+                        return (-1);
+                }
+                break;
+        default:
+                debug("socket %d af %d does not support rdomain %d",
+                    sock, domain, rdomain);
+                close(sock);
+                return (-1);
+        }
+
+        return (sock);
+}
+
 /* Characters considered whitespace in strsep calls. */
 #define WHITESPACE " \t\r\n"
 #define QUOTE   "\""
diff --git a/misc.h b/misc.h
index e26b0aaff..87b7f0edf 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.38 2008/06/12 20:38:28 dtucker Exp $ */
+/* $OpenBSD: misc.h,v 1.39 2009/10/28 16:38:18 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -54,6 +54,8 @@ void	 freeargs(arglist *);
 
 int      tun_open(int, int);
 
+int      socket_rdomain(int, int, int, int);
+
 /* Common definitions for ssh tunnel device forwarding */
 #define SSH_TUNMODE_NO          0x00
 #define SSH_TUNMODE_POINTOPOINT 0x01
diff --git a/readconf.c b/readconf.c
index 4a16974b8..6b2e3b21d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.178 2009/10/08 14:03:41 markus Exp $ */
+/* $OpenBSD: readconf.c,v 1.179 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -130,8 +130,8 @@ typedef enum {
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
         oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-        oDeprecated, oUnsupported
+        oVisualHostKey, oUseRoaming, oRDomain,
+        oZeroKnowledgePasswordAuthentication, oDeprecated, oUnsupported
 } OpCodes;
 
 /* Textual representations of the tokens. */
@@ -229,6 +229,7 @@ static struct {
         { "permitlocalcommand", oPermitLocalCommand },
         { "visualhostkey", oVisualHostKey },
         { "useroaming", oUseRoaming },
+        { "rdomain", oRDomain },
 #ifdef JPAKE
         { "zeroknowledgepasswordauthentication",
             oZeroKnowledgePasswordAuthentication },
@@ -919,6 +920,19 @@ parse_int:
                 intptr = &options->use_roaming;
                 goto parse_flag;
 
+        case oRDomain:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing argument.",
+                            filename, linenum);
+                value = a2port(arg);
+                if (value == -1)
+                        fatal("%.200s line %d: Bad rdomain.",
+                            filename, linenum);
+                if (*activep)
+                        options->rdomain = value;
+                break;
+
         case oDeprecated:
                 debug("%s line %d: Deprecated option \"%s\"",
                     filename, linenum, keyword);
@@ -1069,6 +1083,7 @@ initialize_options(Options * options)
         options->local_command = NULL;
         options->permit_local_command = -1;
         options->use_roaming = -1;
+        options->rdomain = -1;
         options->visual_host_key = -1;
         options->zero_knowledge_password_authentication = -1;
 }
@@ -1217,6 +1232,7 @@ fill_default_options(Options * options)
         /* options->hostname will be set in the main program if appropriate */
         /* options->host_key_alias should not be set by default */
         /* options->preferred_authentications will be set in ssh */
+        /* options->rdomain should not be set by default */
 }
 
 /*
diff --git a/readconf.h b/readconf.h
index 2ebfebe94..6edc2eeda 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.79 2009/06/27 09:35:06 andreas Exp $ */
+/* $OpenBSD: readconf.h,v 1.80 2009/10/28 16:38:18 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -125,6 +125,8 @@ typedef struct {
 
         int     use_roaming;
 
+        int     rdomain;        /* routing domain a.k.a. VRF */
+
 }       Options;
 
 #define SSHCTL_MASTER_NO        0
diff --git a/scp.1 b/scp.1
index 5033d84f2..b9245ea53 100644
--- a/scp.1
+++ b/scp.1
@@ -9,9 +9,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.46 2008/07/12 05:33:41 djm Exp $
+.\" $OpenBSD: scp.1,v 1.47 2009/10/28 16:38:18 reyk Exp $
 .\"
-.Dd $Mdocdate: July 12 2008 $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -158,6 +158,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RDomain
 .It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
diff --git a/servconf.c b/servconf.c
index c2e5cc6f4..729f23bad 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.196 2009/10/08 14:03:41 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.197 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions *options)
         options->adm_forced_command = NULL;
         options->chroot_directory = NULL;
         options->zero_knowledge_password_authentication = -1;
+        options->rdomain = -1;
 }
 
 void
@@ -304,7 +305,7 @@ typedef enum {
         sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
         sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-        sUsePrivilegeSeparation, sAllowAgentForwarding,
+        sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
         sZeroKnowledgePasswordAuthentication,
         sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -423,6 +424,7 @@ static struct {
         { "match", sMatch, SSHCFG_ALL },
         { "permitopen", sPermitOpen, SSHCFG_ALL },
         { "forcecommand", sForceCommand, SSHCFG_ALL },
+        { "rdomain", sRDomain, SSHCFG_GLOBAL },
         { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
         { NULL, sBadOption, 0 }
 };
@@ -1294,6 +1296,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         *charptr = xstrdup(arg);
                 break;
 
+        case sRDomain:
+                intptr = &options->rdomain;
+                goto parse_int;
+
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
@@ -1570,6 +1576,7 @@ dump_config(ServerOptions *o)
         dump_cfg_int(sMaxSessions, o->max_sessions);
         dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
         dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+        dump_cfg_int(sRDomain, o->rdomain);
 
         /* formatted integer arguments */
         dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
diff --git a/servconf.h b/servconf.h
index b3ac7da4b..19c7ae609 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.87 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.88 2009/10/28 16:38:18 reyk Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -150,6 +150,8 @@ typedef struct {
 
         int     num_permitted_opens;
 
+        int     rdomain;
+
         char   *chroot_directory;
 }       ServerOptions;
 
diff --git a/sftp.1 b/sftp.1
index d1db0d6dd..b912d24e3 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.76 2009/08/19 04:56:03 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.77 2009/10/28 16:38:18 reyk Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2009 $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -209,6 +209,7 @@ For full details of the options listed below, and their possible values, see
 .It PubkeyAuthentication
 .It RekeyLimit
 .It RhostsRSAAuthentication
+.It RDomain
 .It RSAAuthentication
 .It SendEnv
 .It ServerAliveInterval
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 4a5864566..c9fb597ed 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.26 2008/12/29 01:12:36 stevesk Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.27 2009/10/28 16:38:18 reyk Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: December 29 2008 $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -20,6 +20,7 @@
 .Op Fl p Ar port
 .Op Fl T Ar timeout
 .Op Fl t Ar type
+.Op Fl V Ar rdomain
 .Op Ar host | addrlist namelist
 .Ar ...
 .Ek
@@ -95,6 +96,8 @@ for protocol version 2.
 Multiple values may be specified by separating them with commas.
 The default is
 .Dq rsa .
+.It Fl V Ar rdomain
+Set the routing domain.
 .It Fl v
 Verbose mode.
 Causes
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 9a91be499..f30e85045 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.78 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.79 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -68,6 +68,9 @@ int timeout = 5;
 int maxfd;
 #define MAXCON (maxfd - 10)
 
+/* The default routing domain */
+int scan_rdomain = -1;
+
 extern char *__progname;
 fd_set *read_wait;
 size_t read_wait_nfdset;
@@ -412,7 +415,8 @@ tcpconnect(char *host)
         if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
                 fatal("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
         for (ai = aitop; ai; ai = ai->ai_next) {
-                s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+                s = socket_rdomain(ai->ai_family, ai->ai_socktype,
+                    ai->ai_protocol, scan_rdomain);
                 if (s < 0) {
                         error("socket: %s", strerror(errno));
                         continue;
@@ -715,7 +719,7 @@ usage(void)
 {
         fprintf(stderr,
             "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
-            "\t\t   [host | addrlist namelist] ...\n",
+            "\t\t   [-V rdomain] [host | addrlist namelist] ...\n",
             __progname);
         exit(1);
 }
@@ -741,7 +745,7 @@ main(int argc, char **argv)
         if (argc <= 1)
                 usage();
 
-        while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+        while ((opt = getopt(argc, argv, "Hv46p:T:t:f:V:")) != -1) {
                 switch (opt) {
                 case 'H':
                         hash_hosts = 1;
@@ -802,6 +806,11 @@ main(int argc, char **argv)
                 case '6':
                         IPv4or6 = AF_INET6;
                         break;
+                case 'V':
+                        scan_rdomain = a2port(optarg);
+                        if (scan_rdomain < 0)
+                                scan_rdomain = -1;
+                        break;
                 case '?':
                 default:
                         usage();
diff --git a/ssh.1 b/ssh.1
index 7e7f64e46..8277d0fdf 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.286 2009/10/22 15:02:12 sobrado Exp $
-.Dd $Mdocdate: October 22 2009 $
+.\" $OpenBSD: ssh.1,v 1.287 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -475,6 +475,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
+.It RDomain
 .It RekeyLimit
 .It RemoteForward
 .It RhostsRSAAuthentication
diff --git a/ssh.c b/ssh.c
index 5353e235c..90dbc69e9 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.327 2009/10/24 11:23:42 andreas Exp $ */
+/* $OpenBSD: ssh.c,v 1.328 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -630,6 +630,7 @@ main(int ac, char **av)
         fill_default_options(&options);
 
         channel_set_af(options.address_family);
+        channel_set_rdomain(options.rdomain);
 
         /* reinit */
         log_init(argv0, options.log_level, SYSLOG_FACILITY_USER, !use_syslog);
diff --git a/ssh_config.5 b/ssh_config.5
index 89f3896e6..fde899477 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.121 2009/10/08 20:42:13 jmc Exp $
-.Dd $Mdocdate: October 8 2009 $
+.\" $OpenBSD: ssh_config.5,v 1.122 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -782,6 +782,9 @@ or
 The default is
 .Dq yes .
 This option applies to protocol version 2 only.
+.It Cm RDomain
+Set the routing domain number.
+The default routing domain is set by the system.
 .It Cm RekeyLimit
 Specifies the maximum amount of data that may be transmitted before the
 session key is renegotiated.
diff --git a/sshconnect.c b/sshconnect.c
index 3e57e859d..a09026e65 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.214 2009/05/28 16:50:16 andreas Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.215 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -190,7 +190,8 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
                         debug("Allocated local port %d.", p);
                 return sock;
         }
-        sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+        sock = socket_rdomain(ai->ai_family, ai->ai_socktype, ai->ai_protocol,
+            options.rdomain);
         if (sock < 0)
                 error("socket: %.100s", strerror(errno));
 
diff --git a/sshd.c b/sshd.c
index 38aaa1820..e23d462ee 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.367 2009/05/28 16:50:16 andreas Exp $ */
+/* $OpenBSD: sshd.c,v 1.368 2009/10/28 16:38:18 reyk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -960,8 +960,8 @@ server_listen(void)
                         continue;
                 }
                 /* Create socket for listening. */
-                listen_sock = socket(ai->ai_family, ai->ai_socktype,
-                    ai->ai_protocol);
+                listen_sock = socket_rdomain(ai->ai_family, ai->ai_socktype,
+                    ai->ai_protocol, options.rdomain);
                 if (listen_sock < 0) {
                         /* kernel may not support ipv6 */
                         verbose("socket: %.100s", strerror(errno));
@@ -1469,8 +1469,9 @@ main(int ac, char **av)
         if (options.challenge_response_authentication)
                 options.kbd_interactive_authentication = 1;
 
-        /* set default channel AF */
+        /* set default channel AF and routing domain */
         channel_set_af(options.address_family);
+        channel_set_rdomain(options.rdomain);
 
         /* Check that there are no remaining arguments. */
         if (optind < ac) {
diff --git a/sshd_config.5 b/sshd_config.5
index 4b3793d13..1a30f29c1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.109 2009/10/08 20:42:13 jmc Exp $
-.Dd $Mdocdate: October 8 2009 $
+.\" $OpenBSD: sshd_config.5,v 1.110 2009/10/28 16:38:18 reyk Exp $
+.Dd $Mdocdate: October 28 2009 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -812,6 +812,9 @@ with successful RSA host authentication is allowed.
 The default is
 .Dq no .
 This option applies to protocol version 1 only.
+.It Cm RDomain
+Set the routing domain number.
+The default routing domain is set by the system.
 .It Cm RSAAuthentication
 Specifies whether pure RSA authentication is allowed.
 The default is