From e8400da9d53700872c9dea6b9d52af98c59022b9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 22 Nov 2005 19:41:33 +1100 Subject: - millert@cvs.openbsd.org 2005/11/15 11:59:54 [includes.h] Include sys/queue.h explicitly instead of assuming some other header will pull it in. At the moment it gets pulled in by sys/select.h (which ssh has no business including) via event.h. OK markus@ (ID sync only in -portable) --- includes.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'includes.h') diff --git a/includes.h b/includes.h index fa65aa38d..351dd2ac0 100644 --- a/includes.h +++ b/includes.h @@ -1,4 +1,4 @@ -/* $OpenBSD: includes.h,v 1.19 2005/05/19 02:42:26 djm Exp $ */ +/* $OpenBSD: includes.h,v 1.20 2005/11/15 11:59:54 millert Exp $ */ /* * Author: Tatu Ylonen -- cgit v1.2.3 From ac0c8a533d7b79f8404f904a05655e48aa792a45 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 28 Nov 2005 22:28:59 +1100 Subject: - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use _GNU_SOURCE instead. Patch from t8m at centrum.cz. --- ChangeLog | 4 +++- includes.h | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'includes.h') diff --git a/ChangeLog b/ChangeLog index 211e34634..c8c053f6d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20051128 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some versions of GNU head. Based on patch from zappaman at buraphalinux.org + - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use + _GNU_SOURCE instead. Patch from t8m at centrum.cz. - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 [ssh-keygen.1 ssh-keygen.c] @@ -3373,4 +3375,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4011 2005/11/28 06:05:40 dtucker Exp $ +$Id: ChangeLog,v 1.4012 2005/11/28 11:28:59 dtucker Exp $ diff --git a/includes.h b/includes.h index 351dd2ac0..12d948b6f 100644 --- a/includes.h +++ b/includes.h @@ -21,6 +21,8 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #include "config.h" +#define _GNU_SOURCE /* activate extra prototypes for glibc */ + #include #include #include @@ -67,7 +69,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #ifdef HAVE_NEXT # include #endif -#define __USE_GNU /* before unistd.h, activate extra prototypes for glibc */ #include /* For STDIN_FILENO, etc */ #include /* Struct winsize */ -- cgit v1.2.3 From 7b58e800364870d05630514945687d2f26e3c065 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 13 Dec 2005 19:33:19 +1100 Subject: - reyk@cvs.openbsd.org 2005/12/08 18:34:11 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] two changes to the new ssh tunnel support. this breaks compatibility with the initial commit but is required for a portable approach. - make the tunnel id u_int and platform friendly, use predefined types. - support configuration of layer 2 (ethernet) or layer 3 (point-to-point, default) modes. configuration is done using the Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option in sshd_config(5). ok djm@, man page bits by jmc@ --- ChangeLog | 14 ++++++++++- auth-options.c | 4 ++-- configure.ac | 3 ++- includes.h | 5 +++- misc.c | 75 ++++++++++++++++++++++++++++++++++++++++++---------------- misc.h | 16 +++++++++++-- readconf.c | 32 +++++++++++++++++++++---- servconf.c | 24 ++++++++++++++++--- serverloop.c | 25 ++++++++++++++------ ssh.c | 13 ++++++---- ssh_config.5 | 10 +++++--- sshd_config.5 | 8 ++++++- 12 files changed, 177 insertions(+), 52 deletions(-) (limited to 'includes.h') diff --git a/ChangeLog b/ChangeLog index c71d8531d..508745b89 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,18 @@ - jmc@cvs.openbsd.org 2005/12/08 15:06:29 [ssh_config.5] keep options in order; + - reyk@cvs.openbsd.org 2005/12/08 18:34:11 + [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] + [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] + two changes to the new ssh tunnel support. this breaks compatibility + with the initial commit but is required for a portable approach. + - make the tunnel id u_int and platform friendly, use predefined types. + - support configuration of layer 2 (ethernet) or layer 3 + (point-to-point, default) modes. configuration is done using the + Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and + restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option + in sshd_config(5). + ok djm@, man page bits by jmc@ 20051201 - (djm) [envpass.sh] Remove regress script that was accidentally committed @@ -3428,4 +3440,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4023 2005/12/13 08:30:45 djm Exp $ +$Id: ChangeLog,v 1.4024 2005/12/13 08:33:19 djm Exp $ diff --git a/auth-options.c b/auth-options.c index 54798d9ad..ad97e6129 100644 --- a/auth-options.c +++ b/auth-options.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.32 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $"); #include "xmalloc.h" #include "match.h" @@ -296,7 +296,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) tun[i] = 0; forced_tun_device = a2tun(tun, NULL); xfree(tun); - if (forced_tun_device < -1) { + if (forced_tun_device == SSH_TUNID_ERR) { debug("%.100s, line %lu: invalid tun device", file, linenum); auth_debug_add("%.100s, line %lu: invalid tun device", diff --git a/configure.ac b/configure.ac index 0afb48716..b24d37178 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.312 2005/11/29 02:40:34 tim Exp $ +# $Id: configure.ac,v 1.313 2005/12/13 08:33:20 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -654,6 +654,7 @@ AC_CHECK_HEADERS( \ login_cap.h \ maillock.h \ ndir.h \ + net/if.h \ netdb.h \ netgroup.h \ netinet/in_systm.h \ diff --git a/includes.h b/includes.h index 12d948b6f..cf2d6c699 100644 --- a/includes.h +++ b/includes.h @@ -1,4 +1,4 @@ -/* $OpenBSD: includes.h,v 1.20 2005/11/15 11:59:54 millert Exp $ */ +/* $OpenBSD: includes.h,v 1.21 2005/12/08 18:34:11 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -148,6 +148,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #include /* For IPv6 macros */ #include /* For IPTOS macros */ #include +#ifdef HAVE_NET_IF_H +# include +#endif #include #if defined(HAVE_NETDB_H) # include diff --git a/misc.c b/misc.c index 9b23e2c37..4f41332f9 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.36 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: misc.c,v 1.37 2005/12/08 18:34:11 reyk Exp $"); #include "misc.h" #include "log.h" @@ -202,7 +202,7 @@ a2tun(const char *s, int *remote) int tun; if (remote != NULL) { - *remote = -1; + *remote = SSH_TUNID_ANY; sp = xstrdup(s); if ((ep = strchr(sp, ':')) == NULL) { xfree(sp); @@ -212,15 +212,15 @@ a2tun(const char *s, int *remote) *remote = a2tun(ep, NULL); tun = a2tun(sp, NULL); xfree(sp); - return (tun); + return (*remote == SSH_TUNID_ERR ? *remote : tun); } if (strcasecmp(s, "any") == 0) - return (-1); + return (SSH_TUNID_ANY); - tun = strtonum(s, 0, INT_MAX, &errstr); - if (errstr != NULL || tun < -1) - return (-2); + tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr); + if (errstr != NULL) + return (SSH_TUNID_ERR); return (tun); } @@ -539,27 +539,60 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, } int -tun_open(int tun) +tun_open(int tun, int mode) { + struct ifreq ifr; char name[100]; - int i, fd; + int fd = -1, sock; - if (tun > -1) { + /* Open the tunnel device */ + if (tun <= SSH_TUNID_MAX) { snprintf(name, sizeof(name), "/dev/tun%d", tun); - if ((fd = open(name, O_RDWR)) >= 0) { - debug("%s: %s: %d", __func__, name, fd); - return (fd); + fd = open(name, O_RDWR); + } else if (tun == SSH_TUNID_ANY) { + for (tun = 100; tun >= 0; tun--) { + snprintf(name, sizeof(name), "/dev/tun%d", tun); + if ((fd = open(name, O_RDWR)) >= 0) + break; } } else { - for (i = 100; i >= 0; i--) { - snprintf(name, sizeof(name), "/dev/tun%d", i); - if ((fd = open(name, O_RDWR)) >= 0) { - debug("%s: %s: %d", __func__, name, fd); - return (fd); - } - } + debug("%s: invalid tunnel %u\n", __func__, tun); + return (-1); + } + + if (fd < 0) { + debug("%s: %s open failed: %s", __func__, name, strerror(errno)); + return (-1); + } + + debug("%s: %s mode %d fd %d", __func__, name, mode, fd); + + /* Set the tunnel device operation mode */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun); + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) + goto failed; + + if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) + goto failed; + if (mode == SSH_TUNMODE_ETHERNET) { + ifr.ifr_flags |= IFF_LINK0; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; } - debug("%s: %s failed: %s", __func__, name, strerror(errno)); + ifr.ifr_flags |= IFF_UP; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; + + close(sock); + return (fd); + + failed: + if (fd >= 0) + close(fd); + if (sock >= 0) + close(sock); + debug("%s: failed to set %s mode %d: %s", __func__, name, + mode, strerror(errno)); return (-1); } diff --git a/misc.h b/misc.h index ff2ba1b5a..415910686 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.27 2005/12/06 22:38:27 reyk Exp $ */ +/* $OpenBSD: misc.h,v 1.28 2005/12/08 18:34:11 reyk Exp $ */ /* * Author: Tatu Ylonen @@ -50,4 +50,16 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); char *read_passphrase(const char *, int); int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); -int tun_open(int); + +int tun_open(int, int); + +/* Common definitions for ssh tunnel device forwarding */ +#define SSH_TUNMODE_NO 0x00 +#define SSH_TUNMODE_POINTOPOINT 0x01 +#define SSH_TUNMODE_ETHERNET 0x02 +#define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT +#define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET) + +#define SSH_TUNID_ANY 0x7fffffff +#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1) +#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2) diff --git a/readconf.c b/readconf.c index b6aad9d8d..1fbf59793 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.144 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -273,7 +273,7 @@ clear_forwardings(Options *options) xfree(options->remote_forwards[i].connect_host); } options->num_remote_forwards = 0; - options->tun_open = 0; + options->tun_open = SSH_TUNMODE_NO; } /* @@ -835,14 +835,32 @@ parse_int: case oTunnel: intptr = &options->tun_open; - goto parse_flag; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing yes/point-to-point/" + "ethernet/no argument.", filename, linenum); + value = 0; /* silence compiler */ + if (strcasecmp(arg, "ethernet") == 0) + value = SSH_TUNMODE_ETHERNET; + else if (strcasecmp(arg, "point-to-point") == 0) + value = SSH_TUNMODE_POINTOPOINT; + else if (strcasecmp(arg, "yes") == 0) + value = SSH_TUNMODE_DEFAULT; + else if (strcasecmp(arg, "no") == 0) + value = SSH_TUNMODE_NO; + else + fatal("%s line %d: Bad yes/point-to-point/ethernet/" + "no argument: %s", filename, linenum, arg); + if (*activep) + *intptr = value; + break; case oTunnelDevice: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); value = a2tun(arg, &value2); - if (value < -1) + if (value == SSH_TUNID_ERR) fatal("%.200s line %d: Bad tun device.", filename, linenum); if (*activep) { options->tun_local = value; @@ -1132,7 +1150,11 @@ fill_default_options(Options * options) if (options->hash_known_hosts == -1) options->hash_known_hosts = 0; if (options->tun_open == -1) - options->tun_open = 0; + options->tun_open = SSH_TUNMODE_NO; + if (options->tun_local == -1) + options->tun_local = SSH_TUNID_ANY; + if (options->tun_remote == -1) + options->tun_remote = SSH_TUNID_ANY; if (options->permit_local_command == -1) options->permit_local_command = 0; /* options->local_command should not be set by default */ diff --git a/servconf.c b/servconf.c index 91a0ced29..81953bb80 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.145 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $"); #include "ssh.h" #include "log.h" @@ -231,7 +231,7 @@ fill_default_server_options(ServerOptions *options) if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; if (options->permit_tun == -1) - options->permit_tun = 0; + options->permit_tun = SSH_TUNMODE_NO; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -968,7 +968,25 @@ parse_flag: case sPermitTunnel: intptr = &options->permit_tun; - goto parse_flag; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing yes/point-to-point/" + "ethernet/no argument.", filename, linenum); + value = 0; /* silence compiler */ + if (strcasecmp(arg, "ethernet") == 0) + value = SSH_TUNMODE_ETHERNET; + else if (strcasecmp(arg, "point-to-point") == 0) + value = SSH_TUNMODE_POINTOPOINT; + else if (strcasecmp(arg, "yes") == 0) + value = SSH_TUNMODE_YES; + else if (strcasecmp(arg, "no") == 0) + value = SSH_TUNMODE_NO; + else + fatal("%s line %d: Bad yes/point-to-point/ethernet/" + "no argument: %s", filename, linenum, arg); + if (*intptr == -1) + *intptr = value; + break; case sDeprecated: logit("%s line %d: Deprecated option %s", diff --git a/serverloop.c b/serverloop.c index 199f7696d..eff27d9d6 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.122 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.123 2005/12/08 18:34:11 reyk Exp $"); #include "xmalloc.h" #include "packet.h" @@ -917,20 +917,31 @@ static Channel * server_request_tun(void) { Channel *c = NULL; - int sock, tun; + int mode, tun; + int sock; - if (!options.permit_tun) { - packet_send_debug("Server has disabled tunnel device forwarding."); + mode = packet_get_int(); + switch (mode) { + case SSH_TUNMODE_POINTOPOINT: + case SSH_TUNMODE_ETHERNET: + break; + default: + packet_send_debug("Unsupported tunnel device mode."); + return NULL; + } + if ((options.permit_tun & mode) == 0) { + packet_send_debug("Server has rejected tunnel device " + "forwarding"); return NULL; } tun = packet_get_int(); - if (forced_tun_device != -1) { - if (tun != -1 && forced_tun_device != tun) + if (forced_tun_device != SSH_TUNID_ANY) { + if (tun != SSH_TUNID_ANY && forced_tun_device != tun) goto done; tun = forced_tun_device; } - sock = tun_open(tun); + sock = tun_open(tun, mode); if (sock < 0) goto done; c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, diff --git a/ssh.c b/ssh.c index 8a4a0e4c9..dd627ce2e 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.255 2005/12/06 22:38:27 reyk Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.256 2005/12/08 18:34:11 reyk Exp $"); #include #include @@ -341,9 +341,10 @@ again: exit(0); break; case 'w': - options.tun_open = 1; + if (options.tun_open == -1) + options.tun_open = SSH_TUNMODE_DEFAULT; options.tun_local = a2tun(optarg, &options.tun_remote); - if (options.tun_local < -1) { + if (options.tun_local == SSH_TUNID_ERR) { fprintf(stderr, "Bad tun device '%s'\n", optarg); exit(1); } @@ -1067,12 +1068,13 @@ ssh_session2_setup(int id, void *arg) packet_send(); } - if (options.tun_open) { + if (options.tun_open != SSH_TUNMODE_NO) { Channel *c; int fd; debug("Requesting tun."); - if ((fd = tun_open(options.tun_local)) >= 0) { + if ((fd = tun_open(options.tun_local, + options.tun_open)) >= 0) { c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); @@ -1082,6 +1084,7 @@ ssh_session2_setup(int id, void *arg) packet_put_int(c->self); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); + packet_put_int(options.tun_open); packet_put_int(options.tun_remote); packet_send(); } diff --git a/ssh_config.5 b/ssh_config.5 index 281b4046b..68061182c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.67 2005/12/08 15:06:29 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.68 2005/12/08 18:34:11 reyk Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -911,9 +911,13 @@ with older servers. .It Cm Tunnel Request starting .Xr tun 4 -device forwarding between the client and the server. +device forwarding between the client and the server. This option also +allows requesting layer 2 (ethernet) instead of layer 3 +(point-to-point) tunneling from the server. The argument must be -.Dq yes +.Dq yes , +.Dq point-to-point , +.Dq ethernet or .Dq no . The default is diff --git a/sshd_config.5 b/sshd_config.5 index 3835fcd62..a10b365d3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.46 2005/12/06 22:38:28 reyk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.47 2005/12/08 18:34:11 reyk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -506,6 +506,12 @@ root is not allowed to log in. Specifies whether .Xr tun 4 device forwarding is allowed. +The argument must be +.Dq yes , +.Dq point-to-point , +.Dq ethernet +or +.Dq no . The default is .Dq no . .It Cm PermitUserEnvironment -- cgit v1.2.3 From 2dcddbfaf6b68bd58b5b1422ebeef7767c0c2633 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 1 Jan 2006 19:47:05 +1100 Subject: - (djm) [Makefile.in configure.ac includes.h misc.c] [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is limited to IPv4 tunnels only, and most versions don't support the tap(4) device at all. --- ChangeLog | 9 ++++- Makefile.in | 4 +- configure.ac | 12 +++++- includes.h | 3 -- misc.c | 2 +- openbsd-compat/port-tun.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++- openbsd-compat/port-tun.h | 2 +- 7 files changed, 119 insertions(+), 11 deletions(-) (limited to 'includes.h') diff --git a/ChangeLog b/ChangeLog index c8a23a2fe..de0835431 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20060101 + - (djm) [Makefile.in configure.ac includes.h misc.c] + [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support + for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is + limited to IPv4 tunnels only, and most versions don't support the + tap(4) device at all. + 20051229 - (djm) OpenBSD CVS Sync - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 @@ -3578,4 +3585,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4059 2005/12/31 06:05:58 djm Exp $ +$Id: ChangeLog,v 1.4060 2006/01/01 08:47:05 djm Exp $ diff --git a/Makefile.in b/Makefile.in index fcbc522f2..af881c521 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $ +# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -139,7 +139,7 @@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/configure.ac b/configure.ac index 26ed218d5..2f5906667 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.319 2005/12/31 06:05:58 djm Exp $ +# $Id: configure.ac,v 1.320 2006/01/01 08:47:05 djm Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -346,10 +346,18 @@ mips-sony-bsd|mips-sony-newsos4) if test "x$withval" != "xno" ; then need_dash_r=1 fi + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) ;; *-*-freebsd*) check_for_libcrypt_later=1 AC_DEFINE(LOCKED_PASSWD_PREFIX, "*LOCKED*", [Account locked with pw(1)]) + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) ;; *-*-bsdi*) AC_DEFINE(SETEUID_BREAKS_SETUID) @@ -369,7 +377,7 @@ mips-sony-bsd|mips-sony-newsos4) *-*-openbsd*) AC_DEFINE(HAVE_ATTRIBUTE__SENTINEL__, 1, [OpenBSD's gcc has sentinel]) AC_DEFINE(HAVE_ATTRIBUTE__BOUNDED__, 1, [OpenBSD's gcc has bounded]) - AC_DEFINE(SSH_TUN_BSD, 1, [Open tunnel devices the BSD way]) + AC_DEFINE(SSH_TUN_OPENBSD, 1, [Open tunnel devices the OpenBSD way]) ;; *-*-solaris*) if test "x$withval" != "xno" ; then diff --git a/includes.h b/includes.h index cf2d6c699..808d5dc9a 100644 --- a/includes.h +++ b/includes.h @@ -148,9 +148,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #include /* For IPv6 macros */ #include /* For IPTOS macros */ #include -#ifdef HAVE_NET_IF_H -# include -#endif #include #if defined(HAVE_NETDB_H) # include diff --git a/misc.c b/misc.c index 4141e6c48..76dbf40ea 100644 --- a/misc.c +++ b/misc.c @@ -543,7 +543,7 @@ tun_open(int tun, int mode) { #if defined(CUSTOM_SYS_TUN_OPEN) return (sys_tun_open(tun, mode)); -#elif defined(SSH_TUN_BSD) +#elif defined(SSH_TUN_OPENBSD) struct ifreq ifr; char name[100]; int fd = -1, sock; diff --git a/openbsd-compat/port-tun.c b/openbsd-compat/port-tun.c index 479b46b7a..00a0442b1 100644 --- a/openbsd-compat/port-tun.c +++ b/openbsd-compat/port-tun.c @@ -89,6 +89,88 @@ sys_tun_open(int tun, int mode) } #endif /* SSH_TUN_LINUX */ +#ifdef SSH_TUN_FREEBSD +#include +#include +#include + +int +sys_tun_open(int tun, int mode) +{ + struct ifreq ifr; + char name[100]; + int fd = -1, sock, flag; + const char *tunbase = "tun"; + + if (mode == SSH_TUNMODE_ETHERNET) { +#ifdef SSH_TUN_NO_L2 + debug("%s: no layer 2 tunnelling support", __func__); + return (-1); +#else + tunbase = "tap"; +#endif + } + + /* Open the tunnel device */ + if (tun <= SSH_TUNID_MAX) { + snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun); + fd = open(name, O_RDWR); + } else if (tun == SSH_TUNID_ANY) { + for (tun = 100; tun >= 0; tun--) { + snprintf(name, sizeof(name), "/dev/%s%d", + tunbase, tun); + if ((fd = open(name, O_RDWR)) >= 0) + break; + } + } else { + debug("%s: invalid tunnel %u\n", __func__, tun); + return (-1); + } + + if (fd < 0) { + debug("%s: %s open failed: %s", __func__, name, + strerror(errno)); + return (-1); + } + + /* Turn on tunnel headers */ + flag = 1; +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) + if (mode != SSH_TUNMODE_ETHERNET && + ioctl(fd, TUNSIFHEAD, &flag) == -1) { + debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd, + strerror(errno)); + close(fd); + } +#endif + + debug("%s: %s mode %d fd %d", __func__, name, mode, fd); + + /* Set the tunnel device operation mode */ + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun); + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) + goto failed; + + if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) + goto failed; + ifr.ifr_flags |= IFF_UP; + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) + goto failed; + + close(sock); + return (fd); + + failed: + if (fd >= 0) + close(fd); + if (sock >= 0) + close(sock); + debug("%s: failed to set %s mode %d: %s", __func__, name, + mode, strerror(errno)); + return (-1); +} +#endif /* SSH_TUN_FREEBSD */ + /* * System-specific channel filters */ @@ -102,16 +184,29 @@ sys_tun_infilter(struct Channel *c, char *buf, int len) { #if defined(SSH_TUN_PREPEND_AF) char rbuf[CHAN_RBUF]; + struct ip *iph; #endif u_int32_t *af; char *ptr = buf; #if defined(SSH_TUN_PREPEND_AF) - if (len > (int)(sizeof(rbuf) - sizeof(*af))) + if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af))) return (-1); ptr = (char *)&rbuf[0]; bcopy(buf, ptr + sizeof(u_int32_t), len); len += sizeof(u_int32_t); + af = (u_int32_t *)ptr; + + iph = (struct ip *)(ptr + sizeof(u_int32_t)); + switch (iph->ip_v) { + case 6: + *af = AF_INET6; + break; + case 4: + default: + *af = AF_INET; + break; + } #endif #if defined(SSH_TUN_COMPAT_AF) @@ -124,6 +219,7 @@ sys_tun_infilter(struct Channel *c, char *buf, int len) else *af = htonl(OPENBSD_AF_INET); #endif + buffer_put_string(&c->input, ptr, len); return (0); } diff --git a/openbsd-compat/port-tun.h b/openbsd-compat/port-tun.h index 942610c6d..86d9272b4 100644 --- a/openbsd-compat/port-tun.h +++ b/openbsd-compat/port-tun.h @@ -19,7 +19,7 @@ #include "channels.h" -#if defined(SSH_TUN_LINUX) +#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD) # define CUSTOM_SYS_TUN_OPEN int sys_tun_open(int, int); #endif -- cgit v1.2.3 From 3beb852e09a1de1b6db0103b1c39e56f9dfeff09 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 2 Jan 2006 23:40:10 +1100 Subject: - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 [includes.h misc.c] move ; ok djm@ --- ChangeLog | 5 ++++- includes.h | 2 +- misc.c | 6 +++++- 3 files changed, 10 insertions(+), 3 deletions(-) (limited to 'includes.h') diff --git a/ChangeLog b/ChangeLog index a1f0b7842..73203f24f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ - jmc@cvs.openbsd.org 2005/12/31 13:45:19 [ssh.1] .Nm does not require an argument; + - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 + [includes.h misc.c] + move ; ok djm@ 20060101 - (djm) [Makefile.in configure.ac includes.h misc.c] @@ -3604,4 +3607,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4066 2006/01/02 12:38:37 djm Exp $ +$Id: ChangeLog,v 1.4067 2006/01/02 12:40:10 djm Exp $ diff --git a/includes.h b/includes.h index 808d5dc9a..520817400 100644 --- a/includes.h +++ b/includes.h @@ -1,4 +1,4 @@ -/* $OpenBSD: includes.h,v 1.21 2005/12/08 18:34:11 reyk Exp $ */ +/* $OpenBSD: includes.h,v 1.22 2006/01/01 08:59:27 stevesk Exp $ */ /* * Author: Tatu Ylonen diff --git a/misc.c b/misc.c index 76dbf40ea..ac939af7e 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.37 2005/12/08 18:34:11 reyk Exp $"); +RCSID("$OpenBSD: misc.c,v 1.38 2006/01/01 08:59:27 stevesk Exp $"); + +#ifdef SSH_TUN_OPENBSD +#include +#endif #include "misc.h" #include "log.h" -- cgit v1.2.3