Date: Fri, 6 Dec 2013 16:16:25 GMT
From: Antoine Beaupré <anarcat@koumbit.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/184545: OpenBGPd fails to initiate TCP MD5 sig connexions
Message-ID: <201312061616.rB6GGPmk023927@oldred.freebsd.org>
Resent-Message-ID: <201312061620.rB6GK2HY096717@freefall.freebsd.org>
>Number: 184545
>Category: ports
>Synopsis: OpenBGPd fails to initiate TCP MD5 sig connexions
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 06 16:20:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Antoine Beaupré
>Release: FreeBSD 9.1
>Organization: Koumbit
>Environment:
FreeBSD rtr0.koumbit.net 9.1-RELEASE-p7 FreeBSD 9.1-RELEASE-p7 #0: Mon Sep 9 21:34:37 UTC 2013 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
This stems from a discussion that started here:

http://lists.freebsd.org/pipermail/freebsd-net/2013-November/037133.html

Basically, while it is possible to hack your way through it, the FreeBSD port of OpenBGPd doesn't support MD5 passwords. The way to hack around it is to add SPD policies with setkey, but then it doesn't work when initiating connexions.

This was also reported here first:

http://lists.freebsd.org/pipermail/freebsd-net/2012-January/030921.html
>How-To-Repeat:
Configure two FreeBSD OpenBGPd routers, set an ipsec policy as such:

add -n 38.104.152.101 38.104.152.102 tcp 0x1000 -A tcp-md5 "[...]";
add -n 38.104.152.102 38.104.152.101 tcp 0x1000 -A tcp-md5 "[...]";

and with the following kernel config:

options IPSEC #IP security
options TCP_SIGNATURE
device crypto
options DEVICE_POLLING
device carp

It will work with netcat:

nc -v -S 10.0.0.2 179

.. but not with openbgpd.
>Fix:
The fix is to use pfSense's OpenBGPd port. I built a patch which imports from both ports and figures out the best of both worlds, attached.

Patch attached with submission follows:

diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 index d39d87d..5c0513a --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,5 @@ -# $FreeBSD: net/openbgpd/Makefile 330656 2013-10-17 16:47:58Z ohauer $ +# Created by: Florent Thoumie <flz@FreeBSD.org> +# $FreeBSD: ports/net/openbgpd/Makefile,v 1.35 2012/12/24 12:56:29 svnexp Exp $ PORTNAME= openbgpd PORTVERSION= 5.2.20121209 @@ -8,6 +9,7 @@ MASTER_SITE_SUBDIR= OpenBGPD DISTNAME= ${PORTNAME}-4.6 EXTRACT_SUFX= .tgz DIST_SUBDIR= ${PORTNAME} +NO_STAGE= yes MAINTAINER= hrs@FreeBSD.org COMMENT= Free implementation of the Border Gateway Protocol, Version 4 @@ -15,13 +17,16 @@ COMMENT= Free implementation of the Border Gateway Protocol, Version 4 CONFLICTS= zebra-[0-9]* quagga-[0-9]* WRKSRC= ${WRKDIR} +MANCOMPRESSED= yes USE_RC_SUBR= ${PORTNAME} -PLIST_FILES= sbin/bgpctl sbin/bgpd man/man5/bgpd.conf.5.gz \ - man/man8/bgpctl.8.gz man/man8/bgpd.8.gz +PLIST_FILES= sbin/bgpctl sbin/bgpd SUB_FILES= pkg-message USERS= _bgpd GROUPS= _bgpd +MAN5= bgpd.conf.5 +MAN8= bgpctl.8 bgpd.8 + OPTIONS_DEFINE= IPV6LLPEER OPTIONS_DEFAULT=IPV6LLPEER IPV6LLPEER_DESC=Support nexthop using IPv6 link-local address diff --git a/files/openbgpd.in b/files/openbgpd.in index f1b904e..fc6642e 100644 --- a/files/openbgpd.in +++ b/files/openbgpd.in @@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: net/openbgpd/files/openbgpd.in 302141 2012-08-05 23:19:36Z dougb $ +# $FreeBSD: ports/net/openbgpd/files/openbgpd.in,v 1.2 2012/11/17 06:00:08 svnexp Exp $ # # PROVIDE: bgpd diff --git a/files/patch-bgpd_Makefile b/files/patch-bgpd_Makefile index f946c92..fc27014 100644 --- a/files/patch-bgpd_Makefile +++ b/files/patch-bgpd_Makefile 
@@ -1,11 +1,5 @@ -Index: bgpd/Makefile -=================================================================== -RCS file: /home/cvs/private/hrs/openbgpd/bgpd/Makefile,v -retrieving revision 1.1.1.2 -retrieving revision 1.9 -diff -u -p -r1.1.1.2 -r1.9 ---- bgpd/Makefile 9 Jul 2009 16:49:54 -0000 1.1.1.2 -+++ bgpd/Makefile 13 Oct 2012 18:36:00 -0000 1.9 +--- bgpd/Makefile.orig 2013-02-21 19:20:05.000000000 +0000 ++++ bgpd/Makefile 2013-02-21 19:20:54.000000000 +0000 @@ -1,15 +1,25 @@ # $OpenBSD: Makefile,v 1.28 2009/06/25 14:14:54 deraadt Exp $ @@ -17,9 +11,8 @@ diff -u -p -r1.1.1.2 -r1.9 -SRCS= bgpd.c buffer.c session.c log.c parse.y config.c imsg.c \ +SRCS= bgpd.c session.c log.c parse.y config.c \ rde.c rde_rib.c rde_decide.c rde_prefix.c mrt.c kroute.c \ -- control.c pfkey.c rde_update.c rde_attr.c printconf.c \ + control.c pfkey.c rde_update.c rde_attr.c printconf.c \ - rde_filter.c pftable.c name2id.c util.c carp.c timer.c -+ control.c pfkey_compat.c rde_update.c rde_attr.c printconf.c \ + rde_filter.c pftable.c name2id.c util.c carp.c timer.c \ + imsg.c imsg-buffer.c CFLAGS+= -Wall -I${.CURDIR} diff --git a/files/patch-bgpd_pfkey.c b/files/patch-bgpd_pfkey.c index 7ad7548..224298f 100644 --- a/files/patch-bgpd_pfkey.c +++ b/files/patch-bgpd_pfkey.c @@ -1,26 +1,41 @@ -Index: bgpd/pfkey.c -=================================================================== -RCS file: /home/cvs/private/hrs/openbgpd/bgpd/pfkey.c,v -retrieving revision 1.1.1.6 -retrieving revision 1.1.1.9 -diff -u -p -r1.1.1.6 -r1.1.1.9 ---- bgpd/pfkey.c 14 Feb 2010 20:19:57 -0000 1.1.1.6 -+++ bgpd/pfkey.c 13 Oct 2012 18:22:44 -0000 1.1.1.9 +diff -ur bgpd.orig/pfkey.c bgpd/pfkey.c +--- bgpd.orig/pfkey.c 2013-03-15 12:07:16.000000000 +0000 ++++ bgpd/pfkey.c 2013-03-15 12:07:47.000000000 +0000 
@@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.37 2009/04/21 15:25:52 henning Exp $ */ +/* $OpenBSD: pfkey.c,v 1.40 2009/12/14 17:38:18 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> -@@ -74,6 +74,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -21,7 +21,7 @@ + #include <sys/socket.h> + #include <sys/uio.h> + #include <net/pfkeyv2.h> +-#include <netinet/ip_ipsp.h> ++//#include <netinet/ip_ipsp.h> + #include <ctype.h> + #include <errno.h> + #include <limits.h> +@@ -65,15 +65,15 @@ + { + struct sadb_msg smsg; + struct sadb_sa sa; +- struct sadb_address sa_src, sa_dst, sa_peer, sa_smask, sa_dmask; ++ struct sadb_address sa_src, sa_dst; + struct sadb_key sa_akey, sa_ekey; + struct sadb_spirange sa_spirange; +- struct sadb_protocol sa_flowtype, sa_protocol; + struct iovec iov[IOV_CNT]; + ssize_t n; int len = 0; int iov_cnt; - struct sockaddr_storage ssrc, sdst, speer, smask, dmask; +- struct sockaddr_storage ssrc, sdst, speer, smask, dmask; ++ struct sockaddr_storage ssrc, sdst, smask, dmask; + struct sockaddr *saptr; if (!pid) pid = getpid(); -@@ -81,22 +82,17 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -81,22 +81,17 @@ /* we need clean sockaddr... no ports set */ bzero(&ssrc, sizeof(ssrc)); bzero(&smask, sizeof(smask)); @@ -49,7 +64,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 ssrc.ss_len = sizeof(struct sockaddr); break; default: -@@ -107,22 +103,17 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -107,22 +102,17 @@ bzero(&sdst, sizeof(sdst)); bzero(&dmask, sizeof(dmask)); 
@@ -78,7 +93,84 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 sdst.ss_len = sizeof(struct sockaddr); break; default: -@@ -220,8 +211,8 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -135,7 +125,7 @@ + smsg.sadb_msg_version = PF_KEY_V2; + smsg.sadb_msg_seq = ++sadb_msg_seq; + smsg.sadb_msg_pid = pid; +- smsg.sadb_msg_len = sizeof(smsg) / 8; ++ smsg.sadb_msg_len = PFKEY_UNIT64(sizeof(smsg)); + smsg.sadb_msg_type = mtype; + smsg.sadb_msg_satype = satype; + +@@ -143,7 +133,7 @@ + case SADB_GETSPI: + bzero(&sa_spirange, sizeof(sa_spirange)); + sa_spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; +- sa_spirange.sadb_spirange_len = sizeof(sa_spirange) / 8; ++ sa_spirange.sadb_spirange_len = PFKEY_UNIT64(sizeof(sa_spirange)); + sa_spirange.sadb_spirange_min = 0x100; + sa_spirange.sadb_spirange_max = 0xffffffff; + sa_spirange.sadb_spirange_reserved = 0; +@@ -153,11 +143,12 @@ + case SADB_DELETE: + bzero(&sa, sizeof(sa)); + sa.sadb_sa_exttype = SADB_EXT_SA; +- sa.sadb_sa_len = sizeof(sa) / 8; ++ sa.sadb_sa_len = PFKEY_UNIT64(sizeof(sa)); + sa.sadb_sa_replay = 0; + sa.sadb_sa_spi = spi; + sa.sadb_sa_state = SADB_SASTATE_MATURE; + break; ++#if 0 + case SADB_X_ADDFLOW: + case SADB_X_DELFLOW: + bzero(&sa_flowtype, sizeof(sa_flowtype)); +@@ -172,35 +163,37 @@ + sa_protocol.sadb_protocol_direction = 0; + sa_protocol.sadb_protocol_proto = 6; + break; ++#endif + } + + bzero(&sa_src, sizeof(sa_src)); + sa_src.sadb_address_exttype = SADB_EXT_ADDRESS_SRC; +- sa_src.sadb_address_len = (sizeof(sa_src) + ROUNDUP(ssrc.ss_len)) / 8; ++ sa_src.sadb_address_len = PFKEY_UNIT64(sizeof(sa_src) + ROUNDUP(ssrc.ss_len)); + + bzero(&sa_dst, sizeof(sa_dst)); + sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST; +- sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8; ++ sa_dst.sadb_address_len = PFKEY_UNIT64(sizeof(sa_dst) + ROUNDUP(sdst.ss_len)); + + sa.sadb_sa_auth = aalg; +- sa.sadb_sa_encrypt = SADB_X_EALG_AES; /* XXX */ ++ sa.sadb_sa_encrypt = ealg; /* XXX */ + + switch (mtype) { + case 
SADB_ADD: + case SADB_UPDATE: + bzero(&sa_akey, sizeof(sa_akey)); + sa_akey.sadb_key_exttype = SADB_EXT_KEY_AUTH; +- sa_akey.sadb_key_len = (sizeof(sa_akey) + +- ((alen + 7) / 8) * 8) / 8; ++ sa_akey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_akey) + ++ (PFKEY_ALIGN8(alen))); + sa_akey.sadb_key_bits = 8 * alen; + + bzero(&sa_ekey, sizeof(sa_ekey)); + sa_ekey.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; +- sa_ekey.sadb_key_len = (sizeof(sa_ekey) + +- ((elen + 7) / 8) * 8) / 8; ++ sa_ekey.sadb_key_len = PFKEY_UNIT64(sizeof(sa_ekey) + ++ (PFKEY_ALIGN8(elen))); + sa_ekey.sadb_key_bits = 8 * elen; + + break; ++#if 0 + case SADB_X_ADDFLOW: + case SADB_X_DELFLOW: + /* sa_peer always points to the remote machine */ +@@ -220,8 +213,8 @@ sa_dst.sadb_address_exttype = SADB_X_EXT_DST_FLOW; bzero(&smask, sizeof(smask)); @@ -89,7 +181,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 smask.ss_len = sizeof(struct sockaddr_in); smask.ss_family = AF_INET; memset(&((struct sockaddr_in *)&smask)->sin_addr, -@@ -233,7 +224,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -233,7 +226,7 @@ htons(0xffff); } break; @@ -98,7 +190,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 smask.ss_len = sizeof(struct sockaddr_in6); smask.ss_family = AF_INET6; memset(&((struct sockaddr_in6 *)&smask)->sin6_addr, -@@ -247,8 +238,8 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -247,8 +240,8 @@ break; } bzero(&dmask, sizeof(dmask)); @@ -109,7 +201,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 dmask.ss_len = sizeof(struct sockaddr_in); dmask.ss_family = AF_INET; memset(&((struct sockaddr_in *)&dmask)->sin_addr, -@@ -260,7 +251,7 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -260,7 +253,7 @@ htons(0xffff); } break; 
@@ -118,7 +210,57 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 dmask.ss_len = sizeof(struct sockaddr_in6); dmask.ss_family = AF_INET6; memset(&((struct sockaddr_in6 *)&dmask)->sin6_addr, -@@ -411,6 +402,33 @@ pfkey_send(int sd, uint8_t satype, uint8 +@@ -284,6 +277,7 @@ + sa_dmask.sadb_address_len = + (sizeof(sa_dmask) + ROUNDUP(dmask.ss_len)) / 8; + break; ++#endif + } + + iov_cnt = 0; +@@ -310,6 +304,7 @@ + smsg.sadb_msg_len += sa_spirange.sadb_spirange_len; + iov_cnt++; + break; ++#if 0 + case SADB_X_ADDFLOW: + /* sa_peer always points to the remote machine */ + iov[iov_cnt].iov_base = &sa_peer; +@@ -351,6 +346,7 @@ + smsg.sadb_msg_len += sa_dmask.sadb_address_len; + iov_cnt++; + break; ++#endif + } + + /* dest addr */ +@@ -380,7 +376,7 @@ + iov[iov_cnt].iov_len = sizeof(sa_akey); + iov_cnt++; + iov[iov_cnt].iov_base = akey; +- iov[iov_cnt].iov_len = ((alen + 7) / 8) * 8; ++ iov[iov_cnt].iov_len = PFKEY_ALIGN8(alen); + smsg.sadb_msg_len += sa_akey.sadb_key_len; + iov_cnt++; + } +@@ -390,14 +386,14 @@ + iov[iov_cnt].iov_len = sizeof(sa_ekey); + iov_cnt++; + iov[iov_cnt].iov_base = ekey; +- iov[iov_cnt].iov_len = ((elen + 7) / 8) * 8; ++ iov[iov_cnt].iov_len = PFKEY_ALIGN8(elen); + smsg.sadb_msg_len += sa_ekey.sadb_key_len; + iov_cnt++; + } + break; + } + +- len = smsg.sadb_msg_len * 8; ++ len = PFKEY_UNUNIT64(smsg.sadb_msg_len); + do { + n = writev(sd, iov, iov_cnt); + } while (n == -1 && (errno == EAGAIN || errno == EINTR)); +@@ -411,6 +407,33 @@ } int @@ -152,7 +294,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 pfkey_reply(int sd, u_int32_t *spip) { struct sadb_msg hdr, *msg; -@@ -418,23 +436,13 @@ pfkey_reply(int sd, u_int32_t *spip) +@@ -418,27 +441,17 @@ struct sadb_sa *sa; u_int8_t *data; ssize_t len; 
@@ -161,10 +303,7 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 - for (;;) { - if (recv(sd, &hdr, sizeof(hdr), MSG_PEEK) != sizeof(hdr)) { - log_warn("pfkey peek"); -+ do { -+ rv = pfkey_read(sd, &hdr); -+ if (rv == -1) - return (-1); +- return (-1); - } - - if (hdr.sadb_msg_seq == sadb_msg_seq && 
@@ -174,14 +313,148 @@ diff -u -p -r1.1.1.6 -r1.1.1.9 - /* not ours, discard */ - if (read(sd, &hdr, sizeof(hdr)) == -1) { - log_warn("pfkey read"); -- return (-1); ++ do { ++ rv = pfkey_read(sd, &hdr); ++ if (rv == -1) + return (-1); - } - } + } while (rv); if (hdr.sadb_msg_errno != 0) { errno = hdr.sadb_msg_errno; -@@ -730,11 +738,9 @@ pfkey_init(struct bgpd_sysdep *sysdep) +- if (errno == ESRCH) ++ if (errno == ESRCH || errno == EEXIST) + return (0); + else { + log_warn("pfkey"); +@@ -486,13 +499,8 @@ + pfkey_sa_add(struct bgpd_addr *src, struct bgpd_addr *dst, u_int8_t keylen, + char *key, u_int32_t *spi) + { +- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_GETSPI, 0, +- src, dst, 0, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) +- return (-1); +- if (pfkey_reply(fd, spi) < 0) +- return (-1); +- if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_UPDATE, 0, +- src, dst, *spi, 0, keylen, key, 0, 0, NULL, 0, 0) < 0) ++ if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_ADD, 0, ++ src, dst, *spi, SADB_X_AALG_TCP_MD5, keylen, key, SADB_EALG_NONE, 0, NULL, 0, 0) < 0) + return (-1); + if (pfkey_reply(fd, NULL) < 0) + return (-1); +@@ -503,7 +511,7 @@ + pfkey_sa_remove(struct bgpd_addr *src, struct bgpd_addr *dst, u_int32_t *spi) + { + if (pfkey_send(fd, SADB_X_SATYPE_TCPSIGNATURE, SADB_DELETE, 0, +- src, dst, *spi, 0, 0, NULL, 0, 0, NULL, 0, 0) < 0) ++ src, dst, *spi, SADB_X_AALG_TCP_MD5, 0, NULL, 0, 0, NULL, 0, 0) < 0) + return (-1); + if (pfkey_reply(fd, NULL) < 0) + return (-1); +@@ -511,37 +519,37 @@ + return (0); + } + ++#define TCP_SIG_SPI 0x1000 + int + pfkey_md5sig_establish(struct peer *p) + { + sleep(1); + +- if (!p->auth.spi_out) +- if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr, +- p->conf.auth.md5key_len, p->conf.auth.md5key, +- &p->auth.spi_out) == -1) +- return (-1); +- if (!p->auth.spi_in) +- if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr, +- p->conf.auth.md5key_len, p->conf.auth.md5key, +- &p->auth.spi_in) == -1) +- return (-1); 
++ p->auth.spi_out = htonl(TCP_SIG_SPI); ++ if (pfkey_sa_add(&p->auth.local_addr, &p->conf.remote_addr, ++ p->conf.auth.md5key_len, p->conf.auth.md5key, ++ &p->auth.spi_out) == -1) ++ return (-1); ++ p->auth.spi_in = htonl(TCP_SIG_SPI); ++ if (pfkey_sa_add(&p->conf.remote_addr, &p->auth.local_addr, ++ p->conf.auth.md5key_len, p->conf.auth.md5key, ++ &p->auth.spi_out) == -1) ++ return (-1); + + p->auth.established = 1; + return (0); + } ++#undef TCP_SIG_SPI + + int + pfkey_md5sig_remove(struct peer *p) + { +- if (p->auth.spi_out) +- if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr, +- &p->auth.spi_out) == -1) +- return (-1); +- if (p->auth.spi_in) +- if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr, +- &p->auth.spi_in) == -1) +- return (-1); ++ if (pfkey_sa_remove(&p->auth.local_addr, &p->conf.remote_addr, ++ &p->auth.spi_out) == -1) ++ return (-1); ++ if (pfkey_sa_remove(&p->conf.remote_addr, &p->auth.local_addr, ++ &p->auth.spi_in) == -1) ++ return (-1); + + p->auth.established = 0; + return (0); +@@ -550,6 +558,7 @@ + int + pfkey_ipsec_establish(struct peer *p) + { ++#if 0 + uint8_t satype = SADB_SATYPE_ESP; + + switch (p->auth.method) { +@@ -621,6 +630,9 @@ + + p->auth.established = 1; + return (0); ++#else ++ return (-1); ++#endif + } + + int +@@ -660,6 +672,7 @@ + break; + } + ++#if 0 + if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_OUT, + &p->auth.local_addr, &p->conf.remote_addr, 0, BGP_PORT) < 0) + return (-1); +@@ -681,6 +694,7 @@ + if (pfkey_flow(fd, satype, SADB_X_DELFLOW, IPSP_DIRECTION_IN, + &p->conf.remote_addr, &p->auth.local_addr, BGP_PORT, 0) < 0) + return (-1); ++#endif + if (pfkey_reply(fd, NULL) < 0) + return (-1); + +@@ -715,9 +729,7 @@ + int + pfkey_remove(struct peer *p) + { +- if (!p->auth.established) +- return (0); +- else if (p->auth.method == AUTH_MD5SIG) ++ if (p->auth.method == AUTH_MD5SIG) + return (pfkey_md5sig_remove(p)); + else + return (pfkey_ipsec_remove(p)); +@@ -730,11 +742,9 @@ if (errno == 
EPROTONOSUPPORT) { log_warnx("PF_KEY not available, disabling ipsec"); sysdep->no_pfkey = 1; diff --git a/files/patch-bgpd_session.c b/files/patch-bgpd_session.c index d043c44..66c05a9 100644 --- a/files/patch-bgpd_session.c +++ b/files/patch-bgpd_session.c @@ -123,7 +123,7 @@ diff -u -p -r1.1.1.8 -r1.13 + int s; + + /* Check if TCP_MD5SIG is supported. */ -+ s = socket(PF_LOCAL, SOCK_STREAM, 0); ++ s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + if (s < 0) + fatal("socket open for TCP_MD5SIG check"); + opt = TF_SIGNATURE; >Release-Note: >Audit-Trail: >Unformatted:
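Review bot: The top-level Makefile hunks read like a wholesale import of an older copy rather than changes needed for TCP MD5: the file mode goes from 100644 to 100755, the $FreeBSD$ line goes back from the 2013-10-17 svn id to a 2012/12/24 CVS-style id, and the man pages move out of PLIST_FILES into MAN5/MAN8 with MANCOMPRESSED and NO_STAGE=yes added. I would drop the mode change and the id/header churn (files/openbgpd.in shows the same id regression) and leave the man page handling as it was, so the patch carries only the pfkey.c and session.c changes.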
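Review bot: In pfkey_reply(), `if (errno == ESRCH || errno == EEXIST) return (0);` now reports success when the SA is already present, while pfkey_sa_add() has become a single SADB_ADD on the fixed SPI 0x1000. If an SA for that address pair already exists with a different key (a leftover setkey entry, or an md5key that was changed in the configuration), the add is skipped without any message and the previously installed key stays in place. Suggest deleting the existing SA before the SADB_ADD, or at least logging the EEXIST case, so a key mismatch is visible to the operator.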
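Review bot: In pfkey_md5sig_establish(), the second pfkey_sa_add() call (remote_addr to local_addr) is passed &p->auth.spi_out even though the line just above it sets p->auth.spi_in. Both fields hold htonl(TCP_SIG_SPI), so the outcome is the same today, but it reads as a copy-paste slip and will misbehave as soon as the two SPIs differ; pass &p->auth.spi_in for the inbound SA.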
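Review bot: pfkey_remove() loses its `if (!p->auth.established) return (0);` guard, so every peer whose method is not AUTH_MD5SIG, including one for which nothing was ever established, now falls through to pfkey_ipsec_remove(). In that function the SADB_X_DELFLOW calls are wrapped in #if 0 but the pfkey_reply(fd, NULL) right after the new #endif is kept, so it waits for a reply with no request in front of it in the lines shown. Keep the established check (or return early for non-MD5 methods), and have pfkey_ipsec_establish() log why it now returns -1 instead of failing silently; the `//#include <netinet/ip_ipsp.h>` line would also be cleaner as an #ifdef or a plain removal.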