From 976cbf73571b97a021f1863e8910152e59a7152e Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Wed, 18 Sep 2024 02:25:16 -0500
Subject: [PATCH 01/14] Starting to split out OpenBSD tcpmd5.
---
 stages/util_openbsd.go | 34 ++++++++++++++++++++++++++++++++++
 stages/util_unsupported.go | 2 +-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 stages/util_openbsd.go
diff --git a/stages/util_openbsd.go b/stages/util_openbsd.go
new file mode 100644
index 0000000..18b5806
--- /dev/null
+++ b/stages/util_openbsd.go
@@ -0,0 +1,34 @@
+//go:build openbsd
+
+package stages
+
+import (
+ "syscall"
+ "golang.org/x/sys/unix"
+)
+
+func tcp_md5(md5pass string) func(net, addr string, c syscall.RawConn) error {
+ if len(md5pass) == 0 {
+ return nil
+ }
+
+ return func(net, addr string, c syscall.RawConn) error {
+
+ // * Check whether the tcpmd5 SA already exists
+ // * If it doesn't, create a temporary file that can be used to load rules
+ // * Execute ipsecctl -f /path/to/file to load the sa
+
+ // setsockopt
+ var err error
+ c.Control(func(fd uintptr) {
+
+ /*
+ Future: 0x04 comes from https://github.com/openbsd/src/blob/master/sys/netinet/tcp.h#L217
+ While it is unlikely to change, looking it up would be better rather than having it hardcoded.
+ */
+
+ err = unix.SetsockoptString(int(fd), unix.IPPROTO_TCP, 0x04, string("tcpmd5string"))
+ })
+ return err
+ }
+}
diff --git a/stages/util_unsupported.go b/stages/util_unsupported.go
index 4760d85..358bd24 100644
--- a/stages/util_unsupported.go
+++ b/stages/util_unsupported.go
@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build (!linux && !openbsd)
 package stages
From 17538023dba26de8e5680cbef9277a7035fc6d39 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Wed, 18 Sep 2024 02:32:25 -0500
Subject: [PATCH 02/14] Some minor comments as I work through this.
---
 stages/util_openbsd.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
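Review bot: The return value of `c.Control(...)` is dropped, so if the control callback is never invoked `err` stays nil and the dial presumably proceeds with an unsigned session — the fail-open direction for an option whose job is peer authentication; `if cerr := c.Control(func(fd uintptr) { ... }); cerr != nil { return cerr }` keeps that failure visible. `md5pass` is only consulted for the empty check while the option payload is the literal `"tcpmd5string"`, so the key the caller supplies never reaches the kernel. On OpenBSD the TCP_MD5SIG option is a boolean that enables signing and the key itself lives in the tcpmd5 SA the TODO comment plans to load with ipsecctl, so the call should most likely be `unix.SetsockoptInt(int(fd), unix.IPPROTO_TCP, 0x04, 1)`; x/sys/unix exports that constant for OpenBSD as `unix.TCP_MD5SIG` if I remember right, which would retire the hardcoded `0x04`. `string("tcpmd5string")` is also a no-op conversion.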
diff --git a/stages/util_openbsd.go b/stages/util_openbsd.go
index 18b5806..fe8d3a4 100644
--- a/stages/util_openbsd.go
+++ b/stages/util_openbsd.go
@@ -15,8 +15,13 @@ func tcp_md5(md5pass string) func(net, addr string, c syscall.RawConn) error {
 return func(net, addr string, c syscall.RawConn) error {
 // * Check whether the tcpmd5 SA already exists
- // * If it doesn't, create a temporary file that can be used to load rules
- // * Execute ipsecctl -f /path/to/file to load the sa
+ // * If it doesn't, depending on flags:
+ // * return an error and docs around setting up the sa.
+ // or
+ // * create a temporary file that can be used to load rules
+ // * Execute ipsecctl -f /path/to/file to load the sa
+
+ // https://blog.habets.se/2019/11/TCP-MD5.html
+ // setsockopt
 var err error
From 8288fda7375440d1814dc5191ca79a4fe633613b Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Mon, 14 Oct 2024 20:29:28 -0500
Subject: [PATCH 03/14] Adding .build.yml for sr.ht pipeline.
---
 .build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .build.yml
diff --git a/.build.yml b/.build.yml
new file mode 100644
index 0000000..f914a7a
--- /dev/null
+++ b/.build.yml
@@ -0,0 +1,12 @@
+image: openbsd/7.5
+shell: false
+secrets:
+ - b2b00838-c8a8-441d-baaa-da121489d0bd
+sources:
+ - git@git.sr.ht:~robertkeizer/bgpipe
+packages:
+ - go
+tasks:
+ - test: |
+ cd bgpipe
+ go install .
From 17d6881b83aa6e3016af313ed46e46f8423ba996 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Mon, 14 Oct 2024 20:34:28 -0500
Subject: [PATCH 04/14] Pulling in bgpfix as well.
---
 .build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.build.yml b/.build.yml
index f914a7a..b11f5a7 100644
--- a/.build.yml
+++ b/.build.yml
@@ -4,6 +4,7 @@ secrets:
 - b2b00838-c8a8-441d-baaa-da121489d0bd
 sources:
 - git@git.sr.ht:~robertkeizer/bgpipe
+ - https://github.com/bgpfix/bgpfix.git
 packages:
 - go
 tasks:
From 691602ee8d6b7e500621aff780ce760078a4c89c Mon Sep 17 00:00:00 2001
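Review bot: The task in the new manifest is named `test` but its only commands are `cd bgpipe` and `go install .`, so the pipeline proves nothing beyond that the package compiles; `go vet ./... && go test ./...` ahead of the install would make the name honest, and nothing later in this series runs the unit tests either. The `secrets` entry is a builds.sr.ht secret id rather than the secret value, so committing it as is is fine.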
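Review bot: The new `sources` entry clones bgpfix with no ref, so each build picks up whatever the default branch points at that day; if go.mod already requires bgpfix as a versioned module the checkout is dead weight for `go install .`, and if a `replace` directive points at the sibling directory the build is no longer reproducible — which of the two applies is not visible from the manifest. Pinning with the `#ref` suffix the manifest format supports, `- https://github.com/bgpfix/bgpfix.git#<TAG-OR-COMMIT>` (placeholder), settles both cases.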
From: Robert Keizer
Date: Tue, 15 Oct 2024 14:05:58 -0500
Subject: [PATCH 05/14] Adding some basic openbgpd setup in build yaml.
---
 .build.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/.build.yml b/.build.yml
index b11f5a7..987e70c 100644
--- a/.build.yml
+++ b/.build.yml
@@ -1,5 +1,5 @@
 image: openbsd/7.5
-shell: false
+shell: true
 secrets:
 - b2b00838-c8a8-441d-baaa-da121489d0bd
 sources:
@@ -8,6 +8,27 @@ sources:
 packages:
 - go
 tasks:
- - test: |
+ - install: |
 cd bgpipe
 go install .
+ - setup_vether: |
+ ifconfig vether0 198.51.100.1 255.255.255.255 up
+ - setup_bgpd: |
+ cat </etc/bgpd.conf
+ AS 65001
+ router-id 198.51.100.1
+
+ listen on 198.51.100.1 port 179
+ network 198.51.100.0/24
+
+ neighbor 192.0.2.1 {
+ remote-as 65002
+ }
+
+ allow from 192.0.2.1
+ allow to 192.0.2.1
+ EOF
+
+ bgpd -vnf /etc/bgpd.conf
+ rcctl enable bgpd
+ rcctl start bgpd
From 6265928882f119c626ac1e84185a8f446809dcfc Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 14:09:59 -0500
Subject: [PATCH 06/14] doas for ifconfig.
---
 .build.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.build.yml b/.build.yml
index 987e70c..faa62da 100644
--- a/.build.yml
+++ b/.build.yml
@@ -12,9 +12,9 @@ tasks:
 cd bgpipe
 go install .
 - setup_vether: |
- ifconfig vether0 198.51.100.1 255.255.255.255 up
+ doas ifconfig vether0 198.51.100.1 255.255.255.0 up
 - setup_bgpd: |
- cat </etc/bgpd.conf
+ doas cat </etc/bgpd.conf
 AS 65001
 router-id 198.51.100.1
@@ -29,6 +29,6 @@ tasks:
 allow to 192.0.2.1
 EOF
- bgpd -vnf /etc/bgpd.conf
- rcctl enable bgpd
- rcctl start bgpd
+ doas bgpd -vnf /etc/bgpd.conf
+ doas rcctl enable bgpd
+ doas rcctl start bgpd
From f4729c5da8f4a59408e76d3a547d1b654e04fdcd Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 14:15:13 -0500
Subject: [PATCH 07/14] write the file, then mv with doas.
---
 .build.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
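Review bot: The `neighbor 192.0.2.1 { ... }` block in the new `setup_bgpd` task carries no `tcp md5sig password ...` (or `tcp md5sig key ...`), so the session this pipeline brings up is unsigned and the OpenBSD `tcp_md5` code this series introduces is never exercised; adding `tcp md5sig password <CONSTRUCTED-TEST-KEY>` (placeholder) there and feeding the same key to whatever bgpipe option drives `tcp_md5` would turn the task into an actual TCP-MD5 test. As rendered, `cat </etc/bgpd.conf` followed by an `EOF` terminator is not valid sh, which suggests the `<<EOF >` of the heredoc redirect was lost in page rendering — worth confirming against the committed file. `shell: true` in the first hunk, if I read the manifest option right, leaves the VM waiting for an SSH login after the run, so it should not stay in the pushed manifest once debugging is done.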
diff --git a/.build.yml b/.build.yml
index faa62da..f6e2c9e 100644
--- a/.build.yml
+++ b/.build.yml
@@ -8,13 +8,14 @@ sources:
 packages:
 - go
 tasks:
- - install: |
+ - install_bgpipe: |
 cd bgpipe
 go install .
- - setup_vether: |
+ - setup_vethers: |
 doas ifconfig vether0 198.51.100.1 255.255.255.0 up
+ doas ifconfig vether1 192.0.2.1 255.255.255.0 up
 - setup_bgpd: |
- doas cat </etc/bgpd.conf
+ cat </tmp/bgpd.conf
 AS 65001
 router-id 198.51.100.1
@@ -29,6 +30,7 @@ tasks:
 allow to 192.0.2.1
 EOF
+ doas mv /tmp/bgpd.conf /etc
 doas bgpd -vnf /etc/bgpd.conf
 doas rcctl enable bgpd
 doas rcctl start bgpd
From d247163dd2961494389a9d20e0de22921dcf44cf Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 14:39:19 -0500
Subject: [PATCH 08/14] More automated testing work.
---
 .build.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.build.yml b/.build.yml
index f6e2c9e..8e1e17b 100644
--- a/.build.yml
+++ b/.build.yml
@@ -11,9 +11,11 @@ tasks:
 - install_bgpipe: |
 cd bgpipe
 go install .
- - setup_vethers: |
+ - setup_networking: |
 doas ifconfig vether0 198.51.100.1 255.255.255.0 up
 doas ifconfig vether1 192.0.2.1 255.255.255.0 up
+ doas route -T1 add 198.51.100.0/24 192.0.2.1
+ doas route -T1 sourceaddr 192.0.2.1
 - setup_bgpd: |
 cat </tmp/bgpd.conf
 AS 65001
@@ -34,3 +36,5 @@ tasks:
 doas bgpd -vnf /etc/bgpd.conf
 doas rcctl enable bgpd
 doas rcctl start bgpd
+ - test: |
+ doas route -T1 exec /root/go/bin/bgpipe connect 198.51.100.1 stdout
From 00d7d2706dd05287f91901d08a96b4c59657e133 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:16:30 -0500
Subject: [PATCH 09/14] Slight naming changes on the interfaces; Specify right path.
---
 .build.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.build.yml b/.build.yml
index 8e1e17b..7bea643 100644
--- a/.build.yml
+++ b/.build.yml
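Review bot: `cat </tmp/bgpd.conf` creates the config at a fixed, predictable path in world-writable /tmp with the build user's umask, and `doas mv /tmp/bgpd.conf /etc` carries that ownership and mode (commonly 0644) into /etc unchanged. That is harmless while the file only holds TEST-NET addresses, but once a `tcp md5sig password` lands in it — which is where this series is heading — the key would be world-readable both before and after the move. `doas install -m 0600 -o root -g wheel /tmp/bgpd.conf /etc/bgpd.conf` (with `mktemp` for the staging path) sets owner and mode in one step.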
@@ -12,9 +12,9 @@ tasks:
 cd bgpipe
 go install .
 - setup_networking: |
- doas ifconfig vether0 198.51.100.1 255.255.255.0 up
- doas ifconfig vether1 192.0.2.1 255.255.255.0 up
- doas route -T1 add 198.51.100.0/24 192.0.2.1
+ doas ifconfig vether1 198.51.100.1 255.255.255.0 up
+ doas ifconfig vether2 192.0.2.1 255.255.255.0 up
+ doas route -T1 add default 198.51.100.1
 doas route -T1 sourceaddr 192.0.2.1
 - setup_bgpd: |
 cat </tmp/bgpd.conf
@@ -37,4 +37,4 @@ tasks:
 doas rcctl enable bgpd
 doas rcctl start bgpd
 - test: |
- doas route -T1 exec /root/go/bin/bgpipe connect 198.51.100.1 stdout
+ doas route -T1 exec /home/build/go/bin/bgpipe connect 198.51.100.1 stdout
From 9cc42b2fab27d5c9819aa657a626897aca3ea5ec Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:38:14 -0500
Subject: [PATCH 10/14] Simplifying things, just using a different port.
---
 .build.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/.build.yml b/.build.yml
index 7bea643..c61d010 100644
--- a/.build.yml
+++ b/.build.yml
@@ -13,18 +13,15 @@ tasks:
 go install .
 - setup_networking: |
 doas ifconfig vether1 198.51.100.1 255.255.255.0 up
- doas ifconfig vether2 192.0.2.1 255.255.255.0 up
- doas route -T1 add default 198.51.100.1
- doas route -T1 sourceaddr 192.0.2.1
 - setup_bgpd: |
 cat </tmp/bgpd.conf
 AS 65001
 router-id 198.51.100.1
- listen on 198.51.100.1 port 179
+ listen on 198.51.100.1 port 1790
 network 198.51.100.0/24
- neighbor 192.0.2.1 {
+ neighbor 198.51.100.1 {
 remote-as 65002
 }
@@ -37,4 +34,4 @@ tasks:
 doas rcctl enable bgpd
 doas rcctl start bgpd
 - test: |
- doas route -T1 exec /home/build/go/bin/bgpipe connect 198.51.100.1 stdout
+ /home/build/go/bin/bgpipe connect 198.51.100.1:1790 stdout
From c417b29953040a6be44158c72154d7f5ca0b3093 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:38:41 -0500
Subject: [PATCH 11/14] Fixing indent. I hate yaml.
---
 .build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.build.yml b/.build.yml
index c61d010..f5830c5 100644
--- a/.build.yml
+++ b/.build.yml
@@ -34,4 +34,4 @@ tasks:
 doas rcctl enable bgpd
 doas rcctl start bgpd
 - test: |
- /home/build/go/bin/bgpipe connect 198.51.100.1:1790 stdout
+ /home/build/go/bin/bgpipe connect 198.51.100.1:1790 stdout
From 602683405350cc2949638f688c9ee1c7843c728e Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:40:05 -0500
Subject: [PATCH 12/14] Don't need shell.
---
 .build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.build.yml b/.build.yml
index f5830c5..1f998a6 100644
--- a/.build.yml
+++ b/.build.yml
@@ -1,5 +1,5 @@
 image: openbsd/7.5
-shell: true
+shell: false
 secrets:
 - b2b00838-c8a8-441d-baaa-da121489d0bd
 sources:
From 8b19a56b464d225fee46bdb95f105af4da5ccd33 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:40:41 -0500
Subject: [PATCH 13/14] Use proper IP in all locations.
---
 .build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.build.yml b/.build.yml
index 1f998a6..9375e65 100644
--- a/.build.yml
+++ b/.build.yml
@@ -25,8 +25,8 @@ tasks:
 remote-as 65002
 }
- allow from 192.0.2.1
- allow to 192.0.2.1
+ allow from 198.51.100.1
+ allow to 198.51.100.1
 EOF
 doas mv /tmp/bgpd.conf /etc
From 6aca99be0fd35adfb0bdd7ee5e26e6847e5a52b8 Mon Sep 17 00:00:00 2001
From: Robert Keizer
Date: Tue, 15 Oct 2024 15:43:20 -0500
Subject: [PATCH 14/14] Didn't need the port after all.. duh.
---
 .build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.build.yml b/.build.yml
index 9375e65..de5ede4 100644
--- a/.build.yml
+++ b/.build.yml
@@ -18,7 +18,7 @@ tasks:
 AS 65001
 router-id 198.51.100.1
- listen on 198.51.100.1 port 1790
+ listen on 198.51.100.1
 network 198.51.100.0/24
 neighbor 198.51.100.1 {
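Review bot: With the port dropped, bgpd listens on 198.51.100.1:179 while its only `neighbor` is 198.51.100.1 itself, so bgpd's own active connect will reach its own listener and the two ends will reject each other's OPEN (`remote-as 65002` against local `AS 65001`), leaving a notification/retry loop in the logs alongside bgpipe's session. Adding `passive` inside the `neighbor 198.51.100.1 { ... }` block keeps bgpd waiting for bgpipe instead; bgpipe's OPEN will still have to announce AS 65002 for the session to establish, which I cannot confirm from the manifest. The `neighbor` block continues outside the hunk.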
@@ -34,4 +34,4 @@ tasks:
 doas rcctl enable bgpd
 doas rcctl start bgpd
 - test: |
- /home/build/go/bin/bgpipe connect 198.51.100.1:1790 stdout
+ /home/build/go/bin/bgpipe connect 198.51.100.1 stdout
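Review bot: The `test` task's only command is `bgpipe connect 198.51.100.1 stdout` and nothing inspects its output, so the pipeline passes whenever the process exits zero, and if the session simply stays up the task never ends on its own — only the manifest-level timeout stops it. Bounding and checking it, e.g. `timeout 30 /home/build/go/bin/bgpipe connect 198.51.100.1 stdout | tee bgpipe.out` followed by a `grep` for the OPEN or KEEPALIVE the test expects to see, would make this a real check (OpenBSD base ships timeout(1) on 7.5, if I recall correctly); whether bgpipe has its own exit-after-N option I cannot tell from here. Note also that across the whole series no task runs `go test ./...`.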