Use the specified path to open the zebra API socket on.
The default is \fB\fI@CFG_STATE@/zserv.api\fR. This option must be given with
the same value to all FRR protocol daemons.
-
-For debugging purposes (using tcpdump or wireshark to trace cross-daemon
-communication), a TCP socket can be used by specifying \fI@tcp[46][:port]\fR.
-It is intentionally not possible to bind this to anything other than localhost
-since zebra and the other daemons need to be running on the same host. Using
-this feature \fBCREATES A SECURITY ISSUE\fR since nothing prevents other users
-on the local system from connecting to zebra and injecting bogus routing
-information.
.TP
\fB\-v\fR, \fB\-\-version\fR
Print the version and exit.
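Review bot: with the `@tcp[46][:port]` paragraph removed, the option description no longer mentions TCP at all, so an operator who passes an `@tcp` value taken from older documentation gets no explanation of why it stopped working. Consider keeping one sentence that says only a UNIX socket path is accepted and that the TCP form is compiled out, for the reason the removed text already gave: nothing prevents other local users from connecting to zebra and injecting bogus routing information.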
path = ZEBRA_SERV_PATH;
if (!strncmp(path, ZAPI_TCP_PATHNAME, strlen(ZAPI_TCP_PATHNAME))) {
+ /* note: this functionality is disabled at bottom */
int af;
int port = ZEBRA_PORT;
char *err = NULL;
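Review bot: the added comment at the top of the `ZAPI_TCP_PATHNAME` branch says the functionality is "disabled at bottom" without saying by what. Name the `#if 1` block at the end of this branch so a reader can find the switch. Because the branch now always ends in `return false`, the comment could also state that the code using `af`, `port` and `err` is kept only for development builds.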
#endif
break;
}
+
+#if 1
+ /* force-disable this path, because tcp-zebra is a
+ * SECURITY ISSUE. there are no checks at all against
+ * untrusted users on the local system connecting on TCP
+ * and injecting bogus routing data into the entire routing
+ * domain.
+ *
+ * The functionality is only left here because it may be
+ * useful during development, in order to be able to get
+ * tcpdump or wireshark watching ZAPI as TCP. If you want
+ * to do that, flip the #if 1 above to #if 0. */
+ memset(sa, 0, sizeof(*sa));
+ return false;
+#endif
} else {
/* "sun" is a #define on solaris */
struct sockaddr_un *suna = (struct sockaddr_un *)sa;
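Review bot: the `#if 1` guard in front of `memset(sa, 0, sizeof(*sa)); return false;` is an unnamed switch that can only be changed by editing this file, which makes it hard to audit whether a given build has TCP ZAPI enabled. A named build-time macro would be greppable and would let a development build turn the path on without a local source change. The disabled path also returns false with no message in the added lines, so logging that `@tcp` paths are refused, and why, would make the failure understandable to whoever passed the option.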