NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | SEE ALSO
/etc/tsolgateways
The /etc/tsolgateways file is used to configure static routes for a host. At system startup, if /etc/tsolgateways exists, its contents are used to set up static routes. If /etc/tsolgateways does not exist, /etc/defaultrouter is checked. If /etc/defaultrouter exists, its contents are used to set up static routes. If neither /etc/tsolgateways nor /etc/defaultrouter exists, then the host uses dynamic routing. For dynamic routing, if in.rdisc(1M) exists, it is used. If the program file /usr/sbin/in.rdisc does not exist, in.routed(1M) is used.
The tsolgateways file differs from the defaultrouter file in several ways. The latter can be used only to specify default gateways along with simple metrics that indicate the hop count to the destination. tsolgateways can be used not only to specify default gateways but also to specify gateways for specific hosts and networks. Host and network routing entries in tsolgateways can be specified with an optional emetric that includes security attributes associated with the route. The emetric is used for trusted routing through the shortest route to a destination through gateways whose security level matches the sensitivity of the data being sent out. The emetric is made up of the simple metric plus additional security routing information (SRI). The SRI includes a sensitivity label range and other optional keywords described below.
The format of /etc/tsolgateways is shown below:
default [ gateway [ args ]] [ extended_metric ]
or
[ net | host ] destination [ gateway [ args ]] [ -m emetric ]
or
[ net | host ] destination [ gateway [ args ]] [ metric ]
where:
destination
    Is the IP address of the network.
gateway
    Is the IP address or hostname of the gateway. If a hostname is used, it must be in the /etc/hosts file. Any destination host(s), network(s), and gateway(s) must be specified with an appropriate host type and template in the local or NIS+ versions of the tnrhdb/tnrhtp databases.
metric
    Is an integer representing the number of hops to the destination network. This option is supported for backward compatibility.
emetric
    Combines the metric and the SRI of a route, as described below.
The first form uses the default keyword to specify a default gateway through which packets are routed if the destination does not match another route specified in the file. If no default is specified and no match can be found among the host or network entries, the packet is dropped.
The third form uses either the net or host keywords to set up a route to a specific network or host using a simple metric. This form is obsolete.
The second form is like the third form but it uses the -m option to specify the emetric. The emetric is specified in the following form (with the single line shown as two for readability):
metric=val,min_sl=val,max_sl=val,doi=val,ripso_label=val,
ripso_error=val,ripso_only,cipso_only,msix_only
If val contains a space, the space must be protected by double quotes around the value.
The keywords to be used for the emetric are described below:
metric=val
    Specify an integer from 0 to 15 for the number of hops to the destination. Mandatory.
min_sl=val, max_sl=val
    Specify a sensitivity label in either hexadecimal or string form. Mandatory.
doi=val
    Specify a nonzero integer corresponding to a CIPSO domain of interpretation. If this keyword is specified, do not specify ripso_label, ripso_error, ripso_only, or msix_only.
ripso_label=val
    Specify the classification, followed by a space, followed by a list of protection authority flags (PAF) separated by semicolons (;). The classification and the PAF flags can be specified either in hexadecimal or string form. The supported classifications are TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED. The PAF flags (also referred to as the Send PAF) are GENSER, SIOP-ESI, SCI, NSA, and DOE. If this keyword is specified, ripso_error is required. If this keyword is specified, do not specify doi, cipso_only, or msix_only.
ripso_error=val
    Specify a list of protection flags separated by semicolons (;) in either hexadecimal or string form. The supported PAF flags (also referred to as the Return PAF) are GENSER, SIOP-ESI, SCI, NSA, and DOE. If this keyword is specified, ripso_label is required. If this keyword is specified, do not specify doi, cipso_only, or msix_only.
ripso_only
    Specify without a value. If a SUN_RIPSO gateway is involved in a route, use this keyword to indicate that a route can only forward packets having RIPSO labels. If this keyword is specified, ripso_error and ripso_label are required. If this keyword is specified, do not specify doi, cipso_only, or msix_only.
cipso_only
    Specify without a value. If a SUN_CIPSO gateway is involved in a route, use this keyword to indicate that a route can only forward packets having CIPSO labels. If this keyword is specified, a doi is required. If this keyword is specified, do not specify ripso_label, ripso_error, ripso_only, or msix_only.
msix_only
    Specify without a value. If a SUN_MSIX gateway is involved in a route, use this keyword to indicate that a route can only forward packets having MSIX labels. If this keyword is specified, do not specify doi, ripso_label, ripso_error, ripso_only, or cipso_only.
The first two lines in the following example show a default and a network entry, each with a simple metric. The third line shows an entry for a network that specifies the gateway name as chastain-118 and the metric as 2, and that assigns an SRI with a label range from UNCLASSIFIED to CONFIDENTIAL, a ripso label of CONFIDENTIAL GENSER, and a ripso error of GENSER. The fourth line is an entry for a host with the IP address 126.180.101.3. The host entry specifies a gateway called trusted, with a label range of TOP SECRET to TOP SECRET, a cipso doi of 1, and the optional keyword cipso_only. (The long lines are broken because they do not fit on a single line.)
default 126.180.117.1 1
net 126.180.113.0 chastain 1
net 126.180.116.0 chastain-118 -m metric=2,min_sl="UNCLASSIFIED",
    max_sl="CONFIDENTIAL",ripso_label="CONFIDENTIAL GENSER",
    ripso_error="GENSER"
host 126.180.101.3 trusted -m metric=3,min_sl="TOP SECRET",max_sl="TOP SECRET",
    doi=1,cipso_only
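The following parser is an added illustration and is not Solaris code: it reads the three entry forms from the synopsis and enforces the emetric keyword rules exactly as the descriptions above state them (mandatory metric, min_sl and max_sl; metric 0 to 15; nonzero doi; the "requires" and "do not specify" pairings). It assumes shell-style double quoting for values containing spaces, which is what shlex implements, and the SAMPLE text is a constructed copy of the example entries with the broken lines rejoined. Besides parsing, emetric_error() gives a defender a quick way to check an SRI for contradictory keywords before it reaches a routing table.

```python
"""Parser and validator for the /etc/tsolgateways format described above.

Added illustration, not Solaris code: it implements the three entry forms
and the emetric keyword rules as the man page text states them.
"""
import shlex

FLAG_KEYWORDS = {"ripso_only", "cipso_only", "msix_only"}
VALUE_KEYWORDS = {"metric", "min_sl", "max_sl", "doi", "ripso_label", "ripso_error"}
MANDATORY = ("metric", "min_sl", "max_sl")

# keyword -> keywords that must not appear with it (from the keyword descriptions)
EXCLUDES = {
    "doi": {"ripso_label", "ripso_error", "ripso_only", "msix_only"},
    "ripso_label": {"doi", "cipso_only", "msix_only"},
    "ripso_error": {"doi", "cipso_only", "msix_only"},
    "ripso_only": {"doi", "cipso_only", "msix_only"},
    "cipso_only": {"ripso_label", "ripso_error", "ripso_only", "msix_only"},
    "msix_only": {"doi", "ripso_label", "ripso_error", "ripso_only", "cipso_only"},
}
# keyword -> keywords that must also be present
REQUIRES = {
    "ripso_label": {"ripso_error"},
    "ripso_error": {"ripso_label"},
    "ripso_only": {"ripso_label", "ripso_error"},
    "cipso_only": {"doi"},
}

# Constructed sample input: the man page's example entries, long lines rejoined.
SAMPLE = """\
default 126.180.117.1 1
net 126.180.113.0 chastain 1
net 126.180.116.0 chastain-118 -m metric=2,min_sl="UNCLASSIFIED",max_sl="CONFIDENTIAL",ripso_label="CONFIDENTIAL GENSER",ripso_error="GENSER"
host 126.180.101.3 trusted -m metric=3,min_sl="TOP SECRET",max_sl="TOP SECRET",doi=1,cipso_only
"""


def parse_emetric(text):
    """Parse 'k=v,...,flag' (quotes already removed by shlex) and enforce the rules."""
    emetric = {}
    for item in text.split(","):
        key, sep, val = item.partition("=")
        if key in FLAG_KEYWORDS:
            if sep:
                raise ValueError(f"{key} takes no value")
            emetric[key] = True
        elif key in VALUE_KEYWORDS:
            if not val:
                raise ValueError(f"{key} needs a value")
            emetric[key] = val
        else:
            raise ValueError(f"unknown emetric keyword {key!r}")
    for key in MANDATORY:
        if key not in emetric:
            raise ValueError(f"mandatory keyword {key} missing")
    emetric["metric"] = int(emetric["metric"])
    if not 0 <= emetric["metric"] <= 15:
        raise ValueError("metric must be an integer from 0 to 15")
    if "doi" in emetric:
        emetric["doi"] = int(emetric["doi"])
        if emetric["doi"] == 0:
            raise ValueError("doi must be a nonzero integer")
    present = set(emetric)
    for key in sorted(present):
        clash = EXCLUDES.get(key, set()) & present
        if clash:
            raise ValueError(f"{key} cannot be combined with {sorted(clash)}")
        missing = REQUIRES.get(key, set()) - present
        if missing:
            raise ValueError(f"{key} requires {sorted(missing)}")
    return emetric


def parse_line(line):
    """Parse one entry into a dict; returns None for a blank line."""
    tokens = shlex.split(line)          # honours double quotes around values with spaces
    if not tokens:
        return None
    route = {"kind": tokens[0], "destination": None, "gateway": None,
             "args": [], "metric": None, "emetric": None}
    if tokens[0] == "default":
        rest = tokens[1:]
    elif tokens[0] in ("net", "host"):
        if len(tokens) < 2:
            raise ValueError(f"{tokens[0]} entry needs a destination")
        route["destination"] = tokens[1]
        rest = tokens[2:]
    else:
        raise ValueError(f"unknown entry type {tokens[0]!r}")
    if "-m" in rest:                    # second form: -m emetric
        i = rest.index("-m")
        if i != len(rest) - 2:
            raise ValueError("-m must be followed by exactly one emetric")
        route["emetric"] = parse_emetric(rest[i + 1])
        rest = rest[:i]
    elif rest and rest[-1].isdigit():   # first/third form: simple hop-count metric
        route["metric"] = int(rest.pop())
    if rest:                            # optional gateway followed by its args
        route["gateway"], route["args"] = rest[0], rest[1:]
    return route


def parse_tsolgateways(text):
    """Parse a whole file's contents into a list of route dicts."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def emetric_error(text):
    """Return the validation message for an emetric string, or None if it is valid."""
    try:
        parse_emetric(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for route in parse_tsolgateways(SAMPLE):
        print(route)
```

Running the block prints one dict per entry of the sample; feeding emetric_error() a string such as metric=2,min_sl=A,max_sl=B,doi=1,ripso_only reports the doi/ripso_only conflict described in the keyword table.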