When an incoming connection is received from a neighbor that is configured but

is not activated for any address-family, the connection is accepted without
taking further action. This causes the connection to hang in OpenSent on the
neighbor and can in turn delay the connection setup. Fix to reject incoming
connections when there is no address-family activated for the neighbor.

diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index d2ccec0e7040a96937f8718a67f9850d39912b09..9388bc397b48d4426486449370dae898e6753d2f 100644 (file)
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -282,6 +282,16 @@ bgp_accept (struct thread *thread)
       return -1;
     }
 
+  /* Check that at least one AF is activated for the peer. */
+  if (!peer_active (peer1))
+    {
+      if (bgp_debug_neighbor_events(peer1))
+        zlog_debug ("%s - incoming conn rejected - no AF activated for peer",
+                    peer1->host);
+      close (bgp_sock);
+      return -1;
+    }
+
   if (bgp_debug_neighbor_events(peer1))
     zlog_debug ("[Event] BGP connection from host %s", inet_sutop (&su, buf));