bfdd: bind VRF sockets to devices
authorRafael Zalamena <rzalamena@opensourcerouting.org>
Tue, 15 Oct 2019 17:56:27 +0000 (14:56 -0300)
committerRafael Zalamena <rzalamena@opensourcerouting.org>
Tue, 15 Oct 2019 17:59:10 +0000 (14:59 -0300)
Always bind the created sockets to their respective VRF devices. With
this it should be possible to run BFD on VRFs without needing to weaken
security by setting `net.ipv4.udp_l3mdev_accept=1`.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
bfdd/bfd.c
bfdd/bfd.h
bfdd/bfd_packet.c

index a7ca85aa9814e748de7156d5db21e2aad37b2964..948a94007d12465596f9e3201a9b47911650764f 100644 (file)
@@ -1649,17 +1649,17 @@ static int bfd_vrf_enable(struct vrf *vrf)
        if (vrf->vrf_id == VRF_DEFAULT ||
            vrf_get_backend() == VRF_BACKEND_NETNS) {
                if (!bvrf->bg_shop)
-                       bvrf->bg_shop = bp_udp_shop(vrf->vrf_id);
+                       bvrf->bg_shop = bp_udp_shop(vrf);
                if (!bvrf->bg_mhop)
-                       bvrf->bg_mhop = bp_udp_mhop(vrf->vrf_id);
+                       bvrf->bg_mhop = bp_udp_mhop(vrf);
                if (!bvrf->bg_shop6)
-                       bvrf->bg_shop6 = bp_udp6_shop(vrf->vrf_id);
+                       bvrf->bg_shop6 = bp_udp6_shop(vrf);
                if (!bvrf->bg_mhop6)
-                       bvrf->bg_mhop6 = bp_udp6_mhop(vrf->vrf_id);
+                       bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
                if (!bvrf->bg_echo)
-                       bvrf->bg_echo = bp_echo_socket(vrf->vrf_id);
+                       bvrf->bg_echo = bp_echo_socket(vrf);
                if (!bvrf->bg_echov6)
-                       bvrf->bg_echov6 = bp_echov6_socket(vrf->vrf_id);
+                       bvrf->bg_echov6 = bp_echov6_socket(vrf);
 
                /* Add descriptors to the event loop. */
                if (!bvrf->bg_ev[0])
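Review bot: The six calls changed here still sit under the `vrf->vrf_id == VRF_DEFAULT || vrf_get_backend() == VRF_BACKEND_NETNS` test at the top of the hunk, so as far as these lines show, the device-bound sockets are only created for the default VRF or under the netns backend. `net.ipv4.udp_l3mdev_accept` concerns l3mdev (VRF-lite) devices, which is the case this guard appears to exclude. Unless another branch outside the hunk opens sockets for those VRFs, the binding does not reach the configuration the commit message describes. If the guard is intentional, a comment above it would help, e.g. `/* VRF-lite, non-default VRF: no per-VRF sockets are opened here; see <where they are created>. */`. bfd_vrf_enable starts and ends outside the hunk, so this needs checking against the full function.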
index a817014c75a018b6b1b79a85331c421ee008c3fc..3b81d7e12f6ef7097d2ad840d901fa0ed047fe25 100644 (file)
@@ -461,14 +461,14 @@ int bp_set_tosv6(int sd, uint8_t value);
 int bp_set_tos(int sd, uint8_t value);
 int bp_bind_dev(int sd, const char *dev);
 
-int bp_udp_shop(vrf_id_t vrf_id);
-int bp_udp_mhop(vrf_id_t vrf_id);
-int bp_udp6_shop(vrf_id_t vrf_id);
-int bp_udp6_mhop(vrf_id_t vrf_id);
+int bp_udp_shop(const struct vrf *vrf);
+int bp_udp_mhop(const struct vrf *vrf);
+int bp_udp6_shop(const struct vrf *vrf);
+int bp_udp6_mhop(const struct vrf *vrf);
 int bp_peer_socket(const struct bfd_session *bs);
 int bp_peer_socketv6(const struct bfd_session *bs);
-int bp_echo_socket(vrf_id_t vrf_id);
-int bp_echov6_socket(vrf_id_t vrf_id);
+int bp_echo_socket(const struct vrf *vrf);
+int bp_echov6_socket(const struct vrf *vrf);
 
 void ptm_bfd_snd(struct bfd_session *bfd, int fbit);
 void ptm_bfd_echo_snd(struct bfd_session *bfd);
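Review bot: The new prototypes take a `const struct vrf *` that the visible implementations dereference without a check, and the header does not state that contract. A short comment above the group would record it, e.g. `/* Listening sockets: opened in vrf->vrf_id and bound to the device named vrf->name; vrf must not be NULL. */`. `bp_peer_socket()` and `bp_peer_socketv6()` keep their signatures, so the same comment should say whether the per-session sockets are device-bound as well; that cannot be told from this hunk.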
index 7fbe6db163ac95ee446efec8af283540caff709e..2de3bb47070820562409a103921cbc36ae68b48b 100644 (file)
@@ -890,12 +890,13 @@ static void bp_bind_ip(int sd, uint16_t port)
                log_fatal("bind-ip: bind: %s", strerror(errno));
 }
 
-int bp_udp_shop(vrf_id_t vrf_id)
+int bp_udp_shop(const struct vrf *vrf)
 {
        int sd;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               sd = vrf_socket(AF_INET, SOCK_DGRAM, PF_UNSPEC, vrf_id, NULL);
+               sd = vrf_socket(AF_INET, SOCK_DGRAM, PF_UNSPEC, vrf->vrf_id,
+                               vrf->name);
        }
        if (sd == -1)
                log_fatal("udp-shop: socket: %s", strerror(errno));
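Review bot: A failed device bind would now be reported as `udp-shop: socket: ...` and end the daemon through `log_fatal()`, assuming `vrf_socket()` does the bind to `vrf->name` itself and returns -1 when it fails (its body is not part of this diff). Naming the VRF makes that case diagnosable: `log_fatal("udp-shop: socket/bind (vrf %s): %s", vrf->name, strerror(errno));`. The same applies to the `bp_udp_mhop`, `bp_udp6_shop`, `bp_udp6_mhop`, `bp_echo_socket` and `bp_echov6_socket` hunks below. Because the failure is fatal, it is also worth confirming that `vrf_socket()` does not attempt a bind for the default VRF's name, and that `bglobal.bfdd_privs` grants the capability a device bind requires. The rest of bp_udp_shop, up to `return sd`, lies outside this hunk.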
@@ -905,12 +906,13 @@ int bp_udp_shop(vrf_id_t vrf_id)
        return sd;
 }
 
-int bp_udp_mhop(vrf_id_t vrf_id)
+int bp_udp_mhop(const struct vrf *vrf)
 {
        int sd;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               sd = vrf_socket(AF_INET, SOCK_DGRAM, PF_UNSPEC, vrf_id, NULL);
+               sd = vrf_socket(AF_INET, SOCK_DGRAM, PF_UNSPEC, vrf->vrf_id,
+                               vrf->name);
        }
        if (sd == -1)
                log_fatal("udp-mhop: socket: %s", strerror(errno));
@@ -1117,12 +1119,13 @@ static void bp_bind_ipv6(int sd, uint16_t port)
                log_fatal("bind-ipv6: bind: %s", strerror(errno));
 }
 
-int bp_udp6_shop(vrf_id_t vrf_id)
+int bp_udp6_shop(const struct vrf *vrf)
 {
        int sd;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               sd = vrf_socket(AF_INET6, SOCK_DGRAM, PF_UNSPEC, vrf_id, NULL);
+               sd = vrf_socket(AF_INET6, SOCK_DGRAM, PF_UNSPEC, vrf->vrf_id,
+                               vrf->name);
        }
        if (sd == -1)
                log_fatal("udp6-shop: socket: %s", strerror(errno));
@@ -1133,12 +1136,13 @@ int bp_udp6_shop(vrf_id_t vrf_id)
        return sd;
 }
 
-int bp_udp6_mhop(vrf_id_t vrf_id)
+int bp_udp6_mhop(const struct vrf *vrf)
 {
        int sd;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               sd = vrf_socket(AF_INET6, SOCK_DGRAM, PF_UNSPEC, vrf_id, NULL);
+               sd = vrf_socket(AF_INET6, SOCK_DGRAM, PF_UNSPEC, vrf->vrf_id,
+                               vrf->name);
        }
        if (sd == -1)
                log_fatal("udp6-mhop: socket: %s", strerror(errno));
@@ -1149,12 +1153,12 @@ int bp_udp6_mhop(vrf_id_t vrf_id)
        return sd;
 }
 
-int bp_echo_socket(vrf_id_t vrf_id)
+int bp_echo_socket(const struct vrf *vrf)
 {
        int s;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               s = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf_id, NULL);
+               s = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf->vrf_id, vrf->name);
        }
        if (s == -1)
                log_fatal("echo-socket: socket: %s", strerror(errno));
@@ -1165,12 +1169,12 @@ int bp_echo_socket(vrf_id_t vrf_id)
        return s;
 }
 
-int bp_echov6_socket(vrf_id_t vrf_id)
+int bp_echov6_socket(const struct vrf *vrf)
 {
        int s;
 
        frr_with_privs(&bglobal.bfdd_privs) {
-               s = vrf_socket(AF_INET6, SOCK_DGRAM, 0, vrf_id, NULL);
+               s = vrf_socket(AF_INET6, SOCK_DGRAM, 0, vrf->vrf_id, vrf->name);
        }
        if (s == -1)
                log_fatal("echov6-socket: socket: %s", strerror(errno));