bgpd: refine the setting up of GTSM

* bgpd.h: Add error code for setting GTSM on iBGP
* bgpd.c: (peer_ttl_security_hops_set) use previous error code and signal
  incompatibility of GTSM+iBGP to vty.
  Consider the session state when setting GTSM, and reset Open/Active peers
  to let them pick up new TTL from start.

diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index d93c5d361fafa0f9a549c53250d29144ef93dd45..e7e7dba103a51513fe3141a241e922e33eeb9b05 100644 (file)
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -216,6 +216,9 @@ bgp_vty_return (struct vty *vty, int ret)
     case BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK:
       str = "ebgp-multihop and ttl-security cannot be configured together";
       break;
+    case BGP_ERR_NO_IBGP_WITH_TTLHACK:
+      str = "ttl-security only allowed for EBGP peers";
+      break;
     }
   if (str)
     {
@@ -7643,10 +7646,16 @@ bgp_show_peer (struct vty *vty, struct peer *p)
                 p->host, VTY_NEWLINE);
     }
 
-  /* EBGP Multihop */
-  if (peer_sort (p) != BGP_PEER_IBGP && p->ttl > 1)
-    vty_out (vty, "  External BGP neighbor may be up to %d hops away.%s",
-            p->ttl, VTY_NEWLINE);
+  /* EBGP Multihop and GTSM */
+  if (peer_sort (p) != BGP_PEER_IBGP)
+    {
+      if (p->gtsm_hops > 0)
+       vty_out (vty, "  External BGP neighbor may be up to %d hops away.%s",
+                p->gtsm_hops, VTY_NEWLINE);
+      else if (p->ttl > 1)
+       vty_out (vty, "  External BGP neighbor may be up to %d hops away.%s",
+                p->ttl, VTY_NEWLINE);
+    }
 
   /* Local address. */
   if (p->su_local)

diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 5a412f235538d7a7ec09ed7f255d244a697c7a4a..ee0cc5da65ecb91b057a4d9f5a93d15c45688f6e 100644 (file)
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -4376,7 +4376,7 @@ peer_ttl_security_hops_set (struct peer *peer, int gtsm_hops)
   zlog_debug ("peer_ttl_security_hops_set: set gtsm_hops to %d for %s", gtsm_hops, peer->host);
 
   if (peer_sort (peer) == BGP_PEER_IBGP)
-    return 0;
+    return BGP_ERR_NO_IBGP_WITH_TTLHACK;
 
   /* We cannot configure ttl-security hops when ebgp-multihop is already
      set.  For non peer-groups, the check is simple.  For peer-groups, it's
@@ -4430,8 +4430,23 @@ peer_ttl_security_hops_set (struct peer *peer, int gtsm_hops)
 
          peer->gtsm_hops = group->conf->gtsm_hops;
 
-         if (peer->fd >= 0 && peer->gtsm_hops != 0)
-            sockopt_minttl (peer->su.sa.sa_family, peer->fd, MAXTTL + 1 - peer->gtsm_hops);
+         /* Change setting of existing peer
+          *   established then change value (may break connectivity)
+          *   not established yet (teardown session and restart)
+          *   no session then do nothing (will get handled by next connection)
+          */
+         if (peer->status == Established)
+           {
+             if (peer->fd >= 0 && peer->gtsm_hops != 0)
+               sockopt_minttl (peer->su.sa.sa_family, peer->fd,
+                               MAXTTL + 1 - peer->gtsm_hops);
+           }
+         else if (peer->status < Established)
+           {
+             if (BGP_DEBUG (events, EVENTS))
+               zlog_debug ("%s Min-ttl changed", peer->host);
+             BGP_EVENT_ADD (peer, BGP_Stop);
+           }
        }
     }
 

diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
index 39cdf8ebaebc9b3e4bde4b29689ae80e44de40a6..4da19e71451943875b661b109669838bde09e24d 100644 (file)
--- a/bgpd/bgpd.h
+++ b/bgpd/bgpd.h
@@ -802,7 +802,8 @@ enum bgp_clear_type
 #define BGP_ERR_CANNOT_HAVE_LOCAL_AS_SAME_AS    -28
 #define BGP_ERR_TCPSIG_FAILED                  -29
 #define BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK  -30
-#define BGP_ERR_MAX                            -31
+#define BGP_ERR_NO_IBGP_WITH_TTLHACK           -31
+#define BGP_ERR_MAX                            -32
 
 extern struct bgp_master *bm;