Martin Winter [Tue, 8 Jan 2019 08:29:22 +0000 (00:29 -0800)]
FRRouting Release 6.0.2
This is a maintenance release for a security (Denial of Service) issue
found with the experimental BGP VNC Attribute (255).
Other experiments using the same attribute may bring down BGP peers
if they are malformed for the VNC parsing. (As required by RFC).
The update disables the parsing of the VNC attribute by default
to avoid this.
Besides this change, this release is similar to 6.0.1.
Major Changes since 6.0 (already in 6.0.1)
- New Debian Package structure without backports
- Fix Memory Leak on FreeBSD
- Fix BGP unnumbered peer setup
- Various fixes for label manager
- Various other fixes
Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
Martin Winter [Sat, 29 Dec 2018 12:27:16 +0000 (04:27 -0800)]
FRRouting Release 6.0.1
This is a maintenance release. Main change is the Debian Package format
which is cleaned up as part of getting into the official Debian Packages
Major Changes since 6.0:
- New Debian Package structure without backports
- Fix Memory Leak on FreeBSD
- Fix BGP unnumbered peer setup
- Various fixes for label manager
- Various other fixes
Signed-off-by: Martin Winter <mwinter@opensourcerouting.org>
David Lamparter [Fri, 21 Dec 2018 16:00:42 +0000 (17:00 +0100)]
tools: don't watch nonexistent daemons
If we try to monitor a nonexisting daemon in watchfrr, it will
(currently) forever wait at startup since the vty connection will never
come up. Just drop the daemon from the daemon list in such a case.
Signed-off-by: David Lamparter <equinox@diac24.net>
Depending on tool versions used, "autoreconf -i" may not update all
Autoconf-generated files, which in turn may result in build errors.
Make autogen.sh call autoreconf with the "-f" command line argument to
ensure all Autoconf-generated files are updated when autogen.sh is run.
Signed-off-by: Emanuele Di Pascale <emanuele@voltanet.io>
David Lamparter [Mon, 17 Dec 2018 17:55:31 +0000 (18:55 +0100)]
debian: rework autopkgtests
Ditch the old non-working one and add 3 new ones to check:
- that zebra can talk to the kernel at least somewhat
- that SNMP and RPKI modules can be loaded
- that frr-reload.py works
This should catch most build environment SNAFUs.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Fri, 14 Dec 2018 15:08:25 +0000 (16:08 +0100)]
debian: cleanly split off from dist tarball
The debian/ directory is distributed separately for tarballs in 3.0
(quilt) format. Including it in the dist tarball causes problems with
automake when the separately distributed debian directory is unpacked on
top of the dist tarball; the clean and correct thing to do here is to
not include the debian/ directory in dist tarballs.
Users have two choices for building FRR Debian packages:
- build straight off git
- build from a "frr.tar" + "frr-debian.tar"
The tarsource.sh tool does the right thing when invoked with the -D
("Debian") option.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Mon, 10 Dec 2018 21:46:55 +0000 (22:46 +0100)]
debian: clean up debian/ directory for git build
Running `dpkg-buildpackage` with source-format "git" complains about
newly created files under debian/. Remove the build-created frr.init &
frr.service to avoid the build erroring out due to this.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Sun, 28 Oct 2018 17:54:14 +0000 (18:54 +0100)]
debianpkg: install libraries to /usr/lib64/frr
This makes them "private libraries" (which they are, since we don't
maintain a proper versioned ABI on libfrr.) This also properly fixes
another few lintian warnings.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Tue, 23 Oct 2018 11:55:36 +0000 (13:55 +0200)]
debianpkg: add -0 to version
We need a -something suffix since otherwise part of our version number
(e.g. -dev or -DATE) will get taken as Debian sub-version. (Everything
after the last -)
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Thu, 25 Oct 2018 13:37:28 +0000 (15:37 +0200)]
debianpkg: always install /etc/init.d/frr
There is no point in making this conditional, systemd correctly prefers
the service file over the init script when it is present. Also, people
can install an init system that doesn't match their distribution and
even change init systems on an installation.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Thu, 25 Oct 2018 13:00:55 +0000 (15:00 +0200)]
debianpkg: ditch development-only files
It is currently impossible to build external stuff that links against
installed FRR headers or libraries. Such projects need to directly
reference an FRR source tree until we revamp the library installation
semantics.
In any case these files would then be in a frr-dev Debian package.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Wed, 24 Oct 2018 18:57:32 +0000 (20:57 +0200)]
debianpkg: raise debhelper compat level to 9
Compat level 7 has long been deprecated. 9 works fine for us, though it
does change the library installation directories to multi-arch. (Which
is not a problem.)
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Wed, 24 Oct 2018 15:20:29 +0000 (17:20 +0200)]
debianpkg: make frr-pythontools a "Recommends:"
From the Debian policy:
Recommends:
This declares a strong, but not absolute, dependency.
The Recommends field should list packages that would be found
together with this one in all but unusual installations.
I'd say, yes, we do want the python-based reload functionality in all
but unusual installations.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Wed, 3 Oct 2018 17:14:27 +0000 (19:14 +0200)]
debianpkg: create frr-snmp and frr-rpki-rtrlib
This splits off SNMP and RPKI support so that users can install these
packages (with the appropriate dependencies) independently of main FRR.
It also obsoletes out the weird multi-variant package distribution we've
been doing for RPKI support.
The snmpd dependency is also changed to Recommends: on frr-snmp since
the frr-snmp package is essentially useless without snmpd.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Tue, 23 Oct 2018 11:54:07 +0000 (13:54 +0200)]
debianpkg: use better dependency for pythontools
As described in https://wiki.debian.org/binNMU, arch-indep packages
should have an "almost identical" dependency so "+..." changes can be
made to arch-dep packages without breaking the arch-indep pkgs.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Wed, 24 Oct 2018 15:01:11 +0000 (17:01 +0200)]
tools: add new tarsource.sh helper
It cleans your house and cooks dinner. Or maybe it creates a clean dist
tarball for you, plus a Debian .dsc if you have dpkg installed - and
GPG-signs the result appropriately if requested.
In any case the resulting tarball should be distributed for our
releases.
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter [Mon, 22 Oct 2018 11:37:53 +0000 (13:37 +0200)]
debianpkg: kill backports
The debianpkg/backports system is rather complicated and actually slows
down Debian package building quite a lot since the backports/rules file
is evaluated a zillion times during a normal build.
This just folds up everything into a single Debian package build that
works on all OSes. The only real difference that the backports stuff
was used for is switching between systemd and init.d, the latter for
Ubuntu 12.04 and 14.04.
With this, that switch is controlled by the pkg.frr.nosystemd
Build-Profile instead. Package builds for Ubuntu 14.04 need to supply
the -Ppkg.frr.nosystemd option to dpkg-buildpackage. (12.04 isn't
supported anymore anyway.)
Note that the update-rc.d step that was previously coded into
postinst/postrm is now handled by the dh_installinit magic.
Other than this, there were some minor build dependency differences, all
of which are now just handled as | in the central deps.
Signed-off-by: David Lamparter <equinox@diac24.net>
Renato Westphal [Fri, 19 Oct 2018 18:55:47 +0000 (15:55 -0300)]
ospfd: fix issue with the "no segment-routing prefix A.B.C.D/M" command
Add a missing check to bail out earlier when SR is not configured. The
same command without the "no" prefix has the same check as it prevents
unexpected things (i.e. crashes) from happening.
Fixes the following segfaults:
ospfd aborted: vtysh -c "configure terminal" -c "router ospf" -c "no segment-routing prefix 1.1.1.1/32"
ospfd aborted: vtysh -c "configure terminal" -c "router ospf" -c "no segment-routing prefix 1.1.1.1/32 index 65535 no-php-flag"
Renato Westphal [Fri, 19 Oct 2018 18:55:22 +0000 (15:55 -0300)]
bgpd: use the vrf_bitmap_*() helper functions when necessary
zclient->redist[afi][type] is a hash table and not an integer since a
while ago when VRF support was introduced. As such, zclient->redist[][]
should never be manipulated directly, the vrf_bitmap_*() helper functions
should be used instead. This fixes a few crashes found by the CLI fuzzer.
Renato Westphal [Fri, 19 Oct 2018 18:55:12 +0000 (15:55 -0300)]
bgpd: fix bug while iterating over VPN table
The routing table data structure can create intermediate route nodes
during its normal operation, so we always need to check if the 'info'
pointer of a route node is NULL or not before dereferencing it.
Renato Westphal [Fri, 19 Oct 2018 18:55:08 +0000 (15:55 -0300)]
bgpd: remove wrong assert
The vnc_direct_del_rn_group_rd() function can be called with the 'afi'
parameter set to AFI_L2VPN in some specific cases. Remove the assert to
fix the crash.
Renato Westphal [Fri, 19 Oct 2018 18:55:03 +0000 (15:55 -0300)]
bgpd: fix NULL pointer dereference bug
Other parts of the rfapi code check if the 'rfg->rfapi_import_table'
pointer is NULL or not before using it. Do the same here to fix a crash
detected by the CLI fuzzer.
Renato Westphal [Fri, 19 Oct 2018 18:54:57 +0000 (15:54 -0300)]
bgpd: add a NULL check to prevent a crash in the rfapi code
The rfapiDeleteRemotePrefixesIt() function checks in several places if
'p' is NULL or not. Introduce an additional NULL check to prevent a
crash from happening.
Renato Westphal [Fri, 19 Oct 2018 18:54:47 +0000 (15:54 -0300)]
bgpd: fix crashes caused by missing input validation
The rfapi code wasn't checking if strtoul() succeeded or not when parsing
the list of labels. Fix the affected commands by not allowing the user
to enter a non-numeric input.
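Added example, not FRR's rfapi code: a strict strtoul() wrapper of the kind the commit message above calls for, rejecting non-numeric, signed, trailing-garbage and out-of-range tokens instead of letting them become 0 or wrap. The comma-separated list format, the function names and the 20-bit label bound are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX 0xFFFFFul /* assumed bound: MPLS labels are 20 bits wide */

/* Parse one unsigned decimal label. Returns 0 on success, -1 on any
 * input that strtoul() would silently accept or turn into 0. */
static int parse_label(const char *s, uint32_t *out)
{
	char *end;
	unsigned long v;

	/* strtoul() skips leading whitespace and accepts '+'/'-', so
	 * insist that the token starts with a digit. */
	if (s == NULL || !isdigit((unsigned char)*s))
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno == ERANGE || end == s || *end != '\0' || v > LABEL_MAX)
		return -1;
	*out = (uint32_t)v;
	return 0;
}

/* Parse a comma-separated list (assumed format) into labels[].
 * Returns the number of labels, or -1 if any token is invalid,
 * empty, or the list does not fit in max entries. */
int parse_label_list(const char *text, uint32_t *labels, size_t max)
{
	char buf[128], *tok, *comma;
	size_t n = 0;

	if (text == NULL || strlen(text) >= sizeof(buf))
		return -1;
	strcpy(buf, text);
	for (tok = buf; tok != NULL; tok = comma ? comma + 1 : NULL) {
		comma = strchr(tok, ',');
		if (comma)
			*comma = '\0';
		if (n == max || parse_label(tok, &labels[n]) != 0)
			return -1;
		n++;
	}
	return (int)n;
}
```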
Renato Westphal [Fri, 19 Oct 2018 18:53:55 +0000 (15:53 -0300)]
bgpd: handle NULL pointers in lcommunity_cmp()
Like community_cmp() and ecommunity_cmp(), the lcommunity_cmp() function
also needs to handle NULL pointers for correct operation.
Without this fix, bgpd can crash when entering the following commands:
vtysh -c "configure terminal" -c "ip large-community-list standard WORD deny"
vtysh -c "configure terminal" -c "no ip large-community-list expanded WORD"
Renato Westphal [Fri, 19 Oct 2018 18:53:46 +0000 (15:53 -0300)]
bgpd: fix cleanup of dampening configuration
The bgp_damp_config_clean() function was deallocating some arrays without
resetting the variables that represent their sizes. This was leading to
some crashes because other parts of the code iterate over these arrays
by looking at their corresponding sizes, which could be invalid.
Fixes the following segfaults (which only happen under certain
circumstances):
vtysh -c "configure terminal" -c "router bgp 1" -c "bgp dampening"
vtysh -c "configure terminal" -c "router bgp 1" -c "no bgp dampening"
vtysh -c "configure terminal" -c "router bgp 1" -c "no bgp dampening 45"
vtysh -c "" -c "clear ip bgp dampening"
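Added example, not FRR's bgp_damp_config_clean(): the cleanup pattern the commit message above describes, with the stale-size variant beside the variant that resets pointer and size together. The struct, its field names and the functions are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-in for a dampening config: an array plus its length. */
struct damp_cfg {
	double *decay;
	size_t decay_size;
};

int damp_init(struct damp_cfg *c, size_t n)
{
	c->decay = calloc(n, sizeof(*c->decay));
	c->decay_size = c->decay ? n : 0;
	for (size_t i = 0; i < c->decay_size; i++)
		c->decay[i] = 1.0;
	return c->decay ? 0 : -1;
}

/* "Before" pattern: the array is freed but decay_size still claims n entries. */
void damp_clean_stale(struct damp_cfg *c)
{
	free(c->decay);
}

/* "After" pattern: pointer and size are reset together, so cleanup is idempotent. */
void damp_clean(struct damp_cfg *c)
{
	free(c->decay);
	c->decay = NULL;
	c->decay_size = 0;
}

/* Consumer that trusts decay_size as its loop bound. */
size_t damp_count(const struct damp_cfg *c)
{
	size_t hits = 0;
	for (size_t i = 0; i < c->decay_size; i++)
		hits += c->decay[i] != 0.0;
	return hits;
}

int main(void)
{
	struct damp_cfg c;
	if (damp_init(&c, 8) != 0)
		return 1;
	damp_clean(&c);
	printf("entries after clean: %zu\n", damp_count(&c));
	return 0;
}
```

After damp_clean_stale() the size field still reads 8, so calling damp_count() would walk freed memory; after damp_clean() the loop body never runs.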
Renato Westphal [Fri, 19 Oct 2018 18:53:33 +0000 (15:53 -0300)]
bfdd: do not allow multihop peers without a local-address
The BFD code assumes that multihop peers have a local address
configured. When that doesn't happen, the BFD client daemons fail to
decode some BFD ZAPI messages and abort. To fix this, do not accept the
configuration of multihop peers unless a local-address is configured.