Pascal Mathis [Thu, 14 Jun 2018 17:40:36 +0000 (19:40 +0200)]
bgpd: Fix crash when showing filtered routes
This commit fixes the issue mentioned in #2419, which is caused by a
double-free. The problem of the current implementation is that
*bgp_input_modifier* already frees the passed attributes under specific
circumstances, which can then lead to a double-free as *bgp_attr_undup*
does not check if the attributes are set to NULL.
As it is not transparent to the function caller if the attributes get
freed or not and the similar function *bgp_output_modifier* also does
not flush the passed attributes, the line has been removed altogether.
All callers of *bgp_input_modifier* already deal by themself with
freeing/flushing/unduping BGP attributes, so it is safe to remove.
Pascal Mathis [Thu, 14 Jun 2018 16:03:33 +0000 (18:03 +0200)]
bgpd: Finalize group-overrides for peer/AF attrs
This commit finalizes the previous commits which introduced a generic
approach for making all BGP peer and address-family attributes
overrideable by keeping track of the configuration origin in separate
internal structures.
First of all, the test suite was greatly extended to also check the
internal data structures of peer/AF attributes, so that inheritance for
internal values like 'peer->weight' is also being checked in all cases.
This revealed some smaller issues in the implementation, which were also
fixed in this commit. The test suite now fully passes and covers all the
usual situations that should normally occur.
Pascal Mathis [Wed, 13 Jun 2018 17:34:17 +0000 (19:34 +0200)]
bgpd: Implement group-overrides for peer attrs
This commit introduces BGP peer-group overrides for the last set of
peer-level attrs which did not offer that feature yet. The following
attributes have been implemented: description, local-as, password and
update-source.
Each attribute, with the exception of description because it does not
offer any inheritance between peer-groups and peers, is now also setting
a peer-flag instead of just modifying the internal data structures. This
made it possible to also re-use the same implementation for attribute
overrides as already done for peer flags, AF flags and AF attrs.
The `no neighbor <neigh> description` command has been slightly changed
to support negation for no parameters, one parameter or * parameters
(LINE...). This was needed for the test suite to pass and is a small
change without any bigger impact on the CLI.
Pascal Mathis [Wed, 13 Jun 2018 00:34:43 +0000 (02:34 +0200)]
bgpd: Implement group-overrides for peer timers
This commit implements BGP peer-group overrides for the timer flags,
which control the value of the hold, keepalive, advertisement-interval
and connect connect timers. It was kept separated on purpose as the
whole timer implementation is quite complex and merging this commit
together with with the other flag implementations did not seem right.
Basically three new peer flags were introduced, namely
*PEER_FLAG_ROUTEADV*, *PEER_FLAG_TIMER* and *PEER_FLAG_TIMER_CONNECT*.
The overrides work exactly the same way as they did before, but
introducing these flags made a few conditionals simpler as they no
longer had to compare internal data structures against eachother.
Last but not least, the test suite has been adjusted accordingly to test
the newly implemented flag overrides.
Pascal Mathis [Tue, 12 Jun 2018 22:39:19 +0000 (00:39 +0200)]
bgpd: Improve test suite for peer-group overrides
This commit introduces the current test suite for BGP peer-group
overrides by adding support for custom check handlers (which can check
internal data structures more thoroughly) and by fixing several small
mistakes and issues that slipped through. Also some parts of the code
have been cleaned up to avoid duplicate and/or hard-to-read code.
Additionally a first experimental check for a BGP peer attribute with
values (advertisement-interval <value>) has been added to the test
suite. As this test suite is currently not passing, it has not been
added to the python test caller.
This commit cleans up some ugly leftovers from previous flag-override
implementation and refactors the AF-flag override implementation to
match the same behavior the newly added peer-flag override
implementation has.
Pascal Mathis [Tue, 12 Jun 2018 15:09:49 +0000 (17:09 +0200)]
bgpd: Fix AF-attribute overrides when binding peer
The current implementation of the overrides for peer address-family
attributes suffered a bug, which caused all peer-specific attributes to
be lost when the peer was added to a peer-group which already had that
specific address-family active.
This commit extends the *peer_group2peer_config_copy_af* function to
respect overridden flags properly. Additionally, the arguments of the
macros *PEER_ATTR_INHERIT* and *PEER_STR_ATTR_INHERIT* have been
reordered to be more consistent and easy to read.
This commit also adds further test cases to the BGP peer attributes test
suite, so that this kind of error is being caught in future commits. The
missing AF-attribute *distribute-list* has also been added to the test
suite.
Pascal Mathis [Mon, 11 Jun 2018 17:49:20 +0000 (19:49 +0200)]
bgpd: Implement group-overrides for peer flags
The current implementation of peer flags (e.g. shutdown, passive, ...)
only has partial support for overriding flags of a peer-group when the
peer is a member. Often settings might get lost if the user toys around
with the peer-group configuration, which can lead to disaster.
This commit introduces the same override implementation which was
previously integrated to support proper peer flag/attribute override on
the address-family level. The code is very similar and the global
attributes now use their separate state-arrays *flags_invert* and
*flags_override*.
The test suite for BGP peer attributes was extended to also check peer
global attributes, so that the newly introduced changes are covered. An
additional feature was added which allows to test an attribute with an
*interface-peer*, which can be configured by running `neighbor IF-TEST
interface`. This was introduced so that the dynamic runtime inversion of
the `extended-nexthop` flag, which is only enabled by default for
interface peers, can also be tested.
Last but not least, two small changes have been made to the current bgpd
implementation:
- The command `strict-capability-match` can now also be set on a
peer-group, it seems like this command slipped through while
implementing peer-groups in the very past.
- The macro `COND_FLAG` was introduced inside lib/zebra.h, which now
allows to either set or unset a flag based on a condition. The syntax
for using this macro is: `COND_FLAG(flag_variable, flag, condition)`
Pascal Mathis [Mon, 28 May 2018 16:50:52 +0000 (18:50 +0200)]
tests: Improve test suite for peer attributes
This commit improves the previous implementation of the peer attribute
test suite by getting rid of some really ugly macros and replacing them
with sane functions.
Additionally, the macro TEST_ASSERT was changed to TEST_ASSERT_EQ (==
comparison) which now also prints the line where the assertion has been
infringend. This should make it way more clear where a specific issue
has been spotted.
Last but not least, the multicast families for both IPv4 and IPv6 had
been added as they are working without any further changes or special
cases for all currently existing peer attributes. Other AFI/SAFI
references have been removed to keep the code clean.
Pascal Mathis [Sun, 27 May 2018 17:36:48 +0000 (19:36 +0200)]
bgpd: Fix style issues for peer-group overrides
This commit fixes all outstanding style/formatting issues as detected by
'git clang-format' or 'checkpath' for the new peer-group override
implementation, which spanned across several commits.
Pascal Mathis [Sun, 27 May 2018 17:23:57 +0000 (19:23 +0200)]
bgpd: Fix group overrides for AF flags/filters
The previous commit introduced very strict unit tests which check all
three involved components (config input, config output, internal data
structures) which revealed two more bugs in the peer-group override
implementation.
This commit fixes overrides for 'allowas-in <number>' and
'unsuppress-map', which both had a small mistake/typo causing those
issues.
Pascal Mathis [Sun, 27 May 2018 15:52:19 +0000 (17:52 +0200)]
tests: Add tests for overriding BGP peer attrs
This commit introduces unit tests for BGP peer attributes and checks all
three involved components, which are:
- CLI Configuration Input: The appropriate commands to configure the
attribute on either a peer or peer-group are being executed the same way
an end user would do it.
- CLI Configuration Output: The output of 'show running-config' is being
checked for presence/absence of expected configuration strings.
- Internal Data Structures: The internal data structures for maintaining
flag/filter states (value + override + invert) are being checked after
each operation to ensure the override has been implemented properly.
All attributes to be tested must be defined within the 'peer_attrs'
structure, which contains all peer attributes as of today and checks
them with both IPv4 Unicast and IPv6 Unicast. More address families are
supposed to be introduced at a later point in time.
Each attribute is being checked in its own 'clean' BGP environment, so
everything gets reset after each attribute to avoid any weird edge
cases. The 'correct' BGP startup and shutdown routine was taken from
'bgp_main.c' to ensure that we are not leaking any memory or acting
different than the real 'bgpd' would do.
Pascal Mathis [Sun, 27 May 2018 15:39:45 +0000 (17:39 +0200)]
bgpd: Fix group overrides for inverted AF flags
This commit fixes peer-group overrides for inverted AF flags. This
implementation is currently only being used by the three 'send-community'
flags. Commit 70ee29b4d introduced generic support for overriding AF
flags, but did not support inverted flags.
By introducing an additional array on the BGP peer structure called
'af_flags_invert' all current and future flags which should work in an
inverted way can now also be properly overridden.
The CLI commands will work exactly the same way as before, just that 'no
<command>' now sets the flag and override whereas '<command>' will unset
the flag and remove the override.
Pascal Mathis [Mon, 21 May 2018 10:09:25 +0000 (12:09 +0200)]
bgpd: Improve group overrides for AF filters
This commit adds the same peer-group override capabilites as d122d7cf7
for all filter/map options that can be enabled/disabled on each
address-family of a BGP peer.
All currently existing filter/map options are being supported:
filter-list, distribute-list, prefix-list, route-map and unsuppress-map
To implement this behavior, a new peer attribute 'filter_override' has
been added together with various PEER_FT_ (filter type) constants for
tracking the state of each filter in the same way as it is being done
with 'af_flags_override'.
Pascal Mathis [Sat, 19 May 2018 20:10:48 +0000 (22:10 +0200)]
bgpd: Improve group overrides for AF flags
The current implementation for overriding peer-group configuration on a
peer member consists of several bandaids, which introduce more issues
than they fix. A generic approach for implementing peer-group overrides
for address-family flags is clearly missing.
This commit implements a generic and sane approach to overriding
peer-group configuration on a peer-member. A separate peer attribute
called 'af_flags_override' which was introduced in 04e1c5b is being used
to keep track of all address-family flags, storing whether the
configuration is being inherited from the parent-group or overridden.
All address-family flags are being supported by this implementation
(note: flags, not filters/maps) except 'send-community', which currently
breaks due to having the three flags enabled by default, which is not
being properly handled within this commit; all flags are supposed to
have an 'off'/'false' state by default.
In the interest of readability and comprehensibility, the flag
'send-community' is being fixed in a separate commit.
The following rules apply when looking at the new peer-group override
implementation this commit provides:
- Each peer-group can enable every flag (except the limitations noted
above), which gets automatically inherited to all members.
- Each peer can enable each flag independently and/or modify their
value, if available. (e.g.: weight <value>)
- Each command executed on a neighbor/peer gets explicitely set as an
override, so even when the peer-group has the same kind of
configuration, both will show up in 'show running-configuration'.
- Executing 'no <command>' on a peer will remove the peer-specific
configuration and make the peer inherit the configuration from the
peer-group again.
- Executing 'no <command>' on a peer-group will only remove the flag
from the peer-group, however not from peers explicitely setting that
flag.
This guarantees a clean implementation which does not break, even when
constantly messing with the flags of a peer-group. The same behavior is
present in Cisco devices, so people familiar with those should feel safe
when dealing with FRRs peer-groups.
The only restriction that now applies is that single peer cannot
disable a flag which was set by a peer-group, because 'no <command>' is
already being used for disabling a peer-specific override. This is not
supported by any known vendor though, would require many specific
edge-cases and magic comparisons and will most likely only end up
confusing the user. Additionally, peer-groups should only contain flags
which are being used by all peer members.
Quentin Young [Mon, 7 May 2018 17:25:10 +0000 (13:25 -0400)]
bgpd: fix maximum-prefix + peer-group
Attribute set on peer was being overridden when set on the peer-group.
This commit also adds a parallel flags array that indicates whether a
particular flag is sourced from the peer-group or is peer-specific. It
assumes the default state of all flags is unset. This looks to be true
except in the case of PEER_FLAG_SEND_COMMUNITY,
PEER_FLAG_SEND_EXT_COMMUNITY, and PEER_FLAG_SEND_LARGE_COMMUNITY; these
flags are set by default except when the user specifies to use
config-type = cisco. However the flag field can merely be flipped to
mean the negation of those options in a future commit.
Pascal Mathis [Thu, 17 May 2018 20:51:35 +0000 (22:51 +0200)]
bgpd: Move 'enforce-first-as' from global to peer
This commit moves the command 'bgp enforce-first-as' from global BGP
instance configuration to peer/neighbor configuration, which can now be
changed by executing '[no] neighbor <neighbor> enforce-first-as'.
End users can now enforce sane first-AS checking on regular sessions
while e.g. disabling the checks on routeserver sessions, which usually
strip away their own AS number from the path.
To ensure backwards-compatibility, a migration routine was added which
automatically sets the 'enforce-first-as' flag on all configured
neighbors if the old global setting was activated. The old global
command immediately disappears after running the migration routine once.
Donald Sharp [Thu, 7 Jun 2018 21:10:38 +0000 (17:10 -0400)]
bgpd: Actually display labeled unicast routes received
The labeled unicast and unicast tables have been combined
into the unicast table. Additionally we have a restriction
where if you configure labeled unicast you cannot configure
unicast. This created a bug with 'show bgp ipv4 labeled-unicast summ'
command where we were displaying NoNeg, because v4 has been intentionally
turned off.
Modify the code so that when we are looking up if we have negotiated
a capapbility we use the correct one, while still using the appropriate
table for prefix count.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
MasterofJOKers [Thu, 14 Jun 2018 07:09:11 +0000 (09:09 +0200)]
debianpkg: Add install-info as Build-Depends
When building the package in a clean and minimal chroot, the
"install-info" package is not available by default and not installed by
the defined build-dependencies. This commit adds "install-info" to the
Build-Depends of all control files.
Donald Sharp [Wed, 13 Jun 2018 11:47:24 +0000 (07:47 -0400)]
bgpd: Fix possible use while uninited
Certain compilers are saying that it is possible
to use some json variables before they are initialized,
which could result in using weird data. Fix to make
compiler happy even if this is never possible.
Fixes: #2423 Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
paco [Thu, 7 Jun 2018 13:28:12 +0000 (15:28 +0200)]
bgpd, doc, ldpd, lib, tests, zebra: LM fixes
Corrections so that the BGP daemon can work with the label manager properly
through a label-manager proxy. Details:
- Correction so the BGP daemon behind a proxy label manager gets the range
correctly (-I added to the BGP daemon, to set the daemon instance id)
- For the BGP case, added an asynchronous label manager connect command so
the labels get recycled in case of a BGP daemon reconnection. With this,
BGPd and LDPd would behave similarly.
Donald Sharp [Thu, 3 May 2018 00:12:31 +0000 (20:12 -0400)]
pbrd: Fix nearly impossible truncation
Since we are writing into the name field which is PBR_MAP_NAMELEN
size, we are expecting this to field to be at max 100 bytes.
Newer compilers understand that the %s portion may be up to
100 bytes( because of the size of the string. The %u portion
is expected to be 10 bytes. So in `theory` there are situations
where we might truncate. The reality this is never going to
happen( who is going to create a nexthop group name that is
over say 30 characters? ). As such we are expecting the
calling function to subtract 10 from the size_t l before
we pass it in to get around this new gcc fun.
Fixes: #2163 Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Donald Sharp [Thu, 17 May 2018 11:58:02 +0000 (07:58 -0400)]
redhat: Make watchfrr the default
With systemd being the default on more systems now, lets
configure watchfrr to start else systemd systems on
redhat will not stay up for more than 1 minute.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Philippe Guibert [Wed, 23 May 2018 12:14:53 +0000 (14:14 +0200)]
bgpd: do not install BGP FS entries, while table range not obtained
Sometimes at startup, BGP Flowspec may be allocated a routing table
identifier not in the range of the predefined table range.
This issue is due to the fact that BGP peering goes up, while the BGP
did not yet retrieve the Table Range allocator.
The fix is done so that BGP PBR entries are not installed while
routing table identifier range is not obtained. Once the routing table
identifier is obtained, parse the FS entries and check that all selected
entries are installed, and if not, install it.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Wed, 23 May 2018 10:10:00 +0000 (12:10 +0200)]
bgpd: increase buffer size to store ecomunity as a string
On the case where an ecom from FS redirect is received, the ecom may be
with the format A.B.C.D:E. On this case, the printable format of the
Flowspec redirect VRF ecom value may use more bytes in the buffer
dedicated for that. The buffer that stores the ecommunity is increased.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Fri, 18 May 2018 15:11:50 +0000 (17:11 +0200)]
pbrd: add ZAPI_RULE_FAIL_REMOVE flag in switch
The notification handler consecutive to an add/remove of a rule in zebra
is being added the FAIL_REMOVE flag. It is mapped on REMOVE flag
behaviour for now.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Mon, 21 May 2018 14:40:31 +0000 (16:40 +0200)]
bgpd: upon uninstalling pbr rule, update local structure
Currently, uninstall pbr rule is not handled by BGP notification
handler. So the uninstall update of the structure is done, immediately
after sending the request of uninstall to zebra.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Fri, 18 May 2018 14:22:23 +0000 (16:22 +0200)]
zebra: add pbr objects fail_remove value into notification
After PBR or BGP sends back a request for sending a rule/ipset/ipset
entry/iptable delete, there may be issue in deleting it. A notification
is sent back with a new value indicating that the removal failed.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
zebra: PBR config and monitor IPSET/IPTABLE hooks declared
The following PBR handlers: ipset, and iptables will prioritary
call the hook from a possible plugin.
If a plugin is attached, then it will return a positive value.
That is why the return status is tested against 0 value, since that
means that there are no plugin module plugged
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bgpd: traffic rate value is ignored for searching bpa
There are cases where a redirect IP or redirect VRF stops the ecom
parsing, then ignores a subsequent rate value, letting passed value to
0. Consequently, a new table identifier may be elected, despite the
routing procedure is the same. This fix ignores the rate value in bpa
list.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Wed, 25 Apr 2018 16:29:35 +0000 (18:29 +0200)]
bgpd: add vty command to restrict FS policy routing to a defined interface
policy routing is configurable via address-family ipv4 flowspec
subfamily node. This is then possible to restrict flowspec operation
through the BGP instance, to a single or some interfaces, but not all.
Two commands available:
[no] local-install [IFNAME]
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Fri, 30 Mar 2018 11:01:39 +0000 (13:01 +0200)]
bgpd: add 3 fields to ipset_entry : src,dst port, and proto
Those 3 fields are read and written between zebra and bgpd.
This permits extending the ipset_entry structure.
Combinatories will be possible:
- filtering with one of the src/dst port.
- filtering with one of the range src/ range dst port
usage of src or dst is exclusive in a FS entry.
- filtering a port or a port range based on either src or dst port.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Fri, 18 May 2018 14:14:46 +0000 (16:14 +0200)]
bgpd: do not account twice references to rule context
When rule add transaction is sent from bgpd to zebra, the reference
context must not be incremented while the confirmation message of
install has not been sent back; unless if the transaction failed to be
sent.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Thu, 17 May 2018 07:30:28 +0000 (09:30 +0200)]
bgpd: add missing ecommunity flowspec to display
On some cases, the ecommunity flowspec for redirect vrf is not displayed
in all cases. On top of that, display the values if ecom can no be
decoded.
Also, sub_type and type are changed from int to u_int8_t, because the
values contains match the type and sub type of extended communities.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Wed, 25 Apr 2018 16:34:27 +0000 (18:34 +0200)]
zebra: handle iptable list of interfaces
Upon reception of an iptable_add or iptable_del, a list of interface
indexes may be passed in the zapi interface. The list is converted in
interface name so that it is ready to be passed to be programmed to the
underlying system.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Fri, 30 Mar 2018 11:01:39 +0000 (13:01 +0200)]
zebra: add 3 fields to ipset_entry : src,dst port, and proto
Those 3 fields are read and written between zebra and bgpd.
This permits extending the ipset_entry structure.
Combinatories will be possible:
- filtering with one of the src/dst port.
- filtering with one of the range src/ range dst port
usage of src or dst is exclusive in a FS entry.
- filtering a port or a port range based on either src or dst port.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Philippe Guibert [Mon, 23 Apr 2018 13:17:19 +0000 (15:17 +0200)]
zebra: pbr vty show command for ipset and iptables
Two new vty show functions available:
show pbr ipset <NAME>
show pbr iptables <NAME>
Those function dump the underlying "kernel" contexts. It relies on the
zebra pbr contexts. This helps then to know which zebra pbr
context has been configured since those contexts are mainly configured
by BGP Flowspec.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Donald Sharp [Fri, 25 May 2018 18:45:16 +0000 (14:45 -0400)]
zebra: Add a breadcrumb for when we ignore a route
When we receive a route that we think we own and we
are not in startup conditions, then add a small debug
to help debug the issue when this happens, instead
of silently just ignoring the route.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Donald Sharp [Fri, 25 May 2018 18:36:12 +0000 (14:36 -0400)]
tools, zebra: Use different protocol value for our statics
The re-use of RTPROT_STATIC has caused too many collisions
where other legitimate route sources are causing us to
believe we are the originator of the route. Modify
the code so that if another protocol inserts RTPROT_STATIC
we will assume it's a Kernel Route.
Fixes: #2293 Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Pascal Mathis [Wed, 16 May 2018 19:55:55 +0000 (21:55 +0200)]
bgpd: Fix memleak, adapt adv- to recv-routes code
This commit tries to adapt a similar codeflow within the `show bgp [afi]
[safi] neighbor <neighbor> advertised-routes` command compared to its
`received-routes` and `filtered-routes` opponents. Some branching code
has been restructured to achieve this.
Additionally, this commit fixes a memory leak within `received-routes`
(and `filtered-routes`, although the issue has been present before the
previous commit!) where the previous implementation forgot to
deduplicate the BGP attributes.
When a user called `<...> received-routes route-map <RM-TEST>` and that
routemap changed any AS path or community parameters, the duplicated
memory for these parameters was never freed. This has been fixed by
ensuring to call `bgp_attr_undup()` accordingly.
Pascal Mathis [Wed, 16 May 2018 17:17:42 +0000 (19:17 +0200)]
bgpd: Implement new adjacent route show commands
This commit changes the behavior of `show bgp [afi] [safi] neighbor
<neighbor> received-routes [json]` to return all received prefixes
instead of filtering rejected/denied prefixes.
Compared to Cisco and Juniper products, this is the usual way how this
command is supposed to work, as `show bgp [afi] [safi] neighbor
<neighbor> routes` will already return all accepted prefixes.
Additionally, the new command `show bgp [afi] [safi] neighbor <neighbor>
filtered-routes` has been added, which returns a list of all prefixes
that got filtered away, so it can be roughly described as a subset of
"received prefixes - accepted prefixes".
As the already available `filtered_count` variable inside
`show_adj_route` has not been used before, the last output line
summarizing the amount of prefixes found was extended to also mention
the amount of filtered prefixes if present.
Pascal Mathis [Tue, 15 May 2018 17:22:25 +0000 (19:22 +0200)]
bgpd: Improve route-map matching for INET(6) AF
While the current implementation does pay attention to the AF
(inet/inet6) when comparing the IPv4/v6 address against an address-list
/ prefix-list inside a route-map, the AF check is being done rather
late, which leads to CPU cycles being wasted due to unnecessary list
lookups / address matching.
This commit checks the address family of a prefix right inside the
`route_match_ip(v6)_` functions before looking up any address- and/or
prefix-list, which should improve performance.
Pascal Mathis [Mon, 14 May 2018 20:52:31 +0000 (22:52 +0200)]
bgpd: Respect AFI/SAFI when hard-clearing a peer
The current implementation does not respect the AFI+SAFI combination of
a peer when executing a non-soft (hard) clear. An example would be the
command `clear bgp ipv4 unicast *`, which will clear all BGP peers, even
those that do not have IPv4-Unicast activated.
This commit fixes that behavior by applying the same rules to both soft
and hard clear commands, so that peers without a matching AFI+SAFI
combination will be no longer modified.
Additionally, this commit adds warning messages to all `clear bgp
[<afi>] [<safi>] <target>` commands when no matching peers with the given
AFI+SAFI combination could be found.
Both existing and new warning messages have been extended to also
mention the AFI+SAFI combination that is missing, which is more helpful
to the user than a generic expression 'No peer configured'.
Pascal Mathis [Sun, 13 May 2018 00:29:40 +0000 (02:29 +0200)]
bgpd: Improve JSON support for large communities
The current implementation of building JSON output is greatly different
for large communities compared to standard communities. This is mainly
noticeable by the missing 'list' attribute, which usually offers an
array of all communities present on a BGP route.
This commit adds the missing functionality of properly returning a
'list' attribute in JSON output and also tries a similar approach like
the standard communities are using to implement this feature.
Additionally, the 'format' specifier has been completely removed from
large communities string/JSON rendering, as the official RFC8092 specifies that
there is only one canonical representation:
> The canonical representation of BGP Large Communities is three
> separate unsigned integers in decimal notation in the following
> order: Global Administrator, Local Data 1, Local Data 2. Numbers
> MUST NOT contain leading zeros; a zero value MUST be represented with
> a single zero. Each number is separated from the next by a single
> colon. For example: 64496:4294967295:2, 64496:0:0.
As the 'format' specifier has not been used/checked and only one
canonical representation exists per today, there was no reason to keep
the 'format' parameter in the function signature.
Last but not least, the struct attribute 'community_entry.config' is no
longer being used for large communities and instead 'lcommunity_str' is
being called to maintain a similar approach to standard communities.
As a side effect, this also fixed a memory leak inside 'community_entry_free'
which did not free the allocated memory for the 'config' attribute when
dealing with a large community.
Pascal Mathis [Sun, 13 May 2018 17:11:43 +0000 (19:11 +0200)]
lib: Moved no-password warnings into header file
The warning string which appears when the users executes 'no (enable)
password' was moved into command.h and declared as a constant named
'NO_PASSWD_CMD_WARNING'.
This avoids duplicate code and makes it easy to change the warning
message in all places at once.
Pascal Mathis [Sat, 12 May 2018 18:19:49 +0000 (20:19 +0200)]
lib: Improved warnings for 'no (enable) password'
When the user executes one of the commands 'no password' or 'no enable
password', a warning message gets shown to inform the user of the
security implications.
While the current implementation works, a warning message gets printed
once for each daemon, which can lead to seeing the same message many
times. This does not affect functionality, but looks like an error to
the user as it can be seen within issue #1432.
This commit only prints the warning message inside lib when vtysh
dispatch is not being used. Additionally, the warning message was copied
into the vtysh command handlers, so that they get printed exactly once.
Pascal Mathis [Fri, 11 May 2018 00:54:30 +0000 (02:54 +0200)]
lib: Ported 'no (enable) password' from stable/3.0
The pull request #1545 from @donaldsharp introduced the command 'no
password' to remove an existing terminal connection password.
Additionally, warnings have been added to both 'no password' and 'no
enable password' to make the user aware of any security implications.
It seems that this specific pull request was never merged against master
and got lost. This commit is a cherry-pick of d4961273cb with fixed
conflicts and updated documentation.
Thanks to @donaldsharp and @pogojotz for the original PR.
Pascal Mathis [Thu, 10 May 2018 22:03:23 +0000 (00:03 +0200)]
debianpkg: improve VTYSH_PAGER environment check
The current post-installation scripts for all Debian packages execute
grep 'VTYSH_PAGER=/bin/cat' to check if the VTYSH_PAGER variable is
present within /etc/environment.
While presence of that environment variable should be checked, the
current implementation does not handle this line being a comment (and
therefor not active) or the user picking a different VTYSH_PAGER than
/bin/cat.
This commit ensures that the environment variable can be freely changed
by the user, while still guaranteeing that it is present in the file
without being a comment.
Pascal Mathis [Thu, 10 May 2018 21:35:37 +0000 (23:35 +0200)]
bgpd: fix and improve snmp peer lookups
The previous implementation of bgp_peer_lookup_next did not consider the
internal ordering of peers when using peer groups, which led to all
standalone peers being skipped that had a lower IP address than the
highest IP address of a peer belonging to a group.
As the ordering of peers can not be arbitrary due to SNMP requiring
increasing OIDs when walking an OID tree, this commit fixes the bug by
properly looping through all peers and detecting the next highest IP
address.
Additionally, this commit improved both bgp_peer_lookup_next and
peer_lookup_addr_ipv4 by using the socketunion stored within the peer
struct (peer->su) instead of calling inet_pton for each peer during
comparison.
Fredi Raspall [Wed, 2 May 2018 14:30:26 +0000 (16:30 +0200)]
bgpd/bgp_zebra.c: Fix process of label-chunk msg
All messages to/from the label manager include two additional
fields: protocol and instance. This patch fixes the parsing
of label chunks response used by BGPd, which did not consider
the two fields.
The current implementation did not consider multiple clients to
a label-manager acting as proxy, i.e. relaying messages to another
label manager. Specifically, upon a client's request, it checked
the socket & buffer from the actual label manager for pending
responses and directly copìed them to the client --currently--
being served. As a result, if two clients (e.g. ldpd and bgpd)
sent requests, it could happen that responses being 'on the wire'
from the real label manager towards the proxy, where relayed to
the wrong client. This patch, which requires all msgs to include
a a proto & instance pair, lookups up the zserv client that a
message (response) is to be relayed to.
Add client proto and instance number in all msg (request and
responses) to/form a label manager. This is required for a
label manager acting as 'proxy' (i.e. relaying messages towards
another label manager) to correctly deliver responses to the
requesting clients.
projects / mirror / frr.git / log