Donald Sharp [Fri, 15 Apr 2016 13:15:21 +0000 (09:15 -0400)]
vtysh: Allow file read in to continue in more cases
When a duplicate command is read in from a file,
there are cases where daemons return CMD_WARNING;
this causes the command to not be sent to subsequent
daemons (if any).
Allow the read in of commands to continue in this
situation.
Ticket: CM-10393
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Donald Sharp [Fri, 15 Apr 2016 17:09:58 +0000 (13:09 -0400)]
quagga: Check for existence of IFLA_INFO_SLAVE_KIND
IFLA_INFO_SLAVE_KIND is a new type of netlink message
If the kernel makes it available compile in support
else we'll just silently do the right thing.
Additionally reduce the test cases for netlink by 1.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: David Ahern <dsa@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Donald Sharp [Fri, 15 Apr 2016 01:46:44 +0000 (21:46 -0400)]
lib, bgpd: Refactor vrf handling through zclient
Protocols receive zclient vrf creation events from zebra.
This data was being handed to the protocol to decode and
then to hand back to zclient to create the vrf to then
handle appropriately. This is a bad idea.
Modify the code such that when zclient.c receives a vrf
event from zebra that it decodes the data and just creates
the vrf. Individual protocols just need to handle the
appropriate vrf events.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Donald Sharp [Wed, 13 Apr 2016 16:21:47 +0000 (12:21 -0400)]
zebra: Refactor struct zebra_t
We were including 'extern struct zebra_t zebrad;' all
over the place. This made no sense. Refactor
into zserv.h where the definition was and remove resulting
unnecessary code.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Donald Sharp [Wed, 13 Apr 2016 14:06:36 +0000 (10:06 -0400)]
lib, zebra: Rework vrf_add_update
The vrf_add_update function does not need to exist.
Move its constituent parts into the appropriate
vrf_create/vrf_enable functionality as well as
move the zebra_vrf_add_update() function call
into zebra_vrf_enable()
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Daniel Walton [Thu, 14 Apr 2016 18:16:43 +0000 (18:16 +0000)]
quagga: "set community x:y" needs bounds checking
Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
Ticket: CM-10002
superm-redxp-05# conf t
superm-redxp-05(config)# route-map FOO permit 10
superm-redxp-05(config-route-map)# set community ?
AA:NN Community number in AA:NN format (where AA and NN are <0-65535>) or local-AS|no-advertise|no-export|internet or additive
none No community attribute
superm-redxp-05(config-route-map)# set community 2:2
superm-redxp-05(config-route-map)# set community 2:70000
% Malformed communities attribute
superm-redxp-05(config-route-map)# set community 70000:2
% Malformed communities attribute
superm-redxp-05(config-route-map)#
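The AA:NN range check shown in the transcript above, as an added illustrative C example; this is not bgpd's own parser, and the function names and return convention are assumptions.

```c
/* Added illustrative bounds check for "set community AA:NN" input, modelled
 * on the behaviour in the transcript above. This is not bgpd's own parser;
 * function names and the return convention are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define COMMUNITY_FIELD_MAX 65535UL     /* AA and NN are 16-bit each */

/* Parse one decimal field; *end is set to the first unparsed char.
 * Returns 1 on success, 0 if empty, non-numeric or > 65535. */
static int parse_u16_field(const char *s, char **end, uint32_t *val)
{
  if (!isdigit((unsigned char)*s))       /* rejects "", "-1", " 2", "+2" */
    return 0;
  errno = 0;
  unsigned long v = strtoul(s, end, 10);
  if (errno != 0 || v > COMMUNITY_FIELD_MAX)   /* 70000 is refused here */
    return 0;
  *val = (uint32_t)v;
  return 1;
}

/* Parse "AA:NN" into the 32-bit community value (AA << 16 | NN).
 * Returns 0 on success, -1 for malformed input such as 2:70000. */
int community_parse(const char *str, uint32_t *community)
{
  char *end;
  uint32_t aa, nn;
  if (!parse_u16_field(str, &end, &aa) || *end != ':')
    return -1;
  if (!parse_u16_field(end + 1, &end, &nn) || *end != '\0')
    return -1;
  *community = (aa << 16) | nn;
  return 0;
}

/* Convenience wrapper: the parsed value, or -1 if the input is malformed. */
long long community_value(const char *str)
{
  uint32_t c;
  return community_parse(str, &c) == 0 ? (long long)c : -1LL;
}
```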
Key BGP 'show' commands have been expanded to support 'vrf all':
show ip bgp vrf all summary
show ip bgp vrf all neighbors
show ip bgp vrf all nexthop
show ip bgp vrf all update-group
show ip bgp vrf all
show bgp vrf all summary
show bgp vrf all update-group
show bgp vrf all
Signed-off-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Ticket: CM-10402
Reviewed By: CCR-4466
Testing Done: Manual
Donald Sharp [Wed, 13 Apr 2016 00:44:28 +0000 (20:44 -0400)]
debian: Add the creation of the quagga user to quaggavty group
The creation of the quagga user was not the only place
to add the quagga user to the quaggavty group. If
we are reinstalling quagga over an old version of
code then we need to check to see if the quagga
user is in the quaggavty and do the right thing.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Dave Olson <olson@cumulusnetworks.com>
Donald Sharp [Fri, 8 Apr 2016 19:32:53 +0000 (19:32 +0000)]
lib, zebra: Refactor vrf creation a bit more
Create the idea of a VRF_UNKNOWN, this is for a vrf where we don't
yet have the vrf_id for it.
Refactor the vrf_create code out of existence. We had two code
paths vrf_create and vrf_get. We should use vrf_get to create
the new vrf since XXX_get() creates the data structures now.
Signed-off-by: Donald Sharp
Reviewed-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Donald Sharp [Fri, 8 Apr 2016 23:20:34 +0000 (19:20 -0400)]
lib: Fix privilege modification for vty group specified
When attempting to switch runtime permissions over to
the correct group specified for the vty group, if the
user specified to run as does not have that vty group
then do warn about the issue and stop running
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reported-by: Thomas Martin <tmartincpp@gmail.com>
Timo Teräs [Fri, 22 May 2015 10:40:56 +0000 (13:40 +0300)]
privs: fix privilege dropping to use system defined groups
It may be required for the quagga process to belong to additional
groups. E.g. nhrp module will need to talk to strongSwan using
vici and may require additional permissions. Initialize groups
from the system group database.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Christian Franke [Wed, 13 May 2015 11:59:18 +0000 (13:59 +0200)]
lib/privs: Don't use CAP_NET_BROADCAST
From what I can tell, CAP_NET_BROADCAST has never been required for any
functionality in the Linux kernel, so we do not really need it.
However, it causes breakage in contexts where Quagga is started with a
limited set of capabilities, e.g. in Docker, because these may not
include CAP_NET_BROADCAST and in the case of Docker do not even support
adding CAP_NET_BROADCAST.
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Brian Bennett [Tue, 17 Feb 2015 23:24:15 +0000 (23:24 +0000)]
lib: Fix POSIX capabilities on SunOS platforms
When using POSIX capabilities on SunOS the capabilities are too
restrictive resulting in quagga processes not being able to read their
own config files. Credit goes to Oracle where this patch was originally
authored and included in OpenSolaris.
lib/privs.c: Include additional capabilities, better checking of
missing capabilities.
Fixes: #820
Acked-by: Greg Troxel <gdt@ir.bbn.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Donald Sharp [Fri, 8 Apr 2016 13:16:14 +0000 (09:16 -0400)]
quagga: Remove iflist global variable
The file if.c has a iflist that had the list of interfaces
in the default vrf. Remove this variable and replace
with a vrf_iflist lookup on the default vrf where it
was used.
Additionally, modify ptm code to iterate over all vrf's
when enabling ptm.
Ticket: CM-10338
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Radhika Mahankali <radhika@cumulusnetworks.com>
Donald Sharp [Wed, 6 Apr 2016 19:51:09 +0000 (15:51 -0400)]
vtysh: Add file locking to Quagga.conf
Problem:
Systemd runs in parallel all quagga daemons after zebra is started up.
Now each command has a ExecStartPost which executes vtysh -b -n.
Each of these vtysh -b -n would blast configuration to each daemon.
This leads to the situation where vtysh process #2 is blasting
in config that is at a different spot in the Quagga.conf file
that vtysh process #1 is at.
If #1 has put itself into a different submode that #2 is at,
we will get failures and the code will not be read in properly.
This problem is especially evident for when you have more than one
protocol running at one time.
Solution:
flock Quagga.conf.
If you don't get the flock, sleep for a while, try to get flock again,
go to sleep...
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Dave Olson <olson@cumulusnetworks.com>
Donald Sharp [Wed, 6 Apr 2016 13:34:33 +0000 (09:34 -0400)]
lib, vtysh: Return actual problem further up
When we encounter a problem loading a config file
quantify to the end user what has gone wrong,
with a combination of err output as well as
return codes.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Reviewed-by: Dave Olson <olson@cumulusnetworks.com>
Zebra: Fix VRF-id and table for BGP unnumbered (RFC 5549)
In the case of BGP unnumbered RFC 5549 (IPv4 routes with IPv6 nexthop), the
zebra code to handle routes was not initializing the correct VRF id and
locating the correct routing table, resulting in the routes not getting
installed. Fixed with this change.
Don Slice [Wed, 6 Apr 2016 12:08:42 +0000 (12:08 +0000)]
bgpd: Resolve ability to add route-map out to peer-group member
Modified the configuration code to properly allow a peer-group member
to have a route-map out applied when one does not exist on the peer-group
itself. This capability already existed for route-map in.
Ticket: CM-10058
Signed-off-by: Don Slice
Reviewed-by: Donald Sharp
isisd: ignore unknown interfaces when adjusting IS-IS mtu
For example during startup of isisd, the MTU of interfaces is not
known, since this information will only be available once the
interfaces have been learned from zebra.
It makes no sense to include the MTU 0 that is stored for interfaces
in this state in the consideration whether a new lsp-mtu for an
area is valid, so skip interfaces which are in this state.
Signed-off-by: Christian Franke <nobody@nowhere.ws>
isisd: make sure that all interface addresses are advertised
If the following configuration commands are run interactively in
succession, the ipv6 addresses of this interface won't be advertised
in the router's LSP immediately:
# interface eth0
# ip router isis test
# ipv6 router isis test
This is because the ipv6 router command won't trigger a state change
for the interface and therefore, it won't trigger a regeneration of
the LSPs.
The same thing happens if IPv4 is enabled after IPv6, or for the cases
where IPv4 is disabled and IPv6 stays enabled or vice-versa.
Fix this by explicitly calling lsp_regenerate_schedule for the cases
where it won't be called implicitly.
Signed-off-by: Christian Franke <nobody@nowhere.ws>
isisd crashed on startup if it was enabled for an interface with
a too small MTU.
To fix this, we treat this case as an invalid configuration and
disable isis on that interface if that case happens, since it is
a configuration error.
Signed-off-by: Christian Franke <nobody@nowhere.ws>
isisd: work around route table asserts for deleting node with info
The route table code in lib/table.c triggers an assertion when a route
node with rn->info != NULL reaches refcount 0, probably to avoid
memleaks. In this particular case, this is not an issue, since the
info will be freed by the destructor.
However, since removing this assertion probably requires more
discussion, just make sure that rn->info gets freed and unset before
its refcount is decremented to zero.
Signed-off-by: Christian Franke <nobody@nowhere.ws>
In function vrf_get(), an early call to vrf_get_by_name() may end up
creating the Zebra VRF structure prior to the VRF id being set,
resulting in various other misbehavior. Fix this with appropriate
changes.
Donald Sharp [Mon, 4 Apr 2016 16:44:46 +0000 (12:44 -0400)]
bgpd: Another hash_get crash fix
Basically when modifying the peer->su, we must *always*
release the hash and then re-install it, else
we will cause crashes when we go to look up data
that is not going to be there.
Ticket: CM-10212
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Donald Sharp [Mon, 4 Apr 2016 16:40:33 +0000 (12:40 -0400)]
lib: plist should not CMD_WARNING when command has already been entered
When you startup zebra and apply a prefix list command, and then at a
later point in time start up additional daemons and then attempt to
apply the integrated-config, the prefix-list command will stop
processing after zebra.
This is because when zebra attempted to process the command, it would
notice that it already had that cli handled and print a vty warning and
then it would return CMD_WARNING. This caused the loop over all the
commands to stop and as such the command would not be sent to all the
individual daemons.
This behavior is exactly the same as it is in the 2.5.X (hell, it's
upstream behavior too!). Modify the plist command to return CMD_SUCCESS
in this case.
Ticket: CM-10248
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Donald Sharp [Fri, 1 Apr 2016 13:18:22 +0000 (09:18 -0400)]
vtysh: Make vtysh run as quagga user
vtysh should be run as the quagga user, else when
you execute a 'wr mem' the Quagga.conf and vtysh.conf
files are owned by whomever started the process.
This can cause file ownership issues.
Ticket: CM-10217
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Dave Olson <olson@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Donald Sharp [Thu, 31 Mar 2016 20:31:52 +0000 (16:31 -0400)]
lib, zebra: Fix vrf new hook callback.
This commit fixes two issues:
1) The creation of a new vrf from the cli was not calling the vrf_create hook.
This is fixed.
2) The zebra_vrf_delete callback was deleting interface information that
belonged to vrf not zvrf. Remove the code as it was not its job
to do so.
Ticket: CM-10100
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com>
Quagga BGP needed a config 'bgp multiple-instance' in order to be able
to configure and use VRFs. Since this support is intrinsic to the
implementation, make this configuration on by default. Corresponding
change to 'show running-config' (and write) to display only if "no" is
configured.
This change will eliminate one unnecessary step in the configuration.
Signed-off-by: Vivek Venkatraman <vivek@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
Ticket: CM-10070
Reviewed By: CCR-4383
Testing Done: Manual
Donald Sharp [Thu, 31 Mar 2016 12:20:53 +0000 (08:20 -0400)]
zebra: Fix Startup with > 1k interfaces
Zebra in rt_netlink.c has a while (1) loop that handles
recvmsg from the netlink socket. In early bootup a
situation can occur whereby the netlink messages
take a long time to parse. This time starts to
take an exponential amount of time the more netlink
messages that you read in. There reaches
a point where the incoming netlink messages are
coming in at about the same rate that they are processed.
This ends up causing the while (1) loop to never exit.
Eventually this causes quagga to fail when the watchdog message
is never sent to systemd.
This patch attempts to address this deficiency in that
we allow for a pause from reading in netlink messages
to allow other work to be done. This pause drains
the work queue items created by the netlink received
data and allows zebra to respond to other system input.
I believe we will need to come back in and modify zebra
startup a bit more. There are inefficiencies that need
to be addressed as part of boot up.
Ticket: CM-9992
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Reviewed-by: Don Slice <dslice@cumulusnetworks.com>
Reviewed-by: Wilson Kok <wkok@cumulusnetworks.com>
Christian Franke [Tue, 10 Nov 2015 17:33:16 +0000 (18:33 +0100)]
isisd: fix misleading wording in log
The changed messages are actually located before transmission is
attempted. Therefore, the tense is somewhat misleading, especially
since transmission may not always succeed.
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
Christian Franke [Tue, 10 Nov 2015 17:43:34 +0000 (18:43 +0100)]
isisd: add a slight delay to lsp_regenerate_schedule
isisd implements a holdoff interval and will refrain from regenerating
an lsp if the difference between the current time and its last refresh
is less than the holdoff interval. Instead, it will schedule a timer
to regenerate the lsp after the holdoff interval has passed.
This implementation has one disadvantage in the case where there is a
succession of calls to lsp_regenerate_schedule. In such a case, the
first call will trigger an immediate regeneration of the lsp, while the
other calls will only schedule the regeneration timer. This leads to
cases where it takes holdoff interval time for information to propagate,
just because the information was only available e.g. at the second call
of lsp_regenerate_schedule in such a succession of calls.
By not immediately regenerating an lsp if the last generation time
is sufficiently long ago, but instead scheduling the regeneration with a
very small delay, we allow all information from such a succession of
calls to be considered.
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
Amritha Nambiar [Mon, 24 Aug 2015 23:40:14 +0000 (16:40 -0700)]
isisd: Attached-bit in LSP header
Set/reset attached-bit in LSP header:
This patch provides support for set/reset attached_bit in the LSP header.
In IS-IS networks, routing inter-area traffic from L1 areas is
accomplished by sending the traffic to the nearest L1/L2 router.
An L1/L2 router identifies itself by setting an attach-bit (ATT-bit) in its LSP.
The ATT-bit in LSP can be changed using the set-attached-bit or
no-set-attached-bit commands (similar to 'set-overload-bit' and
'no set-overload-bit') using telnet terminal in router configuration mode.
V2: Removed looping through area list as this will set the bit for all
areas in the list. This implementation now looks exactly like the
current overload bit implementation.
Christian Franke [Tue, 10 Nov 2015 17:04:48 +0000 (18:04 +0100)]
isisd: initialize circuit to match area is_type
New circuits should be initialized to match the is_type
of their area. Also add an additional check to make sure
that no IIHs are sent for levels which are not enabled.
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
Christian Franke [Tue, 10 Nov 2015 17:04:47 +0000 (18:04 +0100)]
isisd: do remove ipv6 routes from Zebra
We can abort isis_zebra_route_del_ipv6 if the route in question has
ISIS_ROUTE_FLAG_ZEBRA_SYNCED unset, meaning it's not in the kernel.
Aborting the function if the flag is set prevents us from removing
any routes.
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
Christian Franke [Tue, 10 Nov 2015 16:45:03 +0000 (17:45 +0100)]
ripd, isisd: fix warnings that make the build fail
These issues have been found by running buildtest.sh
using GCC 5.2.0 and Clang 3.7.0
Fixes pointer checks that can never be null
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Tested-by: NetDEF CI System <cisystem@netdef.org>
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Michael Zingg [Fri, 26 Oct 2012 09:18:19 +0000 (11:18 +0200)]
isisd: Fix LSPs not being regenerated after adjacency change
In isisd LSPs are not regenerated after a change in adjacency if
lsp-gen-interval has expired.
I have tested this on Debian 6.0 with zebra and level1 isisd with point
to point links. This problem is also listed in Test ISIS-18.3 on the
opensourcerouting.org wiki:
http://confluence.isc.org/display/osr/ANVL+ISIS+Compliance+Test+Plan
http://confluence.isc.org/display/osr/ANVL+ISIS+Results
Amritha Nambiar [Wed, 14 Oct 2015 05:08:46 +0000 (22:08 -0700)]
isisd: Drop packet received on multiple interfaces due to the time gap in binding socket to an interface
Due to the time window between opening socket and binding it to an interface, the same hello
packet is delivered on multiple interfaces, unique socket per circuit is not yet established.
When such hellos get processed, they form incorrect adjacencies. So, drop the packet that is
received on multiple interfaces because the socket for the circuit is yet to bind to an interface.
Don Slice [Tue, 29 Mar 2016 19:19:42 +0000 (19:19 +0000)]
zebra: Use vrf name instead of vrf-id for ipv6 static route configuration
Changed output of the "ipv6 route ... vrf red" to display and store with the
vrf name instead of the vrf_id, since the vrf_id would disappear on reboot
or quagga restart.
Ticket: CM-10126
Signed-off-by: Don Slice
Reviewed-by: Donald Sharp
vivek [Mon, 28 Mar 2016 16:37:39 +0000 (09:37 -0700)]
BGP: Fix BGP unnumbered peerings across VRFs
Upon receipt of incoming connection, a peer structure (doppelganger) is
created internally and the connection processed for it. The problem is
that in the case of BGP unnumbered, the sockunion structure within BGP was
being updated (in peer_create()) prior to the peer's flags being updated,
so it didn't take into account the 'v6only' configuration. This results
in subsequent problems when bgp_bind() is done - the socket ends up being
bound to the BGP instance instead of the interface.
In the case of an incoming connection, we should just use the addresses
on which the connection was setup/accepted, there is no need to attempt to
derive it again. Further, there is no need to attempt to update addresses
at the time of peer_create() since that is done when the connection is
attempted in bgp_start().
Paul Jakma [Mon, 8 Feb 2016 14:46:28 +0000 (14:46 +0000)]
lib: zclient can overflow (struct interface) hw_addr if zebra is evil
* lib/zclient.c: (zebra_interface_if_set_value) The hw_addr_len field
is used as trusted input to read off the hw_addr and write to the
INTERFACE_HWADDR_MAX sized hw_addr field. The read from the stream is
bounds-checked by the stream abstraction, however the write out to the
heap can not be.
Tighten the supplied length to stream_get used to do the write.
Impact: a malicious zebra can overflow the heap of clients using the ZServ
IPC. Note that zebra is already fairly trusted within Quagga.
Donald Sharp [Wed, 27 Jan 2016 16:54:45 +0000 (16:54 +0000)]
bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length
Address CERT vulnerability report VU#270232, memcpy to stack data structure
based on length field from packet data whose length field upper-bound was
not properly checked.
This likely allows BGP peers that are enabled to send Labeled-VPN SAFI
routes to Quagga bgpd to remotely exploit Quagga bgpd.
Mitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.
Impact: Labeled-VPN SAFI is not enabled by default.
* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for
lower-bound, but not for upper-bound against received data length.
The packet data is then memcpy'd to the stack based on the prefixlen.
Extend the prefixlen check to ensure it is within the bound of the NLRI
packet data AND the on-stack prefix structure AND the maximum size for the
address family.
Reported-by: Kostya Kortchinsky <kostyak@google.com>
This commit is a joint effort between:
Lou Berger <lberger@labn.net>
Donald Sharp <sharpd@cumulusnetworks.com>
Paul Jakma <paul.jakma@hpe.com> / <paul@jakma.org>
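The prefixlen bound checks described in the VU#270232 commit above, carried through in an added illustrative C parser for one VPNv4 NLRI entry; this is not bgpd's bgp_nlri_parse_vpnv4(), and the struct layout, names and error codes are assumptions.

```c
/* Added illustrative parser for one Labeled-VPN (VPNv4) NLRI entry, showing
 * the bound checks the VU#270232 fix describes. This is not bgpd's
 * bgp_nlri_parse_vpnv4(); names, layout and error codes are assumptions. */
#include <stdint.h>
#include <string.h>

#define LABEL_BYTES 3                        /* one MPLS label */
#define RD_BYTES    8                        /* route distinguisher */
#define HDR_BITS    ((LABEL_BYTES + RD_BYTES) * 8)   /* 88 */
#define IPV4_MAX_BITLEN 32
enum { NLRI_ERR_TRUNCATED = -1, NLRI_ERR_PREFIXLEN = -2 };

struct vpnv4_prefix {                        /* on-stack copy target */
  uint8_t label[LABEL_BYTES];
  uint8_t rd[RD_BYTES];
  uint8_t prefixlen;                         /* host bits, 0..32 */
  uint8_t addr[IPV4_MAX_BITLEN / 8];
};

/* Parse one entry from data[0..len). Returns bytes consumed (> 0) or a
 * negative NLRI_ERR_* code; never copies more than fits in *out. */
int parse_vpnv4_nlri(const uint8_t *data, size_t len, struct vpnv4_prefix *out)
{
  if (len < 1)
    return NLRI_ERR_TRUNCATED;
  unsigned bits = data[0];                   /* label + RD + address bits */
  if (bits < HDR_BITS)                       /* lower bound: label and RD */
    return NLRI_ERR_PREFIXLEN;
  if (bits - HDR_BITS > IPV4_MAX_BITLEN)     /* upper bound: address family */
    return NLRI_ERR_PREFIXLEN;
  size_t psize = (bits + 7) / 8;             /* bytes following the length */
  if (psize > len - 1)                       /* upper bound: received data */
    return NLRI_ERR_TRUNCATED;
  size_t addr_bytes = psize - LABEL_BYTES - RD_BYTES;
  if (addr_bytes > sizeof(out->addr))        /* upper bound: on-stack struct */
    return NLRI_ERR_PREFIXLEN;

  memset(out, 0, sizeof(*out));
  memcpy(out->label, data + 1, LABEL_BYTES);
  memcpy(out->rd, data + 1 + LABEL_BYTES, RD_BYTES);
  memcpy(out->addr, data + 1 + LABEL_BYTES + RD_BYTES, addr_bytes);
  out->prefixlen = (uint8_t)(bits - HDR_BITS);
  return (int)(1 + psize);
}

/* Constructed sample inputs (not captured traffic) exercising each path. */
int demo_valid_entry(void)
{
  /* 112 bits = label + RD + 24 address bits, so 14 bytes follow. */
  static const uint8_t pkt[15] = { 112, 0, 0, 0x31, 0, 0, 0, 0, 0, 0, 0, 0, 10, 1, 2 };
  struct vpnv4_prefix p;
  int n = parse_vpnv4_nlri(pkt, sizeof(pkt), &p);
  return (n == 15 && p.prefixlen == 24 && p.addr[0] == 10) ? n : -99;
}
int demo_oversized_prefixlen(void)
{
  /* Length byte of 255 claims 32 bytes: old code would memcpy past addr. */
  static const uint8_t pkt[33] = { 255 };
  struct vpnv4_prefix p;
  return parse_vpnv4_nlri(pkt, sizeof(pkt), &p);
}
int demo_truncated_entry(void)
{
  /* Claims 120 bits (15 bytes) but only 5 bytes follow the length. */
  static const uint8_t pkt[6] = { 120 };
  struct vpnv4_prefix p;
  return parse_vpnv4_nlri(pkt, sizeof(pkt), &p);
}
```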