Donald Sharp [Thu, 11 Nov 2021 18:25:35 +0000 (13:25 -0500)]
ospfd: Prevent use after free on shutdown
Running ospf_topo_vrf1 leads us to this valgrind issue:
```
==2386518== Invalid read of size 8
==2386518== at 0x4971520: route_top (table.c:401)
==2386518== by 0x181F08: ospf_interface_bfd_apply (ospf_bfd.c:126)
==2386518== by 0x182069: ospf_interface_disable_bfd (ospf_bfd.c:158)
==2386518== by 0x18BF51: ospf_del_if_params (ospf_interface.c:557)
==2386518== by 0x18C584: ospf_if_delete_hook (ospf_interface.c:712)
==2386518== by 0x490CA0B: hook_call_if_del (if.c:61)
==2386518== by 0x490D1F3: if_delete_retain (if.c:286)
==2386518== by 0x490D337: if_delete (if.c:309)
==2386518== by 0x490CDED: if_destroy_via_zapi (if.c:200)
==2386518== by 0x49940A9: zclient_interface_delete (zclient.c:2237)
==2386518== by 0x4998062: zclient_read (zclient.c:3969)
==2386518== by 0x4979529: thread_call (thread.c:1908)
==2386518== by 0x4919918: frr_run (libfrr.c:1164)
==2386518== by 0x181AC7: main (ospf_main.c:235)
==2386518== Address 0x5df39a0 is 0 bytes inside a block of size 56 free'd
==2386518== at 0x48399AB: free (vg_replace_malloc.c:538)
==2386518== by 0x492A03E: qfree (memory.c:141)
==2386518== by 0x4970C6F: route_table_free (table.c:141)
==2386518== by 0x4970A36: route_table_finish (table.c:61)
==2386518== by 0x18C543: ospf_if_delete_hook (ospf_interface.c:708)
==2386518== by 0x490CA0B: hook_call_if_del (if.c:61)
==2386518== by 0x490D1F3: if_delete_retain (if.c:286)
==2386518== by 0x490D337: if_delete (if.c:309)
==2386518== by 0x490CDED: if_destroy_via_zapi (if.c:200)
==2386518== by 0x49940A9: zclient_interface_delete (zclient.c:2237)
==2386518== by 0x4998062: zclient_read (zclient.c:3969)
==2386518== by 0x4979529: thread_call (thread.c:1908)
==2386518== by 0x4919918: frr_run (libfrr.c:1164)
==2386518== by 0x181AC7: main (ospf_main.c:235)
==2386518== Block was alloc'd at
==2386518== at 0x483AB65: calloc (vg_replace_malloc.c:760)
==2386518== by 0x4929EFC: qcalloc (memory.c:116)
==2386518== by 0x49709F8: route_table_init_with_delegate (table.c:53)
==2386518== by 0x49717F4: route_table_init (table.c:528)
==2386518== by 0x18C328: ospf_if_new_hook (ospf_interface.c:659)
==2386518== by 0x490C97D: hook_call_if_add (if.c:60)
==2386518== by 0x490CE85: if_create_name (if.c:223)
==2386518== by 0x490DF32: if_get_by_name (if.c:622)
==2386518== by 0x4993F73: zclient_interface_add (zclient.c:2186)
==2386518== by 0x4998062: zclient_read (zclient.c:3969)
==2386518== by 0x4979529: thread_call (thread.c:1908)
==2386518== by 0x4919918: frr_run (libfrr.c:1164)
==2386518== by 0x181AC7: main (ospf_main.c:235)
==2386518==
```
Fix the ordering to do the individual node tree cleanup after we delete
the data we care about.
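The ordering problem in the trace above (table freed at ospf_interface.c:708, walked again at :712 in the same hook), as an added example that is not FRR code. The structs and functions (`table_init`, `table_finish`, `del_params`, `iface_delete`) are a constructed model; the model also clears the owner's pointer on free, so the wrong order shows up as skipped cleanup rather than an invalid read.

```c
#include <stdlib.h>

/* Constructed model, not FRR code: an interface owns a table of
 * per-entry parameters, and each entry may hold a BFD session. */
struct params { int bfd_session; };           /* 1 = session registered */
struct table  { size_t n; struct params *ent; };
struct iface  { struct table *params; };

static struct table *table_init(size_t n) {
	struct table *t = calloc(1, sizeof(*t));
	if (!t)
		return NULL;
	t->ent = calloc(n ? n : 1, sizeof(*t->ent));
	if (!t->ent) { free(t); return NULL; }
	t->n = n;
	for (size_t i = 0; i < n; i++)
		t->ent[i].bfd_session = 1;
	return t;
}

/* Free the table and clear the owner's pointer, so a later walk sees
 * NULL instead of a dangling pointer. */
static void table_finish(struct table **pt) {
	if (!pt || !*pt)
		return;
	free((*pt)->ent);
	free(*pt);
	*pt = NULL;
}

/* Walk the table and release per-entry state; returns sessions released.
 * If the pointer were left dangling, this walk is the invalid read. */
static int del_params(struct iface *ifp) {
	int released = 0;
	if (!ifp->params)
		return 0;
	for (size_t i = 0; i < ifp->params->n; i++)
		if (ifp->params->ent[i].bfd_session) {
			ifp->params->ent[i].bfd_session = 0;
			released++;
		}
	return released;
}

enum order { FREE_TABLE_FIRST, USE_TABLE_FIRST };

/* Interface delete hook in both orderings; returns sessions released. */
int iface_delete(size_t n, enum order o) {
	struct iface ifp = { table_init(n) };
	int released;
	if (!ifp.params)
		return -1;
	if (o == FREE_TABLE_FIRST) {          /* order seen in the trace */
		table_finish(&ifp.params);
		released = del_params(&ifp);  /* nothing left to walk */
	} else {                              /* corrected order */
		released = del_params(&ifp);
		table_finish(&ifp.params);
	}
	return released;
}

int main(void) { return iface_delete(3, USE_TABLE_FIRST) == 3 ? 0 : 1; }
```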
FRR 8.1 brings a long list of enhancements and fixes with 1200 commits from
75 developers. Thanks to all contributors.
* New Features
- Lua hooks are now feature complete, with one hook available for use
(http://docs.frrouting.org/en/latest/scripting.html)
- Improvements to SRv6 (Segment Routing over IPv6)
(http://docs.frrouting.org/en/latest/zebra.html#segment-routing-ipv6)
- Improvements to Prefix-SID (Type 5)
- EVPN route type-5 gateway IP overlay Index
(http://docs.frrouting.org/en/latest/bgp.html#evpn-overlay-index-gateway-ip)
- OSPFv3 NSSA and NSSA totally stub areas
(http://docs.frrouting.org/en/latest/ospf6d.html#ospf6-area)
- OSPFv3 ASBR summarization
(http://docs.frrouting.org/en/latest/ospf6d.html#asbr-summarisation-support-in-ospfv3)
- OSPFv3 Graceful Restart
(http://docs.frrouting.org/en/latest/ospf6d.html#graceful-restart)
- OSPFv2 Graceful Restart (restarting mode added, helper was already implemented)
(http://docs.frrouting.org/en/latest/ospfd.html#graceful-restart)
* FRRouting 2021 GSOC Project
FRRouting's GSOC student implemented the infrastructure needed to add the
ability to call out to user provided Lua scripts from within FRR. Keep an eye
out for developments in this area.
And its presentation at Netdev 0x15:
https://www.youtube.com/watch?v=_8R1MYP7M48&t=1051s
Thank you @dlqs!
* Behavior Changes
- Every node in running config now has an explicit "exit" tag
- Link bandwidth in BGP is now correctly encoded according to IEEE 754.
To stay with old incorrect encoding use:
`neighbor PEER disable-link-bw-encoding-ieee`
* Changelog
alpine
Fix path for daemons file install
bgpd
Add "json" option to "show bgp as-path-access-list"
Add `disable-addpath-rx` knob
Add an ability to set extcommunity to none in route-maps
Add counter of displayed show bgp summary when filtering
Add knob to config cond-adv scanner period
Add route-map `match alias` command
Add rpki source address configuration
Add show bgp summary filter by neighbor or as
Add terse display option on show bgp summary
Allow for auto-completion of community aliases created
Bgp knob to teardown session immediately when peer is unreachable
Expand 'bgp default <afi>-<safi>' cmds
Extend evpn next hop tracking to type-1 and type-4 routes
Fix "no router bgp x vrf default"
Flowspec redirect vrf uses vrf table instead of allocated table id
Handle quick flaps of an evpn prefix properly
Initial batch of evpn lttng tracepoints
Limit processing to what is needed in rpki validation
Modify vrf/view display in show bgp summary
Set 4096 instead of 65535 as new max packet size for a new peer
Set extended msg size only if we advertised and received capability
Show bgp community alias in json community list output
Show bgp prefixes by community alias
Show max packet size per update-group
Split soft reconfigure table task into several jobs to not block vtysh
Store distance received from a redistribute statement
Update route-type-1 legend to match output
isis
Fix sending of lsp with null seqno
lib
Add "json" option to "show ip[v6] access-list"
Add "json" option to "show ip[v6] prefix-list"
Add "json" option to "show route-map"
Prevent grpc assert on missing yang node
nhrp
Clear cache when shortcuts are cleared
Fix corrupt address being shown for shortcuts with no cache entry
Set prefix correctly in resolution request
ospf6
Add debug commands for lsa all and route all
Add warning log for late hello packets
Add write-multiplier configuration
Don't update router-id if at least one adjacency is full
Extend the "redistribute" command with more options
Fix issue when displaying the redistribute command
Fix logging of border router routes
Json output for database dump show command
Link state id in lsa database json output
Send lsa update immediately when ospf instance is deleted
ospfd
Fix crash when creating vlink in unknown vrf
Gr conformance fix for hello packet dr election
Print extra lsa information in some log messages
Rfc conformance test case 25.23 issue fix
Show ip ospf route json does not show metric and tag
Summary lsa is not originated when process is reset
pathd
Handle pcinitiated configuration, main thread
Handle pcinitiated messages, thread controller
Handle srp_id correctly
If pce ret no-path to pcreq don't retry pcreq nor delegate
pbrd
Add `match ip-protocol [tcp|udp]`
Add ability to set/unset src and dest ports
Nhg "add" edge case for last in table range
Start inclusion of src and dst ports for pbrd
pimd
Add tos/ttl check for igmp conformance
Allow join prune intervals to be as small as 5 seconds
Allow msdp group name 'default'
Fix register suppress timer code
Fix uaf/heap corruption in bsm code
Fix command "no ip msdp mesh-group member"
Igmp groups are not getting timeout
Igmp memberships are not querier specific
Igmp sockets need to be iface-bound too
Prevent uninited usage of nexthop
Support msdp global timers configuration
vtysh
Add cli timestamp '-t' flag
Add error code if daemon is not running
Fix searching commands in parent nodes
yang
Add msdp timer configuration
Fix bgp multicast prefix type
Mark a couple of prefix-list/access-list leafs as mandatory
Move multicast prefix type definition
Replace an empty pattern with a zero-length restriction
Rework pim msdp mesh group
Simplify msdp peer handling
zebra
Add "json" option to "show interface"
Various improvements to dataplane interface
Add message counts for `show zebra client`
Add nhg id to show ip route json
Add show command for ra interface lists
Fix ipv4 routes with ipv6 link local next hops install in fpm
Handle bridge mac address update in evpn contexts
Move individual lines to table in `show zebra client` command
Refresh vxlan evpn contexts, when bridge interface goes up
Update zl3vni when bridge link refreshed in other namespaces
* Contributors
Aaron Pereira <pereiraaa@vmware.com>
Abhinay Ramesh <rabhinay@vmware.com>
Abhishek Naik <bhini@amazon.com>
Adriano Marto Reis <adrianomarto@gmail.com>
Alexander Chernavin <achernavin@netgate.com>
Alexander Skorichenko <askorichenko@netgate.com>
Ameya Dharkar <adharkar@vmware.com>
Amol Lad <amol.lad@4rf.com>
anlan_cs <anlan_cs@tom.com>
Anuradha Karuppiah <anuradhak@nvidia.com>
Basha Mougamadou <b.mougamadou@criteo.com>
batmancn <batmanustc@gmail.com>
Chirag Shah <chirag@nvidia.com>
Christian Hopps <chopps@gmail.com>
Colin Sames <colin.sames@haw-hamburg.de>
David Lamparter <equinox@diac24.net>
Dmitrii Turlupov <dturlupov@factor-ts.ru>
Donald Lee <dlqs@gmx.com>
Donald Sharp <sharpd@nvidia.com>
Donatas Abraitis <donatas.abraitis@gmail.com>
Don Slice <dslice@nvidia.com>
Emanuele Di Pascale <emanuele@voltanet.io>
enigamict <mochienper@gmail.com>
ewlumpkin <ewlumpkin@gmail.com>
GalaxyGorilla <sascha@netdef.org>
github login name <ranjany@vmware.com>
gord_chen <gord_chen@edge-core.com>
G. Paul Ziemba <p-fbsd-bugs@ziemba.us>
Guillaume Solignac <guillaume.solignac@orange.com>
Hiroki Shirokura <slank.dev@gmail.com>
Igor Ryzhov <iryzhov@nfware.com>
Jafar Al-Gharaibeh <jafar@atcorp.com>
Javier Garcia <javier.garcia@voltanet.io>
John W. O'Brien <john@saltant.com>
Kantesh Mundaragi <kmundaragi@vmware.com>
Karen Schoener <karen@voltanet.io>
Kaushik <kaushiknath.null@gmail.com>
Kuldeep Kashyap <kashyapk@vmware.com>
Lars Seipel <ls@slrz.net>
Lou Berger <lberger@labn.net>
Louis Scalbert <louis.scalbert@6wind.com>
lynne <lynne@voltanet.io>
Mark Stapp <mstapp@nvidia.com>
Martin Buck <mb-tmp-tvguho.pbz@gromit.dyndns.org>
Martin Winter <mwinter@opensourcerouting.org>
Mobashshera Rasool <mrasool@vmware.com>
nguggarigoud <nguggarigoud@vmware.com>
Nikhil Kelapure <nikhil.kelapure@broadcom.com>
Olivier Dugeon <olivier.dugeon@orange.com>
Ondřej Surý <ondrej@sury.org>
Pat Ruddy <pat@voltanet.io>
Pavel Ivashchenko <pivashchenko@nfware.com>
Philippe Guibert <philippe.guibert@6wind.com>
Prerana GB <prerana@vmware.com>
Quentin Young <qlyoung@nvidia.com>
Rafael Zalamena <rzalamena@opensourcerouting.org>
Renato Westphal <renato@opensourcerouting.org>
Reuben Dowle <reuben.dowle@4rf.com>
rgirada <rgirada@vmware.com>
Ryoga <contact@proelbtn.com>
Sai Gomathi <nsaigomathi@vmware.com>
schylar <schylarutley@hotmail.com>
Soman K.S <somanks@gmail.com>
Steffen Neubauer <s.neubauer@syseleven.de>
Stephen Worley <sworley@nvidia.com>
Takemasa Imada <takemasa.imada@gmail.com>
Tomáš Szaniszlo <tomaxuser@gmail.com>
Trey Aspelund <taspelund@nvidia.com>
vivek <vivek@cumulusnetworks.com>
Wesley Coakley <wcoakley@nvidia.com>
Xiao Liang <shaw.leon@gmail.com>
Yaroslav Fedoriachenko <yar.fed99@gmail.com>
Yash Ranjan <ranjany@vmware.com>
Yuan Yuan <yyuanam@amazon.com>
zyxwvu Shi <shiyuchen.syc@bytedance.com>
Donald Sharp [Thu, 4 Nov 2021 12:01:14 +0000 (08:01 -0400)]
zebra: Send up ifindex for redistribution when appropriate
Currently the NEXTHOP_TYPE_IPV4 and NEXTHOP_TYPE_IPV6 are
not sending up the resolved ifindex for the route. This
is causing upper level protocols that have something like
this:
```
route-map FOO permit 10
match interface swp13
!
router ospf
redistribute static
!
ip route 4.5.6.7/32 10.10.10.10
```
where 10.10.10.10 resolves to interface swp13. The route-map
will never match in this case.
Since FRR has the resolved nexthop interface, FRR might as
well send it up to be selected on by the upper level protocol
as needed.
Rafael Zalamena [Tue, 2 Nov 2021 21:54:23 +0000 (18:54 -0300)]
bgpd: fix BFD configuration update on TTL change
When altering the TTL of an eBGP peer also update the BFD
configuration. This was only working when the configuration happened
after the peer connection had been established.
pimd: In Prune Pending state, the holdtime change is not taking effect
Problem Statement:
In Prune Pending state, when a Join is received and there is a hold timer change,
the Expiry timer is not getting updated with the new Hold timer.
Root Cause:
When the thread_add_timer function is called and the thread is already in the list,
the thread api just returns; it does not modify the timer value.
So when we want to change the timer, we need to first call THREAD_OFF and then
call thread_add_timer.
The Expiry timer thread is not cancelled in PIM_IFJOIN_PRUNE_PENDING state,
therefore the timer change is not taking effect.
Hiroki Shirokura [Mon, 25 Oct 2021 23:36:14 +0000 (23:36 +0000)]
lib: fix srv6 route hardcode with BGP
zclient_send_localsid is called by various routing protocol daemons to set the
srv6 endpoint function. Fix a hard-coded error in the initial implementation.
Before this PR, the srv6 function will be registered to zebra as a BGP route
even if isisd executes zclient_send_localsid.
Abhishek Naik [Tue, 19 Oct 2021 23:45:26 +0000 (23:45 +0000)]
bgpd: Reset dynamic peer counter
Dynamic peer count is inconsistent in
"show bgp summary json" and "show bgp summary failed json" due to
dynamic peer counter 'dn_count' being reused without resetting.
Igor Ryzhov [Mon, 18 Oct 2021 14:16:35 +0000 (17:16 +0300)]
ospfd: fix crash when creating vlink in unknown vrf
if_create_name crashes when vrf_id is VRF_UNKNOWN:
```
nfware# conf t
nfware(config)# router ospf vrf doesnt-exist
nfware(config-router)# area 1.1.1.1 virtual-link 2.2.2.2
vtysh: error reading from ospfd: Success (0)Warning: closing connection to ospfd because of an I/O error!
```
Rafael Zalamena [Mon, 4 Oct 2021 21:10:58 +0000 (18:10 -0300)]
lib: prevent gRPC assert on missing YANG node
`yang_dnode_get` will `assert` if no YANG node/model exists, so let's test for
its existence first before trying to access it.
This `assert` is only acceptable for internal FRR usage otherwise we
might miss typos or unmatching YANG models nodes/leaves. For gRPC usage
we should let users attempt to use non existing models without
`assert`ing.
In startup, zebra would dump interface information from Kernel in 3
steps w/o lock: step1, get interface information; step2, get interface
ipv4 address; step3, get interface ipv6 address.
If any interface gets added after step1, but before step2/3, zebra
would get extra interface addresses in step2/3 that have not been added
into zebra in step1. Returning error in the referenced interface lookup
would cause the startup interface retrieval to be incomplete.
Igor Ryzhov [Fri, 8 Oct 2021 21:22:31 +0000 (00:22 +0300)]
lib: set type for newly created interfaces
Currently, the ll_type is set only in `netlink_interface` which is
executed only during startup. If the interface is created when the FRR
is already running, the type is not stored.
Igor Ryzhov [Tue, 5 Oct 2021 10:27:39 +0000 (13:27 +0300)]
yang: replace an empty pattern with a zero-length restriction
No functional difference, but `length "0"` is more comprehensible.
Suggested-by: Christian Hopps <chopps@labn.net>
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
(cherry picked from commit 405ebe45cf111376fe33bad45b4ec836e0157d9f)
rgirada [Tue, 5 Oct 2021 07:52:36 +0000 (00:52 -0700)]
ospf6d: ospf6d is crashing upon receiving duplicated Grace LSA.
Description:
When a grace LSA is received, the DUT adds
a copy of the LSA to all nbrs' retransmission lists as part of the
flooding procedure and subsequently increments the rmt counter in
the original LSA. This counter is supposed to be decremented
when the ack is received by nbr, and the LSA will be removed from the retransmission list.
But in our current scenario,
Step-1:
When GR helper is disabled, if the DUT receives the grace LSA,
it adds the LSA copy to the nbrs' retransmission lists, but the original
LSA will be discarded since GR helper is disabled.
Step-2:
GR helper is enabled and the DUT receives the grace LSA. As part
of the flooding process, all nbrs have the same copy of the LSA in their
corresponding rmt list, which was added in step-1; due to this,
the corresponding rmt counter in the original LSA is not getting
incremented.
Step-3:
If the same copy of the grace LSA is received by the DUT, it considers it
an implicit ack from the nbr if the same copy of the LSA exists in its
rmt list, and subsequently decrements the rmt counter.
Since the counter is zero (because of step-1 and 2), it asserts while decrementing.
Mark Stapp [Mon, 9 Aug 2021 15:57:17 +0000 (11:57 -0400)]
lib: avoid double-free in zmq wrapper callbacks
There were paths where the zmq wrapper lib could call user
callbacks that would free the internal context struct, but the
context was then used in the lib code. Use a boolean to avoid
freeing the context within an application callback.
Restore logic that frees the context within the 'cancel' api.
Mark Stapp [Mon, 9 Aug 2021 15:55:15 +0000 (11:55 -0400)]
lib: clear caller's pointer when freeing context struct
The zeromq lib wrapper uses an internal context struct to help
interact with the libfrr event mechanism. When freeing that
context struct, ensure the caller's pointer is also cleared.
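The two zmq wrapper fixes above (defer the free while an application callback runs; clear the caller's pointer on free) combined in one added example. This is not the FRR wrapper's code: `cb_ctx`, `ctx_cancel`, `ctx_dispatch` and the `app` struct are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical wrapper context; names are illustrative, not FRR's. */
struct cb_ctx {
	void (*on_read)(void *arg);
	void *arg;
	bool in_cb;          /* an application callback is running */
	bool cancel_pending; /* cancel requested from inside that callback */
};
static int live_ctx;         /* allocated contexts, so the demo can check */

struct cb_ctx *ctx_new(void (*on_read)(void *), void *arg) {
	struct cb_ctx *c = calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	c->on_read = on_read;
	c->arg = arg;
	live_ctx++;
	return c;
}

/* Free the context and clear the caller's pointer in the same step. */
static void ctx_free(struct cb_ctx **pctx) {
	free(*pctx);
	*pctx = NULL;
	live_ctx--;
}

/* Cancel API: frees at once, unless called from inside the callback. */
void ctx_cancel(struct cb_ctx **pctx) {
	if (!pctx || !*pctx)
		return;                         /* already cancelled */
	if ((*pctx)->in_cb)
		(*pctx)->cancel_pending = true; /* dispatcher still uses it */
	else
		ctx_free(pctx);
}

/* Library dispatch path; returns true if the context is still valid. */
bool ctx_dispatch(struct cb_ctx **pctx) {
	struct cb_ctx *c = *pctx;
	c->in_cb = true;
	c->on_read(c->arg);  /* may call ctx_cancel() on this context */
	c->in_cb = false;    /* safe: the free was deferred */
	if (!c->cancel_pending)
		return true;
	ctx_free(pctx);
	return false;
}

struct app { struct cb_ctx *ctx; int reads; };
static void app_on_read(void *arg) {
	struct app *a = arg;
	a->reads++;
	ctx_cancel(&a->ctx); /* application tears down its own context */
}

/* Cancel inside the callback, then cancel again; 0 = every check held. */
int demo_cancel_inside_callback(void) {
	struct app a = { NULL, 0 };
	a.ctx = ctx_new(app_on_read, &a);
	if (!a.ctx) return 1;
	if (ctx_dispatch(&a.ctx)) return 2;  /* context must be gone */
	if (a.ctx != NULL) return 3;         /* caller's pointer cleared */
	ctx_cancel(&a.ctx);                  /* no-op, not a double free */
	return (live_ctx == 0 && a.reads == 1) ? 0 : 4;
}

int main(void) { return demo_cancel_inside_callback(); }
```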
Igor Ryzhov [Tue, 5 Oct 2021 14:38:21 +0000 (17:38 +0300)]
isisd: fix redistribute CLI
Currently, it is possible to configure IPv6 protocols for IPv4
redistribution and vice versa in CLI. The YANG model doesn't allow this
so the user receives the following error:
```
nfware(config-router)# redistribute ipv4 ospf6 level-1
% Failed to edit configuration.
YANG error(s):
Invalid enumeration value "ospf6".
Invalid enumeration value "ospf6".
Invalid enumeration value "ospf6".
YANG path: Schema location /frr-isisd:isis/instance/redistribute/ipv4/protocol.
```
Let's make CLI more user-friendly and allow only supported protocols in
redistribution commands.
Donald Sharp [Mon, 4 Oct 2021 12:37:16 +0000 (08:37 -0400)]
ospf6d: Ensure expire thread is properly stopped
The lsa->expire thread is for keeping track of when we
are expecting to expire(remove/delete) a lsa. There
are situations where we just decide to straight up
delete the lsa, but we are not ensuring that the
lsa is not already setup for expiration.
In that case just stop the expiry thread and
do the deletion.
Additionally there was a case where ospf6d was
just dropping the fact that a thread was already
scheduled for expiration. In that case we
should just setup the timer again and it will
reset it appropriately.
Fixes: #9721
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Low overhead bgp-evpn TPs have been added which push data out in a binary
format -
```
root@switch:~# lttng list --userspace |grep "frr_bgp:evpn"
frr_bgp:evpn_mh_nh_rmac_zsend (loglevel: TRACE_DEBUG_LINE (13)) (type: tracepoint)
frr_bgp:evpn_mh_nh_zsend (loglevel: TRACE_INFO (6)) (type: tracepoint)
frr_bgp:evpn_mh_nhg_zsend (loglevel: TRACE_INFO (6)) (type: tracepoint)
frr_bgp:evpn_mh_vtep_zsend (loglevel: TRACE_INFO (6)) (type: tracepoint)
frr_bgp:evpn_bum_vtep_zsend (loglevel: TRACE_INFO (6)) (type: tracepoint)
frr_bgp:evpn_mac_ip_zsend (loglevel: TRACE_INFO (6)) (type: tracepoint)
root@switch:~#
```
In addition to the tracepoints a babeltrace python plugin for pretty
printing (binary data is converted into grepable strings). Sample usage -
frr_babeltrace.py trace_path
David Lamparter [Mon, 27 Sep 2021 08:33:33 +0000 (10:33 +0200)]
pimd: fix UAF/heap corruption in BSM code
This `XFREE()` call is plainly in the wrong spot. `rp_all` (the
224.0.0.0/4 entry) isn't supposed to be free'd ever, and the
conditional above makes quite clear that it remains in use.
It may be possible to exploit this as a heap corruption bug, maybe even
as RCE. I haven't tried; I randomly noticed this while working on the
BSM code. Luckily this code is only run by the CLI for the clear
command, so the surface is very small.
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Donald Sharp [Sun, 26 Sep 2021 23:36:03 +0000 (19:36 -0400)]
bgpd: Don't lookup paf structure get straight to the point
The paf data structure is stored based upon an internal
bgp enum. The code is looking over all AFI/SAFI's and
doing a paf_af_find which then calls afindex to find
the right paf structure. Let's just loop over the
peer->peer_af_array[] and cut straight to the chase.
Under some loads the paf_af_find was taking up 6%
of the run time. This removes it entirely.
Converting bgp_dest_lock_node/bgp_dest_unlock_node to non-inlined function
because LTTng can't work properly with inlined and the compiler does not like
it.
Not sure how it would be with the performance, but let's see.