parent
8bf92c8b91
commit
c9bf754366
@ -0,0 +1,117 @@
|
|||||||
|
From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Igor Ryzhov <iryzhov@nfware.com>
|
||||||
|
Date: Thu, 1 Apr 2021 15:29:18 +0300
|
||||||
|
Subject: [PATCH] bfdd: remove profiles when removing bfd node
|
||||||
|
|
||||||
|
Fixes #8379.
|
||||||
|
|
||||||
|
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
|
||||||
|
---
|
||||||
|
bfdd/bfd.c | 8 ++++++++
|
||||||
|
bfdd/bfd.h | 1 +
|
||||||
|
bfdd/bfdd_nb_config.c | 1 +
|
||||||
|
3 files changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/bfdd/bfd.c b/bfdd/bfd.c
|
||||||
|
index c966efd8ea71..cf292a836354 100644
|
||||||
|
--- a/bfdd/bfd.c
|
||||||
|
+++ b/bfdd/bfd.c
|
||||||
|
@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void)
|
||||||
|
hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
+void bfd_profiles_remove(void)
|
||||||
|
+{
|
||||||
|
+ struct bfd_profile *bp;
|
||||||
|
+
|
||||||
|
+ while ((bp = TAILQ_FIRST(&bplist)) != NULL)
|
||||||
|
+ bfd_profile_free(bp);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Profile related hash functions.
|
||||||
|
*/
|
||||||
|
diff --git a/bfdd/bfd.h b/bfdd/bfd.h
|
||||||
|
index af3f92d6a8f8..9ee1da728717 100644
|
||||||
|
--- a/bfdd/bfd.h
|
||||||
|
+++ b/bfdd/bfd.h
|
||||||
|
@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs);
|
||||||
|
const struct bfd_session *bfd_session_next(const struct bfd_session *bs,
|
||||||
|
bool mhop);
|
||||||
|
void bfd_sessions_remove_manual(void);
|
||||||
|
+void bfd_profiles_remove(void);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the BFD session echo state.
|
||||||
|
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
|
||||||
|
index 0046bc625b45..77f8cbd09c07 100644
|
||||||
|
--- a/bfdd/bfdd_nb_config.c
|
||||||
|
+++ b/bfdd/bfdd_nb_config.c
|
||||||
|
@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
|
||||||
|
|
||||||
|
case NB_EV_APPLY:
|
||||||
|
bfd_sessions_remove_manual();
|
||||||
|
+ bfd_profiles_remove();
|
||||||
|
break;
|
||||||
|
|
||||||
|
case NB_EV_ABORT:
|
||||||
|
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
|
||||||
|
index 77f8cbd09c07..4030e2eefa50 100644
|
||||||
|
--- a/bfdd/bfdd_nb_config.c
|
||||||
|
+++ b/bfdd/bfdd_nb_config.c
|
||||||
|
@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event,
|
||||||
|
*/
|
||||||
|
int bfdd_bfd_create(struct nb_cb_create_args *args)
|
||||||
|
{
|
||||||
|
- /* NOTHING */
|
||||||
|
+ if (args->event != NB_EV_APPLY)
|
||||||
|
+ return NB_OK;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Set any non-NULL value to be able to call
|
||||||
|
+ * nb_running_unset_entry in bfdd_bfd_destroy.
|
||||||
|
+ */
|
||||||
|
+ nb_running_set_entry(args->dnode, (void *)0x1);
|
||||||
|
+
|
||||||
|
return NB_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
|
||||||
|
return NB_OK;
|
||||||
|
|
||||||
|
case NB_EV_APPLY:
|
||||||
|
+ /*
|
||||||
|
+ * We need to call this to unset pointers from
|
||||||
|
+ * the child nodes - sessions and profiles.
|
||||||
|
+ */
|
||||||
|
+ nb_running_unset_entry(args->dnode);
|
||||||
|
+
|
||||||
|
bfd_sessions_remove_manual();
|
||||||
|
bfd_profiles_remove();
|
||||||
|
break;
|
||||||
|
diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c
|
||||||
|
index b64e36b36a44..5a844e56e121 100644
|
||||||
|
--- a/bfdd/bfdd_cli.c
|
||||||
|
+++ b/bfdd/bfdd_cli.c
|
||||||
|
@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode,
|
||||||
|
* Profile commands.
|
||||||
|
*/
|
||||||
|
DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd,
|
||||||
|
- "profile WORD$name",
|
||||||
|
+ "profile BFDPROF$name",
|
||||||
|
BFD_PROFILE_STR
|
||||||
|
BFD_PROFILE_NAME_STR)
|
||||||
|
{
|
||||||
|
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
|
||||||
|
index 74f13e1a44e8..cf1811bb1f2f 100644
|
||||||
|
--- a/vtysh/vtysh.c
|
||||||
|
+++ b/vtysh/vtysh.c
|
||||||
|
@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd,
|
||||||
|
}
|
||||||
|
|
||||||
|
DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd,
|
||||||
|
- "profile WORD",
|
||||||
|
+ "profile BFDPROF",
|
||||||
|
BFD_PROFILE_STR
|
||||||
|
BFD_PROFILE_NAME_STR)
|
||||||
|
{
|
@ -0,0 +1,129 @@
|
|||||||
|
From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
|
||||||
|
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||||
|
Date: Thu, 13 Jul 2023 22:32:03 +0300
|
||||||
|
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
|
||||||
|
attribute
|
||||||
|
|
||||||
|
Before this path we used session reset method, which is discouraged by rfc7606.
|
||||||
|
|
||||||
|
Handle this as rfc requires.
|
||||||
|
|
||||||
|
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||||
|
(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
|
||||||
|
---
|
||||||
|
bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
|
||||||
|
1 file changed, 25 insertions(+), 36 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
|
||||||
|
index 058fae23cbd..1c0803cfd8e 100644
|
||||||
|
--- a/bgpd/bgp_attr.c
|
||||||
|
+++ b/bgpd/bgp_attr.c
|
||||||
|
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
|
||||||
|
case BGP_ATTR_LARGE_COMMUNITIES:
|
||||||
|
case BGP_ATTR_ORIGINATOR_ID:
|
||||||
|
case BGP_ATTR_CLUSTER_LIST:
|
||||||
|
+ case BGP_ATTR_ENCAP:
|
||||||
|
return BGP_ATTR_PARSE_WITHDRAW;
|
||||||
|
case BGP_ATTR_MP_REACH_NLRI:
|
||||||
|
case BGP_ATTR_MP_UNREACH_NLRI:
|
||||||
|
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Parse Tunnel Encap attribute in an UPDATE */
|
||||||
|
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
- bgp_size_t length, /* IN: attr's length field */
|
||||||
|
- struct attr *attr, /* IN: caller already allocated */
|
||||||
|
- uint8_t flag, /* IN: attr's flags field */
|
||||||
|
- uint8_t *startp)
|
||||||
|
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
|
||||||
|
{
|
||||||
|
- bgp_size_t total;
|
||||||
|
uint16_t tunneltype = 0;
|
||||||
|
-
|
||||||
|
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
|
||||||
|
+ struct peer *const peer = args->peer;
|
||||||
|
+ struct attr *const attr = args->attr;
|
||||||
|
+ bgp_size_t length = args->length;
|
||||||
|
+ uint8_t type = args->type;
|
||||||
|
+ uint8_t flag = args->flags;
|
||||||
|
|
||||||
|
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|
||||||
|
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||||
|
- flag);
|
||||||
|
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
|
||||||
|
- startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
|
||||||
|
+ flag);
|
||||||
|
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (BGP_ATTR_ENCAP == type) {
|
||||||
|
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
uint16_t tlv_length;
|
||||||
|
|
||||||
|
if (length < 4) {
|
||||||
|
- zlog_info(
|
||||||
|
+ zlog_err(
|
||||||
|
"Tunnel Encap attribute not long enough to contain outer T,L");
|
||||||
|
- bgp_notify_send_with_data(
|
||||||
|
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ return bgp_attr_malformed(args,
|
||||||
|
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
tunneltype = stream_getw(BGP_INPUT(peer));
|
||||||
|
tlv_length = stream_getw(BGP_INPUT(peer));
|
||||||
|
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sublength > length) {
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||||
|
- sublength, length);
|
||||||
|
- bgp_notify_send_with_data(
|
||||||
|
- peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
|
||||||
|
+ sublength, length);
|
||||||
|
+ return bgp_attr_malformed(args,
|
||||||
|
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* alloc and copy sub-tlv */
|
||||||
|
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
|
||||||
|
|
||||||
|
if (length) {
|
||||||
|
/* spurious leftover data */
|
||||||
|
- zlog_info(
|
||||||
|
- "Tunnel Encap attribute length is bad: %d leftover octets",
|
||||||
|
- length);
|
||||||
|
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
|
||||||
|
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
- startp, total);
|
||||||
|
- return -1;
|
||||||
|
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
|
||||||
|
+ length);
|
||||||
|
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
|
||||||
|
+ args->total);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
|
||||||
|
case BGP_ATTR_VNC:
|
||||||
|
#endif
|
||||||
|
case BGP_ATTR_ENCAP:
|
||||||
|
- ret = bgp_attr_encap(type, peer, length, attr, flag,
|
||||||
|
- startp);
|
||||||
|
+ ret = bgp_attr_encap(&attr_args);
|
||||||
|
break;
|
||||||
|
case BGP_ATTR_PREFIX_SID:
|
||||||
|
ret = bgp_attr_prefix_sid(&attr_args);
|
@ -0,0 +1,162 @@
|
|||||||
|
## <summary>policy for frr</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute frr_exec_t in the frr domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_t, frr_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, frr_exec_t, frr_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Execute frr in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_exec',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
can_exec($1, frr_exec_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read frr's log files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`frr_read_log',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_files_pattern($1, frr_log_t, frr_log_t)
|
||||||
|
optional_policy(`
|
||||||
|
logging_search_logs($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Append to frr log files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_append_log',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
append_files_pattern($1, frr_log_t, frr_log_t)
|
||||||
|
optional_policy(`
|
||||||
|
logging_search_logs($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage frr log files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_manage_log',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_log_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, frr_log_t, frr_log_t)
|
||||||
|
manage_files_pattern($1, frr_log_t, frr_log_t)
|
||||||
|
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
|
||||||
|
optional_policy(`
|
||||||
|
logging_search_logs($1)
|
||||||
|
')
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read frr PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_read_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an frr environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`frr_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type frr_t;
|
||||||
|
type frr_log_t;
|
||||||
|
type frr_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 frr_t:process { signal_perms };
|
||||||
|
ps_process_pattern($1, frr_t)
|
||||||
|
|
||||||
|
tunable_policy(`deny_ptrace',`',`
|
||||||
|
allow $1 frr_t:process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
|
admin_pattern($1, frr_log_t)
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
admin_pattern($1, frr_var_run_t)
|
||||||
|
optional_policy(`
|
||||||
|
logging_search_logs($1)
|
||||||
|
')
|
||||||
|
optional_policy(`
|
||||||
|
systemd_passwd_agent_exec($1)
|
||||||
|
systemd_read_fifo_file_passwd_run($1)
|
||||||
|
')
|
||||||
|
')
|
Loading…
Reference in new issue