
No commits in common. 'c8' and 'c9' have entirely different histories.

@ -1 +1 @@
dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz 467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/frr-7.5.1.tar.gz SOURCES/frr-8.3.1.tar.gz

@ -1,20 +0,0 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 208fb11..0692adc 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# Frr Reloader
# Copyright (C) 2014 Cumulus Networks, Inc.
#
diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
index 540b7a1..0876ebb 100755
--- a/tools/generate_support_bundle.py
+++ b/tools/generate_support_bundle.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
########################################################
### Python Script to generate the FRR support bundle ###

@ -10,22 +10,6 @@ index 0b7af18..0533e24 100644
lib/memory.c \ lib/memory.c \
lib/mlag.c \ lib/mlag.c \
lib/module.c \ lib/module.c \
diff --git a/lib/subdir.am b/lib/subdir.am
index 0533e24..b3d3700 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/linklist.h \
lib/log.h \
lib/log_vty.h \
- lib/md5.h \
lib/memory.h \
lib/module.h \
lib/monotime.h \
diff --git a/lib/subdir.am b/lib/subdir.am
index 53f7115..cea866f 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/routemap_northbound.c \ lib/routemap_northbound.c \
lib/sbuf.c \ lib/sbuf.c \
@ -34,8 +18,16 @@ index 53f7115..cea866f 100644
lib/sigevent.c \ lib/sigevent.c \
lib/skiplist.c \ lib/skiplist.c \
lib/sockopt.c \ lib/sockopt.c \
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/link_state.h \
lib/log.h \
lib/log_vty.h \
- lib/md5.h \
lib/memory.h \
lib/module.h \
lib/monotime.h \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/routemap.h \ lib/route_opaque.h \
lib/sbuf.h \ lib/sbuf.h \
lib/seqlock.h \ lib/seqlock.h \
- lib/sha256.h \ - lib/sha256.h \

@ -101,3 +101,15 @@ index 5bb81ef..02a09ef 100644
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
strmatch(mode, "md5") ? "md5" : "plain-text"); strmatch(mode, "md5") ? "md5" : "plain-text");
if (strmatch(mode, "md5")) if (strmatch(mode, "md5"))
diff --git a/lib/zebra.h b/lib/zebra.h
index 53ae5b4..930307f 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -114,6 +114,7 @@
#ifdef CRYPTO_OPENSSL
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/fips.h>
#endif
#include "openbsd-tree.h"
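Review bot: The added `#include <openssl/fips.h>` in lib/zebra.h is guarded only by `CRYPTO_OPENSSL`, and as far as I know that header is shipped by some distribution OpenSSL packages rather than by upstream OpenSSL 1.1.1 or 3.x. If that is right, every OpenSSL-enabled build now depends on a downstream header; a configure-time probe and a guard around the include, for example `#ifdef HAVE_OPENSSL_FIPS_H` (placeholder macro name), would keep a missing header from breaking the build. The code that uses this header is outside the visible hunk, so it should be confirmed to sit behind the same guard.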

@ -0,0 +1,25 @@
diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c
index 74a5674..aec9037 100644
--- a/ospfd/ospf_spf.c
+++ b/ospfd/ospf_spf.c
@@ -48,7 +48,10 @@
#include "ospfd/ospf_sr.h"
#include "ospfd/ospf_ti_lfa.h"
#include "ospfd/ospf_errors.h"
+
+#ifdef SUPPORT_OSPF_API
#include "ospfd/ospf_apiserver.h"
+#endif
/* Variables to ensure a SPF scheduled log message is printed only once */
@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread)
/* Update all routers routing table */
ospf->oall_rtrs = ospf->all_rtrs;
ospf->all_rtrs = all_rtrs;
+#ifdef SUPPORT_OSPF_API
ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs);
+#endif
/* Free old ABR/ASBR routing table */
if (ospf->old_rtrs)

@ -1,17 +0,0 @@
diff --git a/tools/frr.in b/tools/frr.in
index b860797..eb64a93 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -105,10 +105,12 @@ check_daemon()
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
touch "$C_PATH/$1-$2.conf"
chownfrr "$C_PATH/$1-$2.conf"
+ chmod 0600 "$C_PATH/$1-$2.conf"
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
touch "$C_PATH/$1.conf"
chownfrr "$C_PATH/$1.conf"
+ chmod 0600 "$C_PATH/$1.conf"
fi
fi
return 0

@ -12,10 +12,10 @@ Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
1 file changed, 26 insertions(+), 9 deletions(-) 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 3d4ef7c..f8089c6 100644 index 749e46ebe9d..ae1308db423 100644
--- a/bgpd/bgpd.c --- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c +++ b/bgpd/bgpd.c
@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, @@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
void peer_notify_unconfig(struct peer *peer) void peer_notify_unconfig(struct peer *peer)
{ {
@ -50,7 +50,7 @@ index 3d4ef7c..f8089c6 100644
void peer_group_notify_unconfig(struct peer_group *group) void peer_group_notify_unconfig(struct peer_group *group)
{ {
struct peer *peer, *other; struct peer *peer, *other;
@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp) @@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp)
} }
/* Inform peers we're going down. */ /* Inform peers we're going down. */
@ -64,16 +64,15 @@ index 3d4ef7c..f8089c6 100644
/* Delete static routes (networks). */ /* Delete static routes (networks). */
bgp_static_delete(bgp); bgp_static_delete(bgp);
@@ -7238,11 +7258,7 @@ void bgp_terminate(void) @@ -8252,10 +8272,7 @@ void bgp_terminate(void)
for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
- if (peer->status == Established - if (peer_established(peer) || peer->status == OpenSent
- || peer->status == OpenSent
- || peer->status == OpenConfirm) - || peer->status == OpenConfirm)
- bgp_notify_send(peer, BGP_NOTIFY_CEASE, - bgp_notify_send(peer, BGP_NOTIFY_CEASE,
- BGP_NOTIFY_CEASE_PEER_UNCONFIG); - BGP_NOTIFY_CEASE_PEER_UNCONFIG);
+ peer_notify_unconfig(peer); + peer_notify_unconfig(peer);
if (bm->process_main_queue) BGP_TIMER_OFF(bm->t_rmap_update);
work_queue_free_and_null(&bm->process_main_queue);

@ -1,31 +0,0 @@
diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in
index 539ab7d..d27d1be 100644
--- a/tools/frrinit.sh.in
+++ b/tools/frrinit.sh.in
@@ -43,7 +43,7 @@ fi
case "$1" in
start)
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
stop)
@@ -57,7 +57,7 @@ restart|force-reload)
all_stop --reallyall
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
@@ -87,7 +87,7 @@ reload)
# restart watchfrr to pick up added daemons.
# NB: This will NOT cause the other daemons to be restarted.
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_stop watchfrr && \
daemon_start watchfrr

@ -1,33 +0,0 @@
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 69a3e4587..57ef6029a 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -3737,6 +3737,28 @@ static void show_ip_ospf_interface_sub(struct vty *vty, struct ospf *ospf,
vty_out(vty,
" No backup designated router on this network\n");
} else {
+ nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &DR(oi));
+ if (nbr) {
+ if (use_json) {
+ json_object_string_add(
+ json_interface_sub, "drId",
+ inet_ntoa(nbr->router_id));
+ json_object_string_add(
+ json_interface_sub, "drAddress",
+ inet_ntoa(nbr->address.u
+ .prefix4));
+ } else {
+ vty_out(vty,
+ " Designated Router (ID) %s",
+ inet_ntoa(nbr->router_id));
+ vty_out(vty,
+ " Interface Address %s\n",
+ inet_ntoa(nbr->address.u
+ .prefix4));
+ }
+ }
+ nbr = NULL;
+
nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &BDR(oi));
if (nbr == NULL) {
if (!use_json)

@ -0,0 +1,67 @@
From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
From: Michal Ruprich <michalruprich@gmail.com>
Date: Tue, 22 Nov 2022 12:38:05 +0100
Subject: [PATCH] tools: Enable start of FRR for non-root user
There might be use cases when this would make sense, for example
running FRR in a container as a designated user.
Signed-off-by: Michal Ruprich <mruprich@redhat.com>
---
tools/etc/frr/daemons | 5 +++++
tools/frrcommon.sh.in | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
index 8aa08871e35..2427bfff777 100644
--- a/tools/etc/frr/daemons
+++ b/tools/etc/frr/daemons
@@ -91,6 +91,12 @@ pathd_options=" -A 127.0.0.1"
# say BGP.
#MAX_FDS=1024
+# Uncomment this option if you want to run FRR as a non-root user. Note that
+# you should know what you are doing since most of the daemons need root
+# to work. This could be useful if you want to run FRR in a container
+# for instance.
+# FRR_NO_ROOT="yes"
+
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 3c16c27c6df..4f095a176e4 100755
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
#
is_user_root () {
+ if [[ ! -z $FRR_NO_ROOT && "${FRR_NO_ROOT}" == "yes" ]]; then
+ return 0
+ fi
+
[ "${EUID:-$(id -u)}" -eq 0 ] || {
log_failure_msg "Only users having EUID=0 can start/stop daemons"
return 1
diff --git a/doc/user/setup.rst b/doc/user/setup.rst
index 25934df..51ffd32 100644
--- a/doc/user/setup.rst
+++ b/doc/user/setup.rst
@@ -114,6 +114,16 @@ most operating systems is 1024. If the operator plans to run bgp with
several thousands of peers than this is where we would modify FRR to
allow this to happen.
+::
+
+ FRR_NO_ROOT="yes"
+
+This option allows you to run FRR as a non-root user. Use this option
+only when you know what you are doing since most of the daemons
+in FRR will not be able to run under a regular user. This option
+is useful for example when you run FRR in a container with a designated
+user instead of root.
+
::
zebra_options=" -s 90000000 --daemon -A 127.0.0.1"
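Review bot: The new guard in `is_user_root` (tools/frrcommon.sh.in) uses the bash-only `[[ ... ]]` test, while the line right after it uses POSIX `[ ... ]` with an `${EUID:-$(id -u)}` fallback, which suggests the script is also expected to run under a plain sh. In a shell without `[[` the test fails and the function falls through to the EUID check, so the option is silently ignored rather than unsafe; `if [ "${FRR_NO_ROOT:-}" = "yes" ]; then` does the same thing portably. The function now returns success for any caller whose environment or daemons file sets `FRR_NO_ROOT=yes`, which its name no longer conveys; a comment such as `# FRR_NO_ROOT=yes skips the EUID check; daemons then start with the caller's privileges` would make that explicit. The body of `is_user_root` continues outside the hunk.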

@ -0,0 +1,59 @@
From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 30 Sep 2022 08:51:45 -0400
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
peek_for_as4_capability
In peek_for_as4_capability the code is checking that the
stream has at least 2 bytes to read ( the opt_type and the
opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
is configured then FRR is reading 3 bytes. Which is not good
since the packet could be badly formated. Ensure that
FRR has the appropriate data length to read the data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_open.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 7248f034a5a..a760a7ca013 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
uint8_t opt_type;
uint16_t opt_length;
- /* Check the length. */
- if (stream_get_getp(s) + 2 > end)
+ /* Ensure we can read the option type */
+ if (stream_get_getp(s) + 1 > end)
goto end;
- /* Fetch option type and length. */
+ /* Fetch the option type */
opt_type = stream_getc(s);
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
- ? stream_getw(s)
- : stream_getc(s);
+
+ /*
+ * Check the length and fetch the opt_length
+ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+ * then we do a getw which is 2 bytes. So we need to
+ * ensure that we can read that as well
+ */
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+ if (stream_get_getp(s) + 2 > end)
+ goto end;
+
+ opt_length = stream_getw(s);
+ } else {
+ if (stream_get_getp(s) + 1 > end)
+ goto end;
+
+ opt_length = stream_getc(s);
+ }
/* Option length check. */
if (stream_get_getp(s) + opt_length > end)

@ -1,25 +0,0 @@
diff --git a/lib/routemap.c b/lib/routemap.c
index a90443a..0b594b2 100644
--- a/lib/routemap.c
+++ b/lib/routemap.c
@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
*/
static struct route_map_index *
route_map_get_index(struct route_map *map, const struct prefix *prefix,
- route_map_object_t type, void *object, uint8_t *match_ret)
+ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
{
- int ret = 0;
+ enum route_map_cmd_result_t ret = RMAP_NOMATCH;
struct list *candidate_rmap_list = NULL;
struct route_node *rn = NULL;
struct listnode *ln = NULL, *nn = NULL;
@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
if ((!map->optimization_disabled)
&& (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
index = route_map_get_index(map, prefix, type, object,
- (uint8_t *)&match_ret);
+ &match_ret);
if (index) {
if (rmap_debug)
zlog_debug(

@ -0,0 +1,47 @@
From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 2 Nov 2022 13:24:48 -0400
Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
read
If a operator receives an invalid packet that is of insufficient size
then it is possible for BGP to assert during reading of the packet
instead of gracefully resetting the connection with the peer.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_packet.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 769f9613da8..72d6a923175 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
|| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
uint8_t opttype;
+ if (STREAM_READABLE(peer->curr) < 1) {
+ flog_err(
+ EC_BGP_PKT_OPEN,
+ "%s: stream does not have enough bytes for extended optional parameters",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return BGP_Stop;
+ }
+
opttype = stream_getc(peer->curr);
if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
+ if (STREAM_READABLE(peer->curr) < 2) {
+ flog_err(
+ EC_BGP_PKT_OPEN,
+ "%s: stream does not have enough bytes to read the extended optional parameters optlen",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return BGP_Stop;
+ }
optlen = stream_getw(peer->curr);
SET_FLAG(peer->sflags,
PEER_STATUS_EXT_OPT_PARAMS_LENGTH);

@ -1,40 +0,0 @@
diff --git a/tools/frr.service b/tools/frr.service
index aa45f42..a3f0103 100644
--- a/tools/frr.service
+++ b/tools/frr.service
@@ -17,9 +17,9 @@ WatchdogSec=60s
RestartSec=5
Restart=on-abnormal
LimitNOFILE=1024
-ExecStart=/usr/lib/frr/frrinit.sh start
-ExecStop=/usr/lib/frr/frrinit.sh stop
-ExecReload=/usr/lib/frr/frrinit.sh reload
+ExecStart=/usr/libexec/frr/frrinit.sh start
+ExecStop=/usr/libexec/frr/frrinit.sh stop
+ExecReload=/usr/libexec/frr/frrinit.sh reload
[Install]
WantedBy=multi-user.target
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 9a144b2..a334d95 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -59,6 +59,9 @@ chownfrr() {
[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
+ if [ -d "$1" ]; then
+ chmod gu+x "$1"
+ fi
}
vtysh_b () {
@@ -152,7 +155,7 @@ daemon_start() {
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
mkdir -p "$V_PATH"
- chown frr "$V_PATH"
+ chownfrr "$V_PATH"
fi
eval wrap="\$${daemon}_wrap"

@ -0,0 +1,70 @@
From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 30 Sep 2022 08:57:43 -0400
Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
bgp_open_option_parse
In bgp_open_option_parse the code is checking that the
stream has at least 2 bytes to read ( the opt_type and
the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
is configured then FRR is reading 3 bytes. Which is not good
since the packet could be badly formateed. Ensure that
FRR has the appropriate data length to read the data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index a760a7ca013..d1667fac261 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
uint8_t opt_type;
uint16_t opt_length;
- /* Must have at least an OPEN option header */
- if (STREAM_READABLE(s) < 2) {
+ /*
+ * Check that we can read the opt_type and fetch it
+ */
+ if (STREAM_READABLE(s) < 1) {
zlog_info("%s Option length error", peer->host);
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
return -1;
}
-
- /* Fetch option type and length. */
opt_type = stream_getc(s);
- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
- ? stream_getw(s)
- : stream_getc(s);
+
+ /*
+ * Check the length of the stream to ensure that
+ * FRR can properly read the opt_length. Then read it
+ */
+ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+ if (STREAM_READABLE(s) < 2) {
+ zlog_info("%s Option length error", peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return -1;
+ }
+
+ opt_length = stream_getw(s);
+ } else {
+ if (STREAM_READABLE(s) < 1) {
+ zlog_info("%s Option length error", peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ return -1;
+ }
+
+ opt_length = stream_getc(s);
+ }
/* Option length check. */
if (STREAM_READABLE(s) < opt_length) {
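Review bot: The three truncation checks added to `bgp_open_option_parse` all log the same `"%s Option length error"` through `zlog_info`, so a log line cannot tell a missing option type from a missing one-byte or two-byte length. The companion patch to `bgp_open_receive` on this page reports the same class of malformed OPEN with `flog_err(EC_BGP_PKT_OPEN, ...)` and a distinct message per check; matching that here would make truncated OPEN messages from a peer easier to spot and triage. For the extended-length branch I would use something like `flog_err(EC_BGP_PKT_OPEN, "%s: stream too short to read extended option length", peer->host);`. The function starts and ends outside the hunk.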

@ -1,77 +0,0 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 9979c8b..1c24f90 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
return True
return False
+def delete_bgp_bfd(lines_to_add, lines_to_del):
+ """
+ When 'neighbor <peer> bfd profile <profile>' is present without a
+ 'neighbor <peer> bfd' line, FRR explicitily adds it to the running
+ configuration. When the new configuration drops the bfd profile
+ line, the user's intent is to delete any bfd configuration on the
+ peer. On reload, deleting the bfd profile line after the bfd line
+ will re-enable BFD with the default BFD profile. Move the bfd line
+ to the end, if it exists in the new configuration.
+
+ Example:
+
+ neighbor 10.0.0.1 bfd
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+
+ Move to end:
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+ ...
+
+ neighbor 10.0.0.1 bfd
+
+ """
+ lines_to_del_to_app = []
+ for (ctx_keys, line) in lines_to_del:
+ if (
+ ctx_keys[0].startswith("router bgp")
+ and line
+ and line.startswith("neighbor ")
+ ):
+ # 'no neighbor [peer] bfd>'
+ nb_bfd = "neighbor (\S+) .*bfd$"
+ re_nb_bfd = re.search(nb_bfd, line)
+ if re_nb_bfd:
+ lines_to_del_to_app.append((ctx_keys, line))
+
+ for (ctx_keys, line) in lines_to_del_to_app:
+ lines_to_del.remove((ctx_keys, line))
+ lines_to_del.append((ctx_keys, line))
+
+ return (lines_to_add, lines_to_del)
+
+
def check_for_exit_vrf(lines_to_add, lines_to_del):
# exit-vrf is a bit tricky. If the new config is missing it but we
@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
for line in newconf_ctx.lines:
lines_to_add.append((newconf_ctx_keys, line))
+ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
index b566b0e..1bd6249 100644
--- a/bgpd/bgp_bfd.c
+++ b/bgpd/bgp_bfd.c
@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
&& (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
- vty_out(vty, " neighbor %s bfd", addr);
+ vty_out(vty, " neighbor %s bfd\n", addr);
if (bfd_info->profile[0])
- vty_out(vty, " profile %s", bfd_info->profile);
+ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
vty_out(vty, "\n");
}

@ -0,0 +1,255 @@
From edc3f63167fd95e4e70287743c9b252415c9336e Mon Sep 17 00:00:00 2001
From: Philippe Guibert <philippe.guibert@6wind.com>
Date: Thu, 7 Jul 2022 14:33:48 +0200
Subject: [PATCH] bfdd: allow l3vrf bfd sessions without udp leaking
Until now, when in vrf-lite mode, the BFD implementation
creates a single UDP socket and relies on the following
sysctl value to 1:
echo 1 > /proc/sys/net/ipv4/udp_l3mdev_accept
With this setting, the incoming BFD packets from a given
vrf, would leak to the default vrf, and would match the
UDP socket.
The drawback of this solution is that udp packets received
on a given vrf may leak to an other vrf. This may be a
security concern.
The commit addresses this issue by avoiding this leak
mechanism. An UDP socket is created for each vrf, and each
socket uses new setsockopt option: SO_REUSEADDR + SO_REUSEPORT.
With this option, the incoming UDP packets are distributed on
the available sockets. The impact of those options with l3mdev
devices is unknown. It has been observed that this option is not
needed, until the default vrf sockets are created.
To ensure the BFD packets are correctly routed to the appropriate
socket, a BPF filter has been put in place and attached to the
sockets : SO_ATTACH_REUSEPORT_CBPF. This option adds a criterium
to force the packet to choose a given socket. If initial criteria
from the default distribution algorithm were not good, at least
two sockets would be available, and the CBPF would force the
selection to the same socket. This would come to the situation
where an incoming packet would be processed on a different vrf.
The bpf code is the following one:
struct sock_filter code[] = {
{ BPF_RET | BPF_K, 0, 0, 0 },
};
struct sock_fprog p = {
.len = sizeof(code)/sizeof(struct sock_filter),
.filter = code,
};
if (setsockopt(sd, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &p, sizeof(p))) {
zlog_warn("unable to set SO_ATTACH_REUSEPORT_CBPF on socket: %s",
strerror(errno));
return -1;
}
Some tests have been done with by creating vrf contexts, and by using
the below vtysh configuration:
ip route 2.2.2.2/32 10.126.0.2
vrf vrf2
ip route 2.2.2.2/32 10.126.0.2
!
interface ntfp2
ip address 10.126.0.1/24
!
interface ntfp3 vrf vrf4
ip address 10.126.0.1/24
!
interface ntfp2 vrf vrf1
ip address 10.126.0.1/24
!
interface ntfp2.100 vrf vrf2
ip address 10.126.0.1/24
!
interface ntfp2.200 vrf vrf3
ip address 10.126.0.1/24
!
line vty
!
bfd
peer 10.126.0.2 vrf vrf2
!
peer 10.126.0.2 vrf vrf3
!
peer 10.126.0.2
!
peer 10.126.0.2 vrf vrf4
!
peer 2.2.2.2 multihop local-address 1.1.1.1
!
peer 2.2.2.2 multihop local-address 1.1.1.1 vrf vrf2
transmit-interval 1500
receive-interval 1500
!
The results showed no issue related to packets received by
the wrong vrf. Even changing the udp_l3mdev_accept flag to
1 did not change the test results.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
---
bfdd/bfd.c | 66 +++++++++++++++++++++++------------------------
bfdd/bfd_packet.c | 45 ++++++++++++++++++++++++++++++++
2 files changed, 77 insertions(+), 34 deletions(-)
diff --git a/bfdd/bfd.c b/bfdd/bfd.c
index 483beb1b17c..a1619263588 100644
--- a/bfdd/bfd.c
+++ b/bfdd/bfd.c
@@ -1950,40 +1950,38 @@ static int bfd_vrf_enable(struct vrf *vrf)
if (bglobal.debug_zebra)
zlog_debug("VRF enable add %s id %u", vrf->name, vrf->vrf_id);
- if (vrf->vrf_id == VRF_DEFAULT ||
- vrf_get_backend() == VRF_BACKEND_NETNS) {
- if (!bvrf->bg_shop)
- bvrf->bg_shop = bp_udp_shop(vrf);
- if (!bvrf->bg_mhop)
- bvrf->bg_mhop = bp_udp_mhop(vrf);
- if (!bvrf->bg_shop6)
- bvrf->bg_shop6 = bp_udp6_shop(vrf);
- if (!bvrf->bg_mhop6)
- bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
- if (!bvrf->bg_echo)
- bvrf->bg_echo = bp_echo_socket(vrf);
- if (!bvrf->bg_echov6)
- bvrf->bg_echov6 = bp_echov6_socket(vrf);
-
- if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_shop, &bvrf->bg_ev[0]);
- if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_mhop, &bvrf->bg_ev[1]);
- if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_shop6, &bvrf->bg_ev[2]);
- if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_mhop6, &bvrf->bg_ev[3]);
- if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_echo, &bvrf->bg_ev[4]);
- if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
- thread_add_read(master, bfd_recv_cb, bvrf,
- bvrf->bg_echov6, &bvrf->bg_ev[5]);
- }
+ if (!bvrf->bg_shop)
+ bvrf->bg_shop = bp_udp_shop(vrf);
+ if (!bvrf->bg_mhop)
+ bvrf->bg_mhop = bp_udp_mhop(vrf);
+ if (!bvrf->bg_shop6)
+ bvrf->bg_shop6 = bp_udp6_shop(vrf);
+ if (!bvrf->bg_mhop6)
+ bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
+ if (!bvrf->bg_echo)
+ bvrf->bg_echo = bp_echo_socket(vrf);
+ if (!bvrf->bg_echov6)
+ bvrf->bg_echov6 = bp_echov6_socket(vrf);
+
+ if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop,
+ &bvrf->bg_ev[0]);
+ if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop,
+ &bvrf->bg_ev[1]);
+ if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop6,
+ &bvrf->bg_ev[2]);
+ if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop6,
+ &bvrf->bg_ev[3]);
+ if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echo,
+ &bvrf->bg_ev[4]);
+ if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
+ thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echov6,
+ &bvrf->bg_ev[5]);
+
if (vrf->vrf_id != VRF_DEFAULT) {
bfdd_zclient_register(vrf->vrf_id);
bfdd_sessions_enable_vrf(vrf);
diff --git a/bfdd/bfd_packet.c b/bfdd/bfd_packet.c
index d34d6427628..054a9bfbf21 100644
--- a/bfdd/bfd_packet.c
+++ b/bfdd/bfd_packet.c
@@ -876,6 +876,14 @@ void bfd_recv_cb(struct thread *t)
"no session found");
return;
}
+ /*
+ * We may have a situation where received packet is on wrong vrf
+ */
+ if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf) {
+ cp_debug(is_mhop, &peer, &local, ifindex, vrfid,
+ "wrong vrfid.");
+ return;
+ }
/* Ensure that existing good sessions are not overridden. */
if (!cp->discrs.remote_discr && bfd->ses_state != PTM_BFD_DOWN &&
@@ -1208,10 +1216,41 @@ int bp_set_tos(int sd, uint8_t value)
return 0;
}
+static bool bp_set_reuse_addr(int sd)
+{
+ int one = 1;
+
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == -1) {
+ zlog_warn("set-reuse-addr: setsockopt(SO_REUSEADDR, %d): %s",
+ one, strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static bool bp_set_reuse_port(int sd)
+{
+ int one = 1;
+
+ if (setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) == -1) {
+ zlog_warn("set-reuse-port: setsockopt(SO_REUSEPORT, %d): %s",
+ one, strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+
static void bp_set_ipopts(int sd)
{
int rcvttl = BFD_RCV_TTL_VAL;
+ if (!bp_set_reuse_addr(sd))
+ zlog_fatal("set-reuse-addr: failed");
+
+ if (!bp_set_reuse_port(sd))
+ zlog_fatal("set-reuse-port: failed");
+
if (bp_set_ttl(sd, BFD_TTL_VAL) != 0)
zlog_fatal("set-ipopts: TTL configuration failed");
@@ -1453,6 +1492,12 @@ static void bp_set_ipv6opts(int sd)
int ipv6_pktinfo = BFD_IPV6_PKT_INFO_VAL;
int ipv6_only = BFD_IPV6_ONLY_VAL;
+ if (!bp_set_reuse_addr(sd))
+ zlog_fatal("set-reuse-addr: failed");
+
+ if (!bp_set_reuse_port(sd))
+ zlog_fatal("set-reuse-port: failed");
+
if (bp_set_ttlv6(sd, BFD_TTL_VAL) == -1)
zlog_fatal(
"set-ipv6opts: setsockopt(IPV6_UNICAST_HOPS, %d): %s",

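Review bot: The cross-VRF guard added to `bfd_recv_cb`, `if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf)`, is skipped whenever `bfd->vrf` is NULL, so a session with no VRF bound would still accept a packet that arrived on another VRF's socket. If that state is reachable the check should fail closed; otherwise a comment should say why it cannot happen. The commit message describes an `SO_ATTACH_REUSEPORT_CBPF` filter, but the visible bfd_packet.c hunks only set `SO_REUSEADDR` and `SO_REUSEPORT`, so as shown this guard is the only thing stopping a packet delivered to the wrong per-VRF socket from being processed. The drop is reported only through `cp_debug`, so a counter or rate-limited log for it would let operators see cross-VRF deliveries. `bfd_recv_cb` starts and ends outside the hunk.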
@ -1,117 +0,0 @@
From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001
From: Igor Ryzhov <iryzhov@nfware.com>
Date: Thu, 1 Apr 2021 15:29:18 +0300
Subject: [PATCH] bfdd: remove profiles when removing bfd node
Fixes #8379.
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
---
bfdd/bfd.c | 8 ++++++++
bfdd/bfd.h | 1 +
bfdd/bfdd_nb_config.c | 1 +
3 files changed, 10 insertions(+)
diff --git a/bfdd/bfd.c b/bfdd/bfd.c
index c966efd8ea71..cf292a836354 100644
--- a/bfdd/bfd.c
+++ b/bfdd/bfd.c
@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void)
hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL);
}
+void bfd_profiles_remove(void)
+{
+ struct bfd_profile *bp;
+
+ while ((bp = TAILQ_FIRST(&bplist)) != NULL)
+ bfd_profile_free(bp);
+}
+
/*
* Profile related hash functions.
*/
diff --git a/bfdd/bfd.h b/bfdd/bfd.h
index af3f92d6a8f8..9ee1da728717 100644
--- a/bfdd/bfd.h
+++ b/bfdd/bfd.h
@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs);
const struct bfd_session *bfd_session_next(const struct bfd_session *bs,
bool mhop);
void bfd_sessions_remove_manual(void);
+void bfd_profiles_remove(void);
/**
* Set the BFD session echo state.
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
index 0046bc625b45..77f8cbd09c07 100644
--- a/bfdd/bfdd_nb_config.c
+++ b/bfdd/bfdd_nb_config.c
@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
case NB_EV_APPLY:
bfd_sessions_remove_manual();
+ bfd_profiles_remove();
break;
case NB_EV_ABORT:
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
index 77f8cbd09c07..4030e2eefa50 100644
--- a/bfdd/bfdd_nb_config.c
+++ b/bfdd/bfdd_nb_config.c
@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event,
*/
int bfdd_bfd_create(struct nb_cb_create_args *args)
{
- /* NOTHING */
+ if (args->event != NB_EV_APPLY)
+ return NB_OK;
+
+ /*
+ * Set any non-NULL value to be able to call
+ * nb_running_unset_entry in bfdd_bfd_destroy.
+ */
+ nb_running_set_entry(args->dnode, (void *)0x1);
+
return NB_OK;
}
@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
return NB_OK;
case NB_EV_APPLY:
+ /*
+ * We need to call this to unset pointers from
+ * the child nodes - sessions and profiles.
+ */
+ nb_running_unset_entry(args->dnode);
+
bfd_sessions_remove_manual();
bfd_profiles_remove();
break;
diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c
index b64e36b36a44..5a844e56e121 100644
--- a/bfdd/bfdd_cli.c
+++ b/bfdd/bfdd_cli.c
@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode,
* Profile commands.
*/
DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd,
- "profile WORD$name",
+ "profile BFDPROF$name",
BFD_PROFILE_STR
BFD_PROFILE_NAME_STR)
{
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 74f13e1a44e8..cf1811bb1f2f 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd,
}
DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd,
- "profile WORD",
+ "profile BFDPROF",
BFD_PROFILE_STR
BFD_PROFILE_NAME_STR)
{

@ -1,7 +1,7 @@
From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001 From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org> From: rpm-build <rpm-build>
Date: Fri, 27 Oct 2023 11:56:45 +0300 Date: Wed, 13 Dec 2023 16:59:46 +0100
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
malformed attrs malformed attrs
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
@ -65,15 +65,17 @@ s.close()
Reported-by: Iggy Frankovic <iggyfran@amazon.com> Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
--- ---
bgpd/bgp_attr.c | 15 ++++++++++++--- bgpd/bgp_attr.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-) 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index cf2dbe65b805..1473dc772502 100644 index a121911..12a6953 100644
--- a/bgpd/bgp_attr.c --- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c
@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, @@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
uint8_t type = 0; uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
@ -86,20 +88,23 @@ index cf2dbe65b805..1473dc772502 100644
- return BGP_ATTR_PARSE_PROCEED; - return BGP_ATTR_PARSE_PROCEED;
+ return BGP_ATTR_PARSE_WITHDRAW; + return BGP_ATTR_PARSE_WITHDRAW;
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
type = BGP_ATTR_ORIGIN; to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
@@ -3273,7 +3276,13 @@ done: @@ -3507,7 +3510,13 @@ done:
aspath_unintern(&as4_path); aspath_unintern(&as4_path);
}
transit = bgp_attr_get_transit(attr);
- if (ret != BGP_ATTR_PARSE_ERROR) { - if (ret != BGP_ATTR_PARSE_ERROR) {
+ /* If we received an UPDATE with mandatory attributes, then + /* If we received an UPDATE with mandatory attributes, then
+ * the unrecognized transitive optional attribute of that + * the unrecognized transitive optional attribute of that
+ * path MUST be passed. Otherwise, it's an error, and from + * path MUST be passed. Otherwise, it's an error, and from
+ * security perspective it might be very harmful if we continue + * security perspective it might be very harmful if we continue
+ * here with the unrecognized attributes. + * here with the unrecognized attributes.
+ */ + */
+ if (ret == BGP_ATTR_PARSE_PROCEED) { + if (ret == BGP_ATTR_PARSE_PROCEED) {
/* Finally intern unknown attribute. */ /* Finally intern unknown attribute. */
if (attr->transit) if (transit)
attr->transit = transit_intern(attr->transit); bgp_attr_set_transit(attr, transit_intern(transit));
--
2.43.0

@ -1,6 +1,6 @@
From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001 From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org> From: rpm-build <rpm-build>
Date: Sun, 29 Oct 2023 22:44:45 +0200 Date: Wed, 13 Dec 2023 18:25:48 +0100
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
@ -14,6 +14,9 @@ handle that.
Reported-by: Iggy Frankovic <iggyfran@amazon.com> Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Signed-off-by: Christian Breunig <christian@breunig.cc>
(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
--- ---
bgpd/bgp_attr.c | 19 ++++++++++--------- bgpd/bgp_attr.c | 19 ++++++++++---------
bgpd/bgp_attr.h | 1 + bgpd/bgp_attr.h | 1 +
@ -21,12 +24,12 @@ Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
3 files changed, 17 insertions(+), 10 deletions(-) 3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 1473dc772502..75aa2ac7cce6 100644 index 12a6953..8b02f2c 100644
--- a/bgpd/bgp_attr.c --- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c
@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, @@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
return BGP_ATTR_PARSE_PROCEED; return BGP_ATTR_PARSE_WITHDRAW;
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required - /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI - to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
@ -40,7 +43,7 @@ index 1473dc772502..75aa2ac7cce6 100644
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
type = BGP_ATTR_ORIGIN; type = BGP_ATTR_ORIGIN;
@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, @@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
type = BGP_ATTR_LOCAL_PREF; type = BGP_ATTR_LOCAL_PREF;
@ -58,22 +61,22 @@ index 1473dc772502..75aa2ac7cce6 100644
* in an UPDATE message, then "treat-as-withdraw" MUST be used. * in an UPDATE message, then "treat-as-withdraw" MUST be used.
*/ */
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index fc347e7a1b4b..d30155e6dba0 100644 index 06f350b..b9dfec9 100644
--- a/bgpd/bgp_attr.h --- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h +++ b/bgpd/bgp_attr.h
@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret { @@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
*/ */
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
BGP_ATTR_PARSE_EOR = -4, BGP_ATTR_PARSE_EOR = -4,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4, + BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
} bgp_attr_parse_ret_t; };
struct bpacket_attr_vec_arr; struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a7514a26aa64..5dc35157ebf6 100644 index a5f065a..cdf0734 100644
--- a/bgpd/bgp_packet.c --- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c
@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection, @@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
/* Network Layer Reachability Information. */ /* Network Layer Reachability Information. */
update_len = end - stream_pnt(s); update_len = end - stream_pnt(s);
@ -87,3 +90,6 @@ index a7514a26aa64..5dc35157ebf6 100644
/* Set NLRI portion to structure. */ /* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP; nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST; nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
--
2.43.0

@ -1,48 +0,0 @@
From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001
From: Chirag Shah <chirag@nvidia.com>
Date: Mon, 25 Jan 2021 11:44:56 -0800
Subject: [PATCH] lib: fix a crash in plist update
Problem:
Prefix-list with mulitiple rules, an update to
a rule/sequence with different prefix/prefixlen
reset prefix-list next-base pointer to avoid
having stale value.
In some case the old next-bast's reference leads
to an assert in tri (trie_install_fn ) add.
bt:
(object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560
(plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585
(ple=0x55576a4c8a00) at lib/plist.c:745
(args=0x7fffe04beb50) at lib/filter_nb.c:1181
Solution:
Reset prefix-list next-base pointer whenver a
sequence/rule is updated.
Ticket:CM-33109
Testing Done:
Signed-off-by: Chirag Shah <chirag@nvidia.com>
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
(cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03)
---
lib/plist.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/plist.c b/lib/plist.c
index 981e86e2a..c746d1946 100644
--- a/lib/plist.c
+++ b/lib/plist.c
@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple)
if (pl->head || pl->tail || pl->desc)
pl->master->recent = pl;
+ ple->next_best = NULL;
ple->installed = false;
}
--
2.41.0

@ -1,267 +0,0 @@
From 2cf7651f0b1b0123dc5568ebad00ac84a9b3c348 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 2 Feb 2022 13:28:42 -0500
Subject: [PATCH] zebra: Make netlink buffer reads resizeable when needed
Currently when the kernel sends netlink messages to FRR
the buffers to receive this data is of fixed length.
The kernel, with certain configurations, will send
netlink messages that are larger than this fixed length.
This leads to situations where, on startup, zebra gets
really confused about the state of the kernel. Effectively
the current algorithm is this:
read up to buffer in size
while (data to parse)
get netlink message header, look at size
parse if you can
The problem is that there is a 32k buffer we read.
We get the first message that is say 1k in size,
subtract that 1k to 31k left to parse. We then
get the next header and notice that the length
of the message is 33k. Which is obviously larger
than what we read in. FRR has no recover mechanism
nor is there a way to know, a priori, what the maximum
size the kernel will send us.
Modify FRR to look at the kernel message and see if the
buffer is large enough, if not, make it large enough to
read in the message.
This code has to be per netlink socket because of the usage
of pthreads. So add to `struct nlsock` the buffer and current
buffer length. Growing it as necessary.
Fixes: #10404
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/kernel_netlink.c | 68 +++++++++++++++++++++++++-----------------
zebra/kernel_netlink.h | 2 +-
zebra/zebra_dplane.c | 4 +++
zebra/zebra_ns.h | 3 ++
4 files changed, 49 insertions(+), 28 deletions(-)
diff --git a/zebra/kernel_netlink.h b/zebra/kernel_netlink.h
index ae88f3372b1c..9421ea1c611a 100644
--- a/zebra/kernel_netlink.h
+++ b/zebra/kernel_netlink.h
@@ -96,7 +96,7 @@ extern const char *nl_family_to_str(uint8_t family);
extern const char *nl_rttype_to_str(uint8_t rttype);
extern int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
- const struct nlsock *nl,
+ struct nlsock *nl,
const struct zebra_dplane_info *dp_info,
int count, int startup);
extern int netlink_talk_filter(struct nlmsghdr *h, ns_id_t ns, int startup);
diff --git a/zebra/zebra_ns.h b/zebra/zebra_ns.h
index 0519e1d5b33d..7a0ffbc1ee6f 100644
--- a/zebra/zebra_ns.h
+++ b/zebra/zebra_ns.h
@@ -39,6 +39,9 @@ struct nlsock {
int seq;
struct sockaddr_nl snl;
char name[64];
+
+ uint8_t *buf;
+ size_t buflen;
};
#endif
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index b8eaeb1..14a40a9 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -90,8 +90,6 @@
*/
#define NL_DEFAULT_BATCH_SEND_THRESHOLD (15 * NL_PKT_BUF_SIZE)
-#define NL_BATCH_RX_BUFSIZE NL_RCV_PKT_BUF_SIZE
-
static const struct message nlmsg_str[] = {{RTM_NEWROUTE, "RTM_NEWROUTE"},
{RTM_DELROUTE, "RTM_DELROUTE"},
{RTM_GETROUTE, "RTM_GETROUTE"},
@@ -164,8 +162,6 @@ DEFINE_MTYPE_STATIC(ZEBRA, NL_BUF, "Zebra Netlink buffers")
size_t nl_batch_tx_bufsize;
char *nl_batch_tx_buf;
-char nl_batch_rx_buf[NL_BATCH_RX_BUFSIZE];
-
_Atomic uint32_t nl_batch_bufsize = NL_DEFAULT_BATCH_BUFSIZE;
_Atomic uint32_t nl_batch_send_threshold = NL_DEFAULT_BATCH_SEND_THRESHOLD;
@@ -322,6 +318,9 @@ static int netlink_socket(struct nlsock *nl, unsigned long groups,
nl->snl = snl;
nl->sock = sock;
+ nl->buflen = NL_RCV_PKT_BUF_SIZE;
+ nl->buf = XMALLOC(MTYPE_NL_BUF, nl->buflen);
+
return ret;
}
@@ -729,19 +728,29 @@ static ssize_t netlink_send_msg(const struct nlsock *nl, void *buf,
*
* Returns -1 on error, 0 if read would block or the number of bytes received.
*/
-static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
- void *buf, size_t buflen)
+static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
{
struct iovec iov;
int status;
- iov.iov_base = buf;
- iov.iov_len = buflen;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
+ iov.iov_base = nl->buf;
+ iov.iov_len = nl->buflen;
+ msg->msg_iov = &iov;
+ msg->msg_iovlen = 1;
do {
- status = recvmsg(nl->sock, &msg, 0);
+ int bytes;
+
+ bytes = recv(nl->sock, NULL, 0, MSG_PEEK | MSG_TRUNC);
+
+ if (bytes >= 0 && (size_t)bytes > nl->buflen) {
+ nl->buf = XREALLOC(MTYPE_NL_BUF, nl->buf, bytes);
+ nl->buflen = bytes;
+ iov.iov_base = nl->buf;
+ iov.iov_len = nl->buflen;
+ }
+
+ status = recvmsg(nl->sock, msg, 0);
} while (status == -1 && errno == EINTR);
if (status == -1) {
@@ -761,10 +770,10 @@ static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
return -1;
}
- if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
+ if (msg->msg_namelen != sizeof(struct sockaddr_nl)) {
flog_err(EC_ZEBRA_NETLINK_LENGTH_ERROR,
"%s sender address length error: length %d", nl->name,
- msg.msg_namelen);
+ msg->msg_namelen);
return -1;
}
@@ -873,8 +882,7 @@ static int netlink_parse_error(const struct nlsock *nl, struct nlmsghdr *h,
* the filter.
*/
int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
- const struct nlsock *nl,
- const struct zebra_dplane_info *zns,
+ struct nlsock *nl, const struct zebra_dplane_info *zns,
int count, int startup)
{
int status;
@@ -883,7 +891,6 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
int read_in = 0;
while (1) {
- char buf[NL_RCV_PKT_BUF_SIZE];
struct sockaddr_nl snl;
struct msghdr msg = {.msg_name = (void *)&snl,
.msg_namelen = sizeof(snl)};
@@ -892,14 +899,14 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
if (count && read_in >= count)
return 0;
- status = netlink_recv_msg(nl, msg, buf, sizeof(buf));
+ status = netlink_recv_msg(nl, &msg);
if (status == -1)
return -1;
else if (status == 0)
break;
read_in++;
- for (h = (struct nlmsghdr *)buf;
+ for (h = (struct nlmsghdr *)nl->buf;
(status >= 0 && NLMSG_OK(h, (unsigned int)status));
h = NLMSG_NEXT(h, status)) {
/* Finish of reading. */
@@ -976,10 +983,10 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
*/
static int
netlink_talk_info(int (*filter)(struct nlmsghdr *, ns_id_t, int startup),
- struct nlmsghdr *n, const struct zebra_dplane_info *dp_info,
+ struct nlmsghdr *n, struct zebra_dplane_info *dp_info,
int startup)
{
- const struct nlsock *nl;
+ struct nlsock *nl;
nl = &(dp_info->nls);
n->nlmsg_seq = nl->seq;
@@ -1067,12 +1074,11 @@ static int nl_batch_read_resp(struct nl_batch *bth)
* message at a time.
*/
while (true) {
- status = netlink_recv_msg(nl, msg, nl_batch_rx_buf,
- sizeof(nl_batch_rx_buf));
+ status = netlink_recv_msg(nl, &msg);
if (status == -1 || status == 0)
return status;
- h = (struct nlmsghdr *)nl_batch_rx_buf;
+ h = (struct nlmsghdr *)nl->buf;
ignore_msg = false;
seq = h->nlmsg_seq;
/*
@@ -1506,11 +1512,15 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
if (zns->netlink.sock >= 0) {
close(zns->netlink.sock);
zns->netlink.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink.buf);
+ zns->netlink.buflen = 0;
}
if (zns->netlink_cmd.sock >= 0) {
close(zns->netlink_cmd.sock);
zns->netlink_cmd.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink_cmd.buf);
+ zns->netlink_cmd.buflen = 0;
}
/* During zebra shutdown, we need to leave the dataplane socket
@@ -1520,6 +1530,8 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
if (zns->netlink_dplane.sock >= 0) {
close(zns->netlink_dplane.sock);
zns->netlink_dplane.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink_dplane.buf);
+ zns->netlink_dplane.buflen = 0;
}
}
}
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 14a40a9..2b566d4 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -779,7 +779,7 @@ static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_RECV) {
zlog_debug("%s: << netlink message dump [recv]", __func__);
- zlog_hexdump(buf, status);
+ zlog_hexdump(nl->buf, status);
}
return status;
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 2b566d4..0564a6b 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -1060,7 +1060,7 @@ static int nl_batch_read_resp(struct nl_batch *bth)
struct sockaddr_nl snl;
struct msghdr msg = {};
int status, seq;
- const struct nlsock *nl;
+ struct nlsock *nl;
struct zebra_dplane_ctx *ctx;
bool ignore_msg;

@ -0,0 +1,4 @@
#Type Name ID GECOS Home directory Shell
g frrvty -
u frr - "FRRouting routing suite" /var/run/frr /sbin/nologin
m frr frrvty

@ -1,4 +1,4 @@
/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) /usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) /usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
@ -22,6 +22,7 @@
/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0) /var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0) /var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0) /var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pathd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0) /var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)

@ -162,45 +162,53 @@ interface(`frr_admin',`
') ')
######################################## ########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
######################################
## <summary> ## <summary>
## Read ifconfig_var_run_t files and link files ## Watch ifconfig_var_run_t directories
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
ifndef(`sysnet_read_ifconfig_run',` ifndef(`sysnet_watch_ifconfig_run',`
interface(`sysnet_read_ifconfig_run',` interface(`sysnet_watch_ifconfig_run',`
gen_require(` gen_require(`
type ifconfig_var_run_t; type ifconfig_var_run_t;
') ')
manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ')
read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
') ')
######################################## ########################################
## <summary> ## <summary>
## Read unconfined_t files and dirs ## Read ifconfig_var_run_t files and link files
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
# #
ifndef(`unconfined_read_files',` ifndef(`sysnet_read_ifconfig_run',`
interface(`unconfined_read_files',` interface(`sysnet_read_ifconfig_run',`
gen_require(` gen_require(`
type unconfined_t; type ifconfig_var_run_t;
') ')
allow $1 unconfined_t:file read_file_perms; list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
allow $1 unconfined_t:dir list_dir_perms; read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
') read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
') ')

@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t)
# #
# frr local policy # frr local policy
# #
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms; allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create; allow frr_t self:packet_socket create_socket_perms;
allow frr_t self:process { setcap setpgid }; allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms; allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@ -93,25 +93,23 @@ corenet_tcp_bind_zebra_port(frr_t)
domain_use_interactive_fds(frr_t) domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t) fs_read_nsfs_files(frr_t)
fs_search_cgroup_dirs(frr_t)
sysnet_exec_ifconfig(frr_t) sysnet_exec_ifconfig(frr_t)
sysnet_read_ifconfig_run(frr_t) sysnet_read_ifconfig_run(frr_t)
sysnet_watch_ifconfig_run(frr_t)
ipsec_domtrans_mgmt(frr_t)
userdom_read_admin_home_files(frr_t) userdom_read_admin_home_files(frr_t)
init_signal(frr_t) init_signal(frr_t)
init_signal_script(frr_t) unconfined_server_signull(frr_t)
init_signull_script(frr_t) allow frr_t unconfined_service_t:process signal;
optional_policy(` optional_policy(`
logging_send_syslog_msg(frr_t) logging_send_syslog_msg(frr_t)
') ')
optional_policy(`
unconfined_read_files(frr_t)
')
optional_policy(` optional_policy(`
modutils_exec_kmod(frr_t) modutils_exec_kmod(frr_t)
modutils_getattr_module_deps(frr_t) modutils_getattr_module_deps(frr_t)
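Review bot: The rules that appear to be added in this hunk, `ipsec_domtrans_mgmt(frr_t)`, `unconfined_server_signull(frr_t)` and `allow frr_t unconfined_service_t:process signal;`, sit outside any `optional_policy` block, whereas the `unconfined_read_files(frr_t)` call the hunk drops was wrapped in one. If the ipsec or unconfined policy module is absent on the target, the frr module would presumably fail to install, so wrapping each group in `optional_policy(` … `')` would keep the earlier tolerance. The raw `allow` rule names `unconfined_service_t` directly, and whether a `gen_require` declares that type is not visible here. A short comment above these lines saying why `frr_t` needs `ipsec_domtrans_mgmt` and permission to signal unconfined services would help later audits, given that `sys_admin` and `dac_override` stay in the capability set. The final `optional_policy` block continues outside the hunk.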

@ -0,0 +1,16 @@
#!/bin/sh
#this script is used to remove babled and ldpd from the tar sources
#Usage: sh remove-babeld-ldpd.sh <VERSION>
#Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file
VERSION=$1
TAR=frr-${VERSION}.tar.gz
DIR=frr-${VERSION}
echo ${VERSION}
echo ${TAR}
echo ${DIR}
tar -xzf ${TAR}
rm -rf ${DIR}/babeld ${DIR}/ldpd
tar -czf ${TAR} ${DIR}
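Review bot: Nothing in this script stops after a failed step, so a missing `$1` or a failed `tar -xzf ${TAR}` is still followed by `rm -rf` and by `tar -czf ${TAR} ${DIR}`, which rewrites the tarball from whatever partial tree exists. Adding `set -eu` directly under the shebang and quoting the expansions, as in `tar -czf "${TAR}" "${DIR}"`, makes it abort instead. The repacked archive no longer matches the upstream release, and the hash recorded for `SOURCES/frr-8.3.1.tar.gz` only covers the modified file. The header comment should therefore also say that the upstream checksum or signature is to be verified before repacking.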

@ -1,67 +1,86 @@
%global frrversion 7.5.1 %global frr_libdir %{_libexecdir}/frr
%global frr_libdir /usr/libexec/frr
%global _hardened_build 1 %global _hardened_build 1
%define _legacy_common_support 1
%global selinuxtype targeted %global selinuxtype targeted
%bcond_without selinux %bcond_without selinux
Name: frr Name: frr
Version: 7.5.1 Version: 8.3.1
Release: 13%{?checkout}%{?dist}.4 Release: 11%{?checkout}%{?dist}.2
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.conf Source1: %{name}-tmpfiles.conf
Source2: frr.fc Source2: frr-sysusers.conf
Source3: frr.te Source3: frr.fc
Source4: frr.if Source4: frr.te
BuildRequires: perl-generators Source5: frr.if
BuildRequires: gcc Source6: remove-babeld-ldpd.sh
BuildRequires: net-snmp-devel BuildRequires: autoconf
BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff BuildRequires: automake
BuildRequires: readline readline-devel ncurses ncurses-devel BuildRequires: bison >= 2.7
BuildRequires: git pam-devel c-ares-devel BuildRequires: c-ares-devel
BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML BuildRequires: flex
BuildRequires: python3-devel python3-sphinx python3-pytest BuildRequires: gcc
BuildRequires: systemd systemd-devel BuildRequires: gcc-c++
BuildRequires: libyang-devel >= 1.0.184 BuildRequires: git-core
Requires: net-snmp ncurses BuildRequires: groff
Requires(post): systemd /sbin/install-info BuildRequires: json-c-devel
Requires(preun): systemd /sbin/install-info BuildRequires: libcap-devel
BuildRequires: libtool
BuildRequires: libyang-devel >= 2.0.0
BuildRequires: make
BuildRequires: ncurses
BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: patch
BuildRequires: perl-XML-LibXML
BuildRequires: perl-generators
BuildRequires: python3-devel
BuildRequires: python3-pytest
BuildRequires: python3-sphinx
BuildRequires: readline-devel
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: texinfo
Requires: net-snmp
Requires: ncurses
Requires(post): systemd
Requires(post): /sbin/install-info
Requires(post): hostname
Requires(preun): systemd
Requires(preun): /sbin/install-info
Requires(postun): systemd Requires(postun): systemd
Requires: iproute
Requires: initscripts
%if 0%{?with_selinux} %if 0%{?with_selinux}
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
%endif %endif
Conflicts: quagga
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga frr-contrib
Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch Patch0004: 0004-fips-mode.patch
Patch0006: 0006-CVE-2020-12831.patch Patch0005: 0005-ospf-api.patch
Patch0007: 0007-frrinit.patch Patch0006: 0006-graceful-restart.patch
Patch0008: 0008-designated-router.patch Patch0007: 0007-cve-2022-37032.patch
Patch0009: 0009-routemap.patch Patch0008: 0008-frr-non-root-user.patch
Patch0010: 0010-moving-executables.patch Patch0009: 0009-CVE-2022-36440-40302.patch
Patch0011: 0011-reload-bfd-profile.patch Patch0010: 0010-CVE-2022-43681.patch
Patch0012: 0012-graceful-restart.patch Patch0011: 0011-CVE-2022-40318.patch
Patch0013: 0013-CVE-2022-37032.patch Patch0012: 0012-bfd-not-working-in-vrf.patch
Patch0014: 0014-bfd-profile-crash.patch Patch0013: 0013-CVE-2023-38802.patch
Patch0015: 0015-CVE-2023-38802.patch Patch0014: 0014-max-ttl-reload.patch
Patch0016: 0016-max-ttl-reload.patch Patch0015: 0015-CVE-2023-47235.patch
Patch0017: 0017-fix-crash-in-plist-update.patch Patch0016: 0016-CVE-2023-47234.patch
Patch0018: 0018-CVE-2023-38406.patch Patch0017: 0017-CVE-2023-38406.patch
Patch0019: 0019-CVE-2023-38407.patch Patch0018: 0018-CVE-2023-38407.patch
Patch0020: 0020-CVE-2023-47234.patch
Patch0021: 0021-CVE-2023-47235.patch
Patch0022: 0022-dynamic-netlink-buffer.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -74,11 +93,11 @@ FRRouting is a fork of Quagga.
%if 0%{?with_selinux} %if 0%{?with_selinux}
%package selinux %package selinux
Summary: Selinux policy for FRR Summary: Selinux policy for FRR
BuildArch: noarch BuildArch: noarch
Requires: selinux-policy-%{selinuxtype} Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
%{?selinux_requires} %{?selinux_requires}
%description selinux %description selinux
@ -88,9 +107,8 @@ SELinux policy modules for FRR package
%prep %prep
%autosetup -S git %autosetup -S git
#SELinux
mkdir selinux mkdir selinux
cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
%build %build
autoreconf -ivf autoreconf -ivf
@ -101,11 +119,11 @@ autoreconf -ivf
--libdir=%{_libdir}/frr \ --libdir=%{_libdir}/frr \
--libexecdir=%{_libexecdir}/frr \ --libexecdir=%{_libexecdir}/frr \
--localstatedir=%{_localstatedir}/run/frr \ --localstatedir=%{_localstatedir}/run/frr \
--enable-snmp=agentx \
--enable-multipath=64 \ --enable-multipath=64 \
--enable-vtysh=yes \ --enable-vtysh=yes \
--enable-ospfclient=no \ --disable-ospfclient \
--enable-ospfapi=no \ --disable-ospfapi \
--enable-snmp=agentx \
--enable-user=frr \ --enable-user=frr \
--enable-group=frr \ --enable-group=frr \
--enable-vty-group=frrvty \ --enable-vty-group=frrvty \
@ -125,7 +143,6 @@ pushd doc
make info make info
popd popd
#SELinux policy
%if 0%{?with_selinux} %if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 selinux/%{name}.pp bzip2 -9 selinux/%{name}.pp
@ -145,39 +162,36 @@ mkdir -p %{buildroot}%{_tmpfilesdir}
rm -rf %{buildroot}/usr/share/info/dir rm -rf %{buildroot}/usr/share/info/dir
install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons install -p -m 644 tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr install -p -m 644 redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr install -p -m 644 redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr install -d -m 775 %{buildroot}/run/frr
install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf
%if 0%{?with_selinux} %if 0%{?with_selinux}
install -D -m 644 selinux/%{name}.pp.bz2 \ install -D -m 644 selinux/%{name}.pp.bz2 \
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif %endif
rm %{buildroot}%{_libdir}/frr/*.la # Delete libtool archives
rm %{buildroot}%{_libdir}/frr/modules/*.la find %{buildroot} -type f -name "*.la" -delete -print
#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed #Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
rm %{buildroot}%{_libdir}/frr/*.so rm %{buildroot}%{_libdir}/frr/*.so
rm -r %{buildroot}%{_includedir}/frr/ rm -r %{buildroot}%{_includedir}/frr/
%pre %pre
getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || : %sysusers_create_compat %{SOURCE2}
getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || : exit 0
getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
-c "FRRouting suite" -d %{_localstatedir}/run/frr frr || :
usermod -aG frrvty frr
%post %post
#Because we move files to /usr/libexec, we need to reload .service files as well
/usr/bin/systemctl daemon-reload
%systemd_post frr.service %systemd_post frr.service
if [ -f %{_infodir}/%{name}.inf* ]; then if [ -f %{_infodir}/%{name}.inf* ]; then
@ -185,39 +199,37 @@ if [ -f %{_infodir}/%{name}.inf* ]; then
fi fi
# Create dummy files if they don't exist so basic functions can be used. # Create dummy files if they don't exist so basic functions can be used.
if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then # Only create frr.conf when first installing, otherwise it can change
echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf # the behavior of the package
chown frr:frr %{_sysconfdir}/frr/zebra.conf if [ $1 -eq 1 ]; then
chmod 640 %{_sysconfdir}/frr/zebra.conf if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
chown frr:frr %{_sysconfdir}/frr/frr.conf
chmod 640 %{_sysconfdir}/frr/frr.conf
fi
fi fi
#still used by vtysh, this way no error is produced when using vtysh
if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf touch %{_sysconfdir}/frr/vtysh.conf
chmod 640 %{_sysconfdir}/frr/vtysh.conf chmod 640 %{_sysconfdir}/frr/vtysh.conf
chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
fi fi
#Making sure that the old format of config file still works
#Checking whether .rpmnew conf file is present - in that case I want to change the old config
if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then
sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons
sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons
fi
%postun %postun
%systemd_postun_with_restart frr.service %systemd_postun_with_restart frr.service
#only when removing the package %preun
if [ $1 -ge 0 ]; then %systemd_preun frr.service
#only when removing frr
if [ $1 -eq 0 ]; then
if [ -f %{_infodir}/%{name}.inf* ]; then if [ -f %{_infodir}/%{name}.inf* ]; then
install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
fi fi
fi fi
%preun
%systemd_preun frr.service
#SELinux
%if 0%{?with_selinux} %if 0%{?with_selinux}
%pre selinux %pre selinux
%selinux_relabel_pre -s %{selinuxtype} %selinux_relabel_pre -s %{selinuxtype}
@ -227,8 +239,8 @@ fi
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade #/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
if [ $1 == 2 ]; then if [ $1 == 2 ]; then
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
fi fi
%postun selinux %postun selinux
@ -236,7 +248,6 @@ if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name} %selinux_modules_uninstall -s %{selinuxtype} %{name}
%selinux_relabel_post -s %{selinuxtype} %selinux_relabel_post -s %{selinuxtype}
fi fi
%endif %endif
%check %check
@ -245,16 +256,8 @@ make check PYTHON=%{__python3}
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%license COPYING %license COPYING
%doc zebra/zebra.conf.sample
%doc isisd/isisd.conf.sample
%doc ripd/ripd.conf.sample
%doc bgpd/bgpd.conf.sample*
%doc ospfd/ospfd.conf.sample
%doc ospf6d/ospf6d.conf.sample
%doc ripngd/ripngd.conf.sample
%doc pimd/pimd.conf.sample
%doc doc/mpls %doc doc/mpls
%dir %attr(740,frr,frr) %{_sysconfdir}/frr %dir %attr(750,frr,frr) %{_sysconfdir}/frr
%dir %attr(755,frr,frr) /var/log/frr %dir %attr(755,frr,frr) /var/log/frr
%dir %attr(755,frr,frr) /run/frr %dir %attr(755,frr,frr) /run/frr
%{_infodir}/*info* %{_infodir}/*info*
@ -264,7 +267,7 @@ make check PYTHON=%{__python3}
%{_bindir}/* %{_bindir}/*
%dir %{_libdir}/frr %dir %{_libdir}/frr
%{_libdir}/frr/*.so.* %{_libdir}/frr/*.so.*
%dir %{_libdir}/frr/modules/ %dir %{_libdir}/frr/modules
%{_libdir}/frr/modules/* %{_libdir}/frr/modules/*
%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr %config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons %config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
@ -273,6 +276,7 @@ make check PYTHON=%{__python3}
%dir /usr/share/yang %dir /usr/share/yang
/usr/share/yang/*.yang /usr/share/yang/*.yang
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%{_sysusersdir}/frr.conf
%if 0%{?with_selinux} %if 0%{?with_selinux}
%files selinux %files selinux
@ -282,131 +286,176 @@ make check PYTHON=%{__python3}
%endif %endif
%changelog %changelog
* Fri Feb 09 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.4 * Thu Dec 21 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-24697 - Zebra not fetching host routes - Resolves: RHEL-17480 - Out of bounds read in bgpd/bgp_label.c
* Thu Dec 21 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-17474 - Flowspec overflow in bgpd/bgp_flowspec.c
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-17471 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-17477 - crash from malformed EOR-containing BGP UPDATE message
* Wed Oct 11 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.1
- Resolves: RHEL-11665 - eBGP multihop peer flapping due to delta miscalculation of new configuration
* Wed Sep 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11
- Resolves: #2231001 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
- Related: #2216912 - adding sys_admin to capabilities
* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
- Resolves: #2168855 - BFD not working through VRF
* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
- Resolves: #2147522 - It is not possible to run FRR as a non-root user
* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
- Resolves: #2144500 - AVC error when reloading FRR with provided reload script
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.3 * Wed Oct 19 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
- Resolves: RHEL-17529 - crash from malformed EOR-containing BGP UPDATE message - Related: #2129743 - Adding missing rules for vtysh and other daemons
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.3 * Mon Oct 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
- Resolves: RHEL-17535 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message - Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.3 * Thu Oct 13 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
- Resolves: RHEL-17547 - Out of bounds read in bgpd/bgp_label.c - Resolves: #2129731 - Rebase FRR to the latest version
- Resolves: #2129743 - Add targeted SELinux policy for FRR
- Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.3 * Tue Jun 14 2022 Michal Ruprich - 8.2.2-4
- Resolves: RHEL-17541 - Flowspec overflow in bgpd/bgp_flowspec.c - Resolves: #2095404 - frr use systemd-sysusers
* Wed Oct 25 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.2 * Tue May 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
- Related: RHEL-13873 - Fixing test results in the test database - Resolves: #2081304 - Enhanced TMT testing for centos-stream
* Tue Oct 24 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.2 * Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
- Resolves: RHEL-13873 - crash in plist update - Resolves: #2069571 - the dynamic routing setup does not work any more
* Wed Oct 11 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13.1 * Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
- Resolves: RHEL-11671 - eBGP multihop peer flapping due to delta miscalculation of new configuration - Resolves: #2069563 - Rebase frr to version 8.2.2
* Wed Sep 13 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13 * Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-5
- Resolves: #2231000 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router - Resolves: #2023318 - Rebuilding for the new json-c library
* Wed Aug 23 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-12 * Wed Sep 01 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-4
- Resolves: #2216911 - Adding missing sys_admin SELinux call - Resolves: #1997603 - ospfd not running with ospf opaque-lsa option used
* Mon Aug 21 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-11 * Mon Aug 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-3
- Related: #2216911 - Adding unconfined_t type to access namespaces - Related: #1990858 - Fixing prefix-list duplication check
* Thu Aug 17 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-10 * Thu Aug 12 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-2
- Related: #2226803 - Adding patch - Related: #1990858 - Frr needs higher version of libyang
* Wed Aug 16 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-9 * Tue Aug 10 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
- Resolves: #2226803 - BFD crash in FRR running in MetalLB - Resolves: #1990858 - Possible rebase of frr to version 8.0
* Fri Aug 11 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-8 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-7
- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7 * Wed Jul 21 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service - Resolves: #1983967 - ospfd crashes in route_node_delete with assertion fail
* Tue Nov 29 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-5
- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-5 * Fri Jun 04 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
- Resolves: #2127140 - Frr is unable to push routes to the system routing table - Resolves: #1958155 - Upgrading frr unconditionally creates /etc/frr/frr.conf, breaking existing configuration
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4 * Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers - Resolves: #1939456 - /etc/frr permissions are bogus
- Resolves: #1951303 - FTBFS in CentOS Stream
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-2
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2 * Tue Mar 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2 - New version 7.5.1
- Resolves: #1714984 - SELinux policy (daemons) changes required for package - Enabling grpc, adding hostname for post scriptlet
- Moving files to libexec due to selinux issues
* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1 * Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
- Resolves: #2018451 - Rebase of frr to version 7.5.1 - Fixing FTBS - icc options are confusing the new gcc
- Resolves: #1975361 - the dynamic routing setup does not work any more
* Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
- Resolves: #2034328 - Bfdd crash in metallb CI - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 04 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-10 * Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
- Resolves: #2020878 - frr ospfd show ip ospf interface does not show designated router info - New version 7.5
* Fri Dec 10 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-9 * Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1
- Resolves: #2029958 - FRR reloader generating invalid BFD configurations, exits with error - New version 7.4
* Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-8 * Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4
- Resolves: #2021819 - Rebuilding for the new json-c - Rebuilt for new net-snmp release
* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-7 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3
- Related: #1917269 - Wrong value in gating file - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Sep 17 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-6 * Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1
- Related: #1917269 - Incomplete patch, adding gating rules - New version 7.3.1
- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-5 * Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6
- Resolves: #1979426 - Unable to configure OSPF in multi-instance mode - Removing texi2html, it is not available in Rawhide anymore
- Resolves: #1917269 - vtysh running-config output not showing bgp ttl-security hops option
* Tue Jan 12 2021 root - 7.5-4 * Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5
- Related: #1889323 - Fixing start-up with old config file - Rebuild for new version of libyang
* Mon Jan 11 2021 root - 7.5-3 * Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4
- Related: #1889323 - Reverting to non-integrated cofiguration - Rebuild (json-c)
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-2 * Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3
- Related: #1889323 - Obsoleting frr-contrib - Update json-c-0.14 patch with a solution from upstream
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1 * Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2
- Resolves: #1889323 - [RFE] Rebase FRR to 7.5 - Add support for upcoming json-c 0.14.0
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-10 * Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1
- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881 - New version 7.3
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-9 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2
- Resolves: #1852476 - default permission issue eases information leaks - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue May 05 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-8 * Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 7.2-1
- Resolves: #1819319 - frr fails to start start if the initscripts package is missing - New version 7.2
* Mon May 04 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-7 * Tue Nov 12 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-5
- Resolves: #1758544 - IGMPv3 queries may lead to DoS - Rebuilding for new version of libyang
* Tue Mar 10 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-6 * Mon Oct 07 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-4
- Resolves: #1776342 - frr has missing dependency on iproute - Adding noreplace to the /etc/frr/daemons file
* Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5 * Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3
- Resolves: #1719465 - Removal of component Frr or its crypto - New way of finding python version during build
- Replacing crypto of all routing daemons with openssl
- Disabling EIGRP crypto because it is broken
- Disabling crypto in FIPS mode
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-4 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2
- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-3 * Tue Jun 25 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-1
- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty - New version 7.1
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2 * Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel - Initial build
* Wed May 29 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-1
- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8
