27 changed files with 1387 additions and 981 deletions
--- a/.frr.metadata
+++ b/.frr.metadata
@ -1 +1 @@
-ae93955533d9370c136d45a3adf808d7b50284a0 SOURCES/frr-10.1.tar.gz
+467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/frr-10.1.tar.gz
+SOURCES/frr-8.3.1.tar.gz
--- a/SOURCES/0000-remove-babeld-and-ldpd.patch
+++ b/SOURCES/0000-remove-babeld-and-ldpd.patch
@ -16,9 +16,9 @@ index 5be3264..33abc1d 100644
 	snapcraft/helpers \
 	snapcraft/snap \
 -	babeld/Makefile \
 	mgmtd/Makefile \
 	bgpd/Makefile \
 	bgpd/rfp-example/librfp/Makefile \
 	bgpd/rfp-example/rfptest/Makefile \
@@ -193,7 +190,6 @@ EXTRA_DIST += \
 	fpm/Makefile \
 	grpc/Makefile \
@ -28,13 +28,13 @@ index 5be3264..33abc1d 100644
 	nhrpd/Makefile \
 	ospf6d/Makefile \
 diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
-index 8aa0887..c92dcca 100644
+index f6d512b..6d4831d 100644
 --- a/tools/etc/frr/daemons
 +++ b/tools/etc/frr/daemons
-@@ -22,10 +22,8 @@ ripngd=no
+@@ -21,10 +21,8 @@ ripd=no
 ripngd=no
 isisd=no
 pimd=no
 pim6d=no
 -ldpd=no
 nhrpd=no
 eigrpd=no
@ -42,10 +42,10 @@ index 8aa0887..c92dcca 100644
 sharpd=no
 pbrd=no
 bfdd=no
-@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
+@@ -45,10 +43,8 @@ ripd_options="   -A 127.0.0.1"
 ripngd_options=" -A ::1"
 isisd_options="  -A 127.0.0.1"
 pimd_options="   -A 127.0.0.1"
 pim6d_options="  -A ::1"
 -ldpd_options="   -A 127.0.0.1"
 nhrpd_options="  -A 127.0.0.1"
 eigrpd_options=" -A 127.0.0.1"
--- a/SOURCES/0002-enable-openssl.patch
+++ b/SOURCES/0002-enable-openssl.patch
@ -8,8 +8,8 @@ index 0b7af18..0533e24 100644
 	lib/log_vty.c \
 -	lib/md5.c \
 	lib/memory.c \
- 	lib/mgmt_be_client.c \
+ 	lib/mlag.c \
- 	lib/mgmt_fe_client.c \
+ 	lib/module.c \
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
 	lib/routemap_northbound.c \
 	lib/sbuf.c \
@ -24,8 +24,8 @@ index 0b7af18..0533e24 100644
 	lib/log_vty.h \
 -	lib/md5.h \
 	lib/memory.h \
- 	lib/mgmt.pb-c.h \
+ 	lib/module.h \
- 	lib/mgmt_be_client.h \
+ 	lib/monotime.h \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
 	lib/route_opaque.h \
 	lib/sbuf.h \
--- a/SOURCES/0004-fips-mode.patch
+++ b/SOURCES/0004-fips-mode.patch
@ -2,20 +2,9 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
 index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
@@ -7,6 +7,10 @@
 #include <zebra.h>
 #include <string.h>
 +#ifdef CRYPTO_OPENSSL
 +#include <openssl/fips.h>
 +#endif
 +
 #include "printfrr.h"
 #include "monotime.h"
 #include "memory.h"
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
- 		vl_config.keychain = argv[idx+1]->arg;
+ 
- 	} else if (argv_find(argv, argc, "message-digest", &idx)) {
+ 	if (argv_find(argv, argc, "message-digest", &idx)) {
 		/* authentication message-digest */
 +		if(FIPS_mode())
 +		{
@ -52,7 +41,7 @@ index 631465f..e084ff3 100644
 +		}
 		SET_IF_PARAM(params, auth_type);
 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
- 		UNSET_IF_PARAM(params, keychain_name);
+ 		return CMD_SUCCESS;
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
        "The OSPF password (key)\n"
        "Address of interface\n")
@ -69,17 +58,6 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
 index 81b4b39..cce33d9 100644
 --- a/isisd/isis_circuit.c
 +++ b/isisd/isis_circuit.c
@@ -13,6 +13,10 @@
 #include <netinet/if_ether.h>
 #endif
 +#ifdef CRYPTO_OPENSSL
 +#include <openssl/fips.h>
 +#endif
 +
 #include "log.h"
 #include "memory.h"
 #include "vrf.h"
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
 		return ferr_code_bug(
 			"circuit password too long (max 254 chars)");
@ -95,17 +73,6 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
 index 419127c..a6c36af 100644
 --- a/isisd/isisd.c
 +++ b/isisd/isisd.c
@@ -9,6 +9,10 @@
 #include <zebra.h>
 +#ifdef CRYPTO_OPENSSL
 +#include <openssl/fips.h>
 +#endif
 +
 #include "frrevent.h"
 #include "vty.h"
 #include "command.h"
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
 		if (len > 254)
 			return -1;
@ -121,17 +88,6 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
 index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
@@ -7,6 +7,10 @@
 #include <zebra.h>
 +#ifdef CRYPTO_OPENSSL
 +#include <openssl/fips.h>
 +#endif
 +
 #include "if.h"
 #include "if_rmap.h"
 #include "vrf.h"
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
 			value = "20";
 	}
@ -145,3 +101,15 @@ index 5bb81ef..02a09ef 100644
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
 	if (strmatch(mode, "md5"))
 diff --git a/lib/zebra.h b/lib/zebra.h
 index 53ae5b4..930307f 100644
 --- a/lib/zebra.h
 +++ b/lib/zebra.h
@@ -114,6 +114,7 @@
 #ifdef CRYPTO_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 +#include <openssl/fips.h>
 #endif
 #include "openbsd-tree.h"
--- a/SOURCES/0005-ospf-api.patch
+++ b/SOURCES/0005-ospf-api.patch
@ -0,0 +1,25 @@
 diff --git a/ospfd/ospf_spf.c b/ospfd/ospf_spf.c
 index 74a5674..aec9037 100644
 --- a/ospfd/ospf_spf.c
 +++ b/ospfd/ospf_spf.c
@@ -48,7 +48,10 @@
 #include "ospfd/ospf_sr.h"
 #include "ospfd/ospf_ti_lfa.h"
 #include "ospfd/ospf_errors.h"
 +
 +#ifdef SUPPORT_OSPF_API
 #include "ospfd/ospf_apiserver.h"
 +#endif
 /* Variables to ensure a SPF scheduled log message is printed only once */
@@ -1897,7 +1900,9 @@ static void ospf_spf_calculate_schedule_worker(struct thread *thread)
 	/* Update all routers routing table */
 	ospf->oall_rtrs = ospf->all_rtrs;
 	ospf->all_rtrs = all_rtrs;
 +#ifdef SUPPORT_OSPF_API
 	ospf_apiserver_notify_reachable(ospf->oall_rtrs, ospf->all_rtrs);
 +#endif
 	/* Free old ABR/ASBR routing table */
 	if (ospf->old_rtrs)
--- a/SOURCES/0005-remove-grpc-test.patch
+++ b/SOURCES/0005-remove-grpc-test.patch
@ -1,27 +0,0 @@
 diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
 index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
 	test -e tests/lib/script1.lua || \
 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
 -##############################################################################
 -GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
 -endif
 -tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
 -nodist_tests_lib_test_grpc_SOURCES = \
 -	yang/frr-bfdd.yang.c \
 -	yang/frr-staticd.yang.c \
 -	# end
 -
 -
 ##############################################################################
 if ZEROMQ
 check_PROGRAMS += tests/lib/test_zmq
--- a/SOURCES/0006-graceful-restart.patch
+++ b/SOURCES/0006-graceful-restart.patch
@ -0,0 +1,78 @@
 From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Tue, 27 Sep 2022 17:30:16 +0300
 Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
 We might disable sending unconfig/shutdown notifications when
 Graceful-Restart is enabled and negotiated.
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)
 diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
 index 749e46ebe9d..ae1308db423 100644
 --- a/bgpd/bgpd.c
 +++ b/bgpd/bgpd.c
@@ -2755,11 +2755,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
 void peer_notify_unconfig(struct peer *peer)
 {
 +	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
 +		if (bgp_debug_neighbor_events(peer))
 +			zlog_debug(
 +				"%pBP configured Graceful-Restart, skipping unconfig notification",
 +				peer);
 +		return;
 +	}
 +
 	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
 		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
 				BGP_NOTIFY_CEASE_PEER_UNCONFIG);
 }
 +static void peer_notify_shutdown(struct peer *peer)
 +{
 +	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
 +		if (bgp_debug_neighbor_events(peer))
 +			zlog_debug(
 +				"%pBP configured Graceful-Restart, skipping shutdown notification",
 +				peer);
 +		return;
 +	}
 +
 +	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
 +		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
 +				BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
 +}
 +
 void peer_group_notify_unconfig(struct peer_group *group)
 {
 	struct peer *peer, *other;
@@ -3676,11 +3699,8 @@ int bgp_delete(struct bgp *bgp)
 	}
 	/* Inform peers we're going down. */
 -	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
 -		if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
 -			bgp_notify_send(peer, BGP_NOTIFY_CEASE,
 -					BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
 -	}
 +	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
 +		peer_notify_shutdown(peer);
 	/* Delete static routes (networks). */
 	bgp_static_delete(bgp);
@@ -8252,10 +8272,7 @@ void bgp_terminate(void)
 	for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
 		for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
 -			if (peer_established(peer) || peer->status == OpenSent
 -			    || peer->status == OpenConfirm)
 -				bgp_notify_send(peer, BGP_NOTIFY_CEASE,
 -						BGP_NOTIFY_CEASE_PEER_UNCONFIG);
 +			peer_notify_unconfig(peer);
 	BGP_TIMER_OFF(bm->t_rmap_update);
--- a/SOURCES/0006-noprefixroute-network-manager.patch
+++ b/SOURCES/0006-noprefixroute-network-manager.patch
@ -1,487 +0,0 @@
 From f450e1cda41f1b7576094a0b3017ba9849cd55ae Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 7 Jun 2024 12:30:59 -0400
 Subject: [PATCH 1/5] zebra: Make p and src_p const for rib_delete
 The prefix'es p and src_p are not const.  Let's make
 them so.  Useful to signal that we will not change this
 data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 zebra/rib.h       | 2 +-
 zebra/zebra_rib.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/zebra/rib.h b/zebra/rib.h
 index 84ea766c4733..7f4e3949e02d 100644
 --- a/zebra/rib.h
 +++ b/zebra/rib.h
@@ -395,7 +395,7 @@ extern int rib_add_multipath_nhe(afi_t afi, safi_t safi, struct prefix *p,
 extern void rib_delete(afi_t afi, safi_t safi, vrf_id_t vrf_id, int type,
 		       unsigned short instance, uint32_t flags,
 -		       struct prefix *p, struct prefix_ipv6 *src_p,
 +		       const struct prefix *p, const struct prefix_ipv6 *src_p,
 		       const struct nexthop *nh, uint32_t nhe_id,
 		       uint32_t table_id, uint32_t metric, uint8_t distance,
 		       bool fromkernel);
 diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
 index 59190e9dd330..c1bd61e1db31 100644
 --- a/zebra/zebra_rib.c
 +++ b/zebra/zebra_rib.c
@@ -4393,8 +4393,8 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
 }
 void rib_delete(afi_t afi, safi_t safi, vrf_id_t vrf_id, int type,
 -		unsigned short instance, uint32_t flags, struct prefix *p,
 -		struct prefix_ipv6 *src_p, const struct nexthop *nh,
 +		unsigned short instance, uint32_t flags, const struct prefix *p,
 +		const struct prefix_ipv6 *src_p, const struct nexthop *nh,
 		uint32_t nhe_id, uint32_t table_id, uint32_t metric,
 		uint8_t distance, bool fromkernel)
 {
 From bdfccf69fa128c51c45bbd3528788f72ac17d854 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 7 Jun 2024 12:56:35 -0400
 Subject: [PATCH 2/5] zebra: Expose rib_update_handle_vrf_all
 This function will be used on interface down
 events to allow for kernel routes to be cleaned
 up.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 zebra/rib.h       | 2 ++
 zebra/zebra_rib.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
 diff --git a/zebra/rib.h b/zebra/rib.h
 index 7f4e3949e02d..8792fb7908ac 100644
 --- a/zebra/rib.h
 +++ b/zebra/rib.h
@@ -477,6 +477,8 @@ extern uint8_t route_distance(int type);
 extern void zebra_rib_evaluate_rn_nexthops(struct route_node *rn, uint32_t seq,
 					   bool rt_delete);
 +extern void rib_update_handle_vrf_all(enum rib_update_event event, int rtype);
 +
 /*
  * rib_find_rn_from_ctx
  *
 diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
 index c1bd61e1db31..649450b5c63c 100644
 --- a/zebra/zebra_rib.c
 +++ b/zebra/zebra_rib.c
@@ -4543,7 +4543,7 @@ void rib_update_table(struct route_table *table, enum rib_update_event event,
 	}
 }
 -static void rib_update_handle_vrf_all(enum rib_update_event event, int rtype)
 +void rib_update_handle_vrf_all(enum rib_update_event event, int rtype)
 {
 	struct zebra_router_table *zrt;
 From d528c02a204086da0d542d5655b8724de681a65c Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 7 Jun 2024 13:50:07 -0400
 Subject: [PATCH 3/5] zebra: Handle kernel routes appropriately
 Current code intentionally ignores kernel routes.  Modify
 zebra to allow these routes to be read in on linux.  Also
 modify zebra to look to see if a route should be treated
 as a connected and mark it as such.
 Additionally this should properly handle some of the issues
 being seen with NOPREFIXROUTE.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 zebra/interface.c  |   2 +
 zebra/rib.h        |   1 +
 zebra/rt_netlink.c |   2 -
 zebra/zebra_rib.c  | 105 +++++++++++++++++++++++++++++++++++++++------
 4 files changed, 96 insertions(+), 14 deletions(-)
 diff --git a/zebra/interface.c b/zebra/interface.c
 index 03b710e1a0f9..d146004781a5 100644
 --- a/zebra/interface.c
 +++ b/zebra/interface.c
@@ -1058,6 +1058,8 @@ void if_down(struct interface *ifp)
 	/* Delete all neighbor addresses learnt through IPv6 RA */
 	if_down_del_nbr_connected(ifp);
 +
 +	rib_update_handle_vrf_all(RIB_UPDATE_INTERFACE_DOWN, ZEBRA_ROUTE_KERNEL);
 }
 void if_refresh(struct interface *ifp)
 diff --git a/zebra/rib.h b/zebra/rib.h
 index 8792fb7908ac..cd6efbfb36dd 100644
 --- a/zebra/rib.h
 +++ b/zebra/rib.h
@@ -326,6 +326,7 @@ typedef struct rib_tables_iter_t_ {
 /* Events/reasons triggering a RIB update. */
 enum rib_update_event {
 +	RIB_UPDATE_INTERFACE_DOWN,
 	RIB_UPDATE_KERNEL,
 	RIB_UPDATE_RMAP_CHANGE,
 	RIB_UPDATE_OTHER,
 diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
 index c22145be693b..ddcb83cd8ce7 100644
 --- a/zebra/rt_netlink.c
 +++ b/zebra/rt_netlink.c
@@ -799,8 +799,6 @@ int netlink_route_change_read_unicast_internal(struct nlmsghdr *h,
 		return 0;
 	if (rtm->rtm_protocol == RTPROT_REDIRECT)
 		return 0;
 -	if (rtm->rtm_protocol == RTPROT_KERNEL)
 -		return 0;
 	selfroute = is_selfroute(rtm->rtm_protocol);
 diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
 index 649450b5c63c..2d6c5148833a 100644
 --- a/zebra/zebra_rib.c
 +++ b/zebra/zebra_rib.c
@@ -1619,6 +1619,10 @@ static bool rib_compare_routes(const struct route_entry *re1,
 	 * v6 link-locals, and we also support multiple addresses in the same
 	 * subnet on a single interface.
 	 */
 +	if (re1->type == ZEBRA_ROUTE_CONNECT &&
 +	    (re1->nhe->nhg.nexthop->ifindex == re2->nhe->nhg.nexthop->ifindex))
 +		return true;
 +
 	if (re1->type != ZEBRA_ROUTE_CONNECT && re1->type != ZEBRA_ROUTE_LOCAL)
 		return true;
@@ -2863,10 +2867,11 @@ static void process_subq_early_route_add(struct zebra_early_route *ere)
 	/* Link new re to node.*/
 	if (IS_ZEBRA_DEBUG_RIB) {
 -		rnode_debug(
 -			rn, re->vrf_id,
 -			"Inserting route rn %p, re %p (%s) existing %p, same_count %d",
 -			rn, re, zebra_route_string(re->type), same, same_count);
 +		rnode_debug(rn, re->vrf_id,
 +			    "Inserting route rn %p, re %p (%s/%s/%s) existing %p, same_count %d",
 +			    rn, re, zebra_route_string(re->type),
 +			    afi2str(ere->afi), safi2str(ere->safi), same,
 +			    same_count);
 		if (IS_ZEBRA_DEBUG_RIB_DETAILED)
 			route_entry_dump(
@@ -4383,6 +4388,34 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
 		nhe.id = re->nhe_id;
 	n = zebra_nhe_copy(&nhe, 0);
 +
 +	if (re->type == ZEBRA_ROUTE_KERNEL) {
 +		struct interface *ifp;
 +		struct connected *connected;
 +
 +		if (p->family == AF_INET6 &&
 +		    IN6_IS_ADDR_LINKLOCAL(&p->u.prefix6)) {
 +			zebra_nhg_free(n);
 +			zebra_rib_route_entry_free(re);
 +			return -1;
 +		}
 +
 +		ifp = if_lookup_prefix(p, re->vrf_id);
 +		if (ifp) {
 +			connected = connected_lookup_prefix(ifp, p);
 +
 +			if (connected && !CHECK_FLAG(connected->flags,
 +						     ZEBRA_IFA_NOPREFIXROUTE)) {
 +				zebra_nhg_free(n);
 +				zebra_rib_route_entry_free(re);
 +				return -1;
 +			}
 +
 +			if (ifp->ifindex == ng->nexthop->ifindex)
 +				re->type = ZEBRA_ROUTE_CONNECT;
 +		}
 +	}
 +
 	ret = rib_add_multipath_nhe(afi, safi, p, src_p, re, n, startup);
 	/* In error cases, free the route also */
@@ -4458,6 +4491,9 @@ static const char *rib_update_event2str(enum rib_update_event event)
 	const char *ret = "UNKNOWN";
 	switch (event) {
 +	case RIB_UPDATE_INTERFACE_DOWN:
 +		ret = "RIB_UPDATE_INTERFACE_DOWN";
 +		break;
 	case RIB_UPDATE_KERNEL:
 		ret = "RIB_UPDATE_KERNEL";
 		break;
@@ -4474,15 +4510,56 @@ static const char *rib_update_event2str(enum rib_update_event event)
 	return ret;
 }
 +/*
 + * We now keep kernel routes, but we don't have any
 + * trigger events for them when they are implicitly
 + * deleted.  Since we are already walking the
 + * entire table on a down event let's look at
 + * the few kernel routes we may have
 + */
 +static void
 +rib_update_handle_kernel_route_down_possibility(struct route_node *rn,
 +						struct route_entry *re)
 +{
 +	struct nexthop *nexthop = NULL;
 +	bool alive = false;
 +
 +	for (ALL_NEXTHOPS(re->nhe->nhg, nexthop)) {
 +		struct interface *ifp = if_lookup_by_index(nexthop->ifindex,
 +							   nexthop->vrf_id);
 +
 +		if (ifp && if_is_up(ifp)) {
 +			alive = true;
 +			break;
 +		}
 +	}
 +
 +	if (!alive) {
 +		struct rib_table_info *rib_table = srcdest_rnode_table_info(rn);
 +		const struct prefix *p;
 +		const struct prefix_ipv6 *src_p;
 +
 +		srcdest_rnode_prefixes(rn, &p, (const struct prefix **)&src_p);
 +
 +		rib_delete(rib_table->afi, rib_table->safi, re->vrf_id,
 +			   re->type, re->instance, re->flags, p, src_p, NULL, 0,
 +			   re->table, re->metric, re->distance, true);
 +	}
 +}
 +
 /* Schedule route nodes to be processed if they match the type */
 -static void rib_update_route_node(struct route_node *rn, int type)
 +static void rib_update_route_node(struct route_node *rn, int type,
 +				  enum rib_update_event event)
 {
 	struct route_entry *re, *next;
 	bool re_changed = false;
 	RNODE_FOREACH_RE_SAFE (rn, re, next) {
 -		if (type == ZEBRA_ROUTE_ALL || type == re->type) {
 +		if (event == RIB_UPDATE_INTERFACE_DOWN && type == re->type &&
 +		    type == ZEBRA_ROUTE_KERNEL)
 +			rib_update_handle_kernel_route_down_possibility(rn, re);
 +		else if (type == ZEBRA_ROUTE_ALL || type == re->type) {
 			SET_FLAG(re->status, ROUTE_ENTRY_CHANGED);
 			re_changed = true;
 		}
@@ -4522,20 +4599,24 @@ void rib_update_table(struct route_table *table, enum rib_update_event event,
 		/*
 		 * If we are looking at a route node and the node
 		 * has already been queued  we don't
 -		 * need to queue it up again
 +		 * need to queue it up again, unless it is
 +		 * an interface down event as that we need
 +		 * to process this no matter what.
 		 */
 -		if (rn->info
 -		    && CHECK_FLAG(rib_dest_from_rnode(rn)->flags,
 -				  RIB_ROUTE_ANY_QUEUED))
 +		if (rn->info &&
 +		    CHECK_FLAG(rib_dest_from_rnode(rn)->flags,
 +			       RIB_ROUTE_ANY_QUEUED) &&
 +		    event != RIB_UPDATE_INTERFACE_DOWN)
 			continue;
 		switch (event) {
 +		case RIB_UPDATE_INTERFACE_DOWN:
 		case RIB_UPDATE_KERNEL:
 -			rib_update_route_node(rn, ZEBRA_ROUTE_KERNEL);
 +			rib_update_route_node(rn, ZEBRA_ROUTE_KERNEL, event);
 			break;
 		case RIB_UPDATE_RMAP_CHANGE:
 		case RIB_UPDATE_OTHER:
 -			rib_update_route_node(rn, rtype);
 +			rib_update_route_node(rn, rtype, event);
 			break;
 		case RIB_UPDATE_MAX:
 			break;
 From 9bc0cd8241f39e4fd751edfa52c09fae6db2db1c Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Wed, 26 Jun 2024 13:21:38 -0400
 Subject: [PATCH 4/5] zebra: Prevent accidental re memory leak in odd case
 There exists a path in rib_add_multipath where if a decision
 is made to not use the passed in re, we just drop the memory
 instead of freeing it.  Let's free it.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 zebra/zebra_rib.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
 index 2d6c5148833a..b4baee148aef 100644
 --- a/zebra/zebra_rib.c
 +++ b/zebra/zebra_rib.c
@@ -4375,8 +4375,10 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
 		return -1;
 	/* We either need nexthop(s) or an existing nexthop id */
 -	if (ng == NULL && re->nhe_id == 0)
 +	if (ng == NULL && re->nhe_id == 0) {
 +		zebra_rib_route_entry_free(re);
 		return -1;
 +	}
 	/*
 	 * Use a temporary nhe to convey info to the common/main api.
 From 37dd51867f2b98f0fb616fc3cf9922240346fd19 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Thu, 15 Aug 2024 16:02:55 -0400
 Subject: [PATCH 5/5] tests: Add some tests to show new behavior works as
 expected
 a) A noprefix address by itself should not create a connected route.
   This was pre-existing.
 b) A noprefix address with a corresponding route should result in a
   connected route.  This is how NetworkManager appears to work.
   This is new behavior, so a new test.
 c) A route is added to the system from someone else.
   This is new behavior, so a new test.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 .../r1/ip_route_connected.json                | 24 +++++++++++
 .../r1/ip_route_kernel.json                   | 24 +++++++++++
 .../test_zebra_multiple_connected.py          | 43 +++++++++++++++++++
 3 files changed, 91 insertions(+)
 create mode 100644 tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
 create mode 100644 tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
 diff --git a/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json b/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
 new file mode 100644
 index 000000000000..db03ce84a6a4
 --- /dev/null
 +++ b/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
@@ -0,0 +1,24 @@
 +{
 + "192.168.44.0/24":[
 +    {
 +      "prefix":"192.168.44.0/24",
 +      "prefixLen":24,
 +      "protocol":"connected",
 +      "vrfName":"default",
 +      "selected":true,
 +      "destSelected":true,
 +      "distance":0,
 +      "metric":0,
 +      "installed":true,
 +      "table":254,
 +      "nexthops":[
 +        {
 +            "fib":true,
 +            "directlyConnected":true,
 +            "interfaceName":"r1-eth1",
 +            "active":true
 +        }
 +      ]
 +    }
 +  ]
 +}
 diff --git a/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json b/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
 new file mode 100644
 index 000000000000..22465cb477d3
 --- /dev/null
 +++ b/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
@@ -0,0 +1,24 @@
 +{
 +  "4.5.6.7/32":[
 +    {
 +      "prefix":"4.5.6.7/32",
 +      "prefixLen":32,
 +      "protocol":"kernel",
 +      "vrfName":"default",
 +      "selected":true,
 +      "destSelected":true,
 +      "distance":0,
 +      "metric":0,
 +      "installed":true,
 +      "table":254,
 +      "nexthops":[
 +        {
 +          "fib":true,
 +          "directlyConnected":true,
 +          "interfaceName":"r1-eth1",
 +          "active":true
 +        }
 +      ]
 +    }
 +  ]
 +}
 diff --git a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
 index dc47527c74c2..7dbeb6f1ccb3 100644
 --- a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
 +++ b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
@@ -19,6 +19,9 @@
 import pytest
 import json
 from functools import partial
 +from lib.topolog import logger
 +
 +pytestmark = pytest.mark.random_order(disabled=True)
 # Save the Current Working Directory to find configuration files.
 CWD = os.path.dirname(os.path.realpath(__file__))
@@ -159,6 +162,46 @@ def test_zebra_noprefix_connected():
     assert result, "Connected Route should not have been added"
 +def test_zebra_noprefix_connected_add():
 +    "Test that a noprefixroute created with a manual route works as expected, this is for NetworkManager"
 +
 +    tgen = get_topogen()
 +    if tgen.routers_have_failure():
 +        pytest.skip(tgen.errors)
 +
 +    router = tgen.gears["r1"]
 +    router.run("ip route add 192.168.44.0/24 dev r1-eth1")
 +
 +    connected = "{}/{}/ip_route_connected.json".format(CWD, router.name)
 +    expected = json.loads(open(connected).read())
 +
 +    test_func = partial(
 +        topotest.router_json_cmp, router, "show ip route 192.168.44.0/24 json", expected
 +    )
 +    result, _ = topotest.run_and_expect(test_func, None, count=20, wait=1)
 +    assert result, "Connected Route should have been added\n{}".format(_)
 +
 +
 +def test_zebra_kernel_route_add():
 +    "Test that a random kernel route is properly handled as expected"
 +
 +    tgen = get_topogen()
 +    if tgen.routers_have_failure():
 +        pytest.skip(tgen.errors)
 +
 +    router = tgen.gears["r1"]
 +    router.run("ip route add 4.5.6.7/32 dev r1-eth1")
 +
 +    kernel = "{}/{}/ip_route_kernel.json".format(CWD, router.name)
 +    expected = json.loads(open(kernel).read())
 +
 +    test_func = partial(
 +        topotest.router_json_cmp, router, "show ip route 4.5.6.7/32 json", expected
 +    )
 +    result, _ = topotest.run_and_expect(test_func, None, count=20, wait=1)
 +    assert result, "Connected Route should have been added\n{}".format(_)
 +
 +
 if __name__ == "__main__":
     args = ["-s"] + sys.argv[1:]
     sys.exit(pytest.main(args))
--- a/SOURCES/0007-CVE-2024-44070.patch
+++ b/SOURCES/0007-CVE-2024-44070.patch
@ -1,48 +0,0 @@
 From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Wed, 31 Jul 2024 08:35:14 +0300
 Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
 TLV value
 ```
    0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
    1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
    2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
    3 0xe0d12d7469cc  (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
    4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
    5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
    6 0xe0d12c83712c in abort stdlib/abort.c:79:7
    7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
    8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
    9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
    10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
    11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
    12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
    13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
 ```
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgp_attr.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index 2ed49935e52b..ac5d08b6fe6e 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 						  args->total);
 		}
 +		if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
 +			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
 +				 sublength, STREAM_READABLE(BGP_INPUT(peer)));
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 +		}
 +
 		/* alloc and copy sub-tlv */
 		/* TBD make sure these are freed when attributes are released */
 		tlv = XCALLOC(MTYPE_ENCAP_TLV,
--- a/SOURCES/0007-cve-2022-37032.patch
+++ b/SOURCES/0007-cve-2022-37032.patch
@ -0,0 +1,32 @@
 From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Thu, 21 Jul 2022 08:11:58 -0400
 Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
 expected
 Ensure that if the capability length specified is enough data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_packet.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index dbf6c0b2e99..45752a8ab6d 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
 				"%s CAPABILITY has action: %d, code: %u, length %u",
 				peer->host, action, hdr->code, hdr->length);
 +		if (hdr->length < sizeof(struct capability_mp_data)) {
 +			zlog_info(
 +				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
 +				peer, sizeof(struct capability_mp_data),
 +				hdr->length);
 +			return BGP_Stop;
 +		}
 +
 		/* Capability length check. */
 		if ((pnt + hdr->length + 3) > end) {
 			zlog_info("%s Capability length error", peer->host);
--- a/SOURCES/0008-frr-non-root-user.patch
+++ b/SOURCES/0008-frr-non-root-user.patch
@ -0,0 +1,67 @@
 From 1d42fb941af17a29346b2af03338f8e18470f009 Mon Sep 17 00:00:00 2001
 From: Michal Ruprich <michalruprich@gmail.com>
 Date: Tue, 22 Nov 2022 12:38:05 +0100
 Subject: [PATCH] tools: Enable start of FRR for non-root user
 There might be use cases when this would make sense, for example
 running FRR in a container as a designated user.
 Signed-off-by: Michal Ruprich <mruprich@redhat.com>
 ---
 tools/etc/frr/daemons | 5 +++++
 tools/frrcommon.sh.in | 4 ++++
 2 files changed, 9 insertions(+)
 diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
 index 8aa08871e35..2427bfff777 100644
 --- a/tools/etc/frr/daemons
 +++ b/tools/etc/frr/daemons
@@ -91,6 +91,12 @@ pathd_options="  -A 127.0.0.1"
 # say BGP.
 #MAX_FDS=1024
 +# Uncomment this option if you want to run FRR as a non-root user. Note that
 +# you should know what you are doing since most of the daemons need root
 +# to work. This could be useful if you want to run FRR in a container
 +# for instance.
 +# FRR_NO_ROOT="yes"
 +
 # The list of daemons to watch is automatically generated by the init script.
 #watchfrr_options=""
 diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
 index 3c16c27c6df..4f095a176e4 100755
 --- a/tools/frrcommon.sh.in
 +++ b/tools/frrcommon.sh.in
@@ -43,6 +43,10 @@ RELOAD_SCRIPT="$D_PATH/frr-reload.py"
 #
 is_user_root () {
 +	if [[ ! -z $FRR_NO_ROOT  &&  "${FRR_NO_ROOT}" == "yes" ]]; then
 +		return 0
 +	fi
 +
 	[ "${EUID:-$(id -u)}" -eq 0 ] || {
 		log_failure_msg "Only users having EUID=0 can start/stop daemons"
 		return 1
 diff --git a/doc/user/setup.rst b/doc/user/setup.rst
 index 25934df..51ffd32 100644
 --- a/doc/user/setup.rst
 +++ b/doc/user/setup.rst
@@ -114,6 +114,16 @@ most operating systems is 1024.  If the operator plans to run bgp with
 several thousands of peers than this is where we would modify FRR to
 allow this to happen.
 +::
 +
 +  FRR_NO_ROOT="yes"
 +
 +This option allows you to run FRR as a non-root user. Use this option
 +only when you know what you are doing since most of the daemons
 +in FRR will not be able to run under a regular user. This option
 +is useful for example when you run FRR in a container with a designated
 +user instead of root.
 +
 ::
    zebra_options=" -s 90000000 --daemon -A 127.0.0.1"
--- a/SOURCES/0009-CVE-2022-36440-40302.patch
+++ b/SOURCES/0009-CVE-2022-36440-40302.patch
@ -0,0 +1,59 @@
 From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 30 Sep 2022 08:51:45 -0400
 Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
 peek_for_as4_capability
 In peek_for_as4_capability the code is checking that the
 stream has at least 2 bytes to read ( the opt_type and the
 opt_length ).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 is configured then FRR is reading 3 bytes.  Which is not good
 since the packet could be badly formated.  Ensure that
 FRR has the appropriate data length to read the data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_open.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
 diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
 index 7248f034a5a..a760a7ca013 100644
 --- a/bgpd/bgp_open.c
 +++ b/bgpd/bgp_open.c
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
 		uint8_t opt_type;
 		uint16_t opt_length;
 -		/* Check the length. */
 -		if (stream_get_getp(s) + 2 > end)
 +		/* Ensure we can read the option type */
 +		if (stream_get_getp(s) + 1 > end)
 			goto end;
 -		/* Fetch option type and length. */
 +		/* Fetch the option type */
 		opt_type = stream_getc(s);
 -		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 -				     ? stream_getw(s)
 -				     : stream_getc(s);
 +
 +		/*
 +		 * Check the length and fetch the opt_length
 +		 * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 +		 * then we do a getw which is 2 bytes.  So we need to
 +		 * ensure that we can read that as well
 +		 */
 +		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
 +			if (stream_get_getp(s) + 2 > end)
 +				goto end;
 +
 +			opt_length = stream_getw(s);
 +		} else {
 +			if (stream_get_getp(s) + 1 > end)
 +				goto end;
 +
 +			opt_length = stream_getc(s);
 +		}
 		/* Option length check. */
 		if (stream_get_getp(s) + opt_length > end)
--- a/SOURCES/0010-CVE-2022-43681.patch
+++ b/SOURCES/0010-CVE-2022-43681.patch
@ -0,0 +1,47 @@
 From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Wed, 2 Nov 2022 13:24:48 -0400
 Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
 read
 If a operator receives an invalid packet that is of insufficient size
 then it is possible for BGP to assert during reading of the packet
 instead of gracefully resetting the connection with the peer.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_packet.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index 769f9613da8..72d6a923175 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
 	    || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
 		uint8_t opttype;
 +		if (STREAM_READABLE(peer->curr) < 1) {
 +			flog_err(
 +				EC_BGP_PKT_OPEN,
 +				"%s: stream does not have enough bytes for extended optional parameters",
 +				peer->host);
 +			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +			return BGP_Stop;
 +		}
 +
 		opttype = stream_getc(peer->curr);
 		if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
 +			if (STREAM_READABLE(peer->curr) < 2) {
 +				flog_err(
 +					EC_BGP_PKT_OPEN,
 +					"%s: stream does not have enough bytes to read the extended optional parameters optlen",
 +					peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return BGP_Stop;
 +			}
 			optlen = stream_getw(peer->curr);
 			SET_FLAG(peer->sflags,
 				 PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
--- a/SOURCES/0011-CVE-2022-40318.patch
+++ b/SOURCES/0011-CVE-2022-40318.patch
@ -0,0 +1,70 @@
 From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 30 Sep 2022 08:57:43 -0400
 Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
 bgp_open_option_parse
 In bgp_open_option_parse the code is checking that the
 stream has at least 2 bytes to read ( the opt_type and
 the opt_length).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 is configured then FRR is reading 3 bytes.  Which is not good
 since the packet could be badly formateed.  Ensure that
 FRR has the appropriate data length to read the data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
 diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
 index a760a7ca013..d1667fac261 100644
 --- a/bgpd/bgp_open.c
 +++ b/bgpd/bgp_open.c
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
 		uint8_t opt_type;
 		uint16_t opt_length;
 -		/* Must have at least an OPEN option header */
 -		if (STREAM_READABLE(s) < 2) {
 +		/*
 +		 * Check that we can read the opt_type and fetch it
 +		 */
 +		if (STREAM_READABLE(s) < 1) {
 			zlog_info("%s Option length error", peer->host);
 			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 			return -1;
 		}
 -
 -		/* Fetch option type and length. */
 		opt_type = stream_getc(s);
 -		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 -				     ? stream_getw(s)
 -				     : stream_getc(s);
 +
 +		/*
 +		 * Check the length of the stream to ensure that
 +		 * FRR can properly read the opt_length. Then read it
 +		 */
 +		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
 +			if (STREAM_READABLE(s) < 2) {
 +				zlog_info("%s Option length error", peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return -1;
 +			}
 +
 +			opt_length = stream_getw(s);
 +		} else {
 +			if (STREAM_READABLE(s) < 1) {
 +				zlog_info("%s Option length error", peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return -1;
 +			}
 +
 +			opt_length = stream_getc(s);
 +		}
 		/* Option length check. */
 		if (STREAM_READABLE(s) < opt_length) {
--- a/SOURCES/0012-bfd-not-working-in-vrf.patch
+++ b/SOURCES/0012-bfd-not-working-in-vrf.patch
@ -0,0 +1,255 @@
 From edc3f63167fd95e4e70287743c9b252415c9336e Mon Sep 17 00:00:00 2001
 From: Philippe Guibert <philippe.guibert@6wind.com>
 Date: Thu, 7 Jul 2022 14:33:48 +0200
 Subject: [PATCH] bfdd: allow l3vrf bfd sessions without udp leaking
 Until now, when in vrf-lite mode, the BFD implementation
 creates a single UDP socket and relies on the following
 sysctl value to 1:
 echo 1 > /proc/sys/net/ipv4/udp_l3mdev_accept
 With this setting, the incoming BFD packets from a given
 vrf, would leak to the default vrf, and would match the
 UDP socket.
 The drawback of this solution is that udp packets received
 on a given vrf may leak to an other vrf. This may be a
 security concern.
 The commit addresses this issue by avoiding this leak
 mechanism. An UDP socket is created for each vrf, and each
 socket uses new setsockopt option: SO_REUSEADDR + SO_REUSEPORT.
 With this option, the incoming UDP packets are distributed on
 the available sockets. The impact of those options with l3mdev
 devices is unknown. It has been observed that this option is not
 needed, until the default vrf sockets are created.
 To ensure the BFD packets are correctly routed to the appropriate
 socket, a BPF filter has been put in place and attached to the
 sockets : SO_ATTACH_REUSEPORT_CBPF. This option adds a criterium
 to force the packet to choose a given socket. If initial criteria
 from the default distribution algorithm were not good, at least
 two sockets would be available, and the CBPF would force the
 selection to the same socket. This would come to the situation
 where an incoming packet would be processed on a different vrf.
 The bpf code is the following one:
 struct sock_filter code[] = {
 { BPF_RET | BPF_K, 0, 0, 0 },
 };
 struct sock_fprog p = {
          .len = sizeof(code)/sizeof(struct sock_filter),
          .filter = code,
 };
 if (setsockopt(sd, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &p, sizeof(p))) {
        zlog_warn("unable to set SO_ATTACH_REUSEPORT_CBPF on socket: %s",
                  strerror(errno));
        return -1;
 }
 Some tests have been done with by creating vrf contexts, and by using
 the below vtysh configuration:
 ip route 2.2.2.2/32 10.126.0.2
 vrf vrf2
 ip route 2.2.2.2/32 10.126.0.2
 !
 interface ntfp2
 ip address 10.126.0.1/24
 !
 interface ntfp3 vrf vrf4
 ip address 10.126.0.1/24
 !
 interface ntfp2 vrf vrf1
 ip address 10.126.0.1/24
 !
 interface ntfp2.100 vrf vrf2
 ip address 10.126.0.1/24
 !
 interface ntfp2.200 vrf vrf3
 ip address 10.126.0.1/24
 !
 line vty
 !
 bfd
 peer 10.126.0.2 vrf vrf2
 !
 peer 10.126.0.2 vrf vrf3
 !
 peer 10.126.0.2
 !
 peer 10.126.0.2 vrf vrf4
 !
 peer 2.2.2.2 multihop local-address 1.1.1.1
 !
 peer 2.2.2.2 multihop local-address 1.1.1.1 vrf vrf2
  transmit-interval 1500
  receive-interval 1500
 !
 The results showed no issue related to packets received by
 the wrong vrf. Even changing the udp_l3mdev_accept flag to
 1 did not change the test results.
 Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
 ---
 bfdd/bfd.c        | 66 +++++++++++++++++++++++------------------------
 bfdd/bfd_packet.c | 45 ++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 34 deletions(-)
 diff --git a/bfdd/bfd.c b/bfdd/bfd.c
 index 483beb1b17c..a1619263588 100644
 --- a/bfdd/bfd.c
 +++ b/bfdd/bfd.c
@@ -1950,40 +1950,38 @@ static int bfd_vrf_enable(struct vrf *vrf)
 	if (bglobal.debug_zebra)
 		zlog_debug("VRF enable add %s id %u", vrf->name, vrf->vrf_id);
 -	if (vrf->vrf_id == VRF_DEFAULT ||
 -	    vrf_get_backend() == VRF_BACKEND_NETNS) {
 -		if (!bvrf->bg_shop)
 -			bvrf->bg_shop = bp_udp_shop(vrf);
 -		if (!bvrf->bg_mhop)
 -			bvrf->bg_mhop = bp_udp_mhop(vrf);
 -		if (!bvrf->bg_shop6)
 -			bvrf->bg_shop6 = bp_udp6_shop(vrf);
 -		if (!bvrf->bg_mhop6)
 -			bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
 -		if (!bvrf->bg_echo)
 -			bvrf->bg_echo = bp_echo_socket(vrf);
 -		if (!bvrf->bg_echov6)
 -			bvrf->bg_echov6 = bp_echov6_socket(vrf);
 -
 -		if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_shop, &bvrf->bg_ev[0]);
 -		if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_mhop, &bvrf->bg_ev[1]);
 -		if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_shop6, &bvrf->bg_ev[2]);
 -		if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_mhop6, &bvrf->bg_ev[3]);
 -		if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_echo, &bvrf->bg_ev[4]);
 -		if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_echov6, &bvrf->bg_ev[5]);
 -	}
 +	if (!bvrf->bg_shop)
 +		bvrf->bg_shop = bp_udp_shop(vrf);
 +	if (!bvrf->bg_mhop)
 +		bvrf->bg_mhop = bp_udp_mhop(vrf);
 +	if (!bvrf->bg_shop6)
 +		bvrf->bg_shop6 = bp_udp6_shop(vrf);
 +	if (!bvrf->bg_mhop6)
 +		bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
 +	if (!bvrf->bg_echo)
 +		bvrf->bg_echo = bp_echo_socket(vrf);
 +	if (!bvrf->bg_echov6)
 +		bvrf->bg_echov6 = bp_echov6_socket(vrf);
 +
 +	if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop,
 +				&bvrf->bg_ev[0]);
 +	if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop,
 +				&bvrf->bg_ev[1]);
 +	if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop6,
 +				&bvrf->bg_ev[2]);
 +	if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop6,
 +				&bvrf->bg_ev[3]);
 +	if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echo,
 +				&bvrf->bg_ev[4]);
 +	if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echov6,
 +				&bvrf->bg_ev[5]);
 +
 	if (vrf->vrf_id != VRF_DEFAULT) {
 		bfdd_zclient_register(vrf->vrf_id);
 		bfdd_sessions_enable_vrf(vrf);
 diff --git a/bfdd/bfd_packet.c b/bfdd/bfd_packet.c
 index d34d6427628..054a9bfbf21 100644
 --- a/bfdd/bfd_packet.c
 +++ b/bfdd/bfd_packet.c
@@ -876,6 +876,14 @@ void bfd_recv_cb(struct thread *t)
 			 "no session found");
 		return;
 	}
 +	/*
 +	 * We may have a situation where received packet is on wrong vrf
 +	 */
 +	if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf) {
 +		cp_debug(is_mhop, &peer, &local, ifindex, vrfid,
 +			 "wrong vrfid.");
 +		return;
 +	}
 	/* Ensure that existing good sessions are not overridden. */
 	if (!cp->discrs.remote_discr && bfd->ses_state != PTM_BFD_DOWN &&
@@ -1208,10 +1216,41 @@ int bp_set_tos(int sd, uint8_t value)
 	return 0;
 }
 +static bool bp_set_reuse_addr(int sd)
 +{
 +	int one = 1;
 +
 +	if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == -1) {
 +		zlog_warn("set-reuse-addr: setsockopt(SO_REUSEADDR, %d): %s",
 +			  one, strerror(errno));
 +		return false;
 +	}
 +	return true;
 +}
 +
 +static bool bp_set_reuse_port(int sd)
 +{
 +	int one = 1;
 +
 +	if (setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) == -1) {
 +		zlog_warn("set-reuse-port: setsockopt(SO_REUSEPORT, %d): %s",
 +			  one, strerror(errno));
 +		return false;
 +	}
 +	return true;
 +}
 +
 +
 static void bp_set_ipopts(int sd)
 {
 	int rcvttl = BFD_RCV_TTL_VAL;
 +	if (!bp_set_reuse_addr(sd))
 +		zlog_fatal("set-reuse-addr: failed");
 +
 +	if (!bp_set_reuse_port(sd))
 +		zlog_fatal("set-reuse-port: failed");
 +
 	if (bp_set_ttl(sd, BFD_TTL_VAL) != 0)
 		zlog_fatal("set-ipopts: TTL configuration failed");
@@ -1453,6 +1492,12 @@ static void bp_set_ipv6opts(int sd)
 	int ipv6_pktinfo = BFD_IPV6_PKT_INFO_VAL;
 	int ipv6_only = BFD_IPV6_ONLY_VAL;
 +	if (!bp_set_reuse_addr(sd))
 +		zlog_fatal("set-reuse-addr: failed");
 +
 +	if (!bp_set_reuse_port(sd))
 +		zlog_fatal("set-reuse-port: failed");
 +
 	if (bp_set_ttlv6(sd, BFD_TTL_VAL) == -1)
 		zlog_fatal(
 			"set-ipv6opts: setsockopt(IPV6_UNICAST_HOPS, %d): %s",
--- a/SOURCES/0013-CVE-2023-38802.patch
+++ b/SOURCES/0013-CVE-2023-38802.patch
@ -0,0 +1,129 @@
 From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Thu, 13 Jul 2023 22:32:03 +0300
 Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
 attribute
 Before this path we used session reset method, which is discouraged by rfc7606.
 Handle this as rfc requires.
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 (cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
 ---
 bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
 1 file changed, 25 insertions(+), 36 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index 058fae23cbd..1c0803cfd8e 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
 	case BGP_ATTR_LARGE_COMMUNITIES:
 	case BGP_ATTR_ORIGINATOR_ID:
 	case BGP_ATTR_CLUSTER_LIST:
 +	case BGP_ATTR_ENCAP:
 		return BGP_ATTR_PARSE_WITHDRAW;
 	case BGP_ATTR_MP_REACH_NLRI:
 	case BGP_ATTR_MP_UNREACH_NLRI:
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
 }
 /* Parse Tunnel Encap attribute in an UPDATE */
 -static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 -			  bgp_size_t length, /* IN: attr's length field */
 -			  struct attr *attr, /* IN: caller already allocated */
 -			  uint8_t flag,      /* IN: attr's flags field */
 -			  uint8_t *startp)
 +static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 {
 -	bgp_size_t total;
 	uint16_t tunneltype = 0;
 -
 -	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
 +	struct peer *const peer = args->peer;
 +	struct attr *const attr = args->attr;
 +	bgp_size_t length = args->length;
 +	uint8_t type = args->type;
 +	uint8_t flag = args->flags;
 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
 -		zlog_info(
 -			"Tunnel Encap attribute flag isn't optional and transitive %d",
 -			flag);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
 +			 flag);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
 	if (BGP_ATTR_ENCAP == type) {
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 		uint16_t tlv_length;
 		if (length < 4) {
 -			zlog_info(
 +			zlog_err(
 				"Tunnel Encap attribute not long enough to contain outer T,L");
 -			bgp_notify_send_with_data(
 -				peer, BGP_NOTIFY_UPDATE_ERR,
 -				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
 -			return -1;
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 		}
 		tunneltype = stream_getw(BGP_INPUT(peer));
 		tlv_length = stream_getw(BGP_INPUT(peer));
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 		}
 		if (sublength > length) {
 -			zlog_info(
 -				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
 -				sublength, length);
 -			bgp_notify_send_with_data(
 -				peer, BGP_NOTIFY_UPDATE_ERR,
 -				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
 -			return -1;
 +			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
 +				 sublength, length);
 +			return bgp_attr_malformed(args,
 +						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +						  args->total);
 		}
 		/* alloc and copy sub-tlv */
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
 	if (length) {
 		/* spurious leftover data */
 -		zlog_info(
 -			"Tunnel Encap attribute length is bad: %d leftover octets",
 -			length);
 -		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
 -					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 -					  startp, total);
 -		return -1;
 +		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
 +			 length);
 +		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
 +					  args->total);
 	}
 	return 0;
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
 		case BGP_ATTR_VNC:
 #endif
 		case BGP_ATTR_ENCAP:
 -			ret = bgp_attr_encap(type, peer, length, attr, flag,
 -					     startp);
 +			ret = bgp_attr_encap(&attr_args);
 			break;
 		case BGP_ATTR_PREFIX_SID:
 			ret = bgp_attr_prefix_sid(&attr_args);
--- a/SOURCES/0014-max-ttl-reload.patch
+++ b/SOURCES/0014-max-ttl-reload.patch
@ -0,0 +1,93 @@
 From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001
 From: Donatas Abraitis <donatas@opensourcerouting.org>
 Date: Mon, 21 Aug 2023 00:01:42 +0300
 Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop
 vty output
 1. Create /etc/frr/frr.conf
 ```
 frr version 7.5
 frr defaults traditional
 hostname centos8.localdomain
 no ip forwarding
 no ipv6 forwarding
 service integrated-vtysh-config
 line vty
 router bgp 4250001000
  neighbor 192.168.122.207 remote-as 65512
  neighbor 192.168.122.207 ebgp-multihop
 ```
 2. Start FRR
 `# systemctl start frr
 `
 3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225)
 ```
 Building configuration...
 Current configuration:
 !
 frr version 7.5
 frr defaults traditional
 hostname centos8.localdomain
 no ip forwarding
 no ipv6 forwarding
 service integrated-vtysh-config
 !
 router bgp 4250001000
 neighbor 192.168.122.207 remote-as 65512
 neighbor 192.168.122.207 ebgp-multihop 255
 !
 line vty
 !
 end
 ```
 4. Copy initial frr.conf to frr.conf.new (no changes)
 `# cp /etc/frr/frr.conf /root/frr.conf.new
 `
 5. Run frr-reload.sh:
 ```
 $ /usr/lib/frr/frr-reload.py --test  /root/frr.conf.new
 2023-08-20 20:15:48,050  INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)"
 2023-08-20 20:15:48,050  INFO: Loading Config object from file /root/frr.conf.new
 2023-08-20 20:15:48,124  INFO: Loading Config object from vtysh show running
 Lines To Delete
 ===============
 router bgp 4250001000
 no neighbor 192.168.122.207 ebgp-multihop 255
 Lines To Add
 ============
 router bgp 4250001000
 neighbor 192.168.122.207 ebgp-multihop
 ```
 Closes https://github.com/FRRouting/frr/issues/14242
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 ---
 bgpd/bgp_vty.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
 index be0fe4283747..c9a9255f3392 100644
 --- a/bgpd/bgp_vty.c
 +++ b/bgpd/bgp_vty.c
@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
 	    && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED
 		 && peer->ttl == MAXTTL)) {
 		if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) {
 -			vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr,
 -				peer->ttl);
 +			if (peer->ttl != MAXTTL)
 +				vty_out(vty, " neighbor %s ebgp-multihop %d\n",
 +					addr, peer->ttl);
 +			else
 +				vty_out(vty, " neighbor %s ebgp-multihop\n",
 +					addr);
 		}
 	}
--- a/SOURCES/0015-CVE-2023-47235.patch
+++ b/SOURCES/0015-CVE-2023-47235.patch
@ -0,0 +1,110 @@
 From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 13 Dec 2023 16:59:46 +0100
 Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of 
 malformed attrs
 Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
 processed as a normal UPDATE without mandatory attributes, that could lead
 to harmful behavior. In this case, a crash for route-maps with the configuration
 such as:
 ```
 router bgp 65001
 no bgp ebgp-requires-policy
 neighbor 127.0.0.1 remote-as external
 neighbor 127.0.0.1 passive
 neighbor 127.0.0.1 ebgp-multihop
 neighbor 127.0.0.1 disable-connected-check
 neighbor 127.0.0.1 update-source 127.0.0.2
 neighbor 127.0.0.1 timers 3 90
 neighbor 127.0.0.1 timers connect 1
 !
 address-family ipv4 unicast
  neighbor 127.0.0.1 addpath-tx-all-paths
  neighbor 127.0.0.1 default-originate
  neighbor 127.0.0.1 route-map RM_IN in
 exit-address-family
 exit
 !
 route-map RM_IN permit 10
 set as-path prepend 200
 exit
 ```
 Send a malformed optional transitive attribute:
 ```
 import socket
 import time
 OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
 b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
 b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
 b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
 b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
 b"\x80\x00\x00\x00")
 KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
 b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
 UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect(('127.0.0.2', 179))
 s.send(OPEN)
 data = s.recv(1024)
 s.send(KEEPALIVE)
 data = s.recv(1024)
 s.send(UPDATE)
 data = s.recv(1024)
 time.sleep(100)
 s.close()
 ```
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 (cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
 ---
 bgpd/bgp_attr.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index a121911..12a6953 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
 	uint8_t type = 0;
 	/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
 -	 * empty UPDATE.  */
 +	 * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
 +	 * we will pass it to be processed as a normal UPDATE without mandatory
 +	 * attributes, that could lead to harmful behavior.
 +	 */
 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
 -		return BGP_ATTR_PARSE_PROCEED;
 +		return BGP_ATTR_PARSE_WITHDRAW;
 	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
 	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
@@ -3507,7 +3510,13 @@ done:
 	aspath_unintern(&as4_path);
 	transit = bgp_attr_get_transit(attr);
 -	if (ret != BGP_ATTR_PARSE_ERROR) {
 +	/* If we received an UPDATE with mandatory attributes, then
 +	 * the unrecognized transitive optional attribute of that
 +	 * path MUST be passed. Otherwise, it's an error, and from
 +	 * security perspective it might be very harmful if we continue
 +	 * here with the unrecognized attributes.
 +	 */
 +	if (ret == BGP_ATTR_PARSE_PROCEED) {
 		/* Finally intern unknown attribute. */
 		if (transit)
 			bgp_attr_set_transit(attr, transit_intern(transit));
 -- 
 2.43.0
--- a/SOURCES/0016-CVE-2023-47234.patch
+++ b/SOURCES/0016-CVE-2023-47234.patch
@ -0,0 +1,95 @@
 From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 13 Dec 2023 18:25:48 +0100
 Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
 If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
 no mandatory path attributes received.
 In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
 as a new data, but without mandatory attributes, it's a malformed packet.
 In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
 handle that.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
 Signed-off-by: Christian Breunig <christian@breunig.cc>
 (cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf)
 ---
 bgpd/bgp_attr.c   | 19 ++++++++++---------
 bgpd/bgp_attr.h   |  1 +
 bgpd/bgp_packet.c |  7 ++++++-
 3 files changed, 17 insertions(+), 10 deletions(-)
 diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
 index 12a6953..8b02f2c 100644
 --- a/bgpd/bgp_attr.c
 +++ b/bgpd/bgp_attr.c
@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
 	if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
 		return BGP_ATTR_PARSE_WITHDRAW;
 -	/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
 -	   to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
 -	   are present, it should.  Check for any other attribute being present
 -	   instead.
 -	 */
 -	if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
 -	     CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
 -		return BGP_ATTR_PARSE_PROCEED;
 -
 	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
 		type = BGP_ATTR_ORIGIN;
@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
 	    && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
 		type = BGP_ATTR_LOCAL_PREF;
 +	/* An UPDATE message that contains the MP_UNREACH_NLRI is not required
 +	 * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
 +	 * are present, it should. Check for any other attribute being present
 +	 * instead.
 +	 */
 +	if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
 +	    CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
 +		return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
 +			    : BGP_ATTR_PARSE_PROCEED;
 +
 	/* If any of the well-known mandatory attributes are not present
 	 * in an UPDATE message, then "treat-as-withdraw" MUST be used.
 	 */
 diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
 index 06f350b..b9dfec9 100644
 --- a/bgpd/bgp_attr.h
 +++ b/bgpd/bgp_attr.h
@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret {
 	 */
 	BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
 	BGP_ATTR_PARSE_EOR = -4,
 +	BGP_ATTR_PARSE_MISSING_MANDATORY = -5,
 };
 struct bpacket_attr_vec_arr;
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index a5f065a..cdf0734 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size)
 	/* Network Layer Reachability Information. */
 	update_len = end - stream_pnt(s);
 -	if (update_len) {
 +	/* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
 +	 * NLRIs should be handled as a new data. Though, if we received
 +	 * NLRIs without mandatory attributes, they should be ignored.
 +	 */
 +	if (update_len && attribute_len &&
 +	    attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
 		/* Set NLRI portion to structure. */
 		nlris[NLRI_UPDATE].afi = AFI_IP;
 		nlris[NLRI_UPDATE].safi = SAFI_UNICAST;
 -- 
 2.43.0
--- a/SOURCES/0017-CVE-2023-38406.patch
+++ b/SOURCES/0017-CVE-2023-38406.patch
@ -0,0 +1,34 @@
 From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Thu, 23 Feb 2023 13:29:32 -0500
 Subject: [PATCH] bgpd: Flowspec overflow issue
 According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
 Specifying 0 as a length makes BGP get all warm on the inside.  Which
 in this case is not a good thing at all.  Prevent warmth, stay cold
 on the inside.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_flowspec.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
 index 8d5ca5e77779..f9debe43cd45 100644
 --- a/bgpd/bgp_flowspec.c
 +++ b/bgpd/bgp_flowspec.c
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
 				psize);
 			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
 +
 +		if (psize == 0) {
 +			flog_err(EC_BGP_FLOWSPEC_PACKET,
 +				 "Flowspec NLRI length 0 which makes no sense");
 +			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 +		}
 +
 		if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
 			flog_err(
 				EC_BGP_FLOWSPEC_PACKET,
--- a/SOURCES/0018-CVE-2023-38407.patch
+++ b/SOURCES/0018-CVE-2023-38407.patch
@ -0,0 +1,54 @@
 From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 3 Mar 2023 21:58:33 -0500
 Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
 Fixes a couple crashes associated with attempting to read
 beyond the end of the stream.
 Reported-by: Iggy Frankovic <iggyfran@amazon.com>
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_label.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
 index 0cad119af101..c4a5277553ba 100644
 --- a/bgpd/bgp_label.c
 +++ b/bgpd/bgp_label.c
@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
 	uint8_t llen = 0;
 	uint8_t label_depth = 0;
 +	if (plen < BGP_LABEL_BYTES)
 +		return 0;
 +
 	for (; data < lim; data += BGP_LABEL_BYTES) {
 		memcpy(label, data, BGP_LABEL_BYTES);
 		llen += BGP_LABEL_BYTES;
@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 			memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
 			addpath_id = ntohl(addpath_id);
 			pnt += BGP_ADDPATH_ID_LEN;
 +
 +			if (pnt >= lim)
 +				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 		}
 		/* Fetch prefix length. */
@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
 		/* Fill in the labels */
 		llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
 +		if (llen == 0) {
 +			flog_err(
 +				EC_BGP_UPDATE_RCV,
 +				"%s [Error] Update packet error (wrong label length 0)",
 +				peer->host);
 +			bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
 +					BGP_NOTIFY_UPDATE_INVAL_NETWORK);
 +			return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
 +		}
 		p.prefixlen = prefixlen - BSIZE(llen);
 		/* There needs to be at least one label */
--- a/SOURCES/frr.fc
+++ b/SOURCES/frr.fc
@ -6,25 +6,24 @@
 /var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
 /var/lib/frr(/.*)?              gen_context(system_u:object_r:frr_var_lib_t,s0)
-/run/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
 /usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)
--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@ -181,8 +181,8 @@ interface(`frr_admin',`
 ##	</summary>
 ## </param>
 #
-ifndef(`sysnet_watch_ifconfig_run_dirs',`
+ifndef(`sysnet_watch_ifconfig_run',`
-	interface(`sysnet_watch_ifconfig_run_dirs',`
+	interface(`sysnet_watch_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
@ -201,8 +201,8 @@ ifndef(`sysnet_watch_ifconfig_run_dirs',`
 ##	</summary>
 ## </param>
 #
-ifndef(`sysnet_read_ifconfig_run_files',`
+ifndef(`sysnet_read_ifconfig_run',`
-	interface(`sysnet_read_ifconfig_run_files',`
+	interface(`sysnet_read_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
@ -212,23 +212,3 @@ ifndef(`sysnet_read_ifconfig_run_files',`
 		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 	')
 ')
 ########################################
 ## <summary>
 ##	setattr  admin_home_t files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
 ifndef(`userdom_setattr_admin_files',`
 	interface(`userdom_setattr_admin_files',`
 		gen_require(`
 			type admin_home_t;
 		')
 		allow $1 admin_home_t:file setattr;
 	')
 ')
--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@ -27,20 +27,12 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
 type frr_var_lib_t;
 files_type(frr_var_lib_t)
 ########################################
 #
 # frr local policy
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
 allow frr_t self:netlink_generic_socket create;
 allow frr_t self:netlink_generic_socket setopt;
 allow frr_t self:netlink_generic_socket getopt;
 allow frr_t self:netlink_generic_socket getattr;
 allow frr_t self:netlink_generic_socket bind;
 allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
@ -57,10 +49,6 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
 manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
 manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
 files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@ -82,7 +70,6 @@ can_exec(frr_t, frr_exec_t)
 kernel_read_network_state(frr_t)
 kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
 kernel_request_load_module(frr_t)
 auth_use_nsswitch(frr_t)
@ -91,13 +78,11 @@ corecmd_exec_bin(frr_t)
 corenet_tcp_bind_appswitch_emp_port(frr_t)
 corenet_udp_bind_bfd_control_port(frr_t)
 corenet_udp_bind_bfd_echo_port(frr_t)
 corenet_udp_bind_bfd_multi_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
 corenet_tcp_connect_bgp_port(frr_t)
-corenet_tcp_bind_cmadmin_port(frr_t)
+corenet_udp_bind_all_unreserved_ports(frr_t);
 corenet_udp_bind_cmadmin_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
 corenet_tcp_bind_generic_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
 corenet_tcp_bind_priority_e_com_port(frr_t)
 corenet_udp_bind_router_port(frr_t)
 corenet_tcp_bind_qpasa_agent_port(frr_t)
@ -110,13 +95,17 @@ domain_use_interactive_fds(frr_t)
 fs_read_nsfs_files(frr_t)
 sysnet_exec_ifconfig(frr_t)
-sysnet_read_ifconfig_run_files(frr_t)
+sysnet_read_ifconfig_run(frr_t)
-sysnet_watch_ifconfig_run_dirs(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
 ipsec_domtrans_mgmt(frr_t)
 userdom_read_admin_home_files(frr_t)
 init_signal(frr_t)
 unconfined_server_signull(frr_t)
 allow frr_t unconfined_service_t:process signal;
 optional_policy(`
 	logging_send_syslog_msg(frr_t)
 ')
@ -135,5 +124,4 @@ optional_policy(`
 optional_policy(`
 	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
 	userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
 	userdom_setattr_admin_files(frr_t, frr_conf_t, file, ".history_frr")
 ')
--- a/SOURCES/remove-babeld-ldpd.sh
+++ b/SOURCES/remove-babeld-ldpd.sh
@ -0,0 +1,16 @@
 #!/bin/sh
 #this script is used to remove babled and ldpd from the tar sources
 #Usage: sh remove-babeld-ldpd.sh <VERSION>
 #Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file
 VERSION=$1
 TAR=frr-${VERSION}.tar.gz
 DIR=frr-${VERSION}
 echo ${VERSION}
 echo ${TAR}
 echo ${DIR}
 tar -xzf ${TAR}
 rm -rf ${DIR}/babeld ${DIR}/ldpd
 tar -czf ${TAR} ${DIR}
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -1,34 +1,23 @@
 %global frr_libdir %{_libexecdir}/frr
 %global _hardened_build 1
 %global selinuxtype targeted
 %define _legacy_common_support 1
-
+%global selinuxtype targeted
-%bcond grpc %{undefined rhel}
+%bcond_without selinux
 %bcond selinux 1
 Name: frr
-Version:        10.1
+Version: 8.3.1
-Release:        7%{?dist}
+Release: 11%{?checkout}%{?dist}.2
 Summary: Routing daemon
-License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
+License: GPLv2+
 URL: http://www.frrouting.org
 Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1: %{name}-tmpfiles.conf
-Source2:        %{name}-sysusers.conf
+Source2: frr-sysusers.conf
 #Decentralized SELinux policy
 Source3: frr.fc
 Source4: frr.te
 Source5: frr.if
-
+Source6: remove-babeld-ldpd.sh
 Patch0000:      0000-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
 Patch0006:      0006-noprefixroute-network-manager.patch
 Patch0007:      0007-CVE-2024-44070.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@ -38,14 +27,10 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  git-core
 BuildRequires:  groff
 %if %{with grpc}
 BuildRequires:  grpc-devel
 BuildRequires:  grpc-plugins
 %endif
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
-BuildRequires:  libyang-devel >= 2.1.148
+BuildRequires:  libyang-devel >= 2.0.0
 BuildRequires:  make
 BuildRequires:  ncurses
 BuildRequires:  ncurses-devel
@ -61,30 +46,48 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
 BuildRequires:  protobuf-c-devel
 Requires:       ncurses
 Requires: net-snmp
-Requires(post): hostname
+Requires: ncurses
 %{?sysusers_requires_compat}
 Requires(post): systemd
-Requires(postun): systemd
+Requires(post): /sbin/install-info
 Requires(post): hostname
 Requires(preun): systemd
 Requires(preun): /sbin/install-info
 Requires(postun): systemd
 %if 0%{?with_selinux}
 Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 %endif
-Obsoletes:      quagga < 1.2.4-17
+Conflicts: quagga
 Provides: routingdaemon = %{version}-%{release}
 Patch0000: 0000-remove-babeld-and-ldpd.patch
 Patch0002: 0002-enable-openssl.patch
 Patch0003: 0003-disable-eigrp-crypto.patch
 Patch0004: 0004-fips-mode.patch
 Patch0005: 0005-ospf-api.patch
 Patch0006: 0006-graceful-restart.patch
 Patch0007: 0007-cve-2022-37032.patch
 Patch0008: 0008-frr-non-root-user.patch
 Patch0009: 0009-CVE-2022-36440-40302.patch
 Patch0010: 0010-CVE-2022-43681.patch
 Patch0011: 0011-CVE-2022-40318.patch
 Patch0012: 0012-bfd-not-working-in-vrf.patch
 Patch0013: 0013-CVE-2023-38802.patch
 Patch0014: 0014-max-ttl-reload.patch
 Patch0015: 0015-CVE-2023-47235.patch
 Patch0016: 0016-CVE-2023-47234.patch
 Patch0017: 0017-CVE-2023-38406.patch
 Patch0018: 0018-CVE-2023-38407.patch
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
 a multi-server and multi-threaded approach to resolve the current complexity
 of the Internet.
-FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
 EIGRP and BFD.
 FRRouting is a fork of Quagga.
@ -104,11 +107,8 @@ SELinux policy modules for FRR package
 %prep
 %autosetup -S git
 #Selinux
 mkdir selinux
 cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
 # C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
 sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
 %build
 autoreconf -ivf
@ -118,7 +118,7 @@ autoreconf -ivf
    --sysconfdir=%{_sysconfdir}/frr \
    --libdir=%{_libdir}/frr \
    --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/var \
+    --localstatedir=%{_localstatedir}/run/frr \
    --enable-multipath=64 \
    --enable-vtysh=yes \
    --disable-ospfclient \
@ -134,48 +134,46 @@ autoreconf -ivf
    --disable-ldpd \
    --disable-babeld \
    --with-moduledir=%{_libdir}/frr/modules \
    --with-yangmodelsdir=%{_datadir}/frr-yang/ \
    --with-crypto=openssl \
-    --enable-fpm \
+    --enable-fpm
    %{?with_grpc:--enable-grpc}
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
-# Build info documentation
+pushd doc
-%make_build -C doc info
+make info
 popd
 #SELinux policy
 %if 0%{?with_selinux}
 make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
 bzip2 -9 selinux/%{name}.pp
 %endif
 %install
-mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
+mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
-         %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
+         %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
         %{buildroot}%{_unitdir}
 mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
 mkdir -p %{buildroot}%{_tmpfilesdir}
 mkdir -p %{buildroot}%{_sysusersdir}
 %make_install
 # Remove this file, as it is uninstalled and causes errors when building on RH9
-rm -rf %{buildroot}%{_infodir}/dir
+rm -rf %{buildroot}/usr/share/info/dir
 install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-install -p -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -p -m 644 tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
 install -p -m 644 tools/etc/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
 install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
 install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
 install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
 install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
-install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+install -p -m 644 redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
-install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+install -p -m 644 redhat/frr.pam %{buildroot}/etc/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf
 %if 0%{?with_selinux}
 install -D -m 644 selinux/%{name}.pp.bz2 \
        %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
@ -191,16 +189,25 @@ rm -r %{buildroot}%{_includedir}/frr/
 %pre
 %sysusers_create_compat %{SOURCE2}
 exit 0
 %post
 %systemd_post frr.service
 if [ -f %{_infodir}/%{name}.inf* ]; then
    install-info %{_infodir}/frr.info %{_infodir}/dir || :
 fi
 # Create dummy files if they don't exist so basic functions can be used.
 # Only create frr.conf when first installing, otherwise it can change
 # the behavior of the package
 if [ $1 -eq 1 ]; then
    if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
        echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
        chown frr:frr %{_sysconfdir}/frr/frr.conf
        chmod 640 %{_sysconfdir}/frr/frr.conf
    fi
 fi
 #still used by vtysh, this way no error is produced when using vtysh
 if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
@ -209,13 +216,20 @@ if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
    chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
 fi
 %postun
 %systemd_postun_with_restart frr.service
 %preun
 %systemd_preun frr.service
-#SELinux
+#only when removing frr
 if [ $1 -eq 0 ]; then
 	if [ -f %{_infodir}/%{name}.inf* ]; then
    	install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
 	fi
 fi
 %if 0%{?with_selinux}
 %pre selinux
 %selinux_relabel_pre -s %{selinuxtype}
@ -234,41 +248,35 @@ if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{name}
    %selinux_relabel_post -s %{selinuxtype}
 fi
 %endif
 %check
-#this should be temporary, the grpc test is just badly designed
+make check PYTHON=%{__python3}
 rm tests/lib/*grpc*
 %make_build check PYTHON=%{__python3}
 %files
 %defattr(-,root,root)
 %license COPYING
 %doc doc/mpls
 %dir %attr(750,frr,frr) %{_sysconfdir}/frr
-%dir %attr(755,frr,frr) %{_localstatedir}/log/frr
+%dir %attr(755,frr,frr) /var/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man1/frr.1*
+%{_mandir}/man*/*
 %{_mandir}/man1/vtysh.1*
 %{_mandir}/man8/frr-*.8*
 %{_mandir}/man8/mtracebis.8*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/mtracebis
+%{_bindir}/*
 %{_bindir}/vtysh
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
 %{_libdir}/frr/modules/*
-%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/frr
+%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
-%config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
+%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
-%config(noreplace) %{_sysconfdir}/pam.d/frr
+%config(noreplace) /etc/pam.d/frr
 %{_unitdir}/*.service
-%dir %{_datadir}/frr-yang/
+%dir /usr/share/yang
-%{_datadir}/frr-yang/*.yang
+/usr/share/yang/*.yang
 %{_tmpfilesdir}/%{name}.conf
-%{_sysusersdir}/%{name}.conf
+%{_sysusersdir}/frr.conf
 %if 0%{?with_selinux}
 %files selinux
@ -278,252 +286,112 @@ rm tests/lib/*grpc*
 %endif
 %changelog
-* Tue Nov 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-7
+* Thu Dec 21 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-54674 - Function bgpd/bgp_attr.c does not check the actual remaining stream length
+- Resolves: RHEL-17480 - Out of bounds read in bgpd/bgp_label.c
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.1-6
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
 * Wed Oct 23 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-5
 - Resolves: RHEL-59899 - Replace NetworkManager patch in the current version
 * Mon Sep 09 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
 - Resolves: RHEL-56074 - frr AVCs after rebase to 10.1
 * Mon Aug 26 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-3
 - Related: RHEL-55747 - Adding libs_manage_lib_dirs for handling lib_t
 * Sun Aug 25 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
 - Related: RHEL-55747 - Adding new selinux rules
 * Thu Aug 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
 - New version 10.1
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 9.1-11
 - Bump release for June 2024 mass rebuild
 * Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-10
 - Resolves: RHEL-32134 - buffer overflow and daemon crash in ospf_te_parse_ri
-* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-9
+* Thu Dec 21 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link
+- Resolves: RHEL-17474 - Flowspec overflow in bgpd/bgp_flowspec.c
-* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-8
+* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service
+- Resolves: RHEL-17471 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
-* Mon May 27 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-7
+* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.2
- Resolves: RHEL-38834 - Missing selinux rules for .history_frr file for FRR
+- Resolves: RHEL-17477 - crash from malformed EOR-containing BGP UPDATE message
-* Thu Apr 18 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-6
+* Wed Oct 11 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11.1
- Resolves: RHEL-32128 - infinite loop
+- Resolves: RHEL-11665 - eBGP multihop peer flapping due to delta miscalculation of new configuration
-* Thu Apr 18 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-5
+* Wed Sep 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11
- Resolves: RHEL-32125 - bgpd daemon crash
+- Resolves: #2231001 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
-* Tue Apr 16 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-4
+* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
- Moving yang modules to an frr specific directory to avoid conflicts
+- Related: #2216912 - adding sys_admin to capabilities
 - Adding rpminspect.yaml
-* Thu Apr 11 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-3
+* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
- Resolves: RHEL-32502 - frr fails to start: SELinux is preventing watchfrr from create access on the sock_file
+- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
-* Sun Feb 04 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1-2
+* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
- Rebuilt for abseil-cpp-20240116.0
+- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
-* Thu Jan 25 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-1
+* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
- New version 9.1
+- Resolves: #2168855 - BFD not working through VRF
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-3
+* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
 - Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
 - Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
 - Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-2
+* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Resolves: #2147522 - It is not possible to run FRR as a non-root user
-* Mon Oct 16 2023 Michal Ruprich <mruprich@redhat.com> - 9.0.1-1
+* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
- New version 9.0.1
+- Resolves: #2144500 - AVC error when reloading FRR with provided reload script
-* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
+* Wed Oct 19 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
- Adding a couple of SELinux rules, includes fix for rhbz#2149299
+- Related: #2129743 - Adding missing rules for vtysh and other daemons
-* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
+* Mon Oct 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
- Rebuilt for abseil-cpp 20230802.0
+- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
+* Thu Oct 13 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+- Resolves: #2129731 - Rebase FRR to the latest version
 - Resolves: #2129743 - Add targeted SELinux policy for FRR
 - Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers 
-* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+* Tue Jun 14 2022 Michal Ruprich - 8.2.2-4
- New version 8.5.2
+- Resolves: #2095404 - frr use systemd-sysusers
 - Fixing some rpmlint warnings
-* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
+* Tue May 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
+- Resolves: #2081304 - Enhanced TMT testing for centos-stream
-* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
+* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
- Disable grpc in RHEL builds
+- Resolves: #2069571 - the dynamic routing setup does not work any more
-* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
+* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
+- Resolves: #2069563 - Rebase frr to version 8.2.2
-* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
+* Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-5
- New version 8.5.1
+- Resolves: #2023318 - Rebuilding for the new json-c library
-* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
+* Wed Sep 01 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-4
- New version 8.5
+- Resolves: #1997603 - ospfd not running with ospf opaque-lsa option used
-* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
+* Mon Aug 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-3
- Rebuilding for new abseil-cpp version
+- Related: #1990858 - Fixing prefix-list duplication check
-* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
+* Thu Aug 12 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-2
- SPDX migration
+- Related: #1990858 - Frr needs higher version of libyang
-* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
+* Tue Aug 10 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
- Build as C++17, required by abseil-cpp 20230125
+- Resolves: #1990858 - Possible rebase of frr to version 8.0
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
-* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
+* Wed Jul 21 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
- New version 8.4.2
+- Resolves: #1983967 - ospfd crashes in route_node_delete with assertion fail
-* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-5
- New version 8.4.1
+- Rebuilt for RHEL 9 BETA for openssl 3.0
- Fix for rhbz #2140705
+  Related: rhbz#1971065
-* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
+* Fri Jun 04 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
- New version 8.4
+- Resolves: #1958155 - Upgrading frr unconditionally creates /etc/frr/frr.conf, breaking existing configuration
-* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Resolves: #1939456 - /etc/frr permissions are bogus
- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+- Resolves: #1951303 - FTBFS in CentOS Stream
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-2
- Fixing an error in post scriptlet
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+* Tue Mar 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
 - Resolves: #2124254 - frr can no longer update routes
 * Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
 - Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
 - Better handling FRR files during upgrade
 * Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
 - New version 8.3.1
 * Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
 - Rebuilding for new abseil-cpp and grpc updates
 * Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
 - Adding vrrpd and pathd as daemons to the policy
 * Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
 - Finalizing SELinux policy
 * Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
 - Fixing wrong path for vtysh in frr.fc
 * Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
 - Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
 * Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
 - Packaging SELinux policy for FRR
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
 - Rebuild for grpc-1.46.1
 * Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
 - Fix for CVE-2022-16126
 * Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
 - New version 8.2.2
 * Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
 - Rebuild for abseil-cpp 20211102.0
 * Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
 - New version 8.2 (rhbz#2020439)
 - Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
 * Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
 - Rebuilding for FTBFS in Rawhide(rhbz#2045399)
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
 - Rebuilt for libre2.so.9
 * Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
 - Rebuilt for protobuf 3.19.0
 * Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
 - Rebuilt for protobuf 3.18.1
 * Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
 - Obsoleting quagga so that it may be retired
 * Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
 - Rebuilding for grpc 1.41
 * Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
 - Rebuild for new version of libyang
 * Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
 - Rebuild for grpc 1.40
 * Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
 - Rebuilt with OpenSSL 3.0.0
 * Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
 - New version 8.0.1
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
 - Rebuilt with OpenSSL 3.0.0
 * Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
 - New version 8.0
 * Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
 - Rebuild for grpc 1.39
 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.1-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Tue Jul 20 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
 - Resolves: #1983278 - ospfd crashes in route_node_delete with assertion fail
 * Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 7.5.1-6
 - Rebuild for versioned symbols in json-c
 * Wed Jul 07 2021 Neal Gompa <ngompa@datto.com> - 7.5.1-5
 - Clean up the spec file for legibility and modern spec standards
 - Remove unneeded info scriptlets
 - Use systemd-sysusers for frr user and frrvty group
 - Use git-core instead of git for applying patches
 - Drop redundant build dependencies
 * Wed Jul 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
 - Rebuild for newer abseil-cpp
 * Tue May 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-3
 - Rebuild for grpc 1.37
 * Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
 - Fixing permissions on config files in /etc/frr
 - Enabling integrated configuration option for frr
 * Fri Mar 12 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
 - New version 7.5.1
 - Enabling grpc, adding hostname for post scriptlet
 - Moving files to libexec due to selinux issues
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7.5-4
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
 * Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
 - Fixing FTBS - icc options are confusing the new gcc
@ -590,3 +458,4 @@ rm tests/lib/*grpc*
 * Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
 - Initial build
`@ -1 +1 @@`
	`ae93955533d9370c136d45a3adf808d7b50284a0 SOURCES/frr-10.1.tar.gz`	`467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz`
`@ -1 +1 @@`
	`SOURCES/frr-10.1.tar.gz`	`SOURCES/frr-8.3.1.tar.gz`