mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-06 00:41:20 +00:00
BGP: Only accept prefixes for negotiated address families
When handling a received Update message, only process and store the prefixes if the corresponding address family has been negotiated with the peer. Prior to this change, the receive processing only checked whether the address family was locally configured, trusting to the peer to not advertise prefixes for an address family that has not been negotiated. Most implementations conform to this but a misbehavior could result in processing and memory overhead. Signed-off-by: Vivek Venkatraman <vivek@cumulusnetworks.com> Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com> Reviewed-by: Daniel Walton <dwalton@cumulusnetworks.com> Ticket: CM-5594 Reviewed By: CCR-3946 Testing Done: Sanity test (good case)
This commit is contained in:
parent
a656dafaf2
commit
4b150ae78a
@ -1499,9 +1499,10 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
|
||||
}
|
||||
}
|
||||
|
||||
/* NLRI is processed only when the peer is configured specific
|
||||
Address Family and Subsequent Address Family. */
|
||||
if (peer->afc[AFI_IP][SAFI_UNICAST])
|
||||
/* NLRI is processed only when the the corresponding address-family
|
||||
* has been negotiated with the peer.
|
||||
*/
|
||||
if (peer->afc_nego[AFI_IP][SAFI_UNICAST])
|
||||
{
|
||||
if (withdraw.length)
|
||||
bgp_nlri_parse (peer, NULL, &withdraw);
|
||||
@ -1538,7 +1539,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
|
||||
zlog_debug ("rcvd End-of-RIB for IPv4 Unicast from %s", peer->host);
|
||||
}
|
||||
}
|
||||
if (peer->afc[AFI_IP][SAFI_MULTICAST])
|
||||
if (peer->afc_nego[AFI_IP][SAFI_MULTICAST])
|
||||
{
|
||||
if (mp_update.length
|
||||
&& mp_update.afi == AFI_IP
|
||||
@ -1572,7 +1573,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
|
||||
zlog_debug ("rcvd End-of-RIB for IPv4 Multicast from %s", peer->host);
|
||||
}
|
||||
}
|
||||
if (peer->afc[AFI_IP6][SAFI_UNICAST])
|
||||
if (peer->afc_nego[AFI_IP6][SAFI_UNICAST])
|
||||
{
|
||||
if (mp_update.length
|
||||
&& mp_update.afi == AFI_IP6
|
||||
@ -1605,7 +1606,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
|
||||
zlog_debug ("rcvd End-of-RIB for IPv6 Unicast from %s", peer->host);
|
||||
}
|
||||
}
|
||||
if (peer->afc[AFI_IP6][SAFI_MULTICAST])
|
||||
if (peer->afc_nego[AFI_IP6][SAFI_MULTICAST])
|
||||
{
|
||||
if (mp_update.length
|
||||
&& mp_update.afi == AFI_IP6
|
||||
@ -1639,7 +1640,7 @@ bgp_update_receive (struct peer *peer, bgp_size_t size)
|
||||
zlog_debug ("rcvd End-of-RIB for IPv6 Multicast from %s", peer->host);
|
||||
}
|
||||
}
|
||||
if (peer->afc[AFI_IP][SAFI_MPLS_VPN])
|
||||
if (peer->afc_nego[AFI_IP][SAFI_MPLS_VPN])
|
||||
{
|
||||
if (mp_update.length
|
||||
&& mp_update.afi == AFI_IP
|
||||
|
Loading…
Reference in New Issue
Block a user