It is possible that right before an upper level protocol dies
or is killed routes would be installed into zebra. These routes
could be on the Meta-Q for early route-processing. Leaving us with
a situation where the client is removed, and all it's routes that are
in the rib at that time, and then after that the MetaQ is run and the
routes are reprocessed leaving routes from an upper level daemon
post daemon going away from zebra's perspective. These routes will
be abandoned.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Add definition of `TCP_MD5SIG_MAXKEYLEN` in the `sockopt.h` header so
users of it have the definition of the maximum key length for socket
authentication operations.
The following OSes reported failure in CI while building:
- NetBSD 8
- FreeBSD 11
- FreeBSD 12
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
Implement MSDP MD5 authentication connection support.
Implementation details:
- Move the MSDP socket creation code to a generic function so it can be
parametrized to be used with/without authentication.
- The MSDP peer connection will not change when the configuration is
set, instead it will only be applied next connection or when
`clear ip msdp peer A.B.C.D` is called.
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
Fixes the crash:
```
(gdb) bt
0 __pthread_kill_implementation (no_tid=0, signo=11, threadid=124583315603008) at ./nptl/pthread_kill.c:44
1 __pthread_kill_internal (signo=11, threadid=124583315603008) at ./nptl/pthread_kill.c:78
2 __GI___pthread_kill (threadid=124583315603008, signo=signo@entry=11) at ./nptl/pthread_kill.c:89
3 0x0000714ed0242476 in __GI_raise (sig=11) at ../sysdeps/posix/raise.c:26
4 0x0000714ed074cfb7 in core_handler (signo=11, siginfo=0x7ffe6d9792b0, context=0x7ffe6d979180) at lib/sigevent.c:258
5 <signal handler called>
6 0x000060f55e33ffdd in route_table_get_info (table=0x0) at ./lib/table.h:177
7 0x000060f55e340053 in bgp_dest_table (dest=0x60f56dabb840) at ./bgpd/bgp_table.h:156
8 0x000060f55e340c9f in is_route_injectable_into_vpn (pi=0x60f56dbc4a60) at ./bgpd/bgp_mplsvpn.h:331
9 0x000060f55e34507c in vpn_leak_from_vrf_update (to_bgp=0x60f56da52070, from_bgp=0x60f56da75af0, path_vrf=0x60f56dbc4a60) at bgpd/bgp_mplsvpn.c:1575
10 0x000060f55e346657 in vpn_leak_from_vrf_update_all (to_bgp=0x60f56da52070, from_bgp=0x60f56da75af0, afi=AFI_IP) at bgpd/bgp_mplsvpn.c:2028
11 0x000060f55e340c10 in vpn_leak_postchange (direction=BGP_VPN_POLICY_DIR_TOVPN, afi=AFI_IP, bgp_vpn=0x60f56da52070, bgp_vrf=0x60f56da75af0) at ./bgpd/bgp_mplsvpn.h:310
12 0x000060f55e34a692 in vpn_leak_postchange_all () at bgpd/bgp_mplsvpn.c:3737
13 0x000060f55e3d91fc in router_bgp (self=0x60f55e5cbc20 <router_bgp_cmd>, vty=0x60f56e2d7660, argc=3, argv=0x60f56da19830) at bgpd/bgp_vty.c:1601
14 0x0000714ed069ddf5 in cmd_execute_command_real (vline=0x60f56da32a80, vty=0x60f56e2d7660, cmd=0x0, up_level=0) at lib/command.c:1002
15 0x0000714ed069df6e in cmd_execute_command (vline=0x60f56da32a80, vty=0x60f56e2d7660, cmd=0x0, vtysh=0) at lib/command.c:1061
16 0x0000714ed069e51e in cmd_execute (vty=0x60f56e2d7660, cmd=0x60f56dbf07d0 "router bgp 100\n", matched=0x0, vtysh=0) at lib/command.c:1227
17 0x0000714ed076faa0 in vty_command (vty=0x60f56e2d7660, buf=0x60f56dbf07d0 "router bgp 100\n") at lib/vty.c:616
18 0x0000714ed07719c4 in vty_execute (vty=0x60f56e2d7660) at lib/vty.c:1379
19 0x0000714ed07740f0 in vtysh_read (thread=0x7ffe6d97c700) at lib/vty.c:2374
20 0x0000714ed07685c4 in event_call (thread=0x7ffe6d97c700) at lib/event.c:1995
21 0x0000714ed06e3351 in frr_run (master=0x60f56d1d2e40) at lib/libfrr.c:1232
22 0x000060f55e2c4b44 in main (argc=7, argv=0x7ffe6d97c978) at bgpd/bgp_main.c:555
(gdb)
```
Fixes https://github.com/FRRouting/frr/issues/16484
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
Modify existing MSDP topology to use test SA filtering:
- Add new multicast host (so we get two sources for same group)
- Test group only filtering
- Test source / group filtering
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
Implement MSDP peer incoming/outgoing SA filter.
Note
----
Cisco extended access list has a special meaning: the first address is
the source address to filter.
Example:
! The rules below filter some LAN prefix to be leaked out
access-list filter-lan-source deny ip 192.168.0.0 0.0.255.255 224.0.0.0 0.255.255.255
access-list filter-lan-source permit any
router pim
msdp peer 192.168.0.1 sa-filter filter-lan-source out
! The rules below filter some special management group from being
! learned
access-list filter-management-group deny 230.0.0.0 0.255.255.255
access-list filter-management-group permit any
router pim
msdp peer 192.168.0.1 sa-filter filter-management-group in
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
When an NHRP server was forwarding a message, it was copying all
extensions from the originally received packet. The authentication
extension must be regenerated hop by hop per RFC2332. The copied
auth extension had an incorrect length. This fix checks for the
auth extension when copying extensions and omits the original
packet auth and instead regenerates a new auth extension.
Fix bug #16466
Signed-off-by: Dave LeRoy <dleroy@labn.net>
So the test script is making changes to a vpn configuration by
changing something fundamental about the vpn. This is causing
a window where routes we are interested in are:
present ( from pre-change ) then
withdrawn ( the test change causes this ) then
present ( with the new data )
The test code was trying to test for this by checking
to see if the prefix was there, but due to timing issues
it's not always there when we look for it.
Modify the test to get the vpn table version prior to
the change( as that it should not be moving around ) and
then change the test for the prefix to look for a version
that is later than the vpn's table version. Then we know
that it is *after* everything has stabilized again.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
So the test script is making changes to a vpn configuration by
changing something fundamental about the vpn. This is causing
a window where routes we are interested in are:
present ( from pre-change ) then
withdrawn ( the test change causes this ) then
present ( with the new data )
The test code was trying to test for this by checking
to see if the prefix was there, but due to timing issues
it's not always there when we look for it.
Modify the test to get the vpn table version prior to
the change( as that it should not be moving around ) and
then change the test for the prefix to look for a version
that is later than the vpn's table version. Then we know
that it is *after* everything has stabilized again.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
a) Make timers more aggressive for this test
b) Double run_and_expect time for one sub test.
These two changes cause this test to pass regularly for
me when this test used to fail regularly for me.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
When an color affinity is set on an interface before configuring the
flex-algorithm, the ASLA (Application Specific Link-Attribute) sub-TLV
is not build. Flex-algo fails to build the paths when a affinity
constraint is required because of the lacking of information contained
in ASLA. There are no problems when the configuration order is reversed.
For example:
> affinity-map red bit-position 1
>
> interface eth2
> link-params
> affinity red
>
> router isis 1
> mpls-te on
> flex-algo 129
> dataplane sr-mpls
> advertise-definition
> affinity include-any green
In isis_link_params_update_asla(), the ASLA sub-TLV is not build when
the list of flex-algos is empty.
Update ASLA when the first flex-algorithm is configured.
Fixes: 893882ee20 ("isisd: add isis flex-algo configuration backend")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Move flex_algo_delete() content into isis_instance_flex_algo_destroy()
because it is called only once.
Rename _flex_algo_delete to flex_algo_free()
Cosmetic change.
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Let's remove the obsolete BFD control socket. If the functionality is
needed then YANG/northbound notifications / getting should be used
instead.
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
If we send a notification, there is no point setting the last_reset, because
bgp_notify_send() sets last_reset to PEER_DOWN_NOTIFY_SEND (almost everywhere).
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
```
donatas.net(config-router)# do show ip bgp summary failed
IPv4 Unicast Summary:
BGP router identifier 1.1.1.1, local AS number 65001 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory
Neighbor EstdCnt DropCnt ResetTime Reason
127.0.0.1 2 2 00:02:02 Password config change (GoBGP/3.26.0)
Displayed neighbors 1
Total number of neighbors 1
```
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
