summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-01-07isisd: do remove ipv6 routes from ZebraChristian Franke
We can abort isis_zebra_route_del_ipv6 if the route in question has ISIS_ROUTE_FLAG_ZEBRA_SYNCED unset, meaning it's not in the kernel. Aborting the function if the flag is set prevents us from removing any routes. Signed-off-by: Christian Franke <chris@opensourcerouting.org>
2013-10-22build: fix tests/prng.h missing from distHEADmasterDavid Lamparter
broken by fa713d9... "zebra: rework recursive route resolution", and I forgot to squash the fix into that. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-10-22zebra: make rib_dump() compatible with IPv6 RIBVincent Bernat
[DL: resolved conflicts in zebra_rib.c] [DL: fix usage with --disable-ipv6] Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: apply route-maps for interface routesChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: fix recursive-routes via ifindex routesChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: implement NEXTHOP_FLAG_ONLINKChristian Franke
On Linux, the kernel will only allow for a route to be installed when its gateway is directly attached according the kernel fib. There are cases when this restriction by the kernel is too strong, in those cases, we deploy the RTNH_F_ONLINK netlink flag. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: handle blackholes encountered in recursive resolutionChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: rework recursive route resolutionChristian Franke
Change the datastructure for recursive routes. This brings the following benefits: By using struct nexthop also to store nexthops obtained by recursive resolution, we can get rid of quite a bit of code duplication in the fib management. (rt_netlink, rt_socket, ...) With the new datastructure we can make use of all available paths when recursive routes are resolved with multipath routes. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: improve interface shutdown behaviourChristian Franke
Linux removes IPv6 addresses when the interface is set down. Those addresses need to be readded when the interface is set up again. Also, an interface should not be reactivated from shutdown by configuring an ip address. Finally, remove the three-state logic for the shutdown setting as its sole current use may be mild confusion. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: don't change connected state from zebra/interface.cChristian Franke
Try to avoid changing connected state from zebra/interface.c as this means making assumptions about kernel behaviour which may be or may become wrong. This state should rather be updated by events from the kernel. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: add ZEBRA_IFC_QUEUED to keep track of kernel stateChristian Franke
As there are timeframes when we don't get a notification from the kernel about new addresses. (e.g. while Linux performs IPv6 DAD), we need to have some information whether an address has been sent to the kernel or not. One case where this is relevant would be a user adding an IPv6 address, but deleting it before DAD has been complete. With the next patch which removes some (ill assuming) synchronous parts in address setup, ipv6_address_uninstall would not know whether or not it has to actually delete the prefix from the kernel. Resolving these windows where we lack information is what the flag ZEBRA_IFC_QUEUED is intended for. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: warn if advertising connected with _REAL unsetChristian Franke
The implementation in zebra and the zclient protocol allow to communicate addresses to clients which are not yet in the kernel. This is usually not done and most clients seem to expect an address to be configured in the kernel when they receive it. Therefore, it seems reasonable to issue a warning when advertising an address to the clients that is not yet in the kernel. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: consolidate connected_implicit_withdrawChristian Franke
connected_implicit_withdraw is used at two places and followed by exactly the same code. Move that code into connected_implicit_withdraw and give that function a more descriptive name. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: clear ZEBRA_IFC_CONFIGURED on "no ipv6 addr"Christian Franke
To match the semantics of IPv4, the ZEBRA_IFC_CONFIGURED flag should be cleared when an IPv6 connected is uninstalled via vty. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: make if_subnet_delete a bit more strictChristian Franke
Enhance if_subnet_delete so it will complain about improper use. Also, fix one occurence of improper use where it was called for IPv6 as well. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-09-19zebra: process information about new addresses (BZ#486)Christian Franke
Because of a change of semantics in the Linux kernel, information about changes made by zebra itself was not considered for updates. This change should fix this by accounting for the new semantics. It is based on a patch by lich posted to the bugzilla #486 Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-08-06ospfd: protect vs. VU#229804 (malformed Router-LSA)David Lamparter
VU#229804 reports that, by injecting Router LSAs with the Advertising Router ID different from the Link State ID, OSPF implementations can be tricked into retaining and using invalid information. Quagga is not vulnerable to this because it looks up Router LSAs by (Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140. Note the double "id" parameter at the end. Still, we can provide an improvement here by discarding such malformed LSAs and providing a warning to the administrator. While we cannot prevent such malformed LSAs from entering the OSPF domain, we can certainly try to limit their distribution. cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report. This issue is a specification issue in the OSPF protocol that was discovered by Dr. Gabi Nakibly. Reported-by: CERT Coordination Center <cert@cert.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-08-06bgpd, zebra: support NEXTHOP_IPV4_IFINDEX in bgp import checkChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-08-06bgpd, zebra: Support NEXTHOP_IPV4_IFINDEX in nexthop_lookup apiChristian Franke
Since commit ba281d3d040, ospfd uses NEXTHOP_IPV4_IFINDEX routes. The API between zebra and bgpd which is used to query nexthops for recursive routes did not support this nexthop type and therefore, ospf changes (or any other IGP changes which use NEXTHOP_IPV4_IFINDEX) would never trigger any recursive route update. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-08-06zebra: improve display of NEXTHOP_IPV4_IFINDEX in show ip routeChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-31bgpd: honor PEER_FLAG_DISABLE_CONNECTED_CHECK on bgp_scanChristian Franke
When neighbor disable-connected-check was used, bgpd would accept routes with unconnected nexthop as indended, however those routes would be invalidated on the next bgp_scan run as that function did not know about disable-connected-check. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-31isisd, ospf6d: use bug-report information from autoconfChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-31zebra: don't printf to stdout on ZEBRA_IPV6_NEXTHOP_LOOKUPChristian Franke
Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-31vtysh: don't append superflous spaces (BZ#750)Christian Franke
rl_completion_append_character is reset to space every time the completion function is entered. So we would have to set it to '\0' every time new_completion() is called. We can make this conditional and avoid using rl_pending_input. This code path is most relevant when there are multiple completion matches with the same prefix, e.g. in router bgp context: "neighbor 1.2.3.4 pa"<ssive|ssword> would have been completed to "neighbor 1.2.3.4 pass " instead of "neighbor 1.2.3.4 pass". Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-31bgpd: write NOTIFY non-blockinglyDavid Lamparter
switching the socket to blocking may well block the entire bgpd process for some time if our peer is overloaded (which may well be the original reason for the NOTIFY) The error handling is slightly different from the previous ML discussion on this; buffer exhaustion isn't technically a fatal TCP error, and we should probably proceed with FSM actions according to a sent NOTIFY (adjusting timers) even if we didn't manage to get the NOTIFY onto the wire. Acked-by: Leonid Rosenboim <lrosenbo@wrs.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-30bgpd: prevent double address delete on shutdownRakesh Garimella
bgp_interface_down() and bgp_exit() both proceed to delete the address from bgpd's interface representation, so the second call gets a NULL result from the hash lookup and subsequently crashes. Signed-off-by: Rakesh Garimella <rakesh.garimella@sophos.com> [reformatted] Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-30bgpd: stricter packet handling in OpenSentLeonid Rosenboim
Keepalives and updates are not expected in OpenSent, prior to receiving the peer's open message. Terminate the session with the proper notification. From: Leonid Rosenboim <lrosenbo@wrs.com> [split off FSM changes, some reordering & cleanup. read handling needs to be separately addressed] Signed-off-by: David Lamparter <equinox@diac24.net>
2013-07-30lib: unconditionally include stddef.hDavid Lamparter
I've used offsetof() in the previous commit to paper over the security problems in ospf_api.c. This blows the build on FreeBSD 7.0, missing offsetof(). Let's add that to zebra's generally used includes. stddef.h (and offsetof) is defined in C89 section 4.1.5 (and not deprecated/removed by any later standard). If this causes problems, the bug report should go against the host OS/compiler... Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-28ospfd: CVE-2013-2236, stack overrun in apiserverDavid Lamparter
the OSPF API-server (exporting the LSDB and allowing announcement of Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads to an exploitable stack overflow. For this condition to occur, the following two conditions must be true: - Quagga is configured with --enable-opaque-lsa - ospfd is started with the "-a" command line option If either of these does not hold, the relevant code is not executed and the issue does not get triggered. Since the issue occurs on receiving large LSAs (larger than 1488 bytes), it is possible for this to happen during normal operation of a network. In particular, if there is an OSPF router with a large number of interfaces, the Router-LSA of that router may exceed 1488 bytes and trigger this, leading to an ospfd crash. For an attacker to exploit this, s/he must be able to inject valid LSAs into the OSPF domain. Any best-practice protection measure (using crypto authentication, restricting OSPF to internal interfaces, packet filtering protocol 89, etc.) will prevent exploitation. On top of that, remote (not on an OSPF-speaking network segment) attackers will have difficulties bringing up the adjacency needed to inject a LSA. This patch only performs minimal changes to remove the possibility of a stack overrun. The OSPF API in general is quite ugly and needs a rewrite. Reported-by: Ricky Charlet <ricky.charlet@hp.com> Cc: Florian Weimer <fweimer@redhat.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-15doc: Modernize INSTALL.quagga.txt.Greg Troxel
Note that list of prereq versions is out of date. Add DejaGnu for testing. Change references to CVS to git. Signed-off-by: Greg Troxel <gdt@ir.bbn.com>
2013-07-15tests: don't build tests unless make check is runChristian Franke
Use check_PROGRAMS instead of noinst_PROGRAMS in tests/Makefile.am to build the tests only when make check is actually run. Signed-off-by: Christian Franke <chris@opensourcerouting.org>
2013-07-09tests: fix Makefile.am so it works with BSD makeChristian Franke
The export statement is specific to GNU make and breaks the build with BSD make. I couldn't observe any difference in behaviour between having the export present and absent, therefore, just remove it. Signed-off-by: Christian Franke <chris@opensourcerouting.org>
2013-04-20ospfd: fix flooding procedureChristian Franke
An ospf router should accept a new maxage LSA into its lsdb if it has any neighbors in state Exchange or Loading. ospfd would however only account for neighbors on the same interface which does not seem to be a valid optimization. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: Joachim Nilsson <troglobit@gmail.com> Signed-off-by: David Lamparter <equinox@diac24.net>
2013-04-20ospfd: make ospf_maxage_lsa_remover actually yieldChristian Franke
ospf_maxage_lsa_remover whould check whether to yield, but run on anyway. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: Joachim Nilsson <troglobit@gmail.com> Signed-off-by: David Lamparter <equinox@diac24.net>
2013-04-16doc: update TODO for ospf6d work & bgp multipathDinesh G Dutt
This is work in progress at Cumulus Networks.
2013-04-14tests: DejaGNU libzebraDavid Lamparter
Wrap the few libzebra test programs we have up for DejaGNU. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-14tests: DejaGNU bgpdDavid Lamparter
this just wraps the existing test programs in expect wrappers that make their results usable to DejaGNU. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-14tests: add DejaGNU frameworkDavid Lamparter
DejaGNU seems to be the 'standard' GNU test framework (which by itself doesn't say much), but it seems relatively usable and the "remote system" capabilities might come in handy for virtualisation-based tests for kernel interactions or something. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09ospfd: restore nexthop IP for p2p interfacesChristian Franke
commit c81ee5c... "ospfd: Optimize and improve SPF nexthop calculation" subtly changed semantics of routes calculated over pointopoint links by removing the nexthop IP address and instead using an ifindex route. This breaks calculation of AS-Ext routes with a forwarding address since in ospf_ase_complete_direct_routes() this will be hit: if (op->nexthop.s_addr == 0) op->nexthop.s_addr = nexthop.s_addr; thus turning the route unusable by having an invalid nexthop. Fix by restoring the nexthop IP on routes over PtP links. This also allows running multi-access (Ethernet) interfaces in PtP mode again. This bug is a regression against 0.99.21 and only present in 0.99.22. Signed-off-by: Christian Franke <chris@opensourcerouting.org> [patch description and code comments rewritten] Acked-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Acked-by: James Li <jli@cumulusnetworks.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09lib/vty: register vtysh socket in server socket vector (BZ#754)Christian Franke
Register the vtysh socket in Vvty_serv_thread so it will be correctly closed on vty_reset instead of being leaked. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09ripd: correctly redistribute ifindex routes (BZ#664)David Lamparter
ripd had a check to restrict metric 0 to only directly connected routes. This check was implemented by checking against Connected as route type. This is, however, incorrect -- all routes that directly use an interface without a nexthop should be treated as directly connected and passed off with metric 0. ripngd does not posess such a check and was not touched. Reported-by: Sean Fulton <sean@gcnpublishing.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09build: reference libcap from libzebra (BZ#393,626)David Lamparter
While the actual build failures have been fixed independently by d1d3ac9 "build: reorder libraries to address linker error", libzebra still does not reference libcap. This will lead to more build failures if someone else tries to use libzebra and doesn't add libcap. Let's just add libcap here and be done with it. I've not added libcap to the _DEPENDENCIES variable above since libcap is a system library. Actually, the whole _DEPENDENCIES thing is rather fishy; automake automatically sets _DEPENDENCIES from _LIBADD. For the sake of not breaking stuff that works (especially since most autotools stuff is arcane magic), I'm leaving it alone... Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09ospfd: fix LSA initialization for build without opaque LSAChristian Franke
If configured without opaque LSA support, the old code would incorrectly associate type 5 LSAs with an area. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09tests: make --disable-bgpd kill bgpd tests tooDavid Lamparter
bgpd tests don't compile or run with --disable-bgpd, let's catch this in the Makefile. Reported-by: Joachim Nilsson <troglobit@gmail.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09build: fix minimal mixup in gitinfo suffixDavid Lamparter
the original version of this had issues with tagless repositories; to fix that I removed the "-g" part from one of the regexes. I then failed to add those 2 characters back, leading to version numbers like "0.99.220123456" instead of "0.99.22-ga123456". Let's put the "-g" back... Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-04-09doc: fix makeinfo errors and one warningTimo Teräs
commit 4afa50b added few lines that are syntactically incorrect with leading plus sign. Cc: Denis Ovsienko <infrastation@yandex.ru> Signed-off-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-03-29doc: add OSPFv3 homenet to TODODavid Lamparter
The homenet OSPFv3 extensions are not only relevant TODO items, but also suitable for GSoC students. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-03-29doc: update TODODavid Lamparter
the TODO was last touched in 2006. This is a first pass at cleaning it up, motivated primarily by the need for an up-to-date idea list for the Google Summer of Code 2013. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-03-03build: Update supported versions.Greg Troxel
INSTALL.quagga.tex: Given the statement that it's viewed as a bug if quagga doesn't build on OS versions on the list, prune the list to the set for which there would be near-universal agreement that it's a bug. Clarify that the response to a system on the list not building might be dropping it from the list. (Time marches on, and these lists are not necessarily maintained. As an example, the comment saying FreeBSD4 support was iffy is now 6 years old.) Delete old discussion of ancient texinfo. Delete discussion of NetBSD versions before 4 (as no longer relevant).
2013-02-24hash: dynamically grow hash tableStephen Hemminger
Dynamically grow the hash table index if the chains get too long. If expansion doesn't help keep chain length short, then stop expanding, to avoid bad behavior if there is a poor hash function. Not a new idea, based on concepts in uthash. Depends on my previous patch to restrict hash to power of 2. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> [profiling results: sum of cycles spent in hash_get/jhash with RIPE RIS test data (single simple BGP peer) improved to 69% of previously spent] Signed-off-by: David Lamparter <equinox@opensourcerouting.org>