quagga/bgpd, branch master Quagga routing suite bgpd, zebra: support NEXTHOP_IPV4_IFINDEX in bgp import check 2013-08-06T10:41:46+00:00 Christian Franke chris@opensourcerouting.org 2013-05-25T14:01:36+00:00 a12afd5e8e57c95505d4d0166af234c7f19e9fe1 Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd, zebra: Support NEXTHOP_IPV4_IFINDEX in nexthop_lookup api 2013-08-06T10:41:46+00:00 Christian Franke chris@opensourcerouting.org 2013-05-25T14:01:35+00:00 bb97e4622ed6f48e2b8e07f1f94edd03162223a1 Since commit ba281d3d040, ospfd uses NEXTHOP_IPV4_IFINDEX routes. The API between zebra and bgpd which is used to query nexthops for recursive routes did not support this nexthop type and therefore, ospf changes (or any other IGP changes which use NEXTHOP_IPV4_IFINDEX) would never trigger any recursive route update. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
Since commit ba281d3d040, ospfd uses NEXTHOP_IPV4_IFINDEX
routes. The API between zebra and bgpd which is used to query
nexthops for recursive routes did not support this nexthop
type and therefore, ospf changes (or any other IGP changes
which use NEXTHOP_IPV4_IFINDEX) would never trigger any
recursive route update.

Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: honor PEER_FLAG_DISABLE_CONNECTED_CHECK on bgp_scan 2013-07-31T16:49:50+00:00 Christian Franke chris@opensourcerouting.org 2013-04-11T08:24:30+00:00 a0f6ce5b41dcfa059074d72c8fc61896d3e996a9 When neighbor disable-connected-check was used, bgpd would accept routes with unconnected nexthop as indended, however those routes would be invalidated on the next bgp_scan run as that function did not know about disable-connected-check. Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
When neighbor disable-connected-check was used, bgpd would accept routes
with unconnected nexthop as indended, however those routes would be
invalidated on the next bgp_scan run as that function did not know about
disable-connected-check.

Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: write NOTIFY non-blockingly 2013-07-31T12:44:24+00:00 David Lamparter equinox@opensourcerouting.org 2013-07-31T12:39:41+00:00 8ff202e2d3fa7ebbd6728fdd230f3ad1a20578cd switching the socket to blocking may well block the entire bgpd process for some time if our peer is overloaded (which may well be the original reason for the NOTIFY) The error handling is slightly different from the previous ML discussion on this; buffer exhaustion isn't technically a fatal TCP error, and we should probably proceed with FSM actions according to a sent NOTIFY (adjusting timers) even if we didn't manage to get the NOTIFY onto the wire. Acked-by: Leonid Rosenboim <lrosenbo@wrs.com> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
switching the socket to blocking may well block the entire bgpd process
for some time if our peer is overloaded (which may well be the original
reason for the NOTIFY)

The error handling is slightly different from the previous ML discussion
on this;  buffer exhaustion isn't technically a fatal TCP error, and we
should probably proceed with FSM actions according to a sent NOTIFY
(adjusting timers) even if we didn't manage to get the NOTIFY onto the
wire.

Acked-by: Leonid Rosenboim <lrosenbo@wrs.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: prevent double address delete on shutdown 2013-07-30T18:27:50+00:00 Rakesh Garimella rakesh.garimella@sophos.com 2013-03-11T12:38:31+00:00 9e47abd862f71847a85f330435c7b3a9b1f76099 bgp_interface_down() and bgp_exit() both proceed to delete the address from bgpd's interface representation, so the second call gets a NULL result from the hash lookup and subsequently crashes. Signed-off-by: Rakesh Garimella <rakesh.garimella@sophos.com> [reformatted] Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
bgp_interface_down() and bgp_exit() both proceed to delete the address
from bgpd's interface representation, so the second call gets a NULL
result from the hash lookup and subsequently crashes.

Signed-off-by: Rakesh Garimella <rakesh.garimella@sophos.com>
[reformatted]
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: stricter packet handling in OpenSent 2013-07-30T18:20:07+00:00 Leonid Rosenboim lrosenbo@wrs.com 2013-07-30T18:14:25+00:00 397b5bded5654a31b4bd3b904f091fd3859aecf7 Keepalives and updates are not expected in OpenSent, prior to receiving the peer's open message. Terminate the session with the proper notification. From: Leonid Rosenboim <lrosenbo@wrs.com> [split off FSM changes, some reordering & cleanup. read handling needs to be separately addressed] Signed-off-by: David Lamparter <equinox@diac24.net> 
Keepalives and updates are not expected in OpenSent, prior to receiving
the peer's open message.  Terminate the session with the proper
notification.

From: Leonid Rosenboim <lrosenbo@wrs.com>
[split off FSM changes, some reordering & cleanup.  read handling needs
 to be separately addressed]
Signed-off-by: David Lamparter <equinox@diac24.net>
hash: force size to be a power of 2 2013-02-24T19:42:40+00:00 Stephen Hemminger shemminger@vyatta.com 2013-01-04T22:29:21+00:00 90645f5598ca8b25cd2692f2ac0d2778a3fd2755 By forcing the hash table size to be a power of 2, a potentially expensive divide can be replaced by a mask operation. Almost all usage of the hash table was using default size of 1024. Only places with different size was thread library (1011) and bgp aspath. Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
By forcing the hash table size to be a power of 2, a potentially
expensive divide can be replaced by a mask operation. Almost all
usage of the hash table was using default size of 1024. Only places
with different size was thread library (1011) and bgp aspath.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: fix lost passwords of grouped neighbors 2013-02-23T17:22:34+00:00 Roman Hoog Antink rha@open.ch 2013-01-18T12:52:03+00:00 0e4303d3173ecc264b3ec39a863174670bbe2900 This patch resolves the significance of order of group and password statements. It prevents passwords from being lost in cases where all three conditions apply: 1. the peer is member of a group with or without group password 2. the peer has an individual password set 3. the peer is added to a group within an address-family ipv6 section In addition this patch prevents the same issue in cases, where an IPv4 peer's password is set first and the peer is added to a group afterwards. Adding a peer to a group cancels his individual password. Without ipv6 this is not a problem, because choosing the right order of config statements will do (set password only after adding peer to group). When adding the peer to a group within the address-family section, his password is definitely lost. The same workaround (ie. setting the password after the address-family section) can not be used, because "show run" will print the configuration statements in the wrong order. Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
This patch resolves the significance of order of group and password
statements.

It prevents passwords from being lost in cases where all
three conditions apply:
  1. the peer is member of a group with or without group password
  2. the peer has an individual password set
  3. the peer is added to a group within an address-family ipv6
     section

In addition this patch prevents the same issue in cases, where an IPv4
peer's password is set first and the peer is added to a group
afterwards.

Adding a peer to a group cancels his individual password. Without ipv6
this is not a problem, because choosing the right order of config
statements will do (set password only after adding peer to group).

When adding the peer to a group within the address-family
section, his password is definitely lost. The same workaround (ie.
setting the password after the address-family section) can not be used,
because "show run" will print the configuration statements in the wrong
order.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: fix crash in soft-reconfiguration 2013-02-01T16:55:04+00:00 Christian Franke chris@opensourcerouting.org 2013-01-28T06:14:43+00:00 d53d8fda42e1ce43852d3b4cff914ce79b5c6785 Commit 8692c50652 introduced a bug where bgpd would crash on soft-reconfiguration. This happens e.g. when there are filtered unicast routes because rn->info is NULL in that case, which the code did not account for. Reported-by: Paweł Staszewski <pstaszewski@itcare.pl> Signed-off-by: Christian Franke <chris@opensourcerouting.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
Commit 8692c50652 introduced a bug where bgpd would crash on
soft-reconfiguration.

This happens e.g. when there are filtered unicast routes because
rn->info is NULL in that case, which the code did not account for.

Reported-by: Paweł Staszewski <pstaszewski@itcare.pl>
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
bgpd: relax ORF capability length handling 2013-02-01T16:55:04+00:00 David Lamparter equinox@opensourcerouting.org 2013-01-23T04:50:24+00:00 5e728e929942d39ce5a4ab3d01c33f7b688c4e3f commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()" made the length test in bgp_capability_orf_entry() stricter and is now causing us to refuse (with CEASE) ORF capabilites carrying any excess data. This does not conform to the robustness principle as laid out by RFC1122 ("be liberal in what you accept"). Even worse, RFC5291 is quite unclear on how to use the ORF capability with multiple AFI/SAFIs. It can be interpreted as either "use one instance, stuff everything in" but also as "use multiple instances". So, if not for applying robustness, we end up clearing sessions from implementations going by the former interpretation. (or if anyone dares add a byte of padding...) Cc: Denis Ovsienko <infrastation@yandex.ru> Signed-off-by: David Lamparter <equinox@opensourcerouting.org> 
commit fe9bb64... "bgpd: CVE-2012-1820, DoS in bgp_capability_orf()"
made the length test in bgp_capability_orf_entry() stricter and is now
causing us to refuse (with CEASE) ORF capabilites carrying any excess
data.  This does not conform to the robustness principle as laid out by
RFC1122 ("be liberal in what you accept").

Even worse, RFC5291 is quite unclear on how to use the ORF capability
with multiple AFI/SAFIs.  It can be interpreted as either "use one
instance, stuff everything in" but also as "use multiple instances".
So, if not for applying robustness, we end up clearing sessions from
implementations going by the former interpretation.  (or if anyone dares
add a byte of padding...)

Cc: Denis Ovsienko <infrastation@yandex.ru>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>