diff options
| author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-11-08 19:27:58 +0100 |
|---|---|---|
| committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2016-11-08 19:27:58 +0100 |
| commit | 8860e991f6650e47cfe6c1af595fe4fe92a4edfd (patch) | |
| tree | 18f49bb3a21739a1a596b54d9f65e82cff4fc09f | |
| parent | cc5b93f72db80abd1262a0a5e1d8400ceef54385 (diff) | |
| parent | c8cafc8ebb5320ac7c6117c17e6460036f0fdf62 (diff) | |
Merge branch 'master' into int-new
89 files changed, 2701 insertions, 1633 deletions
diff --git a/client/birdcl.c b/client/birdcl.c index 7b567a9f..4508185c 100644 --- a/client/birdcl.c +++ b/client/birdcl.c @@ -125,7 +125,7 @@ more_end(void) } static void -sig_handler(int signal) +sig_handler(int signal UNUSED) { cleanup(); exit(0); diff --git a/client/util.c b/client/util.c index 2d6c074d..1d83e518 100644 --- a/client/util.c +++ b/client/util.c @@ -24,7 +24,7 @@ vlog(const char *msg, va_list args) int n = vsnprintf(buf, sizeof(buf), msg, args); if (n < 0) snprintf(buf, sizeof(buf), "???"); - if (n >= sizeof(buf)) + else if (n >= (int) sizeof(buf)) snprintf(buf + sizeof(buf) - 100, 100, " ... <too long>"); fputs(buf, stderr); fputc('\n', stderr); diff --git a/conf/Makefile b/conf/Makefile index c1a906e3..e5828538 100644 --- a/conf/Makefile +++ b/conf/Makefile @@ -24,6 +24,7 @@ $(o)cf-lex.c: $(s)cf-lex.l $(FLEX) $(FLEX_DEBUG) -s -B -8 -Pcf_ -o$@ $< $(o)cf-lex.o: $(o)cf-parse.tab.h $(o)keywords.h +$(o)cf-lex.o: CFLAGS+=-Wno-sign-compare -Wno-unused-function $(addprefix $(o), cf-parse.y keywords.h commands.h cf-parse.tab.h cf-parse.tab.c cf-lex.c): $(objdir)/.dir-stamp diff --git a/conf/cf-lex.l b/conf/cf-lex.l index 9eb4f116..ad9aa10a 100644 --- a/conf/cf-lex.l +++ b/conf/cf-lex.l @@ -577,7 +577,7 @@ cf_lex_init(int is_cli, struct config *c) cf_lex_init_kh(); ifs_head = ifs = push_ifs(NULL); - if (!is_cli) + if (!is_cli) { ifs->file_name = c->file_name; ifs->fd = c->file_fd; diff --git a/conf/conf.c b/conf/conf.c index 175e223b..b6f41b2c 100644 --- a/conf/conf.c +++ b/conf/conf.c @@ -85,7 +85,7 @@ int undo_available; /* Undo was not requested from last reconfiguration */ * further use. Returns a pointer to the structure. */ struct config * -config_alloc(byte *name) +config_alloc(const byte *name) { pool *p = rp_new(&root_pool, "Config"); linpool *l = lp_new(p, 4080); @@ -405,7 +405,7 @@ config_confirm(void) * if it's been queued due to another reconfiguration being in progress now, * %CONF_UNQUEUED if a scheduled reconfiguration is removed, %CONF_NOTHING * if there is no relevant configuration to undo (the previous config request - * was config_undo() too) or %CONF_SHUTDOWN if BIRD is in shutdown mode and + * was config_undo() too) or %CONF_SHUTDOWN if BIRD is in shutdown mode and * no new configuration changes are accepted. */ int @@ -450,7 +450,7 @@ config_undo(void) extern void cmd_reconfig_undo_notify(void); static void -config_timeout(struct timer *t) +config_timeout(struct timer *t UNUSED) { log(L_INFO "Config timeout expired, starting undo"); cmd_reconfig_undo_notify(); @@ -530,7 +530,7 @@ cf_error(const char *msg, ...) * and we want to preserve it for further use. */ char * -cfg_strdup(char *c) +cfg_strdup(const char *c) { int l = strlen(c) + 1; char *z = cfg_allocu(l); diff --git a/conf/conf.h b/conf/conf.h index 03fecd32..593a5f13 100644 --- a/conf/conf.h +++ b/conf/conf.h @@ -20,7 +20,7 @@ struct config { linpool *mem; /* Linear pool containing configuration data */ list protos; /* Configured protocol instances (struct proto_config) */ list tables; /* Configured routing tables (struct rtable_config) */ - list logfiles; /* Configured log fils (sysdep) */ + list logfiles; /* Configured log files (sysdep) */ int mrtdump_file; /* Configured MRTDump file (sysdep, fd in unix) */ char *syslog_name; /* Name used for syslog (NULL -> no syslog) */ @@ -60,7 +60,7 @@ struct config { extern struct config *config; /* Currently active configuration */ extern struct config *new_config; /* Configuration being parsed */ -struct config *config_alloc(byte *name); +struct config *config_alloc(const byte *name); int config_parse(struct config *); int cli_parse(struct config *); void config_free(struct config *); @@ -94,7 +94,7 @@ extern linpool *cfg_mem; #define cfg_alloc(size) lp_alloc(cfg_mem, size) #define cfg_allocu(size) lp_allocu(cfg_mem, size) #define cfg_allocz(size) lp_allocz(cfg_mem, size) -char *cfg_strdup(char *c); +char *cfg_strdup(const char *c); void cfg_copy_list(list *dest, list *src, unsigned node_size); /* Lexer */ diff --git a/conf/confbase.Y b/conf/confbase.Y index 22edbdfd..094c81b5 100644 --- a/conf/confbase.Y +++ b/conf/confbase.Y @@ -143,7 +143,7 @@ expr_us: /* Switches */ bool: - expr {$$ = !!$1; } + expr { $$ = !!$1; } | ON { $$ = 1; } | YES { $$ = 1; } | OFF { $$ = 0; } @@ -202,7 +202,7 @@ net_roa4_: net_ip4_ MAX NUM AS NUM { $$ = cfg_alloc(sizeof(net_addr_roa4)); net_fill_roa4($$, net4_prefix(&$1), net4_pxlen(&$1), $3, $5); - if ($3 < net4_pxlen(&$1) || $3 > IP4_MAX_PREFIX_LENGTH) + if ($3 < (int) net4_pxlen(&$1) || $3 > IP4_MAX_PREFIX_LENGTH) cf_error("Invalid max prefix length %d", $3); }; @@ -210,7 +210,7 @@ net_roa6_: net_ip6_ MAX NUM AS NUM { $$ = cfg_alloc(sizeof(net_addr_roa6)); net_fill_roa6($$, net6_prefix(&$1), net6_pxlen(&$1), $3, $5); - if ($3 < net6_pxlen(&$1) || $3 > IP6_MAX_PREFIX_LENGTH) + if ($3 < (int) net6_pxlen(&$1) || $3 > IP6_MAX_PREFIX_LENGTH) cf_error("Invalid max prefix length %d", $3); }; diff --git a/configure.in b/configure.in index a0db0fbd..58f865c4 100644 --- a/configure.in +++ b/configure.in @@ -88,11 +88,13 @@ fi if test "$bird_cflags_default" = yes ; then BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_pointer_sign, -Wno-pointer-sign, -Wall) + BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_missing_init, -Wno-missing-field-initializers, -Wall -Wextra) BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing) BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow) - CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -Wno-parentheses" + CFLAGS="$CFLAGS -Wall -Wextra -Wstrict-prototypes -Wno-parentheses" BIRD_ADD_GCC_OPTION(bird_cv_c_option_wno_pointer_sign, -Wno-pointer-sign) + BIRD_ADD_GCC_OPTION(bird_cv_c_option_wno_missing_init, -Wno-missing-field-initializers) BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing) BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow) fi diff --git a/doc/Makefile b/doc/Makefile index 3ff73389..4e7e91eb 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -25,6 +25,9 @@ $(o)%.sgml: $(s)%.sgml $(objdir)/.dir-stamp $(o)%.html: $(o)%.sgml cd $(dir $@) && $(sgml2)html $(notdir $<) +$(o)%.tex: $(o)%.sgml + cd $(dir $@) && $(sgml2)latex --output=tex $(notdir $<) + $(o)%.dvi: $(o)%.tex cd $(dir $@) && TEXINPUTS=$(TEXINPUTS):$(doc-srcdir)/tex latex $(notdir $<) cd $(dir $@) && TEXINPUTS=$(TEXINPUTS):$(doc-srcdir)/tex latex $(notdir $<) @@ -32,11 +35,9 @@ $(o)%.dvi: $(o)%.tex $(o)%.ps: $(o)%.dvi dvips -D600 -ta4 -o $@ $< -$(o)%.pdf: $(o)%.ps - ps2pdf $< $@ - -$(o)%.tex: $(o)%.sgml - cd $(dir $@) && $(sgml2)latex --output=tex $(notdir $<) +$(o)%.pdf: $(o)%.tex + pdflatex -output-directory=$(dir $@) $< + pdflatex -output-directory=$(dir $@) $< $(o)%.txt: $(o)%.sgml cd $(dir $@) && $(sgml2)txt $(notdir $<) diff --git a/doc/bird.sgml b/doc/bird.sgml index 26673f03..6af0e0f6 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -39,11 +39,12 @@ This document contains user documentation for the BIRD Internet Routing Daemon p <chapt>Introduction +<label id="intro"> <sect>What is BIRD +<label id="what-is-bird"> -<p><label id="intro"> -The name `BIRD' is actually an acronym standing for `BIRD Internet Routing +<p>The name `BIRD' is actually an acronym standing for `BIRD Internet Routing Daemon'. Let's take a closer look at the meaning of the name: <p><em/BIRD/: Well, we think we have already explained that. It's an acronym @@ -72,8 +73,8 @@ running on background which does the dynamic part of Internet routing, that is it communicates with the other routers, calculates routing tables and sends them to the OS kernel which does the actual packet forwarding. There already exist other such routing daemons: routed (RIP only), GateD (non-free), -Zebra <HTMLURL URL="http://www.zebra.org"> and -MRTD <HTMLURL URL="http://sourceforge.net/projects/mrt">, +<HTMLURL URL="http://www.zebra.org" name="Zebra"> and +<HTMLURL URL="http://sourceforge.net/projects/mrt" name="MRTD">, but their capabilities are limited and they are relatively hard to configure and maintain. @@ -118,6 +119,7 @@ files, tools ...). <sect>Installing BIRD +<label id="install"> <p>On a recent UNIX system with GNU development tools (GCC, binutils, m4, make) and Perl, installing BIRD should be as easy as: @@ -138,52 +140,60 @@ BIRD executable by configuring out routing protocols you don't use, and <sect>Running BIRD +<label id="argv"> <p>You can pass several command-line options to bird: <descrip> - <tag>-c <m/config name/</tag> + <tag><label id="argv-config">-c <m/config name/</tag> use given configuration file instead of <it/prefix/<file>/etc/bird.conf</file>. - <tag>-d</tag> + <tag><label id="argv-debug">-d</tag> enable debug messages and run bird in foreground. - <tag>-D <m/filename of debug log/</tag> + <tag><label id="argv-log-file">-D <m/filename of debug log/</tag> log debugging information to given file instead of stderr. - <tag>-p</tag> - just parse the config file and exit. Return value is zero if the config - file is valid, nonzero if there are some errors. - - <tag>-s <m/name of communication socket/</tag> - use given filename for a socket for communications with the client, - default is <it/prefix/<file>/var/run/bird.ctl</file>. - - <tag>-P <m/name of PID file/</tag> - create a PID file with given filename. - - <tag>-u <m/user/</tag> - drop privileges and use that user ID, see the next section for details. + <tag><label id="argv-foreground">-f</tag> + run bird in foreground. - <tag>-g <m/group/</tag> + <tag><label id="argv-group">-g <m/group/</tag> use that group ID, see the next section for details. - <tag>-f</tag> - run bird in foreground. + <tag><label id="argv-help">-h, --help</tag> + display command-line options to bird. - <tag>-l</tag> + <tag><label id="argv-local">-l</tag> look for a configuration file and a communication socket in the current working directory instead of in default system locations. However, paths specified by options <cf/-c/, <cf/-s/ have higher priority. - <tag>-R</tag> + <tag><label id="argv-parse">-p</tag> + just parse the config file and exit. Return value is zero if the config + file is valid, nonzero if there are some errors. + + <tag><label id="argv-pid">-P <m/name of PID file/</tag> + create a PID file with given filename. + + <tag><label id="argv-recovery">-R</tag> apply graceful restart recovery after start. + + <tag><label id="argv-socket">-s <m/name of communication socket/</tag> + use given filename for a socket for communications with the client, + default is <it/prefix/<file>/var/run/bird.ctl</file>. + + <tag><label id="argv-user">-u <m/user/</tag> + drop privileges and use that user ID, see the next section for details. + + <tag><label id="argv-version">--version</tag> + display bird version. </descrip> <p>BIRD writes messages about its work to log files or syslog (according to config). <sect>Privileges +<label id="privileges"> <p>BIRD, as a routing daemon, uses several privileged operations (like setting routing table and using raw sockets). Traditionally, BIRD is executed and runs @@ -208,6 +218,7 @@ the config file and create the control socket and the CAP_NET_* capabilities. <chapt>About routing tables +<label id="routing-tables"> <p>BIRD has one or more routing tables which may or may not be synchronized with OS kernel and which may or may not be synchronized with each other (see the Pipe @@ -245,7 +256,7 @@ network. Note that although most protocols are interested in receiving just selected routes, some protocols (e.g. the <cf/Pipe/ protocol) receive and process all entries in routing tables (accepted by filters). -<p><label id="dsc-sorted">Usually, a routing table just chooses a selected route +<p><label id="dsc-table-sorted">Usually, a routing table just chooses a selected route from a list of entries for one network. But if the <cf/sorted/ option is activated, these lists of entries are kept completely sorted (according to preference or some protocol-dependent metric). This is needed for some features @@ -259,6 +270,7 @@ is that it is slightly more computationally expensive. <sect>Graceful restart +<label id="graceful-restart"> <p>When BIRD is started after restart or crash, it repopulates routing tables in an uncoordinated manner, like after clean start. This may be impractical in some @@ -274,8 +286,10 @@ particular boot by option <cf/-R/. <chapt>Configuration +<label id="config"> <sect>Introduction +<label id="config-intro"> <p>BIRD is configured using a text configuration file. Upon startup, BIRD reads <it/prefix/<file>/etc/bird.conf</file> (unless the <tt/-c/ command line option @@ -319,17 +333,18 @@ protocol rip { <sect>Global options +<label id="global-opts"> <p><descrip> - <tag>include "<m/filename/"</tag> + <tag><label id="opt-include">include "<m/filename/"</tag> This statement causes inclusion of a new file. <m/Filename/ could also be a wildcard, in that case matching files are included in alphabetic order. The maximal depth is 8. Note that this statement could be used anywhere in the config file, not just as a top-level option. - <tag><label id="dsc-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag> + <tag><label id="opt-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag> Set logging of messages having the given class (either <cf/all/ or - <cf/{ error, trace }/ etc.) into selected destination (a file specified + <cf/{ error|trace [, <m/.../] }/ etc.) into selected destination (a file specified as a filename string, syslog with optional name argument, or the stderr output). Classes are: <cf/info/, <cf/warning/, <cf/error/ and <cf/fatal/ for messages about local problems, @@ -341,48 +356,48 @@ protocol rip { You may specify more than one <cf/log/ line to establish logging to multiple destinations. Default: log everything to the system log. - <tag>debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag> + <tag><label id="opt-debug-protocols">debug protocols all|off|{ states|routes|filters|interfaces|events|packets [, <m/.../] }</tag> Set global defaults of protocol debugging options. See <cf/debug/ in the following section. Default: off. - <tag>debug commands <m/number/</tag> + <tag><label id="opt-debug-commands">debug commands <m/number/</tag> Control logging of client connections (0 for no logging, 1 for logging of connects and disconnects, 2 and higher for logging of all client commands). Default: 0. - <tag>debug latency <m/switch/</tag> + <tag><label id="opt-debug-latency">debug latency <m/switch/</tag> Activate tracking of elapsed time for internal events. Recent events could be examined using <cf/dump events/ command. Default: off. - <tag>debug latency limit <m/time/</tag> + <tag><label id="opt-debug-latency-limit">debug latency limit <m/time/</tag> If <cf/debug latency/ is enabled, this option allows to specify a limit for elapsed time. Events exceeding the limit are logged. Default: 1 s. - <tag>watchdog warning <m/time/</tag> + <tag><label id="opt-watchdog-warn">watchdog warning <m/time/</tag> Set time limit for I/O loop cycle. If one iteration took more time to complete, a warning is logged. Default: 5 s. - <tag>watchdog timeout <m/time/</tag> + <tag><label id="opt-watchdog-timeout">watchdog timeout <m/time/</tag> Set time limit for I/O loop cycle. If the limit is breached, BIRD is killed by abort signal. The timeout has effective granularity of seconds, zero means disabled. Default: disabled (0). - <tag>mrtdump "<m/filename/"</tag> + <tag><label id="opt-mrtdump">mrtdump "<m/filename/"</tag> Set MRTdump file name. This option must be specified to allow MRTdump feature. Default: no dump file. - <tag>mrtdump protocols all|off|{ states, messages }</tag> + <tag><label id="opt-mrtdump-protocols">mrtdump protocols all|off|{ states|messages [, <m/.../] }</tag> Set global defaults of MRTdump options. See <cf/mrtdump/ in the following section. Default: off. - <tag>filter <m/name local variables/{ <m/commands/ }</tag> + <tag><label id="opt-filter">filter <m/name local variables/{ <m/commands/ }</tag> Define a filter. You can learn more about filters in the following chapter. - <tag>function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag> + <tag><label id="opt-function">function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag> Define a function. You can learn more about functions in the following chapter. - <tag>protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> + <tag><label id="opt-protocol">protocol rip|ospf|bgp|<m/.../ [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> Define a protocol instance called <cf><m/name/</cf> (or with a name like "rip5" generated automatically if you don't specify any <cf><m/name/</cf>). You can learn more about configuring protocols in @@ -391,7 +406,7 @@ protocol rip { <cf><m/name2/</cf> You can run more than one instance of most protocols (like RIP or BGP). By default, no instances are configured. - <tag>template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> + <tag><label id="opt-template">template rip|bgp|<m/.../ [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> Define a protocol template instance called <m/name/ (or with a name like "bgp1" generated automatically if you don't specify any <m/name/). Protocol templates can be used to group common options when many @@ -400,25 +415,25 @@ protocol rip { expression and the name of the template. At the moment templates (and <cf/from/ expression) are not implemented for OSPF protocol. - <tag>define <m/constant/ = <m/expression/</tag> + <tag><label id="opt-define">define <m/constant/ = <m/expression/</tag> Define a constant. You can use it later in every place you could use a value of the same type. Besides, there are some predefined numeric constants based on /etc/iproute2/rt_* files. A list of defined constants can be seen (together with other symbols) using 'show symbols' command. - <tag>router id <m/IPv4 address/</tag> - Set BIRD's router ID. It's a world-wide unique identification of your + <tag><label id="opt-router-id">router id <m/IPv4 address/</tag> + Set BIRD's router ID. It's a world-wide unique identification of your router, usually one of router's IPv4 addresses. Default: in IPv4 version, the lowest IP address of a non-loopback interface. In IPv6 version, this option is mandatory. - <tag>router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag> + <tag><label id="opt-router-id-from">router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, <m/.../]</tag> Set BIRD's router ID based on an IP address of an interface specified by an interface pattern. The option is applicable for IPv4 version only. - See <ref id="dsc-iface" name="interface"> section for detailed + See <ref id="proto-iface" name="interface"> section for detailed description of interface patterns with extended clauses. - <tag>listen bgp [address <m/address/] [port <m/port/] [dual]</tag> + <tag><label id="opt-listen-bgp">listen bgp [address <m/address/] [port <m/port/] [dual]</tag> This option allows to specify address and port where BGP protocol should listen. It is global option as listening socket is common to all BGP instances. Default is to listen on all addresses (0.0.0.0) and port 179. @@ -427,13 +442,13 @@ protocol rip { BIRD would accept IPv6 routes only). Such behavior was default in older versions of BIRD. - <tag>graceful restart wait <m/number/</tag> + <tag><label id="opt-graceful-restart">graceful restart wait <m/number/</tag> During graceful restart recovery, BIRD waits for convergence of routing protocols. This option allows to specify a timeout for the recovery to prevent waiting indefinitely if some protocols cannot converge. Default: 240 seconds. - <tag>timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag> + <tag><label id="opt-timeformat">timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag> This option allows to specify a format of date/time used by BIRD. The first argument specifies for which purpose such format is used. <cf/route/ is a format used in 'show route' command output, @@ -459,32 +474,33 @@ protocol rip { hh:mm:ss) for <cf/base/ and <cf/log/. These timeformats could be set by <cf/old short/ and <cf/old long/ compatibility shorthands. - <tag>table <m/name/ [sorted]</tag> + <tag><label id="opt-table">table <m/name/ [sorted]</tag> Create a new routing table. The default routing table is created implicitly, other routing tables have to be added by this command. Option <cf/sorted/ can be used to enable sorting of routes, see - <ref id="dsc-sorted" name="sorted table"> description for details. + <ref id="dsc-table-sorted" name="sorted table"> description for details. - <tag>roa table <m/name/ [ { roa table options ... } ]</tag> + <tag><label id="opt-roa-table">roa table <m/name/ [ { <m/roa table options .../ } ]</tag> Create a new ROA (Route Origin Authorization) table. ROA tables can be used to validate route origination of BGP routes. A ROA table contains ROA entries, each consist of a network prefix, a max prefix length and an AS number. A ROA entry specifies prefixes which could be originated - by that AS number. ROA tables could be filled with data from RPKI (RFC - 6480) or from public databases like Whois. ROA tables are examined by - <cf/roa_check()/ operator in filters. + by that AS number. ROA tables could be filled with data from RPKI (<rfc + id="6480">) or from public databases like Whois. ROA tables are + examined by <cf/roa_check()/ operator in filters. Currently, there is just one option, <cf>roa <m/prefix/ max <m/num/ as <m/num/</cf>, which can be used to populate the ROA table with static ROA entries. The option may be used multiple times. Other entries can be added dynamically by <cf/add roa/ command. - <tag>eval <m/expr/</tag> + <tag><label id="opt-eval">eval <m/expr/</tag> Evaluates given filter expression. It is used by us for testing of filters. </descrip> <sect>Protocol options +<label id="protocol-opts"> <p>For each protocol instance, you can configure a bunch of options. Some of them (those described in this section) are generic, some are specific to the @@ -497,16 +513,16 @@ disable it. An empty <m/switch/ is equivalent to <cf/on/ ("silence means agreement"). <descrip> - <tag>preference <m/expr/</tag> + <tag><label id="proto-preference">preference <m/expr/</tag> Sets the preference of routes generated by this protocol. Default: protocol dependent. - <tag>disabled <m/switch/</tag> + <tag><label id="proto-disabled">disabled <m/switch/</tag> Disables the protocol. You can change the disable/enable status from the command line interface without needing to touch the configuration. Disabled protocols are not activated. Default: protocol is enabled. - <tag>debug all|off|{ states, routes, filters, interfaces, events, packets }</tag> + <tag><label id="proto-debug">debug all|off|{ states|routes|filters|interfaces|events|packets [, <m/.../] }</tag> Set protocol debugging options. If asked, each protocol is capable of writing trace messages about its work to the log (with category <cf/trace/). You can either request printing of <cf/all/ trace messages @@ -517,7 +533,7 @@ agreement"). protocol, <cf/events/ for events internal to the protocol and <cf/packets/ for packets sent and received by the protocol. Default: off. - <tag>mrtdump all|off|{ states, messages }</tag> + <tag><label id="proto-mrtdump">mrtdump all|off|{ states|messages [, <m/.../] }</tag> Set protocol MRTdump flags. MRTdump is a standard binary format for logging information from routing protocols and daemons. These flags control what kind of information is logged from the protocol to the @@ -527,27 +543,27 @@ agreement"). BGP protocol, <cf/states/ logs BGP state changes and <cf/messages/ logs received BGP messages. Other protocols does not support MRTdump yet. - <tag>router id <m/IPv4 address/</tag> + <tag><label id="proto-router-id">router id <m/IPv4 address/</tag> This option can be used to override global router id for a given protocol. Default: uses global router id. - <tag>import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag> + <tag><label id="proto-import">import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag> Specify a filter to be used for filtering routes coming from the protocol to the routing table. <cf/all/ is shorthand for <cf/where true/ and <cf/none/ is shorthand for <cf/where false/. Default: <cf/all/. - <tag>export <m/filter/</tag> + <tag><label id="proto-export">export <m/filter/</tag> This is similar to the <cf>import</cf> keyword, except that it works in the direction from the routing table to the protocol. Default: <cf/none/. - <tag>import keep filtered <m/switch/</tag> + <tag><label id="proto-import-keep-filtered">import keep filtered <m/switch/</tag> Usually, if an import filter rejects a route, the route is forgotten. When this option is active, these routes are kept in the routing table, but they are hidden and not propagated to other protocols. But it is possible to show them using <cf/show route filtered/. Note that this option does not work for the pipe protocol. Default: off. - <tag><label id="import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> + <tag><label id="proto-import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> Specify an import route limit (a maximum number of routes imported from the protocol) and optionally the action to be taken when the limit is hit. Warn action just prints warning log message. Block action discards @@ -556,7 +572,7 @@ agreement"). action if an action is not explicitly specified. Note that limits are reset during protocol reconfigure, reload or restart. Default: <cf/off/. - <tag>receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> + <tag><label id="proto-receive-limit">receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> Specify an receive route limit (a maximum number of routes received from the protocol and remembered). It works almost identically to <cf>import limit</cf> option, the only difference is that if <cf/import keep @@ -566,7 +582,7 @@ agreement"). on the contrary, counts accepted routes only and routes blocked by the limit are handled like filtered routes. Default: <cf/off/. - <tag>export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag> + <tag><label id="proto-export-limit">export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag> Specify an export route limit, works similarly to the <cf>import limit</cf> option, but for the routes exported to the protocol. This option is experimental, there are some problems in details of its @@ -576,18 +592,18 @@ agreement"). updates of already accepted routes -- and these details will probably change in the future. Default: <cf/off/. - <tag>description "<m/text/"</tag> + <tag><label id="proto-description">description "<m/text/"</tag> This is an optional description of the protocol. It is displayed as a part of the output of 'show route all' command. - <tag>table <m/name/</tag> + <tag><label id="proto-table">table <m/name/</tag> Connect this protocol to a non-default routing table. </descrip> <p>There are several options that give sense only with certain protocols: <descrip> - <tag><label id="dsc-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag> + <tag><label id="proto-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, <m/.../] [ { <m/option/; [<m/.../] } ]</tag> Specifies a set of interfaces on which the protocol is activated with given interface-specific options. A set of interfaces specified by one interface option is described using an interface pattern. The interface @@ -634,7 +650,7 @@ agreement"). <cf>interface "eth*" 192.168.1.0/24;</cf> - start the protocol on all ethernet interfaces that have address from 192.168.1.0/24. - <tag><label id="dsc-prio">tx class|dscp <m/num/</tag> + <tag><label id="proto-tx-class">tx class|dscp <m/num/</tag> This option specifies the value of ToS/DS/Class field in IP headers of the outgoing protocol packets. This may affect how the protocol packets are processed by the network relative to the other network traffic. With @@ -643,51 +659,64 @@ agreement"). keyword, the value (0-63) is used just for the DS field in the octet. Default value is 0xc0 (DSCP 0x30 - CS6). - <tag>tx priority <m/num/</tag> + <tag><label id="proto-tx-priority">tx priority <m/num/</tag> This option specifies the local packet priority. This may affect how the protocol packets are processed in the local TX queues. This option is Linux specific. Default value is 7 (highest priority, privileged traffic). - <tag><label id="dsc-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag> - Specifies a password that can be used by the protocol. Password option - can be used more times to specify more passwords. If more passwords are - specified, it is a protocol-dependent decision which one is really - used. Specifying passwords does not mean that authentication is enabled, - authentication can be enabled by separate, protocol-dependent - <cf/authentication/ option. + <tag><label id="proto-pass">password "<m/password/" [ { <m>password options</m> } ]</tag> + Specifies a password that can be used by the protocol as a shared secret + key. Password option can be used more times to specify more passwords. + If more passwords are specified, it is a protocol-dependent decision + which one is really used. Specifying passwords does not mean that + authentication is enabled, authentication can be enabled by separate, + protocol-dependent <cf/authentication/ option. - This option is allowed in OSPF and RIP protocols. BGP has also + This option is allowed in BFD, OSPF and RIP protocols. BGP has also <cf/password/ option, but it is slightly different and described separately. - Default: none. </descrip> <p>Password option can contain section with some (not necessary all) password sub-options: <descrip> - <tag>id <M>num</M></tag> + <tag><label id="proto-pass-id">id <M>num</M></tag> ID of the password, (1-255). If it is not used, BIRD will choose ID based on an order of the password item in the interface. For example, second password item in one interface will have default ID 2. ID is used by some routing protocols to identify which password was used to authenticate protocol packets. - <tag>generate from "<m/time/"</tag> + <tag><label id="proto-pass-gen-from">generate from "<m/time/"</tag> The start time of the usage of the password for packet signing. The format of <cf><m/time/</cf> is <tt>dd-mm-yyyy HH:MM:SS</tt>. - <tag>generate to "<m/time/"</tag> + <tag><label id="proto-pass-gen-to">generate to "<m/time/"</tag> The last time of the usage of the password for packet signing. - <tag>accept from "<m/time/"</tag> + <tag><label id="proto-pass-accept-from">accept from "<m/time/"</tag> The start time of the usage of the password for packet verification. - <tag>accept to "<m/time/"</tag> + <tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag> The last time of the usage of the password for packet verification. + + <tag><label id="proto-pass-from">from "<m/time/"</tag> + Shorthand for setting both <cf/generate from/ and <cf/accept from/. + + <tag><label id="proto-pass-to">to "<m/time/"</tag> + Shorthand for setting both <cf/generate to/ and <cf/accept to/. + + <tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 )</tag> + The message authentication algorithm for the password when cryptographic + authentication is enabled. The default value depends on the protocol. + For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3 + protocol it is HMAC-SHA-256. + </descrip> <chapt>Remote control +<label id="remote-control"> <p>You can use the command-line client <file>birdc</file> to talk with a running BIRD. Communication is done using a <file/bird.ctl/ UNIX domain socket (unless @@ -713,26 +742,26 @@ This argument can be omitted if there exists only a single instance. <p>Here is a brief list of supported functions: <descrip> - <tag>show status</tag> + <tag><label id="cli-show-status">show status</tag> Show router status, that is BIRD version, uptime and time from last reconfiguration. - <tag>show interfaces [summary]</tag> + <tag><label id="cli-show-interfaces">show interfaces [summary]</tag> Show the list of interfaces. For each interface, print its type, state, MTU and addresses assigned. - <tag>show protocols [all]</tag> + <tag><label id="cli-show-protocols">show protocols [all]</tag> Show list of protocol instances along with tables they are connected to and protocol status, possibly giving verbose information, if <cf/all/ is specified. - <tag>show ospf interface [<m/name/] ["<m/interface/"]</tag> + <tag><label id="cli-show-ospf-iface">show ospf interface [<m/name/] ["<m/interface/"]</tag> Show detailed information about OSPF interfaces. - <tag>show ospf neighbors [<m/name/] ["<m/interface/"]</tag> + <tag><label id="cli-show-ospf-neighbors">show ospf neighbors [<m/name/] ["<m/interface/"]</tag> Show a list of OSPF neighbors and a state of adjacency to them. - <tag>show ospf state [all] [<m/name/]</tag> + <tag><label id="cli-show-ospf-state">show ospf state [all] [<m/name/]</tag> Show detailed information about OSPF areas based on a content of the link-state database. It shows network topology, stub networks, aggregated networks and routers from other areas and external routes. @@ -740,31 +769,31 @@ This argument can be omitted if there exists only a single instance. <cf/all/ to show information about all network nodes in the link-state database. - <tag>show ospf topology [all] [<m/name/]</tag> + <tag><label id="cli-show-ospf-topology">show ospf topology [all] [<m/name/]</tag> Show a topology of OSPF areas based on a content of the link-state database. It is just a stripped-down version of 'show ospf state'. - <tag>show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag> + <tag><label id="cli-show-ospf-lsadb">show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag> Show contents of an OSPF LSA database. Options could be used to filter entries. - <tag>show rip interfaces [<m/name/] ["<m/interface/"]</tag> + <tag><label id="cli-show-rip-interfaces">show rip interfaces [<m/name/] ["<m/interface/"]</tag> Show detailed information about RIP interfaces. - <tag>show rip neighbors [<m/name/] ["<m/interface/"]</tag> + <tag><label id="cli-show-rip-neighbors">show rip neighbors [<m/name/] ["<m/interface/"]</tag> Show a list of RIP neighbors and associated state. - <tag>show static [<m/name/]</tag> + <tag><label id="cli-show-static">show static [<m/name/]</tag> Show detailed information about static routes. - <tag>show bfd sessions [<m/name/]</tag> + <tag><label id="cli-show-bfd-sessions">show bfd sessions [<m/name/]</tag> Show information about BFD sessions. - <tag>show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag> + <tag><label id="cli-show-symbols">show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag> Show the list of symbols defined in the configuration (names of protocols, routing tables etc.). - <tag>show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag> + <tag><label id="cli-show-route">show route [[for] <m/prefix/|<m/IP/] [table <m/t/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag> Show contents of a routing table (by default of the main one or the table attached to a respective protocol), that is routes, their metrics and (in case the <cf/all/ switch is given) all their attributes. @@ -799,7 +828,7 @@ This argument can be omitted if there exists only a single instance. number of networks, number of routes before and after filtering). If you use <cf/count/ instead, only the statistics will be printed. - <tag>show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag> + <tag><label id="cli-show-roa">show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/]</tag> Show contents of a ROA table (by default of the first one). You can specify a <m/prefix/ to print ROA entries for a specific network. If you use <cf>for <m/prefix/</cf>, you'll get all entries relevant for route @@ -808,19 +837,19 @@ This argument can be omitted if there exists only a single instance. entries covered by the network prefix. You could also use <cf/as/ option to show just entries for given AS. - <tag>add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag> + <tag><label id="cli-add-roa">add roa <m/prefix/ max <m/num/ as <m/num/ [table <m/t/]</tag> Add a new ROA entry to a ROA table. Such entry is called <it/dynamic/ compared to <it/static/ entries specified in the config file. These dynamic entries survive reconfiguration. - <tag>delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag> + <tag><label id="cli-delete-roa">delete roa <m/prefix/ max <m/num/ as <m/num/ [table <m/t/]</tag> Delete the specified ROA entry from a ROA table. Only dynamic ROA entries (i.e., the ones added by <cf/add roa/ command) can be deleted. - <tag>flush roa [table <m/t/>]</tag> + <tag><label id="cli-flush-roa">flush roa [table <m/t/]</tag> Remove all dynamic ROA entries from a ROA table. - <tag>configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag> + <tag><label id="cli-configure">configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag> Reload configuration from a given file. BIRD will smoothly switch itself to the new configuration, protocols are reconfigured if possible, restarted otherwise. Changes in filters usually lead to restart of @@ -839,11 +868,11 @@ This argument can be omitted if there exists only a single instance. config timeout expiration is equivalent to <cf/configure undo/ command. The timeout duration could be specified, default is 300 s. - <tag>configure confirm</tag> + <tag><label id="cli-configure-confirm">configure confirm</tag> Deactivate the config undo timer and therefore confirm the current configuration. - <tag>configure undo</tag> + <tag><label id="cli-configure-undo">configure undo</tag> Undo the last configuration change and smoothly switch back to the previous (stored) configuration. If the last configuration change was soft, the undo change is also soft. There is only one level of undo, but @@ -851,15 +880,15 @@ This argument can be omitted if there exists only a single instance. immediately in a row and the intermediate ones are skipped then the undo also skips them back. - <tag>configure check ["<m/config file/"]</tag> + <tag><label id="cli-configure-check">configure check ["<m/config file/"]</tag> Read and parse given config file, but do not use it. useful for checking syntactic and some semantic validity of an config file. - <tag>enable|disable|restart <m/name/|"<m/pattern/"|all</tag> + <tag><label id="cli-enable-disable-restart">enable|disable|restart <m/name/|"<m/pattern/"|all</tag> Enable, disable or restart a given protocol instance, instances matching the <cf><m/pattern/</cf> or <cf/all/ instances. - <tag>reload [in|out] <m/name/|"<m/pattern/"|all</tag> + <tag><label id="cli-reload">reload [in|out] <m/name/|"<m/pattern/"|all</tag> Reload a given protocol instance, that means re-import routes from the protocol instance and re-export preferred routes to the instance. If <cf/in/ or <cf/out/ options are used, the command is restricted to one @@ -876,27 +905,29 @@ This argument can be omitted if there exists only a single instance. pipe protocol, both directions are always reloaded together (<cf/in/ or <cf/out/ options are ignored in that case). - <tag/down/ + <tag><label id="cli-down">down</tag> Shut BIRD down. - <tag>debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag> + <tag><label id="cli-debug">debug <m/protocol/|<m/pattern/|all all|off|{ states|routes|filters|events|packets [, <m/.../] }</tag> Control protocol debugging. - <tag>dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag> + <tag><label id="cli-dump">dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag> Dump contents of internal data structures to the debugging output. - <tag>echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag> + <tag><label id="cli-echo">echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag> Control echoing of log messages to the command-line output. - See <ref id="dsc-log" name="log option"> for a list of log classes. + See <ref id="opt-log" name="log option"> for a list of log classes. - <tag>eval <m/expr/</tag> + <tag><label id="cli-eval">eval <m/expr/</tag> Evaluate given expression. </descrip> <chapt>Filters +<label id="filters"> <sect>Introduction +<label id="filters-intro"> <p>BIRD contains a simple programming language. (No, it can't yet read mail :-). There are two objects in this language: filters and functions. Filters are @@ -984,33 +1015,34 @@ bird> <sect>Data types +<label id="data-types"> <p>Each variable and each value has certain type. Booleans, integers and enums are incompatible with each other (that is to prevent you from shooting in the foot). <descrip> - <tag/bool/ + <tag><label id="type-bool">bool</tag> This is a boolean type, it can have only two values, <cf/true/ and <cf/false/. Boolean is the only type you can use in <cf/if/ statements. - <tag/int/ + <tag><label id="type-int">int</tag> This is a general integer type. It is an unsigned 32bit type; i.e., you can expect it to store values from 0 to 4294967295. Overflows are not checked. You can use <cf/0x1234/ syntax to write hexadecimal values. - <tag/pair/ + <tag><label id="type-pair">pair</tag> This is a pair of two short integers. Each component can have values from 0 to 65535. Literals of this type are written as <cf/(1234,5678)/. The same syntax can also be used to construct a pair from two arbitrary integer expressions (for example <cf/(1+2,a)/). - <tag/quad/ + <tag><label id="type-quad">quad</tag> This is a dotted quad of numbers used to represent router IDs (and others). Each component can have a value from 0 to 255. Literals of this type are written like IPv4 addresses. - <tag/string/ + <tag><label id="type-string">string</tag> This is a string of characters. There are no ways to modify strings in filters. You can pass them between functions, assign them to variables of type <cf/string/, print such variables, use standard string @@ -1020,7 +1052,7 @@ foot). !˜/) operators could be used to match a string value against a shell pattern (represented also as a string). - <tag/ip/ + <tag><label id="type-ip">ip</tag> This type can hold a single IP address. Depending on the compile-time configuration of BIRD you are using, it is either an IPv4 or IPv6 address. IP addresses are written in the standard notation @@ -1029,7 +1061,7 @@ foot). first <cf><M>num</M></cf> bits from the IP address. So <cf/1.2.3.4.mask(8) = 1.0.0.0/ is true. - <tag/prefix/ + <tag><label id="type-prefix">prefix</tag> This type can hold a network prefix consisting of IP address and prefix length. Prefix literals are written as <cf><m/ipaddress//<m/pxlen/</cf>, or <cf><m>ipaddress</m>/<m>netmask</m></cf>. There are two special @@ -1037,7 +1069,7 @@ foot). pair, and <cf/.len/, which separates prefix length from the pair. So <cf>1.2.0.0/16.len = 16</cf> is true. - <tag/ec/ + <tag><label id="type-ec">ec</tag> This is a specialized type used to represent BGP extended community values. It is essentially a 64bit value, literals of this type are usually written as <cf>(<m/kind/, <m/key/, <m/value/)</cf>, where @@ -1048,7 +1080,16 @@ foot). for <cf/key/ and <cf/value/ parts, (e.g. <cf/(ro, myas, 3*10)/, where <cf/myas/ is an integer variable). - <tag/int|pair|quad|ip|prefix|ec|enum set/ + <tag><label id="type-lc">lc</tag> + This is a specialized type used to represent BGP large community + values. It is essentially a triplet of 32bit values, where the first + value is reserved for the AS number of the issuer, while meaning of + remaining parts is defined by the issuer. Literals of this type are + written as <cf/(123, 456, 789)/, with any integer values. Similarly to + pairs, LCs can be constructed using expressions for its parts, (e.g. + <cf/(myas, 10+20, 3*10)/, where <cf/myas/ is an integer variable). + + <tag><label id="type-set">int|pair|quad|ip|prefix|ec|lc|enum set</tag> Filters recognize four types of sets. Sets are similar to strings: you can pass them around but you can't modify them. Literals of type <cf>int set</cf> look like <cf> [ 1, 2, 5..7 ]</cf>. As you can see, both simple @@ -1067,9 +1108,15 @@ foot). (like <cf/(rt, *, 3)/) are not allowed (as they usually have 4B range for ASNs). - You can also use expressions for int, pair and EC set values. However it - must be possible to evaluate these expressions before daemon boots. So - you can use only constants inside them. E.g. + Also LC sets use similar expressions like pair sets. You can use ranges + and wildcards, but if one field uses that, more specific (later) fields + must be wildcards. E.g., <cf/(10, 20..30, *)/ or <cf/(10, 20, 30..40)/ + is valid, while <cf/(10, *, 20..30)/ or <cf/(10, 20..30, 40)/ is not + valid. + + You can also use expressions for int, pair, EC and LC set values. + However, it must be possible to evaluate these expressions before daemon + boots. So you can use only constants inside them. E.g. <code> define one=1; @@ -1118,12 +1165,12 @@ foot). <cf>192.168.0.0/16{16,24}</cf> and <cf>192.168.0.0/16 ge 24</cf> as <cf>192.168.0.0/16{24,32}</cf>. - <tag/enum/ + <tag><label id="type-enum">enum</tag> Enumeration types are fixed sets of possibilities. You can't define your own variables of such type, but some route attributes are of enumeration type. Enumeration types are incompatible with each other. - <tag/bgppath/ + <tag><label id="type-bgppath">bgppath</tag> BGP path is a list of autonomous system numbers. You can't write literals of this type. There are several special operators on bgppaths: @@ -1156,7 +1203,7 @@ foot). <cf><m/P/.prepend(<m/A/);</cf> if <m/P/ is appropriate route attribute (for example <cf/bgp_path/). Similarly for <cf/delete/ and <cf/filter/. - <tag/bgpmask/ + <tag><label id="type-bgpmask">bgpmask</tag> BGP masks are patterns used for BGP path matching (using <cf>path ˜ [= 2 3 5 * =]</cf> syntax). The masks resemble wildcard patterns as used by UNIX shells. Autonomous system numbers match themselves, @@ -1170,7 +1217,7 @@ foot). There is also old (deprecated) syntax that uses / .. / instead of [= .. =] and ? instead of *. - <tag/clist/ + <tag><label id="type-clist">clist</tag> Clist is similar to a set, except that unlike other sets, it can be modified. The type is used for community list (a set of pairs) and for cluster list (a set of quads). There exist no literals of this type. @@ -1199,16 +1246,24 @@ foot). <cf><m/C/.add(<m/P/);</cf> if <m/C/ is appropriate route attribute (for example <cf/bgp_community/). Similarly for <cf/delete/ and <cf/filter/. - <tag/eclist/ + <tag><label id="type-eclist">eclist</tag> Eclist is a data type used for BGP extended community lists. Eclists are very similar to clists, but they are sets of ECs instead of pairs. The same operations (like <cf/add/, <cf/delete/ or <cf/˜/ and <cf/!˜/ membership operators) can be used to modify or test eclists, with ECs instead of pairs as arguments. + + <tag/lclist/ + Lclist is a data type used for BGP large community lists. Like eclists, + lclists are very similar to clists, but they are sets of LCs instead of + pairs. The same operations (like <cf/add/, <cf/delete/ or <cf/˜/ + and <cf/!˜/ membership operators) can be used to modify or test + lclists, with LCs instead of pairs as arguments. </descrip> <sect>Operators +<label id="operators"> <p>The filter language supports common integer operators <cf>(+,-,*,/)</cf>, parentheses <cf/(a*(b+c))/, comparison <cf/(a=b, a!=b, a<b, a>=b)/. @@ -1228,9 +1283,9 @@ clist) or on clist and pair/quad set (returning true if there is an element of the clist that is also a member of the pair/quad set). <p>There is one operator related to ROA infrastructure - <cf/roa_check()/. It -examines a ROA table and does RFC 6483 route origin validation for a given -network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which checks -current route (which should be from BGP to have AS_PATH argument) in the +examines a ROA table and does <rfc id="6483"> route origin validation for a +given network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which +checks current route (which should be from BGP to have AS_PATH argument) in the specified ROA table and returns ROA_UNKNOWN if there is no relevant ROA, ROA_VALID if there is a matching ROA, or ROA_INVALID if there are some relevant ROAs but none of them match. There is also an extended variant @@ -1239,6 +1294,7 @@ prefix and an ASN as arguments. <sect>Control structures +<label id="control-structures"> <p>Filters support two control structures: conditions and case switches. @@ -1274,6 +1330,7 @@ if 1234 = i then printn "."; else { <sect>Route attributes +<label id="route-attributes"> <p>A filter is implicitly passed a route, and it can access its attributes just like it accesses variables. Attempts to access undefined attribute result in a @@ -1283,11 +1340,11 @@ rule are attributes of clist type, where undefined value is regarded as empty clist for most purposes. <descrip> - <tag><m/prefix/ net</tag> + <tag><label id="rta-net"><m/prefix/ net</tag> Network the route is talking about. Read-only. (See the chapter about routing tables.) - <tag><m/enum/ scope</tag> + <tag><label id="rta-scope"><m/enum/ scope</tag> The scope of the route. Possible values: <cf/SCOPE_HOST/ for routes local to this host, <cf/SCOPE_LINK/ for those specific for a physical link, <cf/SCOPE_SITE/ and <cf/SCOPE_ORGANIZATION/ for private routes and @@ -1295,33 +1352,33 @@ clist for most purposes. interpreted by BIRD and can be used to mark routes in filters. The default value for new routes is <cf/SCOPE_UNIVERSE/. - <tag><m/int/ preference</tag> + <tag><label id="rta-preference"><m/int/ preference</tag> Preference of the route. Valid values are 0-65535. (See the chapter about routing tables.) - <tag><m/ip/ from</tag> + <tag><label id="rta-from"><m/ip/ from</tag> The router which the route has originated from. - <tag><m/ip/ gw</tag> + <tag><label id="rta-gw"><m/ip/ gw</tag> Next hop packets routed using this route should be forwarded to. - <tag><m/string/ proto</tag> + <tag><label id="rta-proto"><m/string/ proto</tag> The name of the protocol which the route has been imported from. Read-only. - <tag><m/enum/ source</tag> + <tag><label id="rta-source"><m/enum/ source</tag> what protocol has told me about this route. Possible values: <cf/RTS_DUMMY/, <cf/RTS_STATIC/, <cf/RTS_INHERIT/, <cf/RTS_DEVICE/, <cf/RTS_STATIC_DEVICE/, <cf/RTS_REDIRECT/, <cf/RTS_RIP/, <cf/RTS_OSPF/, <cf/RTS_OSPF_IA/, <cf/RTS_OSPF_EXT1/, <cf/RTS_OSPF_EXT2/, <cf/RTS_BGP/, <cf/RTS_PIPE/, <cf/RTS_BABEL/. - <tag><m/enum/ cast</tag> + <tag><label id="rta-cast"><m/enum/ cast</tag> Route type (Currently <cf/RTC_UNICAST/ for normal routes, <cf/RTC_BROADCAST/, <cf/RTC_MULTICAST/, <cf/RTC_ANYCAST/ will be used in the future for broadcast, multicast and anycast routes). Read-only. - <tag><m/enum/ dest</tag> + <tag><label id="rta-dest"><m/enum/ dest</tag> Type of destination the packets should be sent to (<cf/RTD_ROUTER/ for forwarding to a neighboring router, <cf/RTD_DEVICE/ for routing to a directly-connected network, @@ -1332,18 +1389,18 @@ clist for most purposes. messages). Can be changed, but only to <cf/RTD_BLACKHOLE/, <cf/RTD_UNREACHABLE/ or <cf/RTD_PROHIBIT/. - <tag><m/string/ ifname</tag> + <tag><label id="rta-ifname"><m/string/ ifname</tag> Name of the outgoing interface. Sink routes (like blackhole, unreachable or prohibit) and multipath routes have no interface associated with them, so <cf/ifname/ returns an empty string for such routes. Read-only. - <tag><m/int/ ifindex</tag> + <tag><label id="rta-ifindex"><m/int/ ifindex</tag> Index of the outgoing interface. System wide index of the interface. May be used for interface matching, however indexes might change on interface creation/removal. Zero is returned for routes with undefined outgoing interfaces. Read-only. - <tag><m/int/ igp_metric</tag> + <tag><label id="rta-igp-metric"><m/int/ igp_metric</tag> The optional attribute that can be used to specify a distance to the network for routes that do not have a native protocol metric attribute (like <cf/ospf_metric1/ for OSPF routes). It is used mainly by BGP to @@ -1357,40 +1414,45 @@ corresponding protocol sections. <sect>Other statements +<label id="other-statements"> <p>The following statements are available: <descrip> - <tag><m/variable/ = <m/expr/</tag> + <tag><label id="assignment"><m/variable/ = <m/expr/</tag> Set variable to a given value. - <tag>accept|reject [ <m/expr/ ]</tag> + <tag><label id="filter-accept-reject">accept|reject [ <m/expr/ ]</tag> Accept or reject the route, possibly printing <cf><m>expr</m></cf>. - <tag>return <m/expr/</tag> + <tag><label id="return">return <m/expr/</tag> Return <cf><m>expr</m></cf> from the current function, the function ends at this point. - <tag>print|printn <m/expr/ [<m/, expr.../]</tag> + <tag><label id="print">print|printn <m/expr/ [<m/, expr.../]</tag> Prints given expressions; useful mainly while debugging filters. The <cf/printn/ variant does not terminate the line. - <tag>quitbird</tag> + <tag><label id="quitbird">quitbird</tag> Terminates BIRD. Useful when debugging the filter interpreter. </descrip> <chapt>Protocols +<label id="protocols"> <sect>Babel +<label id="babel"> <sect1>Introduction +<label id="babel-intro"> -<p>The Babel protocol (RFC6126) is a loop-avoiding distance-vector routing -protocol that is robust and efficient both in ordinary wired networks and in -wireless mesh networks. Babel is conceptually very simple in its operation and -"just works" in its default configuration, though some configuration is possible -and in some cases desirable. +<p>The Babel protocol +(<rfc id="6126">) is a loop-avoiding distance-vector routing protocol that is +robust and efficient both in ordinary wired networks and in wireless mesh +networks. Babel is conceptually very simple in its operation and "just works" +in its default configuration, though some configuration is possible and in some +cases desirable. <p>While the Babel protocol is dual stack (i.e., can carry both IPv4 and IPv6 routes over the same IPv6 transport), BIRD presently implements only the IPv6 @@ -1401,6 +1463,7 @@ just ignore extension messages). <p>The Babel protocol implementation in BIRD is currently in alpha stage. <sect1>Configuration +<label id="babel-config"> <p>Babel supports no global configuration options apart from those common to all other protocols, but supports the following per-interface configuration options: @@ -1423,7 +1486,7 @@ protocol babel [<name>] { </code> <descrip> - <tag>type wired|wireless </tag> + <tag><label id="babel-type">type wired|wireless </tag> This option specifies the interface type: Wired or wireless. Wired interfaces are considered more reliable, and so the default hello interval is higher, and a neighbour is considered unreachable after only @@ -1434,41 +1497,41 @@ protocol babel [<name>] { when packets are lost rather than the more binary up/down mechanism of wired type links. Default: <cf/wired/. - <tag>rxcost <m/num/</tag> + <tag><label id="babel-rxcost">rxcost <m/num/</tag> This specifies the RX cost of the interface. The route metrics will be computed from this value with a mechanism determined by the interface <cf/type/. Default: 96 for wired interfaces, 256 for wireless. - <tag>hello interval <m/num/</tag> + <tag><label id="babel-hello">hello interval <m/num/</tag> Interval at which periodic "hello" messages are sent on this interface, in seconds. Default: 4 seconds. - <tag>update interval <m/num/</tag> + <tag><label id="babel-update">update interval <m/num/</tag> Interval at which periodic (full) updates are sent. Default: 4 times the hello interval. - <tag>port <m/number/</tag> + <tag><label id="babel-port">port <m/number/</tag> This option selects an UDP port to operate on. The default is to operate on port 6696 as specified in the Babel RFC. - <tag>tx class|dscp|priority <m/number/</tag> + <tag><label id="babel-tx-class">tx class|dscp|priority <m/number/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the - outgoing Babel packets. See <ref id="dsc-prio" name="tx class"> common + outgoing Babel packets. See <ref id="proto-tx-class" name="tx class"> common option for detailed description. - <tag>rx buffer <m/number/</tag> + <tag><label id="babel-rx-buffer">rx buffer <m/number/</tag> This option specifies the size of buffers used for packet processing. The buffer size should be bigger than maximal size of received packets. The default value is the interface MTU, and the value will be clamped to a minimum of 512 bytes + IP packet overhead. - <tag>tx length <m/number/</tag> + <tag><label id="babel-tx-length">tx length <m/number/</tag> This option specifies the maximum length of generated Babel packets. To avoid IP fragmentation, it should not exceed the interface MTU value. The default value is the interface MTU value, and the value will be clamped to a minimum of 512 bytes + IP packet overhead. - <tag>check link <m/switch/</tag> + <tag><label id="babel-check-link">check link <m/switch/</tag> If set, the hardware link state (as reported by OS) is taken into consideration. When the link disappears (e.g. an ethernet cable is unplugged), neighbors are immediately considered unreachable and all @@ -1478,12 +1541,14 @@ protocol babel [<name>] { </descrip> <sect1>Attributes +<label id="babel-attr"> <p>Babel defines just one attribute: the internal babel metric of the route. It is exposed as the <cf/babel_metric/ attribute and has range from 1 to infinity (65535). <sect1>Example +<label id="babel-exam"> <p><code> protocol babel { @@ -1507,9 +1572,10 @@ protocol babel { <sect>BFD -<label id="sect-bfd"> +<label id="bfd"> <sect1>Introduction +<label id="bfd-intro"> <p>Bidirectional Forwarding Detection (BFD) is not a routing protocol itself, it is an independent tool providing liveness and failure detection. Routing @@ -1528,14 +1594,10 @@ addresses and associated interfaces. When a session changes its state, these protocols are notified and act accordingly (e.g. break an OSPF adjacency when the BFD session went down). -<p>BIRD implements basic BFD behavior as defined in -RFC 5880<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5880.txt"> -(some advanced features like the echo mode or authentication are not implemented), -IP transport for BFD as defined in -RFC 5881<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5881.txt"> and -RFC 5883<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5883.txt"> -and interaction with client protocols as defined in -RFC 5882<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5882.txt">. +<p>BIRD implements basic BFD behavior as defined in <rfc id="5880"> (some +advanced features like the echo mode or authentication are not implemented), IP +transport for BFD as defined in <rfc id="5881"> and <rfc id="5883"> and +interaction with client protocols as defined in <rfc id="5882">. <p>Note that BFD implementation in BIRD is currently a new feature in development, expect some rough edges and possible UI and configuration changes @@ -1547,6 +1609,7 @@ default a bit different dynamic port range than the IANA approved one <cf>/proc/sys/net/ipv4/ip_local_port_range</cf> <sect1>Configuration +<label id="bfd-config"> <p>BFD configuration consists mainly of multiple definitions of interfaces. Most BFD config options are session specific. When a new session is requested @@ -1574,6 +1637,19 @@ protocol bfd [<name>] { idle tx interval <time>; multiplier <num>; passive <switch>; + authentication none; + authentication simple; + authentication [meticulous] keyed md5|sha1; + password "<text>"; + password "<text>" { + id <num>; + generate from "<date>"; + generate to "<date>"; + accept from "<date>"; + accept to "<date>"; + from "<date>"; + to "<date>"; + }; }; multihop { interval <time>; @@ -1588,22 +1664,22 @@ protocol bfd [<name>] { </code> <descrip> - <tag>interface <m/pattern [, ...]/ { <m/options/ }</tag> + <tag><label id="bfd-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag> Interface definitions allow to specify options for sessions associated with such interfaces and also may contain interface specific options. - See <ref id="dsc-iface" name="interface"> common option for a detailed + See <ref id="proto-iface" name="interface"> common option for a detailed description of interface patterns. Note that contrary to the behavior of <cf/interface/ definitions of other protocols, BFD protocol would accept sessions (in default configuration) even on interfaces not covered by such definitions. - <tag>multihop { <m/options/ }</tag> + <tag><label id="bfd-multihop">multihop { <m/options/ }</tag> Multihop definitions allow to specify options for multihop BFD sessions, in the same manner as <cf/interface/ definitions are used for directly connected sessions. Currently only one such definition (for all multihop sessions) could be used. - <tag>neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag> + <tag><label id="bfd-neighbor">neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag> BFD sessions are usually created on demand as requested by other protocols (like OSPF or BGP). This option allows to explicitly add a BFD session to the specified neighbor regardless of such requests. @@ -1618,33 +1694,33 @@ protocol bfd [<name>] { <p>Session specific options (part of <cf/interface/ and <cf/multihop/ definitions): <descrip> - <tag>interval <m/time/</tag> + <tag><label id="bfd-interval">interval <m/time/</tag> BFD ensures availability of the forwarding path associated with the session by periodically sending BFD control packets in both directions. The rate of such packets is controlled by two options, <cf/min rx interval/ and <cf/min tx interval/ (see below). This option is just a shorthand to set both of these options together. - <tag>min rx interval <m/time/</tag> + <tag><label id="bfd-min-rx-interval">min rx interval <m/time/</tag> This option specifies the minimum RX interval, which is announced to the neighbor and used there to limit the neighbor's rate of generated BFD control packets. Default: 10 ms. - <tag>min tx interval <m/time/</tag> + <tag><label id="bfd-min-tx-interval">min tx interval <m/time/</tag> This option specifies the desired TX interval, which controls the rate of generated BFD control packets (together with <cf/min rx interval/ announced by the neighbor). Note that this value is used only if the BFD session is up, otherwise the value of <cf/idle tx interval/ is used instead. Default: 100 ms. - <tag>idle tx interval <m/time/</tag> + <tag><label id="bfd-idle-tx-interval">idle tx interval <m/time/</tag> In order to limit unnecessary traffic in cases where a neighbor is not available or not running BFD, the rate of generated BFD control packets is lower when the BFD session is not up. This option specifies the desired TX interval in such cases instead of <cf/min tx interval/. Default: 1 s. - <tag>multiplier <m/num/</tag> + <tag><label id="bfd-multiplier">multiplier <m/num/</tag> Failure detection time for BFD sessions is based on established rate of BFD control packets (<cf>min rx/tx interval</cf>) multiplied by this multiplier, which is essentially (ignoring jitter) a number of missed @@ -1652,14 +1728,41 @@ protocol bfd [<name>] { multipliers could be different in each direction of a BFD session. Default: 5. - <tag>passive <m/switch/</tag> + <tag><label id="bfd-passive">passive <m/switch/</tag> Generally, both BFD session endpoints try to establish the session by sending control packets to the other side. This option allows to enable passive mode, which means that the router does not send BFD packets until it has received one from the other side. Default: disabled. + + <tag>authentication none</tag> + No passwords are sent in BFD packets. This is the default value. + + <tag>authentication simple</tag> + Every packet carries 16 bytes of password. Received packets lacking this + password are ignored. This authentication mechanism is very weak. + + <tag>authentication [meticulous] keyed md5|sha1</tag> + An authentication code is appended to each packet. The cryptographic + algorithm is keyed MD5 or keyed SHA-1. Note that the algorithm is common + for all keys (on one interface), in contrast to OSPF or RIP, where it + is a per-key option. Passwords (keys) are not sent open via network. + + The <cf/meticulous/ variant means that cryptographic sequence numbers + are increased for each sent packet, while in the basic variant they are + increased about once per second. Generally, the <cf/meticulous/ variant + offers better resistance to replay attacks but may require more + computation. + + <tag>password "<M>text</M>"</tag> + Specifies a password used for authentication. See <ref id="dsc-pass" + name="password"> common option for detailed description. Note that + password option <cf/algorithm/ is not available in BFD protocol. The + algorithm is selected by <cf/authentication/ option for all passwords. + </descrip> <sect1>Example +<label id="bfd-exam"> <p><code> protocol bfd { @@ -1686,6 +1789,7 @@ protocol bfd { <sect>BGP +<label id="bgp"> <p>The Border Gateway Protocol is the routing protocol used for backbone level routing in the today's Internet. Contrary to other protocols, its convergence @@ -1709,33 +1813,19 @@ the packet will travel through if it uses the particular route) in order to avoid routing loops. <p>BIRD supports all requirements of the BGP4 standard as defined in -RFC 4271<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4271.txt"> -It also supports the community attributes -(RFC 1997<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1997.txt">), -capability negotiation -(RFC 5492<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5492.txt">), -MD5 password authentication -(RFC 2385<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2385.txt">), -extended communities -(RFC 4360<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4360.txt">), -route reflectors -(RFC 4456<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4456.txt">), -graceful restart -(RFC 4724<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4724.txt">), -multiprotocol extensions -(RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">), -4B AS numbers -(RFC 4893<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4893.txt">), -and 4B AS numbers in extended communities -(RFC 5668<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5668.txt">). +<rfc id="4271"> It also supports the community attributes (<rfc id="1997">), +capability negotiation (<rfc id="5492">), MD5 password authentication (<rfc +id="2385">), extended communities (<rfc id="4360">), route reflectors (<rfc +id="4456">), graceful restart (<rfc id="4724">), multiprotocol extensions +(<rfc id="4760">), 4B AS numbers (<rfc id="4893">), and 4B AS numbers in +extended communities (<rfc id="5668">). For IPv6, it uses the standard multiprotocol extensions defined in -RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt"> -and applied to IPv6 according to -RFC 2545<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2545.txt">. +<rfc id="4760"> and applied to IPv6 according to <rfc id="2545">. <sect1>Route selection rules +<label id="bgp-route-select-rules"> <p>BGP doesn't have any simple metric, so the rules for selection of an optimal route among multiple BGP routes with the same preference are a bit more complex @@ -1755,6 +1845,7 @@ choose among them and so on. </itemize> <sect1>IGP routing table +<label id="bgp-igp-routing-table"> <p>BGP is mainly concerned with global network reachability and with routes to other autonomous systems. When such routes are redistributed to routers in the @@ -1765,13 +1856,14 @@ boundary routers for the purpose of BGP route selection. In BIRD, there is usually one routing table used for both IGP routes and BGP routes. <sect1>Configuration +<label id="bgp-config"> <p>Each instance of the BGP corresponds to one neighboring router. This allows to set routing policy and all the other parameters differently for each neighbor using the following configuration parameters: <descrip> - <tag>local [<m/ip/] as <m/number/</tag> + <tag><label id="bgp-local">local [<m/ip/] as <m/number/</tag> Define which AS we are part of. (Note that contrary to other IP routers, BIRD is able to act as a router located in multiple AS'es simultaneously, but in such cases you need to tweak the BGP paths manually in the filters @@ -1779,7 +1871,7 @@ using the following configuration parameters: address, equivalent to the <cf/source address/ option (see below). This parameter is mandatory. - <tag>neighbor [<m/ip/] [port <m/number/] [as <m/number/]</tag> + <tag><label id="bgp-neighbor">neighbor [<m/ip/] [port <m/number/] [as <m/number/]</tag> Define neighboring router this instance will be talking to and what AS it is located in. In case the neighbor is in the same AS as we are, we automatically switch to iBGP. Optionally, the remote port may also be @@ -1788,20 +1880,20 @@ using the following configuration parameters: <cf/neighbor 10.0.0.1; neighbor as 65000;/ are valid). This parameter is mandatory. - <tag>interface <m/string/</tag> + <tag><label id="bgp-iface">interface <m/string/</tag> Define interface we should use for link-local BGP IPv6 sessions. Interface can also be specified as a part of <cf/neighbor address/ (e.g., <cf/neighbor fe80::1234%eth0 as 65000;/). It is an error to use this parameter for non link-local sessions. - <tag>direct</tag> + <tag><label id="bgp-direct">direct</tag> Specify that the neighbor is directly connected. The IP address of the neighbor must be from a directly reachable IP range (i.e. associated with one of your router's interfaces), otherwise the BGP session wouldn't start but it would wait for such interface to appear. The alternative is the <cf/multihop/ option. Default: enabled for eBGP. - <tag>multihop [<m/number/]</tag> + <tag><label id="bgp-multihop">multihop [<m/number/]</tag> Configure multihop BGP session to a neighbor that isn't directly connected. Accurately, this option should be used if the configured neighbor IP address does not match with any local network subnets. Such @@ -1813,22 +1905,22 @@ using the following configuration parameters: path is counted; i.e., if two BGP speakers are separated by one router, the number of hops is 2. Default: enabled for iBGP. - <tag>source address <m/ip/</tag> + <tag><label id="bgp-source-address">source address <m/ip/</tag> Define local address we should use for next hop calculation and as a source address for the BGP session. Default: the address of the local end of the interface our neighbor is connected to. - <tag>next hop self</tag> + <tag><label id="bgp-next-hop-self">next hop self</tag> Avoid calculation of the Next Hop attribute and always advertise our own source address as a next hop. This needs to be used only occasionally to circumvent misconfigurations of other routers. Default: disabled. - <tag>next hop keep</tag> + <tag><label id="bgp-next-hop-keep">next hop keep</tag> Forward the received Next Hop attribute even in situations where the local address should be used instead, like when the route is sent to an interface with a different subnet. Default: disabled. - <tag>missing lladdr self|drop|ignore</tag> + <tag><label id="bgp-missing-lladdr">missing lladdr self|drop|ignore</tag> Next Hop attribute in BGP-IPv6 sometimes contains just the global IPv6 address, but sometimes it has to contain both global and link-local IPv6 addresses. This option specifies what to do if BIRD have to send both @@ -1842,7 +1934,7 @@ using the following configuration parameters: route server (option <cf/rs client/), in that case default is <cf/ignore/, because route servers usually do not forward packets themselves. - <tag>gateway direct|recursive</tag> + <tag><label id="bgp-gateway">gateway direct|recursive</tag> For received routes, their <cf/gw/ (immediate next hop) attribute is computed from received <cf/bgp_next_hop/ attribute. This option specifies how it is computed. Direct mode means that the IP address from @@ -1857,45 +1949,45 @@ using the following configuration parameters: standard. Direct mode is simpler, does not require any routes in a routing table, and was used in older versions of BIRD, but does not handle well nontrivial iBGP setups and multihop. Recursive mode is - incompatible with <ref id="dsc-sorted" name="sorted tables">. Default: + incompatible with <ref id="dsc-table-sorted" name="sorted tables">. Default: <cf/direct/ for direct sessions, <cf/recursive/ for multihop sessions. - <tag>igp table <m/name/</tag> + <tag><label id="bgp-igp-table">igp table <m/name/</tag> Specifies a table that is used as an IGP routing table. Default: the same as the table BGP is connected to. - <tag>check link <M>switch</M></tag> + <tag><label id="bgp-check-link">check link <M>switch</M></tag> BGP could use hardware link state into consideration. If enabled, BIRD tracks the link state of the associated interface and when link disappears (e.g. an ethernet cable is unplugged), the BGP session is immediately shut down. Note that this option cannot be used with multihop BGP. Default: disabled. - <tag>bfd <M>switch</M></tag> + <tag><label id="bgp-bfd">bfd <M>switch</M></tag> BGP could use BFD protocol as an advisory mechanism for neighbor liveness and failure detection. If enabled, BIRD setups a BFD session for the BGP neighbor and tracks its liveness by it. This has an advantage of an order of magnitude lower detection times in case of failure. Note that BFD protocol also has to be configured, see - <ref id="sect-bfd" name="BFD"> section for details. Default: disabled. + <ref id="bfd" name="BFD"> section for details. Default: disabled. - <tag>ttl security <m/switch/</tag> - Use GTSM (RFC 5082 - the generalized TTL security mechanism). GTSM + <tag><label id="bgp-ttl-security">ttl security <m/switch/</tag> + Use GTSM (<rfc id="5082"> - the generalized TTL security mechanism). GTSM protects against spoofed packets by ignoring received packets with a smaller than expected TTL. To work properly, GTSM have to be enabled on - both sides of a BGP session. If both <cf/ttl security/ and <cf/multihop/ - options are enabled, <cf/multihop/ option should specify proper hop - value to compute expected TTL. Kernel support required: Linux: 2.6.34+ - (IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only. Note that full - (ICMP protection, for example) RFC 5082 support is provided by Linux - only. Default: disabled. - - <tag>password <m/string/</tag> - Use this password for MD5 authentication of BGP sessions (RFC 2385). - When used on BSD systems, see also <cf/setkey/ option below. Default: - no authentication. - - <tag>setkey <m/switch/</tag> + both sides of a BGP session. If both <cf/ttl security/ and + <cf/multihop/ options are enabled, <cf/multihop/ option should specify + proper hop value to compute expected TTL. Kernel support required: + Linux: 2.6.34+ (IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only. + Note that full (ICMP protection, for example) <rfc id="5082"> support is + provided by Linux only. Default: disabled. + + <tag><label id="bgp-pass">password <m/string/</tag> + Use this password for MD5 authentication of BGP sessions (<rfc id="2385">). When + used on BSD systems, see also <cf/setkey/ option below. Default: no + authentication. + + <tag><label id="bgp-setkey">setkey <m/switch/</tag> On BSD systems, keys for TCP MD5 authentication are stored in the global SA/SP database, which can be accessed by external utilities (e.g. setkey(8)). BIRD configures security associations in the SA/SP database @@ -1906,16 +1998,16 @@ using the following configuration parameters: set manually by an external utility on NetBSD and OpenBSD. Default: enabled (ignored on non-FreeBSD). - <tag>passive <m/switch/</tag> + <tag><label id="bgp-passive">passive <m/switch/</tag> Standard BGP behavior is both initiating outgoing connections and accepting incoming connections. In passive mode, outgoing connections are not initiated. Default: off. - <tag>rr client</tag> + <tag><label id="bgp-rr-client">rr client</tag> Be a route reflector and treat the neighbor as a route reflection client. Default: disabled. - <tag>rr cluster id <m/IPv4 address/</tag> + <tag><label id="bgp-rr-cluster-id">rr cluster id <m/IPv4 address/</tag> Route reflectors use cluster id to avoid route reflection loops. When there is one route reflector in a cluster it usually uses its router id as a cluster id, but when there are more route reflectors in a cluster, @@ -1923,26 +2015,26 @@ using the following configuration parameters: id. Clients in a cluster need not know their cluster id and this option is not allowed for them. Default: the same as router id. - <tag>rs client</tag> + <tag><label id="bgp-rs-client">rs client</tag> Be a route server and treat the neighbor as a route server client. A route server is used as a replacement for full mesh EBGP routing in Internet exchange points in a similar way to route reflectors used in - IBGP routing. BIRD does not implement obsoleted RFC 1863, but uses - ad-hoc implementation, which behaves like plain EBGP but reduces + IBGP routing. BIRD does not implement obsoleted <rfc id="1863">, but + uses ad-hoc implementation, which behaves like plain EBGP but reduces modifications to advertised route attributes to be transparent (for - example does not prepend its AS number to AS PATH attribute and keeps - MED attribute). Default: disabled. + example does not prepend its AS number to AS PATH attribute and + keeps MED attribute). Default: disabled. - <tag>secondary <m/switch/</tag> + <tag><label id="bgp-secondary">secondary <m/switch/</tag> Usually, if an export filter rejects a selected route, no other route is propagated for that network. This option allows to try the next route in order until one that is accepted is found or all routes for that network are rejected. This can be used for route servers that need to propagate different tables to each client but do not want to have these tables explicitly (to conserve memory). This option requires that the connected - routing table is <ref id="dsc-sorted" name="sorted">. Default: off. + routing table is <ref id="dsc-table-sorted" name="sorted">. Default: off. - <tag>add paths <m/switch/|rx|tx</tag> + <tag><label id="bgp-add-paths">add paths <m/switch/|rx|tx</tag> Standard BGP can propagate only one path (route) per destination network (usually the selected one). This option controls the add-path protocol extension, which allows to advertise any number of paths to a @@ -1951,7 +2043,7 @@ using the following configuration parameters: TX direction. When active, all available routes accepted by the export filter are advertised to the neighbor. Default: off. - <tag>allow local as [<m/number/]</tag> + <tag><label id="bgp-allow-local-as">allow local as [<m/number/]</tag> BGP prevents routing loops by rejecting received routes with the local AS number in the AS path. This option allows to loose or disable the check. Optional <cf/number/ argument can be used to specify the maximum @@ -1960,51 +2052,52 @@ using the following configuration parameters: completely disabled and you should ensure loop-free behavior by some other means. Default: 0 (no local AS number allowed). - <tag>enable route refresh <m/switch/</tag> + <tag><label id="bgp-enable-route-refresh">enable route refresh <m/switch/</tag> After the initial route exchange, BGP protocol uses incremental updates to keep BGP speakers synchronized. Sometimes (e.g., if BGP speaker changes its import filter, or if there is suspicion of inconsistency) it is necessary to do a new complete route exchange. BGP protocol extension - Route Refresh (RFC 2918) allows BGP speaker to request re-advertisement - of all routes from its neighbor. BGP protocol extension Enhanced Route - Refresh (RFC 7313) specifies explicit begin and end for such exchanges, - therefore the receiver can remove stale routes that were not advertised - during the exchange. This option specifies whether BIRD advertises these - capabilities and supports related procedures. Note that even when - disabled, BIRD can send route refresh requests. Default: on. - - <tag>graceful restart <m/switch/|aware</tag> + Route Refresh (<rfc id="2918">) allows BGP speaker to request + re-advertisement of all routes from its neighbor. BGP protocol + extension Enhanced Route Refresh (<rfc id="7313">) specifies explicit + begin and end for such exchanges, therefore the receiver can remove + stale routes that were not advertised during the exchange. This option + specifies whether BIRD advertises these capabilities and supports + related procedures. Note that even when disabled, BIRD can send route + refresh requests. Default: on. + + <tag><label id="bgp-graceful-restart">graceful restart <m/switch/|aware</tag> When a BGP speaker restarts or crashes, neighbors will discard all received paths from the speaker, which disrupts packet forwarding even - when the forwarding plane of the speaker remains intact. RFC 4724 - specifies an optional graceful restart mechanism to alleviate this - issue. This option controls the mechanism. It has three states: - Disabled, when no support is provided. Aware, when the graceful restart - support is announced and the support for restarting neighbors is - provided, but no local graceful restart is allowed (i.e. receiving-only - role). Enabled, when the full graceful restart support is provided - (i.e. both restarting and receiving role). Note that proper support for - local graceful restart requires also configuration of other protocols. - Default: aware. - - <tag>graceful restart time <m/number/</tag> + when the forwarding plane of the speaker remains intact. <rfc + id="4724"> specifies an optional graceful restart mechanism to + alleviate this issue. This option controls the mechanism. It has three + states: Disabled, when no support is provided. Aware, when the graceful + restart support is announced and the support for restarting neighbors + is provided, but no local graceful restart is allowed (i.e. + receiving-only role). Enabled, when the full graceful restart + support is provided (i.e. both restarting and receiving role). Note + that proper support for local graceful restart requires also + configuration of other protocols. Default: aware. + + <tag><label id="bgp-graceful-restart-time">graceful restart time <m/number/</tag> The restart time is announced in the BGP graceful restart capability and specifies how long the neighbor would wait for the BGP session to re-establish after a restart before deleting stale routes. Default: 120 seconds. - <tag>interpret communities <m/switch/</tag> - RFC 1997 demands that BGP speaker should process well-known communities - like no-export (65535, 65281) or no-advertise (65535, 65282). For - example, received route carrying a no-adverise community should not be - advertised to any of its neighbors. If this option is enabled (which is - by default), BIRD has such behavior automatically (it is evaluated when - a route is exported to the BGP protocol just before the export filter). - Otherwise, this integrated processing of well-known communities is - disabled. In that case, similar behavior can be implemented in the - export filter. Default: on. - - <tag>enable as4 <m/switch/</tag> + <tag><label id="bgp-interpret-communities">interpret communities <m/switch/</tag> + <rfc id="1997"> demands that BGP speaker should process well-known + communities like no-export (65535, 65281) or no-advertise (65535, + 65282). For example, received route carrying a no-adverise community + should not be advertised to any of its neighbors. If this option is + enabled (which is by default), BIRD has such behavior automatically (it + is evaluated when a route is exported to the BGP protocol just before + the export filter). Otherwise, this integrated processing of + well-known communities is disabled. In that case, similar behavior can + be implemented in the export filter. Default: on. + + <tag><label id="bgp-enable-as4">enable as4 <m/switch/</tag> BGP protocol was designed to use 2B AS numbers and was extended later to allow 4B AS number. BIRD supports 4B AS extension, but by disabling this option it can be persuaded not to advertise it and to maintain old-style @@ -2012,12 +2105,12 @@ using the following configuration parameters: in neighbor's implementation of 4B AS extension. Even when disabled (off), BIRD behaves internally as AS4-aware BGP router. Default: on. - <tag>enable extended messages <m/switch/</tag> + <tag><label id="bgp-enable-extended-messages">enable extended messages <m/switch/</tag> The BGP protocol uses maximum message length of 4096 bytes. This option provides an extension to allow extended messages with length up to 65535 bytes. Default: off. - <tag>capabilities <m/switch/</tag> + <tag><label id="bgp-capabilities">capabilities <m/switch/</tag> Use capability advertisement to advertise optional capabilities. This is standard behavior for newer BGP implementations, but there might be some older BGP implementations that reject such connection attempts. When @@ -2025,64 +2118,64 @@ using the following configuration parameters: disabled. Default: on, with automatic fallback to off when received capability-related error. - <tag>advertise ipv4 <m/switch/</tag> + <tag><label id="bgp-advertise-ipv4">advertise ipv4 <m/switch/</tag> Advertise IPv4 multiprotocol capability. This is not a correct behavior - according to the strict interpretation of RFC 4760, but it is widespread - and required by some BGP implementations (Cisco and Quagga). This option - is relevant to IPv4 mode with enabled capability advertisement - only. Default: on. + according to the strict interpretation of <rfc id="4760">, but it is + widespread and required by some BGP implementations (Cisco and Quagga). + This option is relevant to IPv4 mode with enabled capability + advertisement only. Default: on. - <tag>route limit <m/number/</tag> + <tag><label id="bgp-route-limit">route limit <m/number/</tag> The maximal number of routes that may be imported from the protocol. If the route limit is exceeded, the connection is closed with an error. Limit is currently implemented as <cf>import limit <m/number/ action restart</cf>. This option is obsolete and it is replaced by - <ref id="import-limit" name="import limit option">. Default: no limit. + <ref id="proto-import-limit" name="import limit option">. Default: no limit. - <tag>disable after error <m/switch/</tag> + <tag><label id="bgp-disable-after-error">disable after error <m/switch/</tag> When an error is encountered (either locally or by the other side), disable the instance automatically and wait for an administrator to fix the problem manually. Default: off. - <tag>hold time <m/number/</tag> + <tag><label id="bgp-hold-time">hold time <m/number/</tag> Time in seconds to wait for a Keepalive message from the other side before considering the connection stale. Default: depends on agreement with the neighboring router, we prefer 240 seconds if the other side is willing to accept it. - <tag>startup hold time <m/number/</tag> + <tag><label id="bgp-startup-hold-time">startup hold time <m/number/</tag> Value of the hold timer used before the routers have a chance to exchange open messages and agree on the real value. Default: 240 seconds. - <tag>keepalive time <m/number/</tag> + <tag><label id="bgp-keepalive-time">keepalive time <m/number/</tag> Delay in seconds between sending of two consecutive Keepalive messages. Default: One third of the hold time. - <tag>connect delay time <m/number/</tag> + <tag><label id="bgp-connect-delay-time">connect delay time <m/number/</tag> Delay in seconds between protocol startup and the first attempt to connect. Default: 5 seconds. - <tag>connect retry time <m/number/</tag> + <tag><label id="bgp-connect-retry-time">connect retry time <m/number/</tag> Time in seconds to wait before retrying a failed attempt to connect. Default: 120 seconds. - <tag>error wait time <m/number/,<m/number/</tag> + <tag><label id="bgp-error-wait-time">error wait time <m/number/,<m/number/</tag> Minimum and maximum delay in seconds between a protocol failure (either local or reported by the peer) and automatic restart. Doesn't apply when <cf/disable after error/ is configured. If consecutive errors happen, the delay is increased exponentially until it reaches the maximum. Default: 60, 300. - <tag>error forget time <m/number/</tag> + <tag><label id="bgp-error-forget-time">error forget time <m/number/</tag> Maximum time in seconds between two protocol failures to treat them as a error sequence which makes <cf/error wait time/ increase exponentially. Default: 300 seconds. - <tag>path metric <m/switch/</tag> + <tag><label id="bgp-path-metric">path metric <m/switch/</tag> Enable comparison of path lengths when deciding which BGP route is the best one. Default: on. - <tag>med metric <m/switch/</tag> + <tag><label id="bgp-med-metric">med metric <m/switch/</tag> Enable comparison of MED attributes (during best route selection) even between routes received from different ASes. This may be useful if all MED attributes contain some consistent metric, perhaps enforced in @@ -2090,35 +2183,35 @@ using the following configuration parameters: attributes are compared only if routes are received from the same AS (which is the standard behavior). Default: off. - <tag>deterministic med <m/switch/</tag> + <tag><label id="bgp-deterministic-med">deterministic med <m/switch/</tag> BGP route selection algorithm is often viewed as a comparison between individual routes (e.g. if a new route appears and is better than the current best one, it is chosen as the new best one). But the proper - route selection, as specified by RFC 4271, cannot be fully implemented - in that way. The problem is mainly in handling the MED attribute. BIRD, - by default, uses an simplification based on individual route comparison, - which in some cases may lead to temporally dependent behavior (i.e. the - selection is dependent on the order in which routes appeared). This - option enables a different (and slower) algorithm implementing proper - RFC 4271 route selection, which is deterministic. Alternative way how to - get deterministic behavior is to use <cf/med metric/ option. This option - is incompatible with <ref id="dsc-sorted" name="sorted tables">. - Default: off. - - <tag>igp metric <m/switch/</tag> + route selection, as specified by <rfc id="4271">, cannot be fully + implemented in that way. The problem is mainly in handling the MED + attribute. BIRD, by default, uses an simplification based on individual + route comparison, which in some cases may lead to temporally dependent + behavior (i.e. the selection is dependent on the order in which routes + appeared). This option enables a different (and slower) algorithm + implementing proper <rfc id="4271"> route selection, which is + deterministic. Alternative way how to get deterministic behavior is to + use <cf/med metric/ option. This option is incompatible with <ref + id="dsc-table-sorted" name="sorted tables">. Default: off. + + <tag><label id="bgp-igp-metric">igp metric <m/switch/</tag> Enable comparison of internal distances to boundary routers during best route selection. Default: on. - <tag>prefer older <m/switch/</tag> + <tag><label id="bgp-prefer-older">prefer older <m/switch/</tag> Standard route selection algorithm breaks ties by comparing router IDs. This changes the behavior to prefer older routes (when both are external - and from different peer). For details, see RFC 5004. Default: off. + and from different peer). For details, see <rfc id="5004">. Default: off. - <tag>default bgp_med <m/number/</tag> + <tag><label id="bgp-default-med">default bgp_med <m/number/</tag> Value of the Multiple Exit Discriminator to be used during route selection when the MED attribute is missing. Default: 0. - <tag>default bgp_local_pref <m/number/</tag> + <tag><label id="bgp-default-local-pref">default bgp_local_pref <m/number/</tag> A default value for the Local Preference attribute. It is used when a new Local Preference attribute is attached to a route by the BGP protocol itself (for example, if a route is received through eBGP and @@ -2127,23 +2220,24 @@ using the following configuration parameters: </descrip> <sect1>Attributes +<label id="bgp-attr"> <p>BGP defines several route attributes. Some of them (those marked with `<tt/I/' in the table below) are available on internal BGP connections only, some of them (marked with `<tt/O/') are optional. <descrip> - <tag>bgppath <cf/bgp_path/</tag> + <tag><label id="rta-bgp-path">bgppath bgp_path/</tag> Sequence of AS numbers describing the AS path the packet will travel through when forwarded according to the particular route. In case of internal BGP it doesn't contain the number of the local AS. - <tag>int <cf/bgp_local_pref/ [I]</tag> + <tag><label id="rta-bgp-local-pref">int bgp_local_pref/ [I]</tag> Local preference value used for selection among multiple BGP routes (see the selection rules above). It's used as an additional metric which is propagated through the whole local AS. - <tag>int <cf/bgp_med/ [O]</tag> + <tag><label id="rta-bgp-med">int bgp_med/ [O]</tag> The Multiple Exit Discriminator of the route is an optional attribute which is used on external (inter-AS) links to convey to an adjacent AS the optimal entry point into the local AS. The received attribute is @@ -2151,23 +2245,23 @@ some of them (marked with `<tt/O/') are optional. when a route is exported to an external BGP instance to ensure that the attribute received from a neighboring AS is not propagated to other neighboring ASes. A new value might be set in the export filter of an - external BGP instance. See RFC 4451<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4451.txt"> - for further discussion of BGP MED attribute. + external BGP instance. See <rfc id="4451"> for further discussion of + BGP MED attribute. - <tag>enum <cf/bgp_origin/</tag> + <tag><label id="rta-bgp-origin">enum bgp_origin/</tag> Origin of the route: either <cf/ORIGIN_IGP/ if the route has originated in an interior routing protocol or <cf/ORIGIN_EGP/ if it's been imported from the <tt>EGP</tt> protocol (nowadays it seems to be obsolete) or <cf/ORIGIN_INCOMPLETE/ if the origin is unknown. - <tag>ip <cf/bgp_next_hop/</tag> + <tag><label id="rta-bgp-next-hop">ip bgp_next_hop/</tag> Next hop to be used for forwarding of packets to this destination. On internal BGP connections, it's an address of the originating router if it's inside the local AS or a boundary router the packet will leave the AS through if it's an exterior route, so each BGP speaker within the AS has a chance to use the shortest interior path possible to this point. - <tag>void <cf/bgp_atomic_aggr/ [O]</tag> + <tag><label id="rta-bgp-atomic-aggr">void bgp_atomic_aggr/ [O]</tag> This is an optional attribute which carries no value, but the sole presence of which indicates that the route has been aggregated from multiple routes by some router on the path from the originator. @@ -2175,7 +2269,7 @@ some of them (marked with `<tt/O/') are optional. <!-- we don't handle aggregators right since they are of a very obscure type <tag>bgp_aggregator</tag> --> - <tag>clist <cf/bgp_community/ [O]</tag> + <tag><label id="rta-bgp-community">clist bgp_community/ [O]</tag> List of community values associated with the route. Each such value is a pair (represented as a <cf/pair/ data type inside the filters) of 16-bit integers, the first of them containing the number of the AS which @@ -2186,24 +2280,33 @@ some of them (marked with `<tt/O/') are optional. freedom about which community attributes it defines and what will their semantics be. - <tag>eclist <cf/bgp_ext_community/ [O]</tag> + <tag><label id="rta-bgp-ext-community">eclist bgp_ext_community/ [O]</tag> List of extended community values associated with the route. Extended communities have similar usage as plain communities, but they have an extended range (to allow 4B ASNs) and a nontrivial structure with a type field. Individual community values are represented using an <cf/ec/ data type inside the filters. - <tag>quad <cf/bgp_originator_id/ [I, O]</tag> + <tag><label id="rta-bgp-large-community">lclist <cf/bgp_large_community/ [O]</tag> + List of large community values associated with the route. Large BGP + communities is another variant of communities, but contrary to extended + communities they behave very much the same way as regular communities, + just larger -- they are uniform untyped triplets of 32bit numbers. + Individual community values are represented using an <cf/lc/ data type + inside the filters. + + <tag><label id="rta-bgp-originator-id">quad bgp_originator_id/ [I, O]</tag> This attribute is created by the route reflector when reflecting the route and contains the router ID of the originator of the route in the local AS. - <tag>clist <cf/bgp_cluster_list/ [I, O]</tag> + <tag><label id="rta-bgp-cluster-list">clist bgp_cluster_list/ [I, O]</tag> This attribute contains a list of cluster IDs of route reflectors. Each route reflector prepends its cluster ID when reflecting the route. </descrip> <sect1>Example +<label id="bgp-exam"> <p><code> protocol bgp { @@ -2229,6 +2332,7 @@ protocol bgp { <sect>Device +<label id="device"> <p>The Device protocol is not a real routing protocol. It doesn't generate any routes and it only serves as a module for getting information about network @@ -2239,17 +2343,18 @@ protocol in the configuration since almost all other protocols require network interfaces to be defined for them to work with. <sect1>Configuration +<label id="device-config"> <p><descrip> - <tag>scan time <m/number/</tag> + <tag><label id="device-scan-time">scan time <m/number/</tag> Time in seconds between two scans of the network interface list. On systems where we are notified about interface status changes asynchronously (such as newer versions of Linux), we need to scan the list only in order to avoid confusion by lost notification messages, so the default time is set to a large value. - <tag>primary [ "<m/mask/" ] <m/prefix/</tag> + <tag><label id="device-primary">primary [ "<m/mask/" ] <m/prefix/</tag> If a network interface has more than one network address, BIRD has to choose one of them as a primary one. By default, BIRD chooses the lexicographically smallest address as the primary one. @@ -2277,6 +2382,7 @@ protocol device { <sect>Direct +<label id="direct"> <p>The Direct protocol is a simple generator of device routes for all the directly connected networks according to the list of interfaces provided by the @@ -2302,16 +2408,16 @@ on Linux systems BIRD cannot change non-BIRD route in the kernel routing table. <p>There are just few configuration options for the Direct protocol: <p><descrip> - <tag>interface <m/pattern [, ...]/</tag> + <tag><label id="direct-iface">interface <m/pattern/ [, <m/.../]</tag> By default, the Direct protocol will generate device routes for all the interfaces available. If you want to restrict it to some subset of interfaces or addresses (e.g. if you're using multiple routing tables for policy routing and some of the policy domains don't contain all - interfaces), just use this clause. See <ref id="dsc-iface" name="interface"> + interfaces), just use this clause. See <ref id="proto-iface" name="interface"> common option for detailed description. The Direct protocol uses extended interface clauses. - <tag>check link <m/switch/</tag> + <tag><label id="direct-check-link">check link <m/switch/</tag> If enabled, a hardware link state (reported by OS) is taken into consideration. Routes for directly connected networks are generated only if link up is reported and they are withdrawn when link disappears @@ -2330,6 +2436,7 @@ protocol direct { <sect>Kernel +<label id="krt"> <p>The Kernel protocol is not a real routing protocol. Instead of communicating with other routers in the network, it performs synchronization of BIRD's routing @@ -2362,34 +2469,35 @@ kernel protocols to the same routing table and changing route destination limitations can be overcome using another routing table and the pipe protocol. <sect1>Configuration +<label id="krt-config"> <p><descrip> - <tag>persist <m/switch/</tag> + <tag><label id="krt-persist">persist <m/switch/</tag> Tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up). - <tag>scan time <m/number/</tag> + <tag><label id="krt-scan-time">scan time <m/number/</tag> Time in seconds between two consecutive scans of the kernel routing table. - <tag>learn <m/switch/</tag> + <tag><label id="krt-learn">learn <m/switch/</tag> Enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator. This is possible only on systems which support identification of route authorship. - <tag>device routes <m/switch/</tag> + <tag><label id="krt-device-routes">device routes <m/switch/</tag> Enable export of device routes to the kernel routing table. By default, such routes are rejected (with the exception of explicitly configured device routes from the static protocol) regardless of the export filter to protect device routes in kernel routing table (managed by OS itself) from accidental overwriting or erasing. - <tag>kernel table <m/number/</tag> + <tag><label id="krt-kernel-table">kernel table <m/number/</tag> Select which kernel table should this particular instance of the Kernel protocol work with. Available only on systems supporting multiple routing tables. - <tag>metric <m/number/</tag> (Linux) + <tag><label id="krt-metric">metric <m/number/</tag> (Linux) Use specified value as a kernel metric (priority) for all routes sent to the kernel. When multiple routes for the same network are in the kernel routing table, the Linux kernel chooses one with lower metric. Also, @@ -2400,13 +2508,13 @@ limitations can be overcome using another routing table and the pipe protocol. or per-route metric can be set using <cf/krt_metric/ attribute. Default: 0 (undefined). - <tag>graceful restart <m/switch/</tag> + <tag><label id="krt-graceful-restart">graceful restart <m/switch/</tag> Participate in graceful restart recovery. If this option is enabled and a graceful restart recovery is active, the Kernel protocol will defer synchronization of routing tables until the end of the recovery. Note that import of kernel routes to BIRD is not affected. - <tag>merge paths <M>switch</M> [limit <M>number</M>]</tag> + <tag><label id="krt-merge-paths">merge paths <M>switch</M> [limit <M>number</M>]</tag> Usually, only best routes are exported to the kernel protocol. With path merging enabled, both best routes and equivalent non-best routes are merged during export to generate one ECMP (equal-cost multipath) route @@ -2420,32 +2528,33 @@ limitations can be overcome using another routing table and the pipe protocol. </descrip> <sect1>Attributes +<label id="krt-attr"> <p>The Kernel protocol defines several attributes. These attributes are translated to appropriate system (and OS-specific) route attributes. We support these attributes: <descrip> - <tag>int <cf/krt_source/</tag> + <tag><label id="rta-krt-source">int krt_source/</tag> The original source of the imported kernel route. The value is system-dependent. On Linux, it is a value of the protocol field of the route. See /etc/iproute2/rt_protos for common values. On BSD, it is based on STATIC and PROTOx flags. The attribute is read-only. - <tag>int <cf/krt_metric/</tag> (Linux) + <tag><label id="rta-krt-metric">int krt_metric/</tag> (Linux) The kernel metric of the route. When multiple same routes are in a kernel routing table, the Linux kernel chooses one with lower metric. Note that preferred way to set kernel metric is to use protocol option <cf/metric/, unless per-route metric values are needed. - <tag>ip <cf/krt_prefsrc/</tag> (Linux) + <tag><label id="rta-krt-prefsrc">ip krt_prefsrc/</tag> (Linux) The preferred source address. Used in source address selection for outgoing packets. Has to be one of the IP addresses of the router. - <tag>int <cf/krt_realm/</tag> (Linux) + <tag><label id="rta-krt-realm">int krt_realm/</tag> (Linux) The realm of the route. Can be used for traffic classification. - <tag>int <cf/krt_scope/</tag> (Linux IPv4) + <tag><label id="rta-krt-scope">int krt_scope/</tag> (Linux IPv4) The scope of the route. Valid values are 0-254, although Linux kernel may reject some values depending on route type and nexthop. It is supposed to represent `indirectness' of the route, where nexthops of @@ -2470,6 +2579,7 @@ Supported attributes are: <cf/krt_feature_ecn/, <cf/krt_feature_allfrag/ <sect1>Example +<label id="krt-exam"> <p>A simple configuration can look this way: @@ -2499,19 +2609,19 @@ protocol kernel { # Secondary routing table <sect>OSPF +<label id="ospf"> <sect1>Introduction +<label id="ospf-intro"> <p>Open Shortest Path First (OSPF) is a quite complex interior gateway -protocol. The current IPv4 version (OSPFv2) is defined in RFC 2328 -<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2328.txt"> -and the current IPv6 version (OSPFv3) is defined in RFC 5340 -<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5340.txt"> -It's a link state (a.k.a. shortest path first) protocol -- each router maintains -a database describing the autonomous system's topology. Each participating -router has an identical copy of the database and all routers run the same -algorithm calculating a shortest path tree with themselves as a root. OSPF -chooses the least cost path as the best path. +protocol. The current IPv4 version (OSPFv2) is defined in <rfc id="2328"> and +the current IPv6 version (OSPFv3) is defined in <rfc id="5340"> It's a link +state (a.k.a. shortest path first) protocol -- each router maintains a database +describing the autonomous system's topology. Each participating router has an +identical copy of the database and all routers run the same algorithm +calculating a shortest path tree with themselves as a root. OSPF chooses the +least cost path as the best path. <p>In OSPF, the autonomous system can be split to several areas in order to reduce the amount of resources consumed for exchanging the routing information @@ -2535,6 +2645,7 @@ identical by flooding updates. The flooding process is reliable and ensures that each router detects all changes. <sect1>Configuration +<label id="ospf-config"> <p>In the main part of configuration, there can be multiple definitions of OSPF areas, each with a different id. These definitions includes many other switches @@ -2600,7 +2711,7 @@ protocol ospf <name> { ttl security [<switch>; | tx only] tx class|dscp <num>; tx priority <num>; - authentication [none|simple|cryptographic]; + authentication none|simple|cryptographic; password "<text>"; password "<text>" { id <num>; @@ -2608,6 +2719,9 @@ protocol ospf <name> { generate to "<date>"; accept from "<date>"; accept to "<date>"; + from "<date>"; + to "<date>"; + algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 ); }; neighbors { <ip>; @@ -2620,20 +2734,29 @@ protocol ospf <name> { wait <num>; dead count <num>; dead <num>; - authentication [none|simple|cryptographic]; + authentication none|simple|cryptographic; password "<text>"; + password "<text>" { + id <num>; + generate from "<date>"; + generate to "<date>"; + accept from "<date>"; + accept to "<date>"; + from "<date>"; + to "<date>"; + algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 ); + }; }; }; } </code> <descrip> - <tag>rfc1583compat <M>switch</M></tag> + <tag><label id="ospf-rfc1583compat">rfc1583compat <M>switch</M></tag> This option controls compatibility of routing table calculation with - RFC 1583 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1583.txt">. - Default value is no. + <rfc id="1583">. Default value is no. - <tag>instance id <m/num/</tag> + <tag><label id="ospf-instance-id">instance id <m/num/</tag> When multiple OSPF protocol instances are active on the same links, they should use different instance IDs to distinguish their packets. Although it could be done on per-interface basis, it is often preferred to set @@ -2643,22 +2766,21 @@ protocol ospf <name> { interfaces of the OSPF instance. Note that this option, if used, must precede interface definitions. Default value is 0. - <tag>stub router <M>switch</M></tag> + <tag><label id="ospf-stub-router">stub router <M>switch</M></tag> This option configures the router to be a stub router, i.e., a router that participates in the OSPF topology but does not allow transit traffic. In OSPFv2, this is implemented by advertising maximum metric for outgoing links. In OSPFv3, the stub router behavior is announced by - clearing the R-bit in the router LSA. See RFC 6987 - <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6987.txt"> for - details. Default value is no. + clearing the R-bit in the router LSA. See <rfc id="6987"> for details. + Default value is no. - <tag>tick <M>num</M></tag> + <tag><label id="ospf-tick">tick <M>num</M></tag> The routing table calculation and clean-up of areas' databases is not performed when a single link state change arrives. To lower the CPU utilization, it's processed later at periodical intervals of <m/num/ seconds. The default value is 1. - <tag>ecmp <M>switch</M> [limit <M>number</M>]</tag> + <tag><label id="ospf-ecmp">ecmp <M>switch</M> [limit <M>number</M>]</tag> This option specifies whether OSPF is allowed to generate ECMP (equal-cost multipath) routes. Such routes are used when there are several directions to the destination, each with the same (computed) @@ -2666,7 +2788,7 @@ protocol ospf <name> { nexthops in one route. By default, ECMP is disabled. If enabled, default value of the limit is 16. - <tag>merge external <M>switch</M></tag> + <tag><label id="ospf-merge-external">merge external <M>switch</M></tag> This option specifies whether OSPF should merge external routes from different routers/LSAs for the same destination. When enabled together with <cf/ecmp/, equal-cost external routes will be combined to multipath @@ -2674,18 +2796,18 @@ protocol ospf <name> { from different LSAs are treated as separate even if they represents the same destination. Default value is no. - <tag>area <M>id</M></tag> + <tag><label id="ospf-area">area <M>id</M></tag> This defines an OSPF area with given area ID (an integer or an IPv4 address, similarly to a router ID). The most important area is the backbone (ID 0) to which every other area must be connected. - <tag>stub</tag> + <tag><label id="ospf-stub">stub</tag> This option configures the area to be a stub area. External routes are not flooded into stub areas. Also summary LSAs can be limited in stub areas (see option <cf/summary/). By default, the area is not a stub area. - <tag>nssa</tag> + <tag><label id="ospf-nssa">nssa</tag> This option configures the area to be a NSSA (Not-So-Stubby Area). NSSA is a variant of a stub area which allows a limited way of external route propagation. Global external routes are not propagated into a NSSA, but @@ -2693,7 +2815,7 @@ protocol ospf <name> { (and possibly translated and/or aggregated on area boundary). By default, the area is not NSSA. - <tag>summary <M>switch</M></tag> + <tag><label id="ospf-summary">summary <M>switch</M></tag> This option controls propagation of summary LSAs into stub or NSSA areas. If enabled, summary LSAs are propagated as usual, otherwise just the default summary route (0.0.0.0/0) is propagated (this is sometimes @@ -2701,43 +2823,43 @@ protocol ospf <name> { routers, propagating summary LSAs could lead to more efficient routing at the cost of larger link state database. Default value is no. - <tag>default nssa <M>switch</M></tag> + <tag><label id="ospf-default-nssa">default nssa <M>switch</M></tag> When <cf/summary/ option is enabled, default summary route is no longer propagated to the NSSA. In that case, this option allows to originate default route as NSSA-LSA to the NSSA. Default value is no. - <tag>default cost <M>num</M></tag> + <tag><label id="ospf-default-cost">default cost <M>num</M></tag> This option controls the cost of a default route propagated to stub and NSSA areas. Default value is 1000. - <tag>default cost2 <M>num</M></tag> + <tag><label id="ospf-default-cost2">default cost2 <M>num</M></tag> When a default route is originated as NSSA-LSA, its cost can use either type 1 or type 2 metric. This option allows to specify the cost of a default route in type 2 metric. By default, type 1 metric (option <cf/default cost/) is used. - <tag>translator <M>switch</M></tag> + <tag><label id="ospf-translator">translator <M>switch</M></tag> This option controls translation of NSSA-LSAs into external LSAs. By default, one translator per NSSA is automatically elected from area boundary routers. If enabled, this area boundary router would unconditionally translate all NSSA-LSAs regardless of translator election. Default value is no. - <tag>translator stability <M>num</M></tag> + <tag><label id="ospf-translator-stability">translator stability <M>num</M></tag> This option controls the translator stability interval (in seconds). When the new translator is elected, the old one keeps translating until the interval is over. Default value is 40. - <tag>networks { <m/set/ }</tag> + <tag><label id="ospf-networks">networks { <m/set/ }</tag> Definition of area IP ranges. This is used in summary LSA origination. Hidden networks are not propagated into other areas. - <tag>external { <m/set/ }</tag> + <tag><label id="ospf-external">external { <m/set/ }</tag> Definition of external area IP ranges for NSSAs. This is used for NSSA-LSA translation. Hidden networks are not translated into external LSAs. Networks can have configured route tag. - <tag>stubnet <m/prefix/ { <m/options/ }</tag> + <tag><label id="ospf-stubnet">stubnet <m/prefix/ { <m/options/ }</tag> Stub networks are networks that are not transit networks between OSPF routers. They are also propagated through an OSPF area as a part of a link state database. By default, BIRD generates a stub network record @@ -2753,67 +2875,66 @@ protocol ospf <name> { that are subnetworks of given stub network are suppressed. This might be used, for example, to aggregate generated stub networks. - <tag>interface <M>pattern</M> [instance <m/num/]</tag> + <tag><label id="ospf-iface">interface <M>pattern</M> [instance <m/num/]</tag> Defines that the specified interfaces belong to the area being defined. - See <ref id="dsc-iface" name="interface"> common option for detailed + See <ref id="proto-iface" name="interface"> common option for detailed description. In OSPFv2, extended interface clauses are used, because each network prefix is handled as a separate virtual interface. You can specify alternative instance ID for the interface definition, therefore it is possible to have several instances of that interface - with different options or even in different areas. For OSPFv2, - instance ID support is an extension (RFC 6549 - <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6549.txt">) and is - supposed to be set per-protocol. For OSPFv3, it is an integral feature. + with different options or even in different areas. For OSPFv2, instance + ID support is an extension (<rfc id="6549">) and is supposed to be set + per-protocol. For OSPFv3, it is an integral feature. - <tag>virtual link <M>id</M> [instance <m/num/]</tag> + <tag><label id="ospf-virtual-link">virtual link <M>id</M> [instance <m/num/]</tag> Virtual link to router with the router id. Virtual link acts as a point-to-point interface belonging to backbone. The actual area is used as a transport area. This item cannot be in the backbone. Like with <cf/interface/ option, you could also use several virtual links to one destination with different instance IDs. - <tag>cost <M>num</M></tag> + <tag><label id="ospf-cost">cost <M>num</M></tag> Specifies output cost (metric) of an interface. Default value is 10. - <tag>stub <M>switch</M></tag> + <tag><label id="ospf-stub-iface">stub <M>switch</M></tag> If set to interface it does not listen to any packet and does not send any hello. Default value is no. - <tag>hello <M>num</M></tag> + <tag><label id="ospf-hello">hello <M>num</M></tag> Specifies interval in seconds between sending of Hello messages. Beware, all routers on the same network need to have the same hello interval. Default value is 10. - <tag>poll <M>num</M></tag> + <tag><label id="ospf-poll">poll <M>num</M></tag> Specifies interval in seconds between sending of Hello messages for some neighbors on NBMA network. Default value is 20. - <tag>retransmit <M>num</M></tag> + <tag><label id="ospf-retransmit">retransmit <M>num</M></tag> Specifies interval in seconds between retransmissions of unacknowledged updates. Default value is 5. - <tag>priority <M>num</M></tag> + <tag><label id="ospf-priority">priority <M>num</M></tag> On every multiple access network (e.g., the Ethernet) Designated Router and Backup Designated router are elected. These routers have some special functions in the flooding process. Higher priority increases preferences in this election. Routers with priority 0 are not eligible. Default value is 1. - <tag>wait <M>num</M></tag> + <tag><label id="ospf-wait">wait <M>num</M></tag> After start, router waits for the specified number of seconds between starting election and building adjacency. Default value is 4*<m/hello/. - <tag>dead count <M>num</M></tag> + <tag><label id="ospf-dead-count">dead count <M>num</M></tag> When the router does not receive any messages from a neighbor in <m/dead count/*<m/hello/ seconds, it will consider the neighbor down. - <tag>dead <M>num</M></tag> + <tag><label id="ospf-dead">dead <M>num</M></tag> When the router does not receive any messages from a neighbor in <m/dead/ seconds, it will consider the neighbor down. If both directives <cf/dead count/ and <cf/dead/ are used, <cf/dead/ has precedence. - <tag>secondary <M>switch</M></tag> + <tag><label id="ospf-secondary">secondary <M>switch</M></tag> On BSD systems, older versions of BIRD supported OSPFv2 only for the primary IP address of an interface, other IP ranges on the interface were handled as stub networks. Since v1.4.1, regular operation on @@ -2823,14 +2944,14 @@ protocol ospf <name> { behavior will be changed. On Linux systems, the option is irrelevant, as operation on non-primary addresses is already the regular behavior. - <tag>rx buffer <M>num</M></tag> + <tag><label id="ospf-rx-buffer">rx buffer <M>num</M></tag> This option allows to specify the size of buffers used for packet processing. The buffer size should be bigger than maximal size of any packets. By default, buffers are dynamically resized as needed, but a fixed value could be specified. Value <cf/large/ means maximal allowed packet size - 65535. - <tag>tx length <M>num</M></tag> + <tag><label id="ospf-tx-length">tx length <M>num</M></tag> Transmitted OSPF messages that contain large amount of information are segmented to separate OSPF packets to avoid IP fragmentation. This option specifies the soft ceiling for the length of generated OSPF @@ -2838,7 +2959,7 @@ protocol ospf <name> { larger OSPF packets may still be generated if underlying OSPF messages cannot be splitted (e.g. when one large LSA is propagated). - <tag>type broadcast|bcast</tag> + <tag><label id="ospf-type-bcast">type broadcast|bcast</tag> BIRD detects a type of a connected network automatically, but sometimes it's convenient to force use of a different type manually. On broadcast networks (like ethernet), flooding and Hello messages are sent using @@ -2848,7 +2969,7 @@ protocol ospf <name> { on physically NBMA networks and on unnumbered networks (networks without proper IP prefix). - <tag>type pointopoint|ptp</tag> + <tag><label id="ospf-type-ptp">type pointopoint|ptp</tag> Point-to-point networks connect just 2 routers together. No election is performed and no network LSA is originated, which makes it simpler and faster to establish. This network type is useful not only for physically @@ -2856,31 +2977,31 @@ protocol ospf <name> { as PtP links. This network type cannot be used on physically NBMA networks. - <tag>type nonbroadcast|nbma</tag> + <tag><label id="ospf-type-nbma">type nonbroadcast|nbma</tag> On NBMA networks, the packets are sent to each neighbor separately because of lack of multicast capabilities. Like on broadcast networks, a designated router is elected, which plays a central role in propagation of LSAs. This network type cannot be used on unnumbered networks. - <tag>type pointomultipoint|ptmp</tag> + <tag><label id="ospf-type-ptmp">type pointomultipoint|ptmp</tag> This is another network type designed to handle NBMA networks. In this case the NBMA network is treated as a collection of PtP links. This is useful if not every pair of routers on the NBMA network has direct communication, or if the NBMA network is used as an (possibly unnumbered) PtP link. - <tag>link lsa suppression <m/switch/</tag> + <tag><label id="ospf-link-lsa-suppression">link lsa suppression <m/switch/</tag> In OSPFv3, link LSAs are generated for each link, announcing link-local IPv6 address of the router to its local neighbors. These are useless on PtP or PtMP networks and this option allows to suppress the link LSA origination for such interfaces. The option is ignored on other than PtP or PtMP interfaces. Default value is no. - <tag>strict nonbroadcast <m/switch/</tag> + <tag><label id="ospf-strict-nonbroadcast">strict nonbroadcast <m/switch/</tag> If set, don't send hello to any undefined neighbor. This switch is ignored on other than NBMA or PtMP interfaces. Default value is no. - <tag>real broadcast <m/switch/</tag> + <tag><label id="ospf-real-broadcast">real broadcast <m/switch/</tag> In <cf/type broadcast/ or <cf/type ptp/ network configuration, OSPF packets are sent as IP multicast packets. This option changes the behavior to using old-fashioned IP broadcast packets. This may be useful @@ -2888,7 +3009,7 @@ protocol ospf <name> { not work reliably. This is a non-standard option and probably is not interoperable with other OSPF implementations. Default value is no. - <tag>ptp netmask <m/switch/</tag> + <tag><label id="ospf-ptp-netmask">ptp netmask <m/switch/</tag> In <cf/type ptp/ network configurations, OSPFv2 implementations should ignore received netmask field in hello packets and should send hello packets with zero netmask field on unnumbered PtP links. But some OSPFv2 @@ -2898,7 +3019,7 @@ protocol ospf <name> { compatibility problems related to this issue. Default value is no for unnumbered PtP links, yes otherwise. - <tag>check link <M>switch</M></tag> + <tag><label id="ospf-check-link">check link <M>switch</M></tag> If set, a hardware link state (reported by OS) is taken into consideration. When a link disappears (e.g. an ethernet cable is unplugged), neighbors are immediately considered unreachable and only the address of the iface @@ -2906,15 +3027,15 @@ protocol ospf <name> { some hardware drivers or platforms do not implement this feature. Default value is no. - <tag>bfd <M>switch</M></tag> + <tag><label id="ospf-bfd">bfd <M>switch</M></tag> OSPF could use BFD protocol as an advisory mechanism for neighbor liveness and failure detection. If enabled, BIRD setups a BFD session for each OSPF neighbor and tracks its liveness by it. This has an advantage of an order of magnitude lower detection times in case of failure. Note that BFD protocol also has to be configured, see - <ref id="sect-bfd" name="BFD"> section for details. Default value is no. + <ref id="bfd" name="BFD"> section for details. Default value is no. - <tag>ttl security [<m/switch/ | tx only]</tag> + <tag><label id="ospf-ttl-security">ttl security [<m/switch/ | tx only]</tag> TTL security is a feature that protects routing protocols from remote spoofed packets by using TTL 255 instead of TTL 1 for protocol packets destined to neighbors. Because TTL is decremented when packets are @@ -2927,35 +3048,38 @@ protocol ospf <name> { set to <cf/tx only/, TTL 255 is used for sent packets, but is not checked for received packets. Default value is no. - <tag>tx class|dscp|priority <m/num/</tag> + <tag><label id="ospf-tx-class">tx class|dscp|priority <m/num/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the - outgoing OSPF packets. See <ref id="dsc-prio" name="tx class"> common + outgoing OSPF packets. See <ref id="proto-tx-class" name="tx class"> common option for detailed description. - <tag>ecmp weight <M>num</M></tag> + <tag><label id="ospf-ecmp-weight">ecmp weight <M>num</M></tag> When ECMP (multipath) routes are allowed, this value specifies a relative weight used for nexthops going through the iface. Allowed values are 1-256. Default value is 1. - <tag>authentication none</tag> + <tag><label id="ospf-auth-none">authentication none</tag> No passwords are sent in OSPF packets. This is the default value. - <tag>authentication simple</tag> + <tag><label id="ospf-auth-simple">authentication simple</tag> Every packet carries 8 bytes of password. Received packets lacking this password are ignored. This authentication mechanism is very weak. - - <tag>authentication cryptographic</tag> - 16-byte long MD5 digest is appended to every packet. For the digest - generation 16-byte long passwords are used. Those passwords are not sent - via network, so this mechanism is quite secure. Packets can still be - read by an attacker. - - <tag>password "<M>text</M>"</tag> - An 8-byte or 16-byte password used for authentication. See - <ref id="dsc-pass" name="password"> common option for detailed + This option is not available in OSPFv3. + + <tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag> + An authentication code is appended to every packet. The specific + cryptographic algorithm is selected by option <cf/algorithm/ for each + key. The default cryptographic algorithm for OSPFv2 keys is Keyed-MD5 + and for OSPFv3 keys is HMAC-SHA-256. Passwords are not sent open via + network, so this mechanism is quite secure. Packets can still be read by + an attacker. + + <tag><label id="ospf-pass">password "<M>text</M>"</tag> + Specifies a password used for authentication. See + <ref id="proto-pass" name="password"> common option for detailed description. - <tag>neighbors { <m/set/ } </tag> + <tag><label id="ospf-neighbors">neighbors { <m/set/ } </tag> A set of neighbors to which Hello messages on NBMA or PtMP networks are to be sent. For NBMA networks, some of them could be marked as eligible. In OSPFv3, link-local addresses should be used, using global ones is @@ -2964,6 +3088,7 @@ protocol ospf <name> { </descrip> <sect1>Attributes +<label id="ospf-attr"> <p>OSPF defines four route attributes. Each internal route has a <cf/metric/. @@ -2983,6 +3108,7 @@ network. This attribute is read-only. Default is <cf/ospf_metric2 = 10000/ and <cf/ospf_tag = 0/. <sect1>Example +<label id="ospf-exam"> <p><code> protocol ospf MyOSPF { @@ -3011,11 +3137,13 @@ protocol ospf MyOSPF { id 1; generate to "22-04-2003 11:00:06"; accept from "17-01-2001 12:01:05"; + algorithm hmac sha384; }; password "def" { id 2; generate to "22-07-2005 17:03:21"; accept from "22-02-2001 11:34:06"; + algorithm hmac sha512; }; }; interface "arc0" { @@ -3049,8 +3177,10 @@ protocol ospf MyOSPF { <sect>Pipe +<label id="pipe"> <sect1>Introduction +<label id="pipe-intro"> <p>The Pipe protocol serves as a link between two routing tables, allowing routes to be passed from a table declared as primary (i.e., the one the pipe is @@ -3085,21 +3215,24 @@ routes appear in which tables and also you can employ the Pipe protocol for exporting a selected subset of one table to another one. <sect1>Configuration +<label id="pipe-config"> <p><descrip> - <tag>peer table <m/table/</tag> + <tag><label id="pipe-peer-table">peer table <m/table/</tag> Defines secondary routing table to connect to. The primary one is selected by the <cf/table/ keyword. - <tag>mode opaque|transparent</tag> + <tag><label id="pipe-mode">mode opaque|transparent</tag> Specifies the mode for the pipe to work in. Default is transparent. </descrip> <sect1>Attributes +<label id="pipe-attr"> <p>The Pipe protocol doesn't define any route attributes. <sect1>Example +<label id="pipe-exam"> <p>Let's consider a router which serves as a boundary router of two different autonomous systems, each of them connected to a subset of interfaces of the @@ -3170,8 +3303,10 @@ protocol pipe { # The Pipe <sect>RAdv +<label id="radv"> <sect1>Introduction +<label id="radv-intro"> <p>The RAdv protocol is an implementation of Router Advertisements, which are used in the IPv6 stateless autoconfiguration. IPv6 routers send (in irregular @@ -3179,23 +3314,22 @@ time intervals or as an answer to a request) advertisement packets to connected networks. These packets contain basic information about a local network (e.g. a list of network prefixes), which allows network hosts to autoconfigure network addresses and choose a default route. BIRD implements router behavior as defined -in RFC 4861<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4861.txt"> -and also the DNS extensions from -RFC 6106<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6106.txt">. +in <rfc id="4861"> and also the DNS extensions from <rfc id="6106">. <sect1>Configuration +<label id="radv-config"> <p>There are several classes of definitions in RAdv configuration -- interface definitions, prefix definitions and DNS definitions: <descrip> - <tag>interface <m/pattern [, ...]/ { <m/options/ }</tag> + <tag><label id="radv-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag> Interface definitions specify a set of interfaces on which the protocol is activated and contain interface specific options. - See <ref id="dsc-iface" name="interface"> common options for + See <ref id="proto-iface" name="interface"> common options for detailed description. - <tag>prefix <m/prefix/ { <m/options/ }</tag> + <tag><label id="radv-prefix">prefix <m/prefix/ { <m/options/ }</tag> Prefix definitions allow to modify a list of advertised prefixes. By default, the advertised prefixes are the same as the network prefixes assigned to the interface. For each network prefix, the matching prefix @@ -3209,7 +3343,7 @@ definitions, prefix definitions and DNS definitions: prefix definition is matching if the network prefix is a subnet of the prefix in prefix definition. - <tag>rdnss { <m/options/ }</tag> + <tag><label id="radv-rdnss">rdnss { <m/options/ }</tag> RDNSS definitions allow to specify a list of advertised recursive DNS servers together with their options. As options are seldom necessary, there is also a short variant <cf>rdnss <m/address/</cf> that just @@ -3217,15 +3351,15 @@ definitions, prefix definitions and DNS definitions: definitions may also be interface-specific when used inside interface options. By default, interface uses both global and interface-specific options, but that can be changed by <cf/rdnss local/ option. - - <tag>dnssl { <m/options/ }</tag> +dsc-iface + <tag><label id="radv-dnssl">dnssl { <m/options/ }</tag> DNSSL definitions allow to specify a list of advertised DNS search domains together with their options. Like <cf/rdnss/ above, multiple definitions are cumulative, they can be used also as interface-specific options and there is a short variant <cf>dnssl <m/domain/</cf> that just specifies one DNS search domain. - <label id="dsc-trigger"> <tag>trigger <m/prefix/</tag> + <tag><label id="radv-trigger">trigger <m/prefix/</tag> RAdv protocol could be configured to change its behavior based on availability of routes. When this option is used, the protocol waits in suppressed state until a <it/trigger route/ (for the specified network) @@ -3247,99 +3381,99 @@ definitions, prefix definitions and DNS definitions: <p>Interface specific options: <descrip> - <tag>max ra interval <m/expr/</tag> + <tag><label id="radv-iface-max-ra-interval">max ra interval <m/expr/</tag> Unsolicited router advertisements are sent in irregular time intervals. This option specifies the maximum length of these intervals, in seconds. Valid values are 4-1800. Default: 600 - <tag>min ra interval <m/expr/</tag> + <tag><label id="radv-iface-min-ra-interval">min ra interval <m/expr/</tag> This option specifies the minimum length of that intervals, in seconds. Must be at least 3 and at most 3/4 * <cf/max ra interval/. Default: about 1/3 * <cf/max ra interval/. - <tag>min delay <m/expr/</tag> + <tag><label id="radv-iface-min-delay">min delay <m/expr/</tag> The minimum delay between two consecutive router advertisements, in seconds. Default: 3 - <tag>managed <m/switch/</tag> + <tag><label id="radv-iface-managed">managed <m/switch/</tag> This option specifies whether hosts should use DHCPv6 for IP address configuration. Default: no - <tag>other config <m/switch/</tag> + <tag><label id="radv-iface-other-config">other config <m/switch/</tag> This option specifies whether hosts should use DHCPv6 to receive other configuration information. Default: no - <tag>link mtu <m/expr/</tag> + <tag><label id="radv-iface-link-mtu">link mtu <m/expr/</tag> This option specifies which value of MTU should be used by hosts. 0 means unspecified. Default: 0 - <tag>reachable time <m/expr/</tag> + <tag><label id="radv-iface-reachable-time">reachable time <m/expr/</tag> This option specifies the time (in milliseconds) how long hosts should assume a neighbor is reachable (from the last confirmation). Maximum is 3600000, 0 means unspecified. Default 0. - <tag>retrans timer <m/expr/</tag> + <tag><label id="radv-iface-retrans-timer">retrans timer <m/expr/</tag> This option specifies the time (in milliseconds) how long hosts should wait before retransmitting Neighbor Solicitation messages. 0 means unspecified. Default 0. - <tag>current hop limit <m/expr/</tag> + <tag><label id="radv-iface-current-hop-limit">current hop limit <m/expr/</tag> This option specifies which value of Hop Limit should be used by hosts. Valid values are 0-255, 0 means unspecified. Default: 64 - <tag>default lifetime <m/expr/ [sensitive <m/switch/]</tag> + <tag><label id="radv-iface-default-lifetime">default lifetime <m/expr/ [sensitive <m/switch/]</tag> This option specifies the time (in seconds) how long (after the receipt of RA) hosts may use the router as a default router. 0 means do not use - as a default router. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">. + as a default router. For <cf/sensitive/ option, see <ref id="radv-trigger" name="trigger">. Default: 3 * <cf/max ra interval/, <cf/sensitive/ yes. - <tag>default preference low|medium|high</tag> + <tag><label id="radv-iface-default-preference-low">default preference low|medium|high</tag> This option specifies the Default Router Preference value to advertise to hosts. Default: medium. - <tag>rdnss local <m/switch/</tag> + <tag><label id="radv-iface-rdnss-local">rdnss local <m/switch/</tag> Use only local (interface-specific) RDNSS definitions for this interface. Otherwise, both global and local definitions are used. Could also be used to disable RDNSS for given interface if no local definitons are specified. Default: no. - <tag>dnssl local <m/switch/</tag> + <tag><label id="radv-iface-dnssl-local">dnssl local <m/switch/</tag> Use only local DNSSL definitions for this interface. See <cf/rdnss local/ option above. Default: no. </descrip> -<p>Prefix specific options: +<p>Prefix specific options <descrip> - <tag>skip <m/switch/</tag> + <tag><label id="radv-prefix-skip">skip <m/switch/</tag> This option allows to specify that given prefix should not be advertised. This is useful for making exceptions from a default policy of advertising all prefixes. Note that for withdrawing an already advertised prefix it is more useful to advertise it with zero valid lifetime. Default: no - <tag>onlink <m/switch/</tag> + <tag><label id="radv-prefix-onlink">onlink <m/switch/</tag> This option specifies whether hosts may use the advertised prefix for onlink determination. Default: yes - <tag>autonomous <m/switch/</tag> + <tag><label id="radv-prefix-autonomous">autonomous <m/switch/</tag> This option specifies whether hosts may use the advertised prefix for stateless autoconfiguration. Default: yes - <tag>valid lifetime <m/expr/ [sensitive <m/switch/]</tag> + <tag><label id="radv-prefix-valid-lifetime">valid lifetime <m/expr/ [sensitive <m/switch/]</tag> This option specifies the time (in seconds) how long (after the receipt of RA) the prefix information is valid, i.e., autoconfigured IP addresses can be assigned and hosts with that IP addresses are considered directly reachable. 0 means the prefix is no longer - valid. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">. + valid. For <cf/sensitive/ option, see <ref id="radv-trigger" name="trigger">. Default: 86400 (1 day), <cf/sensitive/ no. - <tag>preferred lifetime <m/expr/ [sensitive <m/switch/]</tag> + <tag><label id="radv-prefix-preferred-lifetime">preferred lifetime <m/expr/ [sensitive <m/switch/]</tag> This option specifies the time (in seconds) how long (after the receipt of RA) IP addresses generated from the prefix using stateless autoconfiguration remain preferred. For <cf/sensitive/ option, - see <ref id="dsc-trigger" name="trigger">. Default: 14400 (4 hours), + see <ref id="radv-trigger" name="trigger">. Default: 14400 (4 hours), <cf/sensitive/ no. </descrip> @@ -3347,12 +3481,12 @@ definitions, prefix definitions and DNS definitions: <p>RDNSS specific options: <descrip> - <tag>ns <m/address/</tag> + <tag><label id="radv-rdnss-ns">ns <m/address/</tag> This option specifies one recursive DNS server. Can be used multiple times for multiple servers. It is mandatory to have at least one <cf/ns/ option in <cf/rdnss/ definition. - <tag>lifetime [mult] <m/expr/</tag> + <tag><label id="radv-rdnss-lifetime">lifetime [mult] <m/expr/</tag> This option specifies the time how long the RDNSS information may be used by clients after the receipt of RA. It is expressed either in seconds or (when <cf/mult/ is used) in multiples of <cf/max ra @@ -3365,12 +3499,12 @@ definitions, prefix definitions and DNS definitions: <p>DNSSL specific options: <descrip> - <tag>domain <m/address/</tag> + <tag><label id="radv-dnssl-domain">domain <m/address/</tag> This option specifies one DNS search domain. Can be used multiple times for multiple domains. It is mandatory to have at least one <cf/domain/ option in <cf/dnssl/ definition. - <tag>lifetime [mult] <m/expr/</tag> + <tag><label id="radv-dnssl-lifetime">lifetime [mult] <m/expr/</tag> This option specifies the time how long the DNSSL information may be used by clients after the receipt of RA. Details are the same as for RDNSS <cf/lifetime/ option above. Default: 3 * <cf/max ra interval/. @@ -3378,6 +3512,7 @@ definitions, prefix definitions and DNS definitions: <sect1>Example +<label id="radv-exam"> <p><code> protocol radv { @@ -3417,8 +3552,10 @@ protocol radv { <sect>RIP +<label id="rip"> <sect1>Introduction +<label id="rip-intro"> <p>The RIP protocol (also sometimes called Rest In Pieces) is a simple protocol, where each router broadcasts (to all its neighbors) distances to all networks it @@ -3432,18 +3569,15 @@ counting to infinity is necessary, because it is slow. Due to infinity being 16, you can't use RIP on networks where maximal distance is higher than 15 hosts. -<p>BIRD supports RIPv1 -(RFC 1058<htmlurl url="http://www.rfc-editor.org/rfc/rfc1058.txt">), -RIPv2 (RFC 2453<htmlurl url="http://www.rfc-editor.org/rfc/rfc2453.txt">), -RIPng (RFC 2080<htmlurl url="http://www.rfc-editor.org/rfc/rfc2080.txt">), -and RIP cryptographic authentication (SHA-1 not implemented) -(RFC 4822<htmlurl url="http://www.rfc-editor.org/rfc/rfc4822.txt">). +<p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc +id="2080">), and RIP cryptographic authentication (<rfc id="4822">). <p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow convergence, big network load and inability to handle larger networks makes it pretty much obsolete. It is still usable on very small networks. <sect1>Configuration +<label id="rip-config"> <p>RIP configuration consists mainly of common protocol options and interface definitions, most RIP options are interface specific. @@ -3480,17 +3614,20 @@ protocol rip [<name>] { generate to "<date>"; accept from "<date>"; accept to "<date>"; + from "<date>"; + to "<date>"; + algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 ); }; }; } </code> <descrip> - <tag>infinity <M>number</M></tag> + <tag><label id="rip-infinity">infinity <M>number</M></tag> Selects the distance of infinity. Bigger values will make protocol convergence even slower. The default value is 16. - <tag>ecmp <M>switch</M> [limit <M>number</M>]</tag> + <tag><label id="rip-ecmp">ecmp <M>switch</M> [limit <M>number</M>]</tag> This option specifies whether RIP is allowed to generate ECMP (equal-cost multipath) routes. Such routes are used when there are several directions to the destination, each with the same (computed) @@ -3498,42 +3635,42 @@ protocol rip [<name>] { nexthops in one route. By default, ECMP is disabled. If enabled, default value of the limit is 16. - <tag>interface <m/pattern [, ...]/ { <m/options/ }</tag> + <tag><label id="rip-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag> Interface definitions specify a set of interfaces on which the protocol is activated and contain interface specific options. - See <ref id="dsc-iface" name="interface"> common options for + See <ref id="proto-iface" name="interface"> common options for detailed description. </descrip> <p>Interface specific options: <descrip> - <tag>metric <m/num/</tag> + <tag><label id="rip-iface-metric">metric <m/num/</tag> This option specifies the metric of the interface. When a route is received from the interface, its metric is increased by this value before further processing. Valid values are 1-255, but values higher than infinity has no further meaning. Default: 1. - <tag>mode multicast|broadcast</tag> + <tag><label id="rip-iface-mode">mode multicast|broadcast</tag> This option selects the mode for RIP to use on the interface. The default is multicast mode for RIPv2 and broadcast mode for RIPv1. RIPng always uses the multicast mode. - <tag>passive <m/switch/</tag> + <tag><label id="rip-iface-passive">passive <m/switch/</tag> Passive interfaces receive routing updates but do not transmit any messages. Default: no. - <tag>address <m/ip/</tag> + <tag><label id="rip-iface-address">address <m/ip/</tag> This option specifies a destination address used for multicast or broadcast messages, the default is the official RIP (224.0.0.9) or RIPng (ff02::9) multicast address, or an appropriate broadcast address in the broadcast mode. - <tag>port <m/number/</tag> + <tag><label id="rip-iface-port">port <m/number/</tag> This option selects an UDP port to operate on, the default is the official RIP (520) or RIPng (521) port. - <tag>version 1|2</tag> + <tag><label id="rip-iface-version">version 1|2</tag> This option selects the version of RIP used on the interface. For RIPv1, automatic subnet aggregation is not implemented, only classful network routes and host routes are propagated. Note that BIRD allows RIPv1 to be @@ -3542,12 +3679,12 @@ protocol rip [<name>] { RIP, the option is not supported for RIPng, as no further versions are defined. - <tag>version only <m/switch/</tag> + <tag><label id="rip-iface-version-only">version only <m/switch/</tag> Regardless of RIP version configured for the interface, BIRD accepts incoming packets of any RIP version. This option restrict accepted packets to the configured version. Default: no. - <tag>split horizon <m/switch/</tag> + <tag><label id="rip-iface-split-horizon">split horizon <m/switch/</tag> Split horizon is a scheme for preventing routing loops. When split horizon is active, routes are not regularly propagated back to the interface from which they were received. They are either not propagated @@ -3556,52 +3693,54 @@ protocol rip [<name>] { on the interface will not consider the router as a part of an independent path to the destination of the route. Default: yes. - <tag>poison reverse <m/switch/</tag> + <tag><label id="rip-iface-poison-reverse">poison reverse <m/switch/</tag> When split horizon is active, this option specifies whether the poisoned reverse variant (propagating routes back with an infinity metric) is used. The poisoned reverse has some advantages in faster convergence, but uses more network traffic. Default: yes. - <tag>check zero <m/switch/</tag> + <tag><label id="rip-iface-check-zero">check zero <m/switch/</tag> Received RIPv1 packets with non-zero values in reserved fields should be discarded. This option specifies whether the check is performed or such packets are just processed as usual. Default: yes. - <tag>update time <m/number/</tag> + <tag><label id="rip-iface-update-time">update time <m/number/</tag> Specifies the number of seconds between periodic updates. A lower number will mean faster convergence but bigger network load. Default: 30. - <tag>timeout time <m/number/</tag> + <tag><label id="rip-iface-timeout-time">timeout time <m/number/</tag> Specifies the time interval (in seconds) between the last received route announcement and the route expiration. After that, the network is considered unreachable, but still is propagated with infinity distance. Default: 180. - <tag>garbage time <m/number/</tag> + <tag><label id="rip-iface-garbage-time">garbage time <m/number/</tag> Specifies the time interval (in seconds) between the route expiration and the removal of the unreachable network entry. The garbage interval, when a route with infinity metric is propagated, is used for both internal (after expiration) and external (after withdrawal) routes. Default: 120. - <tag>ecmp weight <m/number/</tag> + <tag><label id="rip-iface-ecmp-weight">ecmp weight <m/number/</tag> When ECMP (multipath) routes are allowed, this value specifies a relative weight used for nexthops going through the iface. Valid values are 1-256. Default value is 1. - <tag>authentication none|plaintext|cryptographic</tag> + <tag><label id="rip-iface-auth">authentication none|plaintext|cryptographic</tag> Selects authentication method to be used. <cf/none/ means that packets are not authenticated at all, <cf/plaintext/ means that a plaintext password is embedded into each packet, and <cf/cryptographic/ means that - packets are authenticated using a MD5 cryptographic hash. If you set + packets are authenticated using some cryptographic hash function + selected by option <cf/algorithm/ for each key. The default + cryptographic algorithm for RIP keys is Keyed-MD5. If you set authentication to not-none, it is a good idea to add <cf>password</cf> section. Default: none. - <tag>password "<m/text/"</tag> - Specifies a password used for authentication. See <ref id="dsc-pass" + <tag><label id="rip-iface-pass">password "<m/text/"</tag> + Specifies a password used for authentication. See <ref id="proto-pass" name="password"> common option for detailed description. - <tag>ttl security [<m/switch/ | tx only]</tag> + <tag><label id="rip-iface-ttl-security">ttl security [<m/switch/ | tx only]</tag> TTL security is a feature that protects routing protocols from remote spoofed packets by using TTL 255 instead of TTL 1 for protocol packets destined to neighbors. Because TTL is decremented when packets are @@ -3615,45 +3754,47 @@ protocol rip [<name>] { compatibility with neighbors regardless of whether they use ttl security. - For RIPng, TTL security is a standard behavior (required by RFC 2080) - and therefore default value is yes. For IPv4 RIP, default value is no. + For RIPng, TTL security is a standard behavior (required by <rfc + id="2080">) and therefore default value is yes. For IPv4 RIP, default + value is no. - <tag>tx class|dscp|priority <m/number/</tag> + <tag><label id="rip-iface-tx-class">tx class|dscp|priority <m/number/</tag> These options specify the ToS/DiffServ/Traffic class/Priority of the - outgoing RIP packets. See <ref id="dsc-prio" name="tx class"> common + outgoing RIP packets. See <ref id="proto-tx-class" name="tx class"> common option for detailed description. - <tag>rx buffer <m/number/</tag> + <tag><label id="rip-iface-rx-buffer">rx buffer <m/number/</tag> This option specifies the size of buffers used for packet processing. The buffer size should be bigger than maximal size of received packets. The default value is 532 for IPv4 RIP and interface MTU value for RIPng. - <tag>tx length <m/number/</tag> + <tag><label id="rip-iface-tx-length">tx length <m/number/</tag> This option specifies the maximum length of generated RIP packets. To avoid IP fragmentation, it should not exceed the interface MTU value. The default value is 532 for IPv4 RIP and interface MTU value for RIPng. - <tag>check link <m/switch/</tag> + <tag><label id="rip-iface-check-link">check link <m/switch/</tag> If set, the hardware link state (as reported by OS) is taken into consideration. When the link disappears (e.g. an ethernet cable is unplugged), neighbors are immediately considered unreachable and all routes received from them are withdrawn. It is possible that some - hardware drivers or platforms do not implement this feature. Default: - no. + hardware drivers or platforms do not implement this feature. + Default: no. </descrip> <sect1>Attributes +<label id="rip-attr"> <p>RIP defines two route attributes: <descrip> - <tag>int <cf/rip_metric/</tag> + <tag><label id="rta-rip-metric">int rip_metric/</tag> RIP metric of the route (ranging from 0 to <cf/infinity/). When routes from different RIP instances are available and all of them have the same preference, BIRD prefers the route with lowest <cf/rip_metric/. When a non-RIP route is exported to RIP, the default metric is 1. - <tag>int <cf/rip_tag/</tag> + <tag><label id="rta-rip-tag">int rip_tag/</tag> RIP route tag: a 16-bit number which can be used to carry additional information with the route (for example, an originating AS number in case of external routes). When a non-RIP route is exported to RIP, the @@ -3661,6 +3802,7 @@ protocol rip [<name>] { </descrip> <sect1>Example +<label id="rip-exam"> <p><code> protocol rip { @@ -3669,8 +3811,9 @@ protocol rip { period 12; garbage time 60; interface "eth0" { metric 3; mode multicast; }; - interface "eth*" { metric 2; mode broadcast; }; - authentication none; + interface "eth*" { metric 2; mode broadcast; }; + authentication cryptographic; + password "secret-shared-key" { algorithm hmac sha256; }; import filter { print "importing"; accept; }; export filter { print "exporting"; accept; }; } @@ -3678,6 +3821,7 @@ protocol rip { <sect>Static +<label id="static"> <p>The Static protocol doesn't communicate with other routers in the network, but instead it allows you to define routes manually. This is often used for @@ -3706,14 +3850,14 @@ definition of the protocol contains mainly a list of static routes. <p>Global options: <descrip> - <tag>check link <m/switch/</tag> + <tag><label id="static-check-link">check link <m/switch/</tag> If set, hardware link states of network interfaces are taken into consideration. When link disappears (e.g. ethernet cable is unplugged), static routes directing to that interface are removed. It is possible that some hardware drivers or platforms do not implement this feature. Default: off. - <tag>igp table <m/name/</tag> + <tag><label id="static-igp-table">igp table <m/name/</tag> Specifies a table that is used for route table lookups of recursive routes. Default: the same table as the protocol is connected to. </descrip> @@ -3721,24 +3865,24 @@ definition of the protocol contains mainly a list of static routes. <p>Route definitions (each may also contain a block of per-route options): <descrip> - <tag>route <m/prefix/ via <m/ip/</tag> + <tag><label id="static-route-via-ip">route <m/prefix/ via <m/ip/</tag> Static route through a neighboring router. For link-local next hops, interface can be specified as a part of the address (e.g., <cf/via fe80::1234%eth0/). - <tag>route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via ...]</tag> + <tag><label id="static-route-via-mpath">route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via <m/.../]</tag> Static multipath route. Contains several nexthops (gateways), possibly with their weights. - <tag>route <m/prefix/ via <m/"interface"/</tag> + <tag><label id="static-route-via-iface">route <m/prefix/ via <m/"interface"/</tag> Static device route through an interface to hosts on a directly connected network. - <tag>route <m/prefix/ recursive <m/ip/</tag> + <tag><label id="static-route-recursive">route <m/prefix/ recursive <m/ip/</tag> Static recursive route, its nexthop depends on a route table lookup for given IP address. - <tag>route <m/prefix/ blackhole|unreachable|prohibit</tag> + <tag><label id="static-route-drop">route <m/prefix/ blackhole|unreachable|prohibit</tag> Special routes specifying to silently drop the packet, return it as unreachable or return it as administratively prohibited. First two targets are also known as <cf/drop/ and <cf/reject/. @@ -3747,7 +3891,7 @@ definition of the protocol contains mainly a list of static routes. <p>Per-route options: <descrip> - <tag>bfd <m/switch/</tag> + <tag><label id="static-route-bfd">bfd <m/switch/</tag> The Static protocol could use BFD protocol for next hop liveness detection. If enabled, a BFD session to the route next hop is created and the static route is BFD-controlled -- the static route is announced @@ -3760,9 +3904,9 @@ definition of the protocol contains mainly a list of static routes. This option can be used for static routes with a direct next hop, or also for for individual next hops in a static multipath route (see above). Note that BFD protocol also has to be configured, see - <ref id="sect-bfd" name="BFD"> section for details. Default value is no. + <ref id="bfd" name="BFD"> section for details. Default value is no. - <tag><m/filter expression/</tag> + <tag><label id="static-route-filter"><m/filter expression/</tag> This is a special option that allows filter expressions to be configured on per-route basis. Can be used multiple times. These expressions are evaluated when the route is originated, similarly to the import filter @@ -3799,8 +3943,10 @@ protocol static { <chapt>Conclusions +<label id="conclusion"> <sect>Future work +<label id="future-work"> <p>Although BIRD supports all the commonly used routing protocols, there are still some features which would surely deserve to be implemented in future @@ -3816,6 +3962,7 @@ versions of BIRD: <sect>Getting more help +<label id="help"> <p>If you use BIRD, you're welcome to join the bird-users mailing list (<HTMLURL URL="mailto:bird-users@network.cz" name="bird-users@network.cz">) diff --git a/doc/sbase/dist/birddoc/groff/mapping b/doc/sbase/dist/birddoc/groff/mapping index 71d2c935..3861a28d 100644 --- a/doc/sbase/dist/birddoc/groff/mapping +++ b/doc/sbase/dist/birddoc/groff/mapping @@ -6,7 +6,7 @@ % Based on qwertz replacement file by Tom Gordon % linuxdoc mods by mdw -% Groff dependencies are few. To port to another roff: +% Groff dependencies are few. To port to another roff: % 1. Check and modify, if necessary, font changes. (e.g. In psroff the % same fonts have other names.) % 2. Check the code for including Encapsulated PostScript, generated @@ -19,13 +19,13 @@ % Hacked by mdw ".nr PI 3n\n" - ".ds CF \\\\n\%\n" + ".ds CF \\\\n\%\n" ".ds CH \\&\n" ".ds dR $\n" % dollar, to avoid EQN conflicts % Start with no TOC ".ds printtoc\n" - + % Footnote style ".nr FF 1\n" @@ -51,16 +51,16 @@ ".nr HM 0i\n" ".nr FM 0i\n" - % Turn off right-margin filling + % Turn off right-margin filling ".na\n" - + % h is 1 if first paragraph after heading - ".nr h 0\n" + ".nr h 0\n" % initialize heading level - - ".nr il 1\n" + + ".nr il 1\n" % Number registers for list @@ -68,20 +68,20 @@ ".nr ll 0\n" % list level, stores current level ".nr el 0\n" % current enumeration level - % Not all list levels are enumerations, as + % Not all list levels are enumerations, as % itemizations can be embedded within enumerations % and vice versa - + % type of list level is in \n(t\n(ll, where % 0 : itemize, 1 : enumerate, 2: description % enumerator for an enumeration level is in % \n(e\n(el -- i.e. \n(e1=2 means current item of % enumeration level 1 is 2 - + % context-sensitive paragraph macro -% Bug: There's some problem using this to re-start paragraphs after the +% Bug: There's some problem using this to re-start paragraphs after the % </verb> and </code>, so after verb and code I insert .LP. That's fine % except that is loses indentation when using verb or code inside of a list. @@ -95,21 +95,21 @@ % for this enumeration level ".if \\\\n(t\\\\n(ll=1 \\{.IP \\\\n+(e\\\\n(el.\\}\n" % if first par element of descrip, do nothing -".\\}\n" +".\\}\n" ".el .sp \n" % subsequent par element of item ".\\}\n" ".el \\{\\\n" % not within list -".ie \\\\nh=1 \\{\\\n" % first par after heading -".LP\n" +".ie \\\\nh=1 \\{\\\n" % first par after heading +".LP\n" ".nr h 0\n" % reset h flag -".\\}\n" +".\\}\n" ".el .LP \n" % Changed from .PP, mdw ".\\}\n" ".nh\n" -"..\n" +"..\n" + + - - % for each level, a number register is created % to store its type and current item number, where % -1=bullet of an itemized list. @@ -141,7 +141,7 @@ % set initial level of headings, in register il <article> + ".nr il 0" + -</article> + ".if '\\*[printtoc]'true' .PX\n" +</article> + ".if '\\*[printtoc]'true' .PX\n" <report> + ".nr il 1" + </report> + ".bp\n" @@ -153,23 +153,23 @@ ".bp\n" ".TC" + -<notes> +<notes> </notes> <manpage> + ".nr il -1" + -</manpage> +</manpage> <progdoc> </progdoc> % Hacked up titlepag stuff to look more reasonable. Titles and author % names are now stored in strings, printed by the end of </titlepag>. -% Wake up! This uses groff-like long string names. You must use groff +% Wake up! This uses groff-like long string names. You must use groff % to format this. <titlepag> + ".ds mdwtitle\n" ".ds mdwsubtitle\n" - ".ds mdwdate\n" + ".ds mdwdate\n" ".de printabstract\n" "..\n" + </titlepag> + "\\*[mdwtitle]\n" @@ -181,10 +181,10 @@ "\\*[mdwdate]\n" ".br\n" ".printabstract\n" - ".br\n" + ".br\n" %<title> + ".TL" + -%</title> +%</title> <title> + ".ds mdwtitle " </title> + @@ -194,13 +194,13 @@ % ".SM" + %</subtitle> + ".LG" + -<subtitle> + ".ds mdwsubtitle " +<subtitle> + ".ds mdwsubtitle " </subtitle> + -<date> + ".ds mdwdate " +<date> + ".ds mdwdate " </date> + -<abstract> + ".de printabstract\n" +<abstract> + ".de printabstract\n" ".LP\n" </abstract> + ".." + @@ -215,10 +215,10 @@ <name> + ".br" + </name> -<and> +<and> </and> -<thanks> "\\**\n" +<thanks> "\\**\n" ".FS" + </thanks> + ".FE" + @@ -229,11 +229,11 @@ <newline> + ".br" </newline> -<label> -</label> +<label> +</label> -<header> -</header> +<header> +</header> <lhead> + ".EH '" </lhead> "'''" + @@ -263,13 +263,13 @@ <toc> </toc> -<lof> +<lof> </lof> -<lot> +<lot> </lot> -<chapt> + ".bp\n" +<chapt> + ".bp\n" ".NH \\n(il " + </chapt> @@ -283,7 +283,7 @@ </sect2> <sect3> + ".NH 4+\\n(il" + -</sect3> +</sect3> <sect4> + ".NH 5+\\n(il" + </sect4> @@ -292,10 +292,10 @@ </heading> + "\\*h\n" ".XS \\n%\n" "\\*(SN \\*h\n" - ".XE\n" + ".XE\n" ".nr h 1\n" % set heading flag to true -<p> + ".Pp" + +<p> + ".Pp" + </p> <itemize> + ".nr ll +1\n" % increment list level @@ -309,9 +309,9 @@ ".af e\\n(el \\*(f\\n(el\n" % style of enumerator ".if \\n(ll>1 .RS" + </enum> + ".if \\n(ll>1 .RE\n" - ".br\n" + ".br\n" ".nr el -1\n" % decrement enumeration level - ".nr ll -1\n" % decrement list level + ".nr ll -1\n" % decrement list level <descrip> + ".RS\n" ".nr ll +1\n" % increment list level @@ -324,7 +324,7 @@ % If bi=1 then the paragraph is the first one of the item. <item> + ".nr bi 1\n.Pp" + -</item> +</item> <tag> + ".IP \"\\fB" </tag> "\\fR\"\n" @@ -337,12 +337,12 @@ </cf> "" <cite> + ".\[\n[ID]\n.\]" + -</cite> +</cite> <ncite> + ".\[\n[ID]\n.\]\n([NOTE])" </ncite> -<footnote> " (-- " +<footnote> " (-- " </footnote> "--)" + <sq> "\\*Q" @@ -353,20 +353,20 @@ </lq> + ".nr LL \\n(LL+\\n(PI\n" ".RE" + -<em> "\\fI" -</em> "\\fP" +<em> "\\fI" +</em> "\\fP" -<bf> "\\fB" -</bf> "\\fR" +<bf> "\\fB" +</bf> "\\fR" -<it> "\\fI" -</it> "\\fR" +<it> "\\fI" +</it> "\\fR" -<sf> "\\fR" -</sf> "\\fR" +<sf> "\\fR" +</sf> "\\fR" -<sl> "\\fI" -</sl> "\\fR" +<sl> "\\fI" +</sl> "\\fR" % Changed by mdw <tt> "\\fC" @@ -394,10 +394,10 @@ <pageref> "??" </pageref> -<x> +<x> </x> -<mc> +<mc> </mc> <biblio> + ".\[\n" @@ -423,7 +423,7 @@ % ".Pp" + % continue previous paragraph (changed mdw) ".LP" -% tscreen added by mdw +% tscreen added by mdw <tscreen> + ".br\n" ".po 0.75i\n" ".ll 6.0i\n" @@ -487,8 +487,8 @@ % mathematics -- this nroff version needs work. -<f> -</f> +<f> +</f> <dm> + ".DS L" + </dm> + ".DE" + @@ -496,8 +496,8 @@ <eq> + ".DS L" + </eq> + ".DE" + -<fr> -</fr> +<fr> +</fr> <nu> "{" </nu> "} over " @@ -505,7 +505,7 @@ <de> "{" </de> "}" -<lim> +<lim> </lim> <op> @@ -527,7 +527,7 @@ </in> <sum> " sum " -</sum> +</sum> % limitation: eqn only does square roots! @@ -539,7 +539,7 @@ "[ca]." + </ar> + ".TE" + -<arr> "\n" +<arr> "\n" </arr> <arc> "|" @@ -567,8 +567,8 @@ % limitation: no calligraphic characters, using helvetica italics instead. Is there a better font? -<fi> "\\fI" -</fi> "\\fP" +<fi> "\\fI" +</fi> "\\fP" <phr> " roman }" </phr> "}" @@ -584,12 +584,12 @@ <eps> + ".if t .PSPIC [file].ps\n" ".if n .sp 4" + -</eps> - +</eps> + % Are TeX units properly handled by this translation of ph? <ph> + ".sp [VSPACE]" + -</ph> +</ph> <caption> + ".sp\n.ce" + </caption> @@ -619,7 +619,7 @@ <slides> + ".nr PS 18" + </slides> -<slide> +<slide> </slide> + ".bp\n\\&" + % letters -- replacement for email, using mh format. diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping index 353d7774..1f05070c 100644 --- a/doc/sbase/dist/birddoc/html/mapping +++ b/doc/sbase/dist/birddoc/html/mapping @@ -21,7 +21,7 @@ </notes> + "<@@enddoc>" + % Manual Pages are expected to be formatted using nroff (or groff), unless -% they are included as sections of other qwertz documents. +% they are included as sections of other qwertz documents. <manpage> </manpage> @@ -35,7 +35,7 @@ <title> + "<@@title>" </title> -<subtitle> + "<H2>" +<subtitle> + "<H2>" </subtitle> "</H2>" + <author> @@ -48,26 +48,27 @@ </and> <thanks> + "Thanks " -</thanks> +</thanks> <inst> + "<H3>" </inst> "</H3>" + <newline> "<BR>" - + <label> + "<@@label>[ID]" + - -<header> -</header> +</label> + +<header> +</header> <lhead> + "<!-- " -</lhead> " -->" + +</lhead> " -->" + <rhead> + "<!-- " </rhead> " -->" + <comment> + "<H4>Comment</H4>" + -</comment> +</comment> <abstract> + "<P><HR>\n<EM>" </abstract> "</EM>\n<HR>" + @@ -99,7 +100,7 @@ <sect3> + "<@@head>" </sect3> -<sect4> + "<@@head>" +<sect4> + "<@@head>" </sect4> <heading> @@ -134,6 +135,9 @@ <ncite> "[<I>[NOTE] ([ID])</I>]" </ncite> +<file> "<CODE>" +</file> "</CODE>" + <footnote> + "<BLOCKQUOTE>" </footnote> "</BLOCKQUOTE>" + @@ -198,12 +202,14 @@ "<@@endurl>" + </url> -<htmlurl> + "<@@url>[URL]\n" - "[NAME]</A>\n" - "<@@endurl>" + +<htmlurl> "<A HREF=\"[URL]\">[NAME]</A>" </htmlurl> -% ref modified to have an optional name field +<rfc> "<A HREF=\"http://www.rfc-editor.org/info/rfc[ID]\">RFC [ID]</A>" +</rfc> + + +% ref modified to have an optional name field <ref> + "<@@ref>[ID]\n" "[NAME]</A>\n" "<@@endref>" + @@ -228,7 +234,7 @@ </mc> "</MC>" <biblio> + "<BIBLIO STYLE=\"[STYLE]\" FILES=\"[FILES]\">" + -</biblio> +</biblio> <code> + "<HR>\n<PRE>" + </code> + "</PRE>\n<HR>" + @@ -244,28 +250,28 @@ % theorems and such -<def> + "<DEF>" +<def> + "<DEF>" </def> + "</DEF>" + -<prop> + "<PROP>" +<prop> + "<PROP>" </prop> + "</PROP>" + -<lemma> + "<LEMMA>" +<lemma> + "<LEMMA>" </lemma> + "</LEMMA>" + -<coroll> + "<COROLL>" +<coroll> + "<COROLL>" </coroll> + "</COROLL>" + -<proof> + "<PROOF>" +<proof> + "<PROOF>" </proof> + "</PROOF>" + -<theorem> + "<THEOREM>" +<theorem> + "<THEOREM>" </theorem> + "</THEOREM>" + <thtag> "<THTAG>" </thtag> "</THTAG>" -% mathematics +% mathematics <f> </f> @@ -315,11 +321,11 @@ <ar> "<AR>" </ar> "</AR>" -<arr> "<ARR>" -</arr> +<arr> "<ARR>" +</arr> <arc> "<ARC>" -</arc> +</arc> <sup> "<SUP>" </sup> "</SUP>" @@ -354,13 +360,13 @@ </figure> + "</FIGURE>" + <eps> + "<EPS FILE=\"[FILE]\">" + -</eps> - +</eps> + <img> + "<IMG SRC=\"[SRC]\">" + </img> <ph> + "<PH VSPACE=\"[VSPACE]\">" + -</ph> +</ph> <caption> + "<CAPTION>" </caption> "</CAPTION>" + @@ -403,7 +409,7 @@ </opening> "</OPENING>" + -<from> + "<FROM>" +<from> + "<FROM>" </from> + "</FROM>" + @@ -419,7 +425,7 @@ <email> + "<EMAIL>" </email> "</EMAIL>" + -<phone> + "<PHONE>" +<phone> + "<PHONE>" </phone> "</PHONE>" + @@ -430,16 +436,16 @@ </subject> "</SUBJECT>" + -<sref> + "<SREF>" +<sref> + "<SREF>" </sref> "</SREF>" + -<rref> + "<RREF>" +<rref> + "<RREF>" </rref> "</RREF>" + <rdate> + "<RDATE>" </rdate> "</RDATE>" + -<closing> + "<CLOSING>" +<closing> + "<CLOSING>" </closing> "</CLOSING>" + <cc> + "<CC>" diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping index 747d0d33..f53bbbe4 100644 --- a/doc/sbase/dist/birddoc/latex2e/mapping +++ b/doc/sbase/dist/birddoc/latex2e/mapping @@ -2,7 +2,9 @@ % birddoc to LaTeX replacement file % The \relax is there to avoid sgml2latex rewriting the class -<book> + "\\relax\\documentclass\[a4paper,10pt,openany\]{book}\n" +<book> + "\\relax\\documentclass\[a4paper,10pt,openany,oneside\]{book}\n" + "\\usepackage\[colorlinks=true,linkcolor=blue,pdftitle={BIRD User's Guide}\]{hyperref}\n" + "\\usepackage{enumitem}\n" "\\usepackage{birddoc}\n" "\\usepackage{qwertz}\n" "\\usepackage{url}\n" @@ -14,7 +16,7 @@ </book> + "\\end{document}" + % Manual Pages are expected to be formatted using nroff (or groff), unless -% they are included as sections of other qwertz documents. +% they are included as sections of other qwertz documents. <manpage> </manpage> @@ -26,17 +28,17 @@ </titlepag> + "\n\n\\begin{document}\n" "\\maketitle\n" + -<title> + "\\title{" +<title> + "\\title{" </title> "}" + <subtitle> "\\\\\n" "{\\large " </subtitle> "}" + -<author> + "\\author{" +<author> + "\\author{" </author> "}" + -<name> +<name> </name> <and> "\\and " + @@ -51,14 +53,14 @@ <date> + "\\date{" </date> "}" + -<newline> "\\\\ " +<newline> "\\\\ " </newline> <label> "\\label{[ID]}" -</label> +</label> <header> + "\\markboth" -</header> +</header> <lhead> "{" </lhead> "}" @@ -73,7 +75,7 @@ </comment> "}" % Hacked by mdw to use linuxdoc-sgml \abstract{...} -<abstract> + "\\abstract{" +<abstract> + "\\abstract{" </abstract> "}" + <appendix> + "\n \\appendix \n" + @@ -101,15 +103,15 @@ </sect2> <sect3> + "\n\\paragraph" -</sect3> +</sect3> <sect4> + "\n\\subparagraph" </sect4> <heading> "{" -</heading> "}\n\n" +</heading> "}\n\n" -<p> +<p> "\\phantomsection{}" </p> "\n\n" <itemize> + "\\begin{itemize}" + @@ -121,13 +123,13 @@ <list> + "\\begin{list}{}{}\n" + </list> + "\\end{list}" + -<descrip> + "\\begin{description}" + +<descrip> + "\\begin{description}\[style=unboxed\]" + </descrip> + "\\end{description}" + <item> + "\\item " </item> -<tag> + "\\item\[{\\ttfamily " +<tag> + "\\phantomsection\\item\[{\\ttfamily " </tag> "}\] \\hfil\\break\n" + <tagp> + "\\item\[ " @@ -154,7 +156,7 @@ % The idea here is to automatically insert soft hyphens after every slash in % the filename, so long filenames will break naturally. The url{} macro is % a kluge but it works, -<file> "\\url{" +<file> "{\\tt " </file> "}" <footnote> "\\footnote{" @@ -223,29 +225,32 @@ <cparam> "\\cparam{" </cparam> "}" -<ref> "\\ref{[ID]} {([NAME])}" +<ref> "\\hyperref\[[ID]\]{[NAME]} (p.\\,\\getpagerefnumber{[ID]})" </ref> <pageref> "\\pageref{[ID]}" </pageref> %url added by HG -<url> "\\nameurl{[URL]}{[NAME]}" +<url> "\\href{[URL]}{[NAME]}" </url> -<htmlurl> "\\onlynameurl{[NAME]}" +<htmlurl> "\\href{[URL]}{[NAME]}" </htmlurl> -<x> +<rfc> "\\href{http://www.rfc-editor.org/info/rfc[ID]}{RFC [ID]}" +</rfc> + +<x> </x> -<mc> +<mc> </mc> <biblio> + "\\bibliographystyle{[STYLE]}\n" "\\bibliography{[FILES]}\n" "\\addbibtoc{}" + -</biblio> +</biblio> % <macro> + "\\macro{[ID]}{\\qw[ID]}" % </macro> @@ -300,19 +305,19 @@ <thtag> "\[" </thtag> "\]" + -% mathematics +% mathematics <f> "$" </f> "$" -<dm> + "\\\[" +<dm> + "\\\[" </dm> "\\\]" + <eq> + "\\begin{equation}" + </eq> + "\\end{equation}\n" + <fr> "\\frac" -</fr> +</fr> <nu> "{" </nu> "}" @@ -320,7 +325,7 @@ <de> "{" </de> "}" -<lim> +<lim> </lim> <op> @@ -342,7 +347,7 @@ </in> <sum> "\\sum" -</sum> +</sum> <root> "\\sqrt\[[n]\]{" </root> "}" @@ -390,11 +395,11 @@ </figure> + "\\end{figure}\n" + <eps> + "\\centerline{\\epsfig{file=[FILE],height=[HEIGHT],angle=[ANGLE]}}" + -</eps> - +</eps> + <ph> + "\\vspace{[VSPACE]}\n\\par" + -</ph> +</ph> <caption> + "\\caption{" </caption> "}" + diff --git a/doc/sbase/dist/fmt_latex2e.pl b/doc/sbase/dist/fmt_latex2e.pl index 1f121743..d0656b7d 100644 --- a/doc/sbase/dist/fmt_latex2e.pl +++ b/doc/sbase/dist/fmt_latex2e.pl @@ -284,11 +284,11 @@ $latex2e->{postASP} = sub # for nameurl if ( /\\nameurl/ ) { - ($urlid, $urlnam) = ($_ =~ /\\nameurl{(.*)}{(.*)}/); + ($urlid, $urlnam) = ($_ =~ /\\nameurl\{(.*)\}\{(.*)\}/); print $urlnum . ": " . $urlid . "\n" if ( $global->{debug} ); $urldef = latex2e_defnam($urlnum) . "url"; - s/\\nameurl{.*}{.*}/{\\em $urlnam} {\\tt \\$urldef}/; + s/\\nameurl\{.*\}\{.*\}/{\\em $urlnam} {\\tt \\$urldef}/; push @urlnames, $_; push @urldefines, "\\urldef{\\$urldef} \\url{$urlid}\n"; $urlnum++; diff --git a/doc/sbase/dtd/birddoc.dtd b/doc/sbase/dtd/birddoc.dtd index 9cedcacc..1db2af6c 100644 --- a/doc/sbase/dtd/birddoc.dtd +++ b/doc/sbase/dtd/birddoc.dtd @@ -1,6 +1,6 @@ <!-- This is a DTD, but will be read as -*- sgml -*- --> <!-- ================================================= --> -<!-- $Id$ +<!-- $Id$ This was heavilly modified for use with bird! Don't you dare to use it anywhere else. <pavel@ucw.cz> @@ -79,7 +79,7 @@ anywhere else. <pavel@ucw.cz> weren't in the original linuxdoc 1.3 DTD, and are superseded by the new if/unless facility. --> <!-- BK/97/05/09: this is the original Linuxdoc DTD, - as of SGML Tools 0.99.0. It is not longer + as of SGML Tools 0.99.0. It is not longer supported. Use only if in dire need, for backwards compabitlity. Backend support for undocumented QWERTZ leftovers not in the strict Linuxdoc DTD's @@ -92,36 +92,36 @@ anywhere else. <pavel@ucw.cz> any changes to this, just replacing. --> <!-- ================================================= --> -<!entity % emph +<!entity % emph " em|it|bf|sf|sl|tt|cf|m|cparam|const|func|struct|param|type|funcdef " > <!entity % index "idx|cdx|nidx|ncdx" > <!-- url added by HG; htmlurl added by esr --> <!entity % xref - " label|ref|pageref|cite|url|htmlurl|ncite " > + " label|ref|pageref|cite|url|htmlurl|rfc|ncite " > -<!entity % inline +<!entity % inline " (#pcdata | f| x| %emph; |sq| %xref | %index | file )* " > -<!entity % list +<!entity % list " list | itemize | enum | descrip " > -<!entity % par +<!entity % par " %list; | comment | lq | quote | tscreen | hrule " > <!entity % mathpar " dm | eq " > -<!entity % thrm +<!entity % thrm " def | prop | lemma | coroll | proof | theorem " > <!entity % litprog " code | verb " > -<!entity % sectpar - " %par; | figure | tabular | table | %mathpar; | +<!entity % sectpar + " %par; | figure | tabular | table | %mathpar; | %thrm; | %litprog; | function "> -<!element birddoc o o - (sect | chapt | article | report | +<!element birddoc o o + (sect | chapt | article | report | book | letter | telefax | slides | notes | manpage ) > <!-- `general' entity replaced with ISO entities - kwm --> @@ -150,7 +150,7 @@ anywhere else. <pavel@ucw.cz> <!element hrule - - EMPTY> <!shortref pmap - "&#RS;B" null + "&#RS;B" null "&#RS;B&#RE;" psplit "&#RS;&#RE;" psplit -- '"' qtag -- @@ -189,7 +189,7 @@ anywhere else. <pavel@ucw.cz> <!entity ftag '<f>' -- formula begin -- > <!entity qendtag '</sq>'> -<!shortref sqmap +<!shortref sqmap "&#RS;B" null -- '"' qendtag -- "[" lsqb @@ -249,7 +249,7 @@ anywhere else. <pavel@ucw.cz> <!shortref bodymap "&#RS;B&#RE;" ptag "&#RS;&#RE;" ptag - '"' qtag + '"' qtag "[" lsqb "~" nbsp "_" lowbar @@ -285,7 +285,7 @@ anywhere else. <pavel@ucw.cz> <!shortref oneline "B&#RE;" space - "&#RS;&#RE;" null + "&#RS;&#RE;" null "&#RS;B&#RE;" null -- '"' qtag -- "[" ftag @@ -302,7 +302,7 @@ anywhere else. <pavel@ucw.cz> <!usemap oneline caption> <!entity % tabrow "(%inline, (colsep, %inline)*)" > -<!element tabular - - +<!element tabular - - (hline?, %tabrow, (rowsep, hline?, %tabrow)*, caption?) > <!attlist tabular @@ -323,7 +323,7 @@ anywhere else. <pavel@ucw.cz> "B&#RE;" null "BB" space "@" rowsep - "|" colsep + "|" colsep "[" ftag -- '"' qtag -- "_" thinsp @@ -344,7 +344,7 @@ anywhere else. <pavel@ucw.cz> <!shortref ttmap -- also on one-line -- "B&#RE;" space - "&#RS;&#RE;" null + "&#RS;&#RE;" null "&#RS;B&#RE;" null "&#RS;B" null '#' num @@ -365,14 +365,14 @@ anywhere else. <pavel@ucw.cz> <!entity % limits "pr|in|sum" > <!entity % fbu "fr|lim|ar|root" > <!entity % fph "unl|ovl|sup|inf" > -<!entity % fbutxt "(%fbu;) | (%limits;) | +<!entity % fbutxt "(%fbu;) | (%limits;) | (%fcstxt;)|(%fscs;)|(%fph;)" > <!entity % fphtxt "p|#pcdata" > <!element f - - ((%fbutxt;)*) > <!entity fendtag '</f>' -- formula end -- > -<!shortref fmap +<!shortref fmap "&#RS;B" null "&#RS;B&#RE;" null "&#RS;&#RE;" null @@ -432,7 +432,7 @@ anywhere else. <pavel@ucw.cz> <!shortref arrmap "&#RE;" space "@" arr - "|" arc + "|" arc "_" thinsp "~" nbsp "#" num @@ -448,7 +448,7 @@ anywhere else. <pavel@ucw.cz> <!element ovl - - ((%fbutxt;)*) > <!element rf - o (#pcdata) > <!element phr - o ((%fphtxt;)*) > -<!element v - o ((%fcstxt;)*) +<!element v - o ((%fcstxt;)*) -(tu|%limits;|%fbu;|%fph;) > <!element fi - o (#pcdata) > <!element tu - o empty > @@ -468,7 +468,7 @@ anywhere else. <pavel@ucw.cz> <!shortref global "&#RS;B" null -- delete leading blanks -- - -- '"' qtag -- + -- '"' qtag -- "[" ftag "~" nbsp "_" lowbar @@ -485,22 +485,26 @@ anywhere else. <pavel@ucw.cz> <!-- ref modified to have an optional name field HG --> <!element ref - o empty> -<!attlist ref +<!attlist ref id cdata #required name cdata "&refnam"> <!-- url entity added to have direct url references HG --> <!element url - o empty> -<!attlist url +<!attlist url url cdata #required name cdata "&urlnam" > <!-- htmlurl entity added to have quieter url references esr --> <!element htmlurl - o empty> -<!attlist htmlurl +<!attlist htmlurl url cdata #required name cdata "&urlnam" > +<!element rfc - o empty> +<!attlist rfc + id cdata #required> + <!element pageref - o empty> <!attlist pageref id cdata #required> @@ -510,22 +514,22 @@ anywhere else. <pavel@ucw.cz> <!-- Hacked by mdw to exclude abstract; abstract now part of titlepag --> <!element article - - - (titlepag, header?, - toc?, lof?, lot?, p*, sect*, + (titlepag, header?, + toc?, lof?, lot?, p*, sect*, (appendix, sect+)?, biblio?) +(footnote)> <!attlist article opts cdata "null"> <!-- Hacked by mdw to exclude abstract; abstract now part of titlepag --> -<!element report - - +<!element report - - (titlepag, header?, toc?, lof?, lot?, p*, chapt*, (appendix, chapt+)?, biblio?) +(footnote)> <!attlist report opts cdata "null"> -<!element book - - - (titlepag, header?, toc?, lof?, lot?, p*, chapt*, +<!element book - - + (titlepag, header?, toc?, lof?, lot?, p*, chapt*, (appendix, chapt+)?, biblio?) +(footnote) > <!attlist book @@ -536,7 +540,7 @@ anywhere else. <pavel@ucw.cz> <!element title - o (%inline, subtitle?) +(newline)> <!element subtitle - o (%inline)> <!usemap oneline titlepag> -<!element author - o (name, thanks?, inst?, +<!element author - o (name, thanks?, inst?, (and, name, thanks?, inst?)*)> <!element name o o (%inline) +(newline)> <!element and - o empty> @@ -545,9 +549,9 @@ anywhere else. <pavel@ucw.cz> <!element date - o (#pcdata) > <!usemap global thanks> - + <!element newline - o empty > -<!entity nl "<newline>"> +<!entity nl "<newline>"> <!element progdoc - o empty> @@ -564,9 +568,9 @@ anywhere else. <pavel@ucw.cz> <!element rhead - o (%inline)> <!entity % sect "heading, header?, p* " > <!element heading o o (%inline)> -<!element chapt - o (%sect, sect*) +(footnote)> +<!element chapt - o (%sect, sect*) +(footnote)> <!element sect - o (%sect, sect1*) +(footnote)> -<!element sect1 - o (%sect, sect2*)> +<!element sect1 - o (%sect, sect2*) +(footnote)> <!element sect2 - o (%sect, sect3*)> <!element sect3 - o (%sect, sect4*)> <!element sect4 - o (%sect)> @@ -575,11 +579,11 @@ anywhere else. <pavel@ucw.cz> <!element footnote - - (%inline)> <!usemap global footnote> <!element cite - o empty> -<!attlist cite +<!attlist cite id cdata #required> <!element ncite - o empty> -<!attlist ncite +<!attlist ncite id cdata #required note cdata #required> @@ -599,41 +603,41 @@ anywhere else. <pavel@ucw.cz> <!attlist slides opts cdata "null"> <!element slide - o (title?, p+) > -<!entity % addr "(address?, email?, phone?, fax?)" > - -<!element letter - - +<!entity % addr "(address?, email?, phone?, fax?)" > + +<!element letter - - (from, %addr, to, %addr, cc?, subject?, sref?, rref?, rdate?, opening, p+, closing, encl?, ps?)> <!attlist letter opts cdata "null"> - + <!element from - o (#pcdata) > <!element to - o (#pcdata) > - + <!usemap oneline (from,to)> - + <!element address - o (#pcdata) +(newline) > <!element email - o (#pcdata) > <!element phone - o (#pcdata) > <!element fax - o (#pcdata) > - + <!element subject - o (%inline;) > <!element sref - o (#pcdata) > <!element rref - o (#pcdata) > <!element rdate - o (#pcdata) > - + <!element opening - o (%inline;) > <!usemap oneline opening> - + <!element closing - o (%inline;) > <!element cc - o (%inline;) +(newline) > <!element encl - o (%inline;) +(newline) > - + <!element ps - o (p+) > -<!element telefax - - - (from, %addr, to, address, email?, +<!element telefax - - + (from, %addr, to, address, email?, phone?, fax, cc?, subject?, opening, p+, closing, ps?)> @@ -644,8 +648,8 @@ anywhere else. <pavel@ucw.cz> <!element notes - - (title?, p+) > <!attlist notes opts cdata "null" > -<!element manpage - - (sect1*) - -(sect2 | f | %mathpar | figure | tabular | +<!element manpage - - (sect1*) + -(sect2 | f | %mathpar | figure | tabular | table | %xref | %thrm )> @@ -673,5 +677,5 @@ anywhere else. <pavel@ucw.cz> <!-- Local Variables: mode: sgml - End: --> + End: --> <!-- ================================================= --> diff --git a/filter/config.Y b/filter/config.Y index 3eb5b08f..8af444a3 100644 --- a/filter/config.Y +++ b/filter/config.Y @@ -36,6 +36,7 @@ f_valid_set_type(int type) case T_ENUM: case T_IP: case T_EC: + case T_LC: return 1; default: @@ -66,6 +67,14 @@ f_merge_items(struct f_tree *a, struct f_tree *b) static inline struct f_tree * f_new_pair_item(int fa, int ta, int fb, int tb) { + check_u16(fa); + check_u16(ta); + check_u16(fb); + check_u16(tb); + + if ((ta < fa) || (tb < fb)) + cf_error( "From value cannot be higher that To value in pair sets"); + struct f_tree *t = f_new_tree(); t->right = t; t->from.type = t->to.type = T_PAIR; @@ -77,22 +86,26 @@ f_new_pair_item(int fa, int ta, int fb, int tb) static inline struct f_tree * f_new_pair_set(int fa, int ta, int fb, int tb) { - struct f_tree *lst = NULL; - int i; + check_u16(fa); + check_u16(ta); + check_u16(fb); + check_u16(tb); - if ((fa == ta) || ((fb == 0) && (tb == 0xFFFF))) - return f_new_pair_item(fa, ta, fb, tb); - if ((ta < fa) || (tb < fb)) cf_error( "From value cannot be higher that To value in pair sets"); + struct f_tree *lst = NULL; + int i; + for (i = fa; i <= ta; i++) lst = f_merge_items(lst, f_new_pair_item(i, i, fb, tb)); return lst; } +#define CC_ALL 0xFFFF #define EC_ALL 0xFFFFFFFF +#define LC_ALL 0xFFFFFFFF static struct f_tree * f_new_ec_item(u32 kind, u32 ipv4_used, u32 key, u32 vf, u32 vt) @@ -132,6 +145,17 @@ f_new_ec_item(u32 kind, u32 ipv4_used, u32 key, u32 vf, u32 vt) return t; } +static struct f_tree * +f_new_lc_item(u32 f1, u32 t1, u32 f2, u32 t2, u32 f3, u32 t3) +{ + struct f_tree *t = f_new_tree(); + t->right = t; + t->from.type = t->to.type = T_LC; + t->from.val.lc = (lcomm) {f1, f2, f3}; + t->to.val.lc = (lcomm) {t1, t2, t3}; + return t; +} + static inline struct f_inst * f_generate_empty(struct f_inst *dyn) { @@ -148,6 +172,9 @@ f_generate_empty(struct f_inst *dyn) case EAF_TYPE_EC_SET: e->aux = T_ECLIST; break; + case EAF_TYPE_LC_SET: + e->aux = T_LCLIST; + break; default: cf_error("Can't empty that attribute"); } @@ -266,14 +293,44 @@ f_generate_ec(u16 kind, struct f_inst *tk, struct f_inst *tv) return rv; } +static inline struct f_inst * +f_generate_lc(struct f_inst *t1, struct f_inst *t2, struct f_inst *t3) +{ + struct f_inst *rv; + + if ((t1->code == 'c') && (t2->code == 'c') && (t3->code == 'c')) { + if ((t1->aux != T_INT) || (t2->aux != T_INT) || (t3->aux != T_INT)) + cf_error( "LC - Can't operate with value of non-integer type in tuple constructor"); + + rv = f_new_inst(); + rv->code = 'C'; + + NEW_F_VAL; + rv->a1.p = val; + val->type = T_LC; + val->val.lc = (lcomm) { t1->a2.i, t2->a2.i, t3->a2.i }; + } + else + { + rv = cfg_allocz(sizeof(struct f_inst3)); + rv->lineno = ifs->lino; + rv->code = P('m','l'); + rv->a1.p = t1; + rv->a2.p = t2; + INST3(rv).p = t3; + } + + return rv; +} + CF_DECLS CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN, ACCEPT, REJECT, ERROR, QUITBIRD, - INT, BOOL, IP, PREFIX, PAIR, QUAD, EC, - SET, STRING, BGPMASK, BGPPATH, CLIST, ECLIST, + INT, BOOL, IP, PREFIX, PAIR, QUAD, EC, LC, + SET, STRING, BGPMASK, BGPPATH, CLIST, ECLIST, LCLIST, IF, THEN, ELSE, CASE, TRUE, FALSE, RT, RO, UNKNOWN, GENERIC, FROM, GW, NET, MASK, PROTO, SOURCE, SCOPE, CAST, DEST, IFNAME, IFINDEX, @@ -291,9 +348,9 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN, %type <x> term block cmds cmds_int cmd function_body constant constructor print_one print_list var_list var_listn dynamic_attr static_attr function_call symbol bgp_path_expr %type <f> filter filter_body where_filter -%type <i> type break_command pair_expr ec_kind -%type <i32> pair_atom ec_expr -%type <e> pair_item ec_item set_item switch_item set_items switch_items switch_body +%type <i> type break_command ec_kind +%type <i32> cnum +%type <e> pair_item ec_item lc_item set_item switch_item set_items switch_items switch_body %type <trie> fprefix_set %type <v> set_atom switch_atom fipa %type <px> fprefix @@ -326,17 +383,20 @@ type: | PAIR { $$ = T_PAIR; } | QUAD { $$ = T_QUAD; } | EC { $$ = T_EC; } + | LC { $$ = T_LC; } | STRING { $$ = T_STRING; } | BGPMASK { $$ = T_PATH_MASK; } | BGPPATH { $$ = T_PATH; } | CLIST { $$ = T_CLIST; } | ECLIST { $$ = T_ECLIST; } - | type SET { + | LCLIST { $$ = T_LCLIST; } + | type SET { switch ($1) { case T_INT: case T_PAIR: case T_QUAD: case T_EC: + case T_LC: case T_IP: $$ = T_SET; break; @@ -445,7 +505,7 @@ function_def: } function_params function_body { $2->def = $5; $2->aux2 = $4; - DBG("Hmm, we've got one function here - %s\n", $2->name); + DBG("Hmm, we've got one function here - %s\n", $2->name); cf_pop_scope(); } ; @@ -511,30 +571,23 @@ switch_atom: | ENUM { $$.type = pair_a($1); $$.val.i = pair_b($1); } ; -pair_expr: - term { $$ = f_eval_int($1); check_u16($$); } - -pair_atom: - pair_expr { $$ = pair($1, $1); } - | pair_expr DDOT pair_expr { $$ = pair($1, $3); } - | '*' { $$ = 0xFFFF; } - ; +cnum: + term { $$ = f_eval_int($1); } pair_item: - '(' pair_atom ',' pair_atom ')' { - $$ = f_new_pair_set(pair_a($2), pair_b($2), pair_a($4), pair_b($4)); - } - | '(' pair_atom ',' pair_atom ')' DDOT '(' pair_expr ',' pair_expr ')' { - /* Hack: $2 and $4 should be pair_expr, but that would cause shift/reduce conflict */ - if ((pair_a($2) != pair_b($2)) || (pair_a($4) != pair_b($4))) - cf_error("syntax error"); - $$ = f_new_pair_item(pair_b($2), $8, pair_b($4), $10); - } + '(' cnum ',' cnum ')' { $$ = f_new_pair_item($2, $2, $4, $4); } + | '(' cnum ',' cnum DDOT cnum ')' { $$ = f_new_pair_item($2, $2, $4, $6); } + | '(' cnum ',' '*' ')' { $$ = f_new_pair_item($2, $2, 0, CC_ALL); } + | '(' cnum DDOT cnum ',' cnum ')' { $$ = f_new_pair_set($2, $4, $6, $6); } + | '(' cnum DDOT cnum ',' cnum DDOT cnum ')' { $$ = f_new_pair_set($2, $4, $6, $8); } + | '(' cnum DDOT cnum ',' '*' ')' { $$ = f_new_pair_item($2, $4, 0, CC_ALL); } + | '(' '*' ',' cnum ')' { $$ = f_new_pair_set(0, CC_ALL, $4, $4); } + | '(' '*' ',' cnum DDOT cnum ')' { $$ = f_new_pair_set(0, CC_ALL, $4, $6); } + | '(' '*' ',' '*' ')' { $$ = f_new_pair_item(0, CC_ALL, 0, CC_ALL); } + | '(' cnum ',' cnum ')' DDOT '(' cnum ',' cnum ')' + { $$ = f_new_pair_item($2, $8, $4, $10); } ; -ec_expr: - term { $$ = f_eval_int($1); } - ec_kind: RT { $$ = EC_RT; } | RO { $$ = EC_RO; } @@ -543,14 +596,27 @@ ec_kind: ; ec_item: - '(' ec_kind ',' ec_expr ',' ec_expr ')' { $$ = f_new_ec_item($2, 0, $4, $6, $6); } - | '(' ec_kind ',' ec_expr ',' ec_expr DDOT ec_expr ')' { $$ = f_new_ec_item($2, 0, $4, $6, $8); } - | '(' ec_kind ',' ec_expr ',' '*' ')' { $$ = f_new_ec_item($2, 0, $4, 0, EC_ALL); } - ; + '(' ec_kind ',' cnum ',' cnum ')' { $$ = f_new_ec_item($2, 0, $4, $6, $6); } + | '(' ec_kind ',' cnum ',' cnum DDOT cnum ')' { $$ = f_new_ec_item($2, 0, $4, $6, $8); } + | '(' ec_kind ',' cnum ',' '*' ')' { $$ = f_new_ec_item($2, 0, $4, 0, EC_ALL); } + ; + +lc_item: + '(' cnum ',' cnum ',' cnum ')' { $$ = f_new_lc_item($2, $2, $4, $4, $6, $6); } + | '(' cnum ',' cnum ',' cnum DDOT cnum ')' { $$ = f_new_lc_item($2, $2, $4, $4, $6, $8); } + | '(' cnum ',' cnum ',' '*' ')' { $$ = f_new_lc_item($2, $2, $4, $4, 0, LC_ALL); } + | '(' cnum ',' cnum DDOT cnum ',' '*' ')' { $$ = f_new_lc_item($2, $2, $4, $6, 0, LC_ALL); } + | '(' cnum ',' '*' ',' '*' ')' { $$ = f_new_lc_item($2, $2, 0, LC_ALL, 0, LC_ALL); } + | '(' cnum DDOT cnum ',' '*' ',' '*' ')' { $$ = f_new_lc_item($2, $4, 0, LC_ALL, 0, LC_ALL); } + | '(' '*' ',' '*' ',' '*' ')' { $$ = f_new_lc_item(0, LC_ALL, 0, LC_ALL, 0, LC_ALL); } + | '(' cnum ',' cnum ',' cnum ')' DDOT '(' cnum ',' cnum ',' cnum ')' + { $$ = f_new_lc_item($2, $10, $4, $12, $6, $14); } +; set_item: pair_item | ec_item + | lc_item | set_atom { $$ = f_new_item($1, $1); } | set_atom DDOT set_atom { $$ = f_new_item($1, $3); } ; @@ -558,6 +624,7 @@ set_item: switch_item: pair_item | ec_item + | lc_item | switch_atom { $$ = f_new_item($1, $1); } | switch_atom DDOT switch_atom { $$ = f_new_item($1, $3); } ; @@ -608,7 +675,7 @@ switch_body: /* EMPTY */ { $$ = NULL; } /* CONST '(' expr ')' { $$ = f_new_inst(); $$->code = 'c'; $$->aux = T_INT; $$->a2.i = $3; } */ bgp_path_expr: - symbol { $$ = $1; } + symbol { $$ = $1; } | '(' term ')' { $$ = $2; } ; @@ -648,6 +715,7 @@ constant: constructor: '(' term ',' term ')' { $$ = f_generate_dpair($2, $4); } | '(' ec_kind ',' term ',' term ')' { $$ = f_generate_ec($2, $4, $6); } + | '(' term ',' term ',' term ')' { $$ = f_generate_lc($2, $4, $6); } ; @@ -758,8 +826,9 @@ term: | '+' EMPTY '+' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_PATH; } | '-' EMPTY '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_CLIST; } | '-' '-' EMPTY '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_ECLIST; } - | PREPEND '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('A','p'); $$->a1.p = $3; $$->a2.p = $5; } - | ADD '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'a'; } + | '-' '-' '-' EMPTY '-' '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_LCLIST; } + | PREPEND '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('A','p'); $$->a1.p = $3; $$->a2.p = $5; } + | ADD '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'a'; } | DELETE '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'd'; } | FILTER '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'f'; } @@ -814,7 +883,7 @@ print_list: /* EMPTY */ { $$ = NULL; } } ; -var_listn: term { +var_listn: term { $$ = f_new_inst(); $$->code = 's'; $$->a1.p = NULL; @@ -882,7 +951,7 @@ cmd: $$ = f_new_inst(); $$->code = P('P','S'); $$->a1.p = $3; - } + } | UNSET '(' rtadot dynamic_attr ')' ';' { $$ = $4; $$->aux = EAF_TYPE_UNDEF | EAF_TEMP; diff --git a/filter/filter.c b/filter/filter.c index 3282bd50..09b89401 100644 --- a/filter/filter.c +++ b/filter/filter.c @@ -99,6 +99,18 @@ pm_format(struct f_path_mask *p, buffer *buf) static inline int val_is_ip4(const struct f_val v) { return (v.type == T_IP) && ipa_is_ip4(v.val.ip); } +static inline int +lcomm_cmp(lcomm v1, lcomm v2) +{ + if (v1.asn != v2.asn) + return (v1.asn > v2.asn) ? 1 : -1; + if (v1.ldp1 != v2.ldp1) + return (v1.ldp1 > v2.ldp1) ? 1 : -1; + if (v1.ldp2 != v2.ldp2) + return (v1.ldp2 > v2.ldp2) ? 1 : -1; + return 0; +} + /** * val_compare - compare two values * @v1: first value @@ -138,6 +150,8 @@ val_compare(struct f_val v1, struct f_val v2) return uint_cmp(v1.val.i, v2.val.i); case T_EC: return u64_cmp(v1.val.ec, v2.val.ec); + case T_LC: + return lcomm_cmp(v1.val.lc, v2.val.lc); case T_IP: return ipa_compare(v1.val.ip, v2.val.ip); case T_NET: @@ -201,6 +215,7 @@ val_same(struct f_val v1, struct f_val v2) case T_PATH: case T_CLIST: case T_ECLIST: + case T_LCLIST: return adata_same(v1.val.ad, v2.val.ad); case T_SET: return same_tree(v1.val.t, v2.val.t); @@ -241,6 +256,10 @@ static inline int eclist_set_type(struct f_tree *set) { return set->from.type == T_EC; } +static inline int +lclist_set_type(struct f_tree *set) +{ return set->from.type == T_LC; } + static int clist_match_set(struct adata *clist, struct f_tree *set) { @@ -286,6 +305,30 @@ eclist_match_set(struct adata *list, struct f_tree *set) return 0; } +static int +lclist_match_set(struct adata *list, struct f_tree *set) +{ + if (!list) + return 0; + + if (!lclist_set_type(set)) + return CMP_ERROR; + + struct f_val v; + u32 *l = int_set_get_data(list); + int len = int_set_get_size(list); + int i; + + v.type = T_LC; + for (i = 0; i < len; i += 3) { + v.val.lc = lc_get(l, i); + if (find_tree(set, v)) + return 1; + } + + return 0; +} + static struct adata * clist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos) { @@ -312,7 +355,7 @@ clist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos *k++ = v.val.i; } - int nl = (k - tmp) * 4; + uint nl = (k - tmp) * sizeof(u32); if (nl == list->length) return list; @@ -346,7 +389,39 @@ eclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int po } } - int nl = (k - tmp) * 4; + uint nl = (k - tmp) * sizeof(u32); + if (nl == list->length) + return list; + + struct adata *res = adata_empty(pool, nl); + memcpy(res->data, tmp, nl); + return res; +} + +static struct adata * +lclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos) +{ + if (!list) + return NULL; + + int tree = (set.type == T_SET); /* 1 -> set is T_SET, 0 -> set is T_CLIST */ + struct f_val v; + + int len = int_set_get_size(list); + u32 *l = int_set_get_data(list); + u32 tmp[len]; + u32 *k = tmp; + int i; + + v.type = T_LC; + for (i = 0; i < len; i += 3) { + v.val.lc = lc_get(l, i); + /* pos && member(val, set) || !pos && !member(val, set), member() depends on tree */ + if ((tree ? !!find_tree(set.val.t, v) : lc_set_contains(set.val.ad, v.val.lc)) == pos) + k = lc_copy(k, l+i); + } + + uint nl = (k - tmp) * sizeof(u32); if (nl == list->length) return list; @@ -381,6 +456,9 @@ val_in_range(struct f_val v1, struct f_val v2) if ((v1.type == T_EC) && (v2.type == T_ECLIST)) return ec_set_contains(v2.val.ad, v1.val.ec); + if ((v1.type == T_LC) && (v2.type == T_LCLIST)) + return lc_set_contains(v2.val.ad, v1.val.lc); + if ((v1.type == T_STRING) && (v2.type == T_STRING)) return patmatch(v2.val.s, v1.val.s); @@ -407,6 +485,9 @@ val_in_range(struct f_val v1, struct f_val v2) if (v1.type == T_ECLIST) return eclist_match_set(v1.val.ad, v2.val.t); + if (v1.type == T_LCLIST) + return lclist_match_set(v1.val.ad, v2.val.t); + if (v1.type == T_PATH) return as_path_match_set(v1.val.ad, v2.val.t); @@ -431,12 +512,14 @@ val_format(struct f_val v, buffer *buf) case T_PAIR: buffer_print(buf, "(%u,%u)", v.val.i >> 16, v.val.i & 0xffff); return; case T_QUAD: buffer_print(buf, "%R", v.val.i); return; case T_EC: ec_format(buf2, v.val.ec); buffer_print(buf, "%s", buf2); return; + case T_LC: lc_format(buf2, v.val.lc); buffer_print(buf, "%s", buf2); return; case T_PREFIX_SET: trie_format(v.val.ti, buf); return; case T_SET: tree_format(v.val.t, buf); return; case T_ENUM: buffer_print(buf, "(enum %x)%u", v.type, v.val.i); return; case T_PATH: as_path_format(v.val.ad, buf2, 1000); buffer_print(buf, "(path %s)", buf2); return; case T_CLIST: int_set_format(v.val.ad, 1, -1, buf2, 1000); buffer_print(buf, "(clist %s)", buf2); return; case T_ECLIST: ec_set_format(v.val.ad, -1, buf2, 1000); buffer_print(buf, "(eclist %s)", buf2); return; + case T_LCLIST: lc_set_format(v.val.ad, -1, buf2, 1000); buffer_print(buf, "(lclist %s)", buf2); return; case T_PATH_MASK: pm_format(v.val.path_mask, buf); return; default: buffer_print(buf, "[unknown type %x]", v.type); return; } @@ -628,6 +711,7 @@ interpret(struct f_inst *what) runtime("Can't operate with value of non-integer type in EC constructor"); val = v2.val.i; + /* XXXX */ res.type = T_EC; if (what->aux == EC_GENERIC) { @@ -649,6 +733,24 @@ interpret(struct f_inst *what) break; } + case P('m','l'): + { + TWOARGS; + + /* Third argument hack */ + struct f_val v3 = interpret(INST3(what).p); + if (v3.type & T_RETURN) + return v3; + + if ((v1.type != T_INT) || (v2.type != T_INT) || (v3.type != T_INT)) + runtime( "Can't operate with value of non-integer type in LC constructor" ); + + res.type = T_LC; + res.val.lc = (lcomm) { v1.val.i, v2.val.i, v3.val.i }; + + break; + } + /* Relational operators */ #define COMPARE(x) \ @@ -883,6 +985,13 @@ interpret(struct f_inst *what) break; } + /* The same special case for lc_set */ + if ((what->aux & EAF_TYPE_MASK) == EAF_TYPE_LC_SET) { + res.type = T_LCLIST; + res.val.ad = adata_empty(f_pool, 0); + break; + } + /* Undefined value */ res.type = T_VOID; break; @@ -922,6 +1031,10 @@ interpret(struct f_inst *what) res.type = T_ECLIST; res.val.ad = e->u.ptr; break; + case EAF_TYPE_LC_SET: + res.type = T_LCLIST; + res.val.ad = e->u.ptr; + break; case EAF_TYPE_UNDEF: res.type = T_VOID; break; @@ -1010,6 +1123,11 @@ interpret(struct f_inst *what) runtime( "Setting eclist attribute to non-eclist value" ); l->attrs[0].u.ptr = v1.val.ad; break; + case EAF_TYPE_LC_SET: + if (v1.type != T_LCLIST) + runtime( "Setting lclist attribute to non-lclist value" ); + l->attrs[0].u.ptr = v1.val.ad; + break; case EAF_TYPE_UNDEF: if (v1.type != T_VOID) runtime( "Setting void attribute to non-void value" ); @@ -1051,6 +1169,7 @@ interpret(struct f_inst *what) case T_PATH: res.val.i = as_path_getlen(v1.val.ad); break; case T_CLIST: res.val.i = int_set_get_size(v1.val.ad); break; case T_ECLIST: res.val.i = ec_set_get_size(v1.val.ad); break; + case T_LCLIST: res.val.i = lc_set_get_size(v1.val.ad); break; default: runtime( "Prefix, path, clist or eclist expected" ); } break; @@ -1240,7 +1359,7 @@ interpret(struct f_inst *what) else if (v2.type == T_ECLIST) arg_set = 2; else if (v2.type != T_EC) - runtime("Can't add/delete non-pair"); + runtime("Can't add/delete non-ec"); res.type = T_ECLIST; switch (what->aux) @@ -1271,8 +1390,50 @@ interpret(struct f_inst *what) bug("unknown Ca operation"); } } + else if (v1.type == T_LCLIST) + { + /* Large community list */ + int arg_set = 0; + + /* v2.val is either LC or LC-set */ + if ((v2.type == T_SET) && lclist_set_type(v2.val.t)) + arg_set = 1; + else if (v2.type == T_LCLIST) + arg_set = 2; + else if (v2.type != T_LC) + runtime("Can't add/delete non-lc"); + + res.type = T_LCLIST; + switch (what->aux) + { + case 'a': + if (arg_set == 1) + runtime("Can't add set"); + else if (!arg_set) + res.val.ad = lc_set_add(f_pool, v1.val.ad, v2.val.lc); + else + res.val.ad = lc_set_union(f_pool, v1.val.ad, v2.val.ad); + break; + + case 'd': + if (!arg_set) + res.val.ad = lc_set_del(f_pool, v1.val.ad, v2.val.lc); + else + res.val.ad = lclist_filter(f_pool, v1.val.ad, v2, 0); + break; + + case 'f': + if (!arg_set) + runtime("Can't filter lc"); + res.val.ad = lclist_filter(f_pool, v1.val.ad, v2, 1); + break; + + default: + bug("unknown Ca operation"); + } + } else - runtime("Can't add/delete to non-(e)clist"); + runtime("Can't add/delete to non-[e|l]clist"); break; @@ -1370,6 +1531,12 @@ i_same(struct f_inst *f1, struct f_inst *f2) case '~': TWOARGS; break; case P('d','e'): ONEARG; break; + case P('m','l'): + TWOARGS; + if (!i_same(INST3(f1).p, INST3(f2).p)) + return 0; + break; + case 's': ARG(v2, a2.p); { diff --git a/filter/filter.h b/filter/filter.h index af490121..fc11b91e 100644 --- a/filter/filter.h +++ b/filter/filter.h @@ -38,6 +38,17 @@ struct f_inst_roa_check { struct rtable_config *rtc; }; +struct f_inst3 { + struct f_inst i; + union { + int i; + void *p; + } a3; +}; + +#define INST3(x) (((struct f_inst3 *) x)->a3) + + struct f_prefix { net_addr net; u8 lo, hi; @@ -48,6 +59,7 @@ struct f_val { union { uint i; u64 ec; + lcomm lc; ip_addr ip; const net_addr *net; char *s; @@ -146,8 +158,10 @@ void val_format(struct f_val v, buffer *buf); #define T_PATH_MASK 0x23 /* mask for BGP path */ #define T_PATH 0x24 /* BGP path */ #define T_CLIST 0x25 /* Community list */ -#define T_ECLIST 0x26 /* Extended community list */ -#define T_EC 0x27 /* Extended community value, u64 */ +#define T_EC 0x26 /* Extended community value, u64 */ +#define T_ECLIST 0x27 /* Extended community list */ +#define T_LC 0x28 /* Large community value, lcomm */ +#define T_LCLIST 0x29 /* Large community list */ #define T_RETURN 0x40 #define T_SET 0x80 @@ -160,10 +174,10 @@ void val_format(struct f_val v, buffer *buf); #define SA_PROTO 4 #define SA_SOURCE 5 #define SA_SCOPE 6 -#define SA_CAST 7 -#define SA_DEST 8 -#define SA_IFNAME 9 -#define SA_IFINDEX 10 +#define SA_CAST 7 +#define SA_DEST 8 +#define SA_IFNAME 9 +#define SA_IFINDEX 10 struct f_tree { @@ -175,7 +189,7 @@ struct f_tree { struct f_trie_node { ip_addr addr, mask, accept; - int plen; + uint plen; struct f_trie_node *c[2]; }; diff --git a/filter/test.conf b/filter/test.conf index a8c3a508..e65b3ebb 100644 --- a/filter/test.conf +++ b/filter/test.conf @@ -31,6 +31,11 @@ function 'mkpair-a'(int a) return (1, a); } +function mktrip(int a) +{ + return (a, 2*a, 3*a); +} + function mkpath(int a; int b) { return [= a b 3 2 1 =]; @@ -95,6 +100,8 @@ clist l; clist l2; eclist el; eclist el2; +lclist ll; +lclist ll2; { print "Entering path test..."; pm1 = / 4 3 2 1 /; @@ -160,7 +167,7 @@ eclist el2; print "Community list (1,2) (3,1) (3,5) ", l, " len: ", l.len; l = add( l, (3,2) ); l = add( l, (4,5) ); - print "Community list (1,2) (3,1) (3,2) (3,5) (4,5) ", l, " len: ", l.len; + print "Community list (1,2) (3,1) (3,5) (3,2) (4,5) ", l, " len: ", l.len; print "Should be true: ", l ~ [(*,2)], " ", l ~ [(*,5)], " ", l ~ [(*, one)]; print "Should be false: ", l ~ [(*,3)], " ", l ~ [(*,(one+6))], " ", l ~ [(*, (one+one+one))]; l = delete( l, [(*,(one+onef(3)))] ); @@ -175,7 +182,7 @@ eclist el2; print "clist B (3..6): ", l2; print "clist A union B: ", add( l2, l ); print "clist A isect B: ", filter( l, l2 ); - print "clist A \ B: ", delete( l, l2 ); + print "clist A \ B: ", delete( l, l2 ); el = -- empty --; el = add(el, (rt, 10, 20)); @@ -207,7 +214,34 @@ eclist el2; print "eclist B (30,40,50): ", el2; print "eclist A union B: ", add( el2, el ); print "eclist A isect B: ", filter( el, el2 ); - print "eclist A \ B: ", delete( el, el2 ); + print "eclist A \ B: ", delete( el, el2 ); + + ll = --- empty ---; + ll = add(ll, (ten, 20, 30)); + ll = add(ll, (1000, 2000, 3000)); + ll = add(ll, mktrip(100000)); + print "LC list (10, 20, 30) (1000, 2000, 3000) (100000, 200000, 300000):"; + print ll; + print "LC len: ", el.len; + print "Should be true: ", mktrip(1000) ~ ll, " ", ll ~ [(5,10,15), (10,20,30)], " ", ll ~ [(10,15..25,*)], " ", ll ~ [(ten, *, *)]; + print "Should be false: ", mktrip(100) ~ ll, " ", ll ~ [(5,10,15), (10,21,30)], " ", ll ~ [(10,21..25,*)], " ", ll ~ [(11, *, *)]; + print "LC filtered: ", filter(ll, [(5..15, *, *), (100000, 500..500000, *)]); + + ll = --- empty ---; + ll = add(ll, (10, 10, 10)); + ll = add(ll, (20, 20, 20)); + ll = add(ll, (30, 30, 30)); + + ll2 = --- empty ---; + ll2 = add(ll2, (20, 20, 20)); + ll2 = add(ll2, (30, 30, 30)); + ll2 = add(ll2, (40, 40, 40)); + + print "lclist A (10,20,30): ", ll; + print "lclist B (20,30,40): ", ll2; + print "lclist A union B: ", add(ll, ll2); + print "lclist A isect B: ", filter(ll, ll2); + print "lclist A \ B: ", delete(ll, ll2); # test_roa(); } diff --git a/filter/tree.c b/filter/tree.c index 328c7184..f8379fa8 100644 --- a/filter/tree.c +++ b/filter/tree.c @@ -63,7 +63,7 @@ tree_compare(const void *p1, const void *p2) * build_tree * @from: degenerated tree (linked by @tree->left) to be transformed into form suitable for find_tree() * - * Transforms denerated tree into balanced tree. + * Transforms degenerated tree into balanced tree. */ struct f_tree * build_tree(struct f_tree *from) @@ -162,12 +162,15 @@ void tree_format(struct f_tree *t, buffer *buf) { buffer_puts(buf, "["); - + tree_node_format(t, buf); + if (buf->pos == buf->end) + return; + /* Undo last separator */ if (buf->pos[-1] != '[') buf->pos -= 2; - + buffer_puts(buf, "]"); } diff --git a/filter/trie.c b/filter/trie.c index dad87339..adcfcdf3 100644 --- a/filter/trie.c +++ b/filter/trie.c @@ -220,7 +220,7 @@ trie_add_prefix(struct f_trie *t, const net_addr *net, uint l, uint h) } static int -trie_match_prefix(struct f_trie *t, ip_addr px, int plen) +trie_match_prefix(struct f_trie *t, ip_addr px, uint plen) { ip_addr pmask = ipa_mkmask(plen); ip_addr paddr = ipa_and(px, pmask); @@ -266,7 +266,8 @@ trie_match_prefix(struct f_trie *t, ip_addr px, int plen) int trie_match_net(struct f_trie *t, const net_addr *n) { - int add = 0; + uint add = 0; + switch (n->type) { case NET_IP4: case NET_VPN4: @@ -333,9 +334,12 @@ trie_format(struct f_trie *t, buffer *buf) buffer_puts(buf, "["); if (t->zero) - buffer_print(buf, "%I/%d", IPA_NONE, 0); + buffer_print(buf, "%I/%d, ", IPA_NONE, 0); trie_node_format(t->root, buf); + if (buf->pos == buf->end) + return; + /* Undo last separator */ if (buf->pos[-1] != '[') buf->pos -= 2; @@ -2,6 +2,7 @@ H Library functions S ip.c S lists.c S checksum.c bitops.c patmatch.c printf.c xmalloc.c tbf.c +S mac.c D resource.sgml S resource.c S mempool.c diff --git a/lib/Makefile b/lib/Makefile index 8e372bd3..551089c3 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,3 +1,3 @@ -src := bitops.c checksum.c event.c idm.c ip.c lists.c md5.c mempool.c net.c patmatch.c printf.c resource.c sha1.c sha256.c sha512.c slab.c slists.c tbf.c xmalloc.c +src := bitops.c checksum.c event.c idm.c ip.c lists.c mac.c md5.c mempool.c net.c patmatch.c printf.c resource.c sha1.c sha256.c sha512.c slab.c slists.c tbf.c xmalloc.c obj := $(src-o-files) $(all-daemon) diff --git a/lib/birdlib.h b/lib/birdlib.h index 188e59b2..ddc963f4 100644 --- a/lib/birdlib.h +++ b/lib/birdlib.h @@ -63,7 +63,6 @@ static inline int u64_cmp(u64 i1, u64 i2) #define UNUSED __attribute__((unused)) #define PACKED __attribute__((packed)) - /* Microsecond time */ typedef s64 btime; diff --git a/lib/buffer.h b/lib/buffer.h index cf073e88..2a53f211 100644 --- a/lib/buffer.h +++ b/lib/buffer.h @@ -1,3 +1,17 @@ +/* + * BIRD Library -- Generic Buffer Structure + * + * (c) 2013 Ondrej Zajicek <santiago@crfreenet.org> + * (c) 2013 CZ.NIC z.s.p.o. + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + +#ifndef _BIRD_BUFFER_H_ +#define _BIRD_BUFFER_H_ + +#include "lib/resource.h" +#include "sysdep/config.h" #define BUFFER(type) struct { type *data; uint used, size; } @@ -32,4 +46,4 @@ #define BUFFER_FLUSH(v) ({ (v).used = 0; }) - +#endif /* _BIRD_BUFFER_H_ */ @@ -1,8 +1,18 @@ - +/* + * BIRD Library -- Generic Hash Table + * + * (c) 2013 Ondrej Zajicek <santiago@crfreenet.org> + * (c) 2013 CZ.NIC z.s.p.o. + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + +#ifndef _BIRD_HASH_H_ +#define _BIRD_HASH_H_ #define HASH(type) struct { type **data; uint count, order; } #define HASH_TYPE(v) typeof(** (v).data) -#define HASH_SIZE(v) (1 << (v).order) +#define HASH_SIZE(v) (1U << (v).order) #define HASH_EQ(v,id,k1,k2...) (id##_EQ(k1, k2)) #define HASH_FN(v,id,key...) ((u32) (id##_FN(key)) >> (32 - (v).order)) @@ -116,12 +126,12 @@ #define HASH_MAY_RESIZE_DOWN_(v,pool,rehash_fn,args) \ ({ \ - int _o = (v).order; \ - while (((v).count < ((1 << _o) REHASH_LO_MARK(args))) && \ + uint _o = (v).order; \ + while (((v).count < ((1U << _o) REHASH_LO_MARK(args))) && \ (_o > (REHASH_LO_BOUND(args)))) \ _o -= (REHASH_LO_STEP(args)); \ if (_o < (v).order) \ - rehash_fn(&(v), pool, _o - (int) (v).order); \ + rehash_fn(&(v), pool, _o - (v).order); \ }) @@ -178,6 +188,7 @@ #define HASH_WALK_FILTER_END } while (0) + static inline void mem_hash_init(u64 *h) { @@ -185,14 +196,15 @@ mem_hash_init(u64 *h) } static inline void -mem_hash_mix(u64 *h, void *p, int s) +mem_hash_mix(u64 *h, void *p, uint s) { const u64 multiplier = 0xb38bc09a61202731ULL; const char *pp = p; uint i; + for (i=0; i<s/4; i++) *h = *h * multiplier + ((const u32 *)pp)[i]; - + for (i=s & ~0x3; i<s; i++) *h = *h * multiplier + pp[i]; } @@ -204,7 +216,7 @@ mem_hash_value(u64 *h) } static inline uint -mem_hash(void *p, int s) +mem_hash(void *p, uint s) { static u64 h; mem_hash_init(&h); @@ -212,3 +224,4 @@ mem_hash(void *p, int s) return mem_hash_value(&h); } +#endif @@ -53,7 +53,7 @@ idm_alloc(struct idm *m) ASSERT(0); - found: +found: ASSERT(i < 0x8000000); m->pos = i; diff --git a/lib/mac.c b/lib/mac.c new file mode 100644 index 00000000..977d6559 --- /dev/null +++ b/lib/mac.c @@ -0,0 +1,289 @@ +/* + * BIRD Library -- Message Authentication Codes + * + * (c) 2016 Ondrej Zajicek <santiago@crfreenet.org> + * (c) 2016 CZ.NIC z.s.p.o. + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + +/** + * DOC: Message authentication codes + * + * MAC algorithms are simple cryptographic tools for message authentication. + * They use shared a secret key a and message text to generate authentication + * code, which is then passed with the message to the other side, where the code + * is verified. There are multiple families of MAC algorithms based on different + * cryptographic primitives, BIRD implements two MAC families which use hash + * functions. + * + * The first family is simply a cryptographic hash camouflaged as MAC algorithm. + * Originally supposed to be (m|k)-hash (message is concatenated with key, and + * that is hashed), but later it turned out that a raw hash is more practical. + * This is used for cryptographic authentication in OSPFv2, RIP and BFD. + * + * The second family is the standard HMAC (RFC 2104), using inner and outer hash + * to process key and message. HMAC (with SHA) is used in advanced OSPF and RIP + * authentication (RFC 5709, RFC 4822). + */ + +#include "lib/mac.h" +#include "lib/md5.h" +#include "lib/sha1.h" +#include "lib/sha256.h" +#include "lib/sha512.h" + + +/* + * Internal hash calls + */ + +static inline void +hash_init(struct mac_context *mctx, struct hash_context *hctx) +{ mctx->type->hash_init(hctx); } + +static inline void +hash_update(struct mac_context *mctx, struct hash_context *hctx, const byte *buf, uint len) +{ mctx->type->hash_update(hctx, buf, len); } + +static inline byte * +hash_final(struct mac_context *mctx, struct hash_context *hctx) +{ return mctx->type->hash_final(hctx); } + +static inline void +hash_buffer(struct mac_context *mctx, byte *outbuf, const byte *buffer, uint length) +{ + struct hash_context hctx; + + hash_init(mctx, &hctx); + hash_update(mctx, &hctx, buffer, length); + memcpy(outbuf, hash_final(mctx, &hctx), mctx->type->hash_size); +} + + +/* + * (not-really-MAC) Hash + */ + +static void +nrmh_init(struct mac_context *ctx, const byte *key UNUSED, uint keylen UNUSED) +{ + struct nrmh_context *ct = (void *) ctx; + hash_init(ctx, &ct->ictx); +} + +static void +nrmh_update(struct mac_context *ctx, const byte *data, uint datalen) +{ + struct nrmh_context *ct = (void *) ctx; + hash_update(ctx, &ct->ictx, data, datalen); +} + +static byte * +nrmh_final(struct mac_context *ctx) +{ + struct nrmh_context *ct = (void *) ctx; + return hash_final(ctx, &ct->ictx); +} + + +/* + * HMAC + */ + +static void +hmac_init(struct mac_context *ctx, const byte *key, uint keylen) +{ + struct hmac_context *ct = (void *) ctx; + uint block_size = ctx->type->block_size; + uint hash_size = ctx->type->hash_size; + + byte *keybuf = alloca(block_size); + byte *buf = alloca(block_size); + uint i; + + /* Hash the key if necessary */ + if (keylen <= block_size) + { + memcpy(keybuf, key, keylen); + memset(keybuf + keylen, 0, block_size - keylen); + } + else + { + hash_buffer(ctx, keybuf, key, keylen); + memset(keybuf + hash_size, 0, block_size - hash_size); + } + + /* Initialize the inner digest */ + hash_init(ctx, &ct->ictx); + for (i = 0; i < block_size; i++) + buf[i] = keybuf[i] ^ 0x36; + hash_update(ctx, &ct->ictx, buf, block_size); + + /* Initialize the outer digest */ + hash_init(ctx, &ct->octx); + for (i = 0; i < block_size; i++) + buf[i] = keybuf[i] ^ 0x5c; + hash_update(ctx, &ct->octx, buf, block_size); +} + +static void +hmac_update(struct mac_context *ctx, const byte *data, uint datalen) +{ + struct hmac_context *ct = (void *) ctx; + + /* Just update the inner digest */ + hash_update(ctx, &ct->ictx, data, datalen); +} + +static byte * +hmac_final(struct mac_context *ctx) +{ + struct hmac_context *ct = (void *) ctx; + + /* Finish the inner digest */ + byte *isha = hash_final(ctx, &ct->ictx); + + /* Finish the outer digest */ + hash_update(ctx, &ct->octx, isha, ctx->type->hash_size); + return hash_final(ctx, &ct->octx); +} + + +/* + * Common code + */ + +#define HASH_DESC(name, px, PX) \ + { name, PX##_SIZE, sizeof(struct nrmh_context), nrmh_init, nrmh_update, nrmh_final, \ + PX##_SIZE, PX##_BLOCK_SIZE, px##_init, px##_update, px##_final } + +#define HMAC_DESC(name, px, PX) \ + { name, PX##_SIZE, sizeof(struct hmac_context), hmac_init, hmac_update, hmac_final, \ + PX##_SIZE, PX##_BLOCK_SIZE, px##_init, px##_update, px##_final } + +const struct mac_desc mac_table[ALG_MAX] = { + [ALG_MD5] = HASH_DESC("Keyed MD5", md5, MD5), + [ALG_SHA1] = HASH_DESC("Keyed SHA-1", sha1, SHA1), + [ALG_SHA224] = HASH_DESC("Keyed SHA-224", sha224, SHA224), + [ALG_SHA256] = HASH_DESC("Keyed SHA-256", sha256, SHA256), + [ALG_SHA384] = HASH_DESC("Keyed SHA-384", sha384, SHA384), + [ALG_SHA512] = HASH_DESC("Keyed SHA-512", sha512, SHA512), + [ALG_HMAC_MD5] = HMAC_DESC("HMAC-MD5", md5, MD5), + [ALG_HMAC_SHA1] = HMAC_DESC("HMAC-SHA-1", sha1, SHA1), + [ALG_HMAC_SHA224] = HMAC_DESC("HMAC-SHA-224", sha224, SHA224), + [ALG_HMAC_SHA256] = HMAC_DESC("HMAC-SHA-256", sha256, SHA256), + [ALG_HMAC_SHA384] = HMAC_DESC("HMAC-SHA-384", sha384, SHA384), + [ALG_HMAC_SHA512] = HMAC_DESC("HMAC-SHA-512", sha512, SHA512), +}; + + +/** + * mac_init - initialize MAC algorithm + * @ctx: context to initialize + * @id: MAC algorithm ID + * @key: MAC key + * @keylen: MAC key length + * + * Initialize MAC context @ctx for algorithm @id (e.g., %ALG_HMAC_SHA1), with + * key @key of length @keylen. After that, message data could be added using + * mac_update() function. + */ +void +mac_init(struct mac_context *ctx, uint id, const byte *key, uint keylen) +{ + ctx->type = &mac_table[id]; + ctx->type->init(ctx, key, keylen); +} + +#if 0 +/** + * mac_update - add more data to MAC algorithm + * @ctx: MAC context + * @data: data to add + * @datalen: length of data + * + * Push another @datalen bytes of data pointed to by @data into the MAC + * algorithm currently in @ctx. Can be called multiple times for the same MAC + * context. It has the same effect as concatenating all the data together and + * passing them at once. + */ +void mac_update(struct mac_context *ctx, const byte *data, uint datalen) +{ DUMMY; } + +/** + * mac_final - finalize MAC algorithm + * @ctx: MAC context + * + * Finish MAC computation and return a pointer to the result. No more + * @mac_update() calls could be done, but the context may be reinitialized + * later. + * + * Note that the returned pointer points into data in the @ctx context. If it + * ceases to exist, the pointer becomes invalid. + */ +byte *mac_final(struct mac_context *ctx) +{ DUMMY; } + +/** + * mac_cleanup - cleanup MAC context + * @ctx: MAC context + * + * Cleanup MAC context after computation (by filling with zeros). Not strictly + * necessary, just to erase sensitive data from stack. This also invalidates the + * pointer returned by @mac_final(). + */ +void mac_cleanup(struct mac_context *ctx) +{ DUMMY; } + +#endif + +/** + * mac_fill - compute and fill MAC + * @id: MAC algorithm ID + * @key: secret key + * @keylen: key length + * @data: message data + * @datalen: message length + * @mac: place to fill MAC + * + * Compute MAC for specified key @key and message @data using algorithm @id and + * copy it to buffer @mac. mac_fill() is a shortcut function doing all usual + * steps for transmitted messages. + */ +void +mac_fill(uint id, const byte *key, uint keylen, const byte *data, uint datalen, byte *mac) +{ + struct mac_context ctx; + + mac_init(&ctx, id, key, keylen); + mac_update(&ctx, data, datalen); + memcpy(mac, mac_final(&ctx), mac_get_length(&ctx)); + mac_cleanup(&ctx); +} + +/** + * mac_verify - compute and verify MAC + * @id: MAC algorithm ID + * @key: secret key + * @keylen: key length + * @data: message data + * @datalen: message length + * @mac: received MAC + * + * Compute MAC for specified key @key and message @data using algorithm @id and + * compare it with received @mac, return whether they are the same. mac_verify() + * is a shortcut function doing all usual steps for received messages. + */ +int +mac_verify(uint id, const byte *key, uint keylen, const byte *data, uint datalen, const byte *mac) +{ + struct mac_context ctx; + + mac_init(&ctx, id, key, keylen); + mac_update(&ctx, data, datalen); + int res = !memcmp(mac, mac_final(&ctx), mac_get_length(&ctx)); + mac_cleanup(&ctx); + + return res; +} diff --git a/lib/mac.h b/lib/mac.h new file mode 100644 index 00000000..b6f3af52 --- /dev/null +++ b/lib/mac.h @@ -0,0 +1,121 @@ +/* + * BIRD Library -- Message Authentication Codes + * + * (c) 2016 Ondrej Zajicek <santiago@crfreenet.org> + * (c) 2016 CZ.NIC z.s.p.o. + * + * Can be freely distributed and used under the terms of the GNU GPL. + */ + +#ifndef _BIRD_MAC_H_ +#define _BIRD_MAC_H_ + +#include "nest/bird.h" +#include "lib/sha512.h" + + +#define ALG_UNDEFINED 0 +#define ALG_MD5 0x01 +#define ALG_SHA1 0x02 +#define ALG_SHA224 0x03 +#define ALG_SHA256 0x04 +#define ALG_SHA384 0x05 +#define ALG_SHA512 0x06 +#define ALG_HMAC 0x10 +#define ALG_HMAC_MD5 0x11 +#define ALG_HMAC_SHA1 0x12 +#define ALG_HMAC_SHA224 0x13 +#define ALG_HMAC_SHA256 0x14 +#define ALG_HMAC_SHA384 0x15 +#define ALG_HMAC_SHA512 0x16 +#define ALG_MAX 0x17 + +/* These are maximums for HASH/MAC lengths and required context space */ +#define MAX_HASH_SIZE SHA512_SIZE +#define HASH_STORAGE sizeof(struct sha512_context) +#define MAC_STORAGE sizeof(struct hmac_context) + +/* This value is used by several IETF protocols for padding */ +#define HMAC_MAGIC htonl(0x878FE1F3) + +/* Generic context used by hash functions */ +struct hash_context +{ + u8 data[HASH_STORAGE]; + u64 align[0]; +}; + +/* Context for embedded hash (not-really-MAC hash) */ +struct nrmh_context { + const struct mac_desc *type; + struct hash_context ictx; +}; + +/* Context for hash based HMAC */ +struct hmac_context { + const struct mac_desc *type; + struct hash_context ictx; + struct hash_context octx; +}; + +/* Generic context used by MAC functions */ +struct mac_context +{ + const struct mac_desc *type; + u8 data[MAC_STORAGE - sizeof(void *)]; + u64 align[0]; +}; + +/* Union to satisfy C aliasing rules */ +union mac_context_union { + struct mac_context mac; + struct nrmh_context nrmh; + struct hmac_context hmac; +}; + + +struct mac_desc { + const char *name; /* Name of MAC algorithm */ + uint mac_length; /* Length of authentication code */ + uint ctx_length; /* Length of algorithm context */ + void (*init)(struct mac_context *ctx, const byte *key, uint keylen); + void (*update)(struct mac_context *ctx, const byte *data, uint datalen); + byte *(*final)(struct mac_context *ctx); + + uint hash_size; /* Hash length, for hash-based MACs */ + uint block_size; /* Hash block size, for hash-based MACs */ + void (*hash_init)(struct hash_context *ctx); + void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen); + byte *(*hash_final)(struct hash_context *ctx); +}; + +extern const struct mac_desc mac_table[ALG_MAX]; + +static inline const char *mac_type_name(uint id) +{ return mac_table[id].name; } + +static inline uint mac_type_length(uint id) +{ return mac_table[id].mac_length; } + +static inline const char *mac_get_name(struct mac_context *ctx) +{ return ctx->type->name; } + +static inline uint mac_get_length(struct mac_context *ctx) +{ return ctx->type->mac_length; } + +void mac_init(struct mac_context *ctx, uint id, const byte *key, uint keylen); + +static inline void mac_update(struct mac_context *ctx, const byte *data, uint datalen) +{ ctx->type->update(ctx, data, datalen); } + +static inline byte *mac_final(struct mac_context *ctx) +{ return ctx->type->final(ctx); } + +static inline void mac_cleanup(struct mac_context *ctx) +{ memset(ctx, 0, ctx->type->ctx_length); } + +void mac_fill(uint id, const byte *key, uint keylen, const byte *data, uint datalen, byte *mac); +int mac_verify(uint id, const byte *key, uint keylen, const byte *data, uint datalen, const byte *mac); + + +#endif /* _BIRD_MAC_H_ */ @@ -39,8 +39,10 @@ static void md5_transform(u32 buf[4], u32 const in[16]); * initialization constants. */ void -md5_init(struct md5_context *ctx) +md5_init(struct hash_context *CTX) { + struct md5_context *ctx = (void *) CTX; + ctx->buf[0] = 0x67452301; ctx->buf[1] = 0xefcdab89; ctx->buf[2] = 0x98badcfe; @@ -55,8 +57,9 @@ md5_init(struct md5_context *ctx) * of bytes. */ void -md5_update(struct md5_context *ctx, const byte *buf, uint len) +md5_update(struct hash_context *CTX, const byte *buf, uint len) { + struct md5_context *ctx = (void *) CTX; u32 t; /* Update bitcount */ @@ -105,8 +108,9 @@ md5_update(struct md5_context *ctx, const byte *buf, uint len) * 1 0* (64-bit count of bits processed, MSB-first) */ byte * -md5_final(struct md5_context *ctx) +md5_final(struct hash_context *CTX) { + struct md5_context *ctx = (void *) CTX; uint count; byte *p; @@ -149,13 +153,6 @@ md5_final(struct md5_context *ctx) return (byte*) ctx->buf; } -/* I am a hard paranoid */ -void -md5_erase_ctx(struct md5_context *ctx) -{ - memset((char *) ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ -} - /* The four core functions - F1 is optimized somewhat */ /* #define F1(x, y, z) (x & y | ~x & z) */ @@ -256,67 +253,3 @@ md5_transform(u32 buf[4], u32 const in[16]) buf[2] += c; buf[3] += d; } - - -/* - * MD5-HMAC - */ - -static void -md5_hash_buffer(byte *outbuf, const byte *buffer, size_t length) -{ - struct md5_context hd_tmp; - - md5_init(&hd_tmp); - md5_update(&hd_tmp, buffer, length); - memcpy(outbuf, md5_final(&hd_tmp), MD5_SIZE); -} - -void -md5_hmac_init(struct md5_hmac_context *ctx, const byte *key, size_t keylen) -{ - byte keybuf[MD5_BLOCK_SIZE], buf[MD5_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= MD5_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - bzero(keybuf + keylen, MD5_BLOCK_SIZE - keylen); - } - else - { - md5_hash_buffer(keybuf, key, keylen); - bzero(keybuf + MD5_SIZE, MD5_BLOCK_SIZE - MD5_SIZE); - } - - /* Initialize the inner digest */ - md5_init(&ctx->ictx); - int i; - for (i = 0; i < MD5_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - md5_update(&ctx->ictx, buf, MD5_BLOCK_SIZE); - - /* Initialize the outer digest */ - md5_init(&ctx->octx); - for (i = 0; i < MD5_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - md5_update(&ctx->octx, buf, MD5_BLOCK_SIZE); -} - -void -md5_hmac_update(struct md5_hmac_context *ctx, const byte *buf, size_t buflen) -{ - /* Just update the inner digest */ - md5_update(&ctx->ictx, buf, buflen); -} - -byte * -md5_hmac_final(struct md5_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = md5_final(&ctx->ictx); - - /* Finish the outer digest */ - md5_update(&ctx->octx, isha, MD5_SIZE); - return md5_final(&ctx->octx); -} @@ -19,29 +19,18 @@ #define MD5_BLOCK_SIZE 64 +struct hash_context; + struct md5_context { u32 buf[4]; u32 bits[2]; byte in[64]; }; -void md5_init(struct md5_context *ctx); -void md5_update(struct md5_context *ctx, const byte *buf, uint len); -byte *md5_final(struct md5_context *ctx); - - -/* - * HMAC-MD5 - */ - -struct md5_hmac_context { - struct md5_context ictx; - struct md5_context octx; -}; -void md5_hmac_init(struct md5_hmac_context *ctx, const byte *key, size_t keylen); -void md5_hmac_update(struct md5_hmac_context *ctx, const byte *buf, size_t buflen); -byte *md5_hmac_final(struct md5_hmac_context *ctx); +void md5_init(struct hash_context *ctx); +void md5_update(struct hash_context *ctx, const byte *buf, uint len); +byte *md5_final(struct hash_context *ctx); #endif /* _BIRD_MD5_H_ */ @@ -1,5 +1,5 @@ /* - * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1 + * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) * * (c) 2015 CZ.NIC z.s.p.o. * @@ -17,8 +17,10 @@ void -sha1_init(struct sha1_context *ctx) +sha1_init(struct hash_context *CTX) { + struct sha1_context *ctx = (void *) CTX; + ctx->h0 = 0x67452301; ctx->h1 = 0xefcdab89; ctx->h2 = 0x98badcfe; @@ -167,8 +169,10 @@ sha1_transform(struct sha1_context *ctx, const byte *data) * Update the message digest with the contents of BUF with length LEN. */ void -sha1_update(struct sha1_context *ctx, const byte *buf, uint len) +sha1_update(struct hash_context *CTX, const byte *buf, uint len) { + struct sha1_context *ctx = (void *) CTX; + if (ctx->count) { /* Fill rest of internal buffer */ @@ -209,11 +213,12 @@ sha1_update(struct sha1_context *ctx, const byte *buf, uint len) * Returns: 20 bytes representing the digest. */ byte * -sha1_final(struct sha1_context *ctx) +sha1_final(struct hash_context *CTX) { + struct sha1_context *ctx = (void *) CTX; u32 t, msb, lsb; - sha1_update(ctx, NULL, 0); /* flush */ + sha1_update(CTX, NULL, 0); /* flush */ t = ctx->nblocks; /* multiply by 64 to make a byte count */ @@ -242,7 +247,7 @@ sha1_final(struct sha1_context *ctx) ctx->buf[ctx->count++] = 0x80; /* pad character */ while (ctx->count < 64) ctx->buf[ctx->count++] = 0; - sha1_update(ctx, NULL, 0); /* flush */ + sha1_update(CTX, NULL, 0); /* flush */ memset(ctx->buf, 0, 56); /* fill next block with zeroes */ } @@ -268,81 +273,3 @@ sha1_final(struct sha1_context *ctx) return ctx->buf; } - - -/* - * SHA1-HMAC - */ - -/* - * Shortcut function which puts the hash value of the supplied buffer - * into outbuf which must have a size of 20 bytes. - */ -void -sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length) -{ - struct sha1_context ctx; - - sha1_init(&ctx); - sha1_update(&ctx, buffer, length); - memcpy(outbuf, sha1_final(&ctx), SHA1_SIZE); -} - -void -sha1_hmac_init(struct sha1_hmac_context *ctx, const byte *key, uint keylen) -{ - byte keybuf[SHA1_BLOCK_SIZE], buf[SHA1_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= SHA1_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - memset(keybuf + keylen, 0, SHA1_BLOCK_SIZE - keylen); - } - else - { - sha1_hash_buffer(keybuf, key, keylen); - memset(keybuf + SHA1_SIZE, 0, SHA1_BLOCK_SIZE - SHA1_SIZE); - } - - /* Initialize the inner digest */ - sha1_init(&ctx->ictx); - int i; - for (i = 0; i < SHA1_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - sha1_update(&ctx->ictx, buf, SHA1_BLOCK_SIZE); - - /* Initialize the outer digest */ - sha1_init(&ctx->octx); - for (i = 0; i < SHA1_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - sha1_update(&ctx->octx, buf, SHA1_BLOCK_SIZE); -} - -void -sha1_hmac_update(struct sha1_hmac_context *ctx, const byte *data, uint datalen) -{ - /* Just update the inner digest */ - sha1_update(&ctx->ictx, data, datalen); -} - -byte * -sha1_hmac_final(struct sha1_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = sha1_final(&ctx->ictx); - - /* Finish the outer digest */ - sha1_update(&ctx->octx, isha, SHA1_SIZE); - return sha1_final(&ctx->octx); -} - -void -sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen) -{ - struct sha1_hmac_context ctx; - - sha1_hmac_init(&ctx, key, keylen); - sha1_hmac_update(&ctx, data, datalen); - memcpy(outbuf, sha1_hmac_final(&ctx), SHA1_SIZE); -} @@ -1,5 +1,5 @@ /* - * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1 + * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) * * (c) 2015 CZ.NIC z.s.p.o. * @@ -27,6 +27,8 @@ * Internal SHA1 state. * You should use it just as an opaque handle only. */ +struct hash_context; + struct sha1_context { u32 h0, h1, h2, h3, h4; byte buf[SHA1_BLOCK_SIZE]; @@ -34,15 +36,14 @@ struct sha1_context { uint count; }; - -void sha1_init(struct sha1_context *ctx); /* Initialize new algorithm run in the @ctx context. **/ +void sha1_init(struct hash_context *ctx); /* Initialize new algorithm run in the @ctx context. **/ /* * Push another @len bytes of data pointed to by @buf onto the SHA1 hash * currently in @ctx. You can call this any times you want on the same hash (and * you do not need to reinitialize it by @sha1_init()). It has the same effect * as concatenating all the data together and passing them at once. */ -void sha1_update(struct sha1_context *ctx, const byte *buf, uint len); +void sha1_update(struct hash_context *ctx, const byte *buf, uint len); /* * No more @sha1_update() calls will be done. This terminates the hash and * returns a pointer to it. @@ -50,7 +51,7 @@ void sha1_update(struct sha1_context *ctx, const byte *buf, uint len); * Note that the pointer points into data in the @ctx context. If it ceases to * exist, the pointer becomes invalid. */ -byte *sha1_final(struct sha1_context *ctx); +byte *sha1_final(struct hash_context *ctx); /* * A convenience one-shot function for SHA1 hash. It is equivalent to this @@ -63,24 +64,5 @@ byte *sha1_final(struct sha1_context *ctx); */ void sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length); -/* - * SHA1 HMAC message authentication. If you provide @key and @data, the result - * will be stored in @outbuf. - */ -void sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen); - -/* - * The HMAC also exists in a stream version in a way analogous to the plain - * SHA1. Pass this as a context. - */ -struct sha1_hmac_context { - struct sha1_context ictx; - struct sha1_context octx; -}; - -void sha1_hmac_init(struct sha1_hmac_context *ctx, const byte *key, uint keylen); /* Initialize HMAC with context @ctx and the given key. See sha1_init(). */ -void sha1_hmac_update(struct sha1_hmac_context *ctx, const byte *data, uint datalen); /* Hash another @datalen bytes of data. See sha1_update(). */ -byte *sha1_hmac_final(struct sha1_hmac_context *ctx); /* Terminate the HMAC and return a pointer to the allocated hash. See sha1_final(). */ - #endif /* _BIRD_SHA1_H_ */ diff --git a/lib/sha256.c b/lib/sha256.c index 440245d5..11ff2b05 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -1,6 +1,5 @@ /* - * BIRD Library -- SHA-256 and SHA-224 Hash Functions, - * HMAC-SHA-256 and HMAC-SHA-224 Functions + * BIRD Library -- SHA-256 and SHA-224 Hash Functions * * (c) 2015 CZ.NIC z.s.p.o. * @@ -17,8 +16,10 @@ // #define SHA256_UNROLLED void -sha256_init(struct sha256_context *ctx) +sha256_init(struct hash_context *CTX) { + struct sha256_context *ctx = (void *) CTX; + ctx->h0 = 0x6a09e667; ctx->h1 = 0xbb67ae85; ctx->h2 = 0x3c6ef372; @@ -33,8 +34,10 @@ sha256_init(struct sha256_context *ctx) } void -sha224_init(struct sha224_context *ctx) +sha224_init(struct hash_context *CTX) { + struct sha224_context *ctx = (void *) CTX; + ctx->h0 = 0xc1059ed8; ctx->h1 = 0x367cd507; ctx->h2 = 0x3070dd17; @@ -219,8 +222,10 @@ sha256_transform(struct sha256_context *ctx, const byte *data) not have any meaning but writing after finalize is sometimes helpful to mitigate timing attacks. */ void -sha256_update(struct sha256_context *ctx, const byte *buf, size_t len) +sha256_update(struct hash_context *CTX, const byte *buf, uint len) { + struct sha256_context *ctx = (void *) CTX; + if (ctx->count) { /* Fill rest of internal buffer */ @@ -261,11 +266,12 @@ sha256_update(struct sha256_context *ctx, const byte *buf, size_t len) * Returns: 32 bytes with the message the digest. 28 bytes for SHA-224. */ byte * -sha256_final(struct sha256_context *ctx) +sha256_final(struct hash_context *CTX) { + struct sha256_context *ctx = (void *) CTX; u32 t, th, msb, lsb; - sha256_update(ctx, NULL, 0); /* flush */ + sha256_update(CTX, NULL, 0); /* flush */ t = ctx->nblocks; th = 0; @@ -296,7 +302,7 @@ sha256_final(struct sha256_context *ctx) ctx->buf[ctx->count++] = 0x80; /* pad character */ while (ctx->count < 64) ctx->buf[ctx->count++] = 0; - sha256_update(ctx, NULL, 0); /* flush */; + sha256_update(CTX, NULL, 0); /* flush */; memset(ctx->buf, 0, 56 ); /* fill next block with zeroes */ } @@ -319,131 +325,3 @@ sha256_final(struct sha256_context *ctx) return ctx->buf; } - - -/* - * SHA256-HMAC - */ - -static void -sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length) -{ - struct sha256_context ctx; - - sha256_init(&ctx); - sha256_update(&ctx, buffer, length); - memcpy(outbuf, sha256_final(&ctx), SHA256_SIZE); -} - -void -sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen) -{ - byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= SHA256_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - memset(keybuf + keylen, 0, SHA256_BLOCK_SIZE - keylen); - } - else - { - sha256_hash_buffer(keybuf, key, keylen); - memset(keybuf + SHA256_SIZE, 0, SHA256_BLOCK_SIZE - SHA256_SIZE); - } - - /* Initialize the inner digest */ - sha256_init(&ctx->ictx); - int i; - for (i = 0; i < SHA256_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE); - - /* Initialize the outer digest */ - sha256_init(&ctx->octx); - for (i = 0; i < SHA256_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE); -} - -void -sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen) -{ - /* Just update the inner digest */ - sha256_update(&ctx->ictx, buf, buflen); -} - -byte * -sha256_hmac_final(struct sha256_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = sha256_final(&ctx->ictx); - - /* Finish the outer digest */ - sha256_update(&ctx->octx, isha, SHA256_SIZE); - return sha256_final(&ctx->octx); -} - - -/* - * SHA224-HMAC - */ - -static void -sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length) -{ - struct sha224_context ctx; - - sha224_init(&ctx); - sha224_update(&ctx, buffer, length); - memcpy(outbuf, sha224_final(&ctx), SHA224_SIZE); -} - -void -sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen) -{ - byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= SHA224_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - memset(keybuf + keylen, 0, SHA224_BLOCK_SIZE - keylen); - } - else - { - sha224_hash_buffer(keybuf, key, keylen); - memset(keybuf + SHA224_SIZE, 0, SHA224_BLOCK_SIZE - SHA224_SIZE); - } - - /* Initialize the inner digest */ - sha224_init(&ctx->ictx); - int i; - for (i = 0; i < SHA224_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE); - - /* Initialize the outer digest */ - sha224_init(&ctx->octx); - for (i = 0; i < SHA224_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE); -} - -void -sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen) -{ - /* Just update the inner digest */ - sha256_update(&ctx->ictx, buf, buflen); -} - -byte * -sha224_hmac_final(struct sha224_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = sha224_final(&ctx->ictx); - - /* Finish the outer digest */ - sha224_update(&ctx->octx, isha, SHA224_SIZE); - return sha224_final(&ctx->octx); -} diff --git a/lib/sha256.h b/lib/sha256.h index 381200a9..88a948eb 100644 --- a/lib/sha256.h +++ b/lib/sha256.h @@ -1,6 +1,5 @@ /* - * BIRD Library -- SHA-256 and SHA-224 Hash Functions, - * HMAC-SHA-256 and HMAC-SHA-224 Functions + * BIRD Library -- SHA-256 and SHA-224 Hash Functions * * (c) 2015 CZ.NIC z.s.p.o. * @@ -25,6 +24,8 @@ #define SHA256_BLOCK_SIZE 64 +struct hash_context; + struct sha256_context { u32 h0, h1, h2, h3, h4, h5, h6, h7; byte buf[SHA256_BLOCK_SIZE]; @@ -35,39 +36,14 @@ struct sha256_context { #define sha224_context sha256_context -void sha256_init(struct sha256_context *ctx); -void sha224_init(struct sha224_context *ctx); - -void sha256_update(struct sha256_context *ctx, const byte *buf, size_t len); -static inline void sha224_update(struct sha224_context *ctx, const byte *buf, size_t len) -{ sha256_update(ctx, buf, len); } - -byte *sha256_final(struct sha256_context *ctx); -static inline byte *sha224_final(struct sha224_context *ctx) -{ return sha256_final(ctx); } - - -/* - * HMAC-SHA256, HMAC-SHA224 - */ - -struct sha256_hmac_context -{ - struct sha256_context ictx; - struct sha256_context octx; -}; - -#define sha224_hmac_context sha256_hmac_context - - -void sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen); -void sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen); +void sha256_init(struct hash_context *ctx); +void sha224_init(struct hash_context *ctx); -void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen); -void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen); +void sha256_update(struct hash_context *ctx, const byte *buf, uint len); +#define sha224_update sha256_update -byte *sha256_hmac_final(struct sha256_hmac_context *ctx); -byte *sha224_hmac_final(struct sha224_hmac_context *ctx); +byte *sha256_final(struct hash_context *ctx); +#define sha224_final sha256_final #endif /* _BIRD_SHA256_H_ */ diff --git a/lib/sha512.c b/lib/sha512.c index 37e660f7..576ae1e8 100644 --- a/lib/sha512.c +++ b/lib/sha512.c @@ -1,6 +1,5 @@ /* - * BIRD Library -- SHA-512 and SHA-384 Hash Functions, - * HMAC-SHA-512 and HMAC-SHA-384 Functions + * BIRD Library -- SHA-512 and SHA-384 Hash Functions * * (c) 2015 CZ.NIC z.s.p.o. * @@ -17,8 +16,10 @@ // #define SHA512_UNROLLED void -sha512_init(struct sha512_context *ctx) +sha512_init(struct hash_context *CTX) { + struct sha512_context *ctx = (void *) CTX; + ctx->h0 = U64(0x6a09e667f3bcc908); ctx->h1 = U64(0xbb67ae8584caa73b); ctx->h2 = U64(0x3c6ef372fe94f82b); @@ -33,8 +34,10 @@ sha512_init(struct sha512_context *ctx) } void -sha384_init(struct sha384_context *ctx) +sha384_init(struct hash_context *CTX) { + struct sha384_context *ctx = (void *) CTX; + ctx->h0 = U64(0xcbbb9d5dc1059ed8); ctx->h1 = U64(0x629a292a367cd507); ctx->h2 = U64(0x9159015a3070dd17); @@ -389,8 +392,10 @@ sha512_transform(struct sha512_context *ctx, const byte *data) } void -sha512_update(struct sha512_context *ctx, const byte *buf, size_t len) +sha512_update(struct hash_context *CTX, const byte *buf, uint len) { + struct sha512_context *ctx = (void *) CTX; + if (ctx->count) { /* Fill rest of internal buffer */ @@ -432,11 +437,12 @@ sha512_update(struct sha512_context *ctx, const byte *buf, size_t len) * first 48 of those bytes. */ byte * -sha512_final(struct sha512_context *ctx) +sha512_final(struct hash_context *CTX) { + struct sha512_context *ctx = (void *) CTX; u64 t, th, msb, lsb; - sha512_update(ctx, NULL, 0); /* flush */ + sha512_update(CTX, NULL, 0); /* flush */ t = ctx->nblocks; th = 0; @@ -467,7 +473,7 @@ sha512_final(struct sha512_context *ctx) ctx->buf[ctx->count++] = 0x80; /* pad character */ while(ctx->count < 128) ctx->buf[ctx->count++] = 0; - sha512_update(ctx, NULL, 0); /* flush */ + sha512_update(CTX, NULL, 0); /* flush */ memset(ctx->buf, 0, 112); /* fill next block with zeroes */ } @@ -490,131 +496,3 @@ sha512_final(struct sha512_context *ctx) return ctx->buf; } - - -/* - * SHA512-HMAC - */ - -static void -sha512_hash_buffer(byte *outbuf, const byte *buffer, size_t length) -{ - struct sha512_context ctx; - - sha512_init(&ctx); - sha512_update(&ctx, buffer, length); - memcpy(outbuf, sha512_final(&ctx), SHA512_SIZE); -} - -void -sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen) -{ - byte keybuf[SHA512_BLOCK_SIZE], buf[SHA512_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= SHA512_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - memset(keybuf + keylen, 0, SHA512_BLOCK_SIZE - keylen); - } - else - { - sha512_hash_buffer(keybuf, key, keylen); - memset(keybuf + SHA512_SIZE, 0, SHA512_BLOCK_SIZE - SHA512_SIZE); - } - - /* Initialize the inner digest */ - sha512_init(&ctx->ictx); - int i; - for (i = 0; i < SHA512_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - sha512_update(&ctx->ictx, buf, SHA512_BLOCK_SIZE); - - /* Initialize the outer digest */ - sha512_init(&ctx->octx); - for (i = 0; i < SHA512_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - sha512_update(&ctx->octx, buf, SHA512_BLOCK_SIZE); -} - -void -sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen) -{ - /* Just update the inner digest */ - sha512_update(&ctx->ictx, buf, buflen); -} - -byte * -sha512_hmac_final(struct sha512_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = sha512_final(&ctx->ictx); - - /* Finish the outer digest */ - sha512_update(&ctx->octx, isha, SHA512_SIZE); - return sha512_final(&ctx->octx); -} - - -/* - * SHA384-HMAC - */ - -static void -sha384_hash_buffer(byte *outbuf, const byte *buffer, size_t length) -{ - struct sha384_context ctx; - - sha384_init(&ctx); - sha384_update(&ctx, buffer, length); - memcpy(outbuf, sha384_final(&ctx), SHA384_SIZE); -} - -void -sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen) -{ - byte keybuf[SHA384_BLOCK_SIZE], buf[SHA384_BLOCK_SIZE]; - - /* Hash the key if necessary */ - if (keylen <= SHA384_BLOCK_SIZE) - { - memcpy(keybuf, key, keylen); - memset(keybuf + keylen, 0, SHA384_BLOCK_SIZE - keylen); - } - else - { - sha384_hash_buffer(keybuf, key, keylen); - memset(keybuf + SHA384_SIZE, 0, SHA384_BLOCK_SIZE - SHA384_SIZE); - } - - /* Initialize the inner digest */ - sha384_init(&ctx->ictx); - int i; - for (i = 0; i < SHA384_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x36; - sha384_update(&ctx->ictx, buf, SHA384_BLOCK_SIZE); - - /* Initialize the outer digest */ - sha384_init(&ctx->octx); - for (i = 0; i < SHA384_BLOCK_SIZE; i++) - buf[i] = keybuf[i] ^ 0x5c; - sha384_update(&ctx->octx, buf, SHA384_BLOCK_SIZE); -} - -void -sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen) -{ - /* Just update the inner digest */ - sha384_update(&ctx->ictx, buf, buflen); -} - -byte * -sha384_hmac_final(struct sha384_hmac_context *ctx) -{ - /* Finish the inner digest */ - byte *isha = sha384_final(&ctx->ictx); - - /* Finish the outer digest */ - sha384_update(&ctx->octx, isha, SHA384_SIZE); - return sha384_final(&ctx->octx); -} diff --git a/lib/sha512.h b/lib/sha512.h index 1614a3ac..02220c93 100644 --- a/lib/sha512.h +++ b/lib/sha512.h @@ -1,6 +1,5 @@ /* - * BIRD Library -- SHA-512 and SHA-384 Hash Functions, - * HMAC-SHA-512 and HMAC-SHA-384 Functions + * BIRD Library -- SHA-512 and SHA-384 Hash Functions * * (c) 2015 CZ.NIC z.s.p.o. * @@ -25,8 +24,10 @@ #define SHA512_BLOCK_SIZE 128 +struct hash_context; + struct sha512_context { - u64 h0, h1, h2, h3, h4, h5, h6, h7; + u64 h0, h1, h2, h3, h4, h5, h6, h7; byte buf[SHA512_BLOCK_SIZE]; uint nblocks; uint count; @@ -35,39 +36,14 @@ struct sha512_context { #define sha384_context sha512_context -void sha512_init(struct sha512_context *ctx); -void sha384_init(struct sha384_context *ctx); - -void sha512_update(struct sha512_context *ctx, const byte *buf, size_t len); -static inline void sha384_update(struct sha384_context *ctx, const byte *buf, size_t len) -{ sha512_update(ctx, buf, len); } - -byte *sha512_final(struct sha512_context *ctx); -static inline byte *sha384_final(struct sha384_context *ctx) -{ return sha512_final(ctx); } - - -/* - * HMAC-SHA512, HMAC-SHA384 - */ - -struct sha512_hmac_context -{ - struct sha512_context ictx; - struct sha512_context octx; -}; - -#define sha384_hmac_context sha512_hmac_context - - -void sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen); -void sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen); +void sha512_init(struct hash_context *ctx); +void sha384_init(struct hash_context *ctx); -void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen); -void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen); +void sha512_update(struct hash_context *ctx, const byte *buf, uint len); +#define sha384_update sha512_update -byte *sha512_hmac_final(struct sha512_hmac_context *ctx); -byte *sha384_hmac_final(struct sha384_hmac_context *ctx); +byte *sha512_final(struct hash_context *ctx); +#define sha384_final sha512_final #endif /* _BIRD_SHA512_H_ */ diff --git a/lib/socket.h b/lib/socket.h index 7d1aa7ef..43db3cab 100644 --- a/lib/socket.h +++ b/lib/socket.h @@ -30,7 +30,7 @@ typedef struct birdsock { byte *rbuf, *rpos; /* NULL=allocate automatically */ uint fast_rx; /* RX has higher priority in event loop */ uint rbsize; - int (*rx_hook)(struct birdsock *, int size); /* NULL=receiving turned off, returns 1 to clear rx buffer */ + int (*rx_hook)(struct birdsock *, uint size); /* NULL=receiving turned off, returns 1 to clear rx buffer */ byte *tbuf, *tpos; /* NULL=allocate automatically */ byte *ttx; /* Internal */ diff --git a/lib/string.h b/lib/string.h index 9af49b9e..75cb88dd 100644 --- a/lib/string.h +++ b/lib/string.h @@ -30,6 +30,25 @@ static inline char *xbasename(const char *str) return s ? s+1 : (char *) str; } +static inline char * +xstrdup(const char *c) +{ + size_t l = strlen(c) + 1; + char *z = xmalloc(l); + memcpy(z, c, l); + return z; +} + +static inline void +memset32(void *D, u32 val, uint n) +{ + u32 *dst = D; + uint i; + + for (i = 0; i < n; i++) + dst[i] = val; +} + #define ROUTER_ID_64_LENGTH 23 #endif diff --git a/nest/a-path.c b/nest/a-path.c index e1031b7b..b453f702 100644 --- a/nest/a-path.c +++ b/nest/a-path.c @@ -370,7 +370,7 @@ as_path_filter(struct linpool *pool, struct adata *path, struct f_tree *set, u32 } } - int nl = d - buf; + uint nl = d - buf; if (nl == path->length) return path; diff --git a/nest/a-set.c b/nest/a-set.c index a6116022..bd244e2e 100644 --- a/nest/a-set.c +++ b/nest/a-set.c @@ -116,7 +116,7 @@ int ec_set_format(struct adata *set, int from, byte *buf, uint size) { u32 *z = int_set_get_data(set); - byte *end = buf + size - 24; + byte *end = buf + size - 64; int from2 = MAX(from, 0); int to = int_set_get_size(set); int i; @@ -142,6 +142,43 @@ ec_set_format(struct adata *set, int from, byte *buf, uint size) } int +lc_format(byte *buf, lcomm lc) +{ + return bsprintf(buf, "(%u, %u, %u)", lc.asn, lc.ldp1, lc.ldp2); +} + +int +lc_set_format(struct adata *set, int from, byte *buf, uint bufsize) +{ + u32 *d = (u32 *) set->data; + byte *end = buf + bufsize - 64; + int from2 = MAX(from, 0); + int to = set->length / 4; + int i; + + for (i = from2; i < to; i += 3) + { + if (buf > end) + { + if (from < 0) + strcpy(buf, "..."); + else + buf[-1] = 0; + return i; + } + + buf += bsprintf(buf, "(%u, %u, %u)", d[i], d[i+1], d[i+2]); + *buf++ = ' '; + } + + if (i != from2) + buf--; + + *buf = 0; + return 0; +} + +int int_set_contains(struct adata *list, u32 val) { if (!list) @@ -177,6 +214,24 @@ ec_set_contains(struct adata *list, u64 val) return 0; } +int +lc_set_contains(struct adata *list, lcomm val) +{ + if (!list) + return 0; + + u32 *l = int_set_get_data(list); + int len = int_set_get_size(list); + int i; + + for (i = 0; i < len; i += 3) + if (lc_match(l, i, val)) + return 1; + + return 0; +} + + struct adata * int_set_add(struct linpool *pool, struct adata *list, u32 val) { @@ -189,9 +244,13 @@ int_set_add(struct linpool *pool, struct adata *list, u32 val) len = list ? list->length : 0; res = lp_alloc(pool, sizeof(struct adata) + len + 4); res->length = len + 4; - * (u32 *) res->data = val; + if (list) - memcpy((char *) res->data + 4, list->data, list->length); + memcpy(res->data, list->data, list->length); + + u32 *c = (u32 *) (res->data + len); + *c = val; + return res; } @@ -208,13 +267,30 @@ ec_set_add(struct linpool *pool, struct adata *list, u64 val) if (list) memcpy(res->data, list->data, list->length); - u32 *l = (u32 *) (res->data + res->length - 8); + u32 *l = (u32 *) (res->data + olen); l[0] = ec_hi(val); l[1] = ec_lo(val); return res; } +struct adata * +lc_set_add(struct linpool *pool, struct adata *list, lcomm val) +{ + if (lc_set_contains(list, val)) + return list; + + int olen = list ? list->length : 0; + struct adata *res = lp_alloc(pool, sizeof(struct adata) + olen + LCOMM_LENGTH); + res->length = olen + LCOMM_LENGTH; + + if (list) + memcpy(res->data, list->data, list->length); + + lc_put((u32 *) (res->data + olen), val); + + return res; +} struct adata * int_set_del(struct linpool *pool, struct adata *list, u32 val) @@ -265,6 +341,27 @@ ec_set_del(struct linpool *pool, struct adata *list, u64 val) return res; } +struct adata * +lc_set_del(struct linpool *pool, struct adata *list, lcomm val) +{ + if (!lc_set_contains(list, val)) + return list; + + struct adata *res; + res = lp_alloc(pool, sizeof(struct adata) + list->length - LCOMM_LENGTH); + res->length = list->length - LCOMM_LENGTH; + + u32 *l = int_set_get_data(list); + u32 *k = int_set_get_data(res); + int len = int_set_get_size(list); + int i; + + for (i=0; i < len; i += 3) + if (! lc_match(l, i, val)) + k = lc_copy(k, l+i); + + return res; +} struct adata * int_set_union(struct linpool *pool, struct adata *l1, struct adata *l2) @@ -328,3 +425,33 @@ ec_set_union(struct linpool *pool, struct adata *l1, struct adata *l2) memcpy(res->data + l1->length, tmp, len); return res; } + +struct adata * +lc_set_union(struct linpool *pool, struct adata *l1, struct adata *l2) +{ + if (!l1) + return l2; + if (!l2) + return l1; + + struct adata *res; + int len = int_set_get_size(l2); + u32 *l = int_set_get_data(l2); + u32 tmp[len]; + u32 *k = tmp; + int i; + + for (i = 0; i < len; i += 3) + if (!lc_set_contains(l1, lc_get(l, i))) + k = lc_copy(k, l+i); + + if (k == tmp) + return l1; + + len = (k - tmp) * 4; + res = lp_alloc(pool, sizeof(struct adata) + l1->length + len); + res->length = l1->length + len; + memcpy(res->data, l1->data, l1->length); + memcpy(res->data + l1->length, tmp, len); + return res; +} diff --git a/nest/attrs.h b/nest/attrs.h index 670b048f..548d71a9 100644 --- a/nest/attrs.h +++ b/nest/attrs.h @@ -68,6 +68,7 @@ int as_path_match(struct adata *path, struct f_path_mask *mask); /* Transitive bit (for first u32 half of EC) */ #define EC_TBIT 0x40000000 +#define ECOMM_LENGTH 8 static inline int int_set_get_size(struct adata *list) { return list->length / 4; } @@ -75,6 +76,9 @@ static inline int int_set_get_size(struct adata *list) static inline int ec_set_get_size(struct adata *list) { return list->length / 8; } +static inline int lc_set_get_size(struct adata *list) +{ return list->length / 12; } + static inline u32 *int_set_get_data(struct adata *list) { return (u32 *) list->data; } @@ -98,17 +102,45 @@ static inline u64 ec_ip4(u64 kind, u64 key, u64 val) static inline u64 ec_generic(u64 key, u64 val) { return (key << 32) | val; } +/* Large community value */ +typedef struct lcomm { + u32 asn; + u32 ldp1; + u32 ldp2; +} lcomm; + +#define LCOMM_LENGTH 12 + +static inline lcomm lc_get(const u32 *l, int i) +{ return (lcomm) { l[i], l[i+1], l[i+2] }; } + +static inline void lc_put(u32 *l, lcomm v) +{ l[0] = v.asn; l[1] = v.ldp1; l[2] = v.ldp2; } + +static inline int lc_match(const u32 *l, int i, lcomm v) +{ return (l[i] == v.asn && l[i+1] == v.ldp1 && l[i+2] == v.ldp2); } + +static inline u32 *lc_copy(u32 *dst, const u32 *src) +{ memcpy(dst, src, LCOMM_LENGTH); return dst + 3; } + + int int_set_format(struct adata *set, int way, int from, byte *buf, uint size); int ec_format(byte *buf, u64 ec); int ec_set_format(struct adata *set, int from, byte *buf, uint size); +int lc_format(byte *buf, lcomm lc); +int lc_set_format(struct adata *set, int from, byte *buf, uint size); int int_set_contains(struct adata *list, u32 val); int ec_set_contains(struct adata *list, u64 val); +int lc_set_contains(struct adata *list, lcomm val); struct adata *int_set_add(struct linpool *pool, struct adata *list, u32 val); struct adata *ec_set_add(struct linpool *pool, struct adata *list, u64 val); +struct adata *lc_set_add(struct linpool *pool, struct adata *list, lcomm val); struct adata *int_set_del(struct linpool *pool, struct adata *list, u32 val); struct adata *ec_set_del(struct linpool *pool, struct adata *list, u64 val); +struct adata *lc_set_del(struct linpool *pool, struct adata *list, lcomm val); struct adata *int_set_union(struct linpool *pool, struct adata *l1, struct adata *l2); struct adata *ec_set_union(struct linpool *pool, struct adata *l1, struct adata *l2); +struct adata *lc_set_union(struct linpool *pool, struct adata *l1, struct adata *l2); #endif @@ -42,7 +42,7 @@ struct bfd_request { struct bfd_request * bfd_request_session(pool *p, ip_addr addr, ip_addr local, struct iface *iface, void (*hook)(struct bfd_request *), void *data); -static inline void cf_check_bfd(int use) { } +static inline void cf_check_bfd(int use UNUSED) { } #else diff --git a/nest/config.Y b/nest/config.Y index 2a746657..776e5d16 100644 --- a/nest/config.Y +++ b/nest/config.Y @@ -13,6 +13,7 @@ CF_HDR #include "nest/password.h" #include "nest/cmds.h" #include "lib/lists.h" +#include "lib/mac.h" CF_DEFINES @@ -68,7 +69,8 @@ CF_KEYWORDS(INTERFACE, IMPORT, EXPORT, FILTER, NONE, TABLE, STATES, ROUTES, FILT CF_KEYWORDS(IPV4, IPV6, VPN4, VPN6, ROA4, ROA6) CF_KEYWORDS(RECEIVE, LIMIT, ACTION, WARN, BLOCK, RESTART, DISABLE, KEEP, FILTERED) CF_KEYWORDS(PASSWORD, FROM, PASSIVE, TO, ID, EVENTS, PACKETS, PROTOCOLS, INTERFACES) -CF_KEYWORDS(PRIMARY, STATS, COUNT, FOR, COMMANDS, PREEXPORT, NOEXPORT, GENERATE) /* ,ROA */ +CF_KEYWORDS(ALGORITHM, KEYED, HMAC, MD5, SHA1, SHA256, SHA384, SHA512) +CF_KEYWORDS(PRIMARY, STATS, COUNT, FOR, COMMANDS, PREEXPORT, NOEXPORT, GENERATE) CF_KEYWORDS(LISTEN, BGP, V6ONLY, DUAL, ADDRESS, PORT, PASSWORDS, DESCRIPTION, SORTED) CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES, RESTRICT, MEMORY, IGP_METRIC, CLASS, DSCP) CF_KEYWORDS(GRACEFUL, RESTART, WAIT, MAX, FLUSH, AS) @@ -86,7 +88,7 @@ CF_ENUM(T_ENUM_ROA, ROA_, UNKNOWN, VALID, INVALID) %type <s> optsym %type <ra> r_args %type <sd> sym_args -%type <i> proto_start echo_mask echo_size debug_mask debug_list debug_flag mrtdump_mask mrtdump_list mrtdump_flag export_mode limit_action net_type table_sorted tos +%type <i> proto_start echo_mask echo_size debug_mask debug_list debug_flag mrtdump_mask mrtdump_list mrtdump_flag export_mode limit_action net_type table_sorted tos password_algorithm %type <ps> proto_patt proto_patt2 %type <cc> channel_start proto_channel %type <cl> limit_spec @@ -419,7 +421,7 @@ password_list: | password_item ; -password_items: +password_items: /* empty */ | password_item ';' password_items ; @@ -438,11 +440,13 @@ password_item_begin: } this_p_item = cfg_alloc(sizeof (struct password_item)); this_p_item->password = $2; + this_p_item->length = strlen($2); this_p_item->genfrom = 0; this_p_item->gento = TIME_INFINITY; this_p_item->accfrom = 0; this_p_item->accto = TIME_INFINITY; this_p_item->id = password_id++; + this_p_item->alg = ALG_UNDEFINED; add_tail(this_p_list, &this_p_item->n); } ; @@ -453,10 +457,24 @@ password_item_params: | GENERATE TO datetime ';' password_item_params { this_p_item->gento = $3; } | ACCEPT FROM datetime ';' password_item_params { this_p_item->accfrom = $3; } | ACCEPT TO datetime ';' password_item_params { this_p_item->accto = $3; } + | FROM datetime ';' password_item_params { this_p_item->genfrom = this_p_item->accfrom = $2; } + | TO datetime ';' password_item_params { this_p_item->gento = this_p_item->accto = $2; } | ID expr ';' password_item_params { this_p_item->id = $2; if ($2 <= 0) cf_error("Password ID has to be greated than zero."); } + | ALGORITHM password_algorithm ';' password_item_params { this_p_item->alg = $2; } ; - +password_algorithm: + KEYED MD5 { $$ = ALG_MD5; } + | KEYED SHA1 { $$ = ALG_SHA1; } + | KEYED SHA256 { $$ = ALG_SHA256; } + | KEYED SHA384 { $$ = ALG_SHA384; } + | KEYED SHA512 { $$ = ALG_SHA512; } + | HMAC MD5 { $$ = ALG_HMAC_MD5; } + | HMAC SHA1 { $$ = ALG_HMAC_SHA1; } + | HMAC SHA256 { $$ = ALG_HMAC_SHA256; } + | HMAC SHA384 { $$ = ALG_HMAC_SHA384; } + | HMAC SHA512 { $$ = ALG_HMAC_SHA512; } + ; /* Core commands */ CF_CLI_HELP(SHOW, ..., [[Show status information]]) @@ -605,7 +623,7 @@ CF_CLI(EVAL, term, <expr>, [[Evaluate an expression]]) { cmd_eval($2); } ; CF_CLI_HELP(ECHO, ..., [[Control echoing of log messages]]) -CF_CLI(ECHO, echo_mask echo_size, (all | off | { debug | trace | info | remote | warning | error | auth }) [<buffer-size>], [[Control echoing of log messages]]) { +CF_CLI(ECHO, echo_mask echo_size, (all | off | { debug|trace|info|remote|warning|error|auth [, ...] }) [<buffer-size>], [[Control echoing of log messages]]) { cli_set_log_echo(this_cli, $2, $3); cli_msg(0, ""); } ; @@ -638,11 +656,11 @@ CF_CLI(RELOAD OUT, proto_patt, <protocol> | \"<pattern>\" | all, [[Reload protoc { proto_apply_cmd($3, proto_cmd_reload, 1, CMD_RELOAD_OUT); } ; CF_CLI_HELP(DEBUG, ..., [[Control protocol debugging via BIRD logs]]) -CF_CLI(DEBUG, proto_patt debug_mask, (<protocol> | <pattern> | all) (all | off | { states | routes | filters | interfaces | events | packets }), [[Control protocol debugging via BIRD logs]]) +CF_CLI(DEBUG, proto_patt debug_mask, (<protocol> | \"<pattern>\" | all) (all | off | { states|routes|filters|interfaces|events|packets [, ...] }), [[Control protocol debugging via BIRD logs]]) { proto_apply_cmd($2, proto_cmd_debug, 1, $3); } ; CF_CLI_HELP(MRTDUMP, ..., [[Control protocol debugging via MRTdump files]]) -CF_CLI(MRTDUMP, proto_patt mrtdump_mask, (<protocol> | <pattern> | all) (all | off | { states | messages }), [[Control protocol debugging via MRTdump format]]) +CF_CLI(MRTDUMP, proto_patt mrtdump_mask, (<protocol> | \"<pattern>\" | all) (all | off | { states|messages [, ...] }), [[Control protocol debugging via MRTdump format]]) { proto_apply_cmd($2, proto_cmd_mrtdump, 1, $3); } ; CF_CLI(RESTRICT,,,[[Restrict current CLI session to safe commands]]) diff --git a/nest/locks.c b/nest/locks.c index ad2af493..84b8b0ae 100644 --- a/nest/locks.c +++ b/nest/locks.c @@ -100,7 +100,8 @@ static struct resclass olock_class = { sizeof(struct object_lock), olock_free, olock_dump, - NULL + NULL, + NULL, }; /** diff --git a/nest/password.c b/nest/password.c index 91aaa418..e4813741 100644 --- a/nest/password.c +++ b/nest/password.c @@ -10,6 +10,7 @@ #include "nest/bird.h" #include "nest/password.h" #include "lib/string.h" +#include "lib/mac.h" struct password_item *last_password_item = NULL; @@ -37,7 +38,7 @@ password_find(list *l, int first_fit) } struct password_item * -password_find_by_id(list *l, int id) +password_find_by_id(list *l, uint id) { struct password_item *pi; @@ -66,3 +67,17 @@ password_find_by_value(list *l, char *pass, uint size) return NULL; } +uint +max_mac_length(list *l) +{ + struct password_item *pi; + uint val = 0; + + if (!l) + return 0; + + WALK_LIST(pi, *l) + val = MAX(val, mac_type_length(pi->alg)); + + return val; +} diff --git a/nest/password.h b/nest/password.h index cbf80b99..78244985 100644 --- a/nest/password.h +++ b/nest/password.h @@ -9,19 +9,22 @@ #ifndef PASSWORD_H #define PASSWORD_H + #include "sysdep/unix/timer.h" struct password_item { node n; - char *password; - int id; + char *password; /* Key data, null terminated */ + uint length; /* Key length, without null */ + uint id; /* Key ID */ + uint alg; /* MAC algorithm */ bird_clock_t accfrom, accto, genfrom, gento; }; extern struct password_item *last_password_item; struct password_item *password_find(list *l, int first_fit); -struct password_item *password_find_by_id(list *l, int id); +struct password_item *password_find_by_id(list *l, uint id); struct password_item *password_find_by_value(list *l, char *pass, uint size); static inline int password_verify(struct password_item *p1, char *p2, uint size) @@ -31,4 +34,6 @@ static inline int password_verify(struct password_item *p1, char *p2, uint size) return !memcmp(buf, p2, size); } +uint max_mac_length(list *l); + #endif diff --git a/nest/route.h b/nest/route.h index a536def7..f2e883b6 100644 --- a/nest/route.h +++ b/nest/route.h @@ -285,7 +285,6 @@ rte *rte_find(net *net, struct rte_src *src); rte *rte_get_temp(struct rta *); void rte_update2(struct channel *c, net_addr *n, rte *new, struct rte_src *src); /* rte_update() moved to protocol.h to avoid dependency conflicts */ -void rte_discard(rtable *tab, rte *old); int rt_examine(rtable *t, net_addr *a, struct proto *p, struct filter *filter); rte *rt_export_merged(struct channel *c, net *net, rte **rt_free, struct ea_list **tmpa, linpool *pool, int silent); void rt_refresh_begin(rtable *t, struct channel *c); @@ -445,7 +444,7 @@ typedef struct eattr { #define EA_ALLOW_UNDEF 0x10000 /* ea_find: allow EAF_TYPE_UNDEF */ #define EA_BIT(n) ((n) << 24) /* Used in bitfield accessors */ -#define EAF_TYPE_MASK 0x0f /* Mask with this to get type */ +#define EAF_TYPE_MASK 0x1f /* Mask with this to get type */ #define EAF_TYPE_INT 0x01 /* 32-bit unsigned integer number */ #define EAF_TYPE_OPAQUE 0x02 /* Opaque byte string (not filterable) */ #define EAF_TYPE_IP_ADDRESS 0x04 /* IP address */ @@ -454,7 +453,8 @@ typedef struct eattr { #define EAF_TYPE_BITFIELD 0x09 /* 32-bit embedded bitfield */ #define EAF_TYPE_INT_SET 0x0a /* Set of u32's (e.g., a community list) */ #define EAF_TYPE_EC_SET 0x0e /* Set of pairs of u32's - ext. community list */ -#define EAF_TYPE_UNDEF 0x0f /* `force undefined' entry */ +#define EAF_TYPE_LC_SET 0x12 /* Set of triplets of u32's - large community list */ +#define EAF_TYPE_UNDEF 0x1f /* `force undefined' entry */ #define EAF_EMBEDDED 0x01 /* Data stored in eattr.u.data (part of type spec) */ #define EAF_VAR_LENGTH 0x02 /* Attribute length is variable (part of type spec) */ #define EAF_ORIGINATED 0x40 /* The attribute has originated locally */ diff --git a/nest/rt-attr.c b/nest/rt-attr.c index bb2b3561..e280bbd9 100644 --- a/nest/rt-attr.c +++ b/nest/rt-attr.c @@ -733,7 +733,7 @@ static inline void opaque_format(struct adata *ad, byte *buf, uint size) { byte *bound = buf + size - 10; - int i; + uint i; for(i = 0; i < ad->length; i++) { @@ -776,6 +776,18 @@ ea_show_ec_set(struct cli *c, struct adata *ad, byte *pos, byte *buf, byte *end) } } +static inline void +ea_show_lc_set(struct cli *c, struct adata *ad, byte *pos, byte *buf, byte *end) +{ + int i = lc_set_format(ad, 0, pos, end - pos); + cli_printf(c, -1012, "\t%s", buf); + while (i) + { + i = lc_set_format(ad, i, buf, end - buf - 1); + cli_printf(c, -1012, "\t\t%s", buf); + } +} + /** * ea_show - print an &eattr to CLI * @c: destination CLI @@ -840,6 +852,9 @@ ea_show(struct cli *c, eattr *e) case EAF_TYPE_EC_SET: ea_show_ec_set(c, ad, pos, buf, end); return; + case EAF_TYPE_LC_SET: + ea_show_lc_set(c, ad, pos, buf, end); + return; case EAF_TYPE_UNDEF: default: bsprintf(pos, "<type %02x>", e->type); diff --git a/nest/rt-table.c b/nest/rt-table.c index eb9dc3a5..4260e493 100644 --- a/nest/rt-table.c +++ b/nest/rt-table.c @@ -63,7 +63,7 @@ make_tmp_attrs(struct rte *rt, struct linpool *pool) { struct ea_list *(*mta)(struct rte *rt, struct linpool *pool); mta = rt->attrs->src->proto->make_tmp_attrs; - return mta ? mta(rt, rte_update_pool) : NULL; + return mta ? mta(rt, pool) : NULL; } @@ -713,7 +713,7 @@ mpnh_merge_rta(struct mpnh *nhs, rta *a, linpool *pool, int max) { struct mpnh nh = { .gw = a->gw, .iface = a->iface }; struct mpnh *nh2 = (a->dest == RTD_MULTIPATH) ? a->nexthops : &nh; - return mpnh_merge(nhs, nh2, 1, 0, max, rte_update_pool); + return mpnh_merge(nhs, nh2, 1, 0, max, pool); } rte * @@ -1403,8 +1403,8 @@ rte_announce_i(rtable *tab, unsigned type, net *net, rte *new, rte *old, rte_update_unlock(); } -void -rte_discard(rtable *t, rte *old) /* Non-filtered route deletion, used during garbage collection */ +static inline void +rte_discard(rte *old) /* Non-filtered route deletion, used during garbage collection */ { rte_update_lock(); rte_recalculate(old->sender, old->net, NULL, old->attrs->src); @@ -1695,7 +1695,7 @@ again: return; } - rte_discard(tab, e); + rte_discard(e); limit--; goto rescan; @@ -1780,7 +1780,7 @@ rta_apply_hostentry(rta *a, struct hostentry *he) } static inline rte * -rt_next_hop_update_rte(rtable *tab, rte *old) +rt_next_hop_update_rte(rtable *tab UNUSED, rte *old) { rta a; memcpy(&a, old->attrs, sizeof(rta)); @@ -2166,11 +2166,11 @@ hc_remove(struct hostcache *hc, struct hostentry *he) static void hc_alloc_table(struct hostcache *hc, unsigned order) { - unsigned hsize = 1 << order; + uint hsize = 1 << order; hc->hash_order = order; hc->hash_shift = 32 - order; - hc->hash_max = (order >= HC_HI_ORDER) ? ~0 : (hsize HC_HI_MARK); - hc->hash_min = (order <= HC_LO_ORDER) ? 0 : (hsize HC_LO_MARK); + hc->hash_max = (order >= HC_HI_ORDER) ? ~0U : (hsize HC_HI_MARK); + hc->hash_min = (order <= HC_LO_ORDER) ? 0U : (hsize HC_LO_MARK); hc->hash_table = mb_allocz(rt_table_pool, hsize * sizeof(struct hostentry *)); } @@ -2178,10 +2178,10 @@ hc_alloc_table(struct hostcache *hc, unsigned order) static void hc_resize(struct hostcache *hc, unsigned new_order) { - unsigned old_size = 1 << hc->hash_order; struct hostentry **old_table = hc->hash_table; struct hostentry *he, *hen; - int i; + uint old_size = 1 << hc->hash_order; + uint i; hc_alloc_table(hc, new_order); for (i = 0; i < old_size; i++) diff --git a/proto/babel/babel.c b/proto/babel/babel.c index 9d73a264..38be6909 100644 --- a/proto/babel/babel.c +++ b/proto/babel/babel.c @@ -1723,7 +1723,7 @@ babel_dump(struct proto *P) } static void -babel_get_route_info(rte *rte, byte *buf, ea_list *attrs) +babel_get_route_info(rte *rte, byte *buf, ea_list *attrs UNUSED) { buf += bsprintf(buf, " (%d/%d) [%lR]", rte->pref, rte->u.babel.metric, rte->u.babel.router_id); } @@ -1965,7 +1965,7 @@ babel_store_tmp_attrs(struct rte *rt, struct ea_list *attrs) */ static void babel_rt_notify(struct proto *P, struct rtable *table UNUSED, struct network *net, - struct rte *new, struct rte *old, struct ea_list *attrs) + struct rte *new, struct rte *old UNUSED, struct ea_list *attrs UNUSED) { struct babel_proto *p = (void *) P; struct babel_entry *e; diff --git a/proto/babel/babel.h b/proto/babel/babel.h index 481c88a7..6a95d82f 100644 --- a/proto/babel/babel.h +++ b/proto/babel/babel.h @@ -111,7 +111,7 @@ struct babel_iface_config { u16 rxcost; u8 type; u8 check_link; - int port; + uint port; u16 hello_interval; u16 ihu_interval; u16 update_interval; diff --git a/proto/babel/packets.c b/proto/babel/packets.c index 65dd6853..08054832 100644 --- a/proto/babel/packets.c +++ b/proto/babel/packets.c @@ -146,6 +146,7 @@ struct babel_write_state { #define TLV_HDR(tlv,t,l) ({ tlv->type = t; tlv->length = l - sizeof(struct babel_tlv); }) #define TLV_HDR0(tlv,t) TLV_HDR(tlv, t, tlv_data[t].min_length) +#define BYTES(n) ((((uint) n) + 7) / 8) static inline u16 get_time16(const void *p) @@ -161,18 +162,18 @@ put_time16(void *p, u16 v) } static inline ip6_addr -get_ip6_px(const void *p, int plen) +get_ip6_px(const void *p, uint plen) { ip6_addr addr = IPA_NONE; - memcpy(&addr, p, (plen + 7) / 8); + memcpy(&addr, p, BYTES(plen)); return ip6_ntoh(addr); } static inline void -put_ip6_px(void *p, ip6_addr addr, int plen) +put_ip6_px(void *p, ip6_addr addr, uint plen) { addr = ip6_hton(addr); - memcpy(p, &addr, (plen + 7) / 8); + memcpy(p, &addr, BYTES(plen)); } static inline ip6_addr @@ -202,21 +203,21 @@ static int babel_read_update(struct babel_tlv *hdr, union babel_msg *msg, struct static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); static int babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state); -static int babel_write_ack(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); -static int babel_write_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); -static int babel_write_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); -static int babel_write_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); -static int babel_write_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); -static int babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len); +static uint babel_write_ack(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +static uint babel_write_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +static uint babel_write_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +static uint babel_write_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +static uint babel_write_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); +static uint babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len); struct babel_tlv_data { u8 min_length; int (*read_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_parse_state *state); - int (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, int max_len); + uint (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, uint max_len); void (*handle_tlv)(union babel_msg *m, struct babel_iface *ifa); }; -const static struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = { +static const struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = { [BABEL_TLV_ACK_REQ] = { sizeof(struct babel_tlv_ack_req), babel_read_ack_req, @@ -291,9 +292,9 @@ babel_read_ack_req(struct babel_tlv *hdr, union babel_msg *m, return PARSE_SUCCESS; } -static int +static uint babel_write_ack(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state UNUSED, uint max_len UNUSED) { struct babel_tlv_ack *tlv = (void *) hdr; struct babel_msg_ack *msg = &m->ack; @@ -319,9 +320,9 @@ babel_read_hello(struct babel_tlv *hdr, union babel_msg *m, return PARSE_SUCCESS; } -static int +static uint babel_write_hello(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state UNUSED, uint max_len UNUSED) { struct babel_tlv_hello *tlv = (void *) hdr; struct babel_msg_hello *msg = &m->hello; @@ -363,9 +364,9 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m, return PARSE_SUCCESS; } -static int +static uint babel_write_ihu(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state UNUSED, uint max_len) { struct babel_tlv_ihu *tlv = (void *) hdr; struct babel_msg_ihu *msg = &m->ihu; @@ -401,9 +402,9 @@ babel_read_router_id(struct babel_tlv *hdr, union babel_msg *m UNUSED, } /* This is called directly from babel_write_update() */ -static int +static uint babel_write_router_id(struct babel_tlv *hdr, u64 router_id, - struct babel_write_state *state, int max_len UNUSED) + struct babel_write_state *state, uint max_len UNUSED) { struct babel_tlv_router_id *tlv = (void *) hdr; @@ -467,10 +468,10 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m, msg->metric = get_u16(&tlv->metric); /* Length of received prefix data without omitted part */ - int len = (tlv->plen + 7)/8 - (int) tlv->omitted; + int len = BYTES(tlv->plen) - (int) tlv->omitted; u8 buf[16] = {}; - if ((len < 0) || (len > TLV_OPT_LENGTH(tlv))) + if ((len < 0) || ((uint) len > TLV_OPT_LENGTH(tlv))) return PARSE_ERROR; switch (tlv->ae) @@ -536,13 +537,13 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m, return PARSE_SUCCESS; } -static int +static uint babel_write_update(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state, uint max_len) { struct babel_tlv_update *tlv = (void *) hdr; struct babel_msg_update *msg = &m->update; - int len0 = 0; + uint len0 = 0; /* * When needed, we write Router-ID TLV before Update TLV and return size of @@ -558,7 +559,7 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m, tlv = (struct babel_tlv_update *) NEXT_TLV(tlv); } - int len = sizeof(struct babel_tlv_update) + (msg->plen + 7)/8; + uint len = sizeof(struct babel_tlv_update) + BYTES(msg->plen); if (len0 + len > max_len) return 0; @@ -587,7 +588,7 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m, static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, - struct babel_parse_state *state) + struct babel_parse_state *state UNUSED) { struct babel_tlv_route_request *tlv = (void *) hdr; struct babel_msg_route_request *msg = &m->route_request; @@ -612,7 +613,7 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, if (tlv->plen > MAX_PREFIX_LENGTH) return PARSE_ERROR; - if (TLV_OPT_LENGTH(tlv) < (tlv->plen + 7)/8) + if (TLV_OPT_LENGTH(tlv) < BYTES(tlv->plen)) return PARSE_ERROR; msg->plen = tlv->plen; @@ -629,14 +630,14 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_IGNORE; } -static int +static uint babel_write_route_request(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state UNUSED, uint max_len) { struct babel_tlv_route_request *tlv = (void *) hdr; struct babel_msg_route_request *msg = &m->route_request; - int len = sizeof(struct babel_tlv_route_request) + (msg->plen + 7)/8; + uint len = sizeof(struct babel_tlv_route_request) + BYTES(msg->plen); if (len > max_len) return 0; @@ -687,7 +688,7 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m, if (tlv->plen > MAX_PREFIX_LENGTH) return PARSE_ERROR; - if (TLV_OPT_LENGTH(tlv) < (tlv->plen + 7)/8) + if (TLV_OPT_LENGTH(tlv) < BYTES(tlv->plen)) return PARSE_ERROR; msg->plen = tlv->plen; @@ -704,14 +705,14 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m, return PARSE_IGNORE; } -static int +static uint babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *m, - struct babel_write_state *state, int max_len) + struct babel_write_state *state UNUSED, uint max_len) { struct babel_tlv_seqno_request *tlv = (void *) hdr; struct babel_msg_seqno_request *msg = &m->seqno_request; - int len = sizeof(struct babel_tlv_seqno_request) + (msg->plen + 7)/8; + uint len = sizeof(struct babel_tlv_seqno_request) + BYTES(msg->plen); if (len > max_len) return 0; @@ -744,11 +745,11 @@ babel_read_tlv(struct babel_tlv *hdr, return tlv_data[hdr->type].read_tlv(hdr, msg, state); } -static int +static uint babel_write_tlv(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, - int max_len) + uint max_len) { if ((msg->type <= BABEL_TLV_PADN) || (msg->type >= BABEL_TLV_MAX) || @@ -792,7 +793,7 @@ babel_send_to(struct babel_iface *ifa, ip_addr dest) * * The TLVs in the queue are freed after they are written to the buffer. */ -static int +static uint babel_write_queue(struct babel_iface *ifa, list *queue) { struct babel_proto *p = ifa->proto; @@ -813,6 +814,9 @@ babel_write_queue(struct babel_iface *ifa, list *queue) struct babel_msg_node *msg; WALK_LIST_FIRST(msg, *queue) { + if (pos >= end) + break; + int len = babel_write_tlv((struct babel_tlv *) pos, &msg->msg, &state, end - pos); if (!len) @@ -823,7 +827,7 @@ babel_write_queue(struct babel_iface *ifa, list *queue) sl_free(p->msg_slab, msg); } - int plen = pos - (byte *) pkt; + uint plen = pos - (byte *) pkt; put_u16(&pkt->length, plen - sizeof(struct babel_pkt_header)); return plen; @@ -1027,7 +1031,7 @@ babel_tx_hook(sock *sk) static int -babel_rx_hook(sock *sk, int len) +babel_rx_hook(sock *sk, uint len) { struct babel_iface *ifa = sk->data; struct babel_proto *p = ifa->proto; diff --git a/proto/bfd/bfd.c b/proto/bfd/bfd.c index d33424b0..e2c6050b 100644 --- a/proto/bfd/bfd.c +++ b/proto/bfd/bfd.c @@ -316,6 +316,7 @@ bfd_session_timeout(struct bfd_session *s) s->rem_min_rx_int = 1; s->rem_demand_mode = 0; s->rem_detect_mult = 0; + s->rx_csn_known = 0; s->poll_active = 0; s->poll_scheduled = 0; @@ -429,6 +430,7 @@ bfd_add_session(struct bfd_proto *p, ip_addr addr, ip_addr local, struct iface * s->rem_min_rx_int = 1; s->detect_mult = ifa->cf->multiplier; s->passive = ifa->cf->passive; + s->tx_csn = random_u32(); s->tx_timer = tm2_new_init(p->tpool, bfd_tx_timer_hook, s, 0, 0); s->hold_timer = tm2_new_init(p->tpool, bfd_hold_timer_hook, s, 0, 0); @@ -796,7 +798,7 @@ bfd_start_neighbor(struct bfd_proto *p, struct bfd_neighbor *n) } static void -bfd_stop_neighbor(struct bfd_proto *p, struct bfd_neighbor *n) +bfd_stop_neighbor(struct bfd_proto *p UNUSED, struct bfd_neighbor *n) { if (n->neigh) n->neigh->data = NULL; @@ -853,7 +855,7 @@ void pipe_drain(int fd); void pipe_kick(int fd); static int -bfd_notify_hook(sock *sk, int len) +bfd_notify_hook(sock *sk, uint len UNUSED) { struct bfd_proto *p = sk->data; struct bfd_session *s; @@ -1062,7 +1064,7 @@ bfd_preconfig(struct protocol *P UNUSED, struct config *c UNUSED) } static void -bfd_copy_config(struct proto_config *dest, struct proto_config *src) +bfd_copy_config(struct proto_config *dest, struct proto_config *src UNUSED) { struct bfd_config *d = (struct bfd_config *) dest; // struct bfd_config *s = (struct bfd_config *) src; diff --git a/proto/bfd/bfd.h b/proto/bfd/bfd.h index ce7d665b..e2e75753 100644 --- a/proto/bfd/bfd.h +++ b/proto/bfd/bfd.h @@ -14,6 +14,7 @@ #include "nest/iface.h" #include "nest/protocol.h" #include "nest/route.h" +#include "nest/password.h" #include "conf/conf.h" #include "lib/hash.h" #include "lib/resource.h" @@ -52,6 +53,8 @@ struct bfd_iface_config u32 idle_tx_int; u8 multiplier; u8 passive; + u8 auth_type; /* Authentication type (BFD_AUTH_*) */ + list *passwords; /* Passwords for authentication */ }; struct bfd_neighbor @@ -116,7 +119,7 @@ struct bfd_session u8 passive; u8 poll_active; u8 poll_scheduled; - + u8 loc_state; u8 rem_state; u8 loc_diag; @@ -143,6 +146,11 @@ struct bfd_session list request_list; /* List of client requests (struct bfd_request) */ bird_clock_t last_state_change; /* Time of last state change */ u8 notify_running; /* 1 if notify hooks are running */ + + u8 rx_csn_known; /* Received crypto sequence number is known */ + u32 rx_csn; /* Last received crypto sequence number */ + u32 tx_csn; /* Last transmitted crypto sequence number */ + u32 tx_csn_time; /* Timestamp of last tx_csn change */ }; @@ -174,6 +182,15 @@ extern const char *bfd_state_names[]; #define BFD_FLAG_DEMAND (1 << 1) #define BFD_FLAG_MULTIPOINT (1 << 0) +#define BFD_AUTH_NONE 0 +#define BFD_AUTH_SIMPLE 1 +#define BFD_AUTH_KEYED_MD5 2 +#define BFD_AUTH_METICULOUS_KEYED_MD5 3 +#define BFD_AUTH_KEYED_SHA1 4 +#define BFD_AUTH_METICULOUS_KEYED_SHA1 5 + +extern const u8 bfd_auth_type_to_hash_alg[]; + static inline void bfd_lock_sessions(struct bfd_proto *p) { pthread_spin_lock(&p->lock); } static inline void bfd_unlock_sessions(struct bfd_proto *p) { pthread_spin_unlock(&p->lock); } diff --git a/proto/bfd/config.Y b/proto/bfd/config.Y index 4affb927..73414362 100644 --- a/proto/bfd/config.Y +++ b/proto/bfd/config.Y @@ -22,11 +22,12 @@ extern struct bfd_config *bfd_cf; CF_DECLS CF_KEYWORDS(BFD, MIN, IDLE, RX, TX, INTERVAL, MULTIPLIER, PASSIVE, - INTERFACE, MULTIHOP, NEIGHBOR, DEV, LOCAL) + INTERFACE, MULTIHOP, NEIGHBOR, DEV, LOCAL, AUTHENTICATION, + NONE, SIMPLE, METICULOUS, KEYED, MD5, SHA1) %type <iface> bfd_neigh_iface %type <a> bfd_neigh_local -%type <i> bfd_neigh_multihop +%type <i> bfd_neigh_multihop bfd_auth_type CF_GRAMMAR @@ -62,12 +63,35 @@ bfd_proto: bfd_iface_start: { this_ipatt = cfg_allocz(sizeof(struct bfd_iface_config)); + add_tail(&BFD_CFG->patt_list, NODE this_ipatt); init_list(&this_ipatt->ipn_list); BFD_IFACE->min_rx_int = BFD_DEFAULT_MIN_RX_INT; BFD_IFACE->min_tx_int = BFD_DEFAULT_MIN_TX_INT; BFD_IFACE->idle_tx_int = BFD_DEFAULT_IDLE_TX_INT; BFD_IFACE->multiplier = BFD_DEFAULT_MULTIPLIER; + + reset_passwords(); +}; + +bfd_iface_finish: +{ + BFD_IFACE->passwords = get_passwords(); + + if (!BFD_IFACE->auth_type != !BFD_IFACE->passwords) + log(L_WARN "Authentication and password options should be used together"); + + if (BFD_IFACE->passwords) + { + struct password_item *pass; + WALK_LIST(pass, *BFD_IFACE->passwords) + { + if (pass->alg) + cf_error("Password algorithm option not available in BFD protocol"); + + pass->alg = bfd_auth_type_to_hash_alg[BFD_IFACE->auth_type]; + } + } }; bfd_iface_item: @@ -77,6 +101,17 @@ bfd_iface_item: | IDLE TX INTERVAL expr_us { BFD_IFACE->idle_tx_int = $4; } | MULTIPLIER expr { BFD_IFACE->multiplier = $2; } | PASSIVE bool { BFD_IFACE->passive = $2; } + | AUTHENTICATION bfd_auth_type { BFD_IFACE->auth_type = $2; } + | password_list {} + ; + +bfd_auth_type: + NONE { $$ = BFD_AUTH_NONE; } + | SIMPLE { $$ = BFD_AUTH_SIMPLE; } + | KEYED MD5 { $$ = BFD_AUTH_KEYED_MD5; } + | KEYED SHA1 { $$ = BFD_AUTH_KEYED_SHA1; } + | METICULOUS KEYED MD5 { $$ = BFD_AUTH_METICULOUS_KEYED_MD5; } + | METICULOUS KEYED SHA1 { $$ = BFD_AUTH_METICULOUS_KEYED_SHA1; } ; bfd_iface_opts: @@ -89,10 +124,11 @@ bfd_iface_opt_list: | '{' bfd_iface_opts '}' ; -bfd_iface: bfd_iface_start iface_patt_list_nopx bfd_iface_opt_list -{ add_tail(&BFD_CFG->patt_list, NODE this_ipatt); }; +bfd_iface: + bfd_iface_start iface_patt_list_nopx bfd_iface_opt_list bfd_iface_finish; -bfd_multihop: bfd_iface_start bfd_iface_opt_list +bfd_multihop: + bfd_iface_start bfd_iface_opt_list bfd_iface_finish { BFD_CFG->multihop = BFD_IFACE; }; diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c index 579064c6..06cde4d3 100644 --- a/proto/bfd/packets.c +++ b/proto/bfd/packets.c @@ -5,24 +5,60 @@ */ #include "bfd.h" +#include "lib/mac.h" struct bfd_ctl_packet { - u8 vdiag; /* version and diagnostic */ - u8 flags; /* state and flags */ + u8 vdiag; /* Version and diagnostic */ + u8 flags; /* State and flags */ u8 detect_mult; - u8 length; - u32 snd_id; /* sender ID, aka 'my discriminator' */ - u32 rcv_id; /* receiver ID, aka 'your discriminator' */ + u8 length; /* Whole packet length */ + u32 snd_id; /* Sender ID, aka 'my discriminator' */ + u32 rcv_id; /* Receiver ID, aka 'your discriminator' */ u32 des_min_tx_int; u32 req_min_rx_int; u32 req_min_echo_rx_int; }; +struct bfd_auth +{ + u8 type; /* Authentication type (BFD_AUTH_*) */ + u8 length; /* Authentication section length */ +}; + +struct bfd_simple_auth +{ + u8 type; /* BFD_AUTH_SIMPLE */ + u8 length; /* Length of bfd_simple_auth + pasword length */ + u8 key_id; /* Key ID */ + byte password[0]; /* Password itself, variable length */ +}; + +#define BFD_MAX_PASSWORD_LENGTH 16 + +struct bfd_crypto_auth +{ + u8 type; /* BFD_AUTH_*_MD5 or BFD_AUTH_*_SHA1 */ + u8 length; /* Length of bfd_crypto_auth + hash length */ + u8 key_id; /* Key ID */ + u8 zero; /* Reserved, zero on transmit */ + u32 csn; /* Cryptographic sequence number */ + byte data[0]; /* Authentication key/hash, length 16 or 20 */ +}; + #define BFD_BASE_LEN sizeof(struct bfd_ctl_packet) #define BFD_MAX_LEN 64 +#define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0) + +#define LOG_PKT(msg, args...) \ + log(L_REMOTE "%s: " msg, p->p.name, args) + +#define LOG_PKT_AUTH(msg, args...) \ + log(L_AUTH "%s: " msg, p->p.name, args) + + static inline u8 bfd_pack_vdiag(u8 version, u8 diag) { return (version << 5) | diag; } @@ -39,7 +75,7 @@ static inline u8 bfd_pkt_get_diag(struct bfd_ctl_packet *pkt) static inline u8 bfd_pkt_get_state(struct bfd_ctl_packet *pkt) { return pkt->flags >> 6; } -static inline void bfd_pkt_set_state(struct bfd_ctl_packet *pkt, u8 val) +static inline void UNUSED bfd_pkt_set_state(struct bfd_ctl_packet *pkt, u8 val) { pkt->flags = val << 6; } @@ -59,6 +95,189 @@ bfd_format_flags(u8 flags, char *buf) return buf; } +const u8 bfd_auth_type_to_hash_alg[] = { + [BFD_AUTH_NONE] = ALG_UNDEFINED, + [BFD_AUTH_SIMPLE] = ALG_UNDEFINED, + [BFD_AUTH_KEYED_MD5] = ALG_MD5, + [BFD_AUTH_METICULOUS_KEYED_MD5] = ALG_MD5, + [BFD_AUTH_KEYED_SHA1] = ALG_SHA1, + [BFD_AUTH_METICULOUS_KEYED_SHA1] = ALG_SHA1, +}; + + +/* Fill authentication section and modifies final length in control section packet */ +static void +bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt) +{ + struct bfd_iface_config *cf = s->ifa->cf; + struct password_item *pass = password_find(cf->passwords, 0); + uint meticulous = 0; + + if (!pass) + { + /* FIXME: This should not happen */ + log(L_ERR "%s: No suitable password found for authentication", p->p.name); + return; + } + + switch (cf->auth_type) + { + case BFD_AUTH_SIMPLE: + { + struct bfd_simple_auth *auth = (void *) (pkt + 1); + uint pass_len = MIN(pass->length, BFD_MAX_PASSWORD_LENGTH); + + auth->type = BFD_AUTH_SIMPLE; + auth->length = sizeof(struct bfd_simple_auth) + pass_len; + auth->key_id = pass->id; + + pkt->flags |= BFD_FLAG_AP; + pkt->length += auth->length; + + memcpy(auth->password, pass->password, pass_len); + return; + } + + case BFD_AUTH_METICULOUS_KEYED_MD5: + case BFD_AUTH_METICULOUS_KEYED_SHA1: + meticulous = 1; + + case BFD_AUTH_KEYED_MD5: + case BFD_AUTH_KEYED_SHA1: + { + struct bfd_crypto_auth *auth = (void *) (pkt + 1); + uint hash_alg = bfd_auth_type_to_hash_alg[cf->auth_type]; + uint hash_len = mac_type_length(pass->alg); + + /* Increase CSN about one time per second */ + u32 new_time = (u64) current_time() >> 20; + if ((new_time != s->tx_csn_time) || meticulous) + { + s->tx_csn++; + s->tx_csn_time = new_time; + } + + DBG("[%I] CSN: %u\n", s->addr, s->last_tx_csn); + + auth->type = cf->auth_type; + auth->length = sizeof(struct bfd_crypto_auth) + hash_len; + auth->key_id = pass->id; + auth->zero = 0; + auth->csn = htonl(s->tx_csn); + + pkt->flags |= BFD_FLAG_AP; + pkt->length += auth->length; + + strncpy(auth->data, pass->password, hash_len); + mac_fill(hash_alg, NULL, 0, (byte *) pkt, pkt->length, auth->data); + return; + } + } +} + +static int +bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt) +{ + struct bfd_iface_config *cf = s->ifa->cf; + const char *err_dsc = NULL; + uint err_val = 0; + uint auth_type = 0; + uint meticulous = 0; + + if (pkt->flags & BFD_FLAG_AP) + { + struct bfd_auth *auth = (void *) (pkt + 1); + + if ((pkt->length < (BFD_BASE_LEN + sizeof(struct bfd_auth))) || + (pkt->length < (BFD_BASE_LEN + auth->length))) + DROP("packet length mismatch", pkt->length); + + /* Zero is reserved, we use it as BFD_AUTH_NONE internally */ + if (auth->type == 0) + DROP("reserved authentication type", 0); + + auth_type = auth->type; + } + + if (auth_type != cf->auth_type) + DROP("authentication method mismatch", auth_type); + + switch (auth_type) + { + case BFD_AUTH_NONE: + return 1; + + case BFD_AUTH_SIMPLE: + { + struct bfd_simple_auth *auth = (void *) (pkt + 1); + + if (auth->length < sizeof(struct bfd_simple_auth)) + DROP("wrong authentication length", auth->length); + + struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id); + if (!pass) + DROP("no suitable password found", auth->key_id); + + uint pass_len = MIN(pass->length, BFD_MAX_PASSWORD_LENGTH); + uint auth_len = sizeof(struct bfd_simple_auth) + pass_len; + + if ((auth->length != auth_len) || memcmp(auth->password, pass->password, pass_len)) + DROP("wrong password", pass->id); + + return 1; + } + + case BFD_AUTH_METICULOUS_KEYED_MD5: + case BFD_AUTH_METICULOUS_KEYED_SHA1: + meticulous = 1; + + case BFD_AUTH_KEYED_MD5: + case BFD_AUTH_KEYED_SHA1: + { + struct bfd_crypto_auth *auth = (void *) (pkt + 1); + uint hash_alg = bfd_auth_type_to_hash_alg[cf->auth_type]; + uint hash_len = mac_type_length(hash_alg); + + if (auth->length != (sizeof(struct bfd_crypto_auth) + hash_len)) + DROP("wrong authentication length", auth->length); + + struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id); + if (!pass) + DROP("no suitable password found", auth->key_id); + + /* BFD CSNs are in 32-bit circular number space */ + u32 csn = ntohl(auth->csn); + if (s->rx_csn_known && + (((csn - s->rx_csn) > (3 * s->detect_mult)) || + (meticulous && (csn == s->rx_csn)))) + { + /* We want to report both new and old CSN */ + LOG_PKT_AUTH("Authentication failed for %I - " + "wrong sequence number (rcv %u, old %u)", + s->addr, csn, s->rx_csn); + return 0; + } + + byte *auth_data = alloca(hash_len); + memcpy(auth_data, auth->data, hash_len); + strncpy(auth->data, pass->password, hash_len); + + if (!mac_verify(hash_alg, NULL, 0, (byte *) pkt, pkt->length, auth_data)) + DROP("wrong authentication code", pass->id); + + s->rx_csn = csn; + s->rx_csn_known = 1; + + return 1; + } + } + +drop: + LOG_PKT_AUTH("Authentication failed for %I - %s (%u)", + s->addr, err_dsc, err_val); + return 0; +} + void bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final) { @@ -85,6 +304,9 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final) else if (s->poll_active) pkt->flags |= BFD_FLAG_POLL; + if (s->ifa->cf->auth_type) + bfd_fill_authentication(p, s, pkt); + if (sk->tbuf != sk->tpos) log(L_WARN "%s: Old packet overwritten in TX buffer", p->p.name); @@ -94,10 +316,8 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final) sk_send_to(sk, pkt->length, s->addr, sk->dport); } -#define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0) - static int -bfd_rx_hook(sock *sk, int len) +bfd_rx_hook(sock *sk, uint len) { struct bfd_proto *p = sk->data; struct bfd_ctl_packet *pkt = (struct bfd_ctl_packet *) sk->rbuf; @@ -151,10 +371,9 @@ bfd_rx_hook(sock *sk, int len) return 1; } - /* FIXME: better authentication handling and message */ - if (pkt->flags & BFD_FLAG_AP) - DROP("authentication not supported", 0); - + /* bfd_check_authentication() has its own error logging */ + if (!bfd_check_authentication(p, s, pkt)) + return 1; u32 old_tx_int = s->des_min_tx_int; u32 old_rx_int = s->rem_min_rx_int; @@ -173,8 +392,8 @@ bfd_rx_hook(sock *sk, int len) bfd_session_process_ctl(s, pkt->flags, old_tx_int, old_rx_int); return 1; - drop: - log(L_REMOTE "%s: Bad packet from %I - %s (%u)", p->p.name, sk->faddr, err_dsc, err_val); +drop: + LOG_PKT("Bad packet from %I - %s (%u)", sk->faddr, err_dsc, err_val); return 1; } diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c index b8371f32..0309c1f7 100644 --- a/proto/bgp/attrs.c +++ b/proto/bgp/attrs.c @@ -191,7 +191,7 @@ validate_as4_path(struct bgp_proto *p, struct adata *path) } static int -bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a, int len) +bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a UNUSED6, int len UNUSED6) { #ifdef IPV6 return IGNORE; @@ -289,6 +289,12 @@ bgp_check_ext_community(struct bgp_proto *p UNUSED, byte *a UNUSED, int len) return ((len % 8) == 0) ? 0 : WITHDRAW; } +static int +bgp_check_large_community(struct bgp_proto *p UNUSED, byte *a UNUSED, int len) +{ + return ((len % 12) == 0) ? 0 : WITHDRAW; +} + static struct attr_desc bgp_attr_table[] = { { NULL, -1, 0, 0, 0, /* Undefined */ @@ -325,7 +331,10 @@ static struct attr_desc bgp_attr_table[] = { { "as4_path", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AS4_PATH */ NULL, NULL }, { "as4_aggregator", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AS4_PATH */ - NULL, NULL } + NULL, NULL }, + [BA_LARGE_COMMUNITY] = + { "large_community", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_LC_SET, 1, + bgp_check_large_community, NULL } }; /* BA_AS4_PATH is type EAF_TYPE_OPAQUE and not type EAF_TYPE_AS_PATH. @@ -575,7 +584,7 @@ bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains) len = bgp_get_attr_len(a); /* Skip empty sets */ - if (((type == EAF_TYPE_INT_SET) || (type == EAF_TYPE_EC_SET)) && (len == 0)) + if (((type == EAF_TYPE_INT_SET) || (type == EAF_TYPE_EC_SET) || (type == EAF_TYPE_LC_SET)) && (len == 0)) continue; if (remains < len + 4) @@ -601,6 +610,7 @@ bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains) break; } case EAF_TYPE_INT_SET: + case EAF_TYPE_LC_SET: case EAF_TYPE_EC_SET: { u32 *z = int_set_get_data(a->u.ptr); @@ -683,6 +693,25 @@ bgp_normalize_ec_set(struct adata *ad, u32 *src, int internal) qsort(dst, ad->length / 8, 8, (int(*)(const void *, const void *)) bgp_compare_ec); } +static int +bgp_compare_lc(const u32 *x, const u32 *y) +{ + if (x[0] != y[0]) + return (x[0] > y[0]) ? 1 : -1; + if (x[1] != y[1]) + return (x[1] > y[1]) ? 1 : -1; + if (x[2] != y[2]) + return (x[2] > y[2]) ? 1 : -1; + return 0; +} + +static inline void +bgp_normalize_lc_set(u32 *dest, u32 *src, unsigned cnt) +{ + memcpy(dest, src, LCOMM_LENGTH * cnt); + qsort(dest, cnt, LCOMM_LENGTH, (int(*)(const void *, const void *)) bgp_compare_lc); +} + static void bgp_rehash_buckets(struct bgp_proto *p) { @@ -827,6 +856,14 @@ bgp_get_bucket(struct bgp_proto *p, net *n, ea_list *attrs, int originate) d->u.ptr = z; break; } + case EAF_TYPE_LC_SET: + { + struct adata *z = alloca(sizeof(struct adata) + d->u.ptr->length); + z->length = d->u.ptr->length; + bgp_normalize_lc_set((u32 *) z->data, (u32 *) d->u.ptr->data, z->length / LCOMM_LENGTH); + d->u.ptr = z; + break; + } default: ; } d++; @@ -1797,6 +1834,7 @@ bgp_decode_attrs(struct bgp_conn *conn, byte *attr, uint len, struct linpool *po ipa_ntoh(*(ip_addr *)ad->data); break; case EAF_TYPE_INT_SET: + case EAF_TYPE_LC_SET: case EAF_TYPE_EC_SET: { u32 *z = (u32 *) ad->data; diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index 0ae3db7b..cac5d4c4 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -807,7 +807,7 @@ bgp_find_proto(sock *sk) * closes the new connection by sending a Notification message. */ static int -bgp_incoming_connection(sock *sk, int dummy UNUSED) +bgp_incoming_connection(sock *sk, uint dummy UNUSED) { struct bgp_proto *p; int acc, hops; diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h index b1cca2d9..b4067f3a 100644 --- a/proto/bgp/bgp.h +++ b/proto/bgp/bgp.h @@ -191,7 +191,7 @@ struct bgp_bucket { #define BGP_RX_BUFFER_EXT_SIZE 65535 #define BGP_TX_BUFFER_EXT_SIZE 65535 -static inline int bgp_max_packet_length(struct bgp_proto *p) +static inline uint bgp_max_packet_length(struct bgp_proto *p) { return p->ext_messages ? BGP_MAX_EXT_MSG_LENGTH : BGP_MAX_MESSAGE_LENGTH; } extern struct linpool *bgp_linpool; @@ -268,7 +268,7 @@ void mrt_dump_bgp_state_change(struct bgp_conn *conn, unsigned old, unsigned new void bgp_schedule_packet(struct bgp_conn *conn, int type); void bgp_kick_tx(void *vconn); void bgp_tx(struct birdsock *sk); -int bgp_rx(struct birdsock *sk, int size); +int bgp_rx(struct birdsock *sk, uint size); const char * bgp_error_dsc(unsigned code, unsigned subcode); void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len); @@ -308,6 +308,7 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi #define BA_EXT_COMMUNITY 0x10 /* [RFC4360] */ #define BA_AS4_PATH 0x11 /* [RFC4893] */ #define BA_AS4_AGGREGATOR 0x12 +#define BA_LARGE_COMMUNITY 0x20 /* [draft-ietf-idr-large-community] */ /* BGP connection states */ diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y index 33561bff..bdbb6007 100644 --- a/proto/bgp/config.Y +++ b/proto/bgp/config.Y @@ -27,7 +27,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, INTERPRET, COMMUNITIES, BGP_ORIGINATOR_ID, BGP_CLUSTER_LIST, IGP, TABLE, GATEWAY, DIRECT, RECURSIVE, MED, TTL, SECURITY, DETERMINISTIC, SECONDARY, ALLOW, BFD, ADD, PATHS, RX, TX, GRACEFUL, RESTART, AWARE, - CHECK, LINK, PORT, EXTENDED, MESSAGES, SETKEY) + CHECK, LINK, PORT, EXTENDED, MESSAGES, SETKEY, BGP_LARGE_COMMUNITY) CF_GRAMMAR @@ -153,6 +153,8 @@ CF_ADDTO(dynamic_attr, BGP_CLUSTER_LIST { $$ = f_new_dynamic_attr(EAF_TYPE_INT_SET, T_CLIST, EA_CODE(EAP_BGP, BA_CLUSTER_LIST)); }) CF_ADDTO(dynamic_attr, BGP_EXT_COMMUNITY { $$ = f_new_dynamic_attr(EAF_TYPE_EC_SET, T_ECLIST, EA_CODE(EAP_BGP, BA_EXT_COMMUNITY)); }) +CF_ADDTO(dynamic_attr, BGP_LARGE_COMMUNITY + { $$ = f_new_dynamic_attr(EAF_TYPE_LC_SET, T_LCLIST, EA_CODE(EAP_BGP, BA_LARGE_COMMUNITY)); }) diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index 0cf38edf..3e816839 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -191,7 +191,7 @@ bgp_put_cap_gr1(struct bgp_proto *p, byte *buf) } static byte * -bgp_put_cap_gr2(struct bgp_proto *p, byte *buf) +bgp_put_cap_gr2(struct bgp_proto *p UNUSED, byte *buf) { *buf++ = 64; /* Capability 64: Support for graceful restart */ *buf++ = 2; /* Capability data length */ @@ -931,7 +931,7 @@ bgp_parse_options(struct bgp_conn *conn, byte *opt, int len) } static void -bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len) +bgp_rx_open(struct bgp_conn *conn, byte *pkt, uint len) { struct bgp_conn *other; struct bgp_proto *p = conn->bgp; @@ -944,7 +944,7 @@ bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len) { bgp_error(conn, 5, fsm_err_subcode[conn->state], NULL, 0); return; } /* Check message contents */ - if (len < 29 || len != 29 + pkt[28]) + if (len < 29 || len != 29U + pkt[28]) { bgp_error(conn, 1, 2, pkt+16, 2); return; } if (pkt[19] != BGP_VERSION) { bgp_error(conn, 2, 1, pkt+19, 1); return; } /* RFC 1771 says 16 bits, draft-09 tells to use 8 */ @@ -1256,16 +1256,15 @@ bgp_do_rx_update(struct bgp_conn *conn, #else /* IPv6 version */ #define DO_NLRI(name) \ - start = x = p->name##_start; \ + x = p->name##_start; \ len = len0 = p->name##_len; \ if (len) \ { \ if (len < 3) { err=9; goto done; } \ af = get_u16(x); \ - sub = x[2]; \ x += 3; \ len -= 3; \ - DBG("\tNLRI AF=%d sub=%d len=%d\n", af, sub, len);\ + DBG("\tNLRI AF=%d sub=%d len=%d\n", af, x[-1], len);\ } \ else \ af = 0; \ @@ -1291,15 +1290,15 @@ bgp_attach_next_hop(rta *a0, byte *x) static void bgp_do_rx_update(struct bgp_conn *conn, - byte *withdrawn, int withdrawn_len, - byte *nlri, int nlri_len, + byte *withdrawn UNUSED, int withdrawn_len, + byte *nlri UNUSED, int nlri_len, byte *attrs, int attr_len) { struct bgp_proto *p = conn->bgp; struct rte_src *src = p->p.main_source; - byte *start, *x; + byte *x; int len, len0; - unsigned af, sub; + unsigned af; rta *a0, *a = NULL; ip_addr prefix; int pxlen, err = 0; @@ -1375,11 +1374,11 @@ bgp_do_rx_update(struct bgp_conn *conn, #endif static void -bgp_rx_update(struct bgp_conn *conn, byte *pkt, int len) +bgp_rx_update(struct bgp_conn *conn, byte *pkt, uint len) { struct bgp_proto *p = conn->bgp; byte *withdrawn, *attrs, *nlri; - int withdrawn_len, attr_len, nlri_len; + uint withdrawn_len, attr_len, nlri_len; BGP_TRACE_RL(&rl_rcv_update, D_PACKETS, "Got UPDATE"); @@ -1525,7 +1524,7 @@ bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned } static void -bgp_rx_notification(struct bgp_conn *conn, byte *pkt, int len) +bgp_rx_notification(struct bgp_conn *conn, byte *pkt, uint len) { struct bgp_proto *p = conn->bgp; if (len < 21) @@ -1591,7 +1590,7 @@ bgp_rx_keepalive(struct bgp_conn *conn) } static void -bgp_rx_route_refresh(struct bgp_conn *conn, byte *pkt, int len) +bgp_rx_route_refresh(struct bgp_conn *conn, byte *pkt, uint len) { struct bgp_proto *p = conn->bgp; @@ -1680,7 +1679,7 @@ bgp_rx_packet(struct bgp_conn *conn, byte *pkt, unsigned len) * bgp_rx_packet(). */ int -bgp_rx(sock *sk, int size) +bgp_rx(sock *sk, uint size) { struct bgp_conn *conn = sk->data; struct bgp_proto *p = conn->bgp; diff --git a/proto/ospf/config.Y b/proto/ospf/config.Y index 297774b5..72928875 100644 --- a/proto/ospf/config.Y +++ b/proto/ospf/config.Y @@ -42,6 +42,20 @@ ospf_iface_finish(void) if ((ip->autype == OSPF_AUTH_NONE) && (ip->passwords != NULL)) log(L_WARN "Password option without authentication option does not make sense"); + + if (ip->passwords) + { + struct password_item *pass; + WALK_LIST(pass, *ip->passwords) + { + if (pass->alg && (ip->autype != OSPF_AUTH_CRYPT)) + cf_error("Password algorithm option requires cryptographic authentication"); + + /* Set default OSPF crypto algorithms */ + if (!pass->alg && (ip->autype == OSPF_AUTH_CRYPT)) + pass->alg = ospf_cfg_is_v2() ? ALG_MD5 : ALG_HMAC_SHA256; + } + } } static void diff --git a/proto/ospf/hello.c b/proto/ospf/hello.c index 3fbb6167..2c55155d 100644 --- a/proto/ospf/hello.c +++ b/proto/ospf/hello.c @@ -105,7 +105,7 @@ ospf_send_hello(struct ospf_iface *ifa, int kind, struct ospf_neighbor *dirn) } i = 0; - max = (ospf_pkt_maxsize(p, ifa) - length) / sizeof(u32); + max = (ospf_pkt_maxsize(ifa) - length) / sizeof(u32); /* Fill all neighbors */ if (kind != OHS_SHUTDOWN) @@ -222,9 +222,12 @@ ospf_receive_hello(struct ospf_packet *pkt, struct ospf_iface *ifa, rcv_priority = ps->priority; int pxlen = u32_masklen(ntohl(ps->netmask)); + if (pxlen < 0) + DROP("prefix garbled", ntohl(ps->netmask)); + if ((ifa->type != OSPF_IT_VLINK) && (ifa->type != OSPF_IT_PTP) && - (pxlen != ifa->addr->prefix.pxlen)) + ((uint) pxlen != ifa->addr->prefix.pxlen)) DROP("prefix length mismatch", pxlen); neighbors = ps->neighbors; diff --git a/proto/ospf/iface.c b/proto/ospf/iface.c index 6ef24ffe..675cf76d 100644 --- a/proto/ospf/iface.c +++ b/proto/ospf/iface.c @@ -9,6 +9,7 @@ */ #include "ospf.h" +#include "nest/password.h" const char *ospf_is_names[] = { @@ -52,6 +53,20 @@ ifa_tx_length(struct ospf_iface *ifa) } static inline uint +ifa_tx_hdrlen(struct ospf_iface *ifa) +{ + struct ospf_proto *p = ifa->oa->po; + + uint hlen = ospf_is_v2(p) ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH; + + /* Relevant just for OSPFv2 */ + if (ifa->autype == OSPF_AUTH_CRYPT) + hlen += max_mac_length(ifa->passwords); + + return hlen; +} + +static inline uint ifa_bufsize(struct ospf_iface *ifa) { uint bsize = ifa->cf->rx_buffer ?: ifa->iface->mtu; @@ -67,13 +82,7 @@ ifa_flood_queue_size(struct ospf_iface *ifa) int ospf_iface_assure_bufsize(struct ospf_iface *ifa, uint plen) { - struct ospf_proto *p = ifa->oa->po; - - plen += ospf_is_v2(p) ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH; - - /* This is relevant just for OSPFv2 */ - if (ifa->autype == OSPF_AUTH_CRYPT) - plen += OSPF_AUTH_CRYPT_SIZE; + plen += ifa->tx_hdrlen; if (plen <= ifa->sk->tbsize) return 0; @@ -569,6 +578,7 @@ ospf_iface_new(struct ospf_area *oa, struct ifa *addr, struct ospf_iface_patt *i ifa->stub = ospf_iface_stubby(ip, addr); ifa->ioprob = OSPF_I_OK; ifa->tx_length = ifa_tx_length(ifa); + ifa->tx_hdrlen = ifa_tx_hdrlen(ifa); ifa->check_link = ip->check_link; ifa->ecmp_weight = ip->ecmp_weight; ifa->check_ttl = (ip->ttl_security == 1); @@ -680,6 +690,7 @@ ospf_iface_new_vlink(struct ospf_proto *p, struct ospf_iface_patt *ip) ifa->deadint = ip->deadint; ifa->inftransdelay = ip->inftransdelay; ifa->tx_length = ospf_is_v2(p) ? IP4_MIN_MTU : IP6_MIN_MTU; + ifa->tx_hdrlen = ifa_tx_hdrlen(ifa); ifa->autype = ip->autype; ifa->passwords = ip->passwords; ifa->instance_id = ip->instance_id; @@ -820,6 +831,9 @@ ospf_iface_reconfigure(struct ospf_iface *ifa, struct ospf_iface_patt *new) /* Update passwords */ ifa->passwords = new->passwords; + /* Update header length */ + ifa->tx_hdrlen = ifa_tx_hdrlen(ifa); + /* Remaining options are just for proper interfaces */ if (ifa->type == OSPF_IT_VLINK) return 1; diff --git a/proto/ospf/lsalib.c b/proto/ospf/lsalib.c index b4d2faba..b88a114d 100644 --- a/proto/ospf/lsalib.c +++ b/proto/ospf/lsalib.c @@ -461,7 +461,7 @@ lsa_validate_sum3_net(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_net *bod } static int -lsa_validate_sum3_rt(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_rt *body) +lsa_validate_sum3_rt(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_rt *body UNUSED) { if (lsa->length != (HDRLEN + sizeof(struct ospf_lsa_sum3_rt))) return 0; diff --git a/proto/ospf/lsupd.c b/proto/ospf/lsupd.c index 65ad8e3d..157d9628 100644 --- a/proto/ospf/lsupd.c +++ b/proto/ospf/lsupd.c @@ -105,7 +105,7 @@ invalid: static inline void -ospf_lsa_lsrq_down(struct top_hash_entry *req, struct ospf_neighbor *n, struct ospf_neighbor *from) +ospf_lsa_lsrq_down(struct top_hash_entry *req, struct ospf_neighbor *n) { if (req == n->lsrqi) n->lsrqi = SNODE_NEXT(req); @@ -188,7 +188,7 @@ ospf_enqueue_lsa(struct ospf_proto *p, struct top_hash_entry *en, struct ospf_if { /* If we already have full queue, we send some packets */ uint sent = ospf_flood_lsupd(p, ifa->flood_queue, ifa->flood_queue_used, ifa->flood_queue_used / 2, ifa); - int i; + uint i; for (i = 0; i < sent; i++) ifa->flood_queue[i]->ret_count--; @@ -275,7 +275,7 @@ ospf_flood_lsa(struct ospf_proto *p, struct top_hash_entry *en, struct ospf_neig /* If same or newer, remove LSA from the link state request list */ if (cmp > CMP_OLDER) - ospf_lsa_lsrq_down(req, n, from); + ospf_lsa_lsrq_down(req, n); /* If older or same, skip processing of this neighbor */ if (cmp < CMP_NEWER) @@ -330,7 +330,7 @@ ospf_prepare_lsupd(struct ospf_proto *p, struct ospf_iface *ifa, pkt = ospf_tx_buffer(ifa); hlen = ospf_lsupd_hdrlen(p); - maxsize = ospf_pkt_maxsize(p, ifa); + maxsize = ospf_pkt_maxsize(ifa); ospf_pkt_fill_hdr(ifa, pkt, LSUPD_P); pos = hlen; diff --git a/proto/ospf/ospf.h b/proto/ospf/ospf.h index 4f445f07..e3eae2b5 100644 --- a/proto/ospf/ospf.h +++ b/proto/ospf/ospf.h @@ -171,11 +171,7 @@ struct ospf_iface_patt #define OSPF_RXBUF_MINSIZE 256 /* Minimal allowed size */ u8 instance_id; - u8 autype; /* Not really used in OSPFv3 */ -#define OSPF_AUTH_NONE 0 -#define OSPF_AUTH_SIMPLE 1 -#define OSPF_AUTH_CRYPT 2 -#define OSPF_AUTH_CRYPT_SIZE 16 + u8 autype; /* OSPF_AUTH_*, not really used in OSPFv3 */ u8 strictnbma; u8 check_link; u8 ecmp_weight; @@ -325,6 +321,7 @@ struct ospf_iface u8 marked; /* Used in OSPF reconfigure, 2 for force restart */ u16 rxbuf; /* Buffer size */ u16 tx_length; /* Soft TX packet length limit, usually MTU */ + u16 tx_hdrlen; /* Expected packet header length, less than tx_length */ u8 check_link; /* Whether iface link change is used */ u8 ecmp_weight; /* Weight used for ECMP */ u8 link_lsa_suppression; /* Suppression of Link-LSA origination */ @@ -415,6 +412,11 @@ struct ospf_neighbor #define ISM_UNLOOP 5 /* Link up */ #define ISM_DOWN 6 /* Interface down */ +/* OSPF authentication types */ +#define OSPF_AUTH_NONE 0 +#define OSPF_AUTH_SIMPLE 1 +#define OSPF_AUTH_CRYPT 2 + /* OSPF neighbor states */ #define NEIGHBOR_DOWN 0 @@ -446,7 +448,6 @@ struct ospf_neighbor #define TRANS_WAIT 2 /* Waiting before the end of translation */ - /* Generic option flags */ #define OPT_V6 0x01 /* OSPFv3, LSA relevant for IPv6 routing calculation */ #define OPT_E 0x02 /* Related to AS-external LSAs */ @@ -482,7 +483,7 @@ struct ospf_packet u8 autype; /* Undefined for OSPFv3 */ }; -struct ospf_md5 +struct ospf_auth_crypto { u16 zero; u8 keyid; @@ -493,7 +494,7 @@ struct ospf_md5 union ospf_auth { u8 password[8]; - struct ospf_md5 md5; + struct ospf_auth_crypto c32; }; /* Packet types */ @@ -890,8 +891,7 @@ void ospf_sh_neigh_info(struct ospf_neighbor *n); /* packet.c */ void ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type); -uint ospf_pkt_maxsize(struct ospf_proto *p, struct ospf_iface *ifa); -int ospf_rx_hook(sock * sk, int size); +int ospf_rx_hook(sock * sk, uint size); // void ospf_tx_hook(sock * sk); void ospf_err_hook(sock * sk, int err); void ospf_verr_hook(sock *sk, int err); @@ -899,6 +899,9 @@ void ospf_send_to(struct ospf_iface *ifa, ip_addr ip); void ospf_send_to_agt(struct ospf_iface *ifa, u8 state); void ospf_send_to_bdr(struct ospf_iface *ifa); +static inline uint ospf_pkt_maxsize(struct ospf_iface *ifa) +{ return ifa->tx_length - ifa->tx_hdrlen; } + static inline void ospf_send_to_all(struct ospf_iface *ifa) { ospf_send_to(ifa, ifa->all_routers); } diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c index 7ce6d99f..b84780d3 100644 --- a/proto/ospf/packet.c +++ b/proto/ospf/packet.c @@ -11,6 +11,7 @@ #include "ospf.h" #include "nest/password.h" #include "lib/md5.h" +#include "lib/mac.h" #include "lib/socket.h" void @@ -23,7 +24,7 @@ ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type) pkt->version = ospf_get_version(p); pkt->type = h_type; - pkt->length = htons(ospf_pkt_maxsize(p, ifa)); + pkt->length = htons(ospf_pkt_maxsize(ifa)); pkt->routerid = htonl(p->router_id); pkt->areaid = htonl(ifa->oa->areaid); pkt->checksum = 0; @@ -31,25 +32,12 @@ ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type) pkt->autype = ifa->autype; } -uint -ospf_pkt_maxsize(struct ospf_proto *p, struct ospf_iface *ifa) -{ - uint headers = ospf_is_v2(p) ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH; - - /* Relevant just for OSPFv2 */ - if (ifa->autype == OSPF_AUTH_CRYPT) - headers += OSPF_AUTH_CRYPT_SIZE; - - return ifa->tx_length - headers; -} - /* We assume OSPFv2 in ospf_pkt_finalize() */ static void -ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt) +ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen) { - struct password_item *passwd = NULL; + struct password_item *pass = NULL; union ospf_auth *auth = (void *) (pkt + 1); - uint plen = ntohs(pkt->length); pkt->checksum = 0; pkt->autype = ifa->autype; @@ -61,25 +49,25 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt) switch (ifa->autype) { case OSPF_AUTH_SIMPLE: - passwd = password_find(ifa->passwords, 1); - if (!passwd) + pass = password_find(ifa->passwords, 1); + if (!pass) { log(L_ERR "No suitable password found for authentication"); return; } - strncpy(auth->password, passwd->password, sizeof(auth->password)); + strncpy(auth->password, pass->password, sizeof(auth->password)); case OSPF_AUTH_NONE: { void *body = (void *) (auth + 1); - uint blen = plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth); + uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth); pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL); } break; case OSPF_AUTH_CRYPT: - passwd = password_find(ifa->passwords, 0); - if (!passwd) + pass = password_find(ifa->passwords, 0); + if (!pass) { log(L_ERR "No suitable password found for authentication"); return; @@ -100,20 +88,25 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt) ifa->csn_use = now; - auth->md5.zero = 0; - auth->md5.keyid = passwd->id; - auth->md5.len = OSPF_AUTH_CRYPT_SIZE; - auth->md5.csn = htonl(ifa->csn); + uint auth_len = mac_type_length(pass->alg); + byte *auth_tail = ((byte *) pkt + *plen); + *plen += auth_len; + + ASSERT(*plen < ifa->sk->tbsize); - void *tail = ((void *) pkt) + plen; - char password[OSPF_AUTH_CRYPT_SIZE]; - strncpy(password, passwd->password, sizeof(password)); + auth->c32.zero = 0; + auth->c32.keyid = pass->id; + auth->c32.len = auth_len; + auth->c32.csn = htonl(ifa->csn); - struct md5_context ctx; - md5_init(&ctx); - md5_update(&ctx, (char *) pkt, plen); - md5_update(&ctx, password, OSPF_AUTH_CRYPT_SIZE); - memcpy((byte *) tail, md5_final(&ctx), MD5_SIZE); + /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */ + if (pass->alg < ALG_HMAC) + strncpy(auth_tail, pass->password, auth_len); + else + memset32(auth_tail, HMAC_MAGIC, auth_len / 4); + + mac_fill(pass->alg, pass->password, pass->length, + (byte *) pkt, *plen, auth_tail); break; default: @@ -124,7 +117,7 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt) /* We assume OSPFv2 in ospf_pkt_checkauth() */ static int -ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, int len) +ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len) { struct ospf_proto *p = ifa->oa->po; union ospf_auth *auth = (void *) (pkt + 1); @@ -154,13 +147,19 @@ ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_ return 1; case OSPF_AUTH_CRYPT: - if (auth->md5.len != OSPF_AUTH_CRYPT_SIZE) - DROP("invalid MD5 digest length", auth->md5.len); + pass = password_find_by_id(ifa->passwords, auth->c32.keyid); + if (!pass) + DROP("no suitable password found", auth->c32.keyid); + + uint auth_len = mac_type_length(pass->alg); - if (plen + OSPF_AUTH_CRYPT_SIZE > len) - DROP("length mismatch", len); + if (plen + auth->c32.len > len) + DROP("packet length mismatch", len); - u32 rcv_csn = ntohl(auth->md5.csn); + if (auth->c32.len != auth_len) + DROP("wrong authentication length", auth->c32.len); + + u32 rcv_csn = ntohl(auth->c32.csn); if (n && (rcv_csn < n->csn)) // DROP("lower sequence number", rcv_csn); { @@ -171,22 +170,19 @@ ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_ return 0; } - pass = password_find_by_id(ifa->passwords, auth->md5.keyid); - if (!pass) - DROP("no suitable password found", auth->md5.keyid); - - byte *tail = ((byte *) pkt) + plen; - char received[OSPF_AUTH_CRYPT_SIZE]; - memcpy(received, tail, OSPF_AUTH_CRYPT_SIZE); - strncpy(tail, pass->password, OSPF_AUTH_CRYPT_SIZE); + byte *auth_tail = ((byte *) pkt) + plen; + byte *auth_data = alloca(auth_len); + memcpy(auth_data, auth_tail, auth_len); - struct md5_context ctx; - md5_init(&ctx); - md5_update(&ctx, (byte *) pkt, plen + OSPF_AUTH_CRYPT_SIZE); - char *computed = md5_final(&ctx); + /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */ + if (pass->alg < ALG_HMAC) + strncpy(auth_tail, pass->password, auth_len); + else + memset32(auth_tail, HMAC_MAGIC, auth_len / 4); - if (memcmp(received, computed, OSPF_AUTH_CRYPT_SIZE)) - DROP("wrong MD5 digest", pass->id); + if (!mac_verify(pass->alg, pass->password, pass->length, + (byte *) pkt, plen + auth_len, auth_data)) + DROP("wrong authentication code", pass->id); if (n) n->csn = rcv_csn; @@ -214,7 +210,7 @@ drop: * non generic functions. */ int -ospf_rx_hook(sock *sk, int len) +ospf_rx_hook(sock *sk, uint len) { /* We want just packets from sk->iface. Unfortunately, on BSD we cannot filter out other packets at kernel level and we receive all packets on all sockets */ @@ -472,15 +468,10 @@ ospf_send_to(struct ospf_iface *ifa, ip_addr dst) { sock *sk = ifa->sk; struct ospf_packet *pkt = (struct ospf_packet *) sk->tbuf; - int plen = ntohs(pkt->length); + uint plen = ntohs(pkt->length); if (ospf_is_v2(ifa->oa->po)) - { - if (ifa->autype == OSPF_AUTH_CRYPT) - plen += OSPF_AUTH_CRYPT_SIZE; - - ospf_pkt_finalize(ifa, pkt); - } + ospf_pkt_finalize(ifa, pkt, &plen); int done = sk_send_to(sk, plen, dst, 0); if (!done) diff --git a/proto/ospf/rt.c b/proto/ospf/rt.c index 5538f4c8..c5c54783 100644 --- a/proto/ospf/rt.c +++ b/proto/ospf/rt.c @@ -671,7 +671,7 @@ link_back(struct ospf_area *oa, struct top_hash_entry *en, struct top_hash_entry which may be later used as the next hop. */ /* In OSPFv2, en->lb is set here. In OSPFv3, en->lb is just cleared here, - it is set in process_prefixes() to any global addres in the area */ + it is set in process_prefixes() to any global address in the area */ en->lb = IPA_NONE; en->lb_id = 0; @@ -923,7 +923,7 @@ ospf_rt_sum_tr(struct ospf_area *oa) } } -/* Decide about originating or flushing summary LSAs for condended area networks */ +/* Decide about originating or flushing summary LSAs for condensed area networks */ static int decide_anet_lsa(struct ospf_area *oa, struct area_net *anet, struct ospf_area *anet_oa) { diff --git a/proto/ospf/topology.c b/proto/ospf/topology.c index 86e39d75..aaaf2e8e 100644 --- a/proto/ospf/topology.c +++ b/proto/ospf/topology.c @@ -513,6 +513,7 @@ ospf_update_lsadb(struct ospf_proto *p) } } + static u32 ort_to_lsaid(struct ospf_proto *p, ort *nf) { @@ -610,7 +611,7 @@ lsab_offset(struct ospf_proto *p, uint offset) return ((byte *) p->lsab) + offset; } -static inline void * +static inline void * UNUSED lsab_end(struct ospf_proto *p) { return ((byte *) p->lsab) + p->lsab_used; @@ -1558,7 +1559,7 @@ static void add_link_lsa(struct ospf_proto *p, struct ospf_lsa_link *ll, int offset, int *pxc) { u32 *pxb = ll->rest; - int j; + uint j; for (j = 0; j < ll->pxcount; pxb = prefix_advance(pxb), j++) { diff --git a/proto/pipe/pipe.c b/proto/pipe/pipe.c index d40b3f91..8924c200 100644 --- a/proto/pipe/pipe.c +++ b/proto/pipe/pipe.c @@ -191,7 +191,7 @@ pipe_reconfigure(struct proto *P, struct proto_config *CF) } static void -pipe_copy_config(struct proto_config *dest, struct proto_config *src) +pipe_copy_config(struct proto_config *dest UNUSED, struct proto_config *src UNUSED) { /* Just a shallow copy, not many items here */ } diff --git a/proto/radv/packets.c b/proto/radv/packets.c index 915b412f..f4352155 100644 --- a/proto/radv/packets.c +++ b/proto/radv/packets.c @@ -156,12 +156,12 @@ radv_process_domain(struct radv_dnssl_config *cf) char *dom = cf->domain; char *dom_end = dom; /* Just to */ u8 *dlen_save = &cf->dlen_first; - int len; + uint len; while (dom_end) { dom_end = strchr(dom, '.'); - len = dom_end ? (dom_end - dom) : strlen(dom); + len = dom_end ? (uint)(dom_end - dom) : strlen(dom); if (len < 1 || len > 63) return -1; @@ -349,7 +349,7 @@ radv_send_ra(struct radv_iface *ifa, int shutdown) static int -radv_rx_hook(sock *sk, int size) +radv_rx_hook(sock *sk, uint size) { struct radv_iface *ifa = sk->data; struct proto_radv *ra = ifa->ra; diff --git a/proto/radv/radv.c b/proto/radv/radv.c index 4c845f7a..44b44879 100644 --- a/proto/radv/radv.c +++ b/proto/radv/radv.c @@ -240,7 +240,7 @@ radv_if_notify(struct proto *p, unsigned flags, struct iface *iface) } static void -radv_ifa_notify(struct proto *p, unsigned flags, struct ifa *a) +radv_ifa_notify(struct proto *p, unsigned flags UNUSED, struct ifa *a) { struct proto_radv *ra = (struct proto_radv *) p; diff --git a/proto/rip/config.Y b/proto/rip/config.Y index 61a2a101..b3ccdf39 100644 --- a/proto/rip/config.Y +++ b/proto/rip/config.Y @@ -104,15 +104,29 @@ rip_iface_start: rip_iface_finish: { + /* Default mode is broadcast for RIPv1, multicast for RIPv2 and RIPng */ + if (!RIP_IFACE->mode) + RIP_IFACE->mode = (rip_cfg_is_v2() && (RIP_IFACE->version == RIP_V1)) ? + RIP_IM_BROADCAST : RIP_IM_MULTICAST; + RIP_IFACE->passwords = get_passwords(); if (!RIP_IFACE->auth_type != !RIP_IFACE->passwords) log(L_WARN "Authentication and password options should be used together"); - /* Default mode is broadcast for RIPv1, multicast for RIPv2 and RIPng */ - if (!RIP_IFACE->mode) - RIP_IFACE->mode = (rip_cfg_is_v2() && (RIP_IFACE->version == RIP_V1)) ? - RIP_IM_BROADCAST : RIP_IM_MULTICAST; + if (RIP_IFACE->passwords) + { + struct password_item *pass; + WALK_LIST(pass, *RIP_IFACE->passwords) + { + if (pass->alg && (RIP_IFACE->auth_type != RIP_AUTH_CRYPTO)) + cf_error("Password algorithm option requires cryptographic authentication"); + + /* Set default crypto algorithm (MD5) */ + if (!pass->alg && (RIP_IFACE->auth_type == RIP_AUTH_CRYPTO)) + pass->alg = ALG_MD5; + } + } RIP_CFG->min_timeout_time = MIN_(RIP_CFG->min_timeout_time, RIP_IFACE->timeout_time); RIP_CFG->max_garbage_time = MAX_(RIP_CFG->max_garbage_time, RIP_IFACE->garbage_time); @@ -153,7 +167,7 @@ rip_auth: NONE { $$ = RIP_AUTH_NONE; } | PLAINTEXT { $$ = RIP_AUTH_PLAIN; } | CRYPTOGRAPHIC { $$ = RIP_AUTH_CRYPTO; } - | MD5 { $$ = RIP_AUTH_CRYPTO; } + | MD5 { $$ = RIP_AUTH_CRYPTO; } /* For backward compatibility */ ; rip_iface_opts: diff --git a/proto/rip/packets.c b/proto/rip/packets.c index f89bb178..9dc492b7 100644 --- a/proto/rip/packets.c +++ b/proto/rip/packets.c @@ -12,16 +12,14 @@ #undef LOCAL_DEBUG #include "rip.h" -#include "lib/md5.h" +#include "lib/mac.h" #define RIP_CMD_REQUEST 1 /* want info */ #define RIP_CMD_RESPONSE 2 /* responding to request */ #define RIP_BLOCK_LENGTH 20 - #define RIP_PASSWD_LENGTH 16 -#define RIP_MD5_LENGTH 16 #define RIP_AF_IPV4 2 #define RIP_AF_AUTH 0xffff @@ -74,7 +72,7 @@ struct rip_auth_tail { u16 must_be_ffff; u16 must_be_0001; - byte auth_data[]; + byte auth_data[0]; }; /* Internal representation of RTE block data */ @@ -132,7 +130,7 @@ rip_put_block(struct rip_proto *p, byte *pos, struct rip_block *rte) } static inline void -rip_put_next_hop(struct rip_proto *p, byte *pos, struct rip_block *rte) +rip_put_next_hop(struct rip_proto *p UNUSED, byte *pos, struct rip_block *rte) { struct rip_block_ng *block = (void *) pos; block->prefix = ip6_hton(ipa_to_ip6(rte->next_hop)); @@ -221,16 +219,24 @@ rip_fill_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_p auth->auth_type = htons(RIP_AUTH_CRYPTO); auth->packet_len = htons(*plen); auth->key_id = pass->id; - auth->auth_len = sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH; + auth->auth_len = mac_type_length(pass->alg); auth->seq_num = ifa->csn_ready ? htonl(ifa->csn) : 0; auth->unused1 = 0; auth->unused2 = 0; ifa->csn_ready = 1; + if (pass->alg < ALG_HMAC) + auth->auth_len += sizeof(struct rip_auth_tail); + /* * Note that RFC 4822 is unclear whether auth_len should cover whole * authentication trailer or just auth_data length. * + * FIXME: We should use just auth_data length by default. Currently we put + * the whole auth trailer length in keyed hash case to keep old behavior, + * but we put just auth_data length in the new HMAC case. Note that Quagga + * has config option for this. + * * Crypto sequence numbers are increased by sender in rip_update_csn(). * First CSN should be zero, this is handled by csn_ready. */ @@ -238,14 +244,18 @@ rip_fill_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_p struct rip_auth_tail *tail = (void *) ((byte *) pkt + *plen); tail->must_be_ffff = htons(0xffff); tail->must_be_0001 = htons(0x0001); - strncpy(tail->auth_data, pass->password, RIP_MD5_LENGTH); - *plen += sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH; + uint auth_len = mac_type_length(pass->alg); + *plen += sizeof(struct rip_auth_tail) + auth_len; - struct md5_context ctx; - md5_init(&ctx); - md5_update(&ctx, (byte *) pkt, *plen); - memcpy(tail->auth_data, md5_final(&ctx), RIP_MD5_LENGTH); + /* Append key for keyed hash, append padding for HMAC (RFC 4822 2.5) */ + if (pass->alg < ALG_HMAC) + strncpy(tail->auth_data, pass->password, auth_len); + else + memset32(tail->auth_data, HMAC_MAGIC, auth_len / 4); + + mac_fill(pass->alg, pass->password, pass->length, + (byte *) pkt, *plen, tail->auth_data); return; default: @@ -288,13 +298,25 @@ rip_check_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_ DROP("no suitable password found", auth->key_id); uint data_len = ntohs(auth->packet_len); - uint auth_len = sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH; + uint auth_len = mac_type_length(pass->alg); + uint auth_len2 = sizeof(struct rip_auth_tail) + auth_len; - if (data_len + auth_len != *plen) - DROP("packet length mismatch", data_len); + /* + * Ideally, first check should be check for internal consistency: + * (data_len + sizeof(struct rip_auth_tail) + auth->auth_len) != *plen + * + * Second one should check expected code length: + * auth->auth_len != auth_len + * + * But as auth->auth_len has two interpretations, we simplify this + */ - if ((auth->auth_len != RIP_MD5_LENGTH) && (auth->auth_len != auth_len)) - DROP("authentication data length mismatch", auth->auth_len); + if (data_len + auth_len2 != *plen) + DROP("packet length mismatch", *plen); + + /* Warning: two interpretations of auth_len field */ + if ((auth->auth_len != auth_len) && (auth->auth_len != auth_len2)) + DROP("wrong authentication length", auth->auth_len); struct rip_auth_tail *tail = (void *) ((byte *) pkt + data_len); if ((tail->must_be_ffff != htons(0xffff)) || (tail->must_be_0001 != htons(0x0001))) @@ -312,17 +334,18 @@ rip_check_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_ return 0; } - char received[RIP_MD5_LENGTH]; - memcpy(received, tail->auth_data, RIP_MD5_LENGTH); - strncpy(tail->auth_data, pass->password, RIP_MD5_LENGTH); + byte *auth_data = alloca(auth_len); + memcpy(auth_data, tail->auth_data, auth_len); - struct md5_context ctx; - md5_init(&ctx); - md5_update(&ctx, (byte *) pkt, *plen); - char *computed = md5_final(&ctx); + /* Append key for keyed hash, append padding for HMAC (RFC 4822 2.5) */ + if (pass->alg < ALG_HMAC) + strncpy(tail->auth_data, pass->password, auth_len); + else + memset32(tail->auth_data, HMAC_MAGIC, auth_len / 4); - if (memcmp(received, computed, RIP_MD5_LENGTH)) - DROP("wrong MD5 digest", pass->id); + if (!mac_verify(pass->alg, pass->password, pass->length, + (byte *) pkt, *plen, auth_data)) + DROP("wrong authentication code", pass->id); *plen = data_len; n->csn = rcv_csn; @@ -632,7 +655,7 @@ rip_receive_response(struct rip_proto *p, struct rip_iface *ifa, struct rip_pack } static int -rip_rx_hook(sock *sk, int len) +rip_rx_hook(sock *sk, uint len) { struct rip_iface *ifa = sk->data; struct rip_proto *p = ifa->rip; diff --git a/proto/rip/rip.c b/proto/rip/rip.c index 74d472c9..d87a078c 100644 --- a/proto/rip/rip.c +++ b/proto/rip/rip.c @@ -575,7 +575,7 @@ rip_iface_update_buffers(struct rip_iface *ifa) ifa->tx_plen = tbsize - headers; if (ifa->cf->auth_type == RIP_AUTH_CRYPTO) - ifa->tx_plen -= RIP_AUTH_TAIL_LENGTH; + ifa->tx_plen -= RIP_AUTH_TAIL_LENGTH + max_mac_length(ifa->cf->passwords); } static inline void @@ -687,12 +687,11 @@ rip_reconfigure_iface(struct rip_proto *p, struct rip_iface *ifa, struct rip_ifa ifa->cf = new; + rip_iface_update_buffers(ifa); + if (ifa->next_regular > (now + new->update_time)) ifa->next_regular = now + (random() % new->update_time) + 1; - if ((new->tx_length != old->tx_length) || (new->rx_buffer != old->rx_buffer)) - rip_iface_update_buffers(ifa); - if (new->check_link != old->check_link) rip_iface_update_state(ifa); @@ -1011,7 +1010,7 @@ rip_prepare_attrs(struct linpool *pool, ea_list *next, u8 metric, u16 tag) } static int -rip_import_control(struct proto *P, struct rte **rt, struct ea_list **attrs, struct linpool *pool) +rip_import_control(struct proto *P UNUSED, struct rte **rt, struct ea_list **attrs, struct linpool *pool) { /* Prepare attributes with initial values */ if ((*rt)->attrs->source != RTS_RIP) @@ -1145,7 +1144,7 @@ rip_reconfigure(struct proto *P, struct proto_config *CF) } static void -rip_get_route_info(rte *rte, byte *buf, ea_list *attrs) +rip_get_route_info(rte *rte, byte *buf, ea_list *attrs UNUSED) { buf += bsprintf(buf, " (%d/%d)", rte->pref, rte->u.rip.metric); diff --git a/proto/rip/rip.h b/proto/rip/rip.h index 7ec7e24d..03dc9138 100644 --- a/proto/rip/rip.h +++ b/proto/rip/rip.h @@ -34,7 +34,7 @@ #define RIP_NG_PORT 521 /* RIPng */ #define RIP_MAX_PKT_LENGTH 532 /* 512 + IP4_HEADER_LENGTH */ -#define RIP_AUTH_TAIL_LENGTH 20 /* 4 + MD5 length */ +#define RIP_AUTH_TAIL_LENGTH 4 /* Without auth_data */ #define RIP_DEFAULT_ECMP_LIMIT 16 #define RIP_DEFAULT_INFINITY 16 diff --git a/proto/static/static.c b/proto/static/static.c index a8abdef0..b5e717ca 100644 --- a/proto/static/static.c +++ b/proto/static/static.c @@ -244,7 +244,7 @@ static_add(struct proto *p, struct static_config *cf, struct static_route *r) } static void -static_rte_cleanup(struct proto *p, struct static_route *r) +static_rte_cleanup(struct proto *p UNUSED, struct static_route *r) { struct static_route *r2; @@ -440,7 +440,7 @@ static_if_notify(struct proto *p, unsigned flags, struct iface *i) } int -static_rte_mergable(rte *pri, rte *sec) +static_rte_mergable(rte *pri UNUSED, rte *sec UNUSED) { return 1; } diff --git a/sysdep/bsd/krt-sock.c b/sysdep/bsd/krt-sock.c index 3440ed63..d2372a3d 100644 --- a/sysdep/bsd/krt-sock.c +++ b/sysdep/bsd/krt-sock.c @@ -933,7 +933,7 @@ kif_do_scan(struct kif_proto *p) /* Kernel sockets */ static int -krt_sock_hook(sock *sk, int size UNUSED) +krt_sock_hook(sock *sk, uint size UNUSED) { struct ks_msg msg; int l = read(sk->fd, (char *)&msg, sizeof(msg)); @@ -953,7 +953,7 @@ krt_sock_err_hook(sock *sk, int e UNUSED) } static sock * -krt_sock_open(pool *pool, void *data, int table_id) +krt_sock_open(pool *pool, void *data, int table_id UNUSED) { sock *sk; int fd; @@ -1120,7 +1120,7 @@ kif_sys_shutdown(struct kif_proto *p) struct ifa * -kif_get_primary_ip(struct iface *i) +kif_get_primary_ip(struct iface *i UNUSED) { #if 0 static int fd = -1; diff --git a/sysdep/bsd/krt-sys.h b/sysdep/bsd/krt-sys.h index 870cdf2c..ed667e80 100644 --- a/sysdep/bsd/krt-sys.h +++ b/sysdep/bsd/krt-sys.h @@ -48,4 +48,5 @@ static inline void krt_sys_postconfig(struct krt_config *x UNUSED) { } static inline int krt_sys_get_attr(eattr *a UNUSED, byte *buf UNUSED, int buflen UNUSED) { return GA_UNKNOWN; } + #endif diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h index 57c45bcf..0c5f8fbb 100644 --- a/sysdep/bsd/sysio.h +++ b/sysdep/bsd/sysio.h @@ -28,6 +28,7 @@ #endif +#undef SA_LEN #define SA_LEN(x) (x).sa.sa_len @@ -133,12 +134,12 @@ sk_process_cmsg4_ttl(sock *s, struct cmsghdr *cm) s->rcv_ttl = * (byte *) CMSG_DATA(cm); } +#ifdef IP_SENDSRCADDR static inline void sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen) { /* Unfortunately, IP_SENDSRCADDR does not work for raw IP sockets on BSD kernels */ -#ifdef IP_SENDSRCADDR struct cmsghdr *cm; struct in_addr *sa; int controllen = 0; @@ -156,10 +157,13 @@ sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen) *sa = ipa_to_in4(s->saddr); msg->msg_controllen = controllen; -#endif } +#else +static inline void +sk_prepare_cmsgs4(sock *s UNUSED, struct msghdr *msg UNUSED, void *cbuf UNUSED, size_t cbuflen UNUSED) { } +#endif -static void +static void UNUSED sk_prepare_ip_header(sock *s, void *hdr, int dlen) { struct ip *ip = hdr; @@ -200,7 +204,7 @@ sk_prepare_ip_header(sock *s, void *hdr, int dlen) #endif int -sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, char *passwd, int setkey UNUSED) +sk_set_md5_auth(sock *s, ip_addr local UNUSED, ip_addr remote UNUSED, struct iface *ifa UNUSED, char *passwd, int setkey UNUSED) { #ifdef USE_MD5SIG_SETKEY if (setkey) @@ -235,20 +239,20 @@ sk_set_min_ttl4(sock *s, int ttl) } static inline int -sk_set_min_ttl6(sock *s, int ttl) +sk_set_min_ttl6(sock *s, int ttl UNUSED) { ERR_MSG("Kernel does not support IPv6 TTL security"); } static inline int -sk_disable_mtu_disc4(sock *s) +sk_disable_mtu_disc4(sock *s UNUSED) { /* TODO: Set IP_DONTFRAG to 0 ? */ return 0; } static inline int -sk_disable_mtu_disc6(sock *s) +sk_disable_mtu_disc6(sock *s UNUSED) { /* TODO: Set IPV6_DONTFRAG to 0 ? */ return 0; diff --git a/sysdep/linux/krt-sys.h b/sysdep/linux/krt-sys.h index 6d6586d1..76ae29b7 100644 --- a/sysdep/linux/krt-sys.h +++ b/sysdep/linux/krt-sys.h @@ -27,7 +27,7 @@ static inline void kif_sys_postconfig(struct kif_config *c UNUSED) { } static inline void kif_sys_init_config(struct kif_config *c UNUSED) { } static inline void kif_sys_copy_config(struct kif_config *d UNUSED, struct kif_config *s UNUSED) { } -static inline struct ifa * kif_get_primary_ip(struct iface *i) { return NULL; } +static inline struct ifa * kif_get_primary_ip(struct iface *i UNUSED) { return NULL; } /* Kernel routes */ diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c index 7af575a7..ee2cd125 100644 --- a/sysdep/linux/netlink.c +++ b/sysdep/linux/netlink.c @@ -503,7 +503,7 @@ nl_parse_multipath(struct krt_proto *p, struct rtattr *ra) struct rtattr *a[BIRD_RTA_MAX]; struct rtnexthop *nh = RTA_DATA(ra); struct mpnh *rv, *first, **last; - int len = RTA_PAYLOAD(ra); + unsigned len = RTA_PAYLOAD(ra); first = NULL; last = &first; @@ -1584,7 +1584,7 @@ nl_async_msg(struct nlmsghdr *h) } static int -nl_async_hook(sock *sk, int size UNUSED) +nl_async_hook(sock *sk, uint size UNUSED) { struct iovec iov = { nl_async_rx_buffer, NL_RX_SIZE }; struct sockaddr_nl sa; diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h index d2ba95dd..8b210f06 100644 --- a/sysdep/linux/syspriv.h +++ b/sysdep/linux/syspriv.h @@ -1,4 +1,11 @@ +#ifndef _BIRD_SYSPRIV_H_ +#define _BIRD_SYSPRIV_H_ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif + +#include <unistd.h> #include <sys/prctl.h> #include <linux/capability.h> @@ -70,3 +77,5 @@ drop_uid(uid_t uid) if (setresuid(uid, uid, uid) < 0) die("setresuid: %m"); } + +#endif /* _BIRD_SYSPRIV_H_ */ diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c index e90964c1..6d886dab 100644 --- a/sysdep/unix/io.c +++ b/sysdep/unix/io.c @@ -9,7 +9,9 @@ /* Unfortunately, some glibc versions hide parts of RFC 3542 API if _GNU_SOURCE is not defined. */ -#define _GNU_SOURCE 1 +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif #include <stdio.h> #include <stdlib.h> @@ -507,11 +509,11 @@ tm_format_datetime(char *x, struct timeformat *fmt_spec, bird_clock_t t) * Sockaddr helper functions */ -static inline int sockaddr_length(int af) +static inline int UNUSED sockaddr_length(int af) { return (af == AF_INET) ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6); } static inline void -sockaddr_fill4(struct sockaddr_in *sa, ip_addr a, struct iface *ifa, uint port) +sockaddr_fill4(struct sockaddr_in *sa, ip_addr a, uint port) { memset(sa, 0, sizeof(struct sockaddr_in)); #ifdef HAVE_SIN_LEN @@ -542,7 +544,7 @@ void sockaddr_fill(sockaddr *sa, int af, ip_addr a, struct iface *ifa, uint port) { if (af == AF_INET) - sockaddr_fill4((struct sockaddr_in *) sa, a, ifa, port); + sockaddr_fill4((struct sockaddr_in *) sa, a, port); else if (af == AF_INET6) sockaddr_fill6((struct sockaddr_in6 *) sa, a, ifa, port); else @@ -550,7 +552,7 @@ sockaddr_fill(sockaddr *sa, int af, ip_addr a, struct iface *ifa, uint port) } static inline void -sockaddr_read4(struct sockaddr_in *sa, ip_addr *a, struct iface **ifa, uint *port) +sockaddr_read4(struct sockaddr_in *sa, ip_addr *a, uint *port) { *port = ntohs(sa->sin_port); *a = ipa_from_in4(sa->sin_addr); @@ -573,7 +575,7 @@ sockaddr_read(sockaddr *sa, int af, ip_addr *a, struct iface **ifa, uint *port) goto fail; if (af == AF_INET) - sockaddr_read4((struct sockaddr_in *) sa, a, ifa, port); + sockaddr_read4((struct sockaddr_in *) sa, a, port); else if (af == AF_INET6) sockaddr_read6((struct sockaddr_in6 *) sa, a, ifa, port); else @@ -770,7 +772,7 @@ sk_set_tos6(sock *s, int tos) } static inline int -sk_set_high_port(sock *s) +sk_set_high_port(sock *s UNUSED) { /* Port range setting is optional, ignore it if not supported */ @@ -2085,6 +2087,7 @@ watchdog_stop(void) volatile int async_config_flag; /* Asynchronous reconfiguration/dump scheduled */ volatile int async_dump_flag; +volatile int async_shutdown_flag; void io_init(void) diff --git a/sysdep/unix/krt.c b/sysdep/unix/krt.c index d4cb964e..e899671d 100644 --- a/sysdep/unix/krt.c +++ b/sysdep/unix/krt.c @@ -899,7 +899,7 @@ krt_scan_timer_start(struct krt_proto *p) } static void -krt_scan_timer_stop(struct krt_proto *p) +krt_scan_timer_stop(struct krt_proto *p UNUSED) { krt_scan_count--; @@ -988,7 +988,7 @@ krt_store_tmp_attrs(rte *rt, struct ea_list *attrs) } static int -krt_import_control(struct proto *P, rte **new, ea_list **attrs, struct linpool *pool) +krt_import_control(struct proto *P, rte **new, ea_list **attrs UNUSED, struct linpool *pool UNUSED) { struct krt_proto *p = (struct krt_proto *) P; rte *e = *new; diff --git a/sysdep/unix/log.c b/sysdep/unix/log.c index e5c5e74e..42c933ef 100644 --- a/sysdep/unix/log.c +++ b/sysdep/unix/log.c @@ -288,18 +288,22 @@ log_switch(int debug, list *l, char *new_syslog_name) current_log_list = l; #ifdef HAVE_SYSLOG - char *old_syslog_name = current_syslog_name; - current_syslog_name = new_syslog_name; - - if (old_syslog_name && new_syslog_name && - !strcmp(old_syslog_name, new_syslog_name)) + if (current_syslog_name && new_syslog_name && + !strcmp(current_syslog_name, new_syslog_name)) return; - if (old_syslog_name) + if (current_syslog_name) + { closelog(); + xfree(current_syslog_name); + current_syslog_name = NULL; + } if (new_syslog_name) - openlog(new_syslog_name, LOG_CONS | LOG_NDELAY, LOG_DAEMON); + { + current_syslog_name = xstrdup(new_syslog_name); + openlog(current_syslog_name, LOG_CONS | LOG_NDELAY, LOG_DAEMON); + } #endif } diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c index 9594269d..c1b92b7e 100644 --- a/sysdep/unix/main.c +++ b/sysdep/unix/main.c @@ -8,7 +8,9 @@ #undef LOCAL_DEBUG -#define _GNU_SOURCE 1 +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif #include <stdio.h> #include <stdlib.h> @@ -73,7 +75,7 @@ async_dump(void) #else static inline void -drop_uid(uid_t uid) +drop_uid(uid_t uid UNUSED) { die("Cannot change user on this platform"); } @@ -419,7 +421,7 @@ cli_get_command(cli *c) } static int -cli_rx(sock *s, int size UNUSED) +cli_rx(sock *s, uint size UNUSED) { cli_kick(s->data); return 0; @@ -439,7 +441,7 @@ cli_err(sock *s, int err) } static int -cli_connect(sock *s, int size UNUSED) +cli_connect(sock *s, uint size UNUSED) { cli *c; |