Age | Commit message | Author |
|
Patch by Alexander V. Chernikov <melifaro@ipfw.ru>
Hello list!
This patch adds 'firewall' protocol permitting prefixes announced to
this protocol to be put in configured firewall table with optional value.
Supported firewalls: IPFW, PF, *
Optional value support: IPFW, *
Sample configuration:
protocol bgp {
  ..
  import filter { fw_value = 42; accept; } # Set firewall optional value for each prefix
}
protocol firewall {
  fwtype ipfw;
  fwtable "2";
  export all;
  flush always; # do flush both on startup and shutdown
};
Tested on FreeBSD 8.X, PF should work on Open/NetBSD, too.
[*] I can add support for ipset on demand. However I can't understand
how it can be [effectively] used without some kind of radix/rbtree
backend (according to docs).
P.S.
This can be thought of as a first step towards implementing BGP FlowSpec (RFC 5575).
|
Prefixes with max length (/32) were not handled properly.
Thanks to bauen1 for the bugreport.
|
When BGP connection is opened, it may happen that rx hook (with remote
OPEN) is called before tx hook (for local OPEN). Therefore, we need to do
internal changes (like setting local_caps) synchronously with OPENSENT
transition and we need to ensure that OPEN is sent before KEEPALIVE.
|
Allow specifying just 'internal' or 'external' for a remote neighbor
instead of a specific ASN. In the second case, BGP peers with
any non-local ASNs are accepted.
|
Allow marking a channel as mandatory, and do not allow BGP sessions if
no common AFI/SAFI is established.
|
If peer does not announce capabilities at all, or when we have
capabilities disabled, handle that as implicit IPv4 unicast.
|
The temporary attributes are no longer removed by ea_do_prune(), but
they are undefined by store_tmp_attrs() protocol hooks. This fixes
several bugs where temporary attributes were removed when they should
not or not removed when they should be. The flag EAF_TEMP is no longer
needed and was removed.
Update all protocol make_tmp_attrs() / store_tmp_attrs() hooks to use
helper functions and to handle unset attributes properly.
Also fix some related bugs like improper handling of empty eattr list.
|
Keep track of whether OSPF tmpattrs are actually defined for a given route
(using flags in rte->pflags). That makes them behave more like real
eattrs so a protocol can define just a subset of them or they can be
undefined by filters.
Do not set ospf_metric2 for other than type 2 external OSPF routes and do
not set ospf_tag for non-external OSPF routes. That also fixes a bug
where internal/inter-area route propagated from one OSPF instance to
another is initiated with infinity ospf_metric2.
Thanks to Yaroslav Dronskii for the bugreport.
|
Route flags are mostly internal state of rtable, they are not significant
to whether a route has changed. With the old code, all routes received as
a part of enhanced route refresh are always re-announced to other peers
due to change in REF_STALE.
|
accepted mode)
Update for one of previous patches, handles the issue for
first-accepted mode of route propagation.
|
When an area is reconfigured to a different type, we need to flush LSAs as
they may not be valid (e.g. NSSA-LSA for non-NSSA area). Also, when we
have just one OSPF area and that changes type, we could restart OSPF
as there is no state to keep anyway. That solves an issue with different
handling of external routes exported to OSPF based on the main area type.
|
External LSAs originated by OSPF routers with VPN-PE behavior enabled are
marked by DN flag and they are ignored by other OSPF routers with VPN-PE
enabled.
|
As we do not have much usage for it yet.
|
One of previous workarounds for phantom route avoidance breaks export
counters by expanding sending of spurious withdraws, which are sent when
we are not sure whether we have advertised those routes in the past.
If not, then the export counter is decreased, but it was not increased
before, so it overflows below zero.
The patch fixes that by sending spurious withdraws, but not counting them
on the export counter. That may lead to an error in the other direction, but that
happens only as a race condition (i.e., in normal operation filters
return proper values about old route export state).
|
Thanks to Michal Nowak for reporting the issue.
|
Direct acknowledgements should be sent as unicast to a corresponding
neighbor. Only delayed acks should be sent as multicast to all/designated
routers.
|
Master may free last DBDES packet immediately. Slave must wait dead
interval before freeing last DBDES packet and then reject duplicate
DBDES packets with SeqNumberMismatch.
|
After SeqNumberMismatch/BadLSReq, we should continue with the old
seqnum++. The old code tries to do that by n->adj, but it was set
nowhere.
|
As it is specified in RFC 2328. The old code just provided warning.
|
Using dummy net instead. This should help with performance on rejected
routes.
|
The earlier fix loosened conditions for not running filters on the old
route when deciding about route propagation to a protocol, to avoid
issues with ghost routes in some race conditions.
Unfortunately, the fix also caused back-propagation of withdraws. For
regular updates, back-propagation is prevented in import_control hooks,
but these are not called on withdraws. For them, import_control hooks
are called on old routes instead, changing (old, NULL) notification
to (NULL, NULL), which is ignored. By not calling export processing
in some cases, the withdraw is not ignored and is back-propagated.
This patch fixes that by contracting the conditions so the earlier fix is not
applied to back-propagated updates.
|
Thanks to Igor Podlesny for notification.
|
When going up, uncleaned old channel state may trigger unexpected
conditions crashing bird.
|
Add support for OSPFv2 Opaque LSAs (RFC 5250) and for Router Information
LSA (RFC 7770). The second part is here mainly for testing opaque LSAs.
|
Also includes minor cleanup of help.
|
Current FreeBSD kernels require SA records for both directions.
Thanks to Joseph Mulloy and Andrey V. Elsukov for reporting and
solving the issue.
|
Minor cleanups, updates and clarifications. Also removes (incomplete
and well-known) build steps from README, as they are better described
in INSTALL.
|
Since v2 we have multiple listening BGP sockets, and each BGP protocol
has one of them associated. Use the listening socket that accepted the
incoming connection as a key in the dispatch process so only BGP
protocols associated with that listening socket can be selected.
This is necessary for proper dispatch when VRFs are used.
|
It may happen that the LLv6 address for a given iface is not defined during
BGP start, so we postpone the check to the session establishment.
|
FreeBSD silently changes TTL to 1 when MSG_DONTROUTE is used, even when
it is explicitly set to another value. That breaks TTL security sockets,
including BFD which always uses TTL 255. Bad FreeBSD!
|
This protocol is highly experimental and nobody should use it in
production. Anyway, it may help you get some insight into what eats
so much time in filter processing.
|