summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-12-02Trie: Clarify handling of less-common net typesOndrej Zajicek (work)
For convenience, Trie functions generally accept as input values not only NET_IPx types of nets, but also NET_VPNx and NET_ROAx types. But returned values are always NET_IPx types.
2021-11-26Trie: Implement longest-prefix-match queries and walksOndrej Zajicek (work)
The prefix trie now supports longest-prefix-match query by function trie_match_longest_ipX() and it can be extended to iteration over all covering prefixes for a given prefix (from longest to shortest) using TRIE_WALK_TO_ROOT_IPx() macro.
2021-11-19Trie: Implement trie walking codeOndrej Zajicek (work)
Trie walking allows enumeration of prefixes in a trie in the usual lexicographic order. Optionally, trie enumeration can be restricted to a chosen subnet (and its descendants).
2021-11-13Trie: Simplify network matching codeOndrej Zajicek (work)
Introduce ipX_prefix_equal() and use it to simplify network matching code.
2021-09-25Filter: Add prefix trie benchmarksOndrej Zajicek (work)
Add trie tests intended as benchmarks that use external datasets instead of generated prefixes. As datasets are not included, they are commented out by default.
2021-09-25Filter: Improve prefix trie testsOndrej Zajicek (work)
Add tests explicitly matching insides and outsides of trie and update tests to do testing of both IPv4 and IPv6 tries.
2021-09-25Filter: Update trie documentationOndrej Zajicek (work)
2021-09-25Filter: Fix trie testOndrej Zajicek (work)
Generated prefixes must be valid.
2021-09-25Filter: Faster prefix setsOndrej Zajicek (work)
Use 16-way (4bit) branching in prefix trie instead of basic binary branching. The change makes IPv4 prefix sets almost 3x faster, but with more memory consumption and much more complicated algorithm. Together with a previous filter change, it makes IPv4 prefix sets about ~4.3x faster and slightly smaller (on my test data).
2021-06-17Nest: Clean up main channel handlingOndrej Zajicek (work)
Remove assumption that main channel is the only channel.
2021-06-14Nest: Fix export of tmpattrs through pipesOndrej Zajicek (work)
Pipes copy the original rte with old values, so they require rte to be exported with stored tmpattrs. Other protocols access stored attributes using eattr list, so they require rte to be exported with expanded tmpattrs. This is temporary hack, we plan to remove whoe tmpattr mechanism. Thanks to Paul Donohue for the bugreport.
2021-06-14Revert "Nest: Fix export of tmpattrs through pipes"Ondrej Zajicek (work)
This reverts commit f8e273b5e7a3c721f4a30cf27a0b4fe54602e83f.
2021-06-14Nest: Fix export of tmpattrs through pipesOndrej Zajicek (work)
In most cases of export there is no need to store back temporary attributes to rte, as receivers (protocols) access eattr list anyway. But pipe copies the original rte with old values, so we should store tmpattrs also during export. Thanks to Paul Donohue for the bugreport.
2021-06-11CI: Allow Babel testsOndrej Zajicek (work)
2021-06-09Nest: Allow both 'password' and 'key' keywords for authentication keysOndrej Zajicek (work)
2021-06-09Babel: Simplify auth expirationOndrej Zajicek (work)
Just use hello_expiry for that, keep init_expiry for initial unauthentized neighbors.
2021-06-06Nest: Fix password list parsing codeOndrej Zajicek (work)
One of previous patches broke password list parsing code, fix that.
2021-06-06Lib: Fix static assert macroOndrej Zajicek (work)
2021-06-06Babel: Add MAC authentication support - updateOndrej Zajicek (work)
Some cleanups and bugfixes to the previous patch, including: - Fix rate limiting in index mismatch check - Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation - Fix missing auth_tx_overhead recalculation during reconfiguration - Fix pseudoheader construction in babel_auth_sign() (sport vs fport) - Fix typecasts for ptrdiffs in log messages - Make auth log messages similar to corresponding RIP/OSPF ones - Change auth log messages for events that happen during regular operation to debug messages - Switch meaning of babel_auth_check*() functions for consistency with corresponding RIP/OSPF ones - Remove requirement for min/max key length, only those required by given MAC code are enforced
2021-06-06Babel: Add MAC authentication supportToke Høiland-Jørgensen
This implements support for MAC authentication in the Babel protocol, as specified by RFC 8967. The implementation seeks to follow the RFC as close as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm. For description of applicability, assumptions and security properties, see RFC 8967 sections 1.1 and 1.2.
2021-06-06Babel: Refactor TLV parsing code for easier reuseToke Høiland-Jørgensen
In preparation for adding authentication checks, refactor the TLV walking code so it can be reused for a separate pass of the packet for authentication checks.
2021-06-06Nest: Allow MAC algorithms to specify min/max key lengthToke Høiland-Jørgensen
Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
2021-06-06Nest: Allow specifying security keys as hex bytes as well as stringsToke Høiland-Jørgensen
Add support for specifying a password in hexadecimal format, The result is the same whether a password is specified as a quoted string or a hex-encoded byte string, this just makes it more convenient to input high-entropy byte strings as MAC keys.
2021-06-06Lib: Add tests for blake2s and blake2bToke Høiland-Jørgensen
Import the blake2-kat.h header with test vector output from the blake reference implementation, and add tests to mac_test.c to compare the output of the Bird MAC algorithm implementations with that reference output. Since the reference implementation only has test vectors for the full output size, there are no tests for the smaller-sized output variants.
2021-06-06Lib: Add Blake2s and Blake2b hash functionsToke Høiland-Jørgensen
The Babel MAC authentication RFC recommends implementing Blake2s as one of the supported algorithms. In order to achieve do this, add the blake2b and blake2s hash functions for MAC authentication. The hashing function implementations are the reference implementations from blake2.net. The Blake2 algorithms allow specifying an arbitrary output size, and the Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy this, we add two different variants of each of the algorithms, one using the default size (256 bits for Blake2s, 512 bits for Blake2b), and one using half the default output size. Update to BIRD coding style done by committer.
2021-06-06sysdep: Add wrapper to get random bytes - updateOndrej Zajicek (work)
Simplify the code and fix an issue with getentropy() return value.
2021-06-06sysdep: Add wrapper to get random bytesToke Høiland-Jørgensen
Add a wrapper function in sysdep to get random bytes, and required checks in configure.ac to select how to do it. The configure script tries, in order, getrandom(), getentropy() and reading from /dev/urandom.
2021-06-01BGP: Ensure that freed neighbor entry is not accessedOndrej Zajicek (work)
Routes from downed protocols stay in rtable (until next rtable prune cycle ends) and may be even exported to another protocol. In BGP case, source BGP protocol is examined, although dynamic parts (including neighbor entries) are already freed. That may lead to crash under some race conditions. Ensure that freed neighbor entry is not accessed to avoid this issue.
2021-05-30Babel: Seqno requests are properly decoupled from neighbors when the ↵Maria Matejka
underlying interface disappears When an interface disappears, all the neighbors are freed as well. Seqno requests were anyway not decoupled from them, leading to strange segfaults. This fix adds a proper seqno request list inside neighbors to make sure that no pointer to neighbor is kept after free.
2021-05-26OSPF: Fix OSPFv3 in IPv4 mode with multiple areasOndrej Zajicek (work)
Some area handling code got confused by IPv4 setup in OSPFv3 mode.
2021-05-20CI: Try different locale for Centos 7Ondrej Zajicek (work)
2021-05-20CI: Package build for more platformsMatous Holinka
.gitlab-ci.yml: + pkg targets for some distros added + artifacts added - some distros were commented out (due to errors). misc/docker/*: + Dockerfiles updated with the necessary packages.
2021-05-19CI: Try utf-8 locale to workaround apkg issueOndrej Zajicek (work)
2021-05-19CI: Build documentation where tools are availableOndrej Zajicek (work)
2021-05-19CI: Update docker images for building of documentationOndrej Zajicek (work)
2021-05-19Pkg: Enable docs subpackage for DebianOndrej Zajicek (work)
2021-05-19CI: Test of apkg buildOndrej Zajicek (work)
Also temporarily disable cf-ospf-auth, as there is some problem with it.
2021-05-19Tools: Improve make-dev-archiveOndrej Zajicek (work)
Use git-archive to avoid unrelated and temporary files and fix some minor issues (e.g. dependency on bash as system shell).
2021-05-19ubuntu: use any init-system-helpersJakub Ružička
init-system-helpers (>= 1.56~) can't be satisfied on: * Ubuntu 18.04 (1.51) * Ubuntu 16.04 (1.29) * Debian 9 (1.48) Remove the specific version requirement in order to enable build on older platforms.
2021-05-19suse: fix bird.spec to work on SUSEJakub Ružička
SUSE is more strict about .spec. * use SPDX license id * add missing %ghost file directive
2021-05-19docs: disable docs subpackage to fix FTBFSJakub Ružička
Adressing following FTBFS on all older debian/ubuntu distros: Can't locate LinuxDocTools/Data/Latin1ToSgml.pm in @INC (you may need to install the LinuxDocTools::Data::Latin1ToSgml module)
2021-05-19add apkg-powered upstream packaging for deb, rpmJakub Ružička
Files in a single new distro/ dir allow apkg to build BIRD packages for various distros directly from upstream sources as well as from upstream archives. Please see distro/README.md for more detail as well as apkg docs: https://apkg.rtfd.io I've used these files to build bird-2.0.8 on all currently supported releases of following distros: * Debian * Ubuntu * Fedora * CentOS * openSUSE Please note that latest apkg with accumulated fixes for bird is needed: https://gitlab.nic.cz/packaging/apkg/-/merge_requests/35
2021-05-18Flowspec: Documentation updateOndrej Zajicek (work)
2021-05-18Flowspec: Label field should use numeric operator and not bitmask operatorOndrej Zajicek (work)
2021-05-18Flowspec: Do not use comma for bitmask operatorsOndrej Zajicek (work)
For numeric operators, comma is used for disjunction in expressions like "10, 20, 30..40". But for bitmask operators, comma is used for conjunction in a way that does not really make much sense. Use always explicit logical operators (&& and ||) to connect bitmask operators. Thanks to Matt Corallo for the bugreport.
2021-05-17Filter: Add MPLS label route attributeTrisha Biswas
Add support to set or read outgoing MPLS labels using filters. Currently this supports the addition of one label per route for the first next hop. Minor changes by committer.
2021-05-14Flowspec: Fix values for true/false operatorsOndrej Zajicek (work)
RFC 8955 is pretty clear that 000 is false and 111 is true.
2021-05-14Flowspec: Add code for conversion of flowspec parts to interval listsOndrej Zajicek (work)
Implement function flow_explicate_part() to convert flowspec numeric expressions to a simple list of (disjoint, sorted) intervals. That could be used in filters to build f_tree-based int-sets from them.
2021-05-10Babel: Log the reason when refusing to run on an interfaceOndrej Zajicek (work)
The babel protocol code checks whether iface supports multicast, and whether it has a link-local address assigned. However, it doesn not give any feedback if any of those checks fail, it just silently ignores the interface. Fix this by explicitly logging when multicast check fails. Based on patch from Toke Høiland-Jørgensen, thanks!
2021-05-10BSD: Propagate OS-level IFF_MULTICAST to internal IF_MULTICAST flagToke Høiland-Jørgensen
The BSD code did not propagate the OS-level IFF_MULTICAST flag to the Bird-internal IF_MULTICAST flag, which causes problems with Wireguard interfaces on FreeBSD. The Linux sysdep code does propagate the flag already, so just copy over the same check and flag update.