summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-01-14Netlink: Add workaround for older kernel headersOndrej Zajicek (work)
2022-01-14Netlink: Enable strict checking for KRT dumpsOndrej Zajicek (work)
Add strict checking for netlink KRT dumps to avoid PMTU cache records from FNHE table dump along with KRT. Linux Kernel added FNHE table dump to the netlink API in patch: https://patchwork.ozlabs.org/project/netdev/patch/8d3b68cd37fb5fddc470904cdd6793fcf480c6c1.1561131177.git.sbrivio@redhat.com/ Therefore, since Linux 5.3 these route cache entries are dumped together with regular routes during periodic KRT scans, which in some cases may be huge amount of useless data. This can be avoided by using strict checking for netlink dumps: https://lore.kernel.org/netdev/20181008031644.15989-1-dsahern@kernel.org/ The patch mitigates the risk of receiving unknown and potentially large number of FNHE records that would block BIRD I/O in each sync. There is a known issue caused by the GRE tunnels on Linux that seems to be creating one FNHE record for each destination IP address that is routed through the tunnel, even when the PMTU equals to GRE interface MTU. Thanks to Tomas Hlavacek for the original patch.
2022-01-14Netlink: Explicitly skip received cloned routesOndrej Zajicek (work)
Kernel uses cloned routes to keep route cache entries, but reports them together with regular routes. They were skipped implicitly as they do not have rtm_protocol filled. Add explicit check for cloned flag and skip such routes explicitly. Also, improve debug logs of skipped routes.
2022-01-09BGP: Add option 'free bind'Ondrej Zajicek (work)
The BGP 'free bind' option applies the IP_FREEBIND/IPV6_FREEBIND socket option for the BGP listening socket. Thanks to Alexander Zubkov for the idea.
2022-01-08IO: Support nonlocal bind in socket interfaceAlexander Zubkov
Add option to socket interface for nonlocal binding, i.e. binding to an IP address that is not present on interfaces. This behaviour is enabled when SKF_FREEBIND socket flag is set. For Linux systems, it is implemented by IP_FREEBIND socket flag. Minor changes done by commiter.
2022-01-05Test: Activate some remaining build testsOndrej Zajicek (work)
2022-01-05Netlink: Do not ignore dead routes from BIRDOndrej Zajicek (work)
Currently, BIRD ignores dead routes to consider them absent. But it also ignores its own routes and thus it can not correctly manage such routes in some cases. This patch makes an exception for routes with proto bird when ignoring dead routes, so they can be properly updated or removed. Thanks to Alexander Zubkov for the original patch.
2022-01-05Netlink: Improve multipath parsing errorsOndrej Zajicek (work)
Function nl_parse_multipath() should handle errors internally.
2022-01-05Conf: Fix parsing full-length IPv6 addressesOndrej Zajicek (work)
Lexer expression for bytestring was too loose, accepting also full-length IPv6 addresses. It should be restricted such that colon is used between every byte or never. Fix the regex and also add some test cases for it. Thanks to Alexander Zubkov for the bugreport
2022-01-05gitlab-ci.yml: failing gitlab runner fixed.Matous
'registry.labs.nic.cz' -> 'registry.nic.cz' changed
2021-12-28Doc: Document min/max operators for listsAlexander Zubkov
2021-12-28Filter: Add operators to find minimum and maximum element of setsAlexander Zubkov
Add operators .min and .max to find minumum or maximum element in sets of types: clist, eclist, lclist. Example usage: bgp_community.min bgp_ext_community.max filter(bgp_large_community, [(as1, as2, *)]).min Signed-off-by: Alexander Zubkov <green@qrator.net>
2021-12-28Doc: Document community components access operatorsAlexander Zubkov
2021-12-28Filter: Add operators to pick community componentsAlexander Zubkov
Add operators that can be used to pick components from pair (standard community) or lc (large community) types. For example: (10, 20).asn --> 10 (10, 20).data --> 20 (10, 20, 30).asn --> 10 (10, 20, 30).data1 --> 20 (10, 20, 30).data2 --> 30 Signed-off-by: Alexander Zubkov <green@qrator.net>
2021-12-27BSD: Assume onlink flag on ifaces with only host addressesOndrej Zajicek (work)
The BSD kernel does not support the onlink flag and BIRD does not use direct routes for next hop validation, instead depends on interface address ranges. We would like to handle PtMP cases with only host addresses configured, like: ifconfig wg0 192.168.0.10/32 route add 192.168.0.4 -iface wg0 route add 192.168.0.8 -iface wg0 To accept BIRD routes with onlink next-hop, like: route 192.168.42.0/24 via 192.168.0.4%wg0 onlink BIRD would dismiss the route when receiving from the kernel, as the next-hop 192.168.0.4 is not part of any interface subnet and onlink flag is not kept by the BSD kernel. The commit fixes this by assuming that for routes received from the kernel, any next-hop is onlink on ifaces with only host addresses. Thanks to Stefan Haller for the original patch.
2021-12-18RPKI: Add contextual out-of-bound checks in RTR Prefix PDU handlerJob Snijders
RFC 6810 and RFC 8210 specify that the "Max Length" value MUST NOT be less than the Prefix Length element (underflow). On the other side, overflow of the Max Length element also is possible, it being an 8-bit unsigned integer allows for values larger than 32 or 128. This also implicitly ensures there is no overflow of "Length" value. When a PDU is received where the Max Length field is corrputed, the RTR client (BIRD) should immediately terminate the session, flush all data learned from that cache, and log an error for the operator. Minor changes done by commiter.
2021-12-18Doc: bgp: remove "advertise ipv4"Simon Ruderich
The option was removed in d15b0b0a ("BGP redesign", 2016-12-07) but the documentation wasn't updated.
2021-12-18Nest: Do not ignore secondary flag changes in ifa updatesOndrej Zajicek (work)
Compare all IA_* flags that are set by sysdep iface code. The old code ignores IA_SECONDARY flag when comparing whether iface address updates from kernel changed anything. This is usually not an issue as kernel removes all secondary addresses due to removal of the primary one, but it breaks when sysctl 'promote_secondaries' is enabled and kernel promotes secondary addresses to primary ones. Thanks to 'Alexander' for the bugreport.
2021-11-27Memory statistics split into Effective and OverheadMaria Matejka
This feature is intended mostly for checking that BIRD's allocation strategies don't consume much memory space. There are some cases where withdrawing routes in a specific order lead to memory fragmentation and this output should give the user at least a notion of how much memory is actually used for data storage and how much memory is "just allocated" or used for overhead. Also raising the "system allocator overhead estimation" from 8 to 16 bytes; it is probably even more. I've found 16 as a local minimum in best scenarios among reachable machines. I couldn't find any reasonable method to estimate this value when BIRD starts up. This commit also fixes the inaccurate computation of memory overhead for slabs where the "system allocater overhead estimation" was improperly added to the size of mmap-ed memory.
2021-11-24Directly mapped pages are kept for future use if temporarily not neededMaria Matejka
2021-10-20Conf: Fix crash during shutdownOndrej Zajicek (work)
BIRD implements shutdown by reconfiguring to fake empty configuration. Such fake config structure is created from the last running config and shares some data, including symbol table. This allows access to (removed) routing tables and causes crash when 'show route' command is used during shutdown. Clean up symbol table, table list and links to default tables, so removed routing tables cannot be accessed during shutdown.
2021-06-17Nest: Clean up main channel handlingOndrej Zajicek (work)
Remove assumption that main channel is the only channel.
2021-06-14Nest: Fix export of tmpattrs through pipesOndrej Zajicek (work)
Pipes copy the original rte with old values, so they require rte to be exported with stored tmpattrs. Other protocols access stored attributes using eattr list, so they require rte to be exported with expanded tmpattrs. This is temporary hack, we plan to remove whoe tmpattr mechanism. Thanks to Paul Donohue for the bugreport.
2021-06-14Revert "Nest: Fix export of tmpattrs through pipes"Ondrej Zajicek (work)
This reverts commit f8e273b5e7a3c721f4a30cf27a0b4fe54602e83f.
2021-06-14Nest: Fix export of tmpattrs through pipesOndrej Zajicek (work)
In most cases of export there is no need to store back temporary attributes to rte, as receivers (protocols) access eattr list anyway. But pipe copies the original rte with old values, so we should store tmpattrs also during export. Thanks to Paul Donohue for the bugreport.
2021-06-11CI: Allow Babel testsOndrej Zajicek (work)
2021-06-09Nest: Allow both 'password' and 'key' keywords for authentication keysOndrej Zajicek (work)
2021-06-09Babel: Simplify auth expirationOndrej Zajicek (work)
Just use hello_expiry for that, keep init_expiry for initial unauthentized neighbors.
2021-06-06Nest: Fix password list parsing codeOndrej Zajicek (work)
One of previous patches broke password list parsing code, fix that.
2021-06-06Lib: Fix static assert macroOndrej Zajicek (work)
2021-06-06Babel: Add MAC authentication support - updateOndrej Zajicek (work)
Some cleanups and bugfixes to the previous patch, including: - Fix rate limiting in index mismatch check - Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation - Fix missing auth_tx_overhead recalculation during reconfiguration - Fix pseudoheader construction in babel_auth_sign() (sport vs fport) - Fix typecasts for ptrdiffs in log messages - Make auth log messages similar to corresponding RIP/OSPF ones - Change auth log messages for events that happen during regular operation to debug messages - Switch meaning of babel_auth_check*() functions for consistency with corresponding RIP/OSPF ones - Remove requirement for min/max key length, only those required by given MAC code are enforced
2021-06-06Babel: Add MAC authentication supportToke Høiland-Jørgensen
This implements support for MAC authentication in the Babel protocol, as specified by RFC 8967. The implementation seeks to follow the RFC as close as possible, with the only deliberate deviation being the addition of support for all the HMAC algorithms already supported by Bird, as well as the Blake2b variant of the Blake algorithm. For description of applicability, assumptions and security properties, see RFC 8967 sections 1.1 and 1.2.
2021-06-06Babel: Refactor TLV parsing code for easier reuseToke Høiland-Jørgensen
In preparation for adding authentication checks, refactor the TLV walking code so it can be reused for a separate pass of the packet for authentication checks.
2021-06-06Nest: Allow MAC algorithms to specify min/max key lengthToke Høiland-Jørgensen
Add min/max key length fields to the MAC algorithm description and validate configured keys before they are used.
2021-06-06Nest: Allow specifying security keys as hex bytes as well as stringsToke Høiland-Jørgensen
Add support for specifying a password in hexadecimal format, The result is the same whether a password is specified as a quoted string or a hex-encoded byte string, this just makes it more convenient to input high-entropy byte strings as MAC keys.
2021-06-06Lib: Add tests for blake2s and blake2bToke Høiland-Jørgensen
Import the blake2-kat.h header with test vector output from the blake reference implementation, and add tests to mac_test.c to compare the output of the Bird MAC algorithm implementations with that reference output. Since the reference implementation only has test vectors for the full output size, there are no tests for the smaller-sized output variants.
2021-06-06Lib: Add Blake2s and Blake2b hash functionsToke Høiland-Jørgensen
The Babel MAC authentication RFC recommends implementing Blake2s as one of the supported algorithms. In order to achieve do this, add the blake2b and blake2s hash functions for MAC authentication. The hashing function implementations are the reference implementations from blake2.net. The Blake2 algorithms allow specifying an arbitrary output size, and the Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy this, we add two different variants of each of the algorithms, one using the default size (256 bits for Blake2s, 512 bits for Blake2b), and one using half the default output size. Update to BIRD coding style done by committer.
2021-06-06sysdep: Add wrapper to get random bytes - updateOndrej Zajicek (work)
Simplify the code and fix an issue with getentropy() return value.
2021-06-06sysdep: Add wrapper to get random bytesToke Høiland-Jørgensen
Add a wrapper function in sysdep to get random bytes, and required checks in configure.ac to select how to do it. The configure script tries, in order, getrandom(), getentropy() and reading from /dev/urandom.
2021-06-01BGP: Ensure that freed neighbor entry is not accessedOndrej Zajicek (work)
Routes from downed protocols stay in rtable (until next rtable prune cycle ends) and may be even exported to another protocol. In BGP case, source BGP protocol is examined, although dynamic parts (including neighbor entries) are already freed. That may lead to crash under some race conditions. Ensure that freed neighbor entry is not accessed to avoid this issue.
2021-05-30Babel: Seqno requests are properly decoupled from neighbors when the ↵Maria Matejka
underlying interface disappears When an interface disappears, all the neighbors are freed as well. Seqno requests were anyway not decoupled from them, leading to strange segfaults. This fix adds a proper seqno request list inside neighbors to make sure that no pointer to neighbor is kept after free.
2021-05-26OSPF: Fix OSPFv3 in IPv4 mode with multiple areasOndrej Zajicek (work)
Some area handling code got confused by IPv4 setup in OSPFv3 mode.
2021-05-20CI: Try different locale for Centos 7Ondrej Zajicek (work)
2021-05-20CI: Package build for more platformsMatous Holinka
.gitlab-ci.yml: + pkg targets for some distros added + artifacts added - some distros were commented out (due to errors). misc/docker/*: + Dockerfiles updated with the necessary packages.
2021-05-19CI: Try utf-8 locale to workaround apkg issueOndrej Zajicek (work)
2021-05-19CI: Build documentation where tools are availableOndrej Zajicek (work)
2021-05-19CI: Update docker images for building of documentationOndrej Zajicek (work)
2021-05-19Pkg: Enable docs subpackage for DebianOndrej Zajicek (work)
2021-05-19CI: Test of apkg buildOndrej Zajicek (work)
Also temporarily disable cf-ospf-auth, as there is some problem with it.
2021-05-19Tools: Improve make-dev-archiveOndrej Zajicek (work)
Use git-archive to avoid unrelated and temporary files and fix some minor issues (e.g. dependency on bash as system shell).