Age | Commit message (Collapse) | Author |
|
Implement flowspec validation procedure as described in RFC 8955 sec. 6
and RFC 9117. The Validation procedure enforces that only routers in the
forwarding path for a network can originate flowspec rules for that
network.
The patch adds new mechanism for tracking inter-table dependencies, which
is necessary as the flowspec validation depends on IP routes, and flowspec
rules must be revalidated when best IP routes change.
The validation procedure is disabled by default and requires that
relevant IP table uses trie, as it uses interval queries for subnets.
|
|
Allow to specify sorted flag, trie fla, and min/max settle time.
Also do not enable trie by default, it must be explicitly enabled.
|
|
|
|
When output of 'show route' command was generated, the net_format() was
called for each network prematurely, even if the result was not needed.
Fix the code to call net_format() only when needed. This makes queries
that process many networks but show only few (e.g. 'show route where ..',
or 'show route count') much faster (like 5x - 10x faster).
|
|
Add trie iteration code to rt_show_cont() CLI hook and use it to
accelerate 'show route in <addr>' commands using interval queries.
|
|
Implement 'show route in <addr>' command, which shows all routes in
networks that are subnets of given network. Currently limited to IP
network types.
|
|
Attach a prefix trie to IP/VPN/ROA tables. Use it for net_route() and
net_roa_check(). This leads to 3-5x speedups for IPv4 and 5-10x
speedup for IPv6 of these calls.
TODO:
- Rebuild the trie during rt_prune_table()
- Better way to avoid trie_add_prefix() in net_get() for existing tables
- Make it configurable (?)
|
|
Remove assumption that main channel is the only channel.
|
|
Pipes copy the original rte with old values, so they require rte to be
exported with stored tmpattrs. Other protocols access stored attributes
using eattr list, so they require rte to be exported with expanded
tmpattrs. This is temporary hack, we plan to remove whoe tmpattr mechanism.
Thanks to Paul Donohue for the bugreport.
|
|
This reverts commit f8e273b5e7a3c721f4a30cf27a0b4fe54602e83f.
|
|
In most cases of export there is no need to store back temporary
attributes to rte, as receivers (protocols) access eattr list anyway.
But pipe copies the original rte with old values, so we should store
tmpattrs also during export.
Thanks to Paul Donohue for the bugreport.
|
|
|
|
One of previous patches broke password list parsing code, fix that.
|
|
Add min/max key length fields to the MAC algorithm description and
validate configured keys before they are used.
|
|
Add support for specifying a password in hexadecimal format, The result
is the same whether a password is specified as a quoted string or a
hex-encoded byte string, this just makes it more convenient to input
high-entropy byte strings as MAC keys.
|
|
The Babel MAC authentication RFC recommends implementing Blake2s as one of
the supported algorithms. In order to achieve do this, add the blake2b and
blake2s hash functions for MAC authentication. The hashing function
implementations are the reference implementations from blake2.net.
The Blake2 algorithms allow specifying an arbitrary output size, and the
Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy
this, we add two different variants of each of the algorithms, one using
the default size (256 bits for Blake2s, 512 bits for Blake2b), and one
using half the default output size.
Update to BIRD coding style done by committer.
|
|
This fixes an internal table cleanup bug introduced
in ff397df7edcbe7a8abca5b419729b9c64c063847.
|
|
This saves some bytes of memory for complex ea's.
|
|
This also fixes memory leaks from import/export tables being never
cleaned up and freed.
|
|
|
|
|
|
Pipe channels are kind-of implicit, so setting protocol debug flags
should also set pipe debug flags.
|
|
In general, events are code handling some some condition, which is
scheduled when such condition happened and executed independently from
I/O loop. Work-events are a subgroup of events that are scheduled
repeatedly until some (often significant) work is done (e.g. feeding
routes to protocol). All scheduled events are executed during each
I/O loop iteration.
Separate work-events from regular events to a separate queue and
rate limit their execution to a fixed number per I/O loop iteration.
That should prevent excess latency when many work-events are
scheduled at one time (e.g. simultaneous reload of many BGP sessions).
|
|
|
|
Also, no automatic reload for BGP channels without import/export table.
|
|
This is an implementation of draft-walton-bgp-hostname-capability-02.
It is implemented since quite some time for FRR and in datacenter, this
gives a nice output to avoid using IP addresses.
It is disabled by default. The hostname is retrieved from uname(2) and
can be overriden with "hostname" option. The domain name is never set
nor displayed.
Minor changes by committer.
|
|
If there are roa_check() calls in channel filters, then the channel
subscribes to ROA table notifications, which are sent when ROA tables
are updated (subject to settle time) and trigger channel reload or
refeed.
|
|
Add macros for recursive filter iteration that allows to examine
all instructions reachable from a filter.
|
|
No longer needed after redesign of export handling.
|
|
(Minor syntactic changes by committer)
|
|
The patch add support for per-channel debug flags, currently just
'states', 'routes', and 'filters'. Flag 'states' is used for channel
state changes, remaining two for routes passed through the channel.
The per-protocol debug flags 'routes'/'filters' still enable reporting
of routes for all channels, to keep existing behavior.
The patch causes minor changes in some log messages.
|
|
Also fixes some more failed asserts due to add_tail().
|
|
When config structures are copied due to template application,
we need to reset list node structure before calling add_tail().
Thanks to Mikael Magnusson for patches.
|
|
|
|
Logging as a result of triggered receive limit in import table code
accesset rte->net, which was not filed yet.
Thanks to Pier Carlo Chiodi for the bugreport.
|
|
Merge multiple BFD option blocks in BGP configs instead of using the last
one. That is necessary for proper handling of templates when BFD options
are used both in a BGP template and in a BGP protocol derived from that
template.
|
|
BFD session options are configured per interface in BFD protocol. This
patch allows to specify them also per-request in protocols requesting
sessions (currently limited to BGP).
|
|
Put new non-best routes to the end of list instead of the second
position. Put updated routes to their old position. Position is changed
just by best route selection.
|
|
Most commands like 'show ospf neighbors' fail when protocol is not
specified and there are multiple instances of given protocol type.
This is annoying in BIRD 2, as many protocols have IPv4 and IPv6
instances. The patch changes that by showing output from all protocol
instances of appropriate type.
Note that the patch also removes terminating cli_msg() call from these
commands and moves it to the common iterating code.
|
|
There is nothing in RFCs specifying that id 0 is not allowed. Some
implementations does not support it, while some other use key id 0 by
default. We allow it but start with key id 1 by default.
Thanks to Kenth Eriksson for the bugreport.
|
|
Implement regex-like '+' operator in BGP path masks to match previous
path mask item multiple times. This is useful as ASNs may appear
multiple times in paths due to path prepending for traffic engineering
purposes.
|
|
Resolve neighbors using longest prefix match. Although interface ranges
should not generally collide, it may happen for unnumbered links.
Thanks to Kenth Eriksson for the bugreport.
|
|
|
|
|
|
change anything
|
|
|
|
|
|
The bug generated invalid AGGREGATOR attribute during translation of
32bit ASN to 16bit-only BGP peer. The patch fixes that.
|
|
This is merely a const propagation. There was no problem in there.
|
|
Use separate IPv4 and IPv6 implementation of prefix sets. Just this
change makes IPv4 prefix sets 60% smaller and 50% faster.
|