From 15822b9dd74685bc8a855ba98512711ba712d504 Mon Sep 17 00:00:00 2001 From: James Antill Date: Thu, 26 May 2022 07:12:40 -0400 Subject: [PATCH] Auto sync2gitlab import of frr-7.5-11.el8.src.rpm --- .gitignore | 1 + 0000-remove-babeld-and-ldpd.patch | 55 ++++++ 0001-use-python3.patch | 20 +++ 0002-enable-openssl.patch | 86 ++++++++++ 0003-disable-eigrp-crypto.patch | 252 ++++++++++++++++++++++++++++ 0004-fips-mode.patch | 103 ++++++++++++ 0006-CVE-2020-12831.patch | 17 ++ 0007-frrinit.patch | 31 ++++ 0008-ospf-multi-instance.patch | 119 +++++++++++++ 0009-bgp-ttl-security.patch | 92 ++++++++++ 0010-bfd-reload.patch | 60 +++++++ 0011-designated-router.patch | 33 ++++ 0012-bfd-peers-crash.patch | 25 +++ EMPTY | 1 - frr-tmpfiles.conf | 1 + frr.spec | 267 ++++++++++++++++++++++++++++++ sources | 1 + 17 files changed, 1163 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 0000-remove-babeld-and-ldpd.patch create mode 100644 0001-use-python3.patch create mode 100644 0002-enable-openssl.patch create mode 100644 0003-disable-eigrp-crypto.patch create mode 100644 0004-fips-mode.patch create mode 100644 0006-CVE-2020-12831.patch create mode 100644 0007-frrinit.patch create mode 100644 0008-ospf-multi-instance.patch create mode 100644 0009-bgp-ttl-security.patch create mode 100644 0010-bfd-reload.patch create mode 100644 0011-designated-router.patch create mode 100644 0012-bfd-peers-crash.patch delete mode 100644 EMPTY create mode 100644 frr-tmpfiles.conf create mode 100644 frr.spec create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..90074dc --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +/frr-7.5.tar.gz diff --git a/0000-remove-babeld-and-ldpd.patch b/0000-remove-babeld-and-ldpd.patch new file mode 100644 index 0000000..37c416a --- /dev/null +++ b/0000-remove-babeld-and-ldpd.patch @@ -0,0 +1,55 @@ +diff --git a/Makefile.am b/Makefile.am +index 5be3264..33abc1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -130,8 +130,6 @@ include ospf6d/subdir.am + include ospfclient/subdir.am + include isisd/subdir.am + include nhrpd/subdir.am +-include ldpd/subdir.am +-include babeld/subdir.am + include eigrpd/subdir.am + include sharpd/subdir.am + include pimd/subdir.am +@@ -182,7 +180,6 @@ EXTRA_DIST += \ + snapcraft/defaults \ + snapcraft/helpers \ + snapcraft/snap \ +- babeld/Makefile \ + bgpd/Makefile \ + bgpd/rfp-example/librfp/Makefile \ + bgpd/rfp-example/rfptest/Makefile \ +@@ -193,7 +190,6 @@ EXTRA_DIST += \ + fpm/Makefile \ + grpc/Makefile \ + isisd/Makefile \ +- ldpd/Makefile \ + lib/Makefile \ + nhrpd/Makefile \ + ospf6d/Makefile \ +diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons +index f6d512b..6d4831d 100644 +--- a/tools/etc/frr/daemons ++++ b/tools/etc/frr/daemons +@@ -21,10 +21,8 @@ ripd=no + ripngd=no + isisd=no + pimd=no +-ldpd=no + nhrpd=no + eigrpd=no +-babeld=no + sharpd=no + pbrd=no + bfdd=no +@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1" + ripngd_options=" -A ::1" + isisd_options=" -A 127.0.0.1" + pimd_options=" -A 127.0.0.1" +-ldpd_options=" -A 127.0.0.1" + nhrpd_options=" -A 127.0.0.1" + eigrpd_options=" -A 127.0.0.1" +-babeld_options=" -A 127.0.0.1" + sharpd_options=" -A 127.0.0.1" + pbrd_options=" -A 127.0.0.1" + staticd_options="-A 127.0.0.1" diff --git a/0001-use-python3.patch b/0001-use-python3.patch new file mode 100644 index 0000000..ce0359e --- /dev/null +++ b/0001-use-python3.patch @@ -0,0 +1,20 @@ +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index 208fb11..0692adc 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + # Frr Reloader + # Copyright (C) 2014 Cumulus Networks, Inc. + # +diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py +index 540b7a1..0876ebb 100755 +--- a/tools/generate_support_bundle.py ++++ b/tools/generate_support_bundle.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + + ######################################################## + ### Python Script to generate the FRR support bundle ### diff --git a/0002-enable-openssl.patch b/0002-enable-openssl.patch new file mode 100644 index 0000000..6f1c389 --- /dev/null +++ b/0002-enable-openssl.patch @@ -0,0 +1,86 @@ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/log.c \ + lib/log_filter.c \ + lib/log_vty.c \ +- lib/md5.c \ + lib/memory.c \ + lib/mlag.c \ + lib/module.c \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0533e24..b3d3700 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/linklist.h \ + lib/log.h \ + lib/log_vty.h \ +- lib/md5.h \ + lib/memory.h \ + lib/module.h \ + lib/monotime.h \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 53f7115..cea866f 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/routemap_northbound.c \ + lib/sbuf.c \ + lib/seqlock.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/routemap.h \ + lib/sbuf.h \ + lib/seqlock.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/isis_constants.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/0003-disable-eigrp-crypto.patch b/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..cd43569 --- /dev/null +++ b/0003-disable-eigrp-crypto.patch @@ -0,0 +1,252 @@ +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" +diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c +index a93d4c8..b01e121 100644 +--- a/eigrpd/eigrp_cli.c ++++ b/eigrpd/eigrp_cli.c +@@ -25,6 +25,7 @@ + #include "lib/command.h" + #include "lib/log.h" + #include "lib/northbound_cli.h" ++#include "lib/libfrr.h" + + #include "eigrp_structs.h" + #include "eigrpd.h" +@@ -726,6 +726,20 @@ DEFPY( + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ //EIGRP authentication is currently broken in FRR ++ switch (frr_get_cli_mode()) { ++ case FRR_CLI_CLASSIC: ++ vty_out(vty, "%% Eigrp Authentication is disabled\n\n"); ++ break; ++ case FRR_CLI_TRANSACTIONAL: ++ vty_out(vty, ++ "%% Failed to edit candidate configuration - " ++ "Eigrp Authentication is disabled.\n\n"); ++ break; ++ } ++ ++ return CMD_WARNING_CONFIG_FAILED; ++ + char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64]; + + snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']", diff --git a/0004-fips-mode.patch b/0004-fips-mode.patch new file mode 100644 index 0000000..e8efeb7 --- /dev/null +++ b/0004-fips-mode.patch @@ -0,0 +1,103 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strlcpy((char *)circuit->passwd.passwd, passwd, + sizeof(circuit->passwd.passwd)); +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strlcpy((char *)modified.passwd, passwd, + sizeof(modified.passwd)); +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + if (strmatch(mode, "md5")) diff --git a/0006-CVE-2020-12831.patch b/0006-CVE-2020-12831.patch new file mode 100644 index 0000000..df352d2 --- /dev/null +++ b/0006-CVE-2020-12831.patch @@ -0,0 +1,17 @@ +diff --git a/tools/frr.in b/tools/frr.in +index b860797..eb64a93 100755 +--- a/tools/frr.in ++++ b/tools/frr.in +@@ -105,10 +105,12 @@ check_daemon() + if [ ! -r "$C_PATH/$1-$2.conf" ]; then + touch "$C_PATH/$1-$2.conf" + chownfrr "$C_PATH/$1-$2.conf" ++ chmod 0600 "$C_PATH/$1-$2.conf" + fi + elif [ ! -r "$C_PATH/$1.conf" ]; then + touch "$C_PATH/$1.conf" + chownfrr "$C_PATH/$1.conf" ++ chmod 0600 "$C_PATH/$1.conf" + fi + fi + return 0 diff --git a/0007-frrinit.patch b/0007-frrinit.patch new file mode 100644 index 0000000..f5fd13c --- /dev/null +++ b/0007-frrinit.patch @@ -0,0 +1,31 @@ +diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in +index 539ab7d..d27d1be 100644 +--- a/tools/frrinit.sh.in ++++ b/tools/frrinit.sh.in +@@ -43,7 +43,7 @@ fi + case "$1" in + start) + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_start watchfrr + ;; + stop) +@@ -57,7 +57,7 @@ restart|force-reload) + all_stop --reallyall + + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_start watchfrr + ;; + +@@ -87,7 +87,7 @@ reload) + # restart watchfrr to pick up added daemons. + # NB: This will NOT cause the other daemons to be restarted. + daemon_list daemons +- watchfrr_options="$watchfrr_options $daemons" ++ watchfrr_options="$daemons" + daemon_stop watchfrr && \ + daemon_start watchfrr + diff --git a/0008-ospf-multi-instance.patch b/0008-ospf-multi-instance.patch new file mode 100644 index 0000000..e0da72a --- /dev/null +++ b/0008-ospf-multi-instance.patch @@ -0,0 +1,119 @@ +diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c +index d8be19db9..6fe94f3a4 100644 +--- a/ospfd/ospfd.c ++++ b/ospfd/ospfd.c +@@ -384,12 +384,50 @@ struct ospf *ospf_lookup_by_inst_name(unsigned short instance, const char *name) + return NULL; + } + +-struct ospf *ospf_get(unsigned short instance, const char *name, bool *created) ++static void ospf_init(struct ospf *ospf) + { +- struct ospf *ospf; + struct vrf *vrf; + struct interface *ifp; + ++ ospf_opaque_type11_lsa_init(ospf); ++ ++ if (ospf->vrf_id != VRF_UNKNOWN) ++ ospf->oi_running = 1; ++ ++ /* Activate 'ip ospf area x' configured interfaces for given ++ * vrf. Activate area on vrf x aware interfaces. ++ * vrf_enable callback calls router_id_update which ++ * internally will call ospf_if_update to trigger ++ * network_run_state ++ */ ++ vrf = vrf_lookup_by_id(ospf->vrf_id); ++ ++ FOR_ALL_INTERFACES (vrf, ifp) { ++ struct ospf_if_params *params; ++ struct route_node *rn; ++ uint32_t count = 0; ++ ++ params = IF_DEF_PARAMS(ifp); ++ if (OSPF_IF_PARAM_CONFIGURED(params, if_area)) ++ count++; ++ ++ for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn)) ++ if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area)) ++ count++; ++ ++ if (count > 0) { ++ ospf_interface_area_set(ospf, ifp); ++ ospf->if_ospf_cli_count += count; ++ } ++ } ++ ++ ospf_router_id_update(ospf); ++} ++ ++struct ospf *ospf_get(unsigned short instance, const char *name, bool *created) ++{ ++ struct ospf *ospf; ++ + /* vrf name provided call inst and name based api + * in case of no name pass default ospf instance */ + if (name) +@@ -402,39 +440,7 @@ struct ospf *ospf_get(unsigned short instance, const char *name, bool *created) + ospf = ospf_new(instance, name); + ospf_add(ospf); + +- ospf_opaque_type11_lsa_init(ospf); +- +- if (ospf->vrf_id != VRF_UNKNOWN) +- ospf->oi_running = 1; +- +- /* Activate 'ip ospf area x' configured interfaces for given +- * vrf. Activate area on vrf x aware interfaces. +- * vrf_enable callback calls router_id_update which +- * internally will call ospf_if_update to trigger +- * network_run_state +- */ +- vrf = vrf_lookup_by_id(ospf->vrf_id); +- +- FOR_ALL_INTERFACES (vrf, ifp) { +- struct ospf_if_params *params; +- struct route_node *rn; +- uint32_t count = 0; +- +- params = IF_DEF_PARAMS(ifp); +- if (OSPF_IF_PARAM_CONFIGURED(params, if_area)) +- count++; +- +- for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn)) +- if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area)) +- count++; +- +- if (count > 0) { +- ospf_interface_area_set(ospf, ifp); +- ospf->if_ospf_cli_count += count; +- } +- } +- +- ospf_router_id_update(ospf); ++ ospf_init(ospf); + } + + return ospf; +@@ -450,7 +456,7 @@ struct ospf *ospf_get_instance(unsigned short instance, bool *created) + ospf = ospf_new(instance, NULL /* VRF_DEFAULT*/); + ospf_add(ospf); + +- ospf_opaque_type11_lsa_init(ospf); ++ ospf_init(ospf); + } + + return ospf; +diff --git a/ospfd/ospfd.h b/ospfd/ospfd.h +index 192e54281..3087b735a 100644 +--- a/ospfd/ospfd.h ++++ b/ospfd/ospfd.h +@@ -604,7 +604,6 @@ extern int ospf_nbr_nbma_poll_interval_set(struct ospf *, struct in_addr, + unsigned int); + extern int ospf_nbr_nbma_poll_interval_unset(struct ospf *, struct in_addr); + extern void ospf_prefix_list_update(struct prefix_list *); +-extern void ospf_init(void); + extern void ospf_if_update(struct ospf *, struct interface *); + extern void ospf_ls_upd_queue_empty(struct ospf_interface *); + extern void ospf_terminate(void); diff --git a/0009-bgp-ttl-security.patch b/0009-bgp-ttl-security.patch new file mode 100644 index 0000000..193929c --- /dev/null +++ b/0009-bgp-ttl-security.patch @@ -0,0 +1,92 @@ +From 8a66632391db5f5181a4afef6aae41f48bee7fdb Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Fri, 15 Jan 2021 08:14:49 -0500 +Subject: [PATCH] bgpd: Allow peer-groups to have `ttl-security hops` + configured + +The command `neighbor PGROUP ttl-security hops X` was being +accepted but ignored. Allow it to be stored. I am still +not sure that this is applied correctly, but that is another +problem. + +Fixes: #7848 +Signed-off-by: Donald Sharp +--- + bgpd/bgpd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c +index 9297ec4711c..4ebd3da0620 100644 +--- a/bgpd/bgpd.c ++++ b/bgpd/bgpd.c +@@ -7150,6 +7150,7 @@ int is_ebgp_multihop_configured(struct peer *peer) + int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops) + { + struct peer_group *group; ++ struct peer *gpeer; + struct listnode *node, *nnode; + int ret; + +@@ -7186,9 +7187,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops) + return ret; + } else { + group = peer->group; ++ group->conf->gtsm_hops = gtsm_hops; + for (ALL_LIST_ELEMENTS(group->peer, node, nnode, +- peer)) { +- peer->gtsm_hops = group->conf->gtsm_hops; ++ gpeer)) { ++ gpeer->gtsm_hops = group->conf->gtsm_hops; + + /* Calling ebgp multihop also resets the + * session. +@@ -7198,7 +7200,7 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops) + * value is + * irrelevant. + */ +- peer_ebgp_multihop_set(peer, MAXTTL); ++ peer_ebgp_multihop_set(gpeer, MAXTTL); + } + } + } else { +@@ -7219,9 +7221,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops) + MAXTTL + 1 - gtsm_hops); + } else { + group = peer->group; ++ group->conf->gtsm_hops = gtsm_hops; + for (ALL_LIST_ELEMENTS(group->peer, node, nnode, +- peer)) { +- peer->gtsm_hops = group->conf->gtsm_hops; ++ gpeer)) { ++ gpeer->gtsm_hops = group->conf->gtsm_hops; + + /* Change setting of existing peer + * established then change value (may break +@@ -7231,17 +7234,18 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops) + * no session then do nothing (will get + * handled by next connection) + */ +- if (peer->fd >= 0 +- && peer->gtsm_hops ++ if (gpeer->fd >= 0 ++ && gpeer->gtsm_hops + != BGP_GTSM_HOPS_DISABLED) + sockopt_minttl( +- peer->su.sa.sa_family, peer->fd, +- MAXTTL + 1 - peer->gtsm_hops); +- if ((peer->status < Established) +- && peer->doppelganger +- && (peer->doppelganger->fd >= 0)) +- sockopt_minttl(peer->su.sa.sa_family, +- peer->doppelganger->fd, ++ gpeer->su.sa.sa_family, ++ gpeer->fd, ++ MAXTTL + 1 - gpeer->gtsm_hops); ++ if ((gpeer->status < Established) ++ && gpeer->doppelganger ++ && (gpeer->doppelganger->fd >= 0)) ++ sockopt_minttl(gpeer->su.sa.sa_family, ++ gpeer->doppelganger->fd, + MAXTTL + 1 - gtsm_hops); + } + } diff --git a/0010-bfd-reload.patch b/0010-bfd-reload.patch new file mode 100644 index 0000000..b153592 --- /dev/null +++ b/0010-bfd-reload.patch @@ -0,0 +1,60 @@ +From 46a2b560fa84c5f8ece8dbb82cbf355af675ad41 Mon Sep 17 00:00:00 2001 +From: Rafael Zalamena +Date: Tue, 19 Jan 2021 08:49:23 -0300 +Subject: [PATCH] tools: fix frr-reload BFD profile support + +Fix the handling of multiple BFD profiles by adding the appropriated +code to push/pop contexts inside BFD configuration node. + +Signed-off-by: Rafael Zalamena +--- + tools/frr-reload.py | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index da005b6f874..ca6fe81f007 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -533,6 +533,18 @@ def load_contexts(self): + if line.startswith('!') or line.startswith('#'): + continue + ++ if (len(ctx_keys) == 2 ++ and ctx_keys[0].startswith('bfd') ++ and ctx_keys[1].startswith('profile ') ++ and line == 'end'): ++ log.debug('LINE %-50s: popping from sub context, %-50s', line, ctx_keys) ++ ++ if main_ctx_key: ++ self.save_contexts(ctx_keys, current_context_lines) ++ ctx_keys = copy.deepcopy(main_ctx_key) ++ current_context_lines = [] ++ continue ++ + # one line contexts + # there is one exception though: ldpd accepts a 'router-id' clause + # as part of its 'mpls ldp' config context. If we are processing +@@ -649,6 +661,22 @@ def load_contexts(self): + log.debug('LINE %-50s: entering sub-sub-context, append to ctx_keys', line) + ctx_keys.append(line) + ++ elif ( ++ line.startswith('profile ') ++ and len(ctx_keys) == 1 ++ and ctx_keys[0].startswith('bfd') ++ ): ++ ++ # Save old context first ++ self.save_contexts(ctx_keys, current_context_lines) ++ current_context_lines = [] ++ main_ctx_key = copy.deepcopy(ctx_keys) ++ log.debug( ++ "LINE %-50s: entering BFD profile sub-context, append to ctx_keys", ++ line ++ ) ++ ctx_keys.append(line) ++ + else: + # Continuing in an existing context, add non-commented lines to it + current_context_lines.append(line) + diff --git a/0011-designated-router.patch b/0011-designated-router.patch new file mode 100644 index 0000000..323a10e --- /dev/null +++ b/0011-designated-router.patch @@ -0,0 +1,33 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 69a3e4587..57ef6029a 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -3737,6 +3737,28 @@ static void show_ip_ospf_interface_sub(struct vty *vty, struct ospf *ospf, + vty_out(vty, + " No backup designated router on this network\n"); + } else { ++ nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &DR(oi)); ++ if (nbr) { ++ if (use_json) { ++ json_object_string_add( ++ json_interface_sub, "drId", ++ inet_ntoa(nbr->router_id)); ++ json_object_string_add( ++ json_interface_sub, "drAddress", ++ inet_ntoa(nbr->address.u ++ .prefix4)); ++ } else { ++ vty_out(vty, ++ " Designated Router (ID) %s", ++ inet_ntoa(nbr->router_id)); ++ vty_out(vty, ++ " Interface Address %s\n", ++ inet_ntoa(nbr->address.u ++ .prefix4)); ++ } ++ } ++ nbr = NULL; ++ + nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &BDR(oi)); + if (nbr == NULL) { + if (!use_json) diff --git a/0012-bfd-peers-crash.patch b/0012-bfd-peers-crash.patch new file mode 100644 index 0000000..1e2d78e --- /dev/null +++ b/0012-bfd-peers-crash.patch @@ -0,0 +1,25 @@ +From 1d923374f64e099d734899aff219d90cb0213fa6 Mon Sep 17 00:00:00 2001 +From: Emanuele Bovisio +Date: Thu, 5 Nov 2020 14:27:51 +0100 +Subject: [PATCH] bfdd: fix crash on show bfd peers counters json + +wrong pointer passed to bfd_id_iterate function + +Signed-off-by: Emanuele Bovisio +--- + bfdd/bfdd_vty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bfdd/bfdd_vty.c b/bfdd/bfdd_vty.c +index a3f1638e5f6..837a7b7d7d6 100644 +--- a/bfdd/bfdd_vty.c ++++ b/bfdd/bfdd_vty.c +@@ -447,7 +447,7 @@ static void _display_peers_counter(struct vty *vty, char *vrfname, bool use_json + + jo = json_object_new_array(); + bvt.jo = jo; +- bfd_id_iterate(_display_peer_counter_json_iter, jo); ++ bfd_id_iterate(_display_peer_counter_json_iter, &bvt); + + vty_out(vty, "%s\n", json_object_to_json_string_ext(jo, 0)); + json_object_free(jo); diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/frr-tmpfiles.conf b/frr-tmpfiles.conf new file mode 100644 index 0000000..c1613b2 --- /dev/null +++ b/frr-tmpfiles.conf @@ -0,0 +1 @@ +d /run/frr 0755 frr frr - diff --git a/frr.spec b/frr.spec new file mode 100644 index 0000000..1a3b1a8 --- /dev/null +++ b/frr.spec @@ -0,0 +1,267 @@ +%global frrversion 7.5 +%global frr_libdir /usr/lib/frr + +%global _hardened_build 1 + +Name: frr +Version: 7.5 +Release: 11%{?checkout}%{?dist} +Summary: Routing daemon +License: GPLv2+ +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz +Source1: %{name}-tmpfiles.conf +BuildRequires: perl-generators +BuildRequires: gcc +BuildRequires: net-snmp-devel +BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff +BuildRequires: readline readline-devel ncurses ncurses-devel +BuildRequires: git pam-devel c-ares-devel +BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML +BuildRequires: python3-devel python3-sphinx python3-pytest +BuildRequires: systemd systemd-devel +BuildRequires: libyang-devel >= 1.0.184 +Requires: net-snmp ncurses +Requires(post): systemd /sbin/install-info +Requires(preun): systemd /sbin/install-info +Requires(postun): systemd +Requires: iproute +Requires: initscripts +Provides: routingdaemon = %{version}-%{release} +Obsoletes: frr-sysvinit quagga frr-contrib + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0001: 0001-use-python3.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch +Patch0006: 0006-CVE-2020-12831.patch +Patch0007: 0007-frrinit.patch +Patch0008: 0008-ospf-multi-instance.patch +Patch0009: 0009-bgp-ttl-security.patch +Patch0010: 0010-bfd-reload.patch +Patch0011: 0011-designated-router.patch +Patch0012: 0012-bfd-peers-crash.patch + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%prep +%autosetup -S git + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=%{_localstatedir}/run/frr \ + --enable-snmp=agentx \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --enable-ospfclient=no \ + --enable-ospfapi=no \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ + --enable-fpm + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +pushd doc +make info +popd + +%install +mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr +mkdir -p %{buildroot}%{_tmpfilesdir} + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}/usr/share/info/dir + +install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh + +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +rm %{buildroot}%{_libdir}/frr/*.la +rm %{buildroot}%{_libdir}/frr/modules/*.la + +#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed +rm %{buildroot}%{_libdir}/frr/*.so +rm -r %{buildroot}%{_includedir}/frr/ + +%pre +getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || : +getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || : +getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \ + -c "FRRouting suite" -d %{_localstatedir}/run/frr frr || : +usermod -aG frrvty frr + +%post +%systemd_post frr.service + +if [ -f %{_infodir}/%{name}.inf* ]; then + install-info %{_infodir}/frr.info %{_infodir}/dir || : +fi + +# Create dummy files if they don't exist so basic functions can be used. +if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf + chown frr:frr %{_sysconfdir}/frr/zebra.conf + chmod 640 %{_sysconfdir}/frr/zebra.conf +fi + +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf +fi + +#Making sure that the old format of config file still works +#Checking whether .rpmnew conf file is present - in that case I want to change the old config +if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then + sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons + sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons +fi + +%postun +%systemd_postun_with_restart frr.service + +#only when removing the package +if [ $1 -ge 0 ]; then + if [ -f %{_infodir}/%{name}.inf* ]; then + install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : + fi +fi + +%preun +%systemd_preun frr.service + +%check +make check PYTHON=%{__python3} + +%files +%defattr(-,root,root) +%license COPYING +%doc zebra/zebra.conf.sample +%doc isisd/isisd.conf.sample +%doc ripd/ripd.conf.sample +%doc bgpd/bgpd.conf.sample* +%doc ospfd/ospfd.conf.sample +%doc ospf6d/ospf6d.conf.sample +%doc ripngd/ripngd.conf.sample +%doc pimd/pimd.conf.sample +%doc doc/mpls +%dir %attr(740,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) /var/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man*/* +%dir %{frr_libdir}/ +%{frr_libdir}/* +%{_bindir}/* +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%dir %{_libdir}/frr/modules/ +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr +%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons +%config(noreplace) /etc/pam.d/frr +%{_unitdir}/*.service +%dir /usr/share/yang +/usr/share/yang/*.yang +%{_tmpfilesdir}/%{name}.conf + +%changelog +* Wed Jan 05 2022 Michal Ruprich - 7.5-11 +- Resolves: #2034328 - Bfdd crash in metallb CI + +* Tue Jan 04 2022 Michal Ruprich - 7.5-10 +- Resolves: #2020878 - frr ospfd show ip ospf interface does not show designated router info + +* Fri Dec 10 2021 Michal Ruprich - 7.5-9 +- Resolves: #2029958 - FRR reloader generating invalid BFD configurations, exits with error + +* Tue Nov 16 2021 Michal Ruprich - 7.5-8 +- Resolves: #2021819 - Rebuilding for the new json-c + +* Thu Sep 30 2021 Michal Ruprich - 7.5-7 +- Related: #1917269 - Wrong value in gating file + +* Fri Sep 17 2021 Michal Ruprich - 7.5-6 +- Related: #1917269 - Incomplete patch, adding gating rules + +* Thu Sep 16 2021 Michal Ruprich - 7.5-5 +- Resolves: #1979426 - Unable to configure OSPF in multi-instance mode +- Resolves: #1917269 - vtysh running-config output not showing bgp ttl-security hops option + +* Tue Jan 12 2021 root - 7.5-4 +- Related: #1889323 - Fixing start-up with old config file + +* Mon Jan 11 2021 root - 7.5-3 +- Related: #1889323 - Reverting to non-integrated cofiguration + +* Thu Jan 07 2021 Michal Ruprich - 7.5-2 +- Related: #1889323 - Obsoleting frr-contrib + +* Thu Jan 07 2021 Michal Ruprich - 7.5-1 +- Resolves: #1889323 - [RFE] Rebase FRR to 7.5 + +* Thu Aug 20 2020 Michal Ruprich - 7.0-10 +- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881 + +* Thu Aug 20 2020 Michal Ruprich - 7.0-9 +- Resolves: #1852476 - default permission issue eases information leaks + +* Tue May 05 2020 Michal Ruprich - 7.0-8 +- Resolves: #1819319 - frr fails to start start if the initscripts package is missing + +* Mon May 04 2020 Michal Ruprich - 7.0-7 +- Resolves: #1758544 - IGMPv3 queries may lead to DoS + +* Tue Mar 10 2020 Michal Ruprich - 7.0-6 +- Resolves: #1776342 - frr has missing dependency on iproute + +* Tue Sep 03 2019 Michal Ruprich - 7.0-5 +- Resolves: #1719465 - Removal of component Frr or its crypto + +* Wed Jun 19 2019 Michal Ruprich - 7.0-4 +- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test + +* Wed Jun 19 2019 Michal Ruprich - 7.0-3 +- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty + +* Wed Jun 19 2019 Michal Ruprich - 7.0-2 +- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel + +* Wed May 29 2019 Michal Ruprich - 7.0-1 +- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8 diff --git a/sources b/sources new file mode 100644 index 0000000..b0b7c94 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (frr-7.5.tar.gz) = f605df81cdcf4ba7b91b402397816fdbc8299c406f719cc09d54c942cc0d6bed3e855a2f3d6cbd9594c7f83b6c8c7181b5fa8e8096712dc2d821b6d16d65fafa