import CS frr-7.5.1-13.el8

.frr.metadata

@@ -1,2 +1 @@
 dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
-e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if

.gitignore

@@ -1,2 +1 @@
 SOURCES/frr-7.5.1.tar.gz
-SOURCES/frr.if

SOURCES/0014-bfd-profile-crash.patch

@@ -0,0 +1,117 @@
+From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001
+From: Igor Ryzhov <iryzhov@nfware.com>
+Date: Thu, 1 Apr 2021 15:29:18 +0300
+Subject: [PATCH] bfdd: remove profiles when removing bfd node
+
+Fixes #8379.
+
+Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
+---
+ bfdd/bfd.c            | 8 ++++++++
+ bfdd/bfd.h            | 1 +
+ bfdd/bfdd_nb_config.c | 1 +
+ 3 files changed, 10 insertions(+)
+
+diff --git a/bfdd/bfd.c b/bfdd/bfd.c
+index c966efd8ea71..cf292a836354 100644
+--- a/bfdd/bfd.c
++++ b/bfdd/bfd.c
+@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void)
+ 	hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL);
+ }
+ 
++void bfd_profiles_remove(void)
++{
++	struct bfd_profile *bp;
++
++	while ((bp = TAILQ_FIRST(&bplist)) != NULL)
++		bfd_profile_free(bp);
++}
++
+ /*
+  * Profile related hash functions.
+  */
+diff --git a/bfdd/bfd.h b/bfdd/bfd.h
+index af3f92d6a8f8..9ee1da728717 100644
+--- a/bfdd/bfd.h
++++ b/bfdd/bfd.h
+@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs);
+ const struct bfd_session *bfd_session_next(const struct bfd_session *bs,
+ 					   bool mhop);
+ void bfd_sessions_remove_manual(void);
++void bfd_profiles_remove(void);
+ 
+ /**
+  * Set the BFD session echo state.
+diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
+index 0046bc625b45..77f8cbd09c07 100644
+--- a/bfdd/bfdd_nb_config.c
++++ b/bfdd/bfdd_nb_config.c
+@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
+ 
+ 	case NB_EV_APPLY:
+ 		bfd_sessions_remove_manual();
++		bfd_profiles_remove();
+ 		break;
+ 
+ 	case NB_EV_ABORT:
+diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
+index 77f8cbd09c07..4030e2eefa50 100644
+--- a/bfdd/bfdd_nb_config.c
++++ b/bfdd/bfdd_nb_config.c
+@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event,
+  */
+ int bfdd_bfd_create(struct nb_cb_create_args *args)
+ {
+-	/* NOTHING */
++	if (args->event != NB_EV_APPLY)
++		return NB_OK;
++
++	/*
++	 * Set any non-NULL value to be able to call
++	 * nb_running_unset_entry in bfdd_bfd_destroy.
++	 */
++	nb_running_set_entry(args->dnode, (void *)0x1);
++
+ 	return NB_OK;
+ }
+ 
+@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
+ 		return NB_OK;
+ 
+ 	case NB_EV_APPLY:
++		/*
++		 * We need to call this to unset pointers from
++		 * the child nodes - sessions and profiles.
++		 */
++		nb_running_unset_entry(args->dnode);
++
+ 		bfd_sessions_remove_manual();
+ 		bfd_profiles_remove();
+ 		break;
+diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c
+index b64e36b36a44..5a844e56e121 100644
+--- a/bfdd/bfdd_cli.c
++++ b/bfdd/bfdd_cli.c
+@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode,
+  * Profile commands.
+  */
+ DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd,
+-	   "profile WORD$name",
++	   "profile BFDPROF$name",
+ 	   BFD_PROFILE_STR
+ 	   BFD_PROFILE_NAME_STR)
+ {
+diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
+index 74f13e1a44e8..cf1811bb1f2f 100644
+--- a/vtysh/vtysh.c
++++ b/vtysh/vtysh.c
+@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd,
+ }
+ 
+ DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd,
+-	"profile WORD",
++	"profile BFDPROF",
+ 	BFD_PROFILE_STR
+ 	BFD_PROFILE_NAME_STR)
+ {

SOURCES/0015-max-ttl-reload.patch

@@ -0,0 +1,93 @@
+From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 21 Aug 2023 00:01:42 +0300
+Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop
+ vty output
+
+1. Create /etc/frr/frr.conf
+```
+frr version 7.5
+frr defaults traditional
+hostname centos8.localdomain
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+line vty
+router bgp 4250001000
+  neighbor 192.168.122.207 remote-as 65512
+  neighbor 192.168.122.207 ebgp-multihop
+```
+
+2. Start FRR
+`# systemctl start frr
+`
+3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225)
+
+```
+Building configuration...
+
+Current configuration:
+!
+frr version 7.5
+frr defaults traditional
+hostname centos8.localdomain
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+router bgp 4250001000
+ neighbor 192.168.122.207 remote-as 65512
+ neighbor 192.168.122.207 ebgp-multihop 255
+!
+line vty
+!
+end
+```
+4. Copy initial frr.conf to frr.conf.new (no changes)
+`# cp /etc/frr/frr.conf /root/frr.conf.new
+`
+5. Run frr-reload.sh:
+
+```
+$ /usr/lib/frr/frr-reload.py --test  /root/frr.conf.new
+2023-08-20 20:15:48,050  INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)"
+2023-08-20 20:15:48,050  INFO: Loading Config object from file /root/frr.conf.new
+2023-08-20 20:15:48,124  INFO: Loading Config object from vtysh show running
+
+Lines To Delete
+===============
+router bgp 4250001000
+ no neighbor 192.168.122.207 ebgp-multihop 255
+
+Lines To Add
+============
+router bgp 4250001000
+ neighbor 192.168.122.207 ebgp-multihop
+```
+
+Closes https://github.com/FRRouting/frr/issues/14242
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_vty.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
+index be0fe4283747..c9a9255f3392 100644
+--- a/bgpd/bgp_vty.c
++++ b/bgpd/bgp_vty.c
+@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
+ 	    && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED
+ 		 && peer->ttl == MAXTTL)) {
+ 		if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) {
+-			vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr,
+-				peer->ttl);
++			if (peer->ttl != MAXTTL)
++				vty_out(vty, " neighbor %s ebgp-multihop %d\n",
++					addr, peer->ttl);
++			else
++				vty_out(vty, " neighbor %s ebgp-multihop\n",
++					addr);
+ 		}
+ 	}
+ 

SOURCES/frr.if

@@ -0,0 +1,206 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##  Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+  interface(`sysnet_read_ifconfig_run',`
+    gen_require(`
+      type ifconfig_var_run_t;
+    ')
+
+    manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+  ')
+')
+
+########################################
+## <summary>
+##  Read unconfined_t files and dirs
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+ifndef(`unconfined_read_files',`
+  interface(`unconfined_read_files',`
+    gen_require(`
+      type unconfined_t;
+    ')
+
+    allow $1 unconfined_t:file read_file_perms;
+    allow $1 unconfined_t:dir list_dir_perms;
+  ')
+')

SOURCES/frr.te

@@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
 allow frr_t self:packet_socket create;
 allow frr_t self:process { setcap setpgid };
@@ -96,6 +96,7 @@ fs_read_nsfs_files(frr_t)
 fs_search_cgroup_dirs(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
 
 userdom_read_admin_home_files(frr_t)
 
@@ -107,6 +108,10 @@ optional_policy(`
 	logging_send_syslog_msg(frr_t)
 ')
 
+optional_policy(`
+  unconfined_read_files(frr_t)
+')
+
 optional_policy(`
 	modutils_exec_kmod(frr_t)
 	modutils_getattr_module_deps(frr_t)

SPECS/frr.spec

@@ -7,7 +7,7 @@
 
 Name: frr
 Version: 7.5.1
-Release: 7%{?checkout}%{?dist}
+Release: 13%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -53,6 +53,8 @@ Patch0010: 0010-moving-executables.patch
 Patch0011: 0011-reload-bfd-profile.patch
 Patch0012: 0012-graceful-restart.patch
 Patch0013: 0013-CVE-2022-37032.patch
+Patch0014: 0014-bfd-profile-crash.patch
+Patch0015: 0015-max-ttl-reload.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -273,6 +275,24 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
+- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration
+
+* Wed Aug 23 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-12
+- Resolves: #2216911 - Adding missing sys_admin SELinux call
+
+* Mon Aug 21 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-11
+- Related: #2216911 - Adding unconfined_t type to access namespaces
+
+* Thu Aug 17 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-10
+- Related: #2226803 - Adding patch
+
+* Wed Aug 16 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-9
+- Resolves: #2226803 - BFD crash in FRR running in MetalLB
+
+* Fri Aug 11 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-8
+- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces
+
 * Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
 - Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service