rpms/frr
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import frr-7.5.1-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 05:57:02 -04:00 committed by Stepan Oksanichenko
parent 9d4921fbd1
commit 387acfb08a
14 changed files with 542 additions and 307 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.frr.metadata
View File

@ -1 +1 @@
67064fd2c9f971a7004e3e66411f9c99e56cfb9c SOURCES/frr-7.5.tar.gz dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/frr-7.5.tar.gz SOURCES/frr-7.5.1.tar.gz

0
SOURCES/0011-designated-router.patch → SOURCES/0008-designated-router.patch
View File

119
SOURCES/0008-ospf-multi-instance.patch
View File

@ -1,119 +0,0 @@
diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
index d8be19db9..6fe94f3a4 100644
--- a/ospfd/ospfd.c
+++ b/ospfd/ospfd.c
@@ -384,12 +384,50 @@ struct ospf *ospf_lookup_by_inst_name(unsigned short instance, const char *name)
return NULL;
}
-struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
+static void ospf_init(struct ospf *ospf)
{
- struct ospf *ospf;
struct vrf *vrf;
struct interface *ifp;
+ ospf_opaque_type11_lsa_init(ospf);
+
+ if (ospf->vrf_id != VRF_UNKNOWN)
+ ospf->oi_running = 1;
+
+ /* Activate 'ip ospf area x' configured interfaces for given
+ * vrf. Activate area on vrf x aware interfaces.
+ * vrf_enable callback calls router_id_update which
+ * internally will call ospf_if_update to trigger
+ * network_run_state
+ */
+ vrf = vrf_lookup_by_id(ospf->vrf_id);
+
+ FOR_ALL_INTERFACES (vrf, ifp) {
+ struct ospf_if_params *params;
+ struct route_node *rn;
+ uint32_t count = 0;
+
+ params = IF_DEF_PARAMS(ifp);
+ if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
+ count++;
+
+ for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
+ if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
+ count++;
+
+ if (count > 0) {
+ ospf_interface_area_set(ospf, ifp);
+ ospf->if_ospf_cli_count += count;
+ }
+ }
+
+ ospf_router_id_update(ospf);
+}
+
+struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
+{
+ struct ospf *ospf;
+
/* vrf name provided call inst and name based api
* in case of no name pass default ospf instance */
if (name)
@@ -402,39 +440,7 @@ struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
ospf = ospf_new(instance, name);
ospf_add(ospf);
- ospf_opaque_type11_lsa_init(ospf);
-
- if (ospf->vrf_id != VRF_UNKNOWN)
- ospf->oi_running = 1;
-
- /* Activate 'ip ospf area x' configured interfaces for given
- * vrf. Activate area on vrf x aware interfaces.
- * vrf_enable callback calls router_id_update which
- * internally will call ospf_if_update to trigger
- * network_run_state
- */
- vrf = vrf_lookup_by_id(ospf->vrf_id);
-
- FOR_ALL_INTERFACES (vrf, ifp) {
- struct ospf_if_params *params;
- struct route_node *rn;
- uint32_t count = 0;
-
- params = IF_DEF_PARAMS(ifp);
- if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
- count++;
-
- for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
- if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
- count++;
-
- if (count > 0) {
- ospf_interface_area_set(ospf, ifp);
- ospf->if_ospf_cli_count += count;
- }
- }
-
- ospf_router_id_update(ospf);
+ ospf_init(ospf);
}
return ospf;
@@ -450,7 +456,7 @@ struct ospf *ospf_get_instance(unsigned short instance, bool *created)
ospf = ospf_new(instance, NULL /* VRF_DEFAULT*/);
ospf_add(ospf);
- ospf_opaque_type11_lsa_init(ospf);
+ ospf_init(ospf);
}
return ospf;
diff --git a/ospfd/ospfd.h b/ospfd/ospfd.h
index 192e54281..3087b735a 100644
--- a/ospfd/ospfd.h
+++ b/ospfd/ospfd.h
@@ -604,7 +604,6 @@ extern int ospf_nbr_nbma_poll_interval_set(struct ospf *, struct in_addr,
unsigned int);
extern int ospf_nbr_nbma_poll_interval_unset(struct ospf *, struct in_addr);
extern void ospf_prefix_list_update(struct prefix_list *);
-extern void ospf_init(void);
extern void ospf_if_update(struct ospf *, struct interface *);
extern void ospf_ls_upd_queue_empty(struct ospf_interface *);
extern void ospf_terminate(void);

92
SOURCES/0009-bgp-ttl-security.patch
View File

@ -1,92 +0,0 @@
From 8a66632391db5f5181a4afef6aae41f48bee7fdb Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 15 Jan 2021 08:14:49 -0500
Subject: [PATCH] bgpd: Allow peer-groups to have `ttl-security hops`
configured
The command `neighbor PGROUP ttl-security hops X` was being
accepted but ignored. Allow it to be stored. I am still
not sure that this is applied correctly, but that is another
problem.
Fixes: #7848
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgpd.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 9297ec4711c..4ebd3da0620 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -7150,6 +7150,7 @@ int is_ebgp_multihop_configured(struct peer *peer)
int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
{
struct peer_group *group;
+ struct peer *gpeer;
struct listnode *node, *nnode;
int ret;
@@ -7186,9 +7187,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
return ret;
} else {
group = peer->group;
+ group->conf->gtsm_hops = gtsm_hops;
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
- peer)) {
- peer->gtsm_hops = group->conf->gtsm_hops;
+ gpeer)) {
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
/* Calling ebgp multihop also resets the
* session.
@@ -7198,7 +7200,7 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
* value is
* irrelevant.
*/
- peer_ebgp_multihop_set(peer, MAXTTL);
+ peer_ebgp_multihop_set(gpeer, MAXTTL);
}
}
} else {
@@ -7219,9 +7221,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
MAXTTL + 1 - gtsm_hops);
} else {
group = peer->group;
+ group->conf->gtsm_hops = gtsm_hops;
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
- peer)) {
- peer->gtsm_hops = group->conf->gtsm_hops;
+ gpeer)) {
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
/* Change setting of existing peer
* established then change value (may break
@@ -7231,17 +7234,18 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
* no session then do nothing (will get
* handled by next connection)
*/
- if (peer->fd >= 0
- && peer->gtsm_hops
+ if (gpeer->fd >= 0
+ && gpeer->gtsm_hops
!= BGP_GTSM_HOPS_DISABLED)
sockopt_minttl(
- peer->su.sa.sa_family, peer->fd,
- MAXTTL + 1 - peer->gtsm_hops);
- if ((peer->status < Established)
- && peer->doppelganger
- && (peer->doppelganger->fd >= 0))
- sockopt_minttl(peer->su.sa.sa_family,
- peer->doppelganger->fd,
+ gpeer->su.sa.sa_family,
+ gpeer->fd,
+ MAXTTL + 1 - gpeer->gtsm_hops);
+ if ((gpeer->status < Established)
+ && gpeer->doppelganger
+ && (gpeer->doppelganger->fd >= 0))
+ sockopt_minttl(gpeer->su.sa.sa_family,
+ gpeer->doppelganger->fd,
MAXTTL + 1 - gtsm_hops);
}
}

25
SOURCES/0009-routemap.patch Normal file
View File

@ -0,0 +1,25 @@
diff --git a/lib/routemap.c b/lib/routemap.c
index a90443a..0b594b2 100644
--- a/lib/routemap.c
+++ b/lib/routemap.c
@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
*/
static struct route_map_index *
route_map_get_index(struct route_map *map, const struct prefix *prefix,
- route_map_object_t type, void *object, uint8_t *match_ret)
+ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
{
- int ret = 0;
+ enum route_map_cmd_result_t ret = RMAP_NOMATCH;
struct list *candidate_rmap_list = NULL;
struct route_node *rn = NULL;
struct listnode *ln = NULL, *nn = NULL;
@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
if ((!map->optimization_disabled)
&& (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
index = route_map_get_index(map, prefix, type, object,
- (uint8_t *)&match_ret);
+ &match_ret);
if (index) {
if (rmap_debug)
zlog_debug(

60
SOURCES/0010-bfd-reload.patch
View File

@ -1,60 +0,0 @@
From 46a2b560fa84c5f8ece8dbb82cbf355af675ad41 Mon Sep 17 00:00:00 2001
From: Rafael Zalamena <rzalamena@opensourcerouting.org>
Date: Tue, 19 Jan 2021 08:49:23 -0300
Subject: [PATCH] tools: fix frr-reload BFD profile support
Fix the handling of multiple BFD profiles by adding the appropriated
code to push/pop contexts inside BFD configuration node.
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
---
tools/frr-reload.py | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index da005b6f874..ca6fe81f007 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -533,6 +533,18 @@ def load_contexts(self):
if line.startswith('!') or line.startswith('#'):
continue
+ if (len(ctx_keys) == 2
+ and ctx_keys[0].startswith('bfd')
+ and ctx_keys[1].startswith('profile ')
+ and line == 'end'):
+ log.debug('LINE %-50s: popping from sub context, %-50s', line, ctx_keys)
+
+ if main_ctx_key:
+ self.save_contexts(ctx_keys, current_context_lines)
+ ctx_keys = copy.deepcopy(main_ctx_key)
+ current_context_lines = []
+ continue
+
# one line contexts
# there is one exception though: ldpd accepts a 'router-id' clause
# as part of its 'mpls ldp' config context. If we are processing
@@ -649,6 +661,22 @@ def load_contexts(self):
log.debug('LINE %-50s: entering sub-sub-context, append to ctx_keys', line)
ctx_keys.append(line)
+ elif (
+ line.startswith('profile ')
+ and len(ctx_keys) == 1
+ and ctx_keys[0].startswith('bfd')
+ ):
+
+ # Save old context first
+ self.save_contexts(ctx_keys, current_context_lines)
+ current_context_lines = []
+ main_ctx_key = copy.deepcopy(ctx_keys)
+ log.debug(
+ "LINE %-50s: entering BFD profile sub-context, append to ctx_keys",
+ line
+ )
+ ctx_keys.append(line)
+
else:
# Continuing in an existing context, add non-commented lines to it
current_context_lines.append(line)

40
SOURCES/0010-moving-executables.patch Normal file
View File

@ -0,0 +1,40 @@
diff --git a/tools/frr.service b/tools/frr.service
index aa45f42..a3f0103 100644
--- a/tools/frr.service
+++ b/tools/frr.service
@@ -17,9 +17,9 @@ WatchdogSec=60s
RestartSec=5
Restart=on-abnormal
LimitNOFILE=1024
-ExecStart=/usr/lib/frr/frrinit.sh start
-ExecStop=/usr/lib/frr/frrinit.sh stop
-ExecReload=/usr/lib/frr/frrinit.sh reload
+ExecStart=/usr/libexec/frr/frrinit.sh start
+ExecStop=/usr/libexec/frr/frrinit.sh stop
+ExecReload=/usr/libexec/frr/frrinit.sh reload
[Install]
WantedBy=multi-user.target
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 9a144b2..a334d95 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -59,6 +59,9 @@ chownfrr() {
[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
+ if [ -d "$1" ]; then
+ chmod gu+x "$1"
+ fi
}
vtysh_b () {
@@ -152,7 +155,7 @@ daemon_start() {
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
mkdir -p "$V_PATH"
- chown frr "$V_PATH"
+ chownfrr "$V_PATH"
fi
eval wrap="\$${daemon}_wrap"

77
SOURCES/0011-reload-bfd-profile.patch Normal file
View File

@ -0,0 +1,77 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 9979c8b..1c24f90 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
return True
return False
+def delete_bgp_bfd(lines_to_add, lines_to_del):
+ """
+ When 'neighbor <peer> bfd profile <profile>' is present without a
+ 'neighbor <peer> bfd' line, FRR explicitily adds it to the running
+ configuration. When the new configuration drops the bfd profile
+ line, the user's intent is to delete any bfd configuration on the
+ peer. On reload, deleting the bfd profile line after the bfd line
+ will re-enable BFD with the default BFD profile. Move the bfd line
+ to the end, if it exists in the new configuration.
+
+ Example:
+
+ neighbor 10.0.0.1 bfd
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+
+ Move to end:
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+ ...
+
+ neighbor 10.0.0.1 bfd
+
+ """
+ lines_to_del_to_app = []
+ for (ctx_keys, line) in lines_to_del:
+ if (
+ ctx_keys[0].startswith("router bgp")
+ and line
+ and line.startswith("neighbor ")
+ ):
+ # 'no neighbor [peer] bfd>'
+ nb_bfd = "neighbor (\S+) .*bfd$"
+ re_nb_bfd = re.search(nb_bfd, line)
+ if re_nb_bfd:
+ lines_to_del_to_app.append((ctx_keys, line))
+
+ for (ctx_keys, line) in lines_to_del_to_app:
+ lines_to_del.remove((ctx_keys, line))
+ lines_to_del.append((ctx_keys, line))
+
+ return (lines_to_add, lines_to_del)
+
+
def check_for_exit_vrf(lines_to_add, lines_to_del):
# exit-vrf is a bit tricky. If the new config is missing it but we
@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
for line in newconf_ctx.lines:
lines_to_add.append((newconf_ctx_keys, line))
+ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
index b566b0e..1bd6249 100644
--- a/bgpd/bgp_bfd.c
+++ b/bgpd/bgp_bfd.c
@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
&& (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
- vty_out(vty, " neighbor %s bfd", addr);
+ vty_out(vty, " neighbor %s bfd\n", addr);
if (bfd_info->profile[0])
- vty_out(vty, " profile %s", bfd_info->profile);
+ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
vty_out(vty, "\n");
}

25
SOURCES/0012-bfd-peers-crash.patch
View File

@ -1,25 +0,0 @@
From 1d923374f64e099d734899aff219d90cb0213fa6 Mon Sep 17 00:00:00 2001
From: Emanuele Bovisio <emanuele.bovisio@eolo.it>
Date: Thu, 5 Nov 2020 14:27:51 +0100
Subject: [PATCH] bfdd: fix crash on show bfd peers counters json
wrong pointer passed to bfd_id_iterate function
Signed-off-by: Emanuele Bovisio <emanuele.bovisio@eolo.it>
---
bfdd/bfdd_vty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bfdd/bfdd_vty.c b/bfdd/bfdd_vty.c
index a3f1638e5f6..837a7b7d7d6 100644
--- a/bfdd/bfdd_vty.c
+++ b/bfdd/bfdd_vty.c
@@ -447,7 +447,7 @@ static void _display_peers_counter(struct vty *vty, char *vrfname, bool use_json
jo = json_object_new_array();
bvt.jo = jo;
- bfd_id_iterate(_display_peer_counter_json_iter, jo);
+ bfd_id_iterate(_display_peer_counter_json_iter, &bvt);
vty_out(vty, "%s\n", json_object_to_json_string_ext(jo, 0));
json_object_free(jo);

28
SOURCES/frr.fc Normal file
View File

@ -0,0 +1,28 @@
/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)

162
SOURCES/frr.if Normal file
View File

@ -0,0 +1,162 @@
## <summary>policy for frr</summary>
########################################
## <summary>
## Execute frr_exec_t in the frr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`frr_domtrans',`
gen_require(`
type frr_t, frr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, frr_exec_t, frr_t)
')
######################################
## <summary>
## Execute frr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_exec',`
gen_require(`
type frr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, frr_exec_t)
')
########################################
## <summary>
## Read frr's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`frr_read_log',`
gen_require(`
type frr_log_t;
')
read_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Append to frr log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_append_log',`
gen_require(`
type frr_log_t;
')
append_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Manage frr log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_manage_log',`
gen_require(`
type frr_log_t;
')
manage_dirs_pattern($1, frr_log_t, frr_log_t)
manage_files_pattern($1, frr_log_t, frr_log_t)
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Read frr PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_read_pid_files',`
gen_require(`
type frr_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an frr environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_admin',`
gen_require(`
type frr_t;
type frr_log_t;
type frr_var_run_t;
')
allow $1 frr_t:process { signal_perms };
ps_process_pattern($1, frr_t)
tunable_policy(`deny_ptrace',`',`
allow $1 frr_t:process ptrace;
')
admin_pattern($1, frr_log_t)
files_search_pids($1)
admin_pattern($1, frr_var_run_t)
optional_policy(`
logging_search_logs($1)
')
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

121
SOURCES/frr.te Normal file
View File

@ -0,0 +1,121 @@
policy_module(frr, 1.0.0)
########################################
#
# Declarations
#
type frr_t;
type frr_exec_t;
init_daemon_domain(frr_t, frr_exec_t)
type frr_log_t;
logging_log_file(frr_log_t)
type frr_tmp_t;
files_tmp_file(frr_tmp_t)
type frr_lock_t;
files_lock_file(frr_lock_t)
type frr_conf_t;
files_config_file(frr_conf_t)
type frr_unit_file_t;
systemd_unit_file(frr_unit_file_t)
type frr_var_run_t;
files_pid_file(frr_var_run_t)
########################################
#
# frr local policy
#
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create;
allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
allow frr_t self:udp_socket create_socket_perms;
allow frr_t self:unix_stream_socket connectto;
allow frr_t frr_conf_t:dir list_dir_perms;
manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
manage_files_pattern(frr_t, frr_log_t, frr_log_t)
manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
allow frr_t frr_tmp_t:file map;
manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
allow frr_t frr_exec_t:dir search_dir_perms;
can_exec(frr_t, frr_exec_t)
kernel_read_network_state(frr_t)
kernel_read_net_sysctls(frr_t)
kernel_read_system_state(frr_t)
auth_use_nsswitch(frr_t)
corecmd_exec_bin(frr_t)
corenet_tcp_bind_appswitch_emp_port(frr_t)
corenet_udp_bind_bfd_control_port(frr_t)
corenet_udp_bind_bfd_echo_port(frr_t)
corenet_tcp_bind_bgp_port(frr_t)
corenet_udp_bind_all_unreserved_ports(frr_t);
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_firepower_port(frr_t)
corenet_tcp_bind_priority_e_com_port(frr_t)
corenet_udp_bind_router_port(frr_t)
corenet_tcp_bind_qpasa_agent_port(frr_t)
corenet_tcp_bind_smntubootstrap_port(frr_t)
corenet_tcp_bind_versa_tek_port(frr_t)
corenet_tcp_bind_zebra_port(frr_t)
domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t)
sysnet_exec_ifconfig(frr_t)
userdom_read_admin_home_files(frr_t)
init_signal(frr_t)
init_signal_script(frr_t)
init_signull_script(frr_t)
optional_policy(`
logging_send_syslog_msg(frr_t)
')
optional_policy(`
modutils_exec_kmod(frr_t)
modutils_getattr_module_deps(frr_t)
modutils_read_module_config(frr_t)
modutils_read_module_deps_files(frr_t)
')
optional_policy(`
networkmanager_read_state(frr_t)
')
optional_policy(`
userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
')

96
SPECS/frr.spec
View File

@ -1,16 +1,21 @@
%global frrversion 7.5 %global frrversion 7.5.1
%global frr_libdir /usr/lib/frr %global frr_libdir /usr/libexec/frr
%global _hardened_build 1 %global _hardened_build 1
%global selinuxtype targeted
%bcond_without selinux
Name: frr Name: frr
Version: 7.5 Version: 7.5.1
Release: 11%{?checkout}%{?dist} Release: 3%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
Source1: %{name}-tmpfiles.conf Source1: %{name}-tmpfiles.conf
Source2: frr.fc
Source3: frr.te
Source4: frr.if
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: gcc BuildRequires: gcc
BuildRequires: net-snmp-devel BuildRequires: net-snmp-devel
@ -27,6 +32,11 @@ Requires(preun): systemd /sbin/install-info
Requires(postun): systemd Requires(postun): systemd
Requires: iproute Requires: iproute
Requires: initscripts Requires: initscripts
%if 0%{?with_selinux}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga frr-contrib Obsoletes: frr-sysvinit quagga frr-contrib
@ -37,11 +47,10 @@ Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch Patch0004: 0004-fips-mode.patch
Patch0006: 0006-CVE-2020-12831.patch Patch0006: 0006-CVE-2020-12831.patch
Patch0007: 0007-frrinit.patch Patch0007: 0007-frrinit.patch
Patch0008: 0008-ospf-multi-instance.patch Patch0008: 0008-designated-router.patch
Patch0009: 0009-bgp-ttl-security.patch Patch0009: 0009-routemap.patch
Patch0010: 0010-bfd-reload.patch Patch0010: 0010-moving-executables.patch
Patch0011: 0011-designated-router.patch Patch0011: 0011-reload-bfd-profile.patch
Patch0012: 0012-bfd-peers-crash.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -52,8 +61,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
FRRouting is a fork of Quagga. FRRouting is a fork of Quagga.
%if 0%{?with_selinux}
%package selinux
Summary: Selinux policy for FRR
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
SELinux policy modules for FRR package
%endif
%prep %prep
%autosetup -S git %autosetup -S git
#SELinux
mkdir selinux
cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux
%build %build
autoreconf -ivf autoreconf -ivf
@ -88,6 +114,12 @@ pushd doc
make info make info
popd popd
#SELinux policy
%if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 selinux/%{name}.pp
%endif
%install %install
mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
%{buildroot}/var/log/frr %{buildroot}%{_infodir} \ %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
@ -112,6 +144,12 @@ install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buil
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr install -d -m 775 %{buildroot}/run/frr
%if 0%{?with_selinux}
install -D -m 644 selinux/%{name}.pp.bz2 \
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
rm %{buildroot}%{_libdir}/frr/*.la rm %{buildroot}%{_libdir}/frr/*.la
rm %{buildroot}%{_libdir}/frr/modules/*.la rm %{buildroot}%{_libdir}/frr/modules/*.la
@ -127,6 +165,8 @@ getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
usermod -aG frrvty frr usermod -aG frrvty frr
%post %post
#Because we move files to /usr/libexec, we need to reload .service files as well
/usr/bin/systemctl daemon-reload
%systemd_post frr.service %systemd_post frr.service
if [ -f %{_infodir}/%{name}.inf* ]; then if [ -f %{_infodir}/%{name}.inf* ]; then
@ -166,6 +206,26 @@ fi
%preun %preun
%systemd_preun frr.service %systemd_preun frr.service
#SELinux
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
%selinux_relabel_post -s %{selinuxtype}
fi
%endif
%check %check
make check PYTHON=%{__python3} make check PYTHON=%{__python3}
@ -201,7 +261,25 @@ make check PYTHON=%{__python3}
/usr/share/yang/*.yang /usr/share/yang/*.yang
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%endif
%changelog %changelog
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2
- Resolves: #1714984 - SELinux policy (daemons) changes required for package
* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
- Resolves: #2018451 - Rebase of frr to version 7.5.1
- Resolves: #1975361 - the dynamic routing setup does not work any more
* Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11 * Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11
- Resolves: #2034328 - Bfdd crash in metallb CI - Resolves: #2034328 - Bfdd crash in metallb CI