import frr-7.5.1-3.el8

CentOS Sources 2022-09-27 05:57:02 -04:00 committed by Stepan Oksanichenko
parent 9d4921fbd1
commit 387acfb08a
14 changed files with 542 additions and 307 deletions


@ -1 +1 @@
67064fd2c9f971a7004e3e66411f9c99e56cfb9c SOURCES/frr-7.5.tar.gz dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/frr-7.5.tar.gz SOURCES/frr-7.5.1.tar.gz


@ -1,119 +0,0 @@
diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
index d8be19db9..6fe94f3a4 100644
--- a/ospfd/ospfd.c
+++ b/ospfd/ospfd.c
@@ -384,12 +384,50 @@ struct ospf *ospf_lookup_by_inst_name(unsigned short instance, const char *name)
return NULL;
}
-struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
+static void ospf_init(struct ospf *ospf)
{
- struct ospf *ospf;
struct vrf *vrf;
struct interface *ifp;
+ ospf_opaque_type11_lsa_init(ospf);
+
+ if (ospf->vrf_id != VRF_UNKNOWN)
+ ospf->oi_running = 1;
+
+ /* Activate 'ip ospf area x' configured interfaces for given
+ * vrf. Activate area on vrf x aware interfaces.
+ * vrf_enable callback calls router_id_update which
+ * internally will call ospf_if_update to trigger
+ * network_run_state
+ */
+ vrf = vrf_lookup_by_id(ospf->vrf_id);
+
+ FOR_ALL_INTERFACES (vrf, ifp) {
+ struct ospf_if_params *params;
+ struct route_node *rn;
+ uint32_t count = 0;
+
+ params = IF_DEF_PARAMS(ifp);
+ if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
+ count++;
+
+ for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
+ if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
+ count++;
+
+ if (count > 0) {
+ ospf_interface_area_set(ospf, ifp);
+ ospf->if_ospf_cli_count += count;
+ }
+ }
+
+ ospf_router_id_update(ospf);
+}
+
+struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
+{
+ struct ospf *ospf;
+
/* vrf name provided call inst and name based api
* in case of no name pass default ospf instance */
if (name)
@@ -402,39 +440,7 @@ struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
ospf = ospf_new(instance, name);
ospf_add(ospf);
- ospf_opaque_type11_lsa_init(ospf);
-
- if (ospf->vrf_id != VRF_UNKNOWN)
- ospf->oi_running = 1;
-
- /* Activate 'ip ospf area x' configured interfaces for given
- * vrf. Activate area on vrf x aware interfaces.
- * vrf_enable callback calls router_id_update which
- * internally will call ospf_if_update to trigger
- * network_run_state
- */
- vrf = vrf_lookup_by_id(ospf->vrf_id);
-
- FOR_ALL_INTERFACES (vrf, ifp) {
- struct ospf_if_params *params;
- struct route_node *rn;
- uint32_t count = 0;
-
- params = IF_DEF_PARAMS(ifp);
- if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
- count++;
-
- for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
- if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
- count++;
-
- if (count > 0) {
- ospf_interface_area_set(ospf, ifp);
- ospf->if_ospf_cli_count += count;
- }
- }
-
- ospf_router_id_update(ospf);
+ ospf_init(ospf);
}
return ospf;
@@ -450,7 +456,7 @@ struct ospf *ospf_get_instance(unsigned short instance, bool *created)
ospf = ospf_new(instance, NULL /* VRF_DEFAULT*/);
ospf_add(ospf);
- ospf_opaque_type11_lsa_init(ospf);
+ ospf_init(ospf);
}
return ospf;
diff --git a/ospfd/ospfd.h b/ospfd/ospfd.h
index 192e54281..3087b735a 100644
--- a/ospfd/ospfd.h
+++ b/ospfd/ospfd.h
@@ -604,7 +604,6 @@ extern int ospf_nbr_nbma_poll_interval_set(struct ospf *, struct in_addr,
unsigned int);
extern int ospf_nbr_nbma_poll_interval_unset(struct ospf *, struct in_addr);
extern void ospf_prefix_list_update(struct prefix_list *);
-extern void ospf_init(void);
extern void ospf_if_update(struct ospf *, struct interface *);
extern void ospf_ls_upd_queue_empty(struct ospf_interface *);
extern void ospf_terminate(void);


@ -1,92 +0,0 @@
From 8a66632391db5f5181a4afef6aae41f48bee7fdb Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 15 Jan 2021 08:14:49 -0500
Subject: [PATCH] bgpd: Allow peer-groups to have `ttl-security hops`
configured
The command `neighbor PGROUP ttl-security hops X` was being
accepted but ignored. Allow it to be stored. I am still
not sure that this is applied correctly, but that is another
problem.
Fixes: #7848
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgpd.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 9297ec4711c..4ebd3da0620 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -7150,6 +7150,7 @@ int is_ebgp_multihop_configured(struct peer *peer)
int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
{
struct peer_group *group;
+ struct peer *gpeer;
struct listnode *node, *nnode;
int ret;
@@ -7186,9 +7187,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
return ret;
} else {
group = peer->group;
+ group->conf->gtsm_hops = gtsm_hops;
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
- peer)) {
- peer->gtsm_hops = group->conf->gtsm_hops;
+ gpeer)) {
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
/* Calling ebgp multihop also resets the
* session.
@@ -7198,7 +7200,7 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
* value is
* irrelevant.
*/
- peer_ebgp_multihop_set(peer, MAXTTL);
+ peer_ebgp_multihop_set(gpeer, MAXTTL);
}
}
} else {
@@ -7219,9 +7221,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
MAXTTL + 1 - gtsm_hops);
} else {
group = peer->group;
+ group->conf->gtsm_hops = gtsm_hops;
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
- peer)) {
- peer->gtsm_hops = group->conf->gtsm_hops;
+ gpeer)) {
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
/* Change setting of existing peer
* established then change value (may break
@@ -7231,17 +7234,18 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
* no session then do nothing (will get
* handled by next connection)
*/
- if (peer->fd >= 0
- && peer->gtsm_hops
+ if (gpeer->fd >= 0
+ && gpeer->gtsm_hops
!= BGP_GTSM_HOPS_DISABLED)
sockopt_minttl(
- peer->su.sa.sa_family, peer->fd,
- MAXTTL + 1 - peer->gtsm_hops);
- if ((peer->status < Established)
- && peer->doppelganger
- && (peer->doppelganger->fd >= 0))
- sockopt_minttl(peer->su.sa.sa_family,
- peer->doppelganger->fd,
+ gpeer->su.sa.sa_family,
+ gpeer->fd,
+ MAXTTL + 1 - gpeer->gtsm_hops);
+ if ((gpeer->status < Established)
+ && gpeer->doppelganger
+ && (gpeer->doppelganger->fd >= 0))
+ sockopt_minttl(gpeer->su.sa.sa_family,
+ gpeer->doppelganger->fd,
MAXTTL + 1 - gtsm_hops);
}
}


@ -0,0 +1,25 @@
diff --git a/lib/routemap.c b/lib/routemap.c
index a90443a..0b594b2 100644
--- a/lib/routemap.c
+++ b/lib/routemap.c
@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
*/
static struct route_map_index *
route_map_get_index(struct route_map *map, const struct prefix *prefix,
- route_map_object_t type, void *object, uint8_t *match_ret)
+ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
{
- int ret = 0;
+ enum route_map_cmd_result_t ret = RMAP_NOMATCH;
struct list *candidate_rmap_list = NULL;
struct route_node *rn = NULL;
struct listnode *ln = NULL, *nn = NULL;
@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
if ((!map->optimization_disabled)
&& (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
index = route_map_get_index(map, prefix, type, object,
- (uint8_t *)&match_ret);
+ &match_ret);
if (index) {
if (rmap_debug)
zlog_debug(
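Review bot: This patch file has no `From:`/`Subject:`/`Signed-off-by:` header, unlike the patches this commit deletes, which record their upstream author and commit; the same is true of the other two patch files added here (the tools/frr.service and frrcommon.sh.in one, and the frr-reload.py and bgp_bfd.c one), so none of the three can be traced to an upstream change when the package is rebased or audited. Adding a short preamble above the first `diff --git` line — `Backport of upstream <commit-id>: route_map_get_index stored a uint8_t through a pointer into an enum-sized match_ret` — would fix that for this file. The code change itself is sound: passing `&match_ret` with the matching pointer type removes the narrowing store that the `(uint8_t *)` cast allowed. The second hunk ends inside route_map_apply, so any further callers of route_map_get_index are outside this view.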


@ -1,60 +0,0 @@
From 46a2b560fa84c5f8ece8dbb82cbf355af675ad41 Mon Sep 17 00:00:00 2001
From: Rafael Zalamena <rzalamena@opensourcerouting.org>
Date: Tue, 19 Jan 2021 08:49:23 -0300
Subject: [PATCH] tools: fix frr-reload BFD profile support
Fix the handling of multiple BFD profiles by adding the appropriated
code to push/pop contexts inside BFD configuration node.
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
---
tools/frr-reload.py | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index da005b6f874..ca6fe81f007 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -533,6 +533,18 @@ def load_contexts(self):
if line.startswith('!') or line.startswith('#'):
continue
+ if (len(ctx_keys) == 2
+ and ctx_keys[0].startswith('bfd')
+ and ctx_keys[1].startswith('profile ')
+ and line == 'end'):
+ log.debug('LINE %-50s: popping from sub context, %-50s', line, ctx_keys)
+
+ if main_ctx_key:
+ self.save_contexts(ctx_keys, current_context_lines)
+ ctx_keys = copy.deepcopy(main_ctx_key)
+ current_context_lines = []
+ continue
+
# one line contexts
# there is one exception though: ldpd accepts a 'router-id' clause
# as part of its 'mpls ldp' config context. If we are processing
@@ -649,6 +661,22 @@ def load_contexts(self):
log.debug('LINE %-50s: entering sub-sub-context, append to ctx_keys', line)
ctx_keys.append(line)
+ elif (
+ line.startswith('profile ')
+ and len(ctx_keys) == 1
+ and ctx_keys[0].startswith('bfd')
+ ):
+
+ # Save old context first
+ self.save_contexts(ctx_keys, current_context_lines)
+ current_context_lines = []
+ main_ctx_key = copy.deepcopy(ctx_keys)
+ log.debug(
+ "LINE %-50s: entering BFD profile sub-context, append to ctx_keys",
+ line
+ )
+ ctx_keys.append(line)
+
else:
# Continuing in an existing context, add non-commented lines to it
current_context_lines.append(line)


@ -0,0 +1,40 @@
diff --git a/tools/frr.service b/tools/frr.service
index aa45f42..a3f0103 100644
--- a/tools/frr.service
+++ b/tools/frr.service
@@ -17,9 +17,9 @@ WatchdogSec=60s
RestartSec=5
Restart=on-abnormal
LimitNOFILE=1024
-ExecStart=/usr/lib/frr/frrinit.sh start
-ExecStop=/usr/lib/frr/frrinit.sh stop
-ExecReload=/usr/lib/frr/frrinit.sh reload
+ExecStart=/usr/libexec/frr/frrinit.sh start
+ExecStop=/usr/libexec/frr/frrinit.sh stop
+ExecReload=/usr/libexec/frr/frrinit.sh reload
[Install]
WantedBy=multi-user.target
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 9a144b2..a334d95 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -59,6 +59,9 @@ chownfrr() {
[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
+ if [ -d "$1" ]; then
+ chmod gu+x "$1"
+ fi
}
vtysh_b () {
@@ -152,7 +155,7 @@ daemon_start() {
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
mkdir -p "$V_PATH"
- chown frr "$V_PATH"
+ chownfrr "$V_PATH"
fi
eval wrap="\$${daemon}_wrap"
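Review bot: The new `if [ -d "$1" ]` branch in chownfrr forces the search bit on directories after `$FRR_CONFIG_MODE` has been applied, and nothing says why; since the second hunk now routes the runtime directory `$V_PATH` through chownfrr in place of a bare `chown frr`, the function is applied to both files and directories and the reasoning belongs in a comment, e.g. `# FRR_CONFIG_MODE is a file mode; directories additionally need the search bit`. Note that `chmod gu+x` also runs when FRR_CONFIG_MODE is unset, so it is not purely a correction of that mode — if that is unintended, put it under the same `[ -n "$FRR_CONFIG_MODE" ]` guard. daemon_start continues past the end of the hunk.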


@ -0,0 +1,77 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 9979c8b..1c24f90 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
return True
return False
+def delete_bgp_bfd(lines_to_add, lines_to_del):
+ """
+ When 'neighbor <peer> bfd profile <profile>' is present without a
+ 'neighbor <peer> bfd' line, FRR explicitily adds it to the running
+ configuration. When the new configuration drops the bfd profile
+ line, the user's intent is to delete any bfd configuration on the
+ peer. On reload, deleting the bfd profile line after the bfd line
+ will re-enable BFD with the default BFD profile. Move the bfd line
+ to the end, if it exists in the new configuration.
+
+ Example:
+
+ neighbor 10.0.0.1 bfd
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+
+ Move to end:
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+ ...
+
+ neighbor 10.0.0.1 bfd
+
+ """
+ lines_to_del_to_app = []
+ for (ctx_keys, line) in lines_to_del:
+ if (
+ ctx_keys[0].startswith("router bgp")
+ and line
+ and line.startswith("neighbor ")
+ ):
+ # 'no neighbor [peer] bfd>'
+ nb_bfd = "neighbor (\S+) .*bfd$"
+ re_nb_bfd = re.search(nb_bfd, line)
+ if re_nb_bfd:
+ lines_to_del_to_app.append((ctx_keys, line))
+
+ for (ctx_keys, line) in lines_to_del_to_app:
+ lines_to_del.remove((ctx_keys, line))
+ lines_to_del.append((ctx_keys, line))
+
+ return (lines_to_add, lines_to_del)
+
+
def check_for_exit_vrf(lines_to_add, lines_to_del):
# exit-vrf is a bit tricky. If the new config is missing it but we
@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
for line in newconf_ctx.lines:
lines_to_add.append((newconf_ctx_keys, line))
+ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
index b566b0e..1bd6249 100644
--- a/bgpd/bgp_bfd.c
+++ b/bgpd/bgp_bfd.c
@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
&& (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
- vty_out(vty, " neighbor %s bfd", addr);
+ vty_out(vty, " neighbor %s bfd\n", addr);
if (bfd_info->profile[0])
- vty_out(vty, " profile %s", bfd_info->profile);
+ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
vty_out(vty, "\n");
}
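Review bot: In bgp_bfd_peer_config_write the `vty_out(vty, "\n");` after the profile branch is now unconditional following a line that already ends in `\n`, so a peer with `bfd` and no profile gets an empty line written into its configuration. Move the newline into the profile line, `vty_out(vty, " neighbor %s bfd profile %s\n", addr, bfd_info->profile);`, and delete the separate `vty_out(vty, "\n");`. In the frr-reload.py part of this file, `nb_bfd = "neighbor (\S+) .*bfd$"` uses `\S` in a non-raw string (Python reports that as an invalid escape sequence) and, because `.*bfd$` only requires the line to end in the letters `bfd`, it also matches `neighbor X bfd profile <name-ending-in-bfd>` and moves that line too; `r"neighbor \S+(?: \S+)* bfd$"` limits the match to a final `bfd` token. Both bgp_bfd_peer_config_write and compare_context_objects extend beyond their hunks.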


@ -1,25 +0,0 @@
From 1d923374f64e099d734899aff219d90cb0213fa6 Mon Sep 17 00:00:00 2001
From: Emanuele Bovisio <emanuele.bovisio@eolo.it>
Date: Thu, 5 Nov 2020 14:27:51 +0100
Subject: [PATCH] bfdd: fix crash on show bfd peers counters json
wrong pointer passed to bfd_id_iterate function
Signed-off-by: Emanuele Bovisio <emanuele.bovisio@eolo.it>
---
bfdd/bfdd_vty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bfdd/bfdd_vty.c b/bfdd/bfdd_vty.c
index a3f1638e5f6..837a7b7d7d6 100644
--- a/bfdd/bfdd_vty.c
+++ b/bfdd/bfdd_vty.c
@@ -447,7 +447,7 @@ static void _display_peers_counter(struct vty *vty, char *vrfname, bool use_json
jo = json_object_new_array();
bvt.jo = jo;
- bfd_id_iterate(_display_peer_counter_json_iter, jo);
+ bfd_id_iterate(_display_peer_counter_json_iter, &bvt);
vty_out(vty, "%s\n", json_object_to_json_string_ext(jo, 0));
json_object_free(jo);

28
SOURCES/frr.fc Normal file

@ -0,0 +1,28 @@
/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)
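Review bot: The lock-file contexts are listed per daemon, so an FRR daemon absent from this list (ldpd, for instance, if the package builds it) keeps the generic lock label after a relabel; frr.te's `files_lock_filetrans` only covers files a running daemon creates, not what `restorecon` assigns, and frr.te shows no rule for frr_t on any lock type other than frr_lock_t. A comment such as `# keep in sync with the daemons enabled in frr.spec` above the /var/lock/subsys entries would flag that coupling. Separately, the spec installs the runtime directory as /run/frr while this file labels `/var/run/frr(/.*)?`; that appears to rely on the distribution's /run to /var/run path substitution, which is worth a one-line comment so a later "fix" to /run does not duplicate or break the entry.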

162
SOURCES/frr.if Normal file

@ -0,0 +1,162 @@
## <summary>policy for frr</summary>
########################################
## <summary>
## Execute frr_exec_t in the frr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`frr_domtrans',`
gen_require(`
type frr_t, frr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, frr_exec_t, frr_t)
')
######################################
## <summary>
## Execute frr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_exec',`
gen_require(`
type frr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, frr_exec_t)
')
########################################
## <summary>
## Read frr's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`frr_read_log',`
gen_require(`
type frr_log_t;
')
read_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Append to frr log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_append_log',`
gen_require(`
type frr_log_t;
')
append_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Manage frr log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_manage_log',`
gen_require(`
type frr_log_t;
')
manage_dirs_pattern($1, frr_log_t, frr_log_t)
manage_files_pattern($1, frr_log_t, frr_log_t)
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Read frr PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_read_pid_files',`
gen_require(`
type frr_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an frr environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_admin',`
gen_require(`
type frr_t;
type frr_log_t;
type frr_var_run_t;
')
allow $1 frr_t:process { signal_perms };
ps_process_pattern($1, frr_t)
tunable_policy(`deny_ptrace',`',`
allow $1 frr_t:process ptrace;
')
admin_pattern($1, frr_log_t)
files_search_pids($1)
admin_pattern($1, frr_var_run_t)
optional_policy(`
logging_search_logs($1)
')
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
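Review bot: `frr_admin` administers only `frr_log_t` and `frr_var_run_t`, while frr.te in this same commit also declares `frr_conf_t`, `frr_tmp_t`, `frr_lock_t` and `frr_unit_file_t`, so a role given this interface still cannot manage /etc/frr or the unit file through it. If that is deliberate, say so in the interface's `<summary>`; otherwise add `type frr_conf_t;` to the `gen_require` block and `admin_pattern($1, frr_conf_t)`, and likewise for the other types. The `<rolecap/>` tag is present only on `frr_read_log`; confirm whether `frr_admin` should carry it as well, as admin interfaces usually do.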

121
SOURCES/frr.te Normal file

@ -0,0 +1,121 @@
policy_module(frr, 1.0.0)
########################################
#
# Declarations
#
type frr_t;
type frr_exec_t;
init_daemon_domain(frr_t, frr_exec_t)
type frr_log_t;
logging_log_file(frr_log_t)
type frr_tmp_t;
files_tmp_file(frr_tmp_t)
type frr_lock_t;
files_lock_file(frr_lock_t)
type frr_conf_t;
files_config_file(frr_conf_t)
type frr_unit_file_t;
systemd_unit_file(frr_unit_file_t)
type frr_var_run_t;
files_pid_file(frr_var_run_t)
########################################
#
# frr local policy
#
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create;
allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
allow frr_t self:udp_socket create_socket_perms;
allow frr_t self:unix_stream_socket connectto;
allow frr_t frr_conf_t:dir list_dir_perms;
manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
manage_files_pattern(frr_t, frr_log_t, frr_log_t)
manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
allow frr_t frr_tmp_t:file map;
manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
allow frr_t frr_exec_t:dir search_dir_perms;
can_exec(frr_t, frr_exec_t)
kernel_read_network_state(frr_t)
kernel_read_net_sysctls(frr_t)
kernel_read_system_state(frr_t)
auth_use_nsswitch(frr_t)
corecmd_exec_bin(frr_t)
corenet_tcp_bind_appswitch_emp_port(frr_t)
corenet_udp_bind_bfd_control_port(frr_t)
corenet_udp_bind_bfd_echo_port(frr_t)
corenet_tcp_bind_bgp_port(frr_t)
corenet_udp_bind_all_unreserved_ports(frr_t);
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_firepower_port(frr_t)
corenet_tcp_bind_priority_e_com_port(frr_t)
corenet_udp_bind_router_port(frr_t)
corenet_tcp_bind_qpasa_agent_port(frr_t)
corenet_tcp_bind_smntubootstrap_port(frr_t)
corenet_tcp_bind_versa_tek_port(frr_t)
corenet_tcp_bind_zebra_port(frr_t)
domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t)
sysnet_exec_ifconfig(frr_t)
userdom_read_admin_home_files(frr_t)
init_signal(frr_t)
init_signal_script(frr_t)
init_signull_script(frr_t)
optional_policy(`
logging_send_syslog_msg(frr_t)
')
optional_policy(`
modutils_exec_kmod(frr_t)
modutils_getattr_module_deps(frr_t)
modutils_read_module_config(frr_t)
modutils_read_module_deps_files(frr_t)
')
optional_policy(`
networkmanager_read_state(frr_t)
')
optional_policy(`
userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
')
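Review bot: `corenet_udp_bind_all_unreserved_ports(frr_t);` is the only interface call in the file written with a trailing semicolon, and it is also the widest network rule here — every other bind names a specific port — with no comment saying which daemon needs arbitrary unreserved UDP ports. Drop the stray `;` and add a one-line justification above it, e.g. `# <daemon> binds dynamic UDP ports for <purpose> — confirm against the AVCs that motivated this`. The `self:capability` line grants both `dac_override` and `dac_read_search`; the former subsumes the latter, so if the denials behind it were read/search only, the narrower capability suffices and the wider one should go. `userdom_read_admin_home_files(frr_t)` likewise gives every FRR daemon read access to admin home directories, broader than the `.history_frr` filetrans at the end of the file suggests is needed — confirm which AVC required it.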


@ -1,16 +1,21 @@
%global frrversion 7.5 %global frrversion 7.5.1
%global frr_libdir /usr/lib/frr %global frr_libdir /usr/libexec/frr
%global _hardened_build 1 %global _hardened_build 1
%global selinuxtype targeted
%bcond_without selinux
Name: frr Name: frr
Version: 7.5 Version: 7.5.1
Release: 11%{?checkout}%{?dist} Release: 3%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
Source1: %{name}-tmpfiles.conf Source1: %{name}-tmpfiles.conf
Source2: frr.fc
Source3: frr.te
Source4: frr.if
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: gcc BuildRequires: gcc
BuildRequires: net-snmp-devel BuildRequires: net-snmp-devel
@ -27,6 +32,11 @@ Requires(preun): systemd /sbin/install-info
Requires(postun): systemd Requires(postun): systemd
Requires: iproute Requires: iproute
Requires: initscripts Requires: initscripts
%if 0%{?with_selinux}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga frr-contrib Obsoletes: frr-sysvinit quagga frr-contrib
@ -37,11 +47,10 @@ Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch Patch0004: 0004-fips-mode.patch
Patch0006: 0006-CVE-2020-12831.patch Patch0006: 0006-CVE-2020-12831.patch
Patch0007: 0007-frrinit.patch Patch0007: 0007-frrinit.patch
Patch0008: 0008-ospf-multi-instance.patch Patch0008: 0008-designated-router.patch
Patch0009: 0009-bgp-ttl-security.patch Patch0009: 0009-routemap.patch
Patch0010: 0010-bfd-reload.patch Patch0010: 0010-moving-executables.patch
Patch0011: 0011-designated-router.patch Patch0011: 0011-reload-bfd-profile.patch
Patch0012: 0012-bfd-peers-crash.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -52,8 +61,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
FRRouting is a fork of Quagga. FRRouting is a fork of Quagga.
%if 0%{?with_selinux}
%package selinux
Summary: Selinux policy for FRR
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
SELinux policy modules for FRR package
%endif
%prep %prep
%autosetup -S git %autosetup -S git
#SELinux
mkdir selinux
cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux
%build %build
autoreconf -ivf autoreconf -ivf
@ -88,6 +114,12 @@ pushd doc
make info make info
popd popd
#SELinux policy
%if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 selinux/%{name}.pp
%endif
%install %install
mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
%{buildroot}/var/log/frr %{buildroot}%{_infodir} \ %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
@ -112,6 +144,12 @@ install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buil
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr install -d -m 775 %{buildroot}/run/frr
%if 0%{?with_selinux}
install -D -m 644 selinux/%{name}.pp.bz2 \
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
rm %{buildroot}%{_libdir}/frr/*.la rm %{buildroot}%{_libdir}/frr/*.la
rm %{buildroot}%{_libdir}/frr/modules/*.la rm %{buildroot}%{_libdir}/frr/modules/*.la
@ -127,6 +165,8 @@ getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
usermod -aG frrvty frr usermod -aG frrvty frr
%post %post
#Because we move files to /usr/libexec, we need to reload .service files as well
/usr/bin/systemctl daemon-reload
%systemd_post frr.service %systemd_post frr.service
if [ -f %{_infodir}/%{name}.inf* ]; then if [ -f %{_infodir}/%{name}.inf* ]; then
@ -166,6 +206,26 @@ fi
%preun %preun
%systemd_preun frr.service %systemd_preun frr.service
#SELinux
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
%selinux_relabel_post -s %{selinuxtype}
fi
%endif
%check %check
make check PYTHON=%{__python3} make check PYTHON=%{__python3}
@ -201,7 +261,25 @@ make check PYTHON=%{__python3}
/usr/share/yang/*.yang /usr/share/yang/*.yang
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%endif
%changelog %changelog
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2
- Resolves: #1714984 - SELinux policy (daemons) changes required for package
* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
- Resolves: #2018451 - Rebase of frr to version 7.5.1
- Resolves: #1975361 - the dynamic routing setup does not work any more
* Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11 * Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11
- Resolves: #2034328 - Bfdd crash in metallb CI - Resolves: #2034328 - Bfdd crash in metallb CI
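Review bot: The new `%post` line `/usr/bin/systemctl daemon-reload` runs unguarded, so on a host where systemd is not the running init (container image builds, chroot installs) it prints an error during installation where the surrounding `%systemd_post` macro stays quiet; the usual form is `/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :`. In `%post selinux`, the two `restorecon -R` calls are the scriptlet's last statements, so their exit status becomes the scriptlet's; if `/var/tmp/frr` or `/var/run/frr` does not exist yet (a fresh install) and restorecon reports the missing path as an error, the selinux subpackage's %post fails — `restorecon -Ri <path> &> /dev/null || :` avoids both cases. The main package's `%post` continues beyond the hunk.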