import frr-7.5.1-7.el8
This commit is contained in:
parent
6868c1555b
commit
5788752ec0
@ -1 +1,2 @@
|
||||
dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
|
||||
e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if
|
||||
|
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +1,2 @@
|
||||
SOURCES/frr-7.5.1.tar.gz
|
||||
SOURCES/frr.if
|
||||
|
79
SOURCES/0012-graceful-restart.patch
Normal file
79
SOURCES/0012-graceful-restart.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
|
||||
From: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
Date: Tue, 27 Sep 2022 17:30:16 +0300
|
||||
Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
|
||||
|
||||
We might disable sending unconfig/shutdown notifications when
|
||||
Graceful-Restart is enabled and negotiated.
|
||||
|
||||
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
|
||||
---
|
||||
bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
|
||||
1 file changed, 26 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
|
||||
index 3d4ef7c..f8089c6 100644
|
||||
--- a/bgpd/bgpd.c
|
||||
+++ b/bgpd/bgpd.c
|
||||
@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
|
||||
|
||||
void peer_notify_unconfig(struct peer *peer)
|
||||
{
|
||||
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
|
||||
+ if (bgp_debug_neighbor_events(peer))
|
||||
+ zlog_debug(
|
||||
+ "%pBP configured Graceful-Restart, skipping unconfig notification",
|
||||
+ peer);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
BGP_NOTIFY_CEASE_PEER_UNCONFIG);
|
||||
}
|
||||
|
||||
+static void peer_notify_shutdown(struct peer *peer)
|
||||
+{
|
||||
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
|
||||
+ if (bgp_debug_neighbor_events(peer))
|
||||
+ zlog_debug(
|
||||
+ "%pBP configured Graceful-Restart, skipping shutdown notification",
|
||||
+ peer);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
+ bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
||||
+}
|
||||
+
|
||||
void peer_group_notify_unconfig(struct peer_group *group)
|
||||
{
|
||||
struct peer *peer, *other;
|
||||
@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp)
|
||||
}
|
||||
|
||||
/* Inform peers we're going down. */
|
||||
- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
|
||||
- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
|
||||
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
||||
- }
|
||||
+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
|
||||
+ peer_notify_shutdown(peer);
|
||||
|
||||
/* Delete static routes (networks). */
|
||||
bgp_static_delete(bgp);
|
||||
@@ -7238,11 +7258,7 @@ void bgp_terminate(void)
|
||||
|
||||
for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
|
||||
for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
|
||||
- if (peer->status == Established
|
||||
- || peer->status == OpenSent
|
||||
- || peer->status == OpenConfirm)
|
||||
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
|
||||
- BGP_NOTIFY_CEASE_PEER_UNCONFIG);
|
||||
+ peer_notify_unconfig(peer);
|
||||
|
||||
if (bm->process_main_queue)
|
||||
work_queue_free_and_null(&bm->process_main_queue);
|
32
SOURCES/0013-CVE-2022-37032.patch
Normal file
32
SOURCES/0013-CVE-2022-37032.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Thu, 21 Jul 2022 08:11:58 -0400
|
||||
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
|
||||
expected
|
||||
|
||||
Ensure that if the capability length specified is enough data.
|
||||
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgp_packet.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
||||
index dbf6c0b2e99..45752a8ab6d 100644
|
||||
--- a/bgpd/bgp_packet.c
|
||||
+++ b/bgpd/bgp_packet.c
|
||||
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
|
||||
"%s CAPABILITY has action: %d, code: %u, length %u",
|
||||
peer->host, action, hdr->code, hdr->length);
|
||||
|
||||
+ if (hdr->length < sizeof(struct capability_mp_data)) {
|
||||
+ zlog_info(
|
||||
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
|
||||
+ peer, sizeof(struct capability_mp_data),
|
||||
+ hdr->length);
|
||||
+ return BGP_Stop;
|
||||
+ }
|
||||
+
|
||||
/* Capability length check. */
|
||||
if ((pnt + hdr->length + 3) > end) {
|
||||
zlog_info("%s Capability length error", peer->host);
|
@ -1,4 +1,4 @@
|
||||
/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0)
|
||||
/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
|
||||
|
||||
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
|
||||
|
||||
|
162
SOURCES/frr.if
162
SOURCES/frr.if
@ -1,162 +0,0 @@
|
||||
## <summary>policy for frr</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute frr_exec_t in the frr domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_domtrans',`
|
||||
gen_require(`
|
||||
type frr_t, frr_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, frr_exec_t, frr_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute frr in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_exec',`
|
||||
gen_require(`
|
||||
type frr_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, frr_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read frr's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`frr_read_log',`
|
||||
gen_require(`
|
||||
type frr_log_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, frr_log_t, frr_log_t)
|
||||
optional_policy(`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Append to frr log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_append_log',`
|
||||
gen_require(`
|
||||
type frr_log_t;
|
||||
')
|
||||
|
||||
append_files_pattern($1, frr_log_t, frr_log_t)
|
||||
optional_policy(`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage frr log files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_manage_log',`
|
||||
gen_require(`
|
||||
type frr_log_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, frr_log_t, frr_log_t)
|
||||
manage_files_pattern($1, frr_log_t, frr_log_t)
|
||||
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
|
||||
optional_policy(`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read frr PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_read_pid_files',`
|
||||
gen_require(`
|
||||
type frr_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an frr environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`frr_admin',`
|
||||
gen_require(`
|
||||
type frr_t;
|
||||
type frr_log_t;
|
||||
type frr_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 frr_t:process { signal_perms };
|
||||
ps_process_pattern($1, frr_t)
|
||||
|
||||
tunable_policy(`deny_ptrace',`',`
|
||||
allow $1 frr_t:process ptrace;
|
||||
')
|
||||
|
||||
admin_pattern($1, frr_log_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, frr_var_run_t)
|
||||
optional_policy(`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
optional_policy(`
|
||||
systemd_passwd_agent_exec($1)
|
||||
systemd_read_fifo_file_passwd_run($1)
|
||||
')
|
||||
')
|
@ -93,6 +93,7 @@ corenet_tcp_bind_zebra_port(frr_t)
|
||||
domain_use_interactive_fds(frr_t)
|
||||
|
||||
fs_read_nsfs_files(frr_t)
|
||||
fs_search_cgroup_dirs(frr_t)
|
||||
|
||||
sysnet_exec_ifconfig(frr_t)
|
||||
|
||||
@ -119,4 +120,5 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
|
||||
userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
|
||||
')
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
Name: frr
|
||||
Version: 7.5.1
|
||||
Release: 4%{?checkout}%{?dist}
|
||||
Release: 7%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
@ -51,6 +51,8 @@ Patch0008: 0008-designated-router.patch
|
||||
Patch0009: 0009-routemap.patch
|
||||
Patch0010: 0010-moving-executables.patch
|
||||
Patch0011: 0011-reload-bfd-profile.patch
|
||||
Patch0012: 0012-graceful-restart.patch
|
||||
Patch0013: 0013-CVE-2022-37032.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -215,8 +217,10 @@ fi
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
|
||||
if [ $1 == 2 ]; then
|
||||
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
|
||||
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
|
||||
fi
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
@ -269,8 +273,17 @@ make check PYTHON=%{__python3}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 15 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
|
||||
- Resolves: #2126040 - Frr is unable to push routes to the system routing table
|
||||
* Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
|
||||
- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
|
||||
|
||||
* Tue Nov 29 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
|
||||
- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context
|
||||
|
||||
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-5
|
||||
- Resolves: #2127140 - Frr is unable to push routes to the system routing table
|
||||
|
||||
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
|
||||
- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers
|
||||
|
||||
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
|
||||
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
|
||||
|
Loading…
Reference in New Issue
Block a user