From 5f01e993d6064c1f8933d070a738eb6214f1a0c5 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Wed, 20 Nov 2024 13:12:50 +0000 Subject: [PATCH] import RHEL 10 Beta frr-10.1-3.el10 --- .gitignore | 2 +- ...patch => 0000-remove-babeld-and-ldpd.patch | 12 +- ...openssl.patch => 0002-enable-openssl.patch | 30 +- ...o.patch => 0003-disable-eigrp-crypto.patch | 0 ...04-fips-mode.patch => 0004-fips-mode.patch | 50 +- 0005-remove-grpc-test.patch | 27 + 0006-noprefixroute-network-manager.patch | 167 +++++ SOURCES/0001-use-python3.patch | 20 - SOURCES/0006-CVE-2020-12831.patch | 17 - SOURCES/0007-frrinit.patch | 31 - SOURCES/0008-designated-router.patch | 33 - SOURCES/0009-routemap.patch | 25 - SOURCES/0010-moving-executables.patch | 40 -- SOURCES/0011-reload-bfd-profile.patch | 77 --- SOURCES/0012-graceful-restart.patch | 79 --- SOURCES/0013-CVE-2022-37032.patch | 32 - SOURCES/0014-bfd-profile-crash.patch | 117 ---- SOURCES/0015-max-ttl-reload.patch | 93 --- SOURCES/0016-CVE-2023-38802.patch | 129 ---- SOURCES/0017-fix-crash-in-plist-update.patch | 48 -- SOURCES/0018-CVE-2023-38406.patch | 34 -- SOURCES/0019-CVE-2023-38407.patch | 54 -- SOURCES/0020-CVE-2023-47234.patch | 89 --- SOURCES/0021-CVE-2023-47235.patch | 105 ---- SOURCES/0022-route-map-event.patch | 47 -- SOURCES/0023-CVE-2023-46752.patch | 76 --- SOURCES/0024-CVE-2023-46753.patch | 60 -- SOURCES/0025-CVE-2023-31490.patch | 150 ----- SOURCES/0026-CVE-2023-41909.patch | 34 -- SOURCES/0027-dynamic-netlink-buffer.patch | 267 -------- SOURCES/frr.fc | 28 - SPECS/frr.spec | 423 ------------- frr-sysusers.conf | 4 + .../frr-tmpfiles.conf => frr-tmpfiles.conf | 0 frr.fc | 29 + SOURCES/frr.if => frr.if | 78 ++- frr.spec | 578 ++++++++++++++++++ SOURCES/frr.te => frr.te | 32 +- sources | 1 + 39 files changed, 943 insertions(+), 2175 deletions(-) rename SOURCES/0000-remove-babeld-and-ldpd.patch => 0000-remove-babeld-and-ldpd.patch (86%) rename SOURCES/0002-enable-openssl.patch => 0002-enable-openssl.patch (83%) rename SOURCES/0003-disable-eigrp-crypto.patch => 0003-disable-eigrp-crypto.patch 
(100%) rename SOURCES/0004-fips-mode.patch => 0004-fips-mode.patch (79%) create mode 100644 0005-remove-grpc-test.patch create mode 100644 0006-noprefixroute-network-manager.patch delete mode 100644 SOURCES/0001-use-python3.patch delete mode 100644 SOURCES/0006-CVE-2020-12831.patch delete mode 100644 SOURCES/0007-frrinit.patch delete mode 100644 SOURCES/0008-designated-router.patch delete mode 100644 SOURCES/0009-routemap.patch delete mode 100644 SOURCES/0010-moving-executables.patch delete mode 100644 SOURCES/0011-reload-bfd-profile.patch delete mode 100644 SOURCES/0012-graceful-restart.patch delete mode 100644 SOURCES/0013-CVE-2022-37032.patch delete mode 100644 SOURCES/0014-bfd-profile-crash.patch delete mode 100644 SOURCES/0015-max-ttl-reload.patch delete mode 100644 SOURCES/0016-CVE-2023-38802.patch delete mode 100644 SOURCES/0017-fix-crash-in-plist-update.patch delete mode 100644 SOURCES/0018-CVE-2023-38406.patch delete mode 100644 SOURCES/0019-CVE-2023-38407.patch delete mode 100644 SOURCES/0020-CVE-2023-47234.patch delete mode 100644 SOURCES/0021-CVE-2023-47235.patch delete mode 100644 SOURCES/0022-route-map-event.patch delete mode 100644 SOURCES/0023-CVE-2023-46752.patch delete mode 100644 SOURCES/0024-CVE-2023-46753.patch delete mode 100644 SOURCES/0025-CVE-2023-31490.patch delete mode 100644 SOURCES/0026-CVE-2023-41909.patch delete mode 100644 SOURCES/0027-dynamic-netlink-buffer.patch delete mode 100644 SOURCES/frr.fc delete mode 100644 SPECS/frr.spec create mode 100644 frr-sysusers.conf rename SOURCES/frr-tmpfiles.conf => frr-tmpfiles.conf (100%) create mode 100644 frr.fc rename SOURCES/frr.if => frr.if (70%) create mode 100644 frr.spec rename SOURCES/frr.te => frr.te (79%) create mode 100644 sources diff --git a/.gitignore b/.gitignore index c0a706d..fe2a27f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/frr-7.5.1.tar.gz +frr-10.1.tar.gz 
diff --git a/SOURCES/0000-remove-babeld-and-ldpd.patch b/0000-remove-babeld-and-ldpd.patch similarity index 86% rename from SOURCES/0000-remove-babeld-and-ldpd.patch rename to 0000-remove-babeld-and-ldpd.patch index 37c416a..b355ce6 100644 --- a/SOURCES/0000-remove-babeld-and-ldpd.patch +++ b/0000-remove-babeld-and-ldpd.patch @@ -16,9 +16,9 @@ index 5be3264..33abc1d 100644 snapcraft/helpers \ snapcraft/snap \ - babeld/Makefile \ + mgmtd/Makefile \ bgpd/Makefile \ bgpd/rfp-example/librfp/Makefile \ - bgpd/rfp-example/rfptest/Makefile \ @@ -193,7 +190,6 @@ EXTRA_DIST += \ fpm/Makefile \ grpc/Makefile \ @@ -28,13 +28,13 @@ index 5be3264..33abc1d 100644 nhrpd/Makefile \ ospf6d/Makefile \ diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons -index f6d512b..6d4831d 100644 +index 8aa0887..c92dcca 100644 --- a/tools/etc/frr/daemons +++ b/tools/etc/frr/daemons -@@ -21,10 +21,8 @@ ripd=no - ripngd=no +@@ -22,10 +22,8 @@ ripngd=no isisd=no pimd=no + pim6d=no -ldpd=no nhrpd=no eigrpd=no @@ -42,10 +42,10 @@ index f6d512b..6d4831d 100644 sharpd=no pbrd=no bfdd=no -@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1" - ripngd_options=" -A ::1" +@@ -48,10 +46,8 @@ ripngd_options=" -A ::1" isisd_options=" -A 127.0.0.1" pimd_options=" -A 127.0.0.1" + pim6d_options=" -A ::1" -ldpd_options=" -A 127.0.0.1" nhrpd_options=" -A 127.0.0.1" eigrpd_options=" -A 127.0.0.1" diff --git a/SOURCES/0002-enable-openssl.patch b/0002-enable-openssl.patch similarity index 83% rename from SOURCES/0002-enable-openssl.patch rename to 0002-enable-openssl.patch index 6f1c389..5101f06 100644 --- a/SOURCES/0002-enable-openssl.patch +++ b/0002-enable-openssl.patch 
@@ -8,24 +8,8 @@ index 0b7af18..0533e24 100644 lib/log_vty.c \ - lib/md5.c \ lib/memory.c \ - lib/mlag.c \ - lib/module.c \ -diff --git a/lib/subdir.am b/lib/subdir.am -index 0533e24..b3d3700 100644 ---- a/lib/subdir.am -+++ b/lib/subdir.am -@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ - lib/linklist.h \ - lib/log.h \ - lib/log_vty.h \ -- lib/md5.h \ - lib/memory.h \ - lib/module.h \ - lib/monotime.h \ -diff --git a/lib/subdir.am b/lib/subdir.am -index 53f7115..cea866f 100644 ---- a/lib/subdir.am -+++ b/lib/subdir.am + lib/mgmt_be_client.c \ + lib/mgmt_fe_client.c \ @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ lib/routemap_northbound.c \ lib/sbuf.c \ @@ -34,8 +18,16 @@ index 53f7115..cea866f 100644 lib/sigevent.c \ lib/skiplist.c \ lib/sockopt.c \ +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/link_state.h \ + lib/log.h \ + lib/log_vty.h \ +- lib/md5.h \ + lib/memory.h \ + lib/mgmt.pb-c.h \ + lib/mgmt_be_client.h \ @@ -191,7 +190,6 @@ pkginclude_HEADERS += \ - lib/routemap.h \ + lib/route_opaque.h \ lib/sbuf.h \ lib/seqlock.h \ - lib/sha256.h \ diff --git a/SOURCES/0003-disable-eigrp-crypto.patch b/0003-disable-eigrp-crypto.patch similarity index 100% rename from SOURCES/0003-disable-eigrp-crypto.patch rename to 0003-disable-eigrp-crypto.patch diff --git a/SOURCES/0004-fips-mode.patch b/0004-fips-mode.patch similarity index 79% rename from SOURCES/0004-fips-mode.patch rename to 0004-fips-mode.patch index e8efeb7..6c0501b 100644 --- a/SOURCES/0004-fips-mode.patch +++ b/0004-fips-mode.patch @@ -2,9 +2,20 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c index 631465f..e084ff3 100644 --- a/ospfd/ospf_vty.c 
+++ b/ospfd/ospf_vty.c -@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, +@@ -7,6 +7,10 @@ + #include + #include - if (argv_find(argv, argc, "message-digest", &idx)) { ++#ifdef CRYPTO_OPENSSL ++#include ++#endif ++ + #include "printfrr.h" + #include "monotime.h" + #include "memory.h" +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + vl_config.keychain = argv[idx+1]->arg; + } else if (argv_find(argv, argc, "message-digest", &idx)) { /* authentication message-digest */ + if(FIPS_mode()) + { @@ -41,7 +52,7 @@ index 631465f..e084ff3 100644 + } SET_IF_PARAM(params, auth_type); params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; - return CMD_SUCCESS; + UNSET_IF_PARAM(params, keychain_name); @@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, "The OSPF password (key)\n" "Address of interface\n") @@ -58,6 +69,17 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c index 81b4b39..cce33d9 100644 --- a/isisd/isis_circuit.c +++ b/isisd/isis_circuit.c +@@ -13,6 +13,10 @@ + #include + #endif + ++#ifdef CRYPTO_OPENSSL ++#include ++#endif ++ + #include "log.h" + #include "memory.h" + #include "vrf.h" @@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, return ferr_code_bug( "circuit password too long (max 254 chars)"); @@ -73,6 +95,17 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c index 419127c..a6c36af 100644 --- a/isisd/isisd.c +++ b/isisd/isisd.c +@@ -9,6 +9,10 @@ + + #include + ++#ifdef CRYPTO_OPENSSL ++#include ++#endif ++ + #include "frrevent.h" + #include "vty.h" + #include "command.h" @@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, if (len > 254) return -1; @@ -88,6 +121,17 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c index 5bb81ef..02a09ef 100644 --- a/ripd/rip_cli.c +++ b/ripd/rip_cli.c +@@ -7,6 +7,10 @@ + + #include + ++#ifdef CRYPTO_OPENSSL ++#include ++#endif ++ + #include "if.h" + #include "if_rmap.h" + #include "vrf.h" 
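Review bot: The rebased FIPS gate in ospf_area_vlink still calls `FIPS_mode()`, an API that OpenSSL 3.x marks deprecated and which, as far as upstream OpenSSL is concerned, is not guaranteed to reflect whether the FIPS provider is actually loaded; the same call recurs in the ip_ospf_message_digest_key, isisd and ripd hunks of this patch. The documented replacement is `if (EVP_default_properties_is_fips_enabled(NULL))`, which reports whether the default property query selects FIPS algorithms. If the package deliberately relies on the distribution's OpenSSL behaviour for `FIPS_mode()`, a one-line comment above the new `#ifdef CRYPTO_OPENSSL` include block saying so would keep a future rebase from silently weakening the check; note also that the header name inside that new `#include` is not visible on this page and should be verified in the file. The DEFUN bodies these hunks touch begin and end outside the hunks.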
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, value = "20"; }
diff --git a/0005-remove-grpc-test.patch b/0005-remove-grpc-test.patch
new file mode 100644
index 0000000..148c1ea
--- /dev/null
+++ b/0005-remove-grpc-test.patch
@@ -0,0 +1,27 @@
+diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
+index 7b5eaa4..5c82f69 100644
+--- a/tests/lib/subdir.am
++++ b/tests/lib/subdir.am
+@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ test -e tests/lib/script1.lua || \
+ $(INSTALL_SCRIPT) $< tests/lib/script1.lua
+
+-##############################################################################
+-GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-
+-if GRPC
+-check_PROGRAMS += tests/lib/test_grpc
+-endif
+-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
+-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
+-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
+-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-nodist_tests_lib_test_grpc_SOURCES = \
+- yang/frr-bfdd.yang.c \
+- yang/frr-staticd.yang.c \
+- # end
+-
+-
+ ##############################################################################
+ if ZEROMQ
+ check_PROGRAMS += tests/lib/test_zmq
diff --git a/0006-noprefixroute-network-manager.patch b/0006-noprefixroute-network-manager.patch
new file mode 100644
index 0000000..a1c2c79
--- /dev/null
+++ b/0006-noprefixroute-network-manager.patch
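Review bot: The new 0005-remove-grpc-test.patch drops the entire `tests_lib_test_grpc` block from tests/lib/subdir.am but carries no header explaining why. Since `check_PROGRAMS += tests/lib/test_grpc` was already guarded by `if GRPC`, the removal is presumably working around a build or link failure when gRPC is enabled, and without that rationale the next rebase is likely to reintroduce the block. A short header at the top of the patch file, e.g. `# Drop test_grpc from the check programs: <reason>` followed by a reference to the tracking bug ([tracking-bug placeholder]), would record the intent.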
@@ -0,0 +1,167 @@
+--- b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
++++ a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
+@@ -144,23 +144,6 @@
+ assert result is None, "Kernel route is missing from zebra"
+
+
+-def test_zebra_noprefix_connected():
+- "Test that a noprefixroute created does not create a connected route"
+-
+- tgen = get_topogen()
+- if tgen.routers_have_failure():
+- pytest.skip(tgen.errors)
+-
+- router = tgen.gears["r1"]
+- router.run("ip addr add 192.168.44.1/24 dev r1-eth1 noprefixroute")
+- expected = "% Network not in table"
+- test_func = partial(
+- topotest.router_output_cmp, router, "show ip route 192.168.44.0/24", expected
+- )
+- result, diff = topotest.run_and_expect(test_func, "", count=20, wait=1)
+- assert result, "Connected Route should not have been added"
+-
+-
+ if __name__ == "__main__":
+ args = ["-s"] + sys.argv[1:]
+ sys.exit(pytest.main(args))
+--- b/zebra/if_netlink.c
++++ a/zebra/if_netlink.c
+@@ -1423,9 +1423,6 @@
+ if (kernel_flags & IFA_F_SECONDARY)
+ dplane_ctx_intf_set_secondary(ctx);
+
+- if (kernel_flags & IFA_F_NOPREFIXROUTE)
+- dplane_ctx_intf_set_noprefixroute(ctx);
+-
+ /* Label */
+ if (tb[IFA_LABEL]) {
+ label = (char *)RTA_DATA(tb[IFA_LABEL]);
+--- b/zebra/zebra_dplane.c
++++ a/zebra/zebra_dplane.c
+@@ -230,7 +230,6 @@
+ #define DPLANE_INTF_BROADCAST (1 << 2)
+ #define DPLANE_INTF_HAS_DEST DPLANE_INTF_CONNECTED
+ #define DPLANE_INTF_HAS_LABEL (1 << 4)
+-#define DPLANE_INTF_NOPREFIXROUTE (1 << 5)
+
+ /* Interface address/prefix */
+ struct prefix prefix;
+@@ -2542,13 +2541,6 @@
+ return (ctx->u.intf.flags & DPLANE_INTF_CONNECTED);
+ }
+
+-bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx)
+-{
+- DPLANE_CTX_VALID(ctx);
+-
+- return (ctx->u.intf.flags & DPLANE_INTF_NOPREFIXROUTE);
+-}
+-
+ bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx)
+ {
+ DPLANE_CTX_VALID(ctx);
+@@ -2577,13 +2569,6 @@
+ ctx->u.intf.flags
|= DPLANE_INTF_SECONDARY;
+ }
+
+-void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx)
+-{
+- DPLANE_CTX_VALID(ctx);
+-
+- ctx->u.intf.flags |= DPLANE_INTF_NOPREFIXROUTE;
+-}
+-
+ void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx)
+ {
+ DPLANE_CTX_VALID(ctx);
+--- b/zebra/zebra_dplane.h
++++ a/zebra/zebra_dplane.h
+@@ -658,8 +658,6 @@
+ void dplane_ctx_intf_set_connected(struct zebra_dplane_ctx *ctx);
+ bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx);
+ void dplane_ctx_intf_set_secondary(struct zebra_dplane_ctx *ctx);
+-bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx);
+-void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx);
+ bool dplane_ctx_intf_is_broadcast(const struct zebra_dplane_ctx *ctx);
+ void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx);
+ const struct prefix *dplane_ctx_get_intf_addr(
+--- b/lib/if.h
++++ a/lib/if.h
+@@ -434,8 +434,6 @@
+ #define ZEBRA_IFA_SECONDARY (1 << 0)
+ #define ZEBRA_IFA_PEER (1 << 1)
+ #define ZEBRA_IFA_UNNUMBERED (1 << 2)
+-#define ZEBRA_IFA_NOPREFIXROUTE (1 << 3)
+-
+ /* N.B. the ZEBRA_IFA_PEER flag should be set if and only if
+ a peer address has been configured. If this flag is set,
+ the destination field must contain the peer address.
+--- b/zebra/connected.c
++++ a/zebra/connected.c
+@@ -282,15 +282,13 @@
+ return;
+ }
+
++ rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
++ false);
+- if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
+- rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
+- zvrf->table_id, metric, 0, 0, 0, false);
+
++ rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
++ false);
+- rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
+- zvrf->table_id, metric, 0, 0, 0, false);
+- }
+
+ if (install_local) {
+ rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_LOCAL,
+@@ -483,15 +481,11 @@
+ * Same logic as for connected_up(): push the changes into the
+ * head.
+ */
++ rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
++ 0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
+- if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
+- rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
+- zvrf->table_id, 0, 0, false);
+
++ rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT,
++ 0, 0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
+- rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
+- ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
+- zvrf->table_id, 0, 0, false);
+- }
+
+ if (remove_local) {
+ rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
+--- b/zebra/interface.c
++++ a/zebra/interface.c
+@@ -1317,9 +1317,6 @@
+ if (dplane_ctx_intf_is_secondary(ctx))
+ SET_FLAG(flags, ZEBRA_IFA_SECONDARY);
+
+- if (dplane_ctx_intf_is_noprefixroute(ctx))
+- SET_FLAG(flags, ZEBRA_IFA_NOPREFIXROUTE);
+-
+ /* Label?
*/
+ if (dplane_ctx_intf_has_label(ctx))
+ label = dplane_ctx_get_intf_label(ctx);
+@@ -2337,12 +2334,6 @@
+ else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_SECONDARY))
+ vty_out(vty, " secondary");
+
+- if (json)
+- json_object_boolean_add(json_addr, "noPrefixRoute",
+- CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE));
+- else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE))
+- vty_out(vty, " noprefixroute");
+-
+ if (json)
+ json_object_boolean_add(
+ json_addr, "unnumbered",
diff --git a/SOURCES/0001-use-python3.patch b/SOURCES/0001-use-python3.patch
deleted file mode 100644
index ce0359e..0000000
--- a/SOURCES/0001-use-python3.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index 208fb11..0692adc 100755
---- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Frr Reloader
- # Copyright (C) 2014 Cumulus Networks, Inc.
- #
-diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
-index 540b7a1..0876ebb 100755
---- a/tools/generate_support_bundle.py
-+++ b/tools/generate_support_bundle.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-
- ########################################################
- ### Python Script to generate the FRR support bundle ###
diff --git a/SOURCES/0006-CVE-2020-12831.patch b/SOURCES/0006-CVE-2020-12831.patch
deleted file mode 100644
index df352d2..0000000
--- a/SOURCES/0006-CVE-2020-12831.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/tools/frr.in b/tools/frr.in
-index b860797..eb64a93 100755
---- a/tools/frr.in
-+++ b/tools/frr.in
-@@ -105,10 +105,12 @@ check_daemon()
- if [ ! -r "$C_PATH/$1-$2.conf" ]; then
- touch "$C_PATH/$1-$2.conf"
- chownfrr "$C_PATH/$1-$2.conf"
-+ chmod 0600 "$C_PATH/$1-$2.conf"
- fi
- elif [ ! -r "$C_PATH/$1.conf" ]; then
- touch "$C_PATH/$1.conf"
- chownfrr "$C_PATH/$1.conf"
-+ chmod 0600 "$C_PATH/$1.conf"
- fi
- fi
- return 0
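Review bot: 0006-noprefixroute-network-manager.patch is written in reverse direction (every file header reads `--- b/...` / `+++ a/...`) and carries no description, so nothing records that it reverts upstream's noprefixroute handling or why; a header naming the reverted upstream commit ([upstream-commit placeholder]) and the motivation (presumably NetworkManager adding addresses with `noprefixroute`, judging by the file name) is needed. Behaviourally, the zebra/connected.c hunks go back to calling rib_add()/rib_delete() for ZEBRA_ROUTE_CONNECT unconditionally, so zebra again installs connected routes for addresses the kernel flagged IFA_F_NOPREFIXROUTE, and the patch also deletes the topotest `test_zebra_noprefix_connected`, leaving that divergence from upstream untested. A replacement topotest asserting that the connected route is present for such an address would make the intended behaviour explicit and catch a future rebase that re-enables the flag. The deleted topotest and the C functions touched here are all cut by their hunks' context, so their bodies lie partly outside this view.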
diff --git a/SOURCES/0007-frrinit.patch b/SOURCES/0007-frrinit.patch deleted file mode 100644 index f5fd13c..0000000 --- a/SOURCES/0007-frrinit.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in -index 539ab7d..d27d1be 100644 ---- a/tools/frrinit.sh.in -+++ b/tools/frrinit.sh.in -@@ -43,7 +43,7 @@ fi - case "$1" in - start) - daemon_list daemons -- watchfrr_options="$watchfrr_options $daemons" -+ watchfrr_options="$daemons" - daemon_start watchfrr - ;; - stop) -@@ -57,7 +57,7 @@ restart|force-reload) - all_stop --reallyall - - daemon_list daemons -- watchfrr_options="$watchfrr_options $daemons" -+ watchfrr_options="$daemons" - daemon_start watchfrr - ;; - -@@ -87,7 +87,7 @@ reload) - # restart watchfrr to pick up added daemons. - # NB: This will NOT cause the other daemons to be restarted. - daemon_list daemons -- watchfrr_options="$watchfrr_options $daemons" -+ watchfrr_options="$daemons" - daemon_stop watchfrr && \ - daemon_start watchfrr - diff --git a/SOURCES/0008-designated-router.patch b/SOURCES/0008-designated-router.patch deleted file mode 100644 index 323a10e..0000000 --- a/SOURCES/0008-designated-router.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c -index 69a3e4587..57ef6029a 100644 ---- a/ospfd/ospf_vty.c -+++ b/ospfd/ospf_vty.c -@@ -3737,6 +3737,28 @@ static void show_ip_ospf_interface_sub(struct vty *vty, struct ospf *ospf, - vty_out(vty, - " No backup designated router on this network\n"); - } else { -+ nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &DR(oi)); -+ if (nbr) { -+ if (use_json) { -+ json_object_string_add( -+ json_interface_sub, "drId", -+ inet_ntoa(nbr->router_id)); -+ json_object_string_add( -+ json_interface_sub, "drAddress", -+ inet_ntoa(nbr->address.u -+ .prefix4)); -+ } else { -+ vty_out(vty, -+ " Designated Router (ID) %s", -+ inet_ntoa(nbr->router_id)); -+ vty_out(vty, -+ " Interface Address %s\n", -+ inet_ntoa(nbr->address.u -+ .prefix4)); -+ } -+ } -+ nbr = NULL; -+ - nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &BDR(oi)); - if (nbr == NULL) { - if (!use_json) diff --git a/SOURCES/0009-routemap.patch b/SOURCES/0009-routemap.patch deleted file mode 100644 index f389e57..0000000 --- a/SOURCES/0009-routemap.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff --git a/lib/routemap.c b/lib/routemap.c -index a90443a..0b594b2 100644 ---- a/lib/routemap.c -+++ b/lib/routemap.c -@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn, - */ - static struct route_map_index * - route_map_get_index(struct route_map *map, const struct prefix *prefix, -- route_map_object_t type, void *object, uint8_t *match_ret) -+ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret) - { -- int ret = 0; -+ enum route_map_cmd_result_t ret = RMAP_NOMATCH; - struct list *candidate_rmap_list = NULL; - struct route_node *rn = NULL; - struct listnode *ln = NULL, *nn = NULL; -@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map, - if ((!map->optimization_disabled) - && (map->ipv4_prefix_table || map->ipv6_prefix_table)) { - index = route_map_get_index(map, prefix, type, object, -- (uint8_t *)&match_ret); -+ &match_ret); - if (index) { - if (rmap_debug) - zlog_debug( diff --git a/SOURCES/0010-moving-executables.patch b/SOURCES/0010-moving-executables.patch deleted file mode 100644 index 46f1439..0000000 --- a/SOURCES/0010-moving-executables.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff --git a/tools/frr.service b/tools/frr.service -index aa45f42..a3f0103 100644 ---- a/tools/frr.service -+++ b/tools/frr.service -@@ -17,9 +17,9 @@ WatchdogSec=60s - RestartSec=5 - Restart=on-abnormal - LimitNOFILE=1024 --ExecStart=/usr/lib/frr/frrinit.sh start --ExecStop=/usr/lib/frr/frrinit.sh stop --ExecReload=/usr/lib/frr/frrinit.sh reload -+ExecStart=/usr/libexec/frr/frrinit.sh start -+ExecStop=/usr/libexec/frr/frrinit.sh stop -+ExecReload=/usr/libexec/frr/frrinit.sh reload - - [Install] - WantedBy=multi-user.target -diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in -index 9a144b2..a334d95 100644 ---- a/tools/frrcommon.sh.in -+++ b/tools/frrcommon.sh.in -@@ -59,6 +59,9 @@ chownfrr() { - [ -n "$FRR_USER" ] && chown "$FRR_USER" "$1" - [ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1" - [ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1" -+ if [ -d "$1" ]; then -+ chmod gu+x "$1" -+ fi - } - - vtysh_b () { -@@ -152,7 +155,7 @@ daemon_start() { - daemon_prep "$daemon" "$inst" || return 1 - if test ! -d "$V_PATH"; then - mkdir -p "$V_PATH" -- chown frr "$V_PATH" -+ chownfrr "$V_PATH" - fi - - eval wrap="\$${daemon}_wrap" diff --git a/SOURCES/0011-reload-bfd-profile.patch b/SOURCES/0011-reload-bfd-profile.patch deleted file mode 100644 index dcd6981..0000000 --- a/SOURCES/0011-reload-bfd-profile.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -diff --git a/tools/frr-reload.py b/tools/frr-reload.py -index 9979c8b..1c24f90 100755 ---- a/tools/frr-reload.py -+++ b/tools/frr-reload.py -@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True): - return True - return False - -+def delete_bgp_bfd(lines_to_add, lines_to_del): -+ """ -+ When 'neighbor bfd profile ' is present without a -+ 'neighbor bfd' line, FRR explicitily adds it to the running -+ configuration. When the new configuration drops the bfd profile -+ line, the user's intent is to delete any bfd configuration on the -+ peer. On reload, deleting the bfd profile line after the bfd line -+ will re-enable BFD with the default BFD profile. Move the bfd line -+ to the end, if it exists in the new configuration. -+ -+ Example: -+ -+ neighbor 10.0.0.1 bfd -+ neighbor 10.0.0.1 bfd profile bfd-profile-1 -+ -+ Move to end: -+ neighbor 10.0.0.1 bfd profile bfd-profile-1 -+ ... -+ -+ neighbor 10.0.0.1 bfd -+ -+ """ -+ lines_to_del_to_app = [] -+ for (ctx_keys, line) in lines_to_del: -+ if ( -+ ctx_keys[0].startswith("router bgp") -+ and line -+ and line.startswith("neighbor ") -+ ): -+ # 'no neighbor [peer] bfd>' -+ nb_bfd = "neighbor (\S+) .*bfd$" -+ re_nb_bfd = re.search(nb_bfd, line) -+ if re_nb_bfd: -+ lines_to_del_to_app.append((ctx_keys, line)) -+ -+ for (ctx_keys, line) in lines_to_del_to_app: -+ lines_to_del.remove((ctx_keys, line)) -+ lines_to_del.append((ctx_keys, line)) -+ -+ return (lines_to_add, lines_to_del) -+ -+ - def check_for_exit_vrf(lines_to_add, lines_to_del): - - # exit-vrf is a bit tricky. 
If the new config is missing it but we -@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running): - for line in newconf_ctx.lines: - lines_to_add.append((newconf_ctx_keys, line)) - -+ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del) - (lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del) - (lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del) - (lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del) -diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c -index b566b0e..1bd6249 100644 ---- a/bgpd/bgp_bfd.c -+++ b/bgpd/bgp_bfd.c -@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr) - - if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG) - && (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) { -- vty_out(vty, " neighbor %s bfd", addr); -+ vty_out(vty, " neighbor %s bfd\n", addr); - if (bfd_info->profile[0]) -- vty_out(vty, " profile %s", bfd_info->profile); -+ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile); - vty_out(vty, "\n"); - } - diff --git a/SOURCES/0012-graceful-restart.patch b/SOURCES/0012-graceful-restart.patch deleted file mode 100644 index 7e874cc..0000000 --- a/SOURCES/0012-graceful-restart.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Tue, 27 Sep 2022 17:30:16 +0300 -Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting - -We might disable sending unconfig/shutdown notifications when -Graceful-Restart is enabled and negotiated. - -Signed-off-by: Donatas Abraitis ---- - bgpd/bgpd.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c -index 3d4ef7c..f8089c6 100644 ---- a/bgpd/bgpd.c -+++ b/bgpd/bgpd.c -@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, - - void peer_notify_unconfig(struct peer *peer) - { -+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { -+ if (bgp_debug_neighbor_events(peer)) -+ zlog_debug( -+ "%pBP configured Graceful-Restart, skipping unconfig notification", -+ peer); -+ return; -+ } -+ - if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) - bgp_notify_send(peer, BGP_NOTIFY_CEASE, - BGP_NOTIFY_CEASE_PEER_UNCONFIG); - } - -+static void peer_notify_shutdown(struct peer *peer) -+{ -+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { -+ if (bgp_debug_neighbor_events(peer)) -+ zlog_debug( -+ "%pBP configured Graceful-Restart, skipping shutdown notification", -+ peer); -+ return; -+ } -+ -+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) -+ bgp_notify_send(peer, BGP_NOTIFY_CEASE, -+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); -+} -+ - void peer_group_notify_unconfig(struct peer_group *group) - { - struct peer *peer, *other; -@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp) - } - - /* Inform peers we're going down. 
*/ -- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) { -- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) -- bgp_notify_send(peer, BGP_NOTIFY_CEASE, -- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); -- } -+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) -+ peer_notify_shutdown(peer); - - /* Delete static routes (networks). */ - bgp_static_delete(bgp); -@@ -7238,11 +7258,7 @@ void bgp_terminate(void) - - for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) - for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) -- if (peer->status == Established -- || peer->status == OpenSent -- || peer->status == OpenConfirm) -- bgp_notify_send(peer, BGP_NOTIFY_CEASE, -- BGP_NOTIFY_CEASE_PEER_UNCONFIG); -+ peer_notify_unconfig(peer); - - if (bm->process_main_queue) - work_queue_free_and_null(&bm->process_main_queue); diff --git a/SOURCES/0013-CVE-2022-37032.patch b/SOURCES/0013-CVE-2022-37032.patch deleted file mode 100644 index 4899c72..0000000 --- a/SOURCES/0013-CVE-2022-37032.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Thu, 21 Jul 2022 08:11:58 -0400 -Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is - expected - -Ensure that if the capability length specified is enough data. - -Signed-off-by: Donald Sharp ---- - bgpd/bgp_packet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index dbf6c0b2e99..45752a8ab6d 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, - "%s CAPABILITY has action: %d, code: %u, length %u", - peer->host, action, hdr->code, hdr->length); - -+ if (hdr->length < sizeof(struct capability_mp_data)) { -+ zlog_info( -+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", -+ peer, sizeof(struct capability_mp_data), -+ hdr->length); -+ return BGP_Stop; -+ } -+ - /* Capability length check. */ - if ((pnt + hdr->length + 3) > end) { - zlog_info("%s Capability length error", peer->host); diff --git a/SOURCES/0014-bfd-profile-crash.patch b/SOURCES/0014-bfd-profile-crash.patch deleted file mode 100644 index cc263ff..0000000 --- a/SOURCES/0014-bfd-profile-crash.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001 -From: Igor Ryzhov -Date: Thu, 1 Apr 2021 15:29:18 +0300 -Subject: [PATCH] bfdd: remove profiles when removing bfd node - -Fixes #8379. - -Signed-off-by: Igor Ryzhov ---- - bfdd/bfd.c | 8 ++++++++ - bfdd/bfd.h | 1 + - bfdd/bfdd_nb_config.c | 1 + - 3 files changed, 10 insertions(+) - -diff --git a/bfdd/bfd.c b/bfdd/bfd.c -index c966efd8ea71..cf292a836354 100644 ---- a/bfdd/bfd.c -+++ b/bfdd/bfd.c -@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void) - hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL); - } - -+void bfd_profiles_remove(void) -+{ -+ struct bfd_profile *bp; -+ -+ while ((bp = TAILQ_FIRST(&bplist)) != NULL) -+ bfd_profile_free(bp); -+} -+ - /* - * Profile related hash functions. - */ -diff --git a/bfdd/bfd.h b/bfdd/bfd.h -index af3f92d6a8f8..9ee1da728717 100644 ---- a/bfdd/bfd.h -+++ b/bfdd/bfd.h -@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs); - const struct bfd_session *bfd_session_next(const struct bfd_session *bs, - bool mhop); - void bfd_sessions_remove_manual(void); -+void bfd_profiles_remove(void); - - /** - * Set the BFD session echo state. 
-diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c -index 0046bc625b45..77f8cbd09c07 100644 ---- a/bfdd/bfdd_nb_config.c -+++ b/bfdd/bfdd_nb_config.c -@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) - - case NB_EV_APPLY: - bfd_sessions_remove_manual(); -+ bfd_profiles_remove(); - break; - - case NB_EV_ABORT: -diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c -index 77f8cbd09c07..4030e2eefa50 100644 ---- a/bfdd/bfdd_nb_config.c -+++ b/bfdd/bfdd_nb_config.c -@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event, - */ - int bfdd_bfd_create(struct nb_cb_create_args *args) - { -- /* NOTHING */ -+ if (args->event != NB_EV_APPLY) -+ return NB_OK; -+ -+ /* -+ * Set any non-NULL value to be able to call -+ * nb_running_unset_entry in bfdd_bfd_destroy. -+ */ -+ nb_running_set_entry(args->dnode, (void *)0x1); -+ - return NB_OK; - } - -@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) - return NB_OK; - - case NB_EV_APPLY: -+ /* -+ * We need to call this to unset pointers from -+ * the child nodes - sessions and profiles. -+ */ -+ nb_running_unset_entry(args->dnode); -+ - bfd_sessions_remove_manual(); - bfd_profiles_remove(); - break; -diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c -index b64e36b36a44..5a844e56e121 100644 ---- a/bfdd/bfdd_cli.c -+++ b/bfdd/bfdd_cli.c -@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode, - * Profile commands. - */ - DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd, -- "profile WORD$name", -+ "profile BFDPROF$name", - BFD_PROFILE_STR - BFD_PROFILE_NAME_STR) - { -diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c -index 74f13e1a44e8..cf1811bb1f2f 100644 ---- a/vtysh/vtysh.c -+++ b/vtysh/vtysh.c -@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd, - } - - DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd, -- "profile WORD", -+ "profile BFDPROF", - BFD_PROFILE_STR - BFD_PROFILE_NAME_STR) - { 
diff --git a/SOURCES/0015-max-ttl-reload.patch b/SOURCES/0015-max-ttl-reload.patch deleted file mode 100644 index e68a221..0000000 --- a/SOURCES/0015-max-ttl-reload.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Mon, 21 Aug 2023 00:01:42 +0300 -Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop - vty output - -1. Create /etc/frr/frr.conf -``` -frr version 7.5 -frr defaults traditional -hostname centos8.localdomain -no ip forwarding -no ipv6 forwarding -service integrated-vtysh-config -line vty -router bgp 4250001000 - neighbor 192.168.122.207 remote-as 65512 - neighbor 192.168.122.207 ebgp-multihop -``` - -2. Start FRR -`# systemctl start frr -` -3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225) - -``` -Building configuration... - -Current configuration: -! -frr version 7.5 -frr defaults traditional -hostname centos8.localdomain -no ip forwarding -no ipv6 forwarding -service integrated-vtysh-config -! -router bgp 4250001000 - neighbor 192.168.122.207 remote-as 65512 - neighbor 192.168.122.207 ebgp-multihop 255 -! -line vty -! -end -``` -4. Copy initial frr.conf to frr.conf.new (no changes) -`# cp /etc/frr/frr.conf /root/frr.conf.new -` -5. 
Run frr-reload.sh: - -``` -$ /usr/lib/frr/frr-reload.py --test /root/frr.conf.new -2023-08-20 20:15:48,050 INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)" -2023-08-20 20:15:48,050 INFO: Loading Config object from file /root/frr.conf.new -2023-08-20 20:15:48,124 INFO: Loading Config object from vtysh show running - -Lines To Delete -=============== -router bgp 4250001000 - no neighbor 192.168.122.207 ebgp-multihop 255 - -Lines To Add -============ -router bgp 4250001000 - neighbor 192.168.122.207 ebgp-multihop -``` - -Closes https://github.com/FRRouting/frr/issues/14242 - -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_vty.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c -index be0fe4283747..c9a9255f3392 100644 ---- a/bgpd/bgp_vty.c -+++ b/bgpd/bgp_vty.c -@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp, - && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED - && peer->ttl == MAXTTL)) { - if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) { -- vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr, -- peer->ttl); -+ if (peer->ttl != MAXTTL) -+ vty_out(vty, " neighbor %s ebgp-multihop %d\n", -+ addr, peer->ttl); -+ else -+ vty_out(vty, " neighbor %s ebgp-multihop\n", -+ addr); - } - } - diff --git a/SOURCES/0016-CVE-2023-38802.patch b/SOURCES/0016-CVE-2023-38802.patch deleted file mode 100644 index 728db32..0000000 --- a/SOURCES/0016-CVE-2023-38802.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Thu, 13 Jul 2023 22:32:03 +0300 -Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation - attribute - -Before this path we used session reset method, which is discouraged by rfc7606. - -Handle this as rfc requires. - -Signed-off-by: Donatas Abraitis -(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186) ---- - bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- - 1 file changed, 25 insertions(+), 36 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 058fae23cbd..1c0803cfd8e 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - case BGP_ATTR_LARGE_COMMUNITIES: - case BGP_ATTR_ORIGINATOR_ID: - case BGP_ATTR_CLUSTER_LIST: -+ case BGP_ATTR_ENCAP: - return BGP_ATTR_PARSE_WITHDRAW; - case BGP_ATTR_MP_REACH_NLRI: - case BGP_ATTR_MP_UNREACH_NLRI: -@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) - } - - /* Parse Tunnel Encap attribute in an UPDATE */ --static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ -- bgp_size_t length, /* IN: attr's length field */ -- struct attr *attr, /* IN: caller already allocated */ -- uint8_t flag, /* IN: attr's flags field */ -- uint8_t *startp) -+static int bgp_attr_encap(struct bgp_attr_parser_args *args) - { -- bgp_size_t total; - uint16_t tunneltype = 0; -- -- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 
4 : 3); -+ struct peer *const peer = args->peer; -+ struct attr *const attr = args->attr; -+ bgp_size_t length = args->length; -+ uint8_t type = args->type; -+ uint8_t flag = args->flags; - - if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) - || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { -- zlog_info( -- "Tunnel Encap attribute flag isn't optional and transitive %d", -- flag); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", -+ flag); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - if (BGP_ATTR_ENCAP == type) { -@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - uint16_t tlv_length; - - if (length < 4) { -- zlog_info( -+ zlog_err( - "Tunnel Encap attribute not long enough to contain outer T,L"); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - tunneltype = stream_getw(BGP_INPUT(peer)); - tlv_length = stream_getw(BGP_INPUT(peer)); -@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - } - - if (sublength > length) { -- zlog_info( -- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -- sublength, length); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -+ sublength, length); -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - /* alloc and copy sub-tlv */ -@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - - if (length) { - /* spurious leftover data */ -- 
zlog_info( -- "Tunnel Encap attribute length is bad: %d leftover octets", -- length); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", -+ length); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - return 0; -@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - case BGP_ATTR_VNC: - #endif - case BGP_ATTR_ENCAP: -- ret = bgp_attr_encap(type, peer, length, attr, flag, -- startp); -+ ret = bgp_attr_encap(&attr_args); - break; - case BGP_ATTR_PREFIX_SID: - ret = bgp_attr_prefix_sid(&attr_args); diff --git a/SOURCES/0017-fix-crash-in-plist-update.patch b/SOURCES/0017-fix-crash-in-plist-update.patch deleted file mode 100644 index 69bfc64..0000000 --- a/SOURCES/0017-fix-crash-in-plist-update.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001 -From: Chirag Shah -Date: Mon, 25 Jan 2021 11:44:56 -0800 -Subject: [PATCH] lib: fix a crash in plist update - -Problem: -Prefix-list with mulitiple rules, an update to -a rule/sequence with different prefix/prefixlen -reset prefix-list next-base pointer to avoid -having stale value. - -In some case the old next-bast's reference leads -to an assert in tri (trie_install_fn ) add. - -bt: -(object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560 -(plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585 -(ple=0x55576a4c8a00) at lib/plist.c:745 -(args=0x7fffe04beb50) at lib/filter_nb.c:1181 - -Solution: -Reset prefix-list next-base pointer whenver a -sequence/rule is updated. - -Ticket:CM-33109 -Testing Done: - -Signed-off-by: Chirag Shah -Signed-off-by: Rafael Zalamena -(cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03) ---- - lib/plist.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/plist.c b/lib/plist.c -index 981e86e2a..c746d1946 100644 ---- a/lib/plist.c -+++ b/lib/plist.c -@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple) - if (pl->head || pl->tail || pl->desc) - pl->master->recent = pl; - -+ ple->next_best = NULL; - ple->installed = false; - } - --- -2.41.0 diff --git a/SOURCES/0018-CVE-2023-38406.patch b/SOURCES/0018-CVE-2023-38406.patch deleted file mode 100644 index 56c9296..0000000 --- a/SOURCES/0018-CVE-2023-38406.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Thu, 23 Feb 2023 13:29:32 -0500 -Subject: [PATCH] bgpd: Flowspec overflow issue - -According to the flowspec RFC 8955 a flowspec nlri is > -Specifying 0 as a length makes BGP get all warm on the inside. Which -in this case is not a good thing at all. Prevent warmth, stay cold -on the inside. - -Reported-by: Iggy Frankovic -Signed-off-by: Donald Sharp ---- - bgpd/bgp_flowspec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c -index 8d5ca5e77779..f9debe43cd45 100644 ---- a/bgpd/bgp_flowspec.c -+++ b/bgpd/bgp_flowspec.c -@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, - psize); - return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; - } -+ -+ if (psize == 0) { -+ flog_err(EC_BGP_FLOWSPEC_PACKET, -+ "Flowspec NLRI length 0 which makes no sense"); -+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; -+ } -+ - if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { - flog_err( - EC_BGP_FLOWSPEC_PACKET, diff --git a/SOURCES/0019-CVE-2023-38407.patch b/SOURCES/0019-CVE-2023-38407.patch deleted file mode 100644 index dbd4e9e..0000000 --- a/SOURCES/0019-CVE-2023-38407.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Fri, 3 Mar 2023 21:58:33 -0500 -Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing - -Fixes a couple crashes associated with attempting to read -beyond the end of the stream. - -Reported-by: Iggy Frankovic -Signed-off-by: Donald Sharp ---- - bgpd/bgp_label.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c -index 0cad119af101..c4a5277553ba 100644 ---- a/bgpd/bgp_label.c -+++ b/bgpd/bgp_label.c -@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen, - uint8_t llen = 0; - uint8_t label_depth = 0; - -+ if (plen < BGP_LABEL_BYTES) -+ return 0; -+ - for (; data < lim; data += BGP_LABEL_BYTES) { - memcpy(label, data, BGP_LABEL_BYTES); - llen += BGP_LABEL_BYTES; -@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, - memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN); - addpath_id = ntohl(addpath_id); - pnt += BGP_ADDPATH_ID_LEN; -+ -+ if (pnt >= lim) -+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; - } - - /* Fetch prefix length. */ -@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, - - /* Fill in the labels */ - llen = bgp_nlri_get_labels(peer, pnt, psize, &label); -+ if (llen == 0) { -+ flog_err( -+ EC_BGP_UPDATE_RCV, -+ "%s [Error] Update packet error (wrong label length 0)", -+ peer->host); -+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR, -+ BGP_NOTIFY_UPDATE_INVAL_NETWORK); -+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH; -+ } - p.prefixlen = prefixlen - BSIZE(llen); - - /* There needs to be at least one label */ diff --git a/SOURCES/0020-CVE-2023-47234.patch b/SOURCES/0020-CVE-2023-47234.patch deleted file mode 100644 index ac509c6..0000000 --- a/SOURCES/0020-CVE-2023-47234.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Sun, 29 Oct 2023 22:44:45 +0200 -Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI - -If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if -no mandatory path attributes received. - -In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled -as a new data, but without mandatory attributes, it's a malformed packet. - -In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST -handle that. - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_attr.c | 19 ++++++++++--------- - bgpd/bgp_attr.h | 1 + - bgpd/bgp_packet.c | 7 ++++++- - 3 files changed, 17 insertions(+), 10 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 1473dc772502..75aa2ac7cce6 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, - if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) - return BGP_ATTR_PARSE_PROCEED; - -- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required -- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI -- are present, it should. Check for any other attribute being present -- instead. -- */ -- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && -- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) -- return BGP_ATTR_PARSE_PROCEED; -- - if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) - type = BGP_ATTR_ORIGIN; - -@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, - && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) - type = BGP_ATTR_LOCAL_PREF; - -+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required -+ * to carry any other path attributes. 
Though if MP_REACH_NLRI or NLRI -+ * are present, it should. Check for any other attribute being present -+ * instead. -+ */ -+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && -+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) -+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY -+ : BGP_ATTR_PARSE_PROCEED; -+ - /* If any of the well-known mandatory attributes are not present - * in an UPDATE message, then "treat-as-withdraw" MUST be used. - */ -diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h -index fc347e7a1b4b..d30155e6dba0 100644 ---- a/bgpd/bgp_attr.h -+++ b/bgpd/bgp_attr.h -@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret { - */ - BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, - BGP_ATTR_PARSE_EOR = -4, -+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4, - } bgp_attr_parse_ret_t; - - struct bpacket_attr_vec_arr; -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index a7514a26aa64..5dc35157ebf6 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection, - /* Network Layer Reachability Information. */ - update_len = end - stream_pnt(s); - -- if (update_len) { -+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then -+ * NLRIs should be handled as a new data. Though, if we received -+ * NLRIs without mandatory attributes, they should be ignored. -+ */ -+ if (update_len && attribute_len && -+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { - /* Set NLRI portion to structure. */ - nlris[NLRI_UPDATE].afi = AFI_IP; - nlris[NLRI_UPDATE].safi = SAFI_UNICAST; diff --git a/SOURCES/0021-CVE-2023-47235.patch b/SOURCES/0021-CVE-2023-47235.patch deleted file mode 100644 index b9786ef..0000000 --- a/SOURCES/0021-CVE-2023-47235.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Fri, 27 Oct 2023 11:56:45 +0300 -Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of - malformed attrs - -Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be -processed as a normal UPDATE without mandatory attributes, that could lead -to harmful behavior. In this case, a crash for route-maps with the configuration -such as: - -``` -router bgp 65001 - no bgp ebgp-requires-policy - neighbor 127.0.0.1 remote-as external - neighbor 127.0.0.1 passive - neighbor 127.0.0.1 ebgp-multihop - neighbor 127.0.0.1 disable-connected-check - neighbor 127.0.0.1 update-source 127.0.0.2 - neighbor 127.0.0.1 timers 3 90 - neighbor 127.0.0.1 timers connect 1 - ! - address-family ipv4 unicast - neighbor 127.0.0.1 addpath-tx-all-paths - neighbor 127.0.0.1 default-originate - neighbor 127.0.0.1 route-map RM_IN in - exit-address-family -exit -! -route-map RM_IN permit 10 - set as-path prepend 200 -exit -``` - -Send a malformed optional transitive attribute: - -``` -import socket -import time - -OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" -b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" -b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" -b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" -b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" -b"\x80\x00\x00\x00") - -KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" -b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") - -UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") - -s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -s.connect(('127.0.0.2', 179)) -s.send(OPEN) -data = s.recv(1024) -s.send(KEEPALIVE) -data = s.recv(1024) -s.send(UPDATE) -data = 
s.recv(1024) -time.sleep(100) -s.close() -``` - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_attr.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index cf2dbe65b805..1473dc772502 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, - uint8_t type = 0; - - /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an -- * empty UPDATE. */ -+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, -+ * we will pass it to be processed as a normal UPDATE without mandatory -+ * attributes, that could lead to harmful behavior. -+ */ - if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) -- return BGP_ATTR_PARSE_PROCEED; -+ return BGP_ATTR_PARSE_WITHDRAW; - - if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) - type = BGP_ATTR_ORIGIN; -@@ -3273,7 +3276,13 @@ done: - aspath_unintern(&as4_path); - } - -- if (ret != BGP_ATTR_PARSE_ERROR) { -+ /* If we received an UPDATE with mandatory attributes, then -+ * the unrecognized transitive optional attribute of that -+ * path MUST be passed. Otherwise, it's an error, and from -+ * security perspective it might be very harmful if we continue -+ * here with the unrecognized attributes. -+ */ -+ if (ret == BGP_ATTR_PARSE_PROCEED) { - /* Finally intern unknown attribute. */ - if (attr->transit) - attr->transit = transit_intern(attr->transit); diff --git a/SOURCES/0022-route-map-event.patch b/SOURCES/0022-route-map-event.patch deleted file mode 100644 index 74e9242..0000000 --- a/SOURCES/0022-route-map-event.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 4fc5dafd1c8167a98e3a5f51efc1ea5092513364 Mon Sep 17 00:00:00 2001 -From: rgirada -Date: Thu, 18 Feb 2021 20:15:40 -0800 -Subject: [PATCH] lib: Routemap is not getting applied upon changing the - routemap action - -Description: - This looks broken after NB changes in routemap. When routemap - action modified from permit to deny, it is expected to apply - the new action on the filtered routes before the action in the - routemap data structure has been changed. But currently this is - not handled by the corresponding northbound API. - -Signed-off-by: Rajesh Girada ---- - lib/routemap_northbound.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/lib/routemap_northbound.c b/lib/routemap_northbound.c -index db06e9caac75..3473ca2aea8c 100644 ---- a/lib/routemap_northbound.c -+++ b/lib/routemap_northbound.c -@@ -271,6 +271,7 @@ lib_route_map_entry_description_destroy(struct nb_cb_destroy_args *args) - static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args) - { - struct route_map_index *rmi; -+ struct route_map *map; - - switch (args->event) { - case NB_EV_VALIDATE: -@@ -281,7 +282,15 @@ static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args) - case NB_EV_APPLY: - rmi = nb_running_get_entry(args->dnode, NULL, true); - rmi->type = yang_dnode_get_enum(args->dnode, NULL); -- /* TODO: notify? */ -+ map = rmi->map; -+ -+ /* Execute event hook. */ -+ if (route_map_master.event_hook) { -+ (*route_map_master.event_hook)(map->name); -+ route_map_notify_dependencies(map->name, -+ RMAP_EVENT_CALL_ADDED); -+ } -+ - break; - } - diff --git a/SOURCES/0023-CVE-2023-46752.patch b/SOURCES/0023-CVE-2023-46752.patch deleted file mode 100644 index a59b74c..0000000 --- a/SOURCES/0023-CVE-2023-46752.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Fri, 20 Oct 2023 17:49:18 +0300 -Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session - reset - -Avoid crashing bgpd. - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_attr.c | 6 +----- - bgpd/bgp_attr.h | 1 - - bgpd/bgp_packet.c | 6 +----- - 3 files changed, 2 insertions(+), 11 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 6925aff727e2..e7bb42a5d989 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args, - - mp_update->afi = afi; - mp_update->safi = safi; -- return BGP_ATTR_PARSE_EOR; -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0); - } - - mp_update->afi = afi; -@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - goto done; - } - -- if (ret == BGP_ATTR_PARSE_EOR) { -- goto done; -- } -- - if (ret == BGP_ATTR_PARSE_ERROR) { - flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR, - "%s: Attribute %s, parse error", peer->host, -diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h -index 961e5f122470..fc347e7a1b4b 100644 ---- a/bgpd/bgp_attr.h -+++ b/bgpd/bgp_attr.h -@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret { - /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR - */ - BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, -- BGP_ATTR_PARSE_EOR = -4, - BGP_ATTR_PARSE_MISSING_MANDATORY = -4, - } bgp_attr_parse_ret_t; - -diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c -index b585591e2f69..5ecf343b6657 100644 ---- a/bgpd/bgp_packet.c -+++ b/bgpd/bgp_packet.c -@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection, - * Non-MP IPv4/Unicast EoR is a completely empty UPDATE - * and MP EoR should have only an empty MP_UNREACH - */ -- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) -- || 
(attr_parse_ret == BGP_ATTR_PARSE_EOR)) { -+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) { - afi_t afi = 0; - safi_t safi; - struct graceful_restart_info *gr_info; -@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection, - && nlris[NLRI_MP_WITHDRAW].length == 0) { - afi = nlris[NLRI_MP_WITHDRAW].afi; - safi = nlris[NLRI_MP_WITHDRAW].safi; -- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) { -- afi = nlris[NLRI_MP_UPDATE].afi; -- safi = nlris[NLRI_MP_UPDATE].safi; - } - - if (afi && peer->afc[afi][safi]) { diff --git a/SOURCES/0024-CVE-2023-46753.patch b/SOURCES/0024-CVE-2023-46753.patch deleted file mode 100644 index 7b8381b..0000000 --- a/SOURCES/0024-CVE-2023-46753.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Mon, 23 Oct 2023 23:34:10 +0300 -Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE - message - -If we send a crafted BGP UPDATE message without mandatory attributes, we do -not check if the length of the path attributes is zero or not. We only check -if attr->flag is at least set or not. Imagine we send only unknown transit -attribute, then attr->flag is always 0. Also, this is true only if graceful-restart -capability is received. - -Reported-by: Iggy Frankovic -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_attr.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index 26fd3de..bcc4424 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) - } - - /* Well-known attribute check. */ --static int bgp_attr_check(struct peer *peer, struct attr *attr) -+static int bgp_attr_check(struct peer *peer, struct attr *attr, -+ bgp_size_t length) - { - uint8_t type = 0; - -@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) - * we will pass it to be processed as a normal UPDATE without mandatory - * attributes, that could lead to harmful behavior. 
- */ -- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) -+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && -+ !length) - return BGP_ATTR_PARSE_WITHDRAW; - - if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) -@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - bgp_attr_parse_ret_t ret; - uint8_t flag = 0; - uint8_t type = 0; -- bgp_size_t length; -+ bgp_size_t length = 0; - uint8_t *startp, *endp; - uint8_t *attr_endp; - uint8_t seen[BGP_ATTR_BITMAP_SIZE]; -@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr, - } - - /* Check all mandatory well-known attributes are present */ -- if ((ret = bgp_attr_check(peer, attr)) < 0) -+ if ((ret = bgp_attr_check(peer, attr, length)) < 0) - goto done; - - /* diff --git a/SOURCES/0025-CVE-2023-31490.patch b/SOURCES/0025-CVE-2023-31490.patch deleted file mode 100644 index 5bbde8a..0000000 --- a/SOURCES/0025-CVE-2023-31490.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Tue, 6 Dec 2022 10:23:11 -0500 -Subject: [PATCH] bgpd: Ensure stream received has enough data - -BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not -fully trust the length value specified in the nlri. -Always ensure that the amount of data we need to read -can be fullfilled. - -Reported-by: Iggy Frankovic -Signed-off-by: Donald Sharp ---- - bgpd/bgp_attr.c | 79 ++++++++++++++++--------------------------------- - 1 file changed, 25 insertions(+), 54 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index c35e45275c9b..5b06bc391375 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - uint16_t endpoint_behavior; - char buf[BUFSIZ]; - -+ /* -+ * Check that we actually have at least as much data as -+ * specified by the length field -+ */ -+ if (STREAM_READABLE(peer->curr) < length) { -+ flog_err( -+ EC_BGP_ATTR_LEN, -+ "Prefix SID specifies length %hu, but only %zu bytes remain", -+ length, STREAM_READABLE(peer->curr)); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -+ args->total); -+ } -+ - if (type == BGP_PREFIX_SID_LABEL_INDEX) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { -+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID label index length is %hu instead of %u", - length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH); -@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - /* Store label index; subsequently, we'll check on - * address-family */ - attr->label_index = label_index; -- } -- -- /* Placeholder code for the IPv6 SID type */ -- else if (type == BGP_PREFIX_SID_IPV6) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_IPV6_LENGTH) { -+ } else if (type == BGP_PREFIX_SID_IPV6) { -+ if (length != 
BGP_PREFIX_SID_IPV6_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID IPv6 length is %hu instead of %u", - length, BGP_PREFIX_SID_IPV6_LENGTH); -@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - stream_getw(peer->curr); - - stream_get(&ipv6_sid, peer->curr, 16); -- } -- -- /* Placeholder code for the Originator SRGB type */ -- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { -+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) { - /* - * ietf-idr-bgp-prefix-sid-05: - * Length is the total length of the value portion of the -@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - args->total); - } - -- /* -- * Check that we actually have at least as much data as -- * specified by the length field -- */ -- if (STREAM_READABLE(peer->curr) < length) { -- flog_err(EC_BGP_ATTR_LEN, -- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain", -- length, STREAM_READABLE(peer->curr)); -- return bgp_attr_malformed( -- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -- } -- - /* - * Check that the portion of the TLV containing the sequence of - * SRGBs corresponds to a multiple of the SRGB size; to get -@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length, - stream_get(&srgb_base, peer->curr, 3); - stream_get(&srgb_range, peer->curr, 3); - } -- } -- -- /* Placeholder code for the VPN-SID Service type */ -- else if (type == BGP_PREFIX_SID_VPN_SID) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) { -+ } else if (type == BGP_PREFIX_SID_VPN_SID) { -+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) { - flog_err(EC_BGP_ATTR_LEN, - "Prefix SID VPN SID length is %hu instead of %u", - length, BGP_PREFIX_SID_VPN_SID_LENGTH); -@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length, - sizeof(struct bgp_attr_srv6_vpn)); - attr->srv6_vpn->sid_flags = sid_flags; - sid_copy(&attr->srv6_vpn->sid, &ipv6_sid); -- } -- 
-- /* Placeholder code for the SRv6 L3 Service type */ -- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { -- if (STREAM_READABLE(peer->curr) < length -- || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) { -- flog_err(EC_BGP_ATTR_LEN, -- "Prefix SID SRv6 L3-Service length is %hu instead of %u", -- length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH); -- return bgp_attr_malformed(args, -- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) { -+ if (STREAM_READABLE(peer->curr) < 1) { -+ flog_err(EC_BGP_ATTR_LEN, -+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte"); -+ return bgp_attr_malformed( -+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -+ args->total); - } - - /* Parse L3-SERVICE Sub-TLV */ -@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length, - - /* Placeholder code for Unsupported TLV */ - else { -- -- if (STREAM_READABLE(peer->curr) < length) { -- flog_err( -- EC_BGP_ATTR_LEN, -- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE", -- length, STREAM_READABLE(peer->curr)); -- return bgp_attr_malformed( -- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, -- args->total); -- } -- - if (bgp_debug_update(peer, NULL, NULL, 1)) - zlog_debug( - "%s attr Prefix-SID sub-type=%u is not supported, skipped", diff --git a/SOURCES/0026-CVE-2023-41909.patch b/SOURCES/0026-CVE-2023-41909.patch deleted file mode 100644 index a61dafe..0000000 --- a/SOURCES/0026-CVE-2023-41909.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From cfd04dcb3e689754a72507d086ba3b9709fc5ed8 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Wed, 5 Apr 2023 14:57:05 -0400 -Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit - withdrawal - -All other parsing functions done from bgp_nlri_parse() assume -no attributes == an implicit withdrawal. Let's move -bgp_nlri_parse_flowspec() into the same alignment. - -Reported-by: Matteo Memelli -Signed-off-by: Donald Sharp ---- - bgpd/bgp_flowspec.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c -index f9debe43cd45..5e1be21402dc 100644 ---- a/bgpd/bgp_flowspec.c -+++ b/bgpd/bgp_flowspec.c -@@ -98,6 +98,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, - afi = packet->afi; - safi = packet->safi; - -+ /* -+ * All other AFI/SAFI's treat no attribute as a implicit -+ * withdraw. Flowspec should as well. -+ */ -+ if (!attr) -+ withdraw = 1; -+ - if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) { - flog_err(EC_BGP_FLOWSPEC_PACKET, - "BGP flowspec nlri length maximum reached (%u)", diff --git a/SOURCES/0027-dynamic-netlink-buffer.patch b/SOURCES/0027-dynamic-netlink-buffer.patch deleted file mode 100644 index ec31367..0000000 --- a/SOURCES/0027-dynamic-netlink-buffer.patch +++ /dev/null 
@@ -1,267 +0,0 @@ -From 2cf7651f0b1b0123dc5568ebad00ac84a9b3c348 Mon Sep 17 00:00:00 2001 -From: Donald Sharp -Date: Wed, 2 Feb 2022 13:28:42 -0500 -Subject: [PATCH] zebra: Make netlink buffer reads resizeable when needed - -Currently when the kernel sends netlink messages to FRR -the buffers to receive this data is of fixed length. -The kernel, with certain configurations, will send -netlink messages that are larger than this fixed length. -This leads to situations where, on startup, zebra gets -really confused about the state of the kernel. Effectively -the current algorithm is this: - -read up to buffer in size -while (data to parse) - get netlink message header, look at size - parse if you can - -The problem is that there is a 32k buffer we read. -We get the first message that is say 1k in size, -subtract that 1k to 31k left to parse. We then -get the next header and notice that the length -of the message is 33k. Which is obviously larger -than what we read in. FRR has no recover mechanism -nor is there a way to know, a priori, what the maximum -size the kernel will send us. - -Modify FRR to look at the kernel message and see if the -buffer is large enough, if not, make it large enough to -read in the message. - -This code has to be per netlink socket because of the usage -of pthreads. So add to `struct nlsock` the buffer and current -buffer length. Growing it as necessary. 
- -Fixes: #10404 -Signed-off-by: Donald Sharp ---- - zebra/kernel_netlink.c | 68 +++++++++++++++++++++++++----------------- - zebra/kernel_netlink.h | 2 +- - zebra/zebra_dplane.c | 4 +++ - zebra/zebra_ns.h | 3 ++ - 4 files changed, 49 insertions(+), 28 deletions(-) - -diff --git a/zebra/kernel_netlink.h b/zebra/kernel_netlink.h -index ae88f3372b1c..9421ea1c611a 100644 ---- a/zebra/kernel_netlink.h -+++ b/zebra/kernel_netlink.h -@@ -96,7 +96,7 @@ extern const char *nl_family_to_str(uint8_t family); - extern const char *nl_rttype_to_str(uint8_t rttype); - - extern int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), -- const struct nlsock *nl, -+ struct nlsock *nl, - const struct zebra_dplane_info *dp_info, - int count, int startup); - extern int netlink_talk_filter(struct nlmsghdr *h, ns_id_t ns, int startup); -diff --git a/zebra/zebra_ns.h b/zebra/zebra_ns.h -index 0519e1d5b33d..7a0ffbc1ee6f 100644 ---- a/zebra/zebra_ns.h -+++ b/zebra/zebra_ns.h -@@ -39,6 +39,9 @@ struct nlsock { - int seq; - struct sockaddr_nl snl; - char name[64]; -+ -+ uint8_t *buf; -+ size_t buflen; - }; - #endif - -diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c -index b8eaeb1..14a40a9 100644 ---- a/zebra/kernel_netlink.c -+++ b/zebra/kernel_netlink.c -@@ -90,8 +90,6 @@ - */ - #define NL_DEFAULT_BATCH_SEND_THRESHOLD (15 * NL_PKT_BUF_SIZE) - --#define NL_BATCH_RX_BUFSIZE NL_RCV_PKT_BUF_SIZE -- - static const struct message nlmsg_str[] = {{RTM_NEWROUTE, "RTM_NEWROUTE"}, - {RTM_DELROUTE, "RTM_DELROUTE"}, - {RTM_GETROUTE, "RTM_GETROUTE"}, -@@ -164,8 +162,6 @@ DEFINE_MTYPE_STATIC(ZEBRA, NL_BUF, "Zebra Netlink buffers") - size_t nl_batch_tx_bufsize; - char *nl_batch_tx_buf; - --char nl_batch_rx_buf[NL_BATCH_RX_BUFSIZE]; -- - _Atomic uint32_t nl_batch_bufsize = NL_DEFAULT_BATCH_BUFSIZE; - _Atomic uint32_t nl_batch_send_threshold = NL_DEFAULT_BATCH_SEND_THRESHOLD; - -@@ -322,6 +318,9 @@ static int netlink_socket(struct nlsock *nl, unsigned long groups, - - nl->snl = snl; 
- nl->sock = sock; -+ nl->buflen = NL_RCV_PKT_BUF_SIZE; -+ nl->buf = XMALLOC(MTYPE_NL_BUF, nl->buflen); -+ - return ret; - } - -@@ -729,19 +728,29 @@ static ssize_t netlink_send_msg(const struct nlsock *nl, void *buf, - * - * Returns -1 on error, 0 if read would block or the number of bytes received. - */ --static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg, -- void *buf, size_t buflen) -+static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg) - { - struct iovec iov; - int status; - -- iov.iov_base = buf; -- iov.iov_len = buflen; -- msg.msg_iov = &iov; -- msg.msg_iovlen = 1; -+ iov.iov_base = nl->buf; -+ iov.iov_len = nl->buflen; -+ msg->msg_iov = &iov; -+ msg->msg_iovlen = 1; - - do { -- status = recvmsg(nl->sock, &msg, 0); -+ int bytes; -+ -+ bytes = recv(nl->sock, NULL, 0, MSG_PEEK | MSG_TRUNC); -+ -+ if (bytes >= 0 && (size_t)bytes > nl->buflen) { -+ nl->buf = XREALLOC(MTYPE_NL_BUF, nl->buf, bytes); -+ nl->buflen = bytes; -+ iov.iov_base = nl->buf; -+ iov.iov_len = nl->buflen; -+ } -+ -+ status = recvmsg(nl->sock, msg, 0); - } while (status == -1 && errno == EINTR); - - if (status == -1) { -@@ -761,10 +770,10 @@ static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg, - return -1; - } - -- if (msg.msg_namelen != sizeof(struct sockaddr_nl)) { -+ if (msg->msg_namelen != sizeof(struct sockaddr_nl)) { - flog_err(EC_ZEBRA_NETLINK_LENGTH_ERROR, - "%s sender address length error: length %d", nl->name, -- msg.msg_namelen); -+ msg->msg_namelen); - return -1; - } - -@@ -873,8 +882,7 @@ static int netlink_parse_error(const struct nlsock *nl, struct nlmsghdr *h, - * the filter. 
- */ - int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), -- const struct nlsock *nl, -- const struct zebra_dplane_info *zns, -+ struct nlsock *nl, const struct zebra_dplane_info *zns, - int count, int startup) - { - int status; -@@ -883,7 +891,6 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), - int read_in = 0; - - while (1) { -- char buf[NL_RCV_PKT_BUF_SIZE]; - struct sockaddr_nl snl; - struct msghdr msg = {.msg_name = (void *)&snl, - .msg_namelen = sizeof(snl)}; -@@ -892,14 +899,14 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), - if (count && read_in >= count) - return 0; - -- status = netlink_recv_msg(nl, msg, buf, sizeof(buf)); -+ status = netlink_recv_msg(nl, &msg); - if (status == -1) - return -1; - else if (status == 0) - break; - - read_in++; -- for (h = (struct nlmsghdr *)buf; -+ for (h = (struct nlmsghdr *)nl->buf; - (status >= 0 && NLMSG_OK(h, (unsigned int)status)); - h = NLMSG_NEXT(h, status)) { - /* Finish of reading. */ -@@ -976,10 +983,10 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int), - */ - static int - netlink_talk_info(int (*filter)(struct nlmsghdr *, ns_id_t, int startup), -- struct nlmsghdr *n, const struct zebra_dplane_info *dp_info, -+ struct nlmsghdr *n, struct zebra_dplane_info *dp_info, - int startup) - { -- const struct nlsock *nl; -+ struct nlsock *nl; - - nl = &(dp_info->nls); - n->nlmsg_seq = nl->seq; -@@ -1067,12 +1074,11 @@ static int nl_batch_read_resp(struct nl_batch *bth) - * message at a time. 
- */ - while (true) { -- status = netlink_recv_msg(nl, msg, nl_batch_rx_buf, -- sizeof(nl_batch_rx_buf)); -+ status = netlink_recv_msg(nl, &msg); - if (status == -1 || status == 0) - return status; - -- h = (struct nlmsghdr *)nl_batch_rx_buf; -+ h = (struct nlmsghdr *)nl->buf; - ignore_msg = false; - seq = h->nlmsg_seq; - /* -@@ -1506,11 +1512,15 @@ void kernel_terminate(struct zebra_ns *zns, bool complete) - if (zns->netlink.sock >= 0) { - close(zns->netlink.sock); - zns->netlink.sock = -1; -+ XFREE(MTYPE_NL_BUF, zns->netlink.buf); -+ zns->netlink.buflen = 0; - } - - if (zns->netlink_cmd.sock >= 0) { - close(zns->netlink_cmd.sock); - zns->netlink_cmd.sock = -1; -+ XFREE(MTYPE_NL_BUF, zns->netlink_cmd.buf); -+ zns->netlink_cmd.buflen = 0; - } - - /* During zebra shutdown, we need to leave the dataplane socket -@@ -1520,6 +1530,8 @@ void kernel_terminate(struct zebra_ns *zns, bool complete) - if (zns->netlink_dplane.sock >= 0) { - close(zns->netlink_dplane.sock); - zns->netlink_dplane.sock = -1; -+ XFREE(MTYPE_NL_BUF, zns->netlink_dplane.buf); -+ zns->netlink_dplane.buflen = 0; - } - } - } -diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c -index 14a40a9..2b566d4 100644 ---- a/zebra/kernel_netlink.c -+++ b/zebra/kernel_netlink.c -@@ -779,7 +779,7 @@ static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg) - - if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_RECV) { - zlog_debug("%s: << netlink message dump [recv]", __func__); -- zlog_hexdump(buf, status); -+ zlog_hexdump(nl->buf, status); - } - - return status; -diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c -index 2b566d4..0564a6b 100644 ---- a/zebra/kernel_netlink.c -+++ b/zebra/kernel_netlink.c -@@ -1060,7 +1060,7 @@ static int nl_batch_read_resp(struct nl_batch *bth) - struct sockaddr_nl snl; - struct msghdr msg = {}; - int status, seq; -- const struct nlsock *nl; -+ struct nlsock *nl; - struct zebra_dplane_ctx *ctx; - bool ignore_msg; - 
diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc
deleted file mode 100644
index 8cd3b3d..0000000
--- a/SOURCES/frr.fc
+++ /dev/null
@@ -1,28 +0,0 @@
-/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
-
-/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
-
-/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
-
-/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
-/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
-
-/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
-
-/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
-
-/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)
diff --git a/SPECS/frr.spec b/SPECS/frr.spec
deleted file mode 100644
index 24f64b4..0000000
--- a/SPECS/frr.spec
+++ /dev/null
@@ -1,423 +0,0 @@ -%global frrversion 7.5.1 -%global frr_libdir /usr/libexec/frr - -%global _hardened_build 1 -%global selinuxtype targeted -%bcond_without selinux - -Name: frr -Version: 7.5.1 -Release: 22%{?checkout}%{?dist} -Summary: Routing daemon -License: GPLv2+ -URL: http://www.frrouting.org -Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz -Source1: %{name}-tmpfiles.conf -Source2: frr.fc -Source3: frr.te -Source4: frr.if -BuildRequires: perl-generators -BuildRequires: gcc -BuildRequires: net-snmp-devel -BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff -BuildRequires: readline readline-devel ncurses ncurses-devel -BuildRequires: git pam-devel c-ares-devel -BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML -BuildRequires: python3-devel python3-sphinx python3-pytest -BuildRequires: systemd systemd-devel -BuildRequires: libyang-devel >= 1.0.184 -Requires: net-snmp ncurses -Requires(post): systemd /sbin/install-info -Requires(preun): systemd /sbin/install-info -Requires(postun): systemd -Requires: iproute -Requires: initscripts - -%if 0%{?with_selinux} -Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) -%endif - -Provides: routingdaemon = %{version}-%{release} -Obsoletes: frr-sysvinit quagga frr-contrib - -Patch0000: 0000-remove-babeld-and-ldpd.patch -Patch0001: 0001-use-python3.patch -Patch0002: 0002-enable-openssl.patch -Patch0003: 0003-disable-eigrp-crypto.patch -Patch0004: 0004-fips-mode.patch -Patch0006: 0006-CVE-2020-12831.patch -Patch0007: 0007-frrinit.patch -Patch0008: 0008-designated-router.patch -Patch0009: 0009-routemap.patch -Patch0010: 0010-moving-executables.patch -Patch0011: 0011-reload-bfd-profile.patch -Patch0012: 0012-graceful-restart.patch -Patch0013: 0013-CVE-2022-37032.patch -Patch0014: 0014-bfd-profile-crash.patch -Patch0015: 0015-max-ttl-reload.patch -Patch0016: 0016-CVE-2023-38802.patch -Patch0017: 
0017-fix-crash-in-plist-update.patch -Patch0018: 0018-CVE-2023-38406.patch -Patch0019: 0019-CVE-2023-38407.patch -Patch0020: 0020-CVE-2023-47234.patch -Patch0021: 0021-CVE-2023-47235.patch -Patch0022: 0022-route-map-event.patch -Patch0023: 0023-CVE-2023-46752.patch -Patch0024: 0024-CVE-2023-46753.patch -Patch0025: 0025-CVE-2023-31490.patch -Patch0026: 0026-CVE-2023-41909.patch -Patch0027: 0027-dynamic-netlink-buffer.patch - -%description -FRRouting is free software that manages TCP/IP based routing protocols. It takes -a multi-server and multi-threaded approach to resolve the current complexity -of the Internet. - -FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. - -FRRouting is a fork of Quagga. - -%if 0%{?with_selinux} -%package selinux -Summary: Selinux policy for FRR -BuildArch: noarch -Requires: selinux-policy-%{selinuxtype} -Requires(post): selinux-policy-%{selinuxtype} -BuildRequires: selinux-policy-devel -%{?selinux_requires} - -%description selinux -SELinux policy modules for FRR package - -%endif - -%prep -%autosetup -S git -#SELinux -mkdir selinux -cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux - -%build -autoreconf -ivf - -%configure \ - --sbindir=%{frr_libdir} \ - --sysconfdir=%{_sysconfdir}/frr \ - --libdir=%{_libdir}/frr \ - --libexecdir=%{_libexecdir}/frr \ - --localstatedir=%{_localstatedir}/run/frr \ - --enable-snmp=agentx \ - --enable-multipath=64 \ - --enable-vtysh=yes \ - --enable-ospfclient=no \ - --enable-ospfapi=no \ - --enable-user=frr \ - --enable-group=frr \ - --enable-vty-group=frrvty \ - --enable-rtadv \ - --disable-exampledir \ - --enable-systemd=yes \ - --enable-static=no \ - --disable-ldpd \ - --disable-babeld \ - --with-moduledir=%{_libdir}/frr/modules \ - --with-crypto=openssl \ - --enable-fpm - -%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} - -pushd doc -make info -popd - -#SELinux policy -%if 0%{?with_selinux} -make -C selinux -f %{_datadir}/selinux/devel/Makefile 
%{name}.pp -bzip2 -9 selinux/%{name}.pp -%endif - -%install -mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ - %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ - %{buildroot}%{_unitdir} - -mkdir -p -m 0755 %{buildroot}%{_libdir}/frr -mkdir -p %{buildroot}%{_tmpfilesdir} - -%make_install - -# Remove this file, as it is uninstalled and causes errors when building on RH9 -rm -rf %{buildroot}/usr/share/info/dir - -install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf -install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons -install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service -install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr -install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh -install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh - -install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr -install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr -install -d -m 775 %{buildroot}/run/frr - -%if 0%{?with_selinux} -install -D -m 644 selinux/%{name}.pp.bz2 \ - %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 -install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if -%endif - -rm %{buildroot}%{_libdir}/frr/*.la -rm %{buildroot}%{_libdir}/frr/modules/*.la - -#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed -rm %{buildroot}%{_libdir}/frr/*.so -rm -r %{buildroot}%{_includedir}/frr/ - -%pre -getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || : -getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || : -getent passwd frr 
>/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \ - -c "FRRouting suite" -d %{_localstatedir}/run/frr frr || : -usermod -aG frrvty frr - -%post -#Because we move files to /usr/libexec, we need to reload .service files as well -/usr/bin/systemctl daemon-reload -%systemd_post frr.service - -if [ -f %{_infodir}/%{name}.inf* ]; then - install-info %{_infodir}/frr.info %{_infodir}/dir || : -fi - -# Create dummy files if they don't exist so basic functions can be used. -if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then - echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf - chown frr:frr %{_sysconfdir}/frr/zebra.conf - chmod 640 %{_sysconfdir}/frr/zebra.conf -fi - -if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then - echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf - chmod 640 %{_sysconfdir}/frr/vtysh.conf - chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf -fi - -#Making sure that the old format of config file still works -#Checking whether .rpmnew conf file is present - in that case I want to change the old config -if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then - sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons - sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons -fi - -%postun -%systemd_postun_with_restart frr.service - -#only when removing the package -if [ $1 -ge 0 ]; then - if [ -f %{_infodir}/%{name}.inf* ]; then - install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : - fi -fi - -%preun -%systemd_preun frr.service - -#SELinux -%if 0%{?with_selinux} -%pre selinux -%selinux_relabel_pre -s %{selinuxtype} - -%post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 -%selinux_relabel_post -s %{selinuxtype} -#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade -if [ $1 == 2 ]; then - %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null - %{_sbindir}/restorecon -R /var/run/frr &> /dev/null -fi - -%postun selinux -if [ $1 
-eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{name} - %selinux_relabel_post -s %{selinuxtype} -fi - -%endif - -%check -make check PYTHON=%{__python3} - -%files -%defattr(-,root,root) -%license COPYING -%doc zebra/zebra.conf.sample -%doc isisd/isisd.conf.sample -%doc ripd/ripd.conf.sample -%doc bgpd/bgpd.conf.sample* -%doc ospfd/ospfd.conf.sample -%doc ospf6d/ospf6d.conf.sample -%doc ripngd/ripngd.conf.sample -%doc pimd/pimd.conf.sample -%doc doc/mpls -%dir %attr(740,frr,frr) %{_sysconfdir}/frr -%dir %attr(755,frr,frr) /var/log/frr -%dir %attr(755,frr,frr) /run/frr -%{_infodir}/*info* -%{_mandir}/man*/* -%dir %{frr_libdir}/ -%{frr_libdir}/* -%{_bindir}/* -%dir %{_libdir}/frr -%{_libdir}/frr/*.so.* -%dir %{_libdir}/frr/modules/ -%{_libdir}/frr/modules/* -%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr -%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons -%config(noreplace) /etc/pam.d/frr -%{_unitdir}/*.service -%dir /usr/share/yang -/usr/share/yang/*.yang -%{_tmpfilesdir}/%{name}.conf - -%if 0%{?with_selinux} -%files selinux -%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* -%{_datadir}/selinux/devel/include/distributed/%{name}.if -%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} -%endif - -%changelog -* Wed Feb 07 2024 Michal Ruprich - 7.5.1-22 -- Resolves: RHEL-22303 - Zebra not fetching host routes - -* Wed Feb 07 2024 Michal Ruprich - 7.5.1-21 -- Resolves: RHEL-2216 - NULL pointer dereference - -* Wed Feb 07 2024 Michal Ruprich - 7.5.1-20 -- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS - -* Mon Feb 05 2024 Michal Ruprich - 7.5.1-19 -- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash - -* Mon Feb 05 2024 Michal Ruprich - 7.5.1-18 -- Resolves: RHEL-14821 - mishandled malformed data leading to a crash - -* Tue Dec 19 2023 Michal Ruprich - 7.5.1-17 -- Resolves: RHEL-6583 - Routes are not refreshed after changing 
the inbound route rules from deny to permit - -* Tue Dec 19 2023 Michal Ruprich - 7.5.1-16 -- Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c -- Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c -- Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message -- Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message - -* Thu Oct 19 2023 Andreas Karis - 7.5.1-15 -- Resolves: RHEL-12039 - crash in plist update - -* Fri Oct 13 2023 Michal Ruprich - 7.5.1-14 -- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router - -* Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 -- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration - -* Wed Aug 23 2023 Michal Ruprich - 7.5.1-12 -- Resolves: #2216911 - Adding missing sys_admin SELinux call - -* Mon Aug 21 2023 Michal Ruprich - 7.5.1-11 -- Related: #2216911 - Adding unconfined_t type to access namespaces - -* Thu Aug 17 2023 Michal Ruprich - 7.5.1-10 -- Related: #2226803 - Adding patch - -* Wed Aug 16 2023 Michal Ruprich - 7.5.1-9 -- Resolves: #2226803 - BFD crash in FRR running in MetalLB - -* Fri Aug 11 2023 Michal Ruprich - 7.5.1-8 -- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces - -* Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 -- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service - -* Tue Nov 29 2022 Michal Ruprich - 7.5.1-6 -- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context - -* Mon Nov 14 2022 Michal Ruprich - 7.5.1-5 -- Resolves: #2127140 - Frr is unable to push routes to the system routing table - -* Mon Nov 14 2022 Michal Ruprich - 7.5.1-4 -- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers - -* Thu Aug 25 2022 Michal Ruprich - 7.5.1-3 -- 
Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile - -* Wed Aug 24 2022 Michal Ruprich - 7.5.1-2 -- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2 -- Resolves: #1714984 - SELinux policy (daemons) changes required for package - -* Wed May 11 2022 Michal Ruprich - 7.5.1-1 -- Resolves: #2018451 - Rebase of frr to version 7.5.1 -- Resolves: #1975361 - the dynamic routing setup does not work any more - -* Wed Jan 05 2022 Michal Ruprich - 7.5-11 -- Resolves: #2034328 - Bfdd crash in metallb CI - -* Tue Jan 04 2022 Michal Ruprich - 7.5-10 -- Resolves: #2020878 - frr ospfd show ip ospf interface does not show designated router info - -* Fri Dec 10 2021 Michal Ruprich - 7.5-9 -- Resolves: #2029958 - FRR reloader generating invalid BFD configurations, exits with error - -* Tue Nov 16 2021 Michal Ruprich - 7.5-8 -- Resolves: #2021819 - Rebuilding for the new json-c - -* Thu Sep 30 2021 Michal Ruprich - 7.5-7 -- Related: #1917269 - Wrong value in gating file - -* Fri Sep 17 2021 Michal Ruprich - 7.5-6 -- Related: #1917269 - Incomplete patch, adding gating rules - -* Thu Sep 16 2021 Michal Ruprich - 7.5-5 -- Resolves: #1979426 - Unable to configure OSPF in multi-instance mode -- Resolves: #1917269 - vtysh running-config output not showing bgp ttl-security hops option - -* Tue Jan 12 2021 root - 7.5-4 -- Related: #1889323 - Fixing start-up with old config file - -* Mon Jan 11 2021 root - 7.5-3 -- Related: #1889323 - Reverting to non-integrated cofiguration - -* Thu Jan 07 2021 Michal Ruprich - 7.5-2 -- Related: #1889323 - Obsoleting frr-contrib - -* Thu Jan 07 2021 Michal Ruprich - 7.5-1 -- Resolves: #1889323 - [RFE] Rebase FRR to 7.5 - -* Thu Aug 20 2020 Michal Ruprich - 7.0-10 -- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881 - -* Thu Aug 20 2020 Michal Ruprich - 7.0-9 -- Resolves: #1852476 - default permission issue eases information leaks - -* Tue May 05 2020 Michal Ruprich - 
7.0-8 -- Resolves: #1819319 - frr fails to start start if the initscripts package is missing - -* Mon May 04 2020 Michal Ruprich - 7.0-7 -- Resolves: #1758544 - IGMPv3 queries may lead to DoS - -* Tue Mar 10 2020 Michal Ruprich - 7.0-6 -- Resolves: #1776342 - frr has missing dependency on iproute - -* Tue Sep 03 2019 Michal Ruprich - 7.0-5 -- Resolves: #1719465 - Removal of component Frr or its crypto - -* Wed Jun 19 2019 Michal Ruprich - 7.0-4 -- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test - -* Wed Jun 19 2019 Michal Ruprich - 7.0-3 -- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty - -* Wed Jun 19 2019 Michal Ruprich - 7.0-2 -- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel - -* Wed May 29 2019 Michal Ruprich - 7.0-1 -- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8 diff --git a/frr-sysusers.conf b/frr-sysusers.conf new file mode 100644 index 0000000..9632955 --- /dev/null +++ b/frr-sysusers.conf @@ -0,0 +1,4 @@ +#Type Name ID GECOS Home directory Shell +g frrvty - +u frr - "FRRouting routing suite" /var/run/frr /sbin/nologin +m frr frrvty diff --git a/SOURCES/frr-tmpfiles.conf b/frr-tmpfiles.conf similarity index 100% rename from SOURCES/frr-tmpfiles.conf rename to frr-tmpfiles.conf diff --git a/frr.fc b/frr.fc new file mode 100644 index 0000000..3724f47 --- /dev/null +++ b/frr.fc 
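Review bot: The new `u frr` entry in frr-sysusers.conf sets the home directory to `/var/run/frr`, while the file-context file added in the same commit labels `/run/frr(/.*)?` as `frr_var_run_t` and no longer mentions `/var/run`. On the target this presumably still resolves because `/var/run` is a symlink to `/run`, but using the canonical path keeps the account definition consistent with the SELinux labeling and the runtime directory the daemons actually use: `u frr - "FRRouting routing suite" /run/frr /sbin/nologin`. A short comment above the entry noting that the home directory is the daemons' runtime directory rather than a login home would also help the next maintainer.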
@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/run/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/run/lock/subsys/pathd -- gen_context(system_u:object_r:frr_lock_t,s0)
+
+/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)
diff --git a/SOURCES/frr.if b/frr.if
similarity index 70%
rename from SOURCES/frr.if
rename to frr.if
index b580159..f445718 100644
--- a/SOURCES/frr.if
+++ b/frr.if
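Review bot: The file-context pattern `/usr/lib/systemd/system/frr.*` on the third line uses an unescaped `.`, so it labels every unit file whose name merely starts with `frr` as `frr_unit_file_t`, not only `frr.service`; the same pattern existed in the deleted SOURCES/frr.fc, so this is carried over rather than introduced. If only the frr unit is intended, `/usr/lib/systemd/system/frr\.service -- gen_context(system_u:object_r:frr_unit_file_t,s0)` is the precise form; if additional frr-prefixed units are meant to be covered, a one-line comment above the entry saying so would make the intent clear. I cannot tell from this hunk which units the spec installs, so this is a question rather than a defect.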
@@ -162,45 +162,73 @@ interface(`frr_admin',` ') ######################################## +# +# Interface compatibility blocks +# +# The following definitions ensure compatibility with distribution policy +# versions that do not contain given interfaces (epel, or older Fedora +# releases). +# Each block tests for existence of given interface and defines it if needed. +# + +###################################### ## -## Read ifconfig_var_run_t files and link files +## Watch ifconfig_var_run_t directories ## ## -## -## Domain allowed access. -## +## +## Domain allowed access. +## ## # -ifndef(`sysnet_read_ifconfig_run',` - interface(`sysnet_read_ifconfig_run',` - gen_require(` - type ifconfig_var_run_t; - ') +ifndef(`sysnet_watch_ifconfig_run_dirs',` + interface(`sysnet_watch_ifconfig_run_dirs',` + gen_require(` + type ifconfig_var_run_t; + ') - manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) - list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) - read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) - read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) - ') + watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') ') ######################################## ## -## Read unconfined_t files and dirs +## Read ifconfig_var_run_t files and link files ## ## -## +## ## Domain allowed access. 
-## +## ## # -ifndef(`unconfined_read_files',` - interface(`unconfined_read_files',` - gen_require(` - type unconfined_t; - ') +ifndef(`sysnet_read_ifconfig_run_files',` + interface(`sysnet_read_ifconfig_run_files',` + gen_require(` + type ifconfig_var_run_t; + ') - allow $1 unconfined_t:file read_file_perms; - allow $1 unconfined_t:dir list_dir_perms; - ') + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## +## setattr admin_home_t files +## +## +## +## Domain allowed access. +## +## +# +ifndef(`userdom_setattr_admin_files',` + interface(`userdom_setattr_admin_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file setattr; + ') ') diff --git a/frr.spec b/frr.spec new file mode 100644 index 0000000..f5d9183 --- /dev/null +++ b/frr.spec 
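Review bot: The new `userdom_setattr_admin_files` compatibility interface at the end of the hunk grants `allow $1 admin_home_t:file setattr;`, i.e. write access to attributes of every file in the administrator's home, and its summary comment only restates the rule without saying which frr operation needs it; the `.te` call site is outside this hunk. Since the `ifndef` wrapper means the distribution's own definition is used where one exists and this local one only on older policies, the effective permission set can differ by release, which makes the rationale worth recording. I would extend the summary to something like `## setattr admin_home_t files; required because <operation that triggered the AVC — confirm> touches files under the admin home` and, if the need is limited to a single file or a narrower type, note that the permission could be scoped down instead of covering all of `admin_home_t`.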
@@ -0,0 +1,578 @@ +%global frr_libdir %{_libexecdir}/frr + +%global _hardened_build 1 +%global selinuxtype targeted +%define _legacy_common_support 1 + +%bcond grpc %{undefined rhel} +%bcond selinux 1 + +Name: frr +Version: 10.1 +Release: 3%{?dist} +Summary: Routing daemon +License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source1: %{name}-tmpfiles.conf +Source2: %{name}-sysusers.conf +#Decentralized SELinux policy +Source3: frr.fc +Source4: frr.te +Source5: frr.if + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch +Patch0005: 0005-remove-grpc-test.patch +Patch0006: 0006-noprefixroute-network-manager.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison >= 2.7 +BuildRequires: c-ares-devel +BuildRequires: flex +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: git-core +BuildRequires: groff +%if %{with grpc} +BuildRequires: grpc-devel +BuildRequires: grpc-plugins +%endif +BuildRequires: json-c-devel +BuildRequires: libcap-devel +BuildRequires: libtool +BuildRequires: libyang-devel >= 2.1.148 +BuildRequires: make +BuildRequires: ncurses +BuildRequires: ncurses-devel +BuildRequires: net-snmp-devel +BuildRequires: pam-devel +BuildRequires: patch +BuildRequires: perl-XML-LibXML +BuildRequires: perl-generators +BuildRequires: python3-devel +BuildRequires: python3-pytest +BuildRequires: python3-sphinx +BuildRequires: readline-devel +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros +BuildRequires: texinfo +BuildRequires: protobuf-c-devel + +Requires: ncurses +Requires: net-snmp +Requires(post): hostname +%{?sysusers_requires_compat} +Requires(post): systemd +Requires(postun): systemd +Requires(preun): 
systemd + +%if 0%{?with_selinux} +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) +%endif + +Obsoletes: quagga < 1.2.4-17 +Provides: routingdaemon = %{version}-%{release} + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, +EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%if 0%{?with_selinux} +%package selinux +Summary: Selinux policy for FRR +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +SELinux policy modules for FRR package + +%endif + +%prep +%autosetup -S git +#Selinux +mkdir selinux +cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux +# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17: +sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=/run/frr \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --disable-ospfclient \ + --disable-ospfapi \ + --enable-snmp=agentx \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-yangmodelsdir=%{_datadir}/frr-yang/ \ + --with-crypto=openssl \ + --enable-fpm \ + %{?with_grpc:--enable-grpc} + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +# Build info documentation +%make_build -C doc info + +#SELinux policy +%if 0%{?with_selinux} +make -C selinux -f 
%{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 selinux/%{name}.pp +%endif + +%install +mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr +mkdir -p %{buildroot}%{_tmpfilesdir} +mkdir -p %{buildroot}%{_sysusersdir} + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}%{_infodir}/dir + +install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -p -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf +install -p -m 644 tools/etc/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons +install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr +install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh +install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh + +install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr +install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +%if 0%{?with_selinux} +install -D -m 644 selinux/%{name}.pp.bz2 \ + %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + +# Delete libtool archives +find %{buildroot} -type f -name "*.la" -delete -print + +#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed +rm %{buildroot}%{_libdir}/frr/*.so +rm -r %{buildroot}%{_includedir}/frr/ + +%pre +%sysusers_create_compat %{SOURCE2} + +%post +%systemd_post frr.service + +# Create dummy files if they don't exist so basic functions can be used. +if [ ! 
-e %{_sysconfdir}/frr/frr.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf + chown frr:frr %{_sysconfdir}/frr/frr.conf + chmod 640 %{_sysconfdir}/frr/frr.conf +fi + +#still used by vtysh, this way no error is produced when using vtysh +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + touch %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf +fi + +%postun +%systemd_postun_with_restart frr.service + +%preun +%systemd_preun frr.service + +#SELinux +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} +#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi + +%endif + +%check +#this should be temporary, the grpc test is just badly designed +rm tests/lib/*grpc* +%make_build check PYTHON=%{__python3} + +%files +%license COPYING +%doc doc/mpls +%dir %attr(750,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) %{_localstatedir}/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man1/frr.1* +%{_mandir}/man1/vtysh.1* +%{_mandir}/man8/frr-*.8* +%{_mandir}/man8/mtracebis.8* +%dir %{frr_libdir}/ +%{frr_libdir}/* +%{_bindir}/mtracebis +%{_bindir}/vtysh +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%dir %{_libdir}/frr/modules +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/frr +%config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons +%config(noreplace) %{_sysconfdir}/pam.d/frr +%{_unitdir}/*.service +%dir %{_datadir}/frr-yang/ 
+%{_datadir}/frr-yang/*.yang +%{_tmpfilesdir}/%{name}.conf +%{_sysusersdir}/%{name}.conf + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + +%changelog +* Mon Aug 26 2024 Michal Ruprich - 10.1-3 +- Related: RHEL-55747 - Adding libs_manage_lib_dirs for handling lib_t + +* Sun Aug 25 2024 Michal Ruprich - 10.1-2 +- Related: RHEL-55747 - Adding new selinux rules + +* Thu Aug 22 2024 Michal Ruprich - 10.1-1 +- New version 10.1 + +* Mon Jun 24 2024 Troy Dawson - 9.1-11 +- Bump release for June 2024 mass rebuild + +* Wed Jun 12 2024 Michal Ruprich - 9.1-10 +- Resolves: RHEL-32134 - buffer overflow and daemon crash in ospf_te_parse_ri + +* Wed Jun 12 2024 Michal Ruprich - 9.1-9 +- Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link + +* Wed Jun 12 2024 Michal Ruprich - 9.1-8 +- Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service + +* Mon May 27 2024 Michal Ruprich - 9.1-7 +- Resolves: RHEL-38834 - Missing selinux rules for .history_frr file for FRR + +* Thu Apr 18 2024 Michal Ruprich - 9.1-6 +- Resolves: RHEL-32128 - infinite loop + +* Thu Apr 18 2024 Michal Ruprich - 9.1-5 +- Resolves: RHEL-32125 - bgpd daemon crash + +* Tue Apr 16 2024 Michal Ruprich - 9.1-4 +- Moving yang modules to an frr specific directory to avoid conflicts +- Adding rpminspect.yaml + +* Thu Apr 11 2024 Michal Ruprich - 9.1-3 +- Resolves: RHEL-32502 - frr fails to start: SELinux is preventing watchfrr from create access on the sock_file + +* Sun Feb 04 2024 Benjamin A. 
Beasley - 9.1-2 +- Rebuilt for abseil-cpp-20240116.0 + +* Thu Jan 25 2024 Michal Ruprich - 9.1-1 +- New version 9.1 + +* Wed Jan 24 2024 Fedora Release Engineering - 9.0.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 9.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Oct 16 2023 Michal Ruprich - 9.0.1-1 +- New version 9.0.1 + +* Fri Sep 01 2023 Michal Ruprich - 8.5.2-4 +- Adding a couple of SELinux rules, includes fix for rhbz#2149299 + +* Wed Aug 30 2023 Benjamin A. Beasley - 8.5.2-3 +- Rebuilt for abseil-cpp 20230802.0 + +* Wed Jul 19 2023 Fedora Release Engineering - 8.5.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Jun 30 2023 Michal Ruprich - 8.5.2-1 +- New version 8.5.2 +- Fixing some rpmlint warnings + +* Mon Jun 26 2023 Michal Ruprich - 8.5.1-4 +- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces. + +* Mon Jun 05 2023 Yaakov Selkowitz - 8.5.1-3 +- Disable grpc in RHEL builds + +* Fri May 19 2023 Petr Pisar - 8.5.1-2 +- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19) + +* Wed Apr 26 2023 Michal Ruprich - 8.5.1-1 +- New version 8.5.1 + +* Wed Apr 12 2023 Michal Ruprich - 8.5-1 +- New version 8.5 + +* Thu Mar 23 2023 Michal Ruprich - 8.4.2-5 +- Rebuilding for new abseil-cpp version + +* Wed Mar 22 2023 Michal Ruprich - 8.4.2-4 +- SPDX migration + +* Wed Mar 08 2023 Benjamin A. 
Beasley - 8.4.2-3 +- Build as C++17, required by abseil-cpp 20230125 + +* Thu Jan 19 2023 Fedora Release Engineering - 8.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jan 12 2023 Michal Ruprich - 8.4.2-1 +- New version 8.4.2 + +* Fri Nov 25 2022 Michal Ruprich - 8.4.1-1 +- New version 8.4.1 +- Fix for rhbz #2140705 + +* Thu Nov 10 2022 Michal Ruprich - 8.4-1 +- New version 8.4 + +* Fri Sep 16 2022 Michal Ruprich - 8.3.1-5 +- Adding SELinux rule to enable zebra to write to sysctl_net_t +- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t + +* Fri Sep 09 2022 Michal Ruprich - 8.3.1-4 +- Fixing an error in post scriptlet + +* Fri Sep 09 2022 Michal Ruprich - 8.3.1-3 +- Resolves: #2124254 - frr can no longer update routes + +* Wed Sep 07 2022 Michal Ruprich - 8.3.1-2 +- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr +- Better handling FRR files during upgrade + +* Tue Sep 06 2022 Michal Ruprich - 8.3.1-1 +- New version 8.3.1 + +* Mon Aug 22 2022 Michal Ruprich - 8.2.2-10 +- Rebuilding for new abseil-cpp and grpc updates + +* Wed Aug 10 2022 Michal Ruprich - 8.2.2-9 +- Adding vrrpd and pathd as daemons to the policy + +* Wed Aug 10 2022 Michal Ruprich - 8.2.2-8 +- Finalizing SELinux policy + +* Tue Aug 02 2022 Michal Ruprich - 8.2.2-7 +- Fixing wrong path for vtysh in frr.fc + +* Fri Jul 29 2022 Benjamin A. 
Beasley - 8.2.2-6 +- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658) + +* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5 +- Packaging SELinux policy for FRR + +* Thu Jul 21 2022 Fedora Release Engineering - 8.2.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue May 17 2022 Michal Ruprich - 8.2.2-3 +- Rebuild for grpc-1.46.1 + +* Mon Apr 11 2022 Michal Ruprich - 8.2.2-2 +- Fix for CVE-2022-16126 + +* Tue Mar 15 2022 Michal Ruprich - 8.2.2-1 +- New version 8.2.2 + +* Thu Mar 10 2022 Michal Ruprich - 8.2-2 +- Rebuild for abseil-cpp 20211102.0 + +* Wed Mar 09 2022 Michal Ruprich - 8.2-1 +- New version 8.2 (rhbz#2020439) +- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons + +* Tue Feb 01 2022 Michal Ruprich - 8.0.1-11 +- Rebuilding for FTBFS in Rawhide(rhbz#2045399) + +* Thu Jan 20 2022 Fedora Release Engineering - 8.0.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Jan 08 2022 Miro Hrončok - 8.0.1-9 +- Rebuilt for libre2.so.9 + +* Sat Nov 06 2021 Adrian Reber - 8.0.1-8 +- Rebuilt for protobuf 3.19.0 + +* Mon Oct 25 2021 Adrian Reber - 8.0.1-7 +- Rebuilt for protobuf 3.18.1 + +* Fri Oct 15 2021 Michal Ruprich - 8.0.1-6 +- Obsoleting quagga so that it may be retired + +* Thu Oct 07 2021 Michal Ruprich - 8.0.1-5 +- Rebuilding for grpc 1.41 + +* Thu Sep 30 2021 Michal Ruprich - 8.0.1-4 +- Rebuild for new version of libyang + +* Sat Sep 18 2021 Benjamin A. Beasley - 8.0.1-3 +- Rebuild for grpc 1.40 + +* Thu Sep 16 2021 Sahana Prasad - 8.0.1-2 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Sep 16 2021 Michal Ruprich - 8.0.1-1 +- New version 8.0.1 + +* Tue Sep 14 2021 Sahana Prasad - 8.0-2 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Aug 11 2021 Michal Ruprich - 8.0-1 +- New version 8.0 + +* Wed Aug 04 2021 Benjamin A. 
Beasley - 7.5.1-9 +- Rebuild for grpc 1.39 + +* Wed Jul 21 2021 Fedora Release Engineering - 7.5.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jul 20 2021 Michal Ruprich - 7.5.1-7 +- Resolves: #1983278 - ospfd crashes in route_node_delete with assertion fail + +* Sat Jul 10 2021 Björn Esser - 7.5.1-6 +- Rebuild for versioned symbols in json-c + +* Wed Jul 07 2021 Neal Gompa - 7.5.1-5 +- Clean up the spec file for legibility and modern spec standards +- Remove unneeded info scriptlets +- Use systemd-sysusers for frr user and frrvty group +- Use git-core instead of git for applying patches +- Drop redundant build dependencies + +* Wed Jul 07 2021 Michal Ruprich - 7.5.1-4 +- Rebuild for newer abseil-cpp + +* Tue May 11 2021 Benjamin A. Beasley - 7.5.1-3 +- Rebuild for grpc 1.37 + +* Fri Apr 23 2021 Michal Ruprich - 7.5.1-2 +- Fixing permissions on config files in /etc/frr +- Enabling integrated configuration option for frr + +* Fri Mar 12 2021 Michal Ruprich - 7.5.1-1 +- New version 7.5.1 +- Enabling grpc, adding hostname for post scriptlet +- Moving files to libexec due to selinux issues + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 7.5-4 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. 
+
+* Tue Feb 16 2021 Michal Ruprich - 7.5-3
+- Fixing FTBS - icc options are confusing the new gcc
+
+* Tue Jan 26 2021 Fedora Release Engineering - 7.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 01 2021 Michal Ruprich - 7.5-1
+- New version 7.5
+
+* Mon Sep 21 2020 Michal Ruprich - 7.4-1
+- New version 7.4
+
+* Thu Aug 27 2020 Josef Řídký - 7.3.1-4
+- Rebuilt for new net-snmp release
+
+* Mon Jul 27 2020 Fedora Release Engineering - 7.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jun 18 2020 Michal Ruprich - 7.3.1-1
+- New version 7.3.1
+- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
+
+* Tue May 19 2020 Michal Ruprich - 7.3-6
+- Removing texi2html, it is not available in Rawhide anymore
+
+* Mon May 18 2020 Michal Ruprich - 7.3-5
+- Rebuild for new version of libyang
+
+* Tue Apr 21 2020 Björn Esser - 7.3-4
+- Rebuild (json-c)
+
+* Mon Apr 13 2020 Björn Esser - 7.3-3
+- Update json-c-0.14 patch with a solution from upstream
+
+* Mon Apr 13 2020 Björn Esser - 7.3-2
+- Add support for upcoming json-c 0.14.0
+
+* Wed Feb 19 2020 Michal Ruprich - 7.3-1
+- New version 7.3
+
+* Tue Jan 28 2020 Fedora Release Engineering - 7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Dec 16 2019 Michal Ruprich - 7.2-1
+- New version 7.2
+
+* Tue Nov 12 2019 Michal Ruprich - 7.1-5
+- Rebuilding for new version of libyang
+
+* Mon Oct 07 2019 Michal Ruprich - 7.1-4
+- Adding noreplace to the /etc/frr/daemons file
+
+* Fri Sep 13 2019 Michal Ruprich - 7.1-3
+- New way of finding python version during build
+- Replacing crypto of all routing daemons with openssl
+- Disabling EIGRP crypto because it is broken
+- Disabling crypto in FIPS mode
+
+* Thu Jul 25 2019 Fedora Release Engineering - 7.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 25 2019 Michal Ruprich - 7.1-1
+- New version 7.1
+
+* Wed Jun 19 2019 Michal Ruprich - 7.0-2
+- Initial build
diff --git a/SOURCES/frr.te b/frr.te
similarity index 79%
rename from SOURCES/frr.te
rename to frr.te
index a1c8bee..34d6699 100644
--- a/SOURCES/frr.te
+++ b/frr.te
@@ -31,9 +31,14 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket create;
+allow frr_t self:netlink_generic_socket create;
+allow frr_t self:netlink_generic_socket setopt;
+allow frr_t self:netlink_generic_socket getopt;
+allow frr_t self:netlink_generic_socket getattr;
+allow frr_t self:netlink_generic_socket bind;
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@@ -70,6 +75,7 @@ can_exec(frr_t, frr_exec_t)
 kernel_read_network_state(frr_t)
 kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
+kernel_request_load_module(frr_t)
 
 auth_use_nsswitch(frr_t)
 
@@ -78,11 +84,13 @@ corecmd_exec_bin(frr_t)
 corenet_tcp_bind_appswitch_emp_port(frr_t)
 corenet_udp_bind_bfd_control_port(frr_t)
 corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_udp_bind_bfd_multi_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
 corenet_tcp_connect_bgp_port(frr_t)
-corenet_udp_bind_all_unreserved_ports(frr_t);
-corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_cmadmin_port(frr_t)
+corenet_udp_bind_cmadmin_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
 corenet_tcp_bind_priority_e_com_port(frr_t)
 corenet_udp_bind_router_port(frr_t)
 corenet_tcp_bind_qpasa_agent_port(frr_t)
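Review bot: In `%post`, `frr.conf` is created by `echo "hostname \`hostname\`" > %{_sysconfdir}/frr/frr.conf` under the installer's umask and only afterwards `chown`ed and `chmod 640`, so for a moment it exists root-owned and, with the usual umask 022, world-readable; `vtysh.conf` is created by `touch` in the same order. Creating each file with its final owner and mode first closes that window: `install -o frr -g frr -m 640 /dev/null %{_sysconfdir}/frr/frr.conf` followed by `echo "hostname $(hostname)" > %{_sysconfdir}/frr/frr.conf`, and `install -o frr -g frr -m 640 /dev/null %{_sysconfdir}/frr/vtysh.conf` in place of the touch/chmod/chown triple. At install time the content is only a hostname, so this is hardening rather than a disclosure, but frr.conf is where operators later keep BGP/OSPF keys and a 640 file from its first byte is the right baseline. Two smaller inconsistencies in the same file: `/run/frr` is created with `install -d -m 775` but packaged as `%attr(755,frr,frr)`, and the selinux scriptlets test `$1` once with `==` and once with `-eq`.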
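Review bot: The re-added `allow frr_t self:capability { ... }` line still carries `sys_admin`, `dac_override` and `dac_read_search` alongside the network capabilities, a set that leaves frr_t not far from an unconfined root process, and nothing in the file records which daemon needs which; dropping `fowner fsetid` here is the right instinct, and the survivors deserve the same question. A comment above the rule naming the reason for each broad capability (the spec changelog entry for 8.5.1-4 about network namespaces suggests `sys_admin` is for setns in VRF-netns mode — confirm) would let the next audit separate deliberate grants from AVC-driven leftovers. Style: the five `allow frr_t self:netlink_generic_socket ...;` rules can be a single `allow frr_t self:netlink_generic_socket { create setopt getopt getattr bind };`, matching how the other classes in this block are written.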
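Review bot: `kernel_request_load_module(frr_t)` lets a routing daemon trigger kernel module autoloading (`kernel:system module_request`), which extends what a compromised frr_t can reach from user space into whatever module the kernel will load on demand; together with the `modutils_exec_kmod` grant later in this file, frr_t now has both explicit and implicit module loading. A one-line comment above it naming the modules FRR actually relies on being autoloaded (presumably the MPLS/VRF-related ones zebra touches — confirm from the AVC that prompted this) would document the grant as intentional rather than reactive.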
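Review bot: `corenet_tcp_bind_generic_port(frr_t)` is kept (only moved) on the new side while `corenet_udp_bind_all_unreserved_ports` is removed; in refpolicy that interface allows name_bind on `port_t`, the catch-all type for ports with no dedicated label, so for TCP it is comparable in breadth to the UDP rule just dropped (which ranges `port_t` covers on RHEL 10 depends on its portcon set — check with `semanage port -l`). If it exists because one daemon's vty port has no corenetwork label, the tighter fix is a dedicated port type, and failing that a comment above the line recording which port it is there for, e.g. `# generic_port: <daemon> vty port NNNN has no label in corenetwork`. The new `bfd_multi` and `cmadmin` bindings are the narrow kind of rule this file should prefer.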
@@ -93,25 +101,22 @@ corenet_tcp_bind_zebra_port(frr_t)
 
 domain_use_interactive_fds(frr_t)
 fs_read_nsfs_files(frr_t)
-fs_search_cgroup_dirs(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
-sysnet_read_ifconfig_run(frr_t)
+sysnet_read_ifconfig_run_files(frr_t)
+sysnet_watch_ifconfig_run_dirs(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)
 
 userdom_read_admin_home_files(frr_t)
 
-init_signal(frr_t)
-init_signal_script(frr_t)
-init_signull_script(frr_t)
+libs_delete_lib_symlinks(frr_t);
+libs_manage_lib_dirs(frr_t);
 
 optional_policy(`
 logging_send_syslog_msg(frr_t)
 ')
 
-optional_policy(`
- unconfined_read_files(frr_t)
-')
-
 optional_policy(`
 modutils_exec_kmod(frr_t)
 modutils_getattr_module_deps(frr_t)
@@ -126,4 +131,5 @@ optional_policy(`
 optional_policy(`
 userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
 userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
+ userdom_setattr_admin_files(frr_t, frr_conf_t, file, ".history_frr")
 ')
diff --git a/sources b/sources
new file mode 100644
index 0000000..86c17cb
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (frr-10.1.tar.gz) = 7484238a502ab12f178e4a210e6e4a33d0ce53edbb49b127fdc3167e31dd61c1122c1ef2d30e4bcb83b7f520b37fb9ad73e2a6a16790b608b1adf2e23b556445
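Review bot: `libs_manage_lib_dirs(frr_t)` and `libs_delete_lib_symlinks(frr_t)` let a routing daemon create, delete and rename directories and remove symlinks carrying lib_t, the label of /usr/lib and /usr/lib64, so a compromised frr daemon could rearrange the shared-library tree; the changelog says this was added "for handling lib_t", which reads like a path FRR owns being mislabelled rather than a genuine need to write there. The fix that keeps least privilege is a file-context entry in frr.fc giving that path an frr-owned type (plus the existing restorecon in `%post`), and these two rules go away; if there is a real reason, a comment naming the path belongs above them. Separately, `ipsec_domtrans_mgmt(frr_t)` is an unconditional cross-module call while `logging_*` and `modutils_*` in this same file are wrapped in `optional_policy(\`...')`; wrapping it the same way keeps the module building where the ipsec module is absent. The two new libs_* lines also end in `;`, which the rest of the file does not use (the removed `corenet_udp_bind_all_unreserved_ports` line was the only other one).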
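Review bot: `userdom_setattr_admin_files(frr_t, frr_conf_t, file, ".history_frr")` passes four arguments to an interface that, as defined in the frr.if hunk of this commit, declares only `$1`, so the last three are silently discarded and what is granted is setattr on every admin_home_t file, not on `.history_frr`. Mirroring the filetrans/inherit_append lines above it, which do take a type and a name, makes the asymmetry easy to miss. Either drop the extra arguments so the scope is honest, `userdom_setattr_admin_files(frr_t)`, with a comment that it covers history files still labelled admin_home_t from before the filetrans rule, or, if the failing case is the frr_conf_t-labelled file the filetrans creates, replace it with a rule on frr_conf_t — confirm from the AVC that prompted it.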