import frr-7.5.1-4.el8
This commit is contained in:
parent
ea88f68640
commit
6868c1555b
@ -1 +1 @@
|
||||
67064fd2c9f971a7004e3e66411f9c99e56cfb9c SOURCES/frr-7.5.tar.gz
|
||||
dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
|
||||
|
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/frr-7.5.tar.gz
|
||||
SOURCES/frr-7.5.1.tar.gz
|
||||
|
@ -1,119 +0,0 @@
|
||||
diff --git a/ospfd/ospfd.c b/ospfd/ospfd.c
|
||||
index d8be19db9..6fe94f3a4 100644
|
||||
--- a/ospfd/ospfd.c
|
||||
+++ b/ospfd/ospfd.c
|
||||
@@ -384,12 +384,50 @@ struct ospf *ospf_lookup_by_inst_name(unsigned short instance, const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
|
||||
+static void ospf_init(struct ospf *ospf)
|
||||
{
|
||||
- struct ospf *ospf;
|
||||
struct vrf *vrf;
|
||||
struct interface *ifp;
|
||||
|
||||
+ ospf_opaque_type11_lsa_init(ospf);
|
||||
+
|
||||
+ if (ospf->vrf_id != VRF_UNKNOWN)
|
||||
+ ospf->oi_running = 1;
|
||||
+
|
||||
+ /* Activate 'ip ospf area x' configured interfaces for given
|
||||
+ * vrf. Activate area on vrf x aware interfaces.
|
||||
+ * vrf_enable callback calls router_id_update which
|
||||
+ * internally will call ospf_if_update to trigger
|
||||
+ * network_run_state
|
||||
+ */
|
||||
+ vrf = vrf_lookup_by_id(ospf->vrf_id);
|
||||
+
|
||||
+ FOR_ALL_INTERFACES (vrf, ifp) {
|
||||
+ struct ospf_if_params *params;
|
||||
+ struct route_node *rn;
|
||||
+ uint32_t count = 0;
|
||||
+
|
||||
+ params = IF_DEF_PARAMS(ifp);
|
||||
+ if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
|
||||
+ count++;
|
||||
+
|
||||
+ for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
|
||||
+ if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
|
||||
+ count++;
|
||||
+
|
||||
+ if (count > 0) {
|
||||
+ ospf_interface_area_set(ospf, ifp);
|
||||
+ ospf->if_ospf_cli_count += count;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ospf_router_id_update(ospf);
|
||||
+}
|
||||
+
|
||||
+struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
|
||||
+{
|
||||
+ struct ospf *ospf;
|
||||
+
|
||||
/* vrf name provided call inst and name based api
|
||||
* in case of no name pass default ospf instance */
|
||||
if (name)
|
||||
@@ -402,39 +440,7 @@ struct ospf *ospf_get(unsigned short instance, const char *name, bool *created)
|
||||
ospf = ospf_new(instance, name);
|
||||
ospf_add(ospf);
|
||||
|
||||
- ospf_opaque_type11_lsa_init(ospf);
|
||||
-
|
||||
- if (ospf->vrf_id != VRF_UNKNOWN)
|
||||
- ospf->oi_running = 1;
|
||||
-
|
||||
- /* Activate 'ip ospf area x' configured interfaces for given
|
||||
- * vrf. Activate area on vrf x aware interfaces.
|
||||
- * vrf_enable callback calls router_id_update which
|
||||
- * internally will call ospf_if_update to trigger
|
||||
- * network_run_state
|
||||
- */
|
||||
- vrf = vrf_lookup_by_id(ospf->vrf_id);
|
||||
-
|
||||
- FOR_ALL_INTERFACES (vrf, ifp) {
|
||||
- struct ospf_if_params *params;
|
||||
- struct route_node *rn;
|
||||
- uint32_t count = 0;
|
||||
-
|
||||
- params = IF_DEF_PARAMS(ifp);
|
||||
- if (OSPF_IF_PARAM_CONFIGURED(params, if_area))
|
||||
- count++;
|
||||
-
|
||||
- for (rn = route_top(IF_OIFS_PARAMS(ifp)); rn; rn = route_next(rn))
|
||||
- if ((params = rn->info) && OSPF_IF_PARAM_CONFIGURED(params, if_area))
|
||||
- count++;
|
||||
-
|
||||
- if (count > 0) {
|
||||
- ospf_interface_area_set(ospf, ifp);
|
||||
- ospf->if_ospf_cli_count += count;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ospf_router_id_update(ospf);
|
||||
+ ospf_init(ospf);
|
||||
}
|
||||
|
||||
return ospf;
|
||||
@@ -450,7 +456,7 @@ struct ospf *ospf_get_instance(unsigned short instance, bool *created)
|
||||
ospf = ospf_new(instance, NULL /* VRF_DEFAULT*/);
|
||||
ospf_add(ospf);
|
||||
|
||||
- ospf_opaque_type11_lsa_init(ospf);
|
||||
+ ospf_init(ospf);
|
||||
}
|
||||
|
||||
return ospf;
|
||||
diff --git a/ospfd/ospfd.h b/ospfd/ospfd.h
|
||||
index 192e54281..3087b735a 100644
|
||||
--- a/ospfd/ospfd.h
|
||||
+++ b/ospfd/ospfd.h
|
||||
@@ -604,7 +604,6 @@ extern int ospf_nbr_nbma_poll_interval_set(struct ospf *, struct in_addr,
|
||||
unsigned int);
|
||||
extern int ospf_nbr_nbma_poll_interval_unset(struct ospf *, struct in_addr);
|
||||
extern void ospf_prefix_list_update(struct prefix_list *);
|
||||
-extern void ospf_init(void);
|
||||
extern void ospf_if_update(struct ospf *, struct interface *);
|
||||
extern void ospf_ls_upd_queue_empty(struct ospf_interface *);
|
||||
extern void ospf_terminate(void);
|
@ -1,92 +0,0 @@
|
||||
From 8a66632391db5f5181a4afef6aae41f48bee7fdb Mon Sep 17 00:00:00 2001
|
||||
From: Donald Sharp <sharpd@nvidia.com>
|
||||
Date: Fri, 15 Jan 2021 08:14:49 -0500
|
||||
Subject: [PATCH] bgpd: Allow peer-groups to have `ttl-security hops`
|
||||
configured
|
||||
|
||||
The command `neighbor PGROUP ttl-security hops X` was being
|
||||
accepted but ignored. Allow it to be stored. I am still
|
||||
not sure that this is applied correctly, but that is another
|
||||
problem.
|
||||
|
||||
Fixes: #7848
|
||||
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
||||
---
|
||||
bgpd/bgpd.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
|
||||
index 9297ec4711c..4ebd3da0620 100644
|
||||
--- a/bgpd/bgpd.c
|
||||
+++ b/bgpd/bgpd.c
|
||||
@@ -7150,6 +7150,7 @@ int is_ebgp_multihop_configured(struct peer *peer)
|
||||
int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
|
||||
{
|
||||
struct peer_group *group;
|
||||
+ struct peer *gpeer;
|
||||
struct listnode *node, *nnode;
|
||||
int ret;
|
||||
|
||||
@@ -7186,9 +7187,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
|
||||
return ret;
|
||||
} else {
|
||||
group = peer->group;
|
||||
+ group->conf->gtsm_hops = gtsm_hops;
|
||||
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
|
||||
- peer)) {
|
||||
- peer->gtsm_hops = group->conf->gtsm_hops;
|
||||
+ gpeer)) {
|
||||
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
|
||||
|
||||
/* Calling ebgp multihop also resets the
|
||||
* session.
|
||||
@@ -7198,7 +7200,7 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
|
||||
* value is
|
||||
* irrelevant.
|
||||
*/
|
||||
- peer_ebgp_multihop_set(peer, MAXTTL);
|
||||
+ peer_ebgp_multihop_set(gpeer, MAXTTL);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -7219,9 +7221,10 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
|
||||
MAXTTL + 1 - gtsm_hops);
|
||||
} else {
|
||||
group = peer->group;
|
||||
+ group->conf->gtsm_hops = gtsm_hops;
|
||||
for (ALL_LIST_ELEMENTS(group->peer, node, nnode,
|
||||
- peer)) {
|
||||
- peer->gtsm_hops = group->conf->gtsm_hops;
|
||||
+ gpeer)) {
|
||||
+ gpeer->gtsm_hops = group->conf->gtsm_hops;
|
||||
|
||||
/* Change setting of existing peer
|
||||
* established then change value (may break
|
||||
@@ -7231,17 +7234,18 @@ int peer_ttl_security_hops_set(struct peer *peer, int gtsm_hops)
|
||||
* no session then do nothing (will get
|
||||
* handled by next connection)
|
||||
*/
|
||||
- if (peer->fd >= 0
|
||||
- && peer->gtsm_hops
|
||||
+ if (gpeer->fd >= 0
|
||||
+ && gpeer->gtsm_hops
|
||||
!= BGP_GTSM_HOPS_DISABLED)
|
||||
sockopt_minttl(
|
||||
- peer->su.sa.sa_family, peer->fd,
|
||||
- MAXTTL + 1 - peer->gtsm_hops);
|
||||
- if ((peer->status < Established)
|
||||
- && peer->doppelganger
|
||||
- && (peer->doppelganger->fd >= 0))
|
||||
- sockopt_minttl(peer->su.sa.sa_family,
|
||||
- peer->doppelganger->fd,
|
||||
+ gpeer->su.sa.sa_family,
|
||||
+ gpeer->fd,
|
||||
+ MAXTTL + 1 - gpeer->gtsm_hops);
|
||||
+ if ((gpeer->status < Established)
|
||||
+ && gpeer->doppelganger
|
||||
+ && (gpeer->doppelganger->fd >= 0))
|
||||
+ sockopt_minttl(gpeer->su.sa.sa_family,
|
||||
+ gpeer->doppelganger->fd,
|
||||
MAXTTL + 1 - gtsm_hops);
|
||||
}
|
||||
}
|
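--- a/SOURCES/0009-routemap.patch
+++ b/SOURCES/0009-routemap.patch
@@ -0,0 +1,25 @@
+diff --git a/lib/routemap.c b/lib/routemap.c
+index a90443a..0b594b2 100644
+--- a/lib/routemap.c
++++ b/lib/routemap.c
+@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
+*/
+static struct route_map_index *
+route_map_get_index(struct route_map *map, const struct prefix *prefix,
+- route_map_object_t type, void *object, uint8_t *match_ret)
++ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
+{
+- int ret = 0;
++ enum route_map_cmd_result_t ret = RMAP_NOMATCH;
+struct list *candidate_rmap_list = NULL;
+struct route_node *rn = NULL;
+struct listnode *ln = NULL, *nn = NULL;
+@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
+if ((!map->optimization_disabled)
+&& (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
+index = route_map_get_index(map, prefix, type, object,
+- (uint8_t *)&match_ret);
++ &match_ret);
+if (index) {
+if (rmap_debug)
+zlog_debug(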
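Review bot: This patch file has no header saying why `match_ret` changes type, and the reason is not obvious from the two hunks alone. The removed call `(uint8_t *)&match_ret` in route_map_apply made route_map_get_index store its result through a one-byte pointer into what is presumably an enum-sized variable, so only one byte was written and which byte that was depended on endianness. A description line at the top of the patch would record this, e.g. `route_map_get_index stored its result through a uint8_t alias of an enum; pass the enum pointer instead`. Both function bodies continue outside the hunks, so other stores through `*match_ret` cannot be checked from here.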
@ -1,60 +0,0 @@
|
||||
From 46a2b560fa84c5f8ece8dbb82cbf355af675ad41 Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Zalamena <rzalamena@opensourcerouting.org>
|
||||
Date: Tue, 19 Jan 2021 08:49:23 -0300
|
||||
Subject: [PATCH] tools: fix frr-reload BFD profile support
|
||||
|
||||
Fix the handling of multiple BFD profiles by adding the appropriated
|
||||
code to push/pop contexts inside BFD configuration node.
|
||||
|
||||
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
|
||||
---
|
||||
tools/frr-reload.py | 28 ++++++++++++++++++++++++++++
|
||||
1 file changed, 28 insertions(+)
|
||||
|
||||
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
|
||||
index da005b6f874..ca6fe81f007 100755
|
||||
--- a/tools/frr-reload.py
|
||||
+++ b/tools/frr-reload.py
|
||||
@@ -533,6 +533,18 @@ def load_contexts(self):
|
||||
if line.startswith('!') or line.startswith('#'):
|
||||
continue
|
||||
|
||||
+ if (len(ctx_keys) == 2
|
||||
+ and ctx_keys[0].startswith('bfd')
|
||||
+ and ctx_keys[1].startswith('profile ')
|
||||
+ and line == 'end'):
|
||||
+ log.debug('LINE %-50s: popping from sub context, %-50s', line, ctx_keys)
|
||||
+
|
||||
+ if main_ctx_key:
|
||||
+ self.save_contexts(ctx_keys, current_context_lines)
|
||||
+ ctx_keys = copy.deepcopy(main_ctx_key)
|
||||
+ current_context_lines = []
|
||||
+ continue
|
||||
+
|
||||
# one line contexts
|
||||
# there is one exception though: ldpd accepts a 'router-id' clause
|
||||
# as part of its 'mpls ldp' config context. If we are processing
|
||||
@@ -649,6 +661,22 @@ def load_contexts(self):
|
||||
log.debug('LINE %-50s: entering sub-sub-context, append to ctx_keys', line)
|
||||
ctx_keys.append(line)
|
||||
|
||||
+ elif (
|
||||
+ line.startswith('profile ')
|
||||
+ and len(ctx_keys) == 1
|
||||
+ and ctx_keys[0].startswith('bfd')
|
||||
+ ):
|
||||
+
|
||||
+ # Save old context first
|
||||
+ self.save_contexts(ctx_keys, current_context_lines)
|
||||
+ current_context_lines = []
|
||||
+ main_ctx_key = copy.deepcopy(ctx_keys)
|
||||
+ log.debug(
|
||||
+ "LINE %-50s: entering BFD profile sub-context, append to ctx_keys",
|
||||
+ line
|
||||
+ )
|
||||
+ ctx_keys.append(line)
|
||||
+
|
||||
else:
|
||||
# Continuing in an existing context, add non-commented lines to it
|
||||
current_context_lines.append(line)
|
||||
|
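--- a/SOURCES/0010-moving-executables.patch
+++ b/SOURCES/0010-moving-executables.patch
@@ -0,0 +1,40 @@
+diff --git a/tools/frr.service b/tools/frr.service
+index aa45f42..a3f0103 100644
+--- a/tools/frr.service
++++ b/tools/frr.service
+@@ -17,9 +17,9 @@ WatchdogSec=60s
+RestartSec=5
+Restart=on-abnormal
+LimitNOFILE=1024
+-ExecStart=/usr/lib/frr/frrinit.sh start
+-ExecStop=/usr/lib/frr/frrinit.sh stop
+-ExecReload=/usr/lib/frr/frrinit.sh reload
++ExecStart=/usr/libexec/frr/frrinit.sh start
++ExecStop=/usr/libexec/frr/frrinit.sh stop
++ExecReload=/usr/libexec/frr/frrinit.sh reload
+
+[Install]
+WantedBy=multi-user.target
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 9a144b2..a334d95 100644
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -59,6 +59,9 @@ chownfrr() {
+[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
+[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
+[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
++ if [ -d "$1" ]; then
++ chmod gu+x "$1"
++ fi
+}
+
+vtysh_b () {
+@@ -152,7 +155,7 @@ daemon_start() {
+daemon_prep "$daemon" "$inst" || return 1
+if test ! -d "$V_PATH"; then
+mkdir -p "$V_PATH"
+- chown frr "$V_PATH"
++ chownfrr "$V_PATH"
+fi
+
+eval wrap="\$${daemon}_wrap"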
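Review bot: In daemon_start the runtime directory `$V_PATH` now goes through chownfrr, so it receives `FRR_CONFIG_MODE` (by its name a mode chosen for config files) with only `u+x,g+x` added on top. When `FRR_USER` is empty the directory is no longer chowned at all, where the removed line always ran `chown frr "$V_PATH"`. Where those variables get their values is outside the hunks, so whether the resulting owner and mode suit a directory holding daemon sockets and pid files should be checked against the defaults. A comment above the new block would make the intent explicit, e.g. `# directories also need search permission; FRR_CONFIG_MODE is a file mode`. chownfrr and daemon_start both continue outside the hunks.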
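--- a/SOURCES/0011-reload-bfd-profile.patch
+++ b/SOURCES/0011-reload-bfd-profile.patch
@@ -0,0 +1,77 @@
+diff --git a/tools/frr-reload.py b/tools/frr-reload.py
+index 9979c8b..1c24f90 100755
+--- a/tools/frr-reload.py
++++ b/tools/frr-reload.py
+@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
+return True
+return False
+
++def delete_bgp_bfd(lines_to_add, lines_to_del):
++ """
++ When 'neighbor <peer> bfd profile <profile>' is present without a
++ 'neighbor <peer> bfd' line, FRR explicitily adds it to the running
++ configuration. When the new configuration drops the bfd profile
++ line, the user's intent is to delete any bfd configuration on the
++ peer. On reload, deleting the bfd profile line after the bfd line
++ will re-enable BFD with the default BFD profile. Move the bfd line
++ to the end, if it exists in the new configuration.
++
++ Example:
++
++ neighbor 10.0.0.1 bfd
++ neighbor 10.0.0.1 bfd profile bfd-profile-1
++
++ Move to end:
++ neighbor 10.0.0.1 bfd profile bfd-profile-1
++ ...
++
++ neighbor 10.0.0.1 bfd
++
++ """
++ lines_to_del_to_app = []
++ for (ctx_keys, line) in lines_to_del:
++ if (
++ ctx_keys[0].startswith("router bgp")
++ and line
++ and line.startswith("neighbor ")
++ ):
++ # 'no neighbor [peer] bfd>'
++ nb_bfd = "neighbor (\S+) .*bfd$"
++ re_nb_bfd = re.search(nb_bfd, line)
++ if re_nb_bfd:
++ lines_to_del_to_app.append((ctx_keys, line))
++
++ for (ctx_keys, line) in lines_to_del_to_app:
++ lines_to_del.remove((ctx_keys, line))
++ lines_to_del.append((ctx_keys, line))
++
++ return (lines_to_add, lines_to_del)
++
++
+def check_for_exit_vrf(lines_to_add, lines_to_del):
+
+# exit-vrf is a bit tricky. If the new config is missing it but we
+@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
+for line in newconf_ctx.lines:
+lines_to_add.append((newconf_ctx_keys, line))
+
++ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
+(lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
+(lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
+(lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
+diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
+index b566b0e..1bd6249 100644
+--- a/bgpd/bgp_bfd.c
++++ b/bgpd/bgp_bfd.c
+@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
+
+if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
+&& (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
+- vty_out(vty, " neighbor %s bfd", addr);
++ vty_out(vty, " neighbor %s bfd\n", addr);
+if (bfd_info->profile[0])
+- vty_out(vty, " profile %s", bfd_info->profile);
++ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
+vty_out(vty, "\n");
+}
+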
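Review bot: In delete_bgp_bfd the pattern `"neighbor (\S+) .*bfd$"` is wider than the comment above it suggests, because `.*bfd$` matches any neighbor line that merely ends in `bfd`, such as one whose last argument is a name ending in those letters, and those delete lines would be moved to the end of `lines_to_del` too. The literal is also not a raw string, so `\S` is an invalid escape sequence that newer Python versions warn about. If only the bare `neighbor <peer> bfd` line is meant, `nb_bfd = r"neighbor (\S+) bfd$"` states that directly. The docstring has a typo, `explicitily`.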
@ -1,25 +0,0 @@
|
||||
From 1d923374f64e099d734899aff219d90cb0213fa6 Mon Sep 17 00:00:00 2001
|
||||
From: Emanuele Bovisio <emanuele.bovisio@eolo.it>
|
||||
Date: Thu, 5 Nov 2020 14:27:51 +0100
|
||||
Subject: [PATCH] bfdd: fix crash on show bfd peers counters json
|
||||
|
||||
wrong pointer passed to bfd_id_iterate function
|
||||
|
||||
Signed-off-by: Emanuele Bovisio <emanuele.bovisio@eolo.it>
|
||||
---
|
||||
bfdd/bfdd_vty.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bfdd/bfdd_vty.c b/bfdd/bfdd_vty.c
|
||||
index a3f1638e5f6..837a7b7d7d6 100644
|
||||
--- a/bfdd/bfdd_vty.c
|
||||
+++ b/bfdd/bfdd_vty.c
|
||||
@@ -447,7 +447,7 @@ static void _display_peers_counter(struct vty *vty, char *vrfname, bool use_json
|
||||
|
||||
jo = json_object_new_array();
|
||||
bvt.jo = jo;
|
||||
- bfd_id_iterate(_display_peer_counter_json_iter, jo);
|
||||
+ bfd_id_iterate(_display_peer_counter_json_iter, &bvt);
|
||||
|
||||
vty_out(vty, "%s\n", json_object_to_json_string_ext(jo, 0));
|
||||
json_object_free(jo);
|
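--- a/SOURCES/frr.fc
+++ b/SOURCES/frr.fc
@@ -0,0 +1,28 @@
+/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)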
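--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@@ -0,0 +1,162 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+## Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+gen_require(`
+type frr_t, frr_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+## Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`frr_exec',`
+gen_require(`
+type frr_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+## Read frr's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+gen_require(`
+type frr_log_t;
+')
+
+read_files_pattern($1, frr_log_t, frr_log_t)
+optional_policy(`
+logging_search_logs($1)
+')
+')
+
+########################################
+## <summary>
+## Append to frr log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`frr_append_log',`
+gen_require(`
+type frr_log_t;
+')
+
+append_files_pattern($1, frr_log_t, frr_log_t)
+optional_policy(`
+logging_search_logs($1)
+')
+')
+
+########################################
+## <summary>
+## Manage frr log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`frr_manage_log',`
+gen_require(`
+type frr_log_t;
+')
+
+manage_dirs_pattern($1, frr_log_t, frr_log_t)
+manage_files_pattern($1, frr_log_t, frr_log_t)
+manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+optional_policy(`
+logging_search_logs($1)
+')
+')
+
+########################################
+## <summary>
+## Read frr PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+gen_require(`
+type frr_var_run_t;
+')
+
+files_search_pids($1)
+read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an frr environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`frr_admin',`
+gen_require(`
+type frr_t;
+type frr_log_t;
+type frr_var_run_t;
+')
+
+allow $1 frr_t:process { signal_perms };
+ps_process_pattern($1, frr_t)
+
+tunable_policy(`deny_ptrace',`',`
+allow $1 frr_t:process ptrace;
+')
+
+admin_pattern($1, frr_log_t)
+
+files_search_pids($1)
+admin_pattern($1, frr_var_run_t)
+optional_policy(`
+logging_search_logs($1)
+')
+optional_policy(`
+systemd_passwd_agent_exec($1)
+systemd_read_fifo_file_passwd_run($1)
+')
+')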
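Review bot: frr_admin grants `allow $1 frr_t:process ptrace;` whenever the deny_ptrace tunable is off, but the interface summary does not mention it, and frr_t is a domain that frr.te on this page gives net_admin, net_raw and dac_override. I would state it in the summary, e.g. `## Includes signal access and, unless deny_ptrace is set, ptrace of frr_t processes.`. The interface also requires only frr_t, frr_log_t and frr_var_run_t, so a caller gets no access to frr_conf_t, frr_tmp_t or frr_lock_t through it. If that is intended, a one-line comment saying so would save the next reader the question.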
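--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@@ -0,0 +1,122 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket create;
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_udp_bind_all_unreserved_ports(frr_t);
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+init_signal(frr_t)
+init_signal_script(frr_t)
+init_signull_script(frr_t)
+
+optional_policy(`
+logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+modutils_exec_kmod(frr_t)
+modutils_getattr_module_deps(frr_t)
+modutils_read_module_config(frr_t)
+modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')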
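Review bot: The local policy gives frr_t a wide set of rights with no comment tying any rule to the daemon that needs it. `dac_override` and `dac_read_search` together with `userdom_read_admin_home_files(frr_t)` let every process in the domain read files in the admin home directory, and `corecmd_exec_bin(frr_t)`, `corenet_udp_bind_all_unreserved_ports(frr_t)` and `corenet_tcp_bind_generic_port(frr_t)` leave little confinement on execution and port binding. Each of these deserves a short justification comment, or narrowing if the need is only vtysh's `.history_frr` file (that link is inferred from the filetrans rule at the end of the file). `corenet_udp_bind_all_unreserved_ports(frr_t);` also carries a stray trailing `;` that the neighbouring interface calls do not have.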
@ -1,16 +1,21 @@
|
||||
%global frrversion 7.5
|
||||
%global frr_libdir /usr/lib/frr
|
||||
%global frrversion 7.5.1
|
||||
%global frr_libdir /usr/libexec/frr
|
||||
|
||||
%global _hardened_build 1
|
||||
%global selinuxtype targeted
|
||||
%bcond_without selinux
|
||||
|
||||
Name: frr
|
||||
Version: 7.5
|
||||
Release: 11%{?checkout}%{?dist}
|
||||
Version: 7.5.1
|
||||
Release: 4%{?checkout}%{?dist}
|
||||
Summary: Routing daemon
|
||||
License: GPLv2+
|
||||
URL: http://www.frrouting.org
|
||||
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
|
||||
Source1: %{name}-tmpfiles.conf
|
||||
Source2: frr.fc
|
||||
Source3: frr.te
|
||||
Source4: frr.if
|
||||
BuildRequires: perl-generators
|
||||
BuildRequires: gcc
|
||||
BuildRequires: net-snmp-devel
|
||||
@ -27,6 +32,11 @@ Requires(preun): systemd /sbin/install-info
|
||||
Requires(postun): systemd
|
||||
Requires: iproute
|
||||
Requires: initscripts
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
|
||||
%endif
|
||||
|
||||
Provides: routingdaemon = %{version}-%{release}
|
||||
Obsoletes: frr-sysvinit quagga frr-contrib
|
||||
|
||||
@ -37,11 +47,10 @@ Patch0003: 0003-disable-eigrp-crypto.patch
|
||||
Patch0004: 0004-fips-mode.patch
|
||||
Patch0006: 0006-CVE-2020-12831.patch
|
||||
Patch0007: 0007-frrinit.patch
|
||||
Patch0008: 0008-ospf-multi-instance.patch
|
||||
Patch0009: 0009-bgp-ttl-security.patch
|
||||
Patch0010: 0010-bfd-reload.patch
|
||||
Patch0011: 0011-designated-router.patch
|
||||
Patch0012: 0012-bfd-peers-crash.patch
|
||||
Patch0008: 0008-designated-router.patch
|
||||
Patch0009: 0009-routemap.patch
|
||||
Patch0010: 0010-moving-executables.patch
|
||||
Patch0011: 0011-reload-bfd-profile.patch
|
||||
|
||||
%description
|
||||
FRRouting is free software that manages TCP/IP based routing protocols. It takes
|
||||
@ -52,8 +61,25 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
|
||||
|
||||
FRRouting is a fork of Quagga.
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
%package selinux
|
||||
Summary: Selinux policy for FRR
|
||||
BuildArch: noarch
|
||||
Requires: selinux-policy-%{selinuxtype}
|
||||
Requires(post): selinux-policy-%{selinuxtype}
|
||||
BuildRequires: selinux-policy-devel
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
SELinux policy modules for FRR package
|
||||
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -S git
|
||||
#SELinux
|
||||
mkdir selinux
|
||||
cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux
|
||||
|
||||
%build
|
||||
autoreconf -ivf
|
||||
@ -88,6 +114,12 @@ pushd doc
|
||||
make info
|
||||
popd
|
||||
|
||||
#SELinux policy
|
||||
%if 0%{?with_selinux}
|
||||
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
|
||||
bzip2 -9 selinux/%{name}.pp
|
||||
%endif
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
|
||||
%{buildroot}/var/log/frr %{buildroot}%{_infodir} \
|
||||
@ -112,6 +144,12 @@ install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buil
|
||||
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
|
||||
install -d -m 775 %{buildroot}/run/frr
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
install -D -m 644 selinux/%{name}.pp.bz2 \
|
||||
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
||||
%endif
|
||||
|
||||
rm %{buildroot}%{_libdir}/frr/*.la
|
||||
rm %{buildroot}%{_libdir}/frr/modules/*.la
|
||||
|
||||
@ -127,6 +165,8 @@ getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
|
||||
usermod -aG frrvty frr
|
||||
|
||||
%post
|
||||
#Because we move files to /usr/libexec, we need to reload .service files as well
|
||||
/usr/bin/systemctl daemon-reload
|
||||
%systemd_post frr.service
|
||||
|
||||
if [ -f %{_infodir}/%{name}.inf* ]; then
|
||||
@ -166,6 +206,26 @@ fi
|
||||
%preun
|
||||
%systemd_preun frr.service
|
||||
|
||||
#SELinux
|
||||
%if 0%{?with_selinux}
|
||||
%pre selinux
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%post selinux
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
|
||||
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
|
||||
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{name}
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
fi
|
||||
|
||||
%endif
|
||||
|
||||
%check
|
||||
make check PYTHON=%{__python3}
|
||||
|
||||
@ -201,7 +261,28 @@ make check PYTHON=%{__python3}
|
||||
/usr/share/yang/*.yang
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
|
||||
%if 0%{?with_selinux}
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
|
||||
%{_datadir}/selinux/devel/include/distributed/%{name}.if
|
||||
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 15 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
|
||||
- Resolves: #2126040 - Frr is unable to push routes to the system routing table
|
||||
|
||||
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
|
||||
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
|
||||
|
||||
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
|
||||
- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2
|
||||
- Resolves: #1714984 - SELinux policy (daemons) changes required for package
|
||||
|
||||
* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
|
||||
- Resolves: #2018451 - Rebase of frr to version 7.5.1
|
||||
- Resolves: #1975361 - the dynamic routing setup does not work any more
|
||||
|
||||
* Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11
|
||||
- Resolves: #2034328 - Bfdd crash in metallb CI
|
||||
|
||||
|
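Review bot: The Patch list drops 0008-ospf-multi-instance, 0009-bgp-ttl-security, 0010-bfd-reload and 0012-bfd-peers-crash, and none of the new changelog entries says what replaces them. The ttl-security patch made `ttl-security hops` take effect on peer-groups instead of being accepted and ignored, so it should be confirmed that the 7.5.1 tarball carries that change before relying on the rebase. Once confirmed, a changelog line such as `- Drop patches 0008, 0009, 0010 and 0012, included upstream in 7.5.1` would record it. In `%post selinux` the two `restorecon -R ... &> /dev/null` calls hide relabel failures, which would leave /var/tmp/frr and /var/run/frr with stale labels; dropping the redirect keeps the error visible in the transaction output.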