rpms/frr
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:a8
rpms:a9
rpms:imports/c10s/frr-10.1-7.el10
rpms:imports/c10s/frr-10.1-6.el10
rpms:imports/c10s/frr-10.1-5.el10
rpms:imports/c10s/frr-10.1-4.el10
rpms:imports/c10s/frr-10.1-3.el10
rpms:imports/c10s/frr-9.1-11.el10
rpms:imports/c8/frr-7.5.1-22.el8
rpms:imports/c9/frr-8.5.3-4.el9
rpms:changed/a8/frr-7.5.1-13.el8_9.4.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.2.alma.1
rpms:changed/a8/frr-7.5.1-13.el8_9.3.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.1.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.alma.1
rpms:imports/c9/frr-8.3.1-10.el9_3
rpms:imports/c8-beta/frr-7.5.1-13.el8_9
rpms:imports/c9-beta/frr-8.3.1-10.el9
rpms:changed/a8/frr-7.5.1-7.el8_8.2.alma.1
rpms:changed/a9/frr-8.3.1-5.el9_2.2.alma
rpms:changed/a9/frr-8.3.1-5.el9_2.1.alma
rpms:imports/c8/frr-7.5.1-7.el8
rpms:imports/c9/frr-8.3.1-5.el9
rpms:imports/c9-beta/frr-8.3.1-5.el9
rpms:imports/c8-beta/frr-7.5.1-7.el8
rpms:imports/c8s/frr-7.5.1-7.el8
rpms:imports/c8s/frr-7.5.1-5.el8
rpms:imports/c9/frr-8.2.2-4.el9
rpms:imports/c8/frr-7.5.1-4.el8
rpms:imports/c8-beta/frr-7.5.1-3.el8
rpms:imports/c9-beta/frr-8.2.2-4.el9
rpms:imports/c8s/frr-7.5.1-4.el8
rpms:imports/c8s/frr-7.5.1-3.el8
rpms:imports/c8s/frr-7.5.1-1.el8
rpms:imports/c9/frr-8.0-5.el9
rpms:imports/c8/frr-7.5-11.el8
rpms:imports/c8-beta/frr-7.5-11.el8
rpms:imports/c8/frr-7.5-4.el8_5.2
rpms:imports/c8s/frr-7.5-11.el8
rpms:imports/c8s/frr-7.5-9.el8
rpms:imports/c9-beta/frr-8.0-5.el9
rpms:imports/c9-beta/frr-8.0-3.el9
rpms:imports/c8s/frr-7.5-8.el8
rpms:imports/c8-beta/frr-7.5-4.el8
rpms:imports/c8-beta/frr-7.0-8.el8
rpms:imports/c8-beta/frr-7.0-5.el8
rpms:imports/c8-beta/frr-7.0-4.el8
rpms:imports/c8s/frr-7.5-7.el8
rpms:imports/c8s/frr-7.5-4.el8
rpms:imports/c8s/frr-7.5-2.el8
rpms:imports/c8s/frr-7.0-10.el8
rpms:imports/c8s/frr-7.0-8.el8
rpms:imports/c8s/frr-7.0-6.el8
rpms:imports/c8/frr-7.5-4.el8
rpms:imports/c8/frr-7.0-10.el8
rpms:imports/c8/frr-7.0-5.el8
...
pull from: rpms:c10s
Branches Tags
rpms:c10s
rpms:c8s
rpms:c9s
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:a8
rpms:a9
rpms:imports/c10s/frr-10.1-7.el10
rpms:imports/c10s/frr-10.1-6.el10
rpms:imports/c10s/frr-10.1-5.el10
rpms:imports/c10s/frr-10.1-4.el10
rpms:imports/c10s/frr-10.1-3.el10
rpms:imports/c10s/frr-9.1-11.el10
rpms:imports/c8/frr-7.5.1-22.el8
rpms:imports/c9/frr-8.5.3-4.el9
rpms:changed/a8/frr-7.5.1-13.el8_9.4.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.2.alma.1
rpms:changed/a8/frr-7.5.1-13.el8_9.3.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.1.alma.1
rpms:changed/a9/frr-8.3.1-11.el9_3.alma.1
rpms:imports/c9/frr-8.3.1-10.el9_3
rpms:imports/c8-beta/frr-7.5.1-13.el8_9
rpms:imports/c9-beta/frr-8.3.1-10.el9
rpms:changed/a8/frr-7.5.1-7.el8_8.2.alma.1
rpms:changed/a9/frr-8.3.1-5.el9_2.2.alma
rpms:changed/a9/frr-8.3.1-5.el9_2.1.alma
rpms:imports/c8/frr-7.5.1-7.el8
rpms:imports/c9/frr-8.3.1-5.el9
rpms:imports/c9-beta/frr-8.3.1-5.el9
rpms:imports/c8-beta/frr-7.5.1-7.el8
rpms:imports/c8s/frr-7.5.1-7.el8
rpms:imports/c8s/frr-7.5.1-5.el8
rpms:imports/c9/frr-8.2.2-4.el9
rpms:imports/c8/frr-7.5.1-4.el8
rpms:imports/c8-beta/frr-7.5.1-3.el8
rpms:imports/c9-beta/frr-8.2.2-4.el9
rpms:imports/c8s/frr-7.5.1-4.el8
rpms:imports/c8s/frr-7.5.1-3.el8
rpms:imports/c8s/frr-7.5.1-1.el8
rpms:imports/c9/frr-8.0-5.el9
rpms:imports/c8/frr-7.5-11.el8
rpms:imports/c8-beta/frr-7.5-11.el8
rpms:imports/c8/frr-7.5-4.el8_5.2
rpms:imports/c8s/frr-7.5-11.el8
rpms:imports/c8s/frr-7.5-9.el8
rpms:imports/c9-beta/frr-8.0-5.el9
rpms:imports/c9-beta/frr-8.0-3.el9
rpms:imports/c8s/frr-7.5-8.el8
rpms:imports/c8-beta/frr-7.5-4.el8
rpms:imports/c8-beta/frr-7.0-8.el8
rpms:imports/c8-beta/frr-7.0-5.el8
rpms:imports/c8-beta/frr-7.0-4.el8
rpms:imports/c8s/frr-7.5-7.el8
rpms:imports/c8s/frr-7.5-4.el8
rpms:imports/c8s/frr-7.5-2.el8
rpms:imports/c8s/frr-7.0-10.el8
rpms:imports/c8s/frr-7.0-8.el8
rpms:imports/c8s/frr-7.0-6.el8
rpms:imports/c8/frr-7.5-4.el8
rpms:imports/c8/frr-7.0-10.el8
rpms:imports/c8/frr-7.0-5.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

46 changed files with 1426 additions and 2176 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

23
.gitignore vendored
View File

@ -1 +1,22 @@
SOURCES/frr-7.5.1.tar.gz
/frr-7.1.tar.gz
/frr-7.2.tar.gz
/frr-7.3.tar.gz
/remove-babeld-ldpd.sh
/frr-7.3.1.tar.gz
/frr-7.4.tar.gz
/frr-7.5.tar.gz
/frr-7.5.1.tar.gz
/frr-8.0.tar.gz
/frr-8.0.1.tar.gz
/frr-8.2.tar.gz
/frr-8.2.2.tar.gz
/frr-8.3.1.tar.gz
/frr-8.4.tar.gz
/frr-8.4.1.tar.gz
/frr-8.4.2.tar.gz
/frr-8.5.tar.gz
/frr-8.5.1.tar.gz
/frr-8.5.2.tar.gz
/frr-9.0.1.tar.gz
/frr-9.1.tar.gz
/frr-10.1.tar.gz

12
SOURCES/0000-remove-babeld-and-ldpd.patch → 0000-remove-babeld-and-ldpd.patch
View File

@ -16,9 +16,9 @@ index 5be3264..33abc1d 100644
snapcraft/helpers \
snapcraft/snap \
- babeld/Makefile \
mgmtd/Makefile \
bgpd/Makefile \
bgpd/rfp-example/librfp/Makefile \
bgpd/rfp-example/rfptest/Makefile \
@@ -193,7 +190,6 @@ EXTRA_DIST += \
fpm/Makefile \
grpc/Makefile \
@ -28,13 +28,13 @@ index 5be3264..33abc1d 100644
nhrpd/Makefile \
ospf6d/Makefile \
diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
index f6d512b..6d4831d 100644
index 8aa0887..c92dcca 100644
--- a/tools/etc/frr/daemons
+++ b/tools/etc/frr/daemons
@@ -21,10 +21,8 @@ ripd=no
ripngd=no
@@ -22,10 +22,8 @@ ripngd=no
isisd=no
pimd=no
pim6d=no
-ldpd=no
nhrpd=no
eigrpd=no
@ -42,10 +42,10 @@ index f6d512b..6d4831d 100644
sharpd=no
pbrd=no
bfdd=no
@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
pim6d_options=" -A ::1"
-ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"

30
SOURCES/0002-enable-openssl.patch → 0002-enable-openssl.patch
View File

@ -8,24 +8,8 @@ index 0b7af18..0533e24 100644
lib/log_vty.c \
- lib/md5.c \
lib/memory.c \
lib/mlag.c \
lib/module.c \
diff --git a/lib/subdir.am b/lib/subdir.am
index 0533e24..b3d3700 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/linklist.h \
lib/log.h \
lib/log_vty.h \
- lib/md5.h \
lib/memory.h \
lib/module.h \
lib/monotime.h \
diff --git a/lib/subdir.am b/lib/subdir.am
index 53f7115..cea866f 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
lib/mgmt_be_client.c \
lib/mgmt_fe_client.c \
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/routemap_northbound.c \
lib/sbuf.c \
@ -34,8 +18,16 @@ index 53f7115..cea866f 100644
lib/sigevent.c \
lib/skiplist.c \
lib/sockopt.c \
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/link_state.h \
lib/log.h \
lib/log_vty.h \
- lib/md5.h \
lib/memory.h \
lib/mgmt.pb-c.h \
lib/mgmt_be_client.h \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/routemap.h \
lib/route_opaque.h \
lib/sbuf.h \
lib/seqlock.h \
- lib/sha256.h \

0
SOURCES/0003-disable-eigrp-crypto.patch → 0003-disable-eigrp-crypto.patch
View File

50
SOURCES/0004-fips-mode.patch → 0004-fips-mode.patch
View File

@ -2,9 +2,20 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 631465f..e084ff3 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
@@ -7,6 +7,10 @@
#include <zebra.h>
#include <string.h>
if (argv_find(argv, argc, "message-digest", &idx)) {
+#ifdef CRYPTO_OPENSSL
+#include <openssl/fips.h>
+#endif
+
#include "printfrr.h"
#include "monotime.h"
#include "memory.h"
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
vl_config.keychain = argv[idx+1]->arg;
} else if (argv_find(argv, argc, "message-digest", &idx)) {
/* authentication message-digest */
+ if(FIPS_mode())
+ {
@ -41,7 +52,7 @@ index 631465f..e084ff3 100644
+ }
SET_IF_PARAM(params, auth_type);
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
return CMD_SUCCESS;
UNSET_IF_PARAM(params, keychain_name);
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
"The OSPF password (key)\n"
"Address of interface\n")
@ -58,6 +69,17 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
index 81b4b39..cce33d9 100644
--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
@@ -13,6 +13,10 @@
#include <netinet/if_ether.h>
#endif
+#ifdef CRYPTO_OPENSSL
+#include <openssl/fips.h>
+#endif
+
#include "log.h"
#include "memory.h"
#include "vrf.h"
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
return ferr_code_bug(
"circuit password too long (max 254 chars)");
@ -73,6 +95,17 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
index 419127c..a6c36af 100644
--- a/isisd/isisd.c
+++ b/isisd/isisd.c
@@ -9,6 +9,10 @@
#include <zebra.h>
+#ifdef CRYPTO_OPENSSL
+#include <openssl/fips.h>
+#endif
+
#include "frrevent.h"
#include "vty.h"
#include "command.h"
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
if (len > 254)
return -1;
@ -88,6 +121,17 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 5bb81ef..02a09ef 100644
--- a/ripd/rip_cli.c
+++ b/ripd/rip_cli.c
@@ -7,6 +7,10 @@
#include <zebra.h>
+#ifdef CRYPTO_OPENSSL
+#include <openssl/fips.h>
+#endif
+
#include "if.h"
#include "if_rmap.h"
#include "vrf.h"
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
value = "20";
}

27
0005-remove-grpc-test.patch Normal file
View File

@ -0,0 +1,27 @@
diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
index 7b5eaa4..5c82f69 100644
--- a/tests/lib/subdir.am
+++ b/tests/lib/subdir.am
@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
test -e tests/lib/script1.lua || \
$(INSTALL_SCRIPT) $< tests/lib/script1.lua
-##############################################################################
-GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
-
-if GRPC
-check_PROGRAMS += tests/lib/test_grpc
-endif
-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
-nodist_tests_lib_test_grpc_SOURCES = \
- yang/frr-bfdd.yang.c \
- yang/frr-staticd.yang.c \
- # end
-
-
##############################################################################
if ZEROMQ
check_PROGRAMS += tests/lib/test_zmq

487
0006-noprefixroute-network-manager.patch Normal file
View File

@ -0,0 +1,487 @@
From f450e1cda41f1b7576094a0b3017ba9849cd55ae Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 7 Jun 2024 12:30:59 -0400
Subject: [PATCH 1/5] zebra: Make p and src_p const for rib_delete
The prefix'es p and src_p are not const. Let's make
them so. Useful to signal that we will not change this
data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/rib.h | 2 +-
zebra/zebra_rib.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/zebra/rib.h b/zebra/rib.h
index 84ea766c4733..7f4e3949e02d 100644
--- a/zebra/rib.h
+++ b/zebra/rib.h
@@ -395,7 +395,7 @@ extern int rib_add_multipath_nhe(afi_t afi, safi_t safi, struct prefix *p,
extern void rib_delete(afi_t afi, safi_t safi, vrf_id_t vrf_id, int type,
unsigned short instance, uint32_t flags,
- struct prefix *p, struct prefix_ipv6 *src_p,
+ const struct prefix *p, const struct prefix_ipv6 *src_p,
const struct nexthop *nh, uint32_t nhe_id,
uint32_t table_id, uint32_t metric, uint8_t distance,
bool fromkernel);
diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
index 59190e9dd330..c1bd61e1db31 100644
--- a/zebra/zebra_rib.c
+++ b/zebra/zebra_rib.c
@@ -4393,8 +4393,8 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
}
void rib_delete(afi_t afi, safi_t safi, vrf_id_t vrf_id, int type,
- unsigned short instance, uint32_t flags, struct prefix *p,
- struct prefix_ipv6 *src_p, const struct nexthop *nh,
+ unsigned short instance, uint32_t flags, const struct prefix *p,
+ const struct prefix_ipv6 *src_p, const struct nexthop *nh,
uint32_t nhe_id, uint32_t table_id, uint32_t metric,
uint8_t distance, bool fromkernel)
{
From bdfccf69fa128c51c45bbd3528788f72ac17d854 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 7 Jun 2024 12:56:35 -0400
Subject: [PATCH 2/5] zebra: Expose rib_update_handle_vrf_all
This function will be used on interface down
events to allow for kernel routes to be cleaned
up.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/rib.h | 2 ++
zebra/zebra_rib.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/zebra/rib.h b/zebra/rib.h
index 7f4e3949e02d..8792fb7908ac 100644
--- a/zebra/rib.h
+++ b/zebra/rib.h
@@ -477,6 +477,8 @@ extern uint8_t route_distance(int type);
extern void zebra_rib_evaluate_rn_nexthops(struct route_node *rn, uint32_t seq,
bool rt_delete);
+extern void rib_update_handle_vrf_all(enum rib_update_event event, int rtype);
+
/*
* rib_find_rn_from_ctx
*
diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
index c1bd61e1db31..649450b5c63c 100644
--- a/zebra/zebra_rib.c
+++ b/zebra/zebra_rib.c
@@ -4543,7 +4543,7 @@ void rib_update_table(struct route_table *table, enum rib_update_event event,
}
}
-static void rib_update_handle_vrf_all(enum rib_update_event event, int rtype)
+void rib_update_handle_vrf_all(enum rib_update_event event, int rtype)
{
struct zebra_router_table *zrt;
From d528c02a204086da0d542d5655b8724de681a65c Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 7 Jun 2024 13:50:07 -0400
Subject: [PATCH 3/5] zebra: Handle kernel routes appropriately
Current code intentionally ignores kernel routes. Modify
zebra to allow these routes to be read in on linux. Also
modify zebra to look to see if a route should be treated
as a connected and mark it as such.
Additionally this should properly handle some of the issues
being seen with NOPREFIXROUTE.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/interface.c | 2 +
zebra/rib.h | 1 +
zebra/rt_netlink.c | 2 -
zebra/zebra_rib.c | 105 +++++++++++++++++++++++++++++++++++++++------
4 files changed, 96 insertions(+), 14 deletions(-)
diff --git a/zebra/interface.c b/zebra/interface.c
index 03b710e1a0f9..d146004781a5 100644
--- a/zebra/interface.c
+++ b/zebra/interface.c
@@ -1058,6 +1058,8 @@ void if_down(struct interface *ifp)
/* Delete all neighbor addresses learnt through IPv6 RA */
if_down_del_nbr_connected(ifp);
+
+ rib_update_handle_vrf_all(RIB_UPDATE_INTERFACE_DOWN, ZEBRA_ROUTE_KERNEL);
}
void if_refresh(struct interface *ifp)
diff --git a/zebra/rib.h b/zebra/rib.h
index 8792fb7908ac..cd6efbfb36dd 100644
--- a/zebra/rib.h
+++ b/zebra/rib.h
@@ -326,6 +326,7 @@ typedef struct rib_tables_iter_t_ {
/* Events/reasons triggering a RIB update. */
enum rib_update_event {
+ RIB_UPDATE_INTERFACE_DOWN,
RIB_UPDATE_KERNEL,
RIB_UPDATE_RMAP_CHANGE,
RIB_UPDATE_OTHER,
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index c22145be693b..ddcb83cd8ce7 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -799,8 +799,6 @@ int netlink_route_change_read_unicast_internal(struct nlmsghdr *h,
return 0;
if (rtm->rtm_protocol == RTPROT_REDIRECT)
return 0;
- if (rtm->rtm_protocol == RTPROT_KERNEL)
- return 0;
selfroute = is_selfroute(rtm->rtm_protocol);
diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
index 649450b5c63c..2d6c5148833a 100644
--- a/zebra/zebra_rib.c
+++ b/zebra/zebra_rib.c
@@ -1619,6 +1619,10 @@ static bool rib_compare_routes(const struct route_entry *re1,
* v6 link-locals, and we also support multiple addresses in the same
* subnet on a single interface.
*/
+ if (re1->type == ZEBRA_ROUTE_CONNECT &&
+ (re1->nhe->nhg.nexthop->ifindex == re2->nhe->nhg.nexthop->ifindex))
+ return true;
+
if (re1->type != ZEBRA_ROUTE_CONNECT && re1->type != ZEBRA_ROUTE_LOCAL)
return true;
@@ -2863,10 +2867,11 @@ static void process_subq_early_route_add(struct zebra_early_route *ere)
/* Link new re to node.*/
if (IS_ZEBRA_DEBUG_RIB) {
- rnode_debug(
- rn, re->vrf_id,
- "Inserting route rn %p, re %p (%s) existing %p, same_count %d",
- rn, re, zebra_route_string(re->type), same, same_count);
+ rnode_debug(rn, re->vrf_id,
+ "Inserting route rn %p, re %p (%s/%s/%s) existing %p, same_count %d",
+ rn, re, zebra_route_string(re->type),
+ afi2str(ere->afi), safi2str(ere->safi), same,
+ same_count);
if (IS_ZEBRA_DEBUG_RIB_DETAILED)
route_entry_dump(
@@ -4383,6 +4388,34 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
nhe.id = re->nhe_id;
n = zebra_nhe_copy(&nhe, 0);
+
+ if (re->type == ZEBRA_ROUTE_KERNEL) {
+ struct interface *ifp;
+ struct connected *connected;
+
+ if (p->family == AF_INET6 &&
+ IN6_IS_ADDR_LINKLOCAL(&p->u.prefix6)) {
+ zebra_nhg_free(n);
+ zebra_rib_route_entry_free(re);
+ return -1;
+ }
+
+ ifp = if_lookup_prefix(p, re->vrf_id);
+ if (ifp) {
+ connected = connected_lookup_prefix(ifp, p);
+
+ if (connected && !CHECK_FLAG(connected->flags,
+ ZEBRA_IFA_NOPREFIXROUTE)) {
+ zebra_nhg_free(n);
+ zebra_rib_route_entry_free(re);
+ return -1;
+ }
+
+ if (ifp->ifindex == ng->nexthop->ifindex)
+ re->type = ZEBRA_ROUTE_CONNECT;
+ }
+ }
+
ret = rib_add_multipath_nhe(afi, safi, p, src_p, re, n, startup);
/* In error cases, free the route also */
@@ -4458,6 +4491,9 @@ static const char *rib_update_event2str(enum rib_update_event event)
const char *ret = "UNKNOWN";
switch (event) {
+ case RIB_UPDATE_INTERFACE_DOWN:
+ ret = "RIB_UPDATE_INTERFACE_DOWN";
+ break;
case RIB_UPDATE_KERNEL:
ret = "RIB_UPDATE_KERNEL";
break;
@@ -4474,15 +4510,56 @@ static const char *rib_update_event2str(enum rib_update_event event)
return ret;
}
+/*
+ * We now keep kernel routes, but we don't have any
+ * trigger events for them when they are implicitly
+ * deleted. Since we are already walking the
+ * entire table on a down event let's look at
+ * the few kernel routes we may have
+ */
+static void
+rib_update_handle_kernel_route_down_possibility(struct route_node *rn,
+ struct route_entry *re)
+{
+ struct nexthop *nexthop = NULL;
+ bool alive = false;
+
+ for (ALL_NEXTHOPS(re->nhe->nhg, nexthop)) {
+ struct interface *ifp = if_lookup_by_index(nexthop->ifindex,
+ nexthop->vrf_id);
+
+ if (ifp && if_is_up(ifp)) {
+ alive = true;
+ break;
+ }
+ }
+
+ if (!alive) {
+ struct rib_table_info *rib_table = srcdest_rnode_table_info(rn);
+ const struct prefix *p;
+ const struct prefix_ipv6 *src_p;
+
+ srcdest_rnode_prefixes(rn, &p, (const struct prefix **)&src_p);
+
+ rib_delete(rib_table->afi, rib_table->safi, re->vrf_id,
+ re->type, re->instance, re->flags, p, src_p, NULL, 0,
+ re->table, re->metric, re->distance, true);
+ }
+}
+
/* Schedule route nodes to be processed if they match the type */
-static void rib_update_route_node(struct route_node *rn, int type)
+static void rib_update_route_node(struct route_node *rn, int type,
+ enum rib_update_event event)
{
struct route_entry *re, *next;
bool re_changed = false;
RNODE_FOREACH_RE_SAFE (rn, re, next) {
- if (type == ZEBRA_ROUTE_ALL || type == re->type) {
+ if (event == RIB_UPDATE_INTERFACE_DOWN && type == re->type &&
+ type == ZEBRA_ROUTE_KERNEL)
+ rib_update_handle_kernel_route_down_possibility(rn, re);
+ else if (type == ZEBRA_ROUTE_ALL || type == re->type) {
SET_FLAG(re->status, ROUTE_ENTRY_CHANGED);
re_changed = true;
}
@@ -4522,20 +4599,24 @@ void rib_update_table(struct route_table *table, enum rib_update_event event,
/*
* If we are looking at a route node and the node
* has already been queued we don't
- * need to queue it up again
+ * need to queue it up again, unless it is
+ * an interface down event as that we need
+ * to process this no matter what.
*/
- if (rn->info
- && CHECK_FLAG(rib_dest_from_rnode(rn)->flags,
- RIB_ROUTE_ANY_QUEUED))
+ if (rn->info &&
+ CHECK_FLAG(rib_dest_from_rnode(rn)->flags,
+ RIB_ROUTE_ANY_QUEUED) &&
+ event != RIB_UPDATE_INTERFACE_DOWN)
continue;
switch (event) {
+ case RIB_UPDATE_INTERFACE_DOWN:
case RIB_UPDATE_KERNEL:
- rib_update_route_node(rn, ZEBRA_ROUTE_KERNEL);
+ rib_update_route_node(rn, ZEBRA_ROUTE_KERNEL, event);
break;
case RIB_UPDATE_RMAP_CHANGE:
case RIB_UPDATE_OTHER:
- rib_update_route_node(rn, rtype);
+ rib_update_route_node(rn, rtype, event);
break;
case RIB_UPDATE_MAX:
break;
From 9bc0cd8241f39e4fd751edfa52c09fae6db2db1c Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 26 Jun 2024 13:21:38 -0400
Subject: [PATCH 4/5] zebra: Prevent accidental re memory leak in odd case
There exists a path in rib_add_multipath where if a decision
is made to not use the passed in re, we just drop the memory
instead of freeing it. Let's free it.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/zebra_rib.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/zebra/zebra_rib.c b/zebra/zebra_rib.c
index 2d6c5148833a..b4baee148aef 100644
--- a/zebra/zebra_rib.c
+++ b/zebra/zebra_rib.c
@@ -4375,8 +4375,10 @@ int rib_add_multipath(afi_t afi, safi_t safi, struct prefix *p,
return -1;
/* We either need nexthop(s) or an existing nexthop id */
- if (ng == NULL && re->nhe_id == 0)
+ if (ng == NULL && re->nhe_id == 0) {
+ zebra_rib_route_entry_free(re);
return -1;
+ }
/*
* Use a temporary nhe to convey info to the common/main api.
From 37dd51867f2b98f0fb616fc3cf9922240346fd19 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 15 Aug 2024 16:02:55 -0400
Subject: [PATCH 5/5] tests: Add some tests to show new behavior works as
expected
a) A noprefix address by itself should not create a connected route.
This was pre-existing.
b) A noprefix address with a corresponding route should result in a
connected route. This is how NetworkManager appears to work.
This is new behavior, so a new test.
c) A route is added to the system from someone else.
This is new behavior, so a new test.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
.../r1/ip_route_connected.json | 24 +++++++++++
.../r1/ip_route_kernel.json | 24 +++++++++++
.../test_zebra_multiple_connected.py | 43 +++++++++++++++++++
3 files changed, 91 insertions(+)
create mode 100644 tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
create mode 100644 tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
diff --git a/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json b/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
new file mode 100644
index 000000000000..db03ce84a6a4
--- /dev/null
+++ b/tests/topotests/zebra_multiple_connected/r1/ip_route_connected.json
@@ -0,0 +1,24 @@
+{
+ "192.168.44.0/24":[
+ {
+ "prefix":"192.168.44.0/24",
+ "prefixLen":24,
+ "protocol":"connected",
+ "vrfName":"default",
+ "selected":true,
+ "destSelected":true,
+ "distance":0,
+ "metric":0,
+ "installed":true,
+ "table":254,
+ "nexthops":[
+ {
+ "fib":true,
+ "directlyConnected":true,
+ "interfaceName":"r1-eth1",
+ "active":true
+ }
+ ]
+ }
+ ]
+}
diff --git a/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json b/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
new file mode 100644
index 000000000000..22465cb477d3
--- /dev/null
+++ b/tests/topotests/zebra_multiple_connected/r1/ip_route_kernel.json
@@ -0,0 +1,24 @@
+{
+ "4.5.6.7/32":[
+ {
+ "prefix":"4.5.6.7/32",
+ "prefixLen":32,
+ "protocol":"kernel",
+ "vrfName":"default",
+ "selected":true,
+ "destSelected":true,
+ "distance":0,
+ "metric":0,
+ "installed":true,
+ "table":254,
+ "nexthops":[
+ {
+ "fib":true,
+ "directlyConnected":true,
+ "interfaceName":"r1-eth1",
+ "active":true
+ }
+ ]
+ }
+ ]
+}
diff --git a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
index dc47527c74c2..7dbeb6f1ccb3 100644
--- a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
+++ b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
@@ -19,6 +19,9 @@
import pytest
import json
from functools import partial
+from lib.topolog import logger
+
+pytestmark = pytest.mark.random_order(disabled=True)
# Save the Current Working Directory to find configuration files.
CWD = os.path.dirname(os.path.realpath(__file__))
@@ -159,6 +162,46 @@ def test_zebra_noprefix_connected():
assert result, "Connected Route should not have been added"
+def test_zebra_noprefix_connected_add():
+ "Test that a noprefixroute created with a manual route works as expected, this is for NetworkManager"
+
+ tgen = get_topogen()
+ if tgen.routers_have_failure():
+ pytest.skip(tgen.errors)
+
+ router = tgen.gears["r1"]
+ router.run("ip route add 192.168.44.0/24 dev r1-eth1")
+
+ connected = "{}/{}/ip_route_connected.json".format(CWD, router.name)
+ expected = json.loads(open(connected).read())
+
+ test_func = partial(
+ topotest.router_json_cmp, router, "show ip route 192.168.44.0/24 json", expected
+ )
+ result, _ = topotest.run_and_expect(test_func, None, count=20, wait=1)
+ assert result, "Connected Route should have been added\n{}".format(_)
+
+
+def test_zebra_kernel_route_add():
+ "Test that a random kernel route is properly handled as expected"
+
+ tgen = get_topogen()
+ if tgen.routers_have_failure():
+ pytest.skip(tgen.errors)
+
+ router = tgen.gears["r1"]
+ router.run("ip route add 4.5.6.7/32 dev r1-eth1")
+
+ kernel = "{}/{}/ip_route_kernel.json".format(CWD, router.name)
+ expected = json.loads(open(kernel).read())
+
+ test_func = partial(
+ topotest.router_json_cmp, router, "show ip route 4.5.6.7/32 json", expected
+ )
+ result, _ = topotest.run_and_expect(test_func, None, count=20, wait=1)
+ assert result, "Connected Route should have been added\n{}".format(_)
+
+
if __name__ == "__main__":
args = ["-s"] + sys.argv[1:]
sys.exit(pytest.main(args))

48
0007-CVE-2024-44070.patch Normal file
View File

@ -0,0 +1,48 @@
From 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 31 Jul 2024 08:35:14 +0300
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
TLV value
```
0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
6 0xe0d12c83712c in abort stdlib/abort.c:79:7
7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 2ed49935e52b..ac5d08b6fe6e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2749,6 +2749,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
+ }
+
/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC(MTYPE_ENCAP_TLV,

3
README.md Normal file
View File

@ -0,0 +1,3 @@
# frr
The frr package

20
SOURCES/0001-use-python3.patch
View File

@ -1,20 +0,0 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 208fb11..0692adc 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# Frr Reloader
# Copyright (C) 2014 Cumulus Networks, Inc.
#
diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
index 540b7a1..0876ebb 100755
--- a/tools/generate_support_bundle.py
+++ b/tools/generate_support_bundle.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
########################################################
### Python Script to generate the FRR support bundle ###

17
SOURCES/0006-CVE-2020-12831.patch
View File

@ -1,17 +0,0 @@
diff --git a/tools/frr.in b/tools/frr.in
index b860797..eb64a93 100755
--- a/tools/frr.in
+++ b/tools/frr.in
@@ -105,10 +105,12 @@ check_daemon()
if [ ! -r "$C_PATH/$1-$2.conf" ]; then
touch "$C_PATH/$1-$2.conf"
chownfrr "$C_PATH/$1-$2.conf"
+ chmod 0600 "$C_PATH/$1-$2.conf"
fi
elif [ ! -r "$C_PATH/$1.conf" ]; then
touch "$C_PATH/$1.conf"
chownfrr "$C_PATH/$1.conf"
+ chmod 0600 "$C_PATH/$1.conf"
fi
fi
return 0

31
SOURCES/0007-frrinit.patch
View File

@ -1,31 +0,0 @@
diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in
index 539ab7d..d27d1be 100644
--- a/tools/frrinit.sh.in
+++ b/tools/frrinit.sh.in
@@ -43,7 +43,7 @@ fi
case "$1" in
start)
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
stop)
@@ -57,7 +57,7 @@ restart|force-reload)
all_stop --reallyall
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
@@ -87,7 +87,7 @@ reload)
# restart watchfrr to pick up added daemons.
# NB: This will NOT cause the other daemons to be restarted.
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_stop watchfrr && \
daemon_start watchfrr

33
SOURCES/0008-designated-router.patch
View File

@ -1,33 +0,0 @@
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 69a3e4587..57ef6029a 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -3737,6 +3737,28 @@ static void show_ip_ospf_interface_sub(struct vty *vty, struct ospf *ospf,
vty_out(vty,
" No backup designated router on this network\n");
} else {
+ nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &DR(oi));
+ if (nbr) {
+ if (use_json) {
+ json_object_string_add(
+ json_interface_sub, "drId",
+ inet_ntoa(nbr->router_id));
+ json_object_string_add(
+ json_interface_sub, "drAddress",
+ inet_ntoa(nbr->address.u
+ .prefix4));
+ } else {
+ vty_out(vty,
+ " Designated Router (ID) %s",
+ inet_ntoa(nbr->router_id));
+ vty_out(vty,
+ " Interface Address %s\n",
+ inet_ntoa(nbr->address.u
+ .prefix4));
+ }
+ }
+ nbr = NULL;
+
nbr = ospf_nbr_lookup_by_addr(oi->nbrs, &BDR(oi));
if (nbr == NULL) {
if (!use_json)

25
SOURCES/0009-routemap.patch
View File

@ -1,25 +0,0 @@
diff --git a/lib/routemap.c b/lib/routemap.c
index a90443a..0b594b2 100644
--- a/lib/routemap.c
+++ b/lib/routemap.c
@@ -1649,9 +1649,9 @@ static struct list *route_map_get_index_list(struct route_node **rn,
*/
static struct route_map_index *
route_map_get_index(struct route_map *map, const struct prefix *prefix,
- route_map_object_t type, void *object, uint8_t *match_ret)
+ route_map_object_t type, void *object, enum route_map_cmd_result_t *match_ret)
{
- int ret = 0;
+ enum route_map_cmd_result_t ret = RMAP_NOMATCH;
struct list *candidate_rmap_list = NULL;
struct route_node *rn = NULL;
struct listnode *ln = NULL, *nn = NULL;
@@ -2399,7 +2399,7 @@ route_map_result_t route_map_apply(struct route_map *map,
if ((!map->optimization_disabled)
&& (map->ipv4_prefix_table || map->ipv6_prefix_table)) {
index = route_map_get_index(map, prefix, type, object,
- (uint8_t *)&match_ret);
+ &match_ret);
if (index) {
if (rmap_debug)
zlog_debug(

40
SOURCES/0010-moving-executables.patch
View File

@ -1,40 +0,0 @@
diff --git a/tools/frr.service b/tools/frr.service
index aa45f42..a3f0103 100644
--- a/tools/frr.service
+++ b/tools/frr.service
@@ -17,9 +17,9 @@ WatchdogSec=60s
RestartSec=5
Restart=on-abnormal
LimitNOFILE=1024
-ExecStart=/usr/lib/frr/frrinit.sh start
-ExecStop=/usr/lib/frr/frrinit.sh stop
-ExecReload=/usr/lib/frr/frrinit.sh reload
+ExecStart=/usr/libexec/frr/frrinit.sh start
+ExecStop=/usr/libexec/frr/frrinit.sh stop
+ExecReload=/usr/libexec/frr/frrinit.sh reload
[Install]
WantedBy=multi-user.target
diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
index 9a144b2..a334d95 100644
--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
@@ -59,6 +59,9 @@ chownfrr() {
[ -n "$FRR_USER" ] && chown "$FRR_USER" "$1"
[ -n "$FRR_GROUP" ] && chgrp "$FRR_GROUP" "$1"
[ -n "$FRR_CONFIG_MODE" ] && chmod "$FRR_CONFIG_MODE" "$1"
+ if [ -d "$1" ]; then
+ chmod gu+x "$1"
+ fi
}
vtysh_b () {
@@ -152,7 +155,7 @@ daemon_start() {
daemon_prep "$daemon" "$inst" || return 1
if test ! -d "$V_PATH"; then
mkdir -p "$V_PATH"
- chown frr "$V_PATH"
+ chownfrr "$V_PATH"
fi
eval wrap="\$${daemon}_wrap"

77
SOURCES/0011-reload-bfd-profile.patch
View File

@ -1,77 +0,0 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 9979c8b..1c24f90 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -785,6 +785,48 @@ def line_exist(lines, target_ctx_keys, target_line, exact_match=True):
return True
return False
+def delete_bgp_bfd(lines_to_add, lines_to_del):
+ """
+ When 'neighbor <peer> bfd profile <profile>' is present without a
+ 'neighbor <peer> bfd' line, FRR explicitily adds it to the running
+ configuration. When the new configuration drops the bfd profile
+ line, the user's intent is to delete any bfd configuration on the
+ peer. On reload, deleting the bfd profile line after the bfd line
+ will re-enable BFD with the default BFD profile. Move the bfd line
+ to the end, if it exists in the new configuration.
+
+ Example:
+
+ neighbor 10.0.0.1 bfd
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+
+ Move to end:
+ neighbor 10.0.0.1 bfd profile bfd-profile-1
+ ...
+
+ neighbor 10.0.0.1 bfd
+
+ """
+ lines_to_del_to_app = []
+ for (ctx_keys, line) in lines_to_del:
+ if (
+ ctx_keys[0].startswith("router bgp")
+ and line
+ and line.startswith("neighbor ")
+ ):
+ # 'no neighbor [peer] bfd>'
+ nb_bfd = "neighbor (\S+) .*bfd$"
+ re_nb_bfd = re.search(nb_bfd, line)
+ if re_nb_bfd:
+ lines_to_del_to_app.append((ctx_keys, line))
+
+ for (ctx_keys, line) in lines_to_del_to_app:
+ lines_to_del.remove((ctx_keys, line))
+ lines_to_del.append((ctx_keys, line))
+
+ return (lines_to_add, lines_to_del)
+
+
def check_for_exit_vrf(lines_to_add, lines_to_del):
# exit-vrf is a bit tricky. If the new config is missing it but we
@@ -1248,6 +1290,7 @@ def compare_context_objects(newconf, running):
for line in newconf_ctx.lines:
lines_to_add.append((newconf_ctx_keys, line))
+ (lines_to_add, lines_to_del) = delete_bgp_bfd(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = check_for_exit_vrf(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_delete_re_add_lines(lines_to_add, lines_to_del)
(lines_to_add, lines_to_del) = ignore_unconfigurable_lines(lines_to_add, lines_to_del)
diff --git a/bgpd/bgp_bfd.c b/bgpd/bgp_bfd.c
index b566b0e..1bd6249 100644
--- a/bgpd/bgp_bfd.c
+++ b/bgpd/bgp_bfd.c
@@ -686,9 +686,9 @@ void bgp_bfd_peer_config_write(struct vty *vty, struct peer *peer, char *addr)
if (!CHECK_FLAG(bfd_info->flags, BFD_FLAG_PARAM_CFG)
&& (bfd_info->type == BFD_TYPE_NOT_CONFIGURED)) {
- vty_out(vty, " neighbor %s bfd", addr);
+ vty_out(vty, " neighbor %s bfd\n", addr);
if (bfd_info->profile[0])
- vty_out(vty, " profile %s", bfd_info->profile);
+ vty_out(vty, " neighbor %s bfd profile %s", addr, bfd_info->profile);
vty_out(vty, "\n");
}

79
SOURCES/0012-graceful-restart.patch
View File

@ -1,79 +0,0 @@
From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 27 Sep 2022 17:30:16 +0300
Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
We might disable sending unconfig/shutdown notifications when
Graceful-Restart is enabled and negotiated.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 3d4ef7c..f8089c6 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
void peer_notify_unconfig(struct peer *peer)
{
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
+ if (bgp_debug_neighbor_events(peer))
+ zlog_debug(
+ "%pBP configured Graceful-Restart, skipping unconfig notification",
+ peer);
+ return;
+ }
+
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
bgp_notify_send(peer, BGP_NOTIFY_CEASE,
BGP_NOTIFY_CEASE_PEER_UNCONFIG);
}
+static void peer_notify_shutdown(struct peer *peer)
+{
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
+ if (bgp_debug_neighbor_events(peer))
+ zlog_debug(
+ "%pBP configured Graceful-Restart, skipping shutdown notification",
+ peer);
+ return;
+ }
+
+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+ bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
+}
+
void peer_group_notify_unconfig(struct peer_group *group)
{
struct peer *peer, *other;
@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp)
}
/* Inform peers we're going down. */
- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
- }
+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
+ peer_notify_shutdown(peer);
/* Delete static routes (networks). */
bgp_static_delete(bgp);
@@ -7238,11 +7258,7 @@ void bgp_terminate(void)
for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
- if (peer->status == Established
- || peer->status == OpenSent
- || peer->status == OpenConfirm)
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
- BGP_NOTIFY_CEASE_PEER_UNCONFIG);
+ peer_notify_unconfig(peer);
if (bm->process_main_queue)
work_queue_free_and_null(&bm->process_main_queue);

32
SOURCES/0013-CVE-2022-37032.patch
View File

@ -1,32 +0,0 @@
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
expected
Ensure that if the capability length specified is enough data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_packet.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index dbf6c0b2e99..45752a8ab6d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
"%s CAPABILITY has action: %d, code: %u, length %u",
peer->host, action, hdr->code, hdr->length);
+ if (hdr->length < sizeof(struct capability_mp_data)) {
+ zlog_info(
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+ peer, sizeof(struct capability_mp_data),
+ hdr->length);
+ return BGP_Stop;
+ }
+
/* Capability length check. */
if ((pnt + hdr->length + 3) > end) {
zlog_info("%s Capability length error", peer->host);

117
SOURCES/0014-bfd-profile-crash.patch
View File

@ -1,117 +0,0 @@
From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001
From: Igor Ryzhov <iryzhov@nfware.com>
Date: Thu, 1 Apr 2021 15:29:18 +0300
Subject: [PATCH] bfdd: remove profiles when removing bfd node
Fixes #8379.
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
---
bfdd/bfd.c | 8 ++++++++
bfdd/bfd.h | 1 +
bfdd/bfdd_nb_config.c | 1 +
3 files changed, 10 insertions(+)
diff --git a/bfdd/bfd.c b/bfdd/bfd.c
index c966efd8ea71..cf292a836354 100644
--- a/bfdd/bfd.c
+++ b/bfdd/bfd.c
@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void)
hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL);
}
+void bfd_profiles_remove(void)
+{
+ struct bfd_profile *bp;
+
+ while ((bp = TAILQ_FIRST(&bplist)) != NULL)
+ bfd_profile_free(bp);
+}
+
/*
* Profile related hash functions.
*/
diff --git a/bfdd/bfd.h b/bfdd/bfd.h
index af3f92d6a8f8..9ee1da728717 100644
--- a/bfdd/bfd.h
+++ b/bfdd/bfd.h
@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs);
const struct bfd_session *bfd_session_next(const struct bfd_session *bs,
bool mhop);
void bfd_sessions_remove_manual(void);
+void bfd_profiles_remove(void);
/**
* Set the BFD session echo state.
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
index 0046bc625b45..77f8cbd09c07 100644
--- a/bfdd/bfdd_nb_config.c
+++ b/bfdd/bfdd_nb_config.c
@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
case NB_EV_APPLY:
bfd_sessions_remove_manual();
+ bfd_profiles_remove();
break;
case NB_EV_ABORT:
diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c
index 77f8cbd09c07..4030e2eefa50 100644
--- a/bfdd/bfdd_nb_config.c
+++ b/bfdd/bfdd_nb_config.c
@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event,
*/
int bfdd_bfd_create(struct nb_cb_create_args *args)
{
- /* NOTHING */
+ if (args->event != NB_EV_APPLY)
+ return NB_OK;
+
+ /*
+ * Set any non-NULL value to be able to call
+ * nb_running_unset_entry in bfdd_bfd_destroy.
+ */
+ nb_running_set_entry(args->dnode, (void *)0x1);
+
return NB_OK;
}
@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args)
return NB_OK;
case NB_EV_APPLY:
+ /*
+ * We need to call this to unset pointers from
+ * the child nodes - sessions and profiles.
+ */
+ nb_running_unset_entry(args->dnode);
+
bfd_sessions_remove_manual();
bfd_profiles_remove();
break;
diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c
index b64e36b36a44..5a844e56e121 100644
--- a/bfdd/bfdd_cli.c
+++ b/bfdd/bfdd_cli.c
@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode,
* Profile commands.
*/
DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd,
- "profile WORD$name",
+ "profile BFDPROF$name",
BFD_PROFILE_STR
BFD_PROFILE_NAME_STR)
{
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 74f13e1a44e8..cf1811bb1f2f 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd,
}
DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd,
- "profile WORD",
+ "profile BFDPROF",
BFD_PROFILE_STR
BFD_PROFILE_NAME_STR)
{

93
SOURCES/0015-max-ttl-reload.patch
View File

@ -1,93 +0,0 @@
From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Mon, 21 Aug 2023 00:01:42 +0300
Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop
vty output
1. Create /etc/frr/frr.conf
```
frr version 7.5
frr defaults traditional
hostname centos8.localdomain
no ip forwarding
no ipv6 forwarding
service integrated-vtysh-config
line vty
router bgp 4250001000
neighbor 192.168.122.207 remote-as 65512
neighbor 192.168.122.207 ebgp-multihop
```
2. Start FRR
`# systemctl start frr
`
3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225)
```
Building configuration...
Current configuration:
!
frr version 7.5
frr defaults traditional
hostname centos8.localdomain
no ip forwarding
no ipv6 forwarding
service integrated-vtysh-config
!
router bgp 4250001000
neighbor 192.168.122.207 remote-as 65512
neighbor 192.168.122.207 ebgp-multihop 255
!
line vty
!
end
```
4. Copy initial frr.conf to frr.conf.new (no changes)
`# cp /etc/frr/frr.conf /root/frr.conf.new
`
5. Run frr-reload.sh:
```
$ /usr/lib/frr/frr-reload.py --test /root/frr.conf.new
2023-08-20 20:15:48,050 INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)"
2023-08-20 20:15:48,050 INFO: Loading Config object from file /root/frr.conf.new
2023-08-20 20:15:48,124 INFO: Loading Config object from vtysh show running
Lines To Delete
===============
router bgp 4250001000
no neighbor 192.168.122.207 ebgp-multihop 255
Lines To Add
============
router bgp 4250001000
neighbor 192.168.122.207 ebgp-multihop
```
Closes https://github.com/FRRouting/frr/issues/14242
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_vty.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index be0fe4283747..c9a9255f3392 100644
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
&& !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED
&& peer->ttl == MAXTTL)) {
if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) {
- vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr,
- peer->ttl);
+ if (peer->ttl != MAXTTL)
+ vty_out(vty, " neighbor %s ebgp-multihop %d\n",
+ addr, peer->ttl);
+ else
+ vty_out(vty, " neighbor %s ebgp-multihop\n",
+ addr);
}
}

129
SOURCES/0016-CVE-2023-38802.patch
View File

@ -1,129 +0,0 @@
From 46817adab03802355c3cce7b753c7a735bdcc5ae Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Thu, 13 Jul 2023 22:32:03 +0300
Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
attribute
Before this path we used session reset method, which is discouraged by rfc7606.
Handle this as rfc requires.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186)
---
bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
1 file changed, 25 insertions(+), 36 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 058fae23cbd..1c0803cfd8e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
case BGP_ATTR_LARGE_COMMUNITIES:
case BGP_ATTR_ORIGINATOR_ID:
case BGP_ATTR_CLUSTER_LIST:
+ case BGP_ATTR_ENCAP:
return BGP_ATTR_PARSE_WITHDRAW;
case BGP_ATTR_MP_REACH_NLRI:
case BGP_ATTR_MP_UNREACH_NLRI:
@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
}
/* Parse Tunnel Encap attribute in an UPDATE */
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- bgp_size_t length, /* IN: attr's length field */
- struct attr *attr, /* IN: caller already allocated */
- uint8_t flag, /* IN: attr's flags field */
- uint8_t *startp)
+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
{
- bgp_size_t total;
uint16_t tunneltype = 0;
-
- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
+ struct peer *const peer = args->peer;
+ struct attr *const attr = args->attr;
+ bgp_size_t length = args->length;
+ uint8_t type = args->type;
+ uint8_t flag = args->flags;
if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
|| !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
- zlog_info(
- "Tunnel Encap attribute flag isn't optional and transitive %d",
- flag);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
+ flag);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
if (BGP_ATTR_ENCAP == type) {
@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
uint16_t tlv_length;
if (length < 4) {
- zlog_info(
+ zlog_err(
"Tunnel Encap attribute not long enough to contain outer T,L");
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
tunneltype = stream_getw(BGP_INPUT(peer));
tlv_length = stream_getw(BGP_INPUT(peer));
@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
}
if (sublength > length) {
- zlog_info(
- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
- sublength, length);
- bgp_notify_send_with_data(
- peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
+ sublength, length);
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
/* alloc and copy sub-tlv */
@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
if (length) {
/* spurious leftover data */
- zlog_info(
- "Tunnel Encap attribute length is bad: %d leftover octets",
- length);
- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
- startp, total);
- return -1;
+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
+ length);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
}
return 0;
@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
case BGP_ATTR_VNC:
#endif
case BGP_ATTR_ENCAP:
- ret = bgp_attr_encap(type, peer, length, attr, flag,
- startp);
+ ret = bgp_attr_encap(&attr_args);
break;
case BGP_ATTR_PREFIX_SID:
ret = bgp_attr_prefix_sid(&attr_args);

48
SOURCES/0017-fix-crash-in-plist-update.patch
View File

@ -1,48 +0,0 @@
From 0f9e4c4a36cf2b0dd585a7ef97acccb8eebdf7bd Mon Sep 17 00:00:00 2001
From: Chirag Shah <chirag@nvidia.com>
Date: Mon, 25 Jan 2021 11:44:56 -0800
Subject: [PATCH] lib: fix a crash in plist update
Problem:
Prefix-list with mulitiple rules, an update to
a rule/sequence with different prefix/prefixlen
reset prefix-list next-base pointer to avoid
having stale value.
In some case the old next-bast's reference leads
to an assert in tri (trie_install_fn ) add.
bt:
(object=0x55576a4c8a00, updptr=0x55576a4b97e0) at lib/plist.c:560
(plist=0x55576a4a1770, pentry=0x55576a4c8a00) at lib/plist.c:585
(ple=0x55576a4c8a00) at lib/plist.c:745
(args=0x7fffe04beb50) at lib/filter_nb.c:1181
Solution:
Reset prefix-list next-base pointer whenver a
sequence/rule is updated.
Ticket:CM-33109
Testing Done:
Signed-off-by: Chirag Shah <chirag@nvidia.com>
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
(cherry picked from commit f7f101156eb0e225f375f12cf4f863ebbe3fed03)
---
lib/plist.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/plist.c b/lib/plist.c
index 981e86e2a..c746d1946 100644
--- a/lib/plist.c
+++ b/lib/plist.c
@@ -684,6 +684,7 @@ void prefix_list_entry_update_start(struct prefix_list_entry *ple)
if (pl->head || pl->tail || pl->desc)
pl->master->recent = pl;
+ ple->next_best = NULL;
ple->installed = false;
}
--
2.41.0

34
SOURCES/0018-CVE-2023-38406.patch
View File

@ -1,34 +0,0 @@
From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 23 Feb 2023 13:29:32 -0500
Subject: [PATCH] bgpd: Flowspec overflow issue
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside. Which
in this case is not a good thing at all. Prevent warmth, stay cold
on the inside.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_flowspec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 8d5ca5e77779..f9debe43cd45 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
+
+ if (psize == 0) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "Flowspec NLRI length 0 which makes no sense");
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,

54
SOURCES/0019-CVE-2023-38407.patch
View File

@ -1,54 +0,0 @@
From 7404a914b0cafe046703c8381903a80d3def8f8b Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Fri, 3 Mar 2023 21:58:33 -0500
Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing
Fixes a couple crashes associated with attempting to read
beyond the end of the stream.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_label.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c
index 0cad119af101..c4a5277553ba 100644
--- a/bgpd/bgp_label.c
+++ b/bgpd/bgp_label.c
@@ -297,6 +297,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen,
uint8_t llen = 0;
uint8_t label_depth = 0;
+ if (plen < BGP_LABEL_BYTES)
+ return 0;
+
for (; data < lim; data += BGP_LABEL_BYTES) {
memcpy(label, data, BGP_LABEL_BYTES);
llen += BGP_LABEL_BYTES;
@@ -359,6 +362,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
addpath_id = ntohl(addpath_id);
pnt += BGP_ADDPATH_ID_LEN;
+
+ if (pnt >= lim)
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
/* Fetch prefix length. */
@@ -377,6 +383,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr,
/* Fill in the labels */
llen = bgp_nlri_get_labels(peer, pnt, psize, &label);
+ if (llen == 0) {
+ flog_err(
+ EC_BGP_UPDATE_RCV,
+ "%s [Error] Update packet error (wrong label length 0)",
+ peer->host);
+ bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR,
+ BGP_NOTIFY_UPDATE_INVAL_NETWORK);
+ return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH;
+ }
p.prefixlen = prefixlen - BSIZE(llen);
/* There needs to be at least one label */

89
SOURCES/0020-CVE-2023-47234.patch
View File

@ -1,89 +0,0 @@
From c37119df45bbf4ef713bc10475af2ee06e12f3bf Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 29 Oct 2023 22:44:45 +0200
Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI
If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if
no mandatory path attributes received.
In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled
as a new data, but without mandatory attributes, it's a malformed packet.
In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST
handle that.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 19 ++++++++++---------
bgpd/bgp_attr.h | 1 +
bgpd/bgp_packet.c | 7 ++++++-
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 1473dc772502..75aa2ac7cce6 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3399,15 +3399,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
return BGP_ATTR_PARSE_PROCEED;
- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required
- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI
- are present, it should. Check for any other attribute being present
- instead.
- */
- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))))
- return BGP_ATTR_PARSE_PROCEED;
-
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
type = BGP_ATTR_ORIGIN;
@@ -3426,6 +3417,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
&& !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF)))
type = BGP_ATTR_LOCAL_PREF;
+ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required
+ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI
+ * are present, it should. Check for any other attribute being present
+ * instead.
+ */
+ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) &&
+ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))
+ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY
+ : BGP_ATTR_PARSE_PROCEED;
+
/* If any of the well-known mandatory attributes are not present
* in an UPDATE message, then "treat-as-withdraw" MUST be used.
*/
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index fc347e7a1b4b..d30155e6dba0 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -364,6 +364,7 @@ enum bgp_attr_parse_ret {
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
BGP_ATTR_PARSE_EOR = -4,
+ BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
} bgp_attr_parse_ret_t;
struct bpacket_attr_vec_arr;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a7514a26aa64..5dc35157ebf6 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2359,7 +2359,12 @@ static int bgp_update_receive(struct peer_connection *connection,
/* Network Layer Reachability Information. */
update_len = end - stream_pnt(s);
- if (update_len) {
+ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then
+ * NLRIs should be handled as a new data. Though, if we received
+ * NLRIs without mandatory attributes, they should be ignored.
+ */
+ if (update_len && attribute_len &&
+ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) {
/* Set NLRI portion to structure. */
nlris[NLRI_UPDATE].afi = AFI_IP;
nlris[NLRI_UPDATE].safi = SAFI_UNICAST;

105
SOURCES/0021-CVE-2023-47235.patch
View File

@ -1,105 +0,0 @@
From 6814f2e0138a6ea5e1f83bdd9085d9a77999900b Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 27 Oct 2023 11:56:45 +0300
Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of
malformed attrs
Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be
processed as a normal UPDATE without mandatory attributes, that could lead
to harmful behavior. In this case, a crash for route-maps with the configuration
such as:
```
router bgp 65001
no bgp ebgp-requires-policy
neighbor 127.0.0.1 remote-as external
neighbor 127.0.0.1 passive
neighbor 127.0.0.1 ebgp-multihop
neighbor 127.0.0.1 disable-connected-check
neighbor 127.0.0.1 update-source 127.0.0.2
neighbor 127.0.0.1 timers 3 90
neighbor 127.0.0.1 timers connect 1
!
address-family ipv4 unicast
neighbor 127.0.0.1 addpath-tx-all-paths
neighbor 127.0.0.1 default-originate
neighbor 127.0.0.1 route-map RM_IN in
exit-address-family
exit
!
route-map RM_IN permit 10
set as-path prepend 200
exit
```
Send a malformed optional transitive attribute:
```
import socket
import time
OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02"
b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02"
b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00"
b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d"
b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01"
b"\x80\x00\x00\x00")
KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
b"\xff\xff\xff\xff\xff\xff\x00\x13\x04")
UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.2', 179))
s.send(OPEN)
data = s.recv(1024)
s.send(KEEPALIVE)
data = s.recv(1024)
s.send(UPDATE)
data = s.recv(1024)
time.sleep(100)
s.close()
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index cf2dbe65b805..1473dc772502 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3391,9 +3391,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr,
uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an
- * empty UPDATE. */
+ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it,
+ * we will pass it to be processed as a normal UPDATE without mandatory
+ * attributes, that could lead to harmful behavior.
+ */
if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
- return BGP_ATTR_PARSE_PROCEED;
+ return BGP_ATTR_PARSE_WITHDRAW;
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
type = BGP_ATTR_ORIGIN;
@@ -3273,7 +3276,13 @@ done:
aspath_unintern(&as4_path);
}
- if (ret != BGP_ATTR_PARSE_ERROR) {
+ /* If we received an UPDATE with mandatory attributes, then
+ * the unrecognized transitive optional attribute of that
+ * path MUST be passed. Otherwise, it's an error, and from
+ * security perspective it might be very harmful if we continue
+ * here with the unrecognized attributes.
+ */
+ if (ret == BGP_ATTR_PARSE_PROCEED) {
/* Finally intern unknown attribute. */
if (attr->transit)
attr->transit = transit_intern(attr->transit);

47
SOURCES/0022-route-map-event.patch
View File

@ -1,47 +0,0 @@
From 4fc5dafd1c8167a98e3a5f51efc1ea5092513364 Mon Sep 17 00:00:00 2001
From: rgirada <rgirada@vmware.com>
Date: Thu, 18 Feb 2021 20:15:40 -0800
Subject: [PATCH] lib: Routemap is not getting applied upon changing the
routemap action
Description:
This looks broken after NB changes in routemap. When routemap
action modified from permit to deny, it is expected to apply
the new action on the filtered routes before the action in the
routemap data structure has been changed. But currently this is
not handled by the corresponding northbound API.
Signed-off-by: Rajesh Girada <rgirada@vmware.com>
---
lib/routemap_northbound.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/routemap_northbound.c b/lib/routemap_northbound.c
index db06e9caac75..3473ca2aea8c 100644
--- a/lib/routemap_northbound.c
+++ b/lib/routemap_northbound.c
@@ -271,6 +271,7 @@ lib_route_map_entry_description_destroy(struct nb_cb_destroy_args *args)
static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
{
struct route_map_index *rmi;
+ struct route_map *map;
switch (args->event) {
case NB_EV_VALIDATE:
@@ -281,7 +282,15 @@ static int lib_route_map_entry_action_modify(struct nb_cb_modify_args *args)
case NB_EV_APPLY:
rmi = nb_running_get_entry(args->dnode, NULL, true);
rmi->type = yang_dnode_get_enum(args->dnode, NULL);
- /* TODO: notify? */
+ map = rmi->map;
+
+ /* Execute event hook. */
+ if (route_map_master.event_hook) {
+ (*route_map_master.event_hook)(map->name);
+ route_map_notify_dependencies(map->name,
+ RMAP_EVENT_CALL_ADDED);
+ }
+
break;
}

76
SOURCES/0023-CVE-2023-46752.patch
View File

@ -1,76 +0,0 @@
From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Fri, 20 Oct 2023 17:49:18 +0300
Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session
reset
Avoid crashing bgpd.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 6 +-----
bgpd/bgp_attr.h | 1 -
bgpd/bgp_packet.c | 6 +-----
3 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 6925aff727e2..e7bb42a5d989 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args,
mp_update->afi = afi;
mp_update->safi = safi;
- return BGP_ATTR_PARSE_EOR;
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0);
}
mp_update->afi = afi;
@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
goto done;
}
- if (ret == BGP_ATTR_PARSE_EOR) {
- goto done;
- }
-
if (ret == BGP_ATTR_PARSE_ERROR) {
flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR,
"%s: Attribute %s, parse error", peer->host,
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 961e5f122470..fc347e7a1b4b 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret {
/* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR
*/
BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3,
- BGP_ATTR_PARSE_EOR = -4,
BGP_ATTR_PARSE_MISSING_MANDATORY = -4,
} bgp_attr_parse_ret_t;
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index b585591e2f69..5ecf343b6657 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection,
* Non-MP IPv4/Unicast EoR is a completely empty UPDATE
* and MP EoR should have only an empty MP_UNREACH
*/
- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0)
- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) {
+ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) {
afi_t afi = 0;
safi_t safi;
struct graceful_restart_info *gr_info;
@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection,
&& nlris[NLRI_MP_WITHDRAW].length == 0) {
afi = nlris[NLRI_MP_WITHDRAW].afi;
safi = nlris[NLRI_MP_WITHDRAW].safi;
- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) {
- afi = nlris[NLRI_MP_UPDATE].afi;
- safi = nlris[NLRI_MP_UPDATE].safi;
}
if (afi && peer->afc[afi][safi]) {

60
SOURCES/0024-CVE-2023-46753.patch
View File

@ -1,60 +0,0 @@
From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Mon, 23 Oct 2023 23:34:10 +0300
Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE
message
If we send a crafted BGP UPDATE message without mandatory attributes, we do
not check if the length of the path attributes is zero or not. We only check
if attr->flag is at least set or not. Imagine we send only unknown transit
attribute, then attr->flag is always 0. Also, this is true only if graceful-restart
capability is received.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgp_attr.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 26fd3de..bcc4424 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args)
}
/* Well-known attribute check. */
-static int bgp_attr_check(struct peer *peer, struct attr *attr)
+static int bgp_attr_check(struct peer *peer, struct attr *attr,
+ bgp_size_t length)
{
uint8_t type = 0;
@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr)
* we will pass it to be processed as a normal UPDATE without mandatory
* attributes, that could lead to harmful behavior.
*/
- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag)
+ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag &&
+ !length)
return BGP_ATTR_PARSE_WITHDRAW;
if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN)))
@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
bgp_attr_parse_ret_t ret;
uint8_t flag = 0;
uint8_t type = 0;
- bgp_size_t length;
+ bgp_size_t length = 0;
uint8_t *startp, *endp;
uint8_t *attr_endp;
uint8_t seen[BGP_ATTR_BITMAP_SIZE];
@@ -3216,7 +3218,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
}
/* Check all mandatory well-known attributes are present */
- if ((ret = bgp_attr_check(peer, attr)) < 0)
+ if ((ret = bgp_attr_check(peer, attr, length)) < 0)
goto done;
/*

150
SOURCES/0025-CVE-2023-31490.patch
View File

@ -1,150 +0,0 @@
From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Tue, 6 Dec 2022 10:23:11 -0500
Subject: [PATCH] bgpd: Ensure stream received has enough data
BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
fully trust the length value specified in the nlri.
Always ensure that the amount of data we need to read
can be fullfilled.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
1 file changed, 25 insertions(+), 54 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index c35e45275c9b..5b06bc391375 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2927,9 +2927,21 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
uint16_t endpoint_behavior;
char buf[BUFSIZ];
+ /*
+ * Check that we actually have at least as much data as
+ * specified by the length field
+ */
+ if (STREAM_READABLE(peer->curr) < length) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Prefix SID specifies length %hu, but only %zu bytes remain",
+ length, STREAM_READABLE(peer->curr));
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
if (type == BGP_PREFIX_SID_LABEL_INDEX) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID label index length is %hu instead of %u",
length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
@@ -2951,12 +2963,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
/* Store label index; subsequently, we'll check on
* address-family */
attr->label_index = label_index;
- }
-
- /* Placeholder code for the IPv6 SID type */
- else if (type == BGP_PREFIX_SID_IPV6) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_IPV6) {
+ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID IPv6 length is %hu instead of %u",
length, BGP_PREFIX_SID_IPV6_LENGTH);
@@ -2970,10 +2978,7 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_getw(peer->curr);
stream_get(&ipv6_sid, peer->curr, 16);
- }
-
- /* Placeholder code for the Originator SRGB type */
- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
/*
* ietf-idr-bgp-prefix-sid-05:
* Length is the total length of the value portion of the
@@ -2998,19 +3003,6 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
args->total);
}
- /*
- * Check that we actually have at least as much data as
- * specified by the length field
- */
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(EC_BGP_ATTR_LEN,
- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
/*
* Check that the portion of the TLV containing the sequence of
* SRGBs corresponds to a multiple of the SRGB size; to get
@@ -3034,12 +3026,8 @@ bgp_attr_psid_sub(uint8_t type, uint16_t length,
stream_get(&srgb_base, peer->curr, 3);
stream_get(&srgb_range, peer->curr, 3);
}
- }
-
- /* Placeholder code for the VPN-SID Service type */
- else if (type == BGP_PREFIX_SID_VPN_SID) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+ } else if (type == BGP_PREFIX_SID_VPN_SID) {
+ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
flog_err(EC_BGP_ATTR_LEN,
"Prefix SID VPN SID length is %hu instead of %u",
length, BGP_PREFIX_SID_VPN_SID_LENGTH);
@@ -2601,18 +2589,13 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
sizeof(struct bgp_attr_srv6_vpn));
attr->srv6_vpn->sid_flags = sid_flags;
sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
- }
-
- /* Placeholder code for the SRv6 L3 Service type */
- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
- if (STREAM_READABLE(peer->curr) < length
- || length != BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH) {
- flog_err(EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 L3-Service length is %hu instead of %u",
- length, BGP_PREFIX_SID_SRV6_L3_SERVICE_LENGTH);
- return bgp_attr_malformed(args,
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
+ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+ if (STREAM_READABLE(peer->curr) < 1) {
+ flog_err(EC_BGP_ATTR_LEN,
+ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
+ return bgp_attr_malformed(
+ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
}
/* Parse L3-SERVICE Sub-TLV */
@@ -2647,17 +2630,6 @@ static bgp_attr_parse_ret_t bgp_attr_psid_sub(uint8_t type, uint16_t length,
/* Placeholder code for Unsupported TLV */
else {
-
- if (STREAM_READABLE(peer->curr) < length) {
- flog_err(
- EC_BGP_ATTR_LEN,
- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
- length, STREAM_READABLE(peer->curr));
- return bgp_attr_malformed(
- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- args->total);
- }
-
if (bgp_debug_update(peer, NULL, NULL, 1))
zlog_debug(
"%s attr Prefix-SID sub-type=%u is not supported, skipped",

34
SOURCES/0026-CVE-2023-41909.patch
View File

@ -1,34 +0,0 @@
From cfd04dcb3e689754a72507d086ba3b9709fc5ed8 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 5 Apr 2023 14:57:05 -0400
Subject: [PATCH] bgpd: Limit flowspec to no attribute means a implicit
withdrawal
All other parsing functions done from bgp_nlri_parse() assume
no attributes == an implicit withdrawal. Let's move
bgp_nlri_parse_flowspec() into the same alignment.
Reported-by: Matteo Memelli <mmemelli@amazon.it>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_flowspec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index f9debe43cd45..5e1be21402dc 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -98,6 +98,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
afi = packet->afi;
safi = packet->safi;
+ /*
+ * All other AFI/SAFI's treat no attribute as a implicit
+ * withdraw. Flowspec should as well.
+ */
+ if (!attr)
+ withdraw = 1;
+
if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
flog_err(EC_BGP_FLOWSPEC_PACKET,
"BGP flowspec nlri length maximum reached (%u)",

267
SOURCES/0027-dynamic-netlink-buffer.patch
View File

@ -1,267 +0,0 @@
From 2cf7651f0b1b0123dc5568ebad00ac84a9b3c348 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Wed, 2 Feb 2022 13:28:42 -0500
Subject: [PATCH] zebra: Make netlink buffer reads resizeable when needed
Currently when the kernel sends netlink messages to FRR
the buffers to receive this data is of fixed length.
The kernel, with certain configurations, will send
netlink messages that are larger than this fixed length.
This leads to situations where, on startup, zebra gets
really confused about the state of the kernel. Effectively
the current algorithm is this:
read up to buffer in size
while (data to parse)
get netlink message header, look at size
parse if you can
The problem is that there is a 32k buffer we read.
We get the first message that is say 1k in size,
subtract that 1k to 31k left to parse. We then
get the next header and notice that the length
of the message is 33k. Which is obviously larger
than what we read in. FRR has no recover mechanism
nor is there a way to know, a priori, what the maximum
size the kernel will send us.
Modify FRR to look at the kernel message and see if the
buffer is large enough, if not, make it large enough to
read in the message.
This code has to be per netlink socket because of the usage
of pthreads. So add to `struct nlsock` the buffer and current
buffer length. Growing it as necessary.
Fixes: #10404
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
zebra/kernel_netlink.c | 68 +++++++++++++++++++++++++-----------------
zebra/kernel_netlink.h | 2 +-
zebra/zebra_dplane.c | 4 +++
zebra/zebra_ns.h | 3 ++
4 files changed, 49 insertions(+), 28 deletions(-)
diff --git a/zebra/kernel_netlink.h b/zebra/kernel_netlink.h
index ae88f3372b1c..9421ea1c611a 100644
--- a/zebra/kernel_netlink.h
+++ b/zebra/kernel_netlink.h
@@ -96,7 +96,7 @@ extern const char *nl_family_to_str(uint8_t family);
extern const char *nl_rttype_to_str(uint8_t rttype);
extern int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
- const struct nlsock *nl,
+ struct nlsock *nl,
const struct zebra_dplane_info *dp_info,
int count, int startup);
extern int netlink_talk_filter(struct nlmsghdr *h, ns_id_t ns, int startup);
diff --git a/zebra/zebra_ns.h b/zebra/zebra_ns.h
index 0519e1d5b33d..7a0ffbc1ee6f 100644
--- a/zebra/zebra_ns.h
+++ b/zebra/zebra_ns.h
@@ -39,6 +39,9 @@ struct nlsock {
int seq;
struct sockaddr_nl snl;
char name[64];
+
+ uint8_t *buf;
+ size_t buflen;
};
#endif
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index b8eaeb1..14a40a9 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -90,8 +90,6 @@
*/
#define NL_DEFAULT_BATCH_SEND_THRESHOLD (15 * NL_PKT_BUF_SIZE)
-#define NL_BATCH_RX_BUFSIZE NL_RCV_PKT_BUF_SIZE
-
static const struct message nlmsg_str[] = {{RTM_NEWROUTE, "RTM_NEWROUTE"},
{RTM_DELROUTE, "RTM_DELROUTE"},
{RTM_GETROUTE, "RTM_GETROUTE"},
@@ -164,8 +162,6 @@ DEFINE_MTYPE_STATIC(ZEBRA, NL_BUF, "Zebra Netlink buffers")
size_t nl_batch_tx_bufsize;
char *nl_batch_tx_buf;
-char nl_batch_rx_buf[NL_BATCH_RX_BUFSIZE];
-
_Atomic uint32_t nl_batch_bufsize = NL_DEFAULT_BATCH_BUFSIZE;
_Atomic uint32_t nl_batch_send_threshold = NL_DEFAULT_BATCH_SEND_THRESHOLD;
@@ -322,6 +318,9 @@ static int netlink_socket(struct nlsock *nl, unsigned long groups,
nl->snl = snl;
nl->sock = sock;
+ nl->buflen = NL_RCV_PKT_BUF_SIZE;
+ nl->buf = XMALLOC(MTYPE_NL_BUF, nl->buflen);
+
return ret;
}
@@ -729,19 +728,29 @@ static ssize_t netlink_send_msg(const struct nlsock *nl, void *buf,
*
* Returns -1 on error, 0 if read would block or the number of bytes received.
*/
-static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
- void *buf, size_t buflen)
+static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
{
struct iovec iov;
int status;
- iov.iov_base = buf;
- iov.iov_len = buflen;
- msg.msg_iov = &iov;
- msg.msg_iovlen = 1;
+ iov.iov_base = nl->buf;
+ iov.iov_len = nl->buflen;
+ msg->msg_iov = &iov;
+ msg->msg_iovlen = 1;
do {
- status = recvmsg(nl->sock, &msg, 0);
+ int bytes;
+
+ bytes = recv(nl->sock, NULL, 0, MSG_PEEK | MSG_TRUNC);
+
+ if (bytes >= 0 && (size_t)bytes > nl->buflen) {
+ nl->buf = XREALLOC(MTYPE_NL_BUF, nl->buf, bytes);
+ nl->buflen = bytes;
+ iov.iov_base = nl->buf;
+ iov.iov_len = nl->buflen;
+ }
+
+ status = recvmsg(nl->sock, msg, 0);
} while (status == -1 && errno == EINTR);
if (status == -1) {
@@ -761,10 +770,10 @@ static int netlink_recv_msg(const struct nlsock *nl, struct msghdr msg,
return -1;
}
- if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
+ if (msg->msg_namelen != sizeof(struct sockaddr_nl)) {
flog_err(EC_ZEBRA_NETLINK_LENGTH_ERROR,
"%s sender address length error: length %d", nl->name,
- msg.msg_namelen);
+ msg->msg_namelen);
return -1;
}
@@ -873,8 +882,7 @@ static int netlink_parse_error(const struct nlsock *nl, struct nlmsghdr *h,
* the filter.
*/
int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
- const struct nlsock *nl,
- const struct zebra_dplane_info *zns,
+ struct nlsock *nl, const struct zebra_dplane_info *zns,
int count, int startup)
{
int status;
@@ -883,7 +891,6 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
int read_in = 0;
while (1) {
- char buf[NL_RCV_PKT_BUF_SIZE];
struct sockaddr_nl snl;
struct msghdr msg = {.msg_name = (void *)&snl,
.msg_namelen = sizeof(snl)};
@@ -892,14 +899,14 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
if (count && read_in >= count)
return 0;
- status = netlink_recv_msg(nl, msg, buf, sizeof(buf));
+ status = netlink_recv_msg(nl, &msg);
if (status == -1)
return -1;
else if (status == 0)
break;
read_in++;
- for (h = (struct nlmsghdr *)buf;
+ for (h = (struct nlmsghdr *)nl->buf;
(status >= 0 && NLMSG_OK(h, (unsigned int)status));
h = NLMSG_NEXT(h, status)) {
/* Finish of reading. */
@@ -976,10 +983,10 @@ int netlink_parse_info(int (*filter)(struct nlmsghdr *, ns_id_t, int),
*/
static int
netlink_talk_info(int (*filter)(struct nlmsghdr *, ns_id_t, int startup),
- struct nlmsghdr *n, const struct zebra_dplane_info *dp_info,
+ struct nlmsghdr *n, struct zebra_dplane_info *dp_info,
int startup)
{
- const struct nlsock *nl;
+ struct nlsock *nl;
nl = &(dp_info->nls);
n->nlmsg_seq = nl->seq;
@@ -1067,12 +1074,11 @@ static int nl_batch_read_resp(struct nl_batch *bth)
* message at a time.
*/
while (true) {
- status = netlink_recv_msg(nl, msg, nl_batch_rx_buf,
- sizeof(nl_batch_rx_buf));
+ status = netlink_recv_msg(nl, &msg);
if (status == -1 || status == 0)
return status;
- h = (struct nlmsghdr *)nl_batch_rx_buf;
+ h = (struct nlmsghdr *)nl->buf;
ignore_msg = false;
seq = h->nlmsg_seq;
/*
@@ -1506,11 +1512,15 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
if (zns->netlink.sock >= 0) {
close(zns->netlink.sock);
zns->netlink.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink.buf);
+ zns->netlink.buflen = 0;
}
if (zns->netlink_cmd.sock >= 0) {
close(zns->netlink_cmd.sock);
zns->netlink_cmd.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink_cmd.buf);
+ zns->netlink_cmd.buflen = 0;
}
/* During zebra shutdown, we need to leave the dataplane socket
@@ -1520,6 +1530,8 @@ void kernel_terminate(struct zebra_ns *zns, bool complete)
if (zns->netlink_dplane.sock >= 0) {
close(zns->netlink_dplane.sock);
zns->netlink_dplane.sock = -1;
+ XFREE(MTYPE_NL_BUF, zns->netlink_dplane.buf);
+ zns->netlink_dplane.buflen = 0;
}
}
}
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 14a40a9..2b566d4 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -779,7 +779,7 @@ static int netlink_recv_msg(struct nlsock *nl, struct msghdr *msg)
if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_RECV) {
zlog_debug("%s: << netlink message dump [recv]", __func__);
- zlog_hexdump(buf, status);
+ zlog_hexdump(nl->buf, status);
}
return status;
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 2b566d4..0564a6b 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -1060,7 +1060,7 @@ static int nl_batch_read_resp(struct nl_batch *bth)
struct sockaddr_nl snl;
struct msghdr msg = {};
int status, seq;
- const struct nlsock *nl;
+ struct nlsock *nl;
struct zebra_dplane_ctx *ctx;
bool ignore_msg;

28
SOURCES/frr.fc
View File

@ -1,28 +0,0 @@
/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)

423
SPECS/frr.spec
View File

@ -1,423 +0,0 @@
%global frrversion 7.5.1
%global frr_libdir /usr/libexec/frr
%global _hardened_build 1
%global selinuxtype targeted
%bcond_without selinux
Name: frr
Version: 7.5.1
Release: 22%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
Source1: %{name}-tmpfiles.conf
Source2: frr.fc
Source3: frr.te
Source4: frr.if
BuildRequires: perl-generators
BuildRequires: gcc
BuildRequires: net-snmp-devel
BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff
BuildRequires: readline readline-devel ncurses ncurses-devel
BuildRequires: git pam-devel c-ares-devel
BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
BuildRequires: python3-devel python3-sphinx python3-pytest
BuildRequires: systemd systemd-devel
BuildRequires: libyang-devel >= 1.0.184
Requires: net-snmp ncurses
Requires(post): systemd /sbin/install-info
Requires(preun): systemd /sbin/install-info
Requires(postun): systemd
Requires: iproute
Requires: initscripts
%if 0%{?with_selinux}
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
%endif
Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga frr-contrib
Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch
Patch0006: 0006-CVE-2020-12831.patch
Patch0007: 0007-frrinit.patch
Patch0008: 0008-designated-router.patch
Patch0009: 0009-routemap.patch
Patch0010: 0010-moving-executables.patch
Patch0011: 0011-reload-bfd-profile.patch
Patch0012: 0012-graceful-restart.patch
Patch0013: 0013-CVE-2022-37032.patch
Patch0014: 0014-bfd-profile-crash.patch
Patch0015: 0015-max-ttl-reload.patch
Patch0016: 0016-CVE-2023-38802.patch
Patch0017: 0017-fix-crash-in-plist-update.patch
Patch0018: 0018-CVE-2023-38406.patch
Patch0019: 0019-CVE-2023-38407.patch
Patch0020: 0020-CVE-2023-47234.patch
Patch0021: 0021-CVE-2023-47235.patch
Patch0022: 0022-route-map-event.patch
Patch0023: 0023-CVE-2023-46752.patch
Patch0024: 0024-CVE-2023-46753.patch
Patch0025: 0025-CVE-2023-31490.patch
Patch0026: 0026-CVE-2023-41909.patch
Patch0027: 0027-dynamic-netlink-buffer.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
a multi-server and multi-threaded approach to resolve the current complexity
of the Internet.
FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
FRRouting is a fork of Quagga.
%if 0%{?with_selinux}
%package selinux
Summary: Selinux policy for FRR
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
SELinux policy modules for FRR package
%endif
%prep
%autosetup -S git
#SELinux
mkdir selinux
cp -p %{SOURCE2} %{SOURCE3} %{SOURCE4} selinux
%build
autoreconf -ivf
%configure \
--sbindir=%{frr_libdir} \
--sysconfdir=%{_sysconfdir}/frr \
--libdir=%{_libdir}/frr \
--libexecdir=%{_libexecdir}/frr \
--localstatedir=%{_localstatedir}/run/frr \
--enable-snmp=agentx \
--enable-multipath=64 \
--enable-vtysh=yes \
--enable-ospfclient=no \
--enable-ospfapi=no \
--enable-user=frr \
--enable-group=frr \
--enable-vty-group=frrvty \
--enable-rtadv \
--disable-exampledir \
--enable-systemd=yes \
--enable-static=no \
--disable-ldpd \
--disable-babeld \
--with-moduledir=%{_libdir}/frr/modules \
--with-crypto=openssl \
--enable-fpm
%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
pushd doc
make info
popd
#SELinux policy
%if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 selinux/%{name}.pp
%endif
%install
mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
%{buildroot}/var/log/frr %{buildroot}%{_infodir} \
%{buildroot}%{_unitdir}
mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
mkdir -p %{buildroot}%{_tmpfilesdir}
%make_install
# Remove this file, as it is uninstalled and causes errors when building on RH9
rm -rf %{buildroot}/usr/share/info/dir
install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr
%if 0%{?with_selinux}
install -D -m 644 selinux/%{name}.pp.bz2 \
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
rm %{buildroot}%{_libdir}/frr/*.la
rm %{buildroot}%{_libdir}/frr/modules/*.la
#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
rm %{buildroot}%{_libdir}/frr/*.so
rm -r %{buildroot}%{_includedir}/frr/
%pre
getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || :
getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || :
getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
-c "FRRouting suite" -d %{_localstatedir}/run/frr frr || :
usermod -aG frrvty frr
%post
#Because we move files to /usr/libexec, we need to reload .service files as well
/usr/bin/systemctl daemon-reload
%systemd_post frr.service
if [ -f %{_infodir}/%{name}.inf* ]; then
install-info %{_infodir}/frr.info %{_infodir}/dir || :
fi
# Create dummy files if they don't exist so basic functions can be used.
if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then
echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf
chown frr:frr %{_sysconfdir}/frr/zebra.conf
chmod 640 %{_sysconfdir}/frr/zebra.conf
fi
if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf
chmod 640 %{_sysconfdir}/frr/vtysh.conf
chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
fi
#Making sure that the old format of config file still works
#Checking whether .rpmnew conf file is present - in that case I want to change the old config
if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then
sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons
sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons
fi
%postun
%systemd_postun_with_restart frr.service
#only when removing the package
if [ $1 -ge 0 ]; then
if [ -f %{_infodir}/%{name}.inf* ]; then
install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
fi
fi
%preun
%systemd_preun frr.service
#SELinux
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
if [ $1 == 2 ]; then
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
fi
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
%selinux_relabel_post -s %{selinuxtype}
fi
%endif
%check
make check PYTHON=%{__python3}
%files
%defattr(-,root,root)
%license COPYING
%doc zebra/zebra.conf.sample
%doc isisd/isisd.conf.sample
%doc ripd/ripd.conf.sample
%doc bgpd/bgpd.conf.sample*
%doc ospfd/ospfd.conf.sample
%doc ospf6d/ospf6d.conf.sample
%doc ripngd/ripngd.conf.sample
%doc pimd/pimd.conf.sample
%doc doc/mpls
%dir %attr(740,frr,frr) %{_sysconfdir}/frr
%dir %attr(755,frr,frr) /var/log/frr
%dir %attr(755,frr,frr) /run/frr
%{_infodir}/*info*
%{_mandir}/man*/*
%dir %{frr_libdir}/
%{frr_libdir}/*
%{_bindir}/*
%dir %{_libdir}/frr
%{_libdir}/frr/*.so.*
%dir %{_libdir}/frr/modules/
%{_libdir}/frr/modules/*
%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
%config(noreplace) /etc/pam.d/frr
%{_unitdir}/*.service
%dir /usr/share/yang
/usr/share/yang/*.yang
%{_tmpfilesdir}/%{name}.conf
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%endif
%changelog
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-22
- Resolves: RHEL-22303 - Zebra not fetching host routes
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-21
- Resolves: RHEL-2216 - NULL pointer dereference
* Wed Feb 07 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-20
- Resolves: RHEL-4797 - missing length check in bgp_attr_psid_sub() can lead do DoS
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-19
- Resolves: RHEL-14824 - crafted BGP UPDATE message leading to a crash
* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 7.5.1-18
- Resolves: RHEL-14821 - mishandled malformed data leading to a crash
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-17
- Resolves: RHEL-6583 - Routes are not refreshed after changing the inbound route rules from deny to permit
* Tue Dec 19 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-16
- Resolves: RHEL-15916 - Flowspec overflow in bgpd/bgp_flowspec.c
- Resolves: RHEL-15919 - Out of bounds read in bgpd/bgp_label.c
- Resolves: RHEL-15869 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
- Resolves: RHEL-15868 - crash from malformed EOR-containing BGP UPDATE message
* Thu Oct 19 2023 Andreas Karis <akaris@redhat.com> - 7.5.1-15
- Resolves: RHEL-12039 - crash in plist update
* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-14
- Resolves: RHEL-6617 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration
* Wed Aug 23 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-12
- Resolves: #2216911 - Adding missing sys_admin SELinux call
* Mon Aug 21 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-11
- Related: #2216911 - Adding unconfined_t type to access namespaces
* Thu Aug 17 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-10
- Related: #2226803 - Adding patch
* Wed Aug 16 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-9
- Resolves: #2226803 - BFD crash in FRR running in MetalLB
* Fri Aug 11 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-8
- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces
* Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
* Tue Nov 29 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-5
- Resolves: #2127140 - Frr is unable to push routes to the system routing table
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile
* Wed Aug 24 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
- Resolves: #1941765 - AVCs while running frr tests on RHEL 8.4.0 Beta-1.2
- Resolves: #1714984 - SELinux policy (daemons) changes required for package
* Wed May 11 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
- Resolves: #2018451 - Rebase of frr to version 7.5.1
- Resolves: #1975361 - the dynamic routing setup does not work any more
* Wed Jan 05 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-11
- Resolves: #2034328 - Bfdd crash in metallb CI
* Tue Jan 04 2022 Michal Ruprich <mruprich@redhat.com> - 7.5-10
- Resolves: #2020878 - frr ospfd show ip ospf interface does not show designated router info
* Fri Dec 10 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-9
- Resolves: #2029958 - FRR reloader generating invalid BFD configurations, exits with error
* Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-8
- Resolves: #2021819 - Rebuilding for the new json-c
* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-7
- Related: #1917269 - Wrong value in gating file
* Fri Sep 17 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-6
- Related: #1917269 - Incomplete patch, adding gating rules
* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-5
- Resolves: #1979426 - Unable to configure OSPF in multi-instance mode
- Resolves: #1917269 - vtysh running-config output not showing bgp ttl-security hops option
* Tue Jan 12 2021 root - 7.5-4
- Related: #1889323 - Fixing start-up with old config file
* Mon Jan 11 2021 root - 7.5-3
- Related: #1889323 - Reverting to non-integrated cofiguration
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-2
- Related: #1889323 - Obsoleting frr-contrib
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
- Resolves: #1889323 - [RFE] Rebase FRR to 7.5
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-10
- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-9
- Resolves: #1852476 - default permission issue eases information leaks
* Tue May 05 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-8
- Resolves: #1819319 - frr fails to start start if the initscripts package is missing
* Mon May 04 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-7
- Resolves: #1758544 - IGMPv3 queries may lead to DoS
* Tue Mar 10 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-6
- Resolves: #1776342 - frr has missing dependency on iproute
* Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5
- Resolves: #1719465 - Removal of component Frr or its crypto
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-4
- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-3
- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel
* Wed May 29 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-1
- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8

1
ci.fmf Normal file
View File

@ -0,0 +1 @@
resultsdb-testcase: separate

4
frr-sysusers.conf Normal file
View File

@ -0,0 +1,4 @@
#Type Name ID GECOS Home directory Shell
g frrvty -
u frr - "FRRouting routing suite" /var/run/frr /sbin/nologin
m frr frrvty

0
SOURCES/frr-tmpfiles.conf → frr-tmpfiles.conf
View File

30
frr.fc Normal file
View File

@ -0,0 +1,30 @@
/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)
/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0)
/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0)
/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0)
/var/lib/frr(/.*)? gen_context(system_u:object_r:frr_var_lib_t,s0)
/run/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/lock/subsys/pathd -- gen_context(system_u:object_r:frr_lock_t,s0)
/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0)
/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0)

78
SOURCES/frr.if → frr.if
View File

@ -162,45 +162,73 @@ interface(`frr_admin',`
')
########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
######################################
## <summary>
## Read ifconfig_var_run_t files and link files
## Watch ifconfig_var_run_t directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`sysnet_read_ifconfig_run',`
interface(`sysnet_read_ifconfig_run',`
gen_require(`
type ifconfig_var_run_t;
')
ifndef(`sysnet_watch_ifconfig_run_dirs',`
interface(`sysnet_watch_ifconfig_run_dirs',`
gen_require(`
type ifconfig_var_run_t;
')
manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')
########################################
## <summary>
## Read unconfined_t files and dirs
## Read ifconfig_var_run_t files and link files
## </summary>
## <param name="domain">
## <summary>
## <summary>
## Domain allowed access.
## </summary>
## </summary>
## </param>
#
ifndef(`unconfined_read_files',`
interface(`unconfined_read_files',`
gen_require(`
type unconfined_t;
')
ifndef(`sysnet_read_ifconfig_run_files',`
interface(`sysnet_read_ifconfig_run_files',`
gen_require(`
type ifconfig_var_run_t;
')
allow $1 unconfined_t:file read_file_perms;
allow $1 unconfined_t:dir list_dir_perms;
')
list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')
########################################
## <summary>
## setattr admin_home_t files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
ifndef(`userdom_setattr_admin_files',`
interface(`userdom_setattr_admin_files',`
gen_require(`
type admin_home_t;
')
allow $1 admin_home_t:file setattr;
')
')

592
frr.spec Normal file
View File

@ -0,0 +1,592 @@
%global frr_libdir %{_libexecdir}/frr
%global _hardened_build 1
%global selinuxtype targeted
%define _legacy_common_support 1
%bcond grpc %{undefined rhel}
%bcond selinux 1
Name: frr
Version: 10.1
Release: 7%{?dist}
Summary: Routing daemon
License: GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later OR ISC) AND MIT
URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.conf
Source2: %{name}-sysusers.conf
#Decentralized SELinux policy
Source3: frr.fc
Source4: frr.te
Source5: frr.if
Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch
Patch0005: 0005-remove-grpc-test.patch
Patch0006: 0006-noprefixroute-network-manager.patch
Patch0007: 0007-CVE-2024-44070.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
BuildRequires: c-ares-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: git-core
BuildRequires: groff
%if %{with grpc}
BuildRequires: grpc-devel
BuildRequires: grpc-plugins
%endif
BuildRequires: json-c-devel
BuildRequires: libcap-devel
BuildRequires: libtool
BuildRequires: libyang-devel >= 2.1.148
BuildRequires: make
BuildRequires: ncurses
BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: patch
BuildRequires: perl-XML-LibXML
BuildRequires: perl-generators
BuildRequires: python3-devel
BuildRequires: python3-pytest
BuildRequires: python3-sphinx
BuildRequires: readline-devel
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: texinfo
BuildRequires: protobuf-c-devel
Requires: ncurses
Requires: net-snmp
Requires(post): hostname
%{?sysusers_requires_compat}
Requires(post): systemd
Requires(postun): systemd
Requires(preun): systemd
%if 0%{?with_selinux}
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
%endif
Obsoletes: quagga < 1.2.4-17
Provides: routingdaemon = %{version}-%{release}
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
a multi-server and multi-threaded approach to resolve the current complexity
of the Internet.
FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
EIGRP and BFD.
FRRouting is a fork of Quagga.
%if 0%{?with_selinux}
%package selinux
Summary: Selinux policy for FRR
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
SELinux policy modules for FRR package
%endif
%prep
%autosetup -S git
#Selinux
mkdir selinux
cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
%build
autoreconf -ivf
%configure \
--sbindir=%{frr_libdir} \
--sysconfdir=%{_sysconfdir}/frr \
--libdir=%{_libdir}/frr \
--libexecdir=%{_libexecdir}/frr \
--localstatedir=/var \
--enable-multipath=64 \
--enable-vtysh=yes \
--disable-ospfclient \
--disable-ospfapi \
--enable-snmp=agentx \
--enable-user=frr \
--enable-group=frr \
--enable-vty-group=frrvty \
--enable-rtadv \
--disable-exampledir \
--enable-systemd=yes \
--enable-static=no \
--disable-ldpd \
--disable-babeld \
--with-moduledir=%{_libdir}/frr/modules \
--with-yangmodelsdir=%{_datadir}/frr-yang/ \
--with-crypto=openssl \
--enable-fpm \
%{?with_grpc:--enable-grpc}
%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
# Build info documentation
%make_build -C doc info
#SELinux policy
%if 0%{?with_selinux}
make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
bzip2 -9 selinux/%{name}.pp
%endif
%install
mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
%{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
%{buildroot}%{_unitdir}
mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
mkdir -p %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}%{_sysusersdir}
%make_install
# Remove this file, as it is uninstalled and causes errors when building on RH9
rm -rf %{buildroot}%{_infodir}/dir
install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -p -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
install -p -m 644 tools/etc/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
install -d -m 775 %{buildroot}/run/frr
%if 0%{?with_selinux}
install -D -m 644 selinux/%{name}.pp.bz2 \
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
%endif
# Delete libtool archives
find %{buildroot} -type f -name "*.la" -delete -print
#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
rm %{buildroot}%{_libdir}/frr/*.so
rm -r %{buildroot}%{_includedir}/frr/
%pre
%sysusers_create_compat %{SOURCE2}
%post
%systemd_post frr.service
# Create dummy files if they don't exist so basic functions can be used.
if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
chown frr:frr %{_sysconfdir}/frr/frr.conf
chmod 640 %{_sysconfdir}/frr/frr.conf
fi
#still used by vtysh, this way no error is produced when using vtysh
if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
touch %{_sysconfdir}/frr/vtysh.conf
chmod 640 %{_sysconfdir}/frr/vtysh.conf
chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
fi
%postun
%systemd_postun_with_restart frr.service
%preun
%systemd_preun frr.service
#SELinux
%if 0%{?with_selinux}
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
if [ $1 == 2 ]; then
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
fi
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
%selinux_relabel_post -s %{selinuxtype}
fi
%endif
%check
#this should be temporary, the grpc test is just badly designed
rm tests/lib/*grpc*
%make_build check PYTHON=%{__python3}
%files
%license COPYING
%doc doc/mpls
%dir %attr(750,frr,frr) %{_sysconfdir}/frr
%dir %attr(755,frr,frr) %{_localstatedir}/log/frr
%dir %attr(755,frr,frr) /run/frr
%{_infodir}/*info*
%{_mandir}/man1/frr.1*
%{_mandir}/man1/vtysh.1*
%{_mandir}/man8/frr-*.8*
%{_mandir}/man8/mtracebis.8*
%dir %{frr_libdir}/
%{frr_libdir}/*
%{_bindir}/mtracebis
%{_bindir}/vtysh
%dir %{_libdir}/frr
%{_libdir}/frr/*.so.*
%dir %{_libdir}/frr/modules
%{_libdir}/frr/modules/*
%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/frr
%config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
%config(noreplace) %{_sysconfdir}/pam.d/frr
%{_unitdir}/*.service
%dir %{_datadir}/frr-yang/
%{_datadir}/frr-yang/*.yang
%{_tmpfilesdir}/%{name}.conf
%{_sysusersdir}/%{name}.conf
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{name}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%endif
%changelog
* Tue Nov 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-7
- Resolves: RHEL-54674 - Function bgpd/bgp_attr.c does not check the actual remaining stream length
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.1-6
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Wed Oct 23 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-5
- Resolves: RHEL-59899 - Replace NetworkManager patch in the current version
* Mon Sep 09 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
- Resolves: RHEL-56074 - frr AVCs after rebase to 10.1
* Mon Aug 26 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-3
- Related: RHEL-55747 - Adding libs_manage_lib_dirs for handling lib_t
* Sun Aug 25 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
- Related: RHEL-55747 - Adding new selinux rules
* Thu Aug 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
- New version 10.1
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 9.1-11
- Bump release for June 2024 mass rebuild
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-10
- Resolves: RHEL-32134 - buffer overflow and daemon crash in ospf_te_parse_ri
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-9
- Resolves: RHEL-32138 - buffer overflow in ospf_te_parse_ext_link
* Wed Jun 12 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-8
- Resolves: RHEL-34911 - null pointer via get_edge() function can trigger a denial of service
* Mon May 27 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-7
- Resolves: RHEL-38834 - Missing selinux rules for .history_frr file for FRR
* Thu Apr 18 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-6
- Resolves: RHEL-32128 - infinite loop
* Thu Apr 18 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-5
- Resolves: RHEL-32125 - bgpd daemon crash
* Tue Apr 16 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-4
- Moving yang modules to an frr specific directory to avoid conflicts
- Adding rpminspect.yaml
* Thu Apr 11 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-3
- Resolves: RHEL-32502 - frr fails to start: SELinux is preventing watchfrr from create access on the sock_file
* Sun Feb 04 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1-2
- Rebuilt for abseil-cpp-20240116.0
* Thu Jan 25 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-1
- New version 9.1
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Oct 16 2023 Michal Ruprich <mruprich@redhat.com> - 9.0.1-1
- New version 9.0.1
* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
- Adding a couple of SELinux rules, includes fix for rhbz#2149299
* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
- Rebuilt for abseil-cpp 20230802.0
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
- New version 8.5.2
- Fixing some rpmlint warnings
* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
- Disable grpc in RHEL builds
* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
- New version 8.5.1
* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
- New version 8.5
* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
- Rebuilding for new abseil-cpp version
* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
- SPDX migration
* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
- Build as C++17, required by abseil-cpp 20230125
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
- New version 8.4.2
* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
- New version 8.4.1
- Fix for rhbz #2140705
* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
- New version 8.4
* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
- Adding SELinux rule to enable zebra to write to sysctl_net_t
- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
- Fixing an error in post scriptlet
* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
- Resolves: #2124254 - frr can no longer update routes
* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
- Better handling FRR files during upgrade
* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
- New version 8.3.1
* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
- Rebuilding for new abseil-cpp and grpc updates
* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
- Adding vrrpd and pathd as daemons to the policy
* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
- Finalizing SELinux policy
* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
- Fixing wrong path for vtysh in frr.fc
* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
- Packaging SELinux policy for FRR
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
- Rebuild for grpc-1.46.1
* Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
- Fix for CVE-2022-16126
* Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
- New version 8.2.2
* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
- Rebuild for abseil-cpp 20211102.0
* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
- New version 8.2 (rhbz#2020439)
- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
* Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
- Rebuilding for FTBFS in Rawhide(rhbz#2045399)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
- Rebuilt for libre2.so.9
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
- Rebuilt for protobuf 3.19.0
* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
- Rebuilt for protobuf 3.18.1
* Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
- Obsoleting quagga so that it may be retired
* Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
- Rebuilding for grpc 1.41
* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
- Rebuild for new version of libyang
* Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
- Rebuild for grpc 1.40
* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
- Rebuilt with OpenSSL 3.0.0
* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
- New version 8.0.1
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
- Rebuilt with OpenSSL 3.0.0
* Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
- New version 8.0
* Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
- Rebuild for grpc 1.39
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jul 20 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
- Resolves: #1983278 - ospfd crashes in route_node_delete with assertion fail
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 7.5.1-6
- Rebuild for versioned symbols in json-c
* Wed Jul 07 2021 Neal Gompa <ngompa@datto.com> - 7.5.1-5
- Clean up the spec file for legibility and modern spec standards
- Remove unneeded info scriptlets
- Use systemd-sysusers for frr user and frrvty group
- Use git-core instead of git for applying patches
- Drop redundant build dependencies
* Wed Jul 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
- Rebuild for newer abseil-cpp
* Tue May 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-3
- Rebuild for grpc 1.37
* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
- Fixing permissions on config files in /etc/frr
- Enabling integrated configuration option for frr
* Fri Mar 12 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
- New version 7.5.1
- Enabling grpc, adding hostname for post scriptlet
- Moving files to libexec due to selinux issues
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7.5-4
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
- Fixing FTBS - icc options are confusing the new gcc
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
- New version 7.5
* Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1
- New version 7.4
* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4
- Rebuilt for new net-snmp release
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1
- New version 7.3.1
- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
* Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6
- Removing texi2html, it is not available in Rawhide anymore
* Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5
- Rebuild for new version of libyang
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4
- Rebuild (json-c)
* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3
- Update json-c-0.14 patch with a solution from upstream
* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2
- Add support for upcoming json-c 0.14.0
* Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1
- New version 7.3
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 7.2-1
- New version 7.2
* Tue Nov 12 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-5
- Rebuilding for new version of libyang
* Mon Oct 07 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-4
- Adding noreplace to the /etc/frr/daemons file
* Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3
- New way of finding python version during build
- Replacing crypto of all routing daemons with openssl
- Disabling EIGRP crypto because it is broken
- Disabling crypto in FIPS mode
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 25 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-1
- New version 7.1
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
- Initial build

38
SOURCES/frr.te → frr.te
View File

@ -27,13 +27,21 @@ systemd_unit_file(frr_unit_file_t)
type frr_var_run_t;
files_pid_file(frr_var_run_t)
type frr_var_lib_t;
files_type(frr_var_lib_t)
########################################
#
# frr local policy
#
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create;
allow frr_t self:netlink_generic_socket create;
allow frr_t self:netlink_generic_socket setopt;
allow frr_t self:netlink_generic_socket getopt;
allow frr_t self:netlink_generic_socket getattr;
allow frr_t self:netlink_generic_socket bind;
allow frr_t self:packet_socket create_socket_perms;
allow frr_t self:process { setcap setpgid };
allow frr_t self:rawip_socket create_socket_perms;
allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@ -49,6 +57,10 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
allow frr_t frr_tmp_t:file map;
manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@ -70,6 +82,7 @@ can_exec(frr_t, frr_exec_t)
kernel_read_network_state(frr_t)
kernel_rw_net_sysctls(frr_t)
kernel_read_system_state(frr_t)
kernel_request_load_module(frr_t)
auth_use_nsswitch(frr_t)
@ -78,11 +91,13 @@ corecmd_exec_bin(frr_t)
corenet_tcp_bind_appswitch_emp_port(frr_t)
corenet_udp_bind_bfd_control_port(frr_t)
corenet_udp_bind_bfd_echo_port(frr_t)
corenet_udp_bind_bfd_multi_port(frr_t)
corenet_tcp_bind_bgp_port(frr_t)
corenet_tcp_connect_bgp_port(frr_t)
corenet_udp_bind_all_unreserved_ports(frr_t);
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_cmadmin_port(frr_t)
corenet_udp_bind_cmadmin_port(frr_t)
corenet_tcp_bind_firepower_port(frr_t)
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_priority_e_com_port(frr_t)
corenet_udp_bind_router_port(frr_t)
corenet_tcp_bind_qpasa_agent_port(frr_t)
@ -93,25 +108,19 @@ corenet_tcp_bind_zebra_port(frr_t)
domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t)
fs_search_cgroup_dirs(frr_t)
sysnet_exec_ifconfig(frr_t)
sysnet_read_ifconfig_run(frr_t)
sysnet_read_ifconfig_run_files(frr_t)
sysnet_watch_ifconfig_run_dirs(frr_t)
ipsec_domtrans_mgmt(frr_t)
userdom_read_admin_home_files(frr_t)
init_signal(frr_t)
init_signal_script(frr_t)
init_signull_script(frr_t)
optional_policy(`
logging_send_syslog_msg(frr_t)
')
optional_policy(`
unconfined_read_files(frr_t)
')
optional_policy(`
modutils_exec_kmod(frr_t)
modutils_getattr_module_deps(frr_t)
@ -126,4 +135,5 @@ optional_policy(`
optional_policy(`
userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
userdom_setattr_admin_files(frr_t, frr_conf_t, file, ".history_frr")
')

25
gating.yaml Normal file
View File

@ -0,0 +1,25 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
#Rawhide
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
#gating rhel
--- !Policy
product_versions:
- rhel-*
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

36
plans.fmf Normal file
View File

@ -0,0 +1,36 @@
/tier1-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/tier1/internal
/tier1-public:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/tier1/public
/tier2-tier3-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/tier2-tier3/internal
/tier2-tier3-public:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/tier2-tier3/public
/others-internal:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/others/internal
/others-public:
plan:
import:
url: https://src.fedoraproject.org/tests/frr.git
name: /plans/others/public

7
rpminspect.yaml Normal file
View File

@ -0,0 +1,7 @@
---
runpath:
allowed_paths:
- /usr/lib64/frr
- /usr/lib/frr
inspections:
badfuncs: off

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (frr-10.1.tar.gz) = 7484238a502ab12f178e4a210e6e4a33d0ce53edbb49b127fdc3167e31dd61c1122c1ef2d30e4bcb83b7f520b37fb9ad73e2a6a16790b608b1adf2e23b556445
SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d