| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* bgp_attr.c
* bgp_attr_cluster_list(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra arguments
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* bgp_attr.c
* bgp_attr_originator_id(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra arguments
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
IPv6 supports the same concept of differentiated service for routing
protocols as IPv4, but like too many things, the standards committee
decided that having two names for the same thing wasn't good enough and
introduced a third more generic term transport class.
The socket option to set transport class works the same as IPv4, but the
arguments are different.
* lib/sockopt.[ch]
* setsockopt_ipv6_tclass(): new function
* bgpd/bgp_network.c
* bgp_connect(): set socket option
* bgp_listener(): set socket option
* ospf6d/ospf6_network.c
* ospf6_set_transport_class(): new function
* ospf6_serv_sock(): set socket option
* ripngd/ripngd.c
* ripng_make_socket(): set socket option
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Commit 2febf323411c1aed9d7694898f852ce2ef36a7e5 assumed every flag
bit except optional/transitive/partial unset, which at times could
not be true for "extended length" bit.
* bgp_attr.c
* bgp_attr_origin(): exclude BGP_ATTR_FLAG_EXTLEN from comparison
* bgp_attr_nexthop(): idem
* bgp_attr_med(): idem
* bgp_attr_local_pref(): idem
* bgp_attr_atomic(): idem
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
"While setting up a testbed, I ran across a little problem in the
parsing of the "graceful restart" BGP capability that resulted in
Quagga not actually activating it for the peer in question - when
the peer sent a single AFI/SAFI block."
* bgp_open.c
* bgp_capability_restart(): actually process the last AFI/SAFI block
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* bgp_attr.c
* bgp_attr_parse(): provide extra argument to bgp_attr_aggregator()
* bgp_attr_local_pref(): use bgp_notify_send_with_data()
* bgp_attr_atomic(): idem
* bgp_attr_aggregator(): idem
Conflicts:
bgpd/bgp_attr.c
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Do not check each of the Optional/Transitive/Partial attribute
flag bits, when their only valid combination is known in advance,
but still perform bit-deep error message logging. This change
assumes unused (low-order) 4 bits of the flag octet cleared.
* bgp_attr.c
* bgp_attr_origin(): rewrite check
* bgp_attr_nexthop(): idem
* bgp_attr_med(): idem
* bgp_attr_local_pref(): idem
* bgp_attr_atomic(): idem
Conflicts:
bgpd/bgp_attr.c
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
ORIGIN handling function used to have "partial" bit check and recent
commits added it for NEXT_HOP, MULTI_EXIT_DISC and ATOMIC_AGGREGATE
cases. This commit adds "partial" check for AS_PATH and LOCAL_PREF
cases, which should leave attributes 1 through 6 inclusive completely
covered with attribute flags checks.
* bgp_attr.c
* bgp_attr_origin(): use bit-by-bit checks for better diagnostics
* bgp_attr_aspath(): add flag check
* bgp_attr_local_pref(): idem
Conflicts:
bgpd/bgp_attr.c
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* lib/prefix.h
* IPV4_CLASS_DE(): new helper macro
* bgp_attr.c
* bgp_attr_nexthop(): add check for "partial" bit, refresh flag error
reporting, explain meaning of RFC4271 section 6.3 and implement it
Conflicts:
bgpd/bgp_attr.c
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- SAFI value 3 is reserved. It was assigned by RFC 2858 for a use
that was never fully implemented, so it is deprecated by this
document.
* zebra.h: rename macro
* bgp_fsm.c: (bgp_graceful_restart_timer_expire,
bgp_graceful_stale_timer_expire, bgp_stop, bgp_establish): update
* bgpd.c: (peer_nsf_stop): update
* bgp_open.c: (bgp_capability_vty_out): SAFI 3 isn't a recognized case
any more
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
(with resolved conflict in bgpd/bgp_packet.c)
Two macros resolving to the same integer constant broke a case block and
a more thorough merge of BGP_SAFI_VPNV4 and BGP_SAFI_VPNV6 was
performed.
* bgpd.h: MPLS-labeled VPN SAFI is AFI-independent, switch to single
* macro
* bgp_capability_test.c: update test data
* bgp_mp_attr_test.c: idem
* bgp_route.c: (bgp_maximum_prefix_overflow, bgp_table_stats_vty) update
macro and check conditions (where appropriate)
* bgp_packet.c: (bgp_route_refresh_send, bgp_capability_send,
bgp_update_receive, bgp_route_refresh_receive): idem
* bgp_open.c: (bgp_capability_vty_out, bgp_afi_safi_valid_indices,
bgp_open_capability_orf, bgp_open_capability): idem
* bgp_attr.c: (bgp_mp_reach_parse, bgp_packet_attribute,
bgp_packet_withdraw): idem
|
| | |/
| |
| |
| |
| | |
* bgpd.h: change value of BGP_SAFI_VPNV6 to 128 (RFC4659, BZ#659)
* bgp_route.c: (bgp_table_stats_vty) fix length argument to strncmp()
|
| | |
| |
| |
| |
| |
| | |
* bgp_debug.c (bgp_notify_open_msg, bgp_notify_update_msg,
bgp_notify_cease_msg, bgp_notify_capability_msg): add messages for
"unspecific" subcode.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* bgp_attr.c
* bgp_attr_atomic(): accept extra argument, add checks for
"optional", "transitive" and "partial" bits, log each error
condition independently
* bgp_attr_parse(): provide extra argument
|
| | |
| |
| |
| |
| |
| | |
* bgp_attr.c
* bgp_attr_med(): add checks for "optional", "transitive" and
"partial" bits, log each error condition independently
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* bgp_attr.c
* bgp_attr_local_pref(): accept extra argument, add checks for
"optional" and "transitive" bits, log each error condition
independently
* bgp_attr_parse(): provide extra argument
|
| | |
| |
| |
| |
| | |
* bgp_packet.c
* bgp_notify_send_with_data(): add calls to zlog_info()
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
* ecommunity_ecom2str(): perform size check earlier
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some changes to symtab.c had broken the symbol reference handling for
prefix-lists in plist.c
This commit further "improves" the symbol table functions, to support
current use rather better. One key change is that the symbol table
supports the notion of a symbol which is "set", so has some value other
than its name.
In the case of prefix-lists, a prefix-list is "set" when there is at
least one (valid) entry or a description has been set.
Changes include:
* small changes in bgpd/bgp_clist.c where symbol table function names
have changed and other small differences.
* similarly in bgpd/bgp_peer_index.c, but here also clarified ownership
of the peer index entries, and ensured that the symbol table stuff
does *not* free same.
* in bgpd/bgp_route.c fixed the handling of references to prefix-lists.
Newer symbol handling more clearly identifies when a symbol has some
value "set".
* in bgpd/bgp_vty.c similarly, when showing state of filtering the "*"
against a prefix-list means it is "set".
* in lib/plist.c -- adjust to newer symbol table stuff. Fix issues
will add_hook and delete_hook. Changed lookup so that if plist
is not set, then lookup will return not-found -- so works as
before (!).
* adjusted test for symbol stuff.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* fix stream_put() to accept NULL src (again).
* changed how vty terminal reports time-out and end-of-file,
and made --more-- show the same as ordinary cli.
* tighten on or two stream functions, to cope if for some
reason the getp > endp or endp > size.
* update documentation in vio_lines.c
* fixed (potential) bug which would have tripped up --more--
if were to be required while outputting notification for a
cancel operation.
* as a new command loop is set up, make sure all start in
vst_cmd_running_executing, so that output will be dispatched.
* fix uty_std_out_push() and uty_vtysh_out_push to take notice
of vst_cmd_running and vst_cmd_executing and change to
vst_cmd_complete as required.
* fix handling of hold_mark in VOUT_TERM obuf an line control.
* fix various state related issues for vtysh server and the
vtysh itself.
* when vtysh connects to a daemon, the daemon responds with
its name and version number.
TBD: the vtysh to check that version is as expected !
* clarified handling of errors in vtysh... distinguishing
errors reported by the client daemon, and errors in the
mechanics of talking to the client daemon.
~
|
| | |
| |
| |
| |
| |
| |
| |
| | |
In particular, do not install in VIEW_NODE, where it prevents "en" being
a short form of "enable".
Also: change privilege handling so that can run bgpd --dryrun without
needing to be a privileged user.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
NB: this is a partial interim version -- NOT for production.
Reinstate vtysh. In bgpd: cope better with generating oversize messages.
The "pipework" branch is no more. There is now "euro_ix" and "euro_ix_b",
where 'b' stands for 'bleedin'. The "pipework" is currently in 'bleedin'.
Version updated to: 0.99.18ex20b
Major changes in this commit:
* modified bgpd to avoid crashing if an oversize message is created.
At present, any oversize messages are simply discarded. This may be a
mistake... since it is possible that some routes that should have been
withdrawn are not. TBA.
The stream lib facilities have been overhauled to may this easier.
* restoring vtysh.
At present the vtysh is thought to work, except that it does not
currently create integrated configuration files.
For the time being, *only* the following compile:
lib, bgpd, zebra, vtysh, tests
All other daemons will fail to compile, and must be disabled.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Functions to output scaled decimal and binary numbers were implemented
for memory show commands. Those have been generalised and placed in
the qfstring.c.
The memory show commands have been updated to use the newer functions,
and a small test program for those has been implemeted.
Other small updates to qfstring.c, qstring.c and qpath.c.
|
| |\ \ |
|
| | | |
| | |
| | |
| | | |
Some small changes to accomodate same.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bring in fixes for bgp dumping with pthreaded BGP Engine.
Bring in new "show nexus xxx" command.
Fix removal of '~' prompt.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Modified the symbol table so that the name of the symbol is now
a property of its value -- which simplifies some of the semantics,
because the name no longer has a separate existence (a name which
refers to an empty or undefined value is now a matter for the
value, not for the symbol table). It also allows for the symbol
table to be used where the value and the name are almost
indistinguishable.
Introduced AVL tree to support large prefix lists, routemaps,
etc. etc.
Updated testsymtab and added testavl.
Updated exiting use of the symbol table.
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Merge with euro_ix branch v0.99.18ex17.
Update version to: 0.99.18ex18p
Of particular note:
* includes support for GTSM:
neighbor ... ttl-security hops X
no neighbor ... ttl-security hops X
where X is 1-254. For usual case of immediately connected
peer, X == 1.
Cannot set ttl-security while ebgp-multihop is set, and
vice-versa.
If underlying O/S does not support GTSM, then will set ttl
as per ebgp-multihop.
In passing, have fixed various bugs in the main Quagga branch.
* initial support for draft-ietf-idr-optional-transitive
Does not yet support "neighbor-complete" flag.
* main Quagga now uses TCP_CORK and permanent non-blocking
Do not beleive TCP_CORK to be necessary for euro_ix code...
which has a different buffering strategy.
The euro_ix code already runs sockets permanently non-blocking.
* various fixes to attribute intern/unintern
Trying to remove memory leaks. Nobody seems convinced that
this has been perfected, yet.
* fixes for ospfd and ospf6d issues.
Up to date with master branch up to:
commit 538cb284864c17de66152a5236db4cd80e3e7639
Merge: 036a6e6 8ced4e8
Author: Paul Jakma <paul@quagga.net>
Date: Fri Jul 29 18:21:50 2011 +0100
|
| | |\|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Create euro_ix branch.
Update version to: 0.99.18ex17
Of particular note:
* includes support for GTSM:
neighbor ... ttl-security hops X
no neighbor ... ttl-security hops X
where X is 1-254. For usual case of immediately connected
peer, X == 1.
Cannot set ttl-security while ebgp-multihop is set, and
vice-versa.
If underlying O/S does not support GTSM, then will set ttl
as per ebgp-multihop.
In passing, have fixed various bugs in the main Quagga branch.
* initial support for draft-ietf-idr-optional-transitive
Does not yet support "neighbor-complete" flag.
* main Quagga now uses TCP_CORK and permanent non-blocking
Do not beleive TCP_CORK to be necessary for euro_ix code...
which has a different buffering strategy.
The euro_ix code already runs sockets permanently non-blocking.
* various fixes to attribute intern/unintern
Trying to remove memory leaks. Nobody seems convinced that
this has been perfected, yet.
* fixes for ospfd and ospf6d issues.
Up to date with master branch up to:
commit 538cb284864c17de66152a5236db4cd80e3e7639
Merge: 036a6e6 8ced4e8
Author: Paul Jakma <paul@quagga.net>
Date: Fri Jul 29 18:21:50 2011 +0100
|
| | | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Contains BGP fixes:
- set extcommunity crash: tihs patch tries to make the refcounting more robust
but does not fully solve the problem, sadly.
- BGP attribute error handling: Little testing.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* BGP error handling generally boils down to "reset session". This was fine
when all BGP speakers pretty much understood all BGP messages. However
the increasing deployment of new attribute types has shown this approach
to cause problems, in particular where a new attribute type is "tunneled"
over some speakers which do not understand it, and then arrives at a speaker
which does but considers it malformed (e.g. corruption along the way, or
because of early implementation bugs/interop issues).
To mitigate this drafts before the IDR (likely to be adopted) propose to
treat errors in partial (i.e. not understood by neighbour), optional
transitive attributes, when received from eBGP peers, as withdrawing only
the NLRIs in the affected UPDATE, rather than causing the entire session
to be reset. See:
http://tools.ietf.org/html/draft-scudder-idr-optional-transitive
* bgp_aspath.c: (assegments_parse) Replace the "NULL means valid, 0-length
OR an error" return value with an error code - instead taking
pointer to result structure as arg.
(aspath_parse) adjust to suit previous change, but here NULL really
does mean error in the external interface.
* bgp_attr.h (bgp_attr_parse) use an explictly typed and enumerated
value to indicate return result.
(bgp_attr_unintern_sub) cleans up just the members of an attr, but not the
attr itself, for benefit of those who use a stack-local attr.
* bgp_attr.c: (bgp_attr_unintern_sub) split out from bgp_attr_unintern
(bgp_attr_unintern) as previous.
(bgp_attr_malformed) helper function to centralise decisions on how to
handle errors in attributes.
(bgp_attr_{aspathlimit,origin,etc..}) Use bgp_attr_malformed.
(bgp_attr_aspathlimit) Subcode for error specifc to this attr should be
BGP_NOTIFY_UPDATE_OPT_ATTR_ERR.
(bgp_attr_as4_path) be more rigorous about checks, ala bgp_attr_as_path.
(bgp_attr_parse) Adjust to deal with the additional error level that
bgp_attr_ parsers can raise, and also similarly return appropriate
error back up to (bgp_update_receive). Try to avoid leaking as4_path.
* bgp_packet.c: (bgp_update_receive) Adjust to deal with BGP_ATTR_PARSE_WITHDRAW
error level from bgp_attr_parse, which should lead to a withdraw, by
making the attribute parameter in call to (bgp_nlri_parse) conditional
on the error, so the update case morphs also into a withdraw.
Use bgp_attr_unintern_sub from above, instead of doing this itself.
Fix error case returns which were not calling bgp_attr_unintern_sub
and probably leaking memory.
* tests/aspath_test.c: Fix to work for null return with bad segments
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
extcom..'
* Extended communities has some kind of resource allocation problem which
causes a double-free if the 'set extcommunity ...' command is used.
Try fix by properly interning extcommunities.
Also, more generally, make unintern functions take a double pointer
so they can NULL out callers references - a usefully defensive programming
pattern for functions which make refs invalid.
Sadly, this patch doesn't fix the problem entirely - crashes still
occur on session clear.
* bgp_ecommunity.h: (ecommunity_{free,unintern}) take double pointer
args.
* bgp_community.h: (community_unintern) ditto
* bgp_attr.h: (bgp_attr_intern) ditto
* bgp_aspath.h: (bgp_aspath.h) ditto
* (general) update all callers of above
* bgp_routemap.c: (route_set_ecommunity_{rt,soo}) intern the new extcom added
to the attr, and unintern any old one.
(route_set_ecommunity_{rt,soo}_compile) intern the extcom to be used
for the route-map set.
(route_set_ecommunity_*_free) unintern to match, instead of free
(route_set_ecommunity_soo) Do as _rt does and don't just leak
any pre-existing community, add to it (is additive right though?)
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Some of the changes made in commit cddb8112b80fa9867156c637d63e6e79eeac67bb
don't work particularly well for other changes that need to be made to
address BGP attribute error handling problems. In particular, returning
a pointer from complex attribute data parsing functions will not suffice
to express the require range of return status conditions.
* bgp_aspath.c: (assegments_parse) Rollback to a more minimal set of
changes to fix the original problem.
(aspath_parse) Slightly needless pushing around of code, and taking
2 parameters to say whether ot use 2 or 4 byte encoding seems unnecessary.
* bgp_attr.c: (bgp_attr_as{,4}path) Rollback, in preparation for BGP
attribute error handling update.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_aspath.c: (assegments_parse) just bail early if length doesn't match
and fix the formatting.
* bgp_network.c: add include needed for set_nonblocking
* bgp_packet.c: formatting
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_routemap.c: (route_set_community_delete) When deleting a
community in a route-map the old community was being orphaned. Like
the description of the same code in route_set_community, this is a
hack, not a true fix.
|
| | | | |
| | | |
| | | |
| | | | |
This reverts commit 2c9fd7e07283b8904ef20030c9dadb032e999b12.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_attr.c: (attrhash_key_make) 98e30f should have changed jhash2 to jhash.
These kinds of merge errors would be reduced and life would be easier if
people would submit fully-formed fixes that could be chucked directly into
git-am.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgpd.h: Add error code for setting GTSM on iBGP
* bgpd.c: (peer_ttl_security_hops_set) use previous error code and signal
incompatibility of GTSM+iBGP to vty.
Consider the session state when setting GTSM, and reset Open/Active peers
to let them pick up new TTL from start.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_vty.c: (peer_ebgp_multihop_{un,}set_vty) tail-call cleanup.
({no_,}neighbor_ttl_security) ditto.
* bgpd.c: (peer_ttl_security_hops_set) Peer group checks and TTL set only
need to be done on transition.
* sockunion.c: (sockopt_minttl) remove always-on debug and improve readability.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgpd: Add support for RFC 5082 GTSM, which allows the TTL field to be used
to verify that incoming packets have been sent from neighbours no more
than X IP hops away. In other words, this allows packets that were sent from
further away (i.e. not by the neighbour with known distance, and so possibly
a miscreant) to be filtered out.
* lib/sockunion.{c,h}: (sockopt_minttl) new function, to set a minimum TTL
using the IP_MINTTL socket opt.
* bgpd.h: (BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK) define for command
error for minttl.
(struct peer) add a config variable, to store the configured minttl.
(peer_ttl_security_hops_{set,unset}) configuration handlers
* bgpd.c: (peer_group_get) init gtsm_hops
(peer_ebgp_multihop_{un,}set) check for conflicts with GTSM. Multihop and
GTSM can't both be active for a peer at the same time.
(peer_ttl_security_hops_set) set minttl, taking care to avoid conflicts with
ebgp_multihop.
(bgp_config_write_peer) write out minttl as "neighbor .. ttl-security hops X".
* bgp_vty.c: (bgp_vty_return) message for
BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK
(peer_ebgp_multihop_{un,}set_vty)
* bgp_network.c: (bgp_accept) set minttl on accepted sockets if appropriate.
(bgp_connect) ditto for outbound.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_route.c: ({no_,}ipv6_bgp_network_ttl_cmd) depends on ipv6_bgp_network
which is HAVE_IPV6, so these should be too.
(bgp_route_init) and the installs should be similarly ifdefed
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_attr.c; (attrhash_key_make) s6_addr is only member of in6_addr
guaranteed to be available - s6_addr32 isn't. Fix to be more portable, and
thus allow compilation on BSD again.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgp_packet.c: (bgp_write) On BGP write, use TCP_CORK to provide hints to
kernel about TCP buffering. This will cause BGP packets to occur in
bigger chunks (full size MTU), improving performance and getting rid of
one of the problems reported in the UNH BGP conformance test.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* bgpd: Rather than toggling socket in/out of non-block mode, just leave it
in nonblocking mode.
One exception is in bgp_notify which only happens just before close.
|
