Merge commit '652be92a21f5575e5f74f6abe98eb4200b86776c' into haugesund

.gitlab-ci.yml

@@ -360,17 +360,17 @@ build-opensuse-15.3-amd64:
   <<: *build-linux
   image: registry.nic.cz/labs/bird:opensuse-15.3-amd64
 
-build-freebsd-11-amd64:
-  <<: *build-base
-  tags:
-    - freebsd
-    - amd64
+#build-freebsd-11-amd64:
+#  <<: *build-base
+#  tags:
+#    - freebsd
+#    - amd64
 
-build-freebsd-11-i386:
-  <<: *build-base
-  tags:
-    - freebsd
-    - i386
+#build-freebsd-11-i386:
+#  <<: *build-base
+#  tags:
+#    - freebsd
+#    - i386
 
 
 .pkg-deb: &pkg-deb

client/client.c

@@ -50,6 +50,7 @@ static byte *server_read_pos = server_read_buf;
 int init = 1;		/* During intial sequence */
 int busy = 1;		/* Executing BIRD command */
 int interactive;	/* Whether stdin is terminal */
+int last_code;		/* Last return code */
 
 static int num_lines, skip_input;
 int term_lns, term_cls;
@@ -196,7 +197,7 @@ init_commands(void)
     {
       /* Initial command is finished and we want to exit */
       cleanup();
-      exit(0);
+      exit((last_code < 8000) ? 0 : 1);
     }
 
   input_init();
@@ -283,6 +284,8 @@ server_got_reply(char *x)
       if (code)
         PRINTF(len, "%s\n", verbose ? x : x+5);
 
+      last_code = code;
+
       if (x[4] == ' ')
       {
         busy = 0;

distro/pkg/rpm/bird.service

@@ -5,8 +5,9 @@ After=network.target
 
 [Service]
 Type=simple
+ExecStartPre=/usr/sbin/bird -p
 ExecStart=/usr/sbin/bird -f -u bird -g bird
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/usr/sbin/birdc configure
 Restart=on-failure
 
 [Install]

doc/bird.sgml

@@ -2153,6 +2153,13 @@ protocol bfd [<name>] {
 	to configure separate BFD protocol instances for IPv4 and for IPv6
 	sessions.
 
+	<tag><label id="bfd-strict-bind">strict bind <m/switch/</tag>
+	Specify whether each BFD interface should use a separate listening
+	socket bound to its local address, or just use a shared listening socket
+	accepting all addresses. Binding to a specific address could be useful
+	in cases like running multiple BIRD instances on a machine, each
+	handling a different set of interfaces. Default: disabled.
+
 	<tag><label id="bfd-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag>
 	Interface definitions allow to specify options for sessions associated
 	with such interfaces and also may contain interface specific options.
@@ -5252,7 +5259,7 @@ Note that for negated matches, value must be either zero or equal to bitmask
 	<cf>port 1..1023,1194,3306</cf>).
 
 	<tag><label id="flow-dport">dport <m/numbers-match/</tag>
-	Set a mating destination port numbers (e.g. <cf>dport 49151</cf>).
+	Set a matching destination port numbers (e.g. <cf>dport 49151</cf>).
 
 	<tag><label id="flow-sport">sport <m/numbers-match/</tag>
 	Set a matching source port numbers (e.g. <cf>sport = 0</cf>).

filter/f-inst.c

@@ -737,6 +737,7 @@
       l->attrs[0].type = da.type;
       l->attrs[0].originated = 1;
       l->attrs[0].fresh = 1;
+      l->attrs[0].undef = 0;
 
       switch (da.type) {
       case EAF_TYPE_INT:

lib/ip.c

@@ -85,25 +85,29 @@ ip4_classify(ip4_addr ad)
   u32 a = _I(ad);
   u32 b = a >> 24U;
 
-  if (b && b <= 0xdf)
+  if (b < 0xe0)
   {
-    if (b == 0x7f)
+    if (b == 0x00)				/* 0.0.0.0/8        This network */
+      return IADDR_INVALID;
+
+    if (b == 0x7f)				/* 127.0.0.0/8      Loopback address */
       return IADDR_HOST | SCOPE_HOST;
-    else if ((b == 0x0a) ||
-	     ((a & 0xffff0000) == 0xc0a80000) ||
-	     ((a & 0xfff00000) == 0xac100000))
+
+    if ((b == 0x0a) ||				/* 10.0.0.0/8       Private range */
+	((a & 0xffff0000) == 0xc0a80000) ||	/* 192.168.0.0/16   Private range */
+	((a & 0xfff00000) == 0xac100000))	/* 172.16.0.0/12    Private range */
       return IADDR_HOST | SCOPE_SITE;
-    else
-      return IADDR_HOST | SCOPE_UNIVERSE;
+
+    return IADDR_HOST | SCOPE_UNIVERSE;
   }
 
-  if (b >= 0xe0 && b <= 0xef)
+  if (b < 0xf0)					/* 224.0.0.0/4      Multicast address */
     return IADDR_MULTICAST | SCOPE_UNIVERSE;
 
-  if (a == 0xffffffff)
+  if (a == 0xffffffff)				/* 255.255.255.255  Broadcast address */
     return IADDR_BROADCAST | SCOPE_LINK;
 
-  return IADDR_INVALID;
+  return IADDR_HOST | SCOPE_SITE;		/* 240.0.0.0/4      Reserved / private */
 }
 
 int

nest/rt-table.c

@@ -2294,7 +2294,7 @@ static void
 rt_prune_table(rtable *tab)
 {
   struct fib_iterator *fit = &tab->prune_fit;
-  int limit = 512;
+  int limit = 2000;
 
   struct rt_import_hook *ih;
   node *n, *x;

proto/babel/babel.c

@@ -862,14 +862,14 @@ babel_send_ihus(struct babel_iface *ifa)
 }
 
 static void
-babel_send_hello(struct babel_iface *ifa)
+babel_send_hello(struct babel_iface *ifa, uint interval)
 {
   struct babel_proto *p = ifa->proto;
   union babel_msg msg = {};
 
   msg.type = BABEL_TLV_HELLO;
   msg.hello.seqno = ifa->hello_seqno++;
-  msg.hello.interval = ifa->cf->hello_interval;
+  msg.hello.interval = interval ?: ifa->cf->hello_interval;
 
   TRACE(D_PACKETS, "Sending hello on %s with seqno %d interval %t",
 	ifa->ifname, msg.hello.seqno, (btime) msg.hello.interval);
@@ -1577,7 +1577,7 @@ babel_iface_timer(timer *t)
 
   if (now_ >= ifa->next_hello)
   {
-    babel_send_hello(ifa);
+    babel_send_hello(ifa, 0);
     ifa->next_hello += hello_period * (1 + (now_ - ifa->next_hello) / hello_period);
   }
 
@@ -1624,7 +1624,7 @@ babel_iface_start(struct babel_iface *ifa)
   tm_start(ifa->timer, 100 MS);
   ifa->up = 1;
 
-  babel_send_hello(ifa);
+  babel_send_hello(ifa, 0);
   babel_send_wildcard_retraction(ifa);
   babel_send_wildcard_request(ifa);
   babel_send_update(ifa, 0);	/* Full update */
@@ -2435,6 +2435,11 @@ babel_iface_shutdown(struct babel_iface *ifa)
 {
   if (ifa->sk)
   {
+    /*
+     * Retract all our routes and lower the hello interval so peers' neighbour
+     * state expires quickly
+     */
+    babel_send_hello(ifa, BABEL_MIN_INTERVAL);
     babel_send_wildcard_retraction(ifa);
     babel_send_queue(ifa);
   }

proto/babel/packets.c

@@ -2010,7 +2010,7 @@ babel_auth_sign(struct babel_iface *ifa, ip_addr dest)
   }
 
   DBG("Added MAC signatures (%d bytes) on ifa %s for dest %I\n",
-      tot_len, ifa->ifname, dest);
+      pos - (pkt + len), ifa->ifname, dest);
 
   return pos - (pkt + len);
 }

proto/bfd/bfd.c

@@ -582,6 +582,9 @@ bfd_get_iface(struct bfd_proto *p, ip_addr local, struct iface *iface)
   ifa->sk = bfd_open_tx_sk(p, local, iface);
   ifa->uc = 1;
 
+  if (cf->strict_bind)
+    ifa->rx = bfd_open_rx_sk_bound(p, local, iface);
+
   add_tail(&p->iface_list, &ifa->n);
 
   return ifa;
@@ -599,6 +602,12 @@ bfd_free_iface(struct bfd_iface *ifa)
     rfree(ifa->sk);
   }
 
+  if (ifa->rx)
+  {
+    sk_stop(ifa->rx);
+    rfree(ifa->rx);
+  }
+
   rem_node(&ifa->n);
   mb_free(ifa);
 }
@@ -1031,17 +1040,20 @@ bfd_start(struct proto *P)
 
   birdloop_enter(p->loop);
 
-  if (cf->accept_ipv4 && cf->accept_direct)
-    p->rx4_1 = bfd_open_rx_sk(p, 0, SK_IPV4);
+  if (!cf->strict_bind)
+  {
+    if (cf->accept_ipv4 && cf->accept_direct)
+      p->rx4_1 = bfd_open_rx_sk(p, 0, SK_IPV4);
 
-  if (cf->accept_ipv4 && cf->accept_multihop)
-    p->rx4_m = bfd_open_rx_sk(p, 1, SK_IPV4);
+    if (cf->accept_ipv4 && cf->accept_multihop)
+      p->rx4_m = bfd_open_rx_sk(p, 1, SK_IPV4);
 
-  if (cf->accept_ipv6 && cf->accept_direct)
-    p->rx6_1 = bfd_open_rx_sk(p, 0, SK_IPV6);
+    if (cf->accept_ipv6 && cf->accept_direct)
+      p->rx6_1 = bfd_open_rx_sk(p, 0, SK_IPV6);
 
-  if (cf->accept_ipv6 && cf->accept_multihop)
-    p->rx6_m = bfd_open_rx_sk(p, 1, SK_IPV6);
+    if (cf->accept_ipv6 && cf->accept_multihop)
+      p->rx6_m = bfd_open_rx_sk(p, 1, SK_IPV6);
+  }
 
   birdloop_leave(p->loop);
 
@@ -1095,7 +1107,8 @@ bfd_reconfigure(struct proto *P, struct proto_config *c)
   if ((new->accept_ipv4 != old->accept_ipv4) ||
       (new->accept_ipv6 != old->accept_ipv6) ||
       (new->accept_direct != old->accept_direct) ||
-      (new->accept_multihop != old->accept_multihop))
+      (new->accept_multihop != old->accept_multihop) ||
+      (new->strict_bind != old->strict_bind))
     return 0;
 
   birdloop_mask_wakeups(p->loop);

proto/bfd/bfd.h

@@ -47,6 +47,7 @@ struct bfd_config
   u8 accept_ipv6;
   u8 accept_direct;
   u8 accept_multihop;
+  u8 strict_bind;
 };
 
 struct bfd_iface_config
@@ -116,6 +117,7 @@ struct bfd_iface
   struct bfd_proto *bfd;
 
   sock *sk;
+  sock *rx;
   u32 uc;
   u8 changed;
 };
@@ -221,6 +223,7 @@ void bfd_show_sessions(struct proto *P);
 /* packets.c */
 void bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final);
 sock * bfd_open_rx_sk(struct bfd_proto *p, int multihop, int inet_version);
+sock * bfd_open_rx_sk_bound(struct bfd_proto *p, ip_addr local, struct iface *ifa);
 sock * bfd_open_tx_sk(struct bfd_proto *p, ip_addr local, struct iface *ifa);
 
 

proto/bfd/config.Y

@@ -23,7 +23,8 @@ CF_DECLS
 
 CF_KEYWORDS(BFD, MIN, IDLE, RX, TX, INTERVAL, MULTIPLIER, PASSIVE,
 	INTERFACE, MULTIHOP, NEIGHBOR, DEV, LOCAL, AUTHENTICATION,
-	NONE, SIMPLE, METICULOUS, KEYED, MD5, SHA1, IPV4, IPV6, DIRECT)
+	NONE, SIMPLE, METICULOUS, KEYED, MD5, SHA1, IPV4, IPV6, DIRECT,
+	STRICT, BIND)
 
 %type <iface> bfd_neigh_iface
 %type <a> bfd_neigh_local
@@ -48,6 +49,7 @@ bfd_proto_item:
  | INTERFACE bfd_iface
  | MULTIHOP bfd_multihop
  | NEIGHBOR bfd_neighbor
+ | STRICT BIND bool { BFD_CFG->strict_bind = $3; }
  ;
 
 bfd_proto_opts:

proto/bfd/packets.c

@@ -366,7 +366,9 @@ bfd_rx_hook(sock *sk, uint len)
     if (ps > BFD_STATE_DOWN)
       DROP("invalid init state", ps);
 
-    uint ifindex = (sk->sport == BFD_CONTROL_PORT) ? sk->lifindex : 0;
+    uint ifindex = (sk->sport == BFD_CONTROL_PORT) ?
+      (sk->iface ? sk->iface->index : sk->lifindex) :
+      0;
     s = bfd_find_session_by_addr(p, sk->faddr, ifindex);
 
     /* FIXME: better session matching and message */
@@ -438,6 +440,38 @@ bfd_open_rx_sk(struct bfd_proto *p, int multihop, int af)
   return NULL;
 }
 
+sock *
+bfd_open_rx_sk_bound(struct bfd_proto *p, ip_addr local, struct iface *ifa)
+{
+  sock *sk = sk_new(p->tpool);
+  sk->type = SK_UDP;
+  sk->saddr = local;
+  sk->sport = ifa ? BFD_CONTROL_PORT : BFD_MULTI_CTL_PORT;
+  sk->iface = ifa;
+  sk->vrf = p->p.vrf;
+  sk->data = p;
+
+  sk->rbsize = BFD_MAX_LEN;
+  sk->rx_hook = bfd_rx_hook;
+  sk->err_hook = bfd_err_hook;
+
+  /* TODO: configurable ToS and priority */
+  sk->tos = IP_PREC_INTERNET_CONTROL;
+  sk->priority = sk_priority_control;
+  sk->flags = SKF_THREAD | SKF_BIND | (ifa ? SKF_TTL_RX : 0);
+
+  if (sk_open(sk) < 0)
+    goto err;
+
+  sk_start(sk);
+  return sk;
+
+ err:
+  sk_log_error(sk, p->p.name);
+  rfree(sk);
+  return NULL;
+}
+
 sock *
 bfd_open_tx_sk(struct bfd_proto *p, ip_addr local, struct iface *ifa)
 {

proto/bgp/attrs.c

@@ -1465,7 +1465,7 @@ bgp_finish_attrs(struct bgp_parse_state *s, rta *a)
 #define RBH_FN(a,h)		h
 
 #define RBH_REHASH		bgp_rbh_rehash
-#define RBH_PARAMS		/8, *2, 2, 2, 8, 20
+#define RBH_PARAMS		/8, *2, 2, 2, 12, 20
 
 
 HASH_DEFINE_REHASH_FN(RBH, struct bgp_bucket)
@@ -1607,7 +1607,7 @@ bgp_withdraw_bucket(struct bgp_channel *c, struct bgp_bucket *b)
 #define PXH_FN(n,i,h)		h
 
 #define PXH_REHASH		bgp_pxh_rehash
-#define PXH_PARAMS		/8, *2, 2, 2, 8, 24
+#define PXH_PARAMS		/8, *2, 2, 2, 12, 24
 
 
 HASH_DEFINE_REHASH_FN(PXH, struct bgp_prefix)
@@ -1633,7 +1633,8 @@ bgp_free_prefix_table(struct bgp_channel *c)
 static struct bgp_prefix *
 bgp_get_prefix(struct bgp_channel *c, const net_addr *net, u32 path_id)
 {
-  u32 hash = net_hash(net) ^ u32_hash(path_id);
+  /* We must use a different hash function than the rtable */
+  u32 hash = u32_hash(net_hash(net) ^ u32_hash(path_id));
   struct bgp_prefix *px = HASH_FIND(c->prefix_hash, PXH, net, path_id, hash);
 
   if (px)

proto/bgp/bgp.c

@@ -2467,6 +2467,9 @@ bgp_show_proto_info(struct proto *P)
   else
     cli_msg(-1006, "    Neighbor address: %I%J", p->remote_ip, p->cf->iface);
 
+  if ((p->conn == &p->outgoing_conn) && (p->cf->remote_port != BGP_PORT))
+    cli_msg(-1006, "    Neighbor port:    %u", p->cf->remote_port);
+
   cli_msg(-1006, "    Neighbor AS:      %u", p->remote_as);
   cli_msg(-1006, "    Local AS:         %u", p->cf->local_as);
 

proto/rpki/rpki.c

@@ -834,16 +834,27 @@ rpki_show_proto_info(struct proto *P)
   if (cache)
   {
     const char *transport_name = "---";
+    uint default_port = 0;
 
     switch (cf->tr_config.type)
     {
 #if HAVE_LIBSSH
-    case RPKI_TR_SSH: transport_name = "SSHv2"; break;
+    case RPKI_TR_SSH:
+      transport_name = "SSHv2";
+      default_port = RPKI_SSH_PORT;
+      break;
 #endif
-    case RPKI_TR_TCP: transport_name = "Unprotected over TCP"; break;
+    case RPKI_TR_TCP:
+      transport_name = "Unprotected over TCP";
+      default_port = RPKI_TCP_PORT;
+      break;
     };
 
     cli_msg(-1006, "  Cache server:     %s", cf->hostname);
+
+    if (cf->port != default_port)
+      cli_msg(-1006, "  Cache port:       %u", cf->port);
+
     cli_msg(-1006, "  Status:           %s", rpki_cache_state_to_str(cache->state));
     cli_msg(-1006, "  Transport:        %s", transport_name);
     cli_msg(-1006, "  Protocol version: %u", cache->version);

proto/rpki/transport.c

@@ -85,6 +85,7 @@ rpki_tr_open(struct rpki_tr_sock *tr)
   sk->rbsize = RPKI_RX_BUFFER_SIZE;
   sk->tbsize = RPKI_TX_BUFFER_SIZE;
   sk->tos = IP_PREC_INTERNET_CONTROL;
+  sk->vrf = cache->p->p.vrf;
 
   if (ipa_zero(sk->daddr) && sk->host)
   {