diff --git a/conf/conf.c b/conf/conf.c
index a744dcaa..fefcac51 100644
--- a/conf/conf.c
+++ b/conf/conf.c
@@ -266,7 +266,7 @@ config_commit(struct config *c)
}
if (old_config) /* Reconfiguration already in progress */
{
- if (shutting_down)
+ if (shutting_down == 2)
{
log(L_INFO "New configuration discarded due to shutdown");
config_free(c);
@@ -314,8 +314,9 @@ order_shutdown(void)
init_list(&c->protos);
init_list(&c->tables);
c->shutdown = 1;
- config_commit(c);
shutting_down = 1;
+ config_commit(c);
+ shutting_down = 2;
}
/**
diff --git a/doc/bird.conf.example b/doc/bird.conf.example
index 05259d5b..22221d43 100644
--- a/doc/bird.conf.example
+++ b/doc/bird.conf.example
@@ -179,6 +179,9 @@ protocol static {
# default bgp_med 0; # MED value we use for comparison when none is defined
# default bgp_local_pref 0; # The same for local preference
# source address 62.168.0.14; # What local address we use for the TCP connection
+# password "secret" # Password used for MD5 authentication
+# rr client; # I am a route reflector and the neighor is my client
+# rr cluster id 1.0.0.1 # Use this value for cluster id instead of my router id
# export where source=RTS_STATIC;
# export filter {
# if source = RTS_STATIC then {
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 87113fa9..8fa55f85 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -655,13 +655,19 @@ routing table it wishes to export along with complete path information
route) in order to avoid routing loops.
BIRD supports all requirements of the BGP4 standard as defined in
-RFC 1771
-including several enhancements from the
-latest draft.
-It also supports the community attributes as per
-RFC 1997,
-capability negotiation defined in
-RFC 2842.
+RFC 4271
+It also supports the community attributes
+(RFC 1997),
+capability negotiation
+(RFC 3392),
+MD5 password authentication
+(RFC 2385),
+route reflectors
+(RFC 4456),
+and 4B AS numbers
+(RFC 4893).
+
+
For IPv6, it uses the standard multiprotocol extensions defined in
RFC 2283
including changes described in the
@@ -721,6 +727,27 @@ for each neighbor using the following configuration parameters:
for next hop calculation. Default: the address of the local end
of the interface our neighbor is connected to.
+ password Use this password for MD5 authentication
+ of BGP sessions. Default: no authentication.
+
+ rr client Be a route reflector and treat neighbor as
+ route reflection client. Default: disabled.
+
+ rr cluster id Route reflectors use cluster id
+ to avoid route reflection loops. When there is one route reflector in a cluster
+ it usually uses its router id as a cluster id, but when there are more route
+ reflectors in a cluster, these need to be configured (using this option) to
+ use a common cluster id. Clients in a cluster need not known their cluster
+ id and this option is not allowed to them Default: a same as router id.
+
+ enable as4 BGP protocol was designed to use 2B AS numbers
+ and was extended later to allow 4B AS number. BIRD supports 4B AS extension,
+ but by disabling this option it can be persuaded not to advertise it and
+ to maintain old-style sessions with its neighbors. This might be useful for
+ circumventing bugs in neighbor's implementation of 4B AS extension.
+ Even when disabled (off), BIRD behaves internally as AS4-aware BGP router.
+ Default: on.
+
disable after error When an error is encountered (either
locally or by the other side), disable the instance automatically
and wait for an administrator to fix the problem manually. Default: off.
@@ -757,7 +784,7 @@ for each neighbor using the following configuration parameters:
default bgp_med Value of the Multiple Exit
Discriminator to be used during route selection when the MED attribute
- is missing. Default: infinite.
+ is missing. Default: 0.
default bgp_local_pref Value of the Local Preference
to be used during route selection when the Local Preference attribute
@@ -779,10 +806,16 @@ with `int The Multiple Exit Discriminator of the route
- is an optional attribute which is often used within the local AS to
- reflect interior distances to various boundary routers. See the route selection
- rules above for exact semantics.
+ int The Multiple Exit Discriminator of the route
+ is an optional attribute which is used on on external (inter-AS) links to
+ convey to an adjacent AS the optimal entry point into the local AS.
+ The received attribute may be also propagated over internal BGP links
+ (and this is default behavior). The attribute value is zeroed when a route
+ is exported from a routing table to a BGP instance to ensure that the attribute
+ received from a neighboring AS is not propagated to other neighboring ASes.
+ A new value might be set in the export filter of a BGP instance.
+ See RFC 4451
+ for further discussion of BGP MED attribute.
enum Origin of the route: either set_atom fprefix fprefix_s fipa
%type decls declsn one_decl function_params
%type bgp_path
-%type bgp_one
CF_GRAMMAR
@@ -273,14 +272,12 @@ switch_body: /* EMPTY */ { $$ = NULL; }
/* CONST '(' expr ')' { $$ = f_new_inst(); $$->code = 'c'; $$->aux = T_INT; $$->a2.i = $3; } */
-bgp_one:
- NUM { $$ = $1; }
- | '?' { $$ = PM_ANY; }
- ;
bgp_path:
- bgp_one { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = NULL; $$->val = $1; }
- | bgp_one bgp_path { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = $2; $$->val = $1; }
+ NUM { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = NULL; $$->val = $1; $$->any = 0; }
+ | '?' { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = NULL; $$->val = 0; $$->any = 1; }
+ | NUM bgp_path { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = $2; $$->val = $1; $$->any = 0; }
+ | '?' bgp_path { $$ = cfg_alloc(sizeof(struct f_path_mask)); $$->next = $2; $$->val = 0; $$->any = 1; }
;
constant:
diff --git a/filter/filter.c b/filter/filter.c
index 9cde3d96..7893d9ae 100644
--- a/filter/filter.c
+++ b/filter/filter.c
@@ -69,6 +69,30 @@ pm_path_compare(struct f_path_mask *m1, struct f_path_mask *m2)
}
}
+static void
+pm_format(struct f_path_mask *p, byte *buf, unsigned int size)
+{
+ byte *end = buf + size - 16;
+
+ while (p)
+ {
+ if (buf > end)
+ {
+ strcpy(buf, " ...");
+ return;
+ }
+
+ if (p->any)
+ buf += bsprintf(buf, "? ");
+ else
+ buf += bsprintf(buf, "%u ", p->val);
+
+ p = p->next;
+ }
+
+ *buf = 0;
+}
+
/**
* val_compare - compare two values
* @v1: first value
@@ -224,7 +248,7 @@ val_print(struct f_val v)
case T_ENUM: PRINTF( "(enum %x)%d", v.type, v.val.i ); break;
case T_PATH: as_path_format(v.val.ad, buf2, 1020); PRINTF( "(path %s)", buf2 ); break;
case T_CLIST: int_set_format(v.val.ad, buf2, 1020); PRINTF( "(clist %s)", buf2 ); break;
- case T_PATH_MASK: debug( "(pathmask " ); { struct f_path_mask *p = v.val.path_mask; while (p) { debug("%d ", p->val); p=p->next; } debug(")" ); } break;
+ case T_PATH_MASK: pm_format(v.val.path_mask, buf2, 1020); PRINTF( "(pathmask %s)", buf2 ); break;
default: PRINTF( "[unknown type %x]", v.type );
#undef PRINTF
}
diff --git a/filter/filter.h b/filter/filter.h
index 04a26236..f71e54d3 100644
--- a/filter/filter.h
+++ b/filter/filter.h
@@ -11,6 +11,7 @@
#include "lib/resource.h"
#include "lib/ip.h"
+#include "nest/route.h"
#include "nest/attrs.h"
struct f_inst { /* Instruction */
diff --git a/lib/socket.h b/lib/socket.h
index ab932b31..4aa521db 100644
--- a/lib/socket.h
+++ b/lib/socket.h
@@ -39,6 +39,7 @@ typedef struct birdsock {
int fd; /* System-dependent data */
node n;
void *rbuf_alloc, *tbuf_alloc;
+ char *password; /* Password for MD5 authentication */
} sock;
sock *sk_new(pool *); /* Allocate new socket */
@@ -47,6 +48,7 @@ int sk_send(sock *, unsigned len); /* Send data, <0=err, >0=ok, 0=sleep */
int sk_send_to(sock *, unsigned len, ip_addr to, unsigned port); /* sk_send to given destination */
void sk_reallocate(sock *); /* Free and allocate tbuf & rbuf */
void sk_dump_all(void);
+int sk_set_md5_auth(sock *s, ip_addr a, char *passwd); /* Add or remove security associations for given passive socket */
static inline int
sk_send_buffer_empty(sock *sk)
diff --git a/nest/a-path.c b/nest/a-path.c
index 1b08f809..5e3ecfd4 100644
--- a/nest/a-path.c
+++ b/nest/a-path.c
@@ -14,38 +14,139 @@
#include "lib/unaligned.h"
#include "lib/string.h"
-struct adata *
-as_path_prepend(struct linpool *pool, struct adata *olda, int as)
+
+/* Global AS4 support, shared by all BGP instances.
+ * This specifies whether BA_AS_PATH attributes contain 2 or 4 B per ASN
+ */
+
+int bgp_as4_support = 1;
+
+static void
+put_as(byte *data, u32 as)
{
+ if (bgp_as4_support)
+ put_u32(data, as);
+ else if (as <= 0xFFFF)
+ put_u16(data, as);
+ else
+ bug("put_as: Try to put 32bit AS to 16bit AS Path");
+}
+
+static inline u32
+get_as(byte *data)
+{
+ return bgp_as4_support ? get_u32(data) : get_u16(data);
+}
+
+struct adata *
+as_path_prepend(struct linpool *pool, struct adata *olda, u32 as)
+{
+ int bs = bgp_as4_support ? 4 : 2;
struct adata *newa;
- if (olda->length && olda->data[0] == AS_PATH_SEQUENCE &&
- olda->data[1] < 255) /* Starting with sequence => just prepend the AS number */
+ if (olda->length && olda->data[0] == AS_PATH_SEQUENCE && olda->data[1] < 255)
+ /* Starting with sequence => just prepend the AS number */
{
- newa = lp_alloc(pool, sizeof(struct adata) + olda->length + 2);
- newa->length = olda->length + 2;
- newa->data[0] = 2;
+ int nl = olda->length + bs;
+ newa = lp_alloc(pool, sizeof(struct adata) + nl);
+ newa->length = nl;
+ newa->data[0] = AS_PATH_SEQUENCE;
newa->data[1] = olda->data[1] + 1;
- memcpy(newa->data+4, olda->data+2, olda->length-2);
+ memcpy(newa->data + bs + 2, olda->data + 2, olda->length - 2);
}
- else /* Create new path segment */
+ else /* Create new path segment */
{
- newa = lp_alloc(pool, sizeof(struct adata) + olda->length + 4);
- newa->length = olda->length + 4;
- newa->data[0] = 2;
+ int nl = olda->length + bs + 2;
+ newa = lp_alloc(pool, sizeof(struct adata) + nl);
+ newa->length = nl;
+ newa->data[0] = AS_PATH_SEQUENCE;
newa->data[1] = 1;
- memcpy(newa->data+4, olda->data, olda->length);
+ memcpy(newa->data + bs + 2, olda->data, olda->length);
}
- put_u16(newa->data+2, as);
+ put_as(newa->data + 2, as);
return newa;
}
+int
+as_path_convert_to_old(struct adata *path, byte *dst, int *new_used)
+{
+ byte *src = path->data;
+ byte *src_end = src + path->length;
+ byte *dst_start = dst;
+ u32 as;
+ int i, n;
+ *new_used = 0;
+
+ while (src < src_end)
+ {
+ n = src[1];
+ *dst++ = *src++;
+ *dst++ = *src++;
+
+ for(i=0; i 0xFFFF)
+ {
+ as = AS_TRANS;
+ *new_used = 1;
+ }
+ put_u16(dst, as);
+ src += 4;
+ dst += 2;
+ }
+ }
+
+ return dst - dst_start;
+}
+
+int
+as_path_convert_to_new(struct adata *path, byte *dst, int req_as)
+{
+ byte *src = path->data;
+ byte *src_end = src + path->length;
+ byte *dst_start = dst;
+ u32 as;
+ int i, t, n;
+
+
+ while ((src < src_end) && (req_as > 0))
+ {
+ t = *src++;
+ n = *src++;
+
+ if (t == AS_PATH_SEQUENCE)
+ {
+ if (n > req_as)
+ n = req_as;
+
+ req_as -= n;
+ }
+ else // t == AS_PATH_SET
+ req_as--;
+
+ *dst++ = t;
+ *dst++ = n;
+
+ for(i=0; idata;
byte *e = p + path->length;
- byte *end = buf + size - 8;
+ byte *end = buf + size - 16;
int sp = 1;
int l, isset;
@@ -69,8 +170,8 @@ as_path_format(struct adata *path, byte *buf, unsigned int size)
{
if (!sp)
*buf++ = ' ';
- buf += bsprintf(buf, "%d", get_u16(p));
- p += 2;
+ buf += bsprintf(buf, "%u", get_as(p));
+ p += bs;
sp = 0;
}
if (isset)
@@ -86,6 +187,7 @@ as_path_format(struct adata *path, byte *buf, unsigned int size)
int
as_path_getlen(struct adata *path)
{
+ int bs = bgp_as4_support ? 4 : 2;
int res = 0;
u8 *p = path->data;
u8 *q = p+path->length;
@@ -95,8 +197,8 @@ as_path_getlen(struct adata *path)
{
switch (*p++)
{
- case AS_PATH_SET: len = *p++; res++; p += 2*len; break;
- case AS_PATH_SEQUENCE: len = *p++; res+=len; p += 2*len; break;
+ case AS_PATH_SET: len = *p++; res++; p += bs * len; break;
+ case AS_PATH_SEQUENCE: len = *p++; res += len; p += bs * len; break;
default: bug("as_path_getlen: Invalid path segment");
}
}
@@ -104,9 +206,11 @@ as_path_getlen(struct adata *path)
}
int
-as_path_get_first(struct adata *path)
+as_path_get_first(struct adata *path, u32 *orig_as)
{
- int res = -1;
+ int bs = bgp_as4_support ? 4 : 2;
+ int found = 0;
+ u32 res = 0;
u8 *p = path->data;
u8 *q = p+path->length;
int len;
@@ -117,36 +221,84 @@ as_path_get_first(struct adata *path)
{
case AS_PATH_SET:
if (len = *p++)
- res = get_u16(p);
- p += 2*len;
+ {
+ found = 1;
+ res = get_as(p);
+ p += bs * len;
+ }
break;
case AS_PATH_SEQUENCE:
if (len = *p++)
- res = get_u16(p+2*(len-1));
- p += 2*len;
+ {
+ found = 1;
+ res = get_as(p + bs * (len - 1));
+ p += bs * len;
+ }
break;
default: bug("as_path_get_first: Invalid path segment");
}
}
- return res;
+
+ *orig_as = res;
+ return found;
}
+int
+as_path_get_last(struct adata *path, u32 *last_as)
+{
+ u8 *p = path->data;
+
+ if ((path->length == 0) || (p[0] != AS_PATH_SEQUENCE) || (p[1] == 0))
+ return 0;
+ else
+ {
+ *last_as = get_as(p+2);
+ return 1;
+ }
+}
+
+int
+as_path_is_member(struct adata *path, u32 as)
+{
+ int bs = bgp_as4_support ? 4 : 2;
+ u8 *p = path->data;
+ u8 *q = p+path->length;
+ int i, n;
+
+ while (pnext; if (!mask) return next == q; \
- asterisk = (mask->val == PM_ANY); \
+ asterisk = mask->any; \
if (asterisk) { mask = mask->next; if (!mask) { return 1; } } \
} while(0)
int
as_path_match(struct adata *path, struct f_path_mask *mask)
{
+ int bs = bgp_as4_support ? 4 : 2;
int i;
int asterisk = 0;
u8 *p = path->data;
u8 *q = p+path->length;
int len;
u8 *next;
+ u32 as;
- asterisk = (mask->val == PM_ANY);
+ asterisk = mask->any;
if (asterisk)
{ mask = mask->next; if (!mask) return 1; }
@@ -156,20 +308,21 @@ as_path_match(struct adata *path, struct f_path_mask *mask)
len = *p++;
{
u8 *p_save = p;
- next = p_save + 2*len;
+ next = p_save + bs * len;
retry:
p = p_save;
for (i=0; ival)) {
+ as = get_as(p);
+ if (asterisk && (as == mask->val)) {
MASK_PLUS;
goto retry;
}
- if (!asterisk && (get_u16(p) == mask->val)) {
+ if (!asterisk && (as == mask->val)) {
p = next;
MASK_PLUS;
goto okay;
}
- p+=2;
+ p += bs;
}
if (!asterisk)
return 0;
@@ -180,15 +333,15 @@ as_path_match(struct adata *path, struct f_path_mask *mask)
case AS_PATH_SEQUENCE:
len = *p++;
for (i=0; ival))
+ as = get_as(p);
+ if (asterisk && (as == mask->val))
MASK_PLUS;
else if (!asterisk) {
- if (get_u16(p) != mask->val)
+ if (as != mask->val)
return 0;
MASK_PLUS;
}
- p+=2;
+ p += bs;
}
break;
diff --git a/nest/a-set.c b/nest/a-set.c
index 44407141..69c090b7 100644
--- a/nest/a-set.c
+++ b/nest/a-set.c
@@ -40,10 +40,12 @@ int_set_format(struct adata *set, byte *buf, unsigned int size)
struct adata *
int_set_add(struct linpool *pool, struct adata *list, u32 val)
{
- struct adata *res = lp_alloc(pool, list->length + sizeof(struct adata) + 4);
- res->length = list->length+4;
+ int len = list ? list->length : 0;
+ struct adata *res = lp_alloc(pool, len + sizeof(struct adata) + 4);
+ res->length = len + 4;
* (u32 *) res->data = val;
- memcpy((char *) res->data + 4, list->data, list->length);
+ if (list)
+ memcpy((char *) res->data + 4, list->data, list->length);
return res;
}
diff --git a/nest/attrs.h b/nest/attrs.h
index abd6b9e9..fee2c2c8 100644
--- a/nest/attrs.h
+++ b/nest/attrs.h
@@ -14,16 +14,30 @@
#define AS_PATH_SET 1 /* Types of path segments */
#define AS_PATH_SEQUENCE 2
-struct adata *as_path_prepend(struct linpool *pool, struct adata *olda, int as);
+#define AS_PATH_MAXLEN 10000
+
+#define AS_TRANS 23456
+/* AS_TRANS is used when we need to store 32bit ASN larger than 0xFFFF
+ * to 16bit slot (like in 16bit AS_PATH). See RFC 4893 for details
+ */
+
+struct adata *as_path_prepend(struct linpool *pool, struct adata *olda, u32 as);
+int as_path_convert_to_old(struct adata *path, byte *dst, int *new_used);
+int as_path_convert_to_new(struct adata *path, byte *dst, int req_as);
void as_path_format(struct adata *path, byte *buf, unsigned int size);
int as_path_getlen(struct adata *path);
-int as_path_get_first(struct adata *path);
+int as_path_get_first(struct adata *path, u32 *orig_as);
+int as_path_get_last(struct adata *path, u32 *last_as);
+int as_path_is_member(struct adata *path, u32 as);
+
struct f_path_mask {
struct f_path_mask *next;
- int val;
+ u32 val;
+ int any;
};
-#define PM_ANY -1
+
+// #define PM_ANY -1
int as_path_match(struct adata *path, struct f_path_mask *mask);
@@ -34,4 +48,7 @@ struct adata *int_set_add(struct linpool *pool, struct adata *list, u32 val);
int int_set_contains(struct adata *list, u32 val);
struct adata *int_set_del(struct linpool *pool, struct adata *list, u32 val);
+static inline int int_set_get_size(struct adata *list)
+{ return list->length / 4; }
+
#endif
diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index 30699f84..2210cbe7 100644
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -55,21 +55,37 @@ bgp_format_origin(eattr *a, byte *buf)
}
static int
-bgp_check_path(struct bgp_proto *p UNUSED, byte *a, int len)
+bgp_check_path(byte *a, int len, int bs, int errcode)
{
while (len)
{
DBG("Path segment %02x %02x\n", a[0], a[1]);
if (len < 2 ||
- a[0] != AS_PATH_SET && a[0] != AS_PATH_SEQUENCE ||
- 2*a[1] + 2 > len)
- return 11;
- len -= 2*a[1] + 2;
- a += 2*a[1] + 2;
+ (a[0] != AS_PATH_SET && a[0] != AS_PATH_SEQUENCE) ||
+ bs * a[1] + 2 > len)
+ return errcode;
+ len -= bs * a[1] + 2;
+ a += bs * a[1] + 2;
}
return 0;
}
+static int
+bgp_check_as_path(struct bgp_proto *p, byte *a, int len)
+{
+ return bgp_check_path(a, len, p->as4_session ? 4 : 2, 11);
+}
+
+static int
+bgp_check_as4_path(struct bgp_proto *p, byte *a, int len)
+{
+ if (bgp_as4_support && (! p->as4_session))
+ return bgp_check_path(a, len, 4, 9);
+ else
+ return 0;
+}
+
+
static int
bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a, int len)
{
@@ -87,6 +103,20 @@ bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a, int len)
#endif
}
+static int
+bgp_check_aggregator(struct bgp_proto *p, UNUSED byte *a, int len)
+{
+ int exp_len = p->as4_session ? 8 : 6;
+
+ return (len == exp_len) ? 0 : 5;
+}
+
+static int
+bgp_check_cluster_list(struct bgp_proto *p UNUSED, UNUSED byte *a, int len)
+{
+ return ((len % 4) == 0) ? 0 : 5;
+}
+
static int
bgp_check_reach_nlri(struct bgp_proto *p UNUSED, byte *a UNUSED, int len UNUSED)
{
@@ -113,21 +143,23 @@ static struct attr_desc bgp_attr_table[] = {
{ "origin", 1, BAF_TRANSITIVE, EAF_TYPE_INT, 1, /* BA_ORIGIN */
bgp_check_origin, bgp_format_origin },
{ "as_path", -1, BAF_TRANSITIVE, EAF_TYPE_AS_PATH, 1, /* BA_AS_PATH */
- bgp_check_path, NULL },
+ bgp_check_as_path, NULL },
{ "next_hop", 4, BAF_TRANSITIVE, EAF_TYPE_IP_ADDRESS, 1, /* BA_NEXT_HOP */
bgp_check_next_hop, NULL },
- { "med", 4, BAF_OPTIONAL, EAF_TYPE_INT, 0, /* BA_MULTI_EXIT_DISC */
+ { "med", 4, BAF_OPTIONAL, EAF_TYPE_INT, 1, /* BA_MULTI_EXIT_DISC */
NULL, NULL },
{ "local_pref", 4, BAF_TRANSITIVE, EAF_TYPE_INT, 0, /* BA_LOCAL_PREF */
NULL, NULL },
{ "atomic_aggr", 0, BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_ATOMIC_AGGR */
NULL, NULL },
- { "aggregator", 6, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AGGREGATOR */
- NULL, NULL },
+ { "aggregator", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AGGREGATOR */
+ bgp_check_aggregator, NULL },
{ "community", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_INT_SET, 1, /* BA_COMMUNITY */
NULL, NULL },
- { NULL, }, /* BA_ORIGINATOR_ID */
- { NULL, }, /* BA_CLUSTER_LIST */
+ { "originator_id", 4, BAF_OPTIONAL, EAF_TYPE_INT, 0, /* BA_ORIGINATOR_ID */
+ NULL, NULL },
+ { "cluster_list", -1, BAF_OPTIONAL, EAF_TYPE_INT_SET, 0, /* BA_CLUSTER_LIST */
+ bgp_check_cluster_list, NULL },
{ NULL, }, /* BA_DPA */
{ NULL, }, /* BA_ADVERTISER */
{ NULL, }, /* BA_RCID_PATH */
@@ -135,43 +167,152 @@ static struct attr_desc bgp_attr_table[] = {
bgp_check_reach_nlri, NULL },
{ "mp_unreach_nlri", -1, BAF_OPTIONAL, EAF_TYPE_OPAQUE, 1, /* BA_MP_UNREACH_NLRI */
bgp_check_unreach_nlri, NULL },
+ { NULL, }, /* BA_EXTENDED_COMM */
+ { "as4_path", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AS4_PATH */
+ bgp_check_as4_path, NULL },
+ { "as4_aggregator", 8, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1, /* BA_AS4_PATH */
+ NULL, NULL }
};
+/* BA_AS4_PATH is type EAF_TYPE_OPAQUE and not type EAF_TYPE_AS_PATH because
+ * EAF_TYPE_AS_PATH is supposed to have different format (2 or 4 B for each ASN)
+ * depending on bgp_as4_support variable.
+ */
+
#define ATTR_KNOWN(code) ((code) < ARRAY_SIZE(bgp_attr_table) && bgp_attr_table[code].name)
-static byte *
-bgp_set_attr(eattr *e, struct linpool *pool, unsigned attr, unsigned val)
+static inline struct adata *
+bgp_alloc_adata(struct linpool *pool, unsigned len)
+{
+ struct adata *ad = lp_alloc(pool, sizeof(struct adata) + len);
+ ad->length = len;
+ return ad;
+}
+
+static void
+bgp_set_attr(eattr *e, unsigned attr, uintptr_t val)
{
ASSERT(ATTR_KNOWN(attr));
e->id = EA_CODE(EAP_BGP, attr);
e->type = bgp_attr_table[attr].type;
e->flags = bgp_attr_table[attr].expected_flags;
if (e->type & EAF_EMBEDDED)
- {
- e->u.data = val;
- return NULL;
- }
+ e->u.data = val;
else
- {
- e->u.ptr = lp_alloc(pool, sizeof(struct adata) + val);
- e->u.ptr->length = val;
- return e->u.ptr->data;
- }
+ e->u.ptr = (struct adata *) val;
}
-byte *
-bgp_attach_attr(ea_list **to, struct linpool *pool, unsigned attr, unsigned val)
+static byte *
+bgp_set_attr_wa(eattr *e, struct linpool *pool, unsigned attr, unsigned len)
+{
+ struct adata *ad = bgp_alloc_adata(pool, len);
+ bgp_set_attr(e, attr, (uintptr_t) ad);
+ return ad->data;
+}
+
+void
+bgp_attach_attr(ea_list **to, struct linpool *pool, unsigned attr, uintptr_t val)
{
ea_list *a = lp_alloc(pool, sizeof(ea_list) + sizeof(eattr));
a->next = *to;
*to = a;
a->flags = EALF_SORTED;
a->count = 1;
- return bgp_set_attr(a->attrs, pool, attr, val);
+ bgp_set_attr(a->attrs, attr, val);
}
+byte *
+bgp_attach_attr_wa(ea_list **to, struct linpool *pool, unsigned attr, unsigned len)
+{
+ struct adata *ad = bgp_alloc_adata(pool, len);
+ bgp_attach_attr(to, pool, attr, (uintptr_t) ad);
+ return ad->data;
+}
+
+static int
+bgp_encode_attr_hdr(byte *dst, unsigned int flags, unsigned code, int len)
+{
+ int wlen;
+
+ DBG("\tAttribute %02x (%d bytes, flags %02x)\n", code, len, flags);
+
+ if (len < 256)
+ {
+ *dst++ = flags;
+ *dst++ = code;
+ *dst++ = len;
+ wlen = 3;
+ }
+ else
+ {
+ *dst++ = flags | BAF_EXT_LEN;
+ *dst++ = code;
+ put_u16(dst, len);
+ wlen = 4;
+ }
+
+ return wlen;
+}
+
+static void
+aggregator_convert_to_old(struct adata *aggr, byte *dst, int *new_used)
+{
+ byte *src = aggr->data;
+ *new_used = 0;
+
+ u32 as = get_u32(src);
+ if (as > 0xFFFF)
+ {
+ as = AS_TRANS;
+ *new_used = 1;
+ }
+ put_u16(dst, as);
+
+ /* Copy IPv4 address */
+ memcpy(dst + 2, src + 4, 4);
+}
+
+static void
+aggregator_convert_to_new(struct adata *aggr, byte *dst)
+{
+ byte *src = aggr->data;
+
+ u32 as = get_u16(src);
+ put_u32(dst, as);
+
+ /* Copy IPv4 address */
+ memcpy(dst + 4, src + 2, 4);
+}
+
+static int
+bgp_get_attr_len(eattr *a)
+{
+ int len;
+ if (ATTR_KNOWN(EA_ID(a->id)))
+ {
+ int code = EA_ID(a->id);
+ struct attr_desc *desc = &bgp_attr_table[code];
+ len = desc->expected_length;
+ if (len < 0)
+ {
+ ASSERT(!(a->type & EAF_EMBEDDED));
+ len = a->u.ptr->length;
+ }
+ }
+ else
+ {
+ ASSERT((a->type & EAF_TYPE_MASK) == EAF_TYPE_OPAQUE);
+ len = a->u.ptr->length;
+ }
+
+ return len;
+}
+
+#define ADVANCE(w, r, l) do { r -= l; w += l; } while (0)
+
/**
* bgp_encode_attrs - encode BGP attributes
+ * @p: BGP instance
* @w: buffer
* @attrs: a list of extended attributes
* @remains: remaining space in the buffer
@@ -182,11 +323,11 @@ bgp_attach_attr(ea_list **to, struct linpool *pool, unsigned attr, unsigned val)
* Result: Length of the attribute block generated.
*/
unsigned int
-bgp_encode_attrs(byte *w, ea_list *attrs, int remains)
+bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains)
{
unsigned int i, code, flags;
byte *start = w;
- int len;
+ int len, rv;
for(i=0; icount; i++)
{
@@ -198,43 +339,90 @@ bgp_encode_attrs(byte *w, ea_list *attrs, int remains)
if (code == BA_NEXT_HOP)
continue;
#endif
- flags = a->flags & (BAF_OPTIONAL | BAF_TRANSITIVE | BAF_PARTIAL);
- if (ATTR_KNOWN(code))
+
+ /* When AS4-aware BGP speaker is talking to non-AS4-aware BGP speaker,
+ * we have to convert our 4B AS_PATH to 2B AS_PATH and send our AS_PATH
+ * as optional AS4_PATH attribute.
+ */
+ if ((code == BA_AS_PATH) && bgp_as4_support && (! p->as4_session))
{
- struct attr_desc *desc = &bgp_attr_table[code];
- len = desc->expected_length;
- if (len < 0)
- {
- ASSERT(!(a->type & EAF_EMBEDDED));
- len = a->u.ptr->length;
- }
- }
- else
- {
- ASSERT((a->type & EAF_TYPE_MASK) == EAF_TYPE_OPAQUE);
len = a->u.ptr->length;
+
+ if (remains < (len + 4))
+ goto err_no_buffer;
+
+ /* Using temporary buffer because don't know a length of created attr
+ * and therefore a length of a header. Perhaps i should better always
+ * use BAF_EXT_LEN. */
+
+ byte buf[len];
+ int new_used;
+ int nl = as_path_convert_to_old(a->u.ptr, buf, &new_used);
+
+ rv = bgp_encode_attr_hdr(w, BAF_TRANSITIVE, BA_AS_PATH, nl);
+ ADVANCE(w, remains, rv);
+ memcpy(w, buf, nl);
+ ADVANCE(w, remains, nl);
+
+ if (! new_used)
+ continue;
+
+ if (remains < (len + 4))
+ goto err_no_buffer;
+
+ /* We should discard AS_CONFED_SEQUENCE or AS_CONFED_SET path segments
+ * here but we don't support confederations and such paths we already
+ * discarded in bgp_check_as_path().
+ */
+
+ rv = bgp_encode_attr_hdr(w, BAF_OPTIONAL | BAF_TRANSITIVE, BA_AS4_PATH, len);
+ ADVANCE(w, remains, rv);
+ memcpy(w, a->u.ptr->data, len);
+ ADVANCE(w, remains, len);
+
+ continue;
}
- DBG("\tAttribute %02x (type %02x, %d bytes, flags %02x)\n", code, a->type, len, flags);
+
+ /* The same issue with AGGREGATOR attribute */
+ if ((code == BA_AGGREGATOR) && bgp_as4_support && (! p->as4_session))
+ {
+ int new_used;
+
+ len = 6;
+ if (remains < (len + 3))
+ goto err_no_buffer;
+
+ rv = bgp_encode_attr_hdr(w, BAF_OPTIONAL | BAF_TRANSITIVE, BA_AGGREGATOR, len);
+ ADVANCE(w, remains, rv);
+ aggregator_convert_to_old(a->u.ptr, w, &new_used);
+ ADVANCE(w, remains, len);
+
+ if (! new_used)
+ continue;
+
+ len = 8;
+ if (remains < (len + 3))
+ goto err_no_buffer;
+
+ rv = bgp_encode_attr_hdr(w, BAF_OPTIONAL | BAF_TRANSITIVE, BA_AS4_AGGREGATOR, len);
+ ADVANCE(w, remains, rv);
+ memcpy(w, a->u.ptr->data, len);
+ ADVANCE(w, remains, len);
+
+ continue;
+ }
+
+ /* Standard path continues here ... */
+
+ flags = a->flags & (BAF_OPTIONAL | BAF_TRANSITIVE | BAF_PARTIAL);
+ len = bgp_get_attr_len(a);
+
if (remains < len + 4)
- {
- log(L_ERR "BGP: attribute list too long, ignoring the remaining attributes");
- break;
- }
- if (len < 256)
- {
- *w++ = flags;
- *w++ = code;
- *w++ = len;
- remains -= 3;
- }
- else
- {
- *w++ = flags | BAF_EXT_LEN;
- *w++ = code;
- put_u16(w, len);
- w += 2;
- remains -= 4;
- }
+ goto err_no_buffer;
+
+ rv = bgp_encode_attr_hdr(w, flags, code, len);
+ ADVANCE(w, remains, rv);
+
switch (a->type & EAF_TYPE_MASK)
{
case EAF_TYPE_INT:
@@ -266,10 +454,13 @@ bgp_encode_attrs(byte *w, ea_list *attrs, int remains)
default:
bug("bgp_encode_attrs: unknown attribute type %02x", a->type);
}
- remains -= len;
- w += len;
+ ADVANCE(w, remains, len);
}
return w - start;
+
+ err_no_buffer:
+ log(L_ERR "BGP: attribute list too long, ignoring the remaining attributes");
+ return w - start;
}
static void
@@ -547,6 +738,7 @@ bgp_rt_notify(struct proto *P, net *n, rte *new, rte *old UNUSED, ea_list *attrs
bgp_schedule_packet(p->conn, PKT_UPDATE);
}
+
static int
bgp_create_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *pool)
{
@@ -559,20 +751,24 @@ bgp_create_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *p
ea->flags = EALF_SORTED;
ea->count = 4;
- bgp_set_attr(ea->attrs, pool, BA_ORIGIN,
+ bgp_set_attr(ea->attrs, BA_ORIGIN,
((rta->source == RTS_OSPF_EXT1) || (rta->source == RTS_OSPF_EXT2)) ? ORIGIN_INCOMPLETE : ORIGIN_IGP);
if (p->is_internal)
- bgp_set_attr(ea->attrs+1, pool, BA_AS_PATH, 0);
+ bgp_set_attr_wa(ea->attrs+1, pool, BA_AS_PATH, 0);
else
{
- z = bgp_set_attr(ea->attrs+1, pool, BA_AS_PATH, 4);
+ z = bgp_set_attr_wa(ea->attrs+1, pool, BA_AS_PATH, bgp_as4_support ? 6 : 4);
z[0] = AS_PATH_SEQUENCE;
z[1] = 1; /* 1 AS */
- put_u16(z+2, p->local_as);
+
+ if (bgp_as4_support)
+ put_u32(z+2, p->local_as);
+ else
+ put_u16(z+2, p->local_as);
}
- z = bgp_set_attr(ea->attrs+2, pool, BA_NEXT_HOP, sizeof(ip_addr));
+ z = bgp_set_attr_wa(ea->attrs+2, pool, BA_NEXT_HOP, sizeof(ip_addr));
if (p->cf->next_hop_self ||
!p->is_internal ||
rta->dest != RTD_ROUTER)
@@ -585,34 +781,65 @@ bgp_create_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *p
else
*(ip_addr *)z = e->attrs->gw;
- bgp_set_attr(ea->attrs+3, pool, BA_LOCAL_PREF, 0);
+ bgp_set_attr(ea->attrs+3, BA_LOCAL_PREF, 0);
return 0; /* Leave decision to the filters */
}
-static ea_list *
-bgp_path_prepend(struct linpool *pool, eattr *a, ea_list *old, int as)
-{
- struct ea_list *e = lp_alloc(pool, sizeof(ea_list) + sizeof(eattr));
- struct adata *olda = a->u.ptr;
- e->next = old;
- e->flags = EALF_SORTED;
- e->count = 1;
- e->attrs[0].id = EA_CODE(EAP_BGP, BA_AS_PATH);
- e->attrs[0].flags = BAF_TRANSITIVE;
- e->attrs[0].type = EAF_TYPE_AS_PATH;
- e->attrs[0].u.ptr = as_path_prepend(pool, olda, as);
- return e;
+static inline int
+bgp_as_path_loopy(struct bgp_proto *p, rta *a)
+{
+ eattr *e = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
+ return (e && as_path_is_member(e->u.ptr, p->local_as));
+}
+
+static inline int
+bgp_originator_id_loopy(struct bgp_proto *p, rta *a)
+{
+ eattr *e = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_ORIGINATOR_ID));
+ return (e && (e->u.data == p->local_id));
+}
+
+static inline int
+bgp_cluster_list_loopy(struct bgp_proto *p, rta *a)
+{
+ eattr *e = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_CLUSTER_LIST));
+ return (e && p->rr_client && int_set_contains(e->u.ptr, p->rr_cluster_id));
+}
+
+
+static inline void
+bgp_path_prepend(rte *e, ea_list **attrs, struct linpool *pool, u32 as)
+{
+ eattr *a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
+ bgp_attach_attr(attrs, pool, BA_AS_PATH, (uintptr_t) as_path_prepend(pool, a->u.ptr, as));
+}
+
+static inline void
+bgp_cluster_list_prepend(rte *e, ea_list **attrs, struct linpool *pool, u32 cid)
+{
+ eattr *a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_CLUSTER_LIST));
+ bgp_attach_attr(attrs, pool, BA_CLUSTER_LIST, (uintptr_t) int_set_add(pool, a ? a->u.ptr : NULL, cid));
}
static int
-bgp_update_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *pool)
+bgp_update_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *pool, int rr)
{
eattr *a;
- if (!p->is_internal && (a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH))))
- *attrs = bgp_path_prepend(pool, a, *attrs, p->local_as);
+ if (!p->is_internal)
+ {
+ bgp_path_prepend(e, attrs, pool, p->local_as);
+
+ /* The MULTI_EXIT_DISC attribute received from a neighboring AS MUST NOT be
+ * propagated to other neighboring ASes.
+ * Perhaps it would be better to undefine it.
+ */
+ a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_MULTI_EXIT_DISC));
+ if (a)
+ bgp_attach_attr(attrs, pool, BA_MULTI_EXIT_DISC, 0);
+ }
a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_NEXT_HOP));
if (a && (p->is_internal || (!p->is_internal && e->attrs->iface == p->neigh->iface)))
@@ -622,7 +849,24 @@ bgp_update_attrs(struct bgp_proto *p, rte *e, ea_list **attrs, struct linpool *p
else
{
/* Need to create new one */
- *(ip_addr *) bgp_attach_attr(attrs, pool, BA_NEXT_HOP, sizeof(ip_addr)) = p->local_addr;
+ bgp_attach_attr_ip(attrs, pool, BA_NEXT_HOP, p->local_addr);
+ }
+
+ if (rr)
+ {
+ /* Handling route reflection, RFC 4456 */
+ struct bgp_proto *src = (struct bgp_proto *) e->attrs->proto;
+
+ a = ea_find(e->attrs->eattrs, EA_CODE(EAP_BGP, BA_ORIGINATOR_ID));
+ if (!a)
+ bgp_attach_attr(attrs, pool, BA_ORIGINATOR_ID, src->remote_id);
+
+ /* We attach proper cluster ID according to whether the route is entering or leaving the cluster */
+ bgp_cluster_list_prepend(e, attrs, pool, src->rr_client ? src->rr_cluster_id : p->rr_cluster_id);
+
+ /* Two RR clients with different cluster ID, hmmm */
+ if (src->rr_client && p->rr_client && (src->rr_cluster_id != p->rr_cluster_id))
+ bgp_cluster_list_prepend(e, attrs, pool, p->rr_cluster_id);
}
return 0; /* Leave decision to the filters */
@@ -639,14 +883,39 @@ bgp_import_control(struct proto *P, rte **new, ea_list **attrs, struct linpool *
return -1;
if (new_bgp)
{
+ /* We should check here for cluster list loop, because the receiving BGP instance
+ might have different cluster ID */
+ if (bgp_cluster_list_loopy(p, e->attrs))
+ return -1;
+
if (p->local_as == new_bgp->local_as && p->is_internal && new_bgp->is_internal)
- return -1; /* Don't redistribute internal routes with IBGP */
- return bgp_update_attrs(p, e, attrs, pool);
+ {
+ /* Redistribution of internal routes with IBGP */
+ if (p->rr_client || new_bgp->rr_client)
+ /* Route reflection, RFC 4456 */
+ return bgp_update_attrs(p, e, attrs, pool, 1);
+ else
+ return -1;
+ }
+ else
+ return bgp_update_attrs(p, e, attrs, pool, 0);
}
else
return bgp_create_attrs(p, e, attrs, pool);
}
+static inline u32
+bgp_get_neighbor(rte *r)
+{
+ eattr *e = ea_find(r->attrs->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
+ u32 as;
+
+ if (e && as_path_get_last(e->u.ptr, &as))
+ return as;
+ else
+ return ((struct bgp_proto *) r->attrs->proto)->remote_as;
+}
+
int
bgp_rte_better(rte *new, rte *old)
{
@@ -665,20 +934,20 @@ bgp_rte_better(rte *new, rte *old)
if (n < o)
return 0;
- /* Use AS path lengths */
+ /* RFC 4271 9.1.2.2. a) Use AS path lengths */
if (new_bgp->cf->compare_path_lengths || old_bgp->cf->compare_path_lengths)
{
x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
- n = x ? as_path_getlen(x->u.ptr) : 100000;
- o = y ? as_path_getlen(y->u.ptr) : 100000;
+ n = x ? as_path_getlen(x->u.ptr) : AS_PATH_MAXLEN;
+ o = y ? as_path_getlen(y->u.ptr) : AS_PATH_MAXLEN;
if (n < o)
return 1;
if (n > o)
return 0;
}
- /* Use origins */
+ /* RFC 4271 9.1.2.2. b) Use origins */
x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_ORIGIN));
y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_ORIGIN));
n = x ? x->u.data : ORIGIN_INCOMPLETE;
@@ -688,47 +957,163 @@ bgp_rte_better(rte *new, rte *old)
if (n > o)
return 0;
- /* Compare MED's */
- x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_MULTI_EXIT_DISC));
- y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_MULTI_EXIT_DISC));
- n = x ? x->u.data : new_bgp->cf->default_med;
- o = y ? y->u.data : old_bgp->cf->default_med;
+ /* RFC 4271 9.1.2.2. c) Compare MED's */
+
+ if (bgp_get_neighbor(new) == bgp_get_neighbor(old))
+ {
+ x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_MULTI_EXIT_DISC));
+ y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_MULTI_EXIT_DISC));
+ n = x ? x->u.data : new_bgp->cf->default_med;
+ o = y ? y->u.data : old_bgp->cf->default_med;
+ if (n < o)
+ return 1;
+ if (n > o)
+ return 0;
+ }
+
+ /* RFC 4271 9.1.2.2. d) Prefer external peers */
+ if (new_bgp->is_internal > old_bgp->is_internal)
+ return 0;
+ if (new_bgp->is_internal < old_bgp->is_internal)
+ return 1;
+
+ /* Skipping RFC 4271 9.1.2.2. e) */
+ /* We don't have interior distances */
+
+ /* RFC 4456 9. b) Compare cluster list lengths */
+ x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_CLUSTER_LIST));
+ y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_CLUSTER_LIST));
+ n = x ? int_set_get_size(x->u.ptr) : 0;
+ o = y ? int_set_get_size(y->u.ptr) : 0;
if (n < o)
return 1;
if (n > o)
return 0;
- /* A tie breaking procedure according to RFC 1771, section 9.1.2.1 */
- /* We don't have interior distances */
- /* We prefer external peers */
- if (new_bgp->is_internal > old_bgp->is_internal)
- return 0;
- if (new_bgp->is_internal < old_bgp->is_internal)
+ /* RFC 4271 9.1.2.2. f) Compare BGP identifiers */
+ /* RFC 4456 9. a) Use ORIGINATOR_ID instead of local neighor ID */
+ x = ea_find(new->attrs->eattrs, EA_CODE(EAP_BGP, BA_ORIGINATOR_ID));
+ y = ea_find(old->attrs->eattrs, EA_CODE(EAP_BGP, BA_ORIGINATOR_ID));
+ n = x ? x->u.data : new_bgp->remote_id;
+ o = y ? y->u.data : old_bgp->remote_id;
+ if (n < o)
return 1;
- /* Finally we compare BGP identifiers */
- return (new_bgp->remote_id < old_bgp->remote_id);
+ if (n > o)
+ return 0;
+
+
+ /* RFC 4271 9.1.2.2. g) Compare peer IP adresses */
+ return (ipa_compare(new_bgp->cf->remote_ip, old_bgp->cf->remote_ip) < 0);
}
-static int
-bgp_path_loopy(struct bgp_proto *p, eattr *a)
+static struct adata *
+bgp_aggregator_convert_to_new(struct adata *old, struct linpool *pool)
{
- byte *path = a->u.ptr->data;
- int len = a->u.ptr->length;
- int i, n;
+ struct adata *newa = lp_alloc(pool, sizeof(struct adata) + 8);
+ newa->length = 8;
+ aggregator_convert_to_new(old, newa->data);
+ return newa;
+}
- while (len > 0)
+
+/* Take last req_as ASNs from path old2 (in 2B format), convert to 4B format
+ * and append path old4 (in 4B format).
+ */
+static struct adata *
+bgp_merge_as_paths(struct adata *old2, struct adata *old4, int req_as, struct linpool *pool)
+{
+ byte buf[old2->length * 2];
+
+ int ol = as_path_convert_to_new(old2, buf, req_as);
+ int nl = ol + (old4 ? old4->length : 0);
+
+ struct adata *newa = lp_alloc(pool, sizeof(struct adata) + nl);
+ newa->length = nl;
+ memcpy(newa->data, buf, ol);
+ if (old4) memcpy(newa->data + ol, old4->data, old4->length);
+
+ return newa;
+}
+
+
+/* Reconstruct 4B AS_PATH and AGGREGATOR according to RFC 4893 4.2.3 */
+static void
+bgp_reconstruct_4b_atts(struct bgp_proto *p, rta *a, struct linpool *pool)
+{
+ eattr *p2 =ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
+ eattr *p4 =ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AS4_PATH));
+ eattr *a2 =ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AGGREGATOR));
+ eattr *a4 =ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AS4_AGGREGATOR));
+
+ if (a2)
{
- n = path[1];
- len -= 2 + 2*n;
- path += 2;
- for(i=0; iu.ptr->data);
+
+ if (a4)
{
- if (get_u16(path) == p->local_as)
- return 1;
- path += 2;
+ if (a2_as != AS_TRANS)
+ {
+ /* Routes were aggregated by old router and therefore AS4_PATH
+ * and AS4_AGGREGATOR is invalid
+ *
+ * Convert AS_PATH and AGGREGATOR to 4B format and finish.
+ */
+
+ a2->u.ptr = bgp_aggregator_convert_to_new(a2->u.ptr, pool);
+ p2->u.ptr = bgp_merge_as_paths(p2->u.ptr, NULL, AS_PATH_MAXLEN, pool);
+
+ return;
+ }
+ else
+ {
+ /* Common case, use AS4_AGGREGATOR attribute */
+ a2->u.ptr = a4->u.ptr;
+ }
+ }
+ else
+ {
+ /* Common case, use old AGGREGATOR attribute */
+ a2->u.ptr = bgp_aggregator_convert_to_new(a2->u.ptr, pool);
+
+ if (a2_as == AS_TRANS)
+ log(L_WARN "BGP: AGGREGATOR attribute contain AS_TRANS, but AS4_AGGREGATOR is missing");
}
}
- return 0;
+ else
+ if (a4)
+ log(L_WARN "BGP: AS4_AGGREGATOR attribute received, but AGGREGATOR attribute is missing");
+
+ int p2_len = as_path_getlen(p2->u.ptr);
+ int p4_len = p4 ? as_path_getlen(p4->u.ptr) : AS_PATH_MAXLEN;
+
+ if (p2_len < p4_len)
+ p2->u.ptr = bgp_merge_as_paths(p2->u.ptr, NULL, AS_PATH_MAXLEN, pool);
+ else
+ p2->u.ptr = bgp_merge_as_paths(p2->u.ptr, p4->u.ptr, p2_len - p4_len, pool);
+
+}
+
+static void
+bgp_remove_as4_attrs(struct bgp_proto *p, rta *a)
+{
+ unsigned id1 = EA_CODE(EAP_BGP, BA_AS4_PATH);
+ unsigned id2 = EA_CODE(EAP_BGP, BA_AS4_AGGREGATOR);
+ ea_list **el = &(a->eattrs);
+
+ /* We know that ea_lists constructed in bgp_decode_attrs have one attribute per ea_list struct */
+ while (*el != NULL)
+ {
+ unsigned fid = (*el)->attrs[0].id;
+
+ if ((fid == id1) || (fid == id2))
+ {
+ *el = (*el)->next;
+ if (p->as4_session)
+ log(L_WARN "BGP: Unexpected AS4_* attributes received");
+ }
+ else
+ el = &((*el)->next);
+ }
}
/**
@@ -883,20 +1268,34 @@ bgp_decode_attrs(struct bgp_conn *conn, byte *attr, unsigned int len, struct lin
}
}
}
+
+ /* When receiving attributes from non-AS4-aware BGP speaker,
+ * we have to reconstruct 4B AS_PATH and AGGREGATOR attributes
+ */
+ if (bgp_as4_support && (! bgp->as4_session))
+ bgp_reconstruct_4b_atts(bgp, a, pool);
+
+ if (bgp_as4_support)
+ bgp_remove_as4_attrs(bgp, a);
/* If the AS path attribute contains our AS, reject the routes */
- e = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_AS_PATH));
- if (e && bgp_path_loopy(bgp, e))
- {
- DBG("BGP: Path loop!\n");
- return NULL;
- }
+ if (bgp_as_path_loopy(bgp, a))
+ goto loop;
+
+ /* Two checks for IBGP loops caused by route reflection, RFC 4456 */
+ if (bgp_originator_id_loopy(bgp, a) ||
+ bgp_cluster_list_loopy(bgp, a))
+ goto loop;
/* If there's no local preference, define one */
- if (!(seen[0] && (1 << BA_LOCAL_PREF)))
+ if (!(seen[0] & (1 << BA_LOCAL_PREF)))
bgp_attach_attr(&a->eattrs, pool, BA_LOCAL_PREF, 0);
return a;
+loop:
+ DBG("BGP: Path loop!\n");
+ return NULL;
+
malformed:
bgp_error(conn, 3, 1, NULL, 0);
return NULL;
@@ -945,11 +1344,11 @@ bgp_get_route_info(rte *e, byte *buf, ea_list *attrs)
{
eattr *p = ea_find(attrs, EA_CODE(EAP_BGP, BA_AS_PATH));
eattr *o = ea_find(attrs, EA_CODE(EAP_BGP, BA_ORIGIN));
- int origas;
+ u32 origas;
buf += bsprintf(buf, " (%d) [", e->pref);
- if (p && (origas = as_path_get_first(p->u.ptr)) >= 0)
- buf += bsprintf(buf, "AS%d", origas);
+ if (p && as_path_get_first(p->u.ptr, &origas))
+ buf += bsprintf(buf, "AS%u", origas);
if (o)
buf += bsprintf(buf, "%c", "ie?"[o->u.data]);
strcpy(buf, "]");
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index cedd223b..0d580be1 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -76,11 +76,16 @@ static void bgp_connect(struct bgp_proto *p);
static void bgp_initiate(struct bgp_proto *p);
static void bgp_setup_listen_sk(void);
+
static void
-bgp_close(struct bgp_proto *p UNUSED)
+bgp_close(struct bgp_proto *p)
{
ASSERT(bgp_counter);
bgp_counter--;
+
+ if (p->cf->password)
+ sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, NULL);
+
if (!bgp_counter)
{
rfree(bgp_listen_sk);
@@ -329,6 +334,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
bgp_setup_conn(p, conn);
bgp_setup_sk(p, conn, s);
s->tx_hook = bgp_connected;
+ s->password = p->cf->password;
conn->state = BS_CONNECT;
if (sk_open(s))
{
@@ -479,6 +485,13 @@ bgp_start_locked(struct object_lock *lock)
p->local_id = cf->c.global->router_id;
p->next_hop = cf->multihop ? cf->multihop_via : cf->remote_ip;
p->neigh = neigh_find(&p->p, &p->next_hop, NEF_STICKY);
+
+ if (cf->rr_client)
+ {
+ p->rr_cluster_id = cf->rr_cluster_id ? cf->rr_cluster_id : p->local_id;
+ p->rr_client = cf->rr_client;
+ }
+
if (!p->neigh)
{
log(L_ERR "%s: Invalid next hop %I", p->p.name, p->next_hop);
@@ -505,6 +518,7 @@ bgp_start(struct proto *P)
bgp_counter++;
bgp_setup_listen_sk();
+
if (!bgp_linpool)
bgp_linpool = lp_new(&root_pool, 4080);
@@ -522,6 +536,17 @@ bgp_start(struct proto *P)
lock->hook = bgp_start_locked;
lock->data = p;
olock_acquire(lock);
+
+ /* We should create security association after we get a lock not to
+ * break existing connections.
+ */
+ if (p->cf->password)
+ {
+ int rv = sk_set_md5_auth(bgp_listen_sk, p->cf->remote_ip, p->cf->password);
+ if (rv < 0)
+ return PS_STOP;
+ }
+
return PS_START;
}
@@ -611,6 +636,14 @@ bgp_check(struct bgp_config *c)
cf_error("Local AS number must be set");
if (!c->remote_as)
cf_error("Neighbor must be configured");
+ if (!bgp_as4_support && c->enable_as4)
+ cf_error("AS4 support disabled globbaly");
+ if (!c->enable_as4 && (c->local_as > 0xFFFF))
+ cf_error("Local AS number out of range");
+ if (!c->enable_as4 && (c->remote_as > 0xFFFF))
+ cf_error("Neighbor AS number out of range");
+ if ((c->local_as != c->remote_as) && (c->rr_client))
+ cf_error("Only internal neighbor can be RR client");
}
static void
diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h
index 6519db85..1d67e336 100644
--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -16,7 +16,7 @@ struct eattr;
struct bgp_config {
struct proto_config c;
- unsigned int local_as, remote_as;
+ u32 local_as, remote_as;
ip_addr remote_ip;
int multihop; /* Number of hops if multihop */
ip_addr multihop_via; /* Multihop: address to route to */
@@ -25,6 +25,9 @@ struct bgp_config {
int compare_path_lengths; /* Use path lengths when selecting best route */
u32 default_local_pref; /* Default value for LOCAL_PREF attribute */
u32 default_med; /* Default value for MULTI_EXIT_DISC attribute */
+ int enable_as4; /* Enable local support for 4B AS numbers [RFC4893] */
+ u32 rr_cluster_id; /* Route reflector cluster ID, if different from local ID */
+ int rr_client; /* Whether neighbor is RR client of me */
unsigned connect_retry_time;
unsigned hold_time, initial_hold_time;
unsigned keepalive_time;
@@ -33,6 +36,7 @@ struct bgp_config {
unsigned error_delay_time_min; /* Time to wait after an error is detected */
unsigned error_delay_time_max;
unsigned disable_after_error; /* Disable the protocol when error is detected */
+ char *password; /* Password used for MD5 authentication */
};
struct bgp_conn {
@@ -47,16 +51,21 @@ struct bgp_conn {
byte *notify_data;
int error_flag; /* Error state, ignore all input */
int primary; /* This connection is primary */
+ u32 advertised_as; /* Temporary value for AS number received */
unsigned hold_time, keepalive_time; /* Times calculated from my and neighbor's requirements */
};
struct bgp_proto {
struct proto p;
struct bgp_config *cf; /* Shortcut to BGP configuration */
- unsigned local_as, remote_as;
+ u32 local_as, remote_as;
int is_internal; /* Internal BGP connection (local_as == remote_as) */
+ int as4_support; /* Peer supports 4B AS numbers [RFC4893] */
+ int as4_session; /* Session uses 4B AS numbers in AS_PATH (both sides support it) */
u32 local_id; /* BGP identifier of this router */
u32 remote_id; /* BGP identifier of the neighbor */
+ u32 rr_cluster_id; /* Route reflector cluster ID */
+ int rr_client; /* Whether neighbor is RR client of me */
struct bgp_conn *conn; /* Connection we have established */
struct bgp_conn outgoing_conn; /* Outgoing connection we're working with */
struct bgp_conn incoming_conn; /* Incoming connection we have neither accepted nor rejected yet */
@@ -100,6 +109,9 @@ struct bgp_bucket {
extern struct linpool *bgp_linpool;
+extern int bgp_as4_support;
+
+
void bgp_start_timer(struct timer *t, int value);
void bgp_check(struct bgp_config *c);
void bgp_error(struct bgp_conn *c, unsigned code, unsigned subcode, byte *data, int len);
@@ -115,17 +127,21 @@ void bgp_close_conn(struct bgp_conn *c);
/* attrs.c */
-byte *bgp_attach_attr(struct ea_list **to, struct linpool *, unsigned attr, unsigned val);
+void bgp_attach_attr(struct ea_list **to, struct linpool *pool, unsigned attr, uintptr_t val);
+byte *bgp_attach_attr_wa(struct ea_list **to, struct linpool *pool, unsigned attr, unsigned len);
struct rta *bgp_decode_attrs(struct bgp_conn *conn, byte *a, unsigned int len, struct linpool *pool, int mandatory);
int bgp_get_attr(struct eattr *e, byte *buf);
int bgp_rte_better(struct rte *, struct rte *);
void bgp_rt_notify(struct proto *, struct network *, struct rte *, struct rte *, struct ea_list *);
int bgp_import_control(struct proto *, struct rte **, struct ea_list **, struct linpool *);
void bgp_attr_init(struct bgp_proto *);
-unsigned int bgp_encode_attrs(byte *w, struct ea_list *attrs, int remains);
+unsigned int bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains);
void bgp_free_bucket(struct bgp_proto *p, struct bgp_bucket *buck);
void bgp_get_route_info(struct rte *, byte *buf, struct ea_list *attrs);
+inline static void bgp_attach_attr_ip(struct ea_list **to, struct linpool *pool, unsigned attr, ip_addr a)
+{ *(ip_addr *) bgp_attach_attr_wa(to, pool, attr, sizeof(ip_addr)) = a; }
+
/* packets.c */
void bgp_schedule_packet(struct bgp_conn *conn, int type);
@@ -165,6 +181,8 @@ void bgp_log_error(struct bgp_proto *p, char *msg, unsigned code, unsigned subco
#define BA_MP_REACH_NLRI 0x0e /* [RFC2283] */
#define BA_MP_UNREACH_NLRI 0x0f
#define BA_EXTENDED_COMM 0x10 /* draft-ramachandra-bgp-ext-communities */
+#define BA_AS4_PATH 0x11 /* [RFC4893] */
+#define BA_AS4_AGGREGATOR 0x12
/* BGP states */
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index 52ad731e..8524b2dd 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -18,9 +18,10 @@ CF_DECLS
CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE,
MULTIHOP, STARTUP, VIA, NEXT, HOP, SELF, DEFAULT, PATH, METRIC,
- ERROR, START, DELAY, FORGET, WAIT, DISABLE, AFTER,
+ ERROR, START, DELAY, FORGET, WAIT, ENABLE, DISABLE, AFTER,
BGP_PATH, BGP_LOCAL_PREF, BGP_MED, BGP_ORIGIN, BGP_NEXT_HOP,
- BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS)
+ BGP_ATOMIC_AGGR, BGP_AGGREGATOR, BGP_COMMUNITY, SOURCE, ADDRESS,
+ PASSWORD, RR, CLIENT, CLUSTER, ID, AS4)
CF_GRAMMAR
@@ -32,27 +33,28 @@ bgp_proto_start: proto_start BGP {
BGP_CFG->hold_time = 240;
BGP_CFG->connect_retry_time = 120;
BGP_CFG->initial_hold_time = 240;
- BGP_CFG->default_med = ~0; /* RFC 1771 doesn't specify this, draft-09 says ~0 */
+ BGP_CFG->default_med = 0;
BGP_CFG->compare_path_lengths = 1;
BGP_CFG->start_delay_time = 5;
BGP_CFG->error_amnesia_time = 300;
BGP_CFG->error_delay_time_min = 60;
BGP_CFG->error_delay_time_max = 300;
+ BGP_CFG->enable_as4 = bgp_as4_support;
}
;
bgp_proto:
bgp_proto_start proto_name '{'
| bgp_proto proto_item ';'
- | bgp_proto LOCAL AS expr ';' {
- if ($4 < 0 || $4 > 65535) cf_error("AS number out of range");
- BGP_CFG->local_as = $4;
- }
+ | bgp_proto LOCAL AS expr ';' { BGP_CFG->local_as = $4; }
| bgp_proto NEIGHBOR ipa AS expr ';' {
- if ($5 < 0 || $5 > 65535) cf_error("AS number out of range");
+ if (ipa_nonzero(BGP_CFG->remote_ip)) cf_error("Only one neighbor per BGP instance is allowed");
+
BGP_CFG->remote_ip = $3;
BGP_CFG->remote_as = $5;
}
+ | bgp_proto RR CLUSTER ID expr ';' { BGP_CFG->rr_cluster_id = $5; }
+ | bgp_proto RR CLIENT ';' { BGP_CFG->rr_client = 1; }
| bgp_proto HOLD TIME expr ';' { BGP_CFG->hold_time = $4; }
| bgp_proto STARTUP HOLD TIME expr ';' { BGP_CFG->initial_hold_time = $5; }
| bgp_proto CONNECT RETRY TIME expr ';' { BGP_CFG->connect_retry_time = $5; }
@@ -67,6 +69,8 @@ bgp_proto:
| bgp_proto ERROR FORGET TIME expr ';' { BGP_CFG->error_amnesia_time = $5; }
| bgp_proto ERROR WAIT TIME expr ',' expr ';' { BGP_CFG->error_delay_time_min = $5; BGP_CFG->error_delay_time_max = $7; }
| bgp_proto DISABLE AFTER ERROR bool ';' { BGP_CFG->disable_after_error = $5; }
+ | bgp_proto ENABLE AS4 bool ';' { BGP_CFG->enable_as4 = $4; }
+ | bgp_proto PASSWORD TEXT ';' { BGP_CFG->password = $3; }
;
CF_ADDTO(dynamic_attr, BGP_PATH
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 2e6f0b60..c18c6e42 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -12,6 +12,7 @@
#include "nest/iface.h"
#include "nest/protocol.h"
#include "nest/route.h"
+#include "nest/attrs.h"
#include "conf/conf.h"
#include "lib/unaligned.h"
#include "lib/socket.h"
@@ -30,25 +31,10 @@ bgp_create_notification(struct bgp_conn *conn, byte *buf)
return buf + 2 + conn->notify_size;
}
+#ifdef IPV6
static byte *
-bgp_create_open(struct bgp_conn *conn, byte *buf)
+bgp_put_cap_ipv6(struct bgp_conn *conn UNUSED, byte *buf)
{
- struct bgp_proto *p = conn->bgp;
-
- BGP_TRACE(D_PACKETS, "Sending OPEN(ver=%d,as=%d,hold=%d,id=%08x)",
- BGP_VERSION, p->local_as, p->cf->hold_time, p->local_id);
- buf[0] = BGP_VERSION;
- put_u16(buf+1, p->local_as);
- put_u16(buf+3, p->cf->hold_time);
- put_u32(buf+5, p->local_id);
-#ifndef IPV6
- buf[9] = 0; /* No optional parameters */
- return buf+10;
-#else
- buf += 9;
- *buf++ = 8; /* Optional params len */
- *buf++ = 2; /* Option: Capability list */
- *buf++ = 6; /* Option length */
*buf++ = 1; /* Capability 1: Multiprotocol extensions */
*buf++ = 4; /* Capability data length */
*buf++ = 0; /* We support AF IPv6 */
@@ -56,7 +42,53 @@ bgp_create_open(struct bgp_conn *conn, byte *buf)
*buf++ = 0; /* RFU */
*buf++ = 1; /* and SAFI 1 */
return buf;
+}
#endif
+
+static byte *
+bgp_put_cap_as4(struct bgp_conn *conn, byte *buf)
+{
+ *buf++ = 65; /* Capability 65: Support for 4-octet AS number */
+ *buf++ = 4; /* Capability data length */
+ put_u32(buf, conn->bgp->local_as);
+ return buf + 4;
+}
+
+static byte *
+bgp_create_open(struct bgp_conn *conn, byte *buf)
+{
+ struct bgp_proto *p = conn->bgp;
+ byte *cap;
+ int cap_len;
+
+ BGP_TRACE(D_PACKETS, "Sending OPEN(ver=%d,as=%d,hold=%d,id=%08x)",
+ BGP_VERSION, p->local_as, p->cf->hold_time, p->local_id);
+ buf[0] = BGP_VERSION;
+ put_u16(buf+1, (p->local_as < 0xFFFF) ? p->local_as : AS_TRANS);
+ put_u16(buf+3, p->cf->hold_time);
+ put_u32(buf+5, p->local_id);
+ /* Skipped 3 B for length field and Capabilities parameter header */
+ cap = buf + 12;
+
+#ifdef IPV6
+ cap = bgp_put_cap_ipv6(conn, cap);
+#endif
+ if (p->cf->enable_as4)
+ cap = bgp_put_cap_as4(conn, cap);
+
+ cap_len = cap - buf - 12;
+ if (cap_len > 0)
+ {
+ buf[9] = cap_len + 2; /* Optional params len */
+ buf[10] = 2; /* Option: Capability list */
+ buf[11] = cap_len; /* Option length */
+ return cap;
+ }
+ else
+ {
+ buf[9] = 0; /* No optional parameters */
+ return buf + 10;
+ }
}
static unsigned int
@@ -118,7 +150,7 @@ bgp_create_update(struct bgp_conn *conn, byte *buf)
continue;
}
DBG("Processing bucket %p\n", buck);
- a_size = bgp_encode_attrs(w+2, buck->eattrs, 1024);
+ a_size = bgp_encode_attrs(p, w+2, buck->eattrs, 1024);
put_u16(w, a_size);
w += a_size + 2;
r_size = bgp_encode_prefixes(p, w, buck, remains - a_size);
@@ -161,12 +193,12 @@ bgp_create_update(struct bgp_conn *conn, byte *buf)
if ((buck = p->withdraw_bucket) && !EMPTY_LIST(buck->prefixes))
{
DBG("Withdrawn routes:\n");
- tmp = bgp_attach_attr(&ea, bgp_linpool, BA_MP_UNREACH_NLRI, remains-8);
+ tmp = bgp_attach_attr_wa(&ea, bgp_linpool, BA_MP_UNREACH_NLRI, remains-8);
*tmp++ = 0;
*tmp++ = BGP_AF_IPV6;
*tmp++ = 1;
ea->attrs[0].u.ptr->length = bgp_encode_prefixes(p, tmp, buck, remains-11);
- size = bgp_encode_attrs(w, ea, remains);
+ size = bgp_encode_attrs(p, w, ea, remains);
w += size;
remains -= size;
}
@@ -183,10 +215,10 @@ bgp_create_update(struct bgp_conn *conn, byte *buf)
continue;
}
DBG("Processing bucket %p\n", buck);
- size = bgp_encode_attrs(w, buck->eattrs, 1024);
+ size = bgp_encode_attrs(p, w, buck->eattrs, 1024);
w += size;
remains -= size;
- tstart = tmp = bgp_attach_attr(&ea, bgp_linpool, BA_MP_REACH_NLRI, remains-8);
+ tstart = tmp = bgp_attach_attr_wa(&ea, bgp_linpool, BA_MP_REACH_NLRI, remains-8);
*tmp++ = 0;
*tmp++ = BGP_AF_IPV6;
*tmp++ = 1;
@@ -230,7 +262,7 @@ bgp_create_update(struct bgp_conn *conn, byte *buf)
*tmp++ = 0; /* No SNPA information */
tmp += bgp_encode_prefixes(p, tmp, buck, remains - (8+3+32+1));
ea->attrs[0].u.ptr->length = tmp - tstart;
- w += bgp_encode_attrs(w, ea, remains);
+ w += bgp_encode_attrs(p, w, ea, remains);
break;
}
}
@@ -353,9 +385,50 @@ bgp_tx(sock *sk)
;
}
+/* Capatibility negotiation as per RFC 2842 */
+
+void
+bgp_parse_capabilities(struct bgp_conn *conn, byte *opt, int len)
+{
+ struct bgp_proto *p = conn->bgp;
+ int cl;
+ u32 as;
+
+ while (len > 0)
+ {
+ if (len < 2 || len < 2 + opt[1])
+ goto err;
+
+ cl = opt[1];
+
+ switch (opt[0])
+ {
+ case 65:
+ if (cl != 4)
+ goto err;
+ p->as4_support = 1;
+ p->as4_session = p->cf->enable_as4;
+ if (p->as4_session)
+ conn->advertised_as = get_u32(opt + 2);
+ break;
+
+ /* We can safely ignore all other capabilities */
+ }
+ len -= 2 + cl;
+ opt += 2 + cl;
+ }
+ return;
+
+ err:
+ bgp_error(conn, 2, 0, NULL, 0);
+ return;
+}
+
static int
bgp_parse_options(struct bgp_conn *conn, byte *opt, int len)
{
+ int ol;
+
while (len > 0)
{
if (len < 2 || len < 2 + opt[1])
@@ -369,12 +442,14 @@ bgp_parse_options(struct bgp_conn *conn, byte *opt, int len)
DBG("\n");
}
#endif
+
+ ol = opt[1];
switch (opt[0])
{
case 2:
- /* Capatibility negotiation as per RFC 2842 */
- /* We can safely ignore all capabilities announced */
+ bgp_parse_capabilities(conn, opt + 2, ol);
break;
+
default:
/*
* BGP specs don't tell us to send which option
@@ -382,11 +457,11 @@ bgp_parse_options(struct bgp_conn *conn, byte *opt, int len)
* to do so. Also, capability negotiation with
* Cisco routers doesn't work without that.
*/
- bgp_error(conn, 2, 4, opt, opt[1]);
+ bgp_error(conn, 2, 4, opt, ol);
return 0;
}
- len -= 2 + opt[1];
- opt += 2 + opt[1];
+ len -= 2 + ol;
+ opt += 2 + ol;
}
return 0;
}
@@ -397,7 +472,7 @@ bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len)
struct bgp_conn *other;
struct bgp_proto *p = conn->bgp;
struct bgp_config *cf = p->cf;
- unsigned as, hold;
+ unsigned hold;
u32 id;
/* Check state */
@@ -409,20 +484,27 @@ bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len)
{ bgp_error(conn, 1, 2, pkt+16, 2); return; }
if (pkt[19] != BGP_VERSION)
{ bgp_error(conn, 2, 1, pkt+19, 1); return; } /* RFC 1771 says 16 bits, draft-09 tells to use 8 */
- as = get_u16(pkt+20);
+ conn->advertised_as = get_u16(pkt+20);
hold = get_u16(pkt+22);
id = get_u32(pkt+24);
- BGP_TRACE(D_PACKETS, "Got OPEN(as=%d,hold=%d,id=%08x)", as, hold, id);
- if (cf->remote_as && as != p->remote_as)
- { bgp_error(conn, 2, 2, pkt+20, -2); return; }
- if (hold > 0 && hold < 3)
- { bgp_error(conn, 2, 6, pkt+22, 2); return; }
- p->remote_id = id;
+ BGP_TRACE(D_PACKETS, "Got OPEN(as=%d,hold=%d,id=%08x)", conn->advertised_as, hold, id);
+
+ p->remote_id = id; // ???
if (bgp_parse_options(conn, pkt+29, pkt[28]))
return;
+
+ if (hold > 0 && hold < 3)
+ { bgp_error(conn, 2, 6, pkt+22, 2); return; }
+
if (!id || id == 0xffffffff || id == p->local_id)
{ bgp_error(conn, 2, 3, pkt+24, -4); return; }
+
+ if (conn->advertised_as != p->remote_as)
+ {
+ bgp_error(conn, 2, 2, (byte *) &(conn->advertised_as), -4); return;
+ }
+
/* Check the other connection */
other = (conn == &p->outgoing_conn) ? &p->incoming_conn : &p->outgoing_conn;
switch (other->state)
@@ -463,7 +545,7 @@ bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len)
else
conn->hold_time = p->cf->hold_time;
conn->keepalive_time = p->cf->keepalive_time ? : conn->hold_time / 3;
- p->remote_as = as;
+ // p->remote_as = conn->advertised_as;
p->remote_id = id;
DBG("BGP: Hold timer set to %d, keepalive to %d, AS to %d, ID to %x\n", conn->hold_time, conn->keepalive_time, p->remote_as, p->remote_id);
@@ -621,7 +703,7 @@ bgp_do_rx_update(struct bgp_conn *conn,
/* Create fake NEXT_HOP attribute */
if (len < 1 || (*x != 16 && *x != 32) || len < *x + 2)
goto bad;
- memcpy(bgp_attach_attr(&a0->eattrs, bgp_linpool, BA_NEXT_HOP, 16), x+1, 16);
+ bgp_attach_attr_ip(&a0->eattrs, bgp_linpool, BA_NEXT_HOP, x[1]);
len -= *x + 2;
x += *x + 1;
@@ -720,7 +802,7 @@ static struct {
{ 2, 4, "Unsupported optional parameter" },
{ 2, 5, "Authentication failure" },
{ 2, 6, "Unacceptable hold time" },
- { 2, 7, "Required capability missing" }, /* capability negotiation draft */
+ { 2, 7, "Required capability missing" }, /* [RFC3392] */
{ 3, 0, "Invalid UPDATE message" },
{ 3, 1, "Malformed attribute list" },
{ 3, 2, "Unrecognized well-known attribute" },
diff --git a/sysdep/linux/netlink/netlink.c b/sysdep/linux/netlink/netlink.c
index 47841955..38d00afe 100644
--- a/sysdep/linux/netlink/netlink.c
+++ b/sysdep/linux/netlink/netlink.c
@@ -499,6 +499,8 @@ nl_send_route(struct krt_proto *p, rte *e, int new)
nl_add_attr_ipa(&r.h, sizeof(r), RTA_GATEWAY, a->gw);
break;
case RTD_DEVICE:
+ if (!a->iface)
+ return;
r.r.rtm_type = RTN_UNICAST;
nl_add_attr_u32(&r.h, sizeof(r), RTA_OIF, a->iface->index);
break;
@@ -532,11 +534,8 @@ krt_set_notify(struct krt_proto *p, net *n UNUSED, rte *new, rte *old)
else
{
if (old)
- {
- if (!old->attrs->iface || (old->attrs->iface->flags & IF_UP))
- nl_send_route(p, old, 0);
- /* else the kernel has already flushed it */
- }
+ nl_send_route(p, old, 0);
+
if (new)
nl_send_route(p, new, 1);
}
diff --git a/sysdep/linux/sysio.h b/sysdep/linux/sysio.h
index 3a29cdc9..b0aff71f 100644
--- a/sysdep/linux/sysio.h
+++ b/sysdep/linux/sysio.h
@@ -139,3 +139,24 @@ static inline char *sysio_mcast_join(sock *s)
#endif
#endif
+
+#include
+#include
+
+/* For the case that we have older kernel headers */
+/* Copied from Linux kernel file include/linux/tcp.h */
+
+#ifndef TCP_MD5SIG
+
+#define TCP_MD5SIG 14
+#define TCP_MD5SIG_MAXKEYLEN 80
+
+struct tcp_md5sig {
+ struct __kernel_sockaddr_storage tcpm_addr; /* address associated */
+ __u16 __tcpm_pad1; /* zero */
+ __u16 tcpm_keylen; /* key length */
+ __u32 __tcpm_pad2; /* zero */
+ __u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
+};
+
+#endif
diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c
index fa471f6e..8cec2cdd 100644
--- a/sysdep/unix/io.c
+++ b/sysdep/unix/io.c
@@ -546,6 +546,7 @@ sk_new(pool *p)
s->err_hook = NULL;
s->fd = -1;
s->rbuf_alloc = s->tbuf_alloc = NULL;
+ s->password = NULL;
return s;
}
@@ -642,6 +643,71 @@ bad:
return err;
}
+
+/* FIXME: check portability */
+
+static int
+sk_set_md5_auth_int(sock *s, sockaddr *sa, char *passwd)
+{
+ struct tcp_md5sig md5;
+
+ memset(&md5, 0, sizeof(md5));
+ memcpy(&md5.tcpm_addr, (struct sockaddr *) sa, sizeof(*sa));
+
+ if (passwd)
+ {
+ int len = strlen(passwd);
+
+ if (len > TCP_MD5SIG_MAXKEYLEN)
+ {
+ log(L_ERR "MD5 password too long");
+ return -1;
+ }
+
+ md5.tcpm_keylen = len;
+ memcpy(&md5.tcpm_key, passwd, len);
+ }
+
+ int rv = setsockopt(s->fd, IPPROTO_TCP, TCP_MD5SIG, &md5, sizeof(md5));
+
+ if (rv < 0)
+ {
+ if (errno == ENOPROTOOPT)
+ log(L_ERR "Kernel does not support TCP MD5 signatures");
+ else
+ log(L_ERR "sk_set_md5_auth_int: setsockopt: %m");
+ }
+
+ return rv;
+}
+
+/**
+ * sk_set_md5_auth - add / remove MD5 security association for given socket.
+ * @s: socket
+ * @a: IP address of the other side
+ * @passwd: password used for MD5 authentication
+ *
+ * In TCP MD5 handling code in kernel, there is a set of pairs
+ * (address, password) used to choose password according to
+ * address of the other side. This function is useful for
+ * listening socket, for active sockets it is enough to set
+ * s->password field.
+ *
+ * When called with passwd != NULL, the new pair is added,
+ * When called with passwd == NULL, the existing pair is removed.
+ *
+ * Result: 0 for success, -1 for an error.
+ */
+
+int
+sk_set_md5_auth(sock *s, ip_addr a, char *passwd)
+{
+ sockaddr sa;
+ fill_in_sockaddr(&sa, a, 0);
+ return sk_set_md5_auth_int(s, &sa, passwd);
+}
+
+
static void
sk_tcp_connected(sock *s)
{
@@ -805,6 +871,14 @@ sk_open(sock *s)
ERR("bind");
}
fill_in_sockaddr(&sa, s->daddr, s->dport);
+
+ if (s->password)
+ {
+ int rv = sk_set_md5_auth_int(s, &sa, s->password);
+ if (rv < 0)
+ goto bad_no_log;
+ }
+
switch (type)
{
case SK_TCP_ACTIVE:
@@ -846,6 +920,7 @@ sk_open(sock *s)
bad:
log(L_ERR "sk_open: %s: %m", err);
+bad_no_log:
close(fd);
s->fd = -1;
return -1;
diff --git a/sysdep/unix/krt-set.c b/sysdep/unix/krt-set.c
index bd564486..23cbe5c5 100644
--- a/sysdep/unix/krt-set.c
+++ b/sysdep/unix/krt-set.c
@@ -61,6 +61,8 @@ krt_ioctl(int ioc, rte *e, char *name)
re.rt_flags |= RTF_GATEWAY;
break;
case RTD_DEVICE:
+ if (!a->iface)
+ return;
re.rt_dev = a->iface->name;
break;
#ifdef RTF_REJECT
diff --git a/sysdep/unix/krt.c b/sysdep/unix/krt.c
index a6d17279..5269eb71 100644
--- a/sysdep/unix/krt.c
+++ b/sysdep/unix/krt.c
@@ -684,7 +684,7 @@ krt_notify(struct proto *P, net *net, rte *new, rte *old, struct ea_list *attrs
{
struct krt_proto *p = (struct krt_proto *) P;
- if (shutting_down && KRT_CF->persist)
+ if (shutting_down)
return;
if (new && (!krt_capable(new) || new->attrs->source == RTS_INHERIT))
new = NULL;