Merge commit 'e29f134a' into thread-merge-2.16

CONTRIBUTING.md

@@ -0,0 +1,106 @@
+# Contributing to BIRD
+
+We welcome a broad range of contributions to BIRD with some limitations and
+caveats.
+
+BIRD is highly optimized for performance in both memory and computation time.
+We generally don't accept obviously inefficient code and even though the
+quality of the existing codebase quite varies, there should be good reasons
+why to commit something slow or greedy.
+
+There are several basic rules for contributing:
+
+- your branch must have understandable commit messages
+- your branch must be either:
+  - rooted in the current thread-next, aiming for inclusion in BIRD 3
+  - or rooted in the master branch; in this case, we may refuse your patch
+    if it's completely unmergeable with thread-next
+- when incorporating proposed fixes, you may have to rebase your branch
+- please add automatic tests (see below)
+- upfront and continuous consultation with the development team gives you a
+  fast track for merging
+- don't forget to update documentation
+
+## Security issues
+
+Please contact us on bird-support@network.cz for private disclosure of any
+security issues. This includes any crash in or related to filters, induced by
+CLI or by receiving a malformed message by a protocol.
+
+## How to contribute
+
+You can either send a patch (prepared by git format-patch) to our mailing-list
+bird-users@network.cz, or you can send just a link to your repository and the
+commit hash you're contributing.
+
+## What if your contribution isn't mergable
+
+If your code needs minor updates to align with our standards / taste, we'll
+just do these modifications ourselves and either add these as a separate commit
+or just update your commit noting this fact in the commit message.
+
+If your code has some major flaws, misses the point or introduces another
+problem (e.g. performance issues), we'll refuse your patch. Then we'll either
+try to tell you how we prefer to reach the goal, or we may reimplement your
+ideas ourselves. We'll mention your original contribution in the commit message.
+
+## Specific kinds of contributions
+
+### Substantial updates
+
+If you feel like the BIRD internals need some major changes and you wish to
+implement it, please contact the development team first. We're (as of May 2024)
+developing two versions at once and we have some raw thoughts about BIRD's future
+which we haven't published yet.
+
+Beware that BIRD is more convoluted inside than it looks like on the surface,
+and in many places the learning curve is _very_ steep.
+
+### New protocol implementations
+
+We generally welcome broadening of BIRD capabilities. Upfront consultation is
+very much appreciated to align all parties on the development principles,
+internal APIs, coding style and more.
+
+### Refactoring and reformatting
+
+Please don't send us _any_ refactoring proposals without previous explicit approval.
+
+### Programmer's documentation, user documentation or tutorials
+
+We welcome updates to enhance the documentation, including the algorithmic
+principles, internal libraries and API. We keep our right to reject low quality
+contributions altogether.
+
+### Minor changes
+
+Feel free to propose minor fixes in any part of BIRD.
+
+## Testing
+
+There is another repository, https://gitlab.nic.cz/labs/bird-tools.git, where
+we store our automatic tests in the netlab/ directory. This repository is quite
+messy and you may need some help with it. We're planning to move the Netlab
+suite into the main git repository; after we do that, we'll require every
+contribution to add tests (if applicable, of course).
+
+## Crediting policy
+
+The credits are scattered over all the source code files; in the commentary
+section, you may find typically the original authors of these files or some
+major contributors who felt like adding their names there. Overall, if you feel
+like your name should be there, include this change in your commits please.
+If your name should be changed, please do that change there.
+
+We are planning to centralize the credits one day; we'll then update this file
+accordingly.
+
+## Meta
+
+If some of these rules are breached, you may complain either at the mailing
+list, or directly to CZ.NIC who is currently BIRD's maintainer.
+
+If we don't reply within 3 weeks, please ping us. We don't intend to ghost you,
+we are just overloaded.
+
+This contributing policy also applies to itself.

README

@@ -68,12 +68,23 @@ User support
 If you want to help us debugging, enhancing and porting BIRD or just lurk
 around to see what's going to develop, feel free to subscribe to the BIRD
 users mailing list bird-users@network.cz, just send `subscribe' to
-bird-request@network.cz. Bug reports, suggestions, feature requests and
+bird-request@network.cz.
-code are welcome! We don't use gitlab issues for reporting, sorry.
 
 Subscribe:	http://bird.network.cz/mailman/listinfo/bird-users/
 Archive:	http://bird.network.cz/pipermail/bird-users/
 
+Please don't send security issues to the mailing-list, contact us instead at
+bird-support@network.cz which is a private e-mail address where you also can
+get commercial support for your BIRD deployment.
+
+We don't use our gitlab issues for reporting but we're partially tracking
+the core developent team's work there publicly.
+
+Contributing
+============
+
+Please see the CONTRIBUTING.md file to find how to contribute to BIRD.
+
 Licence
 =======
 

doc/bird.sgml

@@ -992,7 +992,7 @@ agreement").
 
 	<tag><label id="proto-pass-gen-from">generate from "<m/time/"</tag>
 	The start time of the usage of the password for packet signing.
-	The format of <cf><m/time/</cf> is <tt>dd-mm-yyyy HH:MM:SS</tt>.
+	The format of <cf><m/time/</cf> is <tt>YYYY-MM-DD [hh:mm:ss[.sss]]</tt>.
 
 	<tag><label id="proto-pass-gen-to">generate to "<m/time/"</tag>
 	The last time of the usage of the password for packet signing.
@@ -2915,10 +2915,9 @@ using the following configuration parameters:
 	restarted. Optionally, it can be configured (by <cf/graceful/ argument)
 	to trigger graceful restart instead of regular restart. It is also
 	possible to specify section with per-peer BFD session options instead of
-	just switch argument. Most BFD session specific options are allowed here
+	just the switch argument. All BFD session-specific options are allowed
-	with the exception of authentication options. here Note that BFD
+	here. Note that BFD protocol also has to be configured, see
-	protocol also has to be configured, see <ref id="bfd" name="BFD">
+	<ref id="bfd" name="BFD"> section for details. Default: disabled.
-	section for details. Default: disabled.
 
 	<tag><label id="bgp-ttl-security">ttl security <m/switch/</tag>
 	Use GTSM (<rfc id="5082"> - the generalized TTL security mechanism). GTSM
@@ -4846,14 +4845,14 @@ protocol ospf MyOSPF {
 			authentication cryptographic;
 			password "abc" {
 				id 1;
-				generate to "22-04-2003 11:00:06";
+				generate to "2023-04-22 11:00:06";
-				accept from "17-01-2001 12:01:05";
+				accept from "2021-01-17 12:01:05";
 				algorithm hmac sha384;
 			};
 			password "def" {
 				id 2;
-				generate to "22-07-2005 17:03:21";
+				generate to "2025-07-22";
-				accept from "22-02-2001 11:34:06";
+				accept from "2021-02-22";
 				algorithm hmac sha512;
 			};
 		};

nest/bfd.h

@@ -21,6 +21,8 @@ struct bfd_options {
   u8 passive;
   u8 passive_set;
   u8 mode;
+  u8 auth_type;				/* Authentication type (BFD_AUTH_*) */
+  list *passwords;			/* Passwords for authentication */
 };
 
 struct bfd_request {

nest/config.Y

@@ -162,7 +162,6 @@ CF_KEYWORDS(BGP, PASSWORDS, DESCRIPTION)
 CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES, RESTRICT, MEMORY, CLASS, DSCP, PARTIAL)
 CF_KEYWORDS(TIMEFORMAT, ISO, SHORT, LONG, ROUTE, PROTOCOL, BASE, LOG, S, MS, US)
 CF_KEYWORDS(GRACEFUL, RESTART, WAIT, MAX, AS)
-CF_KEYWORDS(MIN, IDLE, RX, TX, INTERVAL, MULTIPLIER, PASSIVE)
 CF_KEYWORDS(CHECK, LINK)
 CF_KEYWORDS(CORK, SORTED, TRIE, MIN, MAX, ROA, DIGEST, ROUTE, REFRESH, SETTLE, TIME, GC, THRESHOLD, PERIOD)
 CF_KEYWORDS(MPLS_LABEL, MPLS_POLICY, MPLS_CLASS)
@@ -665,26 +664,9 @@ password_item_end:
 };
 
 
-/* BFD options */
+/* BFD options - just dummy rule, rest in proto/bfd/config.Y */
+bfd_opts: '{' INVALID_TOKEN '}';
 
-bfd_item:
-   INTERVAL expr_us { this_bfd_opts->min_rx_int = this_bfd_opts->min_tx_int = $2; }
- | MIN RX INTERVAL expr_us { this_bfd_opts->min_rx_int = $4; }
- | MIN TX INTERVAL expr_us { this_bfd_opts->min_tx_int = $4; }
- | IDLE TX INTERVAL expr_us { this_bfd_opts->idle_tx_int = $4; }
- | MULTIPLIER expr { this_bfd_opts->multiplier = $2; }
- | PASSIVE bool { this_bfd_opts->passive = $2; this_bfd_opts->passive_set = 1; }
- | GRACEFUL { this_bfd_opts->mode = BGP_BFD_GRACEFUL; }
- ;
-
-bfd_items:
-   /* empty */
- | bfd_items bfd_item ';'
- ;
-
-bfd_opts:
-   '{' bfd_items '}'
- ;
 
 /* Core commands */
 CF_CLI_HELP(SHOW, ..., [[Show status information]])

proto/bfd/bfd.c

@@ -181,6 +181,8 @@ bfd_merge_options(const struct bfd_iface_config *cf, const struct bfd_options *o
     .idle_tx_int = opts->idle_tx_int ?: cf->idle_tx_int,
     .multiplier = opts->multiplier ?: cf->multiplier,
     .passive = opts->passive_set ? opts->passive : cf->passive,
+    .auth_type = opts->auth_type ?: cf->auth_type,
+    .passwords = opts->passwords ?: cf->passwords,
   };
 }
 
@@ -1235,7 +1237,7 @@ bfd_show_session(struct bfd_session *s, int details)
   const char *ifname = (s->ifa && s->ifa->iface) ? s->ifa->iface->name : "---";
   btime tx_int = s->last_tx ? MAX(s->des_min_tx_int, s->rem_min_rx_int) : 0;
   btime timeout = (btime) MAX(s->req_min_rx_int, s->rem_min_tx_int) * s->rem_detect_mult;
-  u8 auth_type = s->ifa->cf->auth_type;
+  u8 auth_type = s->cf.auth_type;
 
   loc_state = (loc_state < 4) ? loc_state : 0;
   rem_state = (rem_state < 4) ? rem_state : 0;

proto/bfd/bfd.h

@@ -69,6 +69,8 @@ struct bfd_session_config
   u32 idle_tx_int;
   u8 multiplier;
   u8 passive;
+  u8 auth_type;				/* Authentication type (BFD_AUTH_*) */
+  list *passwords;			/* Passwords for authentication */
 };
 
 struct bfd_neighbor

proto/bfd/config.Y

@@ -185,6 +185,52 @@ bfd_neighbor: ipa bfd_neigh_iface bfd_neigh_local bfd_neigh_multihop
 };
 
 
+/* BFD options */
+
+bfd_item:
+   INTERVAL expr_us { this_bfd_opts->min_rx_int = this_bfd_opts->min_tx_int = $2; }
+ | MIN RX INTERVAL expr_us { this_bfd_opts->min_rx_int = $4; }
+ | MIN TX INTERVAL expr_us { this_bfd_opts->min_tx_int = $4; }
+ | IDLE TX INTERVAL expr_us { this_bfd_opts->idle_tx_int = $4; }
+ | MULTIPLIER expr { this_bfd_opts->multiplier = $2; }
+ | PASSIVE bool { this_bfd_opts->passive = $2; this_bfd_opts->passive_set = 1; }
+ | GRACEFUL { this_bfd_opts->mode = BGP_BFD_GRACEFUL; }
+ | AUTHENTICATION bfd_auth_type { this_bfd_opts->auth_type = $2; }
+ | password_list {}
+ ;
+
+bfd_items:
+   /* empty */
+ | bfd_items bfd_item ';'
+ ;
+
+bfd_opts_start:
+{ reset_passwords(); } ;
+
+bfd_opts_end:
+{
+  this_bfd_opts->passwords = get_passwords();
+
+  if (!this_bfd_opts->auth_type != !this_bfd_opts->passwords)
+    cf_warn("Authentication and password options should be used together");
+
+  if (this_bfd_opts->passwords)
+  {
+    struct password_item *pass;
+    WALK_LIST(pass, *this_bfd_opts->passwords)
+    {
+      if (pass->alg)
+        cf_error("Password algorithm option not available in BFD protocol");
+
+      pass->alg = bfd_auth_type_to_hash_alg[this_bfd_opts->auth_type];
+    }
+  }
+};
+
+bfd_opts:
+  '{' bfd_opts_start bfd_items '}' bfd_opts_end;
+
+
 CF_CLI_HELP(SHOW BFD, ..., [[Show information about BFD protocol]]);
 
 CF_CLI_HELP(SHOW BFD SESSIONS, ..., [[Show information about BFD sessions]]);

proto/bfd/packets.c

@@ -109,7 +109,7 @@ const u8 bfd_auth_type_to_hash_alg[] = {
 static void
 bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
 {
-  struct bfd_iface_config *cf = s->ifa->cf;
+  struct bfd_session_config *cf = &s->cf;
   struct password_item *pass = password_find(cf->passwords, 0);
   uint meticulous = 0;
 
@@ -179,7 +179,7 @@ bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_c
 static int
 bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
 {
-  struct bfd_iface_config *cf = s->ifa->cf;
+  struct bfd_session_config *cf = &s->cf;
   const char *err_dsc = NULL;
   uint err_val = 0;
   uint auth_type = 0;
@@ -306,7 +306,7 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final)
   else if (s->poll_active)
     pkt->flags |= BFD_FLAG_POLL;
 
-  if (s->ifa->cf->auth_type)
+  if (s->cf.auth_type)
     bfd_fill_authentication(p, s, pkt);
 
   if (sk->tbuf != sk->tpos)