path: root/usr.sbin/bgpd/parse.y
Commit log (age, author, commit message)

3 days  Claudio Jeker
A lot of space fixing and other minor consistency fixes that have no
effect on the code but reduce eyestrain. OK tb@

4 days  Claudio Jeker
Add support for extended messages (RFC8654)
This extends the maximum message size of BGP from 4096 to 65535. This mostly follows rfc8654 with the following differences:
- NOTIFICATIONS are always truncated to fit in 4096 bytes.
- There is no message reduction using "attribute discard" in case of overflow.
- Large messages are only sent if both sides announced extended message support.
OK tb@

2024-10-09  Claudio Jeker
Make it possible to configure tcp md5 and ipsec on rtr as well
Single out the auth_config yacc rules. This requires an extra merge_auth_conf() function to handle manual IPsec setups, but even with that this seems like a net gain. There is no rtr cache that does tcp md5 on OpenBSD so those bits remain untested for now. OK tb@

2024-10-01  Claudio Jeker
Rework the pfkey and tcp md5 API to not depend on struct peer.
Instead use struct auth_config and struct auth_state in the pfkey calls and those tcp_md5 calls where it matters. This is preparation work to allow RTR to use TCP MD5 as well. OK tb@

2024-09-20  Jonathan Gray
remove unneeded semicolons; checked by millert@

2024-08-22  Florian Obser
inet_pton returns 0 and -1 for error.
Adjust the error check that is now wrong after the inet_aton -> inet_pton conversion. Noticed by & OK bluhm. OK tb

2024-08-21  Florian Obser
Use inet_pton to parse ext-communities with an IPv4 address.
No need for inet_aton's flexibility. OK claudio

2024-08-14  Claudio Jeker
Introduce 'rde rib Loc-RIB include filtered', a feature that includes
filtered prefixes in the Loc-RIB.
This includes filtered prefixes into the Loc-RIB but they are marked ineligible so nothing will select them but it is possible to show them in bgpctl. So 'bgpctl show rib filtered' will return all prefixes filtered out by the input filters. OK tb@

2024-08-12  Claudio Jeker
Add 'min-version' RTR config option and default to RTR version 1 by default.
The min-version pins a minimal required version for the rtr session. This is needed if specific PDUs are required and it ensures that the session is not suddenly downgraded. This is important for ASPA where a minimum version of 2 is required. Only then the ASPA PDUs are transmitted. By default a RTR version of 1 is used but setting min-version to 2 will enable draft-ietf-sidrops-8210bis-14 support and enforce it at the same time. Right now defaulting to version 2 is not possible since draft-ietf-sidrops-8210bis failed to progress for too long a time, resulting in a split ecosystem with various incompatible RTR version 2 implementations. OK tb@

2024-05-22  Claudio Jeker
Convert bgpid, remote_bgpid and clusterid to host byte order.
Before, the RDE used host byte order for remote_bgpid but all the other code used network byte order. The reason for that was that bgpid was initially an IPv4 address, but since RFC 6286 in 2011 this is much more relaxed and so it makes more sense to just treat them as numbers and so host byte order. OK tb@

2024-04-24  Claudio Jeker
Remove 'announce capabilities' as neighbor config stanza.
There is no need to have an easy knob to get outdated or crappy implementations to limp along. Instead the various default on capabilities just need to be disabled (e.g. announce as-4byte no). OK tb@

2024-04-11  Theo Buehler
Remove repeated type declaration that makes bison unhappy
Fixes: https://github.com/openbgpd-portable/openbgpd-portable/issues/77 ok claudio

2024-04-09  Claudio Jeker
Limit the number of provider ASnumbers to MAX_ASPA_SPAS_COUNT (10'000)
in the parser as well. OK tb@

2024-04-09  Claudio Jeker
Allow operators to enforce the presence of certain capabilities on sessions.
For simple capabilities this just adds enforce to the yes/no option of the announce statement. For multi-protocol capabilities and add-path there is an extra keyword. On top of this, for add-path the enforcement requires the neighbor to send a matching capability, e.g. 'announce add-path recv enforce' requires the other side to send any 'announce add-path send XYZ' capability. This is mainly to enforce as-4byte and extra multi-protocol capabilities. OK denis@ tb@

2024-04-03  Claudio Jeker
Rewrite str2key() to not use strtoul() to convert 2 hexdigits into one
char. Instead use a simple function to do the conversion per nibble. OK deraadt@ tb@

2024-03-20  Claudio Jeker
Cleanup AID handling.
- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1, e.g. for (i = AID_MIN; i < AID_MAX; i++). If for some reason AID_UNSPEC must be handled make that explicit in the for loop.
- aid2afi() now returns an error for AID_UNSPEC since there is no valid AFI SAFI combo for AID_UNSPEC.
- Add additional checks for AID_MIN where currently only AID_MAX was checked. This affects imsg for route refresh and graceful restart.
- Simplify add-path capability handling. Only the negotiated add_path capa sets the flag for AID_UNSPEC to help code to quickly check if any add-path is active.
OK tb@

2024-03-18  Claudio Jeker
Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly. OK deraadt@

2023-08-16  Claudio Jeker
Remove per-AFI ASPA handling in bgpd internals
With draft-ietf-sidrops-aspa-profile-16 and draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA records was dropped. So remove this complication from the code. This only removes the AFI handling internally in bgpd but still allows the old syntax in aspa-set tables. The optional address family is just ignored and records are merged together. For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so right now we still handle RTR sessions as specified there. The IPv4 and IPv6 ASPA entries are handled in two trees and merged together into one AFI independent tree. This is the best we can do for now until IETF updates draft-ietf-sidrops-8210bis. OK tb@ job@

2023-04-28  Claudio Jeker
Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings. OK tb@

2023-04-26  Claudio Jeker
Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.

2023-04-21  Claudio Jeker
Adjust ext community handling to support the generic transitive communities
introduced with flowspec. OK tb@

2023-04-21  Claudio Jeker
Missing space noticed by Pablo Mendez Hernandez

2023-04-21  Claudio Jeker
Sync common code with bgpctl with the version from there.
OK tb@

2023-04-19  Claudio Jeker
Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.

2023-04-18  Theo Buehler
Rewrite some ugly for loops
This fixes a few KNF issues and ugly line wrapping by using a local version of nitems(); fix two bsearch() on top. ok claudio

2023-04-18  Claudio Jeker
Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few exceptions / extensions). As a result not all flowspec features are available but that is OK. OK tb@

2023-04-05  Claudio Jeker
Refactor port definitions to also support service names like bgp.
OK tb@

2023-04-05  Claudio Jeker
Rename family with af to follow pfctl/parse.y a bit more.
OK tb@

2023-04-04  Claudio Jeker
Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted to be more like the rest. OK tb@

2023-04-03  Claudio Jeker
Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported. OK tb@

2023-03-09  Claudio Jeker
Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:
- add role output to bgpctl, also adjust the capability output. Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when there is a role set. iBGP and sessions with no role will not announce the role capability.
- adjust the role capability announcement to be only on sessions that use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since the neighbor's role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6. For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of the system) for all checks. Also remove the check if the role capability was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set. The RFC requires that prefixes must be considered ineligible (and not treated as withdraw as done before).
- When generating an UPDATE include the OTC attribute unless the AID is neither AID_INET nor AID_INET6.
Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@

2023-01-30  Claudio Jeker
Alter the way extended communities are matched when part of the value
is auto-expanded or masked off. Try to match against both 2- and 4-byte AS encoding and on insertion check if expansion is actually possible and deny communities where both community values are > USHRT_MAX. OK tb@

2023-01-24  Claudio Jeker
Implement filter and control message matching for ASPA.
This adds avs (ASPA validation state) which can be 'unknown', 'valid' or 'invalid'. It behaves similarly to ovs but the ASPA validation state of paths from iBGP sessions is 'unknown' and the role of the ebgp session is important to get the right validation state. OK tb@

2023-01-20  Claudio Jeker
Document the aspa-set table. While there remove the superfluous 'allow'
keyword. OK tb@

2023-01-04  Claudio Jeker
Add a per eBGP session role to the config.
This somewhat replaces the RFC 9234 open policy role. This is done because ASPA requires the same role to be present to properly validate paths. For iBGP sessions the role is forced to ROLE_NONE. If no role is set on an ebgp session then 'announce policy' is forced to 'no'. Also make sure the role capability is only added if the role is set. OK tb@

2022-11-18  Claudio Jeker
Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet but it is possible to specify an aspa-set in the config. Also the validation code in the RDE is missing so this does not do anything. With this in, it will be possible to extend rpki-client to publish an aspa-set as part of the openbgpd config file. OK tb@

2022-09-21  Claudio Jeker
The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via kr_default_prio() and kr_check_prio(). OK tb@

2022-08-17  Claudio Jeker
Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().
The memory regions passed to memcpy() can not overlap so no need for memmove(). OK tb@ deraadt@

2022-07-28  Theo de Raadt
whitespace found during a read-thru; ok claudio

2022-07-21  Claudio Jeker
Relax the config of add-path send and rde evaluate all
add-path send is kind of like rde evaluate all (at least if plus is used) and so it kind of implies 'rde evaluate all' in that case. Removing the check in neighbor_consistent() allows setting up sessions so that 'either or' are used. This makes sense since peers may opt out of add-path by disabling the capability on their side. Based on report from Pier Carlo Chiodi OK tb@

2022-07-11  Claudio Jeker
Implement send side of RFC7911 ADD-PATH
This allows sending out more than one path per prefix to a neighbor that supports add-path receive. OpenBGPD supports a few different modes to select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up to and including the nexthop metric
- as-wide-best: send out paths that evaluate the same up to but not including the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp and as-wide-best allow to include extra paths (e.g. best plus 2) and for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4). OK tb@

2022-06-27  Claudio Jeker
Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles
With this it is possible to send a role in the OPEN message and if that was successful the RDE will add the new OTC attribute if necessary. OK tb@

2022-06-15  Claudio Jeker
Do not use defines from pfkeyv2.h in portable code.
Instead define our own algorithm enums for the IPsec code. OK tb@ sthen@

2022-06-09  Claudio Jeker
Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely. OK tb@

2022-06-02  Claudio Jeker
Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for userland. The minimal usable routing prio is 2. OK tb@

2022-06-02  Claudio Jeker
Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message. OK tb@

2022-06-02  Claudio Jeker
Cleanup ktable_exists() usage and its warning message.
Check the return value in all cases and use a common idiom for this check. OK tb@

2022-05-31  Claudio Jeker
Implement a max communities filter match
When max-communities X is set on a filterrule the filter will match when more than X communities are present in the path. In other words max-communities 0 means no communities are allowed and max-communities 3 limits it up to 3 communities. There is max-communities, max-ext-communities and max-large-communities for each of the 3 community attributes. These three max checks can be used together. OK tb@ job@

2022-05-23  Theo de Raadt
whitespaces found when I went checking for something else

2022-03-15  Claudio Jeker
Change how $macros are expanded in the config.
Expand $macros not only at the start of a yacc token but also inside STRING elements. STRING elements are used e.g. for community specifications and it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion of macros in quoted strings (both single and double quotes). Factor out the macro expand logic and with this introduce its own lookup buffer for the macro name. For expansion to work inside STRING the char after the macro name must be a character not allowed in macro names (not alpha-numerical or '_'). Add extra checks to set variables. Mainly restrict the length of the name and also make sure it does not include characters that are not allowed. OK tb@