Age | Commit message | Author |
|
For this use the validation state (vstate) in struct prefix and
struct filterstate to store both the ASPA and ROA validity.
Introduce helper functions to set and get the various states for
struct prefix and make sure struct filterstate is also setup properly.
Change the ASPA state in rde_aspath to be AFI/AID and role independent
by storing all 4 possible outcomes. Also add an ASPA generation count
which is used to update the rde_aspath ASPA state cache on reloads.
Rework the rde_aspa.c code to be AFI/AID and role independent. Doing
this for roles is trivial but AFI switch goes deep and is so unnecessary.
The reload is combined with the ROA reload logic and renamed to RPKI
softreload.
OK tb@
|
keyword.
OK tb@
|
to the various prefix update functions.
While there fix a filterstate leak in up_generate_updates().
With and OK tb@
|
and by making peer_imsg_pending() a true O(1) function.
OK tb@
|
RDE. The actual reload logic is missing to keep the diff small.
OK tb@
|
Found by and fix provided by Zenon Mousmoulas (@zmousm)
|
- rde_filterstate_init(): initialize a filterstate to default values
- rde_filterstate_copy(): copy from a filterstate into a new state object
- rde_filterstate_prep(): set filterstate based on prefix passed as argument.
This makes the code a bit easier to read.
OK tb@
|
Removes vstate argument from rde_filter().
Rename prefix_vstate() to prefix_roa_vstate().
OK tb@
|
This implements ASPA validation based on the current draft. Implementing
this showed various weaknesses in the current ASPA draft which I hope to
fix in the near future.
Unlike the algorithm specified in the draft our version validates the
AS_PATH attribute in a single pass doing one or two lookups depending on
the session's BGP role.
The code is not yet hooked up into the RDE (see the NOTYET blocks).
Missing are reload logic, bgpctl integration and the loading of the
merged ASPA set from the rtr process.
OK tb@
|
This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@
|
any parts of his diff not taken are noted on tech
|
- Exclude the role capability on ibgp sessions when sending an OPEN
- Warn when a role capability is received on an iBGP session
- Make sure the capability negotiation is skipped for ibgp sessions,
this in turn disables the role capability on the session.
OK tb@
|
A few programs used the plural in their synopsis which doesn't read as
clear as the obvious triple-dot notation.
mdoc(7) .Ar defaults to "file ..." if no arguments are given and consistent
use of 'arg ...' matches that behaviour.
Cleanup a few markups of the same argument so the text keeps reading
naturally; omit unhelpful parts like 'if optional arguments are given,
they are passed along' for tools like time(1) and timeout(1) that obviously
execute commands with whatever arguments were given -- just like doas(1)
which doesn't mention arguments in its DESCRIPTION in the first place.
For expr(1) the difference between 'expressions' and 'expression ...' is
crucial, as arguments must be passed as individual words.
Feedback millert jmc schwarze deraadt
OK jmc
|
instead of per prefix.
OK sthen@
|
OK tb@
|
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@
|
large part of the code.
Issue reported and fix tested by Bars Bars tutbaranov (at) gmail.com
OK tb@
|
L3VPN NLRI have different encoding for updates and withdraws. The withdraw
carries one dummy MPLS label that needs to be skipped. The code doing that
did adjust the length but did not skip the label in the buffer and so
the parsed prefix was off by 3 bytes.
OK tb@
|
ctx is leaked in case an allocation in prefix_dump_new,
prefix_dump_subtree, rib_dump_new, or rib_dump_subtree fails.
Found by CodeChecker.
OK claudio@
|
bgpd and ldpd.
Found by CodeChecker.
OK claudio@
|
OK claudio@
|
for peers that never managed to establish a connection.
OK tb@
|
Thanks Marco D'Itri for spotting them
OK claudio@
|
ok miod@ claudio@ tb@
|
With this bgpd.h no longer depends on net/route.h
OK tb@
|
The generic add-path code up_generate_addpath() reevaluates everything
since this is the simplest way to select the announced paths. For add-path
all this is overkill since there is no dependency between prefixes and so
individual prefixes can be handled more efficiently.
Extend rde_generate_updates() to pass the current newbest and oldbest
prefixes (for the selected best path) but now also include newpath and
oldpath (which is the prefix that is added/removed/modified).
If newpath or oldpath is set then a single prefix was altered and
up_generate_addpath_all() can just remove or add this prefix.
If newpath and oldpath are NULL then the full list based on newbest
needs to be inserted and any old path/prefix removed in the process.
This improves update generation performance on big route collectors using
add-path all substantially.
OK tb@
|
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@
|
Use a per peer path_id_tx to assign to paths received from non add-path
enabled peers. This skips two extra walks of the RIB prefix list and is
a big speed-up when there are many regular sessions. If the session uses
add-path recv then the old way of assigning random path_ids needs to be
used.
With input and OK tb@
|
Connected routes have no gateway set but only have ifindex set.
When an interface is deconfigured this makes sure the right route is
removed.
OK tb@
|
In some cases only a "small" part of the RIB needs to be looked at. Like
bgpctl show rib 10/8 or-longer that only needs to traverse nodes under
10/8 all other RIB entries do not matter. By setting the start node to
the RB_NFIND(10/8) all nodes below this point can be skipped.
Using prefix_compare() while walking the tree with RB_NEXT() the walker
knows when it steps outside of the 10/8 subtree and stops.
With this the or-longer commands become a lot faster.
Looks good to tb@
|
prefixlen. Even for IPv6 this is much faster than a full table walk.
OK tb@
|
Only the RDE used a hashtable for lookups while the session engine
switched from a list to RB tree some time ago.
Use peer_foreach() in the mrt code instead of passing the peer list
as an argument.
OK benno@ tb@
|
prototypes and members that were not removed in the previous RB tree
conversions.
OK benno@ tb@
|
longer used. Also cleanup some hash sizes which are also no longer used.
OK tb@
|
OK benno@ tb@
|
If a run takes too long drop the current update and wait for the next update.
OK benno@
|
OK benno@
|
struct. It uses a bit more memory but improves performance a lot on really
big systems because aspath_get() becomes a very hot function.
OK tb@
|
OK tb@
|
undersized hash table.
OK tb@
|
OK tb@
|
OK tb@
|
them on the per peer imsg queue. This is mainly for IMSG_SESSION_DOWN.
Delaying the session down can race against IMSG_SESSION_ADD which is
handled immediately and as a result an established connection may be
removed in the RDE because of it.
The various graceful restart imsgs need similar treatment for similar
reasons. In the end when a session is reset/closed the RDE needs to
stop all work and flush the per peer imsg queue.
With this only update and route refresh messages are handled via the
imsg queue.
OK tb@
|