summaryrefslogtreecommitdiff
path: root/usr.sbin/ldpd
AgeCommit message (Collapse)Author
2019-08-10Like we did on other daemons that cannot be pledged due to forbidden ioctls theRicardo Mestre
main process can be unveiled to restrict filesystem access. In this case we can restrict it to only read, although it must be the entire / since the daemon is able to include config files from anywhere. Additionally the ldpe process currently has cpath promise to unlink the socket, nevertheless the socket is actually unlinked from the main proc so this permission can be removed. As we discussed before, leaving the socket behind doesn't do any harm that's why I didn't unveil it in the main proc. OK deraadt@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-03-31new sentence, new line;Jason McIntyre
2019-03-31GTSM is not widely known, so be more concrete as to its effectRichard Procter
(viz. hop-limit-sensitive discards). Older implementations are known to violate it, as it was made mandatory only recently by RFC7552 (2015), eight years after the original LDP specification. ok claudio@
2019-03-31Avoid calling dup2(oldd, newd) when oldd == newd. In that case theYASUOKA Masahiko
descriptor keeps CLOEXEC flag then it will be closed unexpectedly by exec(). ok tedu florian
2019-02-13(unsigned) means (unsigned int) which on ptrdiff_t or size_t or otherTheo de Raadt
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2019-01-23teach ldpd to ask if a potential pseudowire interface can do pwe3David Gwynne
this makes ldpd open the ioctl socket early so the config parser can run the SIOCGPWE3 ioctl against the requested interface. ok claudio@
2019-01-23factor out parsing of ldp router ids by making it part of the grammarDavid Gwynne
this way we do the inet_aton and bad address check in one place, and just reuse it in the router-id, neighbor, and pseudowire bits. ok claudio@
2019-01-23rework how tcp md5 signatures are configured.David Gwynne
previously ldpd only allowed tcp md5 to be configured against a neighbor (by ldp router id), but other vendors supported configuring tcp md5sig by prefix as well as neighbor. this reworks the config so auth is maintained globally as a list of prefixes that you do and do not want to do tcp md5sig auth with. the config statements look more like what is in bgpd.conf now too. an example of the new config for interoperating with my baby cisco test network: on ios: mpls ldp password required for MPLS mpls ldp password option 1 for MPLS key-chain LDPAUTH key chain LDPAUTH key 1 key-string secret interface Loopback0 ip address 192.168.0.0 255.255.255.255 end ip prefix-list MPLS seq 5 permit 192.168.0.0/24 ip access-list standard MPLS mpls ldp router-id Loopback0 force and in ldpd.conf: router-id 192.168.0.25 tcp md5sig password secret 192.168.0.0/24 address-family ipv4 { interface vmx1 } this still supports specifying tcp md5sig on neighbors, but that is syntactic sugar around adding entries to the list of auths. ok (and lots of help from) claudio@
2019-01-22PF_ROUTE -> AF_ROUTE in the scattered sock()/setsockopt() callsKenneth R Westerback
where the "wrong" #define was used. ok dlg@
2018-12-07Be more strict in converting a netmask into a prefixlen. Make sureClaudio Jeker
the prefixlen is never bigger than 128 for inet6. OK remi@
2018-11-01- odd condition/test in PF lexerAlexandr Nedvedicky
(and other lexers too) This commit rectifies earlier change: in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). OK deraadt@, OK millert@
2018-09-07replace malloc()+strlcpy() with strndup() in cmdline_symset().miko
"looks good" gilles@ halex@
2018-08-06Change manpage example for reserved words since the macro used is to replaceRicardo Mestre
a password and that way it would log it when the daemon is ran in verbose mode. Hint and OK claudio@
2018-07-11Do for most running out of memory err() what was done for most runningKenneth R Westerback
out of memory log_warn(). i.e. ("%s", __func__) instead of manual function names and redundant verbiage about which wrapper detected the out of memory condition. ok henning@
2018-07-09No need to mention which memory allocation entry point failed (malloc,Kenneth R Westerback
calloc or strdup), we just need to log that we ran out of memory in a particular function. Recommended by florian@ and deraadt@ ok benno@ henning@ tb@
2018-06-18remove the SECTIONS header, since a one line DESCRIPTION is a bit silly;Jason McIntyre
use a more general text for the sections, and avoid the catchup issue that was trying to document how many there were; ok benno rob
2018-06-11Fix an off-by-one line count when using include statements.denis
Thanks to otto@ for the initial diff. OK benno@
2018-04-26Plug leak in error case of the common 'varset' implementations.Kenneth R Westerback
ok benno@
2018-02-08Bump the read sockbuf of the routing socket to 2MB, may help reduce some ofClaudio Jeker
the desync cases. OK benno@
2018-01-03Add support for IPv6 over MPLS pseudowire aka mpw(4)denis
OK claudio@ jca@
2017-07-24Unify ROUNDUP macros for parsing route messages.friehm
Use the macro from route(8) / ospf6d(8) since it works also with argument 0. OK claudio@
2017-04-18use freezero()Theo de Raadt
2017-03-21From a syslog perspective it does not make sense to log fatal andAlexander Bluhm
warn with the same severity. Switch log_warn() to LOG_ERR and keep fatal() at LOG_CRIT. OK reyk@ florian@
2017-03-04Send VPLS MAC withdrawals.Renato Westphal
RFC 4762 says that MAC address withdrawal messages can be used to improve convergence time in VPLS networks. This patch makes ldpd send MAC withdrawals whenever a non-pseudowire interface pertaining to a VPLS goes down. The processing of received MAC withdrawals will be implemented later.
2017-03-04Fix parsing of optional tlvs in address messages.Renato Westphal
We were aborting the session upon receipt of MAC Address Withdrawal messages. Now make the parser aware that optional TLVs are possible in address messages.
2017-03-04Implement RFC 5919 (LDP End-of-LIB).Renato Westphal
2017-03-04Implement RFC 6667 (Typed Wildcard FEC for PWid).Renato Westphal
2017-03-04Implement RFC 5918 (Typed Wildcard FEC).Renato Westphal
2017-03-04Implement RFC 5561 (LDP Capabilities).Renato Westphal
This patch per-se doesn't introduce any useful functionality, but prepares the ground for new enhancements to ldpd (i.e. implementation of new RFCs that make use of LDP capabilities).
2017-03-04Implement support for PWid group wildcards.Renato Westphal
This was missing from our original RFC 4447 VPLS implementation. Now ldpd understands group wildcards as mandated by the RFC, but we still don't send them ourselves. I can't see any case in which sending a group wildcard would be useful, but nonetheless this patch provides a function called lde_send_labelwithdraw_pwid_wcard() which is ready to be used in the future anytime we feel like it might be useful.
2017-03-03Fix processing of Label Withdraw messages.Renato Westphal
Whenever we receive a Label Withdraw message with an optional Label TLV, we should check if this label matches the label previously received from this neighbor for this FEC. If they don't match then we shouldn't uninstall the previous label from the kernel. This fixes a misinterpretation from the "Receive Label Withdraw" algorithm described in the A.1.5 section of RFC 5036. Also, simplify the check of pending withdraws in lde_check_release() and lde_check_release_wcard().
2017-03-03The PW Status is an unknown TLV.Renato Westphal
Without this fix, any LDP speaker that doesn't implement RFC 4447 will shut down the session upon receipt of a PWid Label Mapping (unless the use of the PW-Status TLV is disabled via configuration).
2017-03-03Send correct status code on error condition.Renato Westphal
The Unknown TLV status code is reserved for cases where we don't know how to process a given TLV and its Unknown TLV bit is not set. In the case of Address Messages, the Address List TLV is mandatory and should appear before any optional TLV in the message. If that doesn't happen the correct status notification to send is "Missing Message Parameters" (non-fatal error). Also, add a missing htons when creating an Address List TLV. Since the value of TLV_TYPE_ADDRLIST is 0x0101 this missing htons wasn't noticed earlier.
2017-03-03Create helper functions to log sent/received messages.Renato Westphal
2017-03-03Provide more detailed output when logging notification messages.Renato Westphal
2017-03-03Kill send_notification_nbr().Renato Westphal
Be more clever and trigger the PDU SENT event inside send_notification() when tcp->nbr is set. This way we can eliminate send_notification_nbr() and always use send_notification() instead.
2017-03-03Minor tweaks.Renato Westphal
2017-03-03Allow to run on a non-default rdomain.Renato Westphal
OK claudio@
2017-03-03Allow to specify an alternate control socket.Renato Westphal
This is required to run multiple instances of ldpd. OK claudio@
2017-01-20work on making log.c similar in all daemons:Sebastian Benoit
move daemon-local functions into new logmsg.c, and reduce the (mostly whitespace) differences so that log.c's can be diffed easily. removal of log_rtmsg() aproved by claudio@ ok claudio@ krw@
2017-01-08Replace hand-rolled for(;;) traversal of ctl_conns TAILQ withKenneth R Westerback
TAILQ_FOREACH(). No intentional functional change. ok reyk@
2017-01-05Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with moreKenneth R Westerback
modern TAILQ_FOREACH_SAFE(). No intentional functional change. ok millert@ bluhm@ gilles@
2017-01-05Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQKenneth R Westerback
with more modern TAILQ_FOREACH(). This what symget() was already doing. Add paranoia '{}' around body of symget()'s TAILQ_FOREACH(). No intentional functional change. ok bluhm@ otto@
2016-09-28'unneded stuff' -> 'unneeded stuff' in comments.Kenneth R Westerback
2016-09-03Rework the sending of address messages.Renato Westphal
* Respect the session's negotiated maximum pdu length and split the sending of our local addresses into multiple messages if necessary; * Log sent/received addresses; * Add new wrappers to send only one address (send_address_single) and to send all addresses of the given address-family (send_address_all). These wrappers create a temporary list of addresses to be sent, and send_address() then acts on this last.
2016-09-02Fix small memleak on error path.Renato Westphal
2016-09-02lde() and ldpe() should return void.Renato Westphal
Remove these leftovers from the pre-fork+exec era. Spotted by and ok rzalamena@ ok claudio@
2016-09-02Improve logging of sent and received messages.Renato Westphal
* Standardize the logging format of sent and received messages: "msg-[in|out]: message type: lsr-id A.B.C.D [additional info]"; * Log sent label messages as well, not only the received ones; * Move the logging of sent notification messages from send_notification_nbr() to send_notification_full(), this way notification triggered by the lde process are logged as well; * Minor clean-up.
2016-09-02Reevaluate received mappings upon receipt of address message.Renato Westphal
If a neighbor was a nexthop for a given set of prefixes but it's not anymore, then we should uninstall the associated label mappings (if any) from the kernel. The same applies for the other way round (neighbor wasn't a nexthop for a given set of prefixes but now is). This issue is only evident when we have multiple links between a pair of LSRs. Generally, when a link is shut down, the whole LDP is torn down and all label mappings uninstalled automatically. ok claudio@