Age | Commit message | Author |
|
introduced with flowspec.
OK tb@
|
|
|
|
OK tb@
|
|
OK tb@
|
|
ASPA provider AS sets can include optional limitations to inet/inet6; these
limits are represented in the TAS_AID bit masks (2 bits per AS).
Introduce a TAS_AID_SIZE() macro that returns the size in bytes of this
bit mask (rounded to the next uint32_t).
Without this change aspa objects with AID specific elements trigger a
fatal error condition when the config is loaded.
OK tb@ job@
|
|
|
|
other AFI
OK claudio@
|
|
This uses the flowspec.c file from bgpd and implements the output
for flowspec only for the text printer for now. That code uses a lot
of code from printconf.c
OK tb@
|
|
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@
|
|
Input and OK jmc@ tb@
|
|
|
|
the user has a restrictive mask, various items (new directories, @sample'd
files, /var/db/pkg entries, mandoc databases) end up not readable.
feedback/ok espie@
|
|
order.
|
|
|
|
and Loc-RIB. Flowspec objects are collected in a single flowrib RIB
and then directly distributed into the various Adj-RIB-Outs.
For this to work add a bypass in the filter logic (flowspec AFI/SAFI
are currently accepted without any rule). The filter language lacks
a way to allow prefixes based on AFI/SAFI which is the minimum needed.
OK tb@
|
|
|
|
In flowspec_cmp() make sure a deterministic sort is possible. Most error
cases are unreachable if flowspec NLRI are validated first (flowspec_valid).
In flowspec_valid() replace the assert like check with an error return.
OK tb@
|
|
In general people should use table-v2 which handles flowspec just fine.
OK tb@
|
|
Flowspec has no nexthop so adjust up_prep_adjout() to handle a NULL nexthop.
Add the MP_REACH encoding in up_generate_mp_reach for flowspec.
OK tb@
|
|
process tracks which prefixes are added / removed and issues the
corresponding imsg calls.
Right now the RDE does nothing with the received information.
OK tb@
|
|
Introduce pt_get_flow() and pt_add_flow() to lookup and insert flowspec
objects. Add pt_getflowspec() which works somewhat similar to pt_getaddr()
to extract the flowspec NLRI from a pt_entry.
Make pt_getaddr() return the destination prefix of the flowspec rule and
handle flowspec in pt_write().
OK tb@
|
|
|
|
with the parser but that is for a later time to fix.
OK tb@
|
|
This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.
ok claudio
|
|
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@
|
|
|
|
RB trees. Mainly RB_FOREACH() walks from RB_MIN to RB_MAX so the most
preferred entry should be at RB_MIN.
OK tb@
|
|
like it was done for communities. Again a fair amount of token tables
disappear.
OK tb@
|
|
successful. Do not clear it all the time since that breaks the ANYTOKEN
fallback since it resets the just set address on the next argument.
OK tb@
|
|
Instead pass argc and argv as value and return the consumed number of
arguments in argsused (normally 1).
OK tb@
|
|
available inside match_token() and peek and consume argv[1] and for
ext-communities also argv[2].
OK tb@
|
|
Flowspec is excessively flexible and large so there is no way to convert
the flowspec data into a struct bgpd_addr and it is better to keep it in
wireformat and add a few functions to validate and extract information
from the NLRI encoding.
OK tb@
|
|
the install media would grow too much, so use the same strategy as we do
for stack protector and other things: disable them, just on the install
media
ok kettenis
|
|
ok jsg@
|
|
Comment incorrectly mentioned returning sectors when this function
returns bytes; the logic in virtio.c computes the number of 512
byte sectors after calling virtio_raw_init.
While here, adjust the formatting of return's to match the rest of vmd.
No functional change.
|
|
Some mild tidying of fd closing in the vmm process in prep for
landing parts of my fork+exec diff.
With input from guenther@ on the nuances of if/when EINTR may happen
in a call to close(2).
ok mlarkin@
|
|
to fall back to another table if no other element in the current table
matched. ANYTOKEN needs to be the last element in a table.
With this 'bgpctl show rib 192.0.2.1 detail' works.
OK tb@
|
|
In 1992, the ITU-T - through X.509 version 2 - introduced subject and
issuer unique identifier fields to handle the possibility of reuse
of subject and/or issuer names over time. However, the standing
recommendation is that names not be reused for different entities and
that Internet certificates not make use of unique identifiers.
Conforming RPKI CAs will never issue certificates with unique identifiers.
OK tb@ claudio@
|
|
There is another thing clang 15 is whining about - this will be resolved
in upcoming work by dv.
ok dv
|
|
|
|
authority as the manifest itself
OK tb@
|
|
call imsg_compose() and be done with it.
OK tb@
|
|
OK tb@
|
|
In the add case the extra attributes can be specified afterwards.
This makes the parser behave cleaner since 'add' and 'delete' are removed
from the attribute set table.
OK tb@
|
|
|
|
|
|
Add rib_get_addr() to behave like rib_get() did before.
OK tb@
|
|
instead. Comparing the arp(8) and ndp(8) code shows that the latter
has a fallthrough to delete. Return an error also in this case.
OK kn@
|
|
OK tb@
|
|
OK tb@
|