preserve mtu upon interface flapping and tunnel source change.
Signed-off-by:Reuben Dowle <reuben.dowle@4rf.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
flush netlink related dependencies with gre information.
Add some linux headers required to compile with it.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
as zebra has a new api to get gre and set gre source commands,
netlink gre get and netlink gre source function calls are redirected to zebra
by using the zapi interface.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
... by referencing all autogenerated headers relative to the root
directory. (90% of the changes here is `version.h`.)
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
zapi_nbr structure is renamed to zapi_neigh_ip.
Initially used to set a neighbor ip entry for gre interfaces, this
structure is used to get events from the zebra layer to nhrp layer.
The ndm state has been added, as it is needed on both sides.
The zebra dplane layer is slightly modified.
Also, to clarify what ZEBRA_NEIGH_ADD/DEL means, a rename is done:
it is called now ZEBRA_NEIGH_IP_ADD/DEL, and it signified that this
zapi interface permits to set link operations by associating ip
addresses to link addresses.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
a zebra api is extended to offer ability to add or remove neighbor
entry from daemon. Also this extension makes possible to add neigh
entry, not only between IPs and macs, but also between IPs and NBMA IPs.
This API supports configuring ipv6/ipv4 entries with ipv4/ipv6 lladdr.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
neighbor notifications are done in zebra. so, instead of relying on
nhrp, rely on zebra by using zebra api interface.
Consequently, the code originally used in nhrp for netlink neighor
notification is no more used.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
lookup appropriate ipsec path. there are systems where the path where
the charon.vici file is not in standard paths. For that, 'ipsec
--piddir' may help in solving the path.
result of ipsec --piddir is as follow for example:
'
/etc/ike/ipsec.d/run
'
Note that the assumption is done that even if there are several
instances of strongswan across the vrfs, the charon.vici path file is
the same across vrfs. Consequently, as there is a thread per vrf that
performs vici initialisation, and file path retrieval is part of the
vici initialisation procedure, in order to avoid intempestive system
calls, use a boolean 'vici_charon_filepath_done' to avoid doing
unnecessary calls.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
For some reason the usage of tabs in a string snuck in as well
as using a sockunion2str instead of %pSU. Fix.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Forwarding multicast is a pre-requisite for allowing multicast based routing
protocols such as OSPF to work with DMVPN
This code relies on externally adding iptables rule. For example:
iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 224
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Back when I put this together in 2015, ISO C11 was still reasonably new
and we couldn't require it just yet. Without ISO C11, there is no
"good" way (only bad hacks) to require a semicolon after a macro that
ends with a function definition. And if you added one anyway, you'd get
"spurious semicolon" warnings on some compilers...
With C11, `_Static_assert()` at the end of a macro will make it so that
the semicolon is properly required, consumed, and not warned about.
Consistently requiring semicolons after "file-level" macros matches
Linux kernel coding style and helps some editors against mis-syntax'ing
these macros.
Signed-off-by: David Lamparter <equinox@diac24.net>
This prevents a failed IPSec connection from preventing DMVPN from working.
A failure situation can be reproduced using a Cisco peer, and and disabling then
re-enabling the tunnel IPSec protection (after the IPSec connection has
already been established).
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
If hop count is 0, this causes Cisco routers to reject the traffic indication
as invalid. This appears to be a Cisco bug, and has been observed in processing
of registration packets in the past. That problem was covered in issue #951
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Clang was complaining when running SA that the nhrpd_privs.change
function was null. It just does not fully understand how things
are setup. Add a assert to make it happy.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
There are cases where nhrp wants to create a nhrp route to gre interface
with the nexthop which is the same the prefix. This is the case with
ipv6:
ipv6 route a:ff::ff:4/128 via a:ff::ff:4:/128 dev gre1
This route entry is false from zebra point of view, and to avoid that,
the nexthop is ignored in nhrp only if the prefix equals the nexthop.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Previously, when a shortcut entry was created, its associated route was
created on system, with no nexthop, only gre device. eg:
[..]
N>* 192.168.2.0/24 [10/0] is directly connected, gre1, 00:01:04 <--- can not be resolved
[..]
Type Prefix Via Identity
dynamic 192.168.2.0/24 10.255.255.2 <---- correct
This situation was forcing neighbor resolution on the first outgoing packet matching the route entry. for instance 192.168.2.1 could not be resolved at link layer, and was going to fail. Instead, nhrp nexthop should have been used.
This is what this commit intends to do, that is to say that when a
shortcut is installed by nhrp, the associated nexthop entry is used.
[..]
N>* 192.168.2.0/24 [10/0] via 10.255.255.2, gre1 onlink, 00:00:31
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Currently when an interface is deleted from configuration, associated
resources are not freed. This causes memory leaks and crashes.
To reproduce this issue:
* Connect to a DMVPN hub
* Outside of frr, delete the underlying GRE interface
* Use 'no interface xxx' to delete the interface containing nhrp configurations
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
In some circumstances, especicially when GRE tunnel interface does not exist,
repeated child sa requests are sent. Prevent this by only sending another
request if the child sa does not exist
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Currently when the first traffic to a private network causes a shortcut, an
on-link route to the private network is created on the gre interface, along
with the cache entry.
When connecting to a second IP in the same network, the kernel tries to resolve
the public IP for this private network via query to NHRP. nhrpd sees no entry
in the cache, so the packet is dropped.
The fix to this solution can be instead of creating an on-link route, create an
off-link route to private network, with the next-hop being the remote tunnel's
gre IP address.
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Currently when nhrp shortcuts are purged they will not be recreated. This
patch fixes that by ensuring the shortcut routes get purged correctly.
This situation can be reproduced by first allowing a shortcut to be created
then clearing the shortcut:
clear ip nhrp cache
clear ip nhrp shortcuts
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Under certain misconfigurations, the SA count can be unusually high
and wrap 8-bit counter. That leads to premature free, and crash.
Make the count 32-bit to avoid crash in these rare conditions.
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
RFC2332 section 5.2.1 states (regarding the uniqueness bit) that:
Note that when this bit is set in an NHRP Registration Request, only a
single CIE may be specified in the NHRP Registration Request and that
CIE must have the Prefix Length field set to 0xFF. the prefix length is
the widest acceptable destination protocol address prefix. However, if
"Uniqueness" bit is set then it must be 255
This patch implements this requirement, which fixes interoperability with Cisco
NHRP hub routers.
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
When interface not present at config time, store separately the list of
config parameters. Then, when interface is ready and an address has been configured, the nbma setting is done. Reversely, when interface disappears,
there is no need to keep the maps present, then keep only the configuration.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The return from sockunion2hostprefix tells us if the conversion
succeeded or not. There are places in the code where we
always assume that it just `works`, since it can fail
notice and try to do the right thing.
Please note that failure of this function for most cases
of sockunion2hostprefix is highly highly unlikely as that
the sockunion was already created and tested elsewhere
it's just that this function can fail.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Replace all lib/thread cancel macros, use thread_cancel()
everywhere. Only the THREAD_OFF macro and thread_cancel() api are
supported. Also adjust thread_cancel_async() to NULL caller's pointer (if
present).
Signed-off-by: Mark Stapp <mjs@voltanet.io>
nhrp: Configure vici socket path using
configure --with-vici-socket=/var/run/charon.vici
If not specified default to /var/run/charon.vici
Signed-off-by: Zoran Peričić <zpericic@netst.org>
Whenever libyang loads a module that contains a leafref, it will
also implicitly load the module of the referring node if it's
not loaded already. That makes sense as otherwise it wouldn't be
possible to validate the leafref value correctly.
The problem is that loading a module implicitly violates the
assumption of the northbound layer that all loaded modules
are implemented (i.e. they have a northbound node associated
to each schema node). This means that loading a module that
isn't implemented can lead to crashes as the "priv" pointer
of schema nodes is no longer guaranteed to be valid. To fix this
problem, add a few null checks to ignore data nodes associated
to non-implemented modules.
The side effect of this change is harmless. If a daemon receives
configuration it doesn't support (e.g. BFD peers on staticd),
that configuration will be stored but otherwise ignored. This can
only happen when using a northbound client like gRPC, as the CLI
will never send to a daemon a command it doesn't support. This
minor problem should go away in the long run as FRR migrates to
a centralized management model, at which point the YANG-modeled
configuration of all daemons will be maintained in a single place.
Finally, update some daemons to stop implementing YANG modules
they don't need to (i.e. revert 1b741a01c and a74b47f5).
Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
PR #6376 introduced a VRF leafref in the frr-interface YANG module.
That change exposed a bug in the northbound layer that is causing
nhrpd to crash under certain circumstances. Even though nhrpd wasn't
converted to the new northbound model yet, make it implement the
frr-vrf module in order to work around this problem. This is a
temporary fix until a better solution is available.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
nhrp listens for route entries to be deleted, in case some new routes
impact the current routes installed by nhrp. To prevent from
unconfiguring nhrp shortcut route, just prevent nhrp routes to be
processed.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Remove mid-string line breaks, cf. workflow doc:
.. [#tool_style_conflicts] For example, lines over 80 characters are allowed
for text strings to make it possible to search the code for them: please
see `Linux kernel style (breaking long lines and strings)
<https://www.kernel.org/doc/html/v4.10/process/coding-style.html#breaking-long-lines-and-strings>`_
and `Issue #1794 <https://github.com/FRRouting/frr/issues/1794>`_.
Scripted commit, idempotent to running:
```
python3 tools/stringmangle.py --unwrap `git ls-files | egrep '\.[ch]$'`
```
Signed-off-by: David Lamparter <equinox@diac24.net>
Don't crash when trying to `show running-config` because of missing
filter northbound integration.
Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
- Fix 1 byte overflow when showing GR info in bgpd
- Use PATH_MAX for path buffers
- Use unsigned specifiers for uint16_t's in zebra pbr
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Replace sprintf with snprintf where straightforward to do so.
- sprintf's into local scope buffers of known size are replaced with the
equivalent snprintf call
- snprintf's into local scope buffers of known size that use the buffer
size expression now use sizeof(buffer)
- sprintf(buf + strlen(buf), ...) replaced with snprintf() into temp
buffer followed by strlcat
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
And again for the name. Why on earth would we centralize this, just so
people can forget to update it?
Signed-off-by: David Lamparter <equinox@diac24.net>
Same as before, instead of shoving this into a big central list we can
just put the parent node in cmd_node.
Signed-off-by: David Lamparter <equinox@diac24.net>
There is really no reason to not put this in the cmd_node.
And while we're add it, rename from pointless ".func" to ".config_write".
[v2: fix forgotten ldpd config_write]
Signed-off-by: David Lamparter <equinox@diac24.net>
The only nodes that have this as 0 don't have a "->func" anyway, so the
entire thing is really just pointless.
Signed-off-by: David Lamparter <equinox@diac24.net>
as the helper said, the dynamic cache entries should be flushed once the
vty command 'clear ip/ipv6 nhrp cache' mentions. This was not the case.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
nhrp listens for route entries to be deleted, in case some new routes
impact the current routes installed by nhrp. To prevent from
unconfiguring nhrp shortcut route, just prevent nhrp routes to be
processed.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
nhrp_cache_update_route, nhrp_cache_authorize_binding: Fix route update for NAT scenario. When remote_nbma_natoa is already set in the cache entry, binding should be updated to this value and not vc remote nbma, which would be different from the NATted address.
nhrp_shortcut_recv_resolution_rep: Simplify the logic for finding the natoa nbma. Also, install shortcut entries as DYNAMIC type, as suggested in Section 6.2.2 of RFC2332.
nhrp_shortcut_cache_notify: announce the installed route with the correct interface from cache.
Signed-off-by: Ghasem Naddaf <gshirazi@infoblox.com>
nhrp_shortcut_send_resolution_req: Add Holding time and MTU to the resolution request CIE according to RFC2332 Sec. 5.2.1.
nhrp_handle_resolution_req: Parse Holding time and MTU from CIE and update the requestor's binding. Also, when preparing the resolution reply, copy the Holding time and MTU to the CIE according to RFC2332 Sec. 5.2.2.
Signed-off-by: Ghasem Naddaf <gshirazi@infoblox.com>
The vrrpd one conflicts with the standalone vrrpd package; also we're
installing daemons to /usr/lib/frr on some systems so they're not on
PATH.
Signed-off-by: David Lamparter <equinox@diac24.net>
If the extension offset points to a location within the packet header,
we end up with an integer underflow leading to heap buffer read
overflow.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
To keep the calling code agnostic of the DNS resolver libary used, pass
a strerror-style string instead of a status code that would need extra
handling.
Signed-off-by: David Lamparter <equinox@diac24.net>
We passed peer as NULL and nothing happened.
exit2-debian-9# conf
exit2-debian-9(config)# int gre1
exit2-debian-9(config-if)# ip nhrp map 1.1.1.1 local
exit2-debian-9(config-if)# ip nhrp map 2.2.2.2 3.3.3.3
exit2-debian-9(config-if)# do sh run
...
!
interface gre1
ip nhrp map 1.1.1.1 local
ip nhrp map 2.2.2.2 3.3.3.3
!
...
exit2-debian-9(config-if)# no ip nhrp map 1.1.1.1
exit2-debian-9(config-if)# do sh run
...
!
interface gre1
ip nhrp map 2.2.2.2 3.3.3.3
!
Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com>
NHRPD has its own linked-list implementation, and one of the
apis is a little free and easy with pointers. Also be safer
with one list iteration operation.
Signed-off-by: Mark Stapp <mjs@voltanet.io>
For all the places we have a zclient->interface_up convert
them to use the interface ifp_up callback instead.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Switch the zclient->interface_add functionality to have everyone
use the interface create callback in lib/if.c
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Start the conversion to allow zapi interface callbacks to be
controlled like vrf creation/destruction/change callbacks.
This will allow us to consolidate control into the interface.c
instead of having each daemon read the stream and react accordingly.
This will hopefully reduce a bunch of cut-n-paste stuff
Create 4 new callback functions that will be controlled by
lib/if.c
create -> A upper level protocol receives an interface creation event
The ifp is brand spanking newly created in the system.
up -> A upper level protocol receives a interface up event
This means the interface is up and ready to go.
down -> A upper level protocol receives a interface down
destroy -> A upper level protocol receives a destroy event
This means to delete the pointers associated with it.
At this point this is just boilerplate setup for future commits.
There is no new functionality.
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
the vrf_id parameter is replaced by struct vrf * parameter.
this impacts most of the daemons that look for an interface based on the
name and the vrf identifier.
Also, it fixes 2 lookup calls in zebra and sharpd, where the vrf_id was
ignored until now.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
It doesn't make much sense for a hash function to modify its argument,
so const the hash input.
BGP does it in a couple places, those cast away the const. Not great but
not any worse than it was.
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
This macro:
- Marks ZAPI callbacks for readability
- Standardizes argument names
- Makes it simple to add ZAPI arguments in the future
- Ensures proper types
- Looks better
- Shortens function declarations
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
When we delete an interface, we need to set the interface
ifindex to an internal value so that we don't end up in
a state where the re-addition of the same ifindex, due to
a rename operation, causes an infinite loop.
Fixes:#4007
Fix-Suggested-by: Saravanan K
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
