From 66dbdbd993115c57acafdb776d2165d0b4a90a45 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Sat, 1 Oct 2016 12:50:29 +0200
Subject: [PATCH 01/37] BGP: Support for large communities

Add support for large communities (draft-ietf-idr-large-community),
96bit alternative to RFC 1997 communities.

Thanks to Matt Griswold for the original patch.
---
 filter/config.Y    |  43 +++++++++++-
 filter/filter.c    | 171 ++++++++++++++++++++++++++++++++++++++++++++-
 filter/filter.h    |  18 ++++-
 filter/test.conf   |  17 +++++
 nest/a-set.c       | 127 ++++++++++++++++++++++++++++++++-
 nest/attrs.h       |  32 +++++++++
 nest/route.h       |   5 +-
 nest/rt-attr.c     |  15 ++++
 proto/bgp/attrs.c  |  42 ++++++++++-
 proto/bgp/bgp.h    |   1 +
 proto/bgp/config.Y |   4 +-
 11 files changed, 462 insertions(+), 13 deletions(-)

diff --git a/filter/config.Y b/filter/config.Y
index 9fffd651..79e274ab 100644
--- a/filter/config.Y
+++ b/filter/config.Y
@@ -36,6 +36,7 @@ f_valid_set_type(int type)
   case T_ENUM:
   case T_IP:
   case T_EC:
+  case T_LC:
     return 1;
 
   default:
@@ -148,6 +149,9 @@ f_generate_empty(struct f_inst *dyn)
     case EAF_TYPE_EC_SET:
       e->aux = T_ECLIST;
       break;
+    case EAF_TYPE_LC_SET:
+      e->aux = T_LCLIST;
+      break;
     default:
       cf_error("Can't empty that attribute");
   }
@@ -268,14 +272,44 @@ f_generate_ec(u16 kind, struct f_inst *tk, struct f_inst *tv)
   return rv;
 }
 
+static inline struct f_inst *
+f_generate_lc(struct f_inst *t1, struct f_inst *t2, struct f_inst *t3)
+{
+  struct f_inst *rv;
+
+  if ((t1->code == 'c') && (t2->code == 'c') && (t3->code == 'c')) {
+    if ((t1->aux != T_INT) || (t2->aux != T_INT) || (t3->aux != T_INT))
+      cf_error( "LC - Can't operate with value of non-integer type in tuple constructor");
+
+    rv = f_new_inst();
+    rv->code = 'C';
+
+    NEW_F_VAL;
+    rv->a1.p = val;
+    val->type = T_LC;
+    val->val.lc = (lcomm) { t1->a2.i, t2->a2.i, t3->a2.i };
+  }
+  else
+  {
+    rv = cfg_allocz(sizeof(struct f_inst3));
+    rv->lineno = ifs->lino;
+    rv->code = P('m','l');
+    rv->a1.p = t1;
+    rv->a2.p = t2;
+    INST3(rv).p = t3;
+  }
+
+  return rv;
+}
+
 
 
 CF_DECLS
 
 CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
 	ACCEPT, REJECT, ERROR, QUITBIRD,
-	INT, BOOL, IP, PREFIX, PAIR, QUAD, EC,
-	SET, STRING, BGPMASK, BGPPATH, CLIST, ECLIST,
+	INT, BOOL, IP, PREFIX, PAIR, QUAD, EC, LC,
+	SET, STRING, BGPMASK, BGPPATH, CLIST, ECLIST, LCLIST,
 	IF, THEN, ELSE, CASE,
 	TRUE, FALSE, RT, RO, UNKNOWN, GENERIC,
 	FROM, GW, NET, MASK, PROTO, SOURCE, SCOPE, CAST, DEST, IFNAME, IFINDEX,
@@ -327,17 +361,20 @@ type:
  | PAIR { $$ = T_PAIR; }
  | QUAD { $$ = T_QUAD; }
  | EC { $$ = T_EC; }
+ | LC { $$ = T_LC; }
  | STRING { $$ = T_STRING; }
  | BGPMASK { $$ = T_PATH_MASK; }
  | BGPPATH { $$ = T_PATH; }
  | CLIST { $$ = T_CLIST; }
  | ECLIST { $$ = T_ECLIST; }
+ | LCLIST { $$ = T_LCLIST; }
  | type SET { 
 	switch ($1) {
 	  case T_INT:
 	  case T_PAIR:
 	  case T_QUAD:
 	  case T_EC:
+	  case T_LC:
 	  case T_IP:
 	       $$ = T_SET;
 	       break;
@@ -657,6 +694,7 @@ constant:
 constructor:
    '(' term ',' term ')' { $$ = f_generate_dpair($2, $4); }
  | '(' ec_kind ',' term ',' term ')' { $$ = f_generate_ec($2, $4, $6); }
+ | '(' term ',' term ',' term ')' { $$ = f_generate_lc($2, $4, $6); }
  ;
 
 
@@ -767,6 +805,7 @@ term:
  | '+' EMPTY '+' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_PATH; }
  | '-' EMPTY '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_CLIST; }
  | '-' '-' EMPTY '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_ECLIST; }
+ | '-' '-' '-' EMPTY '-' '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_LCLIST; }
  | PREPEND '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('A','p'); $$->a1.p = $3; $$->a2.p = $5; } 
  | ADD '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'a'; } 
  | DELETE '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'd'; }
diff --git a/filter/filter.c b/filter/filter.c
index 2f5f00d8..510303a7 100644
--- a/filter/filter.c
+++ b/filter/filter.c
@@ -106,6 +106,18 @@ u64_cmp(u64 i1, u64 i2)
   return (int)(i1 > i2) - (int)(i1 < i2);
 }
 
+static inline int
+lcomm_cmp(lcomm v1, lcomm v2)
+{
+  if (v1.asn != v2.asn)
+    return (v1.asn > v2.asn) ? 1 : -1;
+  if (v1.ldp1 != v2.ldp1)
+    return (v1.ldp1 > v2.ldp1) ? 1 : -1;
+  if (v1.ldp2 != v2.ldp2)
+    return (v1.ldp2 > v2.ldp2) ? 1 : -1;
+  return 0;
+}
+
 /**
  * val_compare - compare two values
  * @v1: first value
@@ -149,6 +161,8 @@ val_compare(struct f_val v1, struct f_val v2)
     return uint_cmp(v1.val.i, v2.val.i);
   case T_EC:
     return u64_cmp(v1.val.ec, v2.val.ec);
+  case T_LC:
+    return lcomm_cmp(v1.val.lc, v2.val.lc);
   case T_IP:
     return ipa_compare(v1.val.px.ip, v2.val.px.ip);
   case T_PREFIX:
@@ -214,6 +228,7 @@ val_same(struct f_val v1, struct f_val v2)
   case T_PATH:
   case T_CLIST:
   case T_ECLIST:
+  case T_LCLIST:
     return adata_same(v1.val.ad, v2.val.ad);
   case T_SET:
     return same_tree(v1.val.t, v2.val.t);
@@ -266,6 +281,10 @@ static inline int
 eclist_set_type(struct f_tree *set)
 { return set->from.type == T_EC; }
 
+static inline int
+lclist_set_type(struct f_tree *set)
+{ return set->from.type == T_LC; }
+
 static int
 clist_match_set(struct adata *clist, struct f_tree *set)
 {
@@ -311,6 +330,30 @@ eclist_match_set(struct adata *list, struct f_tree *set)
   return 0;
 }
 
+static int
+lclist_match_set(struct adata *list, struct f_tree *set)
+{
+  if (!list)
+    return 0;
+
+  if (!lclist_set_type(set))
+    return CMP_ERROR;
+
+  struct f_val v;
+  u32 *l = int_set_get_data(list);
+  int len = int_set_get_size(list);
+  int i;
+
+  v.type = T_LC;
+  for (i = 0; i < len; i += 3) {
+    v.val.lc = lc_get(l, i);
+    if (find_tree(set, v))
+      return 1;
+  }
+
+  return 0;
+}
+
 static struct adata *
 clist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos)
 {
@@ -380,6 +423,38 @@ eclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int po
   return res;
 }
 
+static struct adata *
+lclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos)
+{
+  if (!list)
+    return NULL;
+
+  int tree = (set.type == T_SET);	/* 1 -> set is T_SET, 0 -> set is T_CLIST */
+  struct f_val v;
+
+  int len = int_set_get_size(list);
+  u32 *l = int_set_get_data(list);
+  u32 tmp[len];
+  u32 *k = tmp;
+  int i;
+
+  v.type = T_LC;
+  for (i = 0; i < len; i += 3) {
+    v.val.lc = lc_get(l, i);
+    /* pos && member(val, set) || !pos && !member(val, set),  member() depends on tree */
+    if ((tree ? !!find_tree(set.val.t, v) : lc_set_contains(set.val.ad, v.val.lc)) == pos)
+      k = lc_copy(k, l+i);
+  }
+
+  int nl = (k - tmp) * 4;
+  if (nl == list->length)
+    return list;
+
+  struct adata *res = adata_empty(pool, nl);
+  memcpy(res->data, tmp, nl);
+  return res;
+}
+
 /**
  * val_in_range - implement |~| operator
  * @v1: element
@@ -407,6 +482,9 @@ val_in_range(struct f_val v1, struct f_val v2)
   if ((v1.type == T_EC) && (v2.type == T_ECLIST))
     return ec_set_contains(v2.val.ad, v1.val.ec);
 
+  if ((v1.type == T_LC) && (v2.type == T_LCLIST))
+    return lc_set_contains(v2.val.ad, v1.val.lc);
+
   if ((v1.type == T_STRING) && (v2.type == T_STRING))
     return patmatch(v2.val.s, v1.val.s);
 
@@ -433,6 +511,9 @@ val_in_range(struct f_val v1, struct f_val v2)
   if (v1.type == T_ECLIST)
     return eclist_match_set(v1.val.ad, v2.val.t);
 
+  if (v1.type == T_LCLIST)
+    return lclist_match_set(v1.val.ad, v2.val.t);
+
   if (v1.type == T_PATH)
     return as_path_match_set(v1.val.ad, v2.val.t);
 
@@ -457,12 +538,14 @@ val_format(struct f_val v, buffer *buf)
   case T_PAIR:	buffer_print(buf, "(%u,%u)", v.val.i >> 16, v.val.i & 0xffff); return;
   case T_QUAD:	buffer_print(buf, "%R", v.val.i); return;
   case T_EC:	ec_format(buf2, v.val.ec); buffer_print(buf, "%s", buf2); return;
+  case T_LC:	lc_format(buf2, v.val.lc); buffer_print(buf, "%s", buf2); return;
   case T_PREFIX_SET: trie_format(v.val.ti, buf); return;
   case T_SET:	tree_format(v.val.t, buf); return;
   case T_ENUM:	buffer_print(buf, "(enum %x)%u", v.type, v.val.i); return;
   case T_PATH:	as_path_format(v.val.ad, buf2, 1000); buffer_print(buf, "(path %s)", buf2); return;
   case T_CLIST:	int_set_format(v.val.ad, 1, -1, buf2, 1000); buffer_print(buf, "(clist %s)", buf2); return;
   case T_ECLIST: ec_set_format(v.val.ad, -1, buf2, 1000); buffer_print(buf, "(eclist %s)", buf2); return;
+  case T_LCLIST: lc_set_format(v.val.ad, -1, buf2, 1000); buffer_print(buf, "(lclist %s)", buf2); return;
   case T_PATH_MASK: pm_format(v.val.path_mask, buf); return;
   default:	buffer_print(buf, "[unknown type %x]", v.type); return;
   }
@@ -656,6 +739,7 @@ interpret(struct f_inst *what)
 	runtime("Can't operate with value of non-integer type in EC constructor");
       val = v2.val.i;
 
+      /* XXXX */
       res.type = T_EC;
 
       if (what->aux == EC_GENERIC) {
@@ -677,6 +761,24 @@ interpret(struct f_inst *what)
       break;
     }
 
+  case P('m','l'):
+    {
+      TWOARGS;
+
+      /* Third argument hack */
+      struct f_val v3 = interpret(INST3(what).p);
+      if (v3.type & T_RETURN)
+	return v3;
+
+      if ((v1.type != T_INT) || (v2.type != T_INT) || (v3.type != T_INT))
+	runtime( "Can't operate with value of non-integer type in LC constructor" );
+
+      res.type = T_LC;
+      res.val.lc = (lcomm) { v1.val.i, v2.val.i, v3.val.i };
+
+      break;
+    }
+
 /* Relational operators */
 
 #define COMPARE(x) \
@@ -912,6 +1014,13 @@ interpret(struct f_inst *what)
 	  break;
 	}
 
+	/* The same special case for lc_set */
+	if ((what->aux & EAF_TYPE_MASK) == EAF_TYPE_LC_SET) {
+	  res.type = T_LCLIST;
+	  res.val.ad = adata_empty(f_pool, 0);
+	  break;
+	}
+
 	/* Undefined value */
 	res.type = T_VOID;
 	break;
@@ -951,6 +1060,10 @@ interpret(struct f_inst *what)
 	res.type = T_ECLIST;
 	res.val.ad = e->u.ptr;
 	break;
+      case EAF_TYPE_LC_SET:
+	res.type = T_LCLIST;
+	res.val.ad = e->u.ptr;
+	break;
       case EAF_TYPE_UNDEF:
 	res.type = T_VOID;
 	break;
@@ -1041,6 +1154,11 @@ interpret(struct f_inst *what)
 	  runtime( "Setting eclist attribute to non-eclist value" );
 	l->attrs[0].u.ptr = v1.val.ad;
 	break;
+      case EAF_TYPE_LC_SET:
+	if (v1.type != T_LCLIST)
+	  runtime( "Setting lclist attribute to non-lclist value" );
+	l->attrs[0].u.ptr = v1.val.ad;
+	break;
       case EAF_TYPE_UNDEF:
 	if (v1.type != T_VOID)
 	  runtime( "Setting void attribute to non-void value" );
@@ -1082,6 +1200,7 @@ interpret(struct f_inst *what)
     case T_PATH:   res.val.i = as_path_getlen(v1.val.ad); break;
     case T_CLIST:  res.val.i = int_set_get_size(v1.val.ad); break;
     case T_ECLIST: res.val.i = ec_set_get_size(v1.val.ad); break;
+    case T_LCLIST: res.val.i = lc_set_get_size(v1.val.ad); break;
     default: runtime( "Prefix, path, clist or eclist expected" );
     }
     break;
@@ -1277,7 +1396,7 @@ interpret(struct f_inst *what)
       else if (v2.type == T_ECLIST)
 	arg_set = 2;
       else if (v2.type != T_EC)
-	runtime("Can't add/delete non-pair");
+	runtime("Can't add/delete non-ec");
 
       res.type = T_ECLIST;
       switch (what->aux)
@@ -1308,8 +1427,50 @@ interpret(struct f_inst *what)
 	bug("unknown Ca operation");
       }
     }
+    else if (v1.type == T_LCLIST)
+    {
+      /* Large community list */
+      int arg_set = 0;
+
+      /* v2.val is either LC or LC-set */
+      if ((v2.type == T_SET) && lclist_set_type(v2.val.t))
+	arg_set = 1;
+      else if (v2.type == T_LCLIST)
+	arg_set = 2;
+      else if (v2.type != T_LC)
+	runtime("Can't add/delete non-lc");
+
+      res.type = T_LCLIST;
+      switch (what->aux)
+      {
+      case 'a':
+	if (arg_set == 1)
+	  runtime("Can't add set");
+	else if (!arg_set)
+	  res.val.ad = lc_set_add(f_pool, v1.val.ad, v2.val.lc);
+	else
+	  res.val.ad = lc_set_union(f_pool, v1.val.ad, v2.val.ad);
+	break;
+
+      case 'd':
+	if (!arg_set)
+	  res.val.ad = lc_set_del(f_pool, v1.val.ad, v2.val.lc);
+	else
+	  res.val.ad = lclist_filter(f_pool, v1.val.ad, v2, 0);
+	break;
+
+      case 'f':
+	if (!arg_set)
+	  runtime("Can't filter lc");
+	res.val.ad = lclist_filter(f_pool, v1.val.ad, v2, 1);
+	break;
+
+      default:
+	bug("unknown Ca operation");
+      }
+    }
     else
-      runtime("Can't add/delete to non-(e)clist");
+      runtime("Can't add/delete to non-[e|l]clist");
 
     break;
 
@@ -1401,6 +1562,12 @@ i_same(struct f_inst *f1, struct f_inst *f2)
   case '~': TWOARGS; break;
   case P('d','e'): ONEARG; break;
 
+  case P('m','l'):
+    TWOARGS;
+    if (!i_same(INST3(f1).p, INST3(f2).p))
+      return 0;
+    break;
+
   case 's':
     ARG(v2, a2.p);
     {
diff --git a/filter/filter.h b/filter/filter.h
index e59c8226..e0f34e4f 100644
--- a/filter/filter.h
+++ b/filter/filter.h
@@ -38,6 +38,17 @@ struct f_inst_roa_check {
   struct roa_table_config *rtc;	
 };
 
+struct f_inst3 {
+  struct f_inst i;
+  union {
+    int i;
+    void *p;
+  } a3;
+};
+
+#define INST3(x) (((struct f_inst3 *) x)->a3)
+
+
 struct f_prefix {
   ip_addr ip;
   int len;
@@ -53,6 +64,7 @@ struct f_val {
   union {
     uint i;
     u64 ec;
+    lcomm lc;
     /*    ip_addr ip; Folded into prefix */	
     struct f_prefix px;
     char *s;
@@ -168,8 +180,10 @@ void val_format(struct f_val v, buffer *buf);
 #define T_PATH_MASK 0x23	/* mask for BGP path */
 #define T_PATH 0x24		/* BGP path */
 #define T_CLIST 0x25		/* Community list */
-#define T_ECLIST 0x26		/* Extended community list */
-#define T_EC 0x27		/* Extended community value, u64 */
+#define T_EC 0x26		/* Extended community value, u64 */
+#define T_ECLIST 0x27		/* Extended community list */
+#define T_LC 0x28		/* Large community value, lcomm */
+#define T_LCLIST 0x29		/* Large community list */
 
 #define T_RETURN 0x40
 #define T_SET 0x80
diff --git a/filter/test.conf b/filter/test.conf
index f61f0658..e8873fbf 100644
--- a/filter/test.conf
+++ b/filter/test.conf
@@ -27,6 +27,11 @@ function 'mkpair-a'(int a)
 	return (1, a);
 }
 
+function mktrip(int a)
+{
+	return (a, 2*a, 3*a);
+}
+
 function mkpath(int a; int b)
 {
 	return [= a b 3 2 1 =];
@@ -89,6 +94,7 @@ clist l;
 clist l2;
 eclist el;
 eclist el2;
+lclist ll;
 {
 	print "Entering path test...";
 	pm1 =  / 4 3 2 1 /;
@@ -203,6 +209,17 @@ eclist el2;
 	print "eclist A isect B: ", filter( el, el2 );
 	print "eclist A \  B: ", delete( el, el2 );
 
+	ll = --- empty ---;
+	ll = add(ll, (ten, 20, 30));
+	ll = add(ll, (1000, 2000, 3000));
+	ll = add(ll, mktrip(100000));
+	print "LC list (10, 20, 30) (1000, 2000, 3000) (100000, 200000, 300000):";
+	print ll;
+	print "LC len: ", el.len;
+	print "Should be true: ", mktrip(1000) ~ ll, " ", ll ~ [(5,10,15), (10,20,30)], " ", ll ~ [(10,15..25,*)], " ", ll ~ [(ten, *, *)];
+	print "Should be false: ", mktrip(100) ~ ll, " ", ll ~ [(5,10,15), (10,21,30)], " ", ll ~ [(10,21..25,*)], " ", ll ~ [(11, *, *)];
+	print "LC filtered: ", filter(ll, [(5..15, *, *), (100000, 500..500000, *)]);
+
 #	test_roa();
 }
 
diff --git a/nest/a-set.c b/nest/a-set.c
index a6116022..0484ab98 100644
--- a/nest/a-set.c
+++ b/nest/a-set.c
@@ -116,7 +116,7 @@ int
 ec_set_format(struct adata *set, int from, byte *buf, uint size)
 {
   u32 *z = int_set_get_data(set);
-  byte *end = buf + size - 24;
+  byte *end = buf + size - 64;
   int from2 = MAX(from, 0);
   int to = int_set_get_size(set);
   int i;
@@ -141,6 +141,43 @@ ec_set_format(struct adata *set, int from, byte *buf, uint size)
   return 0;
 }
 
+int
+lc_format(byte *buf, lcomm lc)
+{
+  return bsprintf(buf, "(%d, %d, %d)", lc.asn, lc.ldp1, lc.ldp2);
+}
+
+int
+lc_set_format(struct adata *set, int from, byte *buf, uint bufsize)
+{
+  u32 *d = (u32 *) set->data;
+  byte *end = buf + bufsize - 64;
+  int from2 = MAX(from, 0);
+  int to = set->length / 4;
+  int i;
+
+  for (i = from2; i < to; i += 3)
+    {
+      if (buf > end)
+	{
+	  if (from < 0)
+	    strcpy(buf, "...");
+	  else
+	    buf[-1] = 0;
+	  return i;
+	}
+
+      buf += bsprintf(buf, "(%d, %d, %d)", d[i], d[i+1], d[i+2]);
+      *buf++ = ' ';
+    }
+
+  if (i != from2)
+    buf--;
+
+  *buf = 0;
+  return 0;
+}
+
 int
 int_set_contains(struct adata *list, u32 val)
 {
@@ -177,6 +214,24 @@ ec_set_contains(struct adata *list, u64 val)
   return 0;
 }
 
+int
+lc_set_contains(struct adata *list, lcomm val)
+{
+  if (!list)
+    return 0;
+
+  u32 *l = int_set_get_data(list);
+  int len = int_set_get_size(list);
+  int i;
+
+  for (i = 0; i < len; i += 3)
+    if (lc_match(l, i, val))
+      return 1;
+
+  return 0;
+}
+
+
 struct adata *
 int_set_add(struct linpool *pool, struct adata *list, u32 val)
 {
@@ -208,13 +263,30 @@ ec_set_add(struct linpool *pool, struct adata *list, u64 val)
   if (list)
     memcpy(res->data, list->data, list->length);
 
-  u32 *l = (u32 *) (res->data + res->length - 8);
+  u32 *l = (u32 *) (res->data + olen);
   l[0] = ec_hi(val);
   l[1] = ec_lo(val);
 
   return res;
 }
 
+struct adata *
+lc_set_add(struct linpool *pool, struct adata *list, lcomm val)
+{
+  if (lc_set_contains(list, val))
+    return list;
+
+  int olen = list ? list->length : 0;
+  struct adata *res = lp_alloc(pool, sizeof(struct adata) + olen + LCOMM_LENGTH);
+  res->length = olen + LCOMM_LENGTH;
+
+  if (list)
+    memcpy(res->data, list->data, list->length);
+
+  lc_put((u32 *) (res->data + olen), val);
+
+  return res;
+}
 
 struct adata *
 int_set_del(struct linpool *pool, struct adata *list, u32 val)
@@ -265,6 +337,27 @@ ec_set_del(struct linpool *pool, struct adata *list, u64 val)
   return res;
 }
 
+struct adata *
+lc_set_del(struct linpool *pool, struct adata *list, lcomm val)
+{
+  if (!lc_set_contains(list, val))
+    return list;
+
+  struct adata *res;
+  res = lp_alloc(pool, sizeof(struct adata) + list->length - LCOMM_LENGTH);
+  res->length = list->length - LCOMM_LENGTH;
+
+  u32 *l = int_set_get_data(list);
+  u32 *k = int_set_get_data(res);
+  int len = int_set_get_size(list);
+  int i;
+
+  for (i=0; i < len; i += 3)
+    if (! lc_match(l, i, val))
+      k = lc_copy(k, l+i);
+
+  return res;
+}
 
 struct adata *
 int_set_union(struct linpool *pool, struct adata *l1, struct adata *l2)
@@ -328,3 +421,33 @@ ec_set_union(struct linpool *pool, struct adata *l1, struct adata *l2)
   memcpy(res->data + l1->length, tmp, len);
   return res;
 }
+
+struct adata *
+lc_set_union(struct linpool *pool, struct adata *l1, struct adata *l2)
+{
+  if (!l1)
+    return l2;
+  if (!l2)
+    return l1;
+
+  struct adata *res;
+  int len = int_set_get_size(l2);
+  u32 *l = int_set_get_data(l2);
+  u32 tmp[len];
+  u32 *k = tmp;
+  int i;
+
+  for (i = 0; i < len; i += 3)
+    if (!lc_set_contains(l1, lc_get(l, i)))
+      k = lc_copy(k, l+i);
+
+  if (k == tmp)
+    return l1;
+
+  len = (k - tmp) * 4;
+  res = lp_alloc(pool, sizeof(struct adata) + l1->length + len);
+  res->length = l1->length + len;
+  memcpy(res->data, l1->data, l1->length);
+  memcpy(res->data + l1->length, tmp, len);
+  return res;
+}
diff --git a/nest/attrs.h b/nest/attrs.h
index 670b048f..548d71a9 100644
--- a/nest/attrs.h
+++ b/nest/attrs.h
@@ -68,6 +68,7 @@ int as_path_match(struct adata *path, struct f_path_mask *mask);
 /* Transitive bit (for first u32 half of EC) */
 #define EC_TBIT 0x40000000
 
+#define ECOMM_LENGTH 8
 
 static inline int int_set_get_size(struct adata *list)
 { return list->length / 4; }
@@ -75,6 +76,9 @@ static inline int int_set_get_size(struct adata *list)
 static inline int ec_set_get_size(struct adata *list)
 { return list->length / 8; }
 
+static inline int lc_set_get_size(struct adata *list)
+{ return list->length / 12; }
+
 static inline u32 *int_set_get_data(struct adata *list)
 { return (u32 *) list->data; }
 
@@ -98,17 +102,45 @@ static inline u64 ec_ip4(u64 kind, u64 key, u64 val)
 static inline u64 ec_generic(u64 key, u64 val)
 { return (key << 32) | val; }
 
+/* Large community value */
+typedef struct lcomm {
+  u32 asn;
+  u32 ldp1;
+  u32 ldp2;
+} lcomm;
+
+#define LCOMM_LENGTH 12
+
+static inline lcomm lc_get(const u32 *l, int i)
+{ return (lcomm) { l[i], l[i+1], l[i+2] }; }
+
+static inline void lc_put(u32 *l, lcomm v)
+{ l[0] = v.asn; l[1] = v.ldp1; l[2] = v.ldp2; }
+
+static inline int lc_match(const u32 *l, int i, lcomm v)
+{ return (l[i] == v.asn && l[i+1] == v.ldp1 && l[i+2] == v.ldp2); }
+
+static inline u32 *lc_copy(u32 *dst, const u32 *src)
+{ memcpy(dst, src, LCOMM_LENGTH); return dst + 3; }
+
+
 int int_set_format(struct adata *set, int way, int from, byte *buf, uint size);
 int ec_format(byte *buf, u64 ec);
 int ec_set_format(struct adata *set, int from, byte *buf, uint size);
+int lc_format(byte *buf, lcomm lc);
+int lc_set_format(struct adata *set, int from, byte *buf, uint size);
 int int_set_contains(struct adata *list, u32 val);
 int ec_set_contains(struct adata *list, u64 val);
+int lc_set_contains(struct adata *list, lcomm val);
 struct adata *int_set_add(struct linpool *pool, struct adata *list, u32 val);
 struct adata *ec_set_add(struct linpool *pool, struct adata *list, u64 val);
+struct adata *lc_set_add(struct linpool *pool, struct adata *list, lcomm val);
 struct adata *int_set_del(struct linpool *pool, struct adata *list, u32 val);
 struct adata *ec_set_del(struct linpool *pool, struct adata *list, u64 val);
+struct adata *lc_set_del(struct linpool *pool, struct adata *list, lcomm val);
 struct adata *int_set_union(struct linpool *pool, struct adata *l1, struct adata *l2);
 struct adata *ec_set_union(struct linpool *pool, struct adata *l1, struct adata *l2);
+struct adata *lc_set_union(struct linpool *pool, struct adata *l1, struct adata *l2);
 
 
 #endif
diff --git a/nest/route.h b/nest/route.h
index 2fcb189a..07320566 100644
--- a/nest/route.h
+++ b/nest/route.h
@@ -442,7 +442,7 @@ typedef struct eattr {
 #define EA_ALLOW_UNDEF 0x10000		/* ea_find: allow EAF_TYPE_UNDEF */
 #define EA_BIT(n) ((n) << 24)		/* Used in bitfield accessors */
 
-#define EAF_TYPE_MASK 0x0f		/* Mask with this to get type */
+#define EAF_TYPE_MASK 0x1f		/* Mask with this to get type */
 #define EAF_TYPE_INT 0x01		/* 32-bit unsigned integer number */
 #define EAF_TYPE_OPAQUE 0x02		/* Opaque byte string (not filterable) */
 #define EAF_TYPE_IP_ADDRESS 0x04	/* IP address */
@@ -451,7 +451,8 @@ typedef struct eattr {
 #define EAF_TYPE_BITFIELD 0x09		/* 32-bit embedded bitfield */
 #define EAF_TYPE_INT_SET 0x0a		/* Set of u32's (e.g., a community list) */
 #define EAF_TYPE_EC_SET 0x0e		/* Set of pairs of u32's - ext. community list */
-#define EAF_TYPE_UNDEF 0x0f		/* `force undefined' entry */
+#define EAF_TYPE_LC_SET 0x12		/* Set of triplets of u32's - large community list */
+#define EAF_TYPE_UNDEF 0x1f		/* `force undefined' entry */
 #define EAF_EMBEDDED 0x01		/* Data stored in eattr.u.data (part of type spec) */
 #define EAF_VAR_LENGTH 0x02		/* Attribute length is variable (part of type spec) */
 #define EAF_ORIGINATED 0x40		/* The attribute has originated locally */
diff --git a/nest/rt-attr.c b/nest/rt-attr.c
index ab0069b5..9aeca846 100644
--- a/nest/rt-attr.c
+++ b/nest/rt-attr.c
@@ -828,6 +828,18 @@ ea_show_ec_set(struct cli *c, struct adata *ad, byte *pos, byte *buf, byte *end)
     }
 }
 
+static inline void
+ea_show_lc_set(struct cli *c, struct adata *ad, byte *pos, byte *buf, byte *end)
+{
+  int i = lc_set_format(ad, 0, pos, end - pos);
+  cli_printf(c, -1012, "\t%s", buf);
+  while (i)
+    {
+      i = lc_set_format(ad, i, buf, end - buf - 1);
+      cli_printf(c, -1012, "\t\t%s", buf);
+    }
+}
+
 /**
  * ea_show - print an &eattr to CLI
  * @c: destination CLI
@@ -892,6 +904,9 @@ ea_show(struct cli *c, eattr *e)
 	case EAF_TYPE_EC_SET:
 	  ea_show_ec_set(c, ad, pos, buf, end);
 	  return;
+	case EAF_TYPE_LC_SET:
+	  ea_show_lc_set(c, ad, pos, buf, end);
+	  return;
 	case EAF_TYPE_UNDEF:
 	default:
 	  bsprintf(pos, "<type %02x>", e->type);
diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index b8371f32..6fe34e56 100644
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -289,6 +289,12 @@ bgp_check_ext_community(struct bgp_proto *p UNUSED, byte *a UNUSED, int len)
   return ((len % 8) == 0) ? 0 : WITHDRAW;
 }
 
+static int
+bgp_check_large_community(struct bgp_proto *p UNUSED, byte *a UNUSED, int len)
+{
+  return ((len % 12) == 0) ? 0 : WITHDRAW;
+}
+
 
 static struct attr_desc bgp_attr_table[] = {
   { NULL, -1, 0, 0, 0,								/* Undefined */
@@ -325,7 +331,10 @@ static struct attr_desc bgp_attr_table[] = {
   { "as4_path", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1,		/* BA_AS4_PATH */
     NULL, NULL },
   { "as4_aggregator", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_OPAQUE, 1,	/* BA_AS4_PATH */
-    NULL, NULL }
+    NULL, NULL },
+  [BA_LARGE_COMMUNITY] =
+  { "large_community", -1, BAF_OPTIONAL | BAF_TRANSITIVE, EAF_TYPE_LC_SET, 1,
+    bgp_check_large_community, NULL }
 };
 
 /* BA_AS4_PATH is type EAF_TYPE_OPAQUE and not type EAF_TYPE_AS_PATH.
@@ -575,7 +584,7 @@ bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains)
       len = bgp_get_attr_len(a);
 
       /* Skip empty sets */ 
-      if (((type == EAF_TYPE_INT_SET) || (type == EAF_TYPE_EC_SET)) && (len == 0))
+      if (((type == EAF_TYPE_INT_SET) || (type == EAF_TYPE_EC_SET) || (type == EAF_TYPE_LC_SET)) && (len == 0))
 	continue; 
 
       if (remains < len + 4)
@@ -601,6 +610,7 @@ bgp_encode_attrs(struct bgp_proto *p, byte *w, ea_list *attrs, int remains)
 	    break;
 	  }
 	case EAF_TYPE_INT_SET:
+	case EAF_TYPE_LC_SET:
 	case EAF_TYPE_EC_SET:
 	  {
 	    u32 *z = int_set_get_data(a->u.ptr);
@@ -683,6 +693,25 @@ bgp_normalize_ec_set(struct adata *ad, u32 *src, int internal)
   qsort(dst, ad->length / 8, 8, (int(*)(const void *, const void *)) bgp_compare_ec);
 }
 
+static int
+bgp_compare_lc(const u32 *x, const u32 *y)
+{
+  if (x[0] != y[0])
+    return (x[0] > y[0]) ? 1 : -1;
+  if (x[1] != y[1])
+    return (x[1] > y[1]) ? 1 : -1;
+  if (x[2] != y[2])
+    return (x[2] > y[2]) ? 1 : -1;
+  return 0;
+}
+
+static inline void
+bgp_normalize_lc_set(u32 *dest, u32 *src, unsigned cnt)
+{
+  memcpy(dest, src, LCOMM_LENGTH * cnt);
+  qsort(dest, cnt, LCOMM_LENGTH, (int(*)(const void *, const void *)) bgp_compare_lc);
+}
+
 static void
 bgp_rehash_buckets(struct bgp_proto *p)
 {
@@ -827,6 +856,14 @@ bgp_get_bucket(struct bgp_proto *p, net *n, ea_list *attrs, int originate)
 	    d->u.ptr = z;
 	    break;
 	  }
+	case EAF_TYPE_LC_SET:
+	  {
+	    struct adata *z = alloca(sizeof(struct adata) + d->u.ptr->length);
+	    z->length = d->u.ptr->length;
+	    bgp_normalize_lc_set((u32 *) z->data, (u32 *) d->u.ptr->data, z->length / LCOMM_LENGTH);
+	    d->u.ptr = z;
+	    break;
+	  }
 	default: ;
 	}
       d++;
@@ -1797,6 +1834,7 @@ bgp_decode_attrs(struct bgp_conn *conn, byte *attr, uint len, struct linpool *po
 	  ipa_ntoh(*(ip_addr *)ad->data);
 	  break;
 	case EAF_TYPE_INT_SET:
+	case EAF_TYPE_LC_SET:
 	case EAF_TYPE_EC_SET:
 	  {
 	    u32 *z = (u32 *) ad->data;
diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h
index b1cca2d9..d5747c18 100644
--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -308,6 +308,7 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
 #define BA_EXT_COMMUNITY	0x10	/* [RFC4360] */
 #define BA_AS4_PATH             0x11    /* [RFC4893] */
 #define BA_AS4_AGGREGATOR       0x12
+#define BA_LARGE_COMMUNITY	0x1e	/* [draft-ietf-idr-large-community] */
 
 /* BGP connection states */
 
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index f3ba0e16..32ae88a3 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -27,7 +27,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY,
 	INTERPRET, COMMUNITIES, BGP_ORIGINATOR_ID, BGP_CLUSTER_LIST, IGP,
 	TABLE, GATEWAY, DIRECT, RECURSIVE, MED, TTL, SECURITY, DETERMINISTIC,
 	SECONDARY, ALLOW, BFD, ADD, PATHS, RX, TX, GRACEFUL, RESTART, AWARE,
-	CHECK, LINK, PORT, EXTENDED, MESSAGES, SETKEY)
+	CHECK, LINK, PORT, EXTENDED, MESSAGES, SETKEY, BGP_LARGE_COMMUNITY)
 
 CF_GRAMMAR
 
@@ -159,6 +159,8 @@ CF_ADDTO(dynamic_attr, BGP_CLUSTER_LIST
 	{ $$ = f_new_dynamic_attr(EAF_TYPE_INT_SET, T_CLIST, EA_CODE(EAP_BGP, BA_CLUSTER_LIST)); })
 CF_ADDTO(dynamic_attr, BGP_EXT_COMMUNITY
 	{ $$ = f_new_dynamic_attr(EAF_TYPE_EC_SET, T_ECLIST, EA_CODE(EAP_BGP, BA_EXT_COMMUNITY)); })
+CF_ADDTO(dynamic_attr, BGP_LARGE_COMMUNITY
+	{ $$ = f_new_dynamic_attr(EAF_TYPE_LC_SET, T_LCLIST, EA_CODE(EAP_BGP, BA_LARGE_COMMUNITY)); })
 
 
 

From 60566c5c804070c145fafd75ef2c17efb489a1eb Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Sat, 1 Oct 2016 22:31:01 +0200
Subject: [PATCH 02/37] Filter: large community sets

Add support for lc sets to filter code. Grammar of (small) community sets
has to be updated to avoid parser collisions.
---
 filter/config.Y | 92 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 61 insertions(+), 31 deletions(-)

diff --git a/filter/config.Y b/filter/config.Y
index 79e274ab..29e3a734 100644
--- a/filter/config.Y
+++ b/filter/config.Y
@@ -67,6 +67,14 @@ f_merge_items(struct f_tree *a, struct f_tree *b)
 static inline struct f_tree *
 f_new_pair_item(int fa, int ta, int fb, int tb)
 {
+  check_u16(fa);
+  check_u16(ta);
+  check_u16(fb);
+  check_u16(tb);
+
+  if ((ta < fa) || (tb < fb))
+    cf_error( "From value cannot be higher that To value in pair sets");
+
   struct f_tree *t = f_new_tree();
   t->right = t;
   t->from.type = t->to.type = T_PAIR;
@@ -78,22 +86,26 @@ f_new_pair_item(int fa, int ta, int fb, int tb)
 static inline struct f_tree *
 f_new_pair_set(int fa, int ta, int fb, int tb)
 {
-  struct f_tree *lst = NULL;
-  int i;
+  check_u16(fa);
+  check_u16(ta);
+  check_u16(fb);
+  check_u16(tb);
 
-  if ((fa == ta) || ((fb == 0) && (tb == 0xFFFF)))
-    return f_new_pair_item(fa, ta, fb, tb);
-  
   if ((ta < fa) || (tb < fb))
     cf_error( "From value cannot be higher that To value in pair sets");
 
+  struct f_tree *lst = NULL;
+  int i;
+
   for (i = fa; i <= ta; i++)
     lst = f_merge_items(lst, f_new_pair_item(i, i, fb, tb));
 
   return lst;
 }
 
+#define CC_ALL 0xFFFF
 #define EC_ALL 0xFFFFFFFF
+#define LC_ALL 0xFFFFFFFF
 
 static struct f_tree *
 f_new_ec_item(u32 kind, u32 ipv4_used, u32 key, u32 vf, u32 vt)
@@ -133,6 +145,17 @@ f_new_ec_item(u32 kind, u32 ipv4_used, u32 key, u32 vf, u32 vt)
   return t;
 }
 
+static struct f_tree *
+f_new_lc_item(u32 f1, u32 t1, u32 f2, u32 t2, u32 f3, u32 t3)
+{
+  struct f_tree *t = f_new_tree();
+  t->right = t;
+  t->from.type = t->to.type = T_LC;
+  t->from.val.lc = (lcomm) {f1, f2, f3};
+  t->to.val.lc = (lcomm) {t1, t2, t3};
+  return t;
+}
+
 static inline struct f_inst *
 f_generate_empty(struct f_inst *dyn)
 { 
@@ -327,9 +350,9 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
 
 %type <x> term block cmds cmds_int cmd function_body constant constructor print_one print_list var_list var_listn dynamic_attr static_attr function_call symbol bgp_path_expr
 %type <f> filter filter_body where_filter
-%type <i> type break_command pair_expr ec_kind
-%type <i32> pair_atom ec_expr
-%type <e> pair_item ec_item set_item switch_item set_items switch_items switch_body
+%type <i> type break_command ec_kind
+%type <i32> cnum
+%type <e> pair_item ec_item lc_item set_item switch_item set_items switch_items switch_body
 %type <trie> fprefix_set
 %type <v> set_atom switch_atom fprefix fprefix_s fipa
 %type <s> decls declsn one_decl function_params 
@@ -550,30 +573,23 @@ switch_atom:
  | ENUM  { $$.type = pair_a($1); $$.val.i = pair_b($1); }
  ;
 
-pair_expr:
-   term { $$ = f_eval_int($1); check_u16($$); }
-
-pair_atom:
-   pair_expr { $$ = pair($1, $1); }
- | pair_expr DDOT pair_expr { $$ = pair($1, $3); }
- | '*' { $$ = 0xFFFF; }
- ;
+cnum:
+   term { $$ = f_eval_int($1); }
 
 pair_item:
-   '(' pair_atom ',' pair_atom ')' {
-     $$ = f_new_pair_set(pair_a($2), pair_b($2), pair_a($4), pair_b($4));
-   }
- | '(' pair_atom ',' pair_atom ')' DDOT '(' pair_expr ',' pair_expr ')' {
-     /* Hack: $2 and $4 should be pair_expr, but that would cause shift/reduce conflict */
-     if ((pair_a($2) != pair_b($2)) || (pair_a($4) != pair_b($4)))
-       cf_error("syntax error");
-     $$ = f_new_pair_item(pair_b($2), $8, pair_b($4), $10); 
-   }
+   '(' cnum ',' cnum ')'		{ $$ = f_new_pair_item($2, $2, $4, $4); }
+ | '(' cnum ',' cnum DDOT cnum ')'	{ $$ = f_new_pair_item($2, $2, $4, $6); }
+ | '(' cnum ',' '*' ')'			{ $$ = f_new_pair_item($2, $2, 0, CC_ALL); }
+ | '(' cnum DDOT cnum ',' cnum ')'	{ $$ = f_new_pair_set($2, $4, $6, $6); }
+ | '(' cnum DDOT cnum ',' cnum DDOT cnum ')' { $$ = f_new_pair_set($2, $4, $6, $8); }
+ | '(' cnum DDOT cnum ',' '*' ')'	{ $$ = f_new_pair_item($2, $4, 0, CC_ALL); }
+ | '(' '*' ',' cnum ')'			{ $$ = f_new_pair_set(0, CC_ALL, $4, $4); }
+ | '(' '*' ',' cnum DDOT cnum ')'	{ $$ = f_new_pair_set(0, CC_ALL, $4, $6); }
+ | '(' '*' ',' '*' ')'			{ $$ = f_new_pair_item(0, CC_ALL, 0, CC_ALL); }
+ | '(' cnum ',' cnum ')' DDOT '(' cnum ',' cnum ')'
+   { $$ = f_new_pair_item($2, $8, $4, $10); }
  ;
 
-ec_expr:
-   term { $$ = f_eval_int($1); }
-
 ec_kind:
    RT { $$ = EC_RT; }
  | RO { $$ = EC_RO; }
@@ -582,14 +598,27 @@ ec_kind:
  ;
 
 ec_item:
-   '(' ec_kind ',' ec_expr ',' ec_expr ')' { $$ = f_new_ec_item($2, 0, $4, $6, $6); }
- | '(' ec_kind ',' ec_expr ',' ec_expr DDOT ec_expr ')' { $$ = f_new_ec_item($2, 0, $4, $6, $8); }
- | '(' ec_kind ',' ec_expr ',' '*' ')' {  $$ = f_new_ec_item($2, 0, $4, 0, EC_ALL); }
+   '(' ec_kind ',' cnum ',' cnum ')'		{ $$ = f_new_ec_item($2, 0, $4, $6, $6); }
+ | '(' ec_kind ',' cnum ',' cnum DDOT cnum ')'	{ $$ = f_new_ec_item($2, 0, $4, $6, $8); }
+ | '(' ec_kind ',' cnum ',' '*' ')'		{ $$ = f_new_ec_item($2, 0, $4, 0, EC_ALL); }
  ;
 
+lc_item:
+   '(' cnum ',' cnum ',' cnum ')'	    { $$ = f_new_lc_item($2, $2, $4, $4, $6, $6); }
+ | '(' cnum ',' cnum ',' cnum DDOT cnum ')' { $$ = f_new_lc_item($2, $2, $4, $4, $6, $8); }
+ | '(' cnum ',' cnum ',' '*' ')'	    { $$ = f_new_lc_item($2, $2, $4, $4, 0, LC_ALL); }
+ | '(' cnum ',' cnum DDOT cnum ',' '*' ')'  { $$ = f_new_lc_item($2, $2, $4, $6, 0, LC_ALL); }
+ | '(' cnum ',' '*' ',' '*' ')'		    { $$ = f_new_lc_item($2, $2, 0, LC_ALL, 0, LC_ALL); }
+ | '(' cnum DDOT cnum ',' '*' ',' '*' ')'   { $$ = f_new_lc_item($2, $4, 0, LC_ALL, 0, LC_ALL); }
+ | '(' '*' ',' '*' ',' '*' ')'		    { $$ = f_new_lc_item(0, LC_ALL, 0, LC_ALL, 0, LC_ALL); }
+ | '(' cnum ',' cnum ',' cnum ')' DDOT '(' cnum ',' cnum ',' cnum ')'
+   { $$ = f_new_lc_item($2, $10, $4, $12, $6, $14); }
+;
+
 set_item:
    pair_item
  | ec_item
+ | lc_item
  | set_atom { $$ = f_new_item($1, $1); }
  | set_atom DDOT set_atom { $$ = f_new_item($1, $3); }
  ;
@@ -597,6 +626,7 @@ set_item:
 switch_item:
    pair_item
  | ec_item
+ | lc_item
  | switch_atom { $$ = f_new_item($1, $1); }
  | switch_atom DDOT switch_atom { $$ = f_new_item($1, $3); }
  ;

From cec4a73ccb22ed412e87560e4210b6df40832aad Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 4 Oct 2016 00:31:43 +0200
Subject: [PATCH 03/37] Doc: Documentation for large communities

---
 doc/bird.sgml | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 26673f03..bb88dc61 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -1048,7 +1048,16 @@ foot).
 	for <cf/key/ and <cf/value/ parts, (e.g. <cf/(ro, myas, 3*10)/, where
 	<cf/myas/ is an integer variable).
 
-	<tag/int|pair|quad|ip|prefix|ec|enum set/
+	<tag/lc/
+	This is a specialized type used to represent BGP large community
+	values. It is essentially a triplet of 32bit values, where the first
+	value is reserved for the AS number of the issuer, while meaning of
+	remaining parts is defined by the issuer. Literals of this type are
+	written as <cf/(123, 456, 789)/, with any integer values. Similarly to
+	pairs, LCs can be constructed using expressions for its parts, (e.g.
+	<cf/(myas, 10+20, 3*10)/, where <cf/myas/ is an integer variable).
+
+	<tag/int|pair|quad|ip|prefix|ec|lc|enum set/
 	Filters recognize four types of sets. Sets are similar to strings: you
 	can pass them around but you can't modify them. Literals of type <cf>int
 	set</cf> look like <cf> [ 1, 2, 5..7 ]</cf>. As you can see, both simple
@@ -1067,9 +1076,15 @@ foot).
 	(like <cf/(rt, *, 3)/) are not allowed (as they usually have 4B range
 	for ASNs).
 
-	You can also use expressions for int, pair and EC set values. However it
-	must be possible to evaluate these expressions before daemon boots. So
-	you can use only constants inside them. E.g.
+	Also LC sets use similar expressions like pair sets. You can use ranges
+	and wildcards, but if one field uses that, more specific (later) fields
+	must be wildcards. E.g., <cf/(10, 20..30, *)/ or <cf/(10, 20, 30..40)/
+	is valid, while <cf/(10, *, 20..30)/ or <cf/(10, 20..30, 40)/ is not
+	valid.
+
+	You can also use expressions for int, pair, EC and LC set values.
+	However, it must be possible to evaluate these expressions before daemon
+	boots. So you can use only constants inside them. E.g.
 
 	<code>
 	 define one=1;
@@ -1205,6 +1220,13 @@ foot).
 	The same operations (like <cf/add/, <cf/delete/ or <cf/&tilde;/ and
 	<cf/!&tilde;/ membership operators) can be used to modify or test
 	eclists, with ECs instead of pairs as arguments.
+
+	<tag/lclist/
+	Lclist is a data type used for BGP large community lists. Like eclists,
+	lclists are very similar to clists, but they are sets of LCs instead of
+	pairs. The same operations (like <cf/add/, <cf/delete/ or <cf/&tilde;/
+	and <cf/!&tilde;/ membership operators) can be used to modify or test
+	lclists, with LCs instead of pairs as arguments.
 </descrip>
 
 
@@ -2193,6 +2215,14 @@ some of them (marked with `<tt/O/') are optional.
 	field. Individual community values are represented using an <cf/ec/ data
 	type inside the filters.
 
+	<tag>lclist <cf/bgp_large_community/ [O]</tag>
+	List of large community values associated with the route. Large BGP
+	communities is another variant of communities, but contrary to extended
+	communities they behave very much the same way as regular communities,
+	just larger -- they are uniform untyped triplets of 32bit numbers.
+	Individual community values are represented using an <cf/lc/ data type
+	inside the filters.
+
 	<tag>quad <cf/bgp_originator_id/ [I, O]</tag>
 	This attribute is created by the route reflector when reflecting the
 	route and contains the router ID of the originator of the route in the

From a46e01eeef17a7efe876618623397f60e62afe37 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 4 Oct 2016 12:45:39 +0200
Subject: [PATCH 04/37] Nest: Fix signedness of large communities

---
 nest/a-set.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nest/a-set.c b/nest/a-set.c
index 0484ab98..fde34cab 100644
--- a/nest/a-set.c
+++ b/nest/a-set.c
@@ -144,7 +144,7 @@ ec_set_format(struct adata *set, int from, byte *buf, uint size)
 int
 lc_format(byte *buf, lcomm lc)
 {
-  return bsprintf(buf, "(%d, %d, %d)", lc.asn, lc.ldp1, lc.ldp2);
+  return bsprintf(buf, "(%u, %u, %u)", lc.asn, lc.ldp1, lc.ldp2);
 }
 
 int
@@ -167,7 +167,7 @@ lc_set_format(struct adata *set, int from, byte *buf, uint bufsize)
 	  return i;
 	}
 
-      buf += bsprintf(buf, "(%d, %d, %d)", d[i], d[i+1], d[i+2]);
+      buf += bsprintf(buf, "(%u, %u, %u)", d[i], d[i+1], d[i+2]);
       *buf++ = ' ';
     }
 

From a998836d4bd4df8820e67f51e16d81a5a8dc9e9b Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 4 Oct 2016 23:19:35 +0200
Subject: [PATCH 05/37] Filter: fix missing separator

---
 filter/trie.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filter/trie.c b/filter/trie.c
index 8af9015e..fba395d1 100644
--- a/filter/trie.c
+++ b/filter/trie.c
@@ -297,7 +297,7 @@ trie_format(struct f_trie *t, buffer *buf)
   buffer_puts(buf, "[");
 
   if (t->zero)
-    buffer_print(buf, "%I/%d", IPA_NONE, 0);
+    buffer_print(buf, "%I/%d, ", IPA_NONE, 0);
   trie_node_format(t->root, buf);
 
   /* Undo last separator */

From 9faf72c8cc9a099b41c90ee1822e8bca22fd0596 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 29 Sep 2016 11:20:04 +0200
Subject: [PATCH 06/37] Doc: Fix whitespaces

---
 doc/sbase/dist/birddoc/groff/mapping   | 144 ++++++++++++-------------
 doc/sbase/dist/birddoc/html/mapping    |  60 +++++------
 doc/sbase/dist/birddoc/latex2e/mapping |  42 ++++----
 doc/sbase/dtd/birddoc.dtd              | 102 +++++++++---------
 4 files changed, 174 insertions(+), 174 deletions(-)

diff --git a/doc/sbase/dist/birddoc/groff/mapping b/doc/sbase/dist/birddoc/groff/mapping
index 71d2c935..3861a28d 100644
--- a/doc/sbase/dist/birddoc/groff/mapping
+++ b/doc/sbase/dist/birddoc/groff/mapping
@@ -6,7 +6,7 @@
 % Based on qwertz replacement file by Tom Gordon
 % linuxdoc mods by mdw
 
-% Groff dependencies are few.  To port to another roff: 
+% Groff dependencies are few.  To port to another roff:
 % 1. Check and modify, if necessary, font changes.  (e.g. In psroff the
 % same fonts have other names.)
 % 2. Check the code for including Encapsulated PostScript, generated
@@ -19,13 +19,13 @@
 
 			% Hacked by mdw
 			".nr PI 3n\n"
-			".ds CF \\\\n\%\n"	
+			".ds CF \\\\n\%\n"
 			".ds CH \\&\n"
 			".ds dR $\n"   % dollar, to avoid EQN conflicts
 
 			% Start with no TOC
 			".ds printtoc\n"
-			
+
 			% Footnote style
 			".nr FF 1\n"
 
@@ -51,16 +51,16 @@
                         ".nr HM 0i\n"
                         ".nr FM 0i\n"
 
-			% Turn off right-margin filling 
+			% Turn off right-margin filling
 			".na\n"
-			
+
 			% h is 1 if first paragraph after heading
 
-			".nr h 0\n" 
+			".nr h 0\n"
 
 			% initialize heading level
-			
-			".nr il 1\n"	
+
+			".nr il 1\n"
 
 			% Number registers for list
 
@@ -68,20 +68,20 @@
 			".nr ll 0\n"  % list level, stores current level
 			".nr el 0\n"  % current enumeration level
 
-			% Not all list levels are enumerations, as 
+			% Not all list levels are enumerations, as
 			% itemizations can be embedded within enumerations
 			% and vice versa
-			
+
 			% type of list level is in \n(t\n(ll, where
 			% 0 : itemize, 1 : enumerate, 2: description
 
 			% enumerator for an enumeration level is in
 			% \n(e\n(el -- i.e. \n(e1=2 means current item of
 			% enumeration level 1 is 2
-			
+
 			% context-sensitive paragraph macro
 
-% Bug: There's some problem using this to re-start paragraphs after the 
+% Bug: There's some problem using this to re-start paragraphs after the
 % </verb> and </code>, so after verb and code I insert .LP. That's fine
 % except that is loses indentation when using verb or code inside of a list.
 
@@ -95,21 +95,21 @@
 % for this enumeration level
 ".if \\\\n(t\\\\n(ll=1 \\{.IP \\\\n+(e\\\\n(el.\\}\n"
 % if first par element of descrip, do nothing
-".\\}\n"  
+".\\}\n"
 ".el .sp \n"		% subsequent par element of item
 ".\\}\n"
 ".el \\{\\\n"		     	% not within list
-".ie \\\\nh=1 \\{\\\n"	% first par after heading  
-".LP\n"	
+".ie \\\\nh=1 \\{\\\n"	% first par after heading
+".LP\n"
 ".nr h 0\n"	% reset h flag
-".\\}\n"	        
+".\\}\n"
 ".el .LP \n"   % Changed from .PP, mdw
 ".\\}\n"
 ".nh\n"
-"..\n"	
+"..\n"
+
+
 
-			
-			
 			% for each level, a number register is created
 			% to store its type and current item number, where
 			% -1=bullet of an itemized list.
@@ -141,7 +141,7 @@
 % set initial level of headings, in register il
 
 <article>		+	".nr il 0"		+
-</article>		+	".if '\\*[printtoc]'true' .PX\n" 
+</article>		+	".if '\\*[printtoc]'true' .PX\n"
 
 <report>		+ 	".nr il 1"		+
 </report>	+	".bp\n"
@@ -153,23 +153,23 @@
 			".bp\n"
 			".TC"			+
 
-<notes>		
+<notes>
 </notes>
 
 <manpage>	+	".nr il -1"		+
-</manpage>	
+</manpage>
 
 <progdoc>
 </progdoc>
 
 % Hacked up titlepag stuff to look more reasonable. Titles and author
 % names are now stored in strings, printed by the end of </titlepag>.
-% Wake up! This uses groff-like long string names. You must use groff 
+% Wake up! This uses groff-like long string names. You must use groff
 % to format this.
 
 <titlepag>	+	".ds mdwtitle\n"
 			".ds mdwsubtitle\n"
-			".ds mdwdate\n"		
+			".ds mdwdate\n"
 			".de printabstract\n"
 			"..\n"			+
 </titlepag>	+	"\\*[mdwtitle]\n"
@@ -181,10 +181,10 @@
 			"\\*[mdwdate]\n"
 			".br\n"
 			".printabstract\n"
-			".br\n"	
+			".br\n"
 
 %<title>		+	".TL"			+
-%</title>	
+%</title>
 
 <title>		+	".ds mdwtitle "
 </title>	+
@@ -194,13 +194,13 @@
 %			".SM"		+
 %</subtitle>	+	".LG"			+
 
-<subtitle>	+	".ds mdwsubtitle "	
+<subtitle>	+	".ds mdwsubtitle "
 </subtitle>	+
 
-<date>		+	".ds mdwdate "	
+<date>		+	".ds mdwdate "
 </date>		+
 
-<abstract>	+ 	".de printabstract\n"	
+<abstract>	+ 	".de printabstract\n"
 			".LP\n"
 </abstract>	+	".."			+
 
@@ -215,10 +215,10 @@
 <name>		+	".br"			+
 </name>
 
-<and>		
+<and>
 </and>
 
-<thanks>			"\\**\n"	
+<thanks>			"\\**\n"
 			".FS"			+
 </thanks>	+	".FE"			+
 
@@ -229,11 +229,11 @@
 <newline>	+	".br"
 </newline>
 
-<label>		
-</label>	
+<label>
+</label>
 
-<header>	
-</header>	
+<header>
+</header>
 
 <lhead>		+	".EH '"
 </lhead>		"'''"		+
@@ -263,13 +263,13 @@
 <toc>
 </toc>
 
-<lof>	
+<lof>
 </lof>
 
-<lot>	
+<lot>
 </lot>
 
-<chapt>		+	".bp\n"	
+<chapt>		+	".bp\n"
 			".NH \\n(il "		+
 </chapt>
 
@@ -283,7 +283,7 @@
 </sect2>
 
 <sect3>		+	".NH 4+\\n(il"		+
-</sect3>	
+</sect3>
 
 <sect4>		+	".NH 5+\\n(il"		+
 </sect4>
@@ -292,10 +292,10 @@
 </heading>	+	"\\*h\n"
 			".XS \\n%\n"
 			"\\*(SN \\*h\n"
-			".XE\n"		
+			".XE\n"
 			".nr h 1\n"  % set heading flag to true
 
-<p>		+	".Pp"			+   
+<p>		+	".Pp"			+
 </p>
 
 <itemize>	+	".nr ll +1\n"	   % increment list level
@@ -309,9 +309,9 @@
 			".af e\\n(el \\*(f\\n(el\n" % style of enumerator
 			".if \\n(ll>1 .RS"  +
 </enum>		+	".if \\n(ll>1 .RE\n"
-			".br\n"			
+			".br\n"
 			".nr el -1\n"	    % decrement enumeration level
-			".nr ll -1\n"	    % decrement list level 
+			".nr ll -1\n"	    % decrement list level
 
 <descrip>	+	".RS\n"
 			".nr ll +1\n"	    % increment list level
@@ -324,7 +324,7 @@
 % If bi=1 then the paragraph is the first one of the item.
 
 <item>		+	".nr bi 1\n.Pp"		+
-</item>	
+</item>
 
 <tag>		+	".IP \"\\fB"
 </tag>			"\\fR\"\n"
@@ -337,12 +337,12 @@
 </cf>			""
 
 <cite>		+	".\[\n[ID]\n.\]"	+
-</cite>	
+</cite>
 
 <ncite>		+	".\[\n[ID]\n.\]\n([NOTE])"
 </ncite>
 
-<footnote>		" (-- "	
+<footnote>		" (-- "
 </footnote>		"--)"			+
 
 <sq>			"\\*Q"
@@ -353,20 +353,20 @@
 </lq>		+	".nr LL \\n(LL+\\n(PI\n"
 			".RE"			+
 
-<em>			"\\fI"			
-</em>		 	"\\fP"			
+<em>			"\\fI"
+</em>		 	"\\fP"
 
-<bf>			"\\fB"			
-</bf>			"\\fR"			
+<bf>			"\\fB"
+</bf>			"\\fR"
 
-<it>			"\\fI"			
-</it>			"\\fR"		
+<it>			"\\fI"
+</it>			"\\fR"
 
-<sf>			"\\fR"		
-</sf>			"\\fR"			
+<sf>			"\\fR"
+</sf>			"\\fR"
 
-<sl>			"\\fI"		
-</sl>			"\\fR"			
+<sl>			"\\fI"
+</sl>			"\\fR"
 
 % Changed by mdw
 <tt>			"\\fC"
@@ -394,10 +394,10 @@
 <pageref>		"??"
 </pageref>
 
-<x>	
+<x>
 </x>
 
-<mc>			
+<mc>
 </mc>
 
 <biblio>	+	".\[\n"
@@ -423,7 +423,7 @@
 	 	%	".Pp"	+  % continue previous paragraph (changed mdw)
 			".LP"
 
-% tscreen added by mdw 
+% tscreen added by mdw
 <tscreen>       +       ".br\n"
                         ".po 0.75i\n"
                         ".ll 6.0i\n"
@@ -487,8 +487,8 @@
 
 % mathematics -- this nroff version needs work.
 
-<f>					
-</f>			
+<f>
+</f>
 
 <dm>		+	".DS L"		        +
 </dm>		+	".DE"			+
@@ -496,8 +496,8 @@
 <eq>		+	".DS L"			+
 </eq>		+	".DE"			+
 
-<fr>			
-</fr>		
+<fr>
+</fr>
 
 <nu>			"{"
 </nu>			"} over "
@@ -505,7 +505,7 @@
 <de>			"{"
 </de>			"}"
 
-<lim>			
+<lim>
 </lim>
 
 <op>
@@ -527,7 +527,7 @@
 </in>
 
 <sum>			" sum "
-</sum>		
+</sum>
 
 % limitation: eqn only does square roots!
 
@@ -539,7 +539,7 @@
 			"[ca]."			+
 </ar>		+	".TE"			+
 
-<arr>   		"\n"			
+<arr>   		"\n"
 </arr>
 
 <arc>   		"|"
@@ -567,8 +567,8 @@
 
 % limitation: no calligraphic characters, using helvetica italics instead.  Is there a better font?
 
-<fi>			"\\fI"	
-</fi>			"\\fP"	
+<fi>			"\\fI"
+</fi>			"\\fP"
 
 <phr>			" roman }"
 </phr>			"}"
@@ -584,12 +584,12 @@
 
 <eps>		+  	".if t .PSPIC [file].ps\n"
 			".if n .sp 4"	  	+
-</eps>                	
-            	
+</eps>
+
 % Are TeX units properly handled by this translation of ph?
 
 <ph>		+	".sp [VSPACE]"		+
-</ph>	
+</ph>
 
 <caption>	+	".sp\n.ce"		+
 </caption>
@@ -619,7 +619,7 @@
 <slides>	+ 	".nr PS 18"		+
 </slides>
 
-<slide>	
+<slide>
 </slide>	+	".bp\n\\&"			+
 
 % letters -- replacement for email, using mh format.
diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping
index 353d7774..d95b1759 100644
--- a/doc/sbase/dist/birddoc/html/mapping
+++ b/doc/sbase/dist/birddoc/html/mapping
@@ -21,7 +21,7 @@
 </notes>	+	"<@@enddoc>"		+
 
 % Manual Pages are expected to be formatted using nroff (or groff), unless
-% they are included  as sections of other qwertz documents.  
+% they are included  as sections of other qwertz documents.
 
 <manpage>
 </manpage>
@@ -35,7 +35,7 @@
 <title>		+	"<@@title>"
 </title>
 
-<subtitle>	+	"<H2>"	
+<subtitle>	+	"<H2>"
 </subtitle>		"</H2>"			+
 
 <author>
@@ -48,26 +48,26 @@
 </and>
 
 <thanks>	+	"Thanks "
-</thanks>		
+</thanks>
 
 <inst>		+	"<H3>"
 </inst>			"</H3>"			+
 
 <newline>		"<BR>"
-	
+
 <label>		+	"<@@label>[ID]"		+
-	
-<header>	
-</header>	
+
+<header>
+</header>
 
 <lhead>		+	"<!-- "
-</lhead>		" -->"			+			
+</lhead>		" -->"			+
 
 <rhead>		+	"<!-- "
 </rhead>		" -->"			+
 
 <comment>	+	"<H4>Comment</H4>"	+
-</comment>		
+</comment>
 
 <abstract>	+	"<P><HR>\n<EM>"
 </abstract>		"</EM>\n<HR>"		+
@@ -99,7 +99,7 @@
 <sect3>		+	"<@@head>"
 </sect3>
 
-<sect4>		+	"<@@head>"		
+<sect4>		+	"<@@head>"
 </sect4>
 
 <heading>
@@ -203,7 +203,7 @@
 			"<@@endurl>"		+
 </htmlurl>
 
-% ref modified to have an optional name field 
+% ref modified to have an optional name field
 <ref>		+	"<@@ref>[ID]\n"
 			"[NAME]</A>\n"
 			"<@@endref>"		+
@@ -228,7 +228,7 @@
 </mc>			"</MC>"
 
 <biblio>	+	"<BIBLIO STYLE=\"[STYLE]\" FILES=\"[FILES]\">" +
-</biblio>	
+</biblio>
 
 <code>		+	"<HR>\n<PRE>"		+
 </code>		+	"</PRE>\n<HR>"		+
@@ -244,28 +244,28 @@
 
 % theorems and such
 
-<def>		+	"<DEF>"			
+<def>		+	"<DEF>"
 </def>		+	"</DEF>"		+
 
-<prop>		+	"<PROP>"		
+<prop>		+	"<PROP>"
 </prop>		+	"</PROP>"		+
 
-<lemma>		+	"<LEMMA>"		
+<lemma>		+	"<LEMMA>"
 </lemma>	+	"</LEMMA>"		+
 
-<coroll>	+	"<COROLL>"		
+<coroll>	+	"<COROLL>"
 </coroll>	+	"</COROLL>"		+
 
-<proof>		+	"<PROOF>"		
+<proof>		+	"<PROOF>"
 </proof>	+	"</PROOF>"		+
 
-<theorem>	+	"<THEOREM>"		
+<theorem>	+	"<THEOREM>"
 </theorem>	+	"</THEOREM>"		+
 
 <thtag>			"<THTAG>"
 </thtag>		"</THTAG>"
 
-% mathematics 
+% mathematics
 
 <f>
 </f>
@@ -315,11 +315,11 @@
 <ar>			"<AR>"
 </ar>			"</AR>"
 
-<arr>                   "<ARR>" 
-</arr>			
+<arr>                   "<ARR>"
+</arr>
 
 <arc>                   "<ARC>"
-</arc>		
+</arc>
 
 <sup>			"<SUP>"
 </sup>			"</SUP>"
@@ -354,13 +354,13 @@
 </figure>	+	"</FIGURE>"			+
 
 <eps>		+   	"<EPS FILE=\"[FILE]\">"  +
-</eps>                	
-            	
+</eps>
+
 <img>		+	"<IMG SRC=\"[SRC]\">"	+
 </img>
 
 <ph>		+	"<PH VSPACE=\"[VSPACE]\">"	+
-</ph>	
+</ph>
 
 <caption>	+	"<CAPTION>"
 </caption>		"</CAPTION>" 	+
@@ -403,7 +403,7 @@
 </opening>		"</OPENING>"		+
 
 
-<from>		+	"<FROM>"			
+<from>		+	"<FROM>"
 </from>		+	"</FROM>"	+
 
 
@@ -419,7 +419,7 @@
 <email>		+	"<EMAIL>"
 </email>		"</EMAIL>"	+
 
-<phone>		+	"<PHONE>"	
+<phone>		+	"<PHONE>"
 </phone>		"</PHONE>"	+
 
 
@@ -430,16 +430,16 @@
 </subject>		"</SUBJECT>"	+
 
 
-<sref>		+	"<SREF>"	
+<sref>		+	"<SREF>"
 </sref>			"</SREF>"	+
 
-<rref>		+	"<RREF>"	
+<rref>		+	"<RREF>"
 </rref>			"</RREF>"	+
 
 <rdate>		+	"<RDATE>"
 </rdate>		"</RDATE>"	+
 
-<closing>	+	"<CLOSING>"	
+<closing>	+	"<CLOSING>"
 </closing>		"</CLOSING>"	+
 
 <cc>		+	"<CC>"
diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index 747d0d33..97ca1753 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -14,7 +14,7 @@
 </book>		+	"\\end{document}"	+
 
 % Manual Pages are expected to be formatted using nroff (or groff), unless
-% they are included  as sections of other qwertz documents.  
+% they are included  as sections of other qwertz documents.
 
 <manpage>
 </manpage>
@@ -26,17 +26,17 @@
 </titlepag>	+	"\n\n\\begin{document}\n"
 			"\\maketitle\n"		+
 
-<title>		+	"\\title{"	
+<title>		+	"\\title{"
 </title>		"}"		+
 
 <subtitle>		"\\\\\n"
 			"{\\large "
 </subtitle>		"}" +
 
-<author>	+	"\\author{"	
+<author>	+	"\\author{"
 </author>		"}"	+
 
-<name>		
+<name>
 </name>
 
 <and>			"\\and "	+
@@ -51,14 +51,14 @@
 <date>		+	"\\date{"
 </date>			"}"		  +
 
-<newline>		"\\\\ "		  
+<newline>		"\\\\ "
 </newline>
 
 <label>			"\\label{[ID]}"
 </label>	
 
 <header>	+	"\\markboth"
-</header>	
+</header>
 
 <lhead>			"{"
 </lhead>		"}"
@@ -73,7 +73,7 @@
 </comment>		"}"
 
 % Hacked by mdw to use linuxdoc-sgml \abstract{...}
-<abstract>	+	"\\abstract{"	
+<abstract>	+	"\\abstract{"
 </abstract>	 	"}"	+
 
 <appendix>	+	"\n \\appendix \n"	+
@@ -101,15 +101,15 @@
 </sect2>
 
 <sect3>		+	"\n\\paragraph"
-</sect3>	
+</sect3>
 
 <sect4>		+	"\n\\subparagraph"
 </sect4>
 
 <heading>		"{"
-</heading>		"}\n\n" 
+</heading>		"}\n\n"
 
-<p>		
+<p>
 </p>			"\n\n"
 
 <itemize>	+	"\\begin{itemize}"	+
@@ -236,16 +236,16 @@
 <htmlurl>		"\\onlynameurl{[NAME]}"
 </htmlurl>
 
-<x>	
+<x>
 </x>
 
-<mc>			
+<mc>
 </mc>
 
 <biblio>	+	"\\bibliographystyle{[STYLE]}\n"
 			"\\bibliography{[FILES]}\n"
 			"\\addbibtoc{}"	+
-</biblio>	
+</biblio>
 
 % <macro>		+	"\\macro{[ID]}{\\qw[ID]}"
 % </macro>
@@ -300,19 +300,19 @@
 <thtag>			"\["
 </thtag>		"\]"			+
 
-% mathematics 
+% mathematics
 
 <f>			"$"
 </f>			"$"
 
-<dm>		+	"\\\["	
+<dm>		+	"\\\["
 </dm>			"\\\]"  +
 
 <eq>		+	"\\begin{equation}"	+
 </eq>		+	"\\end{equation}\n"	+
 
 <fr>			"\\frac"
-</fr>		
+</fr>
 
 <nu>			"{"
 </nu>			"}"
@@ -320,7 +320,7 @@
 <de>			"{"
 </de>			"}"
 
-<lim>			
+<lim>
 </lim>
 
 <op>
@@ -342,7 +342,7 @@
 </in>
 
 <sum>			"\\sum"
-</sum>		
+</sum>
 
 <root>			"\\sqrt\[[n]\]{"
 </root>			"}"
@@ -390,11 +390,11 @@
 </figure>	+	"\\end{figure}\n"		+
 
 <eps>		+   	"\\centerline{\\epsfig{file=[FILE],height=[HEIGHT],angle=[ANGLE]}}"  +
-</eps>                	
-            	
+</eps>
+
 
 <ph>		+	"\\vspace{[VSPACE]}\n\\par"	+
-</ph>	
+</ph>
 
 <caption>	+	"\\caption{"
 </caption>		"}" 	+
diff --git a/doc/sbase/dtd/birddoc.dtd b/doc/sbase/dtd/birddoc.dtd
index 9cedcacc..1654b0e5 100644
--- a/doc/sbase/dtd/birddoc.dtd
+++ b/doc/sbase/dtd/birddoc.dtd
@@ -1,6 +1,6 @@
 <!-- This is a DTD, but will be read as -*- sgml -*-   -->
 <!-- ================================================= -->
-<!-- $Id$ 
+<!-- $Id$
 
 This was heavilly modified for use with bird! Don't you dare to use it
 anywhere else. <pavel@ucw.cz>
@@ -79,7 +79,7 @@ anywhere else. <pavel@ucw.cz>
      weren't in the original linuxdoc 1.3 DTD, and are
      superseded by the new if/unless facility.         -->
 <!-- BK/97/05/09: this is the original Linuxdoc DTD,
-     as of SGML Tools 0.99.0. It is not longer 
+     as of SGML Tools 0.99.0. It is not longer
      supported. Use only if in dire need, for backwards
      compabitlity. Backend support for undocumented
      QWERTZ leftovers not in the strict Linuxdoc DTD's
@@ -92,7 +92,7 @@ anywhere else. <pavel@ucw.cz>
      any changes to this, just replacing.              -->
 <!-- ================================================= -->
 
-<!entity % emph 
+<!entity % emph
 	" em|it|bf|sf|sl|tt|cf|m|cparam|const|func|struct|param|type|funcdef " >
 
 <!entity % index "idx|cdx|nidx|ncdx" >
@@ -101,27 +101,27 @@ anywhere else. <pavel@ucw.cz>
 <!entity % xref
 	" label|ref|pageref|cite|url|htmlurl|ncite " >
 
-<!entity % inline 
+<!entity % inline
 	" (#pcdata | f| x| %emph; |sq| %xref | %index | file )* " >
 
-<!entity % list 
+<!entity % list
         " list | itemize | enum | descrip " >
 
-<!entity % par 	
+<!entity % par
 	"  %list; | comment | lq | quote | tscreen | hrule " >
 
 <!entity % mathpar " dm | eq " >
 
-<!entity % thrm 
+<!entity % thrm
         " def | prop | lemma | coroll | proof | theorem " >
 
 <!entity % litprog " code | verb " >
 
-<!entity % sectpar 
-        " %par; | figure | tabular | table | %mathpar; | 
+<!entity % sectpar
+        " %par; | figure | tabular | table | %mathpar; |
 	  %thrm; | %litprog; | function ">
-<!element birddoc o o 
-        (sect | chapt | article | report | 
+<!element birddoc o o
+        (sect | chapt | article | report |
 	 book | letter | telefax | slides | notes | manpage ) >
 
 <!-- `general' entity replaced with ISO entities - kwm -->
@@ -150,7 +150,7 @@ anywhere else. <pavel@ucw.cz>
 <!element hrule - - EMPTY>
 
 <!shortref pmap
-	"&#RS;B" null 
+	"&#RS;B" null
 	"&#RS;B&#RE;" psplit
 	"&#RS;&#RE;" psplit
 --	'"' qtag  --
@@ -189,7 +189,7 @@ anywhere else. <pavel@ucw.cz>
 <!entity   ftag     '<f>'    -- formula begin -- >
 <!entity   qendtag  '</sq>'>
 
-<!shortref sqmap 
+<!shortref sqmap
       "&#RS;B" null
 --      '"' qendtag  --
       "[" lsqb
@@ -249,7 +249,7 @@ anywhere else. <pavel@ucw.cz>
 <!shortref bodymap
      "&#RS;B&#RE;" ptag
      "&#RS;&#RE;" ptag
-      '"' qtag 
+      '"' qtag
       "[" lsqb
       "~" nbsp
       "_" lowbar
@@ -285,7 +285,7 @@ anywhere else. <pavel@ucw.cz>
 
 <!shortref oneline
      "B&#RE;" space
-     "&#RS;&#RE;" null 
+     "&#RS;&#RE;" null
      "&#RS;B&#RE;" null
 --      '"' qtag  --
       "[" ftag
@@ -302,7 +302,7 @@ anywhere else. <pavel@ucw.cz>
 <!usemap oneline caption>
 
 <!entity % tabrow "(%inline, (colsep, %inline)*)" >
-<!element tabular - - 
+<!element tabular - -
        (hline?, %tabrow, (rowsep, hline?, %tabrow)*, caption?) >
 
 <!attlist tabular
@@ -323,7 +323,7 @@ anywhere else. <pavel@ucw.cz>
       "B&#RE;" null
       "BB"  space
       "@" rowsep
-      "|" colsep 
+      "|" colsep
       "[" ftag
 --      '"' qtag --
       "_" thinsp
@@ -344,7 +344,7 @@ anywhere else. <pavel@ucw.cz>
 
 <!shortref ttmap     -- also on one-line --
         "B&#RE;" space
-        "&#RS;&#RE;" null 
+        "&#RS;&#RE;" null
         "&#RS;B&#RE;" null
 	"&#RS;B" null
         '#'     num
@@ -365,14 +365,14 @@ anywhere else. <pavel@ucw.cz>
 <!entity % limits    "pr|in|sum" >
 <!entity % fbu       "fr|lim|ar|root" >
 <!entity % fph       "unl|ovl|sup|inf" >
-<!entity % fbutxt    "(%fbu;) | (%limits;) | 
+<!entity % fbutxt    "(%fbu;) | (%limits;) |
                       (%fcstxt;)|(%fscs;)|(%fph;)" >
 <!entity % fphtxt    "p|#pcdata" >
 <!element  f        - - ((%fbutxt;)*) >
 
 <!entity   fendtag  '</f>'   -- formula end -- >
 
-<!shortref fmap 
+<!shortref fmap
       "&#RS;B" null
       "&#RS;B&#RE;" null
       "&#RS;&#RE;" null
@@ -432,7 +432,7 @@ anywhere else. <pavel@ucw.cz>
 <!shortref arrmap
      "&#RE;" space
       "@" arr
-      "|" arc 
+      "|" arc
       "_" thinsp
       "~" nbsp
       "#" num
@@ -448,7 +448,7 @@ anywhere else. <pavel@ucw.cz>
 <!element  ovl - - ((%fbutxt;)*) >
 <!element  rf  - o (#pcdata) >
 <!element  phr - o ((%fphtxt;)*) >
-<!element  v   - o ((%fcstxt;)*) 
+<!element  v   - o ((%fcstxt;)*)
 	-(tu|%limits;|%fbu;|%fph;) >
 <!element  fi  - o (#pcdata) >
 <!element  tu  - o empty >
@@ -468,7 +468,7 @@ anywhere else. <pavel@ucw.cz>
 
 <!shortref global
       "&#RS;B" null  -- delete leading blanks --
-  --    '"' qtag -- 
+  --    '"' qtag --
       "[" ftag
       "~" nbsp
       "_" lowbar
@@ -485,19 +485,19 @@ anywhere else. <pavel@ucw.cz>
 
 <!-- ref modified to have an optional name field HG -->
 <!element ref - o empty>
-<!attlist ref   
+<!attlist ref
         id cdata #required
         name cdata "&refnam">
 
 <!-- url entity added to have direct url references HG -->
 <!element url - o empty>
-<!attlist url   
+<!attlist url
         url cdata #required
         name cdata "&urlnam" >
 
 <!-- htmlurl entity added to have quieter url references esr -->
 <!element htmlurl - o empty>
-<!attlist htmlurl   
+<!attlist htmlurl
         url cdata #required
         name cdata "&urlnam" >
 
@@ -510,22 +510,22 @@ anywhere else. <pavel@ucw.cz>
 
 <!-- Hacked by mdw to exclude abstract; abstract now part of titlepag -->
 <!element article - -
-        (titlepag, header?, 
-         toc?, lof?, lot?, p*, sect*, 
+        (titlepag, header?,
+         toc?, lof?, lot?, p*, sect*,
          (appendix, sect+)?, biblio?) +(footnote)>
 
 <!attlist article
         opts cdata "null">
 
 <!-- Hacked by mdw to exclude abstract; abstract now part of titlepag -->
-<!element report - - 
+<!element report - -
         (titlepag, header?, toc?, lof?, lot?, p*,
          chapt*, (appendix, chapt+)?, biblio?) +(footnote)>
 
 <!attlist report
         opts cdata "null">
-<!element book  - - 
-        (titlepag, header?, toc?, lof?, lot?, p*, chapt*, 
+<!element book  - -
+        (titlepag, header?, toc?, lof?, lot?, p*, chapt*,
          (appendix, chapt+)?, biblio?) +(footnote) >
 
 <!attlist book
@@ -536,7 +536,7 @@ anywhere else. <pavel@ucw.cz>
 <!element title - o (%inline, subtitle?) +(newline)>
 <!element subtitle - o (%inline)>
 <!usemap oneline titlepag>
-<!element author - o (name, thanks?, inst?, 
+<!element author - o (name, thanks?, inst?,
                         (and, name, thanks?, inst?)*)>
 <!element name o o (%inline) +(newline)>
 <!element and - o empty>
@@ -545,9 +545,9 @@ anywhere else. <pavel@ucw.cz>
 <!element date - o (#pcdata) >
 
 <!usemap global thanks>
- 
+
 <!element newline - o empty >
-<!entity nl "<newline>"> 
+<!entity nl "<newline>">
 
 <!element progdoc - o empty>
 
@@ -575,11 +575,11 @@ anywhere else. <pavel@ucw.cz>
 <!element footnote - - (%inline)>
 <!usemap global footnote>
 <!element cite - o empty>
-<!attlist cite 
+<!attlist cite
         id cdata #required>
 
 <!element ncite - o empty>
-<!attlist ncite 
+<!attlist ncite
         id cdata #required
 	note cdata #required>
 
@@ -599,41 +599,41 @@ anywhere else. <pavel@ucw.cz>
 <!attlist slides
 	opts cdata "null">
 <!element slide - o (title?, p+) >
-<!entity  % addr "(address?, email?, phone?, fax?)" >  
-	
-<!element letter - - 
+<!entity  % addr "(address?, email?, phone?, fax?)" >
+
+<!element letter - -
 	(from, %addr, to, %addr, cc?, subject?, sref?, rref?,
          rdate?, opening, p+, closing, encl?, ps?)>
 
 <!attlist letter
 	opts cdata "null">
-	
+
 <!element from		- o (#pcdata) >
 <!element to		- o (#pcdata) >
-	
+
 <!usemap oneline (from,to)>
-	
+
 <!element address 	- o (#pcdata) +(newline) >
 <!element email		- o (#pcdata) >
 <!element phone		- o (#pcdata) >
 <!element fax 		- o (#pcdata) >
-	
+
 <!element subject 	- o (%inline;) >
 <!element sref		- o (#pcdata) >
 <!element rref          - o (#pcdata) >
 <!element rdate         - o (#pcdata) >
-	
+
 <!element opening 	- o (%inline;) >
 <!usemap oneline opening>
-	
+
 <!element closing - o (%inline;) >
 <!element cc - o (%inline;) +(newline) >
 <!element encl - o (%inline;) +(newline) >
-	
+
 <!element ps - o (p+) >
 
-<!element telefax - - 
-	(from, %addr, to, address, email?, 
+<!element telefax - -
+	(from, %addr, to, address, email?,
          phone?, fax, cc?, subject?,
          opening, p+, closing, ps?)>
 
@@ -644,8 +644,8 @@ anywhere else. <pavel@ucw.cz>
 <!element notes - - (title?, p+) >
 <!attlist notes
 	opts cdata "null" >
-<!element manpage - - (sect1*) 
-	-(sect2 | f | %mathpar | figure | tabular | 
+<!element manpage - - (sect1*)
+	-(sect2 | f | %mathpar | figure | tabular |
           table | %xref | %thrm )>
 
 
@@ -673,5 +673,5 @@ anywhere else. <pavel@ucw.cz>
 <!--
      Local Variables:
      mode: sgml
-     End:                                              -->                 
+     End:                                              -->
 <!-- ================================================= -->

From a2df7c0303d235f4122969243e9df152a8a16dcb Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 29 Sep 2016 14:05:25 +0200
Subject: [PATCH 07/37] Doc: Generate clickable PDF

---
 doc/Makefile                           | 6 +++++-
 doc/sbase/dist/birddoc/latex2e/mapping | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/Makefile b/doc/Makefile
index f88c3205..70b73943 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -13,7 +13,7 @@ endif
 
 docs: progdocs userdocs
 progdocs: prog.html prog.ps
-userdocs: bird.html bird.ps
+userdocs: bird.html bird.pdf
 
 prog.sgml:
 	$(srcdir)/tools/progdoc $(srcdir_abs)
@@ -28,6 +28,10 @@ prog.sgml:
 %.ps: %.dvi
 	dvips -D600 -ta4 -o $@ $<
 
+%.pdf: %.tex
+	pdflatex $<
+	pdflatex $<
+
 %.tex: %.sgml
 	./sgml2latex --output=tex $<
 
diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index 97ca1753..bd11b2d0 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -3,6 +3,7 @@
 
 % The \relax is there to avoid sgml2latex rewriting the class
 <book>		+ "\\relax\\documentclass\[a4paper,10pt,openany\]{book}\n"
+			"\\usepackage\[colorlinks=true,linkcolor=blue,pdftitle={BIRD User's Guide}\]{hyperref}\n"
 			"\\usepackage{birddoc}\n"
 			"\\usepackage{qwertz}\n"
 			"\\usepackage{url}\n"

From b9864aa87193ac1a5ebbc04d24ec782a1fe9637a Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 26 Sep 2016 18:00:59 +0200
Subject: [PATCH 08/37] Doc: Add labels to all chapters and options

---
 doc/bird.sgml                          | 776 +++++++++++++------------
 doc/sbase/dist/birddoc/html/mapping    |   1 +
 doc/sbase/dist/birddoc/latex2e/mapping |  12 +-
 doc/sbase/dtd/birddoc.dtd              |   4 +-
 4 files changed, 428 insertions(+), 365 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index bb88dc61..f2001e75 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -39,11 +39,12 @@ This document contains user documentation for the BIRD Internet Routing Daemon p
 
 
 <chapt>Introduction
+<label id="intro">
 
 <sect>What is BIRD
+<label id="what-is-bird">
 
-<p><label id="intro">
-The name `BIRD' is actually an acronym standing for `BIRD Internet Routing
+<p>The name `BIRD' is actually an acronym standing for `BIRD Internet Routing
 Daemon'. Let's take a closer look at the meaning of the name:
 
 <p><em/BIRD/: Well, we think we have already explained that. It's an acronym
@@ -118,6 +119,7 @@ files, tools ...).
 
 
 <sect>Installing BIRD
+<label id="install">
 
 <p>On a recent UNIX system with GNU development tools (GCC, binutils, m4, make)
 and Perl, installing BIRD should be as easy as:
@@ -138,45 +140,46 @@ BIRD executable by configuring out routing protocols you don't use, and
 
 
 <sect>Running BIRD
+<label id="argv">
 
 <p>You can pass several command-line options to bird:
 
 <descrip>
-	<tag>-c <m/config name/</tag>
+	<tag><label id="argv-config">-c <m/config name/</tag>
 	use given configuration file instead of <it/prefix/<file>/etc/bird.conf</file>.
 
-	<tag>-d</tag>
+	<tag><label id="argv-debug">-d</tag>
 	enable debug messages and run bird in foreground.
 
-	<tag>-D <m/filename of debug log/</tag>
+	<tag><label id="argv-log-file">-D <m/filename of debug log/</tag>
 	log debugging information to given file instead of stderr.
 
-	<tag>-p</tag>
+	<tag><label id="argv-parse">-p</tag>
 	just parse the config file and exit. Return value is zero if the config
 	file is valid, nonzero if there are some errors.
 
-	<tag>-s <m/name of communication socket/</tag>
+	<tag><label id="argv-socket">-s <m/name of communication socket/</tag>
 	use given filename for a socket for communications with the client,
 	default is <it/prefix/<file>/var/run/bird.ctl</file>.
 
-	<tag>-P <m/name of PID file/</tag>
+	<tag><label id="argv-pid">-P <m/name of PID file/</tag>
 	create a PID file with given filename.
 
-	<tag>-u <m/user/</tag>
+	<tag><label id="argv-user">-u <m/user/</tag>
 	drop privileges and use that user ID, see the next section for details.
 
-	<tag>-g <m/group/</tag>
+	<tag><label id="argv-group">-g <m/group/</tag>
 	use that group ID, see the next section for details.
 
-	<tag>-f</tag>
+	<tag><label id="argv-foreground">-f</tag>
 	run bird in foreground.
 
-	<tag>-l</tag>
+	<tag><label id="argv-local">-l</tag>
 	look for a configuration file and a communication socket in the current
 	working directory instead of in default system locations. However, paths
 	specified by options <cf/-c/, <cf/-s/ have higher priority.
 
-	<tag>-R</tag>
+	<tag><label id="argv-recovery">-R</tag>
 	apply graceful restart recovery after start.
 </descrip>
 
@@ -184,6 +187,7 @@ BIRD executable by configuring out routing protocols you don't use, and
 
 
 <sect>Privileges
+<label id="privileges">
 
 <p>BIRD, as a routing daemon, uses several privileged operations (like setting
 routing table and using raw sockets). Traditionally, BIRD is executed and runs
@@ -208,6 +212,7 @@ the config file and create the control socket and the CAP_NET_* capabilities.
 
 
 <chapt>About routing tables
+<label id="routing-tables">
 
 <p>BIRD has one or more routing tables which may or may not be synchronized with
 OS kernel and which may or may not be synchronized with each other (see the Pipe
@@ -245,7 +250,7 @@ network. Note that although most protocols are interested in receiving just
 selected routes, some protocols (e.g. the <cf/Pipe/ protocol) receive and
 process all entries in routing tables (accepted by filters).
 
-<p><label id="dsc-sorted">Usually, a routing table just chooses a selected route
+<p><label id="dsc-table-sorted">Usually, a routing table just chooses a selected route
 from a list of entries for one network. But if the <cf/sorted/ option is
 activated, these lists of entries are kept completely sorted (according to
 preference or some protocol-dependent metric). This is needed for some features
@@ -259,6 +264,7 @@ is that it is slightly more computationally expensive.
 
 
 <sect>Graceful restart
+<label id="graceful-restart">
 
 <p>When BIRD is started after restart or crash, it repopulates routing tables in
 an uncoordinated manner, like after clean start. This may be impractical in some
@@ -274,8 +280,10 @@ particular boot by option <cf/-R/.
 
 
 <chapt>Configuration
+<label id="config">
 
 <sect>Introduction
+<label id="config-intro">
 
 <p>BIRD is configured using a text configuration file. Upon startup, BIRD reads
 <it/prefix/<file>/etc/bird.conf</file> (unless the <tt/-c/ command line option
@@ -319,15 +327,16 @@ protocol rip {
 
 
 <sect>Global options
+<label id="global-opts">
 
 <p><descrip>
-	<tag>include "<m/filename/"</tag>
+	<tag><label id="opt-include">include "<m/filename/"</tag>
 	This statement causes inclusion of a new file. <m/Filename/ could also
 	be a wildcard, in that case matching files are included in alphabetic
 	order. The maximal depth is 8. Note that this statement could be used
 	anywhere in the config file, not just as a top-level option.
 
-	<tag><label id="dsc-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag>
+	<tag><label id="opt-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag>
 	Set logging of messages having the given class (either <cf/all/ or
 	<cf/{ error, trace }/ etc.) into selected destination (a file specified
 	as a filename string, syslog with optional name argument, or the stderr
@@ -341,48 +350,48 @@ protocol rip {
 	You may specify more than one <cf/log/ line to establish logging to
 	multiple destinations. Default: log everything to the system log.
 
-	<tag>debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag>
+	<tag><label id="opt-debug-protocols">debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag>
 	Set global defaults of protocol debugging options. See <cf/debug/ in the
 	following section. Default: off.
 
-	<tag>debug commands <m/number/</tag>
+	<tag><label id="opt-debug-commands">debug commands <m/number/</tag>
 	Control logging of client connections (0 for no logging, 1 for logging
 	of connects and disconnects, 2 and higher for logging of all client
 	commands). Default: 0.
 
-	<tag>debug latency <m/switch/</tag>
+	<tag><label id="opt-debug-latency">debug latency <m/switch/</tag>
 	Activate tracking of elapsed time for internal events. Recent events
 	could be examined using <cf/dump events/ command. Default: off.
 
-	<tag>debug latency limit <m/time/</tag>
+	<tag><label id="opt-debug-latency-limit">debug latency limit <m/time/</tag>
 	If <cf/debug latency/ is enabled, this option allows to specify a limit
 	for elapsed time. Events exceeding the limit are logged. Default: 1 s.
 
-	<tag>watchdog warning <m/time/</tag>
+	<tag><label id="opt-watchdog-warn">watchdog warning <m/time/</tag>
 	Set time limit for I/O loop cycle. If one iteration took more time to
 	complete, a warning is logged. Default: 5 s.
 
-	<tag>watchdog timeout <m/time/</tag>
+	<tag><label id="opt-watchdog-timeout">watchdog timeout <m/time/</tag>
 	Set time limit for I/O loop cycle. If the limit is breached, BIRD is
 	killed by abort signal. The timeout has effective granularity of
 	seconds, zero means disabled. Default: disabled (0).
 
-	<tag>mrtdump "<m/filename/"</tag>
+	<tag><label id="opt-mrtdump">mrtdump "<m/filename/"</tag>
 	Set MRTdump file name. This option must be specified to allow MRTdump
 	feature. Default: no dump file.
 
-	<tag>mrtdump protocols all|off|{ states, messages }</tag>
+	<tag><label id="opt-mrtdump-protocols">mrtdump protocols all|off|{ states, messages }</tag>
 	Set global defaults of MRTdump options. See <cf/mrtdump/ in the
 	following section. Default: off.
 
-	<tag>filter <m/name local variables/{ <m/commands/ }</tag>
+	<tag><label id="opt-filter">filter <m/name local variables/{ <m/commands/ }</tag>
 	Define a filter. You can learn more about filters in the following
 	chapter.
 
-	<tag>function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag>
+	<tag><label id="opt-function">function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag>
 	Define a function. You can learn more about functions in the following chapter.
 
-	<tag>protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
+	<tag><label id="opt-protocol">protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
 	Define a protocol instance called <cf><m/name/</cf> (or with a name like
 	"rip5" generated automatically if you don't specify any
 	<cf><m/name/</cf>). You can learn more about configuring protocols in
@@ -391,7 +400,7 @@ protocol rip {
 	<cf><m/name2/</cf> You can run more than one instance of most protocols
 	(like RIP or BGP). By default, no instances are configured.
 
-	<tag>template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
+	<tag><label id="opt-template">template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
 	Define a protocol template instance called <m/name/ (or with a name like
 	"bgp1" generated automatically if you don't specify any	<m/name/).
 	Protocol templates can be used to group common options when many
@@ -400,25 +409,25 @@ protocol rip {
 	expression and the name of the template. At the moment templates (and
 	<cf/from/ expression) are not implemented for OSPF protocol.
 
-	<tag>define <m/constant/ = <m/expression/</tag>
+	<tag><label id="opt-define">define <m/constant/ = <m/expression/</tag>
 	Define a constant. You can use it later in every place you could use a
 	value of the same type. Besides, there are some predefined numeric
 	constants based on /etc/iproute2/rt_* files. A list of defined constants
 	can be seen (together with other symbols) using 'show symbols' command.
 
-	<tag>router id <m/IPv4 address/</tag>
- 	Set BIRD's router ID. It's a world-wide unique identification of your
+	<tag><label id="opt-router-id">router id <m/IPv4 address/</tag>
+	Set BIRD's router ID. It's a world-wide unique identification of your
 	router, usually one of router's IPv4 addresses. Default: in IPv4
 	version, the lowest IP address of a non-loopback interface. In IPv6
 	version, this option is mandatory.
 
-	<tag>router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag>
+	<tag><label id="opt-router-id-from">router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag>
 	Set BIRD's router ID based on an IP address of an interface specified by
 	an interface pattern. The option is applicable for IPv4 version only.
-	See <ref id="dsc-iface" name="interface"> section for detailed
+	See <ref id="proto-iface" name="interface"> section for detailed
 	description of interface patterns with extended clauses.
 
-	<tag>listen bgp [address <m/address/] [port <m/port/] [dual]</tag>
+	<tag><label id="opt-listen-bgp">listen bgp [address <m/address/] [port <m/port/] [dual]</tag>
 	This option allows to specify address and port where BGP protocol should
 	listen. It is global option as listening socket is common to all BGP
 	instances. Default is to listen on all addresses (0.0.0.0) and port 179.
@@ -427,13 +436,13 @@ protocol rip {
 	BIRD would accept IPv6 routes only). Such behavior was default in older
 	versions of BIRD.
 
-	<tag>graceful restart wait <m/number/</tag>
+	<tag><label id="opt-graceful-restart">graceful restart wait <m/number/</tag>
 	During graceful restart recovery, BIRD waits for convergence of routing
 	protocols. This option allows to specify a timeout for the recovery to
 	prevent waiting indefinitely if some protocols cannot converge. Default:
 	240 seconds.
 
-	<tag>timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag>
+	<tag><label id="opt-timeformat">timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag>
 	This option allows to specify a format of date/time used by BIRD. The
 	first argument specifies for which purpose such format is used.
 	<cf/route/ is a format used in 'show route' command output,
@@ -459,13 +468,13 @@ protocol rip {
 	hh:mm:ss) for <cf/base/ and <cf/log/. These timeformats could be set by
 	<cf/old short/ and <cf/old long/ compatibility shorthands.
 
-	<tag>table <m/name/ [sorted]</tag>
+	<tag><label id="opt-table">table <m/name/ [sorted]</tag>
 	Create a new routing table. The default routing table is created
 	implicitly, other routing tables have to be added by this command.
 	Option <cf/sorted/ can be used to enable sorting of routes, see
-	<ref id="dsc-sorted" name="sorted table"> description for details.
+	<ref id="dsc-table-sorted" name="sorted table"> description for details.
 
-	<tag>roa table <m/name/ [ { roa table options ... } ]</tag>
+	<tag><label id="opt-roa-table">roa table <m/name/ [ { roa table options ... } ]</tag>
 	Create a new ROA (Route Origin Authorization) table. ROA tables can be
 	used to validate route origination of BGP routes. A ROA table contains
 	ROA entries, each consist of a network prefix, a max prefix length and
@@ -479,12 +488,13 @@ protocol rip {
 	ROA entries. The option may be used multiple times. Other entries can be
 	added dynamically by <cf/add roa/ command.
 
-	<tag>eval <m/expr/</tag>
+	<tag><label id="opt-eval">eval <m/expr/</tag>
 	Evaluates given filter expression. It is used by us for	testing of filters.
 </descrip>
 
 
 <sect>Protocol options
+<label id="protocol-opts">
 
 <p>For each protocol instance, you can configure a bunch of options. Some of
 them (those described in this section) are generic, some are specific to the
@@ -497,16 +507,16 @@ disable it. An empty <m/switch/ is equivalent to <cf/on/ ("silence means
 agreement").
 
 <descrip>
-	<tag>preference <m/expr/</tag>
+	<tag><label id="proto-preference">preference <m/expr/</tag>
 	Sets the preference of routes generated by this protocol. Default:
 	protocol dependent.
 
-	<tag>disabled <m/switch/</tag>
+	<tag><label id="proto-disabled">disabled <m/switch/</tag>
 	Disables the protocol. You can change the disable/enable status from the
 	command line interface without needing to touch the configuration.
 	Disabled protocols are not activated. Default: protocol is enabled.
 
-	<tag>debug all|off|{ states, routes, filters, interfaces, events, packets }</tag>
+	<tag><label id="proto-debug">debug all|off|{ states, routes, filters, interfaces, events, packets }</tag>
 	Set protocol debugging options. If asked, each protocol is capable of
 	writing trace messages about its work to the log (with category
 	<cf/trace/). You can either request printing of <cf/all/ trace messages
@@ -517,7 +527,7 @@ agreement").
 	protocol, <cf/events/ for events internal to the protocol and <cf/packets/
 	for packets sent and received by the protocol. Default: off.
 
-	<tag>mrtdump all|off|{ states, messages }</tag>
+	<tag><label id="proto-mrtdump">mrtdump all|off|{ states, messages }</tag>
 	Set protocol MRTdump flags. MRTdump is a standard binary format for
 	logging information from routing protocols and daemons. These flags
 	control what kind of information is logged from the protocol to the
@@ -527,27 +537,27 @@ agreement").
 	BGP protocol, <cf/states/ logs BGP state changes and <cf/messages/ logs
 	received BGP messages. Other protocols does not support MRTdump yet.
 
-	<tag>router id <m/IPv4 address/</tag>
+	<tag><label id="proto-router-id">router id <m/IPv4 address/</tag>
 	This option can be used to override global router id for a given
 	protocol. Default: uses global router id.
 
-	<tag>import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag>
+	<tag><label id="proto-import">import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag>
 	Specify a filter to be used for filtering routes coming from the
 	protocol to the routing table. <cf/all/ is shorthand for <cf/where true/
 	and <cf/none/ is shorthand for <cf/where false/. Default: <cf/all/.
 
-	<tag>export <m/filter/</tag>
+	<tag><label id="proto-export">export <m/filter/</tag>
 	This is similar to the <cf>import</cf> keyword, except that it works in
 	the direction from the routing table to the protocol. Default: <cf/none/.
 
-	<tag>import keep filtered <m/switch/</tag>
+	<tag><label id="proto-import-keep-filtered">import keep filtered <m/switch/</tag>
 	Usually, if an import filter rejects a route, the route is forgotten.
 	When this option is active, these routes are kept in the routing table,
 	but they are hidden and not propagated to other protocols. But it is
 	possible to show them using <cf/show route filtered/. Note that this
 	option does not work for the pipe protocol. Default: off.
 
-	<tag><label id="import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
+	<tag><label id="proto-import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
 	Specify an import route limit (a maximum number of routes imported from
 	the protocol) and optionally the action to be taken when the limit is
 	hit. Warn action just prints warning log message. Block action discards
@@ -556,7 +566,7 @@ agreement").
 	action if an action is not explicitly specified. Note that limits are
 	reset during protocol reconfigure, reload or restart. Default: <cf/off/.
 
-	<tag>receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
+	<tag><label id="proto-receive-limit">receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
 	Specify an receive route limit (a maximum number of routes received from
 	the protocol and remembered). It works almost identically to <cf>import
 	limit</cf> option, the only difference is that if <cf/import keep
@@ -566,7 +576,7 @@ agreement").
 	on the contrary, counts accepted routes only and routes blocked by the
 	limit are handled like filtered routes. Default: <cf/off/.
 
-	<tag>export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag>
+	<tag><label id="proto-export-limit">export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag>
 	Specify an export route limit, works similarly to the <cf>import
 	limit</cf> option, but for the routes exported to the protocol. This
 	option is experimental, there are some problems in details of its
@@ -576,18 +586,18 @@ agreement").
 	updates of already accepted routes -- and these details will probably
 	change in the future. Default: <cf/off/.
 
-	<tag>description "<m/text/"</tag>
+	<tag><label id="proto-description">description "<m/text/"</tag>
 	This is an optional description of the protocol. It is displayed as a
 	part of the output of 'show route all' command.
 
-	<tag>table <m/name/</tag>
+	<tag><label id="proto-table">table <m/name/</tag>
 	Connect this protocol to a non-default routing table.
 </descrip>
 
 <p>There are several options that give sense only with certain protocols:
 
 <descrip>
-	<tag><label id="dsc-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag>
+	<tag><label id="proto-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag>
 	Specifies a set of interfaces on which the protocol is activated with
 	given interface-specific options. A set of interfaces specified by one
 	interface option is described using an interface pattern. The interface
@@ -634,7 +644,7 @@ agreement").
 	<cf>interface "eth*" 192.168.1.0/24;</cf> - start the protocol on all
 	ethernet interfaces that have address from 192.168.1.0/24.
 
-	<tag><label id="dsc-prio">tx class|dscp <m/num/</tag>
+	<tag><label id="proto-tx-class">tx class|dscp <m/num/</tag>
 	This option specifies the value of ToS/DS/Class field in IP headers of
 	the outgoing protocol packets. This may affect how the protocol packets
 	are processed by the network relative to the other network traffic. With
@@ -643,12 +653,12 @@ agreement").
 	keyword, the value (0-63) is used just for the DS field in the octet.
 	Default value is 0xc0 (DSCP 0x30 - CS6).
 
-	<tag>tx priority <m/num/</tag>
+	<tag><label id="proto-tx-priority">tx priority <m/num/</tag>
 	This option specifies the local packet priority. This may affect how the
 	protocol packets are processed in the local TX queues. This option is
 	Linux specific. Default value is 7 (highest priority, privileged traffic).
 
-	<tag><label id="dsc-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag>
+	<tag><label id="proto-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag>
 	Specifies a password that can be used by the protocol. Password option
 	can be used more times to specify more passwords. If more passwords are
 	specified, it is a protocol-dependent decision which one is really
@@ -659,35 +669,35 @@ agreement").
 	This option is allowed in OSPF and RIP protocols. BGP has also
 	<cf/password/ option, but it is slightly different and described
 	separately.
-
 	Default: none.
 </descrip>
 
 <p>Password option can contain section with some (not necessary all) password sub-options:
 
 <descrip>
-	<tag>id <M>num</M></tag>
+	<tag><label id="proto-pass-id">id <M>num</M></tag>
 	ID of the password, (1-255). If it is not used, BIRD will choose ID based
 	on an order of the password item in the interface. For example, second
 	password item in one interface will have default ID 2. ID is used by
 	some routing protocols to identify which password was used to
 	authenticate protocol packets.
 
-	<tag>generate from "<m/time/"</tag>
+	<tag><label id="proto-pass-gen-from">generate from "<m/time/"</tag>
 	The start time of the usage of the password for packet signing.
 	The format of <cf><m/time/</cf> is <tt>dd-mm-yyyy HH:MM:SS</tt>.
 
-	<tag>generate to "<m/time/"</tag>
+	<tag><label id="proto-pass-gen-to">generate to "<m/time/"</tag>
 	The last time of the usage of the password for packet signing.
 
-	<tag>accept from "<m/time/"</tag>
+	<tag><label id="proto-pass-accept-from">accept from "<m/time/"</tag>
 	The start time of the usage of the password for packet verification.
 
-	<tag>accept to "<m/time/"</tag>
+	<tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag>
 	The last time of the usage of the password for packet verification.
 </descrip>
 
 <chapt>Remote control
+<label id="remote-control">
 
 <p>You can use the command-line client <file>birdc</file> to talk with a running
 BIRD. Communication is done using a <file/bird.ctl/ UNIX domain socket (unless
@@ -713,26 +723,26 @@ This argument can be omitted if there exists only a single instance.
 <p>Here is a brief list of supported functions:
 
 <descrip>
-	<tag>show status</tag>
+	<tag><label id="cli-show-status">show status</tag>
 	Show router status, that is BIRD version, uptime and time from last
 	reconfiguration.
 
-	<tag>show interfaces [summary]</tag>
+	<tag><label id="cli-show-interfaces">show interfaces [summary]</tag>
 	Show the list of interfaces. For each interface, print its type, state,
 	MTU and addresses assigned.
 
-	<tag>show protocols [all]</tag>
+	<tag><label id="cli-show-protocols">show protocols [all]</tag>
 	Show list of protocol instances along with tables they are connected to
 	and protocol status, possibly giving verbose information, if <cf/all/ is
 	specified.
 
-	<tag>show ospf interface [<m/name/] ["<m/interface/"]</tag>
+	<tag><label id="cli-show-ospf-iface">show ospf interface [<m/name/] ["<m/interface/"]</tag>
 	Show detailed information about OSPF interfaces.
 
-	<tag>show ospf neighbors [<m/name/] ["<m/interface/"]</tag>
+	<tag><label id="cli-show-ospf-neighbors">show ospf neighbors [<m/name/] ["<m/interface/"]</tag>
 	Show a list of OSPF neighbors and a state of adjacency to them.
 
-	<tag>show ospf state [all] [<m/name/]</tag>
+	<tag><label id="cli-show-ospf-state">show ospf state [all] [<m/name/]</tag>
 	Show detailed information about OSPF areas based on a content of the
 	link-state database. It shows network topology, stub networks,
 	aggregated networks and routers from other areas and external routes.
@@ -740,31 +750,31 @@ This argument can be omitted if there exists only a single instance.
 	<cf/all/ to show information about all network nodes in the link-state
 	database.
 
-	<tag>show ospf topology [all] [<m/name/]</tag>
+	<tag><label id="cli-show-ospf-topology">show ospf topology [all] [<m/name/]</tag>
 	Show a topology of OSPF areas based on a content of the link-state
 	database. It is just a stripped-down version of 'show ospf state'.
 
-	<tag>show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag>
+	<tag><label id="cli-show-ospf-lsadb">show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag>
 	Show contents of an OSPF LSA database. Options could be used to filter
 	entries.
 
-	<tag>show rip interfaces [<m/name/] ["<m/interface/"]</tag>
+	<tag><label id="cli-show-rip-interfaces">show rip interfaces [<m/name/] ["<m/interface/"]</tag>
 	Show detailed information about RIP interfaces.
 
-	<tag>show rip neighbors [<m/name/] ["<m/interface/"]</tag>
+	<tag><label id="cli-show-rip-neighbors">show rip neighbors [<m/name/] ["<m/interface/"]</tag>
 	Show a list of RIP neighbors and associated state.
 
-	<tag>show static [<m/name/]</tag>
+	<tag><label id="cli-show-static">show static [<m/name/]</tag>
 	Show detailed information about static routes.
 
-	<tag>show bfd sessions [<m/name/]</tag>
+	<tag><label id="cli-show-bfd-sessions">show bfd sessions [<m/name/]</tag>
 	Show information about BFD sessions.
 
-	<tag>show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag>
+	<tag><label id="cli-show-symbols">show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag>
 	Show the list of symbols defined in the configuration (names of
 	protocols, routing tables etc.).
 
-	<tag>show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag>
+	<tag><label id="cli-show-route">show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag>
 	Show contents of a routing table (by default of the main one or the
 	table attached to a respective protocol), that is routes, their metrics
 	and (in case the <cf/all/ switch is given) all their attributes.
@@ -799,7 +809,7 @@ This argument can be omitted if there exists only a single instance.
 	number of networks, number of routes before and after filtering). If
 	you use <cf/count/ instead, only the statistics will be printed.
 
-	<tag>show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag>
+	<tag><label id="cli-show-roa">show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag>
 	Show contents of a ROA table (by default of the first one). You can
 	specify a <m/prefix/ to print ROA entries for a specific network. If you
 	use <cf>for <m/prefix/</cf>, you'll get all entries relevant for route
@@ -808,19 +818,19 @@ This argument can be omitted if there exists only a single instance.
 	entries covered by the network prefix. You could also use <cf/as/ option
 	to show just entries for given AS.
 
-	<tag>add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
+	<tag><label id="cli-add-roa">add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
 	Add a new ROA entry to a ROA table. Such entry is called <it/dynamic/
 	compared to <it/static/ entries specified in the config file. These
 	dynamic entries survive reconfiguration.
 
-	<tag>delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
+	<tag><label id="cli-delete-roa">delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
 	Delete the specified ROA entry from a ROA table. Only dynamic ROA
 	entries (i.e., the ones added by <cf/add roa/ command) can be deleted.
 
-	<tag>flush roa [table <m/t/>]</tag>
+	<tag><label id="cli-flush-roa">flush roa [table <m/t/>]</tag>
 	Remove all dynamic ROA entries from a ROA table.
 
-	<tag>configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag>
+	<tag><label id="cli-configure">configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag>
 	Reload configuration from a given file. BIRD will smoothly switch itself
 	to the new configuration, protocols are reconfigured if possible,
 	restarted otherwise. Changes in filters usually lead to restart of
@@ -839,11 +849,11 @@ This argument can be omitted if there exists only a single instance.
 	config timeout expiration is equivalent to <cf/configure undo/
 	command. The timeout duration could be specified, default is 300 s.
 
-	<tag>configure confirm</tag>
+	<tag><label id="cli-configure-confirm">configure confirm</tag>
 	Deactivate the config undo timer and therefore confirm the current
 	configuration.
 
-	<tag>configure undo</tag>
+	<tag><label id="cli-configure-undo">configure undo</tag>
 	Undo the last configuration change and smoothly switch back to the
 	previous (stored) configuration. If the last configuration change was
 	soft, the undo change is also soft. There is only one level of undo, but
@@ -851,15 +861,15 @@ This argument can be omitted if there exists only a single instance.
 	immediately in a row and the intermediate ones are skipped then the undo
 	also skips them back.
 
-	<tag>configure check ["<m/config file/"]</tag>
+	<tag><label id="cli-configure-check">configure check ["<m/config file/"]</tag>
 	Read and parse given config file, but do not use it. useful for checking
 	syntactic and some semantic validity of an config file.
 
-	<tag>enable|disable|restart <m/name/|"<m/pattern/"|all</tag>
+	<tag><label id="cli-enable-disable-restart">enable|disable|restart <m/name/|"<m/pattern/"|all</tag>
 	Enable, disable or restart a given protocol instance, instances matching
 	the <cf><m/pattern/</cf> or <cf/all/ instances.
 
-	<tag>reload [in|out] <m/name/|"<m/pattern/"|all</tag>
+	<tag><label id="cli-reload">reload [in|out] <m/name/|"<m/pattern/"|all</tag>
 	Reload a given protocol instance, that means re-import routes from the
 	protocol instance and re-export preferred routes to the instance. If
 	<cf/in/ or <cf/out/ options are used, the command is restricted to one
@@ -876,27 +886,29 @@ This argument can be omitted if there exists only a single instance.
 	pipe protocol, both directions are always reloaded together (<cf/in/ or
 	<cf/out/ options are ignored in that case).
 
-	<tag/down/
+	<tag><label id="cli-down">down</tag>
 	Shut BIRD down.
 
-	<tag>debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag>
+	<tag><label id="cli-debug">debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag>
 	Control protocol debugging.
 
-	<tag>dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag>
+	<tag><label id="cli-dump">dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag>
 	Dump contents of internal data structures to the debugging output.
 
-	<tag>echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag>
+	<tag><label id="cli-echo">echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag>
 	Control echoing of log messages to the command-line output.
-	See <ref id="dsc-log" name="log option"> for a list of log classes.
+	See <ref id="opt-log" name="log option"> for a list of log classes.
 
-	<tag>eval <m/expr/</tag>
+	<tag><label id="cli-eval">eval <m/expr/</tag>
 	Evaluate given expression.
 </descrip>
 
 
 <chapt>Filters
+<label id="filters">
 
 <sect>Introduction
+<label id="filters-intro">
 
 <p>BIRD contains a simple programming language. (No, it can't yet read mail :-).
 There are two objects in this language: filters and functions. Filters are
@@ -984,33 +996,34 @@ bird>
 
 
 <sect>Data types
+<label id="data-types">
 
 <p>Each variable and each value has certain type. Booleans, integers and enums
 are incompatible with each other (that is to prevent you from shooting in the
 foot).
 
 <descrip>
-	<tag/bool/
+	<tag><label id="type-bool">bool</tag>
 	This is a boolean type, it can have only two values, <cf/true/ and
 	<cf/false/. Boolean is the only type you can use in <cf/if/ statements.
 
-	<tag/int/
+	<tag><label id="type-int">int</tag>
 	This is a general integer type. It is an unsigned 32bit type; i.e., you
 	can expect it to store values from 0 to 4294967295. Overflows are not
 	checked. You can use <cf/0x1234/ syntax to write hexadecimal values.
 
-	<tag/pair/
+	<tag><label id="type-pair">pair</tag>
 	This is a pair of two short integers. Each component can have values
 	from 0 to 65535. Literals of this type are written as <cf/(1234,5678)/.
 	The same syntax can also be used to construct a pair from two arbitrary
 	integer expressions (for example <cf/(1+2,a)/).
 
-	<tag/quad/
+	<tag><label id="type-quad">quad</tag>
 	This is a dotted quad of numbers used to represent router IDs (and
 	others). Each component can have a value from 0 to 255. Literals of
 	this type are written like IPv4 addresses.
 
-	<tag/string/
+	<tag><label id="type-string">string</tag>
 	This is a string of characters. There are no ways to modify strings in
 	filters. You can pass them between functions, assign them to variables
 	of type <cf/string/, print such variables, use standard string
@@ -1020,7 +1033,7 @@ foot).
 	!&tilde;/) operators could be used to match a string value against
 	a shell pattern (represented also as a string).
 
-	<tag/ip/
+	<tag><label id="type-ip">ip</tag>
 	This type can hold a single IP address. Depending on the compile-time
 	configuration of BIRD you are using, it is either an IPv4 or IPv6
 	address. IP addresses are written in the standard notation
@@ -1029,7 +1042,7 @@ foot).
 	first <cf><M>num</M></cf> bits from the IP address. So
 	<cf/1.2.3.4.mask(8) = 1.0.0.0/ is true.
 
-	<tag/prefix/
+	<tag><label id="type-prefix">prefix</tag>
 	This type can hold a network prefix consisting of IP address and prefix
 	length. Prefix literals are written as <cf><m/ipaddress//<m/pxlen/</cf>,
 	or <cf><m>ipaddress</m>/<m>netmask</m></cf>. There are two special
@@ -1037,7 +1050,7 @@ foot).
 	pair, and <cf/.len/, which separates prefix length from the pair.
 	So <cf>1.2.0.0/16.len = 16</cf> is true.
 
-	<tag/ec/
+	<tag><label id="type-ec">ec</tag>
 	This is a specialized type used to represent BGP extended community
 	values. It is essentially a 64bit value, literals of this type are
 	usually written as <cf>(<m/kind/, <m/key/, <m/value/)</cf>, where
@@ -1048,7 +1061,7 @@ foot).
 	for <cf/key/ and <cf/value/ parts, (e.g. <cf/(ro, myas, 3*10)/, where
 	<cf/myas/ is an integer variable).
 
-	<tag/lc/
+	<tag><label id="type-lc">lc</tag>
 	This is a specialized type used to represent BGP large community
 	values. It is essentially a triplet of 32bit values, where the first
 	value is reserved for the AS number of the issuer, while meaning of
@@ -1057,7 +1070,7 @@ foot).
 	pairs, LCs can be constructed using expressions for its parts, (e.g.
 	<cf/(myas, 10+20, 3*10)/, where <cf/myas/ is an integer variable).
 
-	<tag/int|pair|quad|ip|prefix|ec|lc|enum set/
+	<tag><label id="type-set">int|pair|quad|ip|prefix|ec|lc|enum set</tag>
 	Filters recognize four types of sets. Sets are similar to strings: you
 	can pass them around but you can't modify them. Literals of type <cf>int
 	set</cf> look like <cf> [ 1, 2, 5..7 ]</cf>. As you can see, both simple
@@ -1133,12 +1146,12 @@ foot).
 	<cf>192.168.0.0/16{16,24}</cf> and <cf>192.168.0.0/16 ge 24</cf> as
 	<cf>192.168.0.0/16{24,32}</cf>.
 
-	<tag/enum/
+	<tag><label id="type-enum">enum</tag>
 	Enumeration types are fixed sets of possibilities. You can't define your
 	own variables of such type, but some route attributes are of enumeration
 	type. Enumeration types are incompatible with each other.
 
-	<tag/bgppath/
+	<tag><label id="type-bgppath">bgppath</tag>
 	BGP path is a list of autonomous system numbers. You can't write
 	literals of this type. There are several special operators on bgppaths:
 
@@ -1171,7 +1184,7 @@ foot).
 	<cf><m/P/.prepend(<m/A/);</cf> if <m/P/ is appropriate route attribute
 	(for example <cf/bgp_path/). Similarly for <cf/delete/ and <cf/filter/.
 
-	<tag/bgpmask/
+	<tag><label id="type-bgpmask">bgpmask</tag>
 	BGP masks are patterns used for BGP path matching (using <cf>path
 	&tilde; [= 2 3 5 * =]</cf> syntax). The masks resemble wildcard patterns
 	as used by UNIX shells. Autonomous system numbers match themselves,
@@ -1185,7 +1198,7 @@ foot).
         There is also old (deprecated) syntax that uses / .. / instead of [= .. =]
         and ? instead of *.
 
-	<tag/clist/
+	<tag><label id="type-clist">clist</tag>
 	Clist is similar to a set, except that unlike other sets, it can be
 	modified. The type is used for community list (a set of pairs) and for
 	cluster list (a set of quads). There exist no literals of this type.
@@ -1214,7 +1227,7 @@ foot).
 	<cf><m/C/.add(<m/P/);</cf> if <m/C/ is appropriate route attribute (for
 	example <cf/bgp_community/). Similarly for <cf/delete/ and <cf/filter/.
 
-	<tag/eclist/
+	<tag><label id="type-eclist">eclist</tag>
 	Eclist is a data type used for BGP extended community lists. Eclists
 	are very similar to clists, but they are sets of ECs instead of pairs.
 	The same operations (like <cf/add/, <cf/delete/ or <cf/&tilde;/ and
@@ -1231,6 +1244,7 @@ foot).
 
 
 <sect>Operators
+<label id="operators">
 
 <p>The filter language supports common integer operators <cf>(+,-,*,/)</cf>,
 parentheses <cf/(a*(b+c))/, comparison <cf/(a=b, a!=b, a&lt;b, a&gt;=b)/.
@@ -1261,6 +1275,7 @@ prefix and an ASN as arguments.
 
 
 <sect>Control structures
+<label id="control-structures">
 
 <p>Filters support two control structures: conditions and case switches.
 
@@ -1296,6 +1311,7 @@ if 1234 = i then printn "."; else {
 
 
 <sect>Route attributes
+<label id="route-attributes">
 
 <p>A filter is implicitly passed a route, and it can access its attributes just
 like it accesses variables. Attempts to access undefined attribute result in a
@@ -1305,11 +1321,11 @@ rule are attributes of clist type, where undefined value is regarded as empty
 clist for most purposes.
 
 <descrip>
-	<tag><m/prefix/ net</tag>
+	<tag><label id="rta-net"><m/prefix/ net</tag>
 	Network the route is talking about. Read-only. (See the chapter about
 	routing tables.)
 
-	<tag><m/enum/ scope</tag>
+	<tag><label id="rta-scope"><m/enum/ scope</tag>
 	The scope of the route. Possible values: <cf/SCOPE_HOST/ for routes
 	local to this host, <cf/SCOPE_LINK/ for those specific for a physical
 	link, <cf/SCOPE_SITE/ and <cf/SCOPE_ORGANIZATION/ for private routes and
@@ -1317,33 +1333,33 @@ clist for most purposes.
 	interpreted by BIRD and can be used to mark routes in filters. The
 	default value for new routes is <cf/SCOPE_UNIVERSE/.
 
-	<tag><m/int/ preference</tag>
+	<tag><label id="rta-preference"><m/int/ preference</tag>
 	Preference of the route. Valid values are 0-65535. (See the chapter
 	about routing tables.)
 
-	<tag><m/ip/ from</tag>
+	<tag><label id="rta-from"><m/ip/ from</tag>
 	The router which the route has originated from.
 
-	<tag><m/ip/ gw</tag>
+	<tag><label id="rta-gw"><m/ip/ gw</tag>
 	Next hop packets routed using this route should be forwarded to.
 
-	<tag><m/string/ proto</tag>
+	<tag><label id="rta-proto"><m/string/ proto</tag>
 	The name of the protocol which the route has been imported from.
 	Read-only.
 
-	<tag><m/enum/ source</tag>
+	<tag><label id="rta-source"><m/enum/ source</tag>
 	what protocol has told me about this route. Possible values:
 	<cf/RTS_DUMMY/, <cf/RTS_STATIC/, <cf/RTS_INHERIT/, <cf/RTS_DEVICE/,
 	<cf/RTS_STATIC_DEVICE/, <cf/RTS_REDIRECT/, <cf/RTS_RIP/, <cf/RTS_OSPF/,
 	<cf/RTS_OSPF_IA/, <cf/RTS_OSPF_EXT1/, <cf/RTS_OSPF_EXT2/, <cf/RTS_BGP/,
 	<cf/RTS_PIPE/, <cf/RTS_BABEL/.
 
-	<tag><m/enum/ cast</tag>
+	<tag><label id="rta-cast"><m/enum/ cast</tag>
 	Route type (Currently <cf/RTC_UNICAST/ for normal routes,
 	<cf/RTC_BROADCAST/, <cf/RTC_MULTICAST/, <cf/RTC_ANYCAST/ will be used in
 	the future for broadcast, multicast and anycast routes). Read-only.
 
-	<tag><m/enum/ dest</tag>
+	<tag><label id="rta-dest"><m/enum/ dest</tag>
 	Type of destination the packets should be sent to
 	(<cf/RTD_ROUTER/ for forwarding to a neighboring router,
 	<cf/RTD_DEVICE/ for routing to a directly-connected network,
@@ -1354,18 +1370,18 @@ clist for most purposes.
 	messages). Can be changed, but only to <cf/RTD_BLACKHOLE/,
 	<cf/RTD_UNREACHABLE/ or <cf/RTD_PROHIBIT/.
 
-	<tag><m/string/ ifname</tag>
+	<tag><label id="rta-ifname"><m/string/ ifname</tag>
 	Name of the outgoing interface. Sink routes (like blackhole, unreachable
 	or prohibit) and multipath routes have no interface associated with
 	them, so <cf/ifname/ returns an empty string for such routes. Read-only.
 
-	<tag><m/int/ ifindex</tag>
+	<tag><label id="rta-ifindex"><m/int/ ifindex</tag>
 	Index of the outgoing interface. System wide index of the interface. May
 	be used for interface matching, however indexes might change on interface
 	creation/removal. Zero is returned for routes with undefined outgoing
 	interfaces. Read-only.
 
-	<tag><m/int/ igp_metric</tag>
+	<tag><label id="rta-igp-metric"><m/int/ igp_metric</tag>
 	The optional attribute that can be used to specify a distance to the
 	network for routes that do not have a native protocol metric attribute
 	(like <cf/ospf_metric1/ for OSPF routes). It is used mainly by BGP to
@@ -1379,34 +1395,38 @@ corresponding protocol sections.
 
 
 <sect>Other statements
+<label id="other-statements">
 
 <p>The following statements are available:
 
 <descrip>
-	<tag><m/variable/ = <m/expr/</tag>
+	<tag><label id="assignment"><m/variable/ = <m/expr/</tag>
 	Set variable to a given value.
 
-	<tag>accept|reject [ <m/expr/ ]</tag>
+	<tag><label id="filter-accept-reject">accept|reject [ <m/expr/ ]</tag>
 	Accept or reject the route, possibly printing <cf><m>expr</m></cf>.
 
-	<tag>return <m/expr/</tag>
+	<tag><label id="return">return <m/expr/</tag>
 	Return <cf><m>expr</m></cf> from the current function, the function ends
 	at this point.
 
-	<tag>print|printn <m/expr/ [<m/, expr.../]</tag>
+	<tag><label id="print">print|printn <m/expr/ [<m/, expr.../]</tag>
 	Prints given expressions; useful mainly while debugging filters. The
 	<cf/printn/ variant does not terminate the line.
 
-	<tag>quitbird</tag>
+	<tag><label id="quitbird">quitbird</tag>
 	Terminates BIRD. Useful when debugging the filter interpreter.
 </descrip>
 
 
 <chapt>Protocols
+<label id="protocols">
 
 <sect>Babel
+<label id="babel">
 
 <sect1>Introduction
+<label id="babel-intro">
 
 <p>The Babel protocol (RFC6126) is a loop-avoiding distance-vector routing
 protocol that is robust and efficient both in ordinary wired networks and in
@@ -1423,6 +1443,7 @@ just ignore extension messages).
 <p>The Babel protocol implementation in BIRD is currently in alpha stage.
 
 <sect1>Configuration
+<label id="babel-config">
 
 <p>Babel supports no global configuration options apart from those common to all
 other protocols, but supports the following per-interface configuration options:
@@ -1445,7 +1466,7 @@ protocol babel [<name>] {
 </code>
 
 <descrip>
-      <tag>type wired|wireless </tag>
+      <tag><label id="babel-type">type wired|wireless </tag>
       This option specifies the interface type: Wired or wireless. Wired
       interfaces are considered more reliable, and so the default hello
       interval is higher, and a neighbour is considered unreachable after only
@@ -1456,41 +1477,41 @@ protocol babel [<name>] {
       when packets are lost rather than the more binary up/down mechanism of
       wired type links. Default: <cf/wired/.
 
-      <tag>rxcost <m/num/</tag>
+      <tag><label id="babel-rxcost">rxcost <m/num/</tag>
       This specifies the RX cost of the interface. The route metrics will be
       computed from this value with a mechanism determined by the interface
       <cf/type/. Default: 96 for wired interfaces, 256 for wireless.
 
-      <tag>hello interval <m/num/</tag>
+      <tag><label id="babel-hello">hello interval <m/num/</tag>
       Interval at which periodic "hello" messages are sent on this interface,
       in seconds. Default: 4 seconds.
 
-      <tag>update interval <m/num/</tag>
+      <tag><label id="babel-update">update interval <m/num/</tag>
       Interval at which periodic (full) updates are sent. Default: 4 times the
       hello interval.
 
-      <tag>port <m/number/</tag>
+      <tag><label id="babel-port">port <m/number/</tag>
       This option selects an UDP port to operate on. The default is to operate
       on port 6696 as specified in the Babel RFC.
 
-      <tag>tx class|dscp|priority <m/number/</tag>
+      <tag><label id="babel-tx-class">tx class|dscp|priority <m/number/</tag>
       These options specify the ToS/DiffServ/Traffic class/Priority of the
-      outgoing Babel packets. See <ref id="dsc-prio" name="tx class"> common
+      outgoing Babel packets. See <ref id="proto-tx-class" name="tx class"> common
       option for detailed description.
 
-      <tag>rx buffer <m/number/</tag>
+      <tag><label id="babel-rx-buffer">rx buffer <m/number/</tag>
       This option specifies the size of buffers used for packet processing.
       The buffer size should be bigger than maximal size of received packets.
       The default value is the interface MTU, and the value will be clamped to a
       minimum of 512 bytes + IP packet overhead.
 
-      <tag>tx length <m/number/</tag>
+      <tag><label id="babel-tx-length">tx length <m/number/</tag>
       This option specifies the maximum length of generated Babel packets. To
       avoid IP fragmentation, it should not exceed the interface MTU value.
       The default value is the interface MTU value, and the value will be
       clamped to a minimum of 512 bytes + IP packet overhead.
 
-      <tag>check link <m/switch/</tag>
+      <tag><label id="babel-check-link">check link <m/switch/</tag>
       If set, the hardware link state (as reported by OS) is taken into
       consideration. When the link disappears (e.g. an ethernet cable is
       unplugged), neighbors are immediately considered unreachable and all
@@ -1500,12 +1521,14 @@ protocol babel [<name>] {
 </descrip>
 
 <sect1>Attributes
+<label id="babel-attr">
 
 <p>Babel defines just one attribute: the internal babel metric of the route. It
 is exposed as the <cf/babel_metric/ attribute and has range from 1 to infinity
 (65535).
 
 <sect1>Example
+<label id="babel-exam">
 
 <p><code>
 protocol babel {
@@ -1529,9 +1552,10 @@ protocol babel {
 
 
 <sect>BFD
-<label id="sect-bfd">
+<label id="bfd">
 
 <sect1>Introduction
+<label id="bfd-intro">
 
 <p>Bidirectional Forwarding Detection (BFD) is not a routing protocol itself, it
 is an independent tool providing liveness and failure detection. Routing
@@ -1569,6 +1593,7 @@ default a bit different dynamic port range than the IANA approved one
 <cf>/proc/sys/net/ipv4/ip_local_port_range</cf>
 
 <sect1>Configuration
+<label id="bfd-config">
 
 <p>BFD configuration consists mainly of multiple definitions of interfaces.
 Most BFD config options are session specific. When a new session is requested
@@ -1610,22 +1635,22 @@ protocol bfd [&lt;name&gt;] {
 </code>
 
 <descrip>
-	<tag>interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="bfd-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
 	Interface definitions allow to specify options for sessions associated
 	with such interfaces and also may contain interface specific options.
-	See <ref id="dsc-iface" name="interface"> common option for a detailed
+	See <ref id="proto-iface" name="interface"> common option for a detailed
 	description of interface patterns. Note that contrary to the behavior of
 	<cf/interface/ definitions of other protocols, BFD protocol would accept
 	sessions (in default configuration) even on interfaces not covered by
 	such definitions.
 
-	<tag>multihop { <m/options/ }</tag>
+	<tag><label id="bfd-multihop">multihop { <m/options/ }</tag>
 	Multihop definitions allow to specify options for multihop BFD sessions,
 	in the same manner as <cf/interface/ definitions are used for directly
 	connected sessions. Currently only one such definition (for all multihop
 	sessions) could be used.
 
-	<tag>neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag>
+	<tag><label id="bfd-neighbor">neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag>
 	BFD sessions are usually created on demand as requested by other
 	protocols (like OSPF or BGP). This option allows to explicitly add
 	a BFD session to the specified neighbor regardless of such requests.
@@ -1640,33 +1665,33 @@ protocol bfd [&lt;name&gt;] {
 <p>Session specific options (part of <cf/interface/ and <cf/multihop/ definitions):
 
 <descrip>
-	<tag>interval <m/time/</tag>
+	<tag><label id="bfd-interval">interval <m/time/</tag>
 	BFD ensures availability of the forwarding path associated with the
 	session by periodically sending BFD control packets in both
 	directions. The rate of such packets is controlled by two options,
 	<cf/min rx interval/ and <cf/min tx interval/ (see below). This option
 	is just a shorthand to set both of these options together.
 
-	<tag>min rx interval <m/time/</tag>
+	<tag><label id="bfd-min-rx-interval">min rx interval <m/time/</tag>
 	This option specifies the minimum RX interval, which is announced to the
 	neighbor and used there to limit the neighbor's rate of generated BFD
 	control packets. Default: 10 ms.
 
-	<tag>min tx interval <m/time/</tag>
+	<tag><label id="bfd-min-tx-interval">min tx interval <m/time/</tag>
 	This option specifies the desired TX interval, which controls the rate
 	of generated BFD control packets (together with <cf/min rx interval/
 	announced by the neighbor). Note that this value is used only if the BFD
 	session is up, otherwise the value of <cf/idle tx interval/ is used
 	instead. Default: 100 ms.
 
-	<tag>idle tx interval <m/time/</tag>
+	<tag><label id="bfd-idle-tx-interval">idle tx interval <m/time/</tag>
 	In order to limit unnecessary traffic in cases where a neighbor is not
 	available or not running BFD, the rate of generated BFD control packets
 	is lower when the BFD session is not up. This option specifies the
 	desired TX interval in such cases instead of <cf/min tx interval/.
 	Default: 1 s.
 
-	<tag>multiplier <m/num/</tag>
+	<tag><label id="bfd-multiplier">multiplier <m/num/</tag>
 	Failure detection time for BFD sessions is based on established rate of
 	BFD control packets (<cf>min rx/tx interval</cf>) multiplied by this
 	multiplier, which is essentially (ignoring jitter) a number of missed
@@ -1674,7 +1699,7 @@ protocol bfd [&lt;name&gt;] {
 	multipliers could be different in each direction of a BFD session.
 	Default: 5.
 
-	<tag>passive <m/switch/</tag>
+	<tag><label id="bfd-passive">passive <m/switch/</tag>
 	Generally, both BFD session endpoints try to establish the session by
 	sending control packets to the other side. This option allows to enable
 	passive mode, which means that the router does not send BFD packets
@@ -1682,6 +1707,7 @@ protocol bfd [&lt;name&gt;] {
 </descrip>
 
 <sect1>Example
+<label id="bfd-exam">
 
 <p><code>
 protocol bfd {
@@ -1708,6 +1734,7 @@ protocol bfd {
 
 
 <sect>BGP
+<label id="bgp">
 
 <p>The Border Gateway Protocol is the routing protocol used for backbone level
 routing in the today's Internet. Contrary to other protocols, its convergence
@@ -1758,6 +1785,7 @@ and applied to IPv6 according to
 RFC 2545<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2545.txt">.
 
 <sect1>Route selection rules
+<label id="bgp-route-select-rules">
 
 <p>BGP doesn't have any simple metric, so the rules for selection of an optimal
 route among multiple BGP routes with the same preference are a bit more complex
@@ -1777,6 +1805,7 @@ choose among them and so on.
 </itemize>
 
 <sect1>IGP routing table
+<label id="bgp-igp-routing-table">
 
 <p>BGP is mainly concerned with global network reachability and with routes to
 other autonomous systems. When such routes are redistributed to routers in the
@@ -1787,13 +1816,14 @@ boundary routers for the purpose of BGP route selection. In BIRD, there is
 usually one routing table used for both IGP routes and BGP routes.
 
 <sect1>Configuration
+<label id="bgp-config">
 
 <p>Each instance of the BGP corresponds to one neighboring router. This allows
 to set routing policy and all the other parameters differently for each neighbor
 using the following configuration parameters:
 
 <descrip>
-	<tag>local [<m/ip/] as <m/number/</tag>
+	<tag><label id="bgp-local">local [<m/ip/] as <m/number/</tag>
 	Define which AS we are part of. (Note that contrary to other IP routers,
 	BIRD is able to act as a router located in multiple AS'es simultaneously,
 	but in such cases you need to tweak the BGP paths manually in the filters
@@ -1801,7 +1831,7 @@ using the following configuration parameters:
 	address, equivalent to the <cf/source address/ option (see below). This
 	parameter is mandatory.
 
-	<tag>neighbor [<m/ip/] [port <m/number/] [as <m/number/]</tag>
+	<tag><label id="bgp-neighbor">neighbor [<m/ip/] [port <m/number/] [as <m/number/]</tag>
 	Define neighboring router this instance will be talking to and what AS
 	it is located in. In case the neighbor is in the same AS as we are, we
 	automatically switch to iBGP. Optionally, the remote port may also be
@@ -1810,20 +1840,20 @@ using the following configuration parameters:
 	<cf/neighbor 10.0.0.1; neighbor as 65000;/ are valid). This parameter is
 	mandatory.
 
-	<tag>interface <m/string/</tag>
+	<tag><label id="bgp-iface">interface <m/string/</tag>
 	Define interface we should use for link-local BGP IPv6 sessions.
 	Interface can also be specified as a part of <cf/neighbor address/
 	(e.g., <cf/neighbor fe80::1234%eth0 as 65000;/). It is an error to use
 	this parameter for non link-local sessions.
 
-	<tag>direct</tag>
+	<tag><label id="bgp-direct">direct</tag>
 	Specify that the neighbor is directly connected. The IP address of the
 	neighbor must be from a directly reachable IP range (i.e. associated
 	with one of your router's interfaces), otherwise the BGP session
 	wouldn't start but it would wait for such interface to appear. The
 	alternative is the <cf/multihop/ option. Default: enabled for eBGP.
 
-	<tag>multihop [<m/number/]</tag>
+	<tag><label id="bgp-multihop">multihop [<m/number/]</tag>
 	Configure multihop BGP session to a neighbor that isn't directly
 	connected. Accurately, this option should be used if the configured
 	neighbor IP address does not match with any local network subnets. Such
@@ -1835,22 +1865,22 @@ using the following configuration parameters:
 	path is counted; i.e., if two BGP speakers are separated by one router,
 	the number of hops is 2. Default: enabled for iBGP.
 
-	<tag>source address <m/ip/</tag>
+	<tag><label id="bgp-source-address">source address <m/ip/</tag>
 	Define local address we should use for next hop calculation and as a
 	source address for the BGP session. Default: the address of the local
 	end of the interface our neighbor is connected to.
 
-	<tag>next hop self</tag>
+	<tag><label id="bgp-next-hop-self">next hop self</tag>
 	Avoid calculation of the Next Hop attribute and always advertise our own
 	source address as a next hop. This needs to be used only occasionally to
 	circumvent misconfigurations of other routers. Default: disabled.
 
-	<tag>next hop keep</tag>
+	<tag><label id="bgp-next-hop-keep">next hop keep</tag>
 	Forward the received Next Hop attribute even in situations where the
 	local address should be used instead, like when the route is sent to an
 	interface with a different subnet. Default: disabled.
 
-	<tag>missing lladdr self|drop|ignore</tag>
+	<tag><label id="bgp-missing-lladdr">missing lladdr self|drop|ignore</tag>
 	Next Hop attribute in BGP-IPv6 sometimes contains just the global IPv6
 	address, but sometimes it has to contain both global and link-local IPv6
 	addresses. This option specifies what to do if BIRD have to send both
@@ -1864,7 +1894,7 @@ using the following configuration parameters:
 	route server (option <cf/rs client/), in that case default is <cf/ignore/,
 	because route servers usually do not forward packets themselves.
 
-	<tag>gateway direct|recursive</tag>
+	<tag><label id="bgp-gateway">gateway direct|recursive</tag>
 	For received routes, their <cf/gw/ (immediate next hop) attribute is
 	computed from received <cf/bgp_next_hop/ attribute. This option
 	specifies how it is computed. Direct mode means that the IP address from
@@ -1879,31 +1909,31 @@ using the following configuration parameters:
 	standard. Direct mode is simpler, does not require any routes in a
 	routing table, and was used in older versions of BIRD, but does not
 	handle well nontrivial iBGP setups and multihop. Recursive mode is
-	incompatible with <ref id="dsc-sorted" name="sorted tables">. Default:
+	incompatible with <ref id="dsc-table-sorted" name="sorted tables">. Default:
 	<cf/direct/ for direct sessions, <cf/recursive/ for multihop sessions.
 
-	<tag>igp table <m/name/</tag>
+	<tag><label id="bgp-igp-table">igp table <m/name/</tag>
 	Specifies a table that is used as an IGP routing table. Default: the
 	same as the table BGP is connected to.
 
-	<tag>check link <M>switch</M></tag>
+	<tag><label id="bgp-check-link">check link <M>switch</M></tag>
 	BGP could use hardware link state into consideration.  If enabled,
 	BIRD tracks the link state of the associated interface and when link
 	disappears (e.g. an ethernet cable is unplugged), the BGP session is
 	immediately shut down. Note that this option cannot be used with
 	multihop BGP. Default: disabled.
 
-	<tag>bfd <M>switch</M></tag>
+	<tag><label id="bgp-bfd">bfd <M>switch</M></tag>
 	BGP could use BFD protocol as an advisory mechanism for neighbor
 	liveness and failure detection. If enabled, BIRD setups a BFD session
 	for the BGP neighbor and tracks its liveness by it. This has an
 	advantage of an order of magnitude lower detection times in case of
 	failure. Note that BFD protocol also has to be configured, see
-	<ref id="sect-bfd" name="BFD"> section for details. Default: disabled.
+	<ref id="bfd" name="BFD"> section for details. Default: disabled.
 
-	<tag>ttl security <m/switch/</tag>
+	<tag><label id="bgp-ttl-security">ttl security <m/switch/</tag>
 	Use GTSM (RFC 5082 - the generalized TTL security mechanism). GTSM
-	protects against spoofed packets by ignoring received packets with a
+	protects against spoofed packets by ignoring doc/bird.sgmlreceived packets with a
 	smaller than expected TTL. To work properly, GTSM have to be enabled on
 	both sides of a BGP session. If both <cf/ttl security/ and <cf/multihop/
 	options are enabled, <cf/multihop/ option should specify proper hop
@@ -1912,12 +1942,12 @@ using the following configuration parameters:
 	(ICMP protection, for example) RFC 5082 support is provided by Linux
 	only. Default: disabled.
 
-	<tag>password <m/string/</tag>
+	<tag><label id="bgp-pass">password <m/string/</tag>
 	Use this password for MD5 authentication of BGP sessions (RFC 2385).
 	When used on BSD systems, see also <cf/setkey/ option below. Default:
 	no authentication.
 
-	<tag>setkey <m/switch/</tag>
+	<tag><label id="bgp-setkey">setkey <m/switch/</tag>
 	On BSD systems, keys for TCP MD5 authentication are stored in the global
 	SA/SP database, which can be accessed by external utilities (e.g.
 	setkey(8)). BIRD configures security associations in the SA/SP database
@@ -1928,16 +1958,16 @@ using the following configuration parameters:
 	set manually by an external utility on NetBSD and OpenBSD. Default:
 	enabled (ignored on non-FreeBSD).
 
-	<tag>passive <m/switch/</tag>
+	<tag><label id="bgp-passive">passive <m/switch/</tag>
 	Standard BGP behavior is both initiating outgoing connections and
-	accepting incoming connections. In passive mode, outgoing connections
+	accepting incoming connections. In passive modoc/bird.sgmlde, outgoing connections
 	are not initiated. Default: off.
 
-	<tag>rr client</tag>
+	<tag><label id="bgp-rr-client">rr client</tag>
 	Be a route reflector and treat the neighbor as a route reflection
 	client. Default: disabled.
 
-	<tag>rr cluster id <m/IPv4 address/</tag>
+	<tag><label id="bgp-rr-cluster-id">rr cluster id <m/IPv4 address/</tag>
 	Route reflectors use cluster id to avoid route reflection loops. When
 	there is one route reflector in a cluster it usually uses its router id
 	as a cluster id, but when there are more route reflectors in a cluster,
@@ -1945,7 +1975,7 @@ using the following configuration parameters:
 	id. Clients in a cluster need not know their cluster id and this option
 	is not allowed for them. Default: the same as router id.
 
-	<tag>rs client</tag>
+	<tag><label id="bgp-rs-client">rs client</tag>
 	Be a route server and treat the neighbor as a route server client.
 	A route server is used as a replacement for full mesh EBGP routing in
 	Internet exchange points in a similar way to route reflectors used in
@@ -1955,16 +1985,16 @@ using the following configuration parameters:
 	example does not prepend its AS number to AS PATH attribute and keeps
 	MED attribute). Default: disabled.
 
-	<tag>secondary <m/switch/</tag>
+	<tag><label id="bgp-secondary">secondary <m/switch/</tag>
 	Usually, if an export filter rejects a selected route, no other route is
 	propagated for that network. This option allows to try the next route in
 	order until one that is accepted is found or all routes for that network
 	are rejected. This can be used for route servers that need to propagate
 	different tables to each client but do not want to have these tables
 	explicitly (to conserve memory). This option requires that the connected
-	routing table is <ref id="dsc-sorted" name="sorted">. Default: off.
+	routing table is <ref id="dsc-table-sorted" name="sorted">. Default: off.
 
-	<tag>add paths <m/switch/|rx|tx</tag>
+	<tag><label id="bgp-add-paths">add paths <m/switch/|rx|tx</tag>
 	Standard BGP can propagate only one path (route) per destination network
 	(usually the selected one). This option controls the add-path protocol
 	extension, which allows to advertise any number of paths to a
@@ -1973,7 +2003,7 @@ using the following configuration parameters:
 	TX direction. When active, all available routes accepted by the export
 	filter are advertised to the neighbor. Default: off.
 
-	<tag>allow local as [<m/number/]</tag>
+	<tag><label id="bgp-allow-local-as">allow local as [<m/number/]</tag>
 	BGP prevents routing loops by rejecting received routes with the local
 	AS number in the AS path. This option allows to loose or disable the
 	check. Optional <cf/number/ argument can be used to specify the maximum
@@ -1982,7 +2012,7 @@ using the following configuration parameters:
 	completely disabled and you should ensure loop-free behavior by some
 	other means. Default: 0 (no local AS number allowed).
 
-	<tag>enable route refresh <m/switch/</tag>
+	<tag><label id="bgp-enable-route-refresh">enable route refresh <m/switch/</tag>
 	After the initial route exchange, BGP protocol uses incremental updates
 	to keep BGP speakers synchronized. Sometimes (e.g., if BGP speaker
 	changes its import filter, or if there is suspicion of inconsistency) it
@@ -1995,7 +2025,7 @@ using the following configuration parameters:
 	capabilities and supports related procedures. Note that even when
 	disabled, BIRD can send route refresh requests. Default: on.
 
-	<tag>graceful restart <m/switch/|aware</tag>
+	<tag><label id="bgp-graceful-restart">graceful restart <m/switch/|aware</tag>
 	When a BGP speaker restarts or crashes, neighbors will discard all
 	received paths from the speaker, which disrupts packet forwarding even
 	when the forwarding plane of the speaker remains intact. RFC 4724
@@ -2009,13 +2039,13 @@ using the following configuration parameters:
 	local graceful restart requires also configuration of other protocols.
 	Default: aware.
 
-	<tag>graceful restart time <m/number/</tag>
+	<tag><label id="bgp-graceful-restart-time">graceful restart time <m/number/</tag>
 	The restart time is announced in the BGP graceful restart capability
 	and specifies how long the neighbor would wait for the BGP session to
 	re-establish after a restart before deleting stale routes. Default:
 	120 seconds.
 
-	<tag>interpret communities <m/switch/</tag>
+	<tag><label id="bgp-interpret-communities">interpret communities <m/switch/</tag>
 	RFC 1997 demands that BGP speaker should process well-known communities
 	like no-export (65535, 65281) or no-advertise (65535, 65282). For
 	example, received route carrying a no-adverise community should not be
@@ -2026,7 +2056,7 @@ using the following configuration parameters:
 	disabled. In that case, similar behavior can be implemented in the
 	export filter. Default: on.
 
-	<tag>enable as4 <m/switch/</tag>
+	<tag><label id="bgp-enable-as4">enable as4 <m/switch/</tag>
 	BGP protocol was designed to use 2B AS numbers and was extended later to
 	allow 4B AS number. BIRD supports 4B AS extension, but by disabling this
 	option it can be persuaded not to advertise it and to maintain old-style
@@ -2034,12 +2064,12 @@ using the following configuration parameters:
 	in neighbor's implementation of 4B AS extension. Even when disabled
 	(off), BIRD behaves internally as AS4-aware BGP router. Default: on.
 
-	<tag>enable extended messages <m/switch/</tag>
+	<tag><label id="bgp-enable-extended-messages">enable extended messages <m/switch/</tag>
 	The BGP protocol uses maximum message length of 4096 bytes. This option
 	provides an extension to allow extended messages with length up
 	to 65535 bytes. Default: off.
 
-	<tag>capabilities <m/switch/</tag>
+	<tag><label id="bgp-capabilities">capabilities <m/switch/</tag>
 	Use capability advertisement to advertise optional capabilities. This is
 	standard behavior for newer BGP implementations, but there might be some
 	older BGP implementations that reject such connection attempts. When
@@ -2047,64 +2077,64 @@ using the following configuration parameters:
 	disabled. Default: on, with automatic fallback to off when received
 	capability-related error.
 
-	<tag>advertise ipv4 <m/switch/</tag>
+	<tag><label id="bgp-advertise-ipv4">advertise ipv4 <m/switch/</tag>
 	Advertise IPv4 multiprotocol capability. This is not a correct behavior
 	according to the strict interpretation of RFC 4760, but it is widespread
 	and required by some BGP implementations (Cisco and Quagga). This option
 	is relevant to IPv4 mode with enabled capability advertisement
 	only. Default: on.
 
-	<tag>route limit <m/number/</tag>
+	<tag><label id="bgp-route-limit">route limit <m/number/</tag>
 	The maximal number of routes that may be imported from the protocol. If
 	the route limit is exceeded, the connection is closed with an error.
 	Limit is currently implemented as <cf>import limit <m/number/ action
 	restart</cf>. This option is obsolete and it is replaced by
-	<ref id="import-limit" name="import limit option">. Default: no	limit.
+	<ref id="proto-import-limit" name="import limit option">. Default: no	limit.
 
-	<tag>disable after error <m/switch/</tag>
+	<tag><label id="bgp-disable-after-error">disable after error <m/switch/</tag>
 	When an error is encountered (either locally or by the other side),
 	disable the instance automatically and wait for an administrator to fix
 	the problem manually. Default: off.
 
-	<tag>hold time <m/number/</tag>
+	<tag><label id="bgp-hold-time">hold time <m/number/</tag>
 	Time in seconds to wait for a Keepalive message from the other side
 	before considering the connection stale. Default: depends on agreement
 	with the neighboring router, we prefer 240 seconds if the other side is
 	willing to accept it.
 
-	<tag>startup hold time <m/number/</tag>
+	<tag><label id="bgp-startup-hold-time">startup hold time <m/number/</tag>
 	Value of the hold timer used before the routers have a chance to exchange
 	open messages and agree on the real value. Default: 240	seconds.
 
-	<tag>keepalive time <m/number/</tag>
+	<tag><label id="bgp-keepalive-time">keepalive time <m/number/</tag>
 	Delay in seconds between sending of two consecutive Keepalive messages.
 	Default: One third of the hold time.
 
-	<tag>connect delay time <m/number/</tag>
+	<tag><label id="bgp-connect-delay-time">connect delay time <m/number/</tag>
 	Delay in seconds between protocol startup and the first attempt to
 	connect. Default: 5 seconds.
 
-	<tag>connect retry time <m/number/</tag>
+	<tag><label id="bgp-connect-retry-time">connect retry time <m/number/</tag>
 	Time in seconds to wait before retrying a failed attempt to connect.
 	Default: 120 seconds.
 
-	<tag>error wait time <m/number/,<m/number/</tag>
+	<tag><label id="bgp-error-wait-time">error wait time <m/number/,<m/number/</tag>
 	Minimum and maximum delay in seconds between a protocol failure (either
 	local or reported by the peer) and automatic restart. Doesn't apply
 	when <cf/disable after error/ is configured. If consecutive errors
 	happen, the delay is increased exponentially until it reaches the
 	maximum. Default: 60, 300.
 
-	<tag>error forget time <m/number/</tag>
+	<tag><label id="bgp-error-forget-time">error forget time <m/number/</tag>
 	Maximum time in seconds between two protocol failures to treat them as a
 	error sequence which makes <cf/error wait time/ increase exponentially.
 	Default: 300 seconds.
 
-	<tag>path metric <m/switch/</tag>
+	<tag><label id="bgp-path-metric">path metric <m/switch/</tag>
 	Enable comparison of path lengths when deciding which BGP route is the
 	best one. Default: on.
 
-	<tag>med metric <m/switch/</tag>
+	<tag><label id="bgp-med-metric">med metric <m/switch/</tag>
 	Enable comparison of MED attributes (during best route selection) even
 	between routes received from different ASes. This may be useful if all
 	MED attributes contain some consistent metric, perhaps enforced in
@@ -2112,7 +2142,7 @@ using the following configuration parameters:
 	attributes are compared only if routes are received from the same AS
 	(which is the standard behavior). Default: off.
 
-	<tag>deterministic med <m/switch/</tag>
+	<tag><label id="bgp-deterministic-med">deterministic med <m/switch/</tag>
 	BGP route selection algorithm is often viewed as a comparison between
 	individual routes (e.g. if a new route appears and is better than the
 	current best one, it is chosen as the new best one). But the proper
@@ -2124,23 +2154,23 @@ using the following configuration parameters:
 	option enables a different (and slower) algorithm implementing proper
 	RFC 4271 route selection, which is deterministic. Alternative way how to
 	get deterministic behavior is to use <cf/med metric/ option. This option
-	is incompatible with <ref id="dsc-sorted" name="sorted tables">.
+	is incompatible with <ref id="dsc-table-sorted" name="sorted tables">.
 	Default: off.
 
-	<tag>igp metric <m/switch/</tag>
+	<tag><label id="bgp-igp-metric">igp metric <m/switch/</tag>
 	Enable comparison of internal distances to boundary routers during best
  	route selection. Default: on.
 
-	<tag>prefer older <m/switch/</tag>
+	<tag><label id="bgp-prefer-older">prefer older <m/switch/</tag>
 	Standard route selection algorithm breaks ties by comparing router IDs.
 	This changes the behavior to prefer older routes (when both are external
 	and from different peer). For details, see RFC 5004. Default: off.
 
-	<tag>default bgp_med <m/number/</tag>
+	<tag><label id="bgp-default-med">default bgp_med <m/number/</tag>
 	Value of the Multiple Exit Discriminator to be used during route
 	selection when the MED attribute is missing. Default: 0.
 
-	<tag>default bgp_local_pref <m/number/</tag>
+	<tag><label id="bgp-default-local-pref">default bgp_local_pref <m/number/</tag>
 	A default value for the Local Preference attribute. It is used when
 	a new Local Preference attribute is attached to a route by the BGP
 	protocol itself (for example, if a route is received through eBGP and
@@ -2149,23 +2179,24 @@ using the following configuration parameters:
 </descrip>
 
 <sect1>Attributes
+<label id="bgp-attr">
 
 <p>BGP defines several route attributes. Some of them (those marked with
 `<tt/I/' in the table below) are available on internal BGP connections only,
 some of them (marked with `<tt/O/') are optional.
 
 <descrip>
-	<tag>bgppath <cf/bgp_path/</tag>
+	<tag><label id="rta-bgp-path">bgppath bgp_path/</tag>
 	Sequence of AS numbers describing the AS path the packet will travel
 	through when forwarded according to the particular route. In case of
 	internal BGP it doesn't contain the number of the local AS.
 
-	<tag>int <cf/bgp_local_pref/ [I]</tag>
+	<tag><label id="rta-bgp-local-pref">int bgp_local_pref/ [I]</tag>
 	Local preference value used for selection among multiple BGP routes (see
 	the selection rules above). It's used as an additional metric which is
 	propagated through the whole local AS.
 
-	<tag>int <cf/bgp_med/ [O]</tag>
+	<tag><label id="rta-bgp-med">int bgp_med/ [O]</tag>
 	The Multiple Exit Discriminator of the route is an optional attribute
 	which is used on external (inter-AS) links to convey to an adjacent AS
 	the optimal entry point into the local AS. The received attribute is
@@ -2176,20 +2207,20 @@ some of them (marked with `<tt/O/') are optional.
 	external BGP instance. See RFC 4451<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4451.txt">
 	for further discussion of BGP MED attribute.
 
-	<tag>enum <cf/bgp_origin/</tag>
+	<tag><label id="rta-bgp-origin">enum bgp_origin/</tag>
 	Origin of the route: either <cf/ORIGIN_IGP/ if the route has originated
 	in an interior routing protocol or <cf/ORIGIN_EGP/ if it's been imported
 	from the <tt>EGP</tt> protocol (nowadays it seems to be obsolete) or
 	<cf/ORIGIN_INCOMPLETE/ if the origin is unknown.
 
-	<tag>ip <cf/bgp_next_hop/</tag>
+	<tag><label id="rta-bgp-next-hop">ip bgp_next_hop/</tag>
 	Next hop to be used for forwarding of packets to this destination. On
 	internal BGP connections, it's an address of the originating router if
 	it's inside the local AS or a boundary router the packet will leave the
 	AS through if it's an exterior route, so each BGP speaker within the AS
 	has a chance to use the shortest interior path possible to this point.
 
-	<tag>void <cf/bgp_atomic_aggr/ [O]</tag>
+	<tag><label id="rta-bgp-atomic-aggr">void bgp_atomic_aggr/ [O]</tag>
 	This is an optional attribute which carries no value, but the sole
 	presence of which indicates that the route has been aggregated from
 	multiple routes by some router on the path from the originator.
@@ -2197,7 +2228,7 @@ some of them (marked with `<tt/O/') are optional.
 <!-- we don't handle aggregators right since they are of a very obscure type
 	<tag>bgp_aggregator</tag>
 -->
-	<tag>clist <cf/bgp_community/ [O]</tag>
+	<tag><label id="rta-bgp-community">clist bgp_community/ [O]</tag>
 	List of community values associated with the route. Each such value is a
 	pair (represented as a <cf/pair/ data type inside the filters) of 16-bit
 	integers, the first of them containing the number of the AS which
@@ -2208,14 +2239,14 @@ some of them (marked with `<tt/O/') are optional.
 	freedom about which community attributes it defines and what will their
 	semantics be.
 
-	<tag>eclist <cf/bgp_ext_community/ [O]</tag>
+	<tag><label id="rta-bgp-ext-community">eclist bgp_ext_community/ [O]</tag>
 	List of extended community values associated with the route. Extended
 	communities have similar usage as plain communities, but they have an
 	extended range (to allow 4B ASNs) and a nontrivial structure with a type
 	field. Individual community values are represented using an <cf/ec/ data
 	type inside the filters.
 
-	<tag>lclist <cf/bgp_large_community/ [O]</tag>
+	<tag><label id="rta-bgp-large-community">lclist <cf/bgp_large_community/ [O]</tag>
 	List of large community values associated with the route. Large BGP
 	communities is another variant of communities, but contrary to extended
 	communities they behave very much the same way as regular communities,
@@ -2223,17 +2254,18 @@ some of them (marked with `<tt/O/') are optional.
 	Individual community values are represented using an <cf/lc/ data type
 	inside the filters.
 
-	<tag>quad <cf/bgp_originator_id/ [I, O]</tag>
+	<tag><label id="rta-bgp-originator-id">quad bgp_originator_id/ [I, O]</tag>
 	This attribute is created by the route reflector when reflecting the
 	route and contains the router ID of the originator of the route in the
 	local AS.
 
-	<tag>clist <cf/bgp_cluster_list/ [I, O]</tag>
+	<tag><label id="rta-bgp-cluster-list">clist bgp_cluster_list/ [I, O]</tag>
 	This attribute contains a list of cluster IDs of route reflectors. Each
 	route reflector prepends its cluster ID when reflecting the route.
 </descrip>
 
 <sect1>Example
+<label id="bgp-exam">
 
 <p><code>
 protocol bgp {
@@ -2259,6 +2291,7 @@ protocol bgp {
 
 
 <sect>Device
+<label id="device">
 
 <p>The Device protocol is not a real routing protocol. It doesn't generate any
 routes and it only serves as a module for getting information about network
@@ -2269,17 +2302,18 @@ protocol in the configuration since almost all other protocols require network
 interfaces to be defined for them to work with.
 
 <sect1>Configuration
+<label id="device-config">
 
 <p><descrip>
 
-	<tag>scan time <m/number/</tag>
+	<tag><label id="device-scan-time">scan time <m/number/</tag>
 	Time in seconds between two scans of the network interface list. On
 	systems where we are notified about interface status changes
 	asynchronously (such as newer versions of Linux), we need to scan the
 	list only in order to avoid confusion by lost notification messages,
 	so the default time is set to a large value.
 
-	<tag>primary [ "<m/mask/" ] <m/prefix/</tag>
+	<tag><label id="device-primary">primary [ "<m/mask/" ] <m/prefix/</tag>
 	If a network interface has more than one network address, BIRD has to
 	choose one of them as a primary one. By default, BIRD chooses the
 	lexicographically smallest address as the primary one.
@@ -2307,6 +2341,7 @@ protocol device {
 
 
 <sect>Direct
+<label id="direct">
 
 <p>The Direct protocol is a simple generator of device routes for all the
 directly connected networks according to the list of interfaces provided by the
@@ -2332,16 +2367,16 @@ on Linux systems BIRD cannot change non-BIRD route in the kernel routing table.
 <p>There are just few configuration options for the Direct protocol:
 
 <p><descrip>
-	<tag>interface <m/pattern [, ...]/</tag>
+	<tag><label id="direct-iface">interface <m/pattern [, ...]/</tag>
 	By default, the Direct protocol will generate device routes for all the
 	interfaces available. If you want to restrict it to some subset of
 	interfaces or addresses (e.g. if you're using multiple routing tables
 	for policy routing and some of the policy domains don't contain all
-	interfaces), just use this clause. See <ref id="dsc-iface" name="interface">
+	interfaces), just use this clause. See <ref id="proto-iface" name="interface">
 	common option for detailed description. The Direct protocol uses
 	extended interface clauses.
 
-	<tag>check link <m/switch/</tag>
+	<tag><label id="direct-check-link">check link <m/switch/</tag>
 	If enabled, a hardware link state (reported by OS) is taken into
 	consideration. Routes for directly connected networks are generated only
 	if link up is reported and they are withdrawn when link disappears
@@ -2360,6 +2395,7 @@ protocol direct {
 
 
 <sect>Kernel
+<label id="krt">
 
 <p>The Kernel protocol is not a real routing protocol. Instead of communicating
 with other routers in the network, it performs synchronization of BIRD's routing
@@ -2392,34 +2428,35 @@ kernel protocols to the same routing table and changing route destination
 limitations can be overcome using another routing table and the pipe protocol.
 
 <sect1>Configuration
+<label id="krt-config">
 
 <p><descrip>
-	<tag>persist <m/switch/</tag>
+	<tag><label id="krt-persist">persist <m/switch/</tag>
 	Tell BIRD to leave all its routes in the routing tables when it exits
 	(instead of cleaning them up).
 
-	<tag>scan time <m/number/</tag>
+	<tag><label id="krt-scan-time">scan time <m/number/</tag>
 	Time in seconds between two consecutive scans of the kernel routing
 	table.
 
-	<tag>learn <m/switch/</tag>
+	<tag><label id="krt-learn">learn <m/switch/</tag>
 	Enable learning of routes added to the kernel routing tables by other
 	routing daemons or by the system administrator. This is possible only on
 	systems which support identification of route authorship.
 
-	<tag>device routes <m/switch/</tag>
+	<tag><label id="krt-device-routes">device routes <m/switch/</tag>
 	Enable export of device routes to the kernel routing table. By default,
 	such routes are rejected (with the exception of explicitly configured
 	device routes from the static protocol) regardless of the export filter
 	to protect device routes in kernel routing table (managed by OS itself)
 	from accidental overwriting or erasing.
 
-	<tag>kernel table <m/number/</tag>
+	<tag><label id="krt-kernel-table">kernel table <m/number/</tag>
 	Select which kernel table should this particular instance of the Kernel
 	protocol work with. Available only on systems supporting multiple
 	routing tables.
 
-	<tag>metric <m/number/</tag> (Linux)
+	<tag><label id="krt-metric">metric <m/number/</tag> (Linux)
 	Use specified value as a kernel metric (priority) for all routes sent to
 	the kernel. When multiple routes for the same network are in the kernel
 	routing table, the Linux kernel chooses one with lower metric. Also,
@@ -2430,13 +2467,13 @@ limitations can be overcome using another routing table and the pipe protocol.
 	or per-route metric can be set using <cf/krt_metric/ attribute. Default:
 	0 (undefined).
 
-	<tag>graceful restart <m/switch/</tag>
+	<tag><label id="krt-graceful-restart">graceful restart <m/switch/</tag>
 	Participate in graceful restart recovery. If this option is enabled and
 	a graceful restart recovery is active, the Kernel protocol will defer
 	synchronization of routing tables until the end of the recovery. Note
 	that import of kernel routes to BIRD is not affected.
 
-	<tag>merge paths <M>switch</M> [limit <M>number</M>]</tag>
+	<tag><label id="krt-merge-paths">merge paths <M>switch</M> [limit <M>number</M>]</tag>
 	Usually, only best routes are exported to the kernel protocol. With path
 	merging enabled, both best routes and equivalent non-best routes are
 	merged during export to generate one ECMP (equal-cost multipath) route
@@ -2450,32 +2487,33 @@ limitations can be overcome using another routing table and the pipe protocol.
 </descrip>
 
 <sect1>Attributes
+<label id="krt-attr">
 
 <p>The Kernel protocol defines several attributes. These attributes are
 translated to appropriate system (and OS-specific) route attributes. We support
 these attributes:
 
 <descrip>
-	<tag>int <cf/krt_source/</tag>
+	<tag><label id="rta-krt-source">int krt_source/</tag>
 	The original source of the imported kernel route. The value is
 	system-dependent. On Linux, it is a value of the protocol field of the
 	route. See /etc/iproute2/rt_protos for common values. On BSD, it is
 	based on STATIC and PROTOx flags. The attribute is read-only.
 
-	<tag>int <cf/krt_metric/</tag> (Linux)
+	<tag><label id="rta-krt-metric">int krt_metric/</tag> (Linux)
 	The kernel metric of the route. When multiple same routes are in a
 	kernel routing table, the Linux kernel chooses one with lower metric.
 	Note that preferred way to set kernel metric is to use protocol option
 	<cf/metric/, unless per-route metric values are needed.
 
-	<tag>ip <cf/krt_prefsrc/</tag> (Linux)
+	<tag><label id="rta-krt-prefsrc">ip krt_prefsrc/</tag> (Linux)
 	The preferred source address. Used in source address selection for
 	outgoing packets. Has to be one of the IP addresses of the router.
 
-	<tag>int <cf/krt_realm/</tag> (Linux)
+	<tag><label id="rta-krt-realm">int krt_realm/</tag> (Linux)
 	The realm of the route. Can be used for traffic classification.
 
-	<tag>int <cf/krt_scope/</tag> (Linux IPv4)
+	<tag><label id="rta-krt-scope">int krt_scope/</tag> (Linux IPv4)
 	The scope of the route. Valid values are 0-254, although Linux kernel
 	may reject some values depending on route type and nexthop. It is
 	supposed to represent `indirectness' of the route, where nexthops of
@@ -2500,6 +2538,7 @@ Supported attributes are:
 <cf/krt_feature_ecn/, <cf/krt_feature_allfrag/
 
 <sect1>Example
+<label id="krt-exam">
 
 <p>A simple configuration can look this way:
 
@@ -2529,8 +2568,10 @@ protocol kernel {		# Secondary routing table
 
 
 <sect>OSPF
+<label id="ospf">
 
 <sect1>Introduction
+<label id="ospf-intro">
 
 <p>Open Shortest Path First (OSPF) is a quite complex interior gateway
 protocol. The current IPv4 version (OSPFv2) is defined in RFC 2328
@@ -2565,6 +2606,7 @@ identical by flooding updates. The flooding process is reliable and ensures that
 each router detects all changes.
 
 <sect1>Configuration
+<label id="ospf-config">
 
 <p>In the main part of configuration, there can be multiple definitions of OSPF
 areas, each with a different id. These definitions includes many other switches
@@ -2658,12 +2700,12 @@ protocol ospf &lt;name&gt; {
 </code>
 
 <descrip>
-	<tag>rfc1583compat <M>switch</M></tag>
+	<tag><label id="ospf-rfc1583compat">rfc1583compat <M>switch</M></tag>
 	This option controls compatibility of routing table calculation with
 	RFC 1583 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1583.txt">.
 	Default	value is no.
 
-	<tag>instance id <m/num/</tag>
+	<tag><label id="ospf-instance-id">instance id <m/num/</tag>
 	When multiple OSPF protocol instances are active on the same links, they
 	should use different instance IDs to distinguish their packets. Although
 	it could be done on per-interface basis, it is often preferred to set
@@ -2673,7 +2715,7 @@ protocol ospf &lt;name&gt; {
 	interfaces of the OSPF instance. Note that this option, if used, must
 	precede interface definitions. Default value is 0.
 
-	<tag>stub router <M>switch</M></tag>
+	<tag><label id="ospf-stub-router">stub router <M>switch</M></tag>
 	This option configures the router to be a stub router, i.e., a router
 	that participates in the OSPF topology but does not allow transit
 	traffic. In OSPFv2, this is implemented by advertising maximum metric
@@ -2682,13 +2724,13 @@ protocol ospf &lt;name&gt; {
 	<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6987.txt"> for
 	details. Default value is no.
 
-	<tag>tick <M>num</M></tag>
+	<tag><label id="ospf-tick">tick <M>num</M></tag>
 	The routing table calculation and clean-up of areas' databases is not
 	performed when a single link state change arrives. To lower the CPU
 	utilization, it's processed later at periodical intervals of <m/num/
 	seconds. The default value is 1.
 
-	<tag>ecmp <M>switch</M> [limit <M>number</M>]</tag>
+	<tag><label id="ospf-ecmp">ecmp <M>switch</M> [limit <M>number</M>]</tag>
 	This option specifies whether OSPF is allowed to generate ECMP
 	(equal-cost multipath) routes. Such routes are used when there are
 	several directions to the destination, each with the same (computed)
@@ -2696,7 +2738,7 @@ protocol ospf &lt;name&gt; {
 	nexthops in one route. By default, ECMP is disabled. If enabled,
 	default	value of the limit is 16.
 
-	<tag>merge external <M>switch</M></tag>
+	<tag><label id="ospf-merge-external">merge external <M>switch</M></tag>
 	This option specifies whether OSPF should merge external routes from
 	different routers/LSAs for the same destination. When enabled together
 	with <cf/ecmp/, equal-cost external routes will be combined to multipath
@@ -2704,18 +2746,18 @@ protocol ospf &lt;name&gt; {
 	from different LSAs are treated as separate even if they represents the
 	same destination. Default value is no.
 
-	<tag>area <M>id</M></tag>
+	<tag><label id="ospf-area">area <M>id</M></tag>
 	This defines an OSPF area with given area ID (an integer or an IPv4
 	address, similarly to a router ID). The most important area is the
 	backbone (ID 0) to which every other area must be connected.
 
-	<tag>stub</tag>
+	<tag><label id="ospf-stub">stub</tag>
 	This option configures the area to be a stub area. External routes are
 	not flooded into stub areas. Also summary LSAs can be limited in stub
 	areas (see option <cf/summary/). By default, the area is not a stub
 	area.
 
-	<tag>nssa</tag>
+	<tag><label id="ospf-nssa">nssa</tag>
 	This option configures the area to be a NSSA (Not-So-Stubby Area). NSSA
 	is a variant of a stub area which allows a limited way of external route
 	propagation. Global external routes are not propagated into a NSSA, but
@@ -2723,7 +2765,7 @@ protocol ospf &lt;name&gt; {
 	(and possibly translated and/or aggregated on area boundary). By
 	default, the area is not NSSA.
 
-	<tag>summary <M>switch</M></tag>
+	<tag><label id="ospf-summary">summary <M>switch</M></tag>
 	This option controls propagation of summary LSAs into stub or NSSA
 	areas. If enabled, summary LSAs are propagated as usual, otherwise just
 	the default summary route (0.0.0.0/0) is propagated (this is sometimes
@@ -2731,43 +2773,43 @@ protocol ospf &lt;name&gt; {
 	routers, propagating summary LSAs could lead to more efficient routing
 	at the cost of larger link state database. Default value is no.
 
-	<tag>default nssa <M>switch</M></tag>
+	<tag><label id="ospf-default-nssa">default nssa <M>switch</M></tag>
 	When <cf/summary/ option is enabled, default summary route is no longer
 	propagated to the NSSA. In that case, this option allows to originate
 	default route as NSSA-LSA to the NSSA. Default value is no.
 
-	<tag>default cost <M>num</M></tag>
+	<tag><label id="ospf-default-cost">default cost <M>num</M></tag>
 	This option controls the cost of a default route propagated to stub and
 	NSSA areas. Default value is 1000.
 
-	<tag>default cost2 <M>num</M></tag>
+	<tag><label id="ospf-default-cost2">default cost2 <M>num</M></tag>
 	When a default route is originated as NSSA-LSA, its cost can use either
 	type 1 or type 2 metric. This option allows to specify the cost of a
 	default route in type 2 metric. By default, type 1 metric (option
 	<cf/default cost/) is used.
 
-	<tag>translator <M>switch</M></tag>
+	<tag><label id="ospf-translator">translator <M>switch</M></tag>
 	This option controls translation of NSSA-LSAs into external LSAs. By
 	default, one translator per NSSA is automatically elected from area
 	boundary routers. If enabled, this area boundary router would
 	unconditionally translate all NSSA-LSAs regardless of translator
 	election. Default value is no.
 
-	<tag>translator stability <M>num</M></tag>
+	<tag><label id="ospf-translator-stability">translator stability <M>num</M></tag>
 	This option controls the translator stability interval (in seconds).
 	When the new translator is elected, the old one keeps translating until
 	the interval is over. Default value is 40.
 
-	<tag>networks { <m/set/ }</tag>
+	<tag><label id="ospf-networks">networks { <m/set/ }</tag>
 	Definition of area IP ranges. This is used in summary LSA origination.
 	Hidden networks are not propagated into other areas.
 
-	<tag>external { <m/set/ }</tag>
+	<tag><label id="ospf-external">external { <m/set/ }</tag>
 	Definition of external area IP ranges for NSSAs. This is used for
 	NSSA-LSA translation. Hidden networks are not translated into external
 	LSAs. Networks can have configured route tag.
 
-	<tag>stubnet <m/prefix/ { <m/options/ }</tag>
+	<tag><label id="ospf-stubnet">stubnet <m/prefix/ { <m/options/ }</tag>
 	Stub networks are networks that are not transit networks between OSPF
 	routers. They are also propagated through an OSPF area as a part of a
 	link state database. By default, BIRD generates a stub network record
@@ -2783,9 +2825,9 @@ protocol ospf &lt;name&gt; {
 	that are subnetworks of given stub network are suppressed. This might be
 	used, for example, to aggregate generated stub networks.
 
-	<tag>interface <M>pattern</M> [instance <m/num/]</tag>
+	<tag><label id="ospf-iface">interface <M>pattern</M> [instance <m/num/]</tag>
 	Defines that the specified interfaces belong to the area being defined.
-	See <ref id="dsc-iface" name="interface"> common option for detailed
+	See <ref id="proto-iface" name="interface"> common option for detailed
 	description. In OSPFv2, extended interface clauses are used, because
 	each network prefix is handled as a separate virtual interface.
 
@@ -2796,54 +2838,54 @@ protocol ospf &lt;name&gt; {
 	<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6549.txt">) and is
 	supposed to be set per-protocol. For OSPFv3, it is an integral feature.
 
-	<tag>virtual link <M>id</M> [instance <m/num/]</tag>
+	<tag><label id="ospf-virtual-link">virtual link <M>id</M> [instance <m/num/]</tag>
 	Virtual link to router with the router id. Virtual link acts as a
 	point-to-point interface belonging to backbone. The actual area is used
 	as a transport area. This item cannot be in the backbone. Like with
 	<cf/interface/ option, you could also use several virtual links to one
 	destination with different instance IDs.
 
-	<tag>cost <M>num</M></tag>
+	<tag><label id="ospf-cost">cost <M>num</M></tag>
 	Specifies output cost (metric) of an interface. Default value is 10.
 
-	<tag>stub <M>switch</M></tag>
+	<tag><label id="ospf-stub-iface">stub <M>switch</M></tag>
 	If set to interface it does not listen to any packet and does not send
 	any hello. Default value is no.
 
-	<tag>hello <M>num</M></tag>
+	<tag><label id="ospf-hello">hello <M>num</M></tag>
 	Specifies interval in seconds between sending of Hello messages. Beware,
 	all routers on the same network need to have the same hello interval.
 	Default value is 10.
 
-	<tag>poll <M>num</M></tag>
+	<tag><label id="ospf-poll">poll <M>num</M></tag>
 	Specifies interval in seconds between sending of Hello messages for some
 	neighbors on NBMA network. Default value is 20.
 
-	<tag>retransmit <M>num</M></tag>
+	<tag><label id="ospf-retransmit">retransmit <M>num</M></tag>
 	Specifies interval in seconds between retransmissions of unacknowledged
 	updates. Default value is 5.
 
-	<tag>priority <M>num</M></tag>
+	<tag><label id="ospf-priority">priority <M>num</M></tag>
 	On every multiple access network (e.g., the Ethernet) Designated Router
 	and Backup Designated router are elected. These routers have some special
 	functions in the flooding process. Higher priority increases preferences
 	in this election. Routers with priority 0 are not eligible. Default
 	value is 1.
 
-	<tag>wait <M>num</M></tag>
+	<tag><label id="ospf-wait">wait <M>num</M></tag>
 	After start, router waits for the specified number of seconds between
 	starting election and building adjacency. Default value is 4*<m/hello/.
 
-	<tag>dead count <M>num</M></tag>
+	<tag><label id="ospf-dead-count">dead count <M>num</M></tag>
 	When the router does not receive any messages from a neighbor in
 	<m/dead count/*<m/hello/ seconds, it will consider the neighbor down.
 
-	<tag>dead <M>num</M></tag>
+	<tag><label id="ospf-dead">dead <M>num</M></tag>
 	When the router does not receive any messages from a neighbor in
 	<m/dead/ seconds, it will consider the neighbor down. If both directives
 	<cf/dead count/ and <cf/dead/ are used, <cf/dead/ has precedence.
 
-	<tag>secondary <M>switch</M></tag>
+	<tag><label id="ospf-secondary">secondary <M>switch</M></tag>
 	On BSD systems, older versions of BIRD supported OSPFv2 only for the
 	primary IP address of an interface, other IP ranges on the interface
 	were handled as stub networks. Since v1.4.1, regular operation on
@@ -2853,14 +2895,14 @@ protocol ospf &lt;name&gt; {
 	behavior will be changed. On Linux systems, the option is irrelevant, as
 	operation on non-primary addresses is already the regular behavior.
 
-	<tag>rx buffer <M>num</M></tag>
+	<tag><label id="ospf-rx-buffer">rx buffer <M>num</M></tag>
 	This option allows to specify the size of buffers used for packet
 	processing. The buffer size should be bigger than maximal size of any
 	packets. By default, buffers are dynamically resized as needed, but a
 	fixed value could be specified. Value <cf/large/ means maximal allowed
 	packet size - 65535.
 
-	<tag>tx length <M>num</M></tag>
+	<tag><label id="ospf-tx-length">tx length <M>num</M></tag>
 	Transmitted OSPF messages that contain large amount of information are
 	segmented to separate OSPF packets to avoid IP fragmentation. This
 	option specifies the soft ceiling for the length of generated OSPF
@@ -2868,7 +2910,7 @@ protocol ospf &lt;name&gt; {
 	larger OSPF packets may still be generated if underlying OSPF messages
 	cannot be splitted (e.g. when one large LSA is propagated).
 
-	<tag>type broadcast|bcast</tag>
+	<tag><label id="ospf-type-bcast">type broadcast|bcast</tag>
 	BIRD detects a type of a connected network automatically, but sometimes
 	it's convenient to force use of a different type manually. On broadcast
 	networks (like ethernet), flooding and Hello messages are sent using
@@ -2878,7 +2920,7 @@ protocol ospf &lt;name&gt; {
 	on physically NBMA networks and on unnumbered networks (networks without
 	proper IP prefix).
 
-	<tag>type pointopoint|ptp</tag>
+	<tag><label id="ospf-type-ptp">type pointopoint|ptp</tag>
 	Point-to-point networks connect just 2 routers together. No election is
 	performed and no network LSA is originated, which makes it simpler and
 	faster to establish. This network type is useful not only for physically
@@ -2886,31 +2928,31 @@ protocol ospf &lt;name&gt; {
 	as PtP links. This network type cannot be used on physically NBMA
 	networks.
 
-	<tag>type nonbroadcast|nbma</tag>
+	<tag><label id="ospf-type-nbma">type nonbroadcast|nbma</tag>
 	On NBMA networks, the packets are sent to each neighbor separately
 	because of lack of multicast capabilities. Like on broadcast networks,
 	a designated router is elected, which plays a central role in propagation
 	of LSAs. This network type cannot be used on unnumbered networks.
 
-	<tag>type pointomultipoint|ptmp</tag>
+	<tag><label id="ospf-type-ptmp">type pointomultipoint|ptmp</tag>
 	This is another network type designed to handle NBMA networks. In this
 	case the NBMA network is treated as a collection of PtP links. This is
 	useful if not every pair of routers on the NBMA network has direct
 	communication, or if the NBMA network is used as an (possibly
 	unnumbered) PtP link.
 
-	<tag>link lsa suppression <m/switch/</tag>
+	<tag><label id="ospf-link-lsa-suppression">link lsa suppression <m/switch/</tag>
 	In OSPFv3, link LSAs are generated for each link, announcing link-local
 	IPv6 address of the router to its local neighbors. These are useless on
 	PtP or PtMP networks and this option allows to suppress the link LSA
 	origination for such interfaces. The option is ignored on other than PtP
 	or PtMP interfaces. Default value is no.
 
-	<tag>strict nonbroadcast <m/switch/</tag>
+	<tag><label id="ospf-strict-nonbroadcast">strict nonbroadcast <m/switch/</tag>
 	If set, don't send hello to any undefined neighbor. This switch is
 	ignored on other than NBMA or PtMP interfaces. Default value is no.
 
-	<tag>real broadcast <m/switch/</tag>
+	<tag><label id="ospf-real-broadcast">real broadcast <m/switch/</tag>
 	In <cf/type broadcast/ or <cf/type ptp/ network configuration, OSPF
 	packets are sent as IP multicast packets. This option changes the
 	behavior to using old-fashioned IP broadcast packets. This may be useful
@@ -2918,7 +2960,7 @@ protocol ospf &lt;name&gt; {
 	not work reliably. This is a non-standard option and probably is not
 	interoperable with other OSPF implementations. Default value is no.
 
-	<tag>ptp netmask <m/switch/</tag>
+	<tag><label id="ospf-ptp-netmask">ptp netmask <m/switch/</tag>
 	In <cf/type ptp/ network configurations, OSPFv2 implementations should
 	ignore received netmask field in hello packets and should send hello
 	packets with zero netmask field on unnumbered PtP links. But some OSPFv2
@@ -2928,7 +2970,7 @@ protocol ospf &lt;name&gt; {
 	compatibility problems related to this issue. Default value is no for
 	unnumbered PtP links, yes otherwise.
 
-	<tag>check link <M>switch</M></tag>
+	<tag><label id="ospf-check-link">check link <M>switch</M></tag>
 	If set, a hardware link state (reported by OS) is taken into consideration.
 	When a link disappears (e.g. an ethernet cable is unplugged), neighbors
 	are immediately considered unreachable and only the address of the iface
@@ -2936,15 +2978,15 @@ protocol ospf &lt;name&gt; {
 	some hardware drivers or platforms do not implement this feature.
 	Default value is no.
 
-	<tag>bfd <M>switch</M></tag>
+	<tag><label id="ospf-bfd">bfd <M>switch</M></tag>
 	OSPF could use BFD protocol as an advisory mechanism for neighbor
 	liveness and failure detection. If enabled, BIRD setups a BFD session
 	for each OSPF neighbor and tracks its liveness by it. This has an
 	advantage of an order of magnitude lower detection times in case of
 	failure. Note that BFD protocol also has to be configured, see
-	<ref id="sect-bfd" name="BFD"> section for details. Default value is no.
+	<ref id="bfd" name="BFD"> section for details. Default value is no.
 
-	<tag>ttl security [<m/switch/ | tx only]</tag>
+	<tag><label id="ospf-ttl-security">ttl security [<m/switch/ | tx only]</tag>
 	TTL security is a feature that protects routing protocols from remote
 	spoofed packets by using TTL 255 instead of TTL 1 for protocol packets
 	destined to neighbors. Because TTL is decremented when packets are
@@ -2957,35 +2999,35 @@ protocol ospf &lt;name&gt; {
 	set to <cf/tx only/, TTL 255 is used for sent packets, but is not
 	checked for received packets. Default value is no.
 
-	<tag>tx class|dscp|priority <m/num/</tag>
+	<tag><label id="ospf-tx-class">tx class|dscp|priority <m/num/</tag>
 	These options specify the ToS/DiffServ/Traffic class/Priority of the
-	outgoing OSPF packets. See <ref id="dsc-prio" name="tx class"> common
+	outgoing OSPF packets. See <ref id="proto-tx-class" name="tx class"> common
 	option for detailed description.
 
-	<tag>ecmp weight <M>num</M></tag>
+	<tag><label id="ospf-ecmp-weight">ecmp weight <M>num</M></tag>
 	When ECMP (multipath) routes are allowed, this value specifies a
 	relative weight used for nexthops going through the iface. Allowed
 	values are 1-256. Default value is 1.
 
-	<tag>authentication none</tag>
+	<tag><label id="ospf-auth-none">authentication none</tag>
 	No passwords are sent in OSPF packets. This is the default value.
 
-	<tag>authentication simple</tag>
+	<tag><label id="ospf-auth-simple">authentication simple</tag>
 	Every packet carries 8 bytes of password. Received packets lacking this
 	password are ignored. This authentication mechanism is very weak.
 
-	<tag>authentication cryptographic</tag>
+	<tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag>
 	16-byte long MD5 digest is appended to every packet. For the digest
 	generation 16-byte long passwords are used. Those passwords are not sent
 	via network, so this mechanism is quite secure. Packets can still be
 	read by an attacker.
 
-	<tag>password "<M>text</M>"</tag>
+	<tag><label id="ospf-pass">password "<M>text</M>"</tag>
 	An 8-byte or 16-byte password used for authentication. See
-	<ref id="dsc-pass" name="password"> common option for detailed
+	<ref id="proto-pass" name="password"> common option for detailed
 	description.
 
-	<tag>neighbors { <m/set/ } </tag>
+	<tag><label id="ospf-neighbors">neighbors { <m/set/ } </tag>
 	A set of neighbors to which Hello messages on NBMA or PtMP networks are
 	to be sent. For NBMA networks, some of them could be marked as eligible.
 	In OSPFv3, link-local addresses should be used, using global ones is
@@ -2994,6 +3036,7 @@ protocol ospf &lt;name&gt; {
 </descrip>
 
 <sect1>Attributes
+<label id="ospf-attr">
 
 <p>OSPF defines four route attributes. Each internal route has a <cf/metric/.
 
@@ -3013,6 +3056,7 @@ network. This attribute is read-only. Default is <cf/ospf_metric2 = 10000/ and
 <cf/ospf_tag = 0/.
 
 <sect1>Example
+<label id="ospf-exam">
 
 <p><code>
 protocol ospf MyOSPF {
@@ -3079,8 +3123,10 @@ protocol ospf MyOSPF {
 
 
 <sect>Pipe
+<label id="pipe">
 
 <sect1>Introduction
+<label id="pipe-intro">
 
 <p>The Pipe protocol serves as a link between two routing tables, allowing
 routes to be passed from a table declared as primary (i.e., the one the pipe is
@@ -3115,21 +3161,24 @@ routes appear in which tables and also you can employ the Pipe protocol for
 exporting a selected subset of one table to another one.
 
 <sect1>Configuration
+<label id="pipe-config">
 
 <p><descrip>
-	<tag>peer table <m/table/</tag>
+	<tag><label id="pipe-peer-table">peer table <m/table/</tag>
 	Defines secondary routing table to connect to. The primary one is
 	selected by the <cf/table/ keyword.
 
-	<tag>mode opaque|transparent</tag>
+	<tag><label id="pipe-mode">mode opaque|transparent</tag>
 	Specifies the mode for the pipe to work in. Default is transparent.
 </descrip>
 
 <sect1>Attributes
+<label id="pipe-attr">
 
 <p>The Pipe protocol doesn't define any route attributes.
 
 <sect1>Example
+<label id="pipe-exam">
 
 <p>Let's consider a router which serves as a boundary router of two different
 autonomous systems, each of them connected to a subset of interfaces of the
@@ -3200,8 +3249,10 @@ protocol pipe {				# The Pipe
 
 
 <sect>RAdv
+<label id="radv">
 
 <sect1>Introduction
+<label id="radv-intro">
 
 <p>The RAdv protocol is an implementation of Router Advertisements, which are
 used in the IPv6 stateless autoconfiguration. IPv6 routers send (in irregular
@@ -3214,18 +3265,19 @@ and also the DNS extensions from
 RFC 6106<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6106.txt">.
 
 <sect1>Configuration
+<label id="radv-config">
 
 <p>There are several classes of definitions in RAdv configuration -- interface
 definitions, prefix definitions and DNS definitions:
 
 <descrip>
-	<tag>interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="radv-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
 	Interface definitions specify a set of interfaces on which the
 	protocol is activated and contain interface specific options.
-	See <ref id="dsc-iface" name="interface"> common options for
+	See <ref id="proto-iface" name="interface"> common options for
 	detailed description.
 
-	<tag>prefix <m/prefix/ { <m/options/ }</tag>
+	<tag><label id="radv-prefix">prefix <m/prefix/ { <m/options/ }</tag>
 	Prefix definitions allow to modify a list of advertised prefixes. By
 	default, the advertised prefixes are the same as the network prefixes
 	assigned to the interface. For each network prefix, the matching prefix
@@ -3239,7 +3291,7 @@ definitions, prefix definitions and DNS definitions:
 	prefix definition is matching if the network prefix is a subnet of the
 	prefix in prefix definition.
 
-	<tag>rdnss { <m/options/ }</tag>
+	<tag><label id="radv-rdnss">rdnss { <m/options/ }</tag>
 	RDNSS definitions allow to specify a list of advertised recursive DNS
 	servers together with their options. As options are seldom necessary,
 	there is also a short variant <cf>rdnss <m/address/</cf> that just
@@ -3247,15 +3299,15 @@ definitions, prefix definitions and DNS definitions:
 	definitions may also be interface-specific when used inside interface
 	options. By default, interface uses both global and interface-specific
 	options, but that can be changed by <cf/rdnss local/ option.
-
-	<tag>dnssl { <m/options/ }</tag>
+dsc-iface
+	<tag><label id="radv-dnssl">dnssl { <m/options/ }</tag>
 	DNSSL definitions allow to specify a list of advertised DNS search
 	domains together with their options. Like <cf/rdnss/ above, multiple
 	definitions are cumulative, they can be used also as interface-specific
 	options and there is a short variant <cf>dnssl <m/domain/</cf> that just
 	specifies one DNS search domain.
 
-	<label id="dsc-trigger"> <tag>trigger <m/prefix/</tag>
+	<tag><label id="radv-trigger">trigger <m/prefix/</tag>
 	RAdv protocol could be configured to change its behavior based on
 	availability of routes. When this option is used, the protocol waits in
 	suppressed state until a <it/trigger route/ (for the specified network)
@@ -3277,99 +3329,99 @@ definitions, prefix definitions and DNS definitions:
 <p>Interface specific options:
 
 <descrip>
-	<tag>max ra interval <m/expr/</tag>
+	<tag><label id="radv-iface-max-ra-interval">max ra interval <m/expr/</tag>
 	Unsolicited router advertisements are sent in irregular time intervals.
 	This option specifies the maximum length of these intervals, in seconds.
 	Valid values are 4-1800. Default: 600
 
-	<tag>min ra interval <m/expr/</tag>
+	<tag><label id="radv-iface-min-ra-interval">min ra interval <m/expr/</tag>
 	This option specifies the minimum length of that intervals, in seconds.
 	Must be at least 3 and at most 3/4 * <cf/max ra interval/. Default:
 	about 1/3 * <cf/max ra interval/.
 
-	<tag>min delay <m/expr/</tag>
+	<tag><label id="radv-iface-min-delay">min delay <m/expr/</tag>
 	The minimum delay between two consecutive router advertisements, in
 	seconds. Default: 3
 
-	<tag>managed <m/switch/</tag>
+	<tag><label id="radv-iface-managed">managed <m/switch/</tag>
 	This option specifies whether hosts should use DHCPv6 for IP address
 	configuration. Default: no
 
-	<tag>other config <m/switch/</tag>
+	<tag><label id="radv-iface-other-config">other config <m/switch/</tag>
 	This option specifies whether hosts should use DHCPv6 to receive other
 	configuration information. Default: no
 
-	<tag>link mtu <m/expr/</tag>
+	<tag><label id="radv-iface-link-mtu">link mtu <m/expr/</tag>
 	This option specifies which value of MTU should be used by hosts. 0
 	means unspecified. Default: 0
 
-	<tag>reachable time <m/expr/</tag>
+	<tag><label id="radv-iface-reachable-time">reachable time <m/expr/</tag>
 	This option specifies the time (in milliseconds) how long hosts should
 	assume a neighbor is reachable (from the last confirmation). Maximum is
 	3600000, 0 means unspecified. Default 0.
 
-	<tag>retrans timer <m/expr/</tag>
+	<tag><label id="radv-iface-retrans-timer">retrans timer <m/expr/</tag>
 	This option specifies the time (in milliseconds) how long hosts should
 	wait before retransmitting Neighbor Solicitation messages. 0 means
 	unspecified. Default 0.
 
-	<tag>current hop limit <m/expr/</tag>
+	<tag><label id="radv-iface-current-hop-limit">current hop limit <m/expr/</tag>
 	This option specifies which value of Hop Limit should be used by
 	hosts. Valid values are 0-255, 0 means unspecified. Default: 64
 
-	<tag>default lifetime <m/expr/ [sensitive <m/switch/]</tag>
+	<tag><label id="radv-iface-default-lifetime">default lifetime <m/expr/ [sensitive <m/switch/]</tag>
 	This option specifies the time (in seconds) how long (after the receipt
 	of RA) hosts may use the router as a default router. 0 means do not use
-	as a default router. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">.
+	as a default router. For <cf/sensitive/ option, see <ref id="radv-trigger" name="trigger">.
 	Default: 3 * <cf/max ra	interval/, <cf/sensitive/ yes.
 
-	<tag>default preference low|medium|high</tag>
+	<tag><label id="radv-iface-default-preference-low">default preference low|medium|high</tag>
 	This option specifies the Default Router Preference value to advertise
 	to hosts. Default: medium.
 
-	<tag>rdnss local <m/switch/</tag>
+	<tag><label id="radv-iface-rdnss-local">rdnss local <m/switch/</tag>
 	Use only local (interface-specific) RDNSS definitions for this
 	interface. Otherwise, both global and local definitions are used. Could
 	also be used to disable RDNSS for given interface if no local definitons
 	are specified. Default: no.
 
-	<tag>dnssl local <m/switch/</tag>
+	<tag><label id="radv-iface-dnssl-local">dnssl local <m/switch/</tag>
 	Use only local DNSSL definitions for this interface. See <cf/rdnss local/
 	option above. Default: no.
 </descrip>
 
 
-<p>Prefix specific options:
+<p>Prefix specific options
 
 <descrip>
-	<tag>skip <m/switch/</tag>
+	<tag><label id="radv-prefix-skip">skip <m/switch/</tag>
 	This option allows to specify that given prefix should not be
 	advertised. This is useful for making exceptions from a default policy
 	of advertising all prefixes. Note that for withdrawing an already
 	advertised prefix it is more useful to advertise it with zero valid
 	lifetime. Default: no
 
-	<tag>onlink <m/switch/</tag>
+	<tag><label id="radv-prefix-onlink">onlink <m/switch/</tag>
 	This option specifies whether hosts may use the advertised prefix for
 	onlink determination. Default: yes
 
-	<tag>autonomous <m/switch/</tag>
+	<tag><label id="radv-prefix-autonomous">autonomous <m/switch/</tag>
 	This option specifies whether hosts may use the advertised prefix for
 	stateless autoconfiguration. Default: yes
 
-	<tag>valid lifetime <m/expr/ [sensitive <m/switch/]</tag>
+	<tag><label id="radv-prefix-valid-lifetime">valid lifetime <m/expr/ [sensitive <m/switch/]</tag>
 	This option specifies the time (in seconds) how long (after the
 	receipt of RA) the prefix information is valid, i.e., autoconfigured
 	IP addresses can be assigned and hosts with that IP addresses are
 	considered directly reachable. 0 means the prefix is no longer
-	valid. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">.
+	valid. For <cf/sensitive/ option, see <ref id="radv-trigger" name="trigger">.
 	Default: 86400 (1 day), <cf/sensitive/ no.
 
-	<tag>preferred lifetime <m/expr/ [sensitive <m/switch/]</tag>
+	<tag><label id="radv-prefix-preferred-lifetime">preferred lifetime <m/expr/ [sensitive <m/switch/]</tag>
 	This option specifies the time (in seconds) how long (after the
 	receipt of RA) IP addresses generated from the prefix using stateless
 	autoconfiguration remain preferred. For <cf/sensitive/ option,
-	see <ref id="dsc-trigger" name="trigger">. Default: 14400 (4 hours),
+	see <ref id="radv-trigger" name="trigger">. Default: 14400 (4 hours),
 	<cf/sensitive/ no.
 </descrip>
 
@@ -3377,12 +3429,12 @@ definitions, prefix definitions and DNS definitions:
 <p>RDNSS specific options:
 
 <descrip>
-	<tag>ns <m/address/</tag>
+	<tag><label id="radv-rdnss-ns">ns <m/address/</tag>
 	This option specifies one recursive DNS server. Can be used multiple
 	times for multiple servers. It is mandatory to have at least one
 	<cf/ns/ option in <cf/rdnss/ definition.
 
-	<tag>lifetime [mult] <m/expr/</tag>
+	<tag><label id="radv-rdnss-lifetime">lifetime [mult] <m/expr/</tag>
 	This option specifies the time how long the RDNSS information may be
 	used by clients after the receipt of RA. It is expressed either in
 	seconds or (when <cf/mult/ is used) in multiples of <cf/max ra
@@ -3395,12 +3447,12 @@ definitions, prefix definitions and DNS definitions:
 <p>DNSSL specific options:
 
 <descrip>
-	<tag>domain <m/address/</tag>
+	<tag><label id="radv-dnssl-domain">domain <m/address/</tag>
 	This option specifies one DNS search domain. Can be used multiple times
 	for multiple domains. It is mandatory to have at least one <cf/domain/
 	option in <cf/dnssl/ definition.
 
-	<tag>lifetime [mult] <m/expr/</tag>
+	<tag><label id="radv-dnssl-lifetime">lifetime [mult] <m/expr/</tag>
 	This option specifies the time how long the DNSSL information may be
 	used by clients after the receipt of RA. Details are the same as for
 	RDNSS <cf/lifetime/ option above. Default: 3 * <cf/max ra interval/.
@@ -3408,6 +3460,7 @@ definitions, prefix definitions and DNS definitions:
 
 
 <sect1>Example
+<label id="radv-exam">
 
 <p><code>
 protocol radv {
@@ -3447,8 +3500,10 @@ protocol radv {
 
 
 <sect>RIP
+<label id="rip">
 
 <sect1>Introduction
+<label id="rip-intro">
 
 <p>The RIP protocol (also sometimes called Rest In Pieces) is a simple protocol,
 where each router broadcasts (to all its neighbors) distances to all networks it
@@ -3474,6 +3529,7 @@ convergence, big network load and inability to handle larger networks makes it
 pretty much obsolete. It is still usable on very small networks.
 
 <sect1>Configuration
+<label id="rip-config">
 
 <p>RIP configuration consists mainly of common protocol options and interface
 definitions, most RIP options are interface specific.
@@ -3516,11 +3572,11 @@ protocol rip [&lt;name&gt;] {
 </code>
 
 <descrip>
-	<tag>infinity <M>number</M></tag>
+	<tag><label id="rip-infinity">infinity <M>number</M></tag>
 	Selects the distance of infinity. Bigger values will make
 	protocol convergence even slower. The default value is 16.
 
-	<tag>ecmp <M>switch</M> [limit <M>number</M>]</tag>
+	<tag><label id="rip-ecmp">ecmp <M>switch</M> [limit <M>number</M>]</tag>
 	This option specifies whether RIP is allowed to generate ECMP
 	(equal-cost multipath) routes. Such routes are used when there are
 	several directions to the destination, each with the same (computed)
@@ -3528,42 +3584,42 @@ protocol rip [&lt;name&gt;] {
 	nexthops in one route. By default, ECMP is disabled. If enabled,
 	default	value of the limit is 16.
 
-	<tag>interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="rip-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
 	Interface definitions specify a set of interfaces on which the
 	protocol is activated and contain interface specific options.
-	See <ref id="dsc-iface" name="interface"> common options for
+	See <ref id="proto-iface" name="interface"> common options for
 	detailed description.
 </descrip>
 
 <p>Interface specific options:
 
 <descrip>
-	<tag>metric <m/num/</tag>
+	<tag><label id="rip-iface-metric">metric <m/num/</tag>
 	This option specifies the metric of the interface. When a route is
 	received from the interface, its metric is increased by this value
 	before further processing. Valid values are 1-255, but values higher
 	than infinity has no further meaning. Default: 1.
 
-	<tag>mode multicast|broadcast</tag>
+	<tag><label id="rip-iface-mode">mode multicast|broadcast</tag>
 	This option selects the mode for RIP to use on the interface. The
 	default is multicast mode for RIPv2 and broadcast mode for RIPv1.
 	RIPng always uses the multicast mode.
 
-	<tag>passive <m/switch/</tag>
+	<tag><label id="rip-iface-passive">passive <m/switch/</tag>
 	Passive interfaces receive routing updates but do not transmit any
 	messages. Default: no.
 
-	<tag>address <m/ip/</tag>
+	<tag><label id="rip-iface-address">address <m/ip/</tag>
 	This option specifies a destination address used for multicast or
 	broadcast messages, the default is the official RIP (224.0.0.9) or RIPng
 	(ff02::9) multicast address, or an appropriate broadcast address in the
 	broadcast mode.
 
-	<tag>port <m/number/</tag>
+	<tag><label id="rip-iface-port">port <m/number/</tag>
 	This option selects an UDP port to operate on, the default is the
 	official RIP (520) or RIPng (521) port.
 
-	<tag>version 1|2</tag>
+	<tag><label id="rip-iface-version">version 1|2</tag>
 	This option selects the version of RIP used on the interface. For RIPv1,
 	automatic subnet aggregation is not implemented, only classful network
 	routes and host routes are propagated. Note that BIRD allows RIPv1 to be
@@ -3572,12 +3628,12 @@ protocol rip [&lt;name&gt;] {
 	RIP, the option is not supported for RIPng, as no further versions are
 	defined.
 
-	<tag>version only <m/switch/</tag>
+	<tag><label id="rip-iface-version-only">version only <m/switch/</tag>
 	Regardless of RIP version configured for the interface, BIRD accepts
 	incoming packets of any RIP version. This option restrict accepted
 	packets to the configured version. Default: no.
 
-	<tag>split horizon <m/switch/</tag>
+	<tag><label id="rip-iface-split-horizon">split horizon <m/switch/</tag>
 	Split horizon is a scheme for preventing routing loops. When split
 	horizon is active, routes are not regularly propagated back to the
 	interface from which they were received. They are either not propagated
@@ -3586,40 +3642,40 @@ protocol rip [&lt;name&gt;] {
 	on the interface will not consider the router as a part of an
 	independent path to the destination of the route. Default: yes.
 
-	<tag>poison reverse <m/switch/</tag>
+	<tag><label id="rip-iface-poison-reverse">poison reverse <m/switch/</tag>
 	When split horizon is active, this option specifies whether the poisoned
 	reverse variant (propagating routes back with an infinity metric) is
 	used. The poisoned reverse has some advantages in faster convergence,
 	but uses more network traffic. Default: yes.
 
-	<tag>check zero <m/switch/</tag>
+	<tag><label id="rip-iface-check-zero">check zero <m/switch/</tag>
 	Received RIPv1 packets with non-zero values in reserved fields should
 	be discarded. This option specifies whether the check is performed or
 	such packets are just processed as usual. Default: yes.
 
-	<tag>update time <m/number/</tag>
+	<tag><label id="rip-iface-update-time">update time <m/number/</tag>
 	Specifies the number of seconds between periodic updates. A lower number
 	will mean faster convergence but bigger network load. Default: 30.
 
-	<tag>timeout time <m/number/</tag>
+	<tag><label id="rip-iface-timeout-time">timeout time <m/number/</tag>
 	Specifies the time interval (in seconds) between the last received route
 	announcement and the route expiration. After that, the network is
 	considered unreachable, but still is propagated with infinity distance.
 	Default: 180.
 
-	<tag>garbage time <m/number/</tag>
+	<tag><label id="rip-iface-garbage-time">garbage time <m/number/</tag>
 	Specifies the time interval (in seconds) between the route expiration
 	and the removal of the unreachable network entry. The garbage interval,
 	when a route with infinity metric is propagated, is used for both
 	internal (after expiration) and external (after withdrawal) routes.
 	Default: 120.
 
-	<tag>ecmp weight <m/number/</tag>
+	<tag><label id="rip-iface-ecmp-weight">ecmp weight <m/number/</tag>
 	When ECMP (multipath) routes are allowed, this value specifies a
 	relative weight used for nexthops going through the iface. Valid
 	values are 1-256. Default value is 1.
 
-	<tag>authentication none|plaintext|cryptographic</tag>
+	<tag><label id="rip-iface-auth">authentication none|plaintext|cryptographic</tag>
 	Selects authentication method to be used. <cf/none/ means that packets
 	are not authenticated at all, <cf/plaintext/ means that a plaintext
 	password is embedded into each packet, and <cf/cryptographic/ means that
@@ -3627,11 +3683,11 @@ protocol rip [&lt;name&gt;] {
 	authentication to not-none, it is a good idea to add <cf>password</cf>
 	section. Default: none.
 
-	<tag>password "<m/text/"</tag>
-	Specifies a password used for authentication. See <ref id="dsc-pass"
+	<tag><label id="rip-iface-pass">password "<m/text/"</tag>
+	Specifies a password used for authentication. See <ref id="proto-pass"
 	name="password"> common option for detailed description.
 
-	<tag>ttl security [<m/switch/ | tx only]</tag>
+	<tag><label id="rip-iface-ttl-security">ttl security [<m/switch/ | tx only]</tag>
 	TTL security is a feature that protects routing protocols from remote
 	spoofed packets by using TTL 255 instead of TTL 1 for protocol packets
 	destined to neighbors. Because TTL is decremented when packets are
@@ -3648,22 +3704,22 @@ protocol rip [&lt;name&gt;] {
 	For RIPng, TTL security is a standard behavior (required by RFC 2080)
 	and therefore default value is yes. For IPv4 RIP, default value is no.
 
-	<tag>tx class|dscp|priority <m/number/</tag>
+	<tag><label id="rip-iface-tx-class">tx class|dscp|priority <m/number/</tag>
 	These options specify the ToS/DiffServ/Traffic class/Priority of the
-	outgoing RIP packets. See <ref id="dsc-prio" name="tx class"> common
+	outgoing RIP packets. See <ref id="proto-tx-class" name="tx class"> common
 	option for detailed description.
 
-	<tag>rx buffer <m/number/</tag>
+	<tag><label id="rip-iface-rx-buffer">rx buffer <m/number/</tag>
 	This option specifies the size of buffers used for packet processing.
 	The buffer size should be bigger than maximal size of received packets.
 	The default value is 532 for IPv4 RIP and interface MTU value for RIPng.
 
-	<tag>tx length <m/number/</tag>
+	<tag><label id="rip-iface-tx-length">tx length <m/number/</tag>
 	This option specifies the maximum length of generated RIP packets. To
 	avoid IP fragmentation, it should not exceed the interface MTU value.
 	The default value is 532 for IPv4 RIP and interface MTU value for RIPng.
 
-	<tag>check link <m/switch/</tag>
+	<tag><label id="rip-iface-check-link">check link <m/switch/</tag>
 	If set, the hardware link state (as reported by OS) is taken into
 	consideration. When the link disappears (e.g. an ethernet cable is
 	unplugged), neighbors are immediately considered unreachable and all
@@ -3673,17 +3729,18 @@ protocol rip [&lt;name&gt;] {
 </descrip>
 
 <sect1>Attributes
+<label id="rip-attr">
 
 <p>RIP defines two route attributes:
 
 <descrip>
-	<tag>int <cf/rip_metric/</tag>
+	<tag><label id="rta-rip-metric">int rip_metric/</tag>
 	RIP metric of the route (ranging from 0 to <cf/infinity/).  When routes
 	from different RIP instances are available and all of them have the same
 	preference, BIRD prefers the route with lowest <cf/rip_metric/. When a
 	non-RIP route is exported to RIP, the default metric is 1.
 
-	<tag>int <cf/rip_tag/</tag>
+	<tag><label id="rta-rip-tag">int rip_tag/</tag>
 	RIP route tag: a 16-bit number which can be used to carry additional
 	information with the route (for example, an originating AS number in
 	case of external routes). When a non-RIP route is exported to RIP, the
@@ -3691,6 +3748,7 @@ protocol rip [&lt;name&gt;] {
 </descrip>
 
 <sect1>Example
+<label id="rip-exam">
 
 <p><code>
 protocol rip {
@@ -3708,6 +3766,7 @@ protocol rip {
 
 
 <sect>Static
+<label id="static">
 
 <p>The Static protocol doesn't communicate with other routers in the network,
 but instead it allows you to define routes manually. This is often used for
@@ -3736,14 +3795,14 @@ definition of the protocol contains mainly a list of static routes.
 <p>Global options:
 
 <descrip>
-	<tag>check link <m/switch/</tag>
+	<tag><label id="static-check-link">check link <m/switch/</tag>
 	If set, hardware link states of network interfaces are taken into
 	consideration.  When link disappears (e.g. ethernet cable is unplugged),
 	static routes directing to that interface are removed. It is possible
 	that some hardware drivers or platforms do not implement this feature.
 	Default: off.
 
-	<tag>igp table <m/name/</tag>
+	<tag><label id="static-igp-table">igp table <m/name/</tag>
 	Specifies a table that is used for route table lookups of recursive
 	routes. Default: the same table as the protocol is connected to.
 </descrip>
@@ -3751,24 +3810,24 @@ definition of the protocol contains mainly a list of static routes.
 <p>Route definitions (each may also contain a block of per-route options):
 
 <descrip>
-	<tag>route <m/prefix/ via <m/ip/</tag>
+	<tag><label id="static-route-via-ip">route <m/prefix/ via <m/ip/</tag>
 	Static route through a neighboring router. For link-local next hops,
 	interface can be specified as a part of the address (e.g.,
 	<cf/via fe80::1234%eth0/).
 
-	<tag>route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via ...]</tag>
+	<tag><label id="static-route-via-mpath">route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via ...]</tag>
 	Static multipath route. Contains several nexthops (gateways), possibly
 	with their weights.
 
-	<tag>route <m/prefix/ via <m/"interface"/</tag>
+	<tag><label id="static-route-via-iface">route <m/prefix/ via <m/"interface"/</tag>
 	Static device route through an interface to hosts on a directly
 	connected network.
 
-	<tag>route <m/prefix/ recursive <m/ip/</tag>
+	<tag><label id="static-route-recursive">route <m/prefix/ recursive <m/ip/</tag>
 	Static recursive route, its nexthop depends on a route table lookup for
 	given IP address.
 
-	<tag>route <m/prefix/ blackhole|unreachable|prohibit</tag>
+	<tag><label id="static-route-drop">route <m/prefix/ blackhole|unreachable|prohibit</tag>
 	Special routes specifying to silently drop the packet, return it as
 	unreachable or return it as administratively prohibited. First two
 	targets are also known as <cf/drop/ and <cf/reject/.
@@ -3777,7 +3836,7 @@ definition of the protocol contains mainly a list of static routes.
 <p>Per-route options:
 
 <descrip>
-	<tag>bfd <m/switch/</tag>
+	<tag><label id="static-route-bfd">bfd <m/switch/</tag>
 	The Static protocol could use BFD protocol for next hop liveness
 	detection. If enabled, a BFD session to the route next hop is created
 	and the static route is BFD-controlled -- the static route is announced
@@ -3790,9 +3849,9 @@ definition of the protocol contains mainly a list of static routes.
 	This option can be used for static routes with a direct next hop, or
 	also for for individual next hops in a static multipath route (see
 	above). Note that BFD protocol also has to be configured, see
-	<ref id="sect-bfd" name="BFD"> section for details. Default value is no.
+	<ref id="bfd" name="BFD"> section for details. Default value is no.
 
-	<tag><m/filter expression/</tag>
+	<tag><label id="static-route-filter"><m/filter expression/</tag>
 	This is a special option that allows filter expressions to be configured
 	on per-route basis. Can be used multiple times. These expressions are
 	evaluated when the route is originated, similarly to the import filter
@@ -3829,8 +3888,10 @@ protocol static {
 
 
 <chapt>Conclusions
+<label id="conclusion">
 
 <sect>Future work
+<label id="future-work">
 
 <p>Although BIRD supports all the commonly used routing protocols, there are
 still some features which would surely deserve to be implemented in future
@@ -3846,6 +3907,7 @@ versions of BIRD:
 
 
 <sect>Getting more help
+<label id="help">
 
 <p>If you use BIRD, you're welcome to join the bird-users mailing list
 (<HTMLURL URL="mailto:bird-users@network.cz" name="bird-users@network.cz">)
diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping
index d95b1759..d2370d29 100644
--- a/doc/sbase/dist/birddoc/html/mapping
+++ b/doc/sbase/dist/birddoc/html/mapping
@@ -56,6 +56,7 @@
 <newline>		"<BR>"
 
 <label>		+	"<@@label>[ID]"		+
+</label>
 
 <header>
 </header>
diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index bd11b2d0..9b8962d8 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -56,7 +56,7 @@
 </newline>
 
 <label>			"\\label{[ID]}"
-</label>	
+</label>
 
 <header>	+	"\\markboth"
 </header>
@@ -110,7 +110,7 @@
 <heading>		"{"
 </heading>		"}\n\n"
 
-<p>
+<p>			"\\phantomsection{}"
 </p>			"\n\n"
 
 <itemize>	+	"\\begin{itemize}"	+
@@ -128,7 +128,7 @@
 <item>		+	"\\item "
 </item>
 
-<tag>		+	"\\item\[{\\ttfamily "
+<tag>		+	"\\phantomsection\\item\[{\\ttfamily "
 </tag>			"}\] \\hfil\\break\n"	+
 
 <tagp>		+	"\\item\[ "
@@ -224,17 +224,17 @@
 <cparam>		"\\cparam{"
 </cparam>		"}"
 
-<ref>			"\\ref{[ID]} {([NAME])}"
+<ref>			"\\hyperref\[[ID]\]{[NAME]} (p.\\,\\getpagerefnumber{[ID]})"
 </ref>
 
 <pageref>		"\\pageref{[ID]}"
 </pageref>
 
 %url added by HG
-<url>			"\\nameurl{[URL]}{[NAME]}"
+<url>			"\\href{[URL]}{[NAME]}"
 </url>
 
-<htmlurl>		"\\onlynameurl{[NAME]}"
+<htmlurl>		"\\href{[URL]}{[NAME]}"
 </htmlurl>
 
 <x>
diff --git a/doc/sbase/dtd/birddoc.dtd b/doc/sbase/dtd/birddoc.dtd
index 1654b0e5..6db5066a 100644
--- a/doc/sbase/dtd/birddoc.dtd
+++ b/doc/sbase/dtd/birddoc.dtd
@@ -564,9 +564,9 @@ anywhere else. <pavel@ucw.cz>
 <!element rhead - o (%inline)>
 <!entity % sect "heading, header?, p* " >
 <!element heading o o (%inline)>
-<!element chapt - o (%sect, sect*) +(footnote)> 
+<!element chapt - o (%sect, sect*) +(footnote)>
 <!element sect  - o (%sect, sect1*) +(footnote)>
-<!element sect1 - o (%sect, sect2*)>
+<!element sect1 - o (%sect, sect2*) +(footnote)>
 <!element sect2 - o (%sect, sect3*)>
 <!element sect3 - o (%sect, sect4*)>
 <!element sect4 - o (%sect)>

From 22558357d45c27583156f8c11412e37ce48a42e0 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 10:22:24 +0200
Subject: [PATCH 09/37] Doc: Add command-line options --version, --help

---
 doc/bird.sgml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index f2001e75..5cc12b28 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -181,6 +181,12 @@ BIRD executable by configuring out routing protocols you don't use, and
 
 	<tag><label id="argv-recovery">-R</tag>
 	apply graceful restart recovery after start.
+
+	<tag><label id="argv-version">--version</tag>
+	display bird version.
+
+	<tag><label id="argv-help">-h, --help</tag>
+	display command-line options to bird.
 </descrip>
 
 <p>BIRD writes messages about its work to log files or syslog (according to config).

From f5952c7343841fe4b7b63b7a56e95aba104f2e82 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 10:32:28 +0200
Subject: [PATCH 10/37] Doc: Daemon command-line options alphabet order

---
 doc/bird.sgml | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 5cc12b28..68851e3a 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -154,39 +154,39 @@ BIRD executable by configuring out routing protocols you don't use, and
 	<tag><label id="argv-log-file">-D <m/filename of debug log/</tag>
 	log debugging information to given file instead of stderr.
 
-	<tag><label id="argv-parse">-p</tag>
-	just parse the config file and exit. Return value is zero if the config
-	file is valid, nonzero if there are some errors.
-
-	<tag><label id="argv-socket">-s <m/name of communication socket/</tag>
-	use given filename for a socket for communications with the client,
-	default is <it/prefix/<file>/var/run/bird.ctl</file>.
-
-	<tag><label id="argv-pid">-P <m/name of PID file/</tag>
-	create a PID file with given filename.
-
-	<tag><label id="argv-user">-u <m/user/</tag>
-	drop privileges and use that user ID, see the next section for details.
+	<tag><label id="argv-foreground">-f</tag>
+	run bird in foreground.
 
 	<tag><label id="argv-group">-g <m/group/</tag>
 	use that group ID, see the next section for details.
 
-	<tag><label id="argv-foreground">-f</tag>
-	run bird in foreground.
+	<tag><label id="argv-help">-h, --help</tag>
+	display command-line options to bird.
 
 	<tag><label id="argv-local">-l</tag>
 	look for a configuration file and a communication socket in the current
 	working directory instead of in default system locations. However, paths
 	specified by options <cf/-c/, <cf/-s/ have higher priority.
 
+	<tag><label id="argv-parse">-p</tag>
+	just parse the config file and exit. Return value is zero if the config
+	file is valid, nonzero if there are some errors.
+
+	<tag><label id="argv-pid">-P <m/name of PID file/</tag>
+	create a PID file with given filename.
+
 	<tag><label id="argv-recovery">-R</tag>
 	apply graceful restart recovery after start.
 
+	<tag><label id="argv-socket">-s <m/name of communication socket/</tag>
+	use given filename for a socket for communications with the client,
+	default is <it/prefix/<file>/var/run/bird.ctl</file>.
+
+	<tag><label id="argv-user">-u <m/user/</tag>
+	drop privileges and use that user ID, see the next section for details.
+
 	<tag><label id="argv-version">--version</tag>
 	display bird version.
-
-	<tag><label id="argv-help">-h, --help</tag>
-	display command-line options to bird.
 </descrip>
 
 <p>BIRD writes messages about its work to log files or syslog (according to config).

From f15dc6813870565d01378265ab20e017757af220 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 10:59:43 +0200
Subject: [PATCH 11/37] Doc: Enable break lines in <tag></tag>

---
 doc/sbase/dist/birddoc/latex2e/mapping | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index 9b8962d8..161227d2 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -4,6 +4,7 @@
 % The \relax is there to avoid sgml2latex rewriting the class
 <book>		+ "\\relax\\documentclass\[a4paper,10pt,openany\]{book}\n"
 			"\\usepackage\[colorlinks=true,linkcolor=blue,pdftitle={BIRD User's Guide}\]{hyperref}\n"
+			"\\usepackage{enumitem}\n"
 			"\\usepackage{birddoc}\n"
 			"\\usepackage{qwertz}\n"
 			"\\usepackage{url}\n"
@@ -122,7 +123,7 @@
 <list>		+	"\\begin{list}{}{}\n"     +
 </list>		+	"\\end{list}"		+
 
-<descrip>	+	"\\begin{description}"	+
+<descrip>	+	"\\begin{description}\[style=unboxed\]"	+
 </descrip>	+	"\\end{description}"	+
 
 <item>		+	"\\item "

From 74d76f6c3877e4a745fb63b55486810322076153 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 11:36:44 +0200
Subject: [PATCH 12/37] Doc: Fix unnecessary special chars

---
 doc/bird.sgml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 68851e3a..591bb87a 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -815,7 +815,7 @@ This argument can be omitted if there exists only a single instance.
 	number of networks, number of routes before and after filtering). If
 	you use <cf/count/ instead, only the statistics will be printed.
 
-	<tag><label id="cli-show-roa">show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag>
+	<tag><label id="cli-show-roa">show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/]</tag>
 	Show contents of a ROA table (by default of the first one). You can
 	specify a <m/prefix/ to print ROA entries for a specific network. If you
 	use <cf>for <m/prefix/</cf>, you'll get all entries relevant for route
@@ -824,16 +824,16 @@ This argument can be omitted if there exists only a single instance.
 	entries covered by the network prefix. You could also use <cf/as/ option
 	to show just entries for given AS.
 
-	<tag><label id="cli-add-roa">add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
+	<tag><label id="cli-add-roa">add roa <m/prefix/ max <m/num/ as <m/num/ [table <m/t/]</tag>
 	Add a new ROA entry to a ROA table. Such entry is called <it/dynamic/
 	compared to <it/static/ entries specified in the config file. These
 	dynamic entries survive reconfiguration.
 
-	<tag><label id="cli-delete-roa">delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
+	<tag><label id="cli-delete-roa">delete roa <m/prefix/ max <m/num/ as <m/num/ [table <m/t/]</tag>
 	Delete the specified ROA entry from a ROA table. Only dynamic ROA
 	entries (i.e., the ones added by <cf/add roa/ command) can be deleted.
 
-	<tag><label id="cli-flush-roa">flush roa [table <m/t/>]</tag>
+	<tag><label id="cli-flush-roa">flush roa [table <m/t/]</tag>
 	Remove all dynamic ROA entries from a ROA table.
 
 	<tag><label id="cli-configure">configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag>

From f9bd11c337afcc3e95b459e3901a4ca28cb14b85 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 11:39:56 +0200
Subject: [PATCH 13/37] Doc: Use [table t] or [table name]

---
 doc/bird.sgml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 591bb87a..159cac46 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -780,7 +780,7 @@ This argument can be omitted if there exists only a single instance.
 	Show the list of symbols defined in the configuration (names of
 	protocols, routing tables etc.).
 
-	<tag><label id="cli-show-route">show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag>
+	<tag><label id="cli-show-route">show route [[for] <m/prefix/|<m/IP/] [table <m/t/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag>
 	Show contents of a routing table (by default of the main one or the
 	table attached to a respective protocol), that is routes, their metrics
 	and (in case the <cf/all/ switch is given) all their attributes.

From 70104ef4fb5f8105422d6eb811a93b68aeae709d Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 11:46:40 +0200
Subject: [PATCH 14/37] Doc: Generate one-sided version

This removes jumping offset for odd and even pages for binding book.
---
 doc/sbase/dist/birddoc/latex2e/mapping | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index 161227d2..7653cb78 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -2,7 +2,7 @@
 % birddoc to LaTeX replacement file
 
 % The \relax is there to avoid sgml2latex rewriting the class
-<book>		+ "\\relax\\documentclass\[a4paper,10pt,openany\]{book}\n"
+<book>		+ "\\relax\\documentclass\[a4paper,10pt,openany,oneside\]{book}\n"
 			"\\usepackage\[colorlinks=true,linkcolor=blue,pdftitle={BIRD User's Guide}\]{hyperref}\n"
 			"\\usepackage{enumitem}\n"
 			"\\usepackage{birddoc}\n"

From 963929df021ae54d8ff4cd18ca228932fc89dc13 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 12:04:44 +0200
Subject: [PATCH 15/37] Doc: Do not use symlinks for files

---
 doc/sbase/dist/birddoc/html/mapping    | 3 +++
 doc/sbase/dist/birddoc/latex2e/mapping | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping
index d2370d29..6d080738 100644
--- a/doc/sbase/dist/birddoc/html/mapping
+++ b/doc/sbase/dist/birddoc/html/mapping
@@ -135,6 +135,9 @@
 <ncite>			"[<I>[NOTE] ([ID])</I>]"
 </ncite>
 
+<file>			"<CODE>"
+</file>			"</CODE>"
+
 <footnote>	+	"<BLOCKQUOTE>"
 </footnote>		"</BLOCKQUOTE>"		+
 
diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index 7653cb78..e7c62e0a 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -156,7 +156,7 @@
 % The idea here is to automatically insert soft hyphens after every slash in
 % the filename, so long filenames will break naturally.  The url{} macro is
 % a kluge but it works,
-<file>			"\\url{"
+<file>			"{\\tt "
 </file>			"}"
 
 <footnote>		"\\footnote{"

From 9c20a8b7ae69487397392c720a5e75087c343df1 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 3 Oct 2016 12:35:36 +0200
Subject: [PATCH 16/37] Doc: Fix inline <htmlurl></htmlurl>

Don't make space before or after link name.
---
 doc/sbase/dist/birddoc/html/mapping | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping
index 6d080738..5ce36066 100644
--- a/doc/sbase/dist/birddoc/html/mapping
+++ b/doc/sbase/dist/birddoc/html/mapping
@@ -202,9 +202,7 @@
 			"<@@endurl>"		+
 </url>
 
-<htmlurl>	+	"<@@url>[URL]\n"
-			"[NAME]</A>\n"
-			"<@@endurl>"		+
+<htmlurl>		"<A HREF=\"[URL]\">[NAME]</A>"
 </htmlurl>
 
 % ref modified to have an optional name field

From 7935b9d21228dcd1eb95ebcb056b2a815e3e854b Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 29 Sep 2016 18:08:40 +0200
Subject: [PATCH 17/37] Doc: Add tag for links to RFCs

---
 doc/bird.sgml                          | 238 +++++++++++--------------
 doc/sbase/dist/birddoc/html/mapping    |   4 +
 doc/sbase/dist/birddoc/latex2e/mapping |   3 +
 doc/sbase/dtd/birddoc.dtd              |   6 +-
 4 files changed, 118 insertions(+), 133 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 159cac46..24be3de0 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -73,8 +73,8 @@ running on background which does the dynamic part of Internet routing, that is
 it communicates with the other routers, calculates routing tables and sends them
 to the OS kernel which does the actual packet forwarding. There already exist
 other such routing daemons: routed (RIP only), GateD (non-free),
-Zebra <HTMLURL URL="http://www.zebra.org"> and
-MRTD <HTMLURL URL="http://sourceforge.net/projects/mrt">,
+<HTMLURL URL="http://www.zebra.org" name="Zebra"> and
+<HTMLURL URL="http://sourceforge.net/projects/mrt" name="MRTD">,
 but their capabilities are limited and they are relatively hard to configure
 and maintain.
 
@@ -485,9 +485,9 @@ protocol rip {
 	used to validate route origination of BGP routes. A ROA table contains
 	ROA entries, each consist of a network prefix, a max prefix length and
 	an AS number. A ROA entry specifies prefixes which could be originated
-	by that AS number. ROA tables could be filled with data from RPKI (RFC
-	6480) or from public databases like Whois. ROA tables are examined by
-	<cf/roa_check()/ operator in filters.
+	by that AS number. ROA tables could be filled with data from RPKI (<rfc
+	id="6480">) or from public databases like Whois. ROA tables are
+	examined by <cf/roa_check()/ operator in filters.
 
 	Currently, there is just one option, <cf>roa <m/prefix/ max <m/num/ as
 	<m/num/</cf>, which can be used to populate the ROA table with static
@@ -1270,9 +1270,9 @@ clist) or on clist and pair/quad set (returning true if there is an element of
 the clist that is also a member of the pair/quad set).
 
 <p>There is one operator related to ROA infrastructure - <cf/roa_check()/. It
-examines a ROA table and does RFC 6483 route origin validation for a given
-network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which checks
-current route (which should be from BGP to have AS_PATH argument) in the
+examines a ROA table and does <rfc id="6483"> route origin validation for a
+given network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which
+checks current route (which should be from BGP to have AS_PATH argument) in the
 specified ROA table and returns ROA_UNKNOWN if there is no relevant ROA,
 ROA_VALID if there is a matching ROA, or ROA_INVALID if there are some relevant
 ROAs but none of them match. There is also an extended variant
@@ -1434,11 +1434,12 @@ corresponding protocol sections.
 <sect1>Introduction
 <label id="babel-intro">
 
-<p>The Babel protocol (RFC6126) is a loop-avoiding distance-vector routing
-protocol that is robust and efficient both in ordinary wired networks and in
-wireless mesh networks. Babel is conceptually very simple in its operation and
-"just works" in its default configuration, though some configuration is possible
-and in some cases desirable.
+<p>The Babel protocol
+(<rfc id="6126">) is a loop-avoiding distance-vector routing protocol that is
+robust and efficient both in ordinary wired networks and in wireless mesh
+networks. Babel is conceptually very simple in its operation and "just works"
+in its default configuration, though some configuration is possible and in some
+cases desirable.
 
 <p>While the Babel protocol is dual stack (i.e., can carry both IPv4 and IPv6
 routes over the same IPv6 transport), BIRD presently implements only the IPv6
@@ -1580,14 +1581,10 @@ addresses and associated interfaces. When a session changes its state, these
 protocols are notified and act accordingly (e.g. break an OSPF adjacency when
 the BFD session went down).
 
-<p>BIRD implements basic BFD behavior as defined in
-RFC 5880<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5880.txt">
-(some advanced features like the echo mode or authentication are not implemented),
-IP transport for BFD as defined in
-RFC 5881<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5881.txt"> and
-RFC 5883<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5883.txt">
-and interaction with client protocols as defined in
-RFC 5882<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5882.txt">.
+<p>BIRD implements basic BFD behavior as defined in <rfc id="5880"> (some
+advanced features like the echo mode or authentication are not implemented), IP
+transport for BFD as defined in <rfc id="5881"> and <rfc id="5883"> and
+interaction with client protocols as defined in <rfc id="5882">.
 
 <p>Note that BFD implementation in BIRD is currently a new feature in
 development, expect some rough edges and possible UI and configuration changes
@@ -1764,31 +1761,16 @@ the packet will travel through if it uses the particular route) in order to
 avoid routing loops.
 
 <p>BIRD supports all requirements of the BGP4 standard as defined in
-RFC 4271<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4271.txt">
-It also supports the community attributes
-(RFC 1997<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1997.txt">),
-capability negotiation
-(RFC 5492<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5492.txt">),
-MD5 password authentication
-(RFC 2385<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2385.txt">),
-extended communities
-(RFC 4360<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4360.txt">),
-route reflectors
-(RFC 4456<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4456.txt">),
-graceful restart
-(RFC 4724<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4724.txt">),
-multiprotocol extensions
-(RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">),
-4B AS numbers
-(RFC 4893<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4893.txt">),
-and 4B AS numbers in extended communities
-(RFC 5668<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5668.txt">).
+<rfc id="4271"> It also supports the community attributes (<rfc id="1997">),
+capability negotiation (<rfc id="5492">), MD5 password authentication (<rfc
+id="2385">), extended communities (<rfc id="4360">), route reflectors (<rfc
+id="4456">), graceful restart (<rfc id="4724">), multiprotocol extensions
+(<rfc id="4760">), 4B AS numbers (<rfc id="4893">), and 4B AS numbers in
+extended communities (<rfc id="5668">).
 
 
 For IPv6, it uses the standard multiprotocol extensions defined in
-RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">
-and applied to IPv6 according to
-RFC 2545<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2545.txt">.
+<rfc id="4760"> and applied to IPv6 according to <rfc id="2545">.
 
 <sect1>Route selection rules
 <label id="bgp-route-select-rules">
@@ -1938,20 +1920,20 @@ using the following configuration parameters:
 	<ref id="bfd" name="BFD"> section for details. Default: disabled.
 
 	<tag><label id="bgp-ttl-security">ttl security <m/switch/</tag>
-	Use GTSM (RFC 5082 - the generalized TTL security mechanism). GTSM
-	protects against spoofed packets by ignoring doc/bird.sgmlreceived packets with a
+	Use GTSM (<rfc id="5082"> - the generalized TTL security mechanism). GTSM
+	protects against spoofed packets by ignoring received packets with a
 	smaller than expected TTL. To work properly, GTSM have to be enabled on
-	both sides of a BGP session. If both <cf/ttl security/ and <cf/multihop/
-	options are enabled, <cf/multihop/ option should specify proper hop
-	value to compute expected TTL. Kernel support required: Linux: 2.6.34+
-	(IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only. Note that full
-	(ICMP protection, for example) RFC 5082 support is provided by Linux
-	only. Default: disabled.
+	both sides of a BGP session. If both <cf/ttl security/ and
+	<cf/multihop/ options are enabled, <cf/multihop/ option should specify
+	proper hop value to compute expected TTL. Kernel support required:
+	Linux: 2.6.34+ (IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only.
+	Note that full (ICMP protection, for example) <rfc id="5082"> support is
+	provided by Linux only. Default: disabled.
 
 	<tag><label id="bgp-pass">password <m/string/</tag>
-	Use this password for MD5 authentication of BGP sessions (RFC 2385).
-	When used on BSD systems, see also <cf/setkey/ option below. Default:
-	no authentication.
+	Use this password for MD5 authentication of BGP sessions (<rfc id="2385">). When
+	used on BSD systems, see also <cf/setkey/ option below. Default: no
+	authentication.
 
 	<tag><label id="bgp-setkey">setkey <m/switch/</tag>
 	On BSD systems, keys for TCP MD5 authentication are stored in the global
@@ -1966,7 +1948,7 @@ using the following configuration parameters:
 
 	<tag><label id="bgp-passive">passive <m/switch/</tag>
 	Standard BGP behavior is both initiating outgoing connections and
-	accepting incoming connections. In passive modoc/bird.sgmlde, outgoing connections
+	accepting incoming connections. In passive mode, outgoing connections
 	are not initiated. Default: off.
 
 	<tag><label id="bgp-rr-client">rr client</tag>
@@ -1985,11 +1967,11 @@ using the following configuration parameters:
 	Be a route server and treat the neighbor as a route server client.
 	A route server is used as a replacement for full mesh EBGP routing in
 	Internet exchange points in a similar way to route reflectors used in
-	IBGP routing. BIRD does not implement obsoleted RFC 1863, but uses
-	ad-hoc implementation, which behaves like plain EBGP but reduces
+	IBGP routing. BIRD does not implement obsoleted <rfc id="1863">, but
+	uses ad-hoc implementation, which behaves like plain EBGP but reduces
 	modifications to advertised route attributes to be transparent (for
-	example does not prepend its AS number to AS PATH attribute and keeps
-	MED attribute). Default: disabled.
+	example does not prepend its AS number to AS PATH attribute and
+	keeps MED attribute). Default: disabled.
 
 	<tag><label id="bgp-secondary">secondary <m/switch/</tag>
 	Usually, if an export filter rejects a selected route, no other route is
@@ -2023,27 +2005,28 @@ using the following configuration parameters:
 	to keep BGP speakers synchronized. Sometimes (e.g., if BGP speaker
 	changes its import filter, or if there is suspicion of inconsistency) it
 	is necessary to do a new complete route exchange. BGP protocol extension
-	Route Refresh (RFC 2918) allows BGP speaker to request re-advertisement
-	of all routes from its neighbor. BGP protocol extension Enhanced Route
-	Refresh (RFC 7313) specifies explicit begin and end for such exchanges,
-	therefore the receiver can remove stale routes that were not advertised
-	during the exchange. This option specifies whether BIRD advertises these
-	capabilities and supports related procedures. Note that even when
-	disabled, BIRD can send route refresh requests. Default: on.
+	Route Refresh (<rfc id="2918">) allows BGP speaker to request
+	re-advertisement of all routes from its neighbor. BGP protocol
+	extension Enhanced Route Refresh (<rfc id="7313">) specifies explicit
+	begin and end for such exchanges, therefore the receiver can remove
+	stale routes that were not advertised during the exchange. This option
+	specifies whether BIRD advertises these capabilities and supports
+	related procedures. Note that even when disabled, BIRD can send route
+	refresh requests.  Default: on.
 
 	<tag><label id="bgp-graceful-restart">graceful restart <m/switch/|aware</tag>
 	When a BGP speaker restarts or crashes, neighbors will discard all
 	received paths from the speaker, which disrupts packet forwarding even
-	when the forwarding plane of the speaker remains intact. RFC 4724
-	specifies an optional graceful restart mechanism to alleviate this
-	issue. This option controls the mechanism. It has three states:
-	Disabled, when no support is provided. Aware, when the graceful restart
-	support is announced and the support for restarting neighbors is
-	provided, but no local graceful restart is allowed (i.e. receiving-only
-	role). Enabled, when the full graceful restart support is provided
-	(i.e. both restarting and receiving role). Note that proper support for
-	local graceful restart requires also configuration of other protocols.
-	Default: aware.
+	when the forwarding plane of the speaker remains intact. <rfc
+	id="4724"> specifies an optional graceful restart mechanism to
+	alleviate this issue. This option controls the mechanism. It has three
+	states: Disabled, when no support is provided. Aware, when the graceful
+	restart support is announced and the support for restarting neighbors
+	is provided, but no local graceful restart is allowed (i.e.
+	receiving-only role). Enabled, when the full graceful restart
+	support is provided (i.e. both restarting and receiving role). Note
+	that proper support for local graceful restart requires also
+	configuration of other protocols.  Default: aware.
 
 	<tag><label id="bgp-graceful-restart-time">graceful restart time <m/number/</tag>
 	The restart time is announced in the BGP graceful restart capability
@@ -2052,15 +2035,15 @@ using the following configuration parameters:
 	120 seconds.
 
 	<tag><label id="bgp-interpret-communities">interpret communities <m/switch/</tag>
-	RFC 1997 demands that BGP speaker should process well-known communities
-	like no-export (65535, 65281) or no-advertise (65535, 65282). For
-	example, received route carrying a no-adverise community should not be
-	advertised to any of its neighbors. If this option is enabled (which is
-	by default), BIRD has such behavior automatically (it is evaluated when
-	a route is exported to the BGP protocol just before the export filter).
-	Otherwise, this integrated processing of well-known communities is
-	disabled. In that case, similar behavior can be implemented in the
-	export filter. Default: on.
+	<rfc id="1997"> demands that BGP speaker should process well-known
+	communities like no-export (65535, 65281) or no-advertise (65535,
+	65282). For example, received route carrying a no-adverise community
+	should not be advertised to any of its neighbors. If this option is
+	enabled (which is by default), BIRD has such behavior automatically (it
+	is evaluated when a route is exported to the BGP protocol just before
+	the export filter).  Otherwise, this integrated processing of
+	well-known communities is disabled. In that case, similar behavior can
+	be implemented in the export filter.  Default: on.
 
 	<tag><label id="bgp-enable-as4">enable as4 <m/switch/</tag>
 	BGP protocol was designed to use 2B AS numbers and was extended later to
@@ -2085,17 +2068,17 @@ using the following configuration parameters:
 
 	<tag><label id="bgp-advertise-ipv4">advertise ipv4 <m/switch/</tag>
 	Advertise IPv4 multiprotocol capability. This is not a correct behavior
-	according to the strict interpretation of RFC 4760, but it is widespread
-	and required by some BGP implementations (Cisco and Quagga). This option
-	is relevant to IPv4 mode with enabled capability advertisement
-	only. Default: on.
+	according to the strict interpretation of <rfc id="4760">, but it is
+	widespread and required by some BGP implementations (Cisco and Quagga).
+	This option is relevant to IPv4 mode with enabled capability
+	advertisement only. Default: on.
 
 	<tag><label id="bgp-route-limit">route limit <m/number/</tag>
 	The maximal number of routes that may be imported from the protocol. If
 	the route limit is exceeded, the connection is closed with an error.
 	Limit is currently implemented as <cf>import limit <m/number/ action
 	restart</cf>. This option is obsolete and it is replaced by
-	<ref id="proto-import-limit" name="import limit option">. Default: no	limit.
+	<ref id="proto-import-limit" name="import limit option">. Default: no limit.
 
 	<tag><label id="bgp-disable-after-error">disable after error <m/switch/</tag>
 	When an error is encountered (either locally or by the other side),
@@ -2152,16 +2135,16 @@ using the following configuration parameters:
 	BGP route selection algorithm is often viewed as a comparison between
 	individual routes (e.g. if a new route appears and is better than the
 	current best one, it is chosen as the new best one). But the proper
-	route selection, as specified by RFC 4271, cannot be fully implemented
-	in that way. The problem is mainly in handling the MED attribute. BIRD,
-	by default, uses an simplification based on individual route comparison,
-	which in some cases may lead to temporally dependent behavior (i.e. the
-	selection is dependent on the order in which routes appeared). This
-	option enables a different (and slower) algorithm implementing proper
-	RFC 4271 route selection, which is deterministic. Alternative way how to
-	get deterministic behavior is to use <cf/med metric/ option. This option
-	is incompatible with <ref id="dsc-table-sorted" name="sorted tables">.
-	Default: off.
+	route selection, as specified by <rfc id="4271">, cannot be fully
+	implemented in that way. The problem is mainly in handling the MED
+	attribute. BIRD, by default, uses an simplification based on individual
+	route comparison, which in some cases may lead to temporally dependent
+	behavior (i.e. the selection is dependent on the order in which routes
+	appeared). This option enables a different (and slower) algorithm
+	implementing proper <rfc id="4271"> route selection, which is
+	deterministic. Alternative way how to get deterministic behavior is to
+	use <cf/med metric/ option. This option is incompatible with <ref
+	id="dsc-table-sorted" name="sorted tables">.  Default: off.
 
 	<tag><label id="bgp-igp-metric">igp metric <m/switch/</tag>
 	Enable comparison of internal distances to boundary routers during best
@@ -2170,7 +2153,7 @@ using the following configuration parameters:
 	<tag><label id="bgp-prefer-older">prefer older <m/switch/</tag>
 	Standard route selection algorithm breaks ties by comparing router IDs.
 	This changes the behavior to prefer older routes (when both are external
-	and from different peer). For details, see RFC 5004. Default: off.
+	and from different peer). For details, see <rfc id="5004">. Default: off.
 
 	<tag><label id="bgp-default-med">default bgp_med <m/number/</tag>
 	Value of the Multiple Exit Discriminator to be used during route
@@ -2210,8 +2193,8 @@ some of them (marked with `<tt/O/') are optional.
 	when a route is exported to an external BGP instance to ensure that the
 	attribute received from a neighboring AS is not propagated to other
 	neighboring ASes. A new value might be set in the export filter of an
-	external BGP instance. See RFC 4451<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4451.txt">
-	for further discussion of BGP MED attribute.
+	external BGP instance. See <rfc id="4451"> for further discussion of
+	BGP MED attribute.
 
 	<tag><label id="rta-bgp-origin">enum bgp_origin/</tag>
 	Origin of the route: either <cf/ORIGIN_IGP/ if the route has originated
@@ -2580,15 +2563,13 @@ protocol kernel {		# Secondary routing table
 <label id="ospf-intro">
 
 <p>Open Shortest Path First (OSPF) is a quite complex interior gateway
-protocol. The current IPv4 version (OSPFv2) is defined in RFC 2328
-<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2328.txt">
-and the current IPv6 version (OSPFv3) is defined in RFC 5340
-<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5340.txt">
-It's a link state (a.k.a. shortest path first) protocol -- each router maintains
-a database describing the autonomous system's topology. Each participating
-router has an identical copy of the database and all routers run the same
-algorithm calculating a shortest path tree with themselves as a root. OSPF
-chooses the least cost path as the best path.
+protocol. The current IPv4 version (OSPFv2) is defined in <rfc id="2328"> and
+the current IPv6 version (OSPFv3) is defined in <rfc id="5340"> It's a link
+state (a.k.a. shortest path first) protocol -- each router maintains a database
+describing the autonomous system's topology. Each participating router has an
+identical copy of the database and all routers run the same algorithm
+calculating a shortest path tree with themselves as a root. OSPF chooses the
+least cost path as the best path.
 
 <p>In OSPF, the autonomous system can be split to several areas in order to
 reduce the amount of resources consumed for exchanging the routing information
@@ -2708,8 +2689,7 @@ protocol ospf &lt;name&gt; {
 <descrip>
 	<tag><label id="ospf-rfc1583compat">rfc1583compat <M>switch</M></tag>
 	This option controls compatibility of routing table calculation with
-	RFC 1583 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1583.txt">.
-	Default	value is no.
+	<rfc id="1583">. Default value is no.
 
 	<tag><label id="ospf-instance-id">instance id <m/num/</tag>
 	When multiple OSPF protocol instances are active on the same links, they
@@ -2726,9 +2706,8 @@ protocol ospf &lt;name&gt; {
 	that participates in the OSPF topology but does not allow transit
 	traffic. In OSPFv2, this is implemented by advertising maximum metric
 	for outgoing links. In OSPFv3, the stub router behavior is announced by
-	clearing the R-bit in the router LSA. See RFC 6987
-	<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6987.txt"> for
-	details. Default value is no.
+	clearing the R-bit in the router LSA. See <rfc id="6987"> for details.
+	Default value is no.
 
 	<tag><label id="ospf-tick">tick <M>num</M></tag>
 	The routing table calculation and clean-up of areas' databases is not
@@ -2839,10 +2818,9 @@ protocol ospf &lt;name&gt; {
 
 	You can specify alternative instance ID for the interface definition,
 	therefore it is possible to have several instances of that interface
-	with different options or even in different areas. For OSPFv2,
-	instance ID support is an extension (RFC 6549
-	<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6549.txt">) and is
-	supposed to be set per-protocol. For OSPFv3, it is an integral feature.
+	with different options or even in different areas. For OSPFv2, instance
+	ID support is an extension (<rfc id="6549">) and is supposed to be set
+	per-protocol. For OSPFv3, it is an integral feature.
 
 	<tag><label id="ospf-virtual-link">virtual link <M>id</M> [instance <m/num/]</tag>
 	Virtual link to router with the router id. Virtual link acts as a
@@ -3266,9 +3244,7 @@ time intervals or as an answer to a request) advertisement packets to connected
 networks. These packets contain basic information about a local network (e.g. a
 list of network prefixes), which allows network hosts to autoconfigure network
 addresses and choose a default route. BIRD implements router behavior as defined
-in RFC 4861<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4861.txt">
-and also the DNS extensions from
-RFC 6106<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6106.txt">.
+in <rfc id="4861"> and also the DNS extensions from <rfc id="6106">.
 
 <sect1>Configuration
 <label id="radv-config">
@@ -3523,12 +3499,9 @@ counting to infinity is necessary, because it is slow. Due to infinity being 16,
 you can't use RIP on networks where maximal distance is higher than 15
 hosts.
 
-<p>BIRD supports RIPv1
-(RFC 1058<htmlurl url="http://www.rfc-editor.org/rfc/rfc1058.txt">),
-RIPv2 (RFC 2453<htmlurl url="http://www.rfc-editor.org/rfc/rfc2453.txt">),
-RIPng (RFC 2080<htmlurl url="http://www.rfc-editor.org/rfc/rfc2080.txt">),
-and RIP cryptographic authentication (SHA-1 not implemented)
-(RFC 4822<htmlurl url="http://www.rfc-editor.org/rfc/rfc4822.txt">).
+<p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc
+id="2080">), and RIP cryptographic authentication (SHA-1 not implemented)
+(<rfc id="4822">).
 
 <p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
 convergence, big network load and inability to handle larger networks makes it
@@ -3707,8 +3680,9 @@ protocol rip [&lt;name&gt;] {
 	compatibility with neighbors regardless of whether they use ttl
 	security.
 
-	For RIPng, TTL security is a standard behavior (required by RFC 2080)
-	and therefore default value is yes. For IPv4 RIP, default value is no.
+	For RIPng, TTL security is a standard behavior (required by <rfc
+	id="2080">) and therefore default value is yes. For IPv4 RIP, default
+	value is no.
 
 	<tag><label id="rip-iface-tx-class">tx class|dscp|priority <m/number/</tag>
 	These options specify the ToS/DiffServ/Traffic class/Priority of the
diff --git a/doc/sbase/dist/birddoc/html/mapping b/doc/sbase/dist/birddoc/html/mapping
index 5ce36066..1f05070c 100644
--- a/doc/sbase/dist/birddoc/html/mapping
+++ b/doc/sbase/dist/birddoc/html/mapping
@@ -205,6 +205,10 @@
 <htmlurl>		"<A HREF=\"[URL]\">[NAME]</A>"
 </htmlurl>
 
+<rfc>			"<A HREF=\"http://www.rfc-editor.org/info/rfc[ID]\">RFC [ID]</A>"
+</rfc>
+
+
 % ref modified to have an optional name field
 <ref>		+	"<@@ref>[ID]\n"
 			"[NAME]</A>\n"
diff --git a/doc/sbase/dist/birddoc/latex2e/mapping b/doc/sbase/dist/birddoc/latex2e/mapping
index e7c62e0a..f53bbbe4 100644
--- a/doc/sbase/dist/birddoc/latex2e/mapping
+++ b/doc/sbase/dist/birddoc/latex2e/mapping
@@ -238,6 +238,9 @@
 <htmlurl>		"\\href{[URL]}{[NAME]}"
 </htmlurl>
 
+<rfc>			"\\href{http://www.rfc-editor.org/info/rfc[ID]}{RFC [ID]}"
+</rfc>
+
 <x>
 </x>
 
diff --git a/doc/sbase/dtd/birddoc.dtd b/doc/sbase/dtd/birddoc.dtd
index 6db5066a..1db2af6c 100644
--- a/doc/sbase/dtd/birddoc.dtd
+++ b/doc/sbase/dtd/birddoc.dtd
@@ -99,7 +99,7 @@ anywhere else. <pavel@ucw.cz>
 
 <!-- url added by HG; htmlurl added by esr -->
 <!entity % xref
-	" label|ref|pageref|cite|url|htmlurl|ncite " >
+	" label|ref|pageref|cite|url|htmlurl|rfc|ncite " >
 
 <!entity % inline
 	" (#pcdata | f| x| %emph; |sq| %xref | %index | file )* " >
@@ -501,6 +501,10 @@ anywhere else. <pavel@ucw.cz>
         url cdata #required
         name cdata "&urlnam" >
 
+<!element rfc - o empty>
+<!attlist rfc
+        id cdata #required>
+
 <!element pageref - o empty>
 <!attlist pageref
         id cdata #required>

From c2564d34af9e01a828c24b0be7f269e5b036b5da Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Sat, 1 Oct 2016 12:50:29 +0200
Subject: [PATCH 18/37] Tree/Trie: Check the end of buffer

We set buffer->pos to buffer->end in function buffer_print() when
bvsnprintf() failed, so there would be uninitialized memory between
the old buffer->pos and the current buffer->pos.
---
 filter/tree.c | 3 +++
 filter/trie.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/filter/tree.c b/filter/tree.c
index 328c7184..1196e630 100644
--- a/filter/tree.c
+++ b/filter/tree.c
@@ -165,6 +165,9 @@ tree_format(struct f_tree *t, buffer *buf)
  
   tree_node_format(t, buf);
 
+  if (buf->pos == buf->end)
+    return;
+
   /* Undo last separator */
   if (buf->pos[-1] != '[')
     buf->pos -= 2;
diff --git a/filter/trie.c b/filter/trie.c
index fba395d1..565ae82f 100644
--- a/filter/trie.c
+++ b/filter/trie.c
@@ -300,6 +300,9 @@ trie_format(struct f_trie *t, buffer *buf)
     buffer_print(buf, "%I/%d, ", IPA_NONE, 0);
   trie_node_format(t->root, buf);
 
+  if (buf->pos == buf->end)
+    return;
+
   /* Undo last separator */
   if (buf->pos[-1] != '[')
     buf->pos -= 2;

From 3d28f0145382feddcf7f66c0a20b6c5b3e0edbc9 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 26 Sep 2016 18:05:51 +0200
Subject: [PATCH 19/37] Doc: Fix deprecated unescaped braces in perl script

This commit should fix warning `make docs'

./sgml2html bird.sgml Unescaped left brace in regex is deprecated,
  passed through in regex; marked by <-- HERE in m/\\nameurl{ <-- HERE
    (.*)}{(.*)}/ at fmt_latex2e.pl line 287.
---
 doc/sbase/dist/fmt_latex2e.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/sbase/dist/fmt_latex2e.pl b/doc/sbase/dist/fmt_latex2e.pl
index 1f121743..d0656b7d 100644
--- a/doc/sbase/dist/fmt_latex2e.pl
+++ b/doc/sbase/dist/fmt_latex2e.pl
@@ -284,11 +284,11 @@ $latex2e->{postASP} = sub
 	# for nameurl
 	   if ( /\\nameurl/ )
 	     {
-		($urlid, $urlnam) = ($_ =~ /\\nameurl{(.*)}{(.*)}/);
+		($urlid, $urlnam) = ($_ =~ /\\nameurl\{(.*)\}\{(.*)\}/);
 		print $urlnum . ": " . $urlid . "\n" if ( $global->{debug} );
 
 		$urldef = latex2e_defnam($urlnum) . "url";
-		s/\\nameurl{.*}{.*}/{\\em $urlnam} {\\tt \\$urldef}/;
+		s/\\nameurl\{.*\}\{.*\}/{\\em $urlnam} {\\tt \\$urldef}/;
 		push @urlnames, $_;
 		push @urldefines, "\\urldef{\\$urldef} \\url{$urlid}\n";
 		$urlnum++;

From 9fcb9637b55d234dfedfcb54bd76ed5a9570b7a1 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 19 Sep 2016 16:01:29 +0200
Subject: [PATCH 20/37] Nest: Remove trailing whitespaces

---
 nest/config.Y | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nest/config.Y b/nest/config.Y
index ca705640..b03f1a7f 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -87,7 +87,7 @@ CF_GRAMMAR
 
 CF_ADDTO(conf, rtrid)
 
-rtrid: 
+rtrid:
    ROUTER ID idval ';' { new_config->router_id = $3; }
  | ROUTER ID FROM iface_patt ';' { new_config->router_id_from = this_ipatt; }
  ;
@@ -125,7 +125,7 @@ listen_opts:
  | listen_opts listen_opt
  ;
 
-listen_opt: 
+listen_opt:
    ADDRESS ipa { new_config->listen_bgp_addr = $2; }
  | PORT expr { new_config->listen_bgp_port = $2; }
  | V6ONLY { new_config->listen_bgp_flags = 0; }
@@ -293,7 +293,7 @@ iface_negate:
  ;
 
 iface_patt_node:
-   iface_patt_node_init iface_negate iface_patt_node_body 
+   iface_patt_node_init iface_negate iface_patt_node_body
  ;
 
 
@@ -397,7 +397,7 @@ password_list:
  | password_item
 ;
 
-password_items: 
+password_items:
     /* empty */
   | password_item ';' password_items
 ;
@@ -426,7 +426,7 @@ password_item_begin:
 ;
 
 password_item_params:
-   /* empty */ { } 
+   /* empty */ { }
  | GENERATE FROM datetime ';' password_item_params { this_p_item->genfrom = $3; }
  | GENERATE TO datetime ';' password_item_params { this_p_item->gento = $3; }
  | ACCEPT FROM datetime ';' password_item_params { this_p_item->accfrom = $3; }
@@ -602,7 +602,7 @@ sym_args:
 
 
 roa_table_arg:
-   /* empty */ { 
+   /* empty */ {
      if (roa_table_default == NULL)
        cf_error("No ROA table defined");
      $$ = roa_table_default;

From 9df52a98e2eae28f219510d4c3d65ec43a50c394 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Mon, 5 Sep 2016 11:20:28 +0200
Subject: [PATCH 21/37] Doc: Change debug to { flag1|flag2|flag3  [, ...] }
 style

Thanks to Micah Anderson for bug report and Ondrej Zajicek for the idea!
---
 doc/bird.sgml | 32 ++++++++++++++++----------------
 nest/config.Y |  6 +++---
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 24be3de0..a07201ce 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -344,7 +344,7 @@ protocol rip {
 
 	<tag><label id="opt-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag>
 	Set logging of messages having the given class (either <cf/all/ or
-	<cf/{ error, trace }/ etc.) into selected destination (a file specified
+	<cf/{ error|trace [, <m/.../] }/ etc.) into selected destination (a file specified
 	as a filename string, syslog with optional name argument, or the stderr
 	output). Classes are:
 	<cf/info/, <cf/warning/, <cf/error/ and <cf/fatal/ for messages about local problems,
@@ -356,7 +356,7 @@ protocol rip {
 	You may specify more than one <cf/log/ line to establish logging to
 	multiple destinations. Default: log everything to the system log.
 
-	<tag><label id="opt-debug-protocols">debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag>
+	<tag><label id="opt-debug-protocols">debug protocols all|off|{ states|routes|filters|interfaces|events|packets [, <m/.../] }</tag>
 	Set global defaults of protocol debugging options. See <cf/debug/ in the
 	following section. Default: off.
 
@@ -386,7 +386,7 @@ protocol rip {
 	Set MRTdump file name. This option must be specified to allow MRTdump
 	feature. Default: no dump file.
 
-	<tag><label id="opt-mrtdump-protocols">mrtdump protocols all|off|{ states, messages }</tag>
+	<tag><label id="opt-mrtdump-protocols">mrtdump protocols all|off|{ states|messages [, <m/.../] }</tag>
 	Set global defaults of MRTdump options. See <cf/mrtdump/ in the
 	following section. Default: off.
 
@@ -397,7 +397,7 @@ protocol rip {
 	<tag><label id="opt-function">function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag>
 	Define a function. You can learn more about functions in the following chapter.
 
-	<tag><label id="opt-protocol">protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
+	<tag><label id="opt-protocol">protocol rip|ospf|bgp|<m/.../ [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
 	Define a protocol instance called <cf><m/name/</cf> (or with a name like
 	"rip5" generated automatically if you don't specify any
 	<cf><m/name/</cf>). You can learn more about configuring protocols in
@@ -406,7 +406,7 @@ protocol rip {
 	<cf><m/name2/</cf> You can run more than one instance of most protocols
 	(like RIP or BGP). By default, no instances are configured.
 
-	<tag><label id="opt-template">template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
+	<tag><label id="opt-template">template rip|bgp|<m/.../ [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
 	Define a protocol template instance called <m/name/ (or with a name like
 	"bgp1" generated automatically if you don't specify any	<m/name/).
 	Protocol templates can be used to group common options when many
@@ -427,7 +427,7 @@ protocol rip {
 	version, the lowest IP address of a non-loopback interface. In IPv6
 	version, this option is mandatory.
 
-	<tag><label id="opt-router-id-from">router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag>
+	<tag><label id="opt-router-id-from">router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, <m/.../]</tag>
 	Set BIRD's router ID based on an IP address of an interface specified by
 	an interface pattern. The option is applicable for IPv4 version only.
 	See <ref id="proto-iface" name="interface"> section for detailed
@@ -480,7 +480,7 @@ protocol rip {
 	Option <cf/sorted/ can be used to enable sorting of routes, see
 	<ref id="dsc-table-sorted" name="sorted table"> description for details.
 
-	<tag><label id="opt-roa-table">roa table <m/name/ [ { roa table options ... } ]</tag>
+	<tag><label id="opt-roa-table">roa table <m/name/ [ { <m/roa table options .../ } ]</tag>
 	Create a new ROA (Route Origin Authorization) table. ROA tables can be
 	used to validate route origination of BGP routes. A ROA table contains
 	ROA entries, each consist of a network prefix, a max prefix length and
@@ -522,7 +522,7 @@ agreement").
 	command line interface without needing to touch the configuration.
 	Disabled protocols are not activated. Default: protocol is enabled.
 
-	<tag><label id="proto-debug">debug all|off|{ states, routes, filters, interfaces, events, packets }</tag>
+	<tag><label id="proto-debug">debug all|off|{ states|routes|filters|interfaces|events|packets [, <m/.../] }</tag>
 	Set protocol debugging options. If asked, each protocol is capable of
 	writing trace messages about its work to the log (with category
 	<cf/trace/). You can either request printing of <cf/all/ trace messages
@@ -533,7 +533,7 @@ agreement").
 	protocol, <cf/events/ for events internal to the protocol and <cf/packets/
 	for packets sent and received by the protocol. Default: off.
 
-	<tag><label id="proto-mrtdump">mrtdump all|off|{ states, messages }</tag>
+	<tag><label id="proto-mrtdump">mrtdump all|off|{ states|messages [, <m/.../] }</tag>
 	Set protocol MRTdump flags. MRTdump is a standard binary format for
 	logging information from routing protocols and daemons. These flags
 	control what kind of information is logged from the protocol to the
@@ -603,7 +603,7 @@ agreement").
 <p>There are several options that give sense only with certain protocols:
 
 <descrip>
-	<tag><label id="proto-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag>
+	<tag><label id="proto-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, <m/.../] [ { <m/option/; [<m/.../] } ]</tag>
 	Specifies a set of interfaces on which the protocol is activated with
 	given interface-specific options. A set of interfaces specified by one
 	interface option is described using an interface pattern. The interface
@@ -895,7 +895,7 @@ This argument can be omitted if there exists only a single instance.
 	<tag><label id="cli-down">down</tag>
 	Shut BIRD down.
 
-	<tag><label id="cli-debug">debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag>
+	<tag><label id="cli-debug">debug <m/protocol/|<m/pattern/|all all|off|{ states|routes|filters|events|packets [, <m/.../] }</tag>
 	Control protocol debugging.
 
 	<tag><label id="cli-dump">dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag>
@@ -1638,7 +1638,7 @@ protocol bfd [&lt;name&gt;] {
 </code>
 
 <descrip>
-	<tag><label id="bfd-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="bfd-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag>
 	Interface definitions allow to specify options for sessions associated
 	with such interfaces and also may contain interface specific options.
 	See <ref id="proto-iface" name="interface"> common option for a detailed
@@ -2356,7 +2356,7 @@ on Linux systems BIRD cannot change non-BIRD route in the kernel routing table.
 <p>There are just few configuration options for the Direct protocol:
 
 <p><descrip>
-	<tag><label id="direct-iface">interface <m/pattern [, ...]/</tag>
+	<tag><label id="direct-iface">interface <m/pattern/ [, <m/.../]</tag>
 	By default, the Direct protocol will generate device routes for all the
 	interfaces available. If you want to restrict it to some subset of
 	interfaces or addresses (e.g. if you're using multiple routing tables
@@ -3253,7 +3253,7 @@ in <rfc id="4861"> and also the DNS extensions from <rfc id="6106">.
 definitions, prefix definitions and DNS definitions:
 
 <descrip>
-	<tag><label id="radv-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="radv-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag>
 	Interface definitions specify a set of interfaces on which the
 	protocol is activated and contain interface specific options.
 	See <ref id="proto-iface" name="interface"> common options for
@@ -3563,7 +3563,7 @@ protocol rip [&lt;name&gt;] {
 	nexthops in one route. By default, ECMP is disabled. If enabled,
 	default	value of the limit is 16.
 
-	<tag><label id="rip-iface">interface <m/pattern [, ...]/ { <m/options/ }</tag>
+	<tag><label id="rip-iface">interface <m/pattern/ [, <m/.../] { <m/options/ }</tag>
 	Interface definitions specify a set of interfaces on which the
 	protocol is activated and contain interface specific options.
 	See <ref id="proto-iface" name="interface"> common options for
@@ -3795,7 +3795,7 @@ definition of the protocol contains mainly a list of static routes.
 	interface can be specified as a part of the address (e.g.,
 	<cf/via fe80::1234%eth0/).
 
-	<tag><label id="static-route-via-mpath">route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via ...]</tag>
+	<tag><label id="static-route-via-mpath">route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [bfd <m/switch/] [via <m/.../]</tag>
 	Static multipath route. Contains several nexthops (gateways), possibly
 	with their weights.
 
diff --git a/nest/config.Y b/nest/config.Y
index b03f1a7f..3e76581a 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -658,7 +658,7 @@ CF_CLI(EVAL, term, <expr>, [[Evaluate an expression]])
 { cmd_eval($2); } ;
 
 CF_CLI_HELP(ECHO, ..., [[Control echoing of log messages]])
-CF_CLI(ECHO, echo_mask echo_size, (all | off | { debug | trace | info | remote | warning | error | auth }) [<buffer-size>], [[Control echoing of log messages]]) {
+CF_CLI(ECHO, echo_mask echo_size, (all | off | { debug|trace|info|remote|warning|error|auth [, ...] }) [<buffer-size>], [[Control echoing of log messages]]) {
   cli_set_log_echo(this_cli, $2, $3);
   cli_msg(0, "");
 } ;
@@ -691,11 +691,11 @@ CF_CLI(RELOAD OUT, proto_patt, <protocol> | \"<pattern>\" | all, [[Reload protoc
 { proto_apply_cmd($3, proto_cmd_reload, 1, CMD_RELOAD_OUT); } ;
 
 CF_CLI_HELP(DEBUG, ..., [[Control protocol debugging via BIRD logs]])
-CF_CLI(DEBUG, proto_patt debug_mask, (<protocol> | <pattern> | all) (all | off | { states | routes | filters | interfaces | events | packets }), [[Control protocol debugging via BIRD logs]])
+CF_CLI(DEBUG, proto_patt debug_mask, (<protocol> | \"<pattern>\" | all) (all | off | { states|routes|filters|interfaces|events|packets [, ...] }), [[Control protocol debugging via BIRD logs]])
 { proto_apply_cmd($2, proto_cmd_debug, 1, $3); } ;
 
 CF_CLI_HELP(MRTDUMP, ..., [[Control protocol debugging via MRTdump files]])
-CF_CLI(MRTDUMP, proto_patt mrtdump_mask, (<protocol> | <pattern> | all) (all | off | { states | messages }), [[Control protocol debugging via MRTdump format]])
+CF_CLI(MRTDUMP, proto_patt mrtdump_mask, (<protocol> | \"<pattern>\" | all) (all | off | { states|messages [, ...] }), [[Control protocol debugging via MRTdump format]])
 { proto_apply_cmd($2, proto_cmd_mrtdump, 1, $3); } ;
 
 CF_CLI(RESTRICT,,,[[Restrict current CLI session to safe commands]])

From 2e7fb11a6e31324151c6db98df2fe26d2d6cffab Mon Sep 17 00:00:00 2001
From: Jan Moskyto Matejka <mq@ucw.cz>
Date: Wed, 12 Oct 2016 14:16:34 +0200
Subject: [PATCH 22/37] Fixed memory bloating on kernel merge paths together
 with export filter.

Some memory was being allocated from bad linpool, not from the given one
as they should.

Thanks to Madhu and Justin Cattle for reporting this.
---
 nest/rt-table.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nest/rt-table.c b/nest/rt-table.c
index d3aba085..00476069 100644
--- a/nest/rt-table.c
+++ b/nest/rt-table.c
@@ -65,7 +65,7 @@ make_tmp_attrs(struct rte *rt, struct linpool *pool)
 {
   struct ea_list *(*mta)(struct rte *rt, struct linpool *pool);
   mta = rt->attrs->src->proto->make_tmp_attrs;
-  return mta ? mta(rt, rte_update_pool) : NULL;
+  return mta ? mta(rt, pool) : NULL;
 }
 
 /* Like fib_route(), but skips empty net entries */
@@ -596,7 +596,7 @@ mpnh_merge_rta(struct mpnh *nhs, rta *a, linpool *pool, int max)
 {
   struct mpnh nh = { .gw = a->gw, .iface = a->iface };
   struct mpnh *nh2 = (a->dest == RTD_MULTIPATH) ? a->nexthops : &nh;
-  return mpnh_merge(nhs, nh2, 1, 0, max, rte_update_pool);
+  return mpnh_merge(nhs, nh2, 1, 0, max, pool);
 }
 
 rte *

From 5fd7dacadc3cd8f91f66cb56e3a9ef81028aa102 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 13 Oct 2016 15:17:41 +0200
Subject: [PATCH 23/37] Filter: Expand testing of large community sets

---
 filter/test.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/filter/test.conf b/filter/test.conf
index e8873fbf..7623953a 100644
--- a/filter/test.conf
+++ b/filter/test.conf
@@ -95,6 +95,7 @@ clist l2;
 eclist el;
 eclist el2;
 lclist ll;
+lclist ll2;
 {
 	print "Entering path test...";
 	pm1 =  / 4 3 2 1 /;
@@ -220,6 +221,22 @@ lclist ll;
 	print "Should be false: ", mktrip(100) ~ ll, " ", ll ~ [(5,10,15), (10,21,30)], " ", ll ~ [(10,21..25,*)], " ", ll ~ [(11, *, *)];
 	print "LC filtered: ", filter(ll, [(5..15, *, *), (100000, 500..500000, *)]);
 
+	ll = --- empty ---;
+	ll = add(ll, (10, 10, 10));
+	ll = add(ll, (20, 20, 20));
+	ll = add(ll, (30, 30, 30));
+
+	ll2 = --- empty ---;
+	ll2 = add(ll2, (20, 20, 20));
+	ll2 = add(ll2, (30, 30, 30));
+	ll2 = add(ll2, (40, 40, 40));
+
+	print "lclist A (10,20,30): ", ll;
+	print "lclist B (30,40,50): ", ll2;
+	print "lclist A union B: ", add(ll, ll2);
+	print "lclist A isect B: ", filter(ll, ll2);
+	print "lclist A \  B: ", delete(ll, ll2);
+
 #	test_roa();
 }
 

From 3c09af416939d26c252aa1b339b52fd8f9f8e774 Mon Sep 17 00:00:00 2001
From: Pavel Tvrdik <pawel.tvrdik@gmail.com>
Date: Thu, 13 Oct 2016 16:57:21 +0200
Subject: [PATCH 24/37] Clist: The add() function will append a new value

The add() function used to prepend a new community to clist, but after
this fix the add() function appends new community.
---
 nest/a-set.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/nest/a-set.c b/nest/a-set.c
index fde34cab..bd244e2e 100644
--- a/nest/a-set.c
+++ b/nest/a-set.c
@@ -244,9 +244,13 @@ int_set_add(struct linpool *pool, struct adata *list, u32 val)
   len = list ? list->length : 0;
   res = lp_alloc(pool, sizeof(struct adata) + len + 4);
   res->length = len + 4;
-  * (u32 *) res->data = val;
+
   if (list)
-    memcpy((char *) res->data + 4, list->data, list->length);
+    memcpy(res->data, list->data, list->length);
+
+  u32 *c = (u32 *) (res->data + len);
+  *c = val;
+
   return res;
 }
 

From c68e8cd374f16a1d659c80f9ebe503f2dd0d4acb Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 18 Oct 2016 13:06:05 +0200
Subject: [PATCH 25/37] Filter: Minor formatting changes in test.conf

---
 filter/test.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/filter/test.conf b/filter/test.conf
index 7623953a..676b47d1 100644
--- a/filter/test.conf
+++ b/filter/test.conf
@@ -161,7 +161,7 @@ lclist ll2;
 	print "Community list (1,2) (3,1) (3,5) ", l, " len: ", l.len;
 	l = add( l, (3,2) );
 	l = add( l, (4,5) );
-	print "Community list (1,2) (3,1) (3,2) (3,5) (4,5) ", l, " len: ", l.len;
+	print "Community list (1,2) (3,1) (3,5) (3,2) (4,5) ", l, " len: ", l.len;
 	print "Should be true: ", l ~ [(*,2)], " ", l ~ [(*,5)], " ", l ~ [(*, one)];
 	print "Should be false: ", l ~ [(*,3)], " ", l ~ [(*,(one+6))], " ", l ~ [(*, (one+one+one))];
 	l = delete( l, [(*,(one+onef(3)))] );
@@ -176,7 +176,7 @@ lclist ll2;
 	print "clist B (3..6): ", l2;
 	print "clist A union B: ", add( l2, l );
 	print "clist A isect B: ", filter( l, l2 );
-	print "clist A \  B: ", delete( l, l2 );
+	print "clist A \ B: ", delete( l, l2 );
 
 	el = -- empty --;
 	el = add(el, (rt, 10, 20));
@@ -208,7 +208,7 @@ lclist ll2;
 	print "eclist B (30,40,50): ", el2;
 	print "eclist A union B: ", add( el2, el );
 	print "eclist A isect B: ", filter( el, el2 );
-	print "eclist A \  B: ", delete( el, el2 );
+	print "eclist A \ B: ", delete( el, el2 );
 
 	ll = --- empty ---;
 	ll = add(ll, (ten, 20, 30));
@@ -232,10 +232,10 @@ lclist ll2;
 	ll2 = add(ll2, (40, 40, 40));
 
 	print "lclist A (10,20,30): ", ll;
-	print "lclist B (30,40,50): ", ll2;
+	print "lclist B (20,30,40): ", ll2;
 	print "lclist A union B: ", add(ll, ll2);
 	print "lclist A isect B: ", filter(ll, ll2);
-	print "lclist A \  B: ", delete(ll, ll2);
+	print "lclist A \ B: ", delete(ll, ll2);
 
 #	test_roa();
 }

From 3213273d8261c69a343fcd7d4c9607385dfdbb65 Mon Sep 17 00:00:00 2001
From: Ondrej Filip <feela@network.cz>
Date: Thu, 27 Oct 2016 11:08:28 +0200
Subject: [PATCH 26/37] IANA assigned a different number to large BGP
 communities - changed.

---
 proto/bgp/bgp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h
index d5747c18..a865b99d 100644
--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -308,7 +308,7 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
 #define BA_EXT_COMMUNITY	0x10	/* [RFC4360] */
 #define BA_AS4_PATH             0x11    /* [RFC4893] */
 #define BA_AS4_AGGREGATOR       0x12
-#define BA_LARGE_COMMUNITY	0x1e	/* [draft-ietf-idr-large-community] */
+#define BA_LARGE_COMMUNITY	0x20	/* [draft-ietf-idr-large-community] */
 
 /* BGP connection states */
 

From 17fe57d8dcc89aea520788914b252cf49cf060ff Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 1 Nov 2016 11:37:49 +0100
Subject: [PATCH 27/37] Log: Fix broken syslog name

BIRD passed string from configuration to openlog(), which kept it
internally. After reconfiguration the old string was freed, therefore
openlog had invalid copy.

Thanks to Chris Caputo for the original patch.
---
 lib/string.h      |  9 +++++++++
 sysdep/unix/log.c | 18 +++++++++++-------
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/lib/string.h b/lib/string.h
index 9af49b9e..bf0b7cb0 100644
--- a/lib/string.h
+++ b/lib/string.h
@@ -30,6 +30,15 @@ static inline char *xbasename(const char *str)
   return s ? s+1 : (char *) str;
 }
 
+static inline char *
+xstrdup(const char *c)
+{
+  size_t l = strlen(c) + 1;
+  char *z = xmalloc(l);
+  memcpy(z, c, l);
+  return z;
+}
+
 #define ROUTER_ID_64_LENGTH 23
 
 #endif
diff --git a/sysdep/unix/log.c b/sysdep/unix/log.c
index 1fd64426..b89e6b7a 100644
--- a/sysdep/unix/log.c
+++ b/sysdep/unix/log.c
@@ -288,18 +288,22 @@ log_switch(int debug, list *l, char *new_syslog_name)
   current_log_list = l;
 
 #ifdef HAVE_SYSLOG
-  char *old_syslog_name = current_syslog_name;
-  current_syslog_name = new_syslog_name;
-
-  if (old_syslog_name && new_syslog_name &&
-      !strcmp(old_syslog_name, new_syslog_name))
+  if (current_syslog_name && new_syslog_name &&
+      !strcmp(current_syslog_name, new_syslog_name))
     return;
 
-  if (old_syslog_name)
+  if (current_syslog_name)
+  {
     closelog();
+    xfree(current_syslog_name);
+    current_syslog_name = NULL;
+  }
 
   if (new_syslog_name)
-    openlog(new_syslog_name, LOG_CONS | LOG_NDELAY, LOG_DAEMON);
+  {
+    current_syslog_name = xstrdup(new_syslog_name);
+    openlog(current_syslog_name, LOG_CONS | LOG_NDELAY, LOG_DAEMON);
+  }
 #endif
 }
 

From 3e236955c9369475872b9b86a58502fa777b50b9 Mon Sep 17 00:00:00 2001
From: Jan Moskyto Matejka <mq@ucw.cz>
Date: Fri, 14 Oct 2016 15:37:04 +0200
Subject: [PATCH 28/37] Build: switch on -Wextra, get rid of most of the
 warnings

There are several unresolved -Wmissing-field-initializers on older
versions of GCC than 5.1, all of them false positive.
---
 client/birdcl.c        |  2 +-
 client/util.c          |  2 +-
 conf/Makefile          |  2 +
 conf/conf.c            |  2 +-
 configure.in           |  4 +-
 filter/filter.c        |  6 +--
 lib/birdlib.h          |  7 ++++
 lib/hash.h             |  8 ++--
 lib/socket.h           |  2 +-
 nest/a-path.c          |  2 +-
 nest/bfd.h             |  2 +-
 nest/iface.c           |  2 +-
 nest/locks.c           |  3 +-
 nest/route.h           |  1 -
 nest/rt-attr.c         |  4 +-
 nest/rt-table.c        | 18 ++++-----
 proto/babel/babel.c    |  4 +-
 proto/babel/babel.h    |  2 +-
 proto/babel/packets.c  | 84 ++++++++++++++++++++++--------------------
 proto/bfd/bfd.c        |  6 +--
 proto/bfd/packets.c    |  4 +-
 proto/bgp/attrs.c      |  2 +-
 proto/bgp/bgp.c        |  2 +-
 proto/bgp/bgp.h        |  4 +-
 proto/bgp/packets.c    | 29 +++++++--------
 proto/ospf/dbdes.c     |  2 +-
 proto/ospf/hello.c     |  5 ++-
 proto/ospf/lsalib.c    |  2 +-
 proto/ospf/lsalib.h    |  2 +-
 proto/ospf/lsupd.c     |  6 +--
 proto/ospf/neighbor.c  |  2 +-
 proto/ospf/ospf.h      |  8 ++--
 proto/ospf/packet.c    |  4 +-
 proto/ospf/rt.c        |  2 +-
 proto/ospf/topology.c  |  8 ++--
 proto/radv/packets.c   |  6 +--
 proto/radv/radv.c      |  2 +-
 proto/radv/radv.h      |  2 +-
 proto/rip/packets.c    |  8 ++--
 proto/rip/rip.c        |  4 +-
 proto/static/static.c  |  4 +-
 sysdep/bsd/krt-sock.c  |  6 +--
 sysdep/bsd/krt-sys.h   |  2 +-
 sysdep/bsd/sysio.h     | 19 ++++++----
 sysdep/linux/krt-sys.h |  2 +-
 sysdep/linux/netlink.c |  4 +-
 sysdep/unix/io.c       | 12 +++---
 sysdep/unix/krt.c      |  4 +-
 sysdep/unix/main.c     |  6 +--
 sysdep/unix/unix.h     | 10 ++---
 50 files changed, 179 insertions(+), 157 deletions(-)

diff --git a/client/birdcl.c b/client/birdcl.c
index 7b567a9f..4508185c 100644
--- a/client/birdcl.c
+++ b/client/birdcl.c
@@ -125,7 +125,7 @@ more_end(void)
 }
 
 static void
-sig_handler(int signal)
+sig_handler(int signal UNUSED)
 {
   cleanup();
   exit(0);
diff --git a/client/util.c b/client/util.c
index 2d6c074d..1d83e518 100644
--- a/client/util.c
+++ b/client/util.c
@@ -24,7 +24,7 @@ vlog(const char *msg, va_list args)
   int n = vsnprintf(buf, sizeof(buf), msg, args);
   if (n < 0)
     snprintf(buf, sizeof(buf), "???");
-  if (n >= sizeof(buf))
+  else if (n >= (int) sizeof(buf))
     snprintf(buf + sizeof(buf) - 100, 100, " ... <too long>");
   fputs(buf, stderr);
   fputc('\n', stderr);
diff --git a/conf/Makefile b/conf/Makefile
index 5d729a42..cd78c821 100644
--- a/conf/Makefile
+++ b/conf/Makefile
@@ -29,3 +29,5 @@ cf-lex.c: cf-lex.l
 	$(FLEX) $(FLEX_DEBUG) -s -B -8 -ocf-lex.c -Pcf_ cf-lex.l
 
 depend: keywords.h commands.h cf-parse.tab.c cf-lex.c
+
+cf-lex.o: CFLAGS+=-Wno-sign-compare -Wno-unused-function
diff --git a/conf/conf.c b/conf/conf.c
index efaeedeb..029814c6 100644
--- a/conf/conf.c
+++ b/conf/conf.c
@@ -450,7 +450,7 @@ config_undo(void)
 extern void cmd_reconfig_undo_notify(void);
 
 static void
-config_timeout(struct timer *t)
+config_timeout(struct timer *t UNUSED)
 {
   log(L_INFO "Config timeout expired, starting undo");
   cmd_reconfig_undo_notify();
diff --git a/configure.in b/configure.in
index 16a0b414..57fa0079 100644
--- a/configure.in
+++ b/configure.in
@@ -111,11 +111,13 @@ fi
 
 if test "$bird_cflags_default" = yes ; then
 	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_pointer_sign, -Wno-pointer-sign, -Wall)
+	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_missing_init, -Wno-missing-field-initializers, -Wall -Wextra)
 	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing)
 	BIRD_CHECK_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow)
 
-	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -Wno-parentheses"
+	CFLAGS="$CFLAGS -Wall -Wextra -Wstrict-prototypes -Wno-parentheses"
 	BIRD_ADD_GCC_OPTION(bird_cv_c_option_wno_pointer_sign, -Wno-pointer-sign)
+	BIRD_ADD_GCC_OPTION(bird_cv_c_option_wno_missing_init, -Wno-missing-field-initializers)
 	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_aliasing, -fno-strict-aliasing)
 	BIRD_ADD_GCC_OPTION(bird_cv_c_option_fno_strict_overflow, -fno-strict-overflow)
 fi
diff --git a/filter/filter.c b/filter/filter.c
index 510303a7..85a06258 100644
--- a/filter/filter.c
+++ b/filter/filter.c
@@ -380,7 +380,7 @@ clist_filter(struct linpool *pool, struct adata *list, struct f_val set, int pos
       *k++ = v.val.i;
   }
 
-  int nl = (k - tmp) * 4;
+  uint nl = (k - tmp) * sizeof(u32);
   if (nl == list->length)
     return list;
 
@@ -414,7 +414,7 @@ eclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int po
     }
   }
 
-  int nl = (k - tmp) * 4;
+  uint nl = (k - tmp) * sizeof(u32);
   if (nl == list->length)
     return list;
 
@@ -446,7 +446,7 @@ lclist_filter(struct linpool *pool, struct adata *list, struct f_val set, int po
       k = lc_copy(k, l+i);
   }
 
-  int nl = (k - tmp) * 4;
+  uint nl = (k - tmp) * sizeof(u32);
   if (nl == list->length)
     return list;
 
diff --git a/lib/birdlib.h b/lib/birdlib.h
index 904544cb..37337078 100644
--- a/lib/birdlib.h
+++ b/lib/birdlib.h
@@ -62,6 +62,13 @@
 #define UNUSED __attribute__((unused))
 #define PACKED __attribute__((packed))
 
+#ifdef IPV6
+#define UNUSED4
+#define UNUSED6 UNUSED
+#else
+#define UNUSED4 UNUSED
+#define UNUSED6
+#endif
 
 /* Microsecond time */
 
diff --git a/lib/hash.h b/lib/hash.h
index a73f647a..fc5fea14 100644
--- a/lib/hash.h
+++ b/lib/hash.h
@@ -2,7 +2,7 @@
 
 #define HASH(type)		struct { type **data; uint count, order; }
 #define HASH_TYPE(v)		typeof(** (v).data)
-#define HASH_SIZE(v)		(1 << (v).order)
+#define HASH_SIZE(v)		(1U << (v).order)
 
 #define HASH_EQ(v,id,k1,k2...)	(id##_EQ(k1, k2))
 #define HASH_FN(v,id,key...)	((u32) (id##_FN(key)) >> (32 - (v).order))
@@ -116,12 +116,12 @@
 
 #define HASH_MAY_RESIZE_DOWN_(v,pool,rehash_fn,args)			\
   ({                                                                    \
-    int _o = (v).order;							\
-    while (((v).count < ((1 << _o) REHASH_LO_MARK(args))) &&		\
+    uint _o = (v).order;							\
+    while (((v).count < ((1U << _o) REHASH_LO_MARK(args))) &&		\
 	   (_o > (REHASH_LO_BOUND(args))))				\
       _o -= (REHASH_LO_STEP(args));					\
     if (_o < (v).order)							\
-      rehash_fn(&(v), pool, _o - (int) (v).order);			\
+      rehash_fn(&(v), pool, _o - (v).order);				\
   })
 
 
diff --git a/lib/socket.h b/lib/socket.h
index 6babfa7b..2da52127 100644
--- a/lib/socket.h
+++ b/lib/socket.h
@@ -30,7 +30,7 @@ typedef struct birdsock {
   byte *rbuf, *rpos;			/* NULL=allocate automatically */
   uint fast_rx;				/* RX has higher priority in event loop */
   uint rbsize;
-  int (*rx_hook)(struct birdsock *, int size); /* NULL=receiving turned off, returns 1 to clear rx buffer */
+  int (*rx_hook)(struct birdsock *, uint size); /* NULL=receiving turned off, returns 1 to clear rx buffer */
 
   byte *tbuf, *tpos;			/* NULL=allocate automatically */
   byte *ttx;				/* Internal */
diff --git a/nest/a-path.c b/nest/a-path.c
index e1031b7b..b453f702 100644
--- a/nest/a-path.c
+++ b/nest/a-path.c
@@ -370,7 +370,7 @@ as_path_filter(struct linpool *pool, struct adata *path, struct f_tree *set, u32
 	}
   }
 
-  int nl = d - buf;
+  uint nl = d - buf;
   if (nl == path->length)
     return path;
 
diff --git a/nest/bfd.h b/nest/bfd.h
index f1e95cb2..b0ebe31d 100644
--- a/nest/bfd.h
+++ b/nest/bfd.h
@@ -42,7 +42,7 @@ struct bfd_request {
 
 struct bfd_request * bfd_request_session(pool *p, ip_addr addr, ip_addr local, struct iface *iface, void (*hook)(struct bfd_request *), void *data);
 
-static inline void cf_check_bfd(int use) { }
+static inline void cf_check_bfd(int use UNUSED) { }
 
 #else
 
diff --git a/nest/iface.c b/nest/iface.c
index 4d73c2a4..a23cdf4f 100644
--- a/nest/iface.c
+++ b/nest/iface.c
@@ -584,7 +584,7 @@ ifa_delete(struct ifa *a)
 }
 
 u32
-if_choose_router_id(struct iface_patt *mask, u32 old_id)
+if_choose_router_id(struct iface_patt *mask UNUSED6, u32 old_id UNUSED6)
 {
 #ifndef IPV6
   struct iface *i;
diff --git a/nest/locks.c b/nest/locks.c
index ad2af493..84b8b0ae 100644
--- a/nest/locks.c
+++ b/nest/locks.c
@@ -100,7 +100,8 @@ static struct resclass olock_class = {
   sizeof(struct object_lock),
   olock_free,
   olock_dump,
-  NULL
+  NULL,
+  NULL,
 };
 
 /**
diff --git a/nest/route.h b/nest/route.h
index 07320566..383f4def 100644
--- a/nest/route.h
+++ b/nest/route.h
@@ -274,7 +274,6 @@ rte *rte_find(net *net, struct rte_src *src);
 rte *rte_get_temp(struct rta *);
 void rte_update2(struct announce_hook *ah, net *net, rte *new, struct rte_src *src);
 static inline void rte_update(struct proto *p, net *net, rte *new) { rte_update2(p->main_ahook, net, new, p->main_source); }
-void rte_discard(rtable *tab, rte *old);
 int rt_examine(rtable *t, ip_addr prefix, int pxlen, struct proto *p, struct filter *filter);
 rte *rt_export_merged(struct announce_hook *ah, net *net, rte **rt_free, struct ea_list **tmpa, linpool *pool, int silent);
 void rt_refresh_begin(rtable *t, struct announce_hook *ah);
diff --git a/nest/rt-attr.c b/nest/rt-attr.c
index 9aeca846..edf27d44 100644
--- a/nest/rt-attr.c
+++ b/nest/rt-attr.c
@@ -103,7 +103,7 @@ static inline int u32_cto(uint x) { return ffs(~x) - 1; }
 static inline u32
 rte_src_alloc_id(void)
 {
-  int i, j;
+  uint i, j;
   for (i = src_id_pos; i < src_id_size; i++)
     if (src_ids[i] != 0xffffffff)
       goto found;
@@ -785,7 +785,7 @@ static inline void
 opaque_format(struct adata *ad, byte *buf, uint size)
 {
   byte *bound = buf + size - 10;
-  int i;
+  uint i;
 
   for(i = 0; i < ad->length; i++)
     {
diff --git a/nest/rt-table.c b/nest/rt-table.c
index 00476069..c6e48c38 100644
--- a/nest/rt-table.c
+++ b/nest/rt-table.c
@@ -1282,8 +1282,8 @@ rte_announce_i(rtable *tab, unsigned type, net *net, rte *new, rte *old,
   rte_update_unlock();
 }
 
-void
-rte_discard(rtable *t, rte *old)	/* Non-filtered route deletion, used during garbage collection */
+static inline void
+rte_discard(rte *old)	/* Non-filtered route deletion, used during garbage collection */
 {
   rte_update_lock();
   rte_recalculate(old->sender, old->net, NULL, old->attrs->src);
@@ -1606,7 +1606,7 @@ again:
 		return 0;
 	      }
 
-	    rte_discard(tab, e);
+	    rte_discard(e);
 	    (*limit)--;
 
 	    goto rescan;
@@ -1712,7 +1712,7 @@ rta_apply_hostentry(rta *a, struct hostentry *he)
 }
 
 static inline rte *
-rt_next_hop_update_rte(rtable *tab, rte *old)
+rt_next_hop_update_rte(rtable *tab UNUSED, rte *old)
 {
   rta a;
   memcpy(&a, old->attrs, sizeof(rta));
@@ -2104,11 +2104,11 @@ hc_remove(struct hostcache *hc, struct hostentry *he)
 static void
 hc_alloc_table(struct hostcache *hc, unsigned order)
 {
-  unsigned hsize = 1 << order;
+  uint hsize = 1 << order;
   hc->hash_order = order;
   hc->hash_shift = 16 - order;
-  hc->hash_max = (order >= HC_HI_ORDER) ? ~0 : (hsize HC_HI_MARK);
-  hc->hash_min = (order <= HC_LO_ORDER) ?  0 : (hsize HC_LO_MARK);
+  hc->hash_max = (order >= HC_HI_ORDER) ? ~0U : (hsize HC_HI_MARK);
+  hc->hash_min = (order <= HC_LO_ORDER) ?  0U : (hsize HC_LO_MARK);
 
   hc->hash_table = mb_allocz(rt_table_pool, hsize * sizeof(struct hostentry *));
 }
@@ -2116,10 +2116,10 @@ hc_alloc_table(struct hostcache *hc, unsigned order)
 static void
 hc_resize(struct hostcache *hc, unsigned new_order)
 {
-  unsigned old_size = 1 << hc->hash_order;
   struct hostentry **old_table = hc->hash_table;
   struct hostentry *he, *hen;
-  int i;
+  uint old_size = 1 << hc->hash_order;
+  uint i;
 
   hc_alloc_table(hc, new_order);
   for (i = 0; i < old_size; i++)
diff --git a/proto/babel/babel.c b/proto/babel/babel.c
index 9d73a264..38be6909 100644
--- a/proto/babel/babel.c
+++ b/proto/babel/babel.c
@@ -1723,7 +1723,7 @@ babel_dump(struct proto *P)
 }
 
 static void
-babel_get_route_info(rte *rte, byte *buf, ea_list *attrs)
+babel_get_route_info(rte *rte, byte *buf, ea_list *attrs UNUSED)
 {
   buf += bsprintf(buf, " (%d/%d) [%lR]", rte->pref, rte->u.babel.metric, rte->u.babel.router_id);
 }
@@ -1965,7 +1965,7 @@ babel_store_tmp_attrs(struct rte *rt, struct ea_list *attrs)
  */
 static void
 babel_rt_notify(struct proto *P, struct rtable *table UNUSED, struct network *net,
-		struct rte *new, struct rte *old, struct ea_list *attrs)
+		struct rte *new, struct rte *old UNUSED, struct ea_list *attrs UNUSED)
 {
   struct babel_proto *p = (void *) P;
   struct babel_entry *e;
diff --git a/proto/babel/babel.h b/proto/babel/babel.h
index 481c88a7..6a95d82f 100644
--- a/proto/babel/babel.h
+++ b/proto/babel/babel.h
@@ -111,7 +111,7 @@ struct babel_iface_config {
   u16 rxcost;
   u8 type;
   u8 check_link;
-  int port;
+  uint port;
   u16 hello_interval;
   u16 ihu_interval;
   u16 update_interval;
diff --git a/proto/babel/packets.c b/proto/babel/packets.c
index 65dd6853..08054832 100644
--- a/proto/babel/packets.c
+++ b/proto/babel/packets.c
@@ -146,6 +146,7 @@ struct babel_write_state {
 #define TLV_HDR(tlv,t,l) ({ tlv->type = t; tlv->length = l - sizeof(struct babel_tlv); })
 #define TLV_HDR0(tlv,t) TLV_HDR(tlv, t, tlv_data[t].min_length)
 
+#define BYTES(n) ((((uint) n) + 7) / 8)
 
 static inline u16
 get_time16(const void *p)
@@ -161,18 +162,18 @@ put_time16(void *p, u16 v)
 }
 
 static inline ip6_addr
-get_ip6_px(const void *p, int plen)
+get_ip6_px(const void *p, uint plen)
 {
   ip6_addr addr = IPA_NONE;
-  memcpy(&addr, p, (plen + 7) / 8);
+  memcpy(&addr, p, BYTES(plen));
   return ip6_ntoh(addr);
 }
 
 static inline void
-put_ip6_px(void *p, ip6_addr addr, int plen)
+put_ip6_px(void *p, ip6_addr addr, uint plen)
 {
   addr = ip6_hton(addr);
-  memcpy(p, &addr, (plen + 7) / 8);
+  memcpy(p, &addr, BYTES(plen));
 }
 
 static inline ip6_addr
@@ -202,21 +203,21 @@ static int babel_read_update(struct babel_tlv *hdr, union babel_msg *msg, struct
 static int babel_read_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state);
 static int babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_parse_state *state);
 
-static int babel_write_ack(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
-static int babel_write_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
-static int babel_write_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
-static int babel_write_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
-static int babel_write_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
-static int babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, int max_len);
+static uint babel_write_ack(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
+static uint babel_write_hello(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
+static uint babel_write_ihu(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
+static uint babel_write_update(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
+static uint babel_write_route_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
+static uint babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *msg, struct babel_write_state *state, uint max_len);
 
 struct babel_tlv_data {
   u8 min_length;
   int (*read_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_parse_state *state);
-  int (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, int max_len);
+  uint (*write_tlv)(struct babel_tlv *hdr, union babel_msg *m, struct babel_write_state *state, uint max_len);
   void (*handle_tlv)(union babel_msg *m, struct babel_iface *ifa);
 };
 
-const static struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = {
+static const struct babel_tlv_data tlv_data[BABEL_TLV_MAX] = {
   [BABEL_TLV_ACK_REQ] = {
     sizeof(struct babel_tlv_ack_req),
     babel_read_ack_req,
@@ -291,9 +292,9 @@ babel_read_ack_req(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_SUCCESS;
 }
 
-static int
+static uint
 babel_write_ack(struct babel_tlv *hdr, union babel_msg *m,
-                struct babel_write_state *state, int max_len)
+                struct babel_write_state *state UNUSED, uint max_len UNUSED)
 {
   struct babel_tlv_ack *tlv = (void *) hdr;
   struct babel_msg_ack *msg = &m->ack;
@@ -319,9 +320,9 @@ babel_read_hello(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_SUCCESS;
 }
 
-static int
+static uint
 babel_write_hello(struct babel_tlv *hdr, union babel_msg *m,
-                  struct babel_write_state *state, int max_len)
+                  struct babel_write_state *state UNUSED, uint max_len UNUSED)
 {
   struct babel_tlv_hello *tlv = (void *) hdr;
   struct babel_msg_hello *msg = &m->hello;
@@ -363,9 +364,9 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_SUCCESS;
 }
 
-static int
+static uint
 babel_write_ihu(struct babel_tlv *hdr, union babel_msg *m,
-                struct babel_write_state *state, int max_len)
+                struct babel_write_state *state UNUSED, uint max_len)
 {
   struct babel_tlv_ihu *tlv = (void *) hdr;
   struct babel_msg_ihu *msg = &m->ihu;
@@ -401,9 +402,9 @@ babel_read_router_id(struct babel_tlv *hdr, union babel_msg *m UNUSED,
 }
 
 /* This is called directly from babel_write_update() */
-static int
+static uint
 babel_write_router_id(struct babel_tlv *hdr, u64 router_id,
-		      struct babel_write_state *state, int max_len UNUSED)
+		      struct babel_write_state *state, uint max_len UNUSED)
 {
   struct babel_tlv_router_id *tlv = (void *) hdr;
 
@@ -467,10 +468,10 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
   msg->metric = get_u16(&tlv->metric);
 
   /* Length of received prefix data without omitted part */
-  int len = (tlv->plen + 7)/8 - (int) tlv->omitted;
+  int len = BYTES(tlv->plen) - (int) tlv->omitted;
   u8 buf[16] = {};
 
-  if ((len < 0) || (len > TLV_OPT_LENGTH(tlv)))
+  if ((len < 0) || ((uint) len > TLV_OPT_LENGTH(tlv)))
     return PARSE_ERROR;
 
   switch (tlv->ae)
@@ -536,13 +537,13 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_SUCCESS;
 }
 
-static int
+static uint
 babel_write_update(struct babel_tlv *hdr, union babel_msg *m,
-                   struct babel_write_state *state, int max_len)
+                   struct babel_write_state *state, uint max_len)
 {
   struct babel_tlv_update *tlv = (void *) hdr;
   struct babel_msg_update *msg = &m->update;
-  int len0 = 0;
+  uint len0 = 0;
 
   /*
    * When needed, we write Router-ID TLV before Update TLV and return size of
@@ -558,7 +559,7 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m,
     tlv = (struct babel_tlv_update *) NEXT_TLV(tlv);
   }
 
-  int len = sizeof(struct babel_tlv_update) + (msg->plen + 7)/8;
+  uint len = sizeof(struct babel_tlv_update) + BYTES(msg->plen);
 
   if (len0 + len > max_len)
     return 0;
@@ -587,7 +588,7 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m,
 
 static int
 babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m,
-                         struct babel_parse_state *state)
+                         struct babel_parse_state *state UNUSED)
 {
   struct babel_tlv_route_request *tlv = (void *) hdr;
   struct babel_msg_route_request *msg = &m->route_request;
@@ -612,7 +613,7 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m,
     if (tlv->plen > MAX_PREFIX_LENGTH)
       return PARSE_ERROR;
 
-    if (TLV_OPT_LENGTH(tlv) < (tlv->plen + 7)/8)
+    if (TLV_OPT_LENGTH(tlv) < BYTES(tlv->plen))
       return PARSE_ERROR;
 
     msg->plen = tlv->plen;
@@ -629,14 +630,14 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_IGNORE;
 }
 
-static int
+static uint
 babel_write_route_request(struct babel_tlv *hdr, union babel_msg *m,
-			  struct babel_write_state *state, int max_len)
+			  struct babel_write_state *state UNUSED, uint max_len)
 {
   struct babel_tlv_route_request *tlv = (void *) hdr;
   struct babel_msg_route_request *msg = &m->route_request;
 
-  int len = sizeof(struct babel_tlv_route_request) + (msg->plen + 7)/8;
+  uint len = sizeof(struct babel_tlv_route_request) + BYTES(msg->plen);
 
   if (len > max_len)
     return 0;
@@ -687,7 +688,7 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m,
     if (tlv->plen > MAX_PREFIX_LENGTH)
       return PARSE_ERROR;
 
-    if (TLV_OPT_LENGTH(tlv) < (tlv->plen + 7)/8)
+    if (TLV_OPT_LENGTH(tlv) < BYTES(tlv->plen))
       return PARSE_ERROR;
 
     msg->plen = tlv->plen;
@@ -704,14 +705,14 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m,
   return PARSE_IGNORE;
 }
 
-static int
+static uint
 babel_write_seqno_request(struct babel_tlv *hdr, union babel_msg *m,
-			  struct babel_write_state *state, int max_len)
+			  struct babel_write_state *state UNUSED, uint max_len)
 {
   struct babel_tlv_seqno_request *tlv = (void *) hdr;
   struct babel_msg_seqno_request *msg = &m->seqno_request;
 
-  int len = sizeof(struct babel_tlv_seqno_request) + (msg->plen + 7)/8;
+  uint len = sizeof(struct babel_tlv_seqno_request) + BYTES(msg->plen);
 
   if (len > max_len)
     return 0;
@@ -744,11 +745,11 @@ babel_read_tlv(struct babel_tlv *hdr,
   return tlv_data[hdr->type].read_tlv(hdr, msg, state);
 }
 
-static int
+static uint
 babel_write_tlv(struct babel_tlv *hdr,
 		union babel_msg *msg,
 		struct babel_write_state *state,
-		int max_len)
+		uint max_len)
 {
   if ((msg->type <= BABEL_TLV_PADN) ||
       (msg->type >= BABEL_TLV_MAX) ||
@@ -792,7 +793,7 @@ babel_send_to(struct babel_iface *ifa, ip_addr dest)
  *
  * The TLVs in the queue are freed after they are written to the buffer.
  */
-static int
+static uint
 babel_write_queue(struct babel_iface *ifa, list *queue)
 {
   struct babel_proto *p = ifa->proto;
@@ -813,6 +814,9 @@ babel_write_queue(struct babel_iface *ifa, list *queue)
   struct babel_msg_node *msg;
   WALK_LIST_FIRST(msg, *queue)
   {
+    if (pos >= end)
+      break;
+
     int len = babel_write_tlv((struct babel_tlv *) pos, &msg->msg, &state, end - pos);
 
     if (!len)
@@ -823,7 +827,7 @@ babel_write_queue(struct babel_iface *ifa, list *queue)
     sl_free(p->msg_slab, msg);
   }
 
-  int plen = pos - (byte *) pkt;
+  uint plen = pos - (byte *) pkt;
   put_u16(&pkt->length, plen - sizeof(struct babel_pkt_header));
 
   return plen;
@@ -1027,7 +1031,7 @@ babel_tx_hook(sock *sk)
 
 
 static int
-babel_rx_hook(sock *sk, int len)
+babel_rx_hook(sock *sk, uint len)
 {
   struct babel_iface *ifa = sk->data;
   struct babel_proto *p = ifa->proto;
diff --git a/proto/bfd/bfd.c b/proto/bfd/bfd.c
index 5de2f556..e7be6a8a 100644
--- a/proto/bfd/bfd.c
+++ b/proto/bfd/bfd.c
@@ -796,7 +796,7 @@ bfd_start_neighbor(struct bfd_proto *p, struct bfd_neighbor *n)
 }
 
 static void
-bfd_stop_neighbor(struct bfd_proto *p, struct bfd_neighbor *n)
+bfd_stop_neighbor(struct bfd_proto *p UNUSED, struct bfd_neighbor *n)
 {
   if (n->neigh)
     n->neigh->data = NULL;
@@ -853,7 +853,7 @@ void pipe_drain(int fd);
 void pipe_kick(int fd);
 
 static int
-bfd_notify_hook(sock *sk, int len)
+bfd_notify_hook(sock *sk, uint len UNUSED)
 {
   struct bfd_proto *p = sk->data;
   struct bfd_session *s;
@@ -1060,7 +1060,7 @@ bfd_preconfig(struct protocol *P UNUSED, struct config *c UNUSED)
 }
 
 static void
-bfd_copy_config(struct proto_config *dest, struct proto_config *src)
+bfd_copy_config(struct proto_config *dest, struct proto_config *src UNUSED)
 {
   struct bfd_config *d = (struct bfd_config *) dest;
   // struct bfd_config *s = (struct bfd_config *) src;
diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index cb40bcda..deb501fc 100644
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -39,7 +39,7 @@ static inline u8 bfd_pkt_get_diag(struct bfd_ctl_packet *pkt)
 static inline u8 bfd_pkt_get_state(struct bfd_ctl_packet *pkt)
 { return pkt->flags >> 6; }
 
-static inline void bfd_pkt_set_state(struct bfd_ctl_packet *pkt, u8 val)
+static inline void UNUSED bfd_pkt_set_state(struct bfd_ctl_packet *pkt, u8 val)
 { pkt->flags = val << 6; }
 
 
@@ -97,7 +97,7 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final)
 #define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0)
 
 static int
-bfd_rx_hook(sock *sk, int len)
+bfd_rx_hook(sock *sk, uint len)
 {
   struct bfd_proto *p =  sk->data;
   struct bfd_ctl_packet *pkt = (struct bfd_ctl_packet *) sk->rbuf;
diff --git a/proto/bgp/attrs.c b/proto/bgp/attrs.c
index 6fe34e56..0309c1f7 100644
--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
@@ -191,7 +191,7 @@ validate_as4_path(struct bgp_proto *p, struct adata *path)
 }
 
 static int
-bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a, int len)
+bgp_check_next_hop(struct bgp_proto *p UNUSED, byte *a UNUSED6, int len UNUSED6)
 {
 #ifdef IPV6
   return IGNORE;
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 2014525e..8ef4b990 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -807,7 +807,7 @@ bgp_find_proto(sock *sk)
  * closes the new connection by sending a Notification message.
  */
 static int
-bgp_incoming_connection(sock *sk, int dummy UNUSED)
+bgp_incoming_connection(sock *sk, uint dummy UNUSED)
 {
   struct bgp_proto *p;
   int acc, hops;
diff --git a/proto/bgp/bgp.h b/proto/bgp/bgp.h
index a865b99d..b4067f3a 100644
--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -191,7 +191,7 @@ struct bgp_bucket {
 #define BGP_RX_BUFFER_EXT_SIZE	65535
 #define BGP_TX_BUFFER_EXT_SIZE	65535
 
-static inline int bgp_max_packet_length(struct bgp_proto *p)
+static inline uint bgp_max_packet_length(struct bgp_proto *p)
 { return p->ext_messages ? BGP_MAX_EXT_MSG_LENGTH : BGP_MAX_MESSAGE_LENGTH; }
 
 extern struct linpool *bgp_linpool;
@@ -268,7 +268,7 @@ void mrt_dump_bgp_state_change(struct bgp_conn *conn, unsigned old, unsigned new
 void bgp_schedule_packet(struct bgp_conn *conn, int type);
 void bgp_kick_tx(void *vconn);
 void bgp_tx(struct birdsock *sk);
-int bgp_rx(struct birdsock *sk, int size);
+int bgp_rx(struct birdsock *sk, uint size);
 const char * bgp_error_dsc(unsigned code, unsigned subcode);
 void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len);
 
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 0cf38edf..3e816839 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -191,7 +191,7 @@ bgp_put_cap_gr1(struct bgp_proto *p, byte *buf)
 }
 
 static byte *
-bgp_put_cap_gr2(struct bgp_proto *p, byte *buf)
+bgp_put_cap_gr2(struct bgp_proto *p UNUSED, byte *buf)
 {
   *buf++ = 64;		/* Capability 64: Support for graceful restart */
   *buf++ = 2;		/* Capability data length */
@@ -931,7 +931,7 @@ bgp_parse_options(struct bgp_conn *conn, byte *opt, int len)
 }
 
 static void
-bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len)
+bgp_rx_open(struct bgp_conn *conn, byte *pkt, uint len)
 {
   struct bgp_conn *other;
   struct bgp_proto *p = conn->bgp;
@@ -944,7 +944,7 @@ bgp_rx_open(struct bgp_conn *conn, byte *pkt, int len)
     { bgp_error(conn, 5, fsm_err_subcode[conn->state], NULL, 0); return; }
 
   /* Check message contents */
-  if (len < 29 || len != 29 + pkt[28])
+  if (len < 29 || len != 29U + pkt[28])
     { bgp_error(conn, 1, 2, pkt+16, 2); return; }
   if (pkt[19] != BGP_VERSION)
     { bgp_error(conn, 2, 1, pkt+19, 1); return; } /* RFC 1771 says 16 bits, draft-09 tells to use 8 */
@@ -1256,16 +1256,15 @@ bgp_do_rx_update(struct bgp_conn *conn,
 #else			/* IPv6 version */
 
 #define DO_NLRI(name)					\
-  start = x = p->name##_start;				\
+  x = p->name##_start;				\
   len = len0 = p->name##_len;				\
   if (len)						\
     {							\
       if (len < 3) { err=9; goto done; }		\
       af = get_u16(x);					\
-      sub = x[2];					\
       x += 3;						\
       len -= 3;						\
-      DBG("\tNLRI AF=%d sub=%d len=%d\n", af, sub, len);\
+      DBG("\tNLRI AF=%d sub=%d len=%d\n", af, x[-1], len);\
     }							\
   else							\
     af = 0;						\
@@ -1291,15 +1290,15 @@ bgp_attach_next_hop(rta *a0, byte *x)
 
 static void
 bgp_do_rx_update(struct bgp_conn *conn,
-		 byte *withdrawn, int withdrawn_len,
-		 byte *nlri, int nlri_len,
+		 byte *withdrawn UNUSED, int withdrawn_len,
+		 byte *nlri UNUSED, int nlri_len,
 		 byte *attrs, int attr_len)
 {
   struct bgp_proto *p = conn->bgp;
   struct rte_src *src = p->p.main_source;
-  byte *start, *x;
+  byte *x;
   int len, len0;
-  unsigned af, sub;
+  unsigned af;
   rta *a0, *a = NULL;
   ip_addr prefix;
   int pxlen, err = 0;
@@ -1375,11 +1374,11 @@ bgp_do_rx_update(struct bgp_conn *conn,
 #endif
 
 static void
-bgp_rx_update(struct bgp_conn *conn, byte *pkt, int len)
+bgp_rx_update(struct bgp_conn *conn, byte *pkt, uint len)
 {
   struct bgp_proto *p = conn->bgp;
   byte *withdrawn, *attrs, *nlri;
-  int withdrawn_len, attr_len, nlri_len;
+  uint withdrawn_len, attr_len, nlri_len;
 
   BGP_TRACE_RL(&rl_rcv_update, D_PACKETS, "Got UPDATE");
 
@@ -1525,7 +1524,7 @@ bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned
 }
 
 static void
-bgp_rx_notification(struct bgp_conn *conn, byte *pkt, int len)
+bgp_rx_notification(struct bgp_conn *conn, byte *pkt, uint len)
 {
   struct bgp_proto *p = conn->bgp;
   if (len < 21)
@@ -1591,7 +1590,7 @@ bgp_rx_keepalive(struct bgp_conn *conn)
 }
 
 static void
-bgp_rx_route_refresh(struct bgp_conn *conn, byte *pkt, int len)
+bgp_rx_route_refresh(struct bgp_conn *conn, byte *pkt, uint len)
 {
   struct bgp_proto *p = conn->bgp;
 
@@ -1680,7 +1679,7 @@ bgp_rx_packet(struct bgp_conn *conn, byte *pkt, unsigned len)
  * bgp_rx_packet().
  */
 int
-bgp_rx(sock *sk, int size)
+bgp_rx(sock *sk, uint size)
 {
   struct bgp_conn *conn = sk->data;
   struct bgp_proto *p = conn->bgp;
diff --git a/proto/ospf/dbdes.c b/proto/ospf/dbdes.c
index 195b03ad..d6904343 100644
--- a/proto/ospf/dbdes.c
+++ b/proto/ospf/dbdes.c
@@ -39,7 +39,7 @@ struct ospf_dbdes3_packet
 
 
 static inline uint
-ospf_dbdes_hdrlen(struct ospf_proto *p)
+ospf_dbdes_hdrlen(struct ospf_proto *p UNUSED4 UNUSED6)
 {
   return ospf_is_v2(p) ?
     sizeof(struct ospf_dbdes2_packet) : sizeof(struct ospf_dbdes3_packet);
diff --git a/proto/ospf/hello.c b/proto/ospf/hello.c
index 50cf1407..e00487dc 100644
--- a/proto/ospf/hello.c
+++ b/proto/ospf/hello.c
@@ -222,9 +222,12 @@ ospf_receive_hello(struct ospf_packet *pkt, struct ospf_iface *ifa,
     rcv_priority = ps->priority;
 
     int pxlen = u32_masklen(ntohl(ps->netmask));
+    if (pxlen < 0)
+      DROP("prefix garbled", ntohl(ps->netmask));
+
     if ((ifa->type != OSPF_IT_VLINK) &&
 	(ifa->type != OSPF_IT_PTP) &&
-	(pxlen != ifa->addr->pxlen))
+	((uint) pxlen != ifa->addr->pxlen))
       DROP("prefix length mismatch", pxlen);
 
     neighbors = ps->neighbors;
diff --git a/proto/ospf/lsalib.c b/proto/ospf/lsalib.c
index 1bbd1372..cb7b186a 100644
--- a/proto/ospf/lsalib.c
+++ b/proto/ospf/lsalib.c
@@ -463,7 +463,7 @@ lsa_validate_sum3_net(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_net *bod
 }
 
 static int
-lsa_validate_sum3_rt(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_rt *body)
+lsa_validate_sum3_rt(struct ospf_lsa_header *lsa, struct ospf_lsa_sum3_rt *body UNUSED)
 {
   if (lsa->length != (HDRLEN + sizeof(struct ospf_lsa_sum3_rt)))
     return 0;
diff --git a/proto/ospf/lsalib.h b/proto/ospf/lsalib.h
index ae6af044..638b3525 100644
--- a/proto/ospf/lsalib.h
+++ b/proto/ospf/lsalib.h
@@ -41,7 +41,7 @@ void lsa_get_type_domain_(u32 itype, struct ospf_iface *ifa, u32 *otype, u32 *do
 static inline void lsa_get_type_domain(struct ospf_lsa_header *lsa, struct ospf_iface *ifa, u32 *otype, u32 *domain)
 { lsa_get_type_domain_(lsa->type_raw, ifa, otype, domain); }
 
-static inline u32 lsa_get_etype(struct ospf_lsa_header *h, struct ospf_proto *p)
+static inline u32 lsa_get_etype(struct ospf_lsa_header *h, struct ospf_proto *p UNUSED4 UNUSED6)
 { return ospf_is_v2(p) ? (h->type_raw & LSA_T_V2_MASK) : h->type_raw; }
 
 
diff --git a/proto/ospf/lsupd.c b/proto/ospf/lsupd.c
index c6a734ca..157d9628 100644
--- a/proto/ospf/lsupd.c
+++ b/proto/ospf/lsupd.c
@@ -105,7 +105,7 @@ invalid:
 
 
 static inline void
-ospf_lsa_lsrq_down(struct top_hash_entry *req, struct ospf_neighbor *n, struct ospf_neighbor *from)
+ospf_lsa_lsrq_down(struct top_hash_entry *req, struct ospf_neighbor *n)
 {
   if (req == n->lsrqi)
     n->lsrqi = SNODE_NEXT(req);
@@ -188,7 +188,7 @@ ospf_enqueue_lsa(struct ospf_proto *p, struct top_hash_entry *en, struct ospf_if
   {
     /* If we already have full queue, we send some packets */
     uint sent = ospf_flood_lsupd(p, ifa->flood_queue, ifa->flood_queue_used, ifa->flood_queue_used / 2, ifa);
-    int i;
+    uint i;
 
     for (i = 0; i < sent; i++)
       ifa->flood_queue[i]->ret_count--;
@@ -275,7 +275,7 @@ ospf_flood_lsa(struct ospf_proto *p, struct top_hash_entry *en, struct ospf_neig
 
 	  /* If same or newer, remove LSA from the link state request list */
 	  if (cmp > CMP_OLDER)
-	    ospf_lsa_lsrq_down(req, n, from);
+	    ospf_lsa_lsrq_down(req, n);
 
 	  /* If older or same, skip processing of this neighbor */
 	  if (cmp < CMP_NEWER)
diff --git a/proto/ospf/neighbor.c b/proto/ospf/neighbor.c
index 0223ccdf..9fe3c028 100644
--- a/proto/ospf/neighbor.c
+++ b/proto/ospf/neighbor.c
@@ -359,7 +359,7 @@ can_do_adj(struct ospf_neighbor *n)
 }
 
 
-static inline u32 neigh_get_id(struct ospf_proto *p, struct ospf_neighbor *n)
+static inline u32 neigh_get_id(struct ospf_proto *p UNUSED4 UNUSED6, struct ospf_neighbor *n)
 { return ospf_is_v2(p) ? ipa_to_u32(n->ip) : n->rid; }
 
 static struct ospf_neighbor *
diff --git a/proto/ospf/ospf.h b/proto/ospf/ospf.h
index a4e525ec..ca30e4e0 100644
--- a/proto/ospf/ospf.h
+++ b/proto/ospf/ospf.h
@@ -766,7 +766,7 @@ lsa_get_ipv6_addr(u32 *buf, ip_addr *addr)
 }
 
 static inline u32 *
-put_ipv6_prefix(u32 *buf, ip_addr addr, u8 pxlen, u8 pxopts, u16 lh)
+put_ipv6_prefix(u32 *buf, ip_addr addr UNUSED4, u8 pxlen UNUSED4, u8 pxopts UNUSED4, u16 lh UNUSED4)
 {
 #ifdef IPV6
   *buf++ = ((pxlen << 24) | (pxopts << 16) | lh);
@@ -840,7 +840,7 @@ static inline int ospf_is_v2(struct ospf_proto *p)
 static inline int ospf_is_v3(struct ospf_proto *p)
 { return ! p->ospf2; }
 */
-static inline int ospf_get_version(struct ospf_proto *p)
+static inline int ospf_get_version(struct ospf_proto *p UNUSED4 UNUSED6)
 { return ospf_is_v2(p) ? 2 : 3; }
 
 struct ospf_area *ospf_find_area(struct ospf_proto *p, u32 aid);
@@ -897,7 +897,7 @@ void ospf_sh_neigh_info(struct ospf_neighbor *n);
 /* packet.c */
 void ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type);
 uint ospf_pkt_maxsize(struct ospf_iface *ifa);
-int ospf_rx_hook(sock * sk, int size);
+int ospf_rx_hook(sock * sk, uint size);
 // void ospf_tx_hook(sock * sk);
 void ospf_err_hook(sock * sk, int err);
 void ospf_verr_hook(sock *sk, int err);
@@ -922,7 +922,7 @@ static inline void ospf_send_to_des(struct ospf_iface *ifa)
 #define SKIP(DSC) do { err_dsc = DSC; goto skip; } while(0)
 #endif
 
-static inline uint ospf_pkt_hdrlen(struct ospf_proto *p)
+static inline uint ospf_pkt_hdrlen(struct ospf_proto *p UNUSED4 UNUSED6)
 { return ospf_is_v2(p) ? (sizeof(struct ospf_packet) + sizeof(union ospf_auth)) : sizeof(struct ospf_packet); }
 
 static inline void * ospf_tx_buffer(struct ospf_iface *ifa)
diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c
index 04f0d47c..aa90aa51 100644
--- a/proto/ospf/packet.c
+++ b/proto/ospf/packet.c
@@ -124,7 +124,7 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
 
 /* We assume OSPFv2 in ospf_pkt_checkauth() */
 static int
-ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, int len)
+ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_packet *pkt, uint len)
 {
   struct ospf_proto *p = ifa->oa->po;
   union ospf_auth *auth = (void *) (pkt + 1);
@@ -214,7 +214,7 @@ drop:
  * non generic functions.
  */
 int
-ospf_rx_hook(sock *sk, int len)
+ospf_rx_hook(sock *sk, uint len)
 {
   /* We want just packets from sk->iface. Unfortunately, on BSD we cannot filter
      out other packets at kernel level and we receive all packets on all sockets */
diff --git a/proto/ospf/rt.c b/proto/ospf/rt.c
index cdf8012a..8b3feda9 100644
--- a/proto/ospf/rt.c
+++ b/proto/ospf/rt.c
@@ -1049,7 +1049,7 @@ check_sum_rt_lsa(struct ospf_proto *p, ort *nf)
 }
 
 static inline int
-decide_nssa_lsa(struct ospf_proto *p, ort *nf, struct ospf_lsa_ext_local *rt)
+decide_nssa_lsa(struct ospf_proto *p UNUSED4 UNUSED6, ort *nf, struct ospf_lsa_ext_local *rt)
 {
   struct ospf_area *oa = nf->n.oa;
   struct top_hash_entry *en = nf->n.en;
diff --git a/proto/ospf/topology.c b/proto/ospf/topology.c
index 7558d4a0..341eff87 100644
--- a/proto/ospf/topology.c
+++ b/proto/ospf/topology.c
@@ -515,7 +515,7 @@ ospf_update_lsadb(struct ospf_proto *p)
 
 
 static inline u32
-ort_to_lsaid(struct ospf_proto *p, ort *nf)
+ort_to_lsaid(struct ospf_proto *p UNUSED4 UNUSED6, ort *nf)
 {
   /*
    * In OSPFv2, We have to map IP prefixes to u32 in such manner that resulting
@@ -607,7 +607,7 @@ lsab_offset(struct ospf_proto *p, uint offset)
   return ((byte *) p->lsab) + offset;
 }
 
-static inline void *
+static inline void * UNUSED
 lsab_end(struct ospf_proto *p)
 {
   return ((byte *) p->lsab) + p->lsab_used;
@@ -1545,7 +1545,7 @@ static void
 add_link_lsa(struct ospf_proto *p, struct ospf_lsa_link *ll, int offset, int *pxc)
 {
   u32 *pxb = ll->rest;
-  int j;
+  uint j;
 
   for (j = 0; j < ll->pxcount; pxb = prefix_advance(pxb), j++)
   {
@@ -1748,7 +1748,7 @@ ospf_top_hash(struct top_graph *f, u32 domain, u32 lsaid, u32 rtrid, u32 type)
  * and request lists of OSPF neighbors.
  */
 struct top_graph *
-ospf_top_new(struct ospf_proto *p, pool *pool)
+ospf_top_new(struct ospf_proto *p UNUSED4 UNUSED6, pool *pool)
 {
   struct top_graph *f;
 
diff --git a/proto/radv/packets.c b/proto/radv/packets.c
index 3862af8d..4bf960c3 100644
--- a/proto/radv/packets.c
+++ b/proto/radv/packets.c
@@ -157,12 +157,12 @@ radv_process_domain(struct radv_dnssl_config *cf)
   char *dom = cf->domain;
   char *dom_end = dom; /* Just to  */
   u8 *dlen_save = &cf->dlen_first;
-  int len;
+  uint len;
 
   while (dom_end)
   {
     dom_end = strchr(dom, '.');
-    len = dom_end ? (dom_end - dom) : strlen(dom);
+    len = dom_end ? (uint)(dom_end - dom) : strlen(dom);
 
     if (len < 1 || len > 63)
       return -1;
@@ -348,7 +348,7 @@ radv_send_ra(struct radv_iface *ifa, int shutdown)
 
 
 static int
-radv_rx_hook(sock *sk, int size)
+radv_rx_hook(sock *sk, uint size)
 {
   struct radv_iface *ifa = sk->data;
   struct proto_radv *ra = ifa->ra;
diff --git a/proto/radv/radv.c b/proto/radv/radv.c
index 6370e006..5c52217d 100644
--- a/proto/radv/radv.c
+++ b/proto/radv/radv.c
@@ -240,7 +240,7 @@ radv_if_notify(struct proto *p, unsigned flags, struct iface *iface)
 }
 
 static void
-radv_ifa_notify(struct proto *p, unsigned flags, struct ifa *a)
+radv_ifa_notify(struct proto *p, unsigned flags UNUSED, struct ifa *a)
 {
   struct proto_radv *ra = (struct proto_radv *) p;
 
diff --git a/proto/radv/radv.h b/proto/radv/radv.h
index 48ba9c1a..e2bf07ba 100644
--- a/proto/radv/radv.h
+++ b/proto/radv/radv.h
@@ -84,7 +84,7 @@ struct radv_prefix_config
 {
   node n;
   ip_addr prefix;
-  int pxlen;
+  uint pxlen;
 
   u8 skip;			/* Do not include this prefix to RA */
   u8 onlink;			/* Standard options from RFC 4261 */
diff --git a/proto/rip/packets.c b/proto/rip/packets.c
index 9f10fd67..e026eaea 100644
--- a/proto/rip/packets.c
+++ b/proto/rip/packets.c
@@ -108,7 +108,7 @@ static inline uint rip_pkt_hdrlen(struct rip_iface *ifa)
 { return sizeof(struct rip_packet) + (ifa->cf->auth_type ? RIP_BLOCK_LENGTH : 0); }
 
 static inline void
-rip_put_block(struct rip_proto *p, byte *pos, struct rip_block *rte)
+rip_put_block(struct rip_proto *p UNUSED4 UNUSED6, byte *pos, struct rip_block *rte)
 {
   if (rip_is_v2(p))
   {
@@ -131,7 +131,7 @@ rip_put_block(struct rip_proto *p, byte *pos, struct rip_block *rte)
 }
 
 static inline void
-rip_put_next_hop(struct rip_proto *p, byte *pos, struct rip_block *rte)
+rip_put_next_hop(struct rip_proto *p UNUSED, byte *pos, struct rip_block *rte UNUSED4)
 {
   struct rip_block_ng *block = (void *) pos;
   block->prefix = ip6_hton(ipa_to_ip6(rte->next_hop));
@@ -141,7 +141,7 @@ rip_put_next_hop(struct rip_proto *p, byte *pos, struct rip_block *rte)
 }
 
 static inline int
-rip_get_block(struct rip_proto *p, byte *pos, struct rip_block *rte)
+rip_get_block(struct rip_proto *p UNUSED4 UNUSED6, byte *pos, struct rip_block *rte)
 {
   if (rip_is_v2(p))
   {
@@ -630,7 +630,7 @@ rip_receive_response(struct rip_proto *p, struct rip_iface *ifa, struct rip_pack
 }
 
 static int
-rip_rx_hook(sock *sk, int len)
+rip_rx_hook(sock *sk, uint len)
 {
   struct rip_iface *ifa = sk->data;
   struct rip_proto *p = ifa->rip;
diff --git a/proto/rip/rip.c b/proto/rip/rip.c
index 36527253..37cfa9ac 100644
--- a/proto/rip/rip.c
+++ b/proto/rip/rip.c
@@ -1027,7 +1027,7 @@ rip_prepare_attrs(struct linpool *pool, ea_list *next, u8 metric, u16 tag)
 }
 
 static int
-rip_import_control(struct proto *P, struct rte **rt, struct ea_list **attrs, struct linpool *pool)
+rip_import_control(struct proto *P UNUSED, struct rte **rt, struct ea_list **attrs, struct linpool *pool)
 {
   /* Prepare attributes with initial values */
   if ((*rt)->attrs->source != RTS_RIP)
@@ -1144,7 +1144,7 @@ rip_reconfigure(struct proto *P, struct proto_config *c)
 }
 
 static void
-rip_get_route_info(rte *rte, byte *buf, ea_list *attrs)
+rip_get_route_info(rte *rte, byte *buf, ea_list *attrs UNUSED)
 {
   buf += bsprintf(buf, " (%d/%d)", rte->pref, rte->u.rip.metric);
 
diff --git a/proto/static/static.c b/proto/static/static.c
index d54302a8..0c088cd7 100644
--- a/proto/static/static.c
+++ b/proto/static/static.c
@@ -250,7 +250,7 @@ static_add(struct proto *p, struct static_config *cf, struct static_route *r)
 }
 
 static void
-static_rte_cleanup(struct proto *p, struct static_route *r)
+static_rte_cleanup(struct proto *p UNUSED, struct static_route *r)
 {
   struct static_route *r2;
 
@@ -435,7 +435,7 @@ static_if_notify(struct proto *p, unsigned flags, struct iface *i)
 }
 
 int
-static_rte_mergable(rte *pri, rte *sec)
+static_rte_mergable(rte *pri UNUSED, rte *sec UNUSED)
 {
   return 1;
 }
diff --git a/sysdep/bsd/krt-sock.c b/sysdep/bsd/krt-sock.c
index f2ae81c3..9c9df51d 100644
--- a/sysdep/bsd/krt-sock.c
+++ b/sysdep/bsd/krt-sock.c
@@ -898,7 +898,7 @@ kif_do_scan(struct kif_proto *p)
 /* Kernel sockets */
 
 static int
-krt_sock_hook(sock *sk, int size UNUSED)
+krt_sock_hook(sock *sk, uint size UNUSED)
 {
   struct ks_msg msg;
   int l = read(sk->fd, (char *)&msg, sizeof(msg));
@@ -918,7 +918,7 @@ krt_sock_err_hook(sock *sk, int e UNUSED)
 }
 
 static sock *
-krt_sock_open(pool *pool, void *data, int table_id)
+krt_sock_open(pool *pool, void *data, int table_id UNUSED)
 {
   sock *sk;
   int fd;
@@ -1074,7 +1074,7 @@ kif_sys_shutdown(struct kif_proto *p)
 
 
 struct ifa *
-kif_get_primary_ip(struct iface *i)
+kif_get_primary_ip(struct iface *i UNUSED6)
 {
 #ifndef IPV6
   static int fd = -1;
diff --git a/sysdep/bsd/krt-sys.h b/sysdep/bsd/krt-sys.h
index a63f8caf..353ffcec 100644
--- a/sysdep/bsd/krt-sys.h
+++ b/sysdep/bsd/krt-sys.h
@@ -45,7 +45,7 @@ struct krt_state {
 static inline void krt_sys_io_init(void) { }
 static inline void krt_sys_init(struct krt_proto *p UNUSED) { }
 
-static inline int krt_sys_get_attr(eattr *a UNUSED, byte *buf UNUSED, int buflen UNUSED) { }
+static inline int krt_sys_get_attr(eattr *a UNUSED, byte *buf UNUSED, int buflen UNUSED) { return 0; }
 
 
 #endif
diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h
index 6c20733f..8d87a3c3 100644
--- a/sysdep/bsd/sysio.h
+++ b/sysdep/bsd/sysio.h
@@ -28,7 +28,9 @@
 #endif
 
 
+#ifndef SA_LEN
 #define SA_LEN(x) (x).sa.sa_len
+#endif
 
 
 /*
@@ -133,12 +135,12 @@ sk_process_cmsg4_ttl(sock *s, struct cmsghdr *cm)
     s->rcv_ttl = * (byte *) CMSG_DATA(cm);
 }
 
+#ifdef IP_SENDSRCADDR
 static inline void
 sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen)
 {
   /* Unfortunately, IP_SENDSRCADDR does not work for raw IP sockets on BSD kernels */
 
-#ifdef IP_SENDSRCADDR
   struct cmsghdr *cm;
   struct in_addr *sa;
   int controllen = 0;
@@ -156,10 +158,13 @@ sk_prepare_cmsgs4(sock *s, struct msghdr *msg, void *cbuf, size_t cbuflen)
   *sa = ipa_to_in4(s->saddr);
 
   msg->msg_controllen = controllen;
-#endif
 }
+#else
+static inline void
+sk_prepare_cmsgs4(sock *s UNUSED, struct msghdr *msg UNUSED, void *cbuf UNUSED, size_t cbuflen UNUSED) { }
+#endif
 
-static void
+static void UNUSED
 sk_prepare_ip_header(sock *s, void *hdr, int dlen)
 {
   struct ip *ip = hdr;
@@ -200,7 +205,7 @@ sk_prepare_ip_header(sock *s, void *hdr, int dlen)
 #endif
 
 int
-sk_set_md5_auth(sock *s, ip_addr local, ip_addr remote, struct iface *ifa, char *passwd, int setkey UNUSED)
+sk_set_md5_auth(sock *s, ip_addr local UNUSED, ip_addr remote UNUSED, struct iface *ifa UNUSED, char *passwd, int setkey UNUSED)
 {
 #ifdef USE_MD5SIG_SETKEY
   if (setkey)
@@ -235,20 +240,20 @@ sk_set_min_ttl4(sock *s, int ttl)
 }
 
 static inline int
-sk_set_min_ttl6(sock *s, int ttl)
+sk_set_min_ttl6(sock *s, int ttl UNUSED)
 {
   ERR_MSG("Kernel does not support IPv6 TTL security");
 }
 
 static inline int
-sk_disable_mtu_disc4(sock *s)
+sk_disable_mtu_disc4(sock *s UNUSED)
 {
   /* TODO: Set IP_DONTFRAG to 0 ? */
   return 0;
 }
 
 static inline int
-sk_disable_mtu_disc6(sock *s)
+sk_disable_mtu_disc6(sock *s UNUSED)
 {
   /* TODO: Set IPV6_DONTFRAG to 0 ? */
   return 0;
diff --git a/sysdep/linux/krt-sys.h b/sysdep/linux/krt-sys.h
index 6d6586d1..76ae29b7 100644
--- a/sysdep/linux/krt-sys.h
+++ b/sysdep/linux/krt-sys.h
@@ -27,7 +27,7 @@ static inline void kif_sys_postconfig(struct kif_config *c UNUSED) { }
 static inline void kif_sys_init_config(struct kif_config *c UNUSED) { }
 static inline void kif_sys_copy_config(struct kif_config *d UNUSED, struct kif_config *s UNUSED) { }
 
-static inline struct ifa * kif_get_primary_ip(struct iface *i) { return NULL; }
+static inline struct ifa * kif_get_primary_ip(struct iface *i UNUSED) { return NULL; }
 
 
 /* Kernel routes */
diff --git a/sysdep/linux/netlink.c b/sysdep/linux/netlink.c
index 79dd1405..368e0ef9 100644
--- a/sysdep/linux/netlink.c
+++ b/sysdep/linux/netlink.c
@@ -487,7 +487,7 @@ nl_parse_multipath(struct krt_proto *p, struct rtattr *ra)
   struct rtattr *a[BIRD_RTA_MAX];
   struct rtnexthop *nh = RTA_DATA(ra);
   struct mpnh *rv, *first, **last;
-  int len = RTA_PAYLOAD(ra);
+  unsigned len = RTA_PAYLOAD(ra);
 
   first = NULL;
   last = &first;
@@ -1473,7 +1473,7 @@ nl_async_msg(struct nlmsghdr *h)
 }
 
 static int
-nl_async_hook(sock *sk, int size UNUSED)
+nl_async_hook(sock *sk, uint size UNUSED)
 {
   struct iovec iov = { nl_async_rx_buffer, NL_RX_SIZE };
   struct sockaddr_nl sa;
diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c
index 3ceadd98..873b5805 100644
--- a/sysdep/unix/io.c
+++ b/sysdep/unix/io.c
@@ -507,11 +507,11 @@ tm_format_datetime(char *x, struct timeformat *fmt_spec, bird_clock_t t)
  *	Sockaddr helper functions
  */
 
-static inline int sockaddr_length(int af)
+static inline int UNUSED sockaddr_length(int af)
 { return (af == AF_INET) ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6); }
 
 static inline void
-sockaddr_fill4(struct sockaddr_in *sa, ip_addr a, struct iface *ifa, uint port)
+sockaddr_fill4(struct sockaddr_in *sa, ip_addr a, uint port)
 {
   memset(sa, 0, sizeof(struct sockaddr_in));
 #ifdef HAVE_SIN_LEN
@@ -542,7 +542,7 @@ void
 sockaddr_fill(sockaddr *sa, int af, ip_addr a, struct iface *ifa, uint port)
 {
   if (af == AF_INET)
-    sockaddr_fill4((struct sockaddr_in *) sa, a, ifa, port);
+    sockaddr_fill4((struct sockaddr_in *) sa, a, port);
   else if (af == AF_INET6)
     sockaddr_fill6((struct sockaddr_in6 *) sa, a, ifa, port);
   else
@@ -550,7 +550,7 @@ sockaddr_fill(sockaddr *sa, int af, ip_addr a, struct iface *ifa, uint port)
 }
 
 static inline void
-sockaddr_read4(struct sockaddr_in *sa, ip_addr *a, struct iface **ifa, uint *port)
+sockaddr_read4(struct sockaddr_in *sa, ip_addr *a, uint *port)
 {
   *port = ntohs(sa->sin_port);
   *a = ipa_from_in4(sa->sin_addr);
@@ -573,7 +573,7 @@ sockaddr_read(sockaddr *sa, int af, ip_addr *a, struct iface **ifa, uint *port)
     goto fail;
 
   if (af == AF_INET)
-    sockaddr_read4((struct sockaddr_in *) sa, a, ifa, port);
+    sockaddr_read4((struct sockaddr_in *) sa, a, port);
   else if (af == AF_INET6)
     sockaddr_read6((struct sockaddr_in6 *) sa, a, ifa, port);
   else
@@ -770,7 +770,7 @@ sk_set_tos6(sock *s, int tos)
 }
 
 static inline int
-sk_set_high_port(sock *s)
+sk_set_high_port(sock *s UNUSED)
 {
   /* Port range setting is optional, ignore it if not supported */
 
diff --git a/sysdep/unix/krt.c b/sysdep/unix/krt.c
index ef98cb3a..07a55c0d 100644
--- a/sysdep/unix/krt.c
+++ b/sysdep/unix/krt.c
@@ -909,7 +909,7 @@ krt_scan_timer_start(struct krt_proto *p)
 }
 
 static void
-krt_scan_timer_stop(struct krt_proto *p)
+krt_scan_timer_stop(struct krt_proto *p UNUSED)
 {
   krt_scan_count--;
 
@@ -998,7 +998,7 @@ krt_store_tmp_attrs(rte *rt, struct ea_list *attrs)
 }
 
 static int
-krt_import_control(struct proto *P, rte **new, ea_list **attrs, struct linpool *pool)
+krt_import_control(struct proto *P, rte **new, ea_list **attrs UNUSED, struct linpool *pool UNUSED)
 {
   struct krt_proto *p = (struct krt_proto *) P;
   rte *e = *new;
diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c
index a7989920..35bc3fd1 100644
--- a/sysdep/unix/main.c
+++ b/sysdep/unix/main.c
@@ -73,7 +73,7 @@ async_dump(void)
 #else
 
 static inline void
-drop_uid(uid_t uid)
+drop_uid(uid_t uid UNUSED)
 {
   die("Cannot change user on this platform");
 }
@@ -419,7 +419,7 @@ cli_get_command(cli *c)
 }
 
 static int
-cli_rx(sock *s, int size UNUSED)
+cli_rx(sock *s, uint size UNUSED)
 {
   cli_kick(s->data);
   return 0;
@@ -439,7 +439,7 @@ cli_err(sock *s, int err)
 }
 
 static int
-cli_connect(sock *s, int size UNUSED)
+cli_connect(sock *s, uint size UNUSED)
 {
   cli *c;
 
diff --git a/sysdep/unix/unix.h b/sysdep/unix/unix.h
index 4e0ff841..3ef2e3ef 100644
--- a/sysdep/unix/unix.h
+++ b/sysdep/unix/unix.h
@@ -63,16 +63,16 @@ typedef struct sockaddr_bird {
 #endif
 
 
-static inline ip_addr ipa_from_in4(struct in_addr a)
+static inline ip_addr ipa_from_in4(struct in_addr a UNUSED6)
 { return ipa_from_u32(ntohl(a.s_addr)); }
 
-static inline ip_addr ipa_from_in6(struct in6_addr a)
+static inline ip_addr ipa_from_in6(struct in6_addr a UNUSED4)
 { return ipa_build6(ntohl(a.s6_addr32[0]), ntohl(a.s6_addr32[1]), ntohl(a.s6_addr32[2]), ntohl(a.s6_addr32[3])); }
 
-static inline ip_addr ipa_from_sa4(sockaddr *sa)
+static inline ip_addr ipa_from_sa4(sockaddr *sa UNUSED6)
 { return ipa_from_in4(((struct sockaddr_in *) sa)->sin_addr); }
 
-static inline ip_addr ipa_from_sa6(sockaddr *sa)
+static inline ip_addr ipa_from_sa6(sockaddr *sa UNUSED4)
 { return ipa_from_in6(((struct sockaddr_in6 *) sa)->sin6_addr); }
 
 static inline struct in_addr ipa_to_in4(ip_addr a)
@@ -83,7 +83,7 @@ static inline struct in6_addr ipa_to_in6(ip_addr a)
 { return (struct in6_addr) { .s6_addr32 = { htonl(_I0(a)), htonl(_I1(a)), htonl(_I2(a)), htonl(_I3(a)) } }; }
 #else
 /* Temporary dummy */
-static inline struct in6_addr ipa_to_in6(ip_addr a)
+static inline struct in6_addr ipa_to_in6(ip_addr a UNUSED)
 { return (struct in6_addr) { .s6_addr32 = { 0, 0, 0, 0 } }; }
 #endif
 

From 7eec3988758cb4c19a0ab3bf90cab2a4914165be Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 1 Nov 2016 16:18:27 +0100
Subject: [PATCH 29/37] BSD: Fix build on OpenBSD broken by previous commit

---
 sysdep/bsd/sysio.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysdep/bsd/sysio.h b/sysdep/bsd/sysio.h
index 8d87a3c3..2610a47b 100644
--- a/sysdep/bsd/sysio.h
+++ b/sysdep/bsd/sysio.h
@@ -28,9 +28,8 @@
 #endif
 
 
-#ifndef SA_LEN
+#undef  SA_LEN
 #define SA_LEN(x) (x).sa.sa_len
-#endif
 
 
 /*

From de2a27e255b6ec834d11c005909b28a150c7c0db Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 25 Oct 2016 17:04:17 +0200
Subject: [PATCH 30/37] Add generic message authentication interface

Add generic interface for generating and verifying MACs (message
authentication codes). Replace multiple HMAC implementation with
a generic one.
---
 lib/Doc             |   1 +
 lib/Modules         |   2 +
 lib/mac.c           | 289 ++++++++++++++++++++++++++++++++++++++++++++
 lib/mac.h           | 117 ++++++++++++++++++
 lib/md5.c           |  81 ++-----------
 lib/md5.h           |  21 +---
 lib/sha1.c          |  95 ++-------------
 lib/sha1.h          |  30 +----
 lib/sha256.c        | 150 +++--------------------
 lib/sha256.h        |  42 ++-----
 lib/sha512.c        | 150 +++--------------------
 lib/sha512.h        |  44 ++-----
 nest/password.c     |   2 +-
 nest/password.h     |   2 +-
 proto/ospf/packet.c |   5 +-
 proto/rip/packets.c |   5 +-
 16 files changed, 493 insertions(+), 543 deletions(-)
 create mode 100644 lib/mac.c
 create mode 100644 lib/mac.h

diff --git a/lib/Doc b/lib/Doc
index 8af1c669..632bf1f6 100644
--- a/lib/Doc
+++ b/lib/Doc
@@ -2,6 +2,7 @@ H Library functions
 S ip.c
 S lists.c
 S checksum.c bitops.c patmatch.c printf.c xmalloc.c tbf.c
+S mac.c
 D resource.sgml
 S resource.c
 S mempool.c
diff --git a/lib/Modules b/lib/Modules
index 745306d9..0e30b488 100644
--- a/lib/Modules
+++ b/lib/Modules
@@ -11,6 +11,8 @@ ip.h
 ip.c
 lists.c
 lists.h
+mac.c
+mac.h
 md5.c
 md5.h
 mempool.c
diff --git a/lib/mac.c b/lib/mac.c
new file mode 100644
index 00000000..977d6559
--- /dev/null
+++ b/lib/mac.c
@@ -0,0 +1,289 @@
+/*
+ *	BIRD Library -- Message Authentication Codes
+ *
+ *	(c) 2016 Ondrej Zajicek <santiago@crfreenet.org>
+ *	(c) 2016 CZ.NIC z.s.p.o.
+ *
+ *	Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+/**
+ * DOC: Message authentication codes
+ *
+ * MAC algorithms are simple cryptographic tools for message authentication.
+ * They use shared a secret key a and message text to generate authentication
+ * code, which is then passed with the message to the other side, where the code
+ * is verified. There are multiple families of MAC algorithms based on different
+ * cryptographic primitives, BIRD implements two MAC families which use hash
+ * functions.
+ *
+ * The first family is simply a cryptographic hash camouflaged as MAC algorithm.
+ * Originally supposed to be (m|k)-hash (message is concatenated with key, and
+ * that is hashed), but later it turned out that a raw hash is more practical.
+ * This is used for cryptographic authentication in OSPFv2, RIP and BFD.
+ *
+ * The second family is the standard HMAC (RFC 2104), using inner and outer hash
+ * to process key and message. HMAC (with SHA) is used in advanced OSPF and RIP
+ * authentication (RFC 5709, RFC 4822).
+ */
+
+#include "lib/mac.h"
+#include "lib/md5.h"
+#include "lib/sha1.h"
+#include "lib/sha256.h"
+#include "lib/sha512.h"
+
+
+/*
+ *	Internal hash calls
+ */
+
+static inline void
+hash_init(struct mac_context *mctx, struct hash_context *hctx)
+{ mctx->type->hash_init(hctx); }
+
+static inline void
+hash_update(struct mac_context *mctx, struct hash_context *hctx, const byte *buf, uint len)
+{ mctx->type->hash_update(hctx, buf, len); }
+
+static inline byte *
+hash_final(struct mac_context *mctx, struct hash_context *hctx)
+{ return mctx->type->hash_final(hctx); }
+
+static inline void
+hash_buffer(struct mac_context *mctx, byte *outbuf, const byte *buffer, uint length)
+{
+  struct hash_context hctx;
+
+  hash_init(mctx, &hctx);
+  hash_update(mctx, &hctx, buffer, length);
+  memcpy(outbuf, hash_final(mctx, &hctx), mctx->type->hash_size);
+}
+
+
+/*
+ *	(not-really-MAC) Hash
+ */
+
+static void
+nrmh_init(struct mac_context *ctx, const byte *key UNUSED, uint keylen UNUSED)
+{
+  struct nrmh_context *ct = (void *) ctx;
+  hash_init(ctx, &ct->ictx);
+}
+
+static void
+nrmh_update(struct mac_context *ctx, const byte *data, uint datalen)
+{
+  struct nrmh_context *ct = (void *) ctx;
+  hash_update(ctx, &ct->ictx, data, datalen);
+}
+
+static byte *
+nrmh_final(struct mac_context *ctx)
+{
+  struct nrmh_context *ct = (void *) ctx;
+  return hash_final(ctx, &ct->ictx);
+}
+
+
+/*
+ *	HMAC
+ */
+
+static void
+hmac_init(struct mac_context *ctx, const byte *key, uint keylen)
+{
+  struct hmac_context *ct = (void *) ctx;
+  uint block_size = ctx->type->block_size;
+  uint hash_size = ctx->type->hash_size;
+
+  byte *keybuf = alloca(block_size);
+  byte *buf = alloca(block_size);
+  uint i;
+
+  /* Hash the key if necessary */
+  if (keylen <= block_size)
+  {
+    memcpy(keybuf, key, keylen);
+    memset(keybuf + keylen, 0, block_size - keylen);
+  }
+  else
+  {
+    hash_buffer(ctx, keybuf, key, keylen);
+    memset(keybuf + hash_size, 0, block_size - hash_size);
+  }
+
+  /* Initialize the inner digest */
+  hash_init(ctx, &ct->ictx);
+  for (i = 0; i < block_size; i++)
+    buf[i] = keybuf[i] ^ 0x36;
+  hash_update(ctx, &ct->ictx, buf, block_size);
+
+  /* Initialize the outer digest */
+  hash_init(ctx, &ct->octx);
+  for (i = 0; i < block_size; i++)
+    buf[i] = keybuf[i] ^ 0x5c;
+  hash_update(ctx, &ct->octx, buf, block_size);
+}
+
+static void
+hmac_update(struct mac_context *ctx, const byte *data, uint datalen)
+{
+  struct hmac_context *ct = (void *) ctx;
+
+  /* Just update the inner digest */
+  hash_update(ctx, &ct->ictx, data, datalen);
+}
+
+static byte *
+hmac_final(struct mac_context *ctx)
+{
+  struct hmac_context *ct = (void *) ctx;
+
+  /* Finish the inner digest */
+  byte *isha = hash_final(ctx, &ct->ictx);
+
+  /* Finish the outer digest */
+  hash_update(ctx, &ct->octx, isha, ctx->type->hash_size);
+  return hash_final(ctx, &ct->octx);
+}
+
+
+/*
+ *	Common code
+ */
+
+#define HASH_DESC(name, px, PX) \
+  { name, PX##_SIZE, sizeof(struct nrmh_context), nrmh_init, nrmh_update, nrmh_final, \
+    PX##_SIZE, PX##_BLOCK_SIZE, px##_init, px##_update, px##_final }
+
+#define HMAC_DESC(name, px, PX)						\
+  { name, PX##_SIZE, sizeof(struct hmac_context), hmac_init, hmac_update, hmac_final, \
+    PX##_SIZE, PX##_BLOCK_SIZE, px##_init, px##_update, px##_final }
+
+const struct mac_desc mac_table[ALG_MAX] = {
+  [ALG_MD5] =		HASH_DESC("Keyed MD5",		md5,	MD5),
+  [ALG_SHA1] =		HASH_DESC("Keyed SHA-1",	sha1,	SHA1),
+  [ALG_SHA224] =	HASH_DESC("Keyed SHA-224",	sha224,	SHA224),
+  [ALG_SHA256] = 	HASH_DESC("Keyed SHA-256",	sha256,	SHA256),
+  [ALG_SHA384] = 	HASH_DESC("Keyed SHA-384",	sha384,	SHA384),
+  [ALG_SHA512] = 	HASH_DESC("Keyed SHA-512",	sha512,	SHA512),
+  [ALG_HMAC_MD5] = 	HMAC_DESC("HMAC-MD5",		md5,	MD5),
+  [ALG_HMAC_SHA1] = 	HMAC_DESC("HMAC-SHA-1",		sha1,	SHA1),
+  [ALG_HMAC_SHA224] = 	HMAC_DESC("HMAC-SHA-224",	sha224,	SHA224),
+  [ALG_HMAC_SHA256] = 	HMAC_DESC("HMAC-SHA-256",	sha256,	SHA256),
+  [ALG_HMAC_SHA384] = 	HMAC_DESC("HMAC-SHA-384",	sha384,	SHA384),
+  [ALG_HMAC_SHA512] = 	HMAC_DESC("HMAC-SHA-512",	sha512,	SHA512),
+};
+
+
+/**
+ * mac_init - initialize MAC algorithm
+ * @ctx: context to initialize
+ * @id: MAC algorithm ID
+ * @key: MAC key
+ * @keylen: MAC key length
+ *
+ * Initialize MAC context @ctx for algorithm @id (e.g., %ALG_HMAC_SHA1), with
+ * key @key of length @keylen. After that, message data could be added using
+ * mac_update() function.
+ */
+void
+mac_init(struct mac_context *ctx, uint id, const byte *key, uint keylen)
+{
+  ctx->type = &mac_table[id];
+  ctx->type->init(ctx, key, keylen);
+}
+
+#if 0
+/**
+ * mac_update - add more data to MAC algorithm
+ * @ctx: MAC context
+ * @data: data to add
+ * @datalen: length of data
+ *
+ * Push another @datalen bytes of data pointed to by @data into the MAC
+ * algorithm currently in @ctx. Can be called multiple times for the same MAC
+ * context. It has the same effect as concatenating all the data together and
+ * passing them at once.
+ */
+void mac_update(struct mac_context *ctx, const byte *data, uint datalen)
+{ DUMMY; }
+
+/**
+ * mac_final - finalize MAC algorithm
+ * @ctx: MAC context
+ *
+ * Finish MAC computation and return a pointer to the result. No more
+ * @mac_update() calls could be done, but the context may be reinitialized
+ * later.
+ *
+ * Note that the returned pointer points into data in the @ctx context. If it
+ * ceases to exist, the pointer becomes invalid.
+ */
+byte *mac_final(struct mac_context *ctx)
+{ DUMMY; }
+
+/**
+ * mac_cleanup - cleanup MAC context
+ * @ctx: MAC context
+ *
+ * Cleanup MAC context after computation (by filling with zeros). Not strictly
+ * necessary, just to erase sensitive data from stack. This also invalidates the
+ * pointer returned by @mac_final().
+ */
+void mac_cleanup(struct mac_context *ctx)
+{ DUMMY; }
+
+#endif
+
+/**
+ * mac_fill - compute and fill MAC
+ * @id: MAC algorithm ID
+ * @key: secret key
+ * @keylen: key length
+ * @data: message data
+ * @datalen: message length
+ * @mac: place to fill MAC
+ *
+ * Compute MAC for specified key @key and message @data using algorithm @id and
+ * copy it to buffer @mac. mac_fill() is a shortcut function doing all usual
+ * steps for transmitted messages.
+ */
+void
+mac_fill(uint id, const byte *key, uint keylen, const byte *data, uint datalen, byte *mac)
+{
+  struct mac_context ctx;
+
+  mac_init(&ctx, id, key, keylen);
+  mac_update(&ctx, data, datalen);
+  memcpy(mac, mac_final(&ctx), mac_get_length(&ctx));
+  mac_cleanup(&ctx);
+}
+
+/**
+ * mac_verify - compute and verify MAC
+ * @id: MAC algorithm ID
+ * @key: secret key
+ * @keylen: key length
+ * @data: message data
+ * @datalen: message length
+ * @mac: received MAC
+ *
+ * Compute MAC for specified key @key and message @data using algorithm @id and
+ * compare it with received @mac, return whether they are the same. mac_verify()
+ * is a shortcut function doing all usual steps for received messages.
+ */
+int
+mac_verify(uint id, const byte *key, uint keylen, const byte *data, uint datalen, const byte *mac)
+{
+  struct mac_context ctx;
+
+  mac_init(&ctx, id, key, keylen);
+  mac_update(&ctx, data, datalen);
+  int res = !memcmp(mac, mac_final(&ctx), mac_get_length(&ctx));
+  mac_cleanup(&ctx);
+
+  return res;
+}
diff --git a/lib/mac.h b/lib/mac.h
new file mode 100644
index 00000000..9dba8f89
--- /dev/null
+++ b/lib/mac.h
@@ -0,0 +1,117 @@
+/*
+ *	BIRD Library -- Message Authentication Codes
+ *
+ *	(c) 2016 Ondrej Zajicek <santiago@crfreenet.org>
+ *	(c) 2016 CZ.NIC z.s.p.o.
+ *
+ *	Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#ifndef _BIRD_MAC_H_
+#define _BIRD_MAC_H_
+
+#include "nest/bird.h"
+#include "lib/sha512.h"
+
+
+#define ALG_UNDEFINED		0
+#define ALG_MD5			0x01
+#define ALG_SHA1		0x02
+#define ALG_SHA224		0x03
+#define ALG_SHA256		0x04
+#define ALG_SHA384		0x05
+#define ALG_SHA512		0x06
+#define ALG_HMAC_MD5		0x11
+#define ALG_HMAC_SHA1		0x12
+#define ALG_HMAC_SHA224		0x13
+#define ALG_HMAC_SHA256		0x14
+#define ALG_HMAC_SHA384		0x15
+#define ALG_HMAC_SHA512		0x16
+#define ALG_MAX			0x17
+
+/* These are maximums for HASH/MAC lengths and required context space */
+#define MAX_HASH_SIZE		SHA512_SIZE
+#define HASH_STORAGE		sizeof(struct sha512_context)
+#define MAC_STORAGE		sizeof(struct hmac_context)
+
+/* Generic context used by hash functions */
+struct hash_context
+{
+  u8 data[HASH_STORAGE];
+  u64 align[0];
+};
+
+/* Context for embedded hash (not-really-MAC hash) */
+struct nrmh_context {
+  const struct mac_desc *type;
+  struct hash_context ictx;
+};
+
+/* Context for hash based HMAC */
+struct hmac_context {
+  const struct mac_desc *type;
+  struct hash_context ictx;
+  struct hash_context octx;
+};
+
+/* Generic context used by MAC functions */
+struct mac_context
+{
+  const struct mac_desc *type;
+  u8 data[MAC_STORAGE - sizeof(void *)];
+  u64 align[0];
+};
+
+/* Union to satisfy C aliasing rules */
+union mac_context_union {
+  struct mac_context mac;
+  struct nrmh_context nrmh;
+  struct hmac_context hmac;
+};
+
+
+struct mac_desc {
+  const char *name;			/* Name of MAC algorithm */
+  uint mac_length;			/* Length of authentication code */
+  uint ctx_length;			/* Length of algorithm context */
+  void (*init)(struct mac_context *ctx, const byte *key, uint keylen);
+  void (*update)(struct mac_context *ctx, const byte *data, uint datalen);
+  byte *(*final)(struct mac_context *ctx);
+
+  uint hash_size;			/* Hash length, for hash-based MACs */
+  uint block_size;			/* Hash block size, for hash-based MACs */
+  void (*hash_init)(struct hash_context *ctx);
+  void (*hash_update)(struct hash_context *ctx, const byte *data, uint datalen);
+  byte *(*hash_final)(struct hash_context *ctx);
+};
+
+const struct mac_desc mac_table[ALG_MAX];
+
+static inline const char *mac_type_name(uint id)
+{ return mac_table[id].name; }
+
+static inline uint mac_type_length(uint id)
+{ return mac_table[id].mac_length; }
+
+static inline const char *mac_get_name(struct mac_context *ctx)
+{ return ctx->type->name; }
+
+static inline uint mac_get_length(struct mac_context *ctx)
+{ return ctx->type->mac_length; }
+
+void mac_init(struct mac_context *ctx, uint id, const byte *key, uint keylen);
+
+static inline void mac_update(struct mac_context *ctx, const byte *data, uint datalen)
+{ ctx->type->update(ctx, data, datalen); }
+
+static inline byte *mac_final(struct mac_context *ctx)
+{ return ctx->type->final(ctx); }
+
+static inline void mac_cleanup(struct mac_context *ctx)
+{ memset(ctx, 0, ctx->type->ctx_length); }
+
+void mac_fill(uint id, const byte *key, uint keylen, const byte *data, uint datalen, byte *mac);
+int mac_verify(uint id, const byte *key, uint keylen, const byte *data, uint datalen, const byte *mac);
+
+
+#endif /* _BIRD_MAC_H_ */
diff --git a/lib/md5.c b/lib/md5.c
index 8efa62d6..df49de5d 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -39,8 +39,10 @@ static void md5_transform(u32 buf[4], u32 const in[16]);
  * initialization constants.
  */
 void
-md5_init(struct md5_context *ctx)
+md5_init(struct hash_context *CTX)
 {
+  struct md5_context *ctx = (void *) CTX;
+
   ctx->buf[0] = 0x67452301;
   ctx->buf[1] = 0xefcdab89;
   ctx->buf[2] = 0x98badcfe;
@@ -55,8 +57,9 @@ md5_init(struct md5_context *ctx)
  * of bytes.
  */
 void
-md5_update(struct md5_context *ctx, const byte *buf, uint len)
+md5_update(struct hash_context *CTX, const byte *buf, uint len)
 {
+  struct md5_context *ctx = (void *) CTX;
   u32 t;
 
   /* Update bitcount */
@@ -105,8 +108,9 @@ md5_update(struct md5_context *ctx, const byte *buf, uint len)
  * 1 0* (64-bit count of bits processed, MSB-first)
  */
 byte *
-md5_final(struct md5_context *ctx)
+md5_final(struct hash_context *CTX)
 {
+  struct md5_context *ctx = (void *) CTX;
   uint count;
   byte *p;
 
@@ -149,13 +153,6 @@ md5_final(struct md5_context *ctx)
   return (byte*) ctx->buf;
 }
 
-/* I am a hard paranoid */
-void
-md5_erase_ctx(struct md5_context *ctx)
-{
-  memset((char *) ctx, 0, sizeof(*ctx));	/* In case it's sensitive */
-}
-
 /* The four core functions - F1 is optimized somewhat */
 
 /* #define F1(x, y, z) (x & y | ~x & z) */
@@ -256,67 +253,3 @@ md5_transform(u32 buf[4], u32 const in[16])
   buf[2] += c;
   buf[3] += d;
 }
-
-
-/*
- * 	MD5-HMAC
- */
-
-static void
-md5_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
-{
-  struct md5_context hd_tmp;
-
-  md5_init(&hd_tmp);
-  md5_update(&hd_tmp, buffer, length);
-  memcpy(outbuf, md5_final(&hd_tmp), MD5_SIZE);
-}
-
-void
-md5_hmac_init(struct md5_hmac_context *ctx, const byte *key, size_t keylen)
-{
-  byte keybuf[MD5_BLOCK_SIZE], buf[MD5_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= MD5_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    bzero(keybuf + keylen, MD5_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    md5_hash_buffer(keybuf, key, keylen);
-    bzero(keybuf + MD5_SIZE, MD5_BLOCK_SIZE - MD5_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  md5_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < MD5_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  md5_update(&ctx->ictx, buf, MD5_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  md5_init(&ctx->octx);
-  for (i = 0; i < MD5_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  md5_update(&ctx->octx, buf, MD5_BLOCK_SIZE);
-}
-
-void
-md5_hmac_update(struct md5_hmac_context *ctx, const byte *buf, size_t buflen)
-{
-  /* Just update the inner digest */
-  md5_update(&ctx->ictx, buf, buflen);
-}
-
-byte *
-md5_hmac_final(struct md5_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = md5_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  md5_update(&ctx->octx, isha, MD5_SIZE);
-  return md5_final(&ctx->octx);
-}
diff --git a/lib/md5.h b/lib/md5.h
index 034d764c..4e001851 100644
--- a/lib/md5.h
+++ b/lib/md5.h
@@ -19,29 +19,18 @@
 #define MD5_BLOCK_SIZE		64
 
 
+struct hash_context;
+
 struct md5_context {
   u32 buf[4];
   u32 bits[2];
   byte in[64];
 };
 
-void md5_init(struct md5_context *ctx);
-void md5_update(struct md5_context *ctx, const byte *buf, uint len);
-byte *md5_final(struct md5_context *ctx);
 
-
-/*
- *	HMAC-MD5
- */
-
-struct md5_hmac_context {
-  struct md5_context ictx;
-  struct md5_context octx;
-};
-
-void md5_hmac_init(struct md5_hmac_context *ctx, const byte *key, size_t keylen);
-void md5_hmac_update(struct md5_hmac_context *ctx, const byte *buf, size_t buflen);
-byte *md5_hmac_final(struct md5_hmac_context *ctx);
+void md5_init(struct hash_context *ctx);
+void md5_update(struct hash_context *ctx, const byte *buf, uint len);
+byte *md5_final(struct hash_context *ctx);
 
 
 #endif /* _BIRD_MD5_H_ */
diff --git a/lib/sha1.c b/lib/sha1.c
index 73b4b280..d6298b89 100644
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -1,5 +1,5 @@
 /*
- *	BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1
+ *	BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174)
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -17,8 +17,10 @@
 
 
 void
-sha1_init(struct sha1_context *ctx)
+sha1_init(struct hash_context *CTX)
 {
+  struct sha1_context *ctx = (void *) CTX;
+
   ctx->h0 = 0x67452301;
   ctx->h1 = 0xefcdab89;
   ctx->h2 = 0x98badcfe;
@@ -167,8 +169,10 @@ sha1_transform(struct sha1_context *ctx, const byte *data)
  * Update the message digest with the contents of BUF with length LEN.
  */
 void
-sha1_update(struct sha1_context *ctx, const byte *buf, uint len)
+sha1_update(struct hash_context *CTX, const byte *buf, uint len)
 {
+  struct sha1_context *ctx = (void *) CTX;
+
   if (ctx->count)
   {
     /* Fill rest of internal buffer */
@@ -209,11 +213,12 @@ sha1_update(struct sha1_context *ctx, const byte *buf, uint len)
  * Returns: 20 bytes representing the digest.
  */
 byte *
-sha1_final(struct sha1_context *ctx)
+sha1_final(struct hash_context *CTX)
 {
+  struct sha1_context *ctx = (void *) CTX;
   u32 t, msb, lsb;
 
-  sha1_update(ctx, NULL, 0);	/* flush */
+  sha1_update(CTX, NULL, 0);	/* flush */
 
   t = ctx->nblocks;
   /* multiply by 64 to make a byte count */
@@ -242,7 +247,7 @@ sha1_final(struct sha1_context *ctx)
     ctx->buf[ctx->count++] = 0x80; /* pad character */
     while (ctx->count < 64)
       ctx->buf[ctx->count++] = 0;
-    sha1_update(ctx, NULL, 0);	/* flush */
+    sha1_update(CTX, NULL, 0);	/* flush */
     memset(ctx->buf, 0, 56); /* fill next block with zeroes */
   }
 
@@ -268,81 +273,3 @@ sha1_final(struct sha1_context *ctx)
 
   return ctx->buf;
 }
-
-
-/*
- *	SHA1-HMAC
- */
-
-/*
- * Shortcut function which puts the hash value of the supplied buffer
- * into outbuf which must have a size of 20 bytes.
- */
-void
-sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length)
-{
-  struct sha1_context ctx;
-
-  sha1_init(&ctx);
-  sha1_update(&ctx, buffer, length);
-  memcpy(outbuf, sha1_final(&ctx), SHA1_SIZE);
-}
-
-void
-sha1_hmac_init(struct sha1_hmac_context *ctx, const byte *key, uint keylen)
-{
-  byte keybuf[SHA1_BLOCK_SIZE], buf[SHA1_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= SHA1_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    memset(keybuf + keylen, 0, SHA1_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    sha1_hash_buffer(keybuf, key, keylen);
-    memset(keybuf + SHA1_SIZE, 0, SHA1_BLOCK_SIZE - SHA1_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  sha1_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < SHA1_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  sha1_update(&ctx->ictx, buf, SHA1_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  sha1_init(&ctx->octx);
-  for (i = 0; i < SHA1_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  sha1_update(&ctx->octx, buf, SHA1_BLOCK_SIZE);
-}
-
-void
-sha1_hmac_update(struct sha1_hmac_context *ctx, const byte *data, uint datalen)
-{
-  /* Just update the inner digest */
-  sha1_update(&ctx->ictx, data, datalen);
-}
-
-byte *
-sha1_hmac_final(struct sha1_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = sha1_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  sha1_update(&ctx->octx, isha, SHA1_SIZE);
-  return sha1_final(&ctx->octx);
-}
-
-void
-sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen)
-{
-  struct sha1_hmac_context ctx;
-
-  sha1_hmac_init(&ctx, key, keylen);
-  sha1_hmac_update(&ctx, data, datalen);
-  memcpy(outbuf, sha1_hmac_final(&ctx), SHA1_SIZE);
-}
diff --git a/lib/sha1.h b/lib/sha1.h
index c019bb49..8666a651 100644
--- a/lib/sha1.h
+++ b/lib/sha1.h
@@ -1,5 +1,5 @@
 /*
- *	BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1
+ *	BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174)
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -27,6 +27,8 @@
  * Internal SHA1 state.
  * You should use it just as an opaque handle only.
  */
+struct hash_context;
+
 struct sha1_context {
   u32 h0, h1, h2, h3, h4;
   byte buf[SHA1_BLOCK_SIZE];
@@ -34,15 +36,14 @@ struct sha1_context {
   uint count;
 };
 
-
-void sha1_init(struct sha1_context *ctx); /* Initialize new algorithm run in the @ctx context. **/
+void sha1_init(struct hash_context *ctx); /* Initialize new algorithm run in the @ctx context. **/
 /*
  * Push another @len bytes of data pointed to by @buf onto the SHA1 hash
  * currently in @ctx. You can call this any times you want on the same hash (and
  * you do not need to reinitialize it by @sha1_init()). It has the same effect
  * as concatenating all the data together and passing them at once.
  */
-void sha1_update(struct sha1_context *ctx, const byte *buf, uint len);
+void sha1_update(struct hash_context *ctx, const byte *buf, uint len);
 /*
  * No more @sha1_update() calls will be done. This terminates the hash and
  * returns a pointer to it.
@@ -50,7 +51,7 @@ void sha1_update(struct sha1_context *ctx, const byte *buf, uint len);
  * Note that the pointer points into data in the @ctx context. If it ceases to
  * exist, the pointer becomes invalid.
  */
-byte *sha1_final(struct sha1_context *ctx);
+byte *sha1_final(struct hash_context *ctx);
 
 /*
  * A convenience one-shot function for SHA1 hash. It is equivalent to this
@@ -63,24 +64,5 @@ byte *sha1_final(struct sha1_context *ctx);
  */
 void sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length);
 
-/*
- * SHA1 HMAC message authentication. If you provide @key and @data, the result
- * will be stored in @outbuf.
- */
-void sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen);
-
-/*
- * The HMAC also exists in a stream version in a way analogous to the plain
- * SHA1. Pass this as a context.
- */
-struct sha1_hmac_context {
-  struct sha1_context ictx;
-  struct sha1_context octx;
-};
-
-void sha1_hmac_init(struct sha1_hmac_context *ctx, const byte *key, uint keylen);	/* Initialize HMAC with context @ctx and the given key. See sha1_init(). */
-void sha1_hmac_update(struct sha1_hmac_context *ctx, const byte *data, uint datalen);	/* Hash another @datalen bytes of data. See sha1_update(). */
-byte *sha1_hmac_final(struct sha1_hmac_context *ctx);					/* Terminate the HMAC and return a pointer to the allocated hash. See sha1_final(). */
-
 
 #endif /* _BIRD_SHA1_H_ */
diff --git a/lib/sha256.c b/lib/sha256.c
index 440245d5..11ff2b05 100644
--- a/lib/sha256.c
+++ b/lib/sha256.c
@@ -1,6 +1,5 @@
 /*
- *	BIRD Library -- SHA-256 and SHA-224 Hash Functions,
- *			HMAC-SHA-256 and HMAC-SHA-224 Functions
+ *	BIRD Library -- SHA-256 and SHA-224 Hash Functions
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -17,8 +16,10 @@
 // #define SHA256_UNROLLED
 
 void
-sha256_init(struct sha256_context *ctx)
+sha256_init(struct hash_context *CTX)
 {
+  struct sha256_context *ctx = (void *) CTX;
+
   ctx->h0 = 0x6a09e667;
   ctx->h1 = 0xbb67ae85;
   ctx->h2 = 0x3c6ef372;
@@ -33,8 +34,10 @@ sha256_init(struct sha256_context *ctx)
 }
 
 void
-sha224_init(struct sha224_context *ctx)
+sha224_init(struct hash_context *CTX)
 {
+  struct sha224_context *ctx = (void *) CTX;
+
   ctx->h0 = 0xc1059ed8;
   ctx->h1 = 0x367cd507;
   ctx->h2 = 0x3070dd17;
@@ -219,8 +222,10 @@ sha256_transform(struct sha256_context *ctx, const byte *data)
    not have any meaning but writing after finalize is sometimes
    helpful to mitigate timing attacks. */
 void
-sha256_update(struct sha256_context *ctx, const byte *buf, size_t len)
+sha256_update(struct hash_context *CTX, const byte *buf, uint len)
 {
+  struct sha256_context *ctx = (void *) CTX;
+
   if (ctx->count)
   {
     /* Fill rest of internal buffer */
@@ -261,11 +266,12 @@ sha256_update(struct sha256_context *ctx, const byte *buf, size_t len)
  * Returns: 32 bytes with the message the digest. 28 bytes for SHA-224.
  */
 byte *
-sha256_final(struct sha256_context *ctx)
+sha256_final(struct hash_context *CTX)
 {
+  struct sha256_context *ctx = (void *) CTX;
   u32 t, th, msb, lsb;
 
-  sha256_update(ctx, NULL, 0);	/* flush */
+  sha256_update(CTX, NULL, 0);	/* flush */
 
   t = ctx->nblocks;
   th = 0;
@@ -296,7 +302,7 @@ sha256_final(struct sha256_context *ctx)
     ctx->buf[ctx->count++] = 0x80; /* pad character */
     while (ctx->count < 64)
       ctx->buf[ctx->count++] = 0;
-    sha256_update(ctx, NULL, 0);  /* flush */;
+    sha256_update(CTX, NULL, 0);  /* flush */;
     memset(ctx->buf, 0, 56 ); /* fill next block with zeroes */
   }
 
@@ -319,131 +325,3 @@ sha256_final(struct sha256_context *ctx)
 
   return ctx->buf;
 }
-
-
-/*
- *	SHA256-HMAC
- */
-
-static void
-sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
-{
-  struct sha256_context ctx;
-
-  sha256_init(&ctx);
-  sha256_update(&ctx, buffer, length);
-  memcpy(outbuf, sha256_final(&ctx), SHA256_SIZE);
-}
-
-void
-sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen)
-{
-  byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= SHA256_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    memset(keybuf + keylen, 0, SHA256_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    sha256_hash_buffer(keybuf, key, keylen);
-    memset(keybuf + SHA256_SIZE, 0, SHA256_BLOCK_SIZE - SHA256_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  sha256_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  sha256_init(&ctx->octx);
-  for (i = 0; i < SHA256_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE);
-}
-
-void
-sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen)
-{
-  /* Just update the inner digest */
-  sha256_update(&ctx->ictx, buf, buflen);
-}
-
-byte *
-sha256_hmac_final(struct sha256_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = sha256_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  sha256_update(&ctx->octx, isha, SHA256_SIZE);
-  return sha256_final(&ctx->octx);
-}
-
-
-/*
- *	SHA224-HMAC
- */
-
-static void
-sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
-{
-  struct sha224_context ctx;
-
-  sha224_init(&ctx);
-  sha224_update(&ctx, buffer, length);
-  memcpy(outbuf, sha224_final(&ctx), SHA224_SIZE);
-}
-
-void
-sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen)
-{
-  byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= SHA224_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    memset(keybuf + keylen, 0, SHA224_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    sha224_hash_buffer(keybuf, key, keylen);
-    memset(keybuf + SHA224_SIZE, 0, SHA224_BLOCK_SIZE - SHA224_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  sha224_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  sha224_init(&ctx->octx);
-  for (i = 0; i < SHA224_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE);
-}
-
-void
-sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen)
-{
-  /* Just update the inner digest */
-  sha256_update(&ctx->ictx, buf, buflen);
-}
-
-byte *
-sha224_hmac_final(struct sha224_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = sha224_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  sha224_update(&ctx->octx, isha, SHA224_SIZE);
-  return sha224_final(&ctx->octx);
-}
diff --git a/lib/sha256.h b/lib/sha256.h
index 381200a9..88a948eb 100644
--- a/lib/sha256.h
+++ b/lib/sha256.h
@@ -1,6 +1,5 @@
 /*
- *	BIRD Library -- SHA-256 and SHA-224 Hash Functions,
- *			HMAC-SHA-256 and HMAC-SHA-224 Functions
+ *	BIRD Library -- SHA-256 and SHA-224 Hash Functions
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -25,6 +24,8 @@
 #define SHA256_BLOCK_SIZE 	64
 
 
+struct hash_context;
+
 struct sha256_context {
   u32  h0, h1, h2, h3, h4, h5, h6, h7;
   byte buf[SHA256_BLOCK_SIZE];
@@ -35,39 +36,14 @@ struct sha256_context {
 #define sha224_context sha256_context
 
 
-void sha256_init(struct sha256_context *ctx);
-void sha224_init(struct sha224_context *ctx);
+void sha256_init(struct hash_context *ctx);
+void sha224_init(struct hash_context *ctx);
 
-void sha256_update(struct sha256_context *ctx, const byte *buf, size_t len);
-static inline void sha224_update(struct sha224_context *ctx, const byte *buf, size_t len)
-{ sha256_update(ctx, buf, len); }
+void sha256_update(struct hash_context *ctx, const byte *buf, uint len);
+#define sha224_update sha256_update
 
-byte *sha256_final(struct sha256_context *ctx);
-static inline byte *sha224_final(struct sha224_context *ctx)
-{ return sha256_final(ctx); }
-
-
-/*
- *	HMAC-SHA256, HMAC-SHA224
- */
-
-struct sha256_hmac_context
-{
-  struct sha256_context ictx;
-  struct sha256_context octx;
-};
-
-#define sha224_hmac_context sha256_hmac_context
-
-
-void sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen);
-void sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen);
-
-void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen);
-void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen);
-
-byte *sha256_hmac_final(struct sha256_hmac_context *ctx);
-byte *sha224_hmac_final(struct sha224_hmac_context *ctx);
+byte *sha256_final(struct hash_context *ctx);
+#define sha224_final sha256_final
 
 
 #endif /* _BIRD_SHA256_H_ */
diff --git a/lib/sha512.c b/lib/sha512.c
index 37e660f7..576ae1e8 100644
--- a/lib/sha512.c
+++ b/lib/sha512.c
@@ -1,6 +1,5 @@
 /*
- *	BIRD Library -- SHA-512 and SHA-384 Hash Functions,
- *			HMAC-SHA-512 and HMAC-SHA-384 Functions
+ *	BIRD Library -- SHA-512 and SHA-384 Hash Functions
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -17,8 +16,10 @@
 // #define SHA512_UNROLLED
 
 void
-sha512_init(struct sha512_context *ctx)
+sha512_init(struct hash_context *CTX)
 {
+  struct sha512_context *ctx = (void *) CTX;
+
   ctx->h0 = U64(0x6a09e667f3bcc908);
   ctx->h1 = U64(0xbb67ae8584caa73b);
   ctx->h2 = U64(0x3c6ef372fe94f82b);
@@ -33,8 +34,10 @@ sha512_init(struct sha512_context *ctx)
 }
 
 void
-sha384_init(struct sha384_context *ctx)
+sha384_init(struct hash_context *CTX)
 {
+  struct sha384_context *ctx = (void *) CTX;
+
   ctx->h0 = U64(0xcbbb9d5dc1059ed8);
   ctx->h1 = U64(0x629a292a367cd507);
   ctx->h2 = U64(0x9159015a3070dd17);
@@ -389,8 +392,10 @@ sha512_transform(struct sha512_context *ctx, const byte *data)
 }
 
 void
-sha512_update(struct sha512_context *ctx, const byte *buf, size_t len)
+sha512_update(struct hash_context *CTX, const byte *buf, uint len)
 {
+  struct sha512_context *ctx = (void *) CTX;
+
   if (ctx->count)
   {
     /* Fill rest of internal buffer */
@@ -432,11 +437,12 @@ sha512_update(struct sha512_context *ctx, const byte *buf, size_t len)
  * first 48 of those bytes.
  */
 byte *
-sha512_final(struct sha512_context *ctx)
+sha512_final(struct hash_context *CTX)
 {
+  struct sha512_context *ctx = (void *) CTX;
   u64 t, th, msb, lsb;
 
-  sha512_update(ctx, NULL, 0);	/* flush */
+  sha512_update(CTX, NULL, 0);	/* flush */
 
   t = ctx->nblocks;
   th = 0;
@@ -467,7 +473,7 @@ sha512_final(struct sha512_context *ctx)
     ctx->buf[ctx->count++] = 0x80;	/* pad character */
     while(ctx->count < 128)
       ctx->buf[ctx->count++] = 0;
-    sha512_update(ctx, NULL, 0); 	/* flush */
+    sha512_update(CTX, NULL, 0); 	/* flush */
     memset(ctx->buf, 0, 112);		/* fill next block with zeroes */
   }
 
@@ -490,131 +496,3 @@ sha512_final(struct sha512_context *ctx)
 
   return ctx->buf;
 }
-
-
-/*
- *	SHA512-HMAC
- */
-
-static void
-sha512_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
-{
-  struct sha512_context ctx;
-
-  sha512_init(&ctx);
-  sha512_update(&ctx, buffer, length);
-  memcpy(outbuf, sha512_final(&ctx), SHA512_SIZE);
-}
-
-void
-sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen)
-{
-  byte keybuf[SHA512_BLOCK_SIZE], buf[SHA512_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= SHA512_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    memset(keybuf + keylen, 0, SHA512_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    sha512_hash_buffer(keybuf, key, keylen);
-    memset(keybuf + SHA512_SIZE, 0, SHA512_BLOCK_SIZE - SHA512_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  sha512_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < SHA512_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  sha512_update(&ctx->ictx, buf, SHA512_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  sha512_init(&ctx->octx);
-  for (i = 0; i < SHA512_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  sha512_update(&ctx->octx, buf, SHA512_BLOCK_SIZE);
-}
-
-void
-sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen)
-{
-  /* Just update the inner digest */
-  sha512_update(&ctx->ictx, buf, buflen);
-}
-
-byte *
-sha512_hmac_final(struct sha512_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = sha512_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  sha512_update(&ctx->octx, isha, SHA512_SIZE);
-  return sha512_final(&ctx->octx);
-}
-
-
-/*
- *	SHA384-HMAC
- */
-
-static void
-sha384_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
-{
-  struct sha384_context ctx;
-
-  sha384_init(&ctx);
-  sha384_update(&ctx, buffer, length);
-  memcpy(outbuf, sha384_final(&ctx), SHA384_SIZE);
-}
-
-void
-sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen)
-{
-  byte keybuf[SHA384_BLOCK_SIZE], buf[SHA384_BLOCK_SIZE];
-
-  /* Hash the key if necessary */
-  if (keylen <= SHA384_BLOCK_SIZE)
-  {
-    memcpy(keybuf, key, keylen);
-    memset(keybuf + keylen, 0, SHA384_BLOCK_SIZE - keylen);
-  }
-  else
-  {
-    sha384_hash_buffer(keybuf, key, keylen);
-    memset(keybuf + SHA384_SIZE, 0, SHA384_BLOCK_SIZE - SHA384_SIZE);
-  }
-
-  /* Initialize the inner digest */
-  sha384_init(&ctx->ictx);
-  int i;
-  for (i = 0; i < SHA384_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x36;
-  sha384_update(&ctx->ictx, buf, SHA384_BLOCK_SIZE);
-
-  /* Initialize the outer digest */
-  sha384_init(&ctx->octx);
-  for (i = 0; i < SHA384_BLOCK_SIZE; i++)
-    buf[i] = keybuf[i] ^ 0x5c;
-  sha384_update(&ctx->octx, buf, SHA384_BLOCK_SIZE);
-}
-
-void
-sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen)
-{
-  /* Just update the inner digest */
-  sha384_update(&ctx->ictx, buf, buflen);
-}
-
-byte *
-sha384_hmac_final(struct sha384_hmac_context *ctx)
-{
-  /* Finish the inner digest */
-  byte *isha = sha384_final(&ctx->ictx);
-
-  /* Finish the outer digest */
-  sha384_update(&ctx->octx, isha, SHA384_SIZE);
-  return sha384_final(&ctx->octx);
-}
diff --git a/lib/sha512.h b/lib/sha512.h
index 1614a3ac..02220c93 100644
--- a/lib/sha512.h
+++ b/lib/sha512.h
@@ -1,6 +1,5 @@
 /*
- *	BIRD Library -- SHA-512 and SHA-384 Hash Functions,
- *			HMAC-SHA-512 and HMAC-SHA-384 Functions
+ *	BIRD Library -- SHA-512 and SHA-384 Hash Functions
  *
  *	(c) 2015 CZ.NIC z.s.p.o.
  *
@@ -25,8 +24,10 @@
 #define SHA512_BLOCK_SIZE	128
 
 
+struct hash_context;
+
 struct sha512_context {
-  u64 h0, h1, h2, h3, h4, h5, h6, h7;
+  u64  h0, h1, h2, h3, h4, h5, h6, h7;
   byte buf[SHA512_BLOCK_SIZE];
   uint nblocks;
   uint count;
@@ -35,39 +36,14 @@ struct sha512_context {
 #define sha384_context sha512_context
 
 
-void sha512_init(struct sha512_context *ctx);
-void sha384_init(struct sha384_context *ctx);
+void sha512_init(struct hash_context *ctx);
+void sha384_init(struct hash_context *ctx);
 
-void sha512_update(struct sha512_context *ctx, const byte *buf, size_t len);
-static inline void sha384_update(struct sha384_context *ctx, const byte *buf, size_t len)
-{ sha512_update(ctx, buf, len); }
+void sha512_update(struct hash_context *ctx, const byte *buf, uint len);
+#define sha384_update sha512_update
 
-byte *sha512_final(struct sha512_context *ctx);
-static inline byte *sha384_final(struct sha384_context *ctx)
-{ return sha512_final(ctx); }
-
-
-/*
- *	HMAC-SHA512, HMAC-SHA384
- */
-
-struct sha512_hmac_context
-{
-  struct sha512_context ictx;
-  struct sha512_context octx;
-};
-
-#define sha384_hmac_context sha512_hmac_context
-
-
-void sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen);
-void sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen);
-
-void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen);
-void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen);
-
-byte *sha512_hmac_final(struct sha512_hmac_context *ctx);
-byte *sha384_hmac_final(struct sha384_hmac_context *ctx);
+byte *sha512_final(struct hash_context *ctx);
+#define sha384_final sha512_final
 
 
 #endif /* _BIRD_SHA512_H_ */
diff --git a/nest/password.c b/nest/password.c
index 91aaa418..d6e2087f 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -37,7 +37,7 @@ password_find(list *l, int first_fit)
 }
 
 struct password_item *
-password_find_by_id(list *l, int id)
+password_find_by_id(list *l, uint id)
 {
   struct password_item *pi;
 
diff --git a/nest/password.h b/nest/password.h
index 1d9de53c..a45261e6 100644
--- a/nest/password.h
+++ b/nest/password.h
@@ -21,7 +21,7 @@ struct password_item {
 extern struct password_item *last_password_item;
 
 struct password_item *password_find(list *l, int first_fit);
-struct password_item *password_find_by_id(list *l, int id);
+struct password_item *password_find_by_id(list *l, uint id);
 struct password_item *password_find_by_value(list *l, char *pass, uint size);
 
 static inline int password_verify(struct password_item *p1, char *p2, uint size)
diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c
index aa90aa51..a2fbd089 100644
--- a/proto/ospf/packet.c
+++ b/proto/ospf/packet.c
@@ -11,6 +11,7 @@
 #include "ospf.h"
 #include "nest/password.h"
 #include "lib/md5.h"
+#include "lib/mac.h"
 #include "lib/socket.h"
 
 void
@@ -109,7 +110,7 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
     char password[OSPF_AUTH_CRYPT_SIZE];
     strncpy(password, passwd->password, sizeof(password));
 
-    struct md5_context ctx;
+    struct hash_context ctx;
     md5_init(&ctx);
     md5_update(&ctx, (char *) pkt, plen);
     md5_update(&ctx, password, OSPF_AUTH_CRYPT_SIZE);
@@ -180,7 +181,7 @@ ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_
     memcpy(received, tail, OSPF_AUTH_CRYPT_SIZE);
     strncpy(tail, pass->password, OSPF_AUTH_CRYPT_SIZE);
 
-    struct md5_context ctx;
+    struct hash_context ctx;
     md5_init(&ctx);
     md5_update(&ctx, (byte *) pkt, plen + OSPF_AUTH_CRYPT_SIZE);
     char *computed = md5_final(&ctx);
diff --git a/proto/rip/packets.c b/proto/rip/packets.c
index e026eaea..381b4771 100644
--- a/proto/rip/packets.c
+++ b/proto/rip/packets.c
@@ -11,6 +11,7 @@
 
 #include "rip.h"
 #include "lib/md5.h"
+#include "lib/mac.h"
 
 
 #define RIP_CMD_REQUEST		1	/* want info */
@@ -241,7 +242,7 @@ rip_fill_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_p
 
     *plen += sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH;
 
-    struct md5_context ctx;
+    struct hash_context ctx;
     md5_init(&ctx);
     md5_update(&ctx, (byte *) pkt, *plen);
     memcpy(tail->auth_data, md5_final(&ctx), RIP_MD5_LENGTH);
@@ -315,7 +316,7 @@ rip_check_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_
     memcpy(received, tail->auth_data, RIP_MD5_LENGTH);
     strncpy(tail->auth_data, pass->password, RIP_MD5_LENGTH);
 
-    struct md5_context ctx;
+    struct hash_context ctx;
     md5_init(&ctx);
     md5_update(&ctx, (byte *) pkt, *plen);
     char *computed = md5_final(&ctx);

From 56cb3bedc2634a44ea41587566c2889f5b5f5b5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Tvrd=C3=ADk?= <pawel.tvrdik@gmail.com>
Date: Tue, 26 Jan 2016 16:45:13 +0100
Subject: [PATCH 31/37] Nest: Add support for MAC algorithms in grammar

---
 nest/config.Y      | 22 ++++++++++++++++++++--
 nest/password.h    |  7 +++++--
 proto/rip/config.Y |  2 +-
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/nest/config.Y b/nest/config.Y
index 3e76581a..878224fe 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -13,6 +13,7 @@ CF_HDR
 #include "nest/password.h"
 #include "nest/cmds.h"
 #include "lib/lists.h"
+#include "lib/mac.h"
 
 CF_DEFINES
 
@@ -57,6 +58,7 @@ CF_KEYWORDS(ROUTER, ID, PROTOCOL, TEMPLATE, PREFERENCE, DISABLED, DEBUG, ALL, OF
 CF_KEYWORDS(INTERFACE, IMPORT, EXPORT, FILTER, NONE, TABLE, STATES, ROUTES, FILTERS)
 CF_KEYWORDS(RECEIVE, LIMIT, ACTION, WARN, BLOCK, RESTART, DISABLE, KEEP, FILTERED)
 CF_KEYWORDS(PASSWORD, FROM, PASSIVE, TO, ID, EVENTS, PACKETS, PROTOCOLS, INTERFACES)
+CF_KEYWORDS(ALGORITHM, KEYED, HMAC, MD5, SHA1, SHA256, SHA384, SHA512)
 CF_KEYWORDS(PRIMARY, STATS, COUNT, FOR, COMMANDS, PREEXPORT, NOEXPORT, GENERATE, ROA)
 CF_KEYWORDS(LISTEN, BGP, V6ONLY, DUAL, ADDRESS, PORT, PASSWORDS, DESCRIPTION, SORTED)
 CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES, RESTRICT, MEMORY, IGP_METRIC, CLASS, DSCP)
@@ -77,7 +79,7 @@ CF_ENUM(T_ENUM_ROA, ROA_, UNKNOWN, VALID, INVALID)
 %type <ro> roa_args
 %type <rot> roa_table_arg
 %type <sd> sym_args
-%type <i> proto_start echo_mask echo_size debug_mask debug_list debug_flag mrtdump_mask mrtdump_list mrtdump_flag export_mode roa_mode limit_action tab_sorted tos
+%type <i> proto_start echo_mask echo_size debug_mask debug_list debug_flag mrtdump_mask mrtdump_list mrtdump_flag export_mode roa_mode limit_action tab_sorted tos password_algorithm
 %type <ps> proto_patt proto_patt2
 %type <g> limit_spec
 
@@ -416,11 +418,13 @@ password_item_begin:
      }
      this_p_item = cfg_alloc(sizeof (struct password_item));
      this_p_item->password = $2;
+     this_p_item->length = strlen($2);
      this_p_item->genfrom = 0;
      this_p_item->gento = TIME_INFINITY;
      this_p_item->accfrom = 0;
      this_p_item->accto = TIME_INFINITY;
      this_p_item->id = password_id++;
+     this_p_item->alg = ALG_UNDEFINED;
      add_tail(this_p_list, &this_p_item->n);
    }
 ;
@@ -431,10 +435,24 @@ password_item_params:
  | GENERATE TO datetime ';' password_item_params { this_p_item->gento = $3; }
  | ACCEPT FROM datetime ';' password_item_params { this_p_item->accfrom = $3; }
  | ACCEPT TO datetime ';' password_item_params { this_p_item->accto = $3; }
+ | FROM datetime ';' password_item_params { this_p_item->genfrom = this_p_item->accfrom = $2; }
+ | TO datetime ';' password_item_params { this_p_item->gento = this_p_item->accto = $2; }
  | ID expr ';' password_item_params { this_p_item->id = $2; if ($2 <= 0) cf_error("Password ID has to be greated than zero."); }
+ | ALGORITHM password_algorithm ';' password_item_params { this_p_item->alg = $2; }
  ;
 
-
+password_algorithm:
+   KEYED MD5	{ $$ = ALG_MD5; }
+ | KEYED SHA1	{ $$ = ALG_SHA1; }
+ | KEYED SHA256	{ $$ = ALG_SHA256; }
+ | KEYED SHA384	{ $$ = ALG_SHA384; }
+ | KEYED SHA512	{ $$ = ALG_SHA512; }
+ | HMAC MD5	{ $$ = ALG_HMAC_MD5; }
+ | HMAC SHA1	{ $$ = ALG_HMAC_SHA1; }
+ | HMAC SHA256	{ $$ = ALG_HMAC_SHA256; }
+ | HMAC SHA384	{ $$ = ALG_HMAC_SHA384; }
+ | HMAC SHA512	{ $$ = ALG_HMAC_SHA512; }
+ ;
 
 /* Core commands */
 CF_CLI_HELP(SHOW, ..., [[Show status information]])
diff --git a/nest/password.h b/nest/password.h
index a45261e6..7392389b 100644
--- a/nest/password.h
+++ b/nest/password.h
@@ -9,12 +9,15 @@
 
 #ifndef PASSWORD_H
 #define PASSWORD_H
+
 #include "lib/timer.h"
 
 struct password_item {
   node n;
-  char *password;
-  int id;
+  char *password;			/* Key data, null terminated */
+  uint length;				/* Key length, without null */
+  uint id;				/* Key ID */
+  uint alg;				/* MAC algorithm */
   bird_clock_t accfrom, accto, genfrom, gento;
 };
 
diff --git a/proto/rip/config.Y b/proto/rip/config.Y
index 083d2e91..e15599e0 100644
--- a/proto/rip/config.Y
+++ b/proto/rip/config.Y
@@ -147,7 +147,7 @@ rip_auth:
    NONE			{ $$ = RIP_AUTH_NONE; }
  | PLAINTEXT		{ $$ = RIP_AUTH_PLAIN; }
  | CRYPTOGRAPHIC	{ $$ = RIP_AUTH_CRYPTO; }
- | MD5			{ $$ = RIP_AUTH_CRYPTO; }
+ | MD5			{ $$ = RIP_AUTH_CRYPTO; }	/* For backward compatibility */
  ;
 
 rip_iface_opts:

From 64385aee0cc2dfae8297f29ce6724cedf7cc4736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Tvrd=C3=ADk?= <pawel.tvrdik@gmail.com>
Date: Thu, 28 Jan 2016 17:05:15 +0100
Subject: [PATCH 32/37] DOC: Password algorithm option

---
 doc/bird.sgml | 78 +++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 57 insertions(+), 21 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index a07201ce..7c34c208 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -664,13 +664,13 @@ agreement").
 	protocol packets are processed in the local TX queues. This option is
 	Linux specific. Default value is 7 (highest priority, privileged traffic).
 
-	<tag><label id="proto-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag>
-	Specifies a password that can be used by the protocol. Password option
-	can be used more times to specify more passwords. If more passwords are
-	specified, it is a protocol-dependent decision which one is really
-	used. Specifying passwords does not mean that authentication is enabled,
-	authentication can be enabled by separate, protocol-dependent
-	<cf/authentication/ option.
+	<tag><label id="proto-pass">password "<m/password/" [ { <m>password options</m> } ]</tag>
+	Specifies a password that can be used by the protocol as a shared secret
+	key. Password option can be used more times to specify more passwords.
+	If more passwords are specified, it is a protocol-dependent decision
+	which one is really used. Specifying passwords does not mean that
+	authentication is enabled, authentication can be enabled by separate,
+	protocol-dependent <cf/authentication/ option.
 
 	This option is allowed in OSPF and RIP protocols. BGP has also
 	<cf/password/ option, but it is slightly different and described
@@ -700,6 +700,19 @@ agreement").
 
 	<tag><label id="proto-pass-accept-to">accept to "<m/time/"</tag>
 	The last time of the usage of the password for packet verification.
+
+	<tag><label id="proto-pass-from">from "<m/time/"</tag>
+	Shorthand for setting both <cf/generate from/ and <cf/accept from/.
+
+	<tag><label id="proto-pass-to">to "<m/time/"</tag>
+	Shorthand for setting both <cf/generate to/ and <cf/accept to/.
+
+	<tag><label id="proto-pass-algorithm">algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 )</tag>
+	The message authentication algorithm for the password when cryptographic
+	authentication is enabled. The default value depends on the protocol.
+	For RIP and OSPFv2 it is Keyed-MD5 (for compatibility), for OSPFv3
+	protocol it is HMAC-SHA-256.
+
 </descrip>
 
 <chapt>Remote control
@@ -2659,7 +2672,7 @@ protocol ospf &lt;name&gt; {
 			ttl security [&lt;switch&gt;; | tx only]
 			tx class|dscp &lt;num&gt;;
 			tx priority &lt;num&gt;;
-			authentication [none|simple|cryptographic];
+			authentication none|simple|cryptographic;
 			password "&lt;text&gt;";
 			password "&lt;text&gt;" {
 				id &lt;num&gt;;
@@ -2667,6 +2680,9 @@ protocol ospf &lt;name&gt; {
 				generate to "&lt;date&gt;";
 				accept from "&lt;date&gt;";
 				accept to "&lt;date&gt;";
+				from "&lt;date&gt;";
+				to "&lt;date&gt;";
+				algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
 			};
 			neighbors {
 				&lt;ip&gt;;
@@ -2679,8 +2695,18 @@ protocol ospf &lt;name&gt; {
 			wait &lt;num&gt;;
 			dead count &lt;num&gt;;
 			dead &lt;num&gt;;
-			authentication [none|simple|cryptographic];
+			authentication none|simple|cryptographic;
 			password "&lt;text&gt;";
+			password "&lt;text&gt;" {
+				id &lt;num&gt;;
+				generate from "&lt;date&gt;";
+				generate to "&lt;date&gt;";
+				accept from "&lt;date&gt;";
+				accept to "&lt;date&gt;";
+				from "&lt;date&gt;";
+				to "&lt;date&gt;";
+				algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
+			};
 		};
 	};
 }
@@ -2999,15 +3025,18 @@ protocol ospf &lt;name&gt; {
 	<tag><label id="ospf-auth-simple">authentication simple</tag>
 	Every packet carries 8 bytes of password. Received packets lacking this
 	password are ignored. This authentication mechanism is very weak.
+	This option is not available in OSPFv3.
 
 	<tag><label id="ospf-auth-cryptographic">authentication cryptographic</tag>
-	16-byte long MD5 digest is appended to every packet. For the digest
-	generation 16-byte long passwords are used. Those passwords are not sent
-	via network, so this mechanism is quite secure. Packets can still be
-	read by an attacker.
+	An authentication code is appended to every packet. The specific
+	cryptographic algorithm is selected by option <cf/algorithm/ for each
+	key. The default cryptographic algorithm for OSPFv2 keys is Keyed-MD5
+	and for OSPFv3 keys is HMAC-SHA-256. Passwords are not sent open via
+	network, so this mechanism is quite secure. Packets can still be read by
+	an attacker.
 
 	<tag><label id="ospf-pass">password "<M>text</M>"</tag>
-	An 8-byte or 16-byte password used for authentication. See
+	Specifies a password used for authentication. See
 	<ref id="proto-pass" name="password"> common option for detailed
 	description.
 
@@ -3069,11 +3098,13 @@ protocol ospf MyOSPF {
 				id 1;
 				generate to "22-04-2003 11:00:06";
 				accept from "17-01-2001 12:01:05";
+				algorithm hmac sha384;
 			};
 			password "def" {
 				id 2;
 				generate to "22-07-2005 17:03:21";
 				accept from "22-02-2001 11:34:06";
+				algorithm hmac sha512;
 			};
 		};
 		interface "arc0" {
@@ -3500,8 +3531,7 @@ you can't use RIP on networks where maximal distance is higher than 15
 hosts.
 
 <p>BIRD supports RIPv1 (<rfc id="1058">), RIPv2 (<rfc id="2453">), RIPng (<rfc
-id="2080">), and RIP cryptographic authentication (SHA-1 not implemented)
-(<rfc id="4822">).
+id="2080">), and RIP cryptographic authentication (<rfc id="4822">).
 
 <p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
 convergence, big network load and inability to handle larger networks makes it
@@ -3545,6 +3575,9 @@ protocol rip [&lt;name&gt;] {
 			generate to "&lt;date&gt;";
 			accept from "&lt;date&gt;";
 			accept to "&lt;date&gt;";
+			from "&lt;date&gt;";
+			to "&lt;date&gt;";
+			algorithm ( keyed md5 | keyed sha1 | hmac sha1 | hmac sha256 | hmac sha384 | hmac sha512 );
 		};
 	};
 }
@@ -3658,7 +3691,9 @@ protocol rip [&lt;name&gt;] {
 	Selects authentication method to be used. <cf/none/ means that packets
 	are not authenticated at all, <cf/plaintext/ means that a plaintext
 	password is embedded into each packet, and <cf/cryptographic/ means that
-	packets are authenticated using a MD5 cryptographic hash. If you set
+	packets are authenticated using some cryptographic hash function
+	selected by option <cf/algorithm/ for each key. The default
+	cryptographic algorithm for RIP keys is Keyed-MD5. If you set
 	authentication to not-none, it is a good idea to add <cf>password</cf>
 	section. Default: none.
 
@@ -3704,8 +3739,8 @@ protocol rip [&lt;name&gt;] {
 	consideration. When the link disappears (e.g. an ethernet cable is
 	unplugged), neighbors are immediately considered unreachable and all
 	routes received from them are withdrawn. It is possible that some
-	hardware drivers or platforms do not implement this feature. Default:
-	no.
+	hardware drivers or platforms do not implement this feature.
+	Default: no.
 </descrip>
 
 <sect1>Attributes
@@ -3737,8 +3772,9 @@ protocol rip {
         period 12;
         garbage time 60;
         interface "eth0" { metric 3; mode multicast; };
-	interface "eth*" { metric 2; mode broadcast; };
-        authentication none;
+        interface "eth*" { metric 2; mode broadcast; };
+        authentication cryptographic;
+        password "secret-shared-key" { algorithm hmac sha256; };
         import filter { print "importing"; accept; };
         export filter { print "exporting"; accept; };
 }

From 390601f038b69d5de3841c691f92af0fcd088454 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Wed, 26 Oct 2016 16:07:45 +0200
Subject: [PATCH 33/37] RIP: Use message authentication interface

Based on former commit from Pavel Tvrdik
---
 lib/mac.h           |  4 +++
 lib/string.h        | 10 +++++++
 nest/password.c     | 15 ++++++++++
 nest/password.h     |  2 ++
 proto/rip/config.Y  | 22 +++++++++++---
 proto/rip/packets.c | 72 +++++++++++++++++++++++++++++----------------
 proto/rip/rip.c     |  7 ++---
 proto/rip/rip.h     |  2 +-
 8 files changed, 100 insertions(+), 34 deletions(-)

diff --git a/lib/mac.h b/lib/mac.h
index 9dba8f89..5fc216fd 100644
--- a/lib/mac.h
+++ b/lib/mac.h
@@ -21,6 +21,7 @@
 #define ALG_SHA256		0x04
 #define ALG_SHA384		0x05
 #define ALG_SHA512		0x06
+#define ALG_HMAC		0x10
 #define ALG_HMAC_MD5		0x11
 #define ALG_HMAC_SHA1		0x12
 #define ALG_HMAC_SHA224		0x13
@@ -34,6 +35,9 @@
 #define HASH_STORAGE		sizeof(struct sha512_context)
 #define MAC_STORAGE		sizeof(struct hmac_context)
 
+/* This value is used by several IETF protocols for padding */
+#define HMAC_MAGIC		htonl(0x878FE1F3)
+
 /* Generic context used by hash functions */
 struct hash_context
 {
diff --git a/lib/string.h b/lib/string.h
index bf0b7cb0..75cb88dd 100644
--- a/lib/string.h
+++ b/lib/string.h
@@ -39,6 +39,16 @@ xstrdup(const char *c)
   return z;
 }
 
+static inline void
+memset32(void *D, u32 val, uint n)
+{
+  u32 *dst = D;
+  uint i;
+
+  for (i = 0; i < n; i++)
+    dst[i] = val;
+}
+
 #define ROUTER_ID_64_LENGTH 23
 
 #endif
diff --git a/nest/password.c b/nest/password.c
index d6e2087f..e4813741 100644
--- a/nest/password.c
+++ b/nest/password.c
@@ -10,6 +10,7 @@
 #include "nest/bird.h"
 #include "nest/password.h"
 #include "lib/string.h"
+#include "lib/mac.h"
 
 struct password_item *last_password_item = NULL;
 
@@ -66,3 +67,17 @@ password_find_by_value(list *l, char *pass, uint size)
   return NULL;
 }
 
+uint
+max_mac_length(list *l)
+{
+  struct password_item *pi;
+  uint val = 0;
+
+  if (!l)
+    return 0;
+
+  WALK_LIST(pi, *l)
+    val = MAX(val, mac_type_length(pi->alg));
+
+  return val;
+}
diff --git a/nest/password.h b/nest/password.h
index 7392389b..f21483c4 100644
--- a/nest/password.h
+++ b/nest/password.h
@@ -34,4 +34,6 @@ static inline int password_verify(struct password_item *p1, char *p2, uint size)
   return !memcmp(buf, p2, size);
 }
 
+uint max_mac_length(list *l);
+
 #endif
diff --git a/proto/rip/config.Y b/proto/rip/config.Y
index e15599e0..4ec45c7a 100644
--- a/proto/rip/config.Y
+++ b/proto/rip/config.Y
@@ -98,15 +98,29 @@ rip_iface_start:
 
 rip_iface_finish:
 {
+  /* Default mode is broadcast for RIPv1, multicast for RIPv2 and RIPng */
+  if (!RIP_IFACE->mode)
+    RIP_IFACE->mode = (rip_cfg_is_v2() && (RIP_IFACE->version == RIP_V1)) ?
+      RIP_IM_BROADCAST : RIP_IM_MULTICAST;
+
   RIP_IFACE->passwords = get_passwords();
 
   if (!RIP_IFACE->auth_type != !RIP_IFACE->passwords)
     log(L_WARN "Authentication and password options should be used together");
 
-  /* Default mode is broadcast for RIPv1, multicast for RIPv2 and RIPng */
-  if (!RIP_IFACE->mode)
-    RIP_IFACE->mode = (rip_cfg_is_v2() && (RIP_IFACE->version == RIP_V1)) ?
-      RIP_IM_BROADCAST : RIP_IM_MULTICAST;
+  if (RIP_IFACE->passwords)
+  {
+    struct password_item *pass;
+    WALK_LIST(pass, *RIP_IFACE->passwords)
+    {
+      if (pass->alg && (RIP_IFACE->auth_type != RIP_AUTH_CRYPTO))
+	cf_error("Password algorithm option requires cryptographic authentication");
+
+      /* Set default crypto algorithm (MD5) */
+      if (!pass->alg && (RIP_IFACE->auth_type == RIP_AUTH_CRYPTO))
+	pass->alg = ALG_MD5;
+    }
+  }
 
   RIP_CFG->min_timeout_time = MIN_(RIP_CFG->min_timeout_time, RIP_IFACE->timeout_time);
   RIP_CFG->max_garbage_time = MAX_(RIP_CFG->max_garbage_time, RIP_IFACE->garbage_time);
diff --git a/proto/rip/packets.c b/proto/rip/packets.c
index 381b4771..468927e6 100644
--- a/proto/rip/packets.c
+++ b/proto/rip/packets.c
@@ -10,7 +10,6 @@
  */
 
 #include "rip.h"
-#include "lib/md5.h"
 #include "lib/mac.h"
 
 
@@ -18,9 +17,7 @@
 #define RIP_CMD_RESPONSE	2	/* responding to request */
 
 #define RIP_BLOCK_LENGTH	20
-
 #define RIP_PASSWD_LENGTH	16
-#define RIP_MD5_LENGTH		16
 
 #define RIP_AF_IPV4		2
 #define RIP_AF_AUTH		0xffff
@@ -73,7 +70,7 @@ struct rip_auth_tail
 {
   u16 must_be_ffff;
   u16 must_be_0001;
-  byte auth_data[];
+  byte auth_data[0];
 };
 
 /* Internal representation of RTE block data */
@@ -221,16 +218,24 @@ rip_fill_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_p
     auth->auth_type = htons(RIP_AUTH_CRYPTO);
     auth->packet_len = htons(*plen);
     auth->key_id = pass->id;
-    auth->auth_len = sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH;
+    auth->auth_len = mac_type_length(pass->alg);
     auth->seq_num = ifa->csn_ready ? htonl(ifa->csn) : 0;
     auth->unused1 = 0;
     auth->unused2 = 0;
     ifa->csn_ready = 1;
 
+    if (pass->alg < ALG_HMAC)
+      auth->auth_len += sizeof(struct rip_auth_tail);
+
     /*
      * Note that RFC 4822 is unclear whether auth_len should cover whole
      * authentication trailer or just auth_data length.
      *
+     * FIXME: We should use just auth_data length by default. Currently we put
+     * the whole auth trailer length in keyed hash case to keep old behavior,
+     * but we put just auth_data length in the new HMAC case. Note that Quagga
+     * has config option for this.
+     *
      * Crypto sequence numbers are increased by sender in rip_update_csn().
      * First CSN should be zero, this is handled by csn_ready.
      */
@@ -238,14 +243,18 @@ rip_fill_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_p
     struct rip_auth_tail *tail = (void *) ((byte *) pkt + *plen);
     tail->must_be_ffff = htons(0xffff);
     tail->must_be_0001 = htons(0x0001);
-    strncpy(tail->auth_data, pass->password, RIP_MD5_LENGTH);
 
-    *plen += sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH;
+    uint auth_len = mac_type_length(pass->alg);
+    *plen += sizeof(struct rip_auth_tail) + auth_len;
 
-    struct hash_context ctx;
-    md5_init(&ctx);
-    md5_update(&ctx, (byte *) pkt, *plen);
-    memcpy(tail->auth_data, md5_final(&ctx), RIP_MD5_LENGTH);
+    /* Append key for keyed hash, append padding for HMAC (RFC 4822 2.5) */
+    if (pass->alg < ALG_HMAC)
+      strncpy(tail->auth_data, pass->password, auth_len);
+    else
+      memset32(tail->auth_data, HMAC_MAGIC, auth_len / 4);
+
+    mac_fill(pass->alg, pass->password, pass->length,
+	     (byte *) pkt, *plen, tail->auth_data);
     return;
 
   default:
@@ -288,13 +297,25 @@ rip_check_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_
       DROP("no suitable password found", auth->key_id);
 
     uint data_len = ntohs(auth->packet_len);
-    uint auth_len = sizeof(struct rip_auth_tail) + RIP_MD5_LENGTH;
+    uint auth_len = mac_type_length(pass->alg);
+    uint auth_len2 = sizeof(struct rip_auth_tail) + auth_len;
 
-    if (data_len + auth_len != *plen)
-      DROP("packet length mismatch", data_len);
+    /*
+     * Ideally, first check should be check for internal consistency:
+     *   (data_len + sizeof(struct rip_auth_tail) + auth->auth_len) != *plen
+     *
+     * Second one should check expected code length:
+     *   auth->auth_len != auth_len
+     *
+     * But as auth->auth_len has two interpretations, we simplify this
+     */
 
-    if ((auth->auth_len != RIP_MD5_LENGTH) && (auth->auth_len != auth_len))
-      DROP("authentication data length mismatch", auth->auth_len);
+    if (data_len + auth_len2 != *plen)
+      DROP("packet length mismatch", *plen);
+
+    /* Warning: two interpretations of auth_len field */
+    if ((auth->auth_len != auth_len) && (auth->auth_len != auth_len2))
+      DROP("wrong authentication length", auth->auth_len);
 
     struct rip_auth_tail *tail = (void *) ((byte *) pkt + data_len);
     if ((tail->must_be_ffff != htons(0xffff)) || (tail->must_be_0001 != htons(0x0001)))
@@ -312,17 +333,18 @@ rip_check_authentication(struct rip_proto *p, struct rip_iface *ifa, struct rip_
       return 0;
     }
 
-    char received[RIP_MD5_LENGTH];
-    memcpy(received, tail->auth_data, RIP_MD5_LENGTH);
-    strncpy(tail->auth_data, pass->password, RIP_MD5_LENGTH);
+    byte *auth_data = alloca(auth_len);
+    memcpy(auth_data, tail->auth_data, auth_len);
 
-    struct hash_context ctx;
-    md5_init(&ctx);
-    md5_update(&ctx, (byte *) pkt, *plen);
-    char *computed = md5_final(&ctx);
+    /* Append key for keyed hash, append padding for HMAC (RFC 4822 2.5) */
+    if (pass->alg < ALG_HMAC)
+      strncpy(tail->auth_data, pass->password, auth_len);
+    else
+      memset32(tail->auth_data, HMAC_MAGIC, auth_len / 4);
 
-    if (memcmp(received, computed, RIP_MD5_LENGTH))
-      DROP("wrong MD5 digest", pass->id);
+    if (!mac_verify(pass->alg, pass->password, pass->length,
+		    (byte *) pkt, *plen, auth_data))
+      DROP("wrong authentication code", pass->id);
 
     *plen = data_len;
     n->csn = rcv_csn;
diff --git a/proto/rip/rip.c b/proto/rip/rip.c
index 37cfa9ac..7b380097 100644
--- a/proto/rip/rip.c
+++ b/proto/rip/rip.c
@@ -590,7 +590,7 @@ rip_iface_update_buffers(struct rip_iface *ifa)
   ifa->tx_plen = tbsize - headers;
 
   if (ifa->cf->auth_type == RIP_AUTH_CRYPTO)
-    ifa->tx_plen -= RIP_AUTH_TAIL_LENGTH;
+    ifa->tx_plen -= RIP_AUTH_TAIL_LENGTH + max_mac_length(ifa->cf->passwords);
 }
 
 static inline void
@@ -702,12 +702,11 @@ rip_reconfigure_iface(struct rip_proto *p, struct rip_iface *ifa, struct rip_ifa
 
   ifa->cf = new;
 
+  rip_iface_update_buffers(ifa);
+
   if (ifa->next_regular > (now + new->update_time))
     ifa->next_regular = now + (random() % new->update_time) + 1;
 
-  if ((new->tx_length != old->tx_length) || (new->rx_buffer != old->rx_buffer))
-    rip_iface_update_buffers(ifa);
-
   if (new->check_link != old->check_link)
     rip_iface_update_state(ifa);
 
diff --git a/proto/rip/rip.h b/proto/rip/rip.h
index f245e612..b24d9536 100644
--- a/proto/rip/rip.h
+++ b/proto/rip/rip.h
@@ -40,7 +40,7 @@
 #define RIP_NG_PORT		521	/* RIPng */
 
 #define RIP_MAX_PKT_LENGTH	532	/* 512 + IP4_HEADER_LENGTH */
-#define RIP_AUTH_TAIL_LENGTH	20	/* 4 + MD5 length */
+#define RIP_AUTH_TAIL_LENGTH	4	/* Without auth_data */
 
 #define RIP_DEFAULT_ECMP_LIMIT	16
 #define RIP_DEFAULT_INFINITY	16

From 29239ba2bbee3e9ec7d17793b25936a1bfc795ca Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Thu, 27 Oct 2016 20:58:21 +0200
Subject: [PATCH 34/37] OSPF: Use message authentication interface

Based on former commit from Pavel Tvrdik
---
 proto/ospf/config.Y |  14 ++++++
 proto/ospf/iface.c  |  24 ++++++++--
 proto/ospf/ospf.h   |  21 +++++----
 proto/ospf/packet.c | 108 ++++++++++++++++++++------------------------
 4 files changed, 94 insertions(+), 73 deletions(-)

diff --git a/proto/ospf/config.Y b/proto/ospf/config.Y
index c859960f..7b35b191 100644
--- a/proto/ospf/config.Y
+++ b/proto/ospf/config.Y
@@ -42,6 +42,20 @@ ospf_iface_finish(void)
 
   if ((ip->autype == OSPF_AUTH_NONE) && (ip->passwords != NULL))
     log(L_WARN "Password option without authentication option does not make sense");
+
+  if (ip->passwords)
+  {
+    struct password_item *pass;
+    WALK_LIST(pass, *ip->passwords)
+    {
+      if (pass->alg && (ip->autype != OSPF_AUTH_CRYPT))
+	cf_error("Password algorithm option requires cryptographic authentication");
+
+      /* Set default OSPF crypto algorithms */
+      if (!pass->alg && (ip->autype == OSPF_AUTH_CRYPT))
+	pass->alg = ospf_cfg_is_v2() ? ALG_MD5 : ALG_HMAC_SHA256;
+    }
+  }
 }
 
 static void
diff --git a/proto/ospf/iface.c b/proto/ospf/iface.c
index 67ae094d..280fa4c1 100644
--- a/proto/ospf/iface.c
+++ b/proto/ospf/iface.c
@@ -9,6 +9,7 @@
  */
 
 #include "ospf.h"
+#include "nest/password.h"
 
 
 const char *ospf_is_names[] = {
@@ -51,6 +52,18 @@ ifa_tx_length(struct ospf_iface *ifa)
   return ifa->cf->tx_length ?: ifa->iface->mtu;
 }
 
+static inline uint
+ifa_tx_hdrlen(struct ospf_iface *ifa)
+{
+  uint hlen = SIZE_OF_IP_HEADER;
+
+  /* Relevant just for OSPFv2 */
+  if (ifa->autype == OSPF_AUTH_CRYPT)
+    hlen += max_mac_length(ifa->passwords);
+
+  return hlen;
+}
+
 static inline uint
 ifa_bufsize(struct ospf_iface *ifa)
 {
@@ -67,11 +80,7 @@ ifa_flood_queue_size(struct ospf_iface *ifa)
 int
 ospf_iface_assure_bufsize(struct ospf_iface *ifa, uint plen)
 {
-  plen += SIZE_OF_IP_HEADER;
-
-  /* This is relevant just for OSPFv2 */
-  if (ifa->autype == OSPF_AUTH_CRYPT)
-    plen += OSPF_AUTH_CRYPT_SIZE;
+  plen += ifa->tx_hdrlen;
 
   if (plen <= ifa->sk->tbsize)
     return 0;
@@ -574,6 +583,7 @@ ospf_iface_new(struct ospf_area *oa, struct ifa *addr, struct ospf_iface_patt *i
   ifa->stub = ospf_iface_stubby(ip, addr);
   ifa->ioprob = OSPF_I_OK;
   ifa->tx_length = ifa_tx_length(ifa);
+  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
   ifa->check_link = ip->check_link;
   ifa->ecmp_weight = ip->ecmp_weight;
   ifa->check_ttl = (ip->ttl_security == 1);
@@ -684,6 +694,7 @@ ospf_iface_new_vlink(struct ospf_proto *p, struct ospf_iface_patt *ip)
   ifa->deadint = ip->deadint;
   ifa->inftransdelay = ip->inftransdelay;
   ifa->tx_length = ospf_is_v2(p) ? IP4_MIN_MTU : IP6_MIN_MTU;
+  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
   ifa->autype = ip->autype;
   ifa->passwords = ip->passwords;
   ifa->instance_id = ip->instance_id;
@@ -824,6 +835,9 @@ ospf_iface_reconfigure(struct ospf_iface *ifa, struct ospf_iface_patt *new)
   /* Update passwords */
   ifa->passwords = new->passwords;
 
+  /* Update header length */
+  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);
+
   /* Remaining options are just for proper interfaces */
   if (ifa->type == OSPF_IT_VLINK)
     return 1;
diff --git a/proto/ospf/ospf.h b/proto/ospf/ospf.h
index ca30e4e0..81c610d5 100644
--- a/proto/ospf/ospf.h
+++ b/proto/ospf/ospf.h
@@ -180,11 +180,7 @@ struct ospf_iface_patt
 
 #define OSPF_RXBUF_MINSIZE 256	/* Minimal allowed size */
   u8 instance_id;
-  u8 autype;			/* Not really used in OSPFv3 */
-#define OSPF_AUTH_NONE 0
-#define OSPF_AUTH_SIMPLE 1
-#define OSPF_AUTH_CRYPT 2
-#define OSPF_AUTH_CRYPT_SIZE 16
+  u8 autype;			/* OSPF_AUTH_*, not really used in OSPFv3 */
   u8 strictnbma;
   u8 check_link;
   u8 ecmp_weight;
@@ -334,6 +330,7 @@ struct ospf_iface
   u8 marked;			/* Used in OSPF reconfigure, 2 for force restart */
   u16 rxbuf;			/* Buffer size */
   u16 tx_length;		/* Soft TX packet length limit, usually MTU */
+  u16 tx_hdrlen;		/* Expected packet header length, less than tx_length */
   u8 check_link;		/* Whether iface link change is used */
   u8 ecmp_weight;		/* Weight used for ECMP */
   u8 link_lsa_suppression;	/* Suppression of Link-LSA origination */
@@ -424,6 +421,11 @@ struct ospf_neighbor
 #define ISM_UNLOOP	5	/* Link up */
 #define ISM_DOWN	6	/* Interface down */
 
+/* OSPF authentication types */
+#define OSPF_AUTH_NONE	0
+#define OSPF_AUTH_SIMPLE 1
+#define OSPF_AUTH_CRYPT	2
+
 
 /* OSPF neighbor states */
 #define NEIGHBOR_DOWN	0
@@ -455,7 +457,6 @@ struct ospf_neighbor
 #define TRANS_WAIT	2	/* Waiting before the end of translation */
 
 
-
 /* Generic option flags */
 #define OPT_V6		0x01	/* OSPFv3, LSA relevant for IPv6 routing calculation */
 #define OPT_E		0x02	/* Related to AS-external LSAs */
@@ -491,7 +492,7 @@ struct ospf_packet
   u8 autype;			/* Undefined for OSPFv3 */
 };
 
-struct ospf_md5
+struct ospf_auth_crypto
 {
   u16 zero;
   u8 keyid;
@@ -502,7 +503,7 @@ struct ospf_md5
 union ospf_auth
 {
   u8 password[8];
-  struct ospf_md5 md5;
+  struct ospf_auth_crypto c32;
 };
 
 /* Packet types */
@@ -896,7 +897,6 @@ void ospf_sh_neigh_info(struct ospf_neighbor *n);
 
 /* packet.c */
 void ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type);
-uint ospf_pkt_maxsize(struct ospf_iface *ifa);
 int ospf_rx_hook(sock * sk, uint size);
 // void ospf_tx_hook(sock * sk);
 void ospf_err_hook(sock * sk, int err);
@@ -905,6 +905,9 @@ void ospf_send_to(struct ospf_iface *ifa, ip_addr ip);
 void ospf_send_to_agt(struct ospf_iface *ifa, u8 state);
 void ospf_send_to_bdr(struct ospf_iface *ifa);
 
+static inline uint ospf_pkt_maxsize(struct ospf_iface *ifa)
+{ return ifa->tx_length - ifa->tx_hdrlen; }
+
 static inline void ospf_send_to_all(struct ospf_iface *ifa)
 { ospf_send_to(ifa, ifa->all_routers); }
 
diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c
index a2fbd089..6b6a97a4 100644
--- a/proto/ospf/packet.c
+++ b/proto/ospf/packet.c
@@ -32,25 +32,12 @@ ospf_pkt_fill_hdr(struct ospf_iface *ifa, void *buf, u8 h_type)
   pkt->autype = ifa->autype;
 }
 
-uint
-ospf_pkt_maxsize(struct ospf_iface *ifa)
-{
-  uint headers = SIZE_OF_IP_HEADER;
-
-  /* Relevant just for OSPFv2 */
-  if (ifa->autype == OSPF_AUTH_CRYPT)
-    headers += OSPF_AUTH_CRYPT_SIZE;
-
-  return ifa->tx_length - headers;
-}
-
 /* We assume OSPFv2 in ospf_pkt_finalize() */
 static void
-ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
+ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt, uint *plen)
 {
-  struct password_item *passwd = NULL;
+  struct password_item *pass = NULL;
   union ospf_auth *auth = (void *) (pkt + 1);
-  uint plen = ntohs(pkt->length);
 
   pkt->checksum = 0;
   pkt->autype = ifa->autype;
@@ -62,25 +49,25 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
   switch (ifa->autype)
   {
   case OSPF_AUTH_SIMPLE:
-    passwd = password_find(ifa->passwords, 1);
-    if (!passwd)
+    pass = password_find(ifa->passwords, 1);
+    if (!pass)
     {
       log(L_ERR "No suitable password found for authentication");
       return;
     }
-    strncpy(auth->password, passwd->password, sizeof(auth->password));
+    strncpy(auth->password, pass->password, sizeof(auth->password));
 
   case OSPF_AUTH_NONE:
     {
       void *body = (void *) (auth + 1);
-      uint blen = plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth);
+      uint blen = *plen - sizeof(struct ospf_packet) - sizeof(union ospf_auth);
       pkt->checksum = ipsum_calculate(pkt, sizeof(struct ospf_packet), body, blen, NULL);
     }
     break;
 
   case OSPF_AUTH_CRYPT:
-    passwd = password_find(ifa->passwords, 0);
-    if (!passwd)
+    pass = password_find(ifa->passwords, 0);
+    if (!pass)
     {
       log(L_ERR "No suitable password found for authentication");
       return;
@@ -101,20 +88,25 @@ ospf_pkt_finalize(struct ospf_iface *ifa, struct ospf_packet *pkt)
 
     ifa->csn_use = now;
 
-    auth->md5.zero = 0;
-    auth->md5.keyid = passwd->id;
-    auth->md5.len = OSPF_AUTH_CRYPT_SIZE;
-    auth->md5.csn = htonl(ifa->csn);
+    uint auth_len = mac_type_length(pass->alg);
+    byte *auth_tail = ((byte *) pkt + *plen);
+    *plen += auth_len;
 
-    void *tail = ((void *) pkt) + plen;
-    char password[OSPF_AUTH_CRYPT_SIZE];
-    strncpy(password, passwd->password, sizeof(password));
+    ASSERT(*plen < ifa->sk->tbsize);
 
-    struct hash_context ctx;
-    md5_init(&ctx);
-    md5_update(&ctx, (char *) pkt, plen);
-    md5_update(&ctx, password, OSPF_AUTH_CRYPT_SIZE);
-    memcpy((byte *) tail, md5_final(&ctx), MD5_SIZE);
+    auth->c32.zero = 0;
+    auth->c32.keyid = pass->id;
+    auth->c32.len = auth_len;
+    auth->c32.csn = htonl(ifa->csn);
+
+    /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
+    if (pass->alg < ALG_HMAC)
+      strncpy(auth_tail, pass->password, auth_len);
+    else
+      memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
+
+    mac_fill(pass->alg, pass->password, pass->length,
+	     (byte *) pkt, *plen, auth_tail);
     break;
 
   default:
@@ -155,13 +147,19 @@ ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_
     return 1;
 
   case OSPF_AUTH_CRYPT:
-    if (auth->md5.len != OSPF_AUTH_CRYPT_SIZE)
-      DROP("invalid MD5 digest length", auth->md5.len);
+    pass = password_find_by_id(ifa->passwords, auth->c32.keyid);
+    if (!pass)
+      DROP("no suitable password found", auth->c32.keyid);
 
-    if (plen + OSPF_AUTH_CRYPT_SIZE > len)
-      DROP("length mismatch", len);
+    uint auth_len = mac_type_length(pass->alg);
 
-    u32 rcv_csn = ntohl(auth->md5.csn);
+    if (plen + auth->c32.len > len)
+      DROP("packet length mismatch", len);
+
+    if (auth->c32.len != auth_len)
+      DROP("wrong authentication length", auth->c32.len);
+
+    u32 rcv_csn = ntohl(auth->c32.csn);
     if (n && (rcv_csn < n->csn))
       // DROP("lower sequence number", rcv_csn);
     {
@@ -172,22 +170,19 @@ ospf_pkt_checkauth(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf_
       return 0;
     }
 
-    pass = password_find_by_id(ifa->passwords, auth->md5.keyid);
-    if (!pass)
-      DROP("no suitable password found", auth->md5.keyid);
+    byte *auth_tail = ((byte *) pkt) + plen;
+    byte *auth_data = alloca(auth_len);
+    memcpy(auth_data, auth_tail, auth_len);
 
-    byte *tail = ((byte *) pkt) + plen;
-    char received[OSPF_AUTH_CRYPT_SIZE];
-    memcpy(received, tail, OSPF_AUTH_CRYPT_SIZE);
-    strncpy(tail, pass->password, OSPF_AUTH_CRYPT_SIZE);
+    /* Append key for keyed hash, append padding for HMAC (RFC 5709 3.3) */
+    if (pass->alg < ALG_HMAC)
+      strncpy(auth_tail, pass->password, auth_len);
+    else
+      memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
 
-    struct hash_context ctx;
-    md5_init(&ctx);
-    md5_update(&ctx, (byte *) pkt, plen + OSPF_AUTH_CRYPT_SIZE);
-    char *computed = md5_final(&ctx);
-
-    if (memcmp(received, computed, OSPF_AUTH_CRYPT_SIZE))
-      DROP("wrong MD5 digest", pass->id);
+    if (!mac_verify(pass->alg, pass->password, pass->length,
+		    (byte *) pkt, plen + auth_len, auth_data))
+      DROP("wrong authentication code", pass->id);
 
     if (n)
       n->csn = rcv_csn;
@@ -473,15 +468,10 @@ ospf_send_to(struct ospf_iface *ifa, ip_addr dst)
 {
   sock *sk = ifa->sk;
   struct ospf_packet *pkt = (struct ospf_packet *) sk->tbuf;
-  int plen = ntohs(pkt->length);
+  uint plen = ntohs(pkt->length);
 
   if (ospf_is_v2(ifa->oa->po))
-  {
-    if (ifa->autype == OSPF_AUTH_CRYPT)
-      plen += OSPF_AUTH_CRYPT_SIZE;
-
-    ospf_pkt_finalize(ifa, pkt);
-  }
+    ospf_pkt_finalize(ifa, pkt, &plen);
 
   int done = sk_send_to(sk, plen, dst, 0);
   if (!done)

From e03dc6a984555e3c943735d50376cada2220bac8 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Sun, 30 Oct 2016 23:51:23 +0100
Subject: [PATCH 35/37] BFD: Authentication

Implement BFD authentication (part of RFC 5880). Supports plaintext
passwords and cryptographic MD5 / SHA-1 authentication.

Based on former commit from Pavel Tvrdik
---
 doc/bird.sgml       |  41 +++++++-
 proto/bfd/bfd.c     |   2 +
 proto/bfd/bfd.h     |  19 +++-
 proto/bfd/config.Y  |  46 ++++++++-
 proto/bfd/packets.c | 245 +++++++++++++++++++++++++++++++++++++++++---
 5 files changed, 333 insertions(+), 20 deletions(-)

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 7c34c208..6af0e0f6 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -672,7 +672,7 @@ agreement").
 	authentication is enabled, authentication can be enabled by separate,
 	protocol-dependent <cf/authentication/ option.
 
-	This option is allowed in OSPF and RIP protocols. BGP has also
+	This option is allowed in BFD, OSPF and RIP protocols. BGP has also
 	<cf/password/ option, but it is slightly different and described
 	separately.
 	Default: none.
@@ -1637,6 +1637,19 @@ protocol bfd [&lt;name&gt;] {
 		idle tx interval &lt;time&gt;;
 		multiplier &lt;num&gt;;
 		passive &lt;switch&gt;;
+		authentication none;
+		authentication simple;
+		authentication [meticulous] keyed md5|sha1;
+		password "&lt;text&gt;";
+		password "&lt;text&gt;" {
+			id &lt;num&gt;;
+			generate from "&lt;date&gt;";
+			generate to "&lt;date&gt;";
+			accept from "&lt;date&gt;";
+			accept to "&lt;date&gt;";
+			from "&lt;date&gt;";
+			to "&lt;date&gt;";
+		};
 	};
 	multihop {
 		interval &lt;time&gt;;
@@ -1720,6 +1733,32 @@ protocol bfd [&lt;name&gt;] {
 	sending control packets to the other side. This option allows to enable
 	passive mode, which means that the router does not send BFD packets
 	until it has received one from the other side. Default: disabled.
+
+	<tag>authentication none</tag>
+	No passwords are sent in BFD packets. This is the default value.
+
+	<tag>authentication simple</tag>
+	Every packet carries 16 bytes of password. Received packets lacking this
+	password are ignored. This authentication mechanism is very weak.
+
+	<tag>authentication [meticulous] keyed md5|sha1</tag>
+	An authentication code is appended to each packet. The cryptographic
+	algorithm is keyed MD5 or keyed SHA-1. Note that the algorithm is common
+	for all keys (on one interface), in contrast to OSPF or RIP, where it
+	is a per-key option. Passwords (keys) are not sent open via network.
+
+	The <cf/meticulous/ variant means that cryptographic sequence numbers
+	are increased for each sent packet, while in the basic variant they are
+	increased about once per second. Generally, the <cf/meticulous/ variant
+	offers better resistance to replay attacks but may require more
+	computation.
+
+	<tag>password "<M>text</M>"</tag>
+	Specifies a password used for authentication. See <ref id="dsc-pass"
+	name="password"> common option for detailed description. Note that
+	password option <cf/algorithm/ is not available in BFD protocol. The
+	algorithm is selected by <cf/authentication/ option for all passwords.
+
 </descrip>
 
 <sect1>Example
diff --git a/proto/bfd/bfd.c b/proto/bfd/bfd.c
index e7be6a8a..79135fae 100644
--- a/proto/bfd/bfd.c
+++ b/proto/bfd/bfd.c
@@ -316,6 +316,7 @@ bfd_session_timeout(struct bfd_session *s)
   s->rem_min_rx_int = 1;
   s->rem_demand_mode = 0;
   s->rem_detect_mult = 0;
+  s->rx_csn_known = 0;
 
   s->poll_active = 0;
   s->poll_scheduled = 0;
@@ -429,6 +430,7 @@ bfd_add_session(struct bfd_proto *p, ip_addr addr, ip_addr local, struct iface *
   s->rem_min_rx_int = 1;
   s->detect_mult = ifa->cf->multiplier;
   s->passive = ifa->cf->passive;
+  s->tx_csn = random_u32();
 
   s->tx_timer = tm2_new_init(p->tpool, bfd_tx_timer_hook, s, 0, 0);
   s->hold_timer = tm2_new_init(p->tpool, bfd_hold_timer_hook, s, 0, 0);
diff --git a/proto/bfd/bfd.h b/proto/bfd/bfd.h
index 9b61be64..46e09879 100644
--- a/proto/bfd/bfd.h
+++ b/proto/bfd/bfd.h
@@ -14,6 +14,7 @@
 #include "nest/iface.h"
 #include "nest/protocol.h"
 #include "nest/route.h"
+#include "nest/password.h"
 #include "conf/conf.h"
 #include "lib/hash.h"
 #include "lib/resource.h"
@@ -52,6 +53,8 @@ struct bfd_iface_config
   u32 idle_tx_int;
   u8 multiplier;
   u8 passive;
+  u8 auth_type;				/* Authentication type (BFD_AUTH_*) */
+  list *passwords;			/* Passwords for authentication */
 };
 
 struct bfd_neighbor
@@ -114,7 +117,7 @@ struct bfd_session
   u8 passive;
   u8 poll_active;
   u8 poll_scheduled;
-  
+
   u8 loc_state;
   u8 rem_state;
   u8 loc_diag;
@@ -141,6 +144,11 @@ struct bfd_session
   list request_list;			/* List of client requests (struct bfd_request) */
   bird_clock_t last_state_change;	/* Time of last state change */
   u8 notify_running;			/* 1 if notify hooks are running */
+
+  u8 rx_csn_known;			/* Received crypto sequence number is known */
+  u32 rx_csn;				/* Last received crypto sequence number */
+  u32 tx_csn;				/* Last transmitted crypto sequence number */
+  u32 tx_csn_time;			/* Timestamp of last tx_csn change */
 };
 
 
@@ -172,6 +180,15 @@ extern const char *bfd_state_names[];
 #define BFD_FLAG_DEMAND		(1 << 1)
 #define BFD_FLAG_MULTIPOINT	(1 << 0)
 
+#define BFD_AUTH_NONE			0
+#define BFD_AUTH_SIMPLE			1
+#define BFD_AUTH_KEYED_MD5		2
+#define BFD_AUTH_METICULOUS_KEYED_MD5	3
+#define BFD_AUTH_KEYED_SHA1		4
+#define BFD_AUTH_METICULOUS_KEYED_SHA1	5
+
+extern const u8 bfd_auth_type_to_hash_alg[];
+
 
 static inline void bfd_lock_sessions(struct bfd_proto *p) { pthread_spin_lock(&p->lock); }
 static inline void bfd_unlock_sessions(struct bfd_proto *p) { pthread_spin_unlock(&p->lock); }
diff --git a/proto/bfd/config.Y b/proto/bfd/config.Y
index 4affb927..73414362 100644
--- a/proto/bfd/config.Y
+++ b/proto/bfd/config.Y
@@ -22,11 +22,12 @@ extern struct bfd_config *bfd_cf;
 CF_DECLS
 
 CF_KEYWORDS(BFD, MIN, IDLE, RX, TX, INTERVAL, MULTIPLIER, PASSIVE,
-	INTERFACE, MULTIHOP, NEIGHBOR, DEV, LOCAL)
+	INTERFACE, MULTIHOP, NEIGHBOR, DEV, LOCAL, AUTHENTICATION,
+	NONE, SIMPLE, METICULOUS, KEYED, MD5, SHA1)
 
 %type <iface> bfd_neigh_iface
 %type <a> bfd_neigh_local
-%type <i> bfd_neigh_multihop
+%type <i> bfd_neigh_multihop bfd_auth_type
 
 CF_GRAMMAR
 
@@ -62,12 +63,35 @@ bfd_proto:
 bfd_iface_start:
 {
   this_ipatt = cfg_allocz(sizeof(struct bfd_iface_config));
+  add_tail(&BFD_CFG->patt_list, NODE this_ipatt);
   init_list(&this_ipatt->ipn_list);
 
   BFD_IFACE->min_rx_int = BFD_DEFAULT_MIN_RX_INT;
   BFD_IFACE->min_tx_int = BFD_DEFAULT_MIN_TX_INT;
   BFD_IFACE->idle_tx_int = BFD_DEFAULT_IDLE_TX_INT;
   BFD_IFACE->multiplier = BFD_DEFAULT_MULTIPLIER;
+
+  reset_passwords();
+};
+
+bfd_iface_finish:
+{
+  BFD_IFACE->passwords = get_passwords();
+
+  if (!BFD_IFACE->auth_type != !BFD_IFACE->passwords)
+    log(L_WARN "Authentication and password options should be used together");
+
+  if (BFD_IFACE->passwords)
+  {
+    struct password_item *pass;
+    WALK_LIST(pass, *BFD_IFACE->passwords)
+    {
+      if (pass->alg)
+        cf_error("Password algorithm option not available in BFD protocol");
+
+      pass->alg = bfd_auth_type_to_hash_alg[BFD_IFACE->auth_type];
+    }
+  }
 };
 
 bfd_iface_item:
@@ -77,6 +101,17 @@ bfd_iface_item:
  | IDLE TX INTERVAL expr_us { BFD_IFACE->idle_tx_int = $4; }
  | MULTIPLIER expr { BFD_IFACE->multiplier = $2; }
  | PASSIVE bool { BFD_IFACE->passive = $2; }
+ | AUTHENTICATION bfd_auth_type { BFD_IFACE->auth_type = $2; }
+ | password_list {}
+ ;
+
+bfd_auth_type:
+   NONE			 { $$ = BFD_AUTH_NONE; }
+ | SIMPLE 		 { $$ = BFD_AUTH_SIMPLE; }
+ | KEYED MD5		 { $$ = BFD_AUTH_KEYED_MD5; }
+ | KEYED SHA1   	 { $$ = BFD_AUTH_KEYED_SHA1; }
+ | METICULOUS KEYED MD5	 { $$ = BFD_AUTH_METICULOUS_KEYED_MD5; }
+ | METICULOUS KEYED SHA1 { $$ = BFD_AUTH_METICULOUS_KEYED_SHA1; }
  ;
 
 bfd_iface_opts:
@@ -89,10 +124,11 @@ bfd_iface_opt_list:
  | '{' bfd_iface_opts '}'
  ;
 
-bfd_iface: bfd_iface_start iface_patt_list_nopx bfd_iface_opt_list
-{ add_tail(&BFD_CFG->patt_list, NODE this_ipatt); };
+bfd_iface:
+  bfd_iface_start iface_patt_list_nopx bfd_iface_opt_list bfd_iface_finish;
 
-bfd_multihop: bfd_iface_start bfd_iface_opt_list
+bfd_multihop:
+  bfd_iface_start bfd_iface_opt_list bfd_iface_finish
 { BFD_CFG->multihop = BFD_IFACE; };
 
 
diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index deb501fc..129db72f 100644
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -5,24 +5,60 @@
  */
 
 #include "bfd.h"
+#include "lib/mac.h"
 
 
 struct bfd_ctl_packet
 {
-  u8 vdiag;			/* version and diagnostic */
-  u8 flags;			/* state and flags */
+  u8 vdiag;				/* Version and diagnostic */
+  u8 flags;				/* State and flags */
   u8 detect_mult;
-  u8 length;
-  u32 snd_id;			/* sender ID, aka 'my discriminator' */
-  u32 rcv_id;			/* receiver ID, aka 'your discriminator' */
+  u8 length;				/* Whole packet length */
+  u32 snd_id;				/* Sender ID, aka 'my discriminator' */
+  u32 rcv_id;				/* Receiver ID, aka 'your discriminator' */
   u32 des_min_tx_int;
   u32 req_min_rx_int;
   u32 req_min_echo_rx_int;
 };
 
+struct bfd_auth
+{
+  u8 type;				/* Authentication type (BFD_AUTH_*) */
+  u8 length;				/* Authentication section length */
+};
+
+struct bfd_simple_auth
+{
+  u8 type;				/* BFD_AUTH_SIMPLE */
+  u8 length;				/* Length of bfd_simple_auth + pasword length */
+  u8 key_id;				/* Key ID */
+  byte password[0];			/* Password itself, variable length */
+};
+
+#define BFD_MAX_PASSWORD_LENGTH 16
+
+struct bfd_crypto_auth
+{
+  u8 type;				/* BFD_AUTH_*_MD5 or BFD_AUTH_*_SHA1 */
+  u8 length;				/* Length of bfd_crypto_auth + hash length */
+  u8 key_id;				/* Key ID */
+  u8 zero;				/* Reserved, zero on transmit */
+  u32 csn;				/* Cryptographic sequence number */
+  byte data[0];				/* Authentication key/hash, length 16 or 20 */
+};
+
 #define BFD_BASE_LEN	sizeof(struct bfd_ctl_packet)
 #define BFD_MAX_LEN	64
 
+#define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0)
+
+#define LOG_PKT(msg, args...) \
+  log(L_REMOTE "%s: " msg, p->p.name, args)
+
+#define LOG_PKT_AUTH(msg, args...) \
+  log(L_AUTH "%s: " msg, p->p.name, args)
+
+
 static inline u8 bfd_pack_vdiag(u8 version, u8 diag)
 { return (version << 5) | diag; }
 
@@ -59,6 +95,189 @@ bfd_format_flags(u8 flags, char *buf)
   return buf;
 }
 
+const u8 bfd_auth_type_to_hash_alg[] = {
+    [BFD_AUTH_NONE] = 			ALG_UNDEFINED,
+    [BFD_AUTH_SIMPLE] = 		ALG_UNDEFINED,
+    [BFD_AUTH_KEYED_MD5] = 		ALG_MD5,
+    [BFD_AUTH_METICULOUS_KEYED_MD5] = 	ALG_MD5,
+    [BFD_AUTH_KEYED_SHA1] = 		ALG_SHA1,
+    [BFD_AUTH_METICULOUS_KEYED_SHA1] = 	ALG_SHA1,
+};
+
+
+/* Fill authentication section and modifies final length in control section packet */
+static void
+bfd_fill_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
+{
+  struct bfd_iface_config *cf = s->ifa->cf;
+  struct password_item *pass = password_find(cf->passwords, 0);
+  uint meticulous = 0;
+
+  if (!pass)
+  {
+    /* FIXME: This should not happen */
+    log(L_ERR "%s: No suitable password found for authentication", p->p.name);
+    return;
+  }
+
+  switch (cf->auth_type)
+  {
+  case BFD_AUTH_SIMPLE:
+  {
+    struct bfd_simple_auth *auth = (void *) (pkt + 1);
+    uint pass_len = MIN(pass->length, BFD_MAX_PASSWORD_LENGTH);
+
+    auth->type = BFD_AUTH_SIMPLE;
+    auth->length = sizeof(struct bfd_simple_auth) + pass_len;
+    auth->key_id = pass->id;
+
+    pkt->flags |= BFD_FLAG_AP;
+    pkt->length += auth->length;
+
+    memcpy(auth->password, pass->password, pass_len);
+    return;
+  }
+
+  case BFD_AUTH_METICULOUS_KEYED_MD5:
+  case BFD_AUTH_METICULOUS_KEYED_SHA1:
+    meticulous = 1;
+
+  case BFD_AUTH_KEYED_MD5:
+  case BFD_AUTH_KEYED_SHA1:
+  {
+    struct bfd_crypto_auth *auth = (void *) (pkt + 1);
+    uint hash_alg = bfd_auth_type_to_hash_alg[cf->auth_type];
+    uint hash_len = mac_type_length(pass->alg);
+
+    /* Increase CSN about one time per second */
+    u32  new_time = (u64) current_time() >> 20;
+    if ((new_time != s->tx_csn_time) || meticulous)
+    {
+      s->tx_csn++;
+      s->tx_csn_time = new_time;
+    }
+
+    DBG("[%I] CSN: %u\n", s->addr, s->last_tx_csn);
+
+    auth->type = cf->auth_type;
+    auth->length = sizeof(struct bfd_crypto_auth) + hash_len;
+    auth->key_id = pass->id;
+    auth->zero = 0;
+    auth->csn = htonl(s->tx_csn);
+
+    pkt->flags |= BFD_FLAG_AP;
+    pkt->length += auth->length;
+
+    strncpy(auth->data, pass->password, hash_len);
+    mac_fill(hash_alg, NULL, 0, (byte *) pkt, pkt->length, auth->data);
+    return;
+  }
+  }
+}
+
+static int
+bfd_check_authentication(struct bfd_proto *p, struct bfd_session *s, struct bfd_ctl_packet *pkt)
+{
+  struct bfd_iface_config *cf = s->ifa->cf;
+  const char *err_dsc = NULL;
+  uint err_val = 0;
+  uint auth_type = 0;
+  uint meticulous = 0;
+
+  if (pkt->flags & BFD_FLAG_AP)
+  {
+    struct bfd_auth *auth = (void *) (pkt + 1);
+
+    if ((pkt->length < (BFD_BASE_LEN + sizeof(struct bfd_auth))) ||
+	(pkt->length < (BFD_BASE_LEN + auth->length)))
+      DROP("packet length mismatch", pkt->length);
+
+    /* Zero is reserved, we use it as BFD_AUTH_NONE internally */
+    if (auth->type == 0)
+      DROP("reserved authentication type", 0);
+
+    auth_type = auth->type;
+  }
+
+  if (auth_type != cf->auth_type)
+    DROP("authentication method mismatch", auth_type);
+
+  switch (auth_type)
+  {
+  case BFD_AUTH_NONE:
+    return 1;
+
+  case BFD_AUTH_SIMPLE:
+  {
+    struct bfd_simple_auth *auth = (void *) (pkt + 1);
+
+    if (auth->length < sizeof(struct bfd_simple_auth))
+      DROP("wrong authentication length", auth->length);
+
+    struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id);
+    if (!pass)
+      DROP("no suitable password found", auth->key_id);
+
+    uint pass_len = MIN(pass->length, BFD_MAX_PASSWORD_LENGTH);
+    uint auth_len = sizeof(struct bfd_simple_auth) + pass_len;
+
+    if ((auth->length != auth_len) || memcmp(auth->password, pass->password, pass_len))
+      DROP("wrong password", pass->id);
+
+    return 1;
+  }
+
+  case BFD_AUTH_METICULOUS_KEYED_MD5:
+  case BFD_AUTH_METICULOUS_KEYED_SHA1:
+    meticulous = 1;
+
+  case BFD_AUTH_KEYED_MD5:
+  case BFD_AUTH_KEYED_SHA1:
+  {
+    struct bfd_crypto_auth *auth = (void *) (pkt + 1);
+    uint hash_alg = bfd_auth_type_to_hash_alg[cf->auth_type];
+    uint hash_len = mac_type_length(hash_alg);
+
+    if (auth->length != (sizeof(struct bfd_crypto_auth) + hash_len))
+      DROP("wrong authentication length", auth->length);
+
+    struct password_item *pass = password_find_by_id(cf->passwords, auth->key_id);
+    if (!pass)
+      DROP("no suitable password found", auth->key_id);
+
+    /* BFD CSNs are in 32-bit circular number space */
+    u32 csn = ntohl(auth->csn);
+    if (s->rx_csn_known &&
+	(((csn - s->rx_csn) > (3 * s->detect_mult)) ||
+	 (meticulous && (csn == s->rx_csn))))
+    {
+      /* We want to report both new and old CSN */
+      LOG_PKT_AUTH("Authentication failed for %I - "
+		   "wrong sequence number (rcv %u, old %u)",
+		   s->addr, csn, s->rx_csn);
+      return 0;
+    }
+
+    byte *auth_data = alloca(hash_len);
+    memcpy(auth_data, auth->data, hash_len);
+    strncpy(auth->data, pass->password, hash_len);
+
+    if (!mac_verify(hash_alg, NULL, 0, (byte *) pkt, pkt->length, auth_data))
+      DROP("wrong authentication code", pass->id);
+
+    s->rx_csn = csn;
+    s->rx_csn_known = 1;
+
+    return 1;
+  }
+  }
+
+drop:
+  LOG_PKT_AUTH("Authentication failed for %I - %s (%u)",
+	       s->addr, err_dsc, err_val);
+  return 0;
+}
+
 void
 bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final)
 {
@@ -85,6 +304,9 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final)
   else if (s->poll_active)
     pkt->flags |= BFD_FLAG_POLL;
 
+  if (s->ifa->cf->auth_type)
+    bfd_fill_authentication(p, s, pkt);
+
   if (sk->tbuf != sk->tpos)
     log(L_WARN "%s: Old packet overwritten in TX buffer", p->p.name);
 
@@ -94,8 +316,6 @@ bfd_send_ctl(struct bfd_proto *p, struct bfd_session *s, int final)
   sk_send_to(sk, pkt->length, s->addr, sk->dport);
 }
 
-#define DROP(DSC,VAL) do { err_dsc = DSC; err_val = VAL; goto drop; } while(0)
-
 static int
 bfd_rx_hook(sock *sk, uint len)
 {
@@ -151,10 +371,9 @@ bfd_rx_hook(sock *sk, uint len)
       return 1;
   }
 
-  /* FIXME: better authentication handling and message */
-  if (pkt->flags & BFD_FLAG_AP)
-    DROP("authentication not supported", 0);
-
+  /* bfd_check_authentication() has its own error logging */
+  if (!bfd_check_authentication(p, s, pkt))
+    return 1;
 
   u32 old_tx_int = s->des_min_tx_int;
   u32 old_rx_int = s->rem_min_rx_int;
@@ -173,8 +392,8 @@ bfd_rx_hook(sock *sk, uint len)
   bfd_session_process_ctl(s, pkt->flags, old_tx_int, old_rx_int);
   return 1;
 
- drop:
-  log(L_REMOTE "%s: Bad packet from %I - %s (%u)", p->p.name, sk->faddr, err_dsc, err_val);
+drop:
+  LOG_PKT("Bad packet from %I - %s (%u)", sk->faddr, err_dsc, err_val);
   return 1;
 }
 

From 920a86e8493fe25008f084f67f368aea9b197efd Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Thu, 3 Nov 2016 09:53:53 +0100
Subject: [PATCH 36/37] Add missing extern

---
 lib/mac.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/mac.h b/lib/mac.h
index 5fc216fd..b6f3af52 100644
--- a/lib/mac.h
+++ b/lib/mac.h
@@ -89,7 +89,7 @@ struct mac_desc {
   byte *(*hash_final)(struct hash_context *ctx);
 };
 
-const struct mac_desc mac_table[ALG_MAX];
+extern const struct mac_desc mac_table[ALG_MAX];
 
 static inline const char *mac_type_name(uint id)
 { return mac_table[id].name; }

From c8cafc8ebb5320ac7c6117c17e6460036f0fdf62 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)" <santiago@crfreenet.org>
Date: Tue, 8 Nov 2016 17:46:29 +0100
Subject: [PATCH 37/37] Minor code cleanups

---
 conf/cf-lex.l          |  2 +-
 conf/conf.c            |  6 +++---
 conf/conf.h            |  6 +++---
 conf/confbase.Y        |  2 +-
 filter/config.Y        | 26 +++++++++++++-------------
 filter/filter.h        | 24 ++++++++++++------------
 filter/tree.c          |  6 +++---
 lib/buffer.h           | 16 +++++++++++++++-
 lib/hash.h             | 11 +++++++++++
 proto/ospf/rt.c        |  4 ++--
 sysdep/linux/syspriv.h |  9 +++++++++
 sysdep/unix/io.c       |  5 ++++-
 sysdep/unix/main.c     |  4 +++-
 13 files changed, 80 insertions(+), 41 deletions(-)

diff --git a/conf/cf-lex.l b/conf/cf-lex.l
index d2aa6402..e9e385a6 100644
--- a/conf/cf-lex.l
+++ b/conf/cf-lex.l
@@ -589,7 +589,7 @@ cf_lex_init(int is_cli, struct config *c)
     cf_lex_init_kh();
 
   ifs_head = ifs = push_ifs(NULL);
-  if (!is_cli) 
+  if (!is_cli)
     {
       ifs->file_name = c->file_name;
       ifs->fd = c->file_fd;
diff --git a/conf/conf.c b/conf/conf.c
index 029814c6..0a4e3f8c 100644
--- a/conf/conf.c
+++ b/conf/conf.c
@@ -85,7 +85,7 @@ int undo_available;			/* Undo was not requested from last reconfiguration */
  * further use. Returns a pointer to the structure.
  */
 struct config *
-config_alloc(byte *name)
+config_alloc(const byte *name)
 {
   pool *p = rp_new(&root_pool, "Config");
   linpool *l = lp_new(p, 4080);
@@ -405,7 +405,7 @@ config_confirm(void)
  * if it's been queued due to another reconfiguration being in progress now,
  * %CONF_UNQUEUED if a scheduled reconfiguration is removed, %CONF_NOTHING
  * if there is no relevant configuration to undo (the previous config request
- * was config_undo() too)  or %CONF_SHUTDOWN if BIRD is in shutdown mode and 
+ * was config_undo() too)  or %CONF_SHUTDOWN if BIRD is in shutdown mode and
  * no new configuration changes  are accepted.
  */
 int
@@ -530,7 +530,7 @@ cf_error(char *msg, ...)
  * and we want to preserve it for further use.
  */
 char *
-cfg_strdup(char *c)
+cfg_strdup(const char *c)
 {
   int l = strlen(c) + 1;
   char *z = cfg_allocu(l);
diff --git a/conf/conf.h b/conf/conf.h
index 89a2c5b7..41cb434f 100644
--- a/conf/conf.h
+++ b/conf/conf.h
@@ -21,7 +21,7 @@ struct config {
   list protos;				/* Configured protocol instances (struct proto_config) */
   list tables;				/* Configured routing tables (struct rtable_config) */
   list roa_tables;			/* Configured ROA tables (struct roa_table_config) */
-  list logfiles;			/* Configured log fils (sysdep) */
+  list logfiles;			/* Configured log files (sysdep) */
 
   int mrtdump_file;			/* Configured MRTDump file (sysdep, fd in unix) */
   char *syslog_name;			/* Name used for syslog (NULL -> no syslog) */
@@ -61,7 +61,7 @@ struct config {
 extern struct config *config;		/* Currently active configuration */
 extern struct config *new_config;	/* Configuration being parsed */
 
-struct config *config_alloc(byte *name);
+struct config *config_alloc(const byte *name);
 int config_parse(struct config *);
 int cli_parse(struct config *);
 void config_free(struct config *);
@@ -95,7 +95,7 @@ extern linpool *cfg_mem;
 #define cfg_alloc(size) lp_alloc(cfg_mem, size)
 #define cfg_allocu(size) lp_allocu(cfg_mem, size)
 #define cfg_allocz(size) lp_allocz(cfg_mem, size)
-char *cfg_strdup(char *c);
+char *cfg_strdup(const char *c);
 void cfg_copy_list(list *dest, list *src, unsigned node_size);
 
 /* Lexer */
diff --git a/conf/confbase.Y b/conf/confbase.Y
index c14c23c7..96b32028 100644
--- a/conf/confbase.Y
+++ b/conf/confbase.Y
@@ -138,7 +138,7 @@ expr_us:
 /* Switches */
 
 bool:
-   expr {$$ = !!$1; }
+   expr { $$ = !!$1; }
  | ON { $$ = 1; }
  | YES { $$ = 1; }
  | OFF { $$ = 0; }
diff --git a/filter/config.Y b/filter/config.Y
index 29e3a734..5ea83f81 100644
--- a/filter/config.Y
+++ b/filter/config.Y
@@ -158,7 +158,7 @@ f_new_lc_item(u32 f1, u32 t1, u32 f2, u32 t2, u32 f3, u32 t3)
 
 static inline struct f_inst *
 f_generate_empty(struct f_inst *dyn)
-{ 
+{
   struct f_inst *e = f_new_inst();
   e->code = 'E';
 
@@ -261,7 +261,7 @@ f_generate_ec(u16 kind, struct f_inst *tk, struct f_inst *tv)
 
   if (c1 && c2) {
     u64 ec;
-  
+
     if (kind == EC_GENERIC) {
       ec = ec_generic(key, val2);
     }
@@ -280,7 +280,7 @@ f_generate_ec(u16 kind, struct f_inst *tk, struct f_inst *tv)
     NEW_F_VAL;
     rv = f_new_inst();
     rv->code = 'C';
-    rv->a1.p = val;    
+    rv->a1.p = val;
     val->type = T_EC;
     val->val.ec = ec;
   }
@@ -355,7 +355,7 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
 %type <e> pair_item ec_item lc_item set_item switch_item set_items switch_items switch_body
 %type <trie> fprefix_set
 %type <v> set_atom switch_atom fprefix fprefix_s fipa
-%type <s> decls declsn one_decl function_params 
+%type <s> decls declsn one_decl function_params
 %type <h> bgp_path bgp_path_tail1 bgp_path_tail2
 
 CF_GRAMMAR
@@ -391,7 +391,7 @@ type:
  | CLIST { $$ = T_CLIST; }
  | ECLIST { $$ = T_ECLIST; }
  | LCLIST { $$ = T_LCLIST; }
- | type SET { 
+ | type SET {
 	switch ($1) {
 	  case T_INT:
 	  case T_PAIR:
@@ -506,7 +506,7 @@ function_def:
    } function_params function_body {
      $2->def = $5;
      $2->aux2 = $4;
-     DBG("Hmm, we've got one function here - %s\n", $2->name); 
+     DBG("Hmm, we've got one function here - %s\n", $2->name);
      cf_pop_scope();
    }
  ;
@@ -652,7 +652,7 @@ fprefix:
    fprefix_s { $$ = $1; }
  | fprefix_s '+' { $$ = $1; $$.val.px.len |= LEN_PLUS; }
  | fprefix_s '-' { $$ = $1; $$.val.px.len |= LEN_MINUS; }
- | fprefix_s '{' NUM ',' NUM '}' { 
+ | fprefix_s '{' NUM ',' NUM '}' {
      if (! ((0 <= $3) && ($3 <= $5) && ($5 <= MAX_PREFIX_LENGTH))) cf_error("Invalid prefix pattern range: {%d, %d}.", $3, $5);
      $$ = $1; $$.val.px.len |= LEN_RANGE | ($3 << 16) | ($5 << 8);
    }
@@ -671,7 +671,7 @@ switch_body: /* EMPTY */ { $$ = NULL; }
        t->data = $4;
      $$ = f_merge_items($1, $2);
    }
- | switch_body ELSECOL cmds { 
+ | switch_body ELSECOL cmds {
      struct f_tree *t = f_new_tree();
      t->from.type = t->to.type = T_VOID;
      t->right = t;
@@ -683,7 +683,7 @@ switch_body: /* EMPTY */ { $$ = NULL; }
 /* CONST '(' expr ')' { $$ = f_new_inst(); $$->code = 'c'; $$->aux = T_INT; $$->a2.i = $3; } */
 
 bgp_path_expr:
-   symbol       { $$ = $1; }   
+   symbol       { $$ = $1; }
  | '(' term ')' { $$ = $2; }
  ;
 
@@ -836,8 +836,8 @@ term:
  | '-' EMPTY '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_CLIST; }
  | '-' '-' EMPTY '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_ECLIST; }
  | '-' '-' '-' EMPTY '-' '-' '-' { $$ = f_new_inst(); $$->code = 'E'; $$->aux = T_LCLIST; }
- | PREPEND '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('A','p'); $$->a1.p = $3; $$->a2.p = $5; } 
- | ADD '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'a'; } 
+ | PREPEND '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('A','p'); $$->a1.p = $3; $$->a2.p = $5; }
+ | ADD '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'a'; }
  | DELETE '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'd'; }
  | FILTER '(' term ',' term ')' { $$ = f_new_inst(); $$->code = P('C','a'); $$->a1.p = $3; $$->a2.p = $5; $$->aux = 'f'; }
 
@@ -892,7 +892,7 @@ print_list: /* EMPTY */ { $$ = NULL; }
    }
  ;
 
-var_listn: term { 
+var_listn: term {
      $$ = f_new_inst();
      $$->code = 's';
      $$->a1.p = NULL;
@@ -960,7 +960,7 @@ cmd:
      $$ = f_new_inst();
      $$->code = P('P','S');
      $$->a1.p = $3;
-   } 
+   }
  | UNSET '(' rtadot dynamic_attr ')' ';' {
      $$ = $4;
      $$->aux = EAF_TYPE_UNDEF | EAF_TEMP;
diff --git a/filter/filter.h b/filter/filter.h
index e0f34e4f..049ceb76 100644
--- a/filter/filter.h
+++ b/filter/filter.h
@@ -35,7 +35,7 @@ struct f_inst {		/* Instruction */
 /* Not enough fields in f_inst for three args used by roa_check() */
 struct f_inst_roa_check {
   struct f_inst i;
-  struct roa_table_config *rtc;	
+  struct roa_table_config *rtc;
 };
 
 struct f_inst3 {
@@ -65,7 +65,7 @@ struct f_val {
     uint i;
     u64 ec;
     lcomm lc;
-    /*    ip_addr ip; Folded into prefix */	
+    /*    ip_addr ip; Folded into prefix */
     struct f_prefix px;
     char *s;
     struct f_tree *t;
@@ -190,16 +190,16 @@ void val_format(struct f_val v, buffer *buf);
 #define T_PREFIX_SET 0x81
 
 
-#define SA_FROM		 1    
-#define SA_GW		 2      
-#define SA_NET		 3     
-#define SA_PROTO	 4   
-#define SA_SOURCE	 5  
-#define SA_SCOPE	 6   
-#define SA_CAST    	 7
-#define SA_DEST    	 8
-#define SA_IFNAME  	 9
-#define SA_IFINDEX    	10
+#define SA_FROM		 1
+#define SA_GW		 2
+#define SA_NET		 3
+#define SA_PROTO	 4
+#define SA_SOURCE	 5
+#define SA_SCOPE	 6
+#define SA_CAST		 7
+#define SA_DEST		 8
+#define SA_IFNAME	 9
+#define SA_IFINDEX	10
 
 
 struct f_tree {
diff --git a/filter/tree.c b/filter/tree.c
index 1196e630..f8379fa8 100644
--- a/filter/tree.c
+++ b/filter/tree.c
@@ -63,7 +63,7 @@ tree_compare(const void *p1, const void *p2)
  * build_tree
  * @from: degenerated tree (linked by @tree->left) to be transformed into form suitable for find_tree()
  *
- * Transforms denerated tree into balanced tree.
+ * Transforms degenerated tree into balanced tree.
  */
 struct f_tree *
 build_tree(struct f_tree *from)
@@ -162,7 +162,7 @@ void
 tree_format(struct f_tree *t, buffer *buf)
 {
   buffer_puts(buf, "[");
- 
+
   tree_node_format(t, buf);
 
   if (buf->pos == buf->end)
@@ -171,6 +171,6 @@ tree_format(struct f_tree *t, buffer *buf)
   /* Undo last separator */
   if (buf->pos[-1] != '[')
     buf->pos -= 2;
- 
+
   buffer_puts(buf, "]");
 }
diff --git a/lib/buffer.h b/lib/buffer.h
index cf073e88..2a53f211 100644
--- a/lib/buffer.h
+++ b/lib/buffer.h
@@ -1,3 +1,17 @@
+/*
+ *	BIRD Library -- Generic Buffer Structure
+ *
+ *	(c) 2013 Ondrej Zajicek <santiago@crfreenet.org>
+ *	(c) 2013 CZ.NIC z.s.p.o.
+ *
+ *	Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#ifndef _BIRD_BUFFER_H_
+#define _BIRD_BUFFER_H_
+
+#include "lib/resource.h"
+#include "sysdep/config.h"
 
 #define BUFFER(type)		struct { type *data; uint used, size; }
 
@@ -32,4 +46,4 @@
 
 #define BUFFER_FLUSH(v)		({ (v).used = 0; })
 
-
+#endif /* _BIRD_BUFFER_H_ */
diff --git a/lib/hash.h b/lib/hash.h
index fc5fea14..4239b1d8 100644
--- a/lib/hash.h
+++ b/lib/hash.h
@@ -1,4 +1,14 @@
+/*
+ *	BIRD Library -- Generic Hash Table
+ *
+ *	(c) 2013 Ondrej Zajicek <santiago@crfreenet.org>
+ *	(c) 2013 CZ.NIC z.s.p.o.
+ *
+ *	Can be freely distributed and used under the terms of the GNU GPL.
+ */
 
+#ifndef _BIRD_HASH_H_
+#define _BIRD_HASH_H_
 
 #define HASH(type)		struct { type **data; uint count, order; }
 #define HASH_TYPE(v)		typeof(** (v).data)
@@ -178,3 +188,4 @@
 
 #define HASH_WALK_FILTER_END } while (0)
 
+#endif
diff --git a/proto/ospf/rt.c b/proto/ospf/rt.c
index 8b3feda9..19f2d074 100644
--- a/proto/ospf/rt.c
+++ b/proto/ospf/rt.c
@@ -678,7 +678,7 @@ link_back(struct ospf_area *oa, struct top_hash_entry *en, struct top_hash_entry
      which may be later used as the next hop. */
 
   /* In OSPFv2, en->lb is set here. In OSPFv3, en->lb is just cleared here,
-     it is set in process_prefixes() to any global addres in the area */
+     it is set in process_prefixes() to any global address in the area */
 
   en->lb = IPA_NONE;
   en->lb_id = 0;
@@ -930,7 +930,7 @@ ospf_rt_sum_tr(struct ospf_area *oa)
   }
 }
 
-/* Decide about originating or flushing summary LSAs for condended area networks */
+/* Decide about originating or flushing summary LSAs for condensed area networks */
 static int
 decide_anet_lsa(struct ospf_area *oa, struct area_net *anet, struct ospf_area *anet_oa)
 {
diff --git a/sysdep/linux/syspriv.h b/sysdep/linux/syspriv.h
index d2ba95dd..8b210f06 100644
--- a/sysdep/linux/syspriv.h
+++ b/sysdep/linux/syspriv.h
@@ -1,4 +1,11 @@
+#ifndef _BIRD_SYSPRIV_H_
+#define _BIRD_SYSPRIV_H_
 
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <unistd.h>
 #include <sys/prctl.h>
 #include <linux/capability.h>
 
@@ -70,3 +77,5 @@ drop_uid(uid_t uid)
   if (setresuid(uid, uid, uid) < 0)
     die("setresuid: %m");
 }
+
+#endif /* _BIRD_SYSPRIV_H_ */
diff --git a/sysdep/unix/io.c b/sysdep/unix/io.c
index 873b5805..644a4fcd 100644
--- a/sysdep/unix/io.c
+++ b/sysdep/unix/io.c
@@ -9,7 +9,9 @@
 
 /* Unfortunately, some glibc versions hide parts of RFC 3542 API
    if _GNU_SOURCE is not defined. */
-#define _GNU_SOURCE 1
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -2046,6 +2048,7 @@ watchdog_stop(void)
 
 volatile int async_config_flag;		/* Asynchronous reconfiguration/dump scheduled */
 volatile int async_dump_flag;
+volatile int async_shutdown_flag;
 
 void
 io_init(void)
diff --git a/sysdep/unix/main.c b/sysdep/unix/main.c
index 35bc3fd1..8aa19fce 100644
--- a/sysdep/unix/main.c
+++ b/sysdep/unix/main.c
@@ -8,7 +8,9 @@
 
 #undef LOCAL_DEBUG
 
-#define _GNU_SOURCE 1
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>