Commit graph

54 commits

Author SHA1 Message Date
Maria Matejka
fd9f0c0640 Configuration strings are constant.
This is merely a const propagation. There was no problem in there.
2020-04-09 15:37:14 +02:00
Ondrej Zajicek (work)
757cab18d6 BGP: Support for MD5SIG together with remote range
When dynamic BGP with remote range is configured, MD5SIG needs to use
newer socket option (TCP_MD5SIG_EXT) to specify remote addres range for
listening socket.

Thanks to Adam Kułagowski for the suggestion.
2020-02-27 17:29:17 +01:00
Ondrej Zajicek (work)
70a4320bdd RAdv: Allow solicited RAs to be sent as unicast
Add option to send solicited router advertisements as unicast directly
to soliciting nodes instead of as multicast to all-nodes group.
2019-08-12 00:43:19 +02:00
Ondrej Zajicek (work)
46434a3cad Merge commit '7b2c5f3d2826e3175bf31b1c36056c9efc587a2b' into int-new 2017-12-07 18:35:46 +01:00
Ondrej Zajicek (work)
943478b00f Basic VRF support
Add basic VRF (virtual routing and forwarding) support. Protocols can be
associated with VRFs, such protocols will be restricted to interfaces
assigned to the VRF (as reported by Linux kernel) and will use sockets
bound to the VRF. E.g., different multihop BGP instances can use diffent
kernel routing tables to handle BGP TCP connections.

The VRF support is preliminary, currently there are several limitations:

- Recent Linux kernels (4.11) do not handle correctly sockets bound
to interaces that are part of VRF, so most protocols other than multihop
BGP do not work. This will be fixed by future kernel versions.

- Neighbor cache ignores VRFs. Breaks config with the same prefix on
local interfaces in different VRFs. Not much problem as single hop
protocols do not work anyways.

- Olock code ignores VRFs. Breaks config with multiple BGP peers with the
same IP address in different VRFs.

- Incoming BGP connections are not dispatched according to VRFs.
Breaks config with multiple BGP peers with the same IP address in
different VRFs. Perhaps we would need some kernel API to read VRF of
incoming connection? Or probably use multiple listening sockets in
int-new branch.

- We should handle master VRF interface up/down events and perhaps
disable associated protocols when VRF goes down. Or at least disable
associated interfaces.

- Also we should check if the master iface is really VRF iface and
not some other kind of master iface.

- BFD session request dispatch should be aware of VRFs.

- Perhaps kernel protocol should read default kernel table ID from VRF
iface so it is not necessary to configure it.

- Perhaps we should have per-VRF default table.
2017-09-06 17:38:48 +02:00
Jan Moskyto Matejka
ad88b94bca Merge branch 'int-new-rpki-squashed' (early part) into int-new 2016-12-07 15:30:46 +01:00
Jan Moskyto Matejka
af62c0f9f1 LibSSH may be switched off together with RPKI 2016-12-07 14:15:35 +01:00
Pavel Tvrdík
65d2a88dd2 RPKI protocol with one cache server per protocol
The RPKI protocol (RFC 6810) using the RTRLib
(http://rpki.realmv6.org/) that is integrated inside
the BIRD's code.

Implemeted transports are:
 - unprotected transport over TCP
 - secure transport over SSHv2

Example configuration of bird.conf:
  ...
  roa4 table r4;
  roa6 table r6;

  protocol rpki {
    debug all;

    # Import both IPv4 and IPv6 ROAs
    roa4 { table r4; };
    roa6 { table r6; };

    # Set cache server (validator) address,
    # overwrite default port 323
    remote "rpki-validator.realmv6.org" port 8282;

    # Overwrite default time intervals
    retry   10;         # Default 600 seconds
    refresh 60;         # Default 3600 seconds
    expire 600;         # Default 7200 seconds
  }

  protocol rpki {
    debug all;

    # Import only IPv4 routes
    roa4 { table r4; };

    # Set cache server address to localhost,
    # use default ports tcp => 323 or ssh => 22
    remote 127.0.0.1;

    # Use SSH transport instead of unprotected transport over TCP
    ssh encryption {
      bird private key "/home/birdgeek/.ssh/id_rsa";
      remote public key "/home/birdgeek/.ssh/known_hosts";
      user "birdgeek";
    };
  }
  ...
2016-12-07 09:35:24 +01:00
Ondrej Zajicek (work)
8860e991f6 Merge branch 'master' into int-new 2016-11-08 19:27:58 +01:00
Jan Moskyto Matejka
3e236955c9 Build: switch on -Wextra, get rid of most of the warnings
There are several unresolved -Wmissing-field-initializers on older
versions of GCC than 5.1, all of them false positive.
2016-11-01 14:52:54 +01:00
Ondrej Zajicek (work)
08b3a24da5 IO: Minor changes in socket AF handing
AF can be specified implicitly by saddr or daddr, flags SKF_V4ONLY and
SKF_V6ONLY are to be removed.
2016-05-17 15:21:49 +02:00
Ondrej Zajicek (work)
af678af0d5 Merge remote-tracking branch 'origin/master' into int-new 2016-05-12 18:03:23 +02:00
Ondrej Zajicek (work)
a7baa09862 BSD: Add the IPsec SA/SP database entries control
Add code for manipulation with TCP-MD5 keys in the IPsec SA/SP database
at FreeBSD systems. Now, BGP MD5 authentication (RFC 2385) keys are
handled automatically on both Linux and FreeBSD.

Based on patches from Pavel Tvrdik.
2016-04-13 14:37:09 +02:00
Jan Moskyto Matejka
7a7ac65682 Merge branch 'master' into int-new-channels 2016-04-08 12:28:33 +02:00
Ondrej Zajicek (work)
9e7b3ebdf9 IO: Replace RX priority heuristic with explicit mark
In BIRD, RX has lower priority than TX with the exception of RX from
control socket. The patch replaces heuristic based on socket type with
explicit mark and uses it for both control socket and BGP session waiting
to be established.

This should avoid an issue when during heavy load, outgoing connection
could connect (TX event), send open, but then failed to receive OPEN /
establish in time, not sending notifications between and therefore
got hold timer expired error from the neighbor immediately after it
finally established the connection.
2016-04-06 11:49:34 +02:00
Jan Moskyto Matejka
6ffa8f5393 Hidden AF_INET* inside sysdep/ 2016-01-11 09:29:51 +01:00
Jan Moskyto Matejka
70b90dde23 Better fix of missing AF_INET6? definition in lib/socket.h
Moved the code to sysdep.
2015-12-22 09:45:09 +01:00
Jan Moskyto Matejka
67aa88336a BSD wants to include sys/socket.h in lib/socket.h (AF_INET6? definitions) 2015-12-21 18:23:08 +01:00
Ondrej Zajicek (work)
23c212e7f1 Follow-up work on integration 2015-12-21 03:33:18 +01:00
Pavel Tvrdík
ae80a2de95 unsigned [int] -> uint 2015-06-08 02:24:08 +02:00
Ondrej Zajicek
9c89560e6c Use IP_PORTRANGE_HIGH for BFD where available 2015-02-22 20:14:14 +01:00
Ondrej Zajicek
88a183c6c9 Integrated IP functions. 2014-10-24 11:11:43 +02:00
Ondrej Zajicek
05476c4d04 IPv4/IPv6 integrated socket code. 2014-05-18 11:42:26 +02:00
Ondrej Zajicek
48e5f32db6 Many changes in I/O and OSPF sockets and packet handling.
I/O:
 - BSD: specify src addr on IP sockets by IP_HDRINCL
 - BSD: specify src addr on UDP sockets by IP_SENDSRCADDR
 - Linux: specify src addr on IP/UDP sockets by IP_PKTINFO
 - IPv6: specify src addr on IP/UDP sockets by IPV6_PKTINFO
 - Alternative SKF_BIND flag for binding to IP address
 - Allows IP/UDP sockets without tx_hook, on these
   sockets a packet is discarded when TX queue is full
 - Use consistently SOL_ for socket layer values.

OSPF:
 - Packet src addr is always explicitly set
 - Support for secondary addresses in BSD
 - Dynamic RX/TX buffers
 - Fixes some minor buffer overruns
 - Interface option 'tx length'
 - Names for vlink pseudoifaces (vlinkX)
 - Vlinks use separate socket for TX
 - Vlinks do not use fixed associated iface
 - Fixes TTL for direct unicast packets
 - Fixes DONTROUTE for OSPF sockets
 - Use ifa->ifname instead of ifa->iface->name
2014-02-06 17:46:01 +01:00
Ondrej Zajicek
bf139664aa Initial BFD commit, work in progress. 2013-09-10 12:09:36 +02:00
Ondrej Zajicek
70e212f913 Implements TTL security for OSPF and RIP.
Interfaces for OSPF and RIP could be configured to use (and request)
TTL 255 for traffic to direct neighbors.

Thanks to Simon Dickhoven for the original patch for RIPng.
2013-06-25 15:39:44 +02:00
Ondrej Zajicek
ef4a50be10 Better packet priority and traffic class handling.
Implements support for IPv6 traffic class, sets higher priority for OSPF
and RIP outgoing packets by default and allows to configure ToS/DS/TClass
IP header field and the local priority of outgoing packets.
2013-06-24 16:37:30 +02:00
Ondrej Zajicek
c4b76d7b19 Rename sk_new() to avoid name collision with OpenSSL. 2012-07-18 19:35:30 +02:00
Ondrej Zajicek
eb1451a3a0 Better support for link-local addresses in IO code. 2012-01-08 15:27:04 +01:00
Ondrej Zajicek
b1b1943360 The generalized TTL security mechanism (RFC 5082) support.
Thanks to Alexander V. Chernikov for the patch.
2011-08-16 23:13:05 +02:00
Ondrej Zajicek
93e868c730 Implements Router Advertisement protocol. 2011-03-13 11:33:50 +01:00
Ondrej Zajicek
54305181f6 Merge branch 'new' into socket2 2010-03-11 18:55:59 +01:00
Ondrej Zajicek
e81b440f68 Fix configure to enable warnings and fix most of them. 2010-02-21 14:34:53 +01:00
Ondrej Zajicek
a2ea1bac60 Moves errno.h include. 2010-02-11 21:19:20 +01:00
Ondrej Zajicek
353729f513 Temporary OSPF commit - socket changes. 2010-02-11 10:23:35 +01:00
Ondrej Zajicek
0741e68750 Socket table update. 2010-01-08 10:21:51 +01:00
Ondrej Zajicek
4ac7c8341c Use IPv6 checksums in OSPFv3. 2009-11-09 23:22:53 +01:00
Ondrej Zajicek
3f22fa9e74 Merge branch 'dev' into ospf3 2009-11-09 22:54:39 +01:00
Ondrej Zajicek
ea89da381f Workaround for stupid callback scheduler.
There is no reak callback scheduler and previous behavior causes
bad things during hard congestion (like BGP hold timeouts).

Smart callback scheduler is still missing, but main loop was
changed such that it first processes all tx callbacks (which
are fast enough) (but max 4* per socket) + rx callbacks for CLI,
and in the second phase it processes one rx callback per
socket up to four sockets (as rx callback can be slow when
there are too many protocols, because route redistribution
is done synchronously inside rx callback). If there is event
callback ready, second phase is skipped in 90% of iterations
(to speed up CLI during congestion).
2009-10-11 18:56:16 +02:00
Ondrej Zajicek
f9c799a00e Temporary OSPFv3 development commit (changing multicast support). 2009-09-04 11:06:51 +02:00
Ondrej Zajicek
789772ed45 Implements option that changes BGP listening socket parametres. 2009-06-18 19:20:07 +02:00
Ondrej Zajicek
a39b165e45 Multihop BGP was completely broken, because listening socket has always
ttl 1.
2008-11-01 16:58:40 +01:00
Ondrej Zajicek
d51aa28190 Implementation of MD5 authentication of BGP sessions. 2008-10-26 22:42:39 +01:00
Ondrej Filip
e7ef86a58c OSPF is ready for changing MTU. 2004-06-04 18:51:29 +00:00
Martin Mares
38a608c55a Rewritten the I/O loop. All socket operations are now safe, meaning that
you can delete the socket from anywhere in the hooks and nothing should break.
Also, the receive/transmit buffers are now regular xmalloc()'ed buffers,
not separate resources which would need shuffling around between pools.

sk_close() is gone, use rfree() instead.
2004-05-31 21:48:19 +00:00
Martin Mares
320f417357 Defined sk_close() which closes the socket safely even if called from
socket hook. Replaces the SK_DELETED hack.

Squashed a couple of bugs in handling of TCP sockets.
2000-03-30 10:43:37 +00:00
Martin Mares
b93abffae4 Implemented unix-domain sockets. 1999-10-29 12:09:29 +00:00
Martin Mares
139ca21d05 Added sk_send_buffer_empty(). 1999-05-31 13:21:07 +00:00
Martin Mares
5a99ade413 Fixed a couple of bugs in handling of multicast sockets.
See comments in lib/socket.h for a detailed guide on how to use them.
1999-04-12 14:57:46 +00:00
Martin Mares
b4b3b39e20 Added SK_MAGIC type sockets for internal use by system dependent code,
especially for netlink communication.
1999-03-01 22:30:33 +00:00