Commit graph

3765 commits

Author SHA1 Message Date
Alexander Zubkov
77042292ff Doc: Document min/max operators for lists 2021-12-28 04:09:36 +01:00
Alexander Zubkov
0e1fd7ea6a Filter: Add operators to find minimum and maximum element of sets
Add operators .min and .max to find minumum or maximum element in sets
of types: clist, eclist, lclist. Example usage:

bgp_community.min
bgp_ext_community.max
filter(bgp_large_community, [(as1, as2, *)]).min

Signed-off-by: Alexander Zubkov <green@qrator.net>
2021-12-28 04:07:09 +01:00
Alexander Zubkov
e15e465720 Doc: Document community components access operators 2021-12-28 04:07:09 +01:00
Alexander Zubkov
a2a268da4f Filter: Add operators to pick community components
Add operators that can be used to pick components from
pair (standard community) or lc (large community) types.
For example:

(10, 20).asn --> 10
(10, 20).data --> 20

(10, 20, 30).asn --> 10
(10, 20, 30).data1 --> 20
(10, 20, 30).data2 --> 30

Signed-off-by: Alexander Zubkov <green@qrator.net>
2021-12-28 04:07:00 +01:00
Ondrej Zajicek (work)
a39cd2cc0b BSD: Assume onlink flag on ifaces with only host addresses
The BSD kernel does not support the onlink flag and BIRD does not use
direct routes for next hop validation, instead depends on interface
address ranges. We would like to handle PtMP cases with only host
addresses configured, like:

  ifconfig wg0 192.168.0.10/32
  route add 192.168.0.4 -iface wg0
  route add 192.168.0.8 -iface wg0

To accept BIRD routes with onlink next-hop, like:

  route 192.168.42.0/24 via 192.168.0.4%wg0 onlink

BIRD would dismiss the route when receiving from the kernel, as the
next-hop 192.168.0.4 is not part of any interface subnet and onlink
flag is not kept by the BSD kernel.

The commit fixes this by assuming that for routes received from the
kernel, any next-hop is onlink on ifaces with only host addresses.

Thanks to Stefan Haller for the original patch.
2021-12-27 21:00:04 +01:00
Job Snijders
b9f38727a7 RPKI: Add contextual out-of-bound checks in RTR Prefix PDU handler
RFC 6810 and RFC 8210 specify that the "Max Length" value MUST NOT be
less than the Prefix Length element (underflow). On the other side,
overflow of the Max Length element also is possible, it being an 8-bit
unsigned integer allows for values larger than 32 or 128. This also
implicitly ensures there is no overflow of "Length" value.

When a PDU is received where the Max Length field is corrputed, the RTR
client (BIRD) should immediately terminate the session, flush all data
learned from that cache, and log an error for the operator.

Minor changes done by commiter.
2021-12-18 16:35:28 +01:00
Simon Ruderich
00410fd6c1 Doc: bgp: remove "advertise ipv4"
The option was removed in d15b0b0a ("BGP redesign", 2016-12-07)
but the documentation wasn't updated.
2021-12-18 03:17:48 +01:00
Ondrej Zajicek (work)
b21104c97e Nest: Do not ignore secondary flag changes in ifa updates
Compare all IA_* flags that are set by sysdep iface code.

The old code ignores IA_SECONDARY flag when comparing whether iface
address updates from kernel changed anything. This is usually not an
issue as kernel removes all secondary addresses due to removal of the
primary one, but it breaks when sysctl 'promote_secondaries' is enabled
and kernel promotes secondary addresses to primary ones.

Thanks to 'Alexander' for the bugreport.
2021-12-18 01:09:52 +01:00
Maria Matejka
f772afc525 Memory statistics split into Effective and Overhead
This feature is intended mostly for checking that BIRD's allocation
strategies don't consume much memory space. There are some cases where
withdrawing routes in a specific order lead to memory fragmentation and
this output should give the user at least a notion of how much memory is
actually used for data storage and how much memory is "just allocated"
or used for overhead.

Also raising the "system allocator overhead estimation" from 8 to 16
bytes; it is probably even more. I've found 16 as a local minimum in
best scenarios among reachable machines. I couldn't find any reasonable
method to estimate this value when BIRD starts up.

This commit also fixes the inaccurate computation of memory overhead for
slabs where the "system allocater overhead estimation" was improperly
added to the size of mmap-ed memory.
2021-11-27 22:54:15 +01:00
Maria Matejka
644e9ca94e Directly mapped pages are kept for future use if temporarily not needed 2021-11-24 19:42:52 +00:00
Ondrej Zajicek (work)
9f24fef5e9 Conf: Fix crash during shutdown
BIRD implements shutdown by reconfiguring to fake empty configuration.
Such fake config structure is created from the last running config and
shares some data, including symbol table. This allows access to (removed)
routing tables and causes crash when 'show route' command is used during
shutdown.

Clean up symbol table, table list and links to default tables, so removed
routing tables cannot be accessed during shutdown.
2021-10-20 01:51:28 +02:00
Ondrej Zajicek (work)
f761be6b30 Nest: Clean up main channel handling
Remove assumption that main channel is the only channel.
2021-06-17 16:56:51 +02:00
Ondrej Zajicek (work)
1b9bf4e192 Nest: Fix export of tmpattrs through pipes
Pipes copy the original rte with old values, so they require rte to be
exported with stored tmpattrs. Other protocols access stored attributes
using eattr list, so they require rte to be exported with expanded
tmpattrs. This is temporary hack, we plan to remove whoe tmpattr mechanism.

Thanks to Paul Donohue for the bugreport.
2021-06-14 20:02:50 +02:00
Ondrej Zajicek (work)
3ebabab277 Revert "Nest: Fix export of tmpattrs through pipes"
This reverts commit f8e273b5e7.
2021-06-14 17:58:37 +02:00
Ondrej Zajicek (work)
f8e273b5e7 Nest: Fix export of tmpattrs through pipes
In most cases of export there is no need to store back temporary
attributes to rte, as receivers (protocols) access eattr list anyway.
But pipe copies the original rte with old values, so we should store
tmpattrs also during export.

Thanks to Paul Donohue for the bugreport.
2021-06-14 16:30:59 +02:00
Ondrej Zajicek (work)
3f19100f5a CI: Allow Babel tests 2021-06-11 01:31:10 +02:00
Ondrej Zajicek (work)
596f2e32e3 Nest: Allow both 'password' and 'key' keywords for authentication keys 2021-06-09 19:54:01 +02:00
Ondrej Zajicek (work)
6d26f85395 Babel: Simplify auth expiration
Just use hello_expiry for that, keep init_expiry for initial
unauthentized neighbors.
2021-06-09 19:31:55 +02:00
Ondrej Zajicek (work)
8eea396baf Nest: Fix password list parsing code
One of previous patches broke password list parsing code, fix that.
2021-06-06 19:10:33 +02:00
Ondrej Zajicek (work)
ee9516dbe8 Lib: Fix static assert macro 2021-06-06 17:23:45 +02:00
Ondrej Zajicek (work)
b174cc0abc Babel: Add MAC authentication support - update
Some cleanups and bugfixes to the previous patch, including:

 - Fix rate limiting in index mismatch check

 - Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation

 - Fix missing auth_tx_overhead recalculation during reconfiguration

 - Fix pseudoheader construction in babel_auth_sign() (sport vs fport)

 - Fix typecasts for ptrdiffs in log messages

 - Make auth log messages similar to corresponding RIP/OSPF ones

 - Change auth log messages for events that happen during regular
   operation to debug messages

 - Switch meaning of babel_auth_check*() functions for consistency
   with corresponding RIP/OSPF ones

 - Remove requirement for min/max key length, only those required by
   given MAC code are enforced
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
b218a28f61 Babel: Add MAC authentication support
This implements support for MAC authentication in the Babel protocol, as
specified by RFC 8967. The implementation seeks to follow the RFC as close
as possible, with the only deliberate deviation being the addition of
support for all the HMAC algorithms already supported by Bird, as well as
the Blake2b variant of the Blake algorithm.

For description of applicability, assumptions and security properties,
see RFC 8967 sections 1.1 and 1.2.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
69d10132a6 Babel: Refactor TLV parsing code for easier reuse
In preparation for adding authentication checks, refactor the TLV
walking code so it can be reused for a separate pass of the packet
for authentication checks.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
589f7d1e4f Nest: Allow MAC algorithms to specify min/max key length
Add min/max key length fields to the MAC algorithm description and
validate configured keys before they are used.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
35f88b305a Nest: Allow specifying security keys as hex bytes as well as strings
Add support for specifying a password in hexadecimal format, The result
is the same whether a password is specified as a quoted string or a
hex-encoded byte string, this just makes it more convenient to input
high-entropy byte strings as MAC keys.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
f1a824190c Lib: Add tests for blake2s and blake2b
Import the blake2-kat.h header with test vector output from the blake
reference implementation, and add tests to mac_test.c to compare the
output of the Bird MAC algorithm implementations with that reference
output.

Since the reference implementation only has test vectors for the full
output size, there are no tests for the smaller-sized output variants.
2021-06-06 16:28:09 +02:00
Toke Høiland-Jørgensen
725d9af94a Lib: Add Blake2s and Blake2b hash functions
The Babel MAC authentication RFC recommends implementing Blake2s as one of
the supported algorithms. In order to achieve do this, add the blake2b and
blake2s hash functions for MAC authentication. The hashing function
implementations are the reference implementations from blake2.net.

The Blake2 algorithms allow specifying an arbitrary output size, and the
Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy
this, we add two different variants of each of the algorithms, one using
the default size (256 bits for Blake2s, 512 bits for Blake2b), and one
using half the default output size.

Update to BIRD coding style done by committer.
2021-06-06 16:26:58 +02:00
Ondrej Zajicek (work)
e5724f71d2 sysdep: Add wrapper to get random bytes - update
Simplify the code and fix an issue with getentropy() return value.
2021-06-06 16:26:06 +02:00
Toke Høiland-Jørgensen
c48ebde5ce sysdep: Add wrapper to get random bytes
Add a wrapper function in sysdep to get random bytes, and required checks
in configure.ac to select how to do it. The configure script tries, in
order, getrandom(), getentropy() and reading from /dev/urandom.
2021-06-06 16:26:06 +02:00
Ondrej Zajicek (work)
91d0458389 BGP: Ensure that freed neighbor entry is not accessed
Routes from downed protocols stay in rtable (until next rtable prune
cycle ends) and may be even exported to another protocol. In BGP case,
source BGP protocol is examined, although dynamic parts (including
neighbor entries) are already freed. That may lead to crash under some
race conditions. Ensure that freed neighbor entry is not accessed to
avoid this issue.
2021-06-01 02:20:26 +02:00
Maria Matejka
ebd5751cde Babel: Seqno requests are properly decoupled from neighbors when the underlying interface disappears
When an interface disappears, all the neighbors are freed as well. Seqno
requests were anyway not decoupled from them, leading to strange
segfaults. This fix adds a proper seqno request list inside neighbors to
make sure that no pointer to neighbor is kept after free.
2021-05-30 13:29:21 +02:00
Ondrej Zajicek (work)
10498b8e89 OSPF: Fix OSPFv3 in IPv4 mode with multiple areas
Some area handling code got confused by IPv4 setup in OSPFv3 mode.
2021-05-26 18:57:32 +02:00
Ondrej Zajicek (work)
8650e26dd1 CI: Try different locale for Centos 7 2021-05-20 15:02:48 +02:00
Matous Holinka
0c4dca7ffd CI: Package build for more platforms
.gitlab-ci.yml:
+ pkg targets for some distros added
+ artifacts added
- some distros were commented out (due to errors).

misc/docker/*:
+ Dockerfiles updated with the necessary packages.
2021-05-20 04:21:26 +02:00
Ondrej Zajicek (work)
98ef34c0c7 CI: Try utf-8 locale to workaround apkg issue 2021-05-19 17:22:12 +02:00
Ondrej Zajicek (work)
445d0e699f CI: Build documentation where tools are available 2021-05-19 17:22:12 +02:00
Ondrej Zajicek (work)
656c744080 CI: Update docker images for building of documentation 2021-05-19 17:22:12 +02:00
Ondrej Zajicek (work)
5ea3c5bfee Pkg: Enable docs subpackage for Debian 2021-05-19 17:22:12 +02:00
Ondrej Zajicek (work)
81666d2f12 CI: Test of apkg build
Also temporarily disable cf-ospf-auth, as there is some problem with it.
2021-05-19 17:22:12 +02:00
Ondrej Zajicek (work)
312aeda393 Tools: Improve make-dev-archive
Use git-archive to avoid unrelated and temporary files and fix some
minor issues (e.g. dependency on bash as system shell).
2021-05-19 17:22:12 +02:00
Jakub Ružička
280d133a9b ubuntu: use any init-system-helpers
init-system-helpers (>= 1.56~) can't be satisfied on:

* Ubuntu 18.04 (1.51)
* Ubuntu 16.04 (1.29)
* Debian 9 (1.48)

Remove the specific version requirement in order to enable build on
older platforms.
2021-05-19 17:22:11 +02:00
Jakub Ružička
53cabf94f8 suse: fix bird.spec to work on SUSE
SUSE is more strict about .spec.

* use SPDX license id
* add missing %ghost file directive
2021-05-19 17:22:11 +02:00
Jakub Ružička
60167856af docs: disable docs subpackage to fix FTBFS
Adressing following FTBFS on all older debian/ubuntu distros:

    Can't locate LinuxDocTools/Data/Latin1ToSgml.pm in @INC (you may need to install the LinuxDocTools::Data::Latin1ToSgml module)
2021-05-19 17:22:11 +02:00
Jakub Ružička
329d6e3fbc add apkg-powered upstream packaging for deb, rpm
Files in a single new distro/ dir allow apkg to build BIRD packages for
various distros directly from upstream sources as well as from upstream
archives.

Please see distro/README.md for more detail as well as apkg docs:

https://apkg.rtfd.io

I've used these files to build bird-2.0.8 on all currently supported
releases of following distros:

* Debian
* Ubuntu
* Fedora
* CentOS
* openSUSE

Please note that latest apkg with accumulated fixes for bird is needed:
https://gitlab.nic.cz/packaging/apkg/-/merge_requests/35
2021-05-19 17:22:11 +02:00
Ondrej Zajicek (work)
c3c691e95c Flowspec: Documentation update 2021-05-18 20:41:01 +02:00
Ondrej Zajicek (work)
abc9ccc5cb Flowspec: Label field should use numeric operator and not bitmask operator 2021-05-18 20:23:08 +02:00
Ondrej Zajicek (work)
dd8481cc1c Flowspec: Do not use comma for bitmask operators
For numeric operators, comma is used for disjunction in expressions like
"10, 20, 30..40". But for bitmask operators, comma is used for
conjunction in a way that does not really make much sense. Use always
explicit logical operators (&& and ||) to connect bitmask operators.

Thanks to Matt Corallo for the bugreport.
2021-05-18 19:54:18 +02:00
Trisha Biswas
e5468d1685 Filter: Add MPLS label route attribute
Add support to set or read outgoing MPLS labels using filters. Currently
this supports the addition of one label per route for the first next hop.

Minor changes by committer.
2021-05-17 17:50:04 +02:00
Ondrej Zajicek (work)
d114959e3a Flowspec: Fix values for true/false operators
RFC 8955 is pretty clear that 000 is false and 111 is true.
2021-05-14 18:44:52 +02:00
Ondrej Zajicek (work)
69a33c92ff Flowspec: Add code for conversion of flowspec parts to interval lists
Implement function flow_explicate_part() to convert flowspec numeric
expressions to a simple list of (disjoint, sorted) intervals. That could
be used in filters to build f_tree-based int-sets from them.
2021-05-14 18:33:15 +02:00