diff --git a/.frr.metadata b/.frr.metadata new file mode 100644 index 0000000..02cfdb0 --- /dev/null +++ b/.frr.metadata @@ -0,0 +1 @@ +5e4505f1289ede3a0d2ce216acfb3f2b2730f09a SOURCES/frr-8.0.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..648891d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/frr-8.0.tar.gz diff --git a/SOURCES/0000-remove-babeld-and-ldpd.patch b/SOURCES/0000-remove-babeld-and-ldpd.patch new file mode 100644 index 0000000..37c416a --- /dev/null +++ b/SOURCES/0000-remove-babeld-and-ldpd.patch @@ -0,0 +1,55 @@ +diff --git a/Makefile.am b/Makefile.am +index 5be3264..33abc1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -130,8 +130,6 @@ include ospf6d/subdir.am + include ospfclient/subdir.am + include isisd/subdir.am + include nhrpd/subdir.am +-include ldpd/subdir.am +-include babeld/subdir.am + include eigrpd/subdir.am + include sharpd/subdir.am + include pimd/subdir.am +@@ -182,7 +180,6 @@ EXTRA_DIST += \ + snapcraft/defaults \ + snapcraft/helpers \ + snapcraft/snap \ +- babeld/Makefile \ + bgpd/Makefile \ + bgpd/rfp-example/librfp/Makefile \ + bgpd/rfp-example/rfptest/Makefile \ +@@ -193,7 +190,6 @@ EXTRA_DIST += \ + fpm/Makefile \ + grpc/Makefile \ + isisd/Makefile \ +- ldpd/Makefile \ + lib/Makefile \ + nhrpd/Makefile \ + ospf6d/Makefile \ +diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons +index f6d512b..6d4831d 100644 +--- a/tools/etc/frr/daemons ++++ b/tools/etc/frr/daemons +@@ -21,10 +21,8 @@ ripd=no + ripngd=no + isisd=no + pimd=no +-ldpd=no + nhrpd=no + eigrpd=no +-babeld=no + sharpd=no + pbrd=no + bfdd=no +@@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1" + ripngd_options=" -A ::1" + isisd_options=" -A 127.0.0.1" + pimd_options=" -A 127.0.0.1" +-ldpd_options=" -A 127.0.0.1" + nhrpd_options=" -A 127.0.0.1" + eigrpd_options=" -A 127.0.0.1" +-babeld_options=" -A 127.0.0.1" + sharpd_options=" -A 127.0.0.1" + pbrd_options=" -A 127.0.0.1" + staticd_options="-A 127.0.0.1" diff --git a/SOURCES/0002-enable-openssl.patch b/SOURCES/0002-enable-openssl.patch new file mode 100644 index 0000000..a0068ee --- /dev/null +++ b/SOURCES/0002-enable-openssl.patch @@ -0,0 +1,78 @@ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/log.c \ + lib/log_filter.c \ + lib/log_vty.c \ +- lib/md5.c \ + lib/memory.c \ + lib/mlag.c \ + lib/module.c \ +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/routemap_northbound.c \ + lib/sbuf.c \ + lib/seqlock.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/link_state.h \ + lib/log.h \ + lib/log_vty.h \ +- lib/md5.h \ + lib/memory.h \ + lib/module.h \ + lib/monotime.h \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/routemap.h \ + lib/sbuf.h \ + lib/seqlock.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/isis_constants.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/SOURCES/0003-disable-eigrp-crypto.patch b/SOURCES/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..cd43569 --- /dev/null +++ b/SOURCES/0003-disable-eigrp-crypto.patch @@ -0,0 +1,252 @@ +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" +diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c +index a93d4c8..b01e121 100644 +--- a/eigrpd/eigrp_cli.c ++++ b/eigrpd/eigrp_cli.c +@@ -25,6 +25,7 @@ + #include "lib/command.h" + #include "lib/log.h" + #include "lib/northbound_cli.h" ++#include "lib/libfrr.h" + + #include "eigrp_structs.h" + #include "eigrpd.h" +@@ -726,6 +726,20 @@ DEFPY( + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ //EIGRP authentication is currently broken in FRR ++ switch (frr_get_cli_mode()) { ++ case FRR_CLI_CLASSIC: ++ vty_out(vty, "%% Eigrp Authentication is disabled\n\n"); ++ break; ++ case FRR_CLI_TRANSACTIONAL: ++ vty_out(vty, ++ "%% Failed to edit candidate configuration - " ++ "Eigrp Authentication is disabled.\n\n"); ++ break; ++ } ++ ++ return CMD_WARNING_CONFIG_FAILED; ++ + char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64]; + + snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']", diff --git a/SOURCES/0004-fips-mode.patch b/SOURCES/0004-fips-mode.patch new file mode 100644 index 0000000..e8efeb7 --- /dev/null +++ b/SOURCES/0004-fips-mode.patch @@ -0,0 +1,103 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strlcpy((char *)circuit->passwd.passwd, passwd, + sizeof(circuit->passwd.passwd)); +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strlcpy((char *)modified.passwd, passwd, + sizeof(modified.passwd)); +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + if (strmatch(mode, "md5")) diff --git a/SOURCES/0005-use-python3.patch b/SOURCES/0005-use-python3.patch new file mode 100644 index 0000000..8c1bf62 --- /dev/null +++ b/SOURCES/0005-use-python3.patch @@ -0,0 +1,10 @@ +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index c28a971..72ac201 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + # Frr Reloader + # Copyright (C) 2014 Cumulus Networks, Inc. + # diff --git a/SOURCES/0006-prefix-list-duplication.patch b/SOURCES/0006-prefix-list-duplication.patch new file mode 100644 index 0000000..c35aebc --- /dev/null +++ b/SOURCES/0006-prefix-list-duplication.patch @@ -0,0 +1,343 @@ +From 667dcc277c15c0bddc785f9b949d658f8d815818 Mon Sep 17 00:00:00 2001 +From: Igor Ryzhov +Date: Tue, 10 Aug 2021 21:46:37 +0300 +Subject: [PATCH] lib: fix prefix-list duplication check + +Currently, when we check the new prefix-list entry for duplication, we +only take filled in fields into account and ignore optional fields. +For example, if we already have `ip prefix-list A 0.0.0.0/0 le 32` and +we try to add `ip prefix-list A 0.0.0.0/0`, it is treated as duplicate. +We should always compare all prefix-list fields when doing the check. + +Fixes #9355. + +Signed-off-by: Igor Ryzhov +--- + lib/filter.h | 9 ++--- + lib/filter_cli.c | 102 ++++++++++------------------------------------- + lib/filter_nb.c | 85 ++++++++++++++++++++++----------------- + 3 files changed, 74 insertions(+), 122 deletions(-) + +diff --git a/lib/filter.h b/lib/filter.h +index 941fabd38b8..d1956ec019f 100644 +--- a/lib/filter.h ++++ b/lib/filter.h +@@ -207,11 +207,10 @@ struct plist_dup_args { + /** Entry action. */ + const char *pda_action; + +-#define PDA_MAX_VALUES 4 +- /** Entry XPath for value. */ +- const char *pda_xpath[PDA_MAX_VALUES]; +- /** Entry value to match. */ +- const char *pda_value[PDA_MAX_VALUES]; ++ bool any; ++ struct prefix prefix; ++ int ge; ++ int le; + + /** Duplicated entry found in list? */ + bool pda_found; +diff --git a/lib/filter_cli.c b/lib/filter_cli.c +index f030ce1b335..45c7544a3b4 100644 +--- a/lib/filter_cli.c ++++ b/lib/filter_cli.c +@@ -1196,11 +1196,9 @@ static int plist_remove_if_empty(struct vty *vty, const char *iptype, + + static int plist_remove(struct vty *vty, const char *iptype, const char *name, + const char *seq, const char *action, +- const char *prefix_str, const char *ge_str, +- const char *le_str) ++ union prefixconstptr prefix, int ge, int le) + { + int64_t sseq; +- int arg_idx = 0; + struct plist_dup_args pda = {}; + char xpath[XPATH_MAXLEN]; + char xpath_entry[XPATH_MAXLEN + 32]; +@@ -1225,43 +1223,13 @@ static int plist_remove(struct vty *vty, const char *iptype, const char *name, + pda.pda_type = iptype; + pda.pda_name = name; + pda.pda_action = action; +- if (prefix_str) { +- if (strmatch(iptype, "ipv4")) { +- pda.pda_xpath[arg_idx] = "./ipv4-prefix"; +- pda.pda_value[arg_idx] = prefix_str; +- arg_idx++; +- if (ge_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv4-prefix-length-greater-or-equal"; +- pda.pda_value[arg_idx] = ge_str; +- arg_idx++; +- } +- if (le_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv4-prefix-length-lesser-or-equal"; +- pda.pda_value[arg_idx] = le_str; +- arg_idx++; +- } +- } else { +- pda.pda_xpath[arg_idx] = "./ipv6-prefix"; +- pda.pda_value[arg_idx] = prefix_str; +- arg_idx++; +- if (ge_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv6-prefix-length-greater-or-equal"; +- pda.pda_value[arg_idx] = ge_str; +- arg_idx++; +- } +- if (le_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv6-prefix-length-lesser-or-equal"; +- pda.pda_value[arg_idx] = le_str; +- arg_idx++; +- } +- } ++ if (prefix.p) { ++ prefix_copy(&pda.prefix, prefix); ++ apply_mask(&pda.prefix); ++ pda.ge = ge; ++ pda.le = le; + } else { +- pda.pda_xpath[0] = "./any"; +- pda.pda_value[0] = ""; ++ pda.any = true; + } + + if (plist_is_dup(vty->candidate_config->dnode, &pda)) +@@ -1298,7 +1266,6 @@ DEFPY_YANG( + "Maximum prefix length\n") + { + int64_t sseq; +- int arg_idx = 0; + struct plist_dup_args pda = {}; + char xpath[XPATH_MAXLEN]; + char xpath_entry[XPATH_MAXLEN + 128]; +@@ -1312,24 +1279,11 @@ DEFPY_YANG( + pda.pda_name = name; + pda.pda_action = action; + if (prefix_str) { +- pda.pda_xpath[arg_idx] = "./ipv4-prefix"; +- pda.pda_value[arg_idx] = prefix_str; +- arg_idx++; +- if (ge_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv4-prefix-length-greater-or-equal"; +- pda.pda_value[arg_idx] = ge_str; +- arg_idx++; +- } +- if (le_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv4-prefix-length-lesser-or-equal"; +- pda.pda_value[arg_idx] = le_str; +- arg_idx++; +- } ++ prefix_copy(&pda.prefix, prefix); ++ pda.ge = ge; ++ pda.le = le; + } else { +- pda.pda_xpath[0] = "./any"; +- pda.pda_value[0] = ""; ++ pda.any = true; + } + + /* Duplicated entry without sequence, just quit. */ +@@ -1408,8 +1362,8 @@ DEFPY_YANG( + "Maximum prefix length to be matched\n" + "Maximum prefix length\n") + { +- return plist_remove(vty, "ipv4", name, seq_str, action, prefix_str, +- ge_str, le_str); ++ return plist_remove(vty, "ipv4", name, seq_str, action, ++ prefix_str ? prefix : NULL, ge, le); + } + + DEFPY_YANG( +@@ -1421,7 +1375,7 @@ DEFPY_YANG( + PREFIX_LIST_NAME_STR + ACCESS_LIST_SEQ_STR) + { +- return plist_remove(vty, "ipv4", name, seq_str, NULL, NULL, NULL, NULL); ++ return plist_remove(vty, "ipv4", name, seq_str, NULL, NULL, 0, 0); + } + + DEFPY_YANG( +@@ -1516,7 +1470,6 @@ DEFPY_YANG( + "Minimum prefix length\n") + { + int64_t sseq; +- int arg_idx = 0; + struct plist_dup_args pda = {}; + char xpath[XPATH_MAXLEN]; + char xpath_entry[XPATH_MAXLEN + 128]; +@@ -1530,24 +1483,11 @@ DEFPY_YANG( + pda.pda_name = name; + pda.pda_action = action; + if (prefix_str) { +- pda.pda_xpath[arg_idx] = "./ipv6-prefix"; +- pda.pda_value[arg_idx] = prefix_str; +- arg_idx++; +- if (ge_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv6-prefix-length-greater-or-equal"; +- pda.pda_value[arg_idx] = ge_str; +- arg_idx++; +- } +- if (le_str) { +- pda.pda_xpath[arg_idx] = +- "./ipv6-prefix-length-lesser-or-equal"; +- pda.pda_value[arg_idx] = le_str; +- arg_idx++; +- } ++ prefix_copy(&pda.prefix, prefix); ++ pda.ge = ge; ++ pda.le = le; + } else { +- pda.pda_xpath[0] = "./any"; +- pda.pda_value[0] = ""; ++ pda.any = true; + } + + /* Duplicated entry without sequence, just quit. */ +@@ -1626,8 +1566,8 @@ DEFPY_YANG( + "Minimum prefix length to be matched\n" + "Minimum prefix length\n") + { +- return plist_remove(vty, "ipv6", name, seq_str, action, prefix_str, +- ge_str, le_str); ++ return plist_remove(vty, "ipv6", name, seq_str, action, ++ prefix_str ? prefix : NULL, ge, le); + } + + DEFPY_YANG( +@@ -1639,7 +1579,7 @@ DEFPY_YANG( + PREFIX_LIST_NAME_STR + ACCESS_LIST_SEQ_STR) + { +- return plist_remove(vty, "ipv6", name, seq_str, NULL, NULL, NULL, NULL); ++ return plist_remove(vty, "ipv6", name, seq_str, NULL, NULL, 0, 0); + } + + DEFPY_YANG( +diff --git a/lib/filter_nb.c b/lib/filter_nb.c +index 85805ffa47c..80ea7a57cb2 100644 +--- a/lib/filter_nb.c ++++ b/lib/filter_nb.c +@@ -387,10 +387,50 @@ static bool acl_zebra_is_dup(const struct lyd_node *dnode, + return acl_is_dup(entry_dnode, &ada); + } + ++static void plist_dnode_to_prefix(const struct lyd_node *dnode, bool *any, ++ struct prefix *p, int *ge, int *le) ++{ ++ *any = false; ++ *ge = 0; ++ *le = 0; ++ ++ if (yang_dnode_exists(dnode, "./any")) { ++ *any = true; ++ return; ++ } ++ ++ switch (yang_dnode_get_enum(dnode, "../type")) { ++ case YPLT_IPV4: ++ yang_dnode_get_prefix(p, dnode, "./ipv4-prefix"); ++ if (yang_dnode_exists(dnode, ++ "./ipv4-prefix-length-greater-or-equal")) ++ *ge = yang_dnode_get_uint8( ++ dnode, "./ipv4-prefix-length-greater-or-equal"); ++ if (yang_dnode_exists(dnode, ++ "./ipv4-prefix-length-lesser-or-equal")) ++ *le = yang_dnode_get_uint8( ++ dnode, "./ipv4-prefix-length-lesser-or-equal"); ++ break; ++ case YPLT_IPV6: ++ yang_dnode_get_prefix(p, dnode, "./ipv6-prefix"); ++ if (yang_dnode_exists(dnode, ++ "./ipv6-prefix-length-greater-or-equal")) ++ *ge = yang_dnode_get_uint8( ++ dnode, "./ipv6-prefix-length-greater-or-equal"); ++ if (yang_dnode_exists(dnode, ++ "./ipv6-prefix-length-lesser-or-equal")) ++ *le = yang_dnode_get_uint8( ++ dnode, "./ipv6-prefix-length-lesser-or-equal"); ++ break; ++ } ++} ++ + static int _plist_is_dup(const struct lyd_node *dnode, void *arg) + { + struct plist_dup_args *pda = arg; +- int idx; ++ struct prefix p; ++ int ge, le; ++ bool any; + + /* This entry is the caller, so skip it. */ + if (pda->pda_entry_dnode +@@ -400,19 +440,14 @@ static int _plist_is_dup(const struct lyd_node *dnode, void *arg) + if (strcmp(yang_dnode_get_string(dnode, "action"), pda->pda_action)) + return YANG_ITER_CONTINUE; + +- /* Check if all values match. */ +- for (idx = 0; idx < PDA_MAX_VALUES; idx++) { +- /* No more values. */ +- if (pda->pda_xpath[idx] == NULL) +- break; ++ plist_dnode_to_prefix(dnode, &any, &p, &ge, &le); + +- /* Not same type, just skip it. */ +- if (!yang_dnode_exists(dnode, pda->pda_xpath[idx])) ++ if (pda->any) { ++ if (!any) + return YANG_ITER_CONTINUE; +- +- /* Check if different value. */ +- if (strcmp(yang_dnode_get_string(dnode, pda->pda_xpath[idx]), +- pda->pda_value[idx])) ++ } else { ++ if (!prefix_same(&pda->prefix, &p) || pda->ge != ge ++ || pda->le != le) + return YANG_ITER_CONTINUE; + } + +@@ -439,17 +474,6 @@ static bool plist_is_dup_nb(const struct lyd_node *dnode) + const struct lyd_node *entry_dnode = + yang_dnode_get_parent(dnode, "entry"); + struct plist_dup_args pda = {}; +- int idx = 0, arg_idx = 0; +- static const char *entries[] = { +- "./ipv4-prefix", +- "./ipv4-prefix-length-greater-or-equal", +- "./ipv4-prefix-length-lesser-or-equal", +- "./ipv6-prefix", +- "./ipv6-prefix-length-greater-or-equal", +- "./ipv6-prefix-length-lesser-or-equal", +- "./any", +- NULL +- }; + + /* Initialize. */ + pda.pda_type = yang_dnode_get_string(entry_dnode, "../type"); +@@ -457,19 +481,8 @@ static bool plist_is_dup_nb(const struct lyd_node *dnode) + pda.pda_action = yang_dnode_get_string(entry_dnode, "action"); + pda.pda_entry_dnode = entry_dnode; + +- /* Load all values/XPaths. */ +- while (entries[idx] != NULL) { +- if (!yang_dnode_exists(entry_dnode, entries[idx])) { +- idx++; +- continue; +- } +- +- pda.pda_xpath[arg_idx] = entries[idx]; +- pda.pda_value[arg_idx] = +- yang_dnode_get_string(entry_dnode, entries[idx]); +- arg_idx++; +- idx++; +- } ++ plist_dnode_to_prefix(entry_dnode, &pda.any, &pda.prefix, &pda.ge, ++ &pda.le); + + return plist_is_dup(entry_dnode, &pda); + } diff --git a/SOURCES/frr-tmpfiles.conf b/SOURCES/frr-tmpfiles.conf new file mode 100644 index 0000000..c1613b2 --- /dev/null +++ b/SOURCES/frr-tmpfiles.conf @@ -0,0 +1 @@ +d /run/frr 0755 frr frr - diff --git a/SPECS/frr.spec b/SPECS/frr.spec new file mode 100644 index 0000000..81c4c25 --- /dev/null +++ b/SPECS/frr.spec @@ -0,0 +1,314 @@ +%global frr_libdir %{_libexecdir}/frr + +%global _hardened_build 1 +%define _legacy_common_support 1 + +Name: frr +Version: 8.0 +Release: 3%{?checkout}%{?dist} +Summary: Routing daemon +License: GPLv2+ +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source1: %{name}-tmpfiles.conf +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison >= 2.7 +BuildRequires: c-ares-devel +BuildRequires: flex +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: git-core +BuildRequires: groff +BuildRequires: json-c-devel +BuildRequires: libcap-devel +BuildRequires: libtool +BuildRequires: libyang-devel >= 2.0.0 +BuildRequires: make +BuildRequires: ncurses +BuildRequires: ncurses-devel +BuildRequires: net-snmp-devel +BuildRequires: pam-devel +BuildRequires: patch +BuildRequires: perl-XML-LibXML +BuildRequires: perl-generators +BuildRequires: python3-devel +BuildRequires: python3-pytest +BuildRequires: python3-sphinx +BuildRequires: readline-devel +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros +BuildRequires: texinfo + +Requires: net-snmp +Requires: ncurses +Requires(post): systemd +Requires(post): /sbin/install-info +Requires(post): hostname +Requires(preun): systemd +Requires(preun): /sbin/install-info +Requires(postun): systemd +Conflicts: quagga +Provides: routingdaemon = %{version}-%{release} + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch +Patch0005: 0005-use-python3.patch +#Adding a patch from frr after rebase +#We would have hit this surely later, better apply the patch now +Patch0006: 0006-prefix-list-duplication.patch + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%prep +%autosetup -S git + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=%{_localstatedir}/run/frr \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --disable-ospfclient \ + --disable-ospfapi \ + --enable-snmp=agentx \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ + --enable-fpm + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +pushd doc +make info +popd + +%install +mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr +mkdir -p %{buildroot}%{_tmpfilesdir} + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}/usr/share/info/dir + +install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -p -m 644 tools/etc/frr/daemons %{buildroot}/etc/frr/daemons +install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr +install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh +install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh + +install -p -m 644 redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr +install -p -m 644 redhat/frr.pam %{buildroot}/etc/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +# Delete libtool archives +find %{buildroot} -type f -name "*.la" -delete -print + +#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed +rm %{buildroot}%{_libdir}/frr/*.so +rm -r %{buildroot}%{_includedir}/frr/ + +%pre +getent group frrvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || : +getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || : +getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \ + -c "FRRouting routing suite" -d %{_localstatedir}/run/frr frr || : +usermod -aG frrvty frr + +%post +%systemd_post frr.service + +if [ -f %{_infodir}/%{name}.inf* ]; then + install-info %{_infodir}/frr.info %{_infodir}/dir || : +fi + +# Create dummy files if they don't exist so basic functions can be used. +# Only create frr.conf when first installing, otherwise it can change +# the behavior of the package +if [ $1 -eq 1 ]; then + if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf + chown frr:frr %{_sysconfdir}/frr/frr.conf + chmod 640 %{_sysconfdir}/frr/frr.conf + fi +fi + +#still used by vtysh, this way no error is produced when using vtysh +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + touch %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf +fi + + +%postun +%systemd_postun_with_restart frr.service + +%preun +%systemd_preun frr.service + +#only when removing frr +if [ $1 -eq 0 ]; then + if [ -f %{_infodir}/%{name}.inf* ]; then + install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : + fi +fi + +%check +make check PYTHON=%{__python3} + +%files +%defattr(-,root,root) +%license COPYING +%doc doc/mpls +%dir %attr(750,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) /var/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man*/* +%dir %{frr_libdir}/ +%{frr_libdir}/* +%{_bindir}/* +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%dir %{_libdir}/frr/modules +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr +%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons +%config(noreplace) /etc/pam.d/frr +%{_unitdir}/*.service +%dir /usr/share/yang +/usr/share/yang/*.yang +%{_tmpfilesdir}/%{name}.conf + +%changelog +* Mon Aug 16 2021 Michal Ruprich - 8.0-3 +- Related: #1990858 - Fixing prefix-list duplication check + +* Thu Aug 12 2021 Michal Ruprich - 8.0-2 +- Related: #1990858 - Frr needs higher version of libyang + +* Tue Aug 10 2021 Michal Ruprich - 8.0-1 +- Resolves: #1990858 - Possible rebase of frr to version 8.0 + +* Mon Aug 09 2021 Mohan Boddu - 7.5.1-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 21 2021 Michal Ruprich - 7.5.1-6 +- Resolves: #1983967 - ospfd crashes in route_node_delete with assertion fail + +* Wed Jun 16 2021 Mohan Boddu - 7.5.1-5 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Jun 04 2021 Michal Ruprich - 7.5.1-4 +- Resolves: #1958155 - Upgrading frr unconditionally creates /etc/frr/frr.conf, breaking existing configuration + +* Fri Apr 23 2021 Michal Ruprich - 7.5.1-3 +- Resolves: #1939456 - /etc/frr permissions are bogus +- Resolves: #1951303 - FTBFS in CentOS Stream + +* Thu Apr 15 2021 Mohan Boddu - 7.5.1-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Mar 16 2021 Michal Ruprich - 7.5.1-1 +- New version 7.5.1 +- Enabling grpc, adding hostname for post scriptlet +- Moving files to libexec due to selinux issues + +* Tue Feb 16 2021 Michal Ruprich - 7.5-3 +- Fixing FTBS - icc options are confusing the new gcc + +* Tue Jan 26 2021 Fedora Release Engineering - 7.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 01 2021 Michal Ruprich - 7.5-1 +- New version 7.5 + +* Mon Sep 21 2020 Michal Ruprich - 7.4-1 +- New version 7.4 + +* Thu Aug 27 2020 Josef Řídký - 7.3.1-4 +- Rebuilt for new net-snmp release + +* Mon Jul 27 2020 Fedora Release Engineering - 7.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jun 18 2020 Michal Ruprich - 7.3.1-1 +- New version 7.3.1 +- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773) + +* Tue May 19 2020 Michal Ruprich - 7.3-6 +- Removing texi2html, it is not available in Rawhide anymore + +* Mon May 18 2020 Michal Ruprich - 7.3-5 +- Rebuild for new version of libyang + +* Tue Apr 21 2020 Björn Esser - 7.3-4 +- Rebuild (json-c) + +* Mon Apr 13 2020 Björn Esser - 7.3-3 +- Update json-c-0.14 patch with a solution from upstream + +* Mon Apr 13 2020 Björn Esser - 7.3-2 +- Add support for upcoming json-c 0.14.0 + +* Wed Feb 19 2020 Michal Ruprich - 7.3-1 +- New version 7.3 + +* Tue Jan 28 2020 Fedora Release Engineering - 7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Dec 16 2019 Michal Ruprich - 7.2-1 +- New version 7.2 + +* Tue Nov 12 2019 Michal Ruprich - 7.1-5 +- Rebuilding for new version of libyang + +* Mon Oct 07 2019 Michal Ruprich - 7.1-4 +- Adding noreplace to the /etc/frr/daemons file + +* Fri Sep 13 2019 Michal Ruprich - 7.1-3 +- New way of finding python version during build +- Replacing crypto of all routing daemons with openssl +- Disabling EIGRP crypto because it is broken +- Disabling crypto in FIPS mode + +* Thu Jul 25 2019 Fedora Release Engineering - 7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 25 2019 Michal Ruprich - 7.1-1 +- New version 7.1 + +* Wed Jun 19 2019 Michal Ruprich - 7.0-2 +- Initial build +