From patchwork Wed Jan 24 21:09:40 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7488
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/5] frr: Update to version 9.1
Date: Wed, 24 Jan 2024 22:09:40 +0100
Message-ID: <20240124210944.1258100-1-adolf.belka@ipfire.org>

- Update from version 8.5.2 to 9.1
- Update of rootfile
- Build dependencies of frr now include protobuf-c. protobuf-c requires
  protobuf. protobuf requires abseil-cpp.
- Build dependency of libyang will have a minimum version requirement of
  2.1.128 coming out of an issue. Minimum version for frr-9.1 is 2.1.80 but
  excluding 2.1.111 due to API issues. Based on the near future requirement
  being 2.1.128 will move to current latest version of 2.1.148
- This patch set includes the above build dependencies
- Changelog
    9.1
      FRR 9.1 brings a long list of enhancements and fixes with 941 commits
      from 73 developers.
      OSPFv2 HMAC-SHA Cryptographic Authentication
        Specify that HMAC cryptographic authentication must be used on a
        specific interface using a key chain.
      BGP MAC-VRF Site-Of-Origin support
        In some EVPN deployments, it is useful to associate a logical VTEP’s
        Layer 2 domain (MAC-VRF) with a Site-of-Origin “site” identifier.
        This provides a BGP topology-independent means of marking and
        import-filtering EVPN routes originating from a particular L2
        domain. One situation where this is valuable is when deploying EVPN
        using anycast VTEPs, i.e.
        Active/Active MLAG, as it can be used to avoid ownership conflicts
        between the two control planes (EVPN vs MLAG).
      BGP Dynamic capability support
        Added support for Graceful-Restart, Long-lived Graceful-Restart,
        Software-version, and Role BGP capabilities to be adjusted
        dynamically using BGP dynamic capability. Dynamic BGP capability
        allows the dynamic update of capabilities over an established BGP
        session. This capability would facilitate non-disruptive capability
        changes by BGP speakers.
      IS-IS SRv6 uSID support (RFC 9352)
        The Segment Routing (SR) architecture allows a flexible definition
        of the end-to-end path by encoding it as a sequence of topological
        elements called "segments". It can be implemented over the MPLS or
        the IPv6 data plane. This feature enables extensions in IS-IS to
        support Segment Routing over the IPv6 data plane (SRv6) as per
        RFC 9352.
      Next-hop resolution via the default route
        Changed the default for a traditional profile to be enabled. The
        datacenter profile is left as disabled.
      Add support for VLAN, ECN, DSCP mangling/filtering
        PBR maps are a way to specify a set of rules that are applied to
        packets received on individual interfaces. If a received packet
        matches a rule, the rule’s next-hop-group or next-hop is used to
        forward it; any other actions specified in the rule are also applied
        to the packet. With this change, we added more commands for PBR
        maps, like matching src-ip, dst-ip, src-port, dst-port, vlan, dscp,
        ecn, and more.
      libyang 2.1.80 related breaking changes
        prefix-list matching in route-maps is fundamentally broken with
        libyang 2.1.111. If you have this version, please downgrade to the
        most stable version 2.1.80.
        More details CESNET/libyang#2090
      Other significant changes
        Zebra support for route replace semantics in FPM link
        New command for BGP neighbor x addpath-tx-best-selected link
        New command for BGP mpls bgp l3vpn-multi-domain-switching link
        A couple more new BGP route-map commands:
          set as-path exclude all link
          set as-path exclude as-path-access-list link
          set extended-comm-list delete link
          set as-path replace [] link
          set as-path replace as-path-access-list WORD [] link
          match community-list X any UPDATE
      Deprecations
        Deprecate pre-standard outbound route filtering capability
        Deprecate pre-standard route refresh capability
        Drop deprecated capability
      A complete log of changes can be found by browsing the commit history
      of the FRR 9.1 tag
    9.0.2
      Fixed CVE-2023-47235
        More details: https://frrouting.org/security/cve-2023-47235
      Bug Fixes
        bgpd
          Fix aggregate-address summary-only suppressed export to EVPN
          Allow using attribute number 255 for path attr discard/withdraw
            cmds
          Check mandatory attributes more carefully for the UPDATE message
          Do not suppress conditional advertisement updates if triggered
          Fix Extended community memory leak
          Fix the no set as-path prepend command
          Fix heap-use-after-free for bgp_best_selection()
          Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
          Fix clear bgp ipv6 unicast ...
            command
          Flush attributes only if we don't have to announce a conditional
            route (avoid use-after-free)
          Free memory for SRv6 functions and locator chunks
          Handle MP_UNREACH_NLRI malformed packets with session reset
          Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
          Initialise timebuf arrays to zeros for dampening reuse timer
          Initialise buffer in bgp_notify_admin_message() before using it
          LTTng add EVPN route trace events
          Make sure dampening is enabled for the specified AFI/SAFI
          Use proper AFI when dumping information for dampening stuff
          Treat the AS4-PATH attribute as withdrawn if malformed
          Treat PMSI tunnel attribute as withdrawn if malformed
          Treat EOR as withdrawn to avoid unwanted handling of malformed
            attrs
        eigrpd
          Use the correct memory pool on interface deletion
        mgmtd
          Change mgmtd_vty_port to 2623
          Fix crash on show mgmtd datastore-contents
        ospf6d
          Fix setting of the forwarding address in as-external LSAs
          Set loopback interface cost to 0
        ospfd
          Fixing infinite loop when listing OSPF interfaces
        pathd
          Add no msd command
          Add no pcep command
        pbrd
          Fix show pbr map detail json command
          Free memory in pbr_map_delete()
        pim6d
          Fix valgrind issues
        pimd
          Fix missing pimreg interface
        tools
          Fix the frr-reload interface description command
          Fix the frr-reload route-map description command
          Make --quiet actually suppress output
        vtysh
          Fix entering configuration node in file-lock mode
          Fix configure terminal argument descriptions
          Fix working in file-lock mode
          Fix show route map json output
        zebra
          Add encap type when building packet for FPM
          Display ptmStatus order in interface JSON
          Fix connected route deletion when multiple entry exists
          Fix FPM multipath encap addition
          Fix link update for veth interfaces
          Fix zebra crash when replacing nhe during shutdown
          Prevent null pointer dereference
    9.0.1
      Bug Fixes
        bgpd
          Add peers back to peer hash when peer_xfer_conn fails
          Check the length of the rcv software version
          Do not explicitly print maxttl value for ebgp-multihop vty output
          Do
            not process nlris if the attribute length is zero
          Don't read the first byte of orf header if we are ahead of stream
          Evpn code was not properly unlocking rd_dest
          Fix show bgp all rpki notfound
          Make sure we have enough data to read two bytes when validating
            aigp
          Use treat-as-withdraw for tunnel encapsulation attribute
        zebra
          Fix evpn nexthop config order
        lib
          Allow unsetting walltime-warning and cpu-warning
        ospfd
          Prevent use after free( and crash of ospf ) when no router ospf
        pimd
          Prevent crash when receiving register message when the rp() is
            unknown
          When receiving a packet be more careful with length in
            pim_pim_packet
        vtysh
          Print uniq lines when parsing no service ...
    8.5.4
      Fixed CVE-2023-47235
        More details: https://frrouting.org/security/cve-2023-47235
      Bug Fixes
        bgpd
          Check mandatory attributes more carefully for the UPDATE message
          Do not suppress conditional advertisement updates if triggered
          Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
          Handle MP_UNREACH_NLRI malformed packets with session reset
          Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
          Initialise timebuf arrays to zeros for dampening reuse timer
          Initialise buffer in bgp_notify_admin_message() before using it
          Make sure dampening is enabled for the specified AFI/SAFI
          Use proper AFI when dumping information for dampening stuff
          Treat EOR as withdrawn to avoid unwanted handling of malformed
            attrs
        eigrpd
          Use the correct memory pool on interface deletion
        vtysh
          Fix show route map JSON output
        ospfd
          Fix infinite loop when listing OSPF interfaces
        pbrd
          Fix show pbr map detail json output
        zebra
          Add encap type when building packet for FPM
          Display ptmStatus order in interface JSON
          Fix connected route deletion when multiple entry exists
          Fix FPM multipath encap addition
          Fix link update for veth interfaces
          Fix zebra crash when replacing nhe during shutdown
          Prevent null pointer dereference
    8.5.3
      Bug Fixes
        bgpd
          Add peers back to peer hash when peer_xfer_conn fails
          Do not explicitly print maxttl value for
            ebgp-multihop vty output
          Do not process nlris if the attribute length is zero
          Do not try to redistribute routes if we are shutting down
          Don't read the first byte of orf header if we are ahead of stream
          Evpn code was not properly unlocking rd_dest
          Fix show bgp all rpki notfound
          Fix session reset issue caused by malformed core attributes
          Free bgp vpn policy
          Free previously dup'ed aspath attribute for aggregate routes
          Free temporary memory after using argv_concat()
          Intern attributes before putting into rib-out
          Make sure we have enough data to read two bytes when validating
            aigp
          Prevent use after free
          Rfapi memleak fixes, clean ce tables at exit
          Unlock dest if we return earlier for aggregate install
          Use treat-as-withdraw for tunnel encapsulation attribute
        zebra
          Fix evpn nexthop config order
          Abstract dplane_ctx_route_init to init route without copying
          Fix crash when dplane_fpm_nl fails to process received routes
          Further handle route replace semantics
          Fix command ipv6 nht xxx
        lib
          Allow unsetting walltime-warning and cpu-warning
          Skip route-map optimization if !af_inet(6)
          Use max_bitlen instead of magic number
        ospf6d
          Fix crash because neighbor structure was freed
          Stop crash in ospf6_write
        ospfd
          Check for nulls in vty code
          Prevent use after free( and crash of ospf ) when no router ospf
        pbrd
          Fix crash with match command
        pimd
          Prevent crash when receiving register message when the rp() is
            unknown
          When receiving a packet be more careful with length in
            pim_pim_packet
        ripd, ripngd
          Revert "Cleanup memory allocations on shutdown"
        tools
          Add what frr thinks as the fib routes for support_bundle
        vtysh
          Print uniq lines when parsing no service ...

Signed-off-by: Adolf Belka
--- config/rootfiles/packages/frr | 28 ++++++++++++++++++++++++++-- lfs/frr | 8 ++++---- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/config/rootfiles/packages/frr b/config/rootfiles/packages/frr index 092460ff6..92b31ffe9 100644 --- a/config/rootfiles/packages/frr +++ b/config/rootfiles/packages/frr 
@@ -1,7 +1,10 @@ etc/rc.d/init.d/frr usr/bin/vtysh #usr/include/frr +#usr/include/frr/admin_group.h +#usr/include/frr/affinitymap.h #usr/include/frr/agg_table.h +#usr/include/frr/asn.h #usr/include/frr/assert.h #usr/include/frr/atomlist.h #usr/include/frr/base64.h @@ -17,6 +20,7 @@ usr/bin/vtysh #usr/include/frr/compiler.h #usr/include/frr/cspf.h #usr/include/frr/csv.h +#usr/include/frr/darr.h #usr/include/frr/db.h #usr/include/frr/debug.h #usr/include/frr/defaults.h @@ -27,14 +31,15 @@ usr/bin/vtysh #usr/include/frr/eigrpd/eigrpd.h #usr/include/frr/ferr.h #usr/include/frr/filter.h +#usr/include/frr/flex_algo.h #usr/include/frr/freebsd-queue.h #usr/include/frr/frr_pthread.h #usr/include/frr/frratomic.h #usr/include/frr/frrcu.h +#usr/include/frr/frrevent.h #usr/include/frr/frrlua.h #usr/include/frr/frrscript.h #usr/include/frr/frrstr.h -#usr/include/frr/getopt.h #usr/include/frr/graph.h #usr/include/frr/hash.h #usr/include/frr/hook.h @@ -44,6 +49,7 @@ usr/bin/vtysh #usr/include/frr/if_rmap.h #usr/include/frr/imsg.h #usr/include/frr/ipaddr.h +#usr/include/frr/iso.h #usr/include/frr/jhash.h #usr/include/frr/json.h #usr/include/frr/keychain.h @@ -59,6 +65,13 @@ usr/bin/vtysh #usr/include/frr/log_vty.h #usr/include/frr/md5.h #usr/include/frr/memory.h +#usr/include/frr/mgmt.pb-c.h +#usr/include/frr/mgmt_be_client.h +#usr/include/frr/mgmt_fe_client.h +#usr/include/frr/mgmt_msg.h +#usr/include/frr/mgmt_pb.h +#usr/include/frr/mgmtd +#usr/include/frr/mgmtd/mgmt_defines.h #usr/include/frr/mlag.h #usr/include/frr/module.h #usr/include/frr/monotime.h @@ -101,6 +114,7 @@ usr/bin/vtysh #usr/include/frr/routemap.h #usr/include/frr/routing_nb.h #usr/include/frr/sbuf.h +#usr/include/frr/segment_routing.h #usr/include/frr/seqlock.h #usr/include/frr/sha256.h #usr/include/frr/sigevent.h 
@@ -117,7 +131,6 @@ usr/bin/vtysh #usr/include/frr/table.h #usr/include/frr/tc.h #usr/include/frr/termtable.h -#usr/include/frr/thread.h #usr/include/frr/trace.h #usr/include/frr/typerb.h #usr/include/frr/typesafe.h @@ -154,10 +167,18 @@ usr/bin/vtysh #usr/lib/libfrr.so usr/lib/libfrr.so.0 usr/lib/libfrr.so.0.0.0 +#usr/lib/libfrr_pb.la +#usr/lib/libfrr_pb.so +usr/lib/libfrr_pb.so.0 +usr/lib/libfrr_pb.so.0.0.0 #usr/lib/libfrrcares.la #usr/lib/libfrrcares.so usr/lib/libfrrcares.so.0 usr/lib/libfrrcares.so.0.0.0 +#usr/lib/libmgmt_be_nb.la +#usr/lib/libmgmt_be_nb.so +usr/lib/libmgmt_be_nb.so.0 +usr/lib/libmgmt_be_nb.so.0.0.0 usr/sbin/bgpd usr/sbin/fabricd usr/sbin/frr @@ -167,6 +188,7 @@ usr/sbin/frr_babeltrace.py usr/sbin/frrcommon.sh usr/sbin/frrinit.sh usr/sbin/generate_support_bundle.py +usr/sbin/mgmtd usr/sbin/ospfd usr/sbin/pathd usr/sbin/pim6d @@ -176,6 +198,7 @@ usr/sbin/vrrpd usr/sbin/watchfrr usr/sbin/watchfrr.sh usr/sbin/zebra +#usr/share/yang/frr-affinity-map.yang #usr/share/yang/frr-bgp-bmp.yang #usr/share/yang/frr-bgp-common-multiprotocol.yang #usr/share/yang/frr-bgp-common-structure.yang @@ -189,6 +212,7 @@ usr/sbin/zebra #usr/share/yang/frr-bgp.yang #usr/share/yang/frr-deviations-bgp-datacenter.yang #usr/share/yang/frr-filter.yang +#usr/share/yang/frr-if-rmap.yang #usr/share/yang/frr-interface.yang #usr/share/yang/frr-module-translator.yang #usr/share/yang/frr-nexthop.yang diff --git a/lfs/frr b/lfs/frr index e61df8421..a1555af64 100644 --- a/lfs/frr +++ b/lfs/frr @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -26,7 +26,7 @@ include Config SUMMARY = FRRouting Routing daemon -VER = 8.5.2 +VER = 9.1 THISAPP = frr-frr-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = frr -PAK_VER = 6 +PAK_VER = 7 DEPS = elfutils @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 2e2aca4e42757f66c9ca4725826c6cc1d611930490eed2a175ca5b56910f2c09a9d842b2a9370a64a9fdac6a6314bd4573be609d14dbf956049d9fbf49310404 +$(DL_FILE)_BLAKE2 = ba64f9455c38441f8cadce4eed435fb86344244e98bd1b675335887fb098be29adc035d722d3c128e136a4c6b0aa1adcbdc0e22815702e52170da940a5caf20a install : $(TARGET)
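
Review bot: the commit message does not say whether the new daemon shipped by "+usr/sbin/mgmtd" (config/rootfiles/packages/frr, hunk @@ -167,6 +188,7 @@) is started by default or where its vty listens. The diffstat shows only the rootfile and lfs/frr changing, so etc/rc.d/init.d/frr is untouched, and the quoted 9.0.2 changelog mentions "Change mgmtd_vty_port to 2623". For a firewall add-on, please state in the commit message whether mgmtd runs after the update and confirm that its vty port is not reachable from outside the box, the same way it is handled for the other frr daemons.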
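
Review bot: "DEPS = elfutils" in the lfs/frr hunk @@ -34,7 +34,7 @@ is left unchanged although the commit message says frr now builds against protobuf-c and the rootfile hunk @@ -154,10 +167,18 @@ adds usr/lib/libfrr_pb.so.0. If libfrr_pb.so.0 needs the protobuf-c shared library at run time and protobuf-c is packaged as an add-on rather than in the core image, it has to be listed in DEPS next to elfutils; otherwise the package installs with a library it cannot load. Please say in the commit message which of the two cases applies (the same question holds for libyang).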
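
Review bot: the new "$(DL_FILE)_BLAKE2" value in the lfs/frr hunk @@ -50,7 +50,7 @@ cannot be checked from the patch alone, because "DL_FROM = $(URL_IPFIRE)" points at the project's own mirror and the commit message does not name the upstream location of frr-frr-9.1.tar.gz. Adding the upstream download URL or release tag to the commit message would let a reviewer fetch the tarball independently and recompute the BLAKE2 digest before the file is placed on the mirror.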