- Update from version 8.5.2 to 9.1
- Update of rootfile
- Build dependencies of frr now include protobuf-c. protobuf-c requires protobuf.
protobuf requires abseil-cpp.
- Build dependency of libyang will have a minimum version requirement of 2.1.128 coming
out of an issue. Minimum version for frr-9.1 is 2.1.80 but excluding 2.1.111 due to
API issues. Based on the near future requirement being 2.1.128 will move to current
latest version of 2.1.148
- This patch set includes the above build dependencies
- Changelog
9.1
FRR 9.1 brings a long list of enhancements and fixes with 941 commits from 73
developers.
OSPFv2 HMAC-SHA Cryptographic Authentication
Specify that HMAC cryptographic authentication must be used on a
specific interface using a key chain.
BGP MAC-VRF Site-Of-Origin support
In some EVPN deployments, it is useful to associate a logical VTEP’s
Layer 2 domain (MAC-VRF) with a Site-of-Origin “site” identifier. This
provides a BGP topology-independent means of marking and
import-filtering EVPN routes originating from a particular L2 domain.
One situation where this is valuable is when deploying EVPN using
anycast VTEPs, i.e. Active/Active MLAG, as it can be used to avoid
ownership conflicts between the two control planes (EVPN vs MLAG).
BGP Dynamic capability support
Added support for Graceful-Restart, Long-lived Graceful-Restart,
Software-version, and Role BGP capabilities to be adjusted dynamically
using BGP dynamic capability.
Dynamic BGP capability allows the dynamic update of capabilities over an
established BGP session. This capability would facilitate
non-disruptive capability changes by BGP speakers.
IS-IS SRv6 uSID support (RFC 9352)
The Segment Routing (SR) architecture allows a flexible definition of
the end-to-end path by encoding it as a sequence of topological
elements called "segments". It can be implemented over the MPLS or the
IPv6 data plane. This feature enables extensions in IS-IS to support
Segment Routing over the IPv6 data plane (SRv6) as per RFC 9352.
Next-hop resolution via the default route
Changed the default for a traditional profile to be enabled. The
datacenter profile is left as disabled.
Add support for VLAN, ECN, DSCP mangling/filtering
PBR maps are a way to specify a set of rules that are applied to packets
received on individual interfaces. If a received packet matches a rule,
the rule’s next-hop-group or next-hop is used to forward it; any other
actions specified in the rule are also applied to the packet.
With this change, we added more commands for PBR maps, like matching
src-ip, dst-ip, src-port, dst-port, vlan, dscp, ecn, and more.
libyang 2.1.80 related breaking changes
prefix-list matching in route-maps is fundamentally broken with
libyang 2.1.111. If you have this version, please downgrade to the most
stable version 2.1.80.
More details CESNET/libyang#2090
Other significant changes
Zebra support for route replace semantics in FPM link
New command for BGP neighbor x addpath-tx-best-selected link
New command for BGP mpls bgp l3vpn-multi-domain-switching link
A couple more new BGP route-map commands:
set as-path exclude all link
set as-path exclude as-path-access-list link
set extended-comm-list delete link
set as-path replace <any|ASN> [<ASN>] link
set as-path replace as-path-access-list WORD [<ASN>] link
match community-list X any UPDATE
Deprecations
Deprecate pre-standard outbound route filtering capability
Deprecate pre-standard route refresh capability
Drop deprecated capability
A complete log of changes can be found by browsing the commit history of the
FRR 9.1 tag
9.0.2
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Fix aggregate-address summary-only suppressed export to EVPN
Allow using attribute number 255 for path attr discard/withdraw cmds
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix Extended community memory leak
Fix the no set as-path prepend command
Fix heap-use-after-free for bgp_best_selection()
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Fix clear bgp ipv6 unicast ... command
Flush attributes only if we don't have to announce a conditional route
(avoid use-after-free)
Free memory for SRv6 functions and locator chunks
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
LTTng add EVPN route trace events
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat the AS4-PATH attribute as withdrawn if malformed
Treat PMSI tunnel attribute as withdrawn if malformed
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
mgmtd
Change mgmtd_vty_port to 2623
Fix crash on show mgmtd datastore-contents
ospf6d
Fix setting of the forwarding address in as-external LSAs
Set loopback interface cost to 0
ospfd
Fixing infinite loop when listing OSPF interfaces
pathd
Add no msd command
Add no pcep command
pbrd
Fix show pbr map detail json command
Free memory in pbr_map_delete()
pim6d
Fix valgrind issues
pimd
Fix missing pimreg interface
tools
Fix the frr-reload interface description command
Fix the frr-reload route-map description command
Make --quiet actually suppress output
vtysh
Fix entering configuration node in file-lock mode
Fix configure terminal argument descriptions
Fix working in file-lock mode
Fix show route map json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
9.0.1
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Check the length of the rcv software version
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Make sure we have enough data to read two bytes when validating aigp
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
lib
Allow unsetting walltime-warning and cpu-warning
ospfd
Prevent use after free( and crash of ospf ) when no router ospf
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
vtysh
Print uniq lines when parsing no service ...
8.5.4
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
vtysh
Fix show route map JSON output
ospfd
Fix infinite loop when listing OSPF interfaces
pbrd
Fix show pbr map detail json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
8.5.3
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Do not try to redistribute routes if we are shutting down
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Fix session reset issue caused by malformed core attributes
Free bgp vpn policy
Free previously dup'ed aspath attribute for aggregate routes
Free temporary memory after using argv_concat()
Intern attributes before putting into rib-out
Make sure we have enough data to read two bytes when validating aigp
Prevent use after free
Rfapi memleak fixes, clean ce tables at exit
Unlock dest if we return earlier for aggregate install
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
Abstract dplane_ctx_route_init to init route without copying
Fix crash when dplane_fpm_nl fails to process received routes
Further handle route replace semantics
Fix command ipv6 nht xxx
lib
Allow unsetting walltime-warning and cpu-warning
Skip route-map optimization if !af_inet(6)
Use max_bitlen instead of magic number
ospf6d
Fix crash because neighbor structure was freed
Stop crash in ospf6_write
ospfd
Check for nulls in vty code
Prevent use after free( and crash of ospf ) when no router ospf
pbrd
Fix crash with match command
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
ripd, ripngd
Revert "Cleanup memory allocations on shutdown"
tools
Add what frr thinks as the fib routes for support_bundle
vtysh
Print uniq lines when parsing no service ...
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.1 to 8.5.2
- Update of rootfile
- tar.xz versions are no longer provided by the developers. They onl provide the tar.gz
that is automatically created by github. This started shortly after 8.0.1 was released
- Changelog is too large to include here. For full details see the changelog details at
https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- This v2 version used the frr-8.0.1 source instead of the frr-frr-8.0 source
- Update from 6.0 to 8.0.1
- 8.0.1 requires libyang for the build. Introduced with separate patch in this series.
- 6.0 is only compilable with python2.
python3 compatability was introduced in version 7.4
- Previously confirmed that building frr-8.0 was successful with only python3 available
- Added --disable-static to the ./configure options.
- Rootfile updated
- Changelog from 6.0 to 8.0.1 is too large to include here. It can be viewed to obtain
more details at https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
