/* BGP network related functions
2 * Copyright (C) 1999 Kunihiro Ishiguro
4 * This file is part of GNU Zebra.
6 * GNU Zebra is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
11 * GNU Zebra is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24 #include "sockunion.h"
38 #include "bgpd/bgpd.h"
39 #include "bgpd/bgp_open.h"
40 #include "bgpd/bgp_fsm.h"
41 #include "bgpd/bgp_attr.h"
42 #include "bgpd/bgp_debug.h"
43 #include "bgpd/bgp_network.h"
/* Privilege-switching hooks shared with the rest of bgpd. In this file
 * bgpd_privs.change(ZPRIVS_RAISE / ZPRIVS_LOWER) brackets the socket
 * options and the listener bind() that presumably need elevated rights. */
extern struct zebra_privs_t bgpd_privs;

/* Forward declaration; the definition is further down in this file. */
static int bgp_bind(struct peer *);
49 /* BGP listening socket. */
53 struct thread
*thread
;
/*
 * Set the TCP MD5 signature key on SOCKET for the peer address in SU.
 * The original wording said "IPv4", but the sin6_port branch below shows
 * IPv6 peers are handled here as well. If the password is NULL or
 * zero-length, the option will be disabled.
 *
 * NOTE(review): this excerpt omits several lines of the function (local
 * declarations, the AF_INET port-clearing statement and its 'else', the
 * errno capture and the return). Comments describe only what is visible.
 */
static int bgp_md5_set_socket(int socket, union sockunion *su,
			      /* ... 'password' parameter line omitted in excerpt ... */
#if HAVE_DECL_TCP_MD5SIG
	/* ... local 'su2' declaration omitted in excerpt ... */
#endif /* HAVE_TCP_MD5SIG */

#if HAVE_DECL_TCP_MD5SIG
	/* Ensure there is no extraneous port information: the key is
	 * installed for the peer address, and a port left in the copy would
	 * presumably stop the kernel from matching it. */
	memcpy(&su2, su, sizeof(union sockunion));
	if (su2.sa.sa_family == AF_INET)
		/* ... v4 port clearing and the 'else' omitted in excerpt ... */
	su2.sin6.sin6_port = 0;
	ret = sockopt_tcp_signature(socket, &su2, password);
#endif /* HAVE_TCP_MD5SIG */

	/* A failure is only logged here. Whether the session then proceeds
	 * without its configured TCP-MD5 protection (fail-open) depends on
	 * the caller checking the return value - bgp_connect() in this file
	 * does not. */
	zlog_warn("can't set TCP_MD5SIG option on socket %d: %s",
		  socket, safe_strerror(en));
/* Helper for bgp_connect(): install the TCP MD5 key on an outbound socket
 * with privileges raised around the call. Wraps bgp_md5_set_socket(), so a
 * failure to apply the key is surfaced through the return value only.
 *
 * NOTE(review): the excerpt omits the 'password' parameter line, the local
 * 'ret' declaration, the rest of the failed-raise branch and the final
 * return. */
static int bgp_md5_set_connect(int socket, union sockunion *su,
			       /* ... 'password' parameter line omitted in excerpt ... */
#if HAVE_DECL_TCP_MD5SIG
	/* Raise privileges first; the same raise/lower pattern surrounds the
	 * other privileged setsockopt()/bind() calls in this file. */
	if (bgpd_privs.change(ZPRIVS_RAISE)) {
		zlog_err("%s: could not raise privs", __func__);
		/* ... remainder of this branch omitted in excerpt ... */

	ret = bgp_md5_set_socket(socket, su, password);

	/* Always attempt to drop privileges again, whatever the outcome. */
	if (bgpd_privs.change(ZPRIVS_LOWER))
		zlog_err("%s: could not lower privs", __func__);
#endif /* HAVE_TCP_MD5SIG */
/*
 * Install (password != NULL) or remove (password == NULL) PEER's TCP MD5
 * key on the listen socket(s) whose address family matches the peer's, with
 * privileges raised around the call. Outbound sockets are keyed separately
 * in bgp_connect().
 *
 * NOTE(review): keying the listener for one peer does not make the listener
 * MD5-only. Connections from addresses with no configured key still complete
 * a plain TCP handshake and are only rejected afterwards in bgp_accept() -
 * check this against what the deployment expects.
 *
 * NOTE(review): the excerpt omits the 'ret' declaration, the rest of the
 * failed-raise branch, the 'password' argument line and loop body tail, and
 * the final return.
 */
static int bgp_md5_set_password(struct peer *peer, const char *password)
	struct listnode *node;
	/* ... 'ret' declaration omitted in excerpt ... */
	struct bgp_listener *listener;

	if (bgpd_privs.change(ZPRIVS_RAISE)) {
		zlog_err("%s: could not raise privs", __func__);
		/* ... remainder of this branch omitted in excerpt ... */

	/* Set or unset the password on the listen socket(s). Outbound
	 * connections are taken care of in bgp_connect() below.
	 */
	for (ALL_LIST_ELEMENTS_RO(bm->listen_sockets, node, listener))
		if (listener->su.sa.sa_family == peer->su.sa.sa_family) {
			ret = bgp_md5_set_socket(listener->fd, &peer->su,
						 /* ... 'password' argument and loop tail omitted in excerpt ... */

	/* Drop privileges again regardless of the outcome above. */
	if (bgpd_privs.change(ZPRIVS_LOWER))
		zlog_err("%s: could not lower privs", __func__);
/* Install PEER's configured password as the TCP MD5 key on the matching
 * listen socket(s). Returns whatever bgp_md5_set_password() returns; the
 * outbound socket is keyed separately in bgp_connect(). */
int bgp_md5_set(struct peer *peer)
	/* Set the password from listen socket. */
	return bgp_md5_set_password(peer, peer->password);
/* Remove PEER's TCP MD5 key from the matching listen socket(s) by passing a
 * NULL password, which bgp_md5_set_socket() documents as "disable". */
int bgp_md5_unset(struct peer *peer)
	/* Unset the password from listen socket. */
	return bgp_md5_set_password(peer, NULL);
/*
 * Apply the per-peer TTL settings to BGP_SOCK.
 *  - Plain EBGP peer (no gtsm_hops): set only the outgoing TTL (peer->ttl).
 *  - ttl-security (gtsm_hops set): force the outgoing TTL to MAXTTL and set
 *    the minimum accepted incoming TTL to MAXTTL + 1 - gtsm_hops, so that
 *    packets which have crossed more than gtsm_hops routers are presumably
 *    discarded before reaching BGP (the GTSM / ttl-security check).
 *
 * Returns the last sockopt result (negative on failure). NOTE(review):
 * bgp_accept() logs a failure here as "Continuing", i.e. a peer configured
 * for ttl-security can be accepted without the minimum-TTL filter in place
 * (fail-open). bgp_connect()'s handling of the failure is not visible in
 * this excerpt. A hard failure when gtsm_hops is configured would be safer.
 *
 * NOTE(review): the excerpt omits the 'ret' declaration, the 'if (ret < 0)'
 * / zlog_err( lines, the trailing arguments of the three log calls, the
 * closing braces and the final return.
 */
int bgp_set_socket_ttl(struct peer *peer, int bgp_sock)
	char buf[INET_ADDRSTRLEN];
	/* ... 'ret' declaration omitted in excerpt ... */

	/* In case of peer is EBGP, we should set TTL for this connection. */
	if (!peer->gtsm_hops && (peer_sort(peer) == BGP_PEER_EBGP)) {
		ret = sockopt_ttl(peer->su.sa.sa_family, bgp_sock, peer->ttl);
		/* ... error check and log call head omitted in excerpt ... */
			"%s: Can't set TxTTL on peer (rtrid %s) socket, err = %d",
			__func__, inet_ntop(AF_INET, &peer->remote_id,
			/* ... remaining arguments omitted in excerpt ... */
	} else if (peer->gtsm_hops) {
		/* On Linux, setting minttl without setting ttl seems to mess
		 * up the outgoing ttl. Therefore setting both.
		 */
		ret = sockopt_ttl(peer->su.sa.sa_family, bgp_sock, MAXTTL);
		/* ... error check and log call head omitted in excerpt ... */
			"%s: Can't set TxTTL on peer (rtrid %s) socket, err = %d",
			__func__, inet_ntop(AF_INET, &peer->remote_id,
			/* ... remaining arguments omitted in excerpt ... */

		/* Minimum accepted TTL: only packets that started at MAXTTL
		 * and travelled at most gtsm_hops hops get through. */
		ret = sockopt_minttl(peer->su.sa.sa_family, bgp_sock,
				     MAXTTL + 1 - peer->gtsm_hops);
		/* ... error check and log call head omitted in excerpt ... */
			"%s: Can't set MinTTL on peer (rtrid %s) socket, err = %d",
			__func__, inet_ntop(AF_INET, &peer->remote_id,
			/* ... remaining arguments omitted in excerpt ... */
/*
 * Obtain the BGP instance that the incoming connection should be processed
 * against. This is important because more than one VRF could be using the
 * same IP address space. The instance is found by obtaining the device to
 * which the incoming connection is bound. This could either be a VRF
 * or it could be an interface, which in turn determines the VRF.
 *
 * Security note: which instance - and therefore whose neighbor
 * configuration - handles the connection is decided purely by the device
 * name the kernel reports via SO_BINDTODEVICE; when none is obtained the
 * default instance is used.
 *
 * NOTE(review): the excerpt omits a number of lines (declarations of 'rc'
 * and 'bgp', the return / '#else' of the #ifndef branch, the conditions
 * around the error and default-instance paths, the use of a matched
 * instance, the interface match inside the loop, and the final return).
 */
static int bgp_get_instance_for_inc_conn(int sock, struct bgp **bgp_inst)
#ifndef SO_BINDTODEVICE
	/* only Linux has SO_BINDTODEVICE, but we're in Linux-specific code here
	 * anyway since the assumption is that the interface name returned by
	 * getsockopt() is useful in identifying the VRF, particularly with
	 * VRF l3master device. The whole mechanism is specific to Linux, so...
	 * when other platforms add VRF support, this will need handling here as
	 * well. (or, some restructuring) */
	*bgp_inst = bgp_get_default();
	/* ... omitted in excerpt ... */
	/* +1 leaves room for a terminator while name_len is passed as
	 * VRF_NAMSIZ. NOTE(review): whether 'name' is guaranteed to be
	 * NUL-terminated before the lookups below depends on lines not shown
	 * here (or on getsockopt() always copying the terminator) - confirm. */
	char name[VRF_NAMSIZ + 1];
	socklen_t name_len = VRF_NAMSIZ;
	/* ... omitted in excerpt ... */
	struct listnode *node, *nnode;
	/* ... omitted in excerpt ... */

	rc = getsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, name, &name_len);
	/* ... error condition omitted in excerpt ... */
#if defined(HAVE_CUMULUS)
		zlog_err("[Error] BGP SO_BINDTODEVICE get failed (%s), sock %d",
			 safe_strerror(errno), sock);
		/* ... omitted in excerpt ... */

	/* Reached when no usable device name was obtained (the exact
	 * condition is in omitted lines): fall back to the default instance. */
	*bgp_inst = bgp_get_default();
	return 0; /* default instance. */

	/* First try match to instance; if that fails, check for interfaces. */
	bgp = bgp_lookup_by_name(name);
	/* ... omitted in excerpt ... */
		if (!bgp->vrf_id) // unexpected
			/* ... omitted in excerpt ... */

	/* TODO - This will be optimized once interfaces move into the NS */
	for (ALL_LIST_ELEMENTS(bm->bgp, node, nnode, bgp)) {
		struct interface *ifp;

		/* Views are skipped (presumably: they are not tied to a VRF
		 * the device could belong to). */
		if (bgp->inst_type == BGP_INSTANCE_TYPE_VIEW)
			/* ... omitted in excerpt ... */

		ifp = if_lookup_by_name(name, bgp->vrf_id);
		/* ... interface match handling omitted in excerpt ... */

	/* We didn't match to either an instance or an interface. */
	/* ... failure return omitted in excerpt ... */
/*
 * Accept one inbound BGP connection (read callback on a listen socket).
 *
 * Visible flow: re-arm the read event, accept(), resolve the BGP instance by
 * bound device, look the source address up as a configured (or dynamic-range)
 * neighbor, apply the admin-shutdown / FSM-state / address-family gates, then
 * create a "doppelganger" peer that owns the inbound socket until the OPEN
 * packet has been read.
 *
 * Security notes, from the visible code:
 *  - The TCP handshake has completed and an fd exists before any check on the
 *    source address; unconfigured sources are rejected only afterwards. The
 *    listener's exposure has to be limited elsewhere (keyed listener, packet
 *    filters) - nothing here does it.
 *  - A bgp_set_socket_ttl() failure is logged as "Continuing", so a peer
 *    configured for ttl-security can be accepted without the minimum-TTL
 *    filter (fail-open).
 *  - A new connection completing the handshake from a configured peer address
 *    deletes the previous in-progress doppelganger, and for an Established
 *    peer in NSF mode raises TCP_connection_closed on it. That is standard
 *    collision handling, but it is driven by the source address alone.
 *
 * NOTE(review): many lines are omitted in this excerpt (local declarations,
 * the close()/return statements on the rejection paths, closing braces and
 * parts of several log calls). Comments describe only what is visible.
 */
static int bgp_accept(struct thread *thread)
	/* ... local declarations omitted in excerpt ... */
	struct bgp_listener *listener = THREAD_ARG(thread);
	char buf[SU_ADDRSTRLEN];
	struct bgp *bgp = NULL;

	/* Register accept thread. */
	accept_sock = THREAD_FD(thread);
	if (accept_sock < 0) {
		zlog_err("accept_sock is nevative value %d", accept_sock);
		/* ... omitted in excerpt ... */
	/* Re-arm the read event before doing any work so the next pending
	 * connection is not missed. */
	listener->thread = NULL;
	thread_add_read(bm->master, bgp_accept, listener, accept_sock,
			/* ... trailing argument omitted in excerpt ... */

	/* Accept client connection. */
	bgp_sock = sockunion_accept(accept_sock, &su);
	/* ... failure condition omitted in excerpt ... */
		zlog_err("[Error] BGP socket accept failed (%s)",
			 safe_strerror(errno));
		/* ... omitted in excerpt ... */

	set_nonblocking(bgp_sock);

	/* Obtain BGP instance this connection is meant for. */
	if (bgp_get_instance_for_inc_conn(bgp_sock, &bgp)) {
		if (bgp_debug_neighbor_events(NULL))
			/* ... log call head omitted in excerpt ... */
				"[Event] Could not get instance for incoming conn from %s",
				inet_sutop(&su, buf));
		/* ... close / return omitted in excerpt ... */

	/* Set socket send buffer size */
	setsockopt_so_sendbuf(bgp_sock, BGP_SOCKET_SNDBUF_SIZE);

	/* Check remote IP address. This is the first authorisation gate and it
	 * is on source address only; the handshake already completed above. */
	peer1 = peer_lookup(bgp, &su);
	/* ... condition omitted in excerpt ... */
		/* Not a configured neighbor: see whether a listen range
		 * (dynamic neighbor) covers the source address. */
		peer1 = peer_lookup_dynamic_neighbor(bgp, &su);
		/* ... condition omitted in excerpt ... */
			/* Dynamic neighbor has been created, let it proceed */
			peer1->fd = bgp_sock;
			bgp_fsm_change_status(peer1, Active);
			/* ... head of the timer-off statement omitted in excerpt ... */
				peer1->t_start); /* created in peer_create() */

			if (peer_active(peer1))
				BGP_EVENT_ADD(peer1, TCP_connection_open);
			/* ... omitted in excerpt ... */

		/* Neither configured nor within a dynamic range: reject. */
		if (bgp_debug_neighbor_events(NULL)) {
			/* ... log call head omitted in excerpt ... */
				"[Event] %s connection rejected - not configured"
				" and not valid for dynamic",
				inet_sutop(&su, buf));
		/* ... close / return omitted in excerpt ... */

	/* Administratively shut down peers never get a connection. */
	if (CHECK_FLAG(peer1->flags, PEER_FLAG_SHUTDOWN)) {
		if (bgp_debug_neighbor_events(peer1))
			/* ... log call head omitted in excerpt ... */
				"[Event] connection from %s rejected due to admin shutdown",
				inet_sutop(&su, buf));
		/* ... close / return omitted in excerpt ... */

	/*
	 * Do not accept incoming connections in Clearing state. This can result
	 * in incorrect state transitions - e.g., the connection goes back to
	 * Established and then the Clearing_Completed event is generated. Also,
	 * block incoming connection in Deleted state.
	 */
	if (peer1->status == Clearing || peer1->status == Deleted) {
		if (bgp_debug_neighbor_events(peer1))
			/* ... log call head omitted in excerpt ... */
				"[Event] Closing incoming conn for %s (%p) state %d",
				peer1->host, peer1, peer1->status);
		/* ... close / return omitted in excerpt ... */

	/* Check that at least one AF is activated for the peer. */
	if (!peer_active(peer1)) {
		if (bgp_debug_neighbor_events(peer1))
			/* ... log call head omitted in excerpt ... */
				"%s - incoming conn rejected - no AF activated for peer",
				/* ... remaining arguments / close / return omitted in excerpt ... */

	if (bgp_debug_neighbor_events(peer1))
		zlog_debug("[Event] BGP connection from host %s fd %d",
			   inet_sutop(&su, buf), bgp_sock);

	if (peer1->doppelganger) {
		/* We have an existing connection. Kill the existing one and run
		 * with the new one. Note this is decided on source address
		 * alone, before any OPEN has been read. */
		if (bgp_debug_neighbor_events(peer1))
			/* ... log call head omitted in excerpt ... */
				"[Event] New active connection from peer %s, Killing"
				" previous active connection",
				/* ... remaining arguments omitted in excerpt ... */
		peer_delete(peer1->doppelganger);
		/* ... omitted in excerpt ... */

	/* TTL / ttl-security is applied here, but a failure is NOT fatal: the
	 * peer is accepted without the minimum-TTL filter. Rejecting instead
	 * when gtsm_hops is configured would avoid the fail-open. */
	if (bgp_set_socket_ttl(peer1, bgp_sock) < 0)
		if (bgp_debug_neighbor_events(peer1))
			/* ... log call head omitted in excerpt ... */
				"[Event] Unable to set min/max TTL on peer %s, Continuing",
				/* ... remaining arguments omitted in excerpt ... */

	/* Make a dummy ("doppelganger") peer that owns the inbound socket until
	 * the OPEN packet has been read; its configuration is copied from peer1
	 * below. */
	peer = peer_create(&su, peer1->conf_if, peer1->bgp, peer1->local_as,
			   peer1->as, peer1->as_type, 0, 0, NULL);
	/* Release and re-insert the new peer in the hash - presumably because
	 * peer_create() hashed it before the fields used by the hash were
	 * final; confirm against peer_create(). */
	hash_release(peer->bgp->peerhash, peer);
	hash_get(peer->bgp->peerhash, peer, hash_alloc_intern);

	peer_xfer_config(peer, peer1);
	/* The doppelganger is runtime state, never a config node. */
	UNSET_FLAG(peer->flags, PEER_FLAG_CONFIG_NODE);

	peer->doppelganger = peer1;
	peer1->doppelganger = peer;
	/* ... omitted in excerpt ... */
	bgp_fsm_change_status(peer, Active);
	BGP_TIMER_OFF(peer->t_start); /* created in peer_create() */

	/* Mark the new peer as the passively accepted side. */
	SET_FLAG(peer->sflags, PEER_STATUS_ACCEPT_PEER);

	if (peer1->status == Established
	    && CHECK_FLAG(peer1->sflags, PEER_STATUS_NSF_MODE)) {
		/* If we have an existing established connection with graceful
		 * restart capability announced with one or more address
		 * families, then close the existing established connection and
		 * move its state to connect. (Wording partly reconstructed: the
		 * original comment is incomplete in this excerpt.) */
		peer1->last_reset = PEER_DOWN_NSF_CLOSE_SESSION;
		SET_FLAG(peer1->sflags, PEER_STATUS_NSF_WAIT);
		bgp_event_update(peer1, TCP_connection_closed);
		/* ... omitted in excerpt ... */

	if (peer_active(peer)) {
		BGP_EVENT_ADD(peer, TCP_connection_open);
		/* ... omitted in excerpt ... */
/* BGP socket bind: tie PEER's outbound socket to the interface or VRF device
 * it is configured against (SO_BINDTODEVICE), so the connection leaves via
 * the intended device (cf. the VRF address-overlap note above
 * bgp_get_instance_for_inc_conn()).
 *
 * NOTE(review): the excerpt omits the local declarations, the return for the
 * not-bound case, the tail of the IPv6 name expression and its 'else', the
 * option-length argument of setsockopt(), the failure condition and errno
 * argument of the debug log, and the return statements. */
static int bgp_bind(struct peer *peer)
#ifdef SO_BINDTODEVICE
	/* ... local declarations omitted in excerpt ... */

	/* If not bound to an interface or part of a VRF, we don't care. */
	if (!peer->bgp->vrf_id && !peer->ifname && !peer->conf_if)
		/* ... omitted in excerpt ... */

	if (peer->su.sa.sa_family != AF_INET
	    && peer->su.sa.sa_family != AF_INET6)
		return 0; // unexpected

	/* For IPv6 peering, interface (unnumbered or link-local with interface)
	 * takes precedence over VRF. For IPv4 peering, explicit interface or
	 * VRF are the situations to bind.
	 */
	if (peer->su.sa.sa_family == AF_INET6)
		name = (peer->conf_if ? peer->conf_if
				      : (peer->ifname ? peer->ifname
				      /* ... tail of expression omitted in excerpt ... */
	/* ... 'else' omitted in excerpt ... */
		name = peer->ifname ? peer->ifname : peer->bgp->name;

	if (bgp_debug_neighbor_events(peer))
		zlog_debug("%s Binding to interface %s", peer->host, name);

	/* NOTE(review): unlike bgp_md5_set_connect(), a failed privilege raise
	 * is only logged here and the setsockopt() is still attempted; it is
	 * then expected to fail and be reported through 'ret'. */
	if (bgpd_privs.change(ZPRIVS_RAISE))
		zlog_err("bgp_bind: could not raise privs");
	ret = setsockopt(peer->fd, SOL_SOCKET, SO_BINDTODEVICE, name,
			 /* ... option length omitted in excerpt ... */
	if (bgpd_privs.change(ZPRIVS_LOWER))
		zlog_err("bgp_bind: could not lower privs");

	/* The failure path is visible here only as a debug log. Whether the
	 * connect is abandoned on failure - so a VRF peer cannot silently go
	 * out via the wrong device - is decided in omitted lines; confirm. */
	/* ... failure condition omitted in excerpt ... */
		if (bgp_debug_neighbor_events(peer))
			zlog_debug("bind to interface %s failed, errno=%d",
				   /* ... remaining arguments omitted in excerpt ... */
	/* ... returns omitted in excerpt ... */
#endif /* SO_BINDTODEVICE */
/* Pick, among the addresses configured on IFP that share DST's address
 * family, the one with the longest common prefix with DST, and return it in
 * ADDR via prefix2sockunion().
 *
 * NOTE(review): the initialisation of 'sel' / 'common', the 'continue' on a
 * family mismatch, the 'sel = p' assignment inside the if, the no-match
 * return and the final return are omitted in this excerpt. Whatever those
 * lines do, prefix2sockunion(sel, addr) must not be reached with sel == NULL
 * (no matching address on the interface) - confirm the omitted guard. */
static int bgp_update_address(struct interface *ifp, const union sockunion *dst,
			      union sockunion *addr)
	struct prefix *p, *sel, d;
	struct connected *connected;
	struct listnode *node;
	/* ... 'common' declaration / initialisation omitted in excerpt ... */

	/* Compare as host prefixes so prefix_common_bits() works on DST. */
	sockunion2hostprefix(dst, &d);

	for (ALL_LIST_ELEMENTS_RO(ifp->connected, node, connected)) {
		p = connected->address;
		if (p->family != d.family)
			/* ... omitted in excerpt ... */
		/* Keep the candidate sharing the most leading bits with DST. */
		if (prefix_common_bits(p, &d) > common) {
			/* ... 'sel' update omitted in excerpt ... */
			common = prefix_common_bits(sel, &d);
			/* ... omitted in excerpt ... */

	/* ... no-match handling omitted in excerpt ... */
	prefix2sockunion(sel, addr);
	/* ... return omitted in excerpt ... */
/* Update source selection: bind PEER's outbound socket to the configured
 * update-source, given either as an interface name (pick an address on that
 * interface via bgp_update_address()) or as an explicit address.
 *
 * NOTE(review): the 'ret' declaration / initialisation, the handling of a
 * NULL 'ifp' after if_lookup_by_name(), the failure return after
 * bgp_update_address(), and the final return are omitted in this excerpt. */
static int bgp_update_source(struct peer *peer)
	struct interface *ifp;
	union sockunion addr;
	/* ... 'ret' declaration omitted in excerpt ... */

	sockunion_init(&addr);

	/* Source is specified with interface name. */
	if (peer->update_if) {
		/* The lookup is scoped to the peer's VRF. */
		ifp = if_lookup_by_name(peer->update_if, peer->bgp->vrf_id);
		/* ... NULL-ifp handling omitted in excerpt ... */

		if (bgp_update_address(ifp, &peer->su, &addr))
			/* ... omitted in excerpt ... */

		/* Port 0: let the kernel pick the ephemeral port. */
		ret = sockunion_bind(peer->fd, &addr, 0, &addr);
		/* ... omitted in excerpt ... */

	/* Source is specified with IP address. */
	if (peer->update_source)
		ret = sockunion_bind(peer->fd, peer->update_source, 0,
				     peer->update_source);
	/* ... return omitted in excerpt ... */
548 #define DATAPLANE_MARK 254 /* main table ID */
/* BGP try to connect to the peer: create the outbound socket, apply the
 * per-peer socket options (TTL / ttl-security, mark, TOS, TCP MD5 key,
 * update-source bind) and start a non-blocking connect().
 *
 * NOTE(review): the return value of bgp_md5_set_connect() is discarded
 * (see below), so if the TCP MD5 key cannot be installed the connect still
 * proceeds with only a zlog_warn() from bgp_md5_set_socket(). Given the
 * update-source failure path already does 'return connect_error', the same
 * treatment when a password is configured and the key could not be set
 * would close the fail-open.
 *
 * NOTE(review): the excerpt omits the local 'connect_error'/'ret'
 * declarations, the return after the "address not learnt" debug, the socket
 * creation failure check, the handling after bgp_set_socket_ttl() fails, the
 * condition guarding the MD5 call, the tail of the ifname2ifindex()
 * expression and the trailing arguments of sockunion_connect(). */
int bgp_connect(struct peer *peer)
	/* A connect must not race with I/O threads on the same peer. */
	assert(!CHECK_FLAG(peer->thread_flags, PEER_THREAD_WRITES_ON));
	assert(!CHECK_FLAG(peer->thread_flags, PEER_THREAD_READS_ON));
	ifindex_t ifindex = 0;

	/* Unnumbered (interface) peer whose address has not been learnt yet. */
	if (peer->conf_if && BGP_PEER_SU_UNSPEC(peer)) {
		zlog_debug("Peer address not learnt: Returning from connect");
		/* ... return omitted in excerpt ... */

	/* Make socket for the peer. */
	peer->fd = sockunion_socket(&peer->su);
	/* ... failure check omitted in excerpt ... */

	set_nonblocking(peer->fd);

	/* Set socket send buffer size */
	setsockopt_so_sendbuf(peer->fd, BGP_SOCKET_SNDBUF_SIZE);

	/* Handling of a TTL / ttl-security failure is in omitted lines. */
	if (bgp_set_socket_ttl(peer, peer->fd) < 0)
		/* ... omitted in excerpt ... */

	sockopt_reuseaddr(peer->fd);
	sockopt_reuseport(peer->fd);

	/* Mark the socket so dataplane policy routing can classify it; a
	 * failure is non-fatal. */
	if (sockopt_mark_default(peer->fd, DATAPLANE_MARK, &bgpd_privs) < 0)
		zlog_warn("Unable to set mark on FD for peer %s, err=%s",
			  peer->host, safe_strerror(errno));

#ifdef IPTOS_PREC_INTERNETCONTROL
	/* TOS / traffic class needs privileges; note a failed raise is only
	 * logged and the calls are still attempted. */
	if (bgpd_privs.change(ZPRIVS_RAISE))
		zlog_err("%s: could not raise privs", __func__);
	if (sockunion_family(&peer->su) == AF_INET)
		setsockopt_ipv4_tos(peer->fd, IPTOS_PREC_INTERNETCONTROL);
	else if (sockunion_family(&peer->su) == AF_INET6)
		setsockopt_ipv6_tclass(peer->fd, IPTOS_PREC_INTERNETCONTROL);
	if (bgpd_privs.change(ZPRIVS_LOWER))
		zlog_err("%s: could not lower privs", __func__);
	/* ... #endif and the condition guarding the MD5 call omitted in excerpt ... */

	/* NOTE(review): return value ignored - a failure to install the TCP
	 * MD5 key does not stop the connect. */
	bgp_md5_set_connect(peer->fd, &peer->su, peer->password);
	/* ... omitted in excerpt ... */

	/* Update source bind. */
	if (bgp_update_source(peer) < 0) {
		/* NOTE(review): peer->fd is not closed on this path in the
		 * visible lines; confirm the FSM's connect_error handling
		 * releases it. */
		return connect_error;
		/* ... omitted in excerpt ... */

	/* Scope the connect to the configured interface (needed e.g. for
	 * link-local IPv6 peers). */
	if (peer->conf_if || peer->ifname)
		ifindex = ifname2ifindex(peer->conf_if ? peer->conf_if
					 /* ... tail of expression omitted in excerpt ... */

	if (bgp_debug_neighbor_events(peer))
		zlog_debug("%s [Event] Connect start to %s fd %d", peer->host,
			   peer->host, peer->fd);

	/* Connect to the remote peer. */
	return sockunion_connect(peer->fd, &peer->su, htons(peer->port),
				 /* ... trailing arguments omitted in excerpt ... */
/* After TCP connection is established. Get local address and port (and the
 * remote ones) from the socket and derive the peer's nexthop from them.
 * Any previously stored addresses are freed first so a reconnect does not
 * leak them.
 *
 * NOTE(review): the excerpt omits the NULL check after
 * sockunion_getsockname() (the one after getpeername() is visible), the
 * trailing argument of bgp_nexthop_set(), the log call head, the reset on
 * nexthop failure and the returns. */
int bgp_getsockname(struct peer *peer)
	if (peer->su_local) {
		sockunion_free(peer->su_local);
		peer->su_local = NULL;
		/* ... omitted in excerpt ... */

	if (peer->su_remote) {
		sockunion_free(peer->su_remote);
		peer->su_remote = NULL;
		/* ... omitted in excerpt ... */

	peer->su_local = sockunion_getsockname(peer->fd);
	/* ... NULL handling omitted in excerpt ... */
	peer->su_remote = sockunion_getpeername(peer->fd);
	if (!peer->su_remote)
		/* ... omitted in excerpt ... */

	/* A failed nexthop derivation resets the connection (per the log text
	 * below); this is the right fail-closed default since routes would
	 * otherwise carry an unusable nexthop. */
	if (bgp_nexthop_set(peer->su_local, peer->su_remote, &peer->nexthop,
			    /* ... trailing argument omitted in excerpt ... */
#if defined(HAVE_CUMULUS)
			/* ... log call head omitted in excerpt ... */
			"%s: nexthop_set failed, resetting connection - intf %p",
			peer->host, peer->nexthop.ifp);
		/* ... omitted in excerpt ... */
/* Turn SOCK into a BGP listening socket bound to SA (SALEN bytes), register
 * bgp_accept() as its read handler and record it in bm->listen_sockets.
 *
 * Security notes:
 *  - bind() runs with privileges raised (the BGP port is typically a
 *    privileged one); they are lowered again before the error is reported,
 *    so the saved 'en' is what gets logged, not a clobbered errno.
 *  - SO_REUSEPORT is set on the listener; on platforms where that lets
 *    another process of the same user bind the same port, a second listener
 *    could receive some of the connections - verify this is intended.
 *  - 'salen' is copied into listener->su without a bound check. The only
 *    visible caller (bgp_socket()) restricts the family to AF_INET/AF_INET6,
 *    whose sockaddrs fit, but a `salen <= sizeof(listener->su)` sanity check
 *    would make this robust on its own.
 *
 * NOTE(review): the excerpt omits the 'ret'/'en' declarations, the errno
 * capture and error returns after bind()/listen(), the '#endif', the
 * 'listener->fd' assignment, the trailing thread_add_read() argument and the
 * final return. */
static int bgp_listener(int sock, struct sockaddr *sa, socklen_t salen)
	struct bgp_listener *listener;
	/* ... 'ret' / 'en' declarations omitted in excerpt ... */

	sockopt_reuseaddr(sock);
	sockopt_reuseport(sock);

	if (bgpd_privs.change(ZPRIVS_RAISE))
		zlog_err("%s: could not raise privs", __func__);

#ifdef IPTOS_PREC_INTERNETCONTROL
	if (sa->sa_family == AF_INET)
		setsockopt_ipv4_tos(sock, IPTOS_PREC_INTERNETCONTROL);
	else if (sa->sa_family == AF_INET6)
		setsockopt_ipv6_tclass(sock, IPTOS_PREC_INTERNETCONTROL);
	/* ... #endif omitted in excerpt ... */

	/* Keep the v6 listener from also accepting v4-mapped connections;
	 * bgp_socket() creates a separate v4 listener. */
	sockopt_v6only(sa->sa_family, sock);

	ret = bind(sock, sa, salen);
	/* ... errno capture omitted in excerpt ... */
	if (bgpd_privs.change(ZPRIVS_LOWER))
		zlog_err("%s: could not lower privs", __func__);

	/* ... failure condition omitted in excerpt ... */
		zlog_err("bind: %s", safe_strerror(en));
		/* ... omitted in excerpt ... */

	ret = listen(sock, SOMAXCONN);
	/* ... failure condition omitted in excerpt ... */
		zlog_err("listen: %s", safe_strerror(errno));
		/* ... omitted in excerpt ... */

	listener = XMALLOC(MTYPE_BGP_LISTENER, sizeof(*listener));
	/* ... 'fd' assignment omitted in excerpt ... */
	memcpy(&listener->su, sa, salen);
	listener->thread = NULL;
	thread_add_read(bm->master, bgp_accept, listener, sock,
			/* ... trailing argument omitted in excerpt ... */
	listnode_add(bm->listen_sockets, listener);

	/* ... return omitted in excerpt ... */
/* IPv6 supported version of BGP server socket setup: resolve ADDRESS/PORT
 * with getaddrinfo() (AI_PASSIVE, so a NULL address presumably yields the
 * wildcard addresses) and create one listener per usable IPv4/IPv6 result.
 *
 * Security note: the listen sockets only get their outgoing TTL set to
 * MAXTTL; no minimum-TTL is applied here (the comment below says as much),
 * so ttl-security is enforced per accepted connection in bgp_accept(), not
 * on the listener itself.
 *
 * NOTE(review): the excerpt omits the 'sock'/'ret'/'count' style locals, the
 * getaddrinfo() failure return, the 'continue' for other families, the
 * trailing socket() argument, the socket() failure handling, the rest of the
 * ttl-security comment, the per-address bookkeeping / close after
 * bgp_listener(), and the final returns. */
int bgp_socket(unsigned short port, const char *address)
	struct addrinfo *ainfo;
	struct addrinfo *ainfo_save;
	static const struct addrinfo req = {
		.ai_family = AF_UNSPEC,
		.ai_flags = AI_PASSIVE,
		.ai_socktype = SOCK_STREAM,
		/* ... omitted in excerpt ... */
	/* ... local declarations omitted in excerpt ... */
	char port_str[BUFSIZ];

	/* An unsigned short always fits; the explicit terminator after
	 * snprintf() is belt-and-braces. */
	snprintf(port_str, sizeof(port_str), "%d", port);
	port_str[sizeof(port_str) - 1] = '\0';

	ret = getaddrinfo(address, port_str, &req, &ainfo_save);
	/* ... failure condition omitted in excerpt ... */
		zlog_err("getaddrinfo: %s", gai_strerror(ret));
		/* ... omitted in excerpt ... */

	for (ainfo = ainfo_save; ainfo; ainfo = ainfo->ai_next) {
		/* ... omitted in excerpt ... */
		if (ainfo->ai_family != AF_INET && ainfo->ai_family != AF_INET6)
			/* ... omitted in excerpt ... */

		sock = socket(ainfo->ai_family, ainfo->ai_socktype,
			      /* ... trailing argument omitted in excerpt ... */
		/* ... failure condition omitted in excerpt ... */
			zlog_err("socket: %s", safe_strerror(errno));
			/* ... omitted in excerpt ... */

		/* if we intend to implement ttl-security, this socket needs
		 * ... (rest of the original comment omitted in excerpt) ...
		 * Return value of sockopt_ttl() is not checked here. */
		sockopt_ttl(ainfo->ai_family, sock, MAXTTL);

		ret = bgp_listener(sock, ainfo->ai_addr, ainfo->ai_addrlen);
		/* ... per-address success/failure bookkeeping omitted in excerpt ... */

	freeaddrinfo(ainfo_save);

	/* ... condition omitted in excerpt ... */
		zlog_err("%s: no usable addresses please check other programs usage of specified port %d",
			 /* ... arguments omitted in excerpt ... */
		zlog_err("%s: Program cannot continue", __func__);
		/* ... omitted in excerpt ... */
756 struct listnode
*node
, *next
;
757 struct bgp_listener
*listener
;
759 if (bm
->listen_sockets
== NULL
)
762 for (ALL_LIST_ELEMENTS(bm
->listen_sockets
, node
, next
, listener
)) {
763 thread_cancel(listener
->thread
);
765 listnode_delete(bm
->listen_sockets
, listener
);
766 XFREE(MTYPE_BGP_LISTENER
, listener
);