rgirada [Thu, 23 Jun 2022 14:37:28 +0000 (07:37 -0700)]
vtysh: Account validity should be verified when authenticating users with PAM.
Description:
SonarQube detects the following behaviour as a vulanarability.
When authenticating users using PAM, it is strongly recommended to
check the validity of the account (not locked, not expired ...),
otherwise it leads to unauthorized access to resources.
pam_acct_mgmt() should be called for account validity after
calling pam_authenticate().
rgirada [Thu, 23 Jun 2022 13:40:19 +0000 (06:40 -0700)]
ospfd: fixing few coverity issue in 'show_ip_ospf_neighbour_brief'
Description:
timerval data structure is being used without initialization.
Using these uninitialized parameters can lead unexpected results
so initializing before using it.
rgirada [Sun, 19 Jun 2022 18:04:39 +0000 (11:04 -0700)]
ospfd: Fixing "show ip ospf neighbour <nbrid>" command
Description:
"show ip ospf neighbour [nbrid] [json]" is expected to give brief output
of the specific neighbour. But it gives the detailed output without
the detail keyword.
"show ip ospf neighbour [nbrid] [deatil] [json]" command is failed to
fetch the ecpected o/p. Corrected it.
Ex o/p:
frr(config-if)# do show ip ospf neighbor
Neighbor ID Pri State Up Time Dead Time Address Interface RXmtL RqstL DBsmL
8.8.8.8 1 Full/DR 17m03s 31.192s 20.1.1.194 ens192:20.1.1.220 0 0 0
30.1.1.100 1 Full/DR 56.229s 32.000s 30.1.1.100 ens224:30.1.1.220 0 0 0
frr(config-if)#
frr(config-if)#
frr(config-if)# do show ip ospf neighbor 8.8.8.8
Neighbor 8.8.8.8, interface address 20.1.1.194
In the area 0.0.0.0 via interface ens192
Neighbor priority is 1, State is Full/DR, 6 state changes
Most recent state change statistics:
Progressive change 17m18s ago
DR is 20.1.1.194, BDR is 20.1.1.220
Options 2 *|-|-|-|-|-|E|-
Dead timer due in 35.833s
Database Summary List 0
Link State Request List 0
Link State Retransmission List 0
Thread Inactivity Timer on
Thread Database Description Retransmision off
Thread Link State Request Retransmission on
Thread Link State Update Retransmission on
Graceful restart Helper info:
Graceful Restart HELPER Status : None
frr(config-if)# do show ip ospf neighbor 8.8.8.8 detail
No such interface.
frr(config-if)# do show ip ospf neighbor 8.8.8.8 detail json
{}
frr(config-if)#
nguggarigoud [Tue, 21 Jun 2022 07:42:45 +0000 (00:42 -0700)]
tests: Removing invalid step from ospf tests.
1. Removed the step from hello test case with hello
timer of 65535. This test works in some platforms
and does not work in others, affecting stability.
Donald Sharp [Fri, 17 Jun 2022 17:43:30 +0000 (13:43 -0400)]
bgpd: Display useful values when using json for missing neighbor state
When a peer has not established connection yet, these values:
`hostLocal`, `portLocal`, `hostForeign`, `portForeign` might
not have any values and json output will not display anything
for them. Modify the code to display some nominal values in
this situation so that parsers are not surprised.
Mark Stapp [Fri, 17 Jun 2022 15:47:55 +0000 (11:47 -0400)]
ospf6: permit route delete without nexthops
It's possible for ospf6 to decide to delete a route after it's
removed all of the route's nexthops. It's ok to delete a prefix
alone - be a little more forgiving when preparing a route delete.
Christian Hopps [Fri, 17 Jun 2022 06:04:51 +0000 (02:04 -0400)]
lib: cleanup red-herring memleaks in parent of daemonizing fork
- The parent of the daemonizing fork reports memleaks for the early
northbound allocations (libyang). If these were real memleaks these
would show up in the child as well; however, ignoring all memleaks in
the parent of the fork is too hard a sale. Instead, spend some CPU
cycles cleaning up the allocations in the parent after the fork and
immeidatley prior to exiting the parent after the daemonizing fork.
Donald Sharp [Fri, 29 Oct 2021 12:16:13 +0000 (08:16 -0400)]
zebra: Add a timer to nexthop group deletion
Before deleting nexthop groups, that are installed,
from the system, start a timer and hold the nexthop
group for that time.
Suppose you have this scenario
a) create a static route with 1 x ecmp
creates a nhg with 1 x ecmp
b) create a static route with 2 x ecmp
creates a nhg with 2 x ecmp
deletes a's nhg
c) create a static route with 3 x ecmp
creates a nhg with 3 x ecmp
deletes b's nhg
d) create a different route with 1 x ecmp
creates another 1 x ecmp ( since a's ecmp was deleted )
e) create a different route with 2 x ecmp
creates another 2 x ecmp ( since b's ecmp was deleted )
If you don't delete the nhg, start a timer, the nhg's used
in steps a and b can be reused for steps d and e. This reduces
overhead work with zebra <-> kernel interactions and improves
the speed of the system.
So modify the code to note that an installed nexthop group should
be kept around a bit and hopefully reused.
Donald Sharp [Wed, 15 Jun 2022 20:27:07 +0000 (16:27 -0400)]
zebra: Move where zebra marks a nhg as uninstalled in fib
Currently the code is marking the nhg as uninstalled but not
causing that to flood up to the dependent nhgs:
nhg 3 is a group of 1/2
1 -> interface A
2 -> interface B
Suppose A goes down, old code would mark nhg 1 as !VALID and !INSTALLED.
Suppose B then goes down, old code would mark nhg 2 as !VALID and !INSTALLED
But would not mark nhg 3 as !VALID and !INSTALLED (sort of assuming that
it would just be cleaned up by NHG refcounts ). I would prefer that
the code is pedantic about nhg 3 actually being removed from the system.
This code moves the setting of !INSTALLED into zebra_nhg.c where it
really belongs.
Quentin Young [Mon, 6 Dec 2021 04:06:16 +0000 (23:06 -0500)]
tools: print daemon start cmd, vtysh_b cmd
When starting a daemon, print the full command run by the init script to
start it. This gives more information and is especially helpful when
debugging wrap commands.
Also add some more logs to vtysh_b to print the command used there,
log when we exit early because frr.conf doesn't exist, and simplify the
code path for creating the command to use.
Quentin Young [Mon, 6 Dec 2021 04:03:52 +0000 (23:03 -0500)]
tools: improve explanation of watchfrr_options
The explanation block for watchfrr_options was split into two blocks,
one explaining the --netns option and one making a vague statement that
the init script provides the list of daemons to start. The former can be
merged with the latter and the latter is more useful when stated as a
caveat for what you should actually use watchfrr_options for.
Quentin Young [Mon, 6 Dec 2021 04:03:11 +0000 (23:03 -0500)]
tools: improve explanation of 'wrap' options
We support 'wrap' variables in /etc/frr/daemons, but the explanation
given there doesn't touch on some of the subtleties of using these
variables.
The variables were designed for use with Valgrind, which has special
behavior when run with programs that daemonize; Valgrind will intercept
the fork()'d child process and run itself instead of the child. This
behavior allows it to follow the same forking semantics as the target
program.
For virtually every other wrapper, the wrap variables do not work as
demonstrated because the wrapper programs do not daemonize. If the
wrappers do not daemonize, they will block the init script. The examples
given with "perf" for example simply do not work, because perf remains
in the foreground even as it tracks forked children.
This patch adds an explanation of the behavior expected by the init
script and offers a solution for getting that behavior.
Renato Westphal [Wed, 15 Jun 2022 14:39:48 +0000 (11:39 -0300)]
tests: fix ldp_vpls_topo1 to work as expected
In the last step of this test, r1's link to r2 is shut down but
both routers stay connected through a multi-hop LDP session. That
happens because r1 and r2 have a targeted adjacency created by
the pseudowire. The test then checks whether the pseudowire is
still up, using an alternate path for nexthop resolution.
Everything's fine except for the fact that LDP GTSM (aka
ttl-security) is enabled by default. This means that messages sent
over a multi-hop session are not delivered. In the case of this
test, it can prevent PW-Status notifications from being delivered,
which in turn can prevent the pseudowire from coming back up.
Fix the test by disabling GTSM so that LDP multi-hop sessions can
work normally. This is in accordance with RFC6720 which mentions
that GTSM should be disabled (statically or dynamically) for
multi-hop sessions.
Donald Sharp [Wed, 15 Jun 2022 12:27:32 +0000 (08:27 -0400)]
zebra: On linux let interface data come in through netlink messaging
Consolidate on linux to using the netlink api for gathering all data
about a interface. Leave this interface alone in the meantime for
other OS's.
This also has the side effect of reducing the amount of work
being done on linux in that FRR was handling shut/no shut
events 2 times. Once for the ioctl question asked and
once for the netlink message received.
Donald Sharp [Wed, 15 Jun 2022 11:31:53 +0000 (07:31 -0400)]
zebra: Attempt to make ioctl.c have a bit more useful log messges
While examining the code, it was noticed that there was a chance
to improve the log output in some cases to give a fuller understanding
of what went wrong where.
Donald Sharp [Wed, 15 Jun 2022 14:32:53 +0000 (10:32 -0400)]
bgpd, ospfd: Remove extra newline for `show debugging`
This extra newline was adding a weird output to `show debugging`
display where there would be extra newlines sometims and not
others. Make it consistent.
projects / mirror_frr.git / log