Show all enabled debugs.
-.. index:: [no] debug neighbor-events
-.. clicmd:: [no] debug neighbor-events
+.. index:: [no] debug bgp neighbor-events
+.. clicmd:: [no] debug bgp neighbor-events
Enable or disable debugging for neighbor events. This provides general
information on BGP events such as peer connection / disconnection, session
establishment / teardown, and capability negotiation.
-.. index:: [no] debug updates
-.. clicmd:: [no] debug updates
+.. index:: [no] debug bgp updates
+.. clicmd:: [no] debug bgp updates
Enable or disable debugging for BGP updates. This provides information on
BGP UPDATE messages transmitted and received between local and remote
instances.
-.. index:: [no] debug keepalives
-.. clicmd:: [no] debug keepalives
+.. index:: [no] debug bgp keepalives
+.. clicmd:: [no] debug bgp keepalives
Enable or disable debugging for BGP keepalives. This provides information on
BGP KEEPALIVE messages transmitted and received between local and remote
.. include:: rpki.rst
+.. include:: flowspec.rst
+
.. [#med-transitivity-rant] For some set of objects to have an order, there *must* be some binary ordering relation that is defined for *every* combination of those objects, and that relation *must* be transitive. I.e.:, if the relation operator is <, and if a < b and b < c then that relation must carry over and it *must* be that a < c for the objects to have an order. The ordering relation may allow for equality, i.e. a < b and b < a may both be true and imply that a and b are equal in the order and not distinguished by it, in which case the set has a partial order. Otherwise, if there is an order, all the objects have a distinct place in the order and the set has a total order)
.. [bgp-route-osci-cond] McPherson, D. and Gill, V. and Walton, D., "Border Gateway Protocol (BGP) Persistent Route Oscillation Condition", IETF RFC3345
.. [stable-flexible-ibgp] Flavel, A. and M. Roughan, "Stable and flexible iBGP", ACM SIGCOMM 2009
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
-exclude_patterns = ['_build', 'rpki.rst', 'routeserver.rst', 'ospf_fundamentals.rst']
+exclude_patterns = ['_build', 'rpki.rst', 'routeserver.rst',
+ 'ospf_fundamentals.rst', 'flowspec.rst']
# The reST default role (used for this markup: `text`) to use for all
# documents.
--- /dev/null
+.. _flowspec:
+
+Flowspec
+========
+
+.. _features-of-the-current-implementation-flowspec:
+
+Overview
+---------
+
+Flowspec introduces a new :abbr:`NLRI (Network Layer Reachability Information)`
+encoding format that is used to distribute traffic rule flow specifications.
+Basically, instead of simply relying on destination IP address for IP prefixes,
+the IP prefix is replaced by a n-tuple consisting of a rule. That rule can be a
+more or less complex combination of the following:
+
+
+- Network source/destination (can be one or the other, or both).
+- Layer 4 information for UDP/TCP : source port, destination port, or any port.
+- Layer 4 information for ICMP type and ICMP code.
+- Layer 4 information for TCP Flags.
+- Layer 3 information : DSCP value, Protocol type, packet length, fragmentation.
+- Misc layer 4 TCP flags.
+
+A combination of the above rules is applied for traffic filtering. This is
+encoded as part of specific BGP extended communities and the action can range
+from the obvious rerouting (to nexthop or to separate VRF) to shaping, or
+discard.
+
+The following IETF drafts and RFCs have been used to implement FRR Flowspec:
+
+- :rfc:`5575`
+- [Draft IETF IDR Flowspec redirect IP]_
+
+.. _design-principles-flowspec:
+
+Design Principles
+-----------------
+
+FRR implements the Flowspec client side, that is to say that BGP is able to
+receive Flowspec entries, but is not able to act as manager and send Flowspec
+entries.
+
+Linux provides the following mechanisms to implement policy based routing:
+
+- Filtering the traffic with ``Netfilter``.
+ ``Netfilter`` provides a set of tools like ``ipset`` and ``iptables`` that are
+ powerful enough to be able to filter such Flowspec filter rule.
+
+- using non standard routing tables via ``iproute2`` (via the ``ip rule``
+ command provided by ``iproute2``).
+ ``iproute2`` is already used by FRR's :ref:`pbr` daemon which provides basic
+ policy based routing based on IP source and destination criterion.
+
+Below example is an illustration of what Flowspec will inject in the underlying
+system:
+
+.. code-block:: shell
+
+ # linux shell
+ ipset create match0x102 hash:net,net counters
+ ipset add match0x102 32.0.0.0/16,40.0.0.0/16
+ iptables -N match0x102 -t mangle
+ iptables -A match0x102 -t mangle -j MARK --set-mark 102
+ iptables -A match0x102 -t mangle -j ACCEPT
+ iptables -i ntfp3 -t mangle -I PREROUTING -m set --match-set match0x102
+ src,dst -g match0x102
+ ip rule add fwmark 102 lookup 102
+ ip route add 40.0.0.0/16 via 44.0.0.2 table 102
+
+For handling an incoming Flowspec entry, the following workflow is applied:
+
+- incoming Flowspec entries are handled by *bgpd*, stored in the BGP RIB.
+- Flowspec entry is installed according to its complexity.
+
+It will be installed if one of the following filtering action is seen on the BGP
+extended community: either redirect IP, or redirect VRF, in conjunction with
+rate option, for redirecting traffic. Or rate option set to 0, for discarding
+traffic.
+
+According to the degree of complexity of the Flowspec entry, it will be
+installed in *zebra* RIB. For more information about what is supported in the
+FRR implementation as rule, see :ref:`flowspec-known-issues` chapter. Flowspec
+entry is split in several parts before being sent to *zebra*.
+
+- *zebra* daemon receives the policy routing configuration
+
+Policy Based Routing entities necessary to policy route the traffic in the
+underlying system, are received by *zebra*. Two filtering contexts will be
+created or appended in ``Netfilter``: ``ipset`` and ``iptable`` context. The
+former is used to define an IP filter based on multiple criterium. For instance,
+an ipset ``net:net`` is based on two ip addresses, while ``net,port,net`` is
+based on two ip addresses and one port ( for ICMP, UDP, or TCP). The way the
+filtering is used ( for example, is src port or dst port used ?) is defined by
+the latter filtering context. ``iptable`` command will reference the ``ipset``
+context and will tell how to filter and what to do. In our case, a marker will
+be set to indicate ``iproute2`` where to forward the traffic to. Sometimes, for
+dropping action, there is no need to add a marker; the ``iptable`` will tell to
+drop all packets matching the ``ipset`` entry.
+
+Configuration guide
+-------------------
+
+In order to configure an IPv4 Flowspec engine, use the following configuration.
+As of today, it is only possible to configure Flowspec on the default VRF.
+
+.. code-block:: frr
+
+ router bgp <AS>
+ neighbor <A.B.C.D> remote-as <remoteAS>
+ address-family ipv4 flowspec
+ neighbor <A.B.C.D> activate
+ exit
+ exit
+
+You can see Flowspec entries, by using one of the following show commands:
+
+.. index:: show bgp ipv4 flowspec [detail | A.B.C.D]
+.. clicmd:: show bgp ipv4 flowspec [detail | A.B.C.D]
+
+
+Per-Interface Configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+One nice feature to use is the ability to apply Flowspec to a specific
+interface, instead of applying it to the whole machine. Despite the following
+IETF draft [Draft IETF IDR Flowspec Interface Set]_ is not implemented, it is
+possible to manually limit Flowspec application to some incoming interfaces.
+Actually, not using it can result to some unexpected behaviour like accounting
+twice the traffic, or slow down the traffic (filtering costs). To limit Flowspec
+to one specific interface, use the following command, under
+`flowspec address-family` node.
+
+.. index:: [no] local-install <IFNAME | any>
+.. clicmd:: [no] local-install <IFNAME | any>
+
+By default, Flowspec is activated on all interfaces. Installing it to a named
+interface will result in allowing only this interface. Conversely, enabling any
+interface will flush all previously configured interfaces.
+
+VRF redirection
+^^^^^^^^^^^^^^^
+
+Another nice feature to configure is the ability to redirect traffic to a
+separate VRF. This feature does not go against the ability to configure Flowspec
+only on default VRF. Actually, when you receive incoming BGP flowspec entries on
+that default VRF, you can redirect traffic to an other VRF.
+
+As a reminder, BGP flowspec entries have a BGP extended community that contains
+a Route Target. Finding out a local VRF based on Route Target consists in the
+following:
+
+- A configuration of each VRF must be done, with its Route Target set
+ Each VRF is being configured within a BGP VRF instance with its own Route
+ Target list. Route Target accepted format matches the following:
+ ``A.B.C.D:U16``, or ``U16:U32``, ``U32:U16``.
+
+- The first VRF with the matching Route Target will be selected to route traffic
+ to. Use the following command under ipv4 unicast address-family node
+
+.. index:: [no] rt redirect import RTLIST...
+.. clicmd:: [no] rt redirect import RTLIST...
+
+In order to illustrate, if the Route Target configured in the Flowspec entry is
+E.F.G.H:II, then a BGP VRF instance with the same Route Target will be set set.
+That VRF will then be selected. The below full configuration example depicts how
+Route Targets are configured and how VRFs and cross VRF configuration is done.
+Note that the VRF are mapped on Linux Network Namespaces. For data traffic to
+cross VRF boundaries, virtual ethernet interfaces are created with private IP
+adressing scheme.
+
+.. code-block:: frr
+
+ router bgp <ASx>
+ neighbor <A.B.C.D> remote-as <ASz>
+ address-family ipv4 flowspec
+ neighbor A.B.C.D activate
+ exit
+ exit
+ router bgp <ASy> vrf vrf2
+ address-family ipv4 unicast
+ rt redirect import <E.F.G.H:II>
+ exit
+ exit
+
+Flowspec Monitor and troubleshooting
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You can monitor policy-routing objects by using one of the following commands.
+Those command rely on the filtering contexts configured from BGP, and get the
+statistics information retrieved from the underlying system. In other words,
+those statistics are retrieved from ``Netfilter``.
+
+.. index:: show pbr ipset IPSETNAME | iptable
+.. clicmd:: show pbr ipset IPSETNAME | iptable
+
+``IPSETNAME`` is the policy routing object name created by ``ipset``.
+About rule contexts, it is possible to know which rule has been configured to
+policy-route some specific traffic. The :clicmd:`show pbr iptable` command
+displays for forwarded traffic, which table is used. Then it is easy to use that
+table identifier to dump the routing table that the forwarded traffic will
+match.
+
+.. code-block:: frr
+
+ show ip route table TABLEID
+
+``TABLEID`` is the table number identifier referencing the non standard routing
+table used in this example.
+You can troubleshoot Flowspec, or BGP policy based routing. For instance, if you
+encounter some issues when decoding a Flowspec entry, you should enable
+:clicmd:`debug bgp flowspec`.
+
+.. index:: [no] debug bgp flowspec
+.. clicmd:: [no] debug bgp flowspec
+
+If you fail to apply the flowspec entry into *zebra*, there should be some
+relationship with policy routing mechanism. Here, :clicmd:`debug bgp pbr error`
+could help.
+
+.. index:: [no] debug bgp pbr [error]
+.. clicmd:: [no] debug bgp pbr [error]
+
+To get information about policy routing contexts created/removed, only use
+:clicmd:`debug bgp pbr` command.
+
+Ensuring that a Flowspec entry has been correctly installed and that incoming
+traffic is policy-routed correctly can be checked like illustrated below. First
+of all, you must check whether the Flowspec entry has been installed or not.
+
+.. code-block:: frr
+
+ CLI# show bgp ipv4 flowspec 5.5.5.2/32
+ BGP flowspec entry: (flags 0x418)
+ Destination Address 5.5.5.2/32
+ IP Protocol = 17
+ Destination Port >= 50 , <= 90
+ FS:redirect VRF RT:255.255.255.255:255
+ received for 18:41:37
+ installed in PBR (match0x271ce00)
+
+This means that the Flowspec entry has been installed in a `iptable`
+named `match0x271ce00`. Once you have confirmation it is installed, you can
+check whether you find the associate entry by executing following command. You
+can also check whether incoming traffic has been matched by looking at counter
+line.
+
+.. code-block:: frr
+
+ CLI# show pbr ipset match0x271ce00
+ IPset match0x271ce00 type net,port
+ to 5.5.5.0/24:proto 6:80-120 (8)
+ pkts 1000, bytes 1000000
+ to 5.5.5.2:proto 17:50-90 (5)
+ pkts 1692918, bytes 157441374
+
+As you can see, the entry is present. note that an `iptable` entry can be used
+to host several Flowspec entries. In order to know where the matching traffic is
+redirected to, you have to look at the policy routing rules. The policy-routing
+is done by forwarding traffic to a routing table number. That routing table
+number is reached by using a `iptable`. The relationship between the routing
+table number and the incoming traffic is a MARKER that is set by the IPtable
+referencing the IPSet. In Flowspec case, `iptable` referencing the `ipset`
+context have the same name. So it is easy to know which routing table is used by
+issuing following command:
+
+.. code-block:: frr
+
+ CLI# show pbr iptable
+ IPtable match0x271ce00 action redirect (5)
+ pkts 1700000, bytes 158000000
+ table 257, fwmark 257
+ ...
+
+As you can see, by using following Linux commands, the MARKER `0x101` is present
+in both ``iptable`` and ``ip rule`` contexts.
+
+.. code-block:: shell
+
+ # iptables -t mangle --list match0x271ce00 -v
+ Chain match0x271ce00 (1 references)
+ pkts bytes target prot opt in out source destination
+ 1700K 158M MARK all -- any any anywhere anywhere
+ MARK set 0x101
+ 1700K 158M ACCEPT all -- any any anywhere anywhere
+
+ # ip rule list
+ 0:from all lookup local
+ 0:from all fwmark 0x101 lookup 257
+ 32766:from all lookup main
+ 32767:from all lookup default
+
+This allows us to see where the traffic is forwarded to.
+
+.. _flowspec-known-issues:
+
+Limitations / Known issues
+--------------------------
+
+As you can see, Flowspec is rich and can be very complex.
+As of today, not all Flowspec rules will be able to be converted into Policy
+Based Routing actions.
+
+- The ``Netfilter`` driver is not integrated into FRR yet. Not having this piece
+ of code prevents from injecting flowspec entries into the underlying system.
+
+- There are some limitations around filtering contexts
+
+ If I take example of UDP ports, or TCP ports in Flowspec, the information
+ can be a range of ports, or a unique value. This case is handled.
+ However, complexity can be increased, if the flow is a combination of a list
+ of range of ports and an enumerate of unique values. Here this case is not
+ handled. Similarly, it is not possible to create a filter for both src port
+ and dst port. For instance, filter on src port from [1-1000] and dst port =
+ 80. The same kind of complexity is not possible for packet length, ICMP type,
+ ICMP code.
+
+There are some other known issues:
+
+- The validation procedure depicted in :rfc:`5575` is not available.
+
+ This validation procedure has not been implemented, as this feature was not
+ used in the existing setups you shared wih us.
+
+- The filtering action shaper value, if positive, is not used to apply shaping.
+
+ If value is positive, the traffic is redirected to the wished destination,
+ without any other action configured by Flowspec.
+ It is recommended to configure Quality of Service if needed, more globally on
+ a per interface basis.
+
+- upon crash or unknown event, *zebra* may not have time to flush pbr contexts.
+
+ That is to say ``ipset``, ``iptable`` and ``ip rule`` contexts. This is also a
+ consequence due to the fact that ip rule / ipset / iptables are not discovered
+ at startup (not able to read appropriate contexts coming from Flowspec).
+
+Appendix
+--------
+
+More information with a public presentation that explains the design of Flowspec
+inside FRRouting.
+
+[Presentation]_
+
+.. [Draft IETF IDR Flowspec redirect IP] <https://tools.ietf.org/id/draft-ietf-idr-flowspec-redirect-ip-02.txt>
+.. [Draft IETF IDR Flowspec Interface Set] <https://tools.ietf.org/id/draft-ietf-idr-flowspec-interfaceset-03.txt>
+.. [Presentation] <https://docs.google.com/presentation/d/1ekQygUAG5yvQ3wWUyrw4Wcag0LgmbW1kV02IWcU4iUg/edit#slide=id.g378f0e1b5e_1_44>
if (dash)
dash[0] = '\0';
- ret = sscanf(ver_string, "%d.%d", &FRR_MAJOR, &FRR_MINOR);
+ ret = sscanf(ver_string, "%" SCNu32 ".%" SCNu32, &FRR_MAJOR,
+ &FRR_MINOR);
if (ret != 2)
zlog_err("Did not Properly parse %s, please fix VERSION string",
VERSION);
// return -1;
/* If incoming interface is passive one, ignore it. */
- if (ei && eigrp_if_is_passive(ei)) {
+ if (eigrp_if_is_passive(ei)) {
char buf[3][INET_ADDRSTRLEN];
if (IS_DEBUG_EIGRP_TRANSMIT(0, RECV))
zlog_warn("stream_recvmsg failed: %s", safe_strerror(errno));
return NULL;
}
- if ((unsigned int)ret < sizeof(iph)) /* ret must be > 0 now */
+ if ((unsigned int)ret < sizeof(*iph)) /* ret must be > 0 now */
{
zlog_warn(
"eigrp_recv_packet: discarding runt packet of length %d "
"(ip header size is %u)",
- ret, (unsigned int)sizeof(iph));
+ ret, (unsigned int)sizeof(*iph));
return NULL;
}
buf[len] = 0;
debugf(NHRP_DEBUG_EVENT, "evmgr: msg: %s", buf);
- if (sscanf(buf, "eventid=%d", &eventid) != 1)
+ if (sscanf(buf, "eventid=%" SCNu32, &eventid) != 1)
continue;
if (sscanf(buf, "result=%63s", result) != 1)
continue;
if (!cie)
return NULL;
- if (cie->nbma_address_len + cie->nbma_subaddress_len) {
+ if (cie->nbma_address_len + cie->nbma_subaddress_len > 0) {
sockunion_set(nbma, afi2family(htons(hdr->afnum)),
zbuf_pulln(zb,
cie->nbma_address_len
uint32_t msglen;
uint8_t msgtype;
struct blob name;
- struct vici_message_ctx ctx;
+ struct vici_message_ctx ctx = { .nsections = 0 };
msglen = zbuf_get_be32(msg);
msgtype = zbuf_get8(msg);
if (!ospf_ri_enabled(vty))
return CMD_WARNING_CONFIG_FAILED;
- if (sscanf(argv[idx_number]->arg, "%d", &as) != 1) {
+ if (sscanf(argv[idx_number]->arg, "%" SCNu32, &as) != 1) {
vty_out(vty, "pce_domain: fscanf: %s\n", safe_strerror(errno));
return CMD_WARNING_CONFIG_FAILED;
}
uint32_t as;
struct ospf_pce_info *pce = &OspfRI.pce_info;
- if (sscanf(argv[idx_number]->arg, "%d", &as) != 1) {
+ if (sscanf(argv[idx_number]->arg, "%" SCNu32, &as) != 1) {
vty_out(vty, "no_pce_domain: fscanf: %s\n",
safe_strerror(errno));
return CMD_WARNING_CONFIG_FAILED;
if (!ospf_ri_enabled(vty))
return CMD_WARNING_CONFIG_FAILED;
- if (sscanf(argv[idx_number]->arg, "%d", &as) != 1) {
+ if (sscanf(argv[idx_number]->arg, "%" SCNu32, &as) != 1) {
vty_out(vty, "pce_neighbor: fscanf: %s\n",
safe_strerror(errno));
return CMD_WARNING_CONFIG_FAILED;
uint32_t as;
struct ospf_pce_info *pce = &OspfRI.pce_info;
- if (sscanf(argv[idx_number]->arg, "%d", &as) != 1) {
+ if (sscanf(argv[idx_number]->arg, "%" SCNu32, &as) != 1) {
vty_out(vty, "no_pce_neighbor: fscanf: %s\n",
safe_strerror(errno));
return CMD_WARNING_CONFIG_FAILED;
* If we have a pimreg device callback and it's for a specific
* table set the master appropriately
*/
- if (sscanf(ifp->name, "pimreg%d", &table_id) == 1) {
+ if (sscanf(ifp->name, "pimreg%" SCNu32, &table_id) == 1) {
struct vrf *vrf;
RB_FOREACH (vrf, vrf_name_head, &vrfs_by_name) {
if ((table_id == vrf->data.l.table_id)
#################### FRRouting (FRR) configure options #####################
# with-feature options
-%{!?with_pam: %global with_pam 0 }
-%{!?with_ospfclient: %global with_ospfclient 1 }
-%{!?with_ospfapi: %global with_ospfapi 1 }
-%{!?with_rtadv: %global with_rtadv 1 }
-%{!?with_ldpd: %global with_ldpd 1 }
-%{!?with_nhrpd: %global with_nhrpd 1 }
-%{!?with_eigrpd: %global with_eigrpd 1 }
%{!?with_babeld: %global with_babeld 1 }
-%{!?with_shared: %global with_shared 1 }
-%{!?with_multipath: %global with_multipath 256 }
-%{!?frr_user: %global frr_user frr }
-%{!?vty_group: %global vty_group frrvty }
-%{!?with_fpm: %global with_fpm 1 }
-%{!?with_watchfrr: %global with_watchfrr 1 }
%{!?with_bgp_vnc: %global with_bgp_vnc 0 }
+%{!?with_cumulus: %global with_cumulus 0 }
+%{!?with_eigrpd: %global with_eigrpd 1 }
+%{!?with_fpm: %global with_fpm 1 }
+%{!?with_ldpd: %global with_ldpd 1 }
+%{!?with_multipath: %global with_multipath 256 }
+%{!?with_nhrpd: %global with_nhrpd 1 }
+%{!?with_ospfapi: %global with_ospfapi 1 }
+%{!?with_ospfclient: %global with_ospfclient 1 }
+%{!?with_pam: %global with_pam 0 }
+%{!?with_pbrd: %global with_pbrd 1 }
%{!?with_pimd: %global with_pimd 1 }
%{!?with_rpki: %global with_rpki 0 }
-%{!?with_pbrd: %global with_pbrd 1 }
+%{!?with_rtadv: %global with_rtadv 1 }
+%{!?with_watchfrr: %global with_watchfrr 1 }
+
+# user and group
+%{!?frr_user: %global frr_user frr }
+%{!?vty_group: %global vty_group frrvty }
# path defines
-%define _sysconfdir /etc/frr
-%define _sbindir /usr/lib/frr
-%define zeb_src %{_builddir}/%{name}-%{frrversion}
-%define zeb_rh_src %{zeb_src}/redhat
-%define zeb_docs %{zeb_src}/doc
-%define frr_tools %{zeb_src}/tools
+%define configdir %{_sysconfdir}/%{name}
+%define _sbindir /usr/lib/frr
+%define zeb_src %{_builddir}/%{name}-%{frrversion}
+%define zeb_rh_src %{zeb_src}/redhat
+%define zeb_docs %{zeb_src}/doc
+%define frr_tools %{zeb_src}/tools
# defines for configure
-%define _localstatedir /var/run/frr
+%define rundir %{_localstatedir}/run/%{name}
# define for sphinx-build binary
%if 0%{?rhel} && 0%{?rhel} < 7
-%define sphinx sphinx-build2.7
+ %define sphinx sphinx-build2.7
%else
-%define sphinx sphinx-build
+ %define sphinx sphinx-build
%endif
############################################################################
%{!?frr_gid: %global frr_gid 92 }
%{!?vty_gid: %global vty_gid 85 }
-%define daemon_list zebra ripd ospfd bgpd isisd ripngd ospf6d pbrd
+%define daemon_list zebra ripd ospfd bgpd isisd ripngd ospf6d pbrd
%if %{with_ldpd}
-%define daemon_ldpd ldpd
+ %define daemon_ldpd ldpd
%else
-%define daemon_ldpd ""
+ %define daemon_ldpd ""
%endif
%if %{with_pimd}
-%define daemon_pimd pimd
+ %define daemon_pimd pimd
%else
-%define daemon_pimd ""
+ %define daemon_pimd ""
%endif
%if %{with_pbrd}
-%define daemon_pbrd pbrd
+ %define daemon_pbrd pbrd
%else
-%define daemon_pbrd ""
+ %define daemon_pbrd ""
%endif
%if %{with_nhrpd}
-%define daemon_nhrpd nhrpd
+ %define daemon_nhrpd nhrpd
%else
-%define daemon_nhrpd ""
+ %define daemon_nhrpd ""
%endif
%if %{with_eigrpd}
-%define daemon_eigrpd eigrpd
+ %define daemon_eigrpd eigrpd
%else
-%define daemon_eigrpd ""
+ %define daemon_eigrpd ""
%endif
%if %{with_babeld}
-%define daemon_babeld babeld
+ %define daemon_babeld babeld
%else
-%define daemon_babeld ""
+ %define daemon_babeld ""
%endif
%if %{with_watchfrr}
-%define daemon_watchfrr watchfrr
+ %define daemon_watchfrr watchfrr
%else
-%define daemon_watchfrr ""
+ %define daemon_watchfrr ""
%endif
%define all_daemons %{daemon_list} %{daemon_ldpd} %{daemon_pimd} %{daemon_nhrpd} %{daemon_eigrpd} %{daemon_babeld} %{daemon_watchfrr} %{daemon_pbrd}
-# allow build dir to be kept
-%{!?keep_build: %global keep_build 0 }
-
#release sub-revision (the two digits after the CONFDATE)
%{!?release_rev: %global release_rev 01 }
Group: System Environment/Daemons
Source0: https://github.com/FRRouting/frr/archive/%{name}-%{frrversion}.tar.gz
URL: https://www.frrouting.org
+Requires(pre): shadow-utils
Requires(preun): info
Requires(post): info
-BuildRequires: gcc patch libcap-devel
-BuildRequires: readline-devel ncurses-devel
-BuildRequires: json-c-devel bison >= 2.7 flex make
-BuildRequires: c-ares-devel texinfo
+BuildRequires: bison >= 2.7
+BuildRequires: c-ares-devel
+BuildRequires: flex
+BuildRequires: gcc
+BuildRequires: json-c-devel
+BuildRequires: libcap-devel
+BuildRequires: make
+BuildRequires: ncurses-devel
+BuildRequires: readline-devel
+BuildRequires: texinfo
%if 0%{?rhel} && 0%{?rhel} < 7
#python27-devel is available from ius community repo for RedHat/CentOS 6
-BuildRequires: python27-devel python27-sphinx
+BuildRequires: python27-devel
+BuildRequires: python27-sphinx
%else
-BuildRequires: python-devel >= 2.7 python-sphinx
+BuildRequires: python-devel >= 2.7
+BuildRequires: python-sphinx
%endif
-Requires: json-c initscripts
%if %{with_pam}
BuildRequires: pam-devel
%endif
BuildRequires: librtr-devel >= 0.5
%endif
%if "%{initsystem}" == "systemd"
-BuildRequires: systemd systemd-devel
+BuildRequires: systemd
+BuildRequires: systemd-devel
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(preun): chkconfig
# Initscripts > 5.60 is required for IPv6 support
Requires(pre): initscripts >= 5.60
+Requires: initscripts
%endif
Provides: routingdaemon = %{version}-%{release}
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
Obsoletes: gated mrt zebra frr-sysvinit
Conflicts: bird
+
%description
FRRouting is a free software that manages TCP/IP based routing
protocol. It takes multi-server and multi-thread approach to resolve
FRRouting is a fork of Quagga.
+
%package contrib
Summary: contrib tools for frr
Group: System Environment/Daemons
%description contrib
Contributed/3rd party tools which may be of use with frr.
+
%package pythontools
Summary: python tools for frr
BuildRequires: python
%description pythontools
Contributed python 2.7 tools which may be of use with frr.
+
%package devel
Summary: Header and object files for frr development
Group: System Environment/Daemons
The frr-devel package contains the header and object files neccessary for
developing OSPF-API and frr applications.
+
%prep
-%setup -q -n frr-%{frrversion}
+%setup -q -n frr-%{frrversion}
+
%build
%configure \
--sbindir=%{_sbindir} \
- --sysconfdir=%{_sysconfdir} \
- --libdir=%{_libdir} \
- --libexecdir=%{_libexecdir} \
- --localstatedir=%{_localstatedir} \
+ --sysconfdir=%{configdir} \
+ --localstatedir=%{rundir} \
+ --disable-static \
--disable-werror \
--enable-irdp \
-%if !%{with_shared}
- --disable-shared \
-%endif
%if %{with_multipath}
--enable-multipath=%{with_multipath} \
%endif
--with-libpam \
%endif
%if 0%{?frr_user:1}
- --enable-user=%frr_user \
- --enable-group=%frr_user \
+ --enable-user=%{frr_user} \
+ --enable-group=%{frr_user} \
%endif
%if 0%{?vty_group:1}
- --enable-vty-group=%vty_group \
+ --enable-vty-group=%{vty_group} \
%endif
%if %{with_fpm}
--enable-fpm \
%else
--disable-watchfrr \
%endif
+%if %{with_cumulus}
+ --enable-cumulus \
+%endif
%if %{with_bgp_vnc}
--enable-bgp-vnc \
%else
--enable-systemd \
%endif
%if %{with_rpki}
- --enable-rpki \
+ --enable-rpki
+%else
+ --disable-rpki
%endif
- --enable-poll
make %{?_smp_mflags} MAKEINFO="makeinfo --no-split" SPHINXBUILD=%{sphinx}
make SPHINXBUILD=%{sphinx} info
popd
+
%install
-mkdir -p %{buildroot}/etc/{frr,sysconfig,logrotate.d,pam.d,default} \
- %{buildroot}/var/log/frr %{buildroot}%{_infodir}
+mkdir -p %{buildroot}%{_sysconfdir}/{frr,sysconfig,logrotate.d,pam.d,default} \
+ %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir}
make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" SPHINXBUILD=%{sphinx} install
# Remove this file, as it is uninstalled and causes errors when building on RH9
# Remove debian init script if it was installed
rm -f %{buildroot}%{_sbindir}/frr
-# kill bogus libtool files for modules
-rm -f %{buildroot}%{_libdir}/frr/modules/*.la
+# kill bogus libtool files
+rm -vf %{buildroot}%{_libdir}/frr/modules/*.la
+rm -vf %{buildroot}%{_libdir}/*.la
# install /etc sources
%if "%{initsystem}" == "systemd"
mkdir -p %{buildroot}%{_unitdir}
-install -m644 %{zeb_rh_src}/frr.service \
- %{buildroot}%{_unitdir}/frr.service
-install %{zeb_rh_src}/frr.init \
- %{buildroot}%{_sbindir}/frr
+install -m644 %{zeb_rh_src}/frr.service %{buildroot}%{_unitdir}/frr.service
+install %{zeb_rh_src}/frr.init %{buildroot}%{_sbindir}/frr
%else
-mkdir -p %{buildroot}/etc/rc.d/init.d
-install %{zeb_rh_src}/frr.init \
- %{buildroot}%{_sbindir}/frr
-ln -s %{_sbindir}/frr \
- %{buildroot}/etc/rc.d/init.d/frr
+mkdir -p %{buildroot}%{_initddir}
+install %{zeb_rh_src}/frr.init %{buildroot}%{_sbindir}/frr
+ln -s %{_sbindir}/frr %{buildroot}%{_initddir}/frr
%endif
-install %{zeb_rh_src}/daemons %{buildroot}/etc/frr
-install -m644 %{zeb_rh_src}/frr.pam \
- %{buildroot}/etc/pam.d/frr
-install -m644 %{zeb_rh_src}/frr.logrotate \
- %{buildroot}/etc/logrotate.d/frr
-install -d -m750 %{buildroot}/var/run/frr
+install %{zeb_rh_src}/daemons %{buildroot}%{_sysconfdir}/frr
+install -m644 %{zeb_rh_src}/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+install -m644 %{zeb_rh_src}/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+install -d -m750 %{buildroot}%{rundir}
+
%pre
# add vty_group
%if 0%{?vty_group:1}
-if getent group %vty_group > /dev/null ; then : ; else \
- /usr/sbin/groupadd -r -g %vty_gid %vty_group > /dev/null || : ; fi
+ getent group %{vty_group} >/dev/null || groupadd -r -g %{vty_gid} %{vty_group}
%endif
# add frr user and group
%if 0%{?frr_user:1}
-# Ensure that frr_gid gets correctly allocated
-if getent group %frr_user >/dev/null; then : ; else \
- /usr/sbin/groupadd -g %frr_gid %frr_user > /dev/null || : ; \
-fi
-if getent passwd %frr_user >/dev/null ; then : ; else \
- /usr/sbin/useradd -u %frr_uid -g %frr_gid \
- -M -r -s /sbin/nologin -c "FRRouting suite" \
- -d %_localstatedir %frr_user 2> /dev/null || : ; \
-fi
-%if 0%{?vty_group:1}
-/usr/sbin/usermod -a -G %vty_group %frr_user
-%endif
+ # Ensure that frr_gid gets correctly allocated
+ getent group %{frr_user} >/dev/null || groupadd -g %{frr_gid} %{frr_user}
+ getent passwd %{frr_user} >/dev/null || \
+ useradd -r -u %{frr_uid} -g %{frr_user} \
+ -s /sbin/nologin -c "FRRouting suite" \
+ -d %{rundir} %{frr_user}
+
+ %if 0%{?vty_group:1}
+ usermod -a -G %{vty_group} %{frr_user}
+ %endif
%endif
+exit 0
%post
zebra_spec_add_service ()
{
# Add port /etc/services entry if it isn't already there
- if [ -f /etc/services ] && \
- ! %__sed -e 's/#.*$//' /etc/services | %__grep -wq $1 ; then
- echo "$1 $2 # $3" >> /etc/services
+ if [ -f %{_sysconfdir}/services ] && \
+ ! %__sed -e 's/#.*$//' %{_sysconfdir}/services | %__grep -wq $1 ; then
+ echo "$1 $2 # $3" >> %{_sysconfdir}/services
fi
}
zebra_spec_add_service ospfd 2604/tcp "OSPFd vty"
zebra_spec_add_service bgpd 2605/tcp "BGPd vty"
zebra_spec_add_service ospf6d 2606/tcp "OSPF6d vty"
+zebra_spec_add_service isisd 2608/tcp "ISISd vty"
%if %{with_ospfapi}
-zebra_spec_add_service ospfapi 2607/tcp "OSPF-API"
+ zebra_spec_add_service ospfapi 2607/tcp "OSPF-API"
%endif
-zebra_spec_add_service isisd 2608/tcp "ISISd vty"
%if %{with_babeld}
-zebra_spec_add_service babeld 2609/tcp "BABELd vty"
+ zebra_spec_add_service babeld 2609/tcp "BABELd vty"
%endif
%if %{with_nhrpd}
-zebra_spec_add_service nhrpd 2610/tcp "NHRPd vty"
+ zebra_spec_add_service nhrpd 2610/tcp "NHRPd vty"
%endif
%if %{with_pimd}
-zebra_spec_add_service pimd 2611/tcp "PIMd vty"
+ zebra_spec_add_service pimd 2611/tcp "PIMd vty"
%endif
%if %{with_pbrd}
-zebra_spec_add_service pbrd 2615/tcp "PBRd vty"
+ zebra_spec_add_service pbrd 2615/tcp "PBRd vty"
%endif
%if %{with_ldpd}
-zebra_spec_add_service ldpd 2612/tcp "LDPd vty"
+ zebra_spec_add_service ldpd 2612/tcp "LDPd vty"
%endif
%if %{with_eigrpd}
-zebra_spec_add_service eigrpd 2613/tcp "EIGRPd vty"
+ zebra_spec_add_service eigrpd 2613/tcp "EIGRPd vty"
%endif
%if "%{initsystem}" == "systemd"
-for daemon in %all_daemons ; do
- %systemd_post frr.service
-done
+ for daemon in %all_daemons ; do
+ %systemd_post frr.service
+ done
%else
-/sbin/chkconfig --add frr
+ /sbin/chkconfig --add frr
%endif
# Fix bad path in previous config files
# Config files won't get replaced by default, so we do this ugly hack to fix it
-%__sed -i 's|/etc/init.d/|%{_sbindir}/|g' %{_sysconfdir}/daemons 2> /dev/null || true
+%__sed -i 's|/etc/init.d/|%{_sbindir}/|g' %{configdir}/daemons 2> /dev/null || true
# With systemd, watchfrr is mandatory. Fix config to make sure it's enabled if
# we install or upgrade to a frr built with systemd
%if "%{initsystem}" == "systemd"
- %__sed -i 's|watchfrr_enable=no|watchfrr_enable=yes|g' %{_sysconfdir}/daemons 2> /dev/null || true
+ %__sed -i 's|watchfrr_enable=no|watchfrr_enable=yes|g' %{configdir}/daemons 2> /dev/null || true
%endif
/sbin/install-info %{_infodir}/frr.info.gz %{_infodir}/dir
# Create dummy files if they don't exist so basic functions can be used.
-if [ ! -e %{_sysconfdir}/zebra.conf ]; then
- echo "hostname `hostname`" > %{_sysconfdir}/zebra.conf
+if [ ! -e %{configdir}/zebra.conf ]; then
+ echo "hostname `hostname`" > %{configdir}/zebra.conf
%if 0%{?frr_user:1}
- chown %frr_user:%frr_user %{_sysconfdir}/zebra.conf*
+ chown %{frr_user}:%{frr_user} %{configdir}/zebra.conf*
%endif
- chmod 640 %{_sysconfdir}/zebra.conf*
+ chmod 640 %{configdir}/zebra.conf*
fi
for daemon in %{all_daemons} ; do
if [ x"${daemon}" != x"" ] ; then
- if [ ! -e %{_sysconfdir}/${daemon}.conf ]; then
- touch %{_sysconfdir}/${daemon}.conf
+ if [ ! -e %{configdir}/${daemon}.conf ]; then
+ touch %{configdir}/${daemon}.conf
%if 0%{?frr_user:1}
- chown %frr_user:%frr_user %{_sysconfdir}/${daemon}.conf*
+ chown %{frr_user}:%{frr_user} %{configdir}/${daemon}.conf*
%endif
fi
fi
done
%if 0%{?frr_user:1}
- chown %frr_user:%frr_user %{_sysconfdir}/daemons
+ chown %{frr_user}:%{frr_user} %{configdir}/daemons
%endif
%if %{with_watchfrr}
# No config for watchfrr - this is part of /etc/sysconfig/frr
- rm -f %{_sysconfdir}/watchfrr.*
+ rm -f %{configdir}/watchfrr.*
%endif
-if [ ! -e %{_sysconfdir}/vtysh.conf ]; then
- touch %{_sysconfdir}/vtysh.conf
- chmod 640 %{_sysconfdir}/vtysh.conf
+if [ ! -e %{configdir}/vtysh.conf ]; then
+ touch %{configdir}/vtysh.conf
+ chmod 640 %{configdir}/vtysh.conf
%if 0%{?frr_user:1}
-%if 0%{?vty_group:1}
- chown %{frr_user}:%{vty_group} %{_sysconfdir}/vtysh.conf*
-%endif
+ %if 0%{?vty_group:1}
+ chown %{frr_user}:%{vty_group} %{configdir}/vtysh.conf*
+ %endif
%endif
fi
+
%postun
if [ "$1" -ge 1 ]; then
#
##
## init.d Version
##
- /etc/rc.d/init.d/frr restart >/dev/null 2>&1
+ service frr restart >/dev/null 2>&1
%endif
:
fi
+
%preun
%if "%{initsystem}" == "systemd"
##
## init.d Version
##
if [ $1 -eq 0 ] ; then
- /etc/rc.d/init.d/frr stop >/dev/null 2>&1
+ service frr stop >/dev/null 2>&1
/sbin/chkconfig --del frr
fi
%endif
/sbin/install-info --delete %{_infodir}/frr.info.gz %{_infodir}/dir
-%clean
-%if !0%{?keep_build:1}
-rm -rf %{buildroot}
-%endif
%files
-%defattr(-,root,root)
%doc */*.sample* AUTHORS COPYING
%doc doc/mpls
%doc ChangeLog NEWS README
%if 0%{?frr_user:1}
-%dir %attr(751,%frr_user,%frr_user) %{_sysconfdir}
-%dir %attr(750,%frr_user,%frr_user) /var/log/frr
-%dir %attr(751,%frr_user,%frr_user) /var/run/frr
+ %dir %attr(751,%{frr_user},%{frr_user}) %{configdir}
+ %dir %attr(750,%{frr_user},%{frr_user}) %{_localstatedir}/log/frr
+ %dir %attr(751,%{frr_user},%{frr_user}) %{rundir}
%else
-%dir %attr(750,root,root) %{_sysconfdir}
-%dir %attr(750,root,root) /var/log/frr
-%dir %attr(750,root,root) /var/run/frr
+ %dir %attr(750,root,root) %{configdir}
+ %dir %attr(750,root,root) %{_localstatedir}/log/frr
+ %dir %attr(750,root,root) %{rundir}
%endif
%if 0%{?vty_group:1}
-%attr(750,%frr_user,%vty_group) %{_sysconfdir}/vtysh.conf.sample
+ %attr(750,%{frr_user},%{vty_group}) %{configdir}/vtysh.conf.sample
%endif
%{_infodir}/frr.info.gz
%{_mandir}/man*/*
%if %{with_babeld}
%{_sbindir}/babeld
%endif
-%if %{with_shared}
-%{_libdir}/lib*.so
%{_libdir}/lib*.so.0
-%attr(755,root,root) %{_libdir}/lib*.so.0.*
-%endif
+%{_libdir}/lib*.so.0.*
%if %{with_fpm}
-%attr(755,root,root) %{_libdir}/frr/modules/zebra_fpm.so
+ %{_libdir}/frr/modules/zebra_fpm.so
%endif
%if %{with_rpki}
-%attr(755,root,root) %{_libdir}/frr/modules/bgpd_rpki.so
+ %{_libdir}/frr/modules/bgpd_rpki.so
%endif
-%attr(755,root,root) %{_libdir}/frr/modules/zebra_irdp.so
+%{_libdir}/frr/modules/zebra_irdp.so
%{_bindir}/*
-%config(noreplace) /etc/frr/[!v]*.conf*
-%config(noreplace) %attr(750,%frr_user,%frr_user) /etc/frr/daemons
+%config(noreplace) %{configdir}/[!v]*.conf*
+%config(noreplace) %attr(750,%{frr_user},%{frr_user}) %{configdir}/daemons
%if "%{initsystem}" == "systemd"
%{_unitdir}/frr.service
%else
- /etc/rc.d/init.d/frr
+ %{_initddir}/frr
%endif
%{_sbindir}/frr
-%config(noreplace) /etc/pam.d/frr
-%config(noreplace) /etc/logrotate.d/frr
+%config(noreplace) %{_sysconfdir}/pam.d/frr
+%config(noreplace) %{_sysconfdir}/logrotate.d/frr
%{_sbindir}/frr-reload
+
%files contrib
-%defattr(-,root,root)
%doc tools
+
%files pythontools
-%defattr(-,root,root)
%{_sbindir}/frr-reload.py
%{_sbindir}/frr-reload.pyc
%{_sbindir}/frr-reload.pyo
+
%files devel
-%defattr(-,root,root)
+%{_libdir}/lib*.so
%if %{with_ospfclient}
-%{_sbindir}/ospfclient
-%endif
-%{_libdir}/*.a
-%{_libdir}/*.la
-%dir %attr(755,root,root) %{_includedir}/%{name}
-%{_includedir}/%name/*.h
-%dir %attr(755,root,root) %{_includedir}/%{name}/ospfd
-%{_includedir}/%name/ospfd/*.h
+ %{_sbindir}/ospfclient
+%endif
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/*.h
+%dir %{_includedir}/%{name}/ospfd
+%{_includedir}/%{name}/ospfd/*.h
%if %{with_ospfapi}
-%dir %attr(755,root,root) %{_includedir}/%{name}/ospfapi
-%{_includedir}/%name/ospfapi/*.h
+ %dir %{_includedir}/%{name}/ospfapi
+ %{_includedir}/%{name}/ospfapi/*.h
%endif
%if %{with_eigrpd}
-%dir %attr(755,root,root) %{_includedir}/%{name}/eigrpd
-%{_includedir}/%name/eigrpd/*.h
+ %dir %{_includedir}/%{name}/eigrpd
+ %{_includedir}/%{name}/eigrpd/*.h
%endif
+
%changelog
-* Sun May 20 2018 Martin Winter <mwinter@opensourcerouting.org> - %{version}
+* Sun May 20 2018 Martin Winter <mwinter@opensourcerouting.org>
- Fixed RPKI RPM build
* Sun Mar 4 2018 Martin Winter <mwinter@opensourcerouting.org>
for (ALL_LIST_ELEMENTS_RO(ifp->connected, node, connected)) {
struct prefix *p;
- struct route_node *node;
+ struct route_node *n;
p = connected->address;
address.prefix = p->u.prefix6;
address.prefixlen = IPV6_MAX_BITLEN;
- node = route_node_match(ripng_enable_network,
- (struct prefix *)&address);
- if (node) {
- route_unlock_node(node);
+ n = route_node_match(ripng_enable_network,
+ (struct prefix *)&address);
+ if (n) {
+ route_unlock_node(n);
return 1;
}
}