[quagga-dev 8136] Re: [PATCH 05/10] BGP: GTSM support

Balaji G balajig81 at gmail.com
Sun Aug 8 14:57:41 BST 2010


Applied, Thanks.

Cheers,
  - Balaji


On Sun, Aug 8, 2010 at 4:40 PM, Balaji G <balajig81 at gmail.com> wrote:

> Hi Stephen
>
> When I do a `git apply --check` on this patch, I get the following errors.
>
> error: patch failed: lib/sockunion.c:537
> error: lib/sockunion.c: patch does not apply
> error: patch failed: lib/sockunion.h:102
> error: lib/sockunion.h: patch does not apply
>
>
> Thanks,
> Cheers,
>   - Balaji
>
>
>
>
>
>
>
> On Thu, Aug 5, 2010 at 10:56 PM, Stephen Hemminger <shemminger at vyatta.com>wrote:
>
>> This is a revision of the previously submitted patch to
>> add support for BGP TTL security.
>>  http://www.gossamer-threads.com/lists/quagga/dev/17389
>>
>> I fixed a number of problems, such as allowing the hops value to
>> be cleared, and setting the TTL on the listen socket.
>>
>> Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
>>
>> ---
>>  bgpd/bgp_network.c |   18 +++++-
>>  bgpd/bgp_vty.c     |   52 +++++++++++++++--
>>  bgpd/bgpd.c        |  158
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>  bgpd/bgpd.h        |    7 ++
>>  lib/sockunion.c    |   22 +++++++
>>  lib/sockunion.h    |    1
>>  6 files changed, 248 insertions(+), 10 deletions(-)
>>
>> --- a/bgpd/bgp_network.c        2010-08-05 09:56:06.000000000 -0700
>> +++ b/bgpd/bgp_network.c        2010-08-05 10:01:36.001117598 -0700
>> @@ -173,8 +173,12 @@ bgp_accept (struct thread *thread)
>>     }
>>
>>   /* In case of peer is EBGP, we should set TTL for this connection.  */
>> -  if (peer_sort (peer1) == BGP_PEER_EBGP)
>> +  if (peer_sort (peer1) == BGP_PEER_EBGP) {
>>     sockopt_ttl (peer1->su.sa.sa_family, bgp_sock, peer1->ttl);
>> +    if (peer1->gtsm_hops)
>> +      sockopt_minttl (peer1->su.sa.sa_family, bgp_sock,
>> +                     MAXTTL + 1 - peer1->gtsm_hops);
>> +  }
>>
>>   /* Make dummy peer until read Open packet. */
>>   if (BGP_DEBUG (events, EVENTS))
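Review bot: The return value of sockopt_minttl() on the accepted socket is discarded, so when setsockopt fails (or IP_MINTTL is compiled out and the stub in lib/sockunion.c just returns -1 with EOPNOTSUPP) the session carries on with ttl-security configured but no TTL check enforced. bgp_accept starts outside the hunk so its error path is not visible, but the guard should become `if (peer1->gtsm_hops && sockopt_minttl (peer1->su.sa.sa_family, bgp_sock, MAXTTL + 1 - peer1->gtsm_hops) < 0)` followed by closing bgp_sock and returning the failure the surrounding code uses. Note also that the minimum TTL is installed only after accept() has returned, i.e. after the TCP handshake already completed on the listening socket, which a later hunk gives TTL 255 but no minimum TTL; a comment stating that GTSM here protects the BGP session after accept but not the listener's handshake would stop the next reader from assuming otherwise.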
>> @@ -314,8 +318,12 @@ bgp_connect (struct peer *peer)
>>     return -1;
>>
>>   /* If we can get socket for the peer, adjest TTL and make connection. */
>> -  if (peer_sort (peer) == BGP_PEER_EBGP)
>> +  if (peer_sort (peer) == BGP_PEER_EBGP) {
>>     sockopt_ttl (peer->su.sa.sa_family, peer->fd, peer->ttl);
>> +    if (peer->gtsm_hops)
>> +      sockopt_minttl (peer->su.sa.sa_family, peer->fd,
>> +                     MAXTTL + 1 - peer->gtsm_hops);
>> +  }
>>
>>   sockopt_reuseaddr (peer->fd);
>>   sockopt_reuseport (peer->fd);
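Review bot: sockopt_minttl()'s result is ignored here as in bgp_accept(), so an outbound session proceeds without the configured TTL check whenever the option cannot be set; the `return -1` at the top of the hunk shows the failure convention this function uses. Make it `if (peer->gtsm_hops && sockopt_minttl (peer->su.sa.sa_family, peer->fd, MAXTTL + 1 - peer->gtsm_hops) < 0) return -1;`, releasing peer->fd the way the earlier failure path in bgp_connect (outside the hunk) does if that path closes it. A one-line comment that `MAXTTL + 1 - gtsm_hops` is the lowest TTL a packet from a peer at most gtsm_hops routers away can arrive with would also help, since the same expression is repeated in four places across the patch.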
>> @@ -463,6 +471,9 @@ bgp_socket (unsigned short port, const c
>>          continue;
>>        }
>>
>> +      /* if we intend to implement ttl-security, this socket needs
>> ttl=255 */
>> +      sockopt_ttl (ainfo->ai_family, sock, MAXTTL);
>> +
>>       ret = bgp_listener (sock, ainfo->ai_addr, ainfo->ai_addrlen);
>>       if (ret == 0)
>>        ++count;
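Review bot: The new `sockopt_ttl (ainfo->ai_family, sock, MAXTTL)` call is unchecked and its comment does not say why every listener now sends TTL 255 even when no peer has ttl-security. As far as the patch shows, the per-peer TTL is only applied in bgp_accept() after the handshake, so the listener presumably has to send 255 already for a GTSM-enforcing peer to accept our SYN/ACK — please confirm that reading. Suggested comment: `/* A GTSM peer drops packets below its TTL threshold; the listener must already send MAXTTL so the handshake with such a peer completes before bgp_accept() applies the per-peer TTL. */`, and treat a failed sockopt_ttl() like the other failures in this loop rather than silently continuing.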
>> @@ -495,6 +506,9 @@ bgp_socket (unsigned short port, const c
>>       return sock;
>>     }
>>
>> +  /* if we intend to implement ttl-security, this socket needs ttl=255 */
>> +  sockopt_ttl (AF_INET, sock, MAXTTL);
>> +
>>   memset (&sin, 0, sizeof (struct sockaddr_in));
>>   sin.sin_family = AF_INET;
>>   sin.sin_port = htons (port);
>> --- a/bgpd/bgp_vty.c    2010-08-05 09:46:42.000000000 -0700
>> +++ b/bgpd/bgp_vty.c    2010-08-05 10:01:12.479632027 -0700
>> @@ -213,6 +213,9 @@ bgp_vty_return (struct vty *vty, int ret
>>     case BGP_ERR_TCPSIG_FAILED:
>>       str = "Error while applying TCP-Sig to session(s)";
>>       break;
>> +    case BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK:
>> +      str = "ebgp-multihop and ttl-security cannot be configured
>> together";
>> +      break;
>>     }
>>   if (str)
>>     {
>> @@ -2636,9 +2639,8 @@ peer_ebgp_multihop_set_vty (struct vty *
>>   else
>>     VTY_GET_INTEGER_RANGE ("TTL", ttl, ttl_str, 1, 255);
>>
>> -  peer_ebgp_multihop_set (peer, ttl);
>> -
>> -  return CMD_SUCCESS;
>> +  return bgp_vty_return (vty,
>> +                        peer_ebgp_multihop_set (peer, ttl) );
>>  }
>>
>>  static int
>> @@ -2650,9 +2652,7 @@ peer_ebgp_multihop_unset_vty (struct vty
>>   if (! peer)
>>     return CMD_WARNING;
>>
>> -  peer_ebgp_multihop_unset (peer);
>> -
>> -  return CMD_SUCCESS;
>> +  return bgp_vty_return (vty, peer_ebgp_multihop_unset (peer));
>>  }
>>
>>  /* neighbor ebgp-multihop. */
>> @@ -3954,6 +3954,42 @@ DEFUN (no_neighbor_allowas_in,
>>   return bgp_vty_return (vty, ret);
>>  }
>>
>> +DEFUN (neighbor_ttl_security,
>> +       neighbor_ttl_security_cmd,
>> +       NEIGHBOR_CMD2 "ttl-security hops <1-254>",
>> +       NEIGHBOR_STR
>> +       NEIGHBOR_ADDR_STR2
>> +       "Specify the maximum number of hops to the BGP peer\n")
>> +{
>> +  struct peer *peer;
>> +  int gtsm_hops;
>> +
>> +  peer = peer_and_group_lookup_vty (vty, argv[0]);
>> +  if (! peer)
>> +    return CMD_WARNING;
>> +
>> +  VTY_GET_INTEGER_RANGE ("", gtsm_hops, argv[1], 1, 254);
>> +
>> +  return bgp_vty_return (vty, peer_ttl_security_hops_set (peer,
>> gtsm_hops));
>> +}
>> +
>> +DEFUN (no_neighbor_ttl_security,
>> +       no_neighbor_ttl_security_cmd,
>> +       NO_NEIGHBOR_CMD2 "ttl-security hops <1-254>",
>> +       NO_STR
>> +       NEIGHBOR_STR
>> +       NEIGHBOR_ADDR_STR2
>> +       "Specify the maximum number of hops to the BGP peer\n")
>> +{
>> +  struct peer *peer;
>> +
>> +  peer = peer_and_group_lookup_vty (vty, argv[0]);
>> +  if (! peer)
>> +    return CMD_WARNING;
>> +
>> +  return bgp_vty_return (vty, peer_ttl_security_hops_unset (peer));
>> +}
>> +
>>  /* Address family configuration.  */
>>  DEFUN (address_family_ipv4,
>>        address_family_ipv4_cmd,
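Review bot: VTY_GET_INTEGER_RANGE is passed "" as the value name, so an out-of-range hops argument produces an error message with a blank field where the neighbouring commands name the parameter (e.g. "TTL" in peer_ebgp_multihop_set_vty); use `VTY_GET_INTEGER_RANGE ("hops", gtsm_hops, argv[1], 1, 254);`. The `no` form declares `hops <1-254>` as a mandatory token but never reads argv[1], so any value is silently accepted there; either validate it the same way or add `/* argv[1] (hops) is accepted for symmetry with the set form but ignored: unset always clears ttl-security. */` above the lookup. Both DEFUNs also give one help string for the three tokens `ttl-security`, `hops` and `<1-254>`, whereas the other commands in this file appear to supply one help line per token; please check that the CLI help renders as intended.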
>> @@ -9909,6 +9945,10 @@ bgp_vty_init (void)
>>   install_element (BGP_IPV6_NODE,
>> &no_bgp_redistribute_ipv6_metric_rmap_cmd);
>>  #endif /* HAVE_IPV6 */
>>
>> +  /* ttl_security commands */
>> +  install_element (BGP_NODE, &neighbor_ttl_security_cmd);
>> +  install_element (BGP_NODE, &no_neighbor_ttl_security_cmd);
>> +
>>   /* "show bgp memory" commands. */
>>   install_element (VIEW_NODE, &show_bgp_memory_cmd);
>>   install_element (RESTRICTED_NODE, &show_bgp_memory_cmd);
>> --- a/bgpd/bgpd.c       2010-08-05 09:46:42.000000000 -0700
>> +++ b/bgpd/bgpd.c       2010-08-05 10:02:53.716931995 -0700
>> @@ -1379,6 +1379,7 @@ peer_group_get (struct bgp *bgp, const c
>>   group->conf->group = group;
>>   group->conf->as = 0;
>>   group->conf->ttl = 1;
>> +  group->conf->gtsm_hops = 0;
>>   group->conf->v_routeadv = BGP_DEFAULT_EBGP_ROUTEADV;
>>   UNSET_FLAG (group->conf->config, PEER_CONFIG_TIMER);
>>   UNSET_FLAG (group->conf->config, PEER_CONFIG_CONNECT);
>> @@ -1416,6 +1417,9 @@ peer_group2peer_config_copy (struct peer
>>   /* TTL */
>>   peer->ttl = conf->ttl;
>>
>> +  /* GTSM hops */
>> +  peer->gtsm_hops = conf->gtsm_hops;
>> +
>>   /* Weight */
>>   peer->weight = conf->weight;
>>
>> @@ -2663,10 +2667,36 @@ peer_ebgp_multihop_set (struct peer *pee
>>  {
>>   struct peer_group *group;
>>   struct listnode *node, *nnode;
>> +  struct peer *peer1;
>>
>>   if (peer_sort (peer) == BGP_PEER_IBGP)
>>     return 0;
>>
>> +  /* see comment in peer_ttl_security_hops_set() */
>> +  if (ttl != MAXTTL)
>> +    {
>> +      if (CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> +        {
>> +          group = peer->group;
>> +          if (group->conf->gtsm_hops != 0)
>> +            return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +
>> +          for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer1))
>> +            {
>> +              if (peer_sort (peer1) == BGP_PEER_IBGP)
>> +                continue;
>> +
>> +              if (peer1->gtsm_hops != 0)
>> +                return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +            }
>> +        }
>> +      else
>> +        {
>> +          if (peer->gtsm_hops != 0)
>> +            return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +        }
>> +    }
>> +
>>   peer->ttl = ttl;
>>
>>   if (! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
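Review bot: The `ttl != MAXTTL` exemption deserves its own comment: the cross-reference to peer_ttl_security_hops_set() does not tell the reader that MAXTTL is exactly what that function passes in when enabling GTSM, so only a genuine multihop value conflicts. Suggest `/* ttl == MAXTTL is what peer_ttl_security_hops_set() itself requests; only a real ebgp-multihop value conflicts with ttl-security. */` above the check. The loop variable `peer1` is also easy to confuse with the `peer` parameter; `member` would read better. peer_ebgp_multihop_set continues past the end of the hunk.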
>> @@ -2700,6 +2730,9 @@ peer_ebgp_multihop_unset (struct peer *p
>>   if (peer_sort (peer) == BGP_PEER_IBGP)
>>     return 0;
>>
>> +  if (peer->gtsm_hops != 0 && peer->ttl != MAXTTL)
>> +      return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +
>>   if (peer_group_active (peer))
>>     peer->ttl = peer->group->conf->ttl;
>>   else
>> @@ -4331,6 +4364,122 @@ peer_maximum_prefix_unset (struct peer *
>>   return 0;
>>  }
>>
>> +/* Set # of hops between us and BGP peer. */
>> +int
>> +peer_ttl_security_hops_set (struct peer *peer, int gtsm_hops)
>> +{
>> +  struct peer_group *group;
>> +  struct listnode *node, *nnode;
>> +  struct peer *peer1;
>> +  int ret;
>> +
>> +  zlog_debug ("peer_ttl_security_hops_set: set gtsm_hops to %d for %s",
>> gtsm_hops, peer->host);
>> +
>> +  if (peer_sort (peer) == BGP_PEER_IBGP)
>> +    return 0;
>> +
>> +  /* We cannot configure ttl-security hops when ebgp-multihop is already
>> +     set.  For non peer-groups, the check is simple.  For peer-groups,
>> it's
>> +     slightly messy, because we need to check both the peer-group
>> structure
>> +     and all peer-group members for any trace of ebgp-multihop
>> configuration
>> +     before actually applying the ttl-security rules.  Cisco really made
>> a
>> +     mess of this configuration parameter, and OpenBGPD got it right.
>> +  */
>> +  if (peer->gtsm_hops == 0) {
>> +    if (CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> +      {
>> +       group = peer->group;
>> +       if (group->conf->ttl != 1)
>> +         return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +
>> +       for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer1))
>> +         {
>> +           if (peer_sort (peer1) == BGP_PEER_IBGP)
>> +             continue;
>> +
>> +           if (peer1->ttl != 1)
>> +             return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +         }
>> +      }
>> +    else
>> +      {
>> +       if (peer->ttl != 1)
>> +         return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
>> +      }
>> +
>> +    /* specify MAXTTL on outgoing packets */
>> +    ret = peer_ebgp_multihop_set (peer, MAXTTL);
>> +    if (ret != 0)
>> +      return ret;
>> +  }
>> +
>> +  peer->gtsm_hops = gtsm_hops;
>> +
>> +  if (! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> +    {
>> +      if (peer->fd >= 0 && peer_sort (peer) != BGP_PEER_IBGP)
>> +       sockopt_minttl (peer->su.sa.sa_family, peer->fd, MAXTTL + 1 -
>> gtsm_hops);
>> +    }
>> +  else
>> +    {
>> +      group = peer->group;
>> +      for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer))
>> +       {
>> +         if (peer_sort (peer) == BGP_PEER_IBGP)
>> +           continue;
>> +
>> +         peer->gtsm_hops = group->conf->gtsm_hops;
>> +
>> +         if (peer->fd >= 0 && peer->gtsm_hops != 0)
>> +            sockopt_minttl (peer->su.sa.sa_family, peer->fd, MAXTTL + 1 -
>> peer->gtsm_hops);
>> +       }
>> +    }
>> +
>> +  return 0;
>> +}
>> +
>> +int
>> +peer_ttl_security_hops_unset (struct peer *peer)
>> +{
>> +  struct peer_group *group;
>> +  struct listnode *node, *nnode;
>> +  struct peer *opeer;
>> +
>> +  zlog_debug ("peer_ttl_security_hops_unset: set gtsm_hops to zero for
>> %s", peer->host);
>> +
>> +  if (peer_sort (peer) == BGP_PEER_IBGP)
>> +      return 0;
>> +
>> +  /* if a peer-group member, then reset to peer-group default rather than
>> 0 */
>> +  if (peer_group_active (peer))
>> +    peer->gtsm_hops = peer->group->conf->gtsm_hops;
>> +  else
>> +    peer->gtsm_hops = 0;
>> +
>> +  opeer = peer;
>> +  if (! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
>> +    {
>> +      if (peer->fd >= 0 && peer_sort (peer) != BGP_PEER_IBGP)
>> +       sockopt_minttl (peer->su.sa.sa_family, peer->fd, 0);
>> +    }
>> +  else
>> +    {
>> +      group = peer->group;
>> +      for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer))
>> +       {
>> +         if (peer_sort (peer) == BGP_PEER_IBGP)
>> +           continue;
>> +
>> +         peer->gtsm_hops = 0;
>> +
>> +         if (peer->fd >= 0)
>> +           sockopt_minttl (peer->su.sa.sa_family, peer->fd, 0);
>> +       }
>> +    }
>> +
>> +  return peer_ebgp_multihop_unset (opeer);
>> +}
>> +
>>  int
>>  peer_clear (struct peer *peer)
>>  {
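Review bot: peer_ttl_security_hops_set() stores gtsm_hops and returns 0 regardless of what sockopt_minttl() returns, so on a kernel or build without IP_MINTTL the CLI accepts `ttl-security hops N`, the line is written to the config, and the operator believes the session is protected while the socket enforces nothing (the #else stub in lib/sockunion.c only sets errno). Check the result of each sockopt_minttl() call and report it the way a failed TCP-MD5 setup is reported through BGP_ERR_TCPSIG_FAILED — a new error code next to BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK — rather than relying on a log line that the #else build never emits. In peer_ttl_security_hops_unset(), a peer-group member keeps the group's value (`peer->gtsm_hops = peer->group->conf->gtsm_hops`) but the next branch still clears the socket's minimum TTL to 0, leaving the recorded state and the socket inconsistent until the next reconnect; use `sockopt_minttl (peer->su.sa.sa_family, peer->fd, peer->gtsm_hops ? MAXTTL + 1 - peer->gtsm_hops : 0);`. The group loop in the set function also reuses `peer` as the iterator (which is why the unset variant needs `opeer`); an explicit `member` variable in both would be clearer, and the unconditional zlog_debug() calls look like they should be guarded like the other debug output in bgpd.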
>> @@ -4635,12 +4784,19 @@ bgp_config_write_peer (struct vty *vty,
>>          vty_out (vty, " neighbor %s passive%s", addr, VTY_NEWLINE);
>>
>>       /* EBGP multihop.  */
>> -      if (peer_sort (peer) != BGP_PEER_IBGP && peer->ttl != 1)
>> +      if (peer_sort (peer) != BGP_PEER_IBGP && peer->ttl != 1 &&
>> +                   !(peer->gtsm_hops != 0 && peer->ttl == MAXTTL))
>>         if (! peer_group_active (peer) ||
>>            g_peer->ttl != peer->ttl)
>>          vty_out (vty, " neighbor %s ebgp-multihop %d%s", addr, peer->ttl,
>>                   VTY_NEWLINE);
>>
>> +     /* ttl-security hops */
>> +      if (peer_sort (peer) != BGP_PEER_IBGP && peer->gtsm_hops != 0)
>> +        if (! peer_group_active (peer) || g_peer->gtsm_hops !=
>> peer->gtsm_hops)
>> +          vty_out (vty, " neighbor %s ttl-security hops %d%s", addr,
>> +                   peer->gtsm_hops, VTY_NEWLINE);
>> +
>>       /* disable-connected-check.  */
>>       if (CHECK_FLAG (peer->flags, PEER_FLAG_DISABLE_CONNECTED_CHECK))
>>        if (! peer_group_active (peer) ||
>> --- a/bgpd/bgpd.h       2010-08-05 09:46:42.000000000 -0700
>> +++ b/bgpd/bgpd.h       2010-08-05 10:01:12.487631170 -0700
>> @@ -303,6 +303,7 @@ struct peer
>>   /* Peer information */
>>   int fd;                      /* File descriptor */
>>   int ttl;                     /* TTL of TCP connection to the peer. */
>> +  int gtsm_hops;               /* minimum hopcount to peer */
>>   char *desc;                  /* Description of the peer. */
>>   unsigned short port;          /* Destination port for peer */
>>   char *host;                  /* Printable address of the peer. */
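Review bot: The field comment `/* minimum hopcount to peer */` contradicts the CLI help in the same patch ("maximum number of hops to the BGP peer") and the way the value is used (the socket is asked to reject packets below `MAXTTL + 1 - gtsm_hops`); suggest `/* ttl-security: max hops to peer, 0 = off; packets with TTL < MAXTTL + 1 - gtsm_hops are dropped */`. A note that the field is only meaningful for EBGP peers, since every setter in the patch returns early for BGP_PEER_IBGP, would also help readers of the struct.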
>> @@ -800,7 +801,8 @@ enum bgp_clear_type
>>  #define BGP_ERR_LOCAL_AS_ALLOWED_ONLY_FOR_EBGP  -27
>>  #define BGP_ERR_CANNOT_HAVE_LOCAL_AS_SAME_AS    -28
>>  #define BGP_ERR_TCPSIG_FAILED                  -29
>> -#define BGP_ERR_MAX                             -30
>> +#define BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK  -30
>> +#define BGP_ERR_MAX                            -31
>>
>>  extern struct bgp_master *bm;
>>
>> @@ -953,4 +955,7 @@ extern int peer_maximum_prefix_unset (st
>>  extern int peer_clear (struct peer *);
>>  extern int peer_clear_soft (struct peer *, afi_t, safi_t, enum
>> bgp_clear_type);
>>
>> +extern int peer_ttl_security_hops_set (struct peer *, int);
>> +extern int peer_ttl_security_hops_unset (struct peer *);
>> +
>>  #endif /* _QUAGGA_BGPD_H */
>> --- a/lib/sockunion.c   2010-08-05 09:56:08.000000000 -0700
>> +++ b/lib/sockunion.c   2010-08-05 10:01:12.487631170 -0700
>> @@ -537,6 +537,28 @@ sockopt_cork (int sock, int onoff)
>>  #endif
>>  }
>>
>> +int
>> +sockopt_minttl (int family, int sock, int minttl)
>> +{
>> +#ifdef IP_MINTTL
>> +  int ret;
>> +
>> +  ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl,
>> sizeof(minttl));
>> +  if (ret < 0)
>> +    {
>> +      zlog (NULL, LOG_WARNING,
>> +           "can't set sockopt IP_MINTTL to %d on socket %d: %s",
>> +           minttl, sock, safe_strerror (errno));
>> +      return -1;
>> +    }
>> +
>> +  return 0;
>> +#else
>> +  errno = EOPNOTSUPP;
>> +  return -1;
>> +#endif /* IP_MINTTL */
>> +}
>> +
>>  /* If same family and same prefix return 1. */
>>  int
>>  sockunion_same (union sockunion *su1, union sockunion *su2)
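Review bot: sockopt_minttl() takes `family` but never uses it: IP_MINTTL is an IPPROTO_IP option, so for an AF_INET6 peer the call either fails or does not govern the IPv6 hop limit, and an IPv6 session configured with ttl-security gets at most a warning and no enforcement. The #else branch is worse: it sets errno and returns -1 without logging, and since both callers in bgpd ignore the return value, a build without IP_MINTTL silently accepts the configuration. At minimum branch on the family and warn in every unsupported case so the failure is visible; if the platform provides an IPv6 minimum-hop-count option it belongs in an AF_INET6 branch here.
```c
int
sockopt_minttl (int family, int sock, int minttl)
{
#ifdef IP_MINTTL
  if (family == AF_INET)
    {
      int ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
      if (ret < 0)
        {
          zlog (NULL, LOG_WARNING,
                "can't set sockopt IP_MINTTL to %d on socket %d: %s",
                minttl, sock, safe_strerror (errno));
          return -1;
        }
      return 0;
    }
#endif /* IP_MINTTL */

  /* Either no IP_MINTTL on this platform, or a family (e.g. AF_INET6) for
     which we have no minimum-hop-count option: say so loudly, because the
     callers otherwise assume ttl-security is in force. */
  zlog (NULL, LOG_WARNING,
        "can't enforce minimum TTL %d on socket %d: unsupported for address family %d",
        minttl, sock, family);
  errno = EOPNOTSUPP;
  return -1;
}
```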
>> --- a/lib/sockunion.h   2010-08-05 09:56:08.000000000 -0700
>> +++ b/lib/sockunion.h   2010-08-05 10:01:12.487631170 -0700
>> @@ -102,6 +102,7 @@ extern int sockopt_reuseport (int);
>>  extern int sockunion_bind (int sock, union sockunion *,
>>                            unsigned short, union sockunion *);
>>  extern int sockopt_ttl (int family, int sock, int ttl);
>> +extern int sockopt_minttl (int family, int sock, int minttl);
>>  extern int sockopt_cork (int sock, int onoff);
>>  extern int sockunion_socket (union sockunion *su);
>>  extern const char *inet_sutop (union sockunion *su, char *str);
>>
>>
>>
>
>

