Relase Overview:
* BFD the ability to listen for specific VRFs only
- Configure which VRFs the BFD daemon will listen to. By default, BFD listens to all VRFs
present in the system, including the default VRF. Default VRF must be specified as `default`.
* BGP SRv6/MPLS coexistence
- Allow MPLS and SRv6 to coexist on the same L3VRF, even for a given prefix. This feature is
important in brown fields where some operators want to migrate from MPLS to SRv6 backbone.
* BGP SRv6 locator per VRF support
- Ability to choose SRv6 locator per VRF.
* BGP Error handling (RFC 7606) for iBGP peers
- Before 10.5.0, once we received a malformed packet between iBGP peers, we always reset the
session, and with this release, we handle malformed packets the same way as for eBGP
(by withdrawing or discarding the malformed packets).
* BGP IPv6 Link-Local Capability is disabled by default
- In 10.4.0, this capability was enabled by default for a “datacenter” profile, but it’s disabled
for 10.5.0 and will be backported to 10.4.2 as well. The problem arises when the receiver has
configured a route-map with `set ipv6 next-hop prefer-global` and we send only an IPv6 Link-Local
address; therefore, it was decided to revert it to be disabled by default.
* BGP BGPID Next-Hop Characteristic
- In some cases, the BGP speaker sending a route might encode only a link-local address and no
global address. To provide uniqueness in this case, it is sufficient to associate the BGP
Identifier and AS Number of the route's sender. The BGP Identifier Characteristic
(BGPID) provides a way to convey this information if required.
* BGP EVPN flooding per VNI support
- Add an ability to adjust BUM flooding per VNI, instead of just globally. E.g., disable flooding
only for an arbitrary VNI.
* BGP RPKI strict mode
- RPKI strict mode prevents BGP from establishing a session if no RPKI cache server
is connected.
* BGP rejects AS_SET by default**
- Until 10.5.0, it was disabled by default, and since RFC 9774 was published, we switched this on
by default (to reject).
* BGP has lots of improvements for Graceful-Restart**
* PIM/PIMv6 route-map support to allow users to filter IGMP/MLD joins using source, group, and
interface combinations
* Support for multiple SRv6 locators
- This extends the SRv6 SID Manager to add support for multiple locators.
* Zebra 16-bit next hop weights support
- The weights used in ECMP’s consistent hashing have been widened from 8 bits to 16 bits since
the 6.12 Linux kernel.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop the "datacenter" PACKAGECONFIG, because it became obsolete:
"The --enable-datacenter compile time option is deprecated. Please modify the init script to pass -F datacenter to the daemons instead."
Note: grpc PACKAGECONFIG seems to be broken (it was broken in the previous version also).
At the first sight it looks that the application's Makefile enforces c++11 standard,
but abseil (which is a dependency of grpc) requires at least c++17.
Changelog:
10.4.1:
- bgpd: initialize local variable
- ospfd: Use after free cleanup of lsa
- vtysh: copy config from file should actually apply
- Revert PR #18358: BGP evpn testing and bug fixes related to non default EVPN backbone
- topotests: improve embedded RP test reliability
- lib, zebra: mark singleton nexthops inactive/active on link state changes for wecmp
- bgpd: LL next-hop capabilty fixes
- eigrp: validate hello packets and tlvs better
- bgpd: Fix compilation error in bgpd module: Update TP_ARGS for bgp
- bgpd: Ensure addpath does not withdraw selected route in some situations
- bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val
- bgpd: LL next-hop capabilty fixes (round 2)
- lib: compute link-state zapi message size
- zebra: Fix buffer overflows found by fuzzing.
10.4:
- BGP BFD Strict-Mode
- BGP Link-Local Next Hop Capability [draft-ietf-idr-linklocal-capability]
- BGP Transparent mode
- BGP Next Hop Dependent Characteristics Attribute [draft-ietf-idr-entropy-label]
- IGMP and MLD group/source limits
- PIM dense and sparse-dense mode support [RFC3973]
- IGMPv2/MLDv1 immediate leave
- v4-via-v6 nexthop support for static routes
- Timeout for vtysh
- Discover PREF64 in Router Advertisements [RFC8781]
10.3.2:
- bgpd: correct no form commands
- bgpd: fix to show exist/non-exist-map in 'show run' properly
- redhat: make FRR RPM build to work on RedHat 10
- build: check for libunwind.h, not unwind.h
- bgpd: use AS4B format for BGP loc-rib messages.
- bgpd: fix for the validity and the presence of prefixes in the BGP VPN table.
- bgpd: Force adj-rib-out updates if MRAI is kicked in
- zebra: Provide SID value when sending SRv6 SID release notify message
- bgpd: Fix crash when fetching statistics for bgp instance
- nhrpd: fix crash when accessing invalid memory zone
- zebra: Initialize RB tree for router tables
- zebra: fix null pointer dereference in zebra_evpn_sync_neigh_del
- zebra: fix stale NHG in kernel
- bgpd: Fix incorrect stripping of transitive extended communities
- lib: Fix no on-match goto NUM command
- bgpd: Fix extended community check for IP non-transitive type
- bgpd: Fix DEREF_OF_NULL.EX.COND in bgp_updgrp_packet
- lib: revert addition of vtysh_flush() call in vty_out()
- bgpd: Extract link bandwidth value from extcommunity before using for WCMP
- Use ipv4 class E addresses (240.0.0.0/4) as connected routes by default
- bfdd: Set bfd.LocalDiag when transitioning to AdminDown
- zebra: clean up a json object leak
- bgpd: Do not try to reuse freed route-maps
- lib: fix routemap crash
- bgpd: initialize local variable
- ospfd: Use after free cleanup of lsa
- vtysh: copy config from file should actually apply
- bgpd : Fix compilation error in bgpd module: Update TP_ARGS for bgp
- bgpd: Ensure addpath does not withdraw selected route in some situations
- lib, zebra: mark singleton nexthops inactive/active on link state changes for wecmp
- eigrp: validate hello packets and tlvs better
- bgpd: [GR] fixed selectionDeferralTimer to display select_defer_time val
10.3.1:
- Check valid babel port
- Fix incorrect type assignment in parse_request_subtlv
- Fix `set evpn gateway-ip ipv[46]` route-map
- Fix bmp heap use after free on non connected session
- Fix evpn attributes being dropped on input
- Fix holdtime not working properly when busy
- Fix leaked memory when showing some bgp routes
- Fixed crash upon bgp network import-check command
- On shutdown free up memory leak found by topotest
- Prevent crash when issuing a show rpki connections
- Remove unused defines from bgp_label.h
- Retain the routes if we do a clear with n-bit set for graceful-restart
- Set the label for mp_unreach_nlri 0x800000 instead of 0x000000
- Treat the peer as not active due to bfd down only if established
- Fix incorrect bestpath reasoning in some situations
- Fix show bgp vpn rd json
- Add total path count for bgp net in json output
- Fix import all adj-rib-in and loc-rib after bmp connects
- On shutdown prefix/access list memory was being leaked
- Fix srv6_sid memory leak
- Free up leaked prefix-list memory on shutdown
- Create vrf if needed
- Return duplicate ipv6 prefix-list entry test
- Return duplicate prefix-list entry test
- Add hop count validation before forwarding in nhrp_peer_recv()
- Disable and delete ospfv3 areas that no longer have interfaces or configuration.
- Fix lsa memory leaks related to graceful restart
- Fix crash when ospf client connects before doing 'router ospf'
- Fix for crash during networking restart
- Fix memory leak on shutdown
- Initialize gm proxy to false
- Make docs and rpki optional for rpm package build
- Make sure zeromq is always disabled
- Revert - Add option to build pkg without docs and rpki support
- Add Workaround for inet_ntop replacement which breaks rpms
- Avoid requesting srv6 sid from zebra when loc and sid block dont match
- Add more tests to bgp_rpki_topo1 test
- Add nb test binary to .gitignore
- Add route-map evpn set gateway-ip topotest
- Check if routes are marked as stale and retained with n-bit for gr
- Fix typo when configuring delayopen timer
- Fix wait times in test_ospf6_gr_topo1 topotest
- Use label 0x800000 instead of 0x000000 for bmp tests
- Use little-endian order for libyang api
- Fix reload script for srv6 locators and formats
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Error: Transaction test error:
file /usr/share/yang/ietf-netconf-acm.yang conflicts between attempted installs of libsmi-yang-0.5.0-r0.aarch64 and frr-10.0-r0.aarch64
file /usr/share/yang/ietf-netconf-with-defaults.yang conflicts between attempted installs of libsmi-yang-0.5.0-r0.aarch64 and frr-10.0-r0.aarch64
file /usr/share/yang/ietf-netconf.yang conflicts between attempted installs of libsmi-yang-0.5.0-r0.aarch64 and frr-10.0-r0.aarch64
libsmi also uses the doc 'ietf-netconf-acm.yang ietf-netconf-with-defaults.yang ietf-netconf.yang'.
libsmi has a priority of 50.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* as oe-core did in:
https://git.openembedded.org/openembedded-core/commit/?id=d4c346e8ab
* when people are have to maintain own PRs for recipes in oe-core, they
might add them for meta-oe recipes at the same time when upgrading
to next LTS
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Error: Transaction test error:
file /usr/share/yang/ietf-interfaces.yang conflicts between attempted installs of libsmi-yang-0.5.0-r0.cortexa57 and frr-9.1-r1.cortexa57
libsmi also uses the doc 'ietf-interfaces.yang'.
libsmi has a priority of 50.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-tools-make-quiet-actually-suppress-output.patch
CVE-2023-46752.patch
CVE-2023-46753.patch
CVE-2023-47234.patch
CVE-2023-47235.patch
removed since they're included in 9.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748
Patch from:
ae1e0e1fed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Now frr can support more arches as libyang can be built on all arches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add UPSTREAM_CHECK_GITTAGREGEX to check the correct latest stable
verison.
Before the patch:
$ devtool latest-version frr
INFO: Current version: 8.4.2
INFO: Latest version: 9.0
INFO: Latest version's commit: 16c38045b1a84f899da473398779cc593d82d2bd
Version 9.0 is a development tag[1].
After the patch:
$ devtool latest-version frr
INFO: Current version: 8.4.2
INFO: Latest version: 8.4.2
INFO: Latest version's commit: 9e25d07412e92bdcd1f69c4755dc7564b23023c0
[1] https://github.com/FRRouting/frr/tags
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2022-37032:
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may
lead to a segmentation fault and denial of service. This occurs in
bgp_capability_msg_parse in bgpd/bgp_packet.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-37032
Patch from:
066770ac1c
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport patches to fix build error with --disable-ospfapi and
CVE-2022-37035.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a parallel build error in separate build directory:
| /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/recipe-sysroot-native/usr/lib/clippy ../git/python/clidef.py -o isisd/isis_cli_clippy.c ../git/isisd/isis_cli.c
| Traceback (most recent call last):
| File "../git/python/clidef.py", line 466, in <module>
| clippy.wrdiff(
| File "/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/git/python/clippy/__init__.py", line 78, in wrdiff
| with open(newname, "w") as out:
| FileNotFoundError: [Errno 2] No such file or directory: 'isisd/isis_cli_clippy.c.new-372541'
| make[1]: Leaving directory '/home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/frr/8.2.2-r0/build'
| make[1]: *** [Makefile:17386: isisd/isis_cli_clippy.c] Error 1
This is beacuse clidef.py only creates new file but doesn't check if
parent directory exists. Inherit autotools-brokensep can fix this issue
as these parent directories always exist in source directory.
Also set ac_cv_path_PERL to '/usr/bin/env perl' to avoid path too long.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The Forwarding Plane Manager support is optional, make it as
PACKAGECONFIG.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
FRRouting (FRR) is a free and open source Internet routing protocol
suite for Linux and Unix platforms. It implements BGP, OSPF, RIP, IS-IS,
PIM, LDP, BFD, Babel, PBR, OpenFabric and VRRP, with alpha support for
EIGRP and NHRP.
FRRouting is a fork of Quagga. The main git lives on
https://github.com/frrouting/frr.git
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
