tests: Use `show module` to get bgp's pidThe topotest is using `pidof bgpd` which is ok
when you run a test by itself, but when you
are running the topotests in parallel, this
is a bit of a problem. Fix.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
ci: fail topotest step when parallel run lacks JUnit failuresWhen the parallel pytest run exits non-zero but analyze.py finds no
failures in topotests.xml, fail the step instead of treating it as a pass.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
topotests: avoid hang opening ExaBGP peer FIFOsBlocking open() on per-peer FIFOs waits for exa_readpipe.py, which only
starts after ExaBGP finishes slow hostname lookups under parallel runs.
Use non-blocking open with retries and add peer names to /etc/hosts in
the Docker entrypoint so Rocky/container runs do not stall indefinitely.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
topotests: reap mutini children during munet and xdist teardownParallel pytest-xdist runs could hang at session end when workers left
mutini namespace processes as unreaped zombies. cleanup_pid() sent
SIGKILL without waitpid(), and session cleanup only ran on the controller.
Reap PIDs after SIGKILL, sweep zombies after async_cleanup_proc(), run
cleanup_current() on every worker, and waitpid in stop_topology().
Signed-off-by: Jafar Al-Gharaibeh <jafar@atc...
bfdd, doc, topotests: add support for meticulous algorithmAdd configuration command to enable authentication meticulous algorithm.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add authentication cleartext and sha1 errorsAdd rx authentication errors related to cleartext and sha1 password cases.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
topotests: add bfd authentication testEstablish BFD sessions between 2 peers, and test the simple and sha1
authentication mechanisms. Check also the configuration changes, ensure
that the BFD behaves like the RFC.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add sha1 support for bfd authenticationAdd SHA1 support for BFD keychain based authentication:
- send sha1 authentication packet
- receive and check sha1 authentication packet
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add authentication display in peers and profilesThe `__diplay_peer` and `__display_peer_json` function
is modified to check if authentication is enabled for a
session. If it is, a new "authentication" JSON
object is added to the output.
The 'show bfd profile' command is also appended with the same
information.
> # show running-config
> key chain KC1
> key 0
> key-string mysecret
> exit
> exit
> bfd
> profile test
> authentication key...
bfdd: add bfd_process_keychain_updateRegister and implement bfd_process_keychain_update hook.
This hook updates bfdd states on keychain changes.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add bfd_process_keychain_removeRegister and implement bfd_process_keychain_remove hook.
This hook updates bfdd states on keychain changes.
Take into account the precendence config on peer config instead of
profile configuration.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add keychain new sessionWhen creating a new BFD session,
the authentication key chain name
from the peer configuration (`bpc`)
was not being applied to the
session's internal peer profile.
This change ensures that if an authentication
key chain is specified in the peer
configuration, its name is copied to the
BFD session's peer profile, allowing
authentication to be correctly set up for
the session.
Signed-...
bfdd: apply keychain to profile and session in bfd.c`bfd_session_apply` function now introduces
a clear and centralized logic for determining
and applying authentication settings to a BFD session.
Previously, the application of authentication
settings from different configuration sources
(peer-specific vs. named profiles) was not
explicitly handled. This change establishes
a clear order of precedence to resolve potential
conflicts and en...
bfdd, yang: northbound sessions sbfd,(single,multi)-hop keychainThis commit introduces the necessary YANG data model structures to
support BFD session authentication. Add the northbound CLI that goes
with the change.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: rework ptm_bfd_snd()Use a pointer instead of the direct memory variable to fill in the bfd
packet options. This change is needed before next commit.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add bfd_keychain_key_find_active() apiThis API is a wrapper of key_find_active().
It returns the first available valid key from the passed key chain name.
This function takes into considerations constraints from BFD
authentication:
- the check on the passphrase length is done for clear text method
- the non presence of a key-string is an invalid situation
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
yang, bfdd: northbound add peer auth modify,destroyThis commit introduces the foundational support
for configuring BFD peer authentication. It adds
the necessary CLI commands and northbound (NB)
YANG callbacks to manage authentication
settings for BFD peers.
Key changes include:
CLI Implementation:
A new command [no] authentication key-chain <name>
is added under the BFD peer configuration context,
and the BFD template co...
bfdd: add bfd_auth_type_get_description() functionThis function will help display the authentication type selected.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd, lib: add cleartext type to keychainAdd cleartext definitions in bfdd, and lib keychain.
This cleartext password keychain based password can be used
in BFD.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add map_keychain_algo_to_bfd_auth_typeThis commit introduces a helper function,
map_keychain_algo_to_bfd_auth_type,
to translate keychain hash algorithms
into their corresponding BFD authentication types.
This function is necessary to integrate BFD
authentication with a centralized keychain
configuration. It decouples the BFD session
setup from the specifics of the keychain implementation.
The mapping supports:
Simple P...
bfdd, lib: dplane fill session with keychain_key_findThis commit enables the propagation of BFD
simple password authentication settings,
including those derived from a keychain,
to the data plane.
The data plane message for BFD sessions only
supports "None" or "Simple Password" authentication
types. Previously, authentication configuration was
not passed, effectively disabling offloaded
authentication.
This change introduces the followin...
bfdd: enable configuration of keychain in bfddkeychain is now registered to bfdd daemon.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bfdd: add keychain-related fields to bfd,lib structuresThis commit introduces support for BFD (Bidirectional
Forwarding Detection) authentication as defined in RFC 5880.
This feature enhances security by allowing BFD peers to
authenticate control packets before processing them.
Key changes include:
Authentication Configuration:
Added new structures (auth_config) to the global,
profile, and peer configurations to enable and
define...
lib: add keychain_(create,delete)This commit updates the northbound callback
functions for keychain and key creation to
associate the newly created C-structs with
their corresponding data nodes in the
running configuration.
By calling `nb_running_set_entry()`, we
establish a direct link from the configuration
data to the live, operational objects. This allows
other subsystems to retrieve the `struct keychain`
or `stru...
lib: add keychain_removed hookThis commit introduces a mechanism to
notify daemons when a keychain is deleted.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
lib: add keychain_updated hookThis patch created a keychain update hook function call.
The key changes are:
- **lib:** A new `keychain_updated` hook is
introduced. This hook is triggered by the
northbound interface whenever a keychain's
configuration is created, modified, or deleted.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
lib: add null authenticationThis commit introduces support for a "null"
password type in the keychain configuration.
This allows for storing unencrypted,
plain-text passwords.
The command-line interface has been updated
to include "null" as a valid cryptographic
algorithm option.
Additionally, this commit fixes a bug in the
algorithm name matching logic. The previous
check for "md5" was too broad and has been
co...
bfdd: move bfd packet size used in code in a single placeUse a define to host BFD packet size used in bfd code.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
tests: bgp_conditional_advertisement_track_peer: extend convergence waitIssue:
bgp_conditional_advertisement_track_peer.test_bgp_conditional_advertisement_track_peer test_bgp_conditional_advertisement_track_peer
failing intermittently.
AssertionError: R1 SHOULD receive 172.16.255.2/32 from R2
assert Generated JSON diff error report:
> $->routes: expected has key '172.16.255.2/32' which is not present in output
E AssertionError: R1 SHOULD receive 172.16.255.2/3...
bgpd: do not flag old best as multipath when it is also the new bestIssue:
Recent PR's face inconsistent CI failures in
"bgp_soo.test_bgp_soo test_bgp_soo_ipv4_advertised_routes_brief_json"
Assert:
$->advertisedRoutes->192.168.2.0/24->multiPathCount: output has element
with value '3' but in expected it has value '2'
Issue is present in bgp code, the test just exposes it inconsistently.
Commit 7ca3e9676f ("bgpd: fix incorrect BGP_PATH_MULTIPATH flag on
invali...
lib, zebra: bound SRv6 locator name length in ZAPIzread_srv6_manager_get_srv6_sid() and zread_srv6_manager_get_locator()
read a uint16_t length from the ZAPI stream and pass it directly to
STREAM_GET() to copy into a 256-byte stack buffer (SRV6_LOCNAME_SIZE),
without bounding the length first. STREAM_GET() only validates the
source side of the read; the destination is a raw memcpy. A malformed
ZAPI message with len >= SRV6_LOCNAME_SIZE writes ...
tests: fix one more format warningTests weren't using the frr-format plugin before. One more warning to
address.
Signed-off-by: David 'equinox' Lamparter <equinox@opensourcerouting.org>
bgpd: clang-format for previous commitLeft separate because that makes the previous commit easier to read.
Signed-off-by: David 'equinox' Lamparter <equinox@opensourcerouting.org>
David Lamparter
Donald Sharp
Jafar Al-Gharaibeh
Philippe Guibert
James Raphael Tiovalen