ospfd: prevent stale LSA from corrupting local OSPF DB after reboot

Ensure local LSAs have the highest sequence number and neighbors
are refreshed in the event a stale LSA is detected.
Current behavior assuming we have two ospf routers: R1 <–> R2
- R1 and R2 are ospf neighbors
- R1 has a summary route being advertised to R2
This summary route has some LSA sequence number that is higher than 1
At this point everything is working fine. But then:
- R1 reboo...

tests: verify SSM delivery to h3 with collect_receiver_sources

Add test_ssm_r1_to_h3_multicast_traffic: r1 sends (192.168.1.1,
230.0.0.100) on the shared LAN, r3's static join-group on eth0 pulls the
(S,G) to r3, and h3 receives on r3-eth1 after joining the same source on
h3-eth0. Assert per-source RX counts via mcast-tester --report-sources
JSON instead of only checking MFC state.
Extend McastTesterHelper.run_join() with an optional source= argument
for ...

tests: verify SSM mroute split horizon in multicast_ssm_topo1

Add test_ssm_mroute_no_iif_oif_loop to ensure (192.168.1.1, 230.0.0.100)
does not install a kernel MFC that lists the incoming interface as an OIF
when the source and r3's join-group are both on the shared LAN (rX-eth0).
The test sends traffic from r1-eth0, waits for an installed mroute on r3,
then checks show ip mroute json on r1–r3 so outboundInterface never equals
iif. This guards against t...

lib: warn once when process fd limit is very large

Each event_master_create() logged the same fd limit warning (e.g. zebra
main plus dplane pthreads).
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

tests: Remove key-0 from acceptable on rt2

The test is this: rt1 ---- rt2
Both rt1 and rt2 have a key 0 at first,
then the test removes key 0 and adds
key40 on rt1 and checks that the session
is down. Then on rt2 the code is adding
key40 but leaving key0. So rt2 continues
to transmit with key 0 and the session does
not come up. This is because there is no
test of the lifecycle part of key start/end
times. Modify the test to remove ...

*: Fix keychain acceptance of any key

In bfd if you have this keychain configured on 2 routers, r1 and r2:
keychain a
key 0
cryptographic-algorithm hmac-sha-1
key-string mysecret123
end
And you have bfdd configured to use keychains between the two.
Then if you do this on rt1:
keychain a
no key 0
key 40
cryptographic-algorithm hmac-sha-1
key-string mysecret123
end
Notice that the key-string is the same for key 0 ...

tests: Use `show module` to get bgp's pid

The topotest is using `pidof bgpd` which is ok
when you run a test by itself, but when you
are running the topotests in parallel, this
is a bit of a problem. Fix.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>

tests: tune multicast_ssm_topo1 for shared-LAN SSM debugging

r1: Add a static route for 224.0.0.0/4 via r1-eth0 so multicast traffic
from the sender is steered onto the shared transit segment (192.168.1.0/24)
rather than another interface.
r3: Add a second SSM join-group at source 192.168.1.1.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

pimd: clarify TIB IGMP loop protection vs split-horizon enforcement

Update comments in tib_sg_oil_setup() to describe the division of
responsibility: non-DR routers still skip creating channel_oil when the
RPF nexthop VIF equals the IGMP interface, while DR routers may create
channel_oil but rely on pim_channel_add_oif() to avoid installing a
looped OIF=IIF MFC entry.
No functional change in this file; documentation only.
Signed-off-by: Jafar Al-Gharaibeh <ja...

pimd: reject adding an OIF that matches the MFC incoming interface

Add an early check in pim_channel_add_oif() for SSM (S,G) groups so
traffic is not forwarded back out the same VIF it arrived on. ASM is
excluded because the receiver interface may temporarily equal IIF during
RPT-to-SPT before the true RPF IIF is installed.
This is the primary entry point for IGMP/MLD-driven OIF adds
(tib_sg_gm_join) and complements pim_mroute_copy(), which already omits
IIF ...

pimd: enforce split horizon when installing (S,G) MFC entries

Remove the long-standing exception in pim_mroute_allow_iif_in_oil() that
permitted listing the incoming VIF on the OIL when the OIF was added by
IGMP/MLD (PIM_OIF_FLAG_PROTO_GM) and the router considered itself DR on
that interface.
That exception was meant to let the DR build upstream state when the
source and a local receiver share an interface (TODO T22). In practice
it installed kernel MFC...

tests: add multicast receiver source-reporting helper

Extend mcast-tester with a bounded RX reporting mode that collects
per-source packet counts and emits JSON, then expose it through
McastTesterHelper.collect_receiver_sources() for topotests. This gives
tests a deterministic way to assert multicast source visibility without
shell parsing of external capture tools.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

ci: fail topotest step when parallel run lacks JUnit failures

When the parallel pytest run exits non-zero but analyze.py finds no
failures in topotests.xml, fail the step instead of treating it as a pass.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

tests: verify SSM (S,G) join state

Add test_ssm_join_state to check that an SSM (S,G) appears in IGMP and
PIM on all routers on the shared LAN. Use a configured join-group on r3
only to inject local membership.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

tests: expand multicast_ssm_topo1 for SSM debugging

Add a three-router shared LAN with per-router hosts, OSPFv2 on
inter-router and host-facing interfaces, and passive PIM/IGMP on all
interfaces. Run group-type checks on r1, r2, and r3.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

topotests: avoid hang opening ExaBGP peer FIFOs

Blocking open() on per-peer FIFOs waits for exa_readpipe.py, which only
starts after ExaBGP finishes slow hostname lookups under parallel runs.
Use non-blocking open with retries and add peer names to /etc/hosts in
the Docker entrypoint so Rocky/container runs do not stall indefinitely.
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>

topotests: reap mutini children during munet and xdist teardown

Parallel pytest-xdist runs could hang at session end when workers left
mutini namespace processes as unreaped zombies. cleanup_pid() sent
SIGKILL without waitpid(), and session cleanup only ran on the controller.
Reap PIDs after SIGKILL, sweep zombies after async_cleanup_proc(), run
cleanup_current() on every worker, and waitpid in stop_topology().
Signed-off-by: Jafar Al-Gharaibeh <jafar@atc...

bfdd, doc, topotests: add support for meticulous algorithm

Add a configuration command to enable the meticulous authentication algorithm.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add authentication cleartext and sha1 errors

Add rx authentication errors related to cleartext and sha1 password cases.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

topotests: add bfd authentication test

Establish BFD sessions between 2 peers, and test the simple and sha1
authentication mechanisms. Also check the configuration changes, ensuring
that BFD behaves like the RFC.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add sha1 support for bfd authentication

Add SHA1 support for BFD keychain based authentication:
- send sha1 authentication packet
- receive and check sha1 authentication packet
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add authentication display in peers and profiles

The `__display_peer` and `__display_peer_json` functions
are modified to check if authentication is enabled for a
session. If it is, a new "authentication" JSON
object is added to the output.
The 'show bfd profile' command is also appended with the same
information.
> # show running-config
> key chain KC1
> key 0
> key-string mysecret
> exit
> exit
> bfd
> profile test
> authentication key...

bfdd: add bfd_process_keychain_update

Register and implement bfd_process_keychain_update hook.
This hook updates bfdd states on keychain changes.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add bfd_process_keychain_remove

Register and implement bfd_process_keychain_remove hook.
This hook updates bfdd states on keychain changes.
Take into account the precedence config on peer config instead of
profile configuration.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add keychain new session

When creating a new BFD session,
the authentication key chain name
from the peer configuration (`bpc`)
was not being applied to the
session's internal peer profile.
This change ensures that if an authentication
key chain is specified in the peer
configuration, its name is copied to the
BFD session's peer profile, allowing
authentication to be correctly set up for
the session.
Signed-...

bfdd: apply keychain to profile and session in bfd.c

`bfd_session_apply` function now introduces
a clear and centralized logic for determining
and applying authentication settings to a BFD session.
Previously, the application of authentication
settings from different configuration sources
(peer-specific vs. named profiles) was not
explicitly handled. This change establishes
a clear order of precedence to resolve potential
conflicts and en...

bfdd, yang: northbound sessions sbfd,(single,multi)-hop keychain

This commit introduces the necessary YANG data model structures to
support BFD session authentication. Add the northbound CLI that goes
with the change.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: rework ptm_bfd_snd()

Use a pointer instead of the direct memory variable to fill in the bfd
packet options. This change is needed before next commit.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add bfd_keychain_key_find_active() api

This API is a wrapper of key_find_active().
It returns the first available valid key from the passed key chain name.
This function takes into consideration constraints from BFD
authentication:
- the check on the passphrase length is done for clear text method
- the non presence of a key-string is an invalid situation
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

yang, bfdd: northbound add peer auth modify,destroy

This commit introduces the foundational support
for configuring BFD peer authentication. It adds
the necessary CLI commands and northbound (NB)
YANG callbacks to manage authentication
settings for BFD peers.
Key changes include:
CLI Implementation:
A new command [no] authentication key-chain <name>
is added under the BFD peer configuration context,
and the BFD template co...

bfdd: add bfd_auth_type_get_description() function

This function will help display the authentication type selected.
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd, lib: add cleartext type to keychain

Add cleartext definitions in bfdd, and lib keychain.
This keychain-based cleartext password can be used
in BFD.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add map_keychain_algo_to_bfd_auth_type

This commit introduces a helper function,
map_keychain_algo_to_bfd_auth_type,
to translate keychain hash algorithms
into their corresponding BFD authentication types.
This function is necessary to integrate BFD
authentication with a centralized keychain
configuration. It decouples the BFD session
setup from the specifics of the keychain implementation.
The mapping supports:
Simple P...

bfdd, lib: dplane fill session with keychain_key_find

This commit enables the propagation of BFD
simple password authentication settings,
including those derived from a keychain,
to the data plane.
The data plane message for BFD sessions only
supports "None" or "Simple Password" authentication
types. Previously, authentication configuration was
not passed, effectively disabling offloaded
authentication.
This change introduces the followin...

bfdd: enable configuration of keychain in bfdd

The keychain is now registered to the bfdd daemon.
Signed-off-by: Dmytro Shytyi <dmytro.shytyi@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

bfdd: add keychain-related fields to bfd,lib structures

This commit introduces support for BFD (Bidirectional
Forwarding Detection) authentication as defined in RFC 5880.
This feature enhances security by allowing BFD peers to
authenticate control packets before processing them.
Key changes include:
Authentication Configuration:
Added new structures (auth_config) to the global,
profile, and peer configurations to enable and
define...

lib: add keychain_(create,delete)

This commit updates the northbound callback
functions for keychain and key creation to
associate the newly created C-structs with
their corresponding data nodes in the
running configuration.
By calling `nb_running_set_entry()`, we
establish a direct link from the configuration
data to the live, operational objects. This allows
other subsystems to retrieve the `struct keychain`
or `stru...