History log of /openbsd-current/usr.sbin/bgpd/control.c
Revision Date Author Comments
# 1.117 22-Apr-2024 claudio

Move setting of the shutdown reason to session_stop()

Also make sure that something is logged when a session is stopped.
Part of a bigger diff which was OK tb@


Revision tags: OPENBSD_7_5_BASE
# 1.116 11-Jan-2024 claudio

rename field ibuf to imsgbuf in struct ctl_conn
OK tb@


# 1.115 10-Jan-2024 claudio

Update the control.c code to use the new imsg API.

OK tb@


# 1.114 07-Nov-2023 claudio

Rename struct imsgbuf *ibuf to *imsgbuf in all places.
ibuf should be reserved for struct ibuf * values.
OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.113 28-Sep-2023 claudio

Enforce NUL termination of the neighbor shutdown reason sent from
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago


# 1.112 04-Aug-2023 claudio

Instead of forcing a NUL into struct ctl_neighbor descr adjust the
peer matching code to only match at maximum sizeof(n->descr) bytes
using strncmp().
OK tb@


# 1.111 20-Jul-2023 claudio

Use sizeof(destination) not sizeof(source) in strlcpy() calls.
OK tb@


# 1.110 20-Apr-2023 claudio

Implement IMSG_CTL_SHOW_FLOWSPEC and IMSG_FLOWSPEC_FLUSH and add bits for
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE respond with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.116 11-Jan-2024 claudio

rename field ibuf to imsgbuf in struct ctl_conn
OK tb@


# 1.115 10-Jan-2024 claudio

Update the control.c code to use the new imsg API.

OK tb@


# 1.114 07-Nov-2023 claudio

Rename struct imsgbuf *ibuf to *imsgbuf in all places.
ibuf should be reserved for struct ibuf * values.
OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.113 28-Sep-2023 claudio

Enforce NUL termination of the neighbor shutdown reason sent from
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago


# 1.112 04-Aug-2023 claudio

Instead of forcing a NUL into struct ctl_neighbor descr adjust the
peer matching code to only match at maximum sizeof(n->descr) bytes
using strncmp().
OK tb@


# 1.111 20-Jul-2023 claudio

Use sizeof(destination) not sizeof(source) in strlcpy() calls.
OK tb@


# 1.110 20-Apr-2023 claudio

Implement IMSG_CTL_SHOW_FLOWSPEC and IMSG_FLOWSPEC_FLUSH and add bits for
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE response with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.116 11-Jan-2024 claudio

rename field ibuf to imsgbuf in struct ctl_conn
OK tb@


# 1.115 10-Jan-2024 claudio

Update the control.c code to use the new imsg API.

OK tb@


# 1.114 07-Nov-2023 claudio

Rename struct imsgbuf *ibuf to *imsgbuf in all places.
ibuf should be reserved for struct ibuf * values.
OK tb@


Revision tags: OPENBSD_7_4_BASE
# 1.113 28-Sep-2023 claudio

Enforce NUL termination of the neighbor shutdown reason sent from
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago


# 1.112 04-Aug-2023 claudio

Instead of forcing a NUL into struct ctl_neighbor descr adjust the
peer matching code to only match at maximum sizeof(n->descr) bytes
using strncmp().
OK tb@


# 1.111 20-Jul-2023 claudio

Use sizeof(destination) not sizeof(source) in strlcpy() calls.
OK tb@


# 1.110 20-Apr-2023 claudio

Implement IMSG_CTL_SHOW_FLOWSPEC and IMSG_FLOWSPEC_FLUSH and add bits for
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE response with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upong receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) coope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.113 28-Sep-2023 claudio

Enforce NUL termination of the neighbor shutdown reason sent from
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago


# 1.112 04-Aug-2023 claudio

Instead of forcing a NUL into struct ctl_neighbor descr adjust the
peer matching code to only match at maximum sizeof(n->descr) bytes
using strncmp().
OK tb@


# 1.111 20-Jul-2023 claudio

Use sizeof(destination) not sizeof(source) in strlcpy() calls.
OK tb@


# 1.110 20-Apr-2023 claudio

Implement IMSG_CTL_SHOW_FLOWSPEC and IMSG_FLOWSPEC_FLUSH and add bits for
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE response with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin, ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.112 04-Aug-2023 claudio

Instead of forcing a NUL into struct ctl_neighbor descr adjust the
peer matching code to only match at maximum sizeof(n->descr) bytes
using strncmp().
OK tb@


# 1.111 20-Jul-2023 claudio

Use sizeof(destination) not sizeof(source) in strlcpy() calls.
OK tb@


# 1.110 20-Apr-2023 claudio

Implement IMSG_CTL_SHOW_FLOWSPEC and IMSG_FLOWSPEC_FLUSH and add bits for
IMSG_FLOWSPEC_ADD and IMSG_FLOWSPEC_REMOVE received from bgpctl via SE.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE response with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl



Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.109 09-Feb-2023 claudio

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE response with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.108 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.107 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin, ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


Revision tags: OPENBSD_7_1_BASE
# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.106 04-Feb-2022 claudio

Rename sockaddr_un sun to sa_un since sun is defined on illumos systems.
OK dlg@


Revision tags: OPENBSD_7_0_BASE
# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restriced control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin, ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.105 27-Apr-2021 claudio

Add IMSG_CTL_SHOW_RTR to the list of restricted control messages.


Revision tags: OPENBSD_6_9_BASE
# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.104 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.103 30-Dec-2020 claudio

Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin, ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.102 11-Dec-2020 claudio

Make the timer code independent of struct peer this way it can be used
in other places as well.
ok procter@


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upong receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.101 05-Nov-2020 claudio

Refactor the control code to be more like a module.
Change control_dispatch_msg() to return the change of control connection
count since the return value was not used before.
Add control_fill_pfds() to replace the TAILQ_FOREACH loop in session.c.
This allows to move the ctl_conns symbol to control.c (from session.h
where it caused issues when compiled with -fno-common).
OK benno@


Revision tags: OPENBSD_6_8_BASE
# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing an admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upong receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) coope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.100 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.99 12-Aug-2019 claudio

Reset the IdleHoldTime and the session error count when doing a admin
command that clears or starts a neighbor. This way an admin reset does
what people expect since it makes the session behave like a brand new one.
OK job@ deraadt@ sthen@


# 1.98 08-Aug-2019 claudio

Use O_CLOEXEC or SOCK_CLOEXEC on every open or socket call. Even though
some sockets are open for a short time it does not hurt and it ensures
that there is no file descriptor leak.
OK deraadt@ bluhm@


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upong receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) coope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.97 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send lost of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


Revision tags: OPENBSD_6_5_BASE
# 1.96 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
nameley the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate wether the request was processed successfully
or wether an error occured and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allo the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a ststic one with OPEN_MAX entries, which is a rather arbitary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamiccaly to. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Usefule to annouce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), nor err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.95 12-Feb-2019 claudio

Handle the abnormal case of not having any neighbors defined a bit better
when it comes to handling bgpctl show requests.
OK phessler@


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.94 20-Jan-2019 claudio

Support group descriptions in control messages that accept a neighbor
description. With this it is possible to show rib a group of peers, to show
or signal a group of peers all at once.
OK sthen@ benno@


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use befor using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but comming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administrativly
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcomming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctlshow neighbor foo timer in seperate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing tienmr values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our red/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT messgae back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring puposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on an AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.93 27-Dec-2018 remi

Check if a control socket or address is already in use before using it.
If it is used abort startup or let a reload fail.
Sockets are now not unlinked anymore on regular shutdown.

This helps a lot when one tries to do a config check without -n.

Inputs and OK claudio@


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ sessions. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning, claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these functions should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin, ok claudio


# 1.92 22-Dec-2018 claudio

bgpctl can cause bgpd to do a lot of work (e.g. dumping all of the RIB)
but then bgpctl can quickly exit and bgpd still has to do all the work.
Instead introduce a terminate imsg to stop such long running commands if
bgpctl closes the connection before the run is over.
OK benno@, sthen@, deraadt@


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergance time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do no accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass a IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return a unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - no bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on a external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMGS_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl


# 1.91 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_6_2_BASE
# 1.90 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.89 10-Aug-2017 benno

handle extended communities in bgpctl.
From Dennis Fondras, thanks!
ok phessler@


# 1.88 28-May-2017 claudio

Implement an XON/XOFF protocol between the RDE and the SE to throttle
per control session and peer the generation of imsg in the RDE. This
reduces the memory pressure in the SE substantially and also a bit in
the RDE. Makes the RDE more responsive for bgpctl commands.
Tested by me with 100 peers * 2000 prefixes and by phessler@ on an AMS-IX
border router with 200+ session. Convergence time got quite a bit better.
OK phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.87 13-Feb-2017 phessler

draft-ietf-idr-shutdown extends to support a message on either of
"Administrative Shutdown" or "Administrative Reset"

patch submitted by Job Snijders, thanks!


# 1.86 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.85 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.84 08-Jan-2017 krw

Replace hand-rolled for(;;) traversal of ctl_conns TAILQ with
TAILQ_FOREACH().

No intentional functional change.

ok reyk@


# 1.83 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.82 05-Dec-2015 benno

cleanup some log messages with wrong function names etc.
ok henning,claudio


# 1.81 05-Dec-2015 claudio

EAGAIN handling for imsg_read. OK henning@ benno@


# 1.80 25-Oct-2015 claudio

Rename imsg_compose_parent and imsg_compose_rde to imsg_ctl_parent and
imsg_ctl_rde since these function should only be used by the control
code. Also switch ibuf_rde to ibuf_rde_ctl so that the control imsgs
don't need to queue behind all the incoming bgp UPDATES. This speeds
up 'bgpctl show' from taking minutes to a few seconds. The RDE was doing
this since a very long time but it seems the SE was not adjusted. Yikes


# 1.79 24-Oct-2015 benno

"bgpctl sh rib in" and "bgpctl sh rib out" require a neighbor argument
to work. send an error if none is given.
ok claudio@


# 1.78 17-Oct-2015 reyk

Do not accept fds on the control socket; including the restricted socket.

OK gilles@ eric@


Revision tags: OPENBSD_5_8_BASE
# 1.77 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


Revision tags: OPENBSD_5_7_BASE
# 1.76 09-Feb-2015 claudio

Kill session_socket_blockmode() and replace it with SOCK_CLOEXEC or
SOCK_NONBLOCK and accept4(). OK henning@ tested & OK benno@


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.75 13-Nov-2013 benno

from claudio
"Let msgbuf_write return -1 with errno EAGAIN. The users then must
check if this was the case and readd the event or poll again. The
current handling in the imsg code is wrong for sure."

ok gilles, benno


Revision tags: OPENBSD_5_4_BASE
# 1.74 11-Mar-2013 deraadt

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...


# 1.73 07-Mar-2013 claudio

Implements a few missing bits for better templates support:
- on config reload also adjust the cloned neighbors so that they get the
config changes as well.
- clean up sessions that are 1h idle but in state active (instead of down)
- add bits to allow bgpctl to destroy cloned neighbors
Tested by sthen@ some time ago, OK phessler@


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE
# 1.72 27-May-2012 claudio

Extend the network code to allow attributes to be passed in with prefixes.
In the end this will allow anyone to use MRT table dumps to load prefixes
into a bgpd instance. For example you can download the RIPE dumps and load
full-feeds onto your laptop until the poor thing dies.
OK henning@ sthen@


# 1.71 12-Apr-2012 claudio

accept() pacing for bgpd based on similar work done on other daemons.
OK henning@ sthen@


Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.70 29-Oct-2010 henning

malloc -> calloc for ctl_conn
pt out by cppcheck/jasper, ok sthen claudio


Revision tags: OPENBSD_4_8_BASE
# 1.69 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


Revision tags: OPENBSD_4_7_BASE
# 1.68 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.67 08-Dec-2009 jsg

porcesses -> processes


# 1.66 03-Dec-2009 claudio

A bgpctl nei XY clear should not restart neighbors that are administratively
down. So after a bgpctl reload clearing a neighbor will bring that neighbor
into the configured state (in this case down). OK henning@


# 1.65 02-Dec-2009 mk

log_warn() consistency.

`OK' claudio


# 1.64 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.63 02-Nov-2009 claudio

Implement IMSG_CTL_LOG_VERBOSE similar to ospfd. Even though bgpd has almost
no log_debug() it makes more sense to make all routing daemons behave the same.


# 1.62 02-Sep-2009 claudio

Implement all of RFC 4486 BGP Cease Notification Message Subcodes.
The other side should now see why a session was dropped. e.g:
bgpd: ... received notification: Cease, administratively down
OK henning


Revision tags: OPENBSD_4_6_BASE
# 1.61 05-May-2009 sthen

check that an IMSG_CTL_SHOW_RIB_PREFIX request has a valid
address family before passing it to the RDE.

ok henning@ claudio@


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.60 11-May-2008 henning

allow IMSG_CONTROL_SHOW_TIMER on restricted sockets


# 1.59 08-May-2008 henning

make sure we always send back something on IMSG_CTL_SHOW_NEIGHBOR
namely, the "no such neighbor" case was missing.
problem spotted by martin,ok claudio


Revision tags: OPENBSD_4_3_BASE
# 1.58 31-Jan-2008 henning

do not leak confd on malloc failure in control_accept()
found by Igor Zinovik <zinovik@cs.karelia.ru>


# 1.57 23-Dec-2007 henning

send timers for bgpctl show neighbor foo timer in separate messages after
the peer data. makes bgpctl display code independent from timer
implementation internals. only running timers are displayed now, stopped
ones are skipped.


# 1.56 20-Dec-2007 henning

rework timers.
stop changing timer values directly, always use new
timer_(get/set/stop/running) functions. preparation for more to come :)
ok claudio


Revision tags: OPENBSD_4_2_BASE
# 1.55 28-Mar-2007 henning

add IMSG_CTL_SHOW_RIB_COMMUNITY, rib by given community
mostly from rivo nurges <rix@estpak.ee>, ok claudio


# 1.54 19-Mar-2007 henning

when our read/recv/recvmsg in imsg_read gives EINTR or EAGAIN, do not
signal "connection closed" upstream.
spotted by Valentin Kozamernik <tin@komna.com>


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.53 23-Aug-2006 claudio

Extend show rib interface code so that it is possible to show the adj-rib-in
and adj-rib-out. Additionally it is now possible to limit the output to a
specified peer. OK henning@


# 1.52 27-May-2006 claudio

Pass an IMSG_CTL_RESULT message back to bgpctl on reloads to indicate if
the reload was successful or not. OK henning@


# 1.51 27-May-2006 claudio

Cleanup with lint. Make the poll fd indexes unsigned and because of that
control_accept should also return an unsigned int. Remove old prototype.


# 1.50 23-May-2006 henning

allow bgpd to request a route refresh from a neighbor if that neighbor
announced route refresh capabilities


Revision tags: OPENBSD_3_9_BASE
# 1.49 24-Jan-2006 henning

introduce "bgpctl show summary terse", shows summary in an easy to parse
format, intended for monitoring purposes. claudio ok


# 1.48 24-Jan-2006 henning

zap now unused var


# 1.47 24-Jan-2006 henning

introduce a second control socket, which is restricted to certain messages,
namely the show ones. needed for looking glass style applications,
monitoring etc. claudio ok


# 1.46 03-Jan-2006 claudio

Track some (memory) statistics in the RDE. Accessible via bgpctl.


# 1.45 19-Oct-2005 henning

for "bgpctl neighbor foo up/down/clear", make bgpctl not exit after sending
the request, but wait for the new IMSG_CTL_RESULT message, which contains
a status code to indicate whether the request was processed successfully
or whether an error occurred and if so what kind of error.
no more "IMSG_CTL_NEIGHBOR_ with unknown neighbor foobaz" in the log
when you mistyped foobar - now bgpctl itself complains
claudio ok


# 1.44 19-Oct-2005 henning

on "bgpctl neighbor foo clear", we used to send a STOP event immediately
followed by a START event. Instead of sending START immediately, start the
IdleHoldTimer with a very low value (5 seconds) so that we restart the
session these seconds later. some other implementations deal poorly with
our previously superfast reconnects, namely, that commercial one from
san jose, claudio ok


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE
# 1.43 11-Mar-2005 deraadt

move umask() song and dance closer around the bind, being more careful about errors; ok claudio


# 1.42 25-Feb-2005 claudio

unlink() control socket in error path. Spotted by Theo.


# 1.41 23-Dec-2004 henning

allow the "bgpctl show neighbor " commands to take the neighbor descr
too, claudio ok


# 1.40 23-Dec-2004 henning

allow "bgpctl neighbor" to take the peer's descr as argument as well
as its address
so "bgpctl neighbor upstream1 clear" now works and you don't have to
remember IPs
claudio ok


# 1.39 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.38 16-Sep-2004 henning

imsg API cleanup:
-kill imsg_compose_pid, imsg_compose_fdpass and imsg_create_pid
-extend the original imsg_compose/_create API to take pid & fd too
-make imsg_compose do imsg_create + imsg_add + imsg_close instead of
duplicating the code
-adjust all callers to the new API
ok claudio


Revision tags: OPENBSD_3_6_BASE
# 1.37 24-Aug-2004 claudio

missing space in log message.


# 1.36 20-Aug-2004 henning

add IMSG_CTL_NEIGHBOR_CLEAR, takes a session down and restarts it,
claudio ok


# 1.35 20-Aug-2004 henning

merge IMSG_CTL_NEIGHBOR_UP and _DOWN handling, kills some duplicate code,
claudio ok


# 1.34 06-Aug-2004 claudio

Forward IMSG_CTL_SHOW_NEIGHBOR messages to the rde so that we can report
the current and max prefix count back to bgpctl. OK henning@


# 1.33 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.32 09-Jun-2004 henning

move to a dynamically allocated struct pollfd array.
we used a static one with OPEN_MAX entries, which is a rather arbitrary limit
as OPEN_MAX is _not_ the max # of open fds we can have, but just a default
for that setting.
in the same move we have to allocate the peer_l array, basically there
for pfd-index to peer pointers to prevent peer list scans all time,
dynamically too. we overallocate a little and use that reserve until we
have to realloc again later to prevent reallocs for every single control
connection or a single flapping peer.
help & ok claudio


# 1.31 21-May-2004 claudio

Add support for dynamic announcements. Useful to announce temporary
blackhole routes or to make network announcements dependent on an external
state (e.g. for carp setups) OK henning@


# 1.30 08-May-2004 henning

remove unused argument to control_dispatch_msg(), lint


# 1.29 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.28 25-Apr-2004 henning

missing return; noticed by Joris Vink <amni@pandora.be> but I fixed in
another way


# 1.27 16-Apr-2004 henning

use getpeerbyaddr() instead of using the v4 part of the af independent
struct manually


Revision tags: OPENBSD_3_5_BASE
# 1.26 17-Mar-2004 henning

remove getpeereid() call so that those who have write access to the socket
(root:wheel 0640) can send queries, claudio ok


# 1.25 02-Mar-2004 claudio

Framework for rib lookups by prefix. OK henning@


# 1.24 29-Feb-2004 henning

plug memory leak: when a control connection is closed we need to clear
its write buffers, noticed by claudio


# 1.23 29-Feb-2004 henning

of course the control socket needs to be nonblocking as well, i could have
sworn it was... noticed by & fixed with claudio


# 1.22 26-Feb-2004 claudio

show rib infrastructure. At least full dumps and per as dumps. Per prefix
dump need some more work. OK henning@


# 1.21 02-Feb-2004 henning

close socket on error in control_init
From: Patrick Latifi <pat@eyeo.org>


# 1.20 22-Jan-2004 henning

use log_warnx and log_info. reclassify a few messages in the process and fix
a few messages.

ok claudio@


# 1.19 22-Jan-2004 henning

s/log_err/log_warn/
it is like warn(3), not err(3). so use a less confusing name.


# 1.18 20-Jan-2004 henning

fix error logging on connection attempts from !root user


# 1.17 17-Jan-2004 henning

allow the interfaces as bgpd sees 'em to be queried via imsgs


# 1.16 11-Jan-2004 henning

new message IMSG_CTL_SHOW_NEXTHOP: request/send list of BGP nexthops and
the result of their validity check


# 1.15 09-Jan-2004 henning

for IMSG_CTL_KROUTEs allow matching based on flags,
add IMSG_CTL_KROUTE_ADDR to match the route for a given address

ok claudio@


# 1.14 09-Jan-2004 henning

get us a stateful imsg relaying framework, and the first receiver,
IMSG_CTL_KROUTE, to have the kroute structs forming the fib sent to a
control socket.

ok claudio@


# 1.13 09-Jan-2004 henning

you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
you must not try to read(2) without checking (pfd->revents & POLLIN)
[...]
you must not try to read(2) without checking (pfd->revents & POLLIN)


# 1.12 06-Jan-2004 henning

two new imsg types, IMSG_CTL_NEIGHBOR_UP and _DOWN, on their receival on the
control socket the given neighbor session is sent a START / STOP signal.

ok claudio@


# 1.11 06-Jan-2004 henning

2004


# 1.10 05-Jan-2004 henning

allow fib couple/decouple based on an imsg received on the control socket
by the SE and passed on to the main process


# 1.9 04-Jan-2004 henning

-new imsg CTL_RELOAD
-upon receival in the SE forward to parent
-make sending messages from SE to parent work for that (was not required before)
-parent reacts to that just like a SIGHUP, reread config file


# 1.8 04-Jan-2004 henning

allow "show neighbor" to be limited to one specific neighbor


# 1.7 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.6 03-Jan-2004 henning

change imsg_read semantics so that the number of bytes read is returned.
that means that the callers can (and must) cope with closed connections
themselves, what is exactly the desired behaviour.


# 1.5 03-Jan-2004 henning

send an imsg as list end indicator


# 1.4 03-Jan-2004 henning

fix umask, noticed by theo


# 1.3 02-Jan-2004 henning

umask setting and unlink before bind() the unix socket, chmod and umask
restore afterwards
help & ok theo


# 1.2 02-Jan-2004 henning

move the socket name #define to bgpd.h and get rid of bgpdctl*


# 1.1 01-Jan-2004 henning

listen on a AF_LOCAL socket for imsgs too.
only implemented type yet is IMSG_CTL_SHOW_NEIGHBOR which sends back
the struct peer for all neighbors.
will be used by bgpdctl