History log of /openbsd-current/usr.sbin/bgpd/parse.y
# 1.463 22-May-2024 claudio

Convert bgpid, remote_bgpid and clusterid to host byte order.

Before, the RDE used host byte order for remote_bgpid but all the other
code used network byte order. The reason for that was that bgpid was
initially an IPv4 address but since RFC 6286 in 2011 this is much more
relaxed and so it makes more sense to just treat them as numbers and
so host byte order.

OK tb@


# 1.462 24-Apr-2024 claudio

Remove 'announce capabilities' as neighbor config stanza.

There is no need to have an easy knob to get outdated or crappy
implementations to limp along. Instead the various default on
capabilities just need to be disabled (e.g. announce as-4byte no).

OK tb@


# 1.461 11-Apr-2024 tb

Remove repeated type declaration that makes bison unhappy

Fixes: https://github.com/openbgpd-portable/openbgpd-portable/issues/77

ok claudio


# 1.460 09-Apr-2024 claudio

Limit the number of provider AS numbers to MAX_ASPA_SPAS_COUNT (10'000)
in the parser as well.

OK tb@


# 1.459 09-Apr-2024 claudio

Allow operators to enforce the presence of certain capabilities on sessions.

For simple capabilities this just adds enforce to the yes/no option of the
announce statement. For multi-protocol capabilities and add-path there is
an extra keyword. On top of this for add-path the enforcement requires the
neighbor to send a matching capability, e.g
'announce add-path recv enforce' requires the other side to send any
'announce add-path send XYZ' capability.

This is mainly to enforce as-4byte and extra multi-protocol capabilities.

OK denis@ tb@


# 1.458 03-Apr-2024 claudio

Rewrite str2key() to not use strtoul() to convert 2 hex digits into one
char. Instead use a simple function to do the conversion per nibble.
OK deraadt@ tb@


# 1.457 20-Mar-2024 claudio

Cleanup AID handling.

- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.

- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.

- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.

- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.

OK tb@


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraws as done before).
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET nor AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
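
Worked example, added to this log and not part of bgpd's code: a Python model of the roa-set / ovs semantics described in the commit above. It parses the roa-set block from the commit message (a missing maxlen means the prefix length itself, as the 1.351 entry further down explains) and computes the origin validation state of a route from its prefix and origin AS following RFC 6811: 'not-found' when no ROA covers the prefix, 'valid' when a covering ROA names the origin AS and the route is not longer than that ROA's maxlen, otherwise 'invalid'. The function and type names are chosen for this example; the ROA text and the test routes are constructed from the commit message; treating origin AS 0 as never valid is an assumption taken from the AS 0 handling in 1.301, not something this commit states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    prefix: Network
    maxlen: int
    source_as: int


def parse_roa_set(text: str) -> List[Roa]:
    """Parse the body of a bgpd-style roa-set block.

    Each item is '<prefix> [maxlen N] source-as <AS>'; items may be separated
    by newlines or commas. A missing maxlen means the prefix length itself,
    i.e. only the exact prefix is covered (assumption: mirrors 1.351).
    """
    roas: List[Roa] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("roa-set") or line.startswith("}"):
            continue
        for item in line.split(","):
            tok = item.split()
            if not tok:
                continue
            net = ipaddress.ip_network(tok[0], strict=True)
            maxlen, source_as = net.prefixlen, None
            i = 1
            while i < len(tok):
                if tok[i] == "maxlen":
                    maxlen = int(tok[i + 1])
                    i += 2
                elif tok[i] == "source-as":
                    source_as = int(tok[i + 1])
                    i += 2
                else:
                    raise ValueError(f"unexpected token {tok[i]!r} in {item!r}")
            if source_as is None:
                raise ValueError(f"missing source-as in {item!r}")
            if not net.prefixlen <= maxlen <= net.max_prefixlen:
                raise ValueError(f"maxlen {maxlen} out of range for {net}")
            roas.append(Roa(net, maxlen, source_as))
    return roas


def origin_validation_state(roas: List[Roa], prefix: str, origin_as: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix, strict=True)
    # A ROA covers the route when the route lies inside the ROA prefix,
    # regardless of maxlen; maxlen only decides valid vs. invalid.
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    # Assumption: AS 0 may never originate a route (cf. 1.301 / RFC 7607), so
    # an AS 0 ROA can only render covered announcements invalid.
    if origin_as != 0:
        for r in covering:
            if r.source_as == origin_as and route.prefixlen <= r.maxlen:
                return "valid"
    return "invalid"


# Constructed from the roa-set block in the commit message.
ROA_SET_EXAMPLE = """roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
"""

if __name__ == "__main__":
    roas = parse_roa_set(ROA_SET_EXAMPLE)
    for pfx, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                     ("193.0.4.0/24", 3333), ("193.0.0.0/20", 3333),
                     ("192.0.2.0/24", 64496)]:
        print(f"{pfx:20} AS{asn:<6} -> {origin_validation_state(roas, pfx, asn)}")
```

The '193.0.0.0/20' case is the one operators most often get wrong: a route less specific than every ROA is not-found, not invalid, so a 'deny ... ovs invalid' rule alone does not stop it; that is why the commit's example also tags not-found routes with their own community.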


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
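
Worked example, added here and not taken from bgpd: the two path checks above, as a practitioner might prototype them in Python before choosing limits for the filter rules. parse_as_path(), as_path_len(), longest_run() and the matches_* helpers are names chosen for this example; a rule matches when the measured value exceeds the configured limit, as the message describes. An AS_SET segment, written in braces, is counted as one path element and never contributes to a run; that follows the RFC 4271 path-length convention and is an assumption here, not something the commit states. The sample path is constructed.

```python
import re
from typing import List, Optional, Sequence, Tuple, Union

# An AS_PATH is modelled as a list of elements: an int for each member of an
# AS_SEQUENCE, a frozenset for an AS_SET segment (assumption: counts as one).
PathElem = Union[int, frozenset]

_TOKEN = re.compile(r"\{[^}]*\}|\d+")
_WELL_FORMED = re.compile(r"(\s*(\{[^}]*\}|\d+))*\s*")


def parse_as_path(text: str) -> List[PathElem]:
    """Parse '64496 64497 {64498 64499}' into path elements."""
    if not _WELL_FORMED.fullmatch(text):
        raise ValueError(f"malformed AS path {text!r}")
    elems: List[PathElem] = []
    for tok in _TOKEN.findall(text):
        if tok.startswith("{"):
            elems.append(frozenset(int(a) for a in tok[1:-1].split()))
        else:
            elems.append(int(tok))
    return elems


def as_path_len(path: Sequence[PathElem]) -> int:
    """Path length as seen by max-as-len: every element counts once."""
    return len(path)


def longest_run(path: Sequence[PathElem]) -> Tuple[Optional[int], int]:
    """(AS number, length) of the longest run of one AS repeated consecutively.

    This is the quantity max-as-seq compares against, and the AS it names is
    the one doing the prepending.
    """
    best_as, best = None, 0
    prev, run = None, 0
    for elem in path:
        if isinstance(elem, int):
            run = run + 1 if elem == prev else 1
        else:
            run = 0          # an AS_SET breaks any run
        prev = elem
        if run > best:
            best_as, best = elem, run
    return best_as, best


def max_as_seq(path: Sequence[PathElem]) -> int:
    return longest_run(path)[1]


def matches_max_as_len(path: Sequence[PathElem], limit: int) -> bool:
    """'max-as-len N' matches paths longer than N."""
    return as_path_len(path) > limit


def matches_max_as_seq(path: Sequence[PathElem], limit: int) -> bool:
    """'max-as-seq N' matches paths containing a run of one AS longer than N."""
    return max_as_seq(path) > limit


# Constructed sample: AS 64497 prepended three times, then an AS_SET.
PATH_EXAMPLE = "64496 64497 64497 64497 64498 {64499 64500}"

if __name__ == "__main__":
    path = parse_as_path(PATH_EXAMPLE)
    print("length:", as_path_len(path), "longest run:", longest_run(path))
    print("max-as-len 5 matches:", matches_max_as_len(path, 5))
    print("max-as-seq 2 matches:", matches_max_as_seq(path, 2))
```

Running the checks over a RIB dump before enabling the rules shows which limits actually cut traffic: a max-as-seq limit that is too low will drop legitimately prepended paths rather than only abuse.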


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either, but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@
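
The community syntax that the community-related messages in this log describe (AS:value with a `*` wildcard as in the example above, 0 allowed and 65535 refused in the AS part per 1.205 and 1.206, the `neighbor-as` special from 1.179), as one added example that is not bgpd's own parser: `parse_community_str()` parses the text form and `community_match()` applies a parsed rule to a wire community for a given remote AS. The struct layout, the sentinel values and both function names are assumptions made for this demo, and `neighbor-as` is resolved against a 2-byte remote AS, as in this era of the code.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel values (assumptions for this demo, not bgpd's). */
#define COMMUNITY_ANY		-1	/* '*': matches any value for that part */
#define COMMUNITY_NEIGHBOR_AS	-2	/* "neighbor-as": expanded per peer */
#define PART_ERR		-3	/* parse failure, internal to parse_part() */

struct community {
	int	as;	/* 0..65534, COMMUNITY_ANY or COMMUNITY_NEIGHBOR_AS */
	int	data;	/* 0..65535 or COMMUNITY_ANY */
};

/* One half of "AS:value": '*', optionally "neighbor-as", or a number 0..65535. */
static int
parse_part(const char *s, int allow_neighbor_as)
{
	char *ep;
	unsigned long v;

	if (strcmp(s, "*") == 0)
		return COMMUNITY_ANY;
	if (allow_neighbor_as && strcmp(s, "neighbor-as") == 0)
		return COMMUNITY_NEIGHBOR_AS;
	if (!isdigit((unsigned char)*s))	/* no sign, no blanks, no empty part */
		return PART_ERR;
	errno = 0;
	v = strtoul(s, &ep, 10);
	if (errno == ERANGE || *ep != '\0' || v > USHRT_MAX)
		return PART_ERR;
	return (int)v;
}

/*
 * Parse "AS:value" into *c. The AS part may be 0 (some IXes use it) but not
 * 65535, which is reserved for the well-known communities; either part may
 * be '*'. Returns 0 on success, -1 on any error.
 */
static int
parse_community_str(const char *s, struct community *c)
{
	char buf[64], *colon;
	int as, data;

	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	if ((colon = strchr(buf, ':')) == NULL)
		return -1;
	*colon = '\0';
	as = parse_part(buf, 1);
	data = parse_part(colon + 1, 0);
	if (as == PART_ERR || data == PART_ERR)
		return -1;
	if (as == USHRT_MAX)
		return -1;	/* 65535:x is reserved, refuse it */
	c->as = as;
	c->data = data;
	return 0;
}

/*
 * Does the wire community (AS in the high 16 bits) match rule r for a peer
 * whose remote AS is remote_as? Wildcards match anything; neighbor-as is
 * resolved against remote_as (a 2-byte remote AS is assumed here).
 */
static int
community_match(const struct community *r, uint32_t wire, uint16_t remote_as)
{
	int as = r->as == COMMUNITY_NEIGHBOR_AS ? (int)remote_as : r->as;
	uint16_t was = (uint16_t)(wire >> 16), wdata = (uint16_t)(wire & 0xffff);

	if (as != COMMUNITY_ANY && as != was)
		return 0;
	if (r->data != COMMUNITY_ANY && r->data != wdata)
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed rule texts, including the two that must be refused. */
	const char *rules[] = { "24640:*", "0:1000", "65535:1", "neighbor-as:100" };
	struct community c;
	size_t i;

	for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
		if (parse_community_str(rules[i], &c) == -1)
			printf("%-16s rejected\n", rules[i]);
		else
			printf("%-16s as=%d data=%d\n", rules[i], c.as, c.data);
	}
	return 0;
}
```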


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
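
The nexthop sanity check listed in the message above, as an added example that is not bgpd's code: `nexthop_valid()` takes a host-order IPv4 address and rejects class D, class E and 127/8, nothing more; `nexthop_str_valid()` wraps it for dotted-quad text and reports unparsable input separately. Both function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Reject nexthops that can never be reached: class D (224.0.0.0/4,
 * multicast), class E (240.0.0.0/4, reserved) and loopback (127.0.0.0/8).
 * Address in host byte order; returns 1 if usable, 0 if not.
 */
static int
nexthop_valid(uint32_t a)
{
	if ((a & 0xf0000000u) == 0xe0000000u)
		return 0;	/* 224.0.0.0/4 */
	if ((a & 0xf0000000u) == 0xf0000000u)
		return 0;	/* 240.0.0.0/4, includes 255.255.255.255 */
	if ((a & 0xff000000u) == 0x7f000000u)
		return 0;	/* 127.0.0.0/8 */
	return 1;
}

/* Same check on dotted-quad text; -1 when the text is not an IPv4 address. */
static int
nexthop_str_valid(const char *s)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return -1;
	return nexthop_valid(ntohl(in.s_addr));
}

int
main(void)
{
	/* Constructed candidates, one per branch of the check. */
	const char *cand[] = { "192.0.2.1", "224.0.0.9", "255.255.255.255",
	    "127.0.0.1", "not-an-address" };
	size_t i;

	for (i = 0; i < sizeof(cand) / sizeof(cand[0]); i++)
		printf("%-16s -> %d\n", cand[i], nexthop_str_valid(cand[i]));
	return 0;
}
```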


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
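
How a string-to-key conversion with the checks this log mentions (hex versus ASCII keys here, the key-length limit and the too-long detection of 1.110, the extra key checks of 1.86) can be written, as an added example that is not bgpd's own conversion routine: `hexstr2key()` decodes per nibble and rejects odd length, non-hex characters and oversize keys before writing a single byte; `passwd2key()` takes an ASCII password as-is and refuses rather than truncating. DEMO_KEY_MAX and both function names are assumptions for the demo; the real limits live in bgpd's headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_KEY_MAX	16	/* assumed key buffer size for the demo */

/* Value of one hex digit, or -1 for anything else. */
static int
hexnibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Hex string -> key bytes. Rejects an empty or odd-length string, anything
 * that is not a hex digit, and keys longer than maxlen bytes. All checks run
 * before key[] is touched. Returns the key length in bytes, or -1.
 */
static int
hexstr2key(const char *s, uint8_t *key, size_t maxlen)
{
	size_t slen = strlen(s), i;

	if (slen == 0 || slen % 2 != 0)
		return -1;
	if (slen / 2 > maxlen)		/* too long: exactly maxlen is fine */
		return -1;
	for (i = 0; i < slen / 2; i++) {
		int hi = hexnibble(s[2 * i]), lo = hexnibble(s[2 * i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		key[i] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(slen / 2);
}

/* ASCII password -> key bytes, length-checked, never silently truncated. */
static int
passwd2key(const char *s, uint8_t *key, size_t maxlen)
{
	size_t slen = strlen(s);

	if (slen == 0 || slen > maxlen)
		return -1;
	memcpy(key, s, slen);
	return (int)slen;
}

int
main(void)
{
	/* Constructed inputs: valid hex, odd length, bad digit, ASCII password. */
	const char *hex[] = { "0a1Bff", "abc", "zz" };
	uint8_t key[DEMO_KEY_MAX];
	size_t i;
	int n;

	for (i = 0; i < sizeof(hex) / sizeof(hex[0]); i++)
		printf("hex %-8s -> %d\n", hex[i], hexstr2key(hex[i], key, DEMO_KEY_MAX));
	n = passwd2key("secret", key, DEMO_KEY_MAX);
	printf("password \"secret\" -> %d bytes\n", n);
	return 0;
}
```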


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.457 20-Mar-2024 claudio

Cleanup AID handling.

- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.

- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.

- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.

- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.

OK tb@


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@

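The macro expansion rules described in 1.423 (expand $NAME inside STRING elements, end the name at the first character that is neither alphanumeric nor '_', restrict the name length) and the error path from 1.429 (an unknown variable must fail the parse instead of expanding to nothing) are shown together in the following added example. It is not bgpd's lexer: the symbol table, MACRO_NAME_MAX, and the functions symget, is_macro_char, expand_macros and expand_or_null are constructed for this page.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MACRO_NAME_MAX 64	/* assumed limit, not bgpd's value */

/* Constructed symbol table standing in for the parser's symbol list. */
static const struct {
	const char	*name;
	const char	*value;
} symtab[] = {
	{ "PEER_AS",	"65001" },
	{ "RED",	"100" },
};

static const char *
symget(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof(symtab) / sizeof(symtab[0]); i++)
		if (strcmp(symtab[i].name, name) == 0)
			return symtab[i].value;
	return NULL;
}

/* Characters allowed in a macro name; anything else terminates it. */
static int
is_macro_char(int c)
{
	return isalnum(c) || c == '_';
}

/*
 * Expand every $NAME in `in` into `out` (capacity `outlen`).
 * "$PEER_AS:$RED" becomes "65001:100" because ':' ends the first name.
 * Returns 0 on success; -1 for an empty, overlong or unknown macro name
 * or when `out` is too small. Quoted strings never reach this step in
 * bgpd's lexer, so they are not special-cased here.
 */
int
expand_macros(const char *in, char *out, size_t outlen)
{
	char name[MACRO_NAME_MAX + 1];
	const char *val;
	size_t o = 0, n, vlen;

	while (*in != '\0') {
		if (*in != '$') {
			if (o + 1 >= outlen)
				return -1;
			out[o++] = *in++;
			continue;
		}
		in++;	/* skip '$' */
		for (n = 0; is_macro_char((unsigned char)in[n]); n++) {
			if (n >= MACRO_NAME_MAX)
				return -1;	/* name too long */
			name[n] = in[n];
		}
		name[n] = '\0';
		if (n == 0 || (val = symget(name)) == NULL)
			return -1;	/* unknown variable: fail the parse */
		vlen = strlen(val);
		if (o + vlen >= outlen)
			return -1;
		memcpy(out + o, val, vlen);
		o += vlen;
		in += n;
	}
	out[o] = '\0';
	return 0;
}

/* Helper for checks: expansion into a static buffer, NULL on error. */
const char *
expand_or_null(const char *in)
{
	static char buf[256];

	return expand_macros(in, buf, sizeof(buf)) == 0 ? buf : NULL;
}
```

Returning an error for an unknown name is the part that matters for safe configs: silently expanding `$TYPO` to an empty string would turn a community or AS specification into a different, still syntactically valid one.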

# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@

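The following added example illustrates the ordering problem in the commit above with a simplified stand-in for bgpd's community struct (the layout, the function names community_cmp_bytes, community_cmp, community_sort, host_is_little_endian, comparators_disagree and smallest_data1_after_sort, and the sample values are all constructed for this page, not taken from the project). A memcmp() over the struct compares the first stored byte of each uint32_t first, which on a little-endian host is the least significant byte, so two hosts sort the same set differently; comparing the fields as integers gives one order everywhere.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, assumed layout; bgpd's real struct has more fields. */
struct community {
	uint8_t		flags;
	uint8_t		type;
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

/* The endian-dependent comparator: byte-wise over the whole struct.
 * Also compares padding bytes, so callers must memset() first. */
int
community_cmp_bytes(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct community));
}

/* The portable comparator: each integer field in native byte order. */
int
community_cmp(const void *a, const void *b)
{
	const struct community *ca = a, *cb = b;

	if (ca->flags != cb->flags)
		return ca->flags < cb->flags ? -1 : 1;
	if (ca->type != cb->type)
		return ca->type < cb->type ? -1 : 1;
	if (ca->data1 != cb->data1)
		return ca->data1 < cb->data1 ? -1 : 1;
	if (ca->data2 != cb->data2)
		return ca->data2 < cb->data2 ? -1 : 1;
	if (ca->data3 != cb->data3)
		return ca->data3 < cb->data3 ? -1 : 1;
	return 0;
}

void
community_sort(struct community *c, size_t n)
{
	qsort(c, n, sizeof(*c), community_cmp);
}

/* Decided at run time so the check below works on either byte order. */
int
host_is_little_endian(void)
{
	uint16_t x = 1;
	uint8_t b;

	memcpy(&b, &x, 1);
	return b == 1;
}

/*
 * Compare two communities that differ only in data1 (0x0100 vs 0x0001)
 * with both comparators. Returns 1 if they disagree on this host, which
 * happens exactly on little-endian machines.
 */
int
comparators_disagree(void)
{
	struct community a, b;
	int byfield, bybytes;

	memset(&a, 0, sizeof(a));
	memset(&b, 0, sizeof(b));
	a.type = b.type = 1;
	a.data1 = 0x00000100;
	b.data1 = 0x00000001;
	byfield = community_cmp(&a, &b);	/* > 0 everywhere */
	bybytes = community_cmp_bytes(&a, &b);	/* < 0 on little-endian */
	return (byfield > 0) != (bybytes > 0);
}

/* Sort a constructed set with the portable comparator; data1 of the
 * smallest element is 1 regardless of host byte order. */
uint32_t
smallest_data1_after_sort(void)
{
	struct community set[3];

	memset(set, 0, sizeof(set));
	set[0].data1 = 0x00000100;
	set[1].data1 = 0x00010000;
	set[2].data1 = 0x00000001;
	community_sort(set, 3);
	return set[0].data1;
}
```

The regress test mentioned in the commit compares printed config against a fixed expectation, which is why an order that merely differs between architectures (rather than being wrong) still showed up as a failure.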

# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer (felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
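
The validation the ovs keywords act on, as an added example and not bgpd's own code: a prefix is not-found when no roa-set entry covers it, valid when a covering entry names its origin AS and its length does not exceed that entry's maxlen, and invalid otherwise. IPv4 only, with addresses kept as host-order integers; the example roa-set below is constructed from the entries in the commit message, and a bare entry gets maxlen equal to its own prefix length.

```c
/* Added example, not bgpd's own code: origin validation against a small
 * roa-set, giving the valid / invalid / not-found states that the
 * "ovs" filter terms match on. IPv4 only, host-order addresses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

struct roa {
	uint32_t prefix;    /* covering prefix, host byte order */
	uint8_t  plen;      /* its length */
	uint8_t  maxlen;    /* longest announcement still covered */
	uint32_t source_as; /* AS allowed to originate it */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
    ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed from the roa-set in the commit message above. */
const struct roa example_roas[2] = {
	{ IP4(165, 254, 255, 0), 24, 24, 15562 },
	{ IP4(193, 0, 0, 0),     21, 24, 3333 },
};

static uint32_t
mask4(uint8_t plen)
{
	return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* A ROA covers an announcement when the announcement is at least as
 * specific as the ROA prefix and lies inside it. */
static int
roa_covers(const struct roa *r, uint32_t prefix, uint8_t plen)
{
	return plen >= r->plen && ((prefix ^ r->prefix) & mask4(r->plen)) == 0;
}

/* Walk the whole set: one matching covering entry makes the route
 * valid, covering entries that all disagree make it invalid, and no
 * covering entry at all leaves it not-found. */
enum ovs
roa_validate(const struct roa *set, size_t n, uint32_t prefix, uint8_t plen,
    uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (!roa_covers(&set[i], prefix, plen))
			continue;
		covered = 1;
		if (set[i].source_as == origin_as && plen <= set[i].maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };

	/* 193.0.4.0/25 exceeds maxlen 24 of its covering ROA: invalid */
	printf("193.0.4.0/25 from AS3333: %s\n", names[roa_validate(
	    example_roas, 2, IP4(193, 0, 4, 0), 25, 3333)]);
	return 0;
}
```

Rules such as `deny from any ovs invalid` are only as good as the roa-set behind them; an announcement that is more specific than every covering ROA is invalid even when the origin AS is right, which is the case a maxlen value exists to catch.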


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@
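
The set table described in 1.353 and 1.334, as an added example that is not bgpd's own code: a sorted array of fixed-size objects whose only contract is that each object starts with a 32-bit id, sorted lazily and searched with bsearch(3), so the same code can hold plain AS numbers or richer records. The struct and function names are this example's own.

```c
/* Added example, not bgpd's own code: a generic sorted set whose
 * entries may be any struct as long as the first 32 bits are the id
 * that lookups search for. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct set_table {
	void	*data;    /* nmemb objects of objsize bytes each */
	size_t	 nmemb;
	size_t	 objsize;
	int	 dirty;   /* set after an add, cleared once sorted */
};

/* Compare the leading uint32_t of two objects. memcpy keeps this free
 * of alignment assumptions about the caller's struct layout. */
static int
id_cmp(const void *a, const void *b)
{
	uint32_t ia, ib;

	memcpy(&ia, a, sizeof(ia));
	memcpy(&ib, b, sizeof(ib));
	return ia < ib ? -1 : ia > ib;
}

/* Objects must at least hold the id; anything smaller is refused. */
struct set_table *
set_new(size_t objsize)
{
	struct set_table *t;

	if (objsize < sizeof(uint32_t) || (t = calloc(1, sizeof(*t))) == NULL)
		return NULL;
	t->objsize = objsize;
	return t;
}

/* Append n objects; sorting is deferred until the next lookup. */
int
set_add(struct set_table *t, const void *objs, size_t n)
{
	void *p;

	if (n > SIZE_MAX / t->objsize - t->nmemb)	/* size overflow guard */
		return -1;
	if ((p = realloc(t->data, (t->nmemb + n) * t->objsize)) == NULL)
		return -1;
	t->data = p;
	memcpy((char *)t->data + t->nmemb * t->objsize, objs, n * t->objsize);
	t->nmemb += n;
	t->dirty = 1;
	return 0;
}

void
set_prep(struct set_table *t)
{
	if (t->dirty) {
		qsort(t->data, t->nmemb, t->objsize, id_cmp);
		t->dirty = 0;
	}
}

/* Returns the matching object or NULL, so callers that store richer
 * structs can read the fields that follow the id. */
void *
set_match(struct set_table *t, uint32_t id)
{
	if (t->nmemb == 0)
		return NULL;
	set_prep(t);
	return bsearch(&id, t->data, t->nmemb, t->objsize, id_cmp);
}

void
set_free(struct set_table *t)
{
	if (t != NULL) {
		free(t->data);
		free(t);
	}
}

/* Two users of the same table code: bare AS numbers, and entries that
 * carry extra data behind the id. Both are this example's own types. */
struct as_entry  { uint32_t as; };
struct roa_entry { uint32_t as; uint8_t maxlen; };
```

Because bsearch only ever reads the first four bytes through id_cmp, the lookup cost is the same whether the set holds 4-byte or 16-byte objects; what grows is only the memory moved during the one qsort after a reload.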


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@
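
What 1.351 and 1.333 describe, as an added example that is not bgpd's own code: every prefixlen operator on a rule collapses into one inclusive length range, which makes `maxlen 24` and `prefixlen 8 - 24` the same thing, gives the RDE one matcher, and lets the printer pick the shortest spelling. Operator names, the `maxplen` parameter (32 for inet, 128 for inet6) and the printing preferences are this example's own choices.

```c
/* Added example, not bgpd's own code: normalise prefixlen operators
 * into one [min, max] range, match against it, and print it back in
 * the shortest form. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pl_op {
	PL_NONE,      /* bare "prefix X/N": that exact length only */
	PL_EQ,        /* prefixlen = a */
	PL_LE,        /* prefixlen <= a */
	PL_LT,        /* prefixlen < a */
	PL_GE,        /* prefixlen >= a */
	PL_GT,        /* prefixlen > a */
	PL_RANGE,     /* prefixlen a - b, inclusive */
	PL_XRANGE,    /* prefixlen a >< b, exclusive */
	PL_ORLONGER,  /* or-longer: N up to the address family maximum */
	PL_MAXLEN     /* maxlen a: N up to a, as ROA entries spell it */
};

struct pl_range { uint8_t min, max; };

/* Collapse op/a/b applied to a prefix of length plen into a range.
 * Returns -1 when the range is empty or would reach outside the
 * covering prefix (a length shorter than plen can never match). */
int
pl_normalize(enum pl_op op, uint8_t plen, uint8_t a, uint8_t b,
    uint8_t maxplen, struct pl_range *r)
{
	int lo, hi;

	switch (op) {
	case PL_NONE:     lo = plen;  hi = plen;       break;
	case PL_EQ:       lo = a;     hi = a;          break;
	case PL_LE:       lo = plen;  hi = a;          break;
	case PL_LT:       lo = plen;  hi = (int)a - 1; break;
	case PL_GE:       lo = a;     hi = maxplen;    break;
	case PL_GT:       lo = a + 1; hi = maxplen;    break;
	case PL_RANGE:    lo = a;     hi = b;          break;
	case PL_XRANGE:   lo = a + 1; hi = (int)b - 1; break;
	case PL_ORLONGER: lo = plen;  hi = maxplen;    break;
	case PL_MAXLEN:   lo = plen;  hi = a;          break;
	default:          return -1;
	}
	if (lo < plen || hi > maxplen || lo > hi)
		return -1;
	r->min = (uint8_t)lo;
	r->max = (uint8_t)hi;
	return 0;
}

/* The whole family of operators becomes this one comparison. */
int
pl_match(const struct pl_range *r, uint8_t len)
{
	return len >= r->min && len <= r->max;
}

/* Render the range the short way: the full range up to the maximum
 * is "or-longer", a single length keeps the "= N" form, a range that
 * starts at the prefix length is "maxlen N". Returns buf. */
const char *
pl_print(const struct pl_range *r, uint8_t plen, uint8_t maxplen,
    char *buf, size_t len)
{
	if (len == 0)
		return buf;
	if (r->min == plen && r->max == plen)
		buf[0] = '\0';                 /* exact prefix, no operator */
	else if (r->min == plen && r->max == maxplen)
		snprintf(buf, len, "or-longer");
	else if (r->min == r->max)
		snprintf(buf, len, "prefixlen = %u", r->min);
	else if (r->min == plen)
		snprintf(buf, len, "maxlen %u", r->max);
	else
		snprintf(buf, len, "prefixlen %u - %u", r->min, r->max);
	return buf;
}
```

The validity check at the end of pl_normalize is the part worth copying: a rule like `prefix 10.0.0.0/8 prefixlen = 4` can never match, and rejecting it at parse time is better than silently carrying a dead rule into the RDE.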


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first limits
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
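
The path checks behind max-as-len and max-as-seq, together with the as-override rewrite from 1.369, as an added example that is not bgpd's own code. The path is kept as a flat array of 4-byte AS numbers (a real AS_PATH carries segments, which this leaves out), and the function names are this example's own; as-override works on the copy the filter stage hands it, so the Adj-RIB-In keeps the original path exactly as 1.369 says.

```c
/* Added example, not bgpd's own code: AS path length, prepend depth
 * and as-override on a flat AS_SEQUENCE. */
#include <stdint.h>
#include <stddef.h>

/* Longest run of one AS repeated back to back, i.e. the prepend depth. */
size_t
aspath_maxseq(const uint32_t *path, size_t n)
{
	size_t best = 0, run = 0, i;

	for (i = 0; i < n; i++) {
		run = (i > 0 && path[i] == path[i - 1]) ? run + 1 : 1;
		if (run > best)
			best = run;
	}
	return best;
}

/* "max-as-len N" matches paths longer than N. */
int
filter_max_as_len(const uint32_t *path, size_t n, size_t max)
{
	(void)path;
	return n > max;
}

/* "max-as-seq N" matches when some AS appears more than N times in a row. */
int
filter_max_as_seq(const uint32_t *path, size_t n, size_t max)
{
	return aspath_maxseq(path, n) > max;
}

/* as-override: rewrite every occurrence of the neighbor AS to the local
 * AS. Returns how many entries changed. Run on the filter stage's copy
 * of the path so the original stays in the Adj-RIB-In. */
size_t
aspath_override(uint32_t *path, size_t n, uint32_t neighbor_as,
    uint32_t local_as)
{
	size_t changed = 0, i;

	for (i = 0; i < n; i++)
		if (path[i] == neighbor_as) {
			path[i] = local_as;
			changed++;
		}
	return changed;
}
```

A prepend-heavy path trips max-as-seq long before max-as-len does, which is why the two are separate knobs: a path of twenty distinct ASes and a path of one AS prepended twenty times have the same length but very different meaning.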


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.457 20-Mar-2024 claudio

Cleanup AID handling.

- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.

- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.

- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.

- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.

OK tb@


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before).
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET nor AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
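As an added example (not bgpd's code), the three ovs outcomes the rules above distinguish, computed from a roa-set in the syntax shown, together with the merge of duplicate prefix/source-as entries keeping the longest maxlen described in the entry preceding 1.404. The sample roa-set is constructed here; the AS 0 handling follows the RFC 6483 convention and is an assumption, not something the log states.

```python
"""RPKI origin validation as configured with 'roa-set' and 'ovs'.

A route is 'valid' when some VRP covers it, has the same source-as and a
maxlen >= the route's prefixlen; 'invalid' when VRPs cover it but none
match; 'not-found' when no VRP covers it at all.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
VRP = Tuple[Network, int, int]  # (prefix, maxlen, source-as)

# Constructed sample in the roa-set syntax from the log. The second
# 193.0.0.0/21 line is a deliberate duplicate with a shorter maxlen.
SAMPLE_ROA_SET = """
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333,
    193.0.0.0/21 maxlen 22 source-as 3333
}
"""


def parse_roa_set(text: str) -> List[VRP]:
    """Parse 'PREFIX [maxlen N] source-as ASN' lines (trailing commas optional).

    An entry without maxlen gets maxlen == prefixlen. Entries with the same
    prefix and source-as are merged, keeping the one with the longest maxlen,
    since that VRP covers all the others.
    """
    merged: Dict[Tuple[Network, int], int] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        tokens = line.split()
        prefix = ipaddress.ip_network(tokens[0], strict=True)
        maxlen, asn = prefix.prefixlen, None
        i = 1
        while i < len(tokens):
            if tokens[i] == "maxlen" and i + 1 < len(tokens):
                maxlen = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "source-as" and i + 1 < len(tokens):
                asn = int(tokens[i + 1])
                i += 2
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
        if asn is None:
            raise ValueError(f"missing source-as in {line!r}")
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {prefix}")
        key = (prefix, asn)
        merged[key] = max(merged.get(key, 0), maxlen)
    return [(prefix, maxlen, asn) for (prefix, asn), maxlen in merged.items()]


def origin_validate(vrps: List[VRP], route: str, source_as: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route and its origin AS."""
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for prefix, maxlen, asn in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix;
        # maxlen only decides whether the covering VRP also validates it.
        if prefix.version != net.version or not net.subnet_of(prefix):
            continue
        covered = True
        # Assumption (RFC 6483 convention, not from the log): a VRP with
        # source-as 0 covers routes but never validates any origin.
        if asn != 0 and asn == source_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    vrps = parse_roa_set(SAMPLE_ROA_SET)
    for prefix, maxlen, asn in vrps:
        print(f"VRP {prefix} maxlen {maxlen} source-as {asn}")
    for route, asn in [("193.0.2.0/24", 3333), ("193.0.2.0/25", 3333),
                       ("193.0.0.0/21", 64512), ("10.0.0.0/8", 3333)]:
        print(f"{route} from AS{asn}: ovs {origin_validate(vrps, route, asn)}")
```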


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value, and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn suftreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.458 03-Apr-2024 claudio

Rewrite str2key() to not use strtoul() to convert 2 hexdigits into one
char. Instead use a simple function to do the conversion per nibble.
OK deraadt@ tb@


# 1.457 20-Mar-2024 claudio

Cleanup AID handling.

- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.

- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.

- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.

- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.

OK tb@


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@
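As an added example, not bgpd's own str2key() and not taken from the project: the per-nibble hex key conversion that rev 1.458 describes, with the unsigned char cast from rev 1.456, plus the ASCII password form and the "too long" rejection from revs 1.43 and 1.44. The names hexkey_parse, asciikey_parse and the KEY_MAX limit are assumptions for this example only; bgpd's real limits and signatures differ.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed maximum key length in bytes for this example only. */
#define KEY_MAX 80

/*
 * Value of one hex digit, or -1 if c is not a hex digit. The cast to
 * unsigned char is the point of rev 1.456: a plain char may be negative
 * and isxdigit() is only defined for unsigned char values and EOF.
 */
static int
hexnibble(char c)
{
	unsigned char uc = (unsigned char)c;

	if (!isxdigit(uc))
		return -1;
	if (uc >= '0' && uc <= '9')
		return uc - '0';
	return tolower(uc) - 'a' + 10;
}

/*
 * Per-nibble conversion instead of strtoul() on two-character chunks.
 * Writes at most keymax bytes into key and returns the key length, or -1
 * for an empty string, an odd number of digits, a non-hex character or a
 * key longer than keymax bytes. The length checks run before the first
 * byte is written, so a rejected key never leaves a half-filled buffer.
 */
int
hexkey_parse(const char *s, unsigned char *key, size_t keymax)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0 || len / 2 > keymax)
		return -1;
	for (i = 0; i < len; i += 2) {
		hi = hexnibble(s[i]);
		lo = hexnibble(s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (unsigned char)((hi << 4) | lo);
	}
	return (int)(len / 2);
}

/*
 * ASCII password form: the bytes of the string are the key. Empty and
 * over-long passwords are rejected instead of silently truncated.
 */
int
asciikey_parse(const char *s, unsigned char *key, size_t keymax)
{
	size_t len = strlen(s);

	if (len == 0 || len > keymax)
		return -1;
	memcpy(key, s, len);
	return (int)len;
}

/* Helpers that parse into a local buffer and report a single result. */
int
hexkey_len(const char *s, size_t keymax)
{
	unsigned char key[KEY_MAX];

	if (keymax > sizeof(key))
		keymax = sizeof(key);
	return hexkey_parse(s, key, keymax);
}

int
hexkey_byte(const char *s, size_t idx)
{
	unsigned char key[KEY_MAX];
	int n = hexkey_parse(s, key, sizeof(key));

	if (n < 0 || idx >= (size_t)n)
		return -1;
	return key[idx];
}

int
asciikey_len(const char *s, size_t keymax)
{
	unsigned char key[KEY_MAX];

	if (keymax > sizeof(key))
		keymax = sizeof(key);
	return asciikey_parse(s, key, keymax);
}
```

The one check worth keeping in mind when writing this kind of code is the order: validate the whole string length against the buffer before converting anything, so that an over-long or malformed key cannot be partially written and later picked up by a caller that ignores the return value.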


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure that the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@
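
The expansion rules described in this entry (expand $macros outside quoted strings, terminate the name at the first character that is not alphanumeric or '_', reject undefined macros and badly formed names), re-implemented in Python as an added illustration. This is not bgpd's parse.y code; the name-length bound and the rule that a name may not start with a digit are assumptions of this example.

```python
"""Macro expansion as described for bgpd's parse.y, re-implemented here as an
illustration (added example, not bgpd's own code)."""
import string

MACRO_NAME_CHARS = frozenset(string.ascii_letters + string.digits + "_")
MAX_MACRO_NAME_LEN = 64  # assumed bound for this example; parse.y uses its own


class MacroError(ValueError):
    """Raised where the real lexer would hand ERROR back to the parser."""


def set_macro(macros: dict, name: str, value: str) -> None:
    """Define a macro, enforcing the name restrictions: non-empty, bounded
    length, only alphanumerics and '_'. Refusing a leading digit is an
    extra restriction assumed by this example."""
    if not name or len(name) >= MAX_MACRO_NAME_LEN:
        raise MacroError(f"macro name {name!r} is empty or too long")
    if any(ch not in MACRO_NAME_CHARS for ch in name) or name[0].isdigit():
        raise MacroError(f"macro name {name!r} contains disallowed characters")
    macros[name] = value


def expand_macros(line: str, macros: dict) -> str:
    """Expand every $NAME in LINE that sits outside quoted strings.

    A macro name ends at the first character that is not alphanumeric or
    '_', so "$FOO:$BAR" expands both macros. Text inside single or double
    quotes is copied verbatim. An undefined macro is an error rather than
    a silent empty expansion."""
    out = []
    i, n = 0, len(line)
    while i < n:
        ch = line[i]
        if ch in ("'", '"'):
            close = line.find(ch, i + 1)
            if close == -1:
                raise MacroError("unterminated quoted string")
            out.append(line[i:close + 1])  # no expansion inside quotes
            i = close + 1
        elif ch == "$":
            j = i + 1
            while j < n and line[j] in MACRO_NAME_CHARS:
                j += 1
            name = line[i + 1:j]
            if not name:
                raise MacroError("'$' not followed by a macro name")
            if name not in macros:
                raise MacroError(f"macro '{name}' not defined")
            out.append(macros[name])
            i = j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    m = {}
    set_macro(m, "AS", "65001")
    set_macro(m, "TAG", "100")
    print(expand_macros("set community $AS:$TAG", m))
    print(expand_macros('descr "$AS stays literal"', m))
```

Note that "$AS_TAG" is looked up as the single name AS_TAG, which is why the separator between two adjacent macros has to be a character outside the name alphabet, as it is in "$AS:$TAG".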


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with protable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64(), which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since these are filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
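
The semantics this entry and the 1.405 entry above describe (a roa-set of prefix / optional maxlen / source-as entries, overlapping entries for the same prefix and source-as merged by keeping the longest maxlen, and the valid / invalid / not-found origin validation state used by the ovs keyword), re-implemented in Python as an added illustration. This is not bgpd's RDE or rtr code; the optional 'expires' timestamp from the 1.419 entry is included, and the sample roa-set below is constructed for the example. An origin-set, per the entry above, corresponds to the "valid" outcome only.

```python
"""Origin validation over a roa-set, re-implemented in Python as an added
illustration of the behaviour described in the log; not bgpd's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    prefix: Network
    maxlen: int
    source_as: int
    expires: Optional[int] = None  # unix timestamp; None means never expires


def parse_roa_set(text: str) -> List[Roa]:
    """Parse the body of a roa-set block.

    Each entry is "PREFIX [maxlen N] source-as AS [expires T]" with an
    optional trailing comma; maxlen defaults to the prefix length.
    Entries with the same prefix and source-as are merged and the longest
    maxlen is kept, since that VRP covers all the others."""
    merged: Dict[Tuple[Network, int], Roa] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        toks = line.split()
        if len(toks) % 2 == 0:  # prefix plus keyword/value pairs is an odd count
            raise ValueError(f"malformed roa-set entry: {line}")
        net: Network = ipaddress.ip_network(toks[0], strict=True)
        maxlen, source_as, expires = net.prefixlen, None, None
        for kw, val in zip(toks[1::2], toks[2::2]):
            if kw == "maxlen":
                maxlen = int(val)
            elif kw == "source-as":
                source_as = int(val)
            elif kw == "expires":
                expires = int(val)
            else:
                raise ValueError(f"unknown keyword {kw!r} in: {line}")
        if source_as is None:
            raise ValueError(f"source-as missing in: {line}")
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        key = (net, source_as)
        current = merged.get(key)
        if current is None or maxlen > current.maxlen:
            merged[key] = Roa(net, maxlen, source_as, expires)
    return list(merged.values())


def purge_expired(roas: List[Roa], now: int) -> List[Roa]:
    """Drop entries whose expires timestamp has passed (the periodic walk
    the rtr process does, reduced to one call)."""
    return [r for r in roas if r.expires is None or r.expires > now]


def origin_validation_state(roas: List[Roa], prefix: str, origin_as: int) -> str:
    """Return "valid", "invalid" or "not-found" for a route.

    A ROA covers the route when the route prefix lies inside the ROA
    prefix. The route is valid if some covering ROA has the route's origin
    AS and the route prefix length does not exceed that ROA's maxlen;
    covered but never valid is invalid; not covered at all is not-found."""
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != net.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.source_as == origin_as and net.prefixlen <= roa.maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample in the syntax shown above. The two 193.0.0.0/21 lines
# are the overlapping case (same prefix and source-as, different maxlen).
SAMPLE_ROA_SET = """\
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333,
    193.0.0.0/21 maxlen 22 source-as 3333,
    2001:db8::/32 maxlen 48 source-as 64496 expires 1000
}
"""

if __name__ == "__main__":
    roas = parse_roa_set(SAMPLE_ROA_SET)
    for route, asn in [("193.0.0.0/24", 3333), ("193.0.0.0/25", 3333),
                       ("193.0.0.0/21", 64496), ("10.0.0.0/8", 3333)]:
        print(route, asn, origin_validation_state(roas, route, asn))
```

The /25 case is the one worth remembering when writing filters: it is covered by the /21 ROA, so it is invalid rather than not-found, and a 'deny from any ovs invalid' rule drops it even though the origin AS is the right one.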


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
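The two checks the entry above describes, written out as an added example (not bgpd's own code; function names are hypothetical). nexthop_v4_valid() rejects class D (multicast), class E (reserved) and 127/8 addresses as the entry states and, as an addition beyond the entry, also rejects 0/8. first_as_matches() is the "enforce neighbor-as" rule in its simplest form: on an eBGP session the leftmost AS of the received AS_PATH must equal the neighbor's configured remote AS; the path is modelled as a flat sequence, ignoring AS_SET segments.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Reject nexthops that cannot be forwarded to: 127/8 loopback,
 * 224/4 class D multicast, 240/4 class E reserved (incl. broadcast),
 * and, beyond what the log entry lists, 0/8.
 */
bool
nexthop_v4_valid(const char *s)
{
	struct in_addr a;
	uint32_t h;

	if (inet_pton(AF_INET, s, &a) != 1)
		return (false);
	h = ntohl(a.s_addr);
	if ((h >> 24) == 0)			/* 0.0.0.0/8, added here */
		return (false);
	if ((h >> 24) == 127)			/* loopback */
		return (false);
	if ((h & 0xf0000000U) == 0xe0000000U)	/* class D, multicast */
		return (false);
	if ((h & 0xf0000000U) == 0xf0000000U)	/* class E, reserved */
		return (false);
	return (true);
}

/*
 * "enforce neighbor-as": path is the AS_PATH as a flat array of AS
 * numbers, leftmost first. For eBGP the leftmost AS must be the
 * neighbor's remote AS; an empty path from an eBGP peer is rejected.
 * For iBGP the check does not apply.
 */
bool
first_as_matches(const uint32_t *path, size_t n, uint32_t remote_as, bool ebgp)
{
	if (!ebgp)
		return (true);
	if (n == 0 || path == NULL)
		return (false);
	return (path[0] == remote_as);
}
```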


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
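One way to implement the secrecy check the entry above describes, as an added example (not bgpd's own code; the function names are hypothetical): the configuration holds TCP MD5 and IPsec keys, so the file must be owned by root or the calling user and carry no group or world permission bits. The check runs on the already opened descriptor with fstat(), not on the path, so it cannot be raced by swapping the path between a stat() and the open(). demo_secrecy() is a test helper that creates a temporary file with a given mode and runs the check on it.

```c
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * 0 if fd is a regular file owned by root or the calling user with no
 * group/other permission bits, -1 otherwise (reason logged to stderr).
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "cannot stat %s: %s\n", fname, strerror(errno));
		return (-1);
	}
	if (!S_ISREG(st.st_mode)) {
		fprintf(stderr, "%s: not a regular file\n", fname);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return (-1);
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		fprintf(stderr, "%s: group/world readable/writeable\n", fname);
		return (-1);
	}
	return (0);
}

/* test helper: create a temp file with the given mode, check it, clean up */
int
demo_secrecy(mode_t mode)
{
	char path[] = "/tmp/secrecy.XXXXXX";	/* constructed, not a real config */
	int fd, ret;

	fd = mkstemp(path);	/* created 0600 regardless of umask */
	if (fd == -1)
		return (-1);
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return (-1);
	}
	ret = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return (ret);
}

int
main(int argc, char *argv[])
{
	int fd;

	if (argc != 2) {
		fprintf(stderr, "usage: %s configfile\n", argv[0]);
		return (1);
	}
	if ((fd = open(argv[1], O_RDONLY)) == -1) {
		perror(argv[1]);
		return (1);
	}
	if (check_file_secrecy(fd, argv[1]) == -1)
		return (1);
	printf("%s: ok\n", argv[1]);
	return (0);
}
```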


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.457 20-Mar-2024 claudio

Cleanup AID handling.

- Loops over all valid AID should start with AID_MIN and go up to AID_MAX - 1
e.g. for (i = AID_MIN; i < AID_MAX; i++)
If for some reason AID_UNSPEC must be handled make that explicit in the
for loop.

- aid2afi() now returns an error for AID_UNSPEC since there is no valid
AFI SAFI combo for AID_UNSPEC.

- Add additional checks for AID_MIN where currently only AID_MAX was checked.
This affects imsg for route refresh and graceful restart.

- Simplify add-path capability handling. Only the negotiated add_path capa
sets the flag for AID_UNSPEC to help code to quickly check if any add-path
is active.

OK tb@


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@
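An added example (not bgpd's str2key(); names and the MAX_KEY_LEN limit are assumptions for the demo) of the string-to-key conversion touched by this entry and by the md5sig/ipsec key entries earlier in this log (1.103, 1.110, 1.43/1.44): isxdigit() is only defined for values representable as unsigned char and EOF, so each char is cast before the call; without the cast a byte of 0x80 or above is sign-extended to a negative int and the result is undefined. The hex path converts one nibble at a time, rejects empty and odd-length strings and keys longer than keymax, and accepts a key of exactly keymax bytes (the off-by-one a "key too long" check can get wrong). The ASCII password path copies bytes as-is and fails loudly instead of truncating.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_KEY_LEN	80	/* assumed limit for the demo */

static int
hexnibble(unsigned char c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Convert hex string s into key. Returns the number of key bytes, or -1
 * if s is empty, has odd length, holds a non-hex char, or needs more
 * than keymax bytes. Exactly keymax bytes is allowed.
 */
int
str2key(const char *s, uint8_t *key, size_t keymax)
{
	size_t i, len = strlen(s);

	if (len == 0 || len % 2 != 0 || len / 2 > keymax)
		return (-1);
	for (i = 0; i < len; i++)
		if (!isxdigit((unsigned char)s[i]))	/* cast, see lead-in */
			return (-1);
	for (i = 0; i < len; i += 2)
		key[i / 2] = (uint8_t)((hexnibble((unsigned char)s[i]) << 4) |
		    hexnibble((unsigned char)s[i + 1]));
	return ((int)(len / 2));
}

/*
 * ASCII password form: bytes are used as-is (smaller key space, but
 * interoperable). Returns the length, or -1 if empty or too long.
 */
int
password2key(const char *pw, uint8_t *key, size_t keymax)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keymax)
		return (-1);
	memcpy(key, pw, len);
	return ((int)len);
}

/* validation-only wrappers for callers that do not need the bytes */
int
str2key_valid(const char *s, size_t keymax)
{
	uint8_t tmp[MAX_KEY_LEN];

	if (keymax > sizeof(tmp))
		keymax = sizeof(tmp);
	return (str2key(s, tmp, keymax));
}

int
password2key_valid(const char *pw, size_t keymax)
{
	uint8_t tmp[MAX_KEY_LEN];

	if (keymax > sizeof(tmp))
		keymax = sizeof(tmp);
	return (password2key(pw, tmp, keymax));
}

/* byte i of the converted hex key, or -1 on error / out of range */
int
str2key_byte(const char *s, size_t i)
{
	uint8_t tmp[MAX_KEY_LEN];
	int n = str2key(s, tmp, sizeof(tmp));

	if (n < 0 || i >= (size_t)n)
		return (-1);
	return (tmp[i]);
}
```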


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows setting up sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows sending out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up to and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up to but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filter rule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this, stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'.
Similar to graceful restart this allows marking routes as stale, refreshing
them and then flushing out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes, received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64(), which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon AS'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
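A nexthop validity check of the kind this message describes, written here as an added example and not taken from bgpd: it rejects IPv4 nexthops in 127/8, class D (224/4) and class E (240/4). The function names and the host-byte-order convention are assumptions of this example, and it goes slightly beyond the message by also rejecting 0.0.0.0.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Example nexthop sanity check (not bgpd's own code). The address is
 * taken in host byte order so the prefix tests are plain shifts; callers
 * holding a struct in_addr must ntohl() it first. Returns 1 if usable,
 * 0 if the address must be refused as a nexthop. */
int
example_nexthop_valid(uint32_t addr)
{
	if (addr == 0)			/* 0.0.0.0: not a usable nexthop (assumption) */
		return 0;
	if ((addr >> 24) == 127)	/* 127/8: loopback */
		return 0;
	if ((addr >> 28) == 0xe)	/* 224/4: class D, multicast */
		return 0;
	if ((addr >> 28) == 0xf)	/* 240/4: class E, reserved */
		return 0;
	return 1;
}

/* Wrapper taking dotted-quad text. Returns -1 on a malformed address,
 * otherwise the verdict of example_nexthop_valid(). */
int
example_nexthop_valid_str(const char *s)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return -1;
	return example_nexthop_valid(ntohl(in.s_addr));
}

int
main(void)
{
	const char *samples[] = { "192.0.2.1", "127.0.0.1", "224.0.0.5",
	    "240.0.0.1", "0.0.0.0", "bogus" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s -> %d\n", samples[i],
		    example_nexthop_valid_str(samples[i]));
	return 0;
}
```

The byte-order step is where such checks usually go wrong: comparing the top octet of a network-order value on a little-endian host tests the last octet instead.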


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.456 18-Mar-2024 claudio

Typecast char argument to isxdigit() to unsigned char since isxdigit()
only works that way correctly.
OK deraadt@
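The string-to-key conversion that several of these messages touch (the ascii "tcp md5sig password" form and the hex form of 1.43, the refusal to silently truncate of 1.44, the factored-out conversion of 1.103, the "key too long" comparison of 1.110 and the isxdigit() cast above), as one added example. It is not bgpd's str2key(); the function names, the scratch buffer and the maximum key length are assumptions of this example, and it converts per nibble rather than handing two-character chunks to strtoul().

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum key length for this example; bgpd's own limits are not
 * reproduced here. */
#define EXAMPLE_MAX_KEYLEN 80

/* Scratch key buffer so the converters can be called without a caller
 * supplied one. */
uint8_t example_key[EXAMPLE_MAX_KEYLEN];

/* Value of one hex digit, or -1. The byte is widened through unsigned char
 * first: where char is signed, a byte >= 0x80 (a stray UTF-8 character in
 * the config, say) would reach isxdigit() as a negative int, which is
 * undefined behaviour. */
static int
example_hexnibble(char c)
{
	unsigned char uc = (unsigned char)c;

	if (!isxdigit(uc))
		return -1;
	if (uc >= '0' && uc <= '9')
		return uc - '0';
	return tolower(uc) - 'a' + 10;
}

/* Hex string -> key bytes, one nibble at a time. strtoul() on two-char
 * chunks would silently accept leading whitespace, a sign or an "0x"
 * prefix; this does not. Returns the key length, or -1 if the input is
 * empty, of odd length, contains a non-hex byte, or needs more than
 * keysz bytes (strictly more: a key that exactly fills the buffer is fine). */
int
example_hexstr2key(const char *s, uint8_t *key, size_t keysz)
{
	size_t len = strlen(s), i;

	if (len == 0 || len % 2 != 0)
		return -1;
	if (len / 2 > keysz)
		return -1;
	for (i = 0; i < len; i += 2) {
		int hi = example_hexnibble(s[i]);
		int lo = example_hexnibble(s[i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)((hi << 4) | lo);
	}
	return (int)(len / 2);
}

/* ASCII password -> key bytes: the key is the password's bytes verbatim,
 * which is why this form has the smaller key space. A password that does
 * not fit is an error rather than silently truncated. Returns the key
 * length or -1. */
int
example_passwd2key(const char *pw, uint8_t *key, size_t keysz)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keysz)
		return -1;
	memcpy(key, pw, len);
	return (int)len;
}

int
main(void)
{
	int n = example_hexstr2key("0aFf10", example_key, sizeof(example_key));
	int i;

	printf("hex key, %d bytes:", n);
	for (i = 0; i < n; i++)
		printf(" %02x", example_key[i]);
	printf("\n");
	printf("odd length: %d\n",
	    example_hexstr2key("abc", example_key, sizeof(example_key)));
	printf("0x prefix:  %d\n",
	    example_hexstr2key("0x12", example_key, sizeof(example_key)));
	printf("password:   %d\n",
	    example_passwd2key("s3cret", example_key, sizeof(example_key)));
	return 0;
}
```

The length test is the spot the 1.110 fix was about: with `len / 2 > keysz` a key that exactly fills the buffer is accepted and one byte more is refused; writing `>=` there rejects a valid full-length key, and writing the check on `len` instead of `len / 2` overflows.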


Revision tags: OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure that the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up to and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up to but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.455 16-Aug-2023 claudio

Remove per-AFI ASPA handling in bgpd internals

With draft-ietf-sidrops-aspa-profile-16 and
draft-ietf-sidrops-aspa-verification-15 the AFI dependence of ASPA
records was dropped. So remove this complication from the code.

This only removes the AFI handling internally in bgpd but still allows
the old syntax in aspa-set tables. The optional address family is just
ignored and records are merged together.

For RTR sessions draft-ietf-sidrops-8210bis has not yet been updated so
right now we still handle RTR sessions as specified there. The IPv4 and
IPv6 ASPA entries are handled in two trees and merged together into one
AFI independent tree. This is the best we can do for now until IETF
updates draft-ietf-sidrops-8210bis.

OK tb@ job@


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATEs with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
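
Added example (editor's code, not bgpd's): the origin validation state
that the 1.361 commit configures with 'ovs valid / invalid / not-found',
worked through in C over the roa-set quoted above, following RFC 6811
(a ROA covers a route when the route lies inside the ROA prefix; it
matches when additionally the route length is within maxlen and the
source-as equals the origin AS). It also applies the merge rule from
1.405: a second entry for the same prefix and source-as only keeps the
longest maxlen. The table layout, function names and the assumption
that an entry without 'maxlen' means maxlen equal to the prefix length
are this example's, not bgpd's.

```c
/*
 * Added example, not bgpd source. RFC 6811 origin validation over a
 * small IPv4 ROA table plus the "keep longest maxlen" merge rule.
 * Assumption: a roa-set line without maxlen means maxlen == prefixlen.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

enum ovs { OVS_NOTFOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

struct roa {
	uint32_t prefix;	/* masked IPv4 prefix, host byte order */
	uint8_t prefixlen;
	uint8_t maxlen;
	uint32_t asn;		/* source-as */
};

#define MAX_ROAS 32
struct roa_set {
	struct roa roas[MAX_ROAS];
	size_t n;
};

static uint32_t
netmask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffu << (32 - len);
}

/*
 * Add a ROA. An existing entry with the same prefix, prefixlen and
 * source-as is merged by keeping the longest maxlen (the VRP that
 * covers all the others). Returns 0 on success, -1 on bad input/full.
 */
int
roa_set_add(struct roa_set *s, const char *pfx, uint8_t plen,
    uint8_t maxlen, uint32_t asn)
{
	struct in_addr a;
	uint32_t p;
	size_t i;

	if (inet_pton(AF_INET, pfx, &a) != 1 || plen > 32 || maxlen > 32 ||
	    maxlen < plen)
		return -1;
	p = ntohl(a.s_addr) & netmask(plen);
	for (i = 0; i < s->n; i++) {
		struct roa *r = &s->roas[i];
		if (r->prefix == p && r->prefixlen == plen && r->asn == asn) {
			if (maxlen > r->maxlen)
				r->maxlen = maxlen;
			return 0;
		}
	}
	if (s->n >= MAX_ROAS)
		return -1;
	s->roas[s->n++] = (struct roa){ p, plen, maxlen, asn };
	return 0;
}

/* Returns OVS_VALID, OVS_INVALID, OVS_NOTFOUND, or -1 on bad input. */
int
roa_validate(const struct roa_set *s, const char *pfx, uint8_t plen,
    uint32_t origin_as)
{
	struct in_addr a;
	uint32_t p;
	size_t i;
	int covered = 0;

	if (inet_pton(AF_INET, pfx, &a) != 1 || plen > 32)
		return -1;
	p = ntohl(a.s_addr);
	for (i = 0; i < s->n; i++) {
		const struct roa *r = &s->roas[i];
		/* covered: route at least as specific and inside the ROA prefix */
		if (plen < r->prefixlen ||
		    (p & netmask(r->prefixlen)) != r->prefix)
			continue;
		covered = 1;
		/* matched: within maxlen and same origin AS */
		if (plen <= r->maxlen && r->asn == origin_as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

/* Constructed sample data: the roa-set from the 1.361 commit message. */
struct roa_set example_set;

int
build_example_set(void)
{
	example_set.n = 0;
	if (roa_set_add(&example_set, "165.254.255.0", 24, 24, 15562) == -1 ||
	    roa_set_add(&example_set, "193.0.0.0", 21, 24, 3333) == -1)
		return -1;
	return (int)example_set.n;
}

int
example_ovs(const char *pfx, uint8_t plen, uint32_t origin_as)
{
	return roa_validate(&example_set, pfx, plen, origin_as);
}

int
main(void)
{
	static const char *name[] = { "not-found", "valid", "invalid" };

	build_example_set();
	printf("193.0.2.0/24 AS3333: %s\n", name[example_ovs("193.0.2.0", 24, 3333)]);
	printf("193.0.2.0/25 AS3333: %s\n", name[example_ovs("193.0.2.0", 25, 3333)]);
	printf("193.0.0.0/21 AS65000: %s\n", name[example_ovs("193.0.0.0", 21, 65000)]);
	printf("10.0.0.0/8 AS1: %s\n", name[example_ovs("10.0.0.0", 8, 1)]);
	return 0;
}
```

A route less specific than every ROA that could cover it (193.0.0.0/20
against a 193.0.0.0/21 ROA) is not-found rather than invalid, which is
what makes 'deny from any ovs invalid' safe to deploy alongside
'match from any ovs not-found'.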


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm commiting it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@
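The prefixlen-to-range reduction described in the parse.y 1.333 and 1.268 entries above (every prefixlen operator becomes one inclusive OP_RANGE, with or-longer as shorthand for "prefixlen >= len"), together with the "maxlen" form of prefix-set and roa-set entries from 1.351 and 1.356, as an added example in Python. This is not code from OpenBSD's parse.y or bgpd; all function names are this example's own, the roa-set contents are constructed from the shape quoted in the 1.356 message, the "><" mapping is taken from the bgpd.conf(5) grammar and is an assumption here, and the valid/invalid/not-found classification follows RFC 6811 rather than anything bgpd did at 1.356 (the log explicitly says it did not act on roa-set data yet).

```python
import ipaddress


def prefixlen_range(prefix, op=None, a=None, b=None):
    """Reduce one prefixlen operator to an inclusive (min, max) range.

    Mirrors the OP_RANGE reduction described in the parse.y 1.333 log:
    every supported operator ends up as a single range, so that
    'prefixlen 8 - 32' and 'or-longer' on an /8 are the same rule.
    '!=' is the one operator that is not a single range and is rejected.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    own_len, maxbits = net.prefixlen, net.max_prefixlen
    if op is None:                       # prefix P/L          -> exactly L
        return (own_len, own_len)
    if op == "=":                        # prefixlen = N       -> (N, N)
        return (a, a)
    if op == "-":                        # prefixlen A - B     -> (A, B)
        return (a, b)
    if op == "><":                       # prefixlen A >< B    -> (A+1, B-1)
        # Assumption: '><' is the exclusive range of bgpd.conf(5); only the
        # token itself (1.247) is mentioned in the log above.
        return (a + 1, b - 1)
    if op == ">=":                       # prefixlen >= N      -> (N, maxbits)
        return (a, maxbits)
    if op == "or-longer":                # shorthand for prefixlen >= L (1.268)
        return (own_len, maxbits)
    if op == "maxlen":                   # ROA style: L up to maxlen (1.351)
        return (own_len, a)
    raise ValueError("operator %r is not a single range" % (op,))


def rule_matches(rule_prefix, rng, candidate):
    """True if candidate lies inside rule_prefix and its length is within rng."""
    rule = ipaddress.ip_network(rule_prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    # subnet_of() raises on mixed address families, so check the version first
    if cand.version != rule.version or not cand.subnet_of(rule):
        return False
    lo, hi = rng
    return lo <= cand.prefixlen <= hi


# Constructed roa-set with the shape quoted in the 1.356 log entry:
#   roa-set "test2" { 1.2.3.0/24 source-as 1, 1.2.8.0/22 maxlen 24 source-as 3 }
# A missing maxlen means "exactly this length", i.e. maxlen == prefixlen.
ROA_SET = [
    ("1.2.3.0/24", None, 1),
    ("1.2.8.0/22", 24, 3),
]


def roa_validate(roa_set, prefix, origin_as):
    """Classify (prefix, origin AS) against a roa-set: 'valid', 'invalid' or 'not-found'.

    The 1.356 log says bgpd did not act on roa-set data yet; the outcome names
    and the covering/matching rule here follow RFC 6811 and are this example's
    own. A ROA covers a route when the route prefix lies inside the ROA prefix;
    it matches when, in addition, the length is within maxlen and the AS is equal.
    """
    cand = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, maxlen, asn in roa_set:
        roa = ipaddress.ip_network(roa_prefix, strict=False)
        if cand.version != roa.version or not cand.subnet_of(roa):
            continue
        covered = True
        rng = prefixlen_range(roa_prefix, "maxlen",
                              roa.prefixlen if maxlen is None else maxlen)
        if rule_matches(roa_prefix, rng, prefix) and asn == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # 'prefixlen 8 - 32' and 'or-longer' reduce to the same range (1.333)
    print(prefixlen_range("18.0.0.0/8", "-", 8, 32),
          prefixlen_range("18.0.0.0/8", "or-longer"))
    # 'prefixlen 8 - 24' and 'maxlen 24' are equivalent (1.351)
    print(prefixlen_range("10.0.0.0/8", "-", 8, 24),
          prefixlen_range("10.0.0.0/8", "maxlen", 24))
    for route, asn in (("1.2.3.0/24", 1), ("1.2.3.0/25", 1),
                       ("1.2.9.0/24", 3), ("9.9.9.0/24", 3)):
        print(route, asn, roa_validate(ROA_SET, route, asn))
```

The roa_validate() loop is where the maxlen semantics matter operationally: a more specific announcement under a covering ROA whose length exceeds maxlen is "invalid", not "not-found", which is exactly the case an "or-longer" style match would wrongly accept.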


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
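
Added example (not bgpd's own check_file_secrecy() and not part of this log)
of the kind of check the entry above introduces: the config file, which may
carry TCP MD5 and IPsec keys, must be owned by root or the invoking user and
grant no group or world permission bits. The check is done with fstat(2) on
the descriptor that will actually be parsed, so a path swap between check
and read cannot bypass it. Function names and the /tmp self-test path are
made up for this example.

```c
/*
 * Config file secrecy check, stand-alone illustration.  Names are
 * hypothetical; secrecy_selftest() uses a temporary file under /tmp.
 */
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Returns 0 if the open file is acceptable, -1 otherwise with *why set
 * to a short reason.  Checking the fd (not the path) ties the verdict to
 * the file we are about to read.
 */
int
config_file_secret(int fd, const char **why)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		*why = "fstat failed";
		return (-1);
	}
	if (!S_ISREG(st.st_mode)) {
		*why = "not a regular file";
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		*why = "wrong owner";
		return (-1);
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		*why = "group or world permissions set";
		return (-1);
	}
	return (0);
}

/*
 * Self-test helper: create a temporary file with the given mode and run
 * the check on it.  Returns the check's result (0 accepted, -1 refused).
 */
int
secrecy_selftest(mode_t mode)
{
	char path[] = "/tmp/secrecy.XXXXXX";
	const char *why = NULL;
	int fd, rv;

	if ((fd = mkstemp(path)) == -1)
		return (-1);
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return (-1);
	}
	rv = config_file_secret(fd, &why);
	close(fd);
	unlink(path);
	return (rv);
}

int
main(int argc, char *argv[])
{
	const char *why = NULL;
	int fd;

	if (argc != 2) {
		fprintf(stderr, "usage: %s bgpd.conf\n", argv[0]);
		return (1);
	}
	if ((fd = open(argv[1], O_RDONLY)) == -1) {
		perror(argv[1]);
		return (1);
	}
	if (config_file_secret(fd, &why) == -1)
		printf("%s: refused: %s\n", argv[1], why);
	else
		printf("%s: ok\n", argv[1]);
	close(fd);
	return (0);
}
```

A mode of 0600 or 0400 passes; 0644, 0660 or even 0601 is refused, because
any group or other bit, not only read, is enough to hand the key to another
local user or let one rewrite the neighbor list.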


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
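
Added example (not bgpd's str2key() and not part of this log) covering the
key handling described in the entries for 1.43, 1.44 and 1.103: a hex key
converted two digits per byte using a per-nibble function, an ASCII
password form, and explicit "too long" errors instead of silent truncation.
The key length limit, the function names and the sample keys are made up
for this example.

```c
/*
 * TCP MD5 / IPsec key string parsing, stand-alone illustration.
 * MAX_KEYLEN and all names are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define MAX_KEYLEN	80	/* hypothetical limit for this example */

/* one hex digit to its value, or -1 */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Hex form: two digits per byte.  Returns the key length in bytes, or -1
 * with *err set.  Length is checked before any conversion, so a too-long
 * key is refused rather than truncated.
 */
int
key_from_hex(const char *s, unsigned char *key, size_t keysz,
    const char **err)
{
	size_t len = strlen(s), i;

	if (len == 0) {
		*err = "empty key";
		return (-1);
	}
	if (len % 2 != 0) {
		*err = "odd number of hex digits";
		return (-1);
	}
	if (len / 2 > keysz) {
		*err = "key too long";
		return (-1);
	}
	for (i = 0; i < len; i += 2) {
		int hi = hexnibble((unsigned char)s[i]);
		int lo = hexnibble((unsigned char)s[i + 1]);

		if (hi < 0 || lo < 0) {
			*err = "invalid hex digit";
			return (-1);
		}
		key[i / 2] = (unsigned char)((hi << 4) | lo);
	}
	return ((int)(len / 2));
}

/* ASCII "password" form: the key bytes are the characters themselves */
int
key_from_password(const char *s, unsigned char *key, size_t keysz,
    const char **err)
{
	size_t len = strlen(s);

	if (len == 0) {
		*err = "empty password";
		return (-1);
	}
	if (len > keysz) {
		*err = "password too long";
		return (-1);
	}
	memcpy(key, s, len);
	return ((int)len);
}

int
main(void)
{
	/* constructed sample inputs */
	const char *inputs[] = { "deadBEEF", "abc", "zz", "s3cret" };
	unsigned char key[MAX_KEYLEN];
	const char *err;
	int i, n, j;

	for (i = 0; i < 4; i++) {
		err = NULL;
		n = i < 3 ? key_from_hex(inputs[i], key, sizeof(key), &err)
		    : key_from_password(inputs[i], key, sizeof(key), &err);
		if (n < 0) {
			printf("%-10s -> error: %s\n", inputs[i], err);
			continue;
		}
		printf("%-10s -> %d bytes:", inputs[i], n);
		for (j = 0; j < n; j++)
			printf(" %02x", key[j]);
		printf("\n");
	}
	return (0);
}
```

The two entry points deliberately share the same signature so the caller
can select the form by keyword and store the returned length separately
from the buffer, which matters once keys are allowed to contain zero bytes
and strlen() can no longer be used for the key length.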


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.454 28-Apr-2023 claudio

Add explicit default labels in switch() statements with error handling.
Right now these are not reachable. Should also clear some gcc warnings.
OK tb@


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer (felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
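
The valid / invalid / not-found decision behind the ovs keyword, as an added example that is not OpenBGPD's RDE code: it follows the RFC 6811 procedure and uses the two roa-set entries from the message above as constructed input. ipaddress is the only dependency.

```python
"""Origin validation against a roa-set (RFC 6811 semantics). Added example,
not OpenBGPD's RDE code; the roa-set is the one from the commit message."""
import ipaddress

# Constructed roa-set, copied from the commit message: (prefix, maxlen, AS).
# A missing maxlen means "exact prefix length only".
ROA_SET = [
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
]


def parse_roa_set(entries):
    """Validate entries and return (network, maxlen, source_as) triples.
    A maxlen shorter than the prefix itself is a configuration error."""
    roas = []
    for prefix, maxlen, source_as in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if maxlen is None:
            maxlen = net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"{prefix}: maxlen {maxlen} out of range")
        if not 0 <= source_as <= 0xFFFFFFFF:
            raise ValueError(f"{prefix}: bad source-as {source_as}")
        roas.append((net, maxlen, source_as))
    return roas


def origin_validate(roas, prefix, source_as):
    """RFC 6811 origin validation state for one announcement.

    not-found: no ROA covers the prefix at all.
    valid:     some covering ROA names this source-as and the announced
               prefix length does not exceed that ROA's maxlen.
    invalid:   covered, but no ROA matches (wrong AS or too specific)."""
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_net, maxlen, roa_as in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == source_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


ROAS = parse_roa_set(ROA_SET)

if __name__ == "__main__":
    for pfx, asn in [("193.0.4.0/24", 3333), ("193.0.4.0/25", 3333),
                     ("193.0.4.0/24", 64496), ("10.0.0.0/8", 64496)]:
        print(pfx, asn, origin_validate(ROAS, pfx, asn))
```

A more specific announcement than the ROA's maxlen permits, or the right prefix from the wrong AS, is the hijack shape that `deny from any ovs invalid` drops; a ROA whose source-as is 0 can never match a real origin and therefore turns every announcement of that prefix invalid, which is how AS 0 ROAs are used.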


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since the prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
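
A fragment in the shape this entry asks for, added here as an example and not taken from the commit or from any bgpd.conf shipped with OpenBSD. The AS numbers and addresses are documentation values and the prefixes are placeholders; the rule order relies on bgpd evaluating filters first to last with the last matching rule deciding.

```conf
# Added example bgpd.conf fragment (not from the commit). 192.0.2.3 is a
# customer in AS 65001 announcing 203.0.113.0/24; we are AS 65000.
AS 65000
router-id 192.0.2.1

neighbor 192.0.2.3 {
    descr "customer-65001"
    remote-as 65001
    announce all        # the new default, stated so the intent is visible
}

# RFC 8212 behaviour: nothing is accepted or propagated unless a later rule
# says so. The last matching rule wins, so these two go first.
deny from any
deny to any

# Accept only the customer's own prefix from it and send it only our
# aggregate; anything else stays on the default deny.
allow from 192.0.2.3 prefix 203.0.113.0/24
allow to 192.0.2.3 prefix 198.51.100.0/24
```

`bgpd -nv -f bgpd.conf` shows how the rules expand, and `bgpctl show rib out nei 192.0.2.3` on a running daemon confirms that only 198.51.100.0/24 leaves towards the customer.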


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@
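
The wire format behind the "shutdown reason" shown above, as an added example that is not bgpd's session code: draft-ietf-idr-shutdown (published as RFC 8203) carries the text in a Cease NOTIFICATION, subcode Administrative Shutdown (2) or Administrative Reset (4), as one length octet followed by up to 128 octets of UTF-8. The decoder also applies the receiver-side hygiene a peer-supplied string needs before it reaches a log or a terminal; the sample reason is the one from the message above.

```python
"""BGP shutdown communication (draft-ietf-idr-shutdown / RFC 8203):
encoder and hardened decoder. Added example, not OpenBGPD's session code."""
import struct
import unicodedata

BGP_MARKER = b"\xff" * 16
BGP_NOTIFICATION = 3
ERR_CEASE = 6
CEASE_ADMIN_SHUTDOWN = 2
CEASE_ADMIN_RESET = 4
MAX_SHUTCOMM = 128            # octet limit in the draft and RFC 8203


def encode_shutdown(reason, subcode=CEASE_ADMIN_SHUTDOWN):
    """Build the NOTIFICATION a speaker sends for an administrative
    shutdown or reset carrying the operator's reason."""
    if subcode not in (CEASE_ADMIN_SHUTDOWN, CEASE_ADMIN_RESET):
        raise ValueError("subcode does not carry a shutdown communication")
    data = reason.encode("utf-8")
    if len(data) > MAX_SHUTCOMM:
        raise ValueError("shutdown communication longer than 128 octets")
    body = bytes([ERR_CEASE, subcode, len(data)]) + data
    length = len(BGP_MARKER) + 3 + len(body)   # header: marker, length, type
    return BGP_MARKER + struct.pack("!HB", length, BGP_NOTIFICATION) + body


def sanitise(text):
    """Drop control and format characters (ESC, CR/LF, bidi overrides)
    so a hostile peer cannot inject terminal sequences or fake log lines."""
    return "".join(c for c in text if unicodedata.category(c)[0] != "C")


def decode_shutdown(msg):
    """Parse a NOTIFICATION; return (subcode, reason). reason is None when
    the Cease subcode carries no shutdown communication."""
    if len(msg) < 21 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != BGP_NOTIFICATION:
        raise ValueError("length or type mismatch")
    code, subcode, data = msg[19], msg[20], msg[21:]
    if code != ERR_CEASE:
        raise ValueError(f"not a Cease notification (code {code})")
    if subcode not in (CEASE_ADMIN_SHUTDOWN, CEASE_ADMIN_RESET) or not data:
        return subcode, None
    if data[0] > MAX_SHUTCOMM or data[0] != len(data) - 1:
        raise ValueError("shutdown communication length mismatch")
    # Invalid UTF-8 is replaced rather than rejected: the session is going
    # down anyway and the operator still wants to see the rest of the text.
    return subcode, sanitise(data[1:].decode("utf-8", errors="replace"))


if __name__ == "__main__":
    wire = encode_shutdown("goodbye, we are upgrading to openbsd 6.1")
    print(wire.hex())
    print(decode_shutdown(wire))
```

The length octet is checked against both the 128-octet limit and the actual remaining data, so a peer cannot make the decoder read past the message or accept an overlong string; the control-character filter is the part most implementations forget, and it is what keeps a reason like `"\x1b[2J..."` from rewriting an operator's terminal when the session log is tailed.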


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@
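
A parser and matcher for community specifications of the kind these entries introduce, added here as an example and not bgpd's own parser. It serves both the large-community entry and the u_int entry further up: `*`, `neighbor-as` and `local-as` are represented as tokens of their own instead of magic values squeezed into the numeric range, which is what stopped working once large communities needed all 32 bits; the per-field maximum is chosen by standard versus large, the same split the strtonum() entry fixed. The keyword set in WELL_KNOWN is this example's assumption; the numeric values come from RFC 1997, RFC 3765, RFC 7999 and RFC 8326.

```python
"""Community filter specs: '65000:42', 'local-as:42', 'neighbor-as:*:*',
well-known names. Added example, not OpenBGPD's parse.y code."""
from enum import Enum


class Special(Enum):
    """Placeholders resolved per session (or matching anything)."""
    ANY = "*"
    NEIGHBOR_AS = "neighbor-as"
    LOCAL_AS = "local-as"


# Keyword set is an assumption of this example; values are from the RFCs.
WELL_KNOWN = {
    "NO_EXPORT": (65535, 65281),
    "NO_ADVERTISE": (65535, 65282),
    "NO_EXPORT_SUBCONFED": (65535, 65283),
    "NO_PEER": (65535, 65284),
    "blackhole": (65535, 666),
    "GRACEFUL_SHUTDOWN": (65535, 0),
}


def _part(tok, maxval):
    """One colon-separated field: a keyword, or a number bounded by maxval
    (the standard-vs-large limit that strtonum() must be handed)."""
    for special in Special:
        if tok == special.value:
            return special
    if not (tok.isascii() and tok.isdigit()):
        raise ValueError(f"bad community field {tok!r}")
    value = int(tok)
    if value > maxval:
        raise ValueError(f"{tok} exceeds {maxval}")
    return value


def parse_community(spec):
    """Return ('std', (a, b)) for 16-bit pairs or ('large', (a, b, c))
    for 32-bit triples."""
    if spec in WELL_KNOWN:
        return "std", WELL_KNOWN[spec]
    fields = spec.split(":")
    if len(fields) == 2:
        return "std", tuple(_part(f, 0xFFFF) for f in fields)
    if len(fields) == 3:
        return "large", tuple(_part(f, 0xFFFFFFFF) for f in fields)
    raise ValueError(f"community {spec!r} must have 2 or 3 fields")


def community_matches(spec, present, neighbor_as, local_as):
    """present: list of (kind, values) carried by a path. neighbor-as and
    local-as resolve per session; '*' matches any value. A resolved AS
    above 65535 never matches a standard community (assumed behaviour)."""
    kind, want = parse_community(spec)
    resolved = []
    for field in want:
        if field is Special.NEIGHBOR_AS:
            field = neighbor_as
        elif field is Special.LOCAL_AS:
            field = local_as
        resolved.append(field)
    for have_kind, have in present:
        if have_kind != kind or len(have) != len(resolved):
            continue
        if all(w is Special.ANY or w == h for w, h in zip(resolved, have)):
            return True
    return False


if __name__ == "__main__":
    path_communities = [("std", (65535, 666)), ("large", (64496, 1, 2))]
    for spec in ("blackhole", "neighbor-as:*:*", "local-as:42"):
        print(spec, community_matches(spec, path_communities, 64496, 65000))
```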


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@
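
An evaluator for the AS-path filters these entries describe, added as an example and not bgpd's rde_filter code. It covers the neighbor-as entry just above, the max-as-len / max-as-seq entry, the =, !=, -, >< operators from the as-path operators entry, the AS 0 rule from the RFC 7607 entry, and the bogon-AS use case, in one place. The position semantics are this example's reading of bgpd.conf(5) and are an assumption: peer-as compares the neighbor's configured AS, source-as the rightmost (origin) AS, transit-as every AS except the origin, and AS any position.

```python
"""AS-path filters: AS / peer-as / source-as / transit-as with =, !=, -, ><,
'neighbor-as' as a value, max-as-len, max-as-seq, AS 0 and bogon checks.
Added example, not OpenBGPD's rde_filter code."""

# Reserved, documentation and private ranges (RFC 7607, RFC 6793, RFC 5398,
# RFC 6996, RFC 7300), used here for the "block illegal AS numbers" case.
BOGON_AS_RANGES = [
    (0, 0), (23456, 23456), (64496, 64511), (64512, 65534), (65535, 65535),
    (65536, 65551), (4200000000, 4294967294), (4294967295, 4294967295),
]


def as_compare(op, value, lo, hi=None):
    """'=' and '!=' are unary; '-' is an inclusive and '><' an exclusive range."""
    if op == "=":
        return value == lo
    if op == "!=":
        return value != lo
    if op == "-":
        return lo <= value <= hi
    if op == "><":
        return lo < value < hi
    raise ValueError(f"unknown operator {op!r}")


def aspath_filter(path, kind, op, lo, hi=None, neighbor_as=None):
    """path lists ASNs from the neighbor (left) to the origin (right).
    lo may be the string 'neighbor-as', which resolves to neighbor_as
    (assumed semantics, see the lead-in)."""
    if lo == "neighbor-as":
        if neighbor_as is None:
            raise ValueError("neighbor-as used without a neighbor AS")
        lo = neighbor_as
    if kind == "peer-as":
        return as_compare(op, neighbor_as, lo, hi)
    if not path:                      # locally originated, empty path
        return False
    if kind == "AS":
        positions = range(len(path))
    elif kind == "source-as":
        positions = [len(path) - 1]
    elif kind == "transit-as":
        positions = range(len(path) - 1)
    else:
        raise ValueError(f"unknown filter kind {kind!r}")
    return any(as_compare(op, path[i], lo, hi) for i in positions)


def longest_as_run(path):
    """Length of the longest run of one AS, i.e. the longest prepend."""
    best = run = 0
    for i, asn in enumerate(path):
        run = run + 1 if i and path[i - 1] == asn else 1
        best = max(best, run)
    return best


def matches_max_as_len(path, n):
    """'max-as-len n' matches paths longer than n."""
    return len(path) > n


def matches_max_as_seq(path, n):
    """'max-as-seq n' matches when one AS repeats more than n times in a row."""
    return longest_as_run(path) > n


def has_as_zero(path):
    """RFC 7607: an AS_PATH containing AS 0 makes the UPDATE invalid."""
    return 0 in path


def is_bogon_as(asn):
    """True for AS numbers that must never appear in a real path."""
    return any(lo <= asn <= hi for lo, hi in BOGON_AS_RANGES)


if __name__ == "__main__":
    # Constructed path: neighbor 64496 prepended itself twice, origin 15562.
    path = [64496, 64496, 64496, 3333, 15562]
    print("source-as neighbor-as:",
          aspath_filter(path, "source-as", "=", "neighbor-as", neighbor_as=64496))
    print("max-as-seq 2:", matches_max_as_seq(path, 2))
    print("bogon ASes in path:", [a for a in path if is_bogon_as(a)])
```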


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@
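
An added example of the community parsing these entries describe: the "AS:VALUE" syntax with a "*" wildcard from this entry, the rules from 1.205 and 1.206 (0 is allowed in the AS part, 65535 is reserved for the well-known communities and rejected), and the well-known names from 1.116 and 1.178, including NO_PEER from RFC 3765. This is not bgpd's parsecommunity(); the wildcard and error encodings are assumptions made for the example.

```c
/*
 * Added example, not bgpd's parsecommunity(): parse "AS:VALUE" community
 * specs such as "24640:*". Rules taken from the log entries: 0 is allowed
 * in the AS part, 65535 is rejected (reserved for well-known communities),
 * and the named well-known communities are accepted. The wildcard and
 * error encodings are assumptions for this example.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMMUNITY_ANY		(-1)	/* "*" wildcard (assumed encoding) */
#define COMMUNITY_ERR		(-2)	/* parse failure (assumed encoding) */
#define COMMUNITY_WELLKNOWN	0xffff	/* AS part of every well-known one */

struct community {
	int	as;	/* 0..65534 or COMMUNITY_ANY */
	int	data;	/* 0..65535 or COMMUNITY_ANY */
};

/* Well-known communities 0xffffff01..0xffffff04, split into halves. */
static const struct {
	const char	*name;
	int		 data;
} wellknown[] = {
	{ "NO_EXPORT",		0xff01 },
	{ "NO_ADVERTISE",	0xff02 },
	{ "NO_EXPORT_SUBCONFED",0xff03 },
	{ "NO_PEER",		0xff04 },	/* RFC 3765 */
};

/* Parse one half: "*" or a decimal number in 0..65535. */
static int
getcommunity(const char *s, int *v)
{
	char *ep;
	long n;

	if (strcmp(s, "*") == 0) {
		*v = COMMUNITY_ANY;
		return 0;
	}
	errno = 0;
	n = strtol(s, &ep, 10);
	/* first char must be a digit: rejects "", "-1", "+5" */
	if (*s < '0' || *s > '9' || *ep != '\0' || errno != 0 || n > 65535)
		return -1;
	*v = (int)n;
	return 0;
}

/* Returns 0 on success, -1 on a syntax or range error. */
int
parsecommunity(const char *spec, struct community *c)
{
	char buf[32], *colon;
	size_t i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(spec, wellknown[i].name) == 0) {
			c->as = COMMUNITY_WELLKNOWN;
			c->data = wellknown[i].data;
			return 0;
		}
	if (strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);
	if ((colon = strchr(buf, ':')) == NULL)
		return -1;
	*colon++ = '\0';
	if (getcommunity(buf, &c->as) == -1 ||
	    getcommunity(colon, &c->data) == -1)
		return -1;
	/*
	 * 65535 in the AS part is reserved. 0 stays allowed because real
	 * exchanges use it, which is why "unset" needs a separate marker
	 * instead of the value 0:0.
	 */
	if (c->as == COMMUNITY_WELLKNOWN)
		return -1;
	return 0;
}

/* Field accessors for the demonstration: the field, or COMMUNITY_ERR. */
int
parsed_as(const char *spec)
{
	struct community c;

	return parsecommunity(spec, &c) == -1 ? COMMUNITY_ERR : c.as;
}

int
parsed_data(const char *spec)
{
	struct community c;

	return parsecommunity(spec, &c) == -1 ? COMMUNITY_ERR : c.data;
}

int
main(void)
{
	const char *specs[] = { "24640:*", "0:100", "65535:10", "NO_PEER",
	    "1:70000" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-10s as=%d data=%d\n", specs[i],
		    parsed_as(specs[i]), parsed_data(specs[i]));
	return 0;
}
```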


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
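
An added illustration of the lexer fix described in the 1.71 entry, together with the "keyword table has to be sorted" point from 1.77 and 1.170. This is not parse.y's code: the token values and the five-keyword table are assumptions chosen for the example. The keyword lookup goes through bsearch(), so the table order is verified at start-up rather than trusted, and the heap copy of the word is made only when lookup() reports STRING, the one token whose grammar action free()s it.

```c
/*
 * Added example, not bgpd's parse.y: keyword lookup over a sorted table
 * plus the "only strdup() for STRING" rule from the 1.71 log entry.
 * Token values and the keyword subset are assumptions for illustration.
 */
#define _XOPEN_SOURCE 700	/* strdup() under strict compilers */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum token { STRING = 256, ANNOUNCE, DENY, NEIGHBOR, SELF, SET };

struct keyword {
	const char	*k_name;
	enum token	 k_val;
};

/* Must stay in strcmp() order: bsearch() silently misses entries otherwise. */
static const struct keyword keywords[] = {
	{ "announce",	ANNOUNCE },
	{ "deny",	DENY },
	{ "neighbor",	NEIGHBOR },
	{ "self",	SELF },
	{ "set",	SET },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* Returns 1 if the table is strictly sorted, 0 if someone "can't sort". */
int
keywords_sorted(void)
{
	size_t i, n = sizeof(keywords) / sizeof(keywords[0]);

	for (i = 1; i < n; i++)
		if (strcmp(keywords[i - 1].k_name, keywords[i].k_name) >= 0)
			return 0;
	return 1;
}

/* Keyword token, or STRING for anything not in the table. */
enum token
lookup(const char *s)
{
	const struct keyword *p;

	p = bsearch(s, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p ? p->k_val : STRING;
}

/*
 * The lexer step: classify buf and hand the parser a heap copy only for
 * STRING. *strp is NULL for keywords, so there is nothing to leak.
 */
enum token
lex_word(const char *buf, char **strp)
{
	enum token t = lookup(buf);

	*strp = NULL;
	if (t == STRING && (*strp = strdup(buf)) == NULL) {
		perror("strdup");
		exit(1);
	}
	return t;
}

/* For checking: does lexing buf hand the parser a heap copy? */
int
lex_allocates(const char *buf)
{
	char *s;
	int r;

	lex_word(buf, &s);
	r = s != NULL;
	free(s);
	return r;
}

int
main(void)
{
	if (!keywords_sorted()) {
		fprintf(stderr, "keyword table is not sorted\n");
		return 1;
	}
	printf("neighbor: token %d, copy %d\n", lookup("neighbor"),
	    lex_allocates("neighbor"));	/* keyword, no copy */
	printf("peer1: token %d, copy %d\n", lookup("peer1"),
	    lex_allocates("peer1"));	/* STRING, copy made */
	return 0;
}
```

The sortedness check is cheap enough to run unconditionally at daemon start; a table that drifts out of order after an edit otherwise fails only for the misplaced keyword, which is exactly the kind of bug the 1.77 and 1.170 entries record.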


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@
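
An added example of the prefixlen matching this entry introduces: the "8-24" (inclusive) and "8><24" (exclusive) range forms and the ">= 8" form it mentions. This is not parse.y's grammar; the single-operand operators beyond ">=" (=, !=, <, <=, >), the bare-number-means-equal shorthand, and the rejection of empty ranges are assumptions made for the example.

```c
/*
 * Added example, not bgpd's parse.y: parse a prefixlen specification
 * ("8-24", "8><24", ">= 8") and test a prefix length against it.
 * Operators other than the three named in the log entry, the bare-number
 * shorthand, and the empty-range checks are assumptions for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lenop { OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE, OP_RANGE, OP_XRANGE };

struct lenspec {
	enum lenop	op;
	int		min;	/* single operand, or lower bound */
	int		max;	/* upper bound for OP_RANGE / OP_XRANGE */
};

static const char *
skipws(const char *s)
{
	while (isspace((unsigned char)*s))
		s++;
	return s;
}

/* Parse a decimal in 0..af_max; returns pointer past it, or NULL. */
static const char *
getlen(const char *s, int af_max, int *v)
{
	char *ep;
	long n;

	s = skipws(s);
	if (!isdigit((unsigned char)*s))
		return NULL;
	n = strtol(s, &ep, 10);
	if (n > af_max)
		return NULL;
	*v = (int)n;
	return ep;
}

/* af_max is 32 for inet, 128 for inet6. Returns 0 on success, -1 on error. */
int
parse_lenspec(const char *spec, int af_max, struct lenspec *ls)
{
	const char *s = skipws(spec);

	if (isdigit((unsigned char)*s)) {
		/* "min - max", "min >< max", or a bare number meaning "=" */
		if ((s = getlen(s, af_max, &ls->min)) == NULL)
			return -1;
		s = skipws(s);
		if (*s == '\0') {
			ls->op = OP_EQ;
			ls->max = ls->min;
			return 0;
		}
		if (*s == '-') {
			ls->op = OP_RANGE;
			s++;
		} else if (strncmp(s, "><", 2) == 0) {
			ls->op = OP_XRANGE;
			s += 2;
		} else
			return -1;
		if ((s = getlen(s, af_max, &ls->max)) == NULL)
			return -1;
		/* reject ranges that can never match: "24-8", "8><9" */
		if (ls->op == OP_RANGE ? (ls->min > ls->max) :
		    (ls->min + 1 >= ls->max))
			return -1;
	} else {
		/* two-character operators must be tried before "<" and ">" */
		if (strncmp(s, ">=", 2) == 0) { ls->op = OP_GE; s += 2; }
		else if (strncmp(s, "<=", 2) == 0) { ls->op = OP_LE; s += 2; }
		else if (strncmp(s, "!=", 2) == 0) { ls->op = OP_NE; s += 2; }
		else if (*s == '=') { ls->op = OP_EQ; s++; }
		else if (*s == '<') { ls->op = OP_LT; s++; }
		else if (*s == '>') { ls->op = OP_GT; s++; }
		else
			return -1;
		if ((s = getlen(s, af_max, &ls->min)) == NULL)
			return -1;
		ls->max = ls->min;
	}
	return *skipws(s) == '\0' ? 0 : -1;
}

int
match_prefixlen(const struct lenspec *ls, int plen)
{
	switch (ls->op) {
	case OP_EQ:	return plen == ls->min;
	case OP_NE:	return plen != ls->min;
	case OP_LT:	return plen < ls->min;
	case OP_LE:	return plen <= ls->min;
	case OP_GT:	return plen > ls->min;
	case OP_GE:	return plen >= ls->min;
	case OP_RANGE:	return plen >= ls->min && plen <= ls->max;
	case OP_XRANGE:	return plen > ls->min && plen < ls->max;
	}
	return 0;
}

/* Convenience: 1 if plen satisfies spec, 0 if not, -1 if spec is invalid. */
int
lenspec_matches(const char *spec, int af_max, int plen)
{
	struct lenspec ls;

	if (parse_lenspec(spec, af_max, &ls) == -1)
		return -1;
	return match_prefixlen(&ls, plen);
}

int
main(void)
{
	printf("8-24  vs 24: %d\n", lenspec_matches("8-24", 32, 24));
	printf("8><24 vs 24: %d\n", lenspec_matches("8><24", 32, 24));
	printf(">= 8  vs 8:  %d\n", lenspec_matches(">= 8", 32, 8));
	printf("0-33  (v4):  %d\n", lenspec_matches("0-33", 32, 8));
	return 0;
}
```

The af_max argument is the reason the later 1.202 entry insists on an explicit inet or inet6 keyword when prefixlen is used alone: without the family, the parser cannot bound the range.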


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
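
An added example of the config file secrecy check this entry describes, written against an open descriptor so the check cannot be raced by swapping the file between the stat and the open. This is not bgpd's check_file_secrecy(); the owner rule (root or the invoking user) and the strictness of the mode test (no group or world bits at all, as the entry says) are assumptions for the example.

```c
/*
 * Added example, not bgpd's code: a "config file secrecy" check in the
 * sense of the 1.56 entry (correct owner, no rights for group/world).
 * The owner rule (root or the invoking user) is an assumption.
 */
#define _XOPEN_SOURCE 700	/* mkstemp(), fchmod() under strict compilers */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum secrecy_result {
	SECRECY_OK = 0,
	SECRECY_STAT_FAILED,
	SECRECY_BAD_OWNER,
	SECRECY_GROUP_WORLD_ACCESS
};

/*
 * Check the descriptor that will actually be read, not a path name:
 * a stat()-then-open() pair can be raced by replacing the file between
 * the two calls.
 */
enum secrecy_result
check_file_secrecy(int fd)
{
	struct stat st;

	if (fstat(fd, &st) == -1)
		return SECRECY_STAT_FAILED;
	/* Owner must be root or the user running the daemon (assumption). */
	if (st.st_uid != 0 && st.st_uid != getuid())
		return SECRECY_BAD_OWNER;
	/* No read, write or execute for group or others. */
	if (st.st_mode & (S_IRWXG | S_IRWXO))
		return SECRECY_GROUP_WORLD_ACCESS;
	return SECRECY_OK;
}

/*
 * Demonstration helper: create a scratch file with the given mode and
 * report how the check judges it. Returns -1 if the scratch file cannot
 * be created.
 */
int
check_mode(mode_t mode)
{
	char path[] = "/tmp/secrecy.XXXXXX";	/* constructed scratch file */
	int fd, r;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return -1;
	}
	r = check_file_secrecy(fd);
	close(fd);
	unlink(path);
	return r;
}

int
main(void)
{
	printf("0600: %d\n", check_mode(0600));	/* accepted */
	printf("0640: %d\n", check_mode(0640));	/* group readable: rejected */
	printf("0644: %d\n", check_mode(0644));	/* world readable: rejected */
	return 0;
}
```

Returning a distinct reason for each failure lets the caller print which of the two rules the file violates; a single yes/no answer sends the operator to chmod and chown in turn.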


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
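
An added example of the two key formats this entry contrasts, and of the string-to-key conversion that the 1.103 entry factors out for md5sig and ipsec: an ASCII password is used byte for byte (hence the smaller key space), while a hex string is decoded one nibble at a time. This is not bgpd's str2key(); the maximum key length is an assumption. The length test compares byte counts, which is the off-by-one the 1.110 entry records, and over-long input is rejected rather than truncated, as the 1.44 entry asks.

```c
/*
 * Added example, not bgpd's str2key(): turn a configured key into raw
 * bytes. MAXKEYLEN is an assumed limit for the example, not bgpd's.
 */
#include <stdio.h>
#include <string.h>

#define MAXKEYLEN 80	/* assumption for the example */

unsigned char keybuf[MAXKEYLEN];	/* scratch key used by main() */

static int
nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Decode hex into key (at most keysz bytes). Returns the key length, or
 * -1 for an empty or odd-length string, a non-hex character, or a key
 * that would not fit.
 */
int
hex2key(const char *hex, unsigned char *key, size_t keysz)
{
	size_t len = strlen(hex), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0)
		return -1;
	/* compare bytes with bytes: len/2 key bytes against keysz */
	if (len / 2 > keysz)
		return -1;
	for (i = 0; i < len; i += 2) {
		if ((hi = nibble(hex[i])) < 0 || (lo = nibble(hex[i + 1])) < 0)
			return -1;
		key[i / 2] = (unsigned char)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/*
 * ASCII password: the key bytes are the characters themselves, so only
 * printable values occur. Empty and over-long input is rejected, never
 * silently truncated.
 */
int
ascii2key(const char *pw, unsigned char *key, size_t keysz)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keysz)
		return -1;
	memcpy(key, pw, len);
	return (int)len;
}

int
main(void)
{
	int n, i;

	n = hex2key("deadBEEF", keybuf, sizeof(keybuf));
	printf("hex: %d bytes:", n);
	for (i = 0; i < n; i++)
		printf(" %02x", keybuf[i]);
	printf("\n");
	printf("odd length: %d\n", hex2key("abc", keybuf, sizeof(keybuf)));
	printf("bad digit:  %d\n", hex2key("zz", keybuf, sizeof(keybuf)));
	printf("ascii: %d bytes\n", ascii2key("s3cret", keybuf, sizeof(keybuf)));
	return 0;
}
```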


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.453 26-Apr-2023 claudio

Add prototypes for geticmptypebyname() and geticmpcodebyname().
Needed for bison.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbor's role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET nor AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similarly to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows setting up sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
always be 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitalised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@
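
The quoted-string rules that the rev 1.362 message describes (and the embedded-NUL rejection from rev 1.275 further down) as a stand-alone model in Python. This is an added example, not the lexer in parse.y, which is C; the handling of a backslash before the closing quote character, the behaviour for a bare newline inside quotes, and the MAX_STRING limit are assumptions of this model, not something the commit messages state.

```python
"""Model of the quoted-string handling in the OpenBSD parse.y lexer.

Added example, not bgpd's own lexer. Implements what the rev 1.362 and
rev 1.275 commit messages describe: inside quotes, backslash-space and
backslash-tab yield a space or tab, backslash-newline is a line
continuation and disappears, and an embedded NUL byte is a syntax error.
Assumptions of this model (not stated in the commit messages): a backslash
before the closing quote character yields that character, a bare newline
inside quotes is kept and counted, and MAX_STRING bounds the result.
"""


class LexError(Exception):
    """Raised where the real lexer would call yyerror()."""


MAX_STRING = 8192  # assumed buffer size of this model, not bgpd's


def lex_quoted(text, pos=0, lineno=1):
    """text[pos] must be the opening quote. Returns (value, end_pos, lineno)."""
    quotec = text[pos]
    if quotec not in ("'", '"'):
        raise LexError("not a quoted string")
    out = []
    i = pos + 1
    while True:
        if i >= len(text):
            raise LexError("unterminated string")
        c = text[i]
        i += 1
        if c == "\\":
            if i >= len(text):
                raise LexError("unterminated string")
            nxt = text[i]
            if nxt == quotec or nxt in (" ", "\t"):
                c = nxt          # escaped quote, space or tab (rev 1.362)
                i += 1
            elif nxt == "\n":
                i += 1
                lineno += 1      # line continuation: both characters vanish
                continue
            # any other character: keep the backslash, re-read nxt normally
        elif c == quotec:
            return "".join(out), i, lineno
        elif c == "\0":
            raise LexError(f"line {lineno}: NUL byte in string")  # rev 1.275
        elif c == "\n":
            lineno += 1          # bare newline: kept, line counted (assumed)
        if len(out) >= MAX_STRING:
            raise LexError("string too long")
        out.append(c)


def is_valid_string(text):
    """True if text starts with a complete, well-formed quoted string."""
    try:
        lex_quoted(text)
        return True
    except LexError:
        return False
```

The NUL check matters because the string buffer is later used as a C string: without it, everything after the NUL would be silently dropped, which is the kind of mismatch between what the file contains and what the daemon sees that rev 1.275 closes.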


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
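
The prefix-length range semantics from revs 1.351 and 1.333 above (prefixlen A - B, maxlen, or-longer) and the origin validation states from rev 1.361 (ovs valid / invalid / not-found over a roa-set) as one stand-alone Python model. This is an added example and not bgpd's code: bgpd implements these lookups in C on its own RIB and prefix tries. The roa-set entries and the filter_action() mapping are constructed from the configuration shown in the rev 1.361 message; the state logic follows RFC 6811.

```python
"""Model of prefixlen range matching and RPKI origin validation.

Added example, not bgpd's own code. Prefixes are handled with the standard
ipaddress module; bgpd uses its own trie. The ROA entries below are
constructed from the rev 1.361 commit message.
"""
import ipaddress


def prefix_matches(rule_prefix, lo, hi, candidate):
    """Does candidate lie under rule_prefix with a prefixlen in [lo, hi]?

    Equivalent spellings per revs 1.351 / 1.333:
      prefix 10.0.0.0/8 prefixlen 8 - 24   -> lo=8, hi=24
      prefix 10.0.0.0/8 maxlen 24          -> lo=8, hi=24
      prefix 10.0.0.0/8 or-longer          -> lo=8, hi=32 (inet) or 128 (inet6)
      prefix 10.0.0.0/8                    -> lo=hi=8 (exact match only)
    """
    rule = ipaddress.ip_network(rule_prefix, strict=False)
    cand = ipaddress.ip_network(candidate, strict=False)
    if rule.version != cand.version:
        return False
    if not lo <= cand.prefixlen <= hi:
        return False
    return cand.subnet_of(rule)


def build_roa_set(entries):
    """entries: (prefix, maxlen or None, source_as) as written in a roa-set
    block. A missing maxlen means only the exact prefix length is covered."""
    roas = []
    for prefix, maxlen, source_as in entries:
        net = ipaddress.ip_network(prefix, strict=False)
        roas.append((net, net.prefixlen if maxlen is None else maxlen, source_as))
    return roas


def origin_validation_state(roas, prefix, origin_as):
    """RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'.

    A ROA covers the route when the route prefix is equal to or more
    specific than the ROA prefix. A covering ROA matches when the route's
    prefixlen does not exceed maxlen and the origin AS equals source-as.
    Covered but never matched is 'invalid'; not covered at all is 'not-found'.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for net, maxlen, source_as in roas:
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= maxlen and origin_as == source_as:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed from the roa-set block in the rev 1.361 commit message.
ROA_SET = build_roa_set([
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
])


def filter_action(prefix, origin_as):
    """Model of the three rules from rev 1.361:
         deny from any ovs invalid
         match from any ovs valid set community local-as:42
         match from any ovs not-found set community local-as:43
    Returns "deny" or the community that would be set (placeholder
    local-as left unresolved)."""
    state = origin_validation_state(ROA_SET, prefix, origin_as)
    if state == "invalid":
        return "deny"
    return {"valid": "local-as:42", "not-found": "local-as:43"}[state]
```

The maxlen default is the part operators most often get wrong: a ROA for 165.254.255.0/24 without maxlen covers 165.254.255.0/25 (so that route is not "not-found") but does not authorize it, so the more specific announcement is invalid even from the right origin AS.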


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"
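
The placeholder fields that rev 1.302 (local-as), rev 1.290 (large communities) and this rev 1.295 message introduce, together with the per-size bounds rev 1.331 below enforces via strtonum(), as a stand-alone Python model. This is an added example, not bgpd's parser: bgpd encodes '*' and neighbor-as as magic values in C, which is exactly what rev 1.295 is about; here they are Python sentinels instead, so the point survives without the width problem.

```python
"""Model of bgpd community syntax with local-as / neighbor-as / '*'.

Added example, not bgpd's own code. Standard community fields are 16-bit,
large-community fields 32-bit (the bounds rev 1.331 passes to strtonum());
the placeholders from revs 1.290/1.295/1.302 are extra states on top of the
numeric range, modelled as string sentinels instead of magic numbers.
"""

LOCAL_AS = "local-as"
NEIGHBOR_AS = "neighbor-as"
ANY = "*"
STD_MAX = 0xffff          # 16-bit fields of a standard community
LARGE_MAX = 0xffffffff    # 32-bit fields of a large community


def parse_field(text, maxval, allow_any):
    """One colon-separated field: placeholder, wildcard or bounded number."""
    if text in (LOCAL_AS, NEIGHBOR_AS):
        return text
    if text == ANY:
        if not allow_any:
            raise ValueError("'*' is only meaningful when matching")
        return ANY
    try:
        value = int(text, 10)      # strtonum-style: decimal, range-checked
    except ValueError:
        raise ValueError(f"bad community field {text!r}") from None
    if not 0 <= value <= maxval:
        raise ValueError(f"community field {text} out of range 0..{maxval}")
    return value


def parse_community(text, allow_any=True):
    """'A:B' is a standard community, 'A:B:C' a large community.
    Returns a tuple of ints and/or sentinels."""
    parts = text.split(":")
    if len(parts) == 2:
        maxval = STD_MAX
    elif len(parts) == 3:
        maxval = LARGE_MAX
    else:
        raise ValueError(f"bad community {text!r}")
    return tuple(parse_field(p, maxval, allow_any) for p in parts)


def is_valid_community(text, allow_any=True):
    """True if text parses; False on any parse or range error."""
    try:
        parse_community(text, allow_any)
        return True
    except ValueError:
        return False


def resolve(community, local_as, neighbor_as):
    """For 'set community ...': substitute the placeholders for this peer."""
    subst = {LOCAL_AS: local_as, NEIGHBOR_AS: neighbor_as}
    return tuple(subst.get(f, f) for f in community)


def matches(rule, attr, local_as, neighbor_as):
    """For 'match ... community / large-community ...': '*' matches any
    value, the placeholders match this peer's AS numbers."""
    if len(rule) != len(attr):
        return False
    want = resolve(rule, local_as, neighbor_as)
    return all(w == ANY or w == a for w, a in zip(want, attr))


# Constructed peer values used below: private-range ASNs, not real peers.
LOCAL, NEIGHBOR = 64512, 64496

# "match in from any set community local-as:neighbor-as" (rev 1.302)
SET_RULE = parse_community("local-as:neighbor-as", allow_any=False)

# "allow from any large-community neighbor-as:*:*" (rev 1.295)
MATCH_RULE = parse_community("neighbor-as:*:*")
```

Keeping the wildcard and placeholders outside the numeric range is what makes 4-byte AS numbers safe here: once a field holds every 32-bit value, a magic number like UINT_MAX for '*' collides with a legal large-community value, which is the bug class rev 1.295 fixes.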


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
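
The AS-path filters from this rev 1.255 message (max-as-len, max-as-seq), the operators and AS positions from rev 1.287 above (=, !=, -, >< on AS / peer-as / source-as / transit-as) and the as-override rewrite from rev 1.369 at the top of this page, as one stand-alone Python model. This is an added example and not bgpd's RDE code: paths are modelled as flat lists of AS numbers (AS_SEQUENCE only; AS_SET segments are not modelled), which is an assumption of this model, as is the evaluation order in apply_filters().

```python
"""Model of bgpd AS-path filter matching and the as-override rewrite.

Added example, not bgpd's own code. An AS path is a plain list of AS
numbers, leftmost = the peer that sent it, rightmost = the origin.
"""


def max_as_len_matches(path, limit):
    """'max-as-len N' matches when the path is longer than N."""
    return len(path) > limit


def longest_as_run(path):
    """Length of the longest run of one AS repeated consecutively (a prepend)."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def max_as_seq_matches(path, limit):
    """'max-as-seq N' matches when some AS is repeated more than N times in a row."""
    return longest_as_run(path) > limit


def as_op_matches(asn, op, lo, hi=None):
    """Operators from rev 1.287: '=', '!=', '-' (inclusive range),
    '><' (exclusive range)."""
    if op == "=":
        return asn == lo
    if op == "!=":
        return asn != lo
    if op == "-":
        return lo <= asn <= hi
    if op == "><":
        return lo < asn < hi
    raise ValueError(f"unknown operator {op!r}")


def as_filter_matches(path, kind, op, lo, hi=None):
    """AS filter kinds as modelled here: AS (any element), peer-as (leftmost),
    source-as (rightmost), transit-as (everything but the rightmost).
    An empty path (locally originated) matches nothing."""
    if not path:
        return False
    subjects = {
        "AS": path,
        "peer-as": path[:1],
        "source-as": path[-1:],
        "transit-as": path[:-1],
    }[kind]
    return any(as_op_matches(a, op, lo, hi) for a in subjects)


def as_override(path, neighbor_as, local_as):
    """'match from <neighbor> set { as-override }' (rev 1.369): every
    occurrence of the neighbor's AS in the received path becomes our own AS.
    The original path stays in the Adj-RIB-In, so this is pure filter output."""
    return [local_as if asn == neighbor_as else asn for asn in path]


def apply_filters(path, neighbor_as, local_as, max_len=None, max_seq=None):
    """Evaluation order assumed by this model: deny rules first, then the
    as-override rewrite. Returns ('deny', reason) or ('allow', new_path)."""
    if max_len is not None and max_as_len_matches(path, max_len):
        return ("deny", "max-as-len")
    if max_seq is not None and max_as_seq_matches(path, max_seq):
        return ("deny", "max-as-seq")
    return ("allow", as_override(path, neighbor_as, local_as))
```

A run longer than the max-as-seq limit is the signature of traffic-engineering prepends; max-as-len instead bounds memory and processing cost per path regardless of which AS is repeated, which is why the two are separate knobs.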


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane then the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keys ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus

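Both key forms the commit describes, as an added example and not bgpd's parser: an ascii password is taken byte for byte (so only printable characters can occur in the key), while a hex string is converted two digits per key byte so any byte value can be used. The 80-byte maximum, the struct and the function names are assumptions of this example; an over-long or malformed key is rejected rather than silently truncated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum key length for this example (not taken from bgpd). */
#define MD5SIG_KEYLEN_MAX 80

struct md5sig_key {
	uint8_t key[MD5SIG_KEYLEN_MAX];
	size_t len;
};

/* Shared key object used by the demonstration calls below. */
struct md5sig_key example_key;

/* Value of one hex digit, or -1 for a character that is not a hex digit. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * "tcp md5sig password <ascii>": the bytes of the string are the key.
 * Empty or over-long passwords are an error, not a truncation.
 */
int
md5sig_key_from_password(struct md5sig_key *k, const char *pw)
{
	size_t n = strlen(pw);

	if (n == 0 || n > MD5SIG_KEYLEN_MAX) {
		fprintf(stderr, "password length %zu not in 1..%d\n",
		    n, MD5SIG_KEYLEN_MAX);
		return -1;
	}
	memcpy(k->key, pw, n);
	k->len = n;
	return 0;
}

/*
 * "tcp md5sig key <hex>": two hex digits per key byte, converted one
 * nibble at a time. An odd digit count or a non-hex character is rejected.
 */
int
md5sig_key_from_hex(struct md5sig_key *k, const char *hex)
{
	size_t n = strlen(hex), i;
	int hi, lo;

	if (n == 0 || n % 2 != 0 || n / 2 > MD5SIG_KEYLEN_MAX) {
		fprintf(stderr, "hex key must be an even count of 2..%d digits\n",
		    2 * MD5SIG_KEYLEN_MAX);
		return -1;
	}
	for (i = 0; i < n; i += 2) {
		hi = hexval((unsigned char)hex[i]);
		lo = hexval((unsigned char)hex[i + 1]);
		if (hi < 0 || lo < 0) {
			fprintf(stderr, "bad hex digit at offset %zu\n", i);
			return -1;
		}
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = n / 2;
	return 0;
}

int
main(void)
{
	size_t i;

	if (md5sig_key_from_hex(&example_key, "00ff10Ab") == 0) {
		for (i = 0; i < example_key.len; i++)
			printf("%02x", example_key.key[i]);
		printf(" (%zu bytes)\n", example_key.len);
	}
	return md5sig_key_from_password(&example_key, "s3cret") == 0 ? 0 : 1;
}
```

The hex form is what keeps the full 8-bit key space available; the password form exists only for interoperability with routers that accept the key as text.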

# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbor's role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET nor AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@

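The expansion rules this commit describes, as an added example and not bgpd's lexer: a reference ends at the first character that is not a macro-name character (so `$FOO:$BAR` expands both halves), nothing is expanded inside single- or double-quoted strings, and an undefined macro is an error rather than a silent empty expansion. The macro table, the function names and the 256-byte output buffer are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed macro table for the example (not bgpd's symbol table). */
struct macro {
	const char *name;
	const char *value;
};
static const struct macro macros[] = {
	{ "FOO", "65000" },
	{ "BAR", "100" },
	{ "peer_as", "65001" },
};

static const char *
macro_lookup(const char *name, size_t len)
{
	size_t i;

	for (i = 0; i < sizeof(macros) / sizeof(macros[0]); i++)
		if (strlen(macros[i].name) == len &&
		    strncmp(macros[i].name, name, len) == 0)
			return macros[i].value;
	return NULL;
}

/* Characters allowed inside a macro name: alphanumerics and '_'. */
static int
is_macro_char(int c)
{
	return isalnum(c) || c == '_';
}

/*
 * Expand $NAME references in `in` into `out` (size outlen).
 *  - a reference ends at the first non-macro-name character;
 *  - nothing is expanded inside '...' or "..." quoted strings;
 *  - an unknown macro, or output overflow, returns -1.
 * Returns 0 on success.
 */
int
expand_macros(const char *in, char *out, size_t outlen)
{
	size_t o = 0, nlen, vlen;
	const char *p = in, *val;
	char quote = 0;

	while (*p != '\0') {
		if (quote) {
			if (*p == quote)	/* closing quote; copy it */
				quote = 0;
		} else if (*p == '\'' || *p == '"') {
			quote = *p;		/* opening quote; copy it */
		} else if (*p == '$' && is_macro_char((unsigned char)p[1])) {
			nlen = 0;
			while (is_macro_char((unsigned char)p[1 + nlen]))
				nlen++;
			if ((val = macro_lookup(p + 1, nlen)) == NULL) {
				fprintf(stderr, "macro '%.*s' not defined\n",
				    (int)nlen, p + 1);
				return -1;
			}
			vlen = strlen(val);
			if (o + vlen >= outlen)
				return -1;
			memcpy(out + o, val, vlen);
			o += vlen;
			p += 1 + nlen;
			continue;
		}
		if (o + 1 >= outlen)
			return -1;
		out[o++] = *p++;
	}
	out[o] = '\0';
	return 0;
}

/* Convenience wrapper over a static buffer; returns NULL on error. */
const char *
expand_example(const char *in)
{
	static char buf[256];

	return expand_macros(in, buf, sizeof(buf)) == 0 ? buf : NULL;
}

int
main(void)
{
	const char *r = expand_example("set community $FOO:$BAR");

	printf("%s\n", r != NULL ? r : "(error)");
	return r != NULL ? 0 : 1;
}
```

With the table above, `set community $FOO:$BAR` becomes `set community 65000:100`, while `descr "$FOO"` keeps the literal `$FOO` because it sits inside quotes.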

# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@

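The endianness trap this commit describes, as an added example and not bgpd's code: a constructed three-field struct is sorted once with memcmp(3) and once with a field-by-field comparator in native integer order. On a little-endian host the value 256 (bytes 00 01 00 00) sorts before 1 (bytes 01 00 00 00) under memcmp, so the two orders differ; on a big-endian host they agree. The struct layout, the sample values and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record resembling a community: three integer fields,
 * no padding between them. */
struct comm {
	uint32_t type;
	uint32_t data1;
	uint32_t data2;
};

/* Sample set: same type, data1 = 256, 1, 2. */
static const struct comm sample[3] = {
	{ 1, 256, 0 }, { 1, 1, 0 }, { 1, 2, 0 }
};

/* Byte-wise comparison: the order depends on host byte order. */
int
comm_cmp_memcmp(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct comm));
}

/* Field-wise comparison in native integer order: identical on every host. */
int
comm_cmp_fields(const void *a, const void *b)
{
	const struct comm *ca = a, *cb = b;

	if (ca->type != cb->type)
		return ca->type < cb->type ? -1 : 1;
	if (ca->data1 != cb->data1)
		return ca->data1 < cb->data1 ? -1 : 1;
	if (ca->data2 != cb->data2)
		return ca->data2 < cb->data2 ? -1 : 1;
	return 0;
}

/* Returns 1 on a little-endian host, 0 on a big-endian one. */
int
host_is_little_endian(void)
{
	uint16_t x = 1;
	uint8_t b;

	memcpy(&b, &x, 1);
	return b == 1;
}

/* data1 of the first element after a memcmp-based sort of the sample:
 * 256 on little-endian hosts, 1 on big-endian hosts. */
uint32_t
memcmp_sort_first_data1(void)
{
	struct comm a[3];

	memcpy(a, sample, sizeof(a));
	qsort(a, 3, sizeof(a[0]), comm_cmp_memcmp);
	return a[0].data1;
}

/* data1 of the first element after a field-based sort: always 1. */
uint32_t
field_sort_first_data1(void)
{
	struct comm a[3];

	memcpy(a, sample, sizeof(a));
	qsort(a, 3, sizeof(a[0]), comm_cmp_fields);
	return a[0].data1;
}

/* 1 if both comparators produce the same order for the sample. */
int
orders_agree(void)
{
	struct comm a[3], b[3];

	memcpy(a, sample, sizeof(a));
	memcpy(b, sample, sizeof(b));
	qsort(a, 3, sizeof(a[0]), comm_cmp_memcmp);
	qsort(b, 3, sizeof(b[0]), comm_cmp_fields);
	return memcmp(a, b, sizeof(a)) == 0;
}
```

Any code that keys a bsearch(3) or a sorted dump on such a comparator inherits the same host dependence, which is why the fix compares the integer fields rather than the raw bytes.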

# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the POSIX version of betoh64(), which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than one
community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
lookup of a source-as / prefix pair.
For RPKI a config can be built like this:
	roa-set {
		165.254.255.0/24 source-as 15562
		193.0.0.0/21 maxlen 24 source-as 3333
	}
	deny from any ovs invalid
	match from any ovs valid set community local-as:42
	match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
	match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since the prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
	roa-set "test2" {
		1.2.3.0/24 source-as 1,
		1.2.8.0/22 maxlen 24 source-as 3
	}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
	prefix 10.0.0.0/8 prefixlen 8 - 24
	prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
	deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@
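
The as-set introduced here and the prefix-set features from revs 1.341 and 1.342 combine into the following bgpd.conf fragment. It is an added illustration, not part of this commit or of the bgpd tree, and it assumes the newline-separated set syntax and the `AS as-set <name>` filter parameter as they stood at this point in the history (the commit itself notes the filter syntax was not final). Set names, prefixes and AS numbers are made up for the example.

```conf
# Sets are defined at top level and referenced by name from filter and
# network statements.
prefix-set mynetworks {
	192.0.2.0/24
	2001:db8::/32
}

# as4number_any (rev 1.336) is what lets AS 0 go into a set.
as-set bogons {
	0
	23456
	64496
	64497
}

# Announce everything in the set (rev 1.342) ...
network prefix-set mynetworks

# ... and refuse to learn our own space back, including more-specifics
# (or-longer, rev 1.341), or any path that contains a bogon AS.
deny from any prefix-set mynetworks or-longer
deny from any AS as-set bogons
```

`bgpd -nv -f bgpd.conf` parses the file without acting on it, which is the quickest way to confirm a set definition is accepted before a reload.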


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
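
The migration recipe above, written out as an added example that is not part of the commit: a staged configuration that still parses with the pre-1.322 grammar because it spells out `announce all` and leads the filters with the two deny rules, followed by the same policy in the new grammar. The two stages are separate bgpd.conf files; addresses and AS numbers are documentation values chosen for the example.

```conf
# --- bgpd.conf, stage 1: pre-1.322 grammar, made explicit so that the
# --- switch becomes a no-op.
AS 64496
neighbor 192.0.2.1 {
	remote-as 64497
	announce all
}
neighbor 192.0.2.2 {
	remote-as 64498
	announce none
}
neighbor 192.0.2.3 {
	remote-as 64499
	announce default-route
}

# Put the new implicit default at the start of the filters. Later rules
# still win, so only what is explicitly allowed gets through.
deny from any
deny to any
allow from 192.0.2.1 prefix 203.0.113.0/24
allow to 192.0.2.1 prefix 198.51.100.0/24

# --- bgpd.conf, stage 2: the same policy after 1.322. 'announce all' is
# --- the default and is dropped; 'announce none' and
# --- 'announce default-route' become 'export'.
AS 64496
neighbor 192.0.2.1 {
	remote-as 64497
}
neighbor 192.0.2.2 {
	remote-as 64498
	export none
}
neighbor 192.0.2.3 {
	remote-as 64499
	export default-route
}

# Redundant with the built-in default deny now, but harmless and it
# documents the intent.
deny from any
deny to any
allow from 192.0.2.1 prefix 203.0.113.0/24
allow to 192.0.2.1 prefix 198.51.100.0/24
```

Check both stages with `bgpd -nv -f bgpd.conf` before reloading, and compare `bgpctl show rib out nei 192.0.2.1` before and after the switch; the set of prefixes sent to each peer should not change.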


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
	rdomain 1 {
		descr "CUSTOMER1"
		rd 65003:1
		import-target rt 65003:3
		export-target rt 65003:1
		depend on mpe0
		network 192.168.224/24
	}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two-liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio
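
The community range rules stated in 1.206 and 1.205 (AS part 0 is accepted,
65535 is reserved for well-known communities) together with the well-known
names from 1.178 and 1.116 (NO_PEER, RFC 3765), as a stand-alone validator.
This is an added example and not bgpd's parsecommunity(); struct
filter_community here is this example's own simplification, and the handling
of '*' (accepted in match rules only) and of the neighbor-as placeholder is an
assumption of the example rather than something these log entries specify.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMMUNITY_WELLKNOWN	65535	/* AS part reserved for RFC 1997/3765 */
#define COMMUNITY_ANY		-1	/* '*' in a match rule */
#define COMMUNITY_NEIGHBOR_AS	-2	/* placeholder, expanded per neighbor */

struct filter_community {
	int	as;	/* 0..65534, COMMUNITY_ANY or COMMUNITY_NEIGHBOR_AS */
	int	type;	/* 0..65535 or COMMUNITY_ANY */
};

static const struct {
	const char	*name;
	int		 type;		/* low 16 bits; AS part is 65535 */
} wellknown[] = {
	{ "NO_EXPORT",		0xff01 },	/* RFC 1997 */
	{ "NO_ADVERTISE",	0xff02 },	/* RFC 1997 */
	{ "NO_EXPORT_SUBCONFED",0xff03 },	/* RFC 1997 */
	{ "NO_PEER",		0xff04 },	/* RFC 3765 */
};

/* Strict decimal parse of s[0..len) into [0, max], or '*' if allowed.
 * No sign, no blanks, no trailing junk. Returns 0, or -1 on error. */
static int
parse_part(const char *s, size_t len, long max, int allow_any, int *out)
{
	char	 buf[16], *end;
	long	 v;

	if (len == 0 || len >= sizeof(buf))
		return (-1);
	memcpy(buf, s, len);
	buf[len] = '\0';
	if (allow_any && strcmp(buf, "*") == 0) {
		*out = COMMUNITY_ANY;
		return (0);
	}
	if (buf[0] < '0' || buf[0] > '9')
		return (-1);
	errno = 0;
	v = strtol(buf, &end, 10);
	if (errno != 0 || *end != '\0' || v > max)
		return (-1);
	*out = (int)v;
	return (0);
}

/* Parse "AS:value", "AS:*", "neighbor-as:value" or a well-known name.
 * for_match enables the '*' wildcard, which makes no sense in "set".
 * Returns 0 with *c filled in, -1 on a syntax or range error. */
int
parse_community(const char *s, struct filter_community *c, int for_match)
{
	const char	*colon;
	size_t		 i, aslen;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = COMMUNITY_WELLKNOWN;
			c->type = wellknown[i].type;
			return (0);
		}
	if ((colon = strchr(s, ':')) == NULL)
		return (-1);
	aslen = (size_t)(colon - s);
	if (aslen == strlen("neighbor-as") &&
	    strncmp(s, "neighbor-as", aslen) == 0)
		c->as = COMMUNITY_NEIGHBOR_AS;
	else if (parse_part(s, aslen, COMMUNITY_WELLKNOWN - 1, for_match,
	    &c->as) == -1)
		return (-1);	/* 65535 is reserved, 0 is allowed */
	return (parse_part(colon + 1, strlen(colon + 1), 65535, for_match,
	    &c->type));
}

int
main(void)
{
	const char *samples[] = { "65001:100", "0:100", "65535:1", "NO_PEER",
	    "24640:*", "neighbor-as:666" };
	struct filter_community c;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (parse_community(samples[i], &c, 1) == 0)
			printf("%-16s -> as %d type %d\n", samples[i], c.as, c.type);
		else
			printf("%-16s -> rejected\n", samples[i]);
	return (0);
}
```

The point of the strict digit check is the one 1.208 and 1.157 hint at: a
lexer that hands the parser whole NUMBER tokens still has to reject signs,
blanks and overflow here, or "65535:1" and "-1:5" silently become something
else.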


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc
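
What "ttl security" (RFC 3682, GTSM) means at the socket level, added here as
an illustration and not taken from bgpd's session code: the sender pins its
outgoing TTL to 255 and the receiver has the kernel discard anything that
arrives with a TTL below 255 - (hops - 1), so a segment spoofed from further
away than the expected peer cannot pass, however good the forgery. The names
gtsm_min_ttl(), gtsm_enable() and gtsm_demo() are this example's own; it
assumes a socket API that provides IP_TTL and IP_MINTTL (OpenBSD, FreeBSD and
Linux do), and the fallback value 21 for IP_MINTTL is the Linux constant. For a
directly connected peer, the usual case for ttl-security, the threshold is 255.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_MINTTL
#define IP_MINTTL 21		/* Linux value (assumption); BSD headers define it */
#endif

#define GTSM_MAX_TTL	255

/* Lowest TTL a legitimate packet from a peer `hops` routers away can
 * carry if the peer sends with 255. -1 for a nonsensical hop count. */
int
gtsm_min_ttl(int hops)
{
	if (hops < 1 || hops > GTSM_MAX_TTL)
		return (-1);
	return (GTSM_MAX_TTL - hops + 1);
}

/* Apply GTSM to an IPv4 socket: send with TTL 255 and let the kernel
 * drop incoming segments whose TTL is below the threshold, before they
 * ever reach the TCP state machine. Returns the threshold or -1. */
int
gtsm_enable(int fd, int hops)
{
	int	ttl = GTSM_MAX_TTL;
	int	minttl = gtsm_min_ttl(hops);

	if (minttl == -1) {
		errno = EINVAL;
		return (-1);
	}
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return (-1);
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl,
	    sizeof(minttl)) == -1)
		return (-1);
	return (minttl);
}

/* Read back the threshold the kernel actually enforces. */
int
gtsm_installed_min_ttl(int fd)
{
	int		minttl = 0;
	socklen_t	len = sizeof(minttl);

	if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, &len) == -1)
		return (-1);
	return (minttl);
}

/* Fresh socket, GTSM applied for `hops`, installed threshold returned. */
int
gtsm_demo(int hops)
{
	int	fd, got;

	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return (-1);
	got = gtsm_enable(fd, hops) == -1 ? -1 : gtsm_installed_min_ttl(fd);
	close(fd);
	return (got);
}

int
main(void)
{
	int	r = gtsm_demo(1);	/* directly connected peer */

	if (r == -1)
		perror("gtsm");
	else
		printf("ttl-security on: accepting TTL >= %d only\n", r);
	return (r == GTSM_MAX_TTL ? 0 : 1);
}
```

IP_MINTTL filters only this socket's segments and the peer has to send with
TTL 255 as well, so enabling ttl-security on one end only leaves that session
unable to come up; that is the intended fail-closed behaviour, not a bug to
work around by lowering the threshold.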


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning so that 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.452 21-Apr-2023 claudio

Adjust ext community handling to support the generic transitive communities
introduced with flowspec.
OK tb@


# 1.451 21-Apr-2023 claudio

Missing space noticed by Pablo Mendez Hernandez


# 1.450 21-Apr-2023 claudio

Sync common code with bgpctl with the version from there.
OK tb@


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbor's role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filter rule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"), it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggreagte these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen lenght. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:

	announce refresh yes	# was already on by default
	announce restart no
	announce as-4byte no	# was only set on sessions to peers with 4byte AS nums

OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we'd have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options

	nexthop qualify via bgp
	nexthop qualify via default

This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filter,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:

	deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like

	deny from { $peer1 $peer2 } prefix 192.168.0.0/16

are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered into the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.449 19-Apr-2023 claudio

Reshuffle the flowrule yacc rules to be in a more logical and alphabetical
order.


# 1.448 18-Apr-2023 tb

Rewrite some ugly for loops

This fixes a few KNF issues and ugly line wrapping by using a local
version of nitems(); fix two bsearch() on top.

ok claudio


# 1.447 18-Apr-2023 claudio

Implement the parser bits to process flowspec rules. Heavily inspired by
pfctl, in bgpd flowspec rules are written like pf rules (with a few
exceptions / extensions). As a result not all flowspec features are
available but that is OK.
OK tb@


# 1.446 05-Apr-2023 claudio

Refactor port definitions to also support service names like bgp.
OK tb@


# 1.445 05-Apr-2023 claudio

Rename family with af to follow pfctl/parse.y a bit more.
OK tb@


# 1.444 04-Apr-2023 claudio

Cleanup parse.y a bit. Move global defines a bit down. Move mrtdump and
network rules up into the grammar and switch the order of restricted
to be more like the rest.
OK tb@


# 1.443 03-Apr-2023 claudio

Add first step of flowspec support. This adds the bits to establish a
connection with SAFI 133. Right now any sent UPDATE with SAFI 133 is
simply ignored. At the moment SAFI 134 (flowspec for L3VPN) is unsupported.
OK tb@


Revision tags: OPENBSD_7_3_BASE
# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treat as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similarly to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
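
The memcmp(3) versus field-wise ordering problem described above, as an added illustration that is not bgpd's own code: a constructed struct loosely modelled on a community entry (not the real layout), a byte-wise comparator whose result depends on host endianness, and the portable field-wise comparator that yields the same order on every host. The sample values and helper names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed struct, loosely modelled on a community entry; not the
 * real bgpd layout. Padding after `type` is zeroed before use so that
 * the byte-wise comparator is at least deterministic.
 */
struct community {
	uint8_t		flags;
	uint8_t		type;
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

/* The endian-dependent comparator: orders by raw bytes, so on a
 * little-endian host the low byte of each uint32_t decides first. */
static int
community_cmp_bytes(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct community));
}

/* The portable comparator: compares each field in native byte order,
 * giving the same sort order on i386 and powerpc64. */
static int
community_cmp_fields(const void *pa, const void *pb)
{
	const struct community *a = pa, *b = pb;

	if (a->flags != b->flags)
		return a->flags < b->flags ? -1 : 1;
	if (a->type != b->type)
		return a->type < b->type ? -1 : 1;
	if (a->data1 != b->data1)
		return a->data1 < b->data1 ? -1 : 1;
	if (a->data2 != b->data2)
		return a->data2 < b->data2 ? -1 : 1;
	if (a->data3 != b->data3)
		return a->data3 < b->data3 ? -1 : 1;
	return 0;
}

int
host_is_little_endian(void)
{
	uint16_t probe = 1;

	return *(const uint8_t *)&probe == 1;
}

/* Two constructed sample entries differing only in data1: 65536 and 256. */
static void
sample_pair(struct community *a, struct community *b)
{
	memset(a, 0, sizeof(*a));
	memset(b, 0, sizeof(*b));
	a->type = 1;
	b->type = 1;
	a->data1 = 0x00010000;	/* little-endian bytes: 00 00 01 00 */
	b->data1 = 0x00000100;	/* little-endian bytes: 00 01 00 00 */
}

/* Byte-wise result for the sample pair: negative on little-endian hosts
 * (65536 sorts before 256), positive on big-endian hosts. */
int
bytes_order(void)
{
	struct community a, b;

	sample_pair(&a, &b);
	return community_cmp_bytes(&a, &b);
}

/* Field-wise result for the sample pair: always positive (65536 > 256). */
int
fields_order(void)
{
	struct community a, b;

	sample_pair(&a, &b);
	return community_cmp_fields(&a, &b);
}

/* qsort(3) the pair with the portable comparator and return data1 of the
 * first element; this is 256 regardless of host byte order. */
uint32_t
first_after_field_sort(void)
{
	struct community set[2];

	sample_pair(&set[0], &set[1]);
	qsort(set, 2, sizeof(set[0]), community_cmp_fields);
	return set[0].data1;
}
```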


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since both
parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than one
community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
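The roa-set syntax and the ovs valid / invalid / not-found matching introduced in the 1.361 entry above, together with the maxlen as prefixlen-range equivalence from this 1.351 entry, worked through as an added Python example. This is not bgpd's own code (bgpd is written in C and keeps roa-sets in a lookup trie); it models the RFC 6811 decision procedure on top of a small parser for roa-set items. Assumptions made here: an item without maxlen means "exactly this prefix length" (RFC 6482), a route originated from AS 0 can never be valid (see the 1.301 entry), items may be separated by newlines or commas, and the local_as value 64496 in apply_filter is a constructed documentation ASN.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _net(x) -> IPNetwork:
    """Accept either a network object or a 'prefix/len' string."""
    if isinstance(x, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return x
    return ipaddress.ip_network(x, strict=True)


@dataclass(frozen=True)
class Roa:
    """One roa-set item: '<prefix> [maxlen N] source-as ASN'."""
    prefix: IPNetwork
    source_as: int
    maxlen: Optional[int] = None  # absent maxlen means "exactly this prefix length" (RFC 6482)

    @property
    def effective_maxlen(self) -> int:
        return self.prefix.prefixlen if self.maxlen is None else self.maxlen


def parse_roa_set(body: str) -> List[Roa]:
    """Parse the items of a roa-set block; items are separated by newlines or commas."""
    roas = []
    for item in body.replace(",", "\n").splitlines():
        tok = item.split()
        if not tok:
            continue
        prefix = _net(tok[0])
        maxlen = source_as = None
        i = 1
        while i + 1 < len(tok):
            if tok[i] == "maxlen":
                maxlen = int(tok[i + 1])
            elif tok[i] == "source-as":
                source_as = int(tok[i + 1])
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in {item!r}")
            i += 2
        if i != len(tok) or source_as is None:
            raise ValueError(f"malformed roa-set item {item!r}")
        if not 0 <= source_as <= 0xFFFFFFFF:
            raise ValueError(f"source-as {source_as} out of range in {item!r}")
        # maxlen must lie between the prefix length and the address family maximum
        if maxlen is not None and not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {prefix}")
        roas.append(Roa(prefix, source_as, maxlen))
    return roas


def prefix_in_range(route, rule, min_len: int, max_len: int) -> bool:
    """'prefix <rule> prefixlen <min_len> - <max_len>' (OP_RANGE) semantics.

    'prefix R maxlen N'  is  prefixlen R.prefixlen - N
    'prefix R or-longer' is  prefixlen R.prefixlen - R.max_prefixlen
    """
    route, rule = _net(route), _net(rule)
    return (route.version == rule.version
            and min_len <= route.prefixlen <= max_len
            and route.subnet_of(rule))


def ovs(roas: List[Roa], route, origin_as: int) -> str:
    """RFC 6811 origin validation state for (route, origin AS): valid, invalid or not-found."""
    route = _net(route)
    # ROAs whose prefix covers the route, regardless of their maxlen
    covering = [r for r in roas
                if prefix_in_range(route, r.prefix, r.prefix.prefixlen, r.prefix.max_prefixlen)]
    if not covering:
        return "not-found"
    # One covering ROA with the right origin and a permitting maxlen makes the route valid.
    # AS 0 is never a legitimate origin (assumption, cf. RFC 7607), so an AS 0 ROA can only
    # ever make routes for its prefix invalid.
    if origin_as != 0 and any(r.source_as == origin_as and route.prefixlen <= r.effective_maxlen
                              for r in covering):
        return "valid"
    return "invalid"


def apply_filter(roas: List[Roa], route, origin_as: int, local_as: int = 64496):
    """The three rules quoted in the 1.361 entry:
         deny from any ovs invalid
         match from any ovs valid set community local-as:42
         match from any ovs not-found set community local-as:43
    local_as is a constructed value (documentation ASN)."""
    state = ovs(roas, route, origin_as)
    if state == "invalid":
        return ("deny", None)
    return ("match", f"{local_as}:{42 if state == 'valid' else 43}")


# Constructed sample: the roa-set body is the one quoted in the 1.361 commit message.
ROA_SET = """
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
"""
ROAS = parse_roa_set(ROA_SET)

if __name__ == "__main__":
    for pfx, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                     ("193.0.4.0/24", 3333), ("193.0.0.0/25", 3333),
                     ("193.0.0.0/22", 65000), ("10.0.0.0/8", 3333)]:
        print(f"{pfx:20} AS{asn:<6} {ovs(ROAS, pfx, asn):10} {apply_filter(ROAS, pfx, asn)}")
```

The 165.254.255.0/25 case is the one operators most often get wrong: the ROA covers the route, so the state is invalid rather than not-found, because the item has no maxlen and therefore only authorises the exact /24.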


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists commas and newlines are allowed but optional.
In the neighbor, group and rdomain blocks statements need to be newline
separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
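The quoted-string rules from the 1.362 entry above (backslash before space or tab keeps that character even inside quotes, backslash before newline is a line continuation) and the embedded-NUL rejection from this 1.275 entry, as an added Python model of the lexer's quoted-string handling. It is not the OpenBSD yylex() itself, which is C. Behaviour the two entries do not spell out is an assumption here: a backslash before the quote character yields a literal quote, any other backslash escape keeps the backslash, a bare newline inside quotes is dropped but counted, and end of input inside quotes is an error. The tokenize() word and comment handling is a simplification, and SAMPLE is constructed.

```python
class LexError(Exception):
    """Raised where the C lexer would call yyerror() and bail out."""


def lex_quoted(src: str, pos: int, lineno: int = 1):
    """Lex one quoted string whose opening quote is at src[pos].

    Returns (value, index_after_closing_quote, lineno_after).
    From the 1.362 / 1.275 entries:
      backslash + space or tab   -> that space or tab, kept even inside quotes
      backslash + newline        -> dropped (line continuation), line counter +1
      embedded NUL               -> rejected
    Assumptions:
      backslash + quote char     -> literal quote
      backslash + anything else  -> backslash kept, next char lexed normally
      bare newline in quotes     -> dropped but counted
      end of input in quotes     -> error
    """
    quotec = src[pos]
    if quotec not in ("'", '"'):
        raise ValueError("lex_quoted must start at a quote character")
    out = []
    i = pos + 1
    while True:
        if i >= len(src):
            raise LexError(f"line {lineno}: reached end of file while parsing quoted string")
        c = src[i]
        i += 1
        if c == "\n":
            lineno += 1
            continue
        if c == "\\":
            if i >= len(src):
                raise LexError(f"line {lineno}: reached end of file while parsing quoted string")
            nxt = src[i]
            if nxt in (quotec, " ", "\t"):
                c = nxt
                i += 1
            elif nxt == "\n":
                lineno += 1
                i += 1
                continue
            # any other escape: keep the backslash, nxt is handled on the next iteration
        elif c == quotec:
            return "".join(out), i, lineno
        elif c == "\0":
            raise LexError(f"line {lineno}: embedded NUL in quoted string")
        out.append(c)


def tokenize(src: str):
    """Split config text into (token, lineno) pairs.

    Words end at whitespace, '#' starts a comment to end of line, quoted strings are
    decoded with lex_quoted(), and every newline yields a '\\n' token because the
    grammar is newline sensitive. Simplified model of the token loop, not yylex().
    """
    toks = []
    i, n, lineno = 0, len(src), 1
    while i < n:
        c = src[i]
        if c in " \t":
            i += 1
        elif c == "\n":
            toks.append(("\n", lineno))
            lineno += 1
            i += 1
        elif c == "#":
            while i < n and src[i] != "\n":
                i += 1
        elif c in ("'", '"'):
            start = lineno
            val, i, lineno = lex_quoted(src, i, lineno)
            toks.append((val, start))
        else:
            j = i
            while j < n and src[j] not in " \t\n#":
                j += 1
            toks.append((src[i:j], lineno))
            i = j
    return toks


# Constructed sample: a neighbor description continued over two lines, then a comment.
SAMPLE = 'descr "test \\\n peer" # comment\nholdtime 90\n'

if __name__ == "__main__":
    for tok, line in tokenize(SAMPLE):
        print(line, repr(tok))
```

The point of returning the line counter from lex_quoted() is that a continuation consumed inside a string still advances it, so the token after the string ("holdtime" in SAMPLE) is reported on line 3, which is what a yyerror() message would print.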


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. The need for it in "special" setups was pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
in a protocol-independent way. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.442 09-Mar-2023 claudio

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
there is a role set. iBGP and sessions with no role will not announce
the role capability.
- adjust the role capability announcement to be only on sessions that
use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
the neighbors role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
the system) for all checks. Also remove the check if the role capability
was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
The RFC requires that prefixes must be considered ineligible (and not
treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
neither AID_INET or AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASAP.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and the flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non-default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
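As an added illustration (not part of the commit or of bgpd's code), the origin-validation states the roa-set above feeds, reimplemented in Python: the two ROA entries are copied from the commit message, the routes run through it are constructed, and AS 65000 (local) and AS 65001 are placeholders.

```python
"""Origin validation over a bgpd-style roa-set (added example, not bgpd code).

States follow RFC 6811: a route is 'valid' when some covering ROA carries
its origin AS and its prefix length is within that ROA's maxlen, 'invalid'
when covering ROAs exist but none match, and 'not-found' when no ROA
covers the prefix at all.
"""
import ipaddress
from typing import List, NamedTuple


class Roa(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    maxlen: int
    source_as: int


def parse_roa_set(text: str) -> List[Roa]:
    """Parse roa-set items of the form 'PREFIX [maxlen N] source-as ASN'.

    Tolerates the block wrapper ('roa-set ... {' / '}'), trailing commas
    and '#' comments. Without maxlen only the exact prefix length matches.
    """
    roas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line or line.startswith("roa-set") or line == "}":
            continue
        tokens = line.split()
        prefix = ipaddress.ip_network(tokens[0], strict=True)
        maxlen = prefix.prefixlen
        source_as = None
        i = 1
        while i < len(tokens):
            if tokens[i] == "maxlen" and i + 1 < len(tokens):
                maxlen = int(tokens[i + 1])
            elif tokens[i] == "source-as" and i + 1 < len(tokens):
                source_as = int(tokens[i + 1])
            else:
                raise ValueError("unexpected token %r in %r" % (tokens[i], raw))
            i += 2
        # An entry without an origin AS, or a maxlen outside
        # [prefixlen, address length], can never match: reject it.
        if source_as is None or not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError("bad roa-set entry: %r" % raw)
        roas.append(Roa(prefix, maxlen, source_as))
    return roas


def validate_origin(roas: List[Roa], route: str, origin_as: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (route, origin_as)."""
    net = ipaddress.ip_network(route, strict=True)
    # Only ROAs of the same address family can cover the route.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.source_as == origin_as and net.prefixlen <= r.maxlen:
            return "valid"
    return "invalid"


def filter_route(roas, route, origin_as, local_as):
    """Apply the three filter rules quoted above: deny invalid, tag valid
    with local-as:42 and not-found with local-as:43."""
    state = validate_origin(roas, route, origin_as)
    if state == "invalid":
        return ("deny", state, None)
    return ("match", state, "%d:%d" % (local_as, 42 if state == "valid" else 43))


# Constructed sample input: the roa-set block from the commit message.
ROA_SET_TEXT = """\
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
"""
ROAS = parse_roa_set(ROA_SET_TEXT)

if __name__ == "__main__":
    # Constructed routes covering each state; 65000/65001 are placeholders.
    for route, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                       ("193.0.4.0/22", 3333), ("193.0.0.0/21", 65001),
                       ("10.0.0.0/8", 65001)]:
        print(route, asn, filter_route(ROAS, route, asn, 65000))
```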


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first limits
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
to support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen
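The capability knobs of 1.237, the restart toggling of 1.238/1.263 and the per-family defaults of 1.235, shown together in one bgpd.conf fragment. This is an added example written for this log, not configuration from the bgpd tree: the AS numbers, addresses and descriptions are placeholders, and the "announce IPv4/IPv6" keyword form follows bgpd.conf(5) of that era rather than the inet/inet6 shorthand used in the commit message.

```conf
# Added example, not from the bgpd source tree. Placeholder AS numbers,
# addresses and descriptions throughout.
AS 65001
router-id 192.0.2.1

# IPv4 transport: after 1.235 this defaults to announcing IPv4 unicast only.
# All capabilities (refresh, restart, as-4byte) are announced by default
# since 1.237, with restart being the one that was toggled in 1.238/1.263.
neighbor 192.0.2.2 {
	remote-as 65002
	descr "v4-peer"
}

# IPv6 transport: after 1.235 this defaults to announcing IPv6 unicast.
# A peer that also wants IPv4 routes over the IPv6 session gets both
# families listed explicitly; the per-neighbor setting wins over the
# group and global defaults.
neighbor 2001:db8::2 {
	remote-as 65002
	descr "v6-peer"
	announce IPv4 unicast
	announce IPv6 unicast
}

# Peer with a shaky capability implementation: switch individual
# capabilities off, which is the pre-1.237 behaviour the commit message
# spells out, instead of disabling capability announcement altogether.
neighbor 192.0.2.3 {
	remote-as 65003
	descr "legacy-peer"
	announce refresh yes
	announce restart no
	announce as-4byte no
}
```

A peer that does not support graceful restart simply does not return the capability; "announce restart no" is only needed for peers that choke on the announcement itself, and since bgpd is only a "Restarting Client" (1.263) it keeps the FIB for a restarting peer but does not perform GR when it restarts itself.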


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any
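The AS-path, community and RIB matching syntax introduced by 1.231, 1.246, 1.249, 1.252 and 1.255, collected into one filter block. This is an added example written for this log and not a configuration from the bgpd tree; AS numbers, the route-target values and the RIB name TESTRIB are placeholders.

```conf
# Added example, not from the bgpd source tree. Placeholder AS numbers,
# route targets and RIB name.

# 1.255: max-as-len matches paths longer than the given length. Dropping
# absurdly long paths keeps our own and our customers' boxes out of
# trouble; 64 ASes is far beyond any legitimate path.
deny from any max-as-len 64

# 1.255: max-as-seq matches when the same AS is repeated more than the
# given number of times in a row, i.e. excessive prepending.
deny from any max-as-seq 10

# 1.252: neighbor-as expands to the remote AS of the neighbor the rule is
# evaluated for, so one rule prefers routes originated by each peer itself
# without a per-peer rule.
match from any source-as neighbor-as set localpref 1000

# 1.249: extended community matching, exact match only.
match from any ext-community rt 65001:100 set localpref 200

# 1.246: set and delete extended communities as
# "set ext-community [delete] subtype key:value".
match from any set ext-community delete rt 65001:999
match from any set ext-community rt 65001:1

# 1.231: filters can be scoped to an alternate RIB; the rib specifier only
# makes sense on "from" rules.
deny rib TESTRIB from any
```

Ordering matters: the deny rules are evaluated first, so nothing with a ridiculous path ever reaches the match rules that set a high localpref.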


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@
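The multi-RIB configuration of 1.226 and 1.228, the kernel-table binding of 1.253 and the in-config control sockets of 1.256, as one bgpd.conf fragment. This is an added example for this log, not configuration from the bgpd tree; the RIB names, socket paths, AS numbers and addresses are placeholders.

```conf
# Added example, not from the bgpd source tree. Placeholder names, paths,
# AS numbers and addresses.
AS 65001
router-id 192.0.2.1

# 1.256: control sockets live in bgpd.conf instead of -s/-r on the command
# line, so a restricted (read-only bgpctl) socket survives restarts and can
# be added or changed on reload.
socket "/var/run/bgpd.sock"
socket "/var/run/bgpd.rsock" restricted

# 1.226/1.253: an additional RIB fed into kernel routing table 1. Only the
# main Loc-RIB updates the FIB otherwise (1.230), and nexthops for an
# alternate table are still verified against table 0 (1.253).
rde rib TESTIT rtable 1

# A RIB that is never evaluated and never touches the FIB; good for a
# looking-glass view of everything a peer sent.
rde rib LOOKING no evaluate

# 1.228: bind a peer to a specific RIB.
neighbor 192.0.2.2 {
	remote-as 65002
	descr "test-peer"
	rib TESTIT
}
```

Because of the 1.253 caveat, "nexthop qualify via bgp" on an alternate-table RIB compares nexthops against bgpd routes that live in table 0, not in the table the RIB is bound to.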


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filter,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning
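The filter "set" actions and list expansion from 1.102, 1.118, 1.120 through 1.126, 1.140, 1.152, 1.158, 1.165, 1.179 and 1.180, collected into one ruleset. This is an added example written for this log and not a ruleset from the bgpd tree or from the Cymru project; the peer macros, prefixes, AS numbers, pf table name and route label are placeholders.

```conf
# Added example, not from the bgpd source tree. Placeholder peers,
# prefixes, AS numbers, table and label names.
peer1="192.0.2.2"
peer2="192.0.2.3"
bogon_rs="192.0.2.100"

# 1.120/1.121: macros and {} lists in the peer and prefix position expand
# into one rule per combination.
deny from { $peer1 $peer2 } prefix { 10.0.0.0/8 192.168.0.0/16 }

# 1.123/1.125: list expansion on AS filters, nested lists included.
# "AS" stayed upper case, the derived keywords went lower case in 1.135.
deny from any { source-as { 3320 852 } AS { 4589 174 } }

# 1.102 + 1.118: prefixes learned from a bogon route server land in a pf
# table and are installed as blackhole routes, so both pf and the FIB
# drop traffic to them.
allow from $bogon_rs set { pftable "bogons" nexthop blackhole }

# 1.180 + 1.179: strip every community a peer set in our own AS range
# before tagging, so a peer cannot pre-set the communities we act on;
# neighbor-as expands to that peer's remote AS.
match from $peer1 set { community delete 65001:* community neighbor-as:100 }

# 1.152/1.158/1.165/1.140: relative metric, per-prefix weight, route
# label and prepending the neighbor's AS on incoming updates.
match from $peer1 set { localpref +20 weight 10 rtlabel "customer" }
match from $peer2 set prepend-neighbor 3
```

The "community delete" before "community" in the same set block relies on the 1.176 ordering of filter sets: deletes are applied before additions, which is what makes the sequence safe against a peer sending the same community we add.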


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y,
which need it, include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.441 30-Jan-2023 claudio

Alter the way extended communities are matched when part of the value
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similarly to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() cannot overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filter rule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@
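As an added example (not parse.y's own code), a stand-alone model of these expansion rules together with the undefined-variable error from 1.429: a name is cut at the first character not allowed in a macro name, nothing is expanded inside single or double quotes, an unknown macro is an error, and a name given to 'set' is checked for length and allowed characters. The symbol table, the MACRO_NAME_MAX limit and all function names are constructed for the demo.

```c
#include <ctype.h>
#include <string.h>

#define MACRO_NAME_MAX	32	/* constructed; parse.y's own limit is not on this page */

struct macro { const char *name; const char *value; };

/* Constructed symbol table standing in for the parser's 'set' variables. */
static const struct macro macros[] = {
	{ "FOO", "64496" }, { "BAR", "100" }, { "peer", "192.0.2.1" },
};

/* Look a macro up by name; NULL when it was never set. */
static const char *
symget(const char *name)
{
	for (size_t i = 0; i < sizeof(macros) / sizeof(macros[0]); i++)
		if (strcmp(macros[i].name, name) == 0)
			return macros[i].value;
	return NULL;
}

/* Characters allowed inside a macro name: alphanumerics and '_'. */
static int macro_char(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* The check a 'set' statement applies to a new variable name. */
int
macro_name_valid(const char *name)
{
	size_t len = strlen(name);
	if (len == 0 || len >= MACRO_NAME_MAX)
		return 0;
	for (size_t i = 0; i < len; i++)
		if (!macro_char(name[i]))
			return 0;
	return 1;
}

/*
 * Expand every $name in 'in' into 'out'. A name ends at the first character
 * not allowed in macro names, so "$FOO:$BAR" is two lookups. Quoted text
 * (single or double quotes) is copied verbatim. Returns 0 on success, -1
 * for an undefined or overlong macro name or when 'out' is too small.
 */
int
expand_macros(const char *in, char *out, size_t outlen)
{
	const char *p = in;
	size_t o = 0;
	char quote = '\0';

	if (outlen == 0)
		return -1;
	while (*p != '\0') {
		if (quote == '\0' && *p == '$' && macro_char(p[1])) {
			char name[MACRO_NAME_MAX];
			const char *val, *q = p + 1;
			size_t n = 0, vlen;
			while (macro_char(*q)) {
				if (n >= sizeof(name) - 1)
					return -1;	/* name too long */
				name[n++] = *q++;
			}
			name[n] = '\0';
			if ((val = symget(name)) == NULL)
				return -1;	/* undefined macro is a hard error */
			vlen = strlen(val);
			if (o + vlen >= outlen)
				return -1;
			memcpy(out + o, val, vlen);
			o += vlen;
			p = q;
			continue;
		}
		if (quote == '\0' && (*p == '\'' || *p == '"'))
			quote = *p;		/* entering a quoted string */
		else if (*p == quote)
			quote = '\0';		/* leaving it */
		if (o + 1 >= outlen)
			return -1;
		out[o++] = *p++;
	}
	out[o] = '\0';
	return 0;
}

/* 1 when 'in' expands successfully to exactly 'expected', else 0. */
int
expands_to(const char *in, const char *expected)
{
	char buf[128];
	return expand_macros(in, buf, sizeof(buf)) == 0 &&
	    strcmp(buf, expected) == 0;
}
```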


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64(), which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
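
As an added example (not bgpd's own code), the following C program implements the origin validation outcomes that 'ovs valid', 'ovs invalid' and 'ovs not-found' match on, using the roa-set block from the message above as a constructed sample. The maxlen semantics follow the later 1.351 entry ('maxlen 24' is the same as 'prefixlen 8 - 24'); all function names are my own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Origin Validation State as matched by 'ovs valid|invalid|not-found'. */
enum ovs { OVS_VALID = 0, OVS_INVALID = 1, OVS_NOT_FOUND = 2 };

/* One roa-set entry: covered prefix, allowed maxlen and the authorised origin AS. */
struct roa {
	uint32_t prefix;	/* host byte order */
	uint8_t  plen;
	uint8_t  maxlen;	/* "maxlen N" equals "prefixlen plen - N"; defaults to plen */
	uint32_t source_as;
};

/* Constructed sample: the two lines of the roa-set block shown in the commit message. */
static const char *example_roa_lines[] = {
	"165.254.255.0/24 source-as 15562",
	"193.0.0.0/21 maxlen 24 source-as 3333",
};

static uint32_t plen_mask(uint8_t len)
{
	return len == 0 ? 0 : (uint32_t)(0xffffffffU << (32 - len));
}

/* Parse "A.B.C.D/N" into a host-order address and prefix length; 0 on success, -1 on error. */
int parse_prefix(const char *s, uint32_t *addr, uint8_t *plen)
{
	char buf[32], *slash, *end;
	struct in_addr in;
	long len;

	if (strlen(s) >= sizeof(buf) || (slash = strchr(strcpy(buf, s), '/')) == NULL)
		return -1;
	*slash++ = '\0';
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -1;
	len = strtol(slash, &end, 10);
	if (*slash == '\0' || *end != '\0' || len < 0 || len > 32)
		return -1;
	*addr = ntohl(in.s_addr);
	*plen = (uint8_t)len;
	return 0;
}

/* Parse one "prefix [maxlen M] source-as AS" roa-set line; 0 on success, -1 on error. */
int parse_roa(const char *line, struct roa *r)
{
	char pfx[32];
	unsigned int maxlen, as;

	if (sscanf(line, "%31s maxlen %u source-as %u", pfx, &maxlen, &as) == 3) {
		if (parse_prefix(pfx, &r->prefix, &r->plen) == -1 ||
		    maxlen > 32 || maxlen < r->plen)
			return -1;
		r->maxlen = (uint8_t)maxlen;
	} else if (sscanf(line, "%31s source-as %u", pfx, &as) == 2) {
		if (parse_prefix(pfx, &r->prefix, &r->plen) == -1)
			return -1;
		r->maxlen = r->plen;	/* without maxlen only the exact prefix is authorised */
	} else
		return -1;
	r->source_as = as;
	return 0;
}

/*
 * RFC 6811 style validation: VALID if some ROA covers the prefix, permits its
 * length and names the origin AS; INVALID if ROAs cover the prefix but none
 * matches (wrong AS or too long); NOT_FOUND if no ROA covers the prefix at all.
 * Returns -1 if the prefix cannot be parsed.
 */
int roa_validate(const struct roa *set, size_t n, const char *prefix, uint32_t source_as)
{
	uint32_t addr;
	uint8_t plen;
	int covered = 0;
	size_t i;

	if (parse_prefix(prefix, &addr, &plen) == -1)
		return -1;
	for (i = 0; i < n; i++) {
		if (plen < set[i].plen ||
		    (addr & plen_mask(set[i].plen)) != (set[i].prefix & plen_mask(set[i].plen)))
			continue;	/* ROA does not cover this prefix */
		covered = 1;
		if (plen <= set[i].maxlen && set[i].source_as == source_as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/* Validate a (prefix, source-as) pair against the constructed sample set. */
int example_ovs(const char *prefix, uint32_t source_as)
{
	struct roa set[2];
	size_t i;

	for (i = 0; i < 2; i++)
		if (parse_roa(example_roa_lines[i], &set[i]) == -1)
			return -1;
	return roa_validate(set, 2, prefix, source_as);
}
```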


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthops will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIBs plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@

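The AS_PATH inflate/deflate that 1.204 describes, as an added example in C that is not bgpd's code: a 4-byte path is deflated for an OLD (2-byte) speaker by substituting AS_TRANS (23456) and flagging that a NEW_ASPATH (today called AS4_PATH) must accompany it, and an OLD speaker's AS_PATH is inflated back using the NEW_ASPATH it carried, following the merge rule of RFC 4893 section 4.2.3. The flat array representation and the function names are assumptions; AS_SET segments and the wire encoding are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AS_TRANS 23456	/* RFC 4893 placeholder for a 4-byte ASN on a 2-byte session */

/*
 * Added example, not bgpd code: deflate a 4-byte AS path for an OLD
 * speaker and inflate an OLD speaker's path again from AS_PATH plus
 * NEW_ASPATH. Paths are flat arrays of ASNs in AS_SEQUENCE order
 * (an assumption; AS_SET segments and the wire format are omitted).
 */

/* Build the 2-byte AS_PATH sent to an OLD speaker. Every 4-byte ASN
 * becomes AS_TRANS. Returns 1 if a NEW_ASPATH with the real path has to
 * be sent alongside, 0 if every ASN already fits in 2 bytes. */
int
aspath_deflate(const uint32_t *path, size_t n, uint16_t *out)
{
	int need_as4 = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (path[i] > 0xffff) {
			out[i] = AS_TRANS;
			need_as4 = 1;
		} else
			out[i] = (uint16_t)path[i];
	}
	return need_as4;
}

/* Merge an OLD speaker's AS_PATH with the NEW_ASPATH it passed through
 * unchanged (RFC 4893 4.2.3). A NEW_ASPATH longer than the AS_PATH is
 * ignored; otherwise the leading (n - as4n) entries of AS_PATH, added by
 * OLD speakers after the NEW_ASPATH was created, are kept and the
 * NEW_ASPATH replaces the tail. Returns the merged length (always n). */
size_t
aspath_inflate(const uint16_t *path, size_t n, const uint32_t *as4,
    size_t as4n, uint32_t *out)
{
	size_t i, keep = n;

	if (as4 != NULL && as4n > 0 && as4n <= n)
		keep = n - as4n;
	for (i = 0; i < keep; i++)
		out[i] = path[i];
	if (keep < n)
		memcpy(out + keep, as4, as4n * sizeof(*as4));
	return n;
}

int
main(void)
{
	/* constructed sample: 196608 (3.0 in asdot) does not fit in 2 bytes */
	uint32_t path[] = { 65001, 196608, 3356 };
	uint16_t wire[3];
	/* what an OLD speaker that prepended 64512 would forward to us */
	uint16_t from_old[] = { 64512, 65001, AS_TRANS, 3356 };
	uint32_t merged[4];
	size_t i, n;

	printf("NEW_ASPATH needed: %d\n", aspath_deflate(path, 3, wire));
	n = aspath_inflate(from_old, 4, path, 3, merged);
	for (i = 0; i < n; i++)
		printf("%u ", (unsigned)merged[i]);
	printf("\n");
	return 0;
}
```

The length comparison in aspath_inflate() is the check that matters for robustness: a peer can send any NEW_ASPATH it likes, and one longer than the AS_PATH it travelled with is inconsistent and must not be trusted over the AS_PATH.
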

# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec
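
The string to key conversion that 1.103 factors out, together with the "key too long" comparison 1.110 corrects, shown as an added example in C that is not bgpd's str2key: hex digits are converted a nibble at a time, an empty or odd length string is rejected, and the length limit is checked in bytes before anything is written. The KEY_MAX limit, the function names and the return convention are assumptions; the actual bgpd limits and code are not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not bgpd code: hex string to key bytes with the checks
 * a key parser needs. KEY_MAX is an assumption (a 160-bit MD5 style key).
 */
#define KEY_MAX 20

/* Value of one hex digit, or -1 for anything else. */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Convert the hex string s into key (at most keymax bytes). Returns the
 * key length in bytes, or -1 for an empty string, an odd number of
 * digits, a non hex character or a key longer than keymax. Nothing is
 * written to key before the length check passes, so a too long string
 * cannot partially overwrite the buffer. */
int
str2key(const char *s, uint8_t *key, size_t keymax)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0)
		return -1;
	if (len / 2 > keymax)	/* compare bytes, not characters */
		return -1;
	for (i = 0; i < len; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

int
main(void)
{
	/* constructed sample keys, not real configuration data */
	const char *good = "0102030405060708090a0b0c0d0e0f1011121314";
	const char *toolong = "0102030405060708090a0b0c0d0e0f101112131415";
	uint8_t key[KEY_MAX];
	int n, i;

	n = str2key(good, key, KEY_MAX);
	printf("good: %d bytes:", n);
	for (i = 0; i < n; i++)
		printf(" %02x", key[i]);
	printf("\ntoo long: %d\n", str2key(toolong, key, KEY_MAX));
	return 0;
}
```

The boundary case worth testing is exactly KEY_MAX bytes (accepted) against KEY_MAX + 1 (rejected); an off by one in that comparison either refuses a valid maximum length key or writes one byte past the buffer.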


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
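
The leak described in this entry, reconstructed as a small stand-alone C example (added here for illustration; this is not bgpd's parse.y, and the token values, keyword table and counters are hypothetical). The keyword table is kept sorted because lookup() uses bsearch(), which is also why later entries insist on a sorted table. lex_word() with fixed == 0 reproduces the old behaviour of copying the text for every token; with fixed == 1 it only does so for STRING, the one token whose grammar rule frees the value.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical token values; the real parser's tokens come from yacc. */
enum token { STRING = 1, NEIGHBOR, GROUP, REMOTE_AS, LOCAL_ADDRESS };

struct keyword {
	const char	*k_name;
	enum token	 k_val;
};

/* Keyword table: must stay sorted by name because lookup() uses bsearch(). */
static const struct keyword keywords[] = {
	{ "group",		GROUP },
	{ "local-address",	LOCAL_ADDRESS },
	{ "neighbor",		NEIGHBOR },
	{ "remote-as",		REMOTE_AS }
};

static int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keyword *)e)->k_name));
}

/* Return the keyword token for buf, or STRING if buf is not a keyword. */
enum token
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return (p != NULL ? p->k_val : STRING);
}

/* Heap copies of token text that have not been freed yet. */
static long live_strings;

/* The word-to-token step of yylex(). fixed == 0: old code, a copy is made
 * for every token. fixed == 1: the 1.71 fix, a copy only for STRING. */
enum token
lex_word(const char *buf, char **strp, int fixed)
{
	enum token token;

	*strp = NULL;
	token = lookup(buf);
	if (!fixed || token == STRING) {
		if ((*strp = strdup(buf)) == NULL) {
			perror("strdup");
			exit(1);
		}
		live_strings++;
	}
	return (token);
}

/* What the STRING grammar rule does with its value once consumed. */
void
free_token_string(char *s)
{
	if (s != NULL) {
		free(s);
		live_strings--;
	}
}

long
live_token_strings(void)
{
	return (live_strings);
}

/* Lex a constructed config line the way the parser would consume it and
 * return how many copies the grammar would never free (0 means no leak). */
long
lex_line(const char *line, int fixed)
{
	char *copy, *word, *s;
	long leaked = 0;

	if ((copy = strdup(line)) == NULL)
		return (-1);
	for (word = strtok(copy, " \t"); word != NULL;
	    word = strtok(NULL, " \t")) {
		if (lex_word(word, &s, fixed) == STRING)
			free_token_string(s);	/* STRING rule frees it */
		else if (s != NULL) {
			/* keyword rules never look at the value: lost copy */
			leaked++;
			free_token_string(s);	/* only to keep this example clean */
		}
	}
	free(copy);
	return (leaked);
}

int
main(void)
{
	/* constructed sample line: two keywords, two STRING values */
	const char *line = "neighbor 10.0.0.1 remote-as 65001";

	printf("lost copies before fix: %ld\n", lex_line(line, 0));
	printf("lost copies after fix:  %ld\n", lex_line(line, 1));
	return (0);
}
```

With the sample line, the old behaviour loses one copy per keyword (two here) while the fixed variant loses none; a parser that lexes a large config on every reload accumulates those copies, which is the "something leaking with token handling" that was noticed.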


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.440 24-Jan-2023 claudio

Implement filter and control message matching for ASPA.

This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similarly to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.

OK tb@


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filter rule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where the bgpd_config
structure is used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows one to
look up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc
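
Wire encoding for the extended communities this entry adds (RFC 4360, with the four-octet AS form from RFC 5668) and for the route distinguishers used by the rdomain configuration in rev. 1.254 above (RFC 4364), as an added Python example; it is not bgpd's parsecommunity() code. Choosing the encoding by the form of the key (2-byte AS, 4-byte AS or IPv4 address) is this example's own convention, and the perfect-match filter mirrors what rev. 1.249 says the matching can do.

```python
"""Encode 'subtype key:value' extended communities and 'rd key:value'
route distinguishers into their 8-byte wire form, and do the perfect-match
comparison that ext-community filtering is limited to.

Added example, not bgpd code. Selecting the type by the form of the key
is an assumption of this example."""
import ipaddress
import struct

# RFC 4360 high-order type octets (transitive) and the two subtypes used here
EXT_TYPE_AS2 = 0x00    # two-octet AS specific
EXT_TYPE_IPV4 = 0x01   # IPv4 address specific
EXT_TYPE_AS4 = 0x02    # four-octet AS specific (RFC 5668)
SUBTYPE_RT = 0x02      # route target
SUBTYPE_SOO = 0x03     # route origin


def _check(value, limit, what):
    if not 0 <= value <= limit:
        raise ValueError(f"{what} {value} out of range 0..{limit}")


def encode_ext_community(subtype, key, value):
    """Encode 'subtype key:value' into its 8-byte form (type, subtype, value)."""
    key = str(key)
    if "." in key:                       # IPv4 address specific: 4-byte addr + 2-byte local
        _check(value, 0xFFFF, "local admin")
        return struct.pack("!BBIH", EXT_TYPE_IPV4, subtype,
                           int(ipaddress.IPv4Address(key)), value)
    asn = int(key)
    if asn <= 0xFFFF:                    # two-octet AS: 2-byte AS + 4-byte local
        _check(value, 0xFFFFFFFF, "local admin")
        return struct.pack("!BBHI", EXT_TYPE_AS2, subtype, asn, value)
    _check(asn, 0xFFFFFFFF, "AS")        # four-octet AS: 4-byte AS + 2-byte local
    _check(value, 0xFFFF, "local admin")
    return struct.pack("!BBIH", EXT_TYPE_AS4, subtype, asn, value)


def encode_rd(key, value):
    """Encode an 'rd key:value' route distinguisher (RFC 4364 types 0, 1, 2)."""
    key = str(key)
    if "." in key:                       # type 1: IPv4 address + 2-byte number
        _check(value, 0xFFFF, "assigned number")
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(key)), value)
    asn = int(key)
    if asn <= 0xFFFF:                    # type 0: 2-byte AS + 4-byte number
        _check(value, 0xFFFFFFFF, "assigned number")
        return struct.pack("!HHI", 0, asn, value)
    _check(asn, 0xFFFFFFFF, "AS")        # type 2: 4-byte AS + 2-byte number
    _check(value, 0xFFFF, "assigned number")
    return struct.pack("!HIH", 2, asn, value)


def ext_community_matches(attr, subtype, key, value):
    """Perfect match of one configured community against the attribute's
    list of 8-byte values; no wildcards, as the filter code of the time."""
    return encode_ext_community(subtype, key, value) in attr


def import_targets_match(route_targets, import_targets):
    """VRF import decision: the route carries at least one configured
    import-target (both sides given as 8-byte values)."""
    return any(rt in route_targets for rt in import_targets)


if __name__ == "__main__":
    # Values from the rdomain example in rev. 1.254 above
    print(encode_rd(65003, 1).hex(), encode_ext_community(SUBTYPE_RT, 65003, 3).hex())
```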


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@
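
The inflate/deflate step this entry describes, as an added Python illustration (not the RDE's code): on a session without the 4-byte AS capability every 4-byte AS is replaced by AS_TRANS in AS_PATH and the real numbers travel in AS4_PATH (the NEW_ASPATH of the message above), with the same treatment for AGGREGATOR. Paths are flat AS_SEQUENCEs with no AS_SET segments, and the sample values are constructed; both are assumptions of the example.

```python
"""Deflate a 4-byte AS path for a 2-byte-only peer and inflate it again on
receipt, following the AS4_PATH (NEW_ASPATH) rules of RFC 4893.

Added example, not bgpd's RDE code. AS_SEQUENCE only; AS_SET segments are
not modelled (assumption)."""

AS_TRANS = 23456      # RFC 4893 placeholder for a 4-byte AS on a 2-byte session
AS2_MAX = 0xFFFF


def needs_4byte(path):
    """True when at least one AS in the path does not fit in 2 bytes."""
    return any(asn > AS2_MAX for asn in path)


def deflate_as_path(path):
    """Outbound to a 2-byte-only peer: returns (AS_PATH, AS4_PATH). AS4_PATH
    is None when every AS fits in 2 bytes and the attribute is not needed."""
    if not needs_4byte(path):
        return list(path), None
    return [AS_TRANS if asn > AS2_MAX else asn for asn in path], list(path)


def inflate_as_path(as_path, as4_path):
    """Inbound from a 2-byte-only peer: merge AS4_PATH back in. When AS4_PATH
    is longer than AS_PATH the two are inconsistent and AS4_PATH is ignored,
    as RFC 4893 directs; otherwise the last len(AS4_PATH) hops of AS_PATH,
    the ones that went through the AS_TRANS substitution, are replaced."""
    as_path = list(as_path)
    if as4_path is None or len(as4_path) > len(as_path):
        return as_path
    return as_path[: len(as_path) - len(as4_path)] + list(as4_path)


def deflate_aggregator(asn, address):
    """AGGREGATOR gets AS_TRANS and NEW_AGGREGATOR carries the real AS when the
    aggregating AS is a 4-byte one; otherwise no NEW_AGGREGATOR is sent."""
    if asn > AS2_MAX:
        return (AS_TRANS, address), (asn, address)
    return (asn, address), None


if __name__ == "__main__":
    # Constructed path: a 2-byte AS, a 4-byte AS, a 2-byte AS
    as_path, as4_path = deflate_as_path([64496, 4200000000, 64498])
    print(as_path, as4_path)
    # A 2-byte speaker prepends itself, then hands the route back to us
    print(inflate_as_path([65000] + as_path, as4_path))
```

The prepend case in the usage lines is the one that shows why the merge works from the tail: the intermediate 2-byte speaker only ever adds hops at the front and leaves AS4_PATH untouched.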


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16-byte memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.439 20-Jan-2023 claudio

Document the aspa-set table. While there remove the superfluous 'allow'
keyword.
OK tb@


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and the flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
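The byte-order problem this entry describes, as an added C example that is not bgpd's own code: a constructed three-integer struct is sorted once with memcmp() and once with a field-by-field comparator, and the two orders differ on little-endian hosts.

```c
/*
 * Constructed example, not bgpd code: the struct and the sample values are
 * made up. It shows why sorting a struct of integers with memcmp(3) gives
 * a byte-order dependent result while comparing the fields does not.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a community entry: three host-order integers. */
struct comm {
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

/* The old way: compares the bytes in memory, so the order follows byte order. */
static int
comm_cmp_memcmp(const void *a, const void *b)
{
	return (memcmp(a, b, sizeof(struct comm)));
}

/* The 1.415 way: compare each integer field in native byte order. */
static int
comm_cmp_fields(const void *a, const void *b)
{
	const struct comm *x = a, *y = b;

	if (x->data1 != y->data1)
		return (x->data1 < y->data1 ? -1 : 1);
	if (x->data2 != y->data2)
		return (x->data2 < y->data2 ? -1 : 1);
	if (x->data3 != y->data3)
		return (x->data3 < y->data3 ? -1 : 1);
	return (0);
}

/* Runtime byte-order probe: the first byte of a uint32_t 1 is 1 on LE hosts. */
int
host_is_little_endian(void)
{
	uint32_t probe = 1;
	unsigned char first;

	memcpy(&first, &probe, 1);
	return (first == 1);
}

/*
 * Sort a constructed set of three entries and return data1 of the one that
 * ends up first. With field comparison that is always 1. With memcmp it is
 * 256 on little-endian hosts, because the bytes 00 01 00 00 (256) sort
 * before 01 00 00 00 (1), and 1 on big-endian hosts.
 */
uint32_t
first_after_sort(int use_fields)
{
	struct comm set[3];

	memset(set, 0, sizeof(set));	/* no padding here, but be explicit */
	set[0].data1 = 65000; set[0].data2 = 1;
	set[1].data1 = 1;     set[1].data2 = 1;
	set[2].data1 = 256;   set[2].data2 = 1;

	qsort(set, 3, sizeof(set[0]),
	    use_fields ? comm_cmp_fields : comm_cmp_memcmp);
	return (set[0].data1);
}
```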


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer (felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces and add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64(), which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon AS'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one, or we'd have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected or all static routes, respectively. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.438 04-Jan-2023 claudio

Add a per eBGP session role to the config.

This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
    roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
    }
    deny from any ovs invalid
    match from any ovs valid set community local-as:42
    match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
    match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend the check for
AS 0 and adjust the yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
    roa-set "test2" {
        1.2.3.0/24 source-as 1,
        1.2.8.0/22 maxlen 24 source-as 3
    }
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
    prefix 10.0.0.0/8 prefixlen 8 - 24
    prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
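The three ovs states introduced in 1.361 (valid, invalid, not-found) and the maxlen semantics described in 1.351 are worked through below in Python. This is an added illustration following RFC 6811, not bgpd's own code: the roa-set text is the one quoted in the 1.361 commit message, the routes fed to validate() are constructed test input, and the Roa/parse_roa_set/validate names are this example's own.

```python
"""Origin validation (RFC 6811) over bgpd-style roa-set entries.

Added illustration, not bgpd's code. ROA_SET_TEXT is the roa-set from the
1.361 commit message; the routes checked in validate() are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The roa-set from the 1.361 commit message, in bgpd.conf syntax.
ROA_SET_TEXT = """
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
"""


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    source_as: int


def parse_roa_set(text: str) -> list[Roa]:
    """Parse items of the form '<prefix> [maxlen N] source-as ASN' (trailing comma allowed).

    A missing maxlen means the ROA covers exactly its own prefix length, so
    'P/N maxlen M' describes the same prefixlen range as 'P/N prefixlen N - M'.
    """
    roas: list[Roa] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if not line:
            continue
        tok = line.split()
        net = ipaddress.ip_network(tok[0], strict=True)  # rejects host bits set
        maxlen, source_as = net.prefixlen, None
        i = 1
        while i < len(tok):
            if tok[i] == "maxlen" and i + 1 < len(tok):
                maxlen = int(tok[i + 1])
            elif tok[i] == "source-as" and i + 1 < len(tok):
                source_as = int(tok[i + 1])
            else:
                raise ValueError(f"unexpected token {tok[i]!r} in {line!r}")
            i += 2
        if source_as is None:
            raise ValueError(f"missing source-as in {line!r}")
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        roas.append(Roa(net, maxlen, source_as))
    return roas


def validate(roas: list[Roa], prefix: str, origin_as: int) -> str:
    """Return the ovs state a filter rule would test: 'valid', 'invalid' or 'not-found'.

    RFC 6811: a ROA *covers* the route when the ROA prefix contains the route
    prefix; it *matches* when it also covers the route length (maxlen) and the
    origin AS equals the ROA AS. Covered by some ROA but matched by none is
    invalid; covered by none is not-found.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        # AS 0 as origin is always invalid (RFC 7607, see 1.301), so a ROA for
        # AS 0 never makes anything it covers valid.
        if origin_as != 0 and route.prefixlen <= roa.maxlen and origin_as == roa.source_as:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    roas = parse_roa_set(ROA_SET_TEXT)
    for pfx, asn in [("193.0.4.0/24", 3333), ("193.0.4.0/25", 3333),
                     ("193.0.0.0/21", 65000), ("10.0.0.0/8", 64496)]:
        print(f"{pfx:16} AS{asn:<6} -> {validate(roas, pfx, asn)}")
```

The /25 case is the one worth noticing: it lies inside 193.0.0.0/21 and carries the right origin, but it exceeds maxlen 24, so it is covered yet unmatched and comes out invalid, which is exactly the more-specific hijack a `deny from any ovs invalid` rule is there to stop.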


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
    deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

dont let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"
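The parser entries 1.329 (one getcommunity() for standard and large communities with a large flag), 1.331 (the maximum passed to the number conversion must be the per-type one or the range check is useless) and 1.295 (a plain u_int cannot carry both any 32-bit ASN and the magic values for '*' and neighbor-as) describe the same small parser. The Python below is an added illustration of those three points, not bgpd's code: it takes the bgpd.conf forms `a:b`, `a:b:c` and the well-known names, and keeps `*`, `neighbor-as` and `local-as` as an enum rather than as reserved integers, so they cannot collide with a real AS number. The Special, WELL_KNOWN, parse_community and community_matches names are this example's own.

```python
"""Community parsing with explicit placeholders instead of integer magic values.

Added illustration, not bgpd's parser. Standard communities are 'a:b' with
16-bit fields, large communities 'a:b:c' with 32-bit fields; '*',
'neighbor-as' and 'local-as' are represented by a Special enum member, so
no valid 32-bit AS number can collide with them (the 1.295 problem).
"""
from enum import Enum


class Special(Enum):
    ANY = "*"
    NEIGHBOR_AS = "neighbor-as"
    LOCAL_AS = "local-as"


# Well-known standard communities accepted by name (values from the RFCs).
WELL_KNOWN = {
    "GRACEFUL_SHUTDOWN": (65535, 0),        # RFC 8326
    "BLACKHOLE": (65535, 666),              # RFC 7999
    "NO_EXPORT": (65535, 65281),            # RFC 1997
    "NO_ADVERTISE": (65535, 65282),         # RFC 1997
    "NO_EXPORT_SUBCONFED": (65535, 65283),  # RFC 1997
    "NOPEER": (65535, 65284),               # RFC 3765
}


def _field(tok: str, maxval: int):
    """One colon-separated field: a placeholder, or a decimal number <= maxval."""
    try:
        return Special(tok)
    except ValueError:
        pass
    if not (tok.isascii() and tok.isdigit()):  # rejects '', '-1', '+5', '1_0'
        raise ValueError(f"bad community field {tok!r}")
    n = int(tok)
    if n > maxval:  # the 1.331 fix: the limit is the per-type maximum, not UINT_MAX
        raise ValueError(f"community field {n} exceeds {maxval}")
    return n


def parse_community(text: str, large: bool = False) -> tuple:
    """'65000:100' -> (65000, 100);
    'neighbor-as:*:*' with large=True -> (Special.NEIGHBOR_AS, Special.ANY, Special.ANY)."""
    if not large and text in WELL_KNOWN:
        return WELL_KNOWN[text]
    nfields, maxval = (3, 0xFFFFFFFF) if large else (2, 0xFFFF)
    parts = text.split(":")
    if len(parts) != nfields:
        raise ValueError(f"expected {nfields} fields in {text!r}")
    return tuple(_field(p, maxval) for p in parts)


def community_matches(pattern: tuple, community: tuple,
                      neighbor_as: int, local_as: int) -> bool:
    """Does a community carried on a route match a filter pattern?

    Placeholders are resolved per session: '*' matches anything, neighbor-as
    and local-as are substituted with the session's AS numbers and compared.
    """
    if len(pattern) != len(community):
        return False
    for want, have in zip(pattern, community):
        if want is Special.ANY:
            continue
        if want is Special.NEIGHBOR_AS:
            want = neighbor_as
        elif want is Special.LOCAL_AS:
            want = local_as
        if want != have:
            return False
    return True


if __name__ == "__main__":
    pat = parse_community("neighbor-as:*:*", large=True)
    print(pat, community_matches(pat, (64496, 7, 9), neighbor_as=64496, local_as=64500))
```

Because the placeholder is a distinct type, `"4294967295:1:1"` with large=True parses to a plain number while `"neighbor-as:1:1"` does not, which is the distinction a single unsigned integer field could not express once 32-bit ASNs use the whole range.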


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
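The max-as-len and max-as-seq checks from 1.255 and the as-path operators =, !=, - and >< from 1.287 are small enough to evaluate in a few lines, so here they are in Python as an added illustration, not bgpd's rde_filter code. The position semantics are my reading of bgpd.conf(5) and are an assumption of this example: `AS` looks at every AS in the path, `peer-as` at the leftmost, `source-as` at the rightmost and `transit-as` at every AS except the rightmost; a rule matches when any AS in the selected positions satisfies the operator. Paths are flat lists (AS_SET segments are not modelled), SAMPLE_PATH is constructed, and the function names are this example's own.

```python
"""AS-path filter evaluation: the operators from 1.287 and the
max-as-len / max-as-seq checks from 1.255.

Added illustration, not bgpd's rde_filter code. Position semantics follow
bgpd.conf(5) as I read it (an assumption): 'AS' selects every AS in the
path, 'peer-as' the leftmost, 'source-as' the rightmost, 'transit-as' all
but the rightmost. Paths are flat lists of AS numbers; AS_SET segments are
ignored. SAMPLE_PATH is constructed test input.
"""
from typing import Optional, Sequence


def max_as_seq(path: Sequence[int]) -> int:
    """Longest run of the same AS number in a row, i.e. the prepend depth."""
    best = run = 0
    prev: Optional[int] = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def match_max_as_len(path: Sequence[int], limit: int) -> bool:
    """max-as-len LIMIT: the rule applies when the path is longer than LIMIT."""
    return len(path) > limit


def match_max_as_seq(path: Sequence[int], limit: int) -> bool:
    """max-as-seq LIMIT: the rule applies when some AS repeats more than LIMIT times in a row."""
    return max_as_seq(path) > limit


def as_op(asn: int, op: str, lo: int, hi: Optional[int] = None) -> bool:
    """Apply one as-path operator: '=', '!=', '-' (inclusive range), '><' (exclusive range)."""
    if op == "=":
        return asn == lo
    if op == "!=":
        return asn != lo
    if hi is None:
        raise ValueError(f"operator {op!r} needs an upper bound")
    if op == "-":
        return lo <= asn <= hi
    if op == "><":
        return lo < asn < hi
    raise ValueError(f"unknown operator {op!r}")


def match_as(path: Sequence[int], kind: str, op: str, lo: int,
             hi: Optional[int] = None) -> bool:
    """Evaluate 'KIND OP LO [HI]' (e.g. source-as = 13335, AS 64512 - 65534).

    The rule matches if any AS in the positions KIND selects satisfies the
    operator; note this makes 'AS != X' match any path that contains some
    AS other than X.
    """
    if not path:
        return False
    if kind == "AS":
        cands = path
    elif kind == "peer-as":
        cands = path[:1]
    elif kind == "source-as":
        cands = path[-1:]
    elif kind == "transit-as":
        cands = path[:-1]
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return any(as_op(a, op, lo, hi) for a in cands)


# Constructed example: the peer prepended itself three times, then a transit, then the origin.
SAMPLE_PATH = [64496, 64496, 64496, 3356, 13335]

if __name__ == "__main__":
    print("max-as-seq:", max_as_seq(SAMPLE_PATH))
    print("deny from any max-as-seq 2 ->", match_max_as_seq(SAMPLE_PATH, 2))
    print("source-as = 13335 ->", match_as(SAMPLE_PATH, "source-as", "=", 13335))
    print("transit-as = 13335 ->", match_as(SAMPLE_PATH, "transit-as", "=", 13335))
```

The `!=` behaviour spelled out in match_as is the part operators trip over: a rule written to exclude one AS only does what was intended when it is bound to a single position such as source-as or peer-as.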


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either, but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
    announce refresh yes # was already on by default
    announce restart no
    announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.437 18-Nov-2022 claudio

Add plumbing for ASPA support. This implements the parser and part of the
logic in the rtr process. It does not implement the new RTR messages yet
but it is possible to specify an aspa-set in the config. Also the validation
code in the RDE is missing so this does not do anything.
With this in it will be possible to extend rpki-client to publish an
aspa-set as part of the openbgpd config file.
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and the flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localpref 100 } was a valid
syntax but the result was a route label with name "foo localpref 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer a little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.436 21-Sep-2022 claudio

The values for fib_priority are OS dependent. To help portability move
the RTP_BGP and similar defines all into kroute.c and export them via
kr_default_prio() and kr_check_prio().
OK tb@


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@
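
The expansion and name-validation rules described in this entry and the "undefined variable is an error" behaviour from 1.429, written out as an added example. This is illustration code, not bgpd's parse.y: the macro table is constructed, the name length limit MACRO_NAME_MAX is an assumed value, and treating an unterminated quote as an error is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum macro name length; an assumed limit, not the value bgpd uses. */
#define MACRO_NAME_MAX	64

struct macro {
	const char	*name;
	const char	*value;
};

/* Constructed macro table standing in for the parser's symbol list. */
static const struct macro macros[] = {
	{ "FOO",	"65001" },
	{ "BAR",	"100" },
	{ "peer_v4",	"192.0.2.1" },
};

/* Characters that may appear in a macro name: alphanumerics and '_'. */
static int
macro_char(int c)
{
	return isalnum(c) || c == '_';
}

/*
 * Checks a name given to a "$name = value" statement: non-empty, within
 * the length limit and built only from macro characters.
 */
int
macro_name_valid(const char *name)
{
	size_t len = strlen(name);

	if (len == 0 || len > MACRO_NAME_MAX)
		return 0;
	for (; *name != '\0'; name++)
		if (!macro_char((unsigned char)*name))
			return 0;
	return 1;
}

static const char *
macro_lookup(const char *name, size_t len)
{
	size_t i;

	for (i = 0; i < sizeof(macros) / sizeof(macros[0]); i++)
		if (strlen(macros[i].name) == len &&
		    strncmp(macros[i].name, name, len) == 0)
			return macros[i].value;
	return NULL;
}

/*
 * Expand every $name in src into dst. A name ends at the first character
 * that is not a macro character, so "$FOO:$BAR" expands both macros.
 * Text inside single or double quotes is copied unchanged. Returns 0 on
 * success and -1 for an unknown or over-long name, an unterminated quote
 * (assumed to be an error) or insufficient room in dst.
 */
int
expand_macros(const char *src, char *dst, size_t dstsz)
{
	size_t o = 0;
	char quote = '\0';

	while (*src != '\0') {
		if (quote == '\0' && *src == '$') {
			const char *name = src + 1, *val;
			size_t len = 0, vlen;

			while (macro_char((unsigned char)name[len]))
				len++;
			if (len == 0 || len > MACRO_NAME_MAX)
				return -1;
			if ((val = macro_lookup(name, len)) == NULL)
				return -1;	/* undefined variable is fatal */
			vlen = strlen(val);
			if (o + vlen >= dstsz)
				return -1;
			memcpy(dst + o, val, vlen);
			o += vlen;
			src = name + len;
			continue;
		}
		if (quote != '\0') {
			if (*src == quote)
				quote = '\0';
		} else if (*src == '\'' || *src == '"')
			quote = *src;
		if (o + 1 >= dstsz)
			return -1;
		dst[o++] = *src++;
	}
	if (quote != '\0')
		return -1;
	dst[o] = '\0';
	return 0;
}

int
main(void)
{
	char buf[128];

	if (expand_macros("neighbor $peer_v4 { remote-as $FOO }", buf,
	    sizeof(buf)) == 0)
		printf("%s\n", buf);
	return 0;
}
```

Note that "$FOOX" is a lookup of the name FOOX, not FOO followed by X; that is the consequence of the "next character must not be a macro character" rule, and with this table it is reported as an undefined variable rather than silently expanded.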


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
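
The ordering problem this entry fixes, as an added example (not bgpd code). The struct is a constructed stand-in with three uint32_t fields; comm_cmp() is the portable field-wise comparison, and comm_memcmp_on() shows what memcmp(3) over the raw bytes would decide on a big- or little-endian host, so the divergence can be observed on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a community entry. Only fixed-width unsigned
 * fields, so there is no padding to worry about; endianness is the issue.
 */
struct comm {
	uint32_t	flags;
	uint32_t	data1;
	uint32_t	data2;
};

/* Field-wise comparison in native byte order: the portable sort key. */
int
comm_cmp(const struct comm *a, const struct comm *b)
{
	if (a->flags != b->flags)
		return a->flags < b->flags ? -1 : 1;
	if (a->data1 != b->data1)
		return a->data1 < b->data1 ? -1 : 1;
	if (a->data2 != b->data2)
		return a->data2 < b->data2 ? -1 : 1;
	return 0;
}

/* Serialise the struct as it would sit in memory on the given endianness. */
static void
comm_bytes(const struct comm *c, int bigendian, unsigned char out[12])
{
	const uint32_t v[3] = { c->flags, c->data1, c->data2 };
	int i, j;

	for (i = 0; i < 3; i++)
		for (j = 0; j < 4; j++)
			out[i * 4 + j] = bigendian ?
			    (v[i] >> (8 * (3 - j))) & 0xff :
			    (v[i] >> (8 * j)) & 0xff;
}

/*
 * What memcmp(3) on the raw struct decides on a big-endian (bigendian != 0)
 * or little-endian host. The result is normalised to -1, 0 or 1.
 */
int
comm_memcmp_on(const struct comm *a, const struct comm *b, int bigendian)
{
	unsigned char ba[12], bb[12];
	int r;

	comm_bytes(a, bigendian, ba);
	comm_bytes(b, bigendian, bb);
	r = memcmp(ba, bb, sizeof(ba));
	return (r > 0) - (r < 0);
}

int
main(void)
{
	/* Constructed sample: data1 of 1 versus 256. */
	struct comm a = { 0, 1, 0 }, b = { 0, 256, 0 };

	printf("fields: %d  memcmp/BE: %d  memcmp/LE: %d\n",
	    comm_cmp(&a, &b), comm_memcmp_on(&a, &b, 1),
	    comm_memcmp_on(&a, &b, 0));
	return 0;
}
```

The field comparison and the big-endian memcmp agree, while the little-endian memcmp orders 256 before 1 because its low byte is 0x00; a sort keyed on memcmp therefore yields different output on the two architectures, which is exactly what the regress test caught.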


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
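
The validation states used by the filter rules above (valid, invalid, not-found) follow the RFC 6811 definitions, and the earlier 1.405 entry describes how duplicate prefix/source-as entries with different maxlen values are merged. Both are carried through in this added example; it is not bgpd code, uses the roa-set from this entry as constructed sample data, and keeps the table in a plain array rather than the RB tree or lookup trie bgpd uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROA_MAX	64	/* capacity of the toy table */

struct roa {
	uint32_t	prefix;		/* IPv4 prefix, host byte order */
	uint8_t		prefixlen;
	uint8_t		maxlen;		/* equals prefixlen when not given */
	uint32_t	source_as;
};

struct roa_set {
	struct roa	entries[ROA_MAX];
	size_t		n;
};

enum ovs { OVS_NOT_FOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

static uint32_t
ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

static uint32_t
netmask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffu << (32 - len);
}

/*
 * Add a ROA, merging as the 1.405 entry describes: the same
 * prefix/prefixlen/source-as keeps only the longest maxlen. Pass
 * maxlen == prefixlen when the config omits it. Returns -1 on an
 * inconsistent length or a full table.
 */
int
roa_set_add(struct roa_set *set, uint32_t prefix, uint8_t prefixlen,
    uint8_t maxlen, uint32_t source_as)
{
	size_t i;

	if (prefixlen > 32 || maxlen < prefixlen || maxlen > 32)
		return -1;
	prefix &= netmask(prefixlen);

	for (i = 0; i < set->n; i++) {
		struct roa *r = &set->entries[i];

		if (r->prefix == prefix && r->prefixlen == prefixlen &&
		    r->source_as == source_as) {
			if (maxlen > r->maxlen)
				r->maxlen = maxlen;
			return 0;
		}
	}
	if (set->n == ROA_MAX)
		return -1;
	set->entries[set->n++] =
	    (struct roa){ prefix, prefixlen, maxlen, source_as };
	return 0;
}

/*
 * RFC 6811 origin validation. A ROA covers a route when the route lies
 * inside the ROA prefix (route length >= ROA prefixlen). No covering ROA
 * gives not-found; a covering ROA with matching source-as whose maxlen is
 * not exceeded gives valid; covering ROAs that all fail give invalid.
 */
enum ovs
roa_validate(const struct roa_set *set, uint32_t prefix, uint8_t len,
    uint32_t source_as)
{
	size_t i;
	int covered = 0;

	for (i = 0; i < set->n; i++) {
		const struct roa *r = &set->entries[i];

		if (len < r->prefixlen ||
		    (prefix & netmask(r->prefixlen)) != r->prefix)
			continue;
		covered = 1;
		if (r->source_as == source_as && len <= r->maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/* The roa-set from this log entry, used here as constructed sample data. */
void
sample_roa_set(struct roa_set *set)
{
	memset(set, 0, sizeof(*set));
	roa_set_add(set, ip4(165, 254, 255, 0), 24, 24, 15562);
	roa_set_add(set, ip4(193, 0, 0, 0), 21, 24, 3333);
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };
	struct roa_set set;

	sample_roa_set(&set);
	printf("193.0.2.0/24 AS3333: %s\n",
	    names[roa_validate(&set, ip4(193, 0, 2, 0), 24, 3333)]);
	printf("193.0.0.0/25 AS3333: %s\n",
	    names[roa_validate(&set, ip4(193, 0, 0, 0), 25, 3333)]);
	printf("10.0.0.0/8 AS64500: %s\n",
	    names[roa_validate(&set, ip4(10, 0, 0, 0), 8, 64500)]);
	return 0;
}
```

The distinction that matters operationally is between invalid and not-found: a more specific announcement of 193.0.0.0/25 from the correct AS is invalid because it exceeds maxlen, whereas a prefix no ROA covers is merely not-found, which is why the rules in the entry treat the two states differently.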


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those to
changes to print them nicely.
OK phessler@
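An added example (C, not bgpd's own code) of the normalisation this entry and the 1.333 entry further down describe: every prefixlen operator, maxlen and or-longer collapse into one [len_min, len_max] range, which is then matched against a route and printed back in its shortest equivalent form. The operator semantics and all names (prefix_rule, prefix_rule_init, PL_* and so on) are assumptions for illustration, not identifiers from parse.y.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
/*
 * Added example, not bgpd code: fold each prefixlen spelling into one
 * [len_min, len_max] range (what OP_RANGE carries), match a route against
 * it and print the shortest equivalent form. IPv4 only; names are assumed.
 */
enum plen_op {
	PL_NONE,	/* no prefixlen clause: exact prefix only */
	PL_EQ, PL_LE, PL_LT, PL_GE, PL_GT,
	PL_RANGE,	/* prefixlen A - B */
	PL_MAXLEN,	/* maxlen N, as in a ROA entry */
	PL_ORLONGER	/* or-longer */
};

struct prefix_rule {
	uint32_t addr;		/* host byte order, masked to len bits */
	uint8_t len;		/* configured prefix length */
	uint8_t len_min;	/* normalised range lower bound */
	uint8_t len_max;	/* normalised range upper bound */
};

static uint32_t
prefix_mask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

/* Build a rule from "prefix <prefix>/len <op> a [b]"; 0 on success,
 * -1 for an empty or out-of-bounds range (a configuration error). */
int
prefix_rule_init(struct prefix_rule *r, const char *prefix, uint8_t len,
    enum plen_op op, int a, int b)
{
	struct in_addr in;
	int lo, hi;

	if (len > 32 || inet_pton(AF_INET, prefix, &in) != 1)
		return -1;
	r->addr = ntohl(in.s_addr) & prefix_mask(len);
	r->len = len;

	switch (op) {
	case PL_NONE:     lo = len;   hi = len;   break;
	case PL_EQ:       lo = a;     hi = a;     break;
	case PL_LE:       lo = len;   hi = a;     break;
	case PL_LT:       lo = len;   hi = a - 1; break;
	case PL_GE:       lo = a;     hi = 32;    break;
	case PL_GT:       lo = a + 1; hi = 32;    break;
	case PL_RANGE:    lo = a;     hi = b;     break;
	case PL_MAXLEN:   lo = len;   hi = a;     break;
	case PL_ORLONGER: lo = len;   hi = 32;    break;
	default:          return -1;
	}
	/* a route covered by the prefix is at least len bits long */
	if (lo < len || hi > 32 || lo > hi)
		return -1;
	r->len_min = (uint8_t)lo;
	r->len_max = (uint8_t)hi;
	return 0;
}

/* 1 if route/plen lies inside the rule's prefix and length range. */
int
prefix_rule_match(const struct prefix_rule *r, const char *route, uint8_t plen)
{
	struct in_addr in;

	if (plen > 32 || inet_pton(AF_INET, route, &in) != 1)
		return 0;
	if (plen < r->len_min || plen > r->len_max)
		return 0;
	return (ntohl(in.s_addr) & prefix_mask(r->len)) == r->addr;
}

/* Shortest spelling of the range, in the spirit of printconf.c. */
const char *
prefix_rule_str(const struct prefix_rule *r, char *buf, size_t sz)
{
	struct in_addr in = { .s_addr = htonl(r->addr) };
	char ip[INET_ADDRSTRLEN];

	inet_ntop(AF_INET, &in, ip, sizeof(ip));
	if (r->len_min == r->len && r->len_max == r->len)
		snprintf(buf, sz, "%s/%u", ip, r->len);
	else if (r->len_min == r->len && r->len_max == 32)
		snprintf(buf, sz, "%s/%u or-longer", ip, r->len);
	else if (r->len_min == r->len)
		snprintf(buf, sz, "%s/%u maxlen %u", ip, r->len, r->len_max);
	else if (r->len_min == r->len_max)
		snprintf(buf, sz, "%s/%u prefixlen = %u", ip, r->len, r->len_min);
	else
		snprintf(buf, sz, "%s/%u prefixlen %u - %u", ip, r->len,
		    r->len_min, r->len_max);
	return buf;
}
```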


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we'd have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.435 17-Aug-2022 claudio

Convert bzero() to memset(), bcmp() to memcmp() and bcopy() to memcpy().

The memory regions passed to memcpy() can not overlap so no need for memmove().
OK tb@ deraadt@


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify whether an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let the rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32-bit ASNs, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
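
The two matches described in this entry, as an added illustration rather than bgpd's own code: max-as-len compares the number of AS numbers in the path against the configured limit, max-as-seq looks for the longest run of one AS repeated back to back (a prepend) and compares that against the limit. The path is assumed to be a plain array of 4-byte AS numbers in leftmost-first order; the real RDE walks its own encoded aspath attribute, and the sample path is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed sample path, leftmost AS first: 65001 prepended three
 * times, then two more hops. Not taken from any real session.
 */
const uint32_t sample_path[] = { 65001, 65001, 65001, 64496, 64511 };
#define SAMPLE_PATH_LEN (sizeof(sample_path) / sizeof(sample_path[0]))

/* Length of the longest run of the same AS number in the path. */
size_t
aspath_longest_seq(const uint32_t *path, size_t pathlen)
{
	size_t i, run = 0, best = 0;

	for (i = 0; i < pathlen; i++) {
		/* extend the current run or start a new one */
		run = (i > 0 && path[i] == path[i - 1]) ? run + 1 : 1;
		if (run > best)
			best = run;
	}
	return best;
}

/* max-as-len N: matches when the path carries more than N AS numbers. */
bool
aspath_max_len_match(const uint32_t *path, size_t pathlen, size_t maxlen)
{
	(void)path;	/* only the length matters for this filter */
	return pathlen > maxlen;
}

/*
 * max-as-seq N: matches when some AS number is repeated more than N
 * times in a row anywhere in the path.
 */
bool
aspath_max_seq_match(const uint32_t *path, size_t pathlen, size_t maxseq)
{
	return aspath_longest_seq(path, pathlen) > maxseq;
}
```

With the sample path, "max-as-seq 2" matches (the run of 65001 is three long) while "max-as-seq 3" does not, and "max-as-len 4" matches the five-hop path while "max-as-len 5" does not.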


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
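
The quoted-string rules from this entry (1.211) and the embedded-NUL rejection from 1.275 above, shown together in one added example that is not bgpd's or pfctl's lexer: a backslash before a space or tab yields that blank, a backslash before a newline is a line continuation and is dropped, and a NUL byte inside the quotes is treated as an error instead of silently ending the string. The input is passed with an explicit length so that a NUL can actually be seen. Treating a backslash before the closing quote as a literal quote, and keeping any other backslash sequence as-is, are this example's own choices, not something the log entries state.

```c
#include <stddef.h>
#include <string.h>

/* Output buffer shared by the calls below so the result can be inspected. */
char lex_out[256];

/*
 * Lex one double-quoted string. 'in' points at the opening quote and
 * 'inlen' bytes are available; the unescaped contents are written to
 * 'out' (NUL terminated, at most 'outlen' bytes).
 * Returns the number of input bytes consumed including both quotes, or
 * 0 on error: no opening quote, unterminated string, embedded NUL byte,
 * or output buffer too small.
 */
size_t
lex_quoted(const char *in, size_t inlen, char *out, size_t outlen)
{
	size_t i, o = 0;
	char c, next;

	if (inlen == 0 || in[0] != '"' || outlen == 0)
		return 0;

	for (i = 1; i < inlen; ) {
		c = in[i++];
		if (c == '\0')
			return 0;	/* embedded NUL: reject, do not truncate */
		if (c == '"') {
			out[o] = '\0';	/* closing quote */
			return i;
		}
		if (c == '\\') {
			if (i >= inlen)
				return 0;	/* backslash with nothing after it */
			next = in[i];
			if (next == '\n') {	/* line continuation: drop both */
				i++;
				continue;
			}
			if (next == ' ' || next == '\t' || next == '"') {
				c = next;	/* escaped blank or quote */
				i++;
			}
			/* any other sequence keeps the backslash literally */
		}
		if (o + 1 >= outlen)
			return 0;	/* no room for this byte plus the NUL */
		out[o++] = c;
	}
	return 0;	/* input ended before the closing quote */
}
```

The explicit length is the important part: a lexer that reads through a NUL-terminated buffer would stop at the embedded NUL and hand the parser a string that is shorter than what was read, which is the class of mismatch the pfctl crash in 1.275 came from.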


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.434 28-Jul-2022 deraadt

whitespace found during a read-thru; ok claudio


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up to and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up to but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries are allowing to define a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.433 21-Jul-2022 claudio

Relax the config of add-path send and rde evaluate all

add-path send is kind of like rde evaluate all (at least if plus is used)
and so it kind of implies 'rde evaluate all' in that case. Removing the
check in neighbor_consistent() allows to setup sessions so that 'either or'
are used. This makes sense since peers may opt out of add-path by disabling
the capability on their side.
Based on report from Pier Carlo Chiodi
OK tb@


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@
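As an added example, not bgpd's parser (which does this inside yylex()), the following C expander applies the rules described in the commit above: a $macro reference ends at the first character that is not alphanumeric or '_', references inside single- or double-quoted strings are left alone, an undefined macro is an error, and a name assigned with NAME=value must be non-empty, bounded in length and built only from allowed characters. The macro table, the length limit and the helper names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MACRO_NAME_MAX 64	/* assumed limit for the example, not bgpd's */

/* Constructed macro table standing in for the parser's symbol list. */
struct macro {
	const char *name;
	const char *value;
};

static const struct macro macros[] = {
	{ "FOO", "65001" },
	{ "BAR", "100" },
	{ NULL, NULL }
};

/* A macro name is built only from [A-Za-z0-9_]. */
static int
macro_char(unsigned char c)
{
	return isalnum(c) || c == '_';
}

static const char *
macro_lookup(const char *name, size_t len)
{
	const struct macro *m;

	for (m = macros; m->name != NULL; m++)
		if (strlen(m->name) == len && strncmp(m->name, name, len) == 0)
			return m->value;
	return NULL;
}

/* Check a name given to 'NAME=value': non-empty, bounded, allowed chars only. */
int
macro_name_valid(const char *name)
{
	size_t i, len = strlen(name);

	if (len == 0 || len >= MACRO_NAME_MAX)
		return 0;
	for (i = 0; i < len; i++)
		if (!macro_char((unsigned char)name[i]))
			return 0;
	return 1;
}

/*
 * Expand every $NAME in 'in' into 'out'. Quoted text is copied verbatim.
 * Returns 0 on success, -1 on an undefined or malformed macro or if
 * 'out' is too small.
 */
int
expand_macros(const char *in, char *out, size_t outlen)
{
	const char *p = in;
	size_t o = 0;
	char quote = '\0';

	while (*p != '\0') {
		if (quote == '\0' && *p == '$') {
			const char *start = p + 1, *end = start, *val;
			size_t len, vlen;

			/* the name runs up to the first non-macro character */
			while (macro_char((unsigned char)*end))
				end++;
			len = end - start;
			if (len == 0 || len >= MACRO_NAME_MAX)
				return -1;
			if ((val = macro_lookup(start, len)) == NULL)
				return -1;	/* undefined macro is an error */
			vlen = strlen(val);
			if (o + vlen >= outlen)
				return -1;
			memcpy(out + o, val, vlen);
			o += vlen;
			p = end;
			continue;
		}
		if (quote == '\0' && (*p == '\'' || *p == '"'))
			quote = *p;		/* entering a quoted string */
		else if (*p == quote)
			quote = '\0';		/* leaving it */
		if (o + 1 >= outlen)
			return -1;
		out[o++] = *p++;
	}
	out[o] = '\0';
	return 0;
}

/* Convenience check: does 'in' expand exactly to 'expected'? */
int
expands_to(const char *in, const char *expected)
{
	char buf[256];

	return expand_macros(in, buf, sizeof(buf)) == 0 &&
	    strcmp(buf, expected) == 0;
}

int
main(void)
{
	char buf[256];

	if (expand_macros("community $FOO:$BAR", buf, sizeof(buf)) == 0)
		printf("%s\n", buf);
	return 0;
}
```

Note that "$FOO_x" is read as one name FOO_x and fails as undefined rather than expanding FOO and appending "_x"; that is exactly why the commit requires the character after a macro name to be one that cannot be part of a name.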


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggreagte these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
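As an added example, not bgpd's RDE code (which loads the roa-set into a lookup trie), the following C program implements the origin validation that the 'ovs valid', 'ovs invalid' and 'ovs not-found' rules above act on, over a constructed roa-set: a route is valid when some entry covers its prefix with a matching source-as and a prefix length no longer than maxlen, invalid when entries cover it but none matches, and not-found when nothing covers it. It also merges duplicate prefix/source-as entries keeping the longest maxlen, the behaviour described for 1.405 earlier in this log. The IPv4-only fixed-size table, the 'maxlen 0 means no maxlen' convention and the helper names are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ovs { OVS_NOT_FOUND, OVS_INVALID, OVS_VALID };

/* One VRP: prefix/plen, the maxlen it covers, and the authorised origin AS. */
struct vrp {
	uint32_t	prefix;
	uint8_t		plen;
	uint8_t		maxlen;
	uint32_t	source_as;
};

#define MAX_VRPS 64	/* fixed table for the example only */
static struct vrp vrps[MAX_VRPS];
static size_t nvrps;

static uint32_t
ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	    ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t
plen_mask(uint8_t plen)
{
	return plen == 0 ? 0 : 0xffffffffU << (32 - plen);
}

void
roa_reset(void)
{
	nvrps = 0;
}

/*
 * Add an entry. maxlen 0 means "none given", i.e. maxlen == plen.
 * Duplicate prefix/source-as entries are merged, keeping the longest
 * maxlen since that VRP covers the others.
 */
int
roa_add(uint32_t prefix, uint8_t plen, uint8_t maxlen, uint32_t source_as)
{
	size_t i;

	if (maxlen == 0)
		maxlen = plen;
	if (plen > 32 || maxlen > 32 || maxlen < plen)
		return -1;
	prefix &= plen_mask(plen);
	for (i = 0; i < nvrps; i++) {
		struct vrp *v = &vrps[i];
		if (v->prefix == prefix && v->plen == plen &&
		    v->source_as == source_as) {
			if (maxlen > v->maxlen)
				v->maxlen = maxlen;
			return 0;
		}
	}
	if (nvrps == MAX_VRPS)
		return -1;
	vrps[nvrps].prefix = prefix;
	vrps[nvrps].plen = plen;
	vrps[nvrps].maxlen = maxlen;
	vrps[nvrps].source_as = source_as;
	nvrps++;
	return 0;
}

/* RFC 6811 route origin validation state for prefix/plen from origin_as. */
enum ovs
roa_validate(uint32_t prefix, uint8_t plen, uint32_t origin_as)
{
	size_t i;
	int covered = 0;

	for (i = 0; i < nvrps; i++) {
		const struct vrp *v = &vrps[i];
		if (plen < v->plen ||
		    (prefix & plen_mask(v->plen)) != v->prefix)
			continue;	/* this VRP does not cover the prefix */
		covered = 1;
		if (plen <= v->maxlen && v->source_as == origin_as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/*
 * Load the roa-set from the commit message above, plus a constructed
 * duplicate that differs only in maxlen to show the merge. Returns the
 * number of entries kept.
 */
size_t
roa_load_example(void)
{
	roa_reset();
	roa_add(ip4(165, 254, 255, 0), 24, 0, 15562);
	roa_add(ip4(193, 0, 0, 0), 21, 24, 3333);
	roa_add(ip4(193, 0, 0, 0), 21, 22, 3333);	/* merged into maxlen 24 */
	return nvrps;
}

int
main(void)
{
	static const char *names[] = { "not-found", "invalid", "valid" };

	roa_load_example();
	printf("193.0.2.0/23 AS3333: %s\n",
	    names[roa_validate(ip4(193, 0, 2, 0), 23, 3333)]);
	printf("193.0.2.0/25 AS3333: %s\n",
	    names[roa_validate(ip4(193, 0, 2, 0), 25, 3333)]);
	printf("10.0.0.0/8 AS65000: %s\n",
	    names[roa_validate(ip4(10, 0, 0, 0), 8, 65000)]);
	return 0;
}
```

The invalid case is the one the 'deny from any ovs invalid' rule above acts on: a more specific than maxlen, or a covered prefix from the wrong origin, is rejected, while a prefix no ROA covers at all only reaches the not-found rule.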


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exceptions are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@
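As an added example (not bgpd's parser code), here is how a metric argument with an optional '+' or '-' prefix can be classified as relative or absolute. The function names and the bounds, a signed 32-bit delta for the relative case and an unsigned 32-bit value for the absolute one, are my assumptions:

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added example (not bgpd's code): classify a metric argument such as
 * "100", "+20" or "-20". A leading '+' or '-' marks a relative adjustment.
 * Assumed bounds: absolute values must fit an unsigned 32-bit attribute,
 * relative ones a signed 32-bit delta.
 */
enum metric_kind { METRIC_BAD = -1, METRIC_ABSOLUTE = 0, METRIC_RELATIVE = 1 };

/* Parse s; on success store the value in *out and return its kind. */
enum metric_kind
parse_metric(const char *s, int64_t *out)
{
	char *end;
	long long v;
	int relative;

	if (s == NULL || *s == '\0')
		return METRIC_BAD;
	relative = (*s == '+' || *s == '-');
	/* the sign must be followed by a digit; an absolute value starts with one */
	if (!isdigit((unsigned char)s[relative ? 1 : 0]))
		return METRIC_BAD;

	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno != 0 || end == s || *end != '\0')
		return METRIC_BAD;	/* overflow, no digits or trailing junk */

	if (relative) {
		if (v < INT32_MIN || v > INT32_MAX)
			return METRIC_BAD;
	} else {
		if (v < 0 || v > UINT32_MAX)
			return METRIC_BAD;
	}
	*out = v;
	return relative ? METRIC_RELATIVE : METRIC_ABSOLUTE;
}

/* Wrappers so a caller can inspect kind and value separately. */
int
metric_kind_of(const char *s)
{
	int64_t v;

	return parse_metric(s, &v);
}

int64_t
metric_value_of(const char *s)
{
	int64_t v = 0;

	if (parse_metric(s, &v) == METRIC_BAD)
		return INT64_MIN;	/* sentinel for "not a valid metric" */
	return v;
}
```

The point of the two separate ranges is that a relative adjustment needs a sign while the attribute itself is unsigned, so the two cannot share one storage field or one bound check.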


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
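An added example of the secrecy check described here, written from the description and not copied from bgpd: the file is examined through its already opened descriptor (so the file checked is the file parsed), must be owned by root or the invoking user, and must carry no group or world permission bits. The function names and the temporary-file demo helper are my assumptions:

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* for mkstemp()/fchmod() prototypes on glibc */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Added example, not bgpd's own code: refuse a configuration file that
 * holds secrets (TCP MD5 keys, IPsec keys) unless it is owned by root or
 * the invoking user and is unreadable and unwritable by group and world.
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "%s: cannot stat\n", fname);
		return -1;
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return -1;
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		fprintf(stderr, "%s: group/world readable/writable\n", fname);
		return -1;
	}
	return 0;
}

/*
 * Demo helper (constructed): create a temporary file, give it the
 * requested mode and report what the check says. Returns 0 (accepted),
 * -1 (rejected) or -2 when the temporary file could not be set up.
 */
int
secrecy_demo(mode_t mode)
{
	char path[] = "/tmp/secrecy-demo.XXXXXX";
	int fd, rv;

	if ((fd = mkstemp(path)) == -1)
		return -2;
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return -2;
	}
	rv = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return rv;
}
```

Checking the descriptor with fstat() rather than the path with stat() avoids a window in which the path could be swapped between check and open.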


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs nor sync
to the kernel routing table.

not connected to the builds yet.


# 1.432 11-Jul-2022 claudio

Implement send side of RFC7911 ADD-PATH

This allows to send out more than one path per prefix to a neighbor that
supports add-path receive. OpenBGPD supports a few different modes to
select which paths to send:
- all: send all valid paths (the ones with a * in bgpctl output)
- best: send out only the single best path
- ecmp: send out paths that evaluate the same up and including
the nexthop metric
- as-wide-best: send out paths that evaluate the same up but not including
the nexthop metric
Currently ecmp and as-wide-best are the same. On top of this best, ecmp
and as-wide-best allow to include extra paths (e.g. best plus 2) and
for the multipath modes there is also a maximum (e.g. ecmp plus 2 max 4)

OK tb@


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
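An added example, not bgpd's code, of why a memcmp()-based sort of integer structs is endianness-dependent and what the field-wise comparison looks like. The four-field community layout and the sample values are constructed for illustration:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not bgpd's own code. A community entry is modelled as
 * four 32-bit integers (the layout is an assumption). Sorting such entries
 * with memcmp() orders them by their in-memory bytes, which on a
 * little-endian host is not numeric order; comparing the fields as
 * integers gives the same order on every architecture.
 */
struct community {
	uint32_t	flags;
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

static int
cmp_u32(uint32_t a, uint32_t b)
{
	return a < b ? -1 : a > b ? 1 : 0;
}

/* Endian-independent comparison: field by field, in native byte order. */
int
community_cmp(const void *va, const void *vb)
{
	const struct community *a = va, *b = vb;
	int r;

	if ((r = cmp_u32(a->flags, b->flags)) != 0)
		return r;
	if ((r = cmp_u32(a->data1, b->data1)) != 0)
		return r;
	if ((r = cmp_u32(a->data2, b->data2)) != 0)
		return r;
	return cmp_u32(a->data3, b->data3);
}

/* The byte-wise comparison the fix replaced, normalised to -1/0/1. */
int
community_memcmp(const void *va, const void *vb)
{
	int r = memcmp(va, vb, sizeof(struct community));

	return r < 0 ? -1 : r > 0 ? 1 : 0;
}

int
host_is_little_endian(void)
{
	uint32_t one = 1;
	unsigned char first;

	memcpy(&first, &one, 1);
	return first == 1;
}

/*
 * Constructed pair: a.flags = 256 (bytes 00 01 00 00 on little endian),
 * b.flags = 1 (bytes 01 00 00 00). Numerically a > b, but memcmp() on a
 * little-endian host looks at byte 0 first and reports a < b; on a
 * big-endian host the two comparisons agree.
 */
static const struct community sample_a = { 256, 0, 0, 0 };
static const struct community sample_b = { 1, 0, 0, 0 };

int
sample_field_order(void)
{
	return community_cmp(&sample_a, &sample_b);
}

int
sample_memcmp_order(void)
{
	return community_memcmp(&sample_a, &sample_b);
}

/* Sort a constructed set with the portable comparator; return flags of the first entry. */
uint32_t
sorted_first_flags(void)
{
	struct community set[3] = {
		{ 256, 0, 0, 0 }, { 1, 0, 0, 0 }, { 65536, 0, 0, 0 }
	};

	qsort(set, 3, sizeof(set[0]), community_cmp);
	return set[0].flags;
}
```

The practical consequence for a regress test like the one described is that any canonical ordering used to compare printed output must be defined on the integer values, not on their storage bytes.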


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows configuring both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok denis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flags is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
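
The RFC 7607 entry at the top of this section and the max-as-len / max-as-seq entry above both act on the decoded AS_PATH. The following is an added example, not bgpd's own code (bgpd keeps paths in its own struct aspath), showing how a 4-byte AS_PATH attribute value is walked so that AS 0 can be flagged and the two filters evaluated. Segment and hop-count rules follow RFC 4271, RFC 6793 and RFC 5065; the constructed sample attributes and the choice to let a prepend run continue across adjacent sequence segments are assumptions of the example.

```c
/*
 * Added example, not bgpd code: decode the value of a 4-byte AS_PATH
 * attribute (RFC 4271 segments carrying 4-octet ASNs, RFC 6793) and
 * derive what the log entries need from it: AS 0 anywhere in the path
 * (RFC 7607), the hop count that "max-as-len N" compares against
 * (matches when len > N) and the longest prepend run that
 * "max-as-seq N" compares against (matches when max_seq > N).
 * Hop counting follows RFC 4271 9.1.2.2 (an AS_SET is one hop) and
 * RFC 5065 (confederation segments are not counted); letting a run
 * continue across adjacent sequence segments is this example's choice.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AS_SET			1
#define AS_SEQUENCE		2
#define AS_CONFED_SEQUENCE	3
#define AS_CONFED_SET		4

struct aspath_info {
	int		error;		/* -1 if the attribute was malformed */
	uint32_t	len;		/* hop count for max-as-len */
	uint32_t	max_seq;	/* longest run of one AS for max-as-seq */
	int		has_as0;	/* 1 if AS 0 was seen (RFC 7607) */
};

static uint32_t
get_be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

struct aspath_info
aspath_inspect(const uint8_t *data, size_t datalen)
{
	struct aspath_info	info = { 0, 0, 0, 0 };
	size_t			off = 0;
	uint32_t		as, prev = 0, run = 0;
	uint8_t			seg_type, seg_len, i;

	while (off < datalen) {
		if (datalen - off < 2)
			goto bad;		/* truncated segment header */
		seg_type = data[off];
		seg_len = data[off + 1];
		off += 2;
		if (seg_type < AS_SET || seg_type > AS_CONFED_SET || seg_len == 0)
			goto bad;		/* unknown type or empty segment */
		if (datalen - off < (size_t)seg_len * 4)
			goto bad;		/* claims more ASes than are present */
		for (i = 0; i < seg_len; i++, off += 4) {
			as = get_be32(data + off);
			if (as == 0)
				info.has_as0 = 1;
			if (seg_type == AS_SEQUENCE ||
			    seg_type == AS_CONFED_SEQUENCE) {
				run = (run > 0 && as == prev) ? run + 1 : 1;
				prev = as;
				if (run > info.max_seq)
					info.max_seq = run;
			} else
				run = 0;	/* a set breaks any run */
		}
		if (seg_type == AS_SEQUENCE)
			info.len += seg_len;
		else if (seg_type == AS_SET)
			info.len += 1;
	}
	return info;
bad:
	info.error = -1;
	return info;
}

/* Constructed sample attribute values, not captured traffic. */
static const uint8_t sample_path[] = {
	AS_SEQUENCE, 5,			/* 65001 65001 65001 3 3 */
	0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0xfd, 0xe9,
	0x00, 0x00, 0x00, 0x03,  0x00, 0x00, 0x00, 0x03,
	AS_SET, 2,			/* { 10, 20 } */
	0x00, 0x00, 0x00, 0x0a,  0x00, 0x00, 0x00, 0x14,
};
static const uint8_t sample_as0[] = {
	AS_SEQUENCE, 2, 0x00, 0x00, 0xfd, 0xe9, 0x00, 0x00, 0x00, 0x00, /* 65001 0 */
};
static const uint8_t sample_short[] = {
	AS_SEQUENCE, 3, 0x00, 0x00, 0xfd, 0xe9,	/* claims 3 ASes, carries 1 */
};

int
main(void)
{
	struct aspath_info i = aspath_inspect(sample_path, sizeof(sample_path));

	printf("hops %u, longest run %u, as0 %d\n", i.len, i.max_seq, i.has_as0);
	printf("as0 path: %d, truncated path: %d\n",
	    aspath_inspect(sample_as0, sizeof(sample_as0)).has_as0,
	    aspath_inspect(sample_short, sizeof(sample_short)).error);
	return 0;
}
```

With the sample path, "max-as-len 5" matches (six hops, the AS_SET counting once) and "max-as-seq 2" matches (65001 appears three times in a row); the second sample must be treated as a withdraw under RFC 7607, and the truncated third sample is rejected before any filter sees it.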


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.
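
Revisions 1.206, 1.205 and 1.199 together fix the range the AS part of a community may take: 0 is allowed because it is in use, 65535 is refused because it is reserved for the well-known communities. The following is an added example, not bgpd's parsecommunity(), that applies those bounds to the AS:value form and maps the well-known names to their RFC 1997 and RFC 3765 values. The hand-rolled digit loop (bgpd uses strtonum(3), which not every libc has), the community_value() wrapper and the sample inputs are this example's own.

```c
/*
 * Added example, not bgpd's parsecommunity(): parse the "AS:value" form
 * of a classic community with the range rules stated in the log:
 *   - the AS part may be 0 (some IXes use it) but not 65535, which is
 *     reserved for well-known communities
 *   - the value part is 0..65535
 *   - the well-known names map to their RFC 1997 / RFC 3765 values
 * Digits are parsed by hand instead of with strtonum(3) so the example
 * also builds on systems without it.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMUNITY_WELLKNOWN	0xffff		/* AS 65535 is reserved */

static const struct {
	const char	*name;
	uint32_t	 value;
} wellknown[] = {
	{ "NO_EXPORT",		0xffffff01 },
	{ "NO_ADVERTISE",	0xffffff02 },
	{ "NO_EXPORT_SUBCONFED",0xffffff03 },
	{ "NO_PEER",		0xffffff04 },	/* RFC 3765 */
};

/*
 * Parse a decimal number from *sp, require it to be <= max and to be
 * followed by 'term'. Advances *sp past the terminator on success.
 */
static int
parse_num(const char **sp, char term, uint32_t max, uint32_t *out)
{
	const char	*s = *sp;
	uint64_t	 v = 0;

	if (!isdigit((unsigned char)*s))
		return -1;			/* empty or non-numeric field */
	while (isdigit((unsigned char)*s)) {
		v = v * 10 + (uint64_t)(*s++ - '0');
		if (v > max)
			return -1;		/* out of range; also stops overflow */
	}
	if (*s != term)
		return -1;			/* junk or missing separator */
	*sp = (term == '\0') ? s : s + 1;
	*out = (uint32_t)v;
	return 0;
}

/* Returns 0 and fills *out on success, -1 on a rejected community. */
int
parse_community(const char *s, uint32_t *out)
{
	uint32_t	as, val;
	size_t		i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			*out = wellknown[i].value;
			return 0;
		}
	if (parse_num(&s, ':', COMMUNITY_WELLKNOWN - 1, &as) == -1)
		return -1;			/* AS 65535 or garbage */
	if (parse_num(&s, '\0', 0xffff, &val) == -1)
		return -1;
	*out = as << 16 | val;
	return 0;
}

/* Convenience wrapper: the 32-bit community value, or -1 if rejected. */
int64_t
community_value(const char *s)
{
	uint32_t c;

	if (parse_community(s, &c) == -1)
		return -1;
	return c;
}

int
main(void)
{
	/* constructed inputs, including the rejected 65535 AS part */
	const char *samples[] = { "65001:100", "0:1", "65535:1",
	    "65001:65536", "NO_EXPORT", "1:2:3" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-12s -> %lld\n", samples[i],
		    (long long)community_value(samples[i]));
	return 0;
}
```

Checking the bound on every digit, rather than converting first and comparing afterwards, is what keeps a long run of digits from wrapping the accumulator; the same shape works for the 32-bit fields of large communities by raising max.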


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning
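
Revisions 1.275, 1.211 and 1.189 describe how the shared pfctl-derived lexer treats backslashes and why an embedded NUL inside a quoted string has to be rejected rather than silently truncating the token. As an added example, not the yylex() from parse.y, the function below reads one double-quoted string from an in-memory buffer with those rules; the struct lexbuf type, the lex_string_*() wrappers, the decision to keep a raw newline inside quotes and the constructed inputs are assumptions of the example.

```c
/*
 * Added example, not the pfctl-derived yylex(): read one double-quoted
 * string from an in-memory config buffer with the quoting rules noted
 * in the log:
 *   - "\<newline>" is a line continuation and is dropped
 *   - any other "\<char>" stands for <char>, so "\ " is a space and
 *     "\"" a literal quote
 *   - an embedded NUL byte is rejected instead of silently truncating
 *     the token, as is an unterminated string
 * Keeping (and counting) a raw newline inside the quotes is this
 * example's assumption, not something the log states.
 */
#include <stddef.h>
#include <string.h>

struct lexbuf {
	const char	*buf;		/* config text, may contain NUL bytes */
	size_t		 len;
	size_t		 pos;		/* next byte to read */
	int		 lineno;	/* for error messages, like file->lineno */
};

/*
 * Expects lb->pos at the opening quote. Copies the unescaped string to
 * out, NUL-terminates it and returns its length, or -1 on any error.
 */
int
lex_quoted(struct lexbuf *lb, char *out, size_t outsz)
{
	size_t	n = 0;
	char	c;

	if (lb->pos >= lb->len || lb->buf[lb->pos] != '"')
		return -1;
	lb->pos++;
	while (lb->pos < lb->len) {
		c = lb->buf[lb->pos++];
		if (c == '\0')
			return -1;		/* embedded nul is never valid */
		if (c == '\\') {
			if (lb->pos >= lb->len)
				return -1;	/* backslash at end of input */
			c = lb->buf[lb->pos++];
			if (c == '\n') {
				lb->lineno++;	/* line continuation */
				continue;
			}
			if (c == '\0')
				return -1;
		} else if (c == '"') {
			if (n >= outsz)
				return -1;
			out[n] = '\0';
			return (int)n;
		} else if (c == '\n')
			lb->lineno++;
		if (n + 1 >= outsz)
			return -1;		/* token too long for out */
		out[n++] = c;
	}
	return -1;				/* unterminated string */
}

/* Helpers over a byte string; inlen is explicit so NUL bytes count. */
int
lex_string_len(const char *in, size_t inlen)
{
	struct lexbuf	lb = { in, inlen, 0, 1 };
	char		out[256];

	return lex_quoted(&lb, out, sizeof(out));
}

int
lex_string_equals(const char *in, size_t inlen, const char *expect)
{
	struct lexbuf	lb = { in, inlen, 0, 1 };
	char		out[256];
	int		n = lex_quoted(&lb, out, sizeof(out));

	return n >= 0 && (size_t)n == strlen(expect) &&
	    memcmp(out, expect, (size_t)n) == 0;
}

/* Line number after the token (starting at 1), or -1 on error. */
int
lex_string_lines(const char *in, size_t inlen)
{
	struct lexbuf	lb = { in, inlen, 0, 1 };
	char		out[256];

	return lex_quoted(&lb, out, sizeof(out)) == -1 ? -1 : lb.lineno;
}
```

The point of passing an explicit length everywhere is that a C string API would have stopped at the embedded NUL and reported a short but "valid" token, which is exactly the class of bug the afl-found pfctl crash came from; here `lex_string_len("\"ab\0cd\"", 7)` is refused outright, while `lex_string_lines("\"ab\\\ncd\"", 8)` yields "abcd" on line 2.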


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
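
The strdup() leak described above, together with the sorted keyword table that rev 1.77 insists on, as an added C example that is not bgpd's code: lookup() bsearch()es a sorted keyword table and the word branch of the lexer allocates a heap copy only when the token really is STRING, so keyword tokens never own memory the grammar would have to free. The token values, the keyword list and the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token numbers are illustrative; the real ones are generated by yacc. */
enum { STRING = 258, ALLOW, DENY, NEIGHBOR, PREFIX, REMOTEAS };

struct keyword {
	const char	*k_name;
	int		 k_val;
};

/* Must stay sorted by name: lookup() bsearch()es it (the point of rev 1.77). */
static const struct keyword keywords[] = {
	{ "allow",	ALLOW },
	{ "deny",	DENY },
	{ "neighbor",	NEIGHBOR },
	{ "prefix",	PREFIX },
	{ "remote-as",	REMOTEAS },
};
#define NKEYWORDS (sizeof(keywords) / sizeof(keywords[0]))

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* Map a word to its keyword token, or STRING if it is not a keyword. */
int
lookup(const char *s)
{
	const struct keyword *p;

	p = bsearch(s, keywords, NKEYWORDS, sizeof(keywords[0]), kw_cmp);
	return p == NULL ? STRING : p->k_val;
}

/* Sanity check for the invariant bsearch() relies on. */
int
keywords_sorted(void)
{
	size_t i;

	for (i = 1; i < NKEYWORDS; i++)
		if (strcmp(keywords[i - 1].k_name, keywords[i].k_name) >= 0)
			return 0;
	return 1;
}

/*
 * Stand-in for the word branch of yylex(). Only a STRING token owns a
 * heap copy of the word; keyword tokens leave *strp NULL, so the grammar
 * has nothing to free for them and nothing can leak (the rev 1.71 fix).
 */
int
lex_word(const char *buf, char **strp)
{
	int token = lookup(buf);

	*strp = NULL;
	if (token == STRING && (*strp = strdup(buf)) == NULL) {
		perror("lex_word: strdup");
		exit(1);
	}
	return token;
}

/* Check helper: does lexing buf give token want_tok and string want_str? */
int
lex_check(const char *buf, int want_tok, const char *want_str)
{
	char	*s;
	int	 tok = lex_word(buf, &s);
	int	 ok = tok == want_tok && (want_str == NULL ? s == NULL :
		    (s != NULL && strcmp(s, want_str) == 0));

	free(s);	/* free(NULL) is a no-op */
	return ok;
}

int
main(void)
{
	const char	*words[] = { "neighbor", "192.0.2.1", "remote-as", "65000" };
	size_t		 i;

	for (i = 0; i < sizeof(words) / sizeof(words[0]); i++) {
		char	*s;
		int	 tok = lex_word(words[i], &s);

		printf("%-10s -> token %d%s\n", words[i], tok,
		    s != NULL ? " (STRING, owns a heap copy)" : "");
		free(s);
	}
	return 0;
}
```

keywords_sorted() is the kind of check worth keeping in a unit test: an unsorted table does not fail loudly, bsearch() simply misses some keywords and the config starts parsing them as STRING.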


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@
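
The prefixlen operators introduced above, as an added C example that is not bgpd's code: a matcher for the prefixlen clause with the inclusive "8 - 24" and exclusive "8 >< 24" ranges, plus the parser-side range check that the grammar alone cannot do. The operator names, the struct layout, the 10.0.0.0/8 sample rule and the IPv4-only, host-order address representation are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Operators of the bgpd.conf prefixlen clause, named for this example. */
enum prefixlen_op {
	OP_NONE,	/* no prefixlen clause */
	OP_EQ, OP_NE, OP_LE, OP_LT, OP_GE, OP_GT,
	OP_RANGE,	/* min - max  : min <= len <= max */
	OP_XRANGE	/* min >< max : min <  len <  max */
};

struct filter_prefixlen {
	enum prefixlen_op	 op;
	uint8_t			 len_min;
	uint8_t			 len_max;
};

/* One "prefix A.B.C.D/len prefixlen ..." match, IPv4 only here. */
struct filter_prefix {
	uint32_t		 addr;	/* host byte order */
	uint8_t			 len;
	struct filter_prefixlen	 pl;
};

static uint32_t
v4mask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

/* Parser-side check: lengths within the address family, min <= max. */
int
prefixlen_valid(const struct filter_prefixlen *pl, uint8_t maxbits)
{
	switch (pl->op) {
	case OP_NONE:
		return 1;
	case OP_RANGE:
	case OP_XRANGE:
		return pl->len_min <= maxbits && pl->len_max <= maxbits &&
		    pl->len_min <= pl->len_max;
	default:
		return pl->len_min <= maxbits;
	}
}

int
prefixlen_match(const struct filter_prefixlen *pl, uint8_t plen)
{
	switch (pl->op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return plen == pl->len_min;
	case OP_NE:	return plen != pl->len_min;
	case OP_LE:	return plen <= pl->len_min;
	case OP_LT:	return plen <  pl->len_min;
	case OP_GE:	return plen >= pl->len_min;
	case OP_GT:	return plen >  pl->len_min;
	case OP_RANGE:	return plen >= pl->len_min && plen <= pl->len_max;
	case OP_XRANGE:	return plen >  pl->len_min && plen <  pl->len_max;
	}
	return 0;
}

/*
 * A route addr/plen matches the rule when it lies inside the rule prefix
 * and its length satisfies the prefixlen clause.
 */
int
prefix_match(const struct filter_prefix *f, uint32_t addr, uint8_t plen)
{
	if (plen < f->len)
		return 0;
	if ((addr & v4mask(f->len)) != (f->addr & v4mask(f->len)))
		return 0;
	return prefixlen_match(&f->pl, plen);
}

/* Convenience: evaluate "prefix 10.0.0.0/8 prefixlen <op min max>" on addr/plen. */
int
match_ten_eight(enum prefixlen_op op, uint8_t min, uint8_t max,
    uint32_t addr, uint8_t plen)
{
	struct filter_prefix f = { 0x0a000000U, 8, { op, min, max } };

	return prefix_match(&f, addr, plen);
}

int
clause_valid(enum prefixlen_op op, uint8_t min, uint8_t max, uint8_t maxbits)
{
	struct filter_prefixlen pl = { op, min, max };

	return prefixlen_valid(&pl, maxbits);
}

int
main(void)
{
	printf("10.1.0.0/16 vs prefixlen 8 - 24:  %d\n",
	    match_ten_eight(OP_RANGE, 8, 24, 0x0a010000U, 16));
	printf("10.1.0.0/24 vs prefixlen 8 >< 24: %d\n",
	    match_ten_eight(OP_XRANGE, 8, 24, 0x0a010000U, 24));
	return 0;
}
```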


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.431 27-Jun-2022 claudio

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@
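
The expansion rules described above (a macro name is a run of alphanumerics and '_' terminated by any other character, no expansion inside single or double quotes, and an undefined macro is a hard error as of rev 1.429) as an added C example. This is not bgpd's lexer; the symbol table, the MACRO_NAME_MAX limit and the function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MACRO_NAME_MAX	32	/* length cap for this example, not bgpd's value */

struct sym {
	const char	*name;
	const char	*val;
};

/* Constructed symbol table, as if bgpd.conf had "peerAS=65000" and so on. */
static const struct sym symtab[] = {
	{ "peerAS",	"65000" },
	{ "blackhole",	"666" },
	{ "peer1",	"192.0.2.1" },
};

/* Characters allowed in a macro name; anything else terminates it. */
static int
is_macro_char(unsigned char c)
{
	return isalnum(c) || c == '_';
}

/* For "name=value" definitions: reject empty, over-long or odd names. */
int
macro_name_valid(const char *name)
{
	size_t	i, n = strlen(name);

	if (n == 0 || n > MACRO_NAME_MAX)
		return 0;
	for (i = 0; i < n; i++)
		if (!is_macro_char((unsigned char)name[i]))
			return 0;
	return 1;
}

static const char *
symget(const char *name, size_t len)
{
	size_t	i;

	for (i = 0; i < sizeof(symtab) / sizeof(symtab[0]); i++)
		if (strlen(symtab[i].name) == len &&
		    strncmp(symtab[i].name, name, len) == 0)
			return symtab[i].val;
	return NULL;
}

/*
 * Expand every $name inside an unquoted STRING token. A name runs until
 * the first character that may not appear in a macro name, so
 * "$peerAS:$blackhole" becomes "65000:666". Returns 0, or -1 for an
 * undefined or over-long macro or a full output buffer (a config error).
 */
int
expand_macros(const char *tok, char *out, size_t outlen)
{
	size_t		 o = 0, vlen;
	const char	*p = tok, *start, *val;

	while (*p != '\0') {
		if (*p != '$') {
			if (o + 1 >= outlen)
				return -1;
			out[o++] = *p++;
			continue;
		}
		start = ++p;
		while (is_macro_char((unsigned char)*p))
			p++;
		if (p == start || (size_t)(p - start) > MACRO_NAME_MAX)
			return -1;
		if ((val = symget(start, (size_t)(p - start))) == NULL)
			return -1;	/* undefined macro: hard error */
		vlen = strlen(val);
		if (o + vlen >= outlen)
			return -1;
		memcpy(out + o, val, vlen);
		o += vlen;
		/* p already sits on the terminator (':', '/', ...): keep it */
	}
	out[o] = '\0';
	return 0;
}

/*
 * What the lexer does with a raw token: a quoted string is copied
 * verbatim without expansion, anything else goes through expand_macros().
 */
int
lex_string(const char *raw, char *out, size_t outlen)
{
	size_t	n = strlen(raw);

	if (n >= 2 && (raw[0] == '"' || raw[0] == '\'') && raw[n - 1] == raw[0]) {
		if (n - 2 >= outlen)
			return -1;
		memcpy(out, raw + 1, n - 2);
		out[n - 2] = '\0';
		return 0;
	}
	return expand_macros(raw, out, outlen);
}

/* Check helper: does raw lex to exactly want? */
int
expands_to(const char *raw, const char *want)
{
	char	buf[128];

	return lex_string(raw, buf, sizeof(buf)) == 0 && strcmp(buf, want) == 0;
}

int
main(void)
{
	const char	*samples[] = { "$peerAS:$blackhole", "\"$peerAS\"", "$undefined" };
	char		 buf[128];
	size_t		 i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (lex_string(samples[i], buf, sizeof(buf)) == 0)
			printf("%-20s -> %s\n", samples[i], buf);
		else
			printf("%-20s -> error (undefined or invalid macro)\n", samples[i]);
	return 0;
}
```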


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@
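
The NLRI decoding that the change above relies on, as an added C example that is not bgpd's code: with add-path negotiated, each IPv4 unicast NLRI entry is <4-byte path identifier><length><prefix> (RFC 7911), so a receiver that disagrees with the sender about the capability mis-parses the UPDATE, and every length must be checked before reading. The sample bytes are constructed; the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlri {
	int		has_path_id;
	uint32_t	path_id;	/* only meaningful if has_path_id */
	uint8_t		plen;
	uint8_t		prefix[4];	/* IPv4 prefix bytes, zero padded */
};

/*
 * Decode one IPv4 unicast NLRI entry from buf[0..len). When add-path was
 * negotiated a 4-byte path identifier precedes the usual <length, prefix>
 * encoding. Returns the bytes consumed, or -1 if the entry is truncated
 * or malformed.
 */
int
nlri_get_prefix(const uint8_t *buf, size_t len, int addpath, struct nlri *n)
{
	size_t	pos = 0, pbytes;

	memset(n, 0, sizeof(*n));
	if (addpath) {
		if (len < 4)
			return -1;
		n->path_id = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
		    (uint32_t)buf[2] << 8 | buf[3];
		n->has_path_id = 1;
		pos = 4;
	}
	if (len - pos < 1)
		return -1;
	n->plen = buf[pos++];
	if (n->plen > 32)
		return -1;
	pbytes = (n->plen + 7) / 8;
	if (len - pos < pbytes)
		return -1;
	memcpy(n->prefix, buf + pos, pbytes);
	return (int)(pos + pbytes);
}

/*
 * Walk a whole NLRI field and count its entries. A malformed entry
 * poisons the whole UPDATE: -1 is returned and the caller must not use
 * the entries decoded so far.
 */
int
nlri_count(const uint8_t *buf, size_t len, int addpath)
{
	struct nlri	n;
	size_t		pos = 0;
	int		count = 0, used;

	while (pos < len) {
		if ((used = nlri_get_prefix(buf + pos, len - pos, addpath, &n)) == -1)
			return -1;
		pos += used;
		count++;
	}
	return count;
}

/* Path identifier of entry idx (add-path on); -1 if malformed or past the end. */
int64_t
nlri_path_id_at(const uint8_t *buf, size_t len, size_t idx)
{
	struct nlri	n;
	size_t		pos = 0;
	int		used;

	while (pos < len) {
		if ((used = nlri_get_prefix(buf + pos, len - pos, 1, &n)) == -1)
			return -1;
		if (idx-- == 0)
			return n.path_id;
		pos += used;
	}
	return -1;
}

/* Constructed UPDATE NLRI field: 192.0.2.0/24 twice, path-ids 1 and 2. */
const uint8_t sample_nlri[] = {
	0x00, 0x00, 0x00, 0x01, 0x18, 0xc0, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x02, 0x18, 0xc0, 0x00, 0x02,
};

int
main(void)
{
	printf("add-path on:  %d entries, path-id of entry 1 = %lld\n",
	    nlri_count(sample_nlri, sizeof(sample_nlri), 1),
	    (long long)nlri_path_id_at(sample_nlri, sizeof(sample_nlri), 1));
	printf("add-path off: %d (malformed, as a mis-negotiated peer sees it)\n",
	    nlri_count(sample_nlri, sizeof(sample_nlri), 0));
	return 0;
}
```

Read without the capability, the same bytes decode as three zero-length prefixes followed by an entry claiming a 192-bit prefix, which is why the decoder rejects the whole field rather than trusting what it got so far.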


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends of the endianess. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
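
The endianness trap described above, as an added C example that is not bgpd's code: the same three-element community set is sorted once with a memcmp() comparator and once with a field-by-field comparator, and only the latter yields the same order on every host. The struct layout here is illustrative; bgpd's struct community differs in detail.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as a community entry, fields chosen for the example. */
struct community {
	uint8_t		flags;
	uint32_t	data1;		/* e.g. the AS part of AS:VALUE */
	uint32_t	data2;		/* e.g. the VALUE part */
	uint32_t	data3;
};

/*
 * The pre-1.415 approach: order by raw bytes. On a little-endian host the
 * least significant byte of each field is compared first, so 65000:256
 * sorts before 65000:1; on a big-endian host it does not. Padding bytes
 * take part in the comparison too. Kept here only to show the problem.
 */
int
community_cmp_memcmp(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct community));
}

/* Field-by-field compare in native integer order: the same on every host. */
int
community_cmp(const void *a, const void *b)
{
	const struct community	*x = a, *y = b;

	if (x->flags != y->flags)
		return x->flags < y->flags ? -1 : 1;
	if (x->data1 != y->data1)
		return x->data1 < y->data1 ? -1 : 1;
	if (x->data2 != y->data2)
		return x->data2 < y->data2 ? -1 : 1;
	if (x->data3 != y->data3)
		return x->data3 < y->data3 ? -1 : 1;
	return 0;
}

int
host_is_little_endian(void)
{
	uint32_t	v = 1;
	unsigned char	c;

	memcpy(&c, &v, 1);
	return c == 1;
}

/*
 * Sort a constructed set { 65000:256, 65000:1, 65000:2 } with the given
 * comparator and return the VALUE part of the first element.
 */
uint32_t
first_value_after_sort(int (*cmp)(const void *, const void *))
{
	struct community	set[3];
	uint32_t		values[3] = { 256, 1, 2 };
	size_t			i;

	memset(set, 0, sizeof(set));	/* zero padding so memcmp() is deterministic */
	for (i = 0; i < 3; i++) {
		set[i].data1 = 65000;
		set[i].data2 = values[i];
	}
	qsort(set, 3, sizeof(set[0]), cmp);
	return set[0].data2;
}

int
main(void)
{
	printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
	printf("memcmp sort puts 65000:%u first, field sort puts 65000:%u first\n",
	    (unsigned)first_value_after_sort(community_cmp_memcmp),
	    (unsigned)first_value_after_sort(community_cmp));
	return 0;
}
```

The regression test mentioned in the log catches exactly this: the printed config is compared against a stored expected output, so an order that depends on the build host fails on the first big-endian machine.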


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@
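
Merging duplicated ROA entries as described above (and the RB-tree merge of rev 1.411), together with the per-prefix expiry of rev 1.419, as an added C example that is not bgpd's rtr engine: a small fixed-size roa-set with insert-with-merge, expiry, and RFC 6811 origin validation run against it. The array-backed set, the choice to keep the later expiry on merge, and the sample data are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define ROA_MAX	64	/* fixed array for the example; bgpd keeps an RB tree */

struct roa {
	uint32_t	prefix;		/* IPv4, host byte order */
	uint8_t		prefixlen;
	uint8_t		maxlen;
	uint32_t	asnum;
	time_t		expires;	/* 0: never expires */
};

struct roa_set {
	struct roa	roas[ROA_MAX];
	size_t		n;
};

enum roa_state { ROA_NOTFOUND, ROA_INVALID, ROA_VALID };

static uint32_t
v4mask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

/*
 * Insert a ROA. An existing prefix/prefixlen/source-as triple is merged,
 * not duplicated: the longer maxlen wins since that VRP covers everything
 * the shorter one does. Keeping the later expiry is this example's choice.
 */
int
roa_set_add(struct roa_set *rs, const struct roa *r)
{
	struct roa	*e;
	size_t		 i;

	if (r->prefixlen > 32 || r->maxlen > 32 || r->maxlen < r->prefixlen)
		return -1;
	for (i = 0; i < rs->n; i++) {
		e = &rs->roas[i];
		if (e->prefix != r->prefix || e->prefixlen != r->prefixlen ||
		    e->asnum != r->asnum)
			continue;
		if (r->maxlen > e->maxlen)
			e->maxlen = r->maxlen;
		if (e->expires != 0 && (r->expires == 0 || r->expires > e->expires))
			e->expires = r->expires;
		return 0;
	}
	if (rs->n == ROA_MAX)
		return -1;
	rs->roas[rs->n++] = *r;
	return 0;
}

/* Drop every entry whose expires timestamp has passed; returns the count. */
size_t
roa_set_expire(struct roa_set *rs, time_t now)
{
	size_t	i = 0, removed = 0;

	while (i < rs->n) {
		if (rs->roas[i].expires != 0 && rs->roas[i].expires <= now) {
			rs->roas[i] = rs->roas[--rs->n];
			removed++;
		} else
			i++;
	}
	return removed;
}

/*
 * RFC 6811 origin validation: VALID if a covering ROA lists the origin AS
 * and permits the length, INVALID if ROAs cover the prefix but none fits,
 * NOTFOUND if nothing covers it.
 */
enum roa_state
roa_validate(const struct roa_set *rs, uint32_t prefix, uint8_t plen,
    uint32_t origin_as)
{
	const struct roa	*r;
	size_t			 i;
	int			 covered = 0;

	for (i = 0; i < rs->n; i++) {
		r = &rs->roas[i];
		if (plen < r->prefixlen || (prefix & v4mask(r->prefixlen)) !=
		    (r->prefix & v4mask(r->prefixlen)))
			continue;
		covered = 1;
		if (plen <= r->maxlen && r->asnum == origin_as)
			return ROA_VALID;
	}
	return covered ? ROA_INVALID : ROA_NOTFOUND;
}

/*
 * Constructed roa-set: 192.0.2.0/24 AS 65000 listed twice with maxlen 24
 * and 32 (the rev 1.405 case) and 198.51.100.0/24 AS 65001 expiring at 1000.
 */
struct roa_set sample_set;

size_t
roa_set_sample(void)
{
	struct roa	r1 = { 0xc0000200U, 24, 24, 65000, 0 };
	struct roa	r2 = { 0xc0000200U, 24, 32, 65000, 0 };
	struct roa	r3 = { 0xc6336400U, 24, 24, 65001, 1000 };

	sample_set.n = 0;
	roa_set_add(&sample_set, &r1);
	roa_set_add(&sample_set, &r2);
	roa_set_add(&sample_set, &r3);
	return sample_set.n;
}

int
main(void)
{
	printf("%zu entries after merge, first maxlen %u\n", roa_set_sample(),
	    sample_set.roas[0].maxlen);
	printf("192.0.2.128/25 from AS 65000: %d (2 = valid)\n",
	    roa_validate(&sample_set, 0xc0000280U, 25, 65000));
	printf("%zu entries expired at t=2000\n", roa_set_expire(&sample_set, 2000));
	return 0;
}
```

Keeping only the shorter maxlen would have turned 192.0.2.128/25 from AS 65000 into an INVALID route, which is the failure the rev 1.405 merge prevents.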


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message); any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
    descr "CUSTOMER1"
    rd 65003:1
    import-target rt 65003:3
    export-target rt 65003:1
    depend on mpe0
    network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIBs plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
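
The leak described above, as an added illustration that is not bgpd's code: a keyword lookup() that returns STRING for anything not in the table, the pre-1.71 lexer that strdup()s on every token, the post-1.71 lexer that only does so for STRING, and a driver that frees yylval.string exactly where the grammar would. The token values, keyword table and helper names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L	/* for strdup(3) */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Token values: a constructed subset, not bgpd's real token set. */
enum { STRING = 258, DESCR, NEIGHBOR, REMOTE_AS };
struct keyword { const char *k_name; int k_val; };

/* Keyword table; kept sorted because lookup() uses bsearch(3). */
static const struct keyword keywords[] = {
	{ "descr", DESCR }, { "neighbor", NEIGHBOR }, { "remote-as", REMOTE_AS },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* Return the keyword token for buf, or STRING if it is not a keyword. */
static int
lookup(const char *buf)
{
	const struct keyword *p = bsearch(buf, keywords,
	    sizeof(keywords) / sizeof(keywords[0]), sizeof(keywords[0]), kw_cmp);

	return p != NULL ? p->k_val : STRING;
}
static struct { char *string; } yylval;	/* stand-in for yacc's yylval */
static long allocs, frees;		/* counters that make the leak measurable */

static char *
count_strdup(const char *s)
{
	char *p = strdup(s);
	if (p == NULL)
		exit(1);	/* bgpd calls fatal("yylex: strdup") here */
	allocs++;
	return p;
}

/* Copy the next whitespace-delimited word from *in into buf; 0 at end. */
static int
next_word(const char **in, char *buf, size_t len)
{
	size_t n = 0;

	while (isspace((unsigned char)**in))
		(*in)++;
	if (**in == '\0')
		return 0;
	while (**in != '\0' && !isspace((unsigned char)**in) && n < len - 1)
		buf[n++] = *(*in)++;
	buf[n] = '\0';
	return 1;
}

/* Before 1.71: yylval.string is allocated for every token. */
int
yylex_before(const char **in)
{
	char buf[64];
	int token;

	if (!next_word(in, buf, sizeof(buf)))
		return 0;
	token = lookup(buf);
	yylval.string = count_strdup(buf);
	return token;
}

/* After 1.71: allocate only when the token is STRING. */
int
yylex_after(const char **in)
{
	char buf[64];
	int token;

	if (!next_word(in, buf, sizeof(buf)))
		return 0;
	token = lookup(buf);
	if (token == STRING)
		yylval.string = count_strdup(buf);
	return token;
}

/* Drive a lexer the way the grammar does (only STRING rules free
 * yylval.string) and return the number of strdup()s that leaked. */
long
count_leaked(int (*lex)(const char **), const char *input)
{
	int token;

	allocs = frees = 0;
	while ((token = lex(&input)) != 0)
		if (token == STRING) {
			free(yylval.string);
			frees++;
		}
	return allocs - frees;
}
```

For the constructed line "neighbor 192.0.2.1 remote-as 65001 descr upstream" the old lexer leaks one allocation per keyword (three), the fixed one none.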


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.430 15-Jun-2022 claudio

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows marking routes as stale, refreshing
them and then flushing out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
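
The endianness problem described above, as an added illustration that is not bgpd's code: struct comm and its values are constructed stand-ins for the community struct, sorted once with memcmp(3) and once with a field-wise comparator in native byte order.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a struct of integer fields that gets sorted. */
struct comm {
	uint32_t data1;
	uint32_t data2;
};

/* Byte-wise comparison: the resulting order depends on host endianness. */
int
comm_cmp_memcmp(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct comm));
}

/* Field-wise comparison in native byte order: identical on every host. */
int
comm_cmp_fields(const void *a, const void *b)
{
	const struct comm *ca = a, *cb = b;

	if (ca->data1 != cb->data1)
		return ca->data1 < cb->data1 ? -1 : 1;
	if (ca->data2 != cb->data2)
		return ca->data2 < cb->data2 ? -1 : 1;
	return 0;
}

int
host_is_big_endian(void)
{
	const uint32_t one = 1;

	return *(const unsigned char *)&one == 0;
}

/* Constructed values: 1 and 256 differ only in which byte is non-zero,
 * so memcmp() ranks them differently on little and big endian hosts. */
const struct comm comm_one = { 1, 0 };
const struct comm comm_256 = { 256, 65535 };

/*
 * Sort a constructed set with both comparators and report whether the
 * two orders agree; they do only on big endian hosts.
 */
int
orders_agree(void)
{
	struct comm a[] = { { 65001, 1 }, { 65001, 256 }, { 256, 65535 }, { 1, 0 } };
	struct comm b[sizeof(a) / sizeof(a[0])];

	memcpy(b, a, sizeof(a));
	qsort(a, sizeof(a) / sizeof(a[0]), sizeof(a[0]), comm_cmp_memcmp);
	qsort(b, sizeof(b) / sizeof(b[0]), sizeof(b[0]), comm_cmp_fields);
	return memcmp(a, b, sizeof(a)) == 0;
}
```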


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows configuring both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow sending out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
    roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
    }
    deny from any ovs invalid
    match from any ovs valid set community local-as:42
    match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
    match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
    roa-set "test2" {
        1.2.3.0/24 source-as 1,
        1.2.8.0/22 maxlen 24 source-as 3
    }
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
    prefix 10.0.0.0/8 prefixlen 8 - 24
    prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
    deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
    e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
    becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the SAFIs to be announced to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filter,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.429 09-Jun-2022 claudio

Properly error out if a variable does not exist. Need to pass back
ERROR to yylex() to make the parser fail nicely.
OK tb@


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since the prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
        1.2.3.0/24 source-as 1,
        1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
        prefix 10.0.0.0/8 prefixlen 8 - 24
        prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
        deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
to support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
        announce refresh yes    # was already on by default
        announce restart no
        announce as-4byte no    # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address familiy of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
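
The leak described in this message, as an added example that is not part of the log and not code from bgpd's parse.y: a minimal lexer built on the same lookup()/STRING pattern. The keyword table, the token names, lex_word() and count_string_allocs() are all invented for the example; the fix is the one the message describes, the strdup() happens only when lookup() returns STRING, so every heap copy has exactly one owner that will free() it.

```c
#define _POSIX_C_SOURCE 200809L	/* strdup(3), strtok_r(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example token set (hypothetical, not bgpd's real grammar). */
enum token { STRING = 256, NEIGHBOR, REMOTEAS, DESCR, SET, LOCALPREF };

struct keyword {
	const char	*k_name;
	enum token	 k_val;
};

/* Must stay sorted: bsearch(3) relies on it (compare rev 1.77 above). */
static const struct keyword keywords[] = {
	{ "descr",	DESCR },
	{ "localpref",	LOCALPREF },
	{ "neighbor",	NEIGHBOR },
	{ "remote-as",	REMOTEAS },
	{ "set",	SET },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp((const char *)k, ((const struct keyword *)e)->k_name);
}

/* Return the keyword's token, or STRING when buf is not a keyword. */
static enum token
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p == NULL ? STRING : p->k_val;
}

struct yylval {
	char	*string;	/* owned only while the token is STRING */
};

/*
 * The leaky version strdup()'d buf for every token.  Here the copy is
 * made only for STRING, the one token whose grammar rule free()s it;
 * keyword tokens leave yylval->string NULL so nothing can be lost.
 */
static enum token
lex_word(const char *buf, struct yylval *yylval)
{
	enum token token = lookup(buf);

	yylval->string = NULL;
	if (token == STRING) {
		if ((yylval->string = strdup(buf)) == NULL) {
			perror("strdup");
			exit(1);
		}
	}
	return token;
}

/*
 * Tokenize a whitespace-separated line, free each STRING value as the
 * grammar would, and return how many heap copies were made.  With the
 * fix this equals the number of non-keyword words; with the old code it
 * would have equalled the total word count and every keyword copy leaked.
 * ntokens, if non-NULL, receives the total number of words seen.
 */
int
count_string_allocs(const char *line, int *ntokens)
{
	struct yylval yylval;
	char *copy, *word, *save;
	int allocs = 0, toks = 0;

	if ((copy = strdup(line)) == NULL)
		return -1;
	for (word = strtok_r(copy, " \t\n", &save); word != NULL;
	    word = strtok_r(NULL, " \t\n", &save)) {
		toks++;
		if (lex_word(word, &yylval) == STRING) {
			allocs++;
			free(yylval.string);	/* what the STRING rule does */
		}
	}
	free(copy);
	if (ntokens != NULL)
		*ntokens = toks;
	return allocs;
}

int
main(void)
{
	/* Constructed sample line, not a real bgpd.conf. */
	const char *line = "neighbor 192.0.2.1 remote-as 65001 descr peer1";
	int n, a = count_string_allocs(line, &n);

	printf("%d tokens, %d heap copies\n", n, a);
	return 0;
}
```

Running it prints 6 tokens but only 3 heap copies: the three non-keyword words. Counting allocations against STRING tokens is also a cheap check to keep in a lexer's unit tests, since a mismatch is exactly the symptom Patrick Latifi noticed.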


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer a little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
which need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustments by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered into the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filter rule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include disallowed characters.
OK tb@
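
An added example, not code from bgpd or from this commit: a small Python model of the expansion rules the message above describes. It treats `$name` as a macro reference anywhere outside single or double quotes (the commit speaks of token starts and STRING elements, which this approximates), ends the name at the first character that is not alphanumeric or `_` so that `$FOO:$BAR` expands both macros, and validates names the way the added set-variable checks do. The function names, the 32-character name limit and the backslash handling inside quotes (not modelled) are assumptions of this example, and the config lines in `demo()` are constructed.

```python
"""Model of bgpd.conf $macro expansion rules (added example, not bgpd's lexer)."""
import re
from typing import Dict, List

# Macro names are alphanumeric or '_'; the length limit is an assumption,
# the commit only says that the name length is restricted.
MACRO_NAME_RE = re.compile(r'[A-Za-z0-9_]+')
MAX_MACRO_NAME_LEN = 32


def set_macro(macros: Dict[str, str], name: str, value: str) -> None:
    """Model of the checks applied to a 'name = "value"' definition."""
    if not name or len(name) > MAX_MACRO_NAME_LEN:
        raise ValueError(f'macro name {name!r} is empty or too long')
    if MACRO_NAME_RE.fullmatch(name) is None:
        raise ValueError(f'macro name {name!r} contains disallowed characters')
    macros[name] = value


def expand_macros(line: str, macros: Dict[str, str]) -> str:
    """Expand every $name outside quotes, including in the middle of a token.

    The name ends at the first character that is not alphanumeric or '_',
    so '$FOO:$BAR' expands both macros. Single- and double-quoted strings
    are copied verbatim (backslash escapes inside quotes are not modelled).
    """
    out: List[str] = []
    i, quote = 0, None
    while i < len(line):
        c = line[i]
        if quote is not None:              # inside a quoted string: no expansion
            out.append(c)
            if c == quote:
                quote = None
            i += 1
        elif c in ('"', "'"):              # opening quote
            quote = c
            out.append(c)
            i += 1
        elif c == '$':                     # macro reference
            m = MACRO_NAME_RE.match(line, i + 1)
            if m is None:
                raise ValueError(f'empty macro name at offset {i} in {line!r}')
            name = m.group(0)
            if name not in macros:
                raise KeyError(f'macro {name!r} not defined')
            out.append(macros[name])
            i = m.end()
        else:
            out.append(c)
            i += 1
    if quote is not None:
        raise ValueError(f'unterminated quoted string in {line!r}')
    return ''.join(out)


def demo() -> List[str]:
    """Constructed config lines showing where expansion does and does not happen."""
    macros: Dict[str, str] = {}
    set_macro(macros, 'FOO', '65001')
    set_macro(macros, 'BAR', '100')
    set_macro(macros, 'peer', '192.0.2.1')
    return [
        expand_macros('match from $peer community $FOO:$BAR set localpref 200', macros),
        expand_macros('neighbor $peer { descr "$FOO:$BAR" }', macros),
    ]


if __name__ == '__main__':
    print('\n'.join(demo()))
```

Note that `$FOO_x` is read as one name `FOO_x`, not `FOO` followed by `_x`; that is exactly why the commit requires the character after a macro name to be one that cannot appear in a name.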


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than
one community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
look up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
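
An added example, not code from bgpd or from this commit: a Python model of the origin validation state that the roa-set above feeds and that `ovs valid | invalid | not-found` matches on, following the RFC 6811 procedure (a route is not-found when no ROA covers its prefix, valid when a covering ROA names its origin AS and allows its prefix length, invalid otherwise). The sample roa-set is the one from the commit message; entries repeating a prefix/source-as with different maxlen values are merged by keeping the longest maxlen, which is what rev 1.405 on this page describes. The function names, the parser's handling of trailing commas and comments, and the routes evaluated in `demo()` are assumptions and constructed input of this example.

```python
"""RFC 6811 origin validation against a roa-set (added example, not bgpd code)."""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
RoaKey = Tuple[Network, int]   # (ROA prefix, source-as)

# Constructed sample input in the roa-set syntax from the commit message.
# A missing maxlen means only the exact prefix length is authorised.
SAMPLE_ROA_SET = """
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
"""


def parse_roa_set(text: str) -> Dict[RoaKey, int]:
    """Parse 'PREFIX [maxlen N] source-as AS' lines into {(prefix, as): maxlen}.

    Entries repeating the same prefix/source-as with different maxlen values
    are merged by keeping the longest maxlen, the VRP that covers the others.
    """
    roas: Dict[RoaKey, int] = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip().rstrip(',')   # allow trailing commas
        if not line:
            continue
        toks = line.split()
        prefix = ipaddress.ip_network(toks[0])   # strict: host bits must be zero
        maxlen, source_as = prefix.prefixlen, None
        i = 1
        while i + 1 < len(toks):
            if toks[i] == 'maxlen':
                maxlen = int(toks[i + 1])
            elif toks[i] == 'source-as':
                source_as = int(toks[i + 1])
            else:
                raise ValueError(f'unexpected token {toks[i]!r} in {raw!r}')
            i += 2
        if i != len(toks) or source_as is None or not 0 <= source_as <= 0xFFFFFFFF:
            raise ValueError(f'missing or invalid source-as in {raw!r}')
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f'maxlen {maxlen} out of range for {prefix} in {raw!r}')
        key = (prefix, source_as)
        roas[key] = max(maxlen, roas.get(key, 0))
    return roas


def origin_validation_state(roas: Dict[RoaKey, int], route: str, origin_as: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route/origin pair.

    not-found: no ROA covers the prefix. valid: a covering ROA has the same
    source-as and a maxlen that allows this prefix length. invalid: otherwise,
    which also handles AS 0 ROAs since no real origin AS equals 0.
    """
    net = ipaddress.ip_network(route)
    covered = False
    for (prefix, source_as), maxlen in roas.items():
        # A ROA covers the route when it is the same or a less specific prefix
        # of the same address family.
        if prefix.prefixlen > net.prefixlen or net.network_address not in prefix:
            continue
        covered = True
        if source_as == origin_as and net.prefixlen <= maxlen:
            return 'valid'
    return 'invalid' if covered else 'not-found'


def demo() -> List[Tuple[str, int, str]]:
    """Evaluate a few constructed routes against SAMPLE_ROA_SET."""
    roas = parse_roa_set(SAMPLE_ROA_SET)
    routes = [
        ('165.254.255.0/24', 15562),  # exact match
        ('165.254.255.0/25', 15562),  # more specific than the implicit maxlen 24
        ('193.0.2.0/24', 3333),       # within the /21's maxlen 24
        ('193.0.0.0/21', 64500),      # covered, wrong origin AS
        ('193.0.0.0/25', 3333),       # covered, longer than maxlen
        ('198.51.100.0/24', 64500),   # no covering ROA
    ]
    return [(r, a, origin_validation_state(roas, r, a)) for r, a in routes]


if __name__ == '__main__':
    for route, asn, state in demo():
        print(f'{route:18} AS{asn:<6} {state}')
```

The invalid results for the two too-specific routes are the point of maxlen: a ROA without one authorises only the exact prefix, so an announcement of a more specific prefix, even from the right origin AS, is rejected by `deny from any ovs invalid`.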


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
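To make the migration this commit asks for concrete, here is a constructed bgpd.conf pair: the old style on top, and below it the form the commit message recommends (explicit `announce all`, `export none`, default-deny filters first, then explicit allows that reproduce what was exported before). This is an added example for this page, not configuration shipped with bgpd; the AS numbers, addresses and peer descriptions are made up.

```conf
# --- before (pre-1.322 semantics): the announce keyword did the filtering ---
AS 65001
router-id 192.0.2.1
network 203.0.113.0/24

neighbor 192.0.2.3 {
	descr "transit"
	remote-as 65002
	announce self            # only our own networks were sent
}
neighbor 192.0.2.4 {
	descr "monitor"
	remote-as 65003
	announce none            # nothing was sent
}

# --- after: announce is explicit, filters are default deny in both directions ---
AS 65001
router-id 192.0.2.1
network 203.0.113.0/24

neighbor 192.0.2.3 {
	descr "transit"
	remote-as 65002
	announce all             # the new default, stated explicitly
}
neighbor 192.0.2.4 {
	descr "monitor"
	remote-as 65003
	export none              # replaces 'announce none'
}

# default deny first, then allow exactly what the old config exported
deny from any
deny to any
allow from 192.0.2.3
allow to 192.0.2.3 prefix 203.0.113.0/24
```

bgpd evaluates filter rules with last-match-wins semantics (unless a rule says `quick`), which is why the two deny rules go at the start and the specific allow rules follow them; anything not explicitly allowed falls through to the deny, which is the RFC 8212 behaviour the commit message refers to. Run `bgpd -nv -f bgpd.conf` on the rewritten file and compare `bgpctl show rib out nei transit` before and after the upgrade to confirm the exported set is unchanged.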


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
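The two filters above are easy to model outside bgpd, and doing so shows the difference between them. The following Python is an added example for this page, not bgpd's RDE code: it treats an AS path as a list of integers, applies the "longer than N" semantics the commit message gives for both filters, and reports which of a set of constructed rules would match. Rule names and the evaluate() helper are my own.

```python
def as_path_len(path):
    """Length of the AS path as seen by max-as-len (number of hops)."""
    return len(path)


def longest_as_run(path):
    """Length of the longest sequence of the same AS repeated back to back,
    which is what max-as-seq looks at (prepends show up here)."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def max_as_len_matches(path, limit):
    """max-as-len N matches when the path is longer than N."""
    return as_path_len(path) > limit


def max_as_seq_matches(path, limit):
    """max-as-seq N matches when some AS is repeated more than N times in a row."""
    return longest_as_run(path) > limit


def evaluate(path, rules):
    """Return the names of the rules that match `path`.
    `rules` is a list of (name, kind, limit) where kind is
    'max-as-len' or 'max-as-seq' (a constructed rule format, not bgpd.conf)."""
    hits = []
    for name, kind, limit in rules:
        if kind == "max-as-len" and max_as_len_matches(path, limit):
            hits.append(name)
        elif kind == "max-as-seq" and max_as_seq_matches(path, limit):
            hits.append(name)
        elif kind not in ("max-as-len", "max-as-seq"):
            raise ValueError(f"unknown filter kind {kind!r}")
    return hits


# Constructed rule set: drop paths over 20 hops and paths carrying a
# prepend run longer than 5 of the same AS.
SAMPLE_RULES = [
    ("deny-long-path", "max-as-len", 20),
    ("deny-long-prepend", "max-as-seq", 5),
]

# Constructed sample paths (AS numbers are made up).
PREPENDED_PATH = [65002] + [65001] * 8 + [64496]
PLAIN_PATH = [65002, 65001, 64496]
LONG_PATH = list(range(64512, 64512 + 25))


if __name__ == "__main__":
    for p in (PREPENDED_PATH, PLAIN_PATH, LONG_PATH):
        print(as_path_len(p), longest_as_run(p), evaluate(p, SAMPLE_RULES))
```

Note the strict inequality in both helpers: `max-as-len 20` still accepts a 20-hop path, and `max-as-seq 5` still accepts five copies of the same AS, matching the "longer than" wording of the commit message. longest_as_run() only counts adjacent repeats, so an AS that appears twice in different places in the path does not count as a prepend.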


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the SAFIs to be announced to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected or all static routes, respectively. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol-independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.428 02-Jun-2022 claudio

Adjust lowest allowed routing priority to be bigger than RTP_LOCAL.
RTP_LOCAL is internally used by the kernel and is not available for
userland. The minimal usable routing prio is 2.
OK tb@


# 1.427 02-Jun-2022 claudio

Use a common idiom to check if the user supplied routing priority is
in range. Also rephrase the error message.
OK tb@


# 1.426 02-Jun-2022 claudio

Cleanup ktable_exists() usage and its warning message.

Check the return value in all cases and use a common idiom for this check.
OK tb@


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@
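
The expansion rules described in this commit (expand $NAME at token start and inside STRING elements, stop at the first character outside the macro-name alphabet so that $FOO:$BAR expands both, never expand inside single or double quotes, and validate names on set), as an added Python example. This is illustrative code written for this page, not bgpd's lexer; the 64-character name limit, the ConfigError class and the sample macro values are assumptions.

```python
import re

# Macro names are alphanumerics and '_'. A greedy match naturally stops at the
# first character outside that set, which is what lets "$FOO:$BAR" expand both.
MACRO_NAME = re.compile(r"[A-Za-z0-9_]+")
# Assumed cap for this example; the commit only says the length is restricted.
MAX_MACRO_NAME_LEN = 64


class ConfigError(ValueError):
    """Raised where bgpd's parser would report the problem via yyerror()."""


def symset(macros, name, value):
    """Define a macro, applying the name checks described in rev 1.423."""
    if not name or len(name) > MAX_MACRO_NAME_LEN:
        raise ConfigError("macro name missing or too long")
    if MACRO_NAME.fullmatch(name) is None:
        raise ConfigError(f"macro name '{name}' contains disallowed characters")
    macros[name] = value


def expand_macros(line, macros):
    """Expand $NAME references in one config line.

    Quoted strings (single or double quotes) are copied through untouched, a
    backslash inside quotes escapes the following character, and a reference to
    an undefined macro is an error rather than silently expanding to nothing.
    """
    out = []
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c in ("'", '"'):
            # Find the matching close quote, honouring backslash escapes.
            j = i + 1
            while j < n and line[j] != c:
                if line[j] == "\\" and j + 1 < n:
                    j += 1
                j += 1
            if j >= n:
                raise ConfigError("unterminated quoted string")
            out.append(line[i:j + 1])
            i = j + 1
        elif c == "$":
            m = MACRO_NAME.match(line, i + 1)
            if m is None:
                raise ConfigError("empty macro name after '$'")
            name = m.group(0)
            if name not in macros:
                raise ConfigError(f"macro '{name}' not defined")
            out.append(macros[name])
            i = m.end()
        else:
            out.append(c)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed macro values, not taken from any real configuration.
    macros = {}
    symset(macros, "FOO", "65000")
    symset(macros, "BAR", "100")
    symset(macros, "peer1", "192.0.2.1")
    for line in ("set community $FOO:$BAR",
                 'descr "$FOO:$BAR"',
                 "neighbor $peer1 { descr '$FOO' }"):
        print(repr(line), "->", repr(expand_macros(line, macros)))
```

The quoted-string branch is the security-relevant part: a value such as a peer description that happens to contain `$` must never be rewritten, and an undefined macro must fail the parse instead of yielding an empty token that silently changes what a filter rule matches.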


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends of the endianess. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
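
The origin validation states that the three rules above key on (ovs valid, invalid and not-found), with the maxlen handling from rev 1.351 (a missing maxlen equals the prefixlen) and the merge rule from rev 1.405 (keep the longest maxlen for a repeated prefix/source-as pair) folded in, as an added Python example. This is illustrative code written for this page, not bgpd's RDE; the roa-set entries, the local AS 64496, the announcements and the helper names are constructed for the example.

```python
import ipaddress

# Constructed roa-set in the shape of the config shown in the commit message:
# (prefix, maxlen or None, source-as). The second 193.0.0.0/21 entry repeats the
# prefix/source-as pair with a shorter maxlen to exercise the rev 1.405 merge.
# Sample data, not a real RPKI export.
ROA_SET = [
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
    ("193.0.0.0/21", 22, 3333),
]


def build_roa_table(entries):
    """Return {(network, source_as): maxlen}.

    A missing maxlen means maxlen == prefixlen (rev 1.351: 'maxlen N' on a /N
    is the same as 'prefixlen N - N'). When a prefix/source-as pair appears
    more than once, keep the longest maxlen, since that VRP covers the others
    (rev 1.405). A maxlen outside [prefixlen, address length] is rejected.
    """
    table = {}
    for prefix, maxlen, source_as in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if maxlen is None:
            maxlen = net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        key = (net, source_as)
        table[key] = max(table.get(key, 0), maxlen)
    return table


def origin_validation_state(table, prefix, origin_as):
    """Classify an announcement the way RFC 6811 describes it.

    valid:     a covering ROA has the same source-as and maxlen >= prefixlen
    invalid:   covering ROAs exist, but none of them accepts this announcement
    not-found: no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for (roa_net, source_as), maxlen in table.items():
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if source_as == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_by_ovs(table, prefix, origin_as, local_as):
    """Emulate the three rules from the commit message:

        deny  from any ovs invalid
        match from any ovs valid     set community local-as:42
        match from any ovs not-found set community local-as:43

    Returns ("deny", None) or ("accept", "<local-as>:<value>").
    """
    state = origin_validation_state(table, prefix, origin_as)
    if state == "invalid":
        return ("deny", None)
    value = 42 if state == "valid" else 43
    return ("accept", f"{local_as}:{value}")


if __name__ == "__main__":
    roa = build_roa_table(ROA_SET)
    # Constructed announcements: a valid more-specific, one past maxlen,
    # a wrong origin AS, and a prefix no ROA covers.
    for prefix, asn in [("193.0.4.0/24", 3333), ("193.0.0.0/26", 3333),
                        ("165.254.255.0/24", 15563), ("10.0.0.0/8", 65000)]:
        print(prefix, asn, origin_validation_state(roa, prefix, asn),
              filter_by_ovs(roa, prefix, asn, 64496))
```

Note that a more-specific beyond maxlen (193.0.0.0/26 against a /21 with maxlen 24) and a wrong origin AS both come out invalid, while a prefix with no covering ROA is only not-found; the deny rule above drops the former and leaves the latter to the normal filters, which is the distinction that makes ovs useful against hijacks without dropping unsigned space.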


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first limits
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
in a protocol-independent way. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.425 31-May-2022 claudio

Implement a max communities filter match

When max-communities X is set on a filterrule the filter will match when
more than X communities are present in the path. In other words
max-communities 0 means no communities are allowed and max-communities 3
limits it up to 3 communities.
There is max-communities, max-ext-communities and max-large-communities
for each of the 3 community attributes. These three max checks can be used
together.
OK tb@ job@


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
always be 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'.
Similar to graceful restart this allows marking routes as stale, refreshing
them and then flushing out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
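The sort-order problem this commit describes, shown as an added example in C that is not bgpd's code: a constructed community struct sorted once with memcmp() and once with a field-by-field numeric comparator. The numeric comparator yields the same order on every host; memcmp() does not, because on a little-endian host the low byte of 0x100 is 0x00 and sorts before 0x02. The struct layout, the sample values and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for a community filter entry. All fields are 32-bit
 * so the struct has no padding and memcmp() sees only the integers.
 */
struct community {
	uint32_t flags;
	uint32_t data1;
	uint32_t data2;
	uint32_t data3;
};

/* Byte-order dependent: orders by the in-memory bytes of the integers. */
int
community_cmp_bytes(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct community));
}

/* Endian-independent: compares each field as a number, in field order. */
int
community_cmp(const void *a, const void *b)
{
	const struct community *ca = a, *cb = b;

	if (ca->flags != cb->flags)
		return ca->flags < cb->flags ? -1 : 1;
	if (ca->data1 != cb->data1)
		return ca->data1 < cb->data1 ? -1 : 1;
	if (ca->data2 != cb->data2)
		return ca->data2 < cb->data2 ? -1 : 1;
	if (ca->data3 != cb->data3)
		return ca->data3 < cb->data3 ? -1 : 1;
	return 0;
}

int
host_is_little_endian(void)
{
	uint32_t x = 1;
	unsigned char c;

	memcpy(&c, &x, 1);
	return c == 1;
}

/*
 * Sort a constructed set with one of the two comparators and return the
 * data1 value that ends up first. The numeric comparator always yields 2.
 * memcmp() yields 2 only on big-endian hosts; on little-endian hosts the
 * first byte of 0x100 and 0x10000 is 0x00, which sorts before 0x02, and
 * the second byte then puts 0x10000 first.
 */
uint32_t
first_after_sort(int use_memcmp)
{
	struct community set[] = {
		{ 0, 0x100, 0, 0 },
		{ 0, 0x10000, 0, 0 },
		{ 0, 2, 0, 0 },
	};

	qsort(set, 3, sizeof(set[0]),
	    use_memcmp ? community_cmp_bytes : community_cmp);
	return set[0].data1;
}
```

A stable, host-independent order matters beyond the regress test: the RDE compares filter sets on reload to skip unchanged ones, so the order must not depend on which machine wrote the config.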


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATEs with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows configuring both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow sending out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces and add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
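The maxlen handling described here, the origin validation states (ovs valid / invalid / not-found) of revision 1.361 above and the duplicate-entry merging of revision 1.405 above, as one added example in C that is not bgpd's own code. It takes the two-entry roa-set from the 1.361 commit text as constructed sample data, validates a route per RFC 6811 (maxlen is the upper prefixlen bound of the entry, exactly the "prefixlen 8 - 24" range this message describes), and merges duplicate prefix/source-as entries keeping the longest maxlen. IPv4 only, prefixes in host byte order, and all struct and function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

/* One ROA entry (IPv4 only here): prefix/prefixlen, maxlen and source AS. */
struct roa {
	uint32_t prefix;	/* host byte order */
	uint8_t  prefixlen;
	uint8_t  maxlen;	/* == prefixlen when no maxlen is given */
	uint32_t source_as;
};

static uint32_t
netmask(uint8_t len)
{
	return len == 0 ? 0 : (uint32_t)(0xffffffffU << (32 - len));
}

/* RFC 6811 "covered": the route lies inside the ROA prefix (maxlen not considered). */
static int
roa_covers(const struct roa *r, uint32_t prefix, uint8_t plen)
{
	return plen >= r->prefixlen &&
	    (prefix & netmask(r->prefixlen)) == (r->prefix & netmask(r->prefixlen));
}

/*
 * Origin validation state of prefix/plen announced by 'as': valid if some
 * covering ROA has the same source AS and plen <= maxlen, invalid if the
 * route is covered but nothing matches, not-found if no ROA covers it.
 */
enum ovs
roa_validate(const struct roa *set, size_t n, uint32_t prefix,
    uint8_t plen, uint32_t as)
{
	size_t i;
	int covered = 0;

	for (i = 0; i < n; i++) {
		if (!roa_covers(&set[i], prefix, plen))
			continue;
		covered = 1;
		if (plen <= set[i].maxlen && set[i].source_as == as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

/*
 * Merge entries with the same prefix and source-as in place, keeping the
 * longest maxlen (the one covering all the others). Returns the new count.
 */
size_t
roa_merge(struct roa *set, size_t n)
{
	size_t i, j, out = 0;

	for (i = 0; i < n; i++) {
		for (j = 0; j < out; j++) {
			if (set[j].prefix == set[i].prefix &&
			    set[j].prefixlen == set[i].prefixlen &&
			    set[j].source_as == set[i].source_as) {
				if (set[i].maxlen > set[j].maxlen)
					set[j].maxlen = set[i].maxlen;
				break;
			}
		}
		if (j == out)
			set[out++] = set[i];
	}
	return out;
}

/* The roa-set from the 1.361 commit message, as constructed sample data. */
static const struct roa sample_set[] = {
	{ 0xa5feff00, 24, 24, 15562 },	/* 165.254.255.0/24 source-as 15562 */
	{ 0xc1000000, 21, 24, 3333 },	/* 193.0.0.0/21 maxlen 24 source-as 3333 */
};

enum ovs
sample_validate(uint32_t prefix, uint8_t plen, uint32_t as)
{
	return roa_validate(sample_set, 2, prefix, plen, as);
}

/* Three duplicate 193.0.0.0/21 AS3333 entries collapse to one with maxlen 24. */
uint8_t
sample_merged_maxlen(void)
{
	struct roa dup[] = {
		{ 0xc1000000, 21, 21, 3333 },
		{ 0xc1000000, 21, 24, 3333 },
		{ 0xc1000000, 21, 22, 3333 },
	};

	return roa_merge(dup, 3) == 1 ? dup[0].maxlen : 0;
}
```

Note the distinction the filter rules rely on: a more specific announced beyond maxlen by the right AS is "invalid", not "not-found", because the ROA still covers it.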


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@
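The bsearch-backed set described here and generalised in revision 1.353 above (objects of any size, first member a 32-bit key), as an added example in C that is not bgpd's code: entries are appended, the array is sorted once when dirty, and as_set_match() binary-searches it and returns a pointer to the stored object or NULL. The as_entry payload, the bogon-style sample set and all names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Any object type may be stored as long as its first member is the 32-bit
 * key; this constructed entry carries a per-AS deny flag as payload.
 */
struct as_entry {
	uint32_t as;		/* key, must be first */
	uint32_t deny;		/* 1 = deny, 0 = allow */
};

struct as_set {
	void	*data;
	size_t	 nmemb;
	size_t	 size;		/* size of one object */
	int	 dirty;		/* entries were added since the last sort */
};

/* Compare the leading uint32_t of two objects; bsearch passes a bare key as 'a'. */
static int
as_set_cmp(const void *a, const void *b)
{
	uint32_t ka, kb;

	memcpy(&ka, a, sizeof(ka));
	memcpy(&kb, b, sizeof(kb));
	return ka < kb ? -1 : ka > kb;
}

/* Append one object; all objects in a set must have the same size. No duplicate check. */
int
as_set_add(struct as_set *s, const void *obj, size_t size)
{
	void *n;

	if (s->nmemb == 0)
		s->size = size;
	else if (s->size != size)
		return -1;
	n = realloc(s->data, (s->nmemb + 1) * size);
	if (n == NULL)
		return -1;
	s->data = n;
	memcpy((char *)s->data + s->nmemb * size, obj, size);
	s->nmemb++;
	s->dirty = 1;
	return 0;
}

/* Sort once after the last add, then every lookup is a binary search. */
void *
as_set_match(struct as_set *s, uint32_t as)
{
	if (s->dirty) {
		qsort(s->data, s->nmemb, s->size, as_set_cmp);
		s->dirty = 0;
	}
	return bsearch(&as, s->data, s->nmemb, s->size, as_set_cmp);
}

void
as_set_free(struct as_set *s)
{
	free(s->data);
	s->data = NULL;
	s->nmemb = s->size = 0;
	s->dirty = 0;
}

/*
 * Look up 'as' in a constructed bogon-style set: returns the entry's deny
 * flag, or -1 when the AS is not in the set.
 */
int
sample_as_lookup(uint32_t as)
{
	struct as_set s = { NULL, 0, 0, 0 };
	struct as_entry e, *hit;
	uint32_t bogons[] = { 65535, 23456, 0, 4294967295U, 64512 };
	size_t i;
	int ret = -1;

	for (i = 0; i < sizeof(bogons) / sizeof(bogons[0]); i++) {
		e.as = bogons[i];
		e.deny = 1;
		if (as_set_add(&s, &e, sizeof(e)) == -1)
			goto out;
	}
	hit = as_set_match(&s, as);
	if (hit != NULL)
		ret = (int)hit->deny;
out:
	as_set_free(&s);
	return ret;
}
```

Sorting lazily on the first lookup keeps adds O(1) while the config is parsed; once sorted, each match is O(log n) regardless of object size.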


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this, be more aggressive when announcing our
capabilities and enable all of them by default. If there is trouble with
some neighbors, adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they cannot be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manually keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
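An added example, not bgpd's code, of the secrecy check this commit describes: the config file carries TCP-MD5 and IPsec keys, so it must be a regular file owned by root or the invoking user with no group or world permission bits. The check is done on the already-open descriptor so that a rename between a stat() on the path and the later open() cannot swap files underneath it; O_NOFOLLOW additionally refuses a symlink in place of the file. The function names and the demo helper are assumptions for this example.

```c
/* Added example (not bgpd's code): refuse a configuration file that is
 * group/world accessible or not owned by root or the invoking user. */
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* portability fallback for strict -std builds */
#endif

/* 0 if the open descriptor refers to an acceptable secret-bearing file,
 * -1 otherwise with errno set (EPERM for ownership/permission problems). */
int check_config_fd(int fd) {
	struct stat st;

	if (fstat(fd, &st) == -1)
		return -1;
	if (!S_ISREG(st.st_mode)) {           /* no devices, FIFOs, directories */
		errno = EPERM;
		return -1;
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		errno = EPERM;                    /* wrong owner */
		return -1;
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		errno = EPERM;                    /* group or world can read/write/exec */
		return -1;
	}
	return 0;
}

/* Open path read-only and validate it; returns the fd or -1. */
int open_config(const char *path) {
	int fd = open(path, O_RDONLY | O_NOFOLLOW);

	if (fd == -1)
		return -1;
	if (check_config_fd(fd) == -1) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	return fd;
}

/* Demo helper: create a temporary file with the given mode (constructed
 * input) and report 1 if the check accepts it, 0 if it rejects it. */
int mode_is_acceptable(mode_t mode) {
	char tmpl[] = "/tmp/bgpd.conf.XXXXXX";
	int fd = mkstemp(tmpl);
	int ok;

	if (fd == -1)
		return -1;
	ok = (fchmod(fd, mode) == 0 && check_config_fd(fd) == 0);
	close(fd);
	unlink(tmpl);
	return ok;
}
```

Running the check under `bgpd -n` as an unprivileged user still works because the owner test accepts the invoking uid, not only root.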


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
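An added example, not bgpd's str2key(), that ties together the key-handling commits in this log: a hex key and an ascii password both end up in a fixed-size buffer with an explicit length field (strlen() cannot be used because a hex key may contain NUL bytes), odd-length or non-hex input is rejected, and over-long input is reported rather than silently truncated, with the bound written so that exactly the maximum length still passes. The 80-byte limit and all names here are assumptions for this example, not bgpd's constants.

```c
/* Added example (not bgpd's code): parse "tcp md5sig key <hex>" and
 * "tcp md5sig password <ascii>" arguments into a length-tagged key buffer. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MD5KEY_MAX 80                 /* assumed maximum key length in bytes */

struct md5key {
	uint8_t	key[MD5KEY_MAX];
	size_t	len;                  /* explicit length: key bytes may be NUL */
};

/* One hex digit to its value, or -1 for anything that is not a hex digit. */
static int nibble(char c) {
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Hex form: two digits per key byte. 0 on success, -1 on any error.
 * Length is checked before anything is written into the buffer. */
int key_from_hex(const char *s, struct md5key *k) {
	size_t n = strlen(s);

	if (n == 0 || n % 2 != 0 || n / 2 > MD5KEY_MAX)
		return -1;
	for (size_t i = 0; i < n; i += 2) {
		int hi = nibble(s[i]), lo = nibble(s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = n / 2;
	return 0;
}

/* ASCII form for router interop: the string's bytes are the key, which
 * shrinks the key space to printable characters. Rejects over-long input
 * instead of truncating; "> MD5KEY_MAX" so a key of exactly 80 bytes passes. */
int key_from_password(const char *s, struct md5key *k) {
	size_t n = strlen(s);

	if (n == 0 || n > MD5KEY_MAX)
		return -1;
	memcpy(k->key, s, n);
	k->len = n;
	return 0;
}

/* Demo helpers returning the parsed length (or -1) and a single key byte. */
long hex_key_len(const char *s) {
	struct md5key k;
	return key_from_hex(s, &k) == 0 ? (long)k.len : -1;
}
long pw_key_len(const char *s) {
	struct md5key k;
	return key_from_password(s, &k) == 0 ? (long)k.len : -1;
}
int hex_key_byte(const char *s, size_t i) {
	struct md5key k;
	if (key_from_hex(s, &k) == -1 || i >= k.len)
		return -1;
	return k.key[i];
}

/* Off-by-one probe: MD5KEY_MAX bytes must pass, MD5KEY_MAX + 1 must fail. */
int boundary_ok(void) {
	char buf[MD5KEY_MAX + 2];

	memset(buf, 'a', MD5KEY_MAX + 1);
	buf[MD5KEY_MAX + 1] = '\0';
	if (pw_key_len(buf) != -1)
		return 0;
	buf[MD5KEY_MAX] = '\0';
	return pw_key_len(buf) == MD5KEY_MAX;
}
```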


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.424 23-May-2022 deraadt

whitespaces found when I went checking for something else


Revision tags: OPENBSD_7_1_BASE
# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
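An added example, not bgpd's code, of the bug this commit fixes: memcmp() compares the raw bytes of a struct of integers, so on a little-endian host the low-order byte decides first and 256 (stored 00 01 00 00) sorts before 1 (01 00 00 00), while on a big-endian host the order matches numeric order. The field-wise comparator gives the same order everywhere. The struct layout and helper names are assumptions for this example, not bgpd's community representation.

```c
/* Added example (not bgpd's code): endianness-dependent memcmp() ordering
 * versus a portable field-by-field comparator, for use with qsort(). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for the example; bgpd's struct differs. */
struct community {
	uint32_t flags;
	uint32_t data1;
	uint32_t data2;
	uint32_t data3;
};

/* Wrong: the host byte order leaks into the sort order. */
int community_cmp_memcmp(const void *a, const void *b) {
	return memcmp(a, b, sizeof(struct community));
}

/* Right: compare the integer fields in native order, most significant first. */
int community_cmp(const void *a, const void *b) {
	const struct community *ca = a, *cb = b;

	if (ca->flags != cb->flags) return ca->flags < cb->flags ? -1 : 1;
	if (ca->data1 != cb->data1) return ca->data1 < cb->data1 ? -1 : 1;
	if (ca->data2 != cb->data2) return ca->data2 < cb->data2 ? -1 : 1;
	if (ca->data3 != cb->data3) return ca->data3 < cb->data3 ? -1 : 1;
	return 0;
}

/* Demo: compare two communities differing only in data1. */
int cmp_values(uint32_t a, uint32_t b) {
	struct community ca = { 0, a, 0, 0 }, cb = { 0, b, 0, 0 };
	return community_cmp(&ca, &cb);
}

/* Sort a constructed set with the given comparator and return the first
 * data1. The portable comparator yields 1 everywhere; memcmp() yields
 * 65536 on little-endian hosts (bytes 00 00 01 00 sort lowest) and 1 on
 * big-endian hosts. */
uint32_t first_after_sort(int (*cmp)(const void *, const void *)) {
	struct community set[3] = {
		{ 0, 256,   0, 0 },
		{ 0, 1,     0, 0 },
		{ 0, 65536, 0, 0 },
	};

	qsort(set, 3, sizeof(set[0]), cmp);
	return set[0].data1;
}

int host_is_little_endian(void) {
	uint32_t x = 1;
	return *(const unsigned char *)&x == 1;
}
```

The regress test mentioned in the commit compares printed config output across architectures; a comparator that only "happens" to sort correctly on i386 passes there until the first big-endian run, which is why comparing fields rather than bytes is the right fix and not a tweak to the expected output.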


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
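As an added illustration (example code, not bgpd's own C/yacc implementation), the roa-set from the commit message above loaded into a lookup table and used to compute the origin validation state of a route; duplicate prefix/source-as entries are merged keeping the longest maxlen, as rev 1.405 later describes. The third roa-set line is a constructed duplicate to exercise that merge.

```python
"""Origin validation (valid / invalid / not-found) over a bgpd-style roa-set.

Added example, not code from bgpd.  The roa-set text is the one quoted in the
commit message, plus one constructed duplicate entry to show the merge.
"""
import ipaddress
import re

# Constructed input: the two entries from the commit message plus a duplicate
# of the 193.0.0.0/21 entry with a shorter maxlen (merged away on load).
ROA_SET_TEXT = """
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
    193.0.0.0/21 maxlen 22 source-as 3333
}
"""

# one roa-set entry: <prefix>/<len> [maxlen N] source-as <asn>
_ENTRY = re.compile(r"^(\S+/\d+)(?:\s+maxlen\s+(\d+))?\s+source-as\s+(\d+)$")


def parse_roa_set(text):
    """Return {(network, source_as): maxlen}.

    Entries for the same prefix / source-as pair are merged and the longest
    maxlen is kept, since that VRP covers all the others.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("roa-set") or line == "}":
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("cannot parse roa-set entry: %r" % line)
        net = ipaddress.ip_network(m.group(1), strict=True)
        source_as = int(m.group(3))
        # maxlen defaults to the prefix length when it is omitted
        maxlen = int(m.group(2)) if m.group(2) else net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError("maxlen out of range in %r" % line)
        key = (net, source_as)
        table[key] = max(maxlen, table.get(key, 0))
    return table


def ovs(table, prefix, origin_as):
    """Origin validation state of a route announced with origin_as.

    not-found: no ROA covers the prefix.
    valid:     a covering ROA has the same source-as and the route is not
               more specific than its maxlen.
    invalid:   covered, but no ROA matches (wrong AS or too specific).
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for (net, source_as), maxlen in table.items():
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if source_as == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    roas = parse_roa_set(ROA_SET_TEXT)
    for prefix, asn in [("193.0.2.0/24", 3333), ("193.0.2.0/25", 3333),
                        ("193.0.0.0/21", 65000), ("10.0.0.0/8", 3333)]:
        print(prefix, "AS", asn, "->", ovs(roas, prefix, asn))
```

Under the rules quoted in the commit message, "invalid" routes would be denied and "valid" / "not-found" routes tagged with local-as:42 and local-as:43 respectively.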


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer a little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.423 15-Mar-2022 claudio

Change how $macros are expanded in the config.

Expand $macros not only at the start of a yacc token but also inside STRING
elements. STRING elements are used e.g. for community specifications and
it makes sense to allow $FOO:$BAR to correctly expand. There is no expansion
of macros in quoted strings (both single and double quotes).

Factor out the macro expand logic and with this introduce its own lookup
buffer for the macro name. For expansion to work inside STRING the char
after the macro name must be a character not allowed in macro names (not
alpha-numerical or '_').

Add extra checks to set variables. Mainly restrict length of the name and
also make sure it does not include not allowed characters.
OK tb@


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for session using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and the flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@
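The wildcard and expand semantics described in this commit (a rule such as 'rt *' being deliberately underspecified with respect to the wire type, and an expanded local-as/neighbor-as defaulting to the 4-byte AS encoding) are easier to see in running code. The block below is an added example written for this page; it is not bgpd's parser or RDE code. It assumes constructed session values (LOCAL_AS 65001, NEIGHBOR_AS 64512), the transitive type bytes from RFC 4360/5668 for the three AS/IP-specific encodings, and only the rt and soo subtypes (the ovs keyword from the message is left out).

```python
import ipaddress
import struct

# Transitive type bytes from RFC 4360 (2-octet AS, IPv4) and RFC 5668
# (4-octet AS); subtypes for route target and site of origin.
TYPE_AS2 = 0x00
TYPE_IP4 = 0x01
TYPE_AS4 = 0x02
SUBTYPE = {"rt": 0x02, "soo": 0x03}

# Constructed session values that 'local-as' / 'neighbor-as' expand to
# (assumed for this example).
LOCAL_AS = 65001
NEIGHBOR_AS = 64512


def expand(tok):
    """Turn one side of an 'admin:local' value into a concrete value.
    Returns (value, expanded); value None means the '*' wildcard."""
    if tok == "*":
        return None, False
    if tok == "local-as":
        return LOCAL_AS, True
    if tok == "neighbor-as":
        return NEIGHBOR_AS, True
    if "." in tok:
        return str(ipaddress.IPv4Address(tok)), False
    return int(tok), False


def parse_rule(text):
    """Parse the argument of 'ext-community', e.g. 'rt 65001:local-as',
    'soo 1.2.3.4:*' or '* *', into a dict. None fields are wildcards."""
    kind, _, value = text.strip().partition(" ")
    rule = {"kind": None if kind == "*" else kind, "admin": None,
            "local": None, "expanded": False}
    if value.strip() in ("", "*"):
        return rule
    admin, local = value.strip().split(":")
    rule["admin"], ea = expand(admin)
    rule["local"], el = expand(local)
    rule["expanded"] = ea or el
    return rule


def encode_set(rule):
    """Wire-encode a fully specified rule the way 'set ext-community' would.
    IP admin -> IPv4 type; an expanded local-as/neighbor-as admin defaults to
    the 4-byte AS type (as the commit states); otherwise 2-byte AS if it fits."""
    if None in (rule["kind"], rule["admin"], rule["local"]):
        raise ValueError("wildcards cannot be set")
    sub = SUBTYPE[rule["kind"]]
    admin, local = rule["admin"], rule["local"]
    if isinstance(admin, str):
        return struct.pack("!BB4sH", TYPE_IP4, sub,
                           ipaddress.IPv4Address(admin).packed, local)
    if rule["expanded"] or admin > 0xFFFF:
        return struct.pack("!BBIH", TYPE_AS4, sub, admin, local)
    return struct.pack("!BBHI", TYPE_AS2, sub, admin, local)


def decode(raw):
    """Split 8 wire bytes into (type, subtype, admin, local) for the three
    AS/IP specific encodings; any other type returns None."""
    typ, sub = raw[0], raw[1]
    if typ == TYPE_AS2:
        admin, local = struct.unpack("!HI", raw[2:])
    elif typ == TYPE_AS4:
        admin, local = struct.unpack("!IH", raw[2:])
    elif typ == TYPE_IP4:
        admin = str(ipaddress.IPv4Address(raw[2:6]))
        local = struct.unpack("!H", raw[6:])[0]
    else:
        return None
    return typ, sub, admin, local


def matches(rule, raw):
    """Match one community against a rule. The wire type is deliberately
    not compared: 'rt *' or 'rt local-as:11111' is underspecified and
    matches the 2-byte AS, 4-byte AS and IPv4 encodings alike."""
    dec = decode(raw)
    if dec is None:
        return False
    _, sub, admin, local = dec
    if rule["kind"] is not None and SUBTYPE[rule["kind"]] != sub:
        return False
    if rule["admin"] is not None and rule["admin"] != admin:
        return False
    if rule["local"] is not None and rule["local"] != local:
        return False
    return True


def delete_matching(rule, communities):
    """'set ext-community delete <rule>': drop every matching community."""
    return [c for c in communities if not matches(rule, c)]
```

Note that 'rt local-as:11111' matches a community that was encoded as 2-byte AS 65001:11111 as well as one encoded as 4-byte AS, which is the underspecified matching the commit warns about; only when the same rule is used in a set action does the encoding default to the 4-byte AS type.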


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than
one community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since the prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
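Revision 1.361 above introduces the roa-set table and the ovs valid / invalid / not-found filter states, and this revision explains that a ROA's maxlen is just a prefixlen range with an upper limit. The following block is an added example for both, written for this page and not taken from bgpd: it parses the roa-set block syntax shown in revs 1.356 and 1.361 (with or without the optional trailing commas), runs RFC 6811 origin validation over it, and applies the three filter rules from rev 1.361. The roa-set contents, the local AS 65000 used for the community tags and the AS 0 entry are constructed for the example.

```python
import ipaddress

# Constructed roa-set blocks in the syntax from revs 1.356 and 1.361.
ROA_SET = """roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}"""

# Second constructed set: an AS 0 entry (nothing may originate it) and an IPv6 entry.
ROA_SET_AS0 = """roa-set "test2" {
    10.0.0.0/8 source-as 0,
    2001:db8::/32 maxlen 48 source-as 64496
}"""


def parse_roa_set(text):
    """Parse a roa-set block into a list of (network, maxlen, source_as).
    'maxlen N' means the same as 'prefixlen <len> - N' (rev 1.351): the entry
    covers the prefix itself and any more-specific down to /N. Without a
    maxlen only the exact prefix length is authorised."""
    roas = []
    body = text[text.index("{") + 1:text.rindex("}")]
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        tokens = line.split()
        net = ipaddress.ip_network(tokens[0])
        maxlen, source_as, i = net.prefixlen, None, 1
        while i < len(tokens):
            if tokens[i] == "maxlen":
                maxlen = int(tokens[i + 1])
            elif tokens[i] == "source-as":
                source_as = int(tokens[i + 1])
            else:
                raise ValueError("unexpected token %r in %r" % (tokens[i], line))
            i += 2
        if source_as is None or not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError("bad roa entry: %r" % line)
        roas.append((net, maxlen, source_as))
    return roas


def validate(roas, prefix, origin_as):
    """RFC 6811 origin validation state for a (prefix, origin AS) pair."""
    prefix = ipaddress.ip_network(prefix)
    # A ROA covers the route when the announced prefix lies inside the ROA
    # prefix, regardless of maxlen.
    covering = [r for r in roas
                if r[0].version == prefix.version and prefix.subnet_of(r[0])]
    if not covering:
        return "not-found"
    # It matches when in addition the origin AS agrees and the announced
    # length does not exceed maxlen.
    for net, maxlen, source_as in covering:
        if source_as == origin_as and prefix.prefixlen <= maxlen:
            return "valid"
    # Covered by at least one ROA but matched by none. An AS 0 ROA yields
    # this for every origin, since no real route originates in AS 0.
    return "invalid"


# The three rules from rev 1.361: deny invalid, tag valid with local-as:42
# and not-found with local-as:43.
POLICY = {"invalid": None, "valid": 42, "not-found": 43}


def apply_policy(roas, prefix, origin_as, local_as=65000):
    """Return the 'local-as:N' community a route is tagged with, or None
    when 'deny from any ovs invalid' drops it."""
    state = validate(roas, prefix, origin_as)
    if POLICY[state] is None:
        return None
    return "%d:%d" % (local_as, POLICY[state])
```

The distinction between covering and matching is the part operators most often get wrong: a /25 announced from the correct AS under a ROA for the /24 with no maxlen is covered but not matched, so it is invalid rather than not-found, which is exactly the case where an over-long announcement gets dropped by the deny rule.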


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
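Two AS-path operations described in this log are worth seeing side by side: the max-as-len / max-as-seq filters from this commit and the as-override filter set from rev 1.369 (the neighbor's AS rewritten to the local AS so that a private AS reused at several sites does not trip loop detection). The block below is an added example written for this page, not bgpd's RDE code. It treats the AS path as a flat AS_SEQUENCE list, uses a minimal first-match rule format of its own invention, and constructs its sample paths with AS 64512 (private, two customer sites) and AS 3333 (the transit provider).

```python
def max_as_seq(path):
    """Longest run of the same AS number repeated back to back (a prepend).
    Returns 0 for an empty path."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def match_max_as_len(path, limit):
    """'max-as-len N' matches when the path is longer than N."""
    return len(path) > limit


def match_max_as_seq(path, limit):
    """'max-as-seq N' matches when one AS repeats more than N times in a row."""
    return max_as_seq(path) > limit


def loop_detected(path, my_as):
    """Ordinary AS-path loop detection: drop if our own AS is already present."""
    return my_as in path


def as_override(path, neighbor_as, local_as):
    """'set { as-override }' applied on input from a neighbor: every
    occurrence of the neighbor's AS is replaced by the local AS."""
    return [local_as if asn == neighbor_as else asn for asn in path]


def filter_path(path, rules):
    """Evaluate a tiny first-match ruleset of (action, kind, limit) tuples,
    e.g. [("deny", "max-as-seq", 8), ("deny", "max-as-len", 50),
    ("allow", None, None)]. A rule with kind None matches everything.
    A path matching no rule is denied (default deny)."""
    for action, kind, limit in rules:
        if kind is None:
            return action
        if kind == "max-as-len" and match_max_as_len(path, limit):
            return action
        if kind == "max-as-seq" and match_max_as_seq(path, limit):
            return action
    return "deny"


def transit_to_site_b(path_from_site_a, provider_as, site_as, override):
    """What the provider (provider_as) re-announces to a second site that
    also uses site_as: optionally override on input, then prepend itself."""
    inbound = as_override(path_from_site_a, site_as, provider_as) if override \
        else list(path_from_site_a)
    return [provider_as] + inbound
```

Without as-override the second site sees its own AS 64512 in the path and discards the route; with it the path is all provider AS, which is precisely why rev 1.369 warns that such setups need filters to guard against accepting one's own routes back.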


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio
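
An added neighbor configuration (not from either commit and not from bgpd's own sources) that combines the TTL security hack from the 1.198 entry above (GTSM, RFC 3682) with the max-prefix restart knob from the 1.192 entry. Addresses, AS numbers, limits and the secret are made-up values; the keyword spelling follows bgpd.conf(5):

```conf
# Added example, not from the commits or the bgpd source tree.
AS 65000

neighbor 192.0.2.1 {
	descr		"upstream-1"
	remote-as	65001
	local-address	192.0.2.2

	# GTSM (RFC 3682): the peer sends with TTL 255 and we only accept
	# segments that still carry TTL 255, so only a directly connected
	# host can talk to the session; packets spoofed from further away
	# have had their TTL decremented and are dropped. Do not combine
	# with multihop, which is exactly the case GTSM cannot protect.
	ttl-security	yes

	# Tear the session down once the peer has sent more than 1000
	# prefixes (assumed limit) and bring it back automatically after
	# 15 minutes instead of leaving it down until an operator notices.
	max-prefix	1000 restart 15

	# TCP MD5 signature option (RFC 2385): a third party that does not
	# hold the secret cannot inject or reset segments on this session.
	tcp md5sig password "replace-me-with-a-real-secret"
}
```

Both sides must agree on ttl-security and the md5 secret, otherwise the session never leaves the connect/active states; the restart timer only helps against a temporary prefix burst, a peer that persistently leaks a full table will simply flap every 15 minutes, which is still the safer failure mode.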


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the SAFIs to be announced to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning
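
An added configuration (not from the commits and not from bgpd's own sources) that ties the pftable filter option above to the "set nexthop blackhole" action from the 1.118 entry further down, the Cymru bogon route-server use case mentioned there. The route-server address, its AS and the table name are assumptions; the filter set keywords follow bgpd.conf(5):

```conf
# Added example, not from the commits or the bgpd source tree.
# bgpd.conf part: everything learned from the bogon feed becomes a kernel
# blackhole route AND is pushed into pf table <bogons>.
bogon_rs="192.0.2.53"

neighbor $bogon_rs {
	descr		"bogon-route-server"
	remote-as	65333	# assumed AS of the feed
}

# Last matching rule wins; the match rule only adds a set to routes that an
# earlier allow accepted from the route server.
allow from $bogon_rs
match from $bogon_rs set { nexthop blackhole pftable "bogons" }

# pf.conf part (separate file): the table must already exist when bgpd
# loads its config, bgpd verifies this at load time unless run with -n,
# and the check needs root.
#   table <bogons> persist
#   block in quick from <bogons>
#   block out quick to <bogons>
```

The blackhole next hop protects the box itself (traffic to those prefixes is discarded in the kernel); the pf table additionally stops packets *from* bogon sources, which the routing table alone cannot do. Outbound filtering toward real peers is a separate concern and must not let these prefixes leak as if they were the box's own routes.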


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
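
Both checks from this entry, as an added example rather than bgpd's own code: the leftmost AS of the AS_PATH must equal the eBGP neighbor's AS, and the IPv4 nexthop must lie outside class D, class E and 127/8. The AS_PATH layout assumed here is the 4-byte-AS wire form (segment type, segment length in ASes, then 32-bit big-endian AS numbers); the function names and the sample path are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AS_SET		1
#define AS_SEQUENCE	2

/*
 * Leftmost AS of an AS_PATH attribute body. Returns 0, which is never
 * a legitimate neighbor AS, when the path is empty, truncated, or
 * starts with an AS_SET (a set has no first hop to enforce on).
 */
uint32_t
aspath_leftmost_as(const uint8_t *path, size_t len)
{
	uint32_t as;

	if (len < 2 || path[0] != AS_SEQUENCE || path[1] == 0)
		return 0;
	if (len < 2 + (size_t)path[1] * 4)
		return 0;	/* segment claims more ASes than present */
	memcpy(&as, path + 2, sizeof(as));
	return ntohl(as);
}

/* "enforce neighbor-as yes": the eBGP neighbor must be the first hop. */
int
aspath_neighbor_ok(const uint8_t *path, size_t len, uint32_t neighbor_as)
{
	uint32_t first = aspath_leftmost_as(path, len);

	return first != 0 && first == neighbor_as;
}

/*
 * Reject nexthops in class D (224/4), class E (240/4) and 127/8.
 * addr is in host byte order.
 */
int
nexthop_valid(uint32_t addr)
{
	if ((addr & 0xf0000000U) == 0xe0000000U)	/* class D */
		return 0;
	if ((addr & 0xf0000000U) == 0xf0000000U)	/* class E */
		return 0;
	if ((addr & 0xff000000U) == 0x7f000000U)	/* 127/8 */
		return 0;
	return 1;
}

/* Constructed samples: AS_SEQUENCE 65001 65002 65003, and a lone AS_SET. */
const uint8_t sample_aspath[] = {
	AS_SEQUENCE, 3,
	0x00, 0x00, 0xfd, 0xe9,
	0x00, 0x00, 0xfd, 0xea,
	0x00, 0x00, 0xfd, 0xeb
};
const size_t sample_aspath_len = sizeof(sample_aspath);
const uint8_t sample_asset[] = { AS_SET, 1, 0x00, 0x00, 0xfd, 0xe9 };
const size_t sample_asset_len = sizeof(sample_asset);
```

The length check before the memcpy() is the part worth copying: the segment length byte comes from the peer, so it must be bounded by the attribute length that was actually received before any AS is read from it.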


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
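
An added example of the check this entry introduces (not bgpd's own code): the configuration file carries tcp md5sig and, later, ipsec keys, so it is refused unless it is a regular file owned by root or the invoking user with no group or world permission bits. The ownership rule and the function names are assumptions for this illustration; the check runs on the open descriptor so that the file validated is the one that is then parsed.

```c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Check the already-open descriptor rather than the path, so there is
 * no window between a stat() and the open() in which the file could be
 * swapped. Returns 0 if the file is acceptably private, -1 otherwise.
 */
int
check_file_secrecy(int fd)
{
	struct stat st;

	if (fstat(fd, &st) == -1)
		return -1;
	if (!S_ISREG(st.st_mode))
		return -1;		/* not a regular file */
	if (st.st_uid != 0 && st.st_uid != getuid())
		return -1;		/* wrong owner */
	if (st.st_mode & (S_IRWXG | S_IRWXO))
		return -1;		/* group or world has some access */
	return 0;
}

/* Open a config file and apply the secrecy check; -1 on any failure. */
int
open_config(const char *path)
{
	int fd;

	if ((fd = open(path, O_RDONLY)) == -1)
		return -1;
	if (check_file_secrecy(fd) == -1) {
		close(fd);
		return -1;
	}
	return fd;
}

/*
 * Self-test on a constructed temporary file: mode 0600 passes, while
 * 0640 and 0644 are rejected. Returns 0 when every case behaves.
 */
int
secrecy_selftest(void)
{
	char path[] = "/tmp/secrecy.XXXXXX";
	int fd, rc = -1;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (fchmod(fd, 0600) == 0 && check_file_secrecy(fd) == 0 &&
	    fchmod(fd, 0640) == 0 && check_file_secrecy(fd) == -1 &&
	    fchmod(fd, 0644) == 0 && check_file_secrecy(fd) == -1)
		rc = 0;
	close(fd);
	unlink(path);
	return rc;
}
```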


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning so that 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.422 23-Feb-2022 claudio

Make it possible to bind and connect to non-default ports. This is mainly
for testing. Using alternate ports does not work for sessions using ipsec.
OK tb@ deraadt@


# 1.421 22-Feb-2022 claudio

Convert parse.y to use stdint.h types uintX_t instead of u_intX_t
OK tb@


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
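
An added example (not bgpd's own code) of the portability point in this entry: a comparator built on memcmp() orders a struct of integers by their in-memory bytes, which matches numeric order only on big-endian hosts, while a field-by-field comparison orders the same on every machine. The struct layout and function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <string.h>

struct community {
	uint32_t	flags;
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

/* The old comparison: byte order of the host decides the result. */
int
community_cmp_bytes(const struct community *a, const struct community *b)
{
	return memcmp(a, b, sizeof(*a));
}

/* The portable comparison: each field in native integer order. */
int
community_cmp(const struct community *a, const struct community *b)
{
	if (a->flags != b->flags)
		return a->flags > b->flags ? 1 : -1;
	if (a->data1 != b->data1)
		return a->data1 > b->data1 ? 1 : -1;
	if (a->data2 != b->data2)
		return a->data2 > b->data2 ? 1 : -1;
	if (a->data3 != b->data3)
		return a->data3 > b->data3 ? 1 : -1;
	return 0;
}

int
host_is_big_endian(void)
{
	const uint32_t probe = 1;

	return ((const unsigned char *)&probe)[0] == 0;
}

/*
 * 1 when both comparators agree on the pair data1 = 1 versus
 * data1 = 256. On a little-endian host the first byte of 1 is 0x01
 * and of 256 is 0x00, so memcmp() sorts 256 before 1 and the two
 * disagree; on a big-endian host the bytes are 00 00 00 01 versus
 * 00 00 01 00 and they agree.
 */
int
orderings_agree(void)
{
	struct community a = { 0, 1, 0, 0 }, b = { 0, 256, 0, 0 };

	return (community_cmp_bytes(&a, &b) < 0) ==
	    (community_cmp(&a, &b) < 0);
}
```

memcmp() is only safe as a comparator for byte strings, or for structs that are already in a fixed network byte order and contain no padding; anything holding native integers needs the field-wise version.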


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
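
The validation the three filter rules above act on, as an added example written for this page (not bgpd's own RDE code): RFC 6811 route origin validation over the two ROAs from the roa-set shown in this entry. A ROA covers an announced prefix when the prefix lies inside the ROA prefix; among covering ROAs, one with a matching source-as whose maxlen is not exceeded makes the route valid, covering ROAs with no such match make it invalid, and no covering ROA at all gives not-found. A prefix shorter than the ROA prefix is not covered, which is why a /20 against a /21 ROA is not-found rather than invalid. Because any one valid match wins, overlapping entries for the same prefix and source-as only need the one with the longest maxlen kept, the merge rule revision 1.405 above describes. The table layout and the function names are assumptions.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

struct roa {
	uint32_t	prefix;		/* host byte order */
	uint8_t		prefixlen;
	uint8_t		maxlen;		/* equals prefixlen when not given */
	uint32_t	source_as;
};

/*
 * roa-set {
 *	165.254.255.0/24 source-as 15562
 *	193.0.0.0/21 maxlen 24 source-as 3333
 * }
 */
static const struct roa roa_set[] = {
	{ 0xa5feff00U, 24, 24, 15562 },
	{ 0xc1000000U, 21, 24, 3333 },
};

static uint32_t
prefix_mask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

enum ovs
roa_validate(const struct roa *set, size_t n, uint32_t prefix,
    uint8_t prefixlen, uint32_t origin_as)
{
	enum ovs state = OVS_NOTFOUND;
	size_t i;

	for (i = 0; i < n; i++) {
		const struct roa *r = &set[i];

		/* covering: route is at least as long and inside the ROA */
		if (prefixlen < r->prefixlen)
			continue;
		if ((prefix & prefix_mask(r->prefixlen)) !=
		    (r->prefix & prefix_mask(r->prefixlen)))
			continue;
		if (r->source_as == origin_as && prefixlen <= r->maxlen)
			return OVS_VALID;
		state = OVS_INVALID;	/* covered, but by no matching ROA */
	}
	return state;
}

/* Wrapper taking a dotted quad; returns an enum ovs, or -1 on bad input. */
int
ovs_lookup(const char *dotted, uint8_t prefixlen, uint32_t origin_as)
{
	struct in_addr in;

	if (prefixlen > 32 || inet_pton(AF_INET, dotted, &in) != 1)
		return -1;
	return roa_validate(roa_set, sizeof(roa_set) / sizeof(roa_set[0]),
	    ntohl(in.s_addr), prefixlen, origin_as);
}
```

With the rules from the entry, "deny from any ovs invalid" drops the OVS_INVALID outcomes, while OVS_NOTFOUND routes are kept and merely tagged, so an operator rolling out ROAs for a prefix must publish the longest legitimately announced length as maxlen or the more specifics flip from not-found to invalid.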


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@

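An added Python model of the RPKI origin validation states described in the 1.361 entry above (valid / invalid / not-found, as driven by the `ovs` filter keyword) and of the `maxlen` shorthand from 1.351 (`prefix P maxlen N` is the prefixlen range `LEN(P) - N`). This is example code written for this page, not bgpd's own parser or RDE code; the roa-set body it parses is constructed from the two entries quoted in the 1.361 log message.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    """One roa-set entry: a prefix, the longest allowed prefixlen, and the AS
    permitted to originate it (constructed model, not bgpd's own structs)."""
    prefix: IPNetwork
    maxlen: int
    source_as: int


def parse_roa_set(body: str) -> List[Roa]:
    """Parse the lines inside a 'roa-set { ... }' block.

    Each entry is 'PREFIX [maxlen N] source-as ASN'; commas, comments and
    blank lines are ignored.  A missing maxlen means the prefix may only be
    announced at exactly its own length, which is why 'prefix P maxlen N'
    is the same prefixlen range as 'prefix P prefixlen LEN(P) - N'.
    """
    roas: List[Roa] = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        tokens = line.split()
        prefix = ipaddress.ip_network(tokens[0], strict=True)
        maxlen = prefix.prefixlen
        source_as = None
        i = 1
        while i < len(tokens):
            if tokens[i] == "maxlen" and i + 1 < len(tokens):
                maxlen = int(tokens[i + 1])
            elif tokens[i] == "source-as" and i + 1 < len(tokens):
                source_as = int(tokens[i + 1])
            else:
                raise ValueError(f"syntax error in roa-set entry: {line!r}")
            i += 2
        if source_as is None:
            raise ValueError(f"missing source-as in roa-set entry: {line!r}")
        # maxlen must lie between the prefix length and the address width.
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {prefix}")
        roas.append(Roa(prefix, maxlen, source_as))
    return roas


def origin_validation_state(route: str, source_as: int, roas: List[Roa]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route / source-as pair.

    A ROA covers the route when the route lies inside the ROA prefix.  The
    route is valid if any covering ROA has the same source-as and a maxlen
    at least as long as the route's prefixlen.  A route that is covered but
    matches no ROA (wrong AS, or announced more specific than maxlen) is
    invalid; a route no ROA covers at all is not-found.
    """
    net = ipaddress.ip_network(route, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != net.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        if net.prefixlen <= roa.maxlen and roa.source_as == source_as:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed roa-set body, following the shape shown in the 1.361 log entry.
ROA_SET_BODY = """
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
"""
ROAS = parse_roa_set(ROA_SET_BODY)


if __name__ == "__main__":
    # The 'deny ... ovs invalid' / 'match ... ovs valid' filter lines from the
    # log entry act on exactly these three states.
    for route, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                       ("193.0.4.0/22", 3333), ("193.0.0.0/21", 64496),
                       ("10.0.0.0/8", 3333)]:
        state = origin_validation_state(route, asn, ROAS)
        print(f"{route:18} source-as {asn:<6} ovs {state}")
```

The second test route shows the case operators most often trip over: a /25 announced under a /24 ROA without maxlen is covered, so it is invalid rather than not-found.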

# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flags is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we
should not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
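
The nexthop sanity check this commit describes, as an added example in C
(not bgpd's own code): an IPv4 nexthop is rejected when it falls into
class D (224/4), class E (240/4) or 127/8. The function name and the
text-based interface are this example's own choice; bgpd works on its
internal address structs instead.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Reject IPv4 nexthops that can never be a usable next hop: class D
 * (multicast, 224.0.0.0/4), class E (reserved, 240.0.0.0/4) and the
 * loopback range 127.0.0.0/8. Returns 1 when the address passes and
 * 0 when it is rejected or does not parse as a dotted quad.
 */
int
nexthop_valid(const char *text)
{
	struct in_addr	a;
	uint32_t	h;

	if (inet_pton(AF_INET, text, &a) != 1)
		return 0;
	h = ntohl(a.s_addr);			/* compare in host byte order */

	if ((h & 0xf0000000U) == 0xe0000000U)	/* class D: 224.0.0.0/4 */
		return 0;
	if ((h & 0xf0000000U) == 0xf0000000U)	/* class E: 240.0.0.0/4 */
		return 0;
	if ((h & 0xff000000U) == 0x7f000000U)	/* loopback: 127.0.0.0/8 */
		return 0;
	return 1;
}

int
main(void)
{
	/* constructed sample values, not taken from any real configuration */
	const char *samples[] = { "10.0.0.1", "192.0.2.254", "224.0.0.5",
	    "240.1.1.1", "255.255.255.255", "127.0.0.1", "300.1.1.1" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s %s\n", samples[i],
		    nexthop_valid(samples[i]) ? "ok" : "rejected");
	return 0;
}
```

The masks are applied after ntohl() so the same constants work on big- and
little-endian hosts; 255.255.255.255 is caught by the class E test.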


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
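
An added example, written for this page and not bgpd's code, of the key
handling that this commit and the later md5sig/ipsec key commits (1.44 on
rejecting over-long passwords, 1.86 on extra key checks, 1.101 on keeping
an explicit key length instead of strlen(), 1.103 on factoring out the
string-to-key conversion, 1.110 on the off-by-one in the too-long check)
work through: a hex key is converted nibble by nibble with strict
validation, an ascii password is taken verbatim, and both carry an explicit
length because a hex key may contain zero bytes. EXAMPLE_KEY_MAXLEN, the
struct and the function names are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum key length this example accepts; an assumed value, not bgpd's. */
#define EXAMPLE_KEY_MAXLEN	80

/*
 * A key plus its explicit length: hex keys may contain 0x00 bytes, so
 * strlen() on the key buffer would understate the length.
 */
struct auth_key {
	uint8_t	key[EXAMPLE_KEY_MAXLEN];
	size_t	len;
};

/* Shared instance used by main() and by the checks that exercise it. */
struct auth_key example_key;

/* One hex digit to its nibble value, or -1 if c is not a hex digit. */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Hex string -> key bytes. Returns 0 on success and -1 when the string is
 * empty, has an odd number of digits, contains a non-hex character or
 * would produce more than EXAMPLE_KEY_MAXLEN bytes. The length limit is
 * applied to the byte count (half the string length), which is where an
 * off-by-one is easy to introduce.
 */
int
hexstr2key(const char *s, struct auth_key *ak)
{
	size_t	slen = strlen(s), i;
	int	hi, lo;

	if (slen == 0 || slen % 2 != 0 || slen / 2 > EXAMPLE_KEY_MAXLEN)
		return -1;
	for (i = 0; i < slen; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		ak->key[i / 2] = (uint8_t)((hi << 4) | lo);
	}
	ak->len = slen / 2;
	return 0;
}

/*
 * ASCII password -> key bytes. Rejects an empty or too-long password
 * instead of truncating it silently.
 */
int
password2key(const char *s, struct auth_key *ak)
{
	size_t	slen = strlen(s);

	if (slen == 0 || slen > EXAMPLE_KEY_MAXLEN)
		return -1;
	memcpy(ak->key, s, slen);
	ak->len = slen;
	return 0;
}

int
main(void)
{
	/* constructed sample inputs, not keys from any real configuration */
	const char *hex[] = { "00ff10", "abc", "zz", "" };
	size_t i;

	for (i = 0; i < sizeof(hex) / sizeof(hex[0]); i++)
		printf("hex \"%s\": %s\n", hex[i],
		    hexstr2key(hex[i], &example_key) == 0 ? "ok" : "rejected");
	printf("password \"secret\": %s (len %zu)\n",
	    password2key("secret", &example_key) == 0 ? "ok" : "rejected",
	    example_key.len);
	return 0;
}
```

Everything downstream (the TCP MD5 or IPsec setup) should consume
ak->key together with ak->len; the key buffer is deliberately not
NUL-terminated, which is exactly why strlen() is the wrong tool here.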


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.420 15-Oct-2021 naddy

Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@


Revision tags: OPENBSD_7_0_BASE
# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
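The sort-order problem described in this entry, as an added example that is not bgpd's code: a memcmp(3)-based comparison orders a struct of integers by its in-memory bytes and so depends on host endianness, while a field-wise comparison in native byte order gives the same result on i386 and powerpc64. The struct layout is an assumption made for illustration.

```c
/*
 * Added example, not code from bgpd: why sorting a struct of integers
 * with memcmp(3) gives an endianness-dependent order, and the field-wise
 * comparison that is stable across hosts.
 * The struct layout is an assumption made for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of a set member: three 32-bit community data words. */
struct comm {
	uint32_t data1;
	uint32_t data2;
	uint32_t data3;
};

/* Byte-wise comparison: what memcmp(3)-based sorting does. */
int
comm_cmp_memcmp(const struct comm *a, const struct comm *b)
{
	return memcmp(a, b, sizeof(*a));
}

/* Field-wise comparison in native byte order: endianness independent. */
int
comm_cmp_fields(const struct comm *a, const struct comm *b)
{
	if (a->data1 != b->data1)
		return a->data1 < b->data1 ? -1 : 1;
	if (a->data2 != b->data2)
		return a->data2 < b->data2 ? -1 : 1;
	if (a->data3 != b->data3)
		return a->data3 < b->data3 ? -1 : 1;
	return 0;
}

/* Runtime check of the host byte order. */
int
host_is_little_endian(void)
{
	uint32_t probe = 1;
	unsigned char first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

/*
 * Returns 1 when both comparisons order {1,0,0} and {256,0,0} the same
 * way. On a little-endian host 1 is stored as 01 00 00 00 and 256 as
 * 00 01 00 00, so memcmp ranks 256 before 1; on a big-endian host the
 * byte order and the numeric order coincide.
 */
int
orders_agree(void)
{
	struct comm a = { 1, 0, 0 }, b = { 256, 0, 0 };
	int m = comm_cmp_memcmp(&a, &b);
	int f = comm_cmp_fields(&a, &b);

	return (m < 0) == (f < 0);
}

int
main(void)
{
	printf("host is %s-endian, memcmp and field-wise order %s\n",
	    host_is_little_endian() ? "little" : "big",
	    orders_agree() ? "agree" : "disagree");
	return 0;
}
```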


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
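Origin validation against the roa-set shown in this entry, as an added example that is not bgpd's code: it classifies an announced prefix and origin AS as valid, invalid or not-found in the sense of the 'ovs' filter keyword, with maxlen meaning a ROA covers its own prefix length up to maxlen (and only its own length when no maxlen is given). IPv4 only; the two roa entries are constructed from the commit message, and the struct and function names are assumptions.

```c
/*
 * Added example, not code from bgpd: origin validation of an announced
 * prefix against the roa-set in the commit message. IPv4 only; the
 * entries used in sample_roa_set() are constructed from the message.
 */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ovs { OVS_ERROR = -1, OVS_NOT_FOUND, OVS_VALID, OVS_INVALID };

struct roa {
	uint32_t	prefix;		/* network address, host byte order */
	uint8_t		prefixlen;
	uint8_t		maxlen;
	uint32_t	source_as;
};

static uint32_t
netmask(uint8_t len)
{
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

/* Parse "a.b.c.d/len" into a host-order address and a prefix length. */
static int
parse_prefix(const char *s, uint32_t *addr, uint8_t *len)
{
	char ip[32];
	struct in_addr in;
	int l;

	if (sscanf(s, "%31[^/]/%d", ip, &l) != 2 || l < 0 || l > 32)
		return -1;
	if (inet_pton(AF_INET, ip, &in) != 1)
		return -1;
	*addr = ntohl(in.s_addr);
	*len = (uint8_t)l;
	return 0;
}

/* Fill a roa entry; maxlen 0 means "no maxlen given", i.e. prefixlen. */
int
roa_init(struct roa *r, const char *pfx, uint8_t maxlen, uint32_t as)
{
	if (parse_prefix(pfx, &r->prefix, &r->prefixlen) == -1)
		return -1;
	r->prefix &= netmask(r->prefixlen);
	r->maxlen = maxlen == 0 ? r->prefixlen : maxlen;
	r->source_as = as;
	return (r->maxlen < r->prefixlen || r->maxlen > 32) ? -1 : 0;
}

/*
 * RFC 6811 style outcome: not-found when no ROA covers the prefix, valid
 * when a covering ROA matches the origin AS and the announced length is
 * within maxlen, invalid when ROAs cover the prefix but none matches.
 */
enum ovs
roa_validate(const struct roa *set, size_t n, const char *pfx, uint32_t as)
{
	uint32_t addr;
	uint8_t len;
	size_t i;
	int covered = 0;

	if (parse_prefix(pfx, &addr, &len) == -1)
		return OVS_ERROR;
	for (i = 0; i < n; i++) {
		const struct roa *r = &set[i];

		/* A ROA covers the announcement if its prefix contains it. */
		if (len < r->prefixlen ||
		    (addr & netmask(r->prefixlen)) != r->prefix)
			continue;
		covered = 1;
		if (r->source_as == as && len <= r->maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/* The roa-set from the commit message, as constructed sample data. */
size_t
sample_roa_set(struct roa *out, size_t max)
{
	if (max < 2 ||
	    roa_init(&out[0], "165.254.255.0/24", 0, 15562) == -1 ||
	    roa_init(&out[1], "193.0.0.0/21", 24, 3333) == -1)
		return 0;
	return 2;
}
```

With this set, 193.0.2.0/24 from AS 3333 is valid, 193.0.2.0/25 from AS 3333 is invalid (longer than maxlen 24), and 10.0.0.0/8 is not-found.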


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries are allowing to define a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some cleanup of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@
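Added example (not bgpd's own code) of the community matching that 1.76 introduces for filters ("community 24640:*") and that 1.180 reuses for "set community delete 65001:*". A classic community is a 32-bit value, AS in the high 16 bits and a value in the low 16 bits; either side of the AS:VALUE spec may be "*". The spec struct, the COMMUNITY_ANY sentinel and the sample list are assumptions made for this example.

```c
/*
 * Added example, not bgpd's own code: parse an AS:VALUE community spec
 * with optional "*" wildcards, match it against 32-bit communities and
 * delete matching entries from a list in place.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define COMMUNITY_ANY	0x10000	/* outside the 16-bit range: wildcard */
#define COMMUNITY(as, val) ((uint32_t)(as) << 16 | (uint32_t)(val))

struct community_spec {
	uint32_t as;	/* 0..65535 or COMMUNITY_ANY */
	uint32_t val;	/* 0..65535 or COMMUNITY_ANY */
};

/* parse "65001:*", "*:100" or "24640:12"; returns -1 on bad syntax */
static int
parse_community(const char *s, struct community_spec *c)
{
	char *end;
	unsigned long v;

	if (s[0] == '*' && s[1] == ':') {
		c->as = COMMUNITY_ANY;
		s += 2;
	} else {
		errno = 0;
		v = strtoul(s, &end, 10);
		if (errno || end == s || *end != ':' || v > 65535)
			return (-1);
		c->as = (uint32_t)v;
		s = end + 1;
	}
	if (strcmp(s, "*") == 0) {
		c->val = COMMUNITY_ANY;
		return (0);
	}
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno || end == s || *end != '\0' || v > 65535)
		return (-1);
	c->val = (uint32_t)v;
	return (0);
}

/* 1 if the spec matches the community, 0 otherwise */
static int
community_match(const struct community_spec *c, uint32_t comm)
{
	if (c->as != COMMUNITY_ANY && c->as != (comm >> 16))
		return (0);
	if (c->val != COMMUNITY_ANY && c->val != (comm & 0xffff))
		return (0);
	return (1);
}

/* "set community delete": drop every match in place, return new count */
static size_t
community_delete(const struct community_spec *c, uint32_t *list, size_t n)
{
	size_t i, j = 0;

	for (i = 0; i < n; i++)
		if (!community_match(c, list[i]))
			list[j++] = list[i];
	return (j);
}

/* parse and delete in one step; (size_t)-1 signals a bad spec */
static size_t
delete_by_spec(const char *spec, uint32_t *list, size_t n)
{
	struct community_spec c;

	if (parse_community(spec, &c) == -1)
		return ((size_t)-1);
	return (community_delete(&c, list, n));
}
```

Parsing happens at config load, so a malformed spec is a parse error rather than a rule that silently never matches; the bounds check on both halves is what makes "70000:1" an error instead of a wrapped value.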


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
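Added example of the two checks 1.63 describes; this is not bgpd's own code. nexthop_valid() rejects a NEXT_HOP in 127/8, class D (224/4) or class E (240/4). enforce_neighbor_as() implements "enforce neighbor-as yes" for an eBGP session: the leftmost AS of the AS_PATH must be the neighbor's AS. The AS_PATH walker reads the 2-byte AS encoding of the time, and the sample paths are constructed for the test.

```c
/*
 * Added example, not bgpd's own code: NEXT_HOP sanity check and the
 * "enforce neighbor-as" check on the leftmost AS of an AS_PATH.
 */
#include <stdint.h>
#include <stddef.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define AS_SET		1
#define AS_SEQUENCE	2

/* addr in host byte order; 0 means the next hop is unusable */
static int
nexthop_valid(uint32_t addr)
{
	if ((addr >> 24) == 127)			/* loopback 127/8 */
		return (0);
	if ((addr & 0xf0000000) == 0xe0000000)		/* class D, multicast */
		return (0);
	if ((addr & 0xf0000000) == 0xf0000000)		/* class E, reserved */
		return (0);
	return (1);
}

/* convenience wrapper for dotted-quad input */
static int
nexthop_str_valid(const char *s)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return (0);
	return (nexthop_valid(ntohl(a.s_addr)));
}

/*
 * Leftmost AS of an AS_PATH attribute value (2-byte AS numbers).
 * Returns 0 when the path is empty, truncated, or starts with an AS_SET
 * (no single leftmost AS to compare against); 1 otherwise with *as set.
 */
static int
aspath_first_as(const uint8_t *p, size_t len, uint16_t *as)
{
	uint8_t type, n;

	if (len < 2)
		return (0);
	type = p[0];
	n = p[1];
	if (type != AS_SEQUENCE || n == 0)
		return (0);
	if (len < 2 + (size_t)n * 2)
		return (0);		/* truncated segment */
	*as = (uint16_t)(p[2] << 8 | p[3]);
	return (1);
}

/* 1 if the UPDATE passes the neighbor-as check, 0 if it must be rejected */
static int
enforce_neighbor_as(int ebgp, uint16_t remote_as, const uint8_t *path,
    size_t len)
{
	uint16_t first;

	if (!ebgp)
		return (1);	/* iBGP: path may be empty, nothing to enforce */
	if (!aspath_first_as(path, len, &first))
		return (0);
	return (first == remote_as);
}

/* constructed samples: AS_SEQUENCE / AS_SET of 64496 (0xfbf0), 64500 (0xfbf4) */
static const uint8_t sample_path[] = { AS_SEQUENCE, 2, 0xfb, 0xf0, 0xfb, 0xf4 };
static const uint8_t sample_set_path[] = { AS_SET, 2, 0xfb, 0xf0, 0xfb, 0xf4 };
```

Rejecting a path whose first segment is an AS_SET, or one that is too short for its own segment header, is deliberate: the check is only meaningful when the attribute is well-formed, and an eBGP neighbor sending something else has already violated what the session expects.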


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
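Added example (not bgpd's own code) of the string to key conversion that 1.103 factors out, serving both forms 1.43 describes: "password" takes an ASCII string with the reduced key space routers accept, "key" takes hex digits without that restriction. Both land in a fixed buffer whose length is tracked explicitly rather than with strlen() (1.101: a hex key may contain NUL bytes), and an over-long key is rejected instead of being truncated (1.44). The 80-byte limit and the struct layout are assumptions made for this example.

```c
/*
 * Added example, not bgpd's own code: convert "tcp md5sig key <hex>"
 * and "tcp md5sig password <ascii>" into a fixed-size key buffer with
 * an explicit length, rejecting bad hex, odd digit counts and over-long
 * keys.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN_MAX	80	/* assumed maximum for this example */

struct auth_key {
	uint8_t	key[KEY_LEN_MAX];
	size_t	len;		/* tracked separately: key may contain NUL */
};

/* value of one hex digit, -1 if c is not one */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/* "tcp md5sig key <hex>": two hex digits per byte; 0 ok, -1 rejected */
static int
str2key(const char *s, struct auth_key *k)
{
	size_t n = strlen(s), i;
	int hi, lo;

	memset(k, 0, sizeof(*k));
	if (n == 0 || n % 2 != 0)
		return (-1);		/* empty or odd number of digits */
	if (n / 2 > sizeof(k->key))
		return (-1);		/* too long: whine, never truncate */
	for (i = 0; i < n; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return (-1);	/* not a hex digit */
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = n / 2;
	return (0);
}

/* "tcp md5sig password <ascii>": bytes are used as they are */
static int
str2password(const char *s, struct auth_key *k)
{
	size_t n = strlen(s);

	memset(k, 0, sizeof(*k));
	if (n == 0 || n > sizeof(k->key))
		return (-1);		/* too long: whine, never truncate */
	memcpy(k->key, s, n);
	k->len = n;
	return (0);
}
```

The "00ff" case in the test is the reason for the explicit length field: the key starts with a NUL byte, so strlen() on the buffer would report zero and the kernel would be handed an empty key.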


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.419 01-Sep-2021 claudio

Implement roa-set data expiry. Every prefix in a roa-set can specify an
optional expires timestamp. The rtr process is walking the roa-set every
5min and removes every prefix that is expired.
With this stale RPKI data will slowly disappear and not linger around.
OK job@


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
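Added example of the endianness problem 1.415 describes; not bgpd's code. A comparator built on memcmp(3) orders a struct of integers byte by byte, so on a little-endian host the least significant byte of each field is compared first and the resulting sort order differs from a big-endian host (and from numeric order). Comparing the fields as integers in host byte order gives the same result everywhere. The two-field struct and the sample values are assumptions made for this example.

```c
/*
 * Added example, not bgpd's own code: memcmp() based versus field-wise
 * comparison of a struct of integers, and the different sort order the
 * former produces depending on host byte order.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct community {
	uint32_t	data1;
	uint32_t	data2;
};

static int
sign(int v)
{
	return ((v > 0) - (v < 0));
}

/* the old way: endian dependent, unusable where order must be stable */
static int
community_cmp_memcmp(const void *a, const void *b)
{
	return (sign(memcmp(a, b, sizeof(struct community))));
}

/* the fixed way: compare the integer fields in host byte order */
static int
community_cmp(const void *a, const void *b)
{
	const struct community *ca = a, *cb = b;

	if (ca->data1 != cb->data1)
		return (ca->data1 < cb->data1 ? -1 : 1);
	if (ca->data2 != cb->data2)
		return (ca->data2 < cb->data2 ? -1 : 1);
	return (0);
}

static int
host_is_little_endian(void)
{
	uint32_t x = 1;
	uint8_t b;

	memcpy(&b, &x, 1);
	return (b == 1);
}

/*
 * Sort a constructed sample with either comparator and return data2 of
 * the element that ends up second. Numeric order is (65000,512),
 * (65001,1), (65001,256), so the field comparator yields 1. memcmp()
 * yields 256 on a little-endian host, where 256 is stored as
 * 00 01 00 00 and 1 as 01 00 00 00, and 1 on a big-endian host.
 */
static uint32_t
second_after_sort(int use_memcmp)
{
	struct community set[] = {
		{ 65001, 256 }, { 65000, 512 }, { 65001, 1 },
	};

	qsort(set, 3, sizeof(set[0]),
	    use_memcmp ? community_cmp_memcmp : community_cmp);
	return (set[1].data2);
}
```

The regress test in the message compares printed config output across machines, which is exactly what catches this class of bug: both comparators produce a consistent total order on any one host, so nothing fails locally, only the cross-architecture diff does.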


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desried. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
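
Added example (not bgpd code): a small Python model of the roa-set lookup
described in this entry and in the 1.405/1.411 and 1.351 entries above. It
parses entries in the bgpd.conf syntax shown here ("<prefix> [maxlen N]
source-as <AS>"), merges repeated prefix/source-as pairs by keeping the
longest maxlen, treats a maxlen as the 'prefixlen <len> - <maxlen>' range
it is equivalent to, and returns the RFC 6811 state that the 'ovs
valid|invalid|not-found' filter keyword matches on. The roa-set text is
constructed for the example; Python's ipaddress module stands in for bgpd's
lookup trie, and the function names are the example's own.

```python
"""Origin validation (RFC 6811) against a roa-set, with maxlen merging.

Added example, not bgpd code. It follows what the log entries describe:
the bgpd.conf roa-set entry syntax "<prefix> [maxlen N] source-as <AS>",
merging of repeated prefix/source-as pairs keeping the longest maxlen
(1.405/1.411), a maxlen being the same as a 'prefixlen <len> - <maxlen>'
range (1.351), and the three states the 'ovs' filter keyword matches on
(1.361). Python's ipaddress module stands in for bgpd's lookup trie.
"""
import ipaddress
import re

# Constructed roa-set text, modelled on the fragment in the 1.361 entry plus
# a deliberately duplicated prefix/source-as pair with a different maxlen.
ROA_SET_TEXT = """
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
193.0.0.0/21 maxlen 22 source-as 3333
10.0.0.0/8 maxlen 24 source-as 65000
"""

_ENTRY = re.compile(r"^(\S+)(?:\s+maxlen\s+(\d+))?\s+source-as\s+(\d+)$")


def parse_roa_set(text):
    """Return {(network, source_as): maxlen}.

    A missing maxlen means maxlen == prefixlen, i.e. only the prefix itself
    is authorised. Repeated (prefix, source-as) pairs are merged by keeping
    the longest maxlen, since that VRP covers all the shorter ones.
    """
    roas = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("bad roa-set entry: %r" % line)
        net = ipaddress.ip_network(m.group(1), strict=True)
        maxlen = int(m.group(2)) if m.group(2) else net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError("maxlen out of range: %r" % line)
        key = (net, int(m.group(3)))
        roas[key] = max(roas.get(key, 0), maxlen)
    return roas


def roa_maxlen(roas, prefix, source_as):
    """maxlen stored for an exact (prefix, source-as) pair, or None."""
    return roas.get((ipaddress.ip_network(prefix, strict=True), source_as))


def prefixlen_range(roas, prefix, source_as):
    """The equivalent 'prefixlen A - B' range for a ROA entry (1.351)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return (net.prefixlen, roas[(net, source_as)])


def ovs(roas, prefix, origin_as):
    """Origin validation state of a route: 'valid', 'invalid' or 'not-found'.

    A ROA covers a route when the route prefix lies within the ROA prefix.
    valid: some covering ROA has this source-as and maxlen >= route prefixlen;
    invalid: covering ROAs exist but none matches; not-found: nothing covers it.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for (net, source_as), maxlen in roas.items():
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if source_as == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = parse_roa_set(ROA_SET_TEXT)
    for pfx, asn in [("193.0.2.0/24", 3333), ("193.0.0.0/25", 3333),
                     ("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                     ("8.8.8.0/24", 15169)]:
        print(pfx, asn, ovs(table, pfx, asn))
```

The merge step matters for correctness, not just memory: if the /21 entry
with maxlen 22 were kept alongside the maxlen 24 one, a lookup that stopped
at the first covering ROA could wrongly report a /24 announcement as
invalid. Keeping only the longest maxlen per pair makes the answer
independent of table order.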


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@
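
Added example (not bgpd code) for this entry and the 1.415 entry above,
which replaced it: why a memcmp()-based comparator over a struct of
integers yields a stable order on one host but a different stable order on
a host of the other byte order. The struct of three unsigned 32-bit fields
and the sample values are constructed stand-ins, not bgpd's community
struct; Python's struct module packs them as memcmp() would see them in
memory, and plain tuple comparison plays the role of comparing the fields
in native byte order. A general caveat the log does not state: memcmp()
over a struct also compares any padding bytes, which is a second reason to
compare fields rather than raw memory.

```python
"""Why a memcmp()-based comparator gives a byte-order dependent sort.

Added example, not bgpd code. It emulates sorting a struct of three
unsigned 32-bit integers (a constructed stand-in for bgpd's community
struct) two ways: by the raw bytes of the struct as memcmp() sees them on a
little-endian or big-endian host, and by comparing the integer fields in
native byte order, which is what the 1.415 fix does.
"""
import struct

# Constructed sample: (type, data1, data2) triples. The second field is what
# makes the two orderings disagree on a little-endian machine: 0x100 < 0x10000
# as integers, but little-endian bytes 00 01 00 00 > 00 00 01 00.
COMMUNITIES = [
    (1, 0x10000, 1),
    (1, 0x100, 2),
    (2, 0x1, 0x10000),
    (1, 0x100, 1),
]


def memcmp_key(item, byteorder):
    """Raw struct bytes as memcmp() would compare them on a host of this byte order."""
    fmt = ("<" if byteorder == "little" else ">") + "III"
    return struct.pack(fmt, *item)


def sort_like_memcmp(items, byteorder):
    """Order qsort()+memcmp() over the packed structs would produce on such a host."""
    return sorted(items, key=lambda it: memcmp_key(it, byteorder))


def sort_by_fields(items):
    """Order from comparing the integer fields one after another (byte-order independent)."""
    return sorted(items)  # tuple comparison is lexicographic over the int fields


def orderings_agree(items, byteorder):
    """True when the memcmp() order on this byte order equals the field order."""
    return sort_like_memcmp(items, byteorder) == sort_by_fields(items)


if __name__ == "__main__":
    for bo in ("big", "little"):
        print(bo, "memcmp order agrees with field order:",
              orderings_agree(COMMUNITIES, bo))
```

Only the big-endian byte sequence of an unsigned integer sorts the same way
as its value, so a regress test that compares printed config output across
i386 and powerpc64 (as in 1.415) is exactly where the difference surfaces.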


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
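The quoted-string handling that revs 1.211 and 1.275 talk about, as an added example. This is not bgpd's yylex(): read_quoted() and unquote() are hypothetical helpers that apply only the rules the log states (backslash before space, tab or quote yields that character, backslash-newline is a line continuation, an embedded NUL is an error). What to do with any other backslash is this example's own choice (keep it literally); the log does not say.

```c
/* Added example, not bgpd's yylex(): reading one double-quoted string with
 * the rules the log states for this parser family. Per rev 1.211 a backslash
 * before a space, tab or quote yields that character and a backslash before a
 * newline is a line continuation; per rev 1.275 a NUL byte inside the string
 * is an error rather than a silent truncation point. Any other backslash is
 * kept literally here, which is this example's choice, not something the log
 * states. read_quoted() and unquote() are hypothetical helpers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * in/inlen is the raw file content starting at the opening quote, with an
 * explicit length so that an embedded NUL is visible to the caller. On
 * success the unescaped text is NUL-terminated into out and the number of
 * input bytes consumed (including both quotes) is returned. Returns -1 for
 * an embedded NUL, an unterminated string, or a result that does not fit.
 */
long
read_quoted(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
	size_t i, o = 0;
	unsigned char c;

	if (inlen == 0 || in[0] != '"' || outlen == 0)
		return -1;
	for (i = 1;;) {
		if (i >= inlen)
			return -1;		/* EOF before closing quote */
		c = in[i++];
		if (c == '"')
			break;
		if (c == '\0')
			return -1;		/* rev 1.275: reject, do not truncate */
		if (c == '\\') {
			if (i >= inlen)
				return -1;
			if (in[i] == '\n') {	/* line continuation */
				i++;
				continue;
			}
			if (in[i] == '"' || in[i] == ' ' || in[i] == '\t')
				c = in[i++];	/* escaped quote/space/tab */
			/* otherwise keep the backslash; next byte is read normally */
		}
		if (o + 1 >= outlen)
			return -1;
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return (long)i;
}

/* Demo wrapper with a static buffer: the decoded string, or NULL on error. */
const char *
unquote(const unsigned char *in, size_t inlen)
{
	static char buf[256];

	return read_quoted(in, inlen, buf, sizeof(buf)) == -1 ? NULL : buf;
}

int
main(void)
{
	/* constructed inputs; the second one has a NUL byte in the middle */
	static const unsigned char ok[] = "\"a\\ b\\\nc\"";
	static const unsigned char nul[] = "\"a\0b\"";
	const char *r;

	r = unquote(ok, sizeof(ok) - 1);
	printf("%s\n", r ? r : "(rejected)");
	r = unquote(nul, sizeof(nul) - 1);
	printf("%s\n", r ? r : "(rejected)");
	return 0;
}
```

The point of taking an explicit length rather than a C string is exactly the afl finding: a lexer that stops at the first NUL never sees the bytes after it, while the rest of the parser may still act on the truncated token.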


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
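The two measurements behind max-as-len and max-as-seq, as an added example in C over the wire encoding of a 4-byte-AS AS_PATH attribute. This is not bgpd's filter code: aspath_scan(), aspath_count(), aspath_maxseq() and the sample bytes are constructed for this page. The one convention taken from RFC 4271 is that an AS_SET counts as a single hop.

```c
/* Added example, not bgpd code: the two path checks rev 1.255 introduces,
 * computed from the wire encoding of a 4-byte-AS AS_PATH attribute
 * (segment type, AS count, then the ASes as big-endian 32-bit values).
 * "max-as-len N" matches when the path is longer than N; "max-as-seq N"
 * matches when one AS repeats more than N times in a row, i.e. a prepend.
 * aspath_scan(), aspath_count(), aspath_maxseq() and the sample bytes are
 * constructed for this page. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AS_SET		1
#define AS_SEQUENCE	2

static uint32_t
get_be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
	    (uint32_t)p[2] << 8 | p[3];
}

/*
 * Walk every segment once. An AS_SET counts as one hop (RFC 4271 9.1.2.2)
 * and never extends a repeat run; within an AS_SEQUENCE each AS counts and
 * consecutive equal ASes form a run. Returns -1 on a truncated or bogus
 * attribute so the caller treats it as a parse error, not as a match.
 */
int
aspath_scan(const uint8_t *p, size_t len, unsigned *count, unsigned *maxseq)
{
	unsigned n = 0, best = 0, run, i;
	uint32_t as, prev = 0;
	uint8_t type, cnt;

	while (len > 0) {
		if (len < 2)
			return -1;
		type = p[0];
		cnt = p[1];
		p += 2;
		len -= 2;
		if (cnt == 0 || (type != AS_SET && type != AS_SEQUENCE))
			return -1;
		if (len < (size_t)cnt * 4)
			return -1;
		if (type == AS_SET) {
			n++;
		} else {
			run = 0;
			for (i = 0; i < cnt; i++) {
				as = get_be32(p + 4 * i);
				run = (i > 0 && as == prev) ? run + 1 : 1;
				if (run > best)
					best = run;
				prev = as;
			}
			n += cnt;
		}
		p += (size_t)cnt * 4;
		len -= (size_t)cnt * 4;
	}
	*count = n;
	*maxseq = best;
	return 0;
}

/* Path length as max-as-len sees it, or -1 on malformed input. */
long
aspath_count(const uint8_t *p, size_t len)
{
	unsigned n, s;
	return aspath_scan(p, len, &n, &s) == -1 ? -1 : (long)n;
}

/* Longest run of one AS as max-as-seq sees it, or -1 on malformed input. */
long
aspath_maxseq(const uint8_t *p, size_t len)
{
	unsigned n, s;
	return aspath_scan(p, len, &n, &s) == -1 ? -1 : (long)s;
}

/* Constructed sample: AS_SEQUENCE {65001, 65001, 65001, 3303} followed by
 * AS_SET {64512, 64513}: length 5, longest repeat 3. */
const uint8_t sample_path[] = {
	AS_SEQUENCE, 4,
	0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0xfd, 0xe9,
	0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0x0c, 0xe7,
	AS_SET, 2,
	0x00, 0x00, 0xfc, 0x00,  0x00, 0x00, 0xfc, 0x01,
};
const size_t sample_path_len = sizeof(sample_path);

int
main(void)
{
	long n = aspath_count(sample_path, sample_path_len);
	long s = aspath_maxseq(sample_path, sample_path_len);

	printf("as-len %ld, max-as-seq %ld\n", n, s);
	printf("max-as-len 4 %s, max-as-seq 2 %s\n",
	    n > 4 ? "matches" : "no match", s > 2 ? "matches" : "no match");
	return 0;
}
```

A run is only counted inside one AS_SEQUENCE segment; a prepend split across two adjacent segments would need the caller to join them, which this example does not do.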


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@
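The inflate/deflate step rev 1.204 describes, as an added example in C on an already decoded list of ASes. This is not bgpd's RDE code: aspath_deflate() and aspath_inflate() are hypothetical helpers. AS_TRANS (23456) and the merge rule for AS_PATH versus NEW_ASPATH are taken from RFC 4893; the sample path is constructed.

```c
/* Added example, not bgpd code: the deflate/inflate step rev 1.204 describes,
 * on an already decoded list of ASes. Towards a peer without the 4-byte AS
 * capability every AS above 65535 is replaced by AS_TRANS (23456) in AS_PATH
 * and the unchanged path travels in NEW_ASPATH; on the way back the two are
 * merged as RFC 4893 section 4.2.3 specifies. aspath_deflate() and
 * aspath_inflate() are hypothetical helpers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AS_TRANS	23456U

/*
 * Write the 2-byte form of path[0..n) to out. Returns how many ASes were
 * replaced by AS_TRANS; when that is 0 the NEW_ASPATH attribute is not needed.
 */
size_t
aspath_deflate(const uint32_t *path, size_t n, uint16_t *out)
{
	size_t i, subst = 0;

	for (i = 0; i < n; i++) {
		if (path[i] > 0xffff) {
			out[i] = AS_TRANS;
			subst++;
		} else
			out[i] = (uint16_t)path[i];
	}
	return subst;
}

/*
 * Reconstruct the 4-byte path from the 2-byte AS_PATH (n2 ASes) and the
 * NEW_ASPATH (n4 ASes) received from an old-style peer. Old-style speakers
 * in between only touched AS_PATH, so the n2 - n4 leading ASes come from
 * AS_PATH and the rest from NEW_ASPATH. A NEW_ASPATH longer than AS_PATH is
 * bogus and ignored, as the RFC requires. Returns the number of ASes written
 * to out, or -1 if out is too small.
 */
long
aspath_inflate(const uint16_t *p2, size_t n2, const uint32_t *p4, size_t n4,
    uint32_t *out, size_t outmax)
{
	size_t i, lead;

	if (n2 > outmax)
		return -1;
	if (n4 > n2)
		n4 = 0;			/* ignore NEW_ASPATH */
	lead = n2 - n4;
	for (i = 0; i < lead; i++)
		out[i] = p2[i];
	for (i = 0; i < n4; i++)
		out[lead + i] = p4[i];
	return (long)n2;
}

int
main(void)
{
	/* constructed: our path contains one AS that does not fit in 16 bits */
	const uint32_t path[] = { 65001, 4200000000U, 3303 };
	uint16_t wire[3];
	uint16_t prepended[4] = { 64500 };	/* old peer added itself in front */
	uint32_t back[4];
	size_t i, subst;
	long n;

	subst = aspath_deflate(path, 3, wire);
	printf("deflated (%zu substituted):", subst);
	for (i = 0; i < 3; i++)
		printf(" %u", wire[i]);
	for (i = 0; i < 3; i++)
		prepended[i + 1] = wire[i];
	n = aspath_inflate(prepended, 4, path, 3, back, 4);
	printf("\ninflated (%ld ASes):", n);
	for (i = 0; i < (size_t)n; i++)
		printf(" %u", back[i]);
	printf("\n");
	return 0;
}
```

The leading part of the merged path can still contain AS_TRANS when an old-style speaker in between had a 4-byte AS of its own; there is no information to expand it, which is why the commit message talks about mixing old and new style sessions rather than hiding the difference.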


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@
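How a metric token with or without a leading sign can be parsed and applied, as an added example in C covering the relative metrics of rev 1.152 together with the two later corrections in this log (rev 1.175: the relative value is signed; rev 1.262: a plain "0" stays an absolute set). This is not bgpd's code: parse_metric(), apply_metric() and apply_metric_str() are hypothetical helpers, and saturating at 0 and UINT32_MAX rather than wrapping is this example's choice.

```c
/* Added example, not bgpd code: how a "set localpref 100" versus
 * "set localpref +20" / "-20" token can be parsed (rev 1.152) and applied.
 * A leading sign makes the value relative; rev 1.262's point is that a plain
 * "0" must stay absolute, and rev 1.175's that the relative value is signed.
 * Metrics are 32-bit unsigned, so relative changes saturate at 0 and
 * UINT32_MAX instead of wrapping. parse_metric(), apply_metric() and
 * apply_metric_str() are hypothetical helpers. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum metric_op { METRIC_SET, METRIC_ADD };

struct metric_set {
	enum metric_op	op;
	int64_t		value;	/* signed: relative values may be negative */
};

/* Returns 0 on success, -1 for junk or a magnitude above UINT32_MAX. */
int
parse_metric(const char *s, struct metric_set *m)
{
	const char *digits = s;
	char *end;
	long long v;

	if (s == NULL)
		return -1;
	if (*s == '+' || *s == '-')
		digits = s + 1;		/* sign present: relative metric */
	if (!isdigit((unsigned char)*digits))
		return -1;		/* rejects "", "+", "+-5", " 5" */
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno != 0 || *end != '\0')
		return -1;
	if (v > (long long)UINT32_MAX || v < -(long long)UINT32_MAX)
		return -1;
	m->op = (digits == s) ? METRIC_SET : METRIC_ADD;
	m->value = v;
	return 0;
}

/* Apply m to the current metric, saturating instead of wrapping. */
uint32_t
apply_metric(uint32_t cur, const struct metric_set *m)
{
	int64_t r;

	if (m->op == METRIC_SET)
		return (uint32_t)m->value;
	r = (int64_t)cur + m->value;
	if (r < 0)
		return 0;
	if (r > (int64_t)UINT32_MAX)
		return UINT32_MAX;
	return (uint32_t)r;
}

/* Parse and apply in one go; -1 means the token was rejected. */
long long
apply_metric_str(uint32_t cur, const char *s)
{
	struct metric_set m;

	if (parse_metric(s, &m) == -1)
		return -1;
	return apply_metric(cur, &m);
}

int
main(void)
{
	/* constructed tokens as they would appear after "set localpref" */
	const char *tokens[] = { "100", "0", "+20", "-20", "+-5", "abc" };
	size_t i;

	for (i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++)
		printf("localpref 10, set %-4s -> %lld\n", tokens[i],
		    apply_metric_str(10, tokens[i]));
	return 0;
}
```

Keeping the sign as part of the token is what lets "0" and "+0" be told apart: the first replaces the metric, the second leaves it alone.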


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.418 09-Aug-2021 claudio

Implement reception of multiple paths per BGP session. This is one
side of RFC7911 and the send portion will follow.

The path-id is extracted from the NLRI encoding and put into struct
prefix. To do this the prefix_by_peer() function gets a path-id
argument. If a session is not path-id enabled this argument will
be always 0. If a session is path-id enabled the value is taken
from the NLRI and can be anything, including 0. The value has no
meaning in itself. Still to make sure the decision process is able
to break a tie the path-id is checked as the last step (this is not
part of the RFC but required).

OK benno@


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and then flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and an end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor,
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors, adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.417 17-Jun-2021 claudio

Implement RFC 7313 enhanced route refresh. It is off by default and
can be enabled with 'announce enhanced refresh yes'
Similar to graceful restart this allows to mark routes as stale, refresh
them and the flush out routes that are still stale. Enhanced route refresh
uses a begin of rr and a end of rr message to signal the various stages.
A future enhancement would be the addition of a timeout in case the EoRR
message is not sent in reasonable time.
OK denis@ job@


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies an earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
	announce refresh yes # was already on by default
	announce restart no
	announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.
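
The community checks that revisions 1.206, 1.205, 1.199 and 1.178 above argue over (0 allowed in the AS part, 65535 reserved for well-known communities, NO_PEER accepted by name, neighbor-as expanded per peer as in 1.179) fit in one small parser. The following is an added example written for this page, not bgpd's parsecommunity(); the struct layout, the COMMUNITY_* sentinel values and the use of strtol() instead of OpenBSD's strtonum() are choices made here for portability, and the matcher assumes the classic 32-bit community encoding (high 16 bits AS, low 16 bits value).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COMMUNITY_ANY		-1	/* wildcard '*' */
#define COMMUNITY_NEIGHBOR_AS	-2	/* expanded to the peer's AS at match time */
#define COMMUNITY_WELLKNOWN	0xffff	/* AS part reserved by RFC 1997 / RFC 3765 */

struct filter_community {
	int	as;	/* 0..65534, COMMUNITY_ANY or COMMUNITY_NEIGHBOR_AS */
	int	type;	/* 0..65535 or COMMUNITY_ANY */
};

/* Parse one side of AS:value. Returns 0 on success, -1 with *err set. */
static int
getcommunity(const char *s, int *val, int allow_neighbor_as, const char **err)
{
	char *ep;
	long n;

	if (strcmp(s, "*") == 0) {
		*val = COMMUNITY_ANY;
		return (0);
	}
	if (allow_neighbor_as && strcmp(s, "neighbor-as") == 0) {
		*val = COMMUNITY_NEIGHBOR_AS;
		return (0);
	}
	errno = 0;
	n = strtol(s, &ep, 10);
	if (*s == '\0' || *ep != '\0' || errno == ERANGE || n < 0 || n > 0xffff) {
		*err = "community number out of range 0-65535";
		return (-1);
	}
	*val = (int)n;
	return (0);
}

/* Parse "AS:value", "AS:*", "neighbor-as:value" or a well-known name. */
int
parsecommunity(const char *s, struct filter_community *c, const char **err)
{
	static const struct { const char *name; int type; } wellknown[] = {
		{ "NO_EXPORT",		0xff01 },	/* RFC 1997 */
		{ "NO_ADVERTISE",	0xff02 },
		{ "NO_EXPORT_SUBCONFED", 0xff03 },
		{ "NO_PEER",		0xff04 },	/* RFC 3765 */
	};
	char buf[64], *p;
	size_t i;

	*err = NULL;
	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = COMMUNITY_WELLKNOWN;
			c->type = wellknown[i].type;
			return (0);
		}
	if (strlen(s) >= sizeof(buf)) {
		*err = "community string too long";
		return (-1);
	}
	strcpy(buf, s);
	if ((p = strchr(buf, ':')) == NULL || strchr(p + 1, ':') != NULL) {
		*err = "community must be AS:value";
		return (-1);
	}
	*p++ = '\0';
	if (getcommunity(buf, &c->as, 1, err) == -1)
		return (-1);
	/* 0 is tolerated as AS (1.205), 65535 is not (1.206/1.199) */
	if (c->as == COMMUNITY_WELLKNOWN) {
		*err = "AS 65535 is reserved for well-known communities";
		return (-1);
	}
	return (getcommunity(p, &c->type, 0, err));
}

/* Match a 32-bit COMMUNITIES value against a parsed filter entry. */
int
community_match(const struct filter_community *c, uint32_t community,
    uint32_t neighbor_as)
{
	int as = community >> 16, type = community & 0xffff;
	int want_as = c->as;

	if (want_as == COMMUNITY_NEIGHBOR_AS) {
		if (neighbor_as > 0xffff)	/* no 2-byte representation */
			return (0);
		want_as = (int)neighbor_as;
	}
	if (want_as != COMMUNITY_ANY && want_as != as)
		return (0);
	if (c->type != COMMUNITY_ANY && c->type != type)
		return (0);
	return (1);
}

int
main(void)
{
	const char *samples[] = { "24640:*", "0:100", "65535:100", "NO_PEER",
	    "neighbor-as:666", "1:2:3" };	/* constructed inputs */
	struct filter_community c;
	const char *err;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (parsecommunity(samples[i], &c, &err) == 0)
			printf("%-16s -> as=%d type=%d\n", samples[i], c.as, c.type);
		else
			printf("%-16s -> error: %s\n", samples[i], err);
	return (0);
}
```

The reserved-AS check is done after getcommunity() so that a literal 65535 is rejected while the well-known names still map onto that AS internally.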


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
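
The 1.56 secrecy check, as an added example rather than bgpd's own code: a bgpd.conf may carry TCP MD5 and IPsec keys, so the daemon refuses a file that is not owned by the expected user or that group or others can read or write. The check is made on the already-open descriptor to avoid a stat()/open() race; the expected owner is a parameter (bgpd wants root, the demo helper passes getuid() so it runs unprivileged), and the /tmp template used by the helper is an assumption of this example.

```c
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Returns 0 if fd refers to a regular file owned by `owner' with no
 * group/world permission bits at all, -1 otherwise (reason on stderr).
 */
int
check_file_secrecy(int fd, const char *fname, uid_t owner)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "cannot stat %s\n", fname);
		return (-1);
	}
	if (!S_ISREG(st.st_mode)) {
		fprintf(stderr, "%s: not a regular file\n", fname);
		return (-1);
	}
	if (st.st_uid != owner) {
		fprintf(stderr, "%s: owner not uid %lu\n", fname,
		    (unsigned long)owner);
		return (-1);
	}
	/* reject read as well as write bits: the file may contain keys */
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		fprintf(stderr, "%s: group/world readable/writeable\n", fname);
		return (-1);
	}
	return (0);
}

/* Demo helper: create a temp file with `mode' and run the check on it. */
int
secrecy_with_mode(mode_t mode)
{
	char path[] = "/tmp/bgpd.conf.XXXXXX";	/* assumed writable location */
	int fd, ret;

	if ((fd = mkstemp(path)) == -1)
		return (-1);
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return (-1);
	}
	ret = check_file_secrecy(fd, path, getuid());
	close(fd);
	unlink(path);
	return (ret);
}

int
main(void)
{
	printf("0600 -> %d\n", secrecy_with_mode(0600));	/* accepted */
	printf("0644 -> %d\n", secrecy_with_mode(0644));	/* rejected */
	printf("0660 -> %d\n", secrecy_with_mode(0660));	/* rejected */
	return (0);
}
```

Note that the check inspects the inode of the opened file, so a mode change between a separate stat() and the open() cannot slip through; what it cannot see is a symlink that was followed, which is why the real daemon also runs as root on a filesystem it trusts.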


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.416 20-May-2021 claudio

Properly initialize the MRT config so that mrt_reconfigure() is doing the
right thing. This also fixes the bgpd -nv output for 'dump X {in,out}'
statements for peers.
Debugged with and tested by Paul de Weerd


Revision tags: OPENBSD_6_9_BASE
# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
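
The endianness dependence described above, as an added example written for this page (not the project's code; the struct shape, the field names and the sample values are assumed): the old byte-wise comparator next to a field-wise one, applied to a constructed pair whose memcmp order flips between big- and little-endian hosts while the numeric order does not. memcmp over a struct also compares padding bytes, so the sample entries are zeroed before use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified community entry: a struct of integers like the one the parser
 * sorts. Not bgpd's real struct; the shape is assumed for illustration. */
struct community {
	uint8_t		flags;
	uint32_t	data1;
	uint32_t	data2;
	uint32_t	data3;
};

/* Pre-1.415 behaviour: compare the in-memory bytes. The result depends on
 * host byte order and also on the padding bytes after flags. */
static int
community_cmp_memcmp(const struct community *a, const struct community *b)
{
	return memcmp(a, b, sizeof(*a));
}

/* The 1.415 fix: compare each field as a number, field by field. */
static int
community_cmp_fields(const struct community *a, const struct community *b)
{
	if (a->flags != b->flags)
		return a->flags < b->flags ? -1 : 1;
	if (a->data1 != b->data1)
		return a->data1 < b->data1 ? -1 : 1;
	if (a->data2 != b->data2)
		return a->data2 < b->data2 ? -1 : 1;
	if (a->data3 != b->data3)
		return a->data3 < b->data3 ? -1 : 1;
	return 0;
}

static int
host_is_little_endian(void)
{
	uint32_t one = 1;
	uint8_t first;

	memcpy(&first, &one, 1);
	return first == 1;
}

static int
sign(int v)
{
	return (v > 0) - (v < 0);
}

/* Two constructed entries that differ only in data1: 1 versus 256. */
static void
sample_pair(struct community *a, struct community *b)
{
	memset(a, 0, sizeof(*a));
	memset(b, 0, sizeof(*b));
	a->flags = b->flags = 1;
	a->data1 = 1;
	b->data1 = 256;
}

/* Sign of the numeric comparison of the pair: always -1. */
static int
demo_field_order(void)
{
	struct community a, b;

	sample_pair(&a, &b);
	return sign(community_cmp_fields(&a, &b));
}

/* Sign of the memcmp comparison: -1 on a big-endian host, but +1 on a
 * little-endian one, where 1 is stored as 01 00 00 00 and 256 as
 * 00 01 00 00, so the first differing byte is larger for the value 1. */
static int
demo_memcmp_order(void)
{
	struct community a, b;

	sample_pair(&a, &b);
	return sign(community_cmp_memcmp(&a, &b));
}

int
main(void)
{
	printf("fields: %d, memcmp: %d (%s-endian host)\n", demo_field_order(),
	    demo_memcmp_order(), host_is_little_endian() ? "little" : "big");
	return 0;
}
```

Run on i386 or amd64 the two comparators disagree, on powerpc64 they agree, which is exactly the regress difference the commit message reports. Any output that is meant to be reproducible across machines (config dumps, sorted sets sent between processes) needs the field-wise form.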


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@
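
As an added example of the AS_SET check introduced here (example code for this page, not bgpd's): a bounds-checked walk over an AS_PATH attribute value that reports AS_SET segments, AS 0 and malformed segments, plus a small policy wrapper for the 'reject as-set yes' decision that turns such UPDATEs into withdraws. AS 0 is flagged as well because RFC 7607 requires it to be treated as a withdraw, and a malformed attribute gets the RFC 7606 treat-as-withdraw handling. The attribute bytes are constructed for the example; the function and flag names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AS_SET		1
#define AS_SEQUENCE	2

/* Result flags; 0 means well-formed with nothing to object to. */
#define ASPATH_MALFORMED	0x1	/* truncated, empty or unknown segment */
#define ASPATH_HAS_AS_SET	0x2	/* an AS_SET segment is present (RFC 6472) */
#define ASPATH_HAS_AS0		0x4	/* AS 0 appears in the path (RFC 7607) */

/* Walk an AS_PATH attribute value: a sequence of (type, count, count ASNs).
 * as4 selects 4-byte ASNs (as-4byte capability negotiated) over 2-byte ones.
 * Every length is checked before it is used, so a lying count cannot read
 * past buf. */
static unsigned int
aspath_check(const uint8_t *buf, size_t len, int as4)
{
	size_t aslen = as4 ? 4 : 2, pos = 0, i;
	unsigned int flags = 0;

	while (pos < len) {
		uint8_t type, count;

		if (len - pos < 2)
			return flags | ASPATH_MALFORMED;
		type = buf[pos];
		count = buf[pos + 1];
		pos += 2;
		if (count == 0 || (type != AS_SET && type != AS_SEQUENCE) ||
		    len - pos < count * aslen)
			return flags | ASPATH_MALFORMED;
		if (type == AS_SET)
			flags |= ASPATH_HAS_AS_SET;
		for (i = 0; i < (size_t)count; i++) {
			const uint8_t *p = buf + pos + i * aslen;
			uint32_t as = as4 ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
			    (uint32_t)p[2] << 8 | p[3] : (uint32_t)(p[0] << 8 | p[1]);

			if (as == 0)
				flags |= ASPATH_HAS_AS0;
		}
		pos += count * aslen;
	}
	return flags;
}

/* Decision for a received UPDATE: malformed paths and AS 0 are always treated
 * as withdraws (RFC 7606/7607); with 'reject as-set yes' an AS_SET segment is
 * handled the same way, as 1.412 describes. Returns 1 for withdraw, 0 accept. */
static int
aspath_treat_as_withdraw(const uint8_t *buf, size_t len, int as4, int reject_as_set)
{
	unsigned int f = aspath_check(buf, len, as4);

	if (f & (ASPATH_MALFORMED | ASPATH_HAS_AS0))
		return 1;
	return reject_as_set && (f & ASPATH_HAS_AS_SET);
}

/* Constructed sample attribute values, 4-byte ASNs. */
static const uint8_t path_seq[] = {		/* 65000 65001 */
	AS_SEQUENCE, 2, 0, 0, 0xfd, 0xe8, 0, 0, 0xfd, 0xe9 };
static const uint8_t path_set[] = {		/* 65000 {65001 65002} */
	AS_SEQUENCE, 1, 0, 0, 0xfd, 0xe8,
	AS_SET, 2, 0, 0, 0xfd, 0xe9, 0, 0, 0xfd, 0xea };
static const uint8_t path_as0[] = {		/* 65000 0 */
	AS_SEQUENCE, 2, 0, 0, 0xfd, 0xe8, 0, 0, 0, 0 };
static const uint8_t path_trunc[] = {		/* claims 3 ASNs, carries 1 */
	AS_SEQUENCE, 3, 0, 0, 0xfd, 0xe8 };

int
main(void)
{
	printf("seq 0x%x set 0x%x as0 0x%x trunc 0x%x\n",
	    aspath_check(path_seq, sizeof(path_seq), 1),
	    aspath_check(path_set, sizeof(path_set), 1),
	    aspath_check(path_as0, sizeof(path_as0), 1),
	    aspath_check(path_trunc, sizeof(path_trunc), 1));
	printf("set with reject as-set yes -> withdraw=%d\n",
	    aspath_treat_as_withdraw(path_set, sizeof(path_set), 1, 1));
	return 0;
}
```

Note that the same bytes parsed with the wrong ASN width (as4 = 0 on a 4-byte path) come out as AS 0 followed by a malformed segment, so a mismatch between the negotiated capability and the parser is caught rather than silently producing a plausible looking path.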


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
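
As an added example of the origin validation semantics behind the roa-set and the ovs valid / invalid / not-found rules above, and of the later 1.405 rule that merges duplicate prefix / source-as entries by keeping the longest maxlen, here is code written for this page (not bgpd's): IPv4 only, a fixed-size table, and assumed function names. The sample table holds the two VRPs from the roa-set above plus a constructed duplicate pair. The states follow RFC 6811: a route is not-found when no VRP covers its prefix, valid when a covering VRP also matches maxlen and source-as, and invalid otherwise.

```c
#include <stdint.h>
#include <stdio.h>

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

struct roa {
	uint32_t prefix;		/* IPv4, host byte order, host bits zero */
	uint8_t prefixlen, maxlen;
	uint32_t source_as;
};

#define ROA_MAX 64		/* assumed capacity for this example */
struct roa_table { struct roa entries[ROA_MAX]; size_t n; };

static uint32_t
netmask(uint8_t len) { return len == 0 ? 0 : 0xffffffffU << (32 - len); }

/* Dotted quad to host byte order; -1 on malformed input. */
static int
parse_ipv4(const char *s, uint32_t *out)
{
	unsigned int a, b, c, d; char tail;
	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return -1;
	*out = a << 24 | b << 16 | c << 8 | d;
	return 0;
}

/* Add a VRP. A (prefix, prefixlen, source-as) triple already present is merged
 * by keeping the longest maxlen, since that VRP covers the others (1.405). */
static int
roa_add(struct roa_table *t, const char *pfx, uint8_t plen, uint8_t maxlen,
    uint32_t as)
{
	uint32_t p; size_t i;
	if (parse_ipv4(pfx, &p) == -1 || plen > 32 || maxlen > 32 ||
	    maxlen < plen)
		return -1;
	p &= netmask(plen);
	for (i = 0; i < t->n; i++) {
		struct roa *r = &t->entries[i];
		if (r->prefix == p && r->prefixlen == plen && r->source_as == as) {
			if (maxlen > r->maxlen)
				r->maxlen = maxlen;
			return 0;
		}
	}
	if (t->n >= ROA_MAX)
		return -1;
	t->entries[t->n++] = (struct roa){ p, plen, maxlen, as };
	return 0;
}

/* RFC 6811 state for a route. A malformed prefix is reported invalid so that
 * a 'deny from any ovs invalid' rule drops it rather than letting it through. */
static enum ovs
roa_validate(const struct roa_table *t, const char *pfx, uint8_t plen,
    uint32_t as)
{
	uint32_t p; size_t i; int covered = 0;
	if (parse_ipv4(pfx, &p) == -1 || plen > 32)
		return OVS_INVALID;
	for (i = 0; i < t->n; i++) {
		const struct roa *r = &t->entries[i];
		if (plen < r->prefixlen || (p & netmask(r->prefixlen)) != r->prefix)
			continue;		/* this VRP does not cover the route */
		covered = 1;
		if (plen <= r->maxlen && r->source_as == as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

/* The two VRPs from the roa-set above plus a constructed duplicate pair
 * (1.2.8.0/22 source-as 3 with maxlen 22 and 24) that merges into one entry. */
static const struct roa_table *
sample_table(void)
{
	static struct roa_table t;
	static int built;
	if (!built) {
		roa_add(&t, "165.254.255.0", 24, 24, 15562);
		roa_add(&t, "193.0.0.0", 21, 24, 3333);
		roa_add(&t, "1.2.8.0", 22, 22, 3);
		roa_add(&t, "1.2.8.0", 22, 24, 3);
		built = 1;
	}
	return &t;
}

int
main(void)
{
	const struct roa_table *t = sample_table();
	printf("%zu VRPs; 193.0.4.0/23 AS3333 -> state %d (0 not-found, 1 valid, 2 invalid)\n",
	    t->n, (int)roa_validate(t, "193.0.4.0", 23, 3333));
	return 0;
}
```

The merge matters for correctness, not just memory: if the duplicate with maxlen 22 were kept on its own, 1.2.10.0/24 from AS 3 would be covered but not matched and so be marked invalid, while the maxlen 24 entry that covers it says it is valid.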


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Clean up RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@
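
How the draft-ietf-idr-shutdown data field from 1.294 is built and checked on receipt, as an added example that is not bgpd's session engine code. The field is one length octet followed by up to 128 bytes of UTF-8, as in the draft and in RFC 8203 that followed it; the function names, the strict length match and the sanitizing step before logging are choices made for this example, and the sample fields are constructed rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHUTDOWN_MSG_MAX 128	/* one length octet, then at most 128 bytes of UTF-8 */

/* 1 if buf[0..len) is well-formed UTF-8: no overlongs, surrogates or > U+10FFFF. */
int
utf8_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0, k, n = 0;
	uint32_t cp = 0, min = 0;

	while (i < len) {
		uint8_t c = buf[i];
		if (c < 0x80) { i++; continue; }
		if ((c & 0xe0) == 0xc0) { n = 1; cp = c & 0x1f; min = 0x80; }
		else if ((c & 0xf0) == 0xe0) { n = 2; cp = c & 0x0f; min = 0x800; }
		else if ((c & 0xf8) == 0xf0) { n = 3; cp = c & 0x07; min = 0x10000; }
		else return 0;
		if (i + n >= len)
			return 0;	/* continuation bytes missing */
		for (k = 1; k <= n; k++) {
			if ((buf[i + k] & 0xc0) != 0x80)
				return 0;
			cp = (cp << 6) | (buf[i + k] & 0x3f);
		}
		if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
			return 0;
		i += n + 1;
	}
	return 1;
}

/* Build the NOTIFICATION data field for msg; returns its size or -1. */
int
shutdown_comm_encode(const char *msg, uint8_t *out, size_t outlen)
{
	size_t mlen = strlen(msg);
	if (mlen > SHUTDOWN_MSG_MAX || outlen < mlen + 1 ||
	    !utf8_valid((const uint8_t *)msg, mlen))
		return -1;
	out[0] = (uint8_t)mlen;
	memcpy(out + 1, msg, mlen);
	return (int)(mlen + 1);
}

/* Validate a received field and copy the text out NUL terminated. Returns the
 * text length, or -1 if the field is empty, the length octet disagrees with
 * the bytes actually received, the text is not UTF-8, or out is too small. */
int
shutdown_comm_decode(const uint8_t *data, size_t datalen, char *out,
    size_t outlen)
{
	size_t mlen;
	if (datalen < 1)
		return -1;
	mlen = data[0];
	if (mlen > SHUTDOWN_MSG_MAX || mlen + 1 != datalen || outlen < mlen + 1)
		return -1;
	if (!utf8_valid(data + 1, mlen))
		return -1;
	memcpy(out, data + 1, mlen);
	out[mlen] = '\0';
	return (int)mlen;
}

/* The peer chose this text and it ends up in syslog and bgpctl output, so
 * replace control characters first: a newline or ESC could otherwise forge a
 * log line or a terminal escape sequence. Returns how many were replaced. */
int
shutdown_comm_sanitize(char *s)
{
	int n = 0;
	for (; *s != '\0'; s++)
		if ((unsigned char)*s < 0x20 || (unsigned char)*s == 0x7f) {
			*s = '?';
			n++;
		}
	return n;
}

/* Constructed sample fields, not captured traffic. */
static const uint8_t sample_ok[] = { 7, 'g', 'o', 'o', 'd', 'b', 'y', 'e' };
static const uint8_t sample_ctrl[] = { 8, 'b', 'y', 'e', '\n', 'r', 'o', 'o', 't' };
static const uint8_t sample_badutf8[] = { 2, 0xc0, 0xaf };	/* overlong '/' */
static char decoded[SHUTDOWN_MSG_MAX + 1];
static uint8_t encoded[SHUTDOWN_MSG_MAX + 1];

int
main(void)
{
	if (shutdown_comm_decode(sample_ctrl, sizeof(sample_ctrl), decoded,
	    sizeof(decoded)) >= 0 && shutdown_comm_sanitize(decoded) >= 0)
		printf("marked down with shutdown reason \"%s\"\n", decoded);
	return 0;
}
```

A decode failure is not a reason for any further action: the session is being torn down by the NOTIFICATION anyway, so the receiver simply logs the shutdown without a reason string. The sanitizing step is the part worth keeping in mind whenever the log line shown in the commit message is produced from peer-supplied text.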


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
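
The two filters described in 1.255 above, evaluated on an AS path handed over as a plain array of 32-bit AS numbers. This is an added example written for this log, not bgpd's own filter code: bgpd walks the wire-format AS_PATH attribute, and the array form, the function names and the sample paths (documentation AS numbers 64496 to 64498, constructed here) are assumptions of the example so that it runs on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Longest run of one AS number repeated back to back in the path; a
 * prepend of 64496 64496 64496 is a run of 3. 0 for an empty path.
 */
size_t
aspath_longest_run(const uint32_t *path, size_t len)
{
	size_t i, run = 0, longest = 0;

	for (i = 0; i < len; i++) {
		if (i > 0 && path[i] == path[i - 1])
			run++;
		else
			run = 1;
		if (run > longest)
			longest = run;
	}
	return longest;
}

/* max-as-len N: matches when the path carries more than N AS numbers. */
int
aspath_match_maxlen(const uint32_t *path, size_t len, size_t maxlen)
{
	(void)path;	/* only the count matters for this filter */
	return len > maxlen;
}

/* max-as-seq N: matches when one AS appears more than N times in a row. */
int
aspath_match_maxseq(const uint32_t *path, size_t len, size_t maxseq)
{
	return aspath_longest_run(path, len) > maxseq;
}

/* Constructed sample paths using documentation AS numbers, not real routes. */
static const uint32_t path_plain[] = { 64496, 64497, 64498 };
#define PATH_PLAIN_LEN (sizeof(path_plain) / sizeof(path_plain[0]))
static const uint32_t path_prepend[] = { 64496, 64496, 64496, 64496, 64497 };
#define PATH_PREPEND_LEN (sizeof(path_prepend) / sizeof(path_prepend[0]))

int
main(void)
{
	printf("plain:   max-as-len 3 -> %d, max-as-seq 3 -> %d\n",
	    aspath_match_maxlen(path_plain, PATH_PLAIN_LEN, 3),
	    aspath_match_maxseq(path_plain, PATH_PLAIN_LEN, 3));
	printf("prepend: max-as-len 3 -> %d, max-as-seq 3 -> %d (run of %zu)\n",
	    aspath_match_maxlen(path_prepend, PATH_PREPEND_LEN, 3),
	    aspath_match_maxseq(path_prepend, PATH_PREPEND_LEN, 3),
	    aspath_longest_run(path_prepend, PATH_PREPEND_LEN));
	return 0;
}
```

The plain three-hop path passes both checks with a limit of 3, while the four-fold prepend trips both: it is longer than 3 hops and contains a run of 4. In a deny rule the two behave differently in practice: max-as-len bounds the total work a path can cause downstream, max-as-seq is the one that catches prepend abuse while leaving legitimately long paths alone.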


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.
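
AS number and classic community parsing that ties together several entries above: ASPLAIN 32-bit input (1.224), AS 0 rejected as in 1.301 and RFC 7607, AS 65535 reserved (1.199), 0 accepted but 65535 refused in the AS half of a community (1.205, 1.206), the "*" and neighbor-as wildcards kept outside the unsigned range (1.295), and the fact that a classic community only fits a 2-byte AS (1.204). This is an added example, not bgpd's parsecommunity() or its grammar actions: the function names, the int64_t representation and the scratch variables are assumptions of the example, strtoull stands in for OpenBSD's strtonum() so the block is portable, and the check on 4294967295 goes beyond this log (RFC 7300 reserves that value alongside 65535).

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COMMUNITY_ANY		(-1)	/* "*" */
#define COMMUNITY_NEIGHBOR_AS	(-2)	/* "neighbor-as", expanded per peer */
struct community {
	int64_t	as;	/* int64_t, not u_int: room for the wildcards (1.295) */
	int64_t	data;
};

/* ASPLAIN AS number. Rejects 0 (RFC 7607), 65535 and 4294967295 (RFC 7300). */
int
parse_asnum(const char *s, uint32_t *as)
{
	unsigned long long v;
	char *ep;

	if (!isdigit((unsigned char)s[0]))
		return -1;	/* also rejects a leading sign */
	errno = 0;
	v = strtoull(s, &ep, 10);	/* portable stand-in for strtonum() */
	if (errno != 0 || *ep != '\0' || v > UINT32_MAX)
		return -1;
	if (v == 0 || v == 65535 || v == UINT32_MAX)
		return -1;
	*as = (uint32_t)v;
	return 0;
}

/* One half of "as:data": a 16-bit number, "*" or (AS half only) "neighbor-as". */
static int
parse_comm_field(const char *s, int64_t *v, int allow_neighbor_as)
{
	unsigned long long n;
	char *ep;

	if (strcmp(s, "*") == 0) {
		*v = COMMUNITY_ANY;
		return 0;
	}
	if (allow_neighbor_as && strcmp(s, "neighbor-as") == 0) {
		*v = COMMUNITY_NEIGHBOR_AS;
		return 0;
	}
	if (!isdigit((unsigned char)s[0]))
		return -1;
	errno = 0;
	n = strtoull(s, &ep, 10);
	if (errno != 0 || *ep != '\0' || n > 65535)
		return -1;
	*v = (int64_t)n;
	return 0;
}

/* "as:data". AS 0 is accepted (1.205); 65535 is the well-known range (1.206). */
int
parse_community(const char *str, struct community *c)
{
	char buf[32], *sep;

	if (strlen(str) >= sizeof(buf))
		return -1;
	strcpy(buf, str);
	if ((sep = strchr(buf, ':')) == NULL)
		return -1;
	*sep++ = '\0';
	if (parse_comm_field(buf, &c->as, 1) == -1 ||
	    parse_comm_field(sep, &c->data, 0) == -1)
		return -1;
	if (c->as == 65535)
		return -1;
	return 0;
}

/* Expand neighbor-as for one peer; a classic community holds a 2-byte AS only (1.204). */
int
community_expand(struct community *c, uint32_t remote_as)
{
	if (c->as == COMMUNITY_NEIGHBOR_AS) {
		if (remote_as >= 65535)
			return -1;
		c->as = remote_as;
	}
	return 0;
}

static uint32_t t_as;		/* scratch shared by main() and callers */
static struct community t_c;

int
main(void)
{
	if (parse_community("neighbor-as:*", &t_c) == -1 ||
	    community_expand(&t_c, 64512) == -1)
		return 1;
	return parse_asnum("0", &t_as) == -1 ? 0 : 1;
}
```

The expansion step is where a 4-byte peer bites: "neighbor-as:*" parses fine, but for a remote AS above 65534 there is no 2-byte value to substitute, so the rule cannot be instantiated for that peer and the caller has to treat it as a configuration error rather than silently matching nothing.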


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning
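
A quoted-string reader that applies the lexer rules from 1.189 and 1.211 above (\<char> is <char>, \<newline> is a line continuation) together with the embedded-NUL rejection from 1.275. This is an added example for this log, not the yylex() code in parse.y: it reads from a memory buffer rather than through lgetc(), and the function name, its return convention and the constructed inputs are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Read one double-quoted string from in[0..inlen) into out. \<char>
 * yields <char>, so \" and \\ work and "\ " keeps its space; \<newline>
 * is a line continuation and yields nothing. Returns the number of input
 * bytes consumed, quotes included, or -1 for an unterminated string, a
 * dangling backslash, an output buffer that is too small, or an embedded
 * NUL byte. The NUL case is the dangerous one: everything downstream
 * treats the result as a C string, so the length the lexer counted and
 * the length strlen() later reports would silently disagree.
 */
int
lex_quoted_string(const char *in, size_t inlen, char *out, size_t outlen)
{
	size_t i, o = 0;

	if (inlen == 0 || in[0] != '"')
		return -1;
	for (i = 1; i < inlen; i++) {
		char c = in[i];

		if (c == '"')
			break;
		if (c == '\\') {
			if (i + 1 >= inlen)
				return -1;	/* dangling backslash */
			c = in[++i];
			if (c == '\n')
				continue;	/* line continuation */
		}
		if (c == '\0')
			return -1;		/* embedded NUL: reject, do not truncate */
		if (o + 1 >= outlen)
			return -1;		/* no room left for the terminator */
		out[o++] = c;
	}
	if (i >= inlen)
		return -1;			/* input ended before the closing quote */
	out[o] = '\0';
	return (int)(i + 1);
}

/* Constructed inputs; sizeof(x) - 1 is the length without the C terminator. */
static const char sample_plain[] = "\"hello world\" rest";
static const char sample_escape[] = "\"a\\\"b\"";
static const char sample_cont[] = "\"ab\\\ncd\"";
static const char sample_nul[] = "\"abc\0def\"";	/* 9 bytes, NUL in the middle */
static const char sample_unterm[] = "\"abc";
static char lexed[64];

int
main(void)
{
	int n = lex_quoted_string(sample_nul, sizeof(sample_nul) - 1, lexed,
	    sizeof(lexed));

	printf("embedded NUL: %s\n", n < 0 ? "rejected" : "accepted");
	return n < 0 ? 0 : 1;
}
```

Note that the NUL check sits after the escape handling on purpose, so that "\" followed by a NUL byte is refused as well; a lexer that only tested the raw byte before unescaping would let that variant through.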


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragement from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
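The nexthop sanity check this entry mentions, as an added example (not bgpd's code): reject class D (224/4), class E (240/4) and 127/8 nexthops after converting the address to host byte order. The function name and the sample addresses are constructed for the demonstration.

```c
/*
 * Added example, not bgpd's code: the IPv4 nexthop validity check described
 * in the log entry above.  nexthop_valid() and the samples are constructed.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if the dotted-quad nexthop is acceptable, 0 otherwise
 * (unparsable input, class D multicast, class E reserved, or 127/8). */
int
nexthop_valid(const char *dotted)
{
	struct in_addr in;
	uint32_t a;

	if (inet_pton(AF_INET, dotted, &in) != 1)
		return 0;
	a = ntohl(in.s_addr);	/* mask tests below are in host byte order */

	if ((a & 0xf0000000U) == 0xe0000000U)	/* 224/4: class D, multicast */
		return 0;
	if ((a & 0xf0000000U) == 0xf0000000U)	/* 240/4: class E, reserved */
		return 0;
	if ((a & 0xff000000U) == 0x7f000000U)	/* 127/8: loopback */
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed samples: one documentation address and three rejects. */
	const char *samples[] = { "192.0.2.1", "224.0.0.5", "240.1.2.3", "127.0.0.1" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-12s %s\n", samples[i],
		    nexthop_valid(samples[i]) ? "ok" : "rejected");
	return 0;
}
```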


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.415 15-Apr-2021 bluhm

On powerpc64 regress/usr.sbin/bgpd/config failed. It parses a
config file, writes bgpd's config to stdout and compares it with
an expected output. On big endian machines the order of the set
of communities is different. The parser used memcmp(3) to sort a
struct of integers. This depends on the endianness. The correct
way is to compare the integer fields in native byte order. With
this change, the resulting order is the same on i386 and powerpc64.
OK claudio@
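The sorting bug this entry fixes, as an added example that is not bgpd's code: a memcmp() comparator and a field-wise comparator run over the same constructed set of community-like structs, with a helper that reports whether the two orders agree on the host running it. The three-field struct, its sample values and the helper names are constructed; bgpd's real struct community and its comparator differ.

```c
/*
 * Added example, not bgpd's code: why memcmp() is the wrong way to sort a
 * struct of integers.  The struct, samples and helper names are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for bgpd's struct community; three uint32_t, no padding. */
struct community {
	uint32_t flags;
	uint32_t data1;
	uint32_t data2;
};

/* The old approach: byte-wise comparison of the raw struct.  The result
 * depends on how the host lays out a uint32_t in memory. */
static int
community_cmp_memcmp(const void *a, const void *b)
{
	return memcmp(a, b, sizeof(struct community));
}

/* The fix: compare the integer fields in native byte order, one by one. */
static int
community_cmp_fields(const void *pa, const void *pb)
{
	const struct community *a = pa, *b = pb;

	if (a->flags != b->flags)
		return a->flags < b->flags ? -1 : 1;
	if (a->data1 != b->data1)
		return a->data1 < b->data1 ? -1 : 1;
	if (a->data2 != b->data2)
		return a->data2 < b->data2 ? -1 : 1;
	return 0;
}

int
host_is_little_endian(void)
{
	uint32_t x = 1;
	unsigned char c;

	memcpy(&c, &x, 1);
	return c == 1;
}

/* Constructed sample: data2 values 256 and 1 under equal flags/data1.
 * Numerically 1 < 256, but on a little-endian host 256 is stored as
 * 00 01 00 00 and 1 as 01 00 00 00, so memcmp() puts 256 first. */
#define NSAMPLE 3
static const struct community sample[NSAMPLE] = {
	{ 0, 64496, 256 },
	{ 0, 64496, 1 },
	{ 0, 64497, 0 },
};

static void
sort_copy(struct community *out, int (*cmp)(const void *, const void *))
{
	memcpy(out, sample, sizeof(sample));
	qsort(out, NSAMPLE, sizeof(out[0]), cmp);
}

/* data2 of the first element after a field-wise sort: 1 on every host. */
uint32_t
first_data2_fields(void)
{
	struct community s[NSAMPLE];

	sort_copy(s, community_cmp_fields);
	return s[0].data2;
}

/* data2 of the first element after a memcmp() sort: 1 on big-endian
 * hosts, 256 on little-endian ones. */
uint32_t
first_data2_memcmp(void)
{
	struct community s[NSAMPLE];

	sort_copy(s, community_cmp_memcmp);
	return s[0].data2;
}

/* 1 if both comparators yield the same order on this host, else 0. */
int
orders_agree(void)
{
	struct community a[NSAMPLE], b[NSAMPLE];

	sort_copy(a, community_cmp_fields);
	sort_copy(b, community_cmp_memcmp);
	return memcmp(a, b, sizeof(a)) == 0;
}

int
main(void)
{
	printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
	printf("first data2, field compare: %u\n", (unsigned)first_data2_fields());
	printf("first data2, memcmp:        %u\n", (unsigned)first_data2_memcmp());
	printf("orders agree: %s\n", orders_agree() ? "yes" : "no");
	return 0;
}
```

On i386/amd64 the two orders differ and the regress test's printed config would differ from powerpc64's; with the field-wise comparator both hosts produce the same order. The comparator also avoids reading any padding bytes, which memcmp() on a struct with padding would compare as well.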


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows configuring both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow sending out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message); any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian
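One way to implement the relaxed check described above, as an added example in C that is not bgpd's own code: the names cfg_mode_ok, cfg_owner_ok, check_file_secrecy and check_scratch_file are chosen for this illustration, and the scratch file it creates is constructed test input. The policy is the one the message states: owner must be root or the calling user, group may read but not write or execute, and "other" gets nothing, because the config can carry session secrets such as TCP MD5 or IPsec keys.

```c
/*
 * Added example (not bgpd's code): config file secrecy check that allows
 * group readability but nothing else beyond the owner.
 */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Mode bits that must be clear: group write/exec and all of "other". */
#define CFG_FORBIDDEN_BITS	(S_IWGRP | S_IXGRP | S_IRWXO)

/* Returns 1 when the permission bits are acceptable, 0 otherwise. */
int
cfg_mode_ok(mode_t mode)
{
	return (mode & CFG_FORBIDDEN_BITS) == 0;
}

/* Returns 1 when the owner is root or the user running the daemon. */
int
cfg_owner_ok(uid_t uid)
{
	return uid == 0 || uid == getuid();
}

/*
 * Check an already opened config file.  Looking at the open descriptor
 * rather than the path avoids a race between stat() and open().
 * Returns 0 if the file is acceptable, -1 (with a message) otherwise.
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "%s: cannot stat\n", fname);
		return -1;
	}
	if (!cfg_owner_ok(st.st_uid)) {
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return -1;
	}
	if (!cfg_mode_ok(st.st_mode)) {
		fprintf(stderr, "%s: group writable or world accessible\n",
		    fname);
		return -1;
	}
	return 0;
}

/*
 * Constructed test input: create a scratch file with the given permission
 * bits, run the check on it and clean up.  Returns the check's result.
 */
int
check_scratch_file(mode_t mode)
{
	char path[] = "/tmp/cfg-secrecy-XXXXXX";
	int fd, rv;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (fchmod(fd, mode) == -1) {
		close(fd);
		unlink(path);
		return -1;
	}
	rv = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return rv;
}

int
main(void)
{
	/* 0640 is the relaxed case the message allows; 0644 is still rejected. */
	printf("0640: %s\n", check_scratch_file(0640) == 0 ? "ok" : "rejected");
	printf("0644: %s\n", check_scratch_file(0644) == 0 ? "ok" : "rejected");
	return 0;
}
```

A daemon should run this on the descriptor it is about to parse, not on a path it stats first, so that a file swapped in between the two calls cannot bypass the check.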


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
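The matching semantics of the two filters, as an added example in C that is not bgpd's own code: the names aspath_max_seq, max_as_len_match and max_as_seq_match, and the sample paths, are constructed for this illustration. A prepended path shows up as a long run of one AS number, which is exactly what max-as-seq is meant to catch, while max-as-len only looks at the total number of hops.

```c
/*
 * Added example (not bgpd's code): how the max-as-len and max-as-seq
 * filters decide whether an AS path matches.  AS numbers are 4-byte
 * values; the path is the AS_SEQUENCE as seen by the receiving router.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Longest run of consecutive identical AS numbers (0 for an empty path).
 * A long run is the signature of an AS path prepend. */
size_t
aspath_max_seq(const uint32_t *path, size_t n)
{
	size_t i, run = 0, best = 0;

	for (i = 0; i < n; i++) {
		if (i > 0 && path[i] == path[i - 1])
			run++;
		else
			run = 1;
		if (run > best)
			best = run;
	}
	return best;
}

/* "max-as-len N" matches when the path holds more than N AS numbers. */
int
max_as_len_match(const uint32_t *path, size_t n, size_t limit)
{
	(void)path;	/* only the length matters here */
	return n > limit;
}

/* "max-as-seq N" matches when one AS appears more than N times in a row. */
int
max_as_seq_match(const uint32_t *path, size_t n, size_t limit)
{
	return aspath_max_seq(path, n) > limit;
}

/* Constructed sample paths (not real routing data). */
const uint32_t sample_prepended[] = { 65001, 65001, 65001, 65001, 3320, 174 };
const size_t sample_prepended_len = 6;
const uint32_t sample_plain[] = { 3320, 174, 65010 };
const size_t sample_plain_len = 3;

int
main(void)
{
	/* A "deny ... max-as-seq 3" rule catches the 4x prepend but not the
	 * plain path; "max-as-len 5" catches only the longer path. */
	printf("prepended: max-as-seq 3 %s, max-as-len 5 %s\n",
	    max_as_seq_match(sample_prepended, sample_prepended_len, 3) ?
	    "matches" : "no match",
	    max_as_len_match(sample_prepended, sample_prepended_len, 5) ?
	    "matches" : "no match");
	printf("plain: max-as-seq 3 %s, max-as-len 5 %s\n",
	    max_as_seq_match(sample_plain, sample_plain_len, 3) ?
	    "matches" : "no match",
	    max_as_len_match(sample_plain, sample_plain_len, 5) ?
	    "matches" : "no match");
	return 0;
}
```

Both predicates are "strictly longer than", matching the wording of the message, so "max-as-seq 3" lets a triple prepend through and rejects a quadruple one.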


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
in a protocol independent way. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.414 02-Mar-2021 claudio

Introduce 'rde evaluate all' a mode to work around path hiding in IXP
route-server environments.

By default only the best path is sent to peers and if that path is filtered
then the path is hidden for that peer. On route-servers this is sometimes
not desired. For this 'rde evaluate all' will cause the evaluation process
to fall back to alternate routes and will redistribute the first non-filtered
path to the peer. This is very similar to per-peer RIBs but accomplishes
the same effect without the massive increase in memory usage. Compared to
the default mode this requires more CPU resources but it is probably less
than what per-peer RIBs would require.

'rde evaluate all' can be set and reset globally, on groups and on individual
neighbors. It is not limited to route-server configs but route loops are
possible if not properly used.

OK benno@


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters, the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than
one community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies an earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since the prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
    1.2.3.0/24 source-as 1,
    1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@
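
The roa-set syntax introduced in 1.356 and the ovs (origin validation state) it feeds in 1.361 can be exercised in a few lines. The following is an added example written for this page, not code from OpenBSD bgpd: it parses a roa-set block of the form quoted above (optional name, items separated by newlines and/or commas, `maxlen` defaulting to the prefix length) and classifies a prefix/origin pair as valid, invalid or not-found following the RFC 6811 procedure, then maps the state onto the three filter actions from the 1.361 message. The sample roa-set and the routes fed to it are constructed; bgpd does this in C inside the RDE and this Python only models the same decision.

```python
"""Model of bgpd roa-set parsing and RFC 6811 origin validation (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the syntax of the roa-set blocks quoted in the log.
SAMPLE_ROA_SET = '''
roa-set "test2" {
    165.254.255.0/24 source-as 15562,
    193.0.0.0/21 maxlen 24 source-as 3333
    2001:db8::/32 maxlen 48 source-as 64496
}
'''


@dataclass(frozen=True)
class Roa:
    """One VRP: prefix, maximum announced length, authorised origin AS."""
    prefix: Network
    maxlen: int
    source_as: int


_BLOCK = re.compile(r'roa-set\s*(?:"(?P<name>[^"]*)"\s*)?\{(?P<body>.*?)\}', re.S)
_ITEM = re.compile(
    r"^(?P<prefix>\S+)(?:\s+maxlen\s+(?P<maxlen>\d+))?\s+source-as\s+(?P<asn>\d+)$")


def parse_roa_set(text: str) -> Tuple[Optional[str], List[Roa]]:
    """Parse one roa-set block; items may be separated by newlines and/or commas."""
    m = _BLOCK.search(text)
    if m is None:
        raise ValueError("no roa-set block found")
    roas: List[Roa] = []
    for raw in re.split(r"[,\n]", m.group("body")):
        item = raw.strip()
        if not item:
            continue
        im = _ITEM.match(item)
        if im is None:
            raise ValueError(f"cannot parse roa-set item: {item!r}")
        prefix = ipaddress.ip_network(im.group("prefix"), strict=True)
        # Without an explicit maxlen only the exact prefix length is authorised.
        maxlen = int(im.group("maxlen")) if im.group("maxlen") else prefix.prefixlen
        if not prefix.prefixlen <= maxlen <= prefix.max_prefixlen:
            raise ValueError(f"maxlen out of range in {item!r}")
        asn = int(im.group("asn"))
        if asn > 0xFFFFFFFF:
            raise ValueError(f"AS number out of range in {item!r}")
        roas.append(Roa(prefix, maxlen, asn))
    return m.group("name"), roas


def validate_origin(roas: List[Roa], prefix: str, source_as: int) -> str:
    """RFC 6811: 'valid' if a covering VRP matches origin AS and maxlen,
    'invalid' if the prefix is covered but nothing matches, else 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        # Origin AS 0 is never a valid origin (RFC 7607); an AS 0 VRP therefore
        # only ever covers, so every announcement under it comes out 'invalid'.
        if source_as != 0 and roa.source_as == source_as and route.prefixlen <= roa.maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


# The three filter lines from the 1.361 message as a lookup: state -> action.
POLICY = {
    "invalid": ("deny", None),
    "valid": ("match", "local-as:42"),
    "not-found": ("match", "local-as:43"),
}


def filter_update(roas: List[Roa], prefix: str, source_as: int) -> Tuple[str, Optional[str]]:
    """Apply the ovs policy to one announcement: (action, community to set)."""
    return POLICY[validate_origin(roas, prefix, source_as)]


if __name__ == "__main__":
    name, table = parse_roa_set(SAMPLE_ROA_SET)
    for pfx, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                     ("193.0.0.0/22", 3333), ("193.0.0.0/21", 65000),
                     ("10.0.0.0/8", 64512), ("2001:db8:1::/48", 64496)]:
        state = validate_origin(table, pfx, asn)
        print(f"{pfx:>20} AS{asn:<6} {state:>9} -> {filter_update(table, pfx, asn)}")
```

The two cases worth noticing are the ones operators most often get wrong: a more specific under a ROA without `maxlen` is invalid even from the right origin, and a prefix nobody has a ROA for is not-found, never invalid.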


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators; time
to clean it up and while there incorporate the RFC 8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
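
The quoted-string rules that 1.362 describes (inside quotes, a backslash followed by space or tab yields that character, and a backslash followed by newline is a line continuation) and the embedded-NUL rejection from 1.275 are the kind of lexer behaviour worth testing in isolation, since the afl finding shows what an unchecked `\0` does to the C string downstream. Below is an added example, not the parse.y lexer itself: a Python model of lexing one double-quoted token. Only the rules stated in the two messages come from the page; the remaining behaviour (backslash-quote yields a literal quote, a bare newline inside quotes is dropped but counted, any other backslash is kept literally, and a length cap) is my assumption about the shared OpenBSD lexer and is labelled as such in the code. The inputs in the `__main__` block are constructed.

```python
"""Model of the quoted-string rules of the shared OpenBSD config lexer (added example)."""
from typing import List, Optional, Tuple

MAX_STRING = 8192   # assumption: the C lexer has a fixed buffer; a cap is kept here too


class LexError(Exception):
    pass


def lex_quoted(src: str, pos: int, lineno: int = 1) -> Tuple[str, int, int]:
    """Lex one double-quoted string starting at src[pos].

    Returns (value, position after the closing quote, updated line number).
    From the log: backslash-space and backslash-tab yield a space or tab and
    backslash-newline is a line continuation (1.362); an embedded NUL is an
    error instead of silently truncating the string (1.275).
    Assumptions not stated on the page: backslash-quote yields a literal quote,
    a bare newline inside quotes is dropped but counted, and any other backslash
    is kept literally with the following character lexed normally."""
    if pos >= len(src) or src[pos] != '"':
        raise LexError(f"line {lineno}: expected opening quote")
    out: List[str] = []
    i = pos + 1
    while True:
        if i >= len(src):
            raise LexError(f"line {lineno}: unterminated string")
        c = src[i]
        i += 1
        if c == "\n":
            lineno += 1            # assumption: newline inside quotes is skipped
            continue
        if c == "\\":
            if i >= len(src):
                raise LexError(f"line {lineno}: unterminated string")
            nxt = src[i]
            if nxt in ('"', " ", "\t"):
                c = nxt            # escaped quote, space or tab
                i += 1
            elif nxt == "\n":
                lineno += 1        # line continuation: emit nothing
                i += 1
                continue
            # otherwise keep the backslash; nxt is handled by the next iteration
        elif c == '"':
            return "".join(out), i, lineno
        elif c == "\0":
            raise LexError(f"line {lineno}: embedded NUL in string")
        out.append(c)
        if len(out) > MAX_STRING:
            raise LexError(f"line {lineno}: string too long")


def try_lex(src: str) -> Optional[str]:
    """Value of the quoted string at the start of src, or None if the lexer rejects it."""
    try:
        return lex_quoted(src, 0)[0]
    except LexError:
        return None


if __name__ == "__main__":
    # Constructed inputs; the backslashes are the ones a config file would contain.
    for sample in ['"test-peer"', '"my\\ peer"', '"line\\\ncontinued"',
                   '"say \\"hi\\""', '"keep\\x"', '"a\0b"', '"unterminated']:
        print(repr(sample), "->", repr(try_lex(sample)))
```

Rejecting the NUL at the lexer is the right layer: once the token has been copied into a fixed C buffer, every later `strlen`-based consumer sees a shorter string than the one the parser counted, which is exactly the mismatch the fuzzer hit.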


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
    descr "CUSTOMER1"
    rd 65003:1
    import-target rt 65003:3
    export-target rt 65003:1
    depend on mpe0
    network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier to
support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASNs written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudi needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered into the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen now knows 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.413 16-Feb-2021 claudio

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more then
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let the rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Clean up RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@
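As an added example (not bgpd's own code) of the filter semantics described in the 1.332 and 1.287 entries: the four as-path operators plus 'neighbor-as' resolved inside as_compare() by passing the neighbor's AS down. The enum names, the AS_NEIGHBOR marker, the flat uint32_t path array and the sample filters are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical operator set, modelled on the bgpd.conf syntax named in the
 * log (=, !=, - for a range, >< for an exclusive range). The names are
 * constructed for this example and are not bgpd's own enum.
 */
enum as_op { AS_OP_EQ, AS_OP_NE, AS_OP_RANGE, AS_OP_XRANGE };

/* Constructed marker meaning 'neighbor-as'; resolved inside as_compare(). */
#define AS_NEIGHBOR	UINT32_MAX

struct as_filter {
	enum as_op	op;
	uint32_t	as_min;	/* the AS for unary ops, range start otherwise */
	uint32_t	as_max;	/* range end; unused for unary ops */
};

/*
 * Return 1 when one AS out of the path satisfies the filter. The neighbor's
 * AS is passed down so that 'neighbor-as' is substituted here instead of by
 * the caller, which is the restructuring the 1.332 entry describes.
 */
int
as_compare(const struct as_filter *f, uint32_t as, uint32_t neighbor_as)
{
	uint32_t lo = f->as_min, hi = f->as_max;

	if (lo == AS_NEIGHBOR)
		lo = neighbor_as;
	if (hi == AS_NEIGHBOR)
		hi = neighbor_as;

	switch (f->op) {
	case AS_OP_EQ:
		return as == lo;
	case AS_OP_NE:
		return as != lo;
	case AS_OP_RANGE:	/* a - b: inclusive on both ends */
		return as >= lo && as <= hi;
	case AS_OP_XRANGE:	/* a >< b: exclusive on both ends */
		return as > lo && as < hi;
	}
	return 0;
}

/* Match when any AS in the (already decoded) path satisfies the filter. */
int
aspath_match(const uint32_t *path, size_t n, const struct as_filter *f,
    uint32_t neighbor_as)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (as_compare(f, path[i], neighbor_as))
			return 1;
	return 0;
}

/* Constructed sample AS path using documentation AS numbers (RFC 5398). */
static const uint32_t sample_path[] = { 64496, 64497, 64497, 64498 };
#define SAMPLE_PATH_LEN	(sizeof(sample_path) / sizeof(sample_path[0]))

/* Constructed sample filters: 'AS 64496 >< 64498', 'AS 64496 - 64498',
 * 'AS != 64496' and 'AS neighbor-as'. */
static const struct as_filter filter_xrange = { AS_OP_XRANGE, 64496, 64498 };
static const struct as_filter filter_range = { AS_OP_RANGE, 64496, 64498 };
static const struct as_filter filter_ne = { AS_OP_NE, 64496, 0 };
static const struct as_filter filter_neighbor = { AS_OP_EQ, AS_NEIGHBOR, 0 };

int
main(void)
{
	/* 64497 lies strictly between 64496 and 64498, so the path matches */
	printf("AS 64496 >< 64498: %d\n",
	    aspath_match(sample_path, SAMPLE_PATH_LEN, &filter_xrange, 0));
	/* neighbor AS 64500 does not appear in the path */
	printf("AS neighbor-as (64500): %d\n",
	    aspath_match(sample_path, SAMPLE_PATH_LEN, &filter_neighbor, 64500));
	return 0;
}
```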


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts the FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
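The two match conditions the entry above describes, as an added example that is not bgpd's code: max-as-len counts the path, max-as-seq looks for the longest run of one repeated AS (a prepend). The flat uint32_t path array and the sample path are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * max-as-len N matches when the path carries more than N AS numbers. The
 * path is assumed already decoded into a flat array of 32-bit AS numbers
 * (this example's assumption, not how bgpd stores an AS_PATH).
 */
int
aspath_match_maxlen(const uint32_t *path, size_t n, size_t maxlen)
{
	(void)path;	/* only the element count matters here */
	return n > maxlen;
}

/*
 * max-as-seq N matches when some run of one AS number repeated back to
 * back (a prepend) is longer than N.
 */
int
aspath_match_maxseq(const uint32_t *path, size_t n, size_t maxseq)
{
	size_t i, run = 0;

	for (i = 0; i < n; i++) {
		/* extend the run on a repeat, otherwise start a new one */
		if (i > 0 && path[i] == path[i - 1])
			run++;
		else
			run = 1;
		if (run > maxseq)
			return 1;
	}
	return 0;
}

/* Constructed sample path: 64497 is prepended three times (RFC 5398 ASNs). */
static const uint32_t prepended_path[] = { 64496, 64497, 64497, 64497, 64498 };
#define PREPENDED_PATH_LEN (sizeof(prepended_path) / sizeof(prepended_path[0]))

int
main(void)
{
	/* five ASes in the path: longer than 4, not longer than 5 */
	printf("max-as-len 4: %d\n",
	    aspath_match_maxlen(prepended_path, PREPENDED_PATH_LEN, 4));
	printf("max-as-len 5: %d\n",
	    aspath_match_maxlen(prepended_path, PREPENDED_PATH_LEN, 5));
	/* the 64497 run has length 3: longer than 2, not longer than 3 */
	printf("max-as-seq 2: %d\n",
	    aspath_match_maxseq(prepended_path, PREPENDED_PATH_LEN, 2));
	printf("max-as-seq 3: %d\n",
	    aspath_match_maxseq(prepended_path, PREPENDED_PATH_LEN, 3));
	return 0;
}
```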


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exceptions are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keys ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.412 25-Jan-2021 claudio

RFC6472 discourages the use of AS_SET segments in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segments are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that were denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow sending out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
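As an added illustration of the validation states used by the rules above and of the maxlen merge rule from rev 1.405 (same prefix and source-as, different maxlen: keep the longest maxlen), here is a small Python implementation of RFC 6811 origin validation over a roa-set in the syntax shown. It is example code written for this page, not bgpd's own; the third roa-set line is a constructed duplicate added only to exercise the merge.

```python
import ipaddress

# Constructed roa-set in the syntax from the commit message above. The third
# line is a deliberate duplicate (same prefix and source-as, smaller maxlen)
# added here to exercise the merge rule; it is not part of the original.
ROA_SET_TEXT = """
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
193.0.0.0/21 maxlen 22 source-as 3333
"""


def parse_roa_set(text):
    """Parse 'PREFIX [maxlen N] source-as AS' lines into a dict mapping
    (network, source_as) -> maxlen.  Entries that differ only in maxlen
    are merged, keeping the longest maxlen (that VRP covers the others).
    An absent maxlen means maxlen == prefixlen (see rev 1.351)."""
    vrps = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        net = ipaddress.ip_network(tokens[0], strict=True)
        maxlen, source_as = net.prefixlen, None
        i = 1
        while i < len(tokens):
            if tokens[i] == "maxlen" and i + 1 < len(tokens):
                maxlen = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "source-as" and i + 1 < len(tokens):
                source_as = int(tokens[i + 1])
                i += 2
            else:
                raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
        if source_as is None:
            raise ValueError(f"missing source-as in {line!r}")
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        key = (net, source_as)
        vrps[key] = max(vrps.get(key, 0), maxlen)
    return vrps


def origin_validation(vrps, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for a route (RFC 6811).

    A VRP *covers* the route when its prefix contains the route prefix;
    it *matches* when additionally the route's prefixlen does not exceed
    maxlen and the origin AS equals the VRP's source-as.  A source-as of 0
    never matches (RFC 6483), so such a VRP can only make a route invalid."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for (net, source_as), maxlen in vrps.items():
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= maxlen and source_as == origin_as and source_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"


def load_example():
    """Parse the constructed roa-set above."""
    return parse_roa_set(ROA_SET_TEXT)


if __name__ == "__main__":
    vrps = load_example()
    for prefix, asn in [("193.0.0.0/22", 3333), ("193.0.0.0/25", 3333),
                        ("193.0.0.0/21", 64496), ("198.51.100.0/24", 64496)]:
        print(prefix, asn, origin_validation(vrps, prefix, asn))
```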


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable peer neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.411 29-Dec-2020 claudio

In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"), it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filter,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.410 27-Oct-2020 claudio

Do not allow configuration of the same neighbor multiple times. For this
the parser needs to check if the remote address is already in the RB tree.
Additionally fixup get_id to also compare the remote_masklen and fix
some memory leaks on parser failures.
Fixes a bgpd fatal on reload reported by Pascal Mathis.
OK benno@


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item form
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

branches: 1.408.4;
In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

branches: 1.406.4;
Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
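The validation the 1.361 roa-set feeds into (valid / invalid / not-found, per RFC 6811) together with the maxlen range semantics from 1.351, as an added example that is not bgpd's own code: IPv4 only, the roa-set is constructed from the 1.361 commit message, and all function and type names are assumptions of this example.

```c
/*
 * Added example, not bgpd's code: RFC 6811 style origin validation over a
 * roa-set. A ROA "P/N maxlen M source-as A" covers every announced prefix
 * inside P/N whose length lies in N..M (1.351: maxlen is a prefixlen range
 * with the ROA length as its lower bound; it defaults to N when omitted).
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

enum ovs { OVS_NOT_FOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

struct roa {
	uint32_t prefix;	/* host byte order */
	uint8_t len;		/* ROA prefix length N */
	uint8_t maxlen;		/* longest announced length still covered, M */
	uint32_t source_as;
};

/* Constructed roa-set mirroring the 1.361 commit message:
 *   165.254.255.0/24 source-as 15562       (maxlen defaults to 24)
 *   193.0.0.0/21 maxlen 24 source-as 3333 */
static const struct roa roaset[] = {
	{ 0xa5feff00, 24, 24, 15562 },
	{ 0xc1000000, 21, 24, 3333 },
};

static uint32_t
mask(uint8_t len)
{
	return len == 0 ? 0 : ~(uint32_t)0 << (32 - len);
}

/* Does the ROA cover the announced prefix/len (address and length range)? */
static int
roa_covers(const struct roa *r, uint32_t prefix, uint8_t len)
{
	if (len < r->len || len > r->maxlen)
		return 0;
	return (prefix & mask(r->len)) == (r->prefix & mask(r->len));
}

/*
 * RFC 6811 outcome: no covering ROA -> not-found; a covering ROA whose
 * source-as equals the origin AS -> valid; covering ROAs but none with a
 * matching AS -> invalid.
 */
enum ovs
validate_origin(const struct roa *set, size_t n, uint32_t prefix,
    uint8_t len, uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (!roa_covers(&set[i], prefix, len))
			continue;
		covered = 1;
		if (set[i].source_as == origin_as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/* Wrapper taking a dotted-quad prefix; returns -1 on a malformed prefix. */
int
validate_str(const char *prefix_txt, uint8_t len, uint32_t origin_as)
{
	struct in_addr a;

	if (len > 32 || inet_pton(AF_INET, prefix_txt, &a) != 1)
		return -1;
	return validate_origin(roaset, sizeof(roaset) / sizeof(roaset[0]),
	    ntohl(a.s_addr), len, origin_as);
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };
	/* 193.0.4.0/24 lies inside 193.0.0.0/21 and 24 <= maxlen 24 */
	printf("193.0.4.0/24 from AS3333:  %s\n",
	    names[validate_str("193.0.4.0", 24, 3333)]);
	printf("193.0.4.0/24 from AS64496: %s\n",
	    names[validate_str("193.0.4.0", 24, 64496)]);
	/* a /25 is longer than the 165.254.255.0/24 ROA allows: not covered */
	printf("165.254.255.0/25 from AS15562: %s\n",
	    names[validate_str("165.254.255.0", 25, 15562)]);
	return 0;
}
```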


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@
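The two points made in 1.175 (a relative metric is signed, an absolute one is not, so they need separate storage) and in 1.152 (a leading '+' or '-' selects relative mode), shown together as an added example that is not bgpd's own code. The struct, the parser and the saturating apply step are constructed for this illustration; the page does not say how bgpd itself clamps the result, so the saturation at 0 and UINT32_MAX is this example's choice.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the metric part of a filter set: an absolute
 * value is unsigned, a relative one carries a sign, so the two are kept in
 * differently typed fields instead of being squeezed into one. */
struct metric_action {
	int		relative;	/* 1 if written as +N or -N */
	uint32_t	metric;		/* absolute value, valid if !relative */
	int32_t		rel;		/* signed delta, valid if relative */
};

/* Parse "100", "+20" or "-20". Returns 0 on success, -1 if the text is not
 * a number or does not fit the field it would be stored in. */
int
parse_metric(const char *s, struct metric_action *a)
{
	char *end;
	long long v;

	if (s == NULL)
		return -1;
	a->relative = (s[0] == '+' || s[0] == '-');
	if (!isdigit((unsigned char)s[a->relative]))
		return -1;		/* rejects "", "+", "-x", " 5" */
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno != 0 || *end != '\0')
		return -1;		/* overflow or trailing garbage */
	if (a->relative) {
		if (v < INT32_MIN || v > INT32_MAX)
			return -1;
		a->rel = (int32_t)v;
		a->metric = 0;
	} else {
		if (v > UINT32_MAX)	/* v >= 0 here: first char was a digit */
			return -1;
		a->metric = (uint32_t)v;
		a->rel = 0;
	}
	return 0;
}

/* Apply the action to the current attribute value, saturating at the type's
 * limits instead of wrapping: "-20" on a localpref of 10 yields 0, not
 * 4294967286. */
uint32_t
apply_metric(uint32_t cur, const struct metric_action *a)
{
	if (!a->relative)
		return a->metric;
	if (a->rel < 0) {
		uint32_t d = (uint32_t)(-(int64_t)a->rel);
		return cur > d ? cur - d : 0;
	}
	return cur > UINT32_MAX - (uint32_t)a->rel ?
	    UINT32_MAX : cur + (uint32_t)a->rel;
}

/* Parse and apply in one step; returns the new value, or -1 on a parse
 * error (any uint32_t value fits in long long, so -1 is unambiguous). */
long long
metric_result(const char *s, uint32_t cur)
{
	struct metric_action a;

	if (parse_metric(s, &a) == -1)
		return -1;
	return (long long)apply_metric(cur, &a);
}
```

The rejection of "+" on its own and of trailing characters is what keeps a config typo from being silently read as 0; the overflow checks are what 1.157 refers to when it says INT_MAX is too small a bound for these values.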


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
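The leak and its fix, as an added example in the shape of the fragment above and not bgpd's own code: a lookup() over a sorted keyword table (sorted because bsearch() needs it, which is the point of the "keywords have to be sorted" commits), a leaky and a fixed version of the strdup() step, and a counter that reports how many per-token allocations each version leaves for nobody to free. Token values, the keyword list and the sample config line are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Token values are constructed for this example; yacc assigns its own. */
enum token { STRING = 258, NEIGHBOR, GROUP, SET, LOCALPREF };

struct keyword {
	const char	*k_name;
	enum token	 k_val;
};

/* Must stay sorted by k_name: lookup() uses bsearch(). */
static const struct keyword keywords[] = {
	{ "group",	GROUP },
	{ "localpref",	LOCALPREF },
	{ "neighbor",	NEIGHBOR },
	{ "set",	SET },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* Keyword token for buf, or STRING if buf is not a keyword. */
static enum token
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p != NULL ? p->k_val : STRING;
}

/* Before 1.71: a strdup() for every token. Only STRING values are ever
 * freed by the grammar, so each keyword leaks one copy of buf. */
enum token
lex_word_leaky(const char *buf, char **sval)
{
	enum token token = lookup(buf);

	if ((*sval = strdup(buf)) == NULL)
		abort();	/* bgpd calls fatal("yylex: strdup") here */
	return token;
}

/* After 1.71: allocate only when the parser will own and free the copy. */
enum token
lex_word_fixed(const char *buf, char **sval)
{
	enum token token = lookup(buf);

	*sval = NULL;
	if (token == STRING && (*sval = strdup(buf)) == NULL)
		abort();
	return token;
}

/* Feed a space-separated line through one lexer variant and count the
 * allocations that the grammar would never free. */
size_t
count_leaks(enum token (*lex)(const char *, char **), const char *line)
{
	const char *p = line;
	char word[64], *sval;
	size_t n, leaked = 0;

	while (*p != '\0') {
		while (*p == ' ')
			p++;
		if (*p == '\0')
			break;
		n = strcspn(p, " ");
		if (n >= sizeof(word))
			abort();
		memcpy(word, p, n);
		word[n] = '\0';
		p += n;
		if (lex(word, &sval) == STRING) {
			free(sval);	/* the grammar owns STRING values */
		} else if (sval != NULL) {
			leaked++;	/* keyword: the grammar never frees it */
			free(sval);	/* freed only to keep this demo clean */
		}
	}
	return leaked;
}
```

On the constructed line "neighbor 192.0.2.1 set localpref 100" the leaky variant leaves three copies behind (one per keyword) and the fixed one none, which is the per-token leak Patrick Latifi observed scaling with config size.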


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@
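The prefixlen operators this commit names (the inclusive "8 - 24", the exclusive "8 >< 24", and the comparison forms such as ">= 8"), as an added example that is not bgpd's parser: a small parser for the text after "prefixlen" that rejects bounds above the address family's maximum or reversed ranges at config time, and the matcher that evaluates a route's prefix length against the parsed clause. The enum and struct names are constructed; the rejection of an exclusive range with no length in between (which could only ever match nothing) is this example's own check.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum prefixlen_op {
	OP_NONE,	/* no prefixlen clause: any length matches */
	OP_EQ, OP_NE, OP_LE, OP_LT, OP_GE, OP_GT,
	OP_RANGE,	/* "N - M": inclusive on both ends */
	OP_XRANGE	/* "N >< M": exclusive on both ends */
};

struct filter_prefixlen {
	enum prefixlen_op	op;
	int			len_min;
	int			len_max;	/* used by the two range ops only */
};

static const char *
skip_ws(const char *p)
{
	while (*p == ' ' || *p == '\t')
		p++;
	return p;
}

/* Read one non-negative decimal number; 0 if none is there. */
static int
get_num(const char **pp, int *out)
{
	const char *p = skip_ws(*pp);
	char *end;
	long v;

	if (!isdigit((unsigned char)*p))
		return 0;
	v = strtol(p, &end, 10);
	if (v > 128)
		return 0;
	*out = (int)v;
	*pp = end;
	return 1;
}

/* Parse the text after "prefixlen". maxlen is 32 for inet, 128 for inet6.
 * Returns 0 on success, -1 on a malformed or out-of-range clause. */
int
parse_prefixlen(const char *s, int maxlen, struct filter_prefixlen *f)
{
	static const struct { const char *txt; enum prefixlen_op op; } ops[] = {
		{ "<=", OP_LE }, { ">=", OP_GE }, { "!=", OP_NE },	/* two-char first */
		{ "<", OP_LT }, { ">", OP_GT }, { "=", OP_EQ },
	};
	const char *p = skip_ws(s);
	int a, b;
	size_t i;

	memset(f, 0, sizeof(*f));
	if (isdigit((unsigned char)*p)) {
		/* range forms: "N - M" or "N >< M" */
		if (!get_num(&p, &a))
			return -1;
		p = skip_ws(p);
		if (*p == '-') {
			f->op = OP_RANGE;
			p++;
		} else if (p[0] == '>' && p[1] == '<') {
			f->op = OP_XRANGE;
			p += 2;
		} else
			return -1;
		if (!get_num(&p, &b) || a > b || b > maxlen)
			return -1;
		if (f->op == OP_XRANGE && b - a < 2)
			return -1;	/* example's own check: nothing could match */
		f->len_min = a;
		f->len_max = b;
	} else {
		for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
			size_t l = strlen(ops[i].txt);
			if (strncmp(p, ops[i].txt, l) == 0) {
				f->op = ops[i].op;
				p += l;
				break;
			}
		}
		if (f->op == OP_NONE || !get_num(&p, &a) || a > maxlen)
			return -1;
		f->len_min = a;
	}
	return *skip_ws(p) == '\0' ? 0 : -1;	/* no trailing garbage */
}

/* Evaluate a route's prefix length against a parsed clause. */
int
prefixlen_match(const struct filter_prefixlen *f, int plen)
{
	switch (f->op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return plen == f->len_min;
	case OP_NE:	return plen != f->len_min;
	case OP_LE:	return plen <= f->len_min;
	case OP_LT:	return plen < f->len_min;
	case OP_GE:	return plen >= f->len_min;
	case OP_GT:	return plen > f->len_min;
	case OP_RANGE:	return plen >= f->len_min && plen <= f->len_max;
	case OP_XRANGE:	return plen > f->len_min && plen < f->len_max;
	}
	return 0;
}

/* Parse a clause and test one length in a single call; -1 on parse error. */
int
prefixlen_clause_matches(const char *clause, int maxlen, int plen)
{
	struct filter_prefixlen f;

	if (parse_prefixlen(clause, maxlen, &f) == -1)
		return -1;
	return prefixlen_match(&f, plen);
}
```

The config-time range check matters more than it looks: a rule such as "prefix 10.0.0.0/8 prefixlen 8 - 33" on inet would otherwise be accepted and behave like "8 - 32", which is not what the operator wrote.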


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
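The check this commit describes, as an added example rather than bgpd's own code: the config file is accepted only if it is owned by root or by the user running the daemon and grants no permission bits to group or others. secrecy_of() is a constructed helper that fills a stat result with made-up values so the policy can be exercised without a real file; the enum and message texts are assumptions. The descriptor is checked with fstat() after open() so the file that was checked is the one that gets parsed.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum secrecy { SECRECY_OK = 0, SECRECY_BAD_OWNER, SECRECY_BAD_MODE };

/* The policy on a stat result, separated from the I/O so it can be tested
 * with constructed values. A file holding TCP MD5 keys or IPsec keys must
 * be owned by root or by the daemon's user and be unreadable by anyone
 * else. */
enum secrecy
secrecy_policy(const struct stat *st, uid_t self)
{
	if (st->st_uid != 0 && st->st_uid != self)
		return SECRECY_BAD_OWNER;
	if (st->st_mode & (S_IRWXG | S_IRWXO))
		return SECRECY_BAD_MODE;
	return SECRECY_OK;
}

/* Constructed test helper: build a stat with the given owner and mode. */
enum secrecy
secrecy_of(uid_t owner, mode_t mode, uid_t self)
{
	struct stat st;

	memset(&st, 0, sizeof(st));
	st.st_uid = owner;
	st.st_mode = mode;
	return secrecy_policy(&st, self);
}

/* Apply the policy to an already-open descriptor; -1 and a message on
 * failure. */
int
check_file_secrecy_fd(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "cannot stat %s: %s\n", fname, strerror(errno));
		return -1;
	}
	switch (secrecy_policy(&st, getuid())) {
	case SECRECY_BAD_OWNER:
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return -1;
	case SECRECY_BAD_MODE:
		fprintf(stderr, "%s: group/world readable/writeable\n", fname);
		return -1;
	case SECRECY_OK:
		break;
	}
	return 0;
}

/* Open a config file and hand back a FILE * only if it passes the check. */
FILE *
open_config(const char *fname)
{
	FILE *fp;
	int fd;

	if ((fd = open(fname, O_RDONLY)) == -1) {
		fprintf(stderr, "open %s: %s\n", fname, strerror(errno));
		return NULL;
	}
	if (check_file_secrecy_fd(fd, fname) == -1) {
		close(fd);
		return NULL;
	}
	if ((fp = fdopen(fd, "r")) == NULL)
		close(fd);
	return fp;
}
```

The owner test accepts root as well as the current user because the daemon is normally started as root and later drops privileges, while the file stays root-owned.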


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.409 26-Oct-2020 claudio

Fix a memory leak when parsing roa-set lists. If the prefixset_item is
already in the RB tree free the item we tried to add since the item from
the RB tree is used.
Memory leak found and fix provided by Felix Maurer ( felix at felix-maurer.de)


Revision tags: OPENBSD_6_8_BASE
# 1.408 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{") it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
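The two filter semantics described in this entry, as an added illustration that is not bgpd's own code: max-as-len looks at the total hop count, max-as-seq at the longest run of one ASN repeated in a row (what a prepend produces). The rule table, its first-match evaluation order and the sample paths are constructed for this example and are not how bgpd itself orders rules.

```python
# Added illustration of the max-as-len / max-as-seq filter semantics.
# Not bgpd code; paths and rules below are constructed sample data.


def as_path_len(path):
    """Number of AS hops in an AS path given as a list of ASNs."""
    return len(path)


def max_as_seq(path):
    """Length of the longest run of a single ASN repeated consecutively.

    Prepending is the usual reason for such runs, so this is the value a
    max-as-seq rule inspects.
    """
    longest = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        longest = max(longest, run)
    return longest


def matches_max_as_len(path, limit):
    """True when the path has more than 'limit' hops."""
    return as_path_len(path) > limit


def matches_max_as_seq(path, limit):
    """True when some ASN is repeated more than 'limit' times in a row."""
    return max_as_seq(path) > limit


# Hypothetical rule table for this example: (action, filter, limit).
# Evaluated top to bottom, first match wins (an assumption of this example).
RULES = [
    ("deny", "max-as-len", 10),
    ("deny", "max-as-seq", 3),
    ("allow", None, None),
]


def evaluate(path, rules=RULES):
    """Return the action of the first rule whose filter matches the path."""
    for action, kind, limit in rules:
        if kind is None:
            return action
        if kind == "max-as-len" and matches_max_as_len(path, limit):
            return action
        if kind == "max-as-seq" and matches_max_as_seq(path, limit):
            return action
    return "deny"  # nothing matched: default deny (assumption for this example)


# Constructed sample paths (documentation ASNs).
NORMAL_PATH = [64496, 64497, 65001]
PREPENDED_PATH = [64496, 64496, 64496, 64496, 65001]
LONG_PATH = list(range(64500, 64512))  # 12 hops

if __name__ == "__main__":
    for p in (NORMAL_PATH, PREPENDED_PATH, LONG_PATH):
        print(p, "->", evaluate(p))
```

Both checks are deliberately strict "longer than", matching the wording of the commit message, so a limit of 3 still lets a triple prepend through and only rejects the fourth repetition.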


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@
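The ASPATH inflate/deflate step this entry describes, as an added example that is not bgpd's code: toward a peer without the 4-byte capability every 4-byte ASN in AS_PATH is replaced by the reserved placeholder AS_TRANS (23456) and the full path travels in NEW_ASPATH (called AS4_PATH in the later RFC); on receipt the two are merged again. Paths are modelled here as flat lists of ASNs (one AS_SEQUENCE); AS_SET segments and the AGGREGATOR attribute are left out, and all ASNs are constructed sample values.

```python
# Added illustration of 4-byte AS path deflation and inflation.
# Not bgpd code. Paths are flat ASN lists; AS_SET segments are not handled.

AS_TRANS = 23456       # reserved 2-byte stand-in for a 4-byte ASN
AS_2BYTE_MAX = 65535


def is_4byte(asn):
    """True for ASNs that do not fit into the old 16-bit encoding."""
    return asn > AS_2BYTE_MAX


def deflate_aspath(path):
    """Build what an old (2-byte only) speaker is sent.

    Returns (as_path, new_aspath): in as_path every 4-byte ASN is replaced
    by AS_TRANS; new_aspath carries the unmodified path, or is None when no
    4-byte ASN was present and the extra attribute is not needed.
    """
    if not any(is_4byte(a) for a in path):
        return list(path), None
    return [AS_TRANS if is_4byte(a) else a for a in path], list(path)


def inflate_aspath(as_path, new_aspath):
    """Reconstruct the 4-byte path from AS_PATH plus NEW_ASPATH.

    Old speakers between the origin and us prepend their own 2-byte ASNs to
    AS_PATH but leave NEW_ASPATH untouched, so AS_PATH may be longer: the
    leading extra entries are kept and the tail comes from NEW_ASPATH. A
    NEW_ASPATH longer than AS_PATH is inconsistent and is ignored.
    """
    if new_aspath is None or len(new_aspath) > len(as_path):
        return list(as_path)
    extra = len(as_path) - len(new_aspath)
    return list(as_path[:extra]) + list(new_aspath)


# Constructed sample: a path containing one 4-byte ASN.
SAMPLE_PATH = [64496, 4200000000, 65001]

if __name__ == "__main__":
    old_path, new_path = deflate_aspath(SAMPLE_PATH)
    print("AS_PATH for old speaker:", old_path)
    print("NEW_ASPATH:", new_path)
    # an old speaker (AS 64512) prepended itself before passing it on
    print("reinflated:", inflate_aspath([64512] + old_path, new_path))
```

The length rule in inflate_aspath is what keeps a stale or malformed NEW_ASPATH from overriding the path that was actually traversed; when it is longer than AS_PATH the function falls back to AS_PATH alone.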


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.
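The community handling rules spread over the entries above (65535 reserved for well-known communities in 1.206 and 1.199, 0 allowed in the AS part in 1.205, NO_PEER from RFC 3765 in 1.178 and 1.116, and wildcard deletion such as "set community delete 65001:*" in 1.180), as one added example that is not bgpd's parsecommunity(): a small parser that applies those checks, a wildcard matcher, and the delete operation. The constant names, the -1 wildcard marker and the sample attribute are constructed for this example.

```python
# Added illustration of community parsing/matching rules. Not bgpd code.

# Well-known communities (RFC 1997 and RFC 3765), all in the 65535:x range.
WELLKNOWN = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NO_PEER": 0xFFFFFF04,
}
COMMUNITY_ANY = -1            # stands for "*" in a filter rule (example marker)
COMMUNITY_WELLKNOWN = 0xFFFF  # AS part reserved for the names above


def parse_community(text):
    """Parse 'AS:value', 'AS:*', '*:value', '*:*' or a well-known name.

    Returns an (as, value) tuple. AS 65535 is only reachable through a
    well-known name; 0 is accepted in the AS part.
    """
    name = text.strip().upper()
    if name in WELLKNOWN:
        v = WELLKNOWN[name]
        return (v >> 16, v & 0xFFFF)
    as_s, sep, val_s = text.partition(":")
    if not sep:
        raise ValueError("community must be AS:value or a well-known name: %r" % text)
    asn = COMMUNITY_ANY if as_s == "*" else int(as_s)
    val = COMMUNITY_ANY if val_s == "*" else int(val_s)
    if asn != COMMUNITY_ANY and not 0 <= asn < COMMUNITY_WELLKNOWN:
        raise ValueError("AS %d not allowed; 65535 is reserved for well-known communities" % asn)
    if val != COMMUNITY_ANY and not 0 <= val <= 0xFFFF:
        raise ValueError("community value out of range: %d" % val)
    return (asn, val)


def community_match(rule, comm):
    """True when a (possibly wildcarded) rule matches one concrete community."""
    ras, rval = rule
    cas, cval = comm
    return (ras in (COMMUNITY_ANY, cas)) and (rval in (COMMUNITY_ANY, cval))


def delete_communities(attr, rule):
    """'set community delete <rule>': drop every community the rule matches."""
    return [c for c in attr if not community_match(rule, c)]


# Constructed sample COMMUNITIES attribute as received on a path.
SAMPLE_ATTR = [(65001, 100), (65001, 200), (0, 42), parse_community("NO_PEER")]

if __name__ == "__main__":
    print(delete_communities(SAMPLE_ATTR, parse_community("65001:*")))
```

Rejecting 65535 in the numeric form while still accepting the names is what keeps an operator from accidentally writing a community that collides with NO_EXPORT and friends, and the wildcard match is the same primitive used for both matching and deletion.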


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
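The two ways of giving a key described in this entry, an ASCII password versus a hex string, together with the length checks of 1.110 ("key too long" off by one) and 1.44 (reject rather than truncate an over-long password) above, are worked through in the following added example. It is illustration code written for this page, not bgpd's str2key() or parser code; the names md5key_from_hex() and md5key_from_password() and the MD5KEY_MAX limit of 80 bytes are assumptions for the example, not values taken from bgpd.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum key length for this example; not a value from bgpd. */
#define MD5KEY_MAX 80

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Decode a hex string into key (room for keymax bytes).  Returns the key
 * length in bytes, or -1 if the string is empty, has an odd number of
 * digits, contains a non-hex character, or would exceed keymax.  The
 * length is returned explicitly: a binary key may contain 0x00 bytes, so
 * strlen() on the key itself is not usable (the point of 1.101 above).
 */
int
md5key_from_hex(const char *s, uint8_t *key, size_t keymax)
{
	size_t n = strlen(s), i;
	int hi, lo;

	if (n == 0 || n % 2 != 0 || n / 2 > keymax)
		return -1;
	for (i = 0; i < n; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(n / 2);
}

/*
 * Use an ASCII password as the key.  A password longer than keymax is
 * rejected rather than silently truncated; the comparison is > so that
 * a key of exactly keymax bytes is still accepted, which is the boundary
 * where an off-by-one is easy to introduce.
 */
int
md5key_from_password(const char *s, uint8_t *key, size_t keymax)
{
	size_t n = strlen(s);

	if (n == 0 || n > keymax)
		return -1;
	memcpy(key, s, n);
	return (int)n;
}

int
main(void)
{
	uint8_t key[MD5KEY_MAX];
	int len, i;

	/* Constructed inputs: a hex key and an ASCII password. */
	len = md5key_from_hex("0123456789abcdef", key, sizeof key);
	printf("hex key: %d bytes:", len);
	for (i = 0; i < len; i++)
		printf(" %02x", key[i]);
	printf("\n");
	len = md5key_from_password("s3cret-pass", key, sizeof key);
	printf("password key: %d bytes\n", len);
	printf("odd-length hex rejected: %d\n",
	    md5key_from_hex("abc", key, sizeof key));
	return 0;
}
```

Passing keymax as a parameter rather than hard-coding it is what makes the boundary testable: the same function can be checked with a two-byte limit instead of constructing 160-character strings.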


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.408 10-May-2020 deraadt

In bgpctl argument parser, re-arrange 'reason' parsing ('nei action [reason]')
to be more generic, then change 'reload' to take a '[reason]' also,
which will be logged by bgpd.
ok kn claudio


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"), it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
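The two roa-set behaviours the log describes, the valid / invalid / not-found states tested by the 'ovs' filter keyword in this entry and the merging of duplicate prefix / source-as entries keeping the longest maxlen (1.405 above), are worked through in the added C example below. It is not bgpd's code: it is limited to IPv4, uses a flat array where bgpd uses a tree, and struct roa_set, roa_set_add(), roa_set_validate() and ip4() are names invented for the illustration. The sample VRPs are the two from the roa-set block in this entry, plus a constructed duplicate to show the merge.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

/* One VRP: IPv4 prefix (host byte order), its length, maxlen, source AS. */
struct roa {
	uint32_t prefix;
	uint8_t  plen;
	uint8_t  maxlen;
	uint32_t asnum;
};

#define ROA_MAX 64

/* Flat array for the example; bgpd keeps a tree. */
struct roa_set {
	struct roa ent[ROA_MAX];
	size_t n;
};

/* Pack dotted-quad octets into a host-order IPv4 address. */
uint32_t
ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
}

static uint32_t
netmask(uint8_t plen)
{
	return plen == 0 ? 0 : ~(uint32_t)0 << (32 - plen);
}

/*
 * Add a VRP.  A prefix/source-as pair that is already present is merged
 * by keeping the longest maxlen, since that entry covers all the shorter
 * ones (the 1.405 behaviour).  Returns 0, or -1 on bad lengths or a full
 * set.  An entry without an explicit maxlen is passed with maxlen == plen.
 */
int
roa_set_add(struct roa_set *s, uint32_t prefix, uint8_t plen, uint8_t maxlen,
    uint32_t asnum)
{
	size_t i;

	if (plen > 32 || maxlen > 32 || maxlen < plen)
		return -1;
	prefix &= netmask(plen);
	for (i = 0; i < s->n; i++) {
		struct roa *r = &s->ent[i];
		if (r->prefix == prefix && r->plen == plen && r->asnum == asnum) {
			if (maxlen > r->maxlen)
				r->maxlen = maxlen;
			return 0;
		}
	}
	if (s->n == ROA_MAX)
		return -1;
	s->ent[s->n++] = (struct roa){ prefix, plen, maxlen, asnum };
	return 0;
}

/*
 * RFC 6811 origin validation.  not-found: no VRP covers the route.
 * valid: a covering VRP has the route's origin AS and allows its length.
 * invalid: covered, but no VRP matches.  An AS 0 VRP never matches, so it
 * can only make routes invalid, which is its purpose (RFC 6483).
 */
enum ovs
roa_set_validate(const struct roa_set *s, uint32_t prefix, uint8_t plen,
    uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < s->n; i++) {
		const struct roa *r = &s->ent[i];
		if (r->plen > plen || (prefix & netmask(r->plen)) != r->prefix)
			continue;	/* VRP does not cover this route */
		covered = 1;
		if (r->asnum != 0 && r->asnum == origin_as && plen <= r->maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

int
main(void)
{
	/* Constructed sample set: the two VRPs from the roa-set block above. */
	struct roa_set s = { .n = 0 };
	static const char *names[] = { "not-found", "valid", "invalid" };

	roa_set_add(&s, ip4(165, 254, 255, 0), 24, 24, 15562);
	roa_set_add(&s, ip4(193, 0, 0, 0), 21, 24, 3333);
	printf("193.0.2.0/23 AS3333: %s\n",
	    names[roa_set_validate(&s, ip4(193, 0, 2, 0), 23, 3333)]);
	printf("193.0.0.0/25 AS3333: %s\n",
	    names[roa_set_validate(&s, ip4(193, 0, 0, 0), 25, 3333)]);
	return 0;
}
```

The merge matters for correctness, not just memory: if the /21 entry with the default maxlen were kept alongside the maxlen 24 one, a lookup that stopped at the first covering entry would wrongly report a /23 announcement from AS 3333 as invalid.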


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.407 08-May-2020 claudio

Do not use string literals in the grammar ("{"); it is not POSIX compliant
and also not needed. This just needs a char lookup ('{') like it is done
in all the other rules with '{'. With this parse.y can be compiled with
bison.
OK otto@ benno@


Revision tags: OPENBSD_6_7_BASE
# 1.406 23-Apr-2020 claudio

Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than
one community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
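Origin validation over a roa-set like the ones in the entries above, as an added example that is not bgpd's own code: it parses the roa-set block syntax from the 1.356/1.361 entries, merges duplicate prefix/source-as entries keeping the longest maxlen as 1.405 describes, treats maxlen as the prefixlen range this entry explains, and returns the ovs state valid / invalid / not-found. The roa-set contents are constructed sample data.

```python
"""Origin validation (RFC 6811 semantics) over a bgpd-style roa-set block.

Added example, not code from bgpd. Assumptions: entries are one per line,
in the 'PREFIX [maxlen N] source-as AS[,]' form shown in the log entries.
"""
import ipaddress
import re

# Constructed sample roa-set in the syntax from the commit messages above.
# The two 193.0.0.0/21 entries only differ in maxlen and must be merged.
ROA_SET_TEXT = """
roa-set "test" {
    165.254.255.0/24 source-as 15562,
    193.0.0.0/21 maxlen 24 source-as 3333
    193.0.0.0/21 maxlen 22 source-as 3333
    2001:db8::/32 maxlen 48 source-as 64500
}
"""

ENTRY_RE = re.compile(
    r"^(?P<prefix>[0-9a-fA-F:.]+/\d+)"
    r"(?:\s+maxlen\s+(?P<maxlen>\d+))?"
    r"\s+source-as\s+(?P<asn>\d+)\s*,?$"
)


def parse_roa_set(text):
    """Return {(prefix_str, source_as): (network, maxlen)} for a roa-set block.

    A missing maxlen means maxlen == prefixlen, i.e. 'maxlen M' is the same as
    'prefixlen N - M'. Duplicate prefix/source-as pairs are merged and the
    longest maxlen wins, since that VRP covers all the others.
    """
    vrps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("roa-set") or line == "}":
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("bad roa-set entry: %r" % line)
        net = ipaddress.ip_network(m.group("prefix"), strict=True)
        maxlen = int(m.group("maxlen") or net.prefixlen)
        if maxlen < net.prefixlen or maxlen > net.max_prefixlen:
            raise ValueError("maxlen out of range: %r" % line)
        key = (str(net), int(m.group("asn")))
        prev = vrps.get(key)
        if prev is None or prev[1] < maxlen:
            vrps[key] = (net, maxlen)
    return vrps


def ovs_state(vrps, prefix, origin_as):
    """Classify a route as 'valid', 'invalid' or 'not-found'.

    valid:     some covering VRP has the same origin AS and prefixlen <= maxlen
    invalid:   covered by at least one VRP, but none matches
    not-found: no VRP covers the prefix at all
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for (_, asn), (net, maxlen) in vrps.items():
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = parse_roa_set(ROA_SET_TEXT)
    for pfx, asn in [("193.0.2.0/24", 3333), ("193.0.2.0/25", 3333),
                     ("193.0.2.0/24", 64496), ("198.51.100.0/24", 15562)]:
        print(pfx, asn, ovs_state(table, pfx, asn))
```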


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first limits
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
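
The AS path checks introduced here (max-as-len, max-as-seq) and the AS operators added in revision 1.287 (=, !=, - and >< on AS, peer-as, source-as and transit-as) can be modelled on a plain list of AS numbers. The block below is an added example, not code from parse.y or the RDE. It assumes the path is a flat list in wire order (leftmost is the sending peer, rightmost the origin), that peer-as selects the leftmost ASN, source-as the rightmost, transit-as everything except the rightmost and AS every ASN, that a term matches when any selected ASN satisfies its operator, that >< is the pf-style strictly-between range, and that max-as-len and max-as-seq match when the path (or the longest run of one ASN) is longer than the given number. The ILLEGAL_AS_TERMS ruleset and the sample path are constructed for the example.

```python
"""Evaluate bgpd-style AS path filter terms on a plain list of ASNs.

Added example, not code from parse.y or the RDE. Assumptions: the path is
a flat list in wire order (leftmost = sending peer, rightmost = origin);
peer-as selects the leftmost ASN, source-as the rightmost, transit-as all
but the rightmost, AS every ASN; a term matches when any selected ASN
satisfies its operator; '><' is the pf-style strictly-between range;
max-as-len / max-as-seq match when the path (or the longest run of one
ASN) is longer than the given limit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AsTerm:
    kind: str    # "AS", "peer-as", "source-as" or "transit-as"
    op: str      # "=", "!=", "-" (inclusive range) or "><" (exclusive range)
    lo: int
    hi: int = 0  # upper bound, only used by "-" and "><"

    def holds(self, asn):
        if self.op == "=":
            return asn == self.lo
        if self.op == "!=":
            return asn != self.lo
        if self.op == "-":
            return self.lo <= asn <= self.hi
        if self.op == "><":
            return self.lo < asn < self.hi
        raise ValueError("unknown operator %r" % self.op)


def selected_asns(kind, path):
    """Which ASNs of the path a term of the given kind looks at."""
    if not path:
        return []
    if kind == "AS":
        return list(path)
    if kind == "peer-as":
        return [path[0]]
    if kind == "source-as":
        return [path[-1]]
    if kind == "transit-as":
        return list(path[:-1])
    raise ValueError("unknown term kind %r" % kind)


def as_term_matches(term, path):
    return any(term.holds(asn) for asn in selected_asns(term.kind, path))


def longest_as_seq(path):
    """Length of the longest run of one ASN (what max-as-seq inspects)."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def max_as_len_matches(limit, path):
    return len(path) > limit


def max_as_seq_matches(limit, path):
    return longest_as_seq(path) > limit


# Constructed ruleset in the spirit of the "block illegal AS numbers"
# bgpd.conf example: ASNs an operator would not expect in a real path
# (AS 0 per RFC 7607, AS_TRANS per RFC 6793, documentation ranges per
# RFC 5398, AS 65535 and AS 4294967295 per RFC 7300).
ILLEGAL_AS_TERMS = (
    AsTerm("AS", "=", 0),
    AsTerm("AS", "=", 23456),
    AsTerm("AS", "-", 64496, 64511),
    AsTerm("AS", "=", 65535),
    AsTerm("AS", "-", 65536, 65551),
    AsTerm("AS", "=", 4294967295),
)


def path_has_illegal_as(path):
    return any(as_term_matches(t, path) for t in ILLEGAL_AS_TERMS)


if __name__ == "__main__":
    # Constructed sample path: peer 65001, a 3x prepend of 3303, origin 64496.
    sample = [65001, 3303, 3303, 3303, 1299, 64496]
    print("peer-as = 65001:", as_term_matches(AsTerm("peer-as", "=", 65001), sample))
    print("longest run:", longest_as_seq(sample),
          "max-as-seq 2:", max_as_seq_matches(2, sample))
    print("illegal AS present:", path_has_illegal_as(sample))
```

Note that the prepend detector only counts adjacent repeats, so `max-as-seq 2` fires on the 3x prepend in the sample but not on the same AS appearing twice with another AS in between.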


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way saner than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning
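
The quoted-string handling described in this entry, in 1.211 (backslash before space, tab or newline inside quotes) and in 1.275 (embedded NUL rejected) can be modelled in a few lines. The block below is an added example and not the lexer from parse.y; it assumes the input is a Python str with the scanner positioned on the opening quote, treats a raw newline inside quotes as dropped-but-counted the way the shared pfctl-derived yylex() does, and uses a placeholder MAX_STRING in place of the real lexer's fixed buffer size.

```python
"""Model of the quoted-string rule in the shared pfctl-derived yylex().

Added example, not the lexer itself. Assumptions: src is the remaining
input as a Python str, pos points at the opening quote, and MAX_STRING is
a placeholder for the fixed-size buffer the real lexer uses.
"""

MAX_STRING = 8192  # placeholder for the real lexer's buffer size


class LexError(Exception):
    pass


def lex_quoted_string(src, pos=0):
    """Lex one quoted string; return (value, next_pos, newlines_consumed).

    Inside the quotes a backslash followed by the quote character, a space
    or a tab yields that character and a backslash followed by a newline is
    a line continuation (rev 1.211); any other backslash is kept literally.
    A raw newline is dropped but still counted for error messages, and an
    embedded NUL is a syntax error (rev 1.275).
    """
    quotec = src[pos]
    if quotec not in ('"', "'"):
        raise LexError("not at an opening quote")
    out = []
    lines = 0
    i = pos + 1
    while True:
        if i >= len(src):
            raise LexError("unterminated string")   # EOF inside quotes
        c = src[i]
        i += 1
        if c == "\n":
            lines += 1          # raw newline: dropped, line counted
            continue
        if c == "\\":
            if i >= len(src):
                raise LexError("unterminated string")
            nxt = src[i]
            if nxt in (quotec, " ", "\t"):
                c = nxt         # escaped quote, space or tab
                i += 1
            elif nxt == "\n":
                lines += 1      # line continuation
                i += 1
                continue
            # otherwise keep the backslash; nxt is read on the next round
        elif c == quotec:
            return "".join(out), i, lines
        elif c == "\0":
            raise LexError("syntax error: embedded NUL in string")
        if len(out) >= MAX_STRING - 1:
            raise LexError("string too long")
        out.append(c)


if __name__ == "__main__":
    # Constructed inputs: escaped quotes, a continuation, a NUL, unterminated.
    for text in ['"descr \\"edge\\""', '"multi\\\nline"', '"a\0b"', '"open']:
        try:
            print(repr(text), "->", lex_quoted_string(text))
        except LexError as e:
            print(repr(text), "->", e)
```

The NUL check matters because the lexer hands the collected bytes to C string functions later; a NUL inside a quoted string would silently truncate the value, which is the class of bug the afl run behind 1.275 hit.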


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.
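
The community syntax that these entries shape (AS part 0 allowed in 1.205, AS 65535 reserved for well-known communities in 1.206 and 1.199, `delete 65001:*` wildcards in 1.180, `neighbor-as` expansion in 1.179, the NO_PEER well-known community here) can be modelled as a small parser plus matcher. The block below is an added example and not the parsecommunity() from parse.y. It assumes classic 2-byte AS:value communities, that `*` is accepted in either part and `neighbor-as` only in the AS part, that well-known communities are stored with AS part 0xFFFF the way bgpd's COMMUNITY_WELLKNOWN does, and that a neighbor AS above 65535 cannot be encoded; the community lists in the demo are constructed.

```python
"""Model of bgpd's classic community syntax and matching.

Added example, not the parsecommunity() from parse.y. Assumptions: '*' is
allowed in either part and 'neighbor-as' only in the AS part; well-known
communities are stored with AS part 0xFFFF like bgpd's COMMUNITY_WELLKNOWN;
a neighbor AS above 65535 cannot be encoded in a classic community.
"""

COMMUNITY_ANY = -1          # '*'
COMMUNITY_NEIGHBOR_AS = -2  # 'neighbor-as', expanded per neighbor
COMMUNITY_WELLKNOWN = 0xFFFF

# RFC 1997 and RFC 3765 values
WELLKNOWN = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NO_PEER": 0xFFFFFF04,
}


def _parse_part(text, allow_neighbor_as):
    if text == "*":
        return COMMUNITY_ANY
    if text == "neighbor-as":
        if not allow_neighbor_as:
            raise ValueError("neighbor-as is only allowed in the AS part")
        return COMMUNITY_NEIGHBOR_AS
    if not (text.isascii() and text.isdigit()):
        raise ValueError("bad community part %r" % text)
    value = int(text)
    if value > 0xFFFF:
        raise ValueError("community value %d too big" % value)
    return value


def parse_community(text):
    """Return (as_part, value_part); wildcards use the negative sentinels."""
    if text in WELLKNOWN:
        value = WELLKNOWN[text]
        return (value >> 16, value & 0xFFFF)
    if ":" not in text:
        raise ValueError("community %r is not AS:value" % text)
    as_text, value_text = text.split(":", 1)
    asn = _parse_part(as_text, True)
    if asn == COMMUNITY_WELLKNOWN:
        raise ValueError("AS 65535 is reserved for well-known communities")
    return (asn, _parse_part(value_text, False))


def expand(pattern, neighbor_as):
    """Replace neighbor-as with the remote AS of the current neighbor."""
    asn, value = pattern
    if asn == COMMUNITY_NEIGHBOR_AS:
        if neighbor_as > 0xFFFF:
            raise ValueError("neighbor AS does not fit a classic community")
        asn = neighbor_as
    return (asn, value)


def community_matches(pattern, comm, neighbor_as):
    pasn, pvalue = expand(pattern, neighbor_as)
    casn, cvalue = comm
    return pasn in (COMMUNITY_ANY, casn) and pvalue in (COMMUNITY_ANY, cvalue)


def delete_communities(comms, pattern, neighbor_as):
    """'set community delete <pattern>': drop every matching community."""
    return [c for c in comms if not community_matches(pattern, c, neighbor_as)]


def set_community(comms, pattern, neighbor_as):
    """'set community <pattern>': add it unless already present."""
    comm = expand(pattern, neighbor_as)
    if COMMUNITY_ANY in comm:
        raise ValueError("cannot set a wildcard community")
    return list(comms) if comm in comms else list(comms) + [comm]


if __name__ == "__main__":
    # Constructed attribute list of a received prefix and a neighbor in AS 65001.
    received = [(65001, 100), (65001, 200), (3303, 10)]
    cleaned = delete_communities(received, parse_community("neighbor-as:*"), 65001)
    print("after delete neighbor-as:*:", cleaned)
    print("after set NO_PEER:", set_community(cleaned, parse_community("NO_PEER"), 65001))
```

Stripping `neighbor-as:*` before applying your own communities is the pattern 1.180 describes: a peer cannot pre-load values in your AS's community space and have them survive into your policy.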


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
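The nexthop check this commit describes, as an added stand-alone example (not bgpd's own code): class D and class E addresses and anything in 127/8 are rejected. Also rejecting 0.0.0.0 is an assumption made here, beyond what the commit message states.

```c
/*
 * Added example, not bgpd's own code: the IPv4 nexthop sanity check the
 * commit describes, as a stand-alone function.  Rejecting 0.0.0.0 as
 * well is an assumption beyond what the commit message says.
 */
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* a in host byte order; 1 if usable as a nexthop, 0 otherwise. */
int
nexthop_valid(uint32_t a)
{
	if ((a & 0xf0000000U) == 0xe0000000U)	/* 224/4: class D, multicast */
		return 0;
	if ((a & 0xf0000000U) == 0xf0000000U)	/* 240/4: class E, reserved */
		return 0;
	if ((a & 0xff000000U) == 0x7f000000U)	/* 127/8: loopback */
		return 0;
	if (a == 0)				/* assumption: unspecified address */
		return 0;
	return 1;
}

/* Same check on a dotted-quad string; unparsable input counts as invalid. */
int
nexthop_str_valid(const char *s)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return 0;
	return nexthop_valid(ntohl(in.s_addr));
}
```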


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
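Revisions 1.43, 1.44, 1.103 and 1.110 all concern the same conversion: a "tcp md5sig" key given either as an ASCII password or as a hex string, with the length checked rather than silently truncated. The following is an added example of that conversion and is not bgpd's own str2key(); the 80-byte cap (TCP_MD5SIG's maximum key length), the function names and the per-nibble conversion are assumptions made here.

```c
/*
 * Added example, not bgpd's own str2key(): turning a "tcp md5sig" key
 * given as hex or as an ASCII password into raw key bytes, with the
 * length checks these commits describe.  The 80-byte cap (TCP_MD5SIG's
 * maximum key length) and the per-nibble conversion are assumptions
 * made here for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MD5_KEY_MAX 80

/* Value of a hex digit, or -1 if c is not one. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Parse a hex string into key (at most keysz bytes).  Returns the key
 * length, or -1 if the string is empty, has odd length, contains a
 * non-hex character or is too long.  Note the comparison: a key of
 * exactly keysz bytes is accepted (the off-by-one of rev 1.110 was here).
 */
int
key_from_hex(const char *s, uint8_t *key, size_t keysz)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0 || len / 2 > keysz)
		return -1;
	for (i = 0; i < len; i += 2) {
		hi = hexval((unsigned char)s[i]);
		lo = hexval((unsigned char)s[i + 1]);
		if (hi == -1 || lo == -1)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/*
 * ASCII password: the key is the bytes of the string, which limits the
 * key space but matches what other vendors accept.  Too long is an
 * error, not a silent truncation (rev 1.44).
 */
int
key_from_password(const char *pw, uint8_t *key, size_t keysz)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keysz)
		return -1;
	memcpy(key, pw, len);
	return (int)len;
}
```

Both functions return the key length explicitly, which is the reason rev 1.101 gave the key its own length field: a hex key may legitimately contain a 0x00 byte, so strlen() on the stored key is wrong.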


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.406 23-Apr-2020 claudio

Store local-address by address family. This allows to configure both
an IPv4 and IPv6 local-address on a group and the neighbors bind to the
right local-address. Also implement 'no local-address' to reset a previously
set local address back to zero. This should help with IBGP and multihop
session config and hopefully reduce repetition in bgpd configs.
OK sthen@ benno@


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies an earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
    roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
    }
    deny from any ovs invalid
    match from any ovs valid set community local-as:42
    match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
    match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
    roa-set "test2" {
        1.2.3.0/24 source-as 1,
        1.2.8.0/22 maxlen 24 source-as 3
    }
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
    prefix 10.0.0.0/8 prefixlen 8 - 24
    prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
    deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in a syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
    match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
    announce refresh yes   # was already on by default
    announce restart no
    announce as-4byte no   # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus

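An added example (not bgpd's own code) of the two key forms revs 1.44 and 1.43 describe: an ASCII password, which keeps every key byte printable and so narrows the key space, and a hex key, which does not; both refuse an over-long key instead of silently truncating it. MD5KEY_MAX, the "key" keyword spelling and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not bgpd code): parse a TCP MD5 signature key given as an
 * ASCII password or as hex, and reject anything that would be truncated
 * instead of silently shortening it. MD5KEY_MAX and the "key" spelling are
 * assumptions made for this example.
 */
#define MD5KEY_MAX	80	/* assumed limit, same value as OpenBSD's TCP_MD5_KEY_LEN */

struct md5key {
	uint8_t	key[MD5KEY_MAX];
	size_t	len;
};

static int
hexnibble(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* ASCII form: one key byte per character, so only printable bytes occur in the key. */
int
md5key_from_password(struct md5key *k, const char *pw)
{
	size_t len = strlen(pw);

	if (len == 0 || len > MD5KEY_MAX)
		return -1;	/* refuse instead of truncating (rev 1.44) */
	memcpy(k->key, pw, len);
	k->len = len;
	return 0;
}

/* Hex form: two digits per byte, any byte value possible, full key space. */
int
md5key_from_hex(struct md5key *k, const char *hex)
{
	size_t len = strlen(hex), i;

	if (len == 0 || len % 2 != 0 || len / 2 > MD5KEY_MAX)
		return -1;
	for (i = 0; i < len; i += 2) {
		int hi = hexnibble(hex[i]), lo = hexnibble(hex[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = len / 2;
	return 0;
}

/* Dispatch on the word following 'tcp md5sig': "password <ascii>" or "key <hex>". */
int
md5key_parse(struct md5key *k, const char *spec)
{
	if (strncmp(spec, "password ", 9) == 0)
		return md5key_from_password(k, spec + 9);
	if (strncmp(spec, "key ", 4) == 0)
		return md5key_from_hex(k, spec + 4);
	return -1;
}

int
main(void)
{
	struct md5key k;
	size_t i;
	const char *specs[] = { "password secret", "key deadBEEF", "key abc", "key zz" };

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
		if (md5key_parse(&k, specs[i]) == -1) {
			printf("%-16s -> rejected\n", specs[i]);
			continue;
		}
		printf("%-16s -> %zu byte key\n", specs[i], k.len);
	}
	return 0;
}
```

The odd-length and non-hex cases are rejected outright rather than padded, since a key that differs from what the operator wrote would fail to match the peer's key and the session would never come up, with nothing in the config to explain why.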

# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.405 16-Mar-2020 claudio

The assumption that in roa tables a prefix / source-as combo only appears
once in the input file is not correct. I thought the RPKI validators would
aggregate these entries but that is not necessarily the case.
There are cases where prefixes show up with the same source-as multiple times
with different maxlen length. In those cases merge these multiple entries
and keep the one entry with the longest maxlen length since that is the VRP
which covers all others.
Found by job@ OK benno@


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces and add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@

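The ROA handling described in revs 1.405 (merge duplicate prefix/source-as entries and keep the longest maxlen), 1.361 (ovs valid / invalid / not-found matching) and 1.351 (maxlen as an upper bound on the announced prefix length) in one worked example. This is added example code, not bgpd's implementation: IPv4 only, host byte order, a fixed-size table instead of a trie, and every name (vrp_add, ovs_classify, IP4, plen_mask) is invented here; the classification rules follow RFC 6811.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not bgpd code: a fixed-size VRP table with the merge rule
 * from rev 1.405 and RFC 6811 origin validation as matched by 'ovs'.
 * IPv4 only, host byte order; every name here is invented for the example.
 */
enum ovs { OVS_NOTFOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

struct vrp {
	uint32_t prefix;	/* network part, host byte order */
	uint8_t	 plen;		/* prefix length */
	uint8_t	 maxlen;	/* longest announcement this ROA covers */
	uint32_t asn;		/* source-as */
};

#define IP4(a, b, c, d)	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
			 ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_VRPS	64

static struct vrp	vrps[MAX_VRPS];
static size_t		nvrps;

static uint32_t
plen_mask(uint8_t plen)
{
	/* a shift by 32 is undefined in C, so /0 is special-cased */
	return plen == 0 ? 0 : (uint32_t)0xffffffffu << (32 - plen);
}

/*
 * Insert a VRP. A prefix/source-as pair that is already present is merged
 * and keeps the longest maxlen, since that entry covers all the others.
 * Returns 0 on success, -1 for a malformed entry or a full table.
 */
int
vrp_add(uint32_t prefix, uint8_t plen, uint8_t maxlen, uint32_t asn)
{
	size_t i;

	if (plen > 32 || maxlen > 32 || maxlen < plen)
		return -1;
	prefix &= plen_mask(plen);
	for (i = 0; i < nvrps; i++) {
		struct vrp *v = &vrps[i];
		if (v->prefix == prefix && v->plen == plen && v->asn == asn) {
			if (maxlen > v->maxlen)
				v->maxlen = maxlen;
			return 0;
		}
	}
	if (nvrps == MAX_VRPS)
		return -1;
	vrps[nvrps].prefix = prefix;
	vrps[nvrps].plen = plen;
	vrps[nvrps].maxlen = maxlen;
	vrps[nvrps].asn = asn;
	nvrps++;
	return 0;
}

/*
 * RFC 6811: not-found if no VRP covers the route prefix; valid if a covering
 * VRP has the same source-as and the route is no longer than its maxlen;
 * otherwise invalid (wrong origin, or more specific than any maxlen allows).
 */
enum ovs
ovs_classify(uint32_t prefix, uint8_t plen, uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < nvrps; i++) {
		const struct vrp *v = &vrps[i];
		if (plen < v->plen || (prefix & plen_mask(v->plen)) != v->prefix)
			continue;	/* this ROA does not cover the route */
		covered = 1;
		if (v->asn == origin_as && plen <= v->maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };

	/* constructed ROA data; 193.0.0.0/21 AS3333 appears twice with different maxlen */
	vrp_add(IP4(165, 254, 255, 0), 24, 24, 15562);
	vrp_add(IP4(193, 0, 0, 0), 21, 21, 3333);
	vrp_add(IP4(193, 0, 0, 0), 21, 24, 3333);
	printf("%zu VRPs after merge\n", nvrps);
	printf("193.0.2.0/24 AS3333:  %s\n", names[ovs_classify(IP4(193, 0, 2, 0), 24, 3333)]);
	printf("193.0.2.0/25 AS3333:  %s\n", names[ovs_classify(IP4(193, 0, 2, 0), 25, 3333)]);
	printf("193.0.0.0/21 AS64512: %s\n", names[ovs_classify(IP4(193, 0, 0, 0), 21, 64512)]);
	return 0;
}
```

The maxlen check is exactly the or-longer-with-upper-bound case of rev 1.351: a covering VRP with prefix length P and maxlen M accepts announcements of length P through M and nothing longer, so a /25 under a /21 maxlen 24 ROA is invalid, not merely not-found, because the prefix is covered.
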

# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"

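The representation problem behind the 1.295 entry above, as an added example that is not bgpd code: a large-community filter spec such as `neighbor-as:*:*` is parsed into 64-bit fields so that the `*` and `neighbor-as` markers sit outside the 0..4294967295 range a real field can take, and is then matched against a community for a given peer. The names `lc_spec`, `LC_ANY`, `LC_NEIGHBOR_AS`, `lc_parse`, `lc_match` and `lc_check` are hypothetical, and the sample inputs in the comments are constructed.

```c
/*
 * Added example, not bgpd code: a large-community filter spec such as
 * "neighbor-as:*:*" parsed into 64-bit fields so the '*' and neighbor-as
 * markers live outside the 0..4294967295 range a real field can take,
 * then matched against a community for a given peer.  Names (lc_spec,
 * LC_ANY, LC_NEIGHBOR_AS, lc_check) are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LC_ANY		(-1LL)	/* '*': matches any value */
#define LC_NEIGHBOR_AS	(-2LL)	/* 'neighbor-as': the peer's AS */

struct lc_spec {
	int64_t gas, ld1, ld2;	/* global admin, local data parts 1 and 2 */
};

struct large_community {
	uint32_t gas, ld1, ld2;
};

/* One field: a decimal 0..UINT32_MAX, '*' or 'neighbor-as'. */
static int
lc_parse_field(const char *s, size_t len, int64_t *out)
{
	char buf[16], *ep;
	unsigned long long v;

	if (len == 1 && s[0] == '*') {
		*out = LC_ANY;
		return 0;
	}
	if (len == 11 && strncmp(s, "neighbor-as", 11) == 0) {
		*out = LC_NEIGHBOR_AS;
		return 0;
	}
	if (len == 0 || len >= sizeof(buf) || s[0] < '0' || s[0] > '9')
		return -1;
	memcpy(buf, s, len);
	buf[len] = '\0';
	errno = 0;
	v = strtoull(buf, &ep, 10);
	if (errno != 0 || *ep != '\0' || v > UINT32_MAX)
		return -1;
	*out = (int64_t)v;
	return 0;
}

/* Parse "gas:ld1:ld2"; 0 on success, -1 on a malformed spec. */
int
lc_parse(const char *str, struct lc_spec *spec)
{
	int64_t *field[3] = { &spec->gas, &spec->ld1, &spec->ld2 };
	const char *p = str, *colon;
	size_t len;
	int i;

	for (i = 0; i < 3; i++) {
		colon = strchr(p, ':');
		if ((i < 2) != (colon != NULL))	/* exactly two colons */
			return -1;
		len = colon != NULL ? (size_t)(colon - p) : strlen(p);
		if (lc_parse_field(p, len, field[i]) == -1)
			return -1;
		if (colon != NULL)
			p = colon + 1;
	}
	return 0;
}

static int
lc_field_match(int64_t want, uint32_t have, uint32_t neighbor_as)
{
	if (want == LC_ANY)
		return 1;
	if (want == LC_NEIGHBOR_AS)
		return have == neighbor_as;
	return have == (uint32_t)want;
}

/* 1 if lc matches spec on a session whose remote AS is neighbor_as. */
int
lc_match(const struct lc_spec *spec, const struct large_community *lc,
    uint32_t neighbor_as)
{
	return lc_field_match(spec->gas, lc->gas, neighbor_as) &&
	    lc_field_match(spec->ld1, lc->ld1, neighbor_as) &&
	    lc_field_match(spec->ld2, lc->ld2, neighbor_as);
}

/* Parse and match in one call: 1 match, 0 no match, -1 bad spec. */
int
lc_check(const char *str, uint32_t gas, uint32_t ld1, uint32_t ld2,
    uint32_t neighbor_as)
{
	struct lc_spec spec;
	struct large_community lc = { gas, ld1, ld2 };

	if (lc_parse(str, &spec) == -1)
		return -1;
	return lc_match(&spec, &lc, neighbor_as);
}
```

Constructed check: `lc_check("neighbor-as:*:*", 65001, 5, 7, 65001)` matches, the same community on a session to AS 65002 does not, and a field of 4294967296 is rejected because it no longer fits the 32-bit value that goes on the wire.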

# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@

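The two path checks described in the 1.255 entry above, together with the AS 0 rule from the 1.301 entry (RFC 7607: AS 0 in an UPDATE marks the path invalid), as an added example that is not bgpd code. The path is modelled as a flat array of AS numbers, i.e. a single AS_SEQUENCE segment; AS_SET handling is left out. The function names `aspath_parse`, `aspath_max_seq`, `match_max_as_len`, `match_max_as_seq` and `check_path` are hypothetical, and the printed paths in the comments are constructed.

```c
/*
 * Added example, not bgpd code: the AS-path checks behind "max-as-len"
 * and "max-as-seq", plus the RFC 7607 rule that AS 0 in an UPDATE marks
 * the path invalid.  The path is a flat array of AS numbers (one
 * AS_SEQUENCE segment); AS_SET handling is left out.  Names are
 * hypothetical.
 */
#include <sys/types.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define ASPATH_MAX 64	/* upper bound for this example's buffers */

/*
 * Parse a printed path ("65001 65001 3356 1299") into as[].
 * Returns the number of ASes, or -1 on a bad number, on overflow of
 * as[] or on AS 0, which RFC 7607 says must not appear in an AS_PATH.
 */
ssize_t
aspath_parse(const char *s, uint32_t *as, size_t maxas)
{
	size_t n = 0;
	char *ep;
	unsigned long long v;

	while (*s != '\0') {
		while (*s == ' ')
			s++;
		if (*s == '\0')
			break;
		if (*s < '0' || *s > '9' || n >= maxas)
			return -1;
		errno = 0;
		v = strtoull(s, &ep, 10);
		if (errno != 0 || v == 0 || v > UINT32_MAX ||
		    (*ep != ' ' && *ep != '\0'))
			return -1;
		as[n++] = (uint32_t)v;
		s = ep;
	}
	return (ssize_t)n;
}

/* Longest run of one AS number repeated back to back (prepending). */
size_t
aspath_max_seq(const uint32_t *as, size_t n)
{
	size_t i, run = 0, best = 0;

	for (i = 0; i < n; i++) {
		run = (i > 0 && as[i] == as[i - 1]) ? run + 1 : 1;
		if (run > best)
			best = run;
	}
	return best;
}

/* "max-as-len N": the rule matches when the path has more than N ASes. */
int
match_max_as_len(const uint32_t *as, size_t n, size_t max)
{
	(void)as;
	return n > max;
}

/* "max-as-seq N": matches when one AS is repeated more than N times in a row. */
int
match_max_as_seq(const uint32_t *as, size_t n, size_t max)
{
	return aspath_max_seq(as, n) > max;
}

/*
 * Convenience for a printed path: 1 if either rule would match, 0 if
 * neither does, -1 if the path does not parse (including AS 0).
 */
int
check_path(const char *path, size_t max_len, size_t max_seq)
{
	uint32_t as[ASPATH_MAX];
	ssize_t n;

	if ((n = aspath_parse(path, as, ASPATH_MAX)) == -1)
		return -1;
	return match_max_as_len(as, (size_t)n, max_len) ||
	    match_max_as_seq(as, (size_t)n, max_seq);
}
```

Constructed check: for the path `65001 65001 65001 3356 1299`, `max-as-seq 2` matches (three prepends of 65001) while `max-as-seq 3` does not, `max-as-len 4` matches because the path carries five ASes, and a path containing `0` is rejected before either rule is evaluated.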

# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@

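The inflate/deflate step the 1.204 entry above refers to, as an added example that is not bgpd code: for a 2-byte-only peer every AS number above 65535 is replaced with AS_TRANS (23456) in AS_PATH and the full path travels in NEW_ASPATH; on receipt the two are merged again following RFC 4893 (the attribute was later renamed AS4_PATH by RFC 6793). Paths are flat arrays of one AS_SEQUENCE segment; AS_SET merging is not handled. The names `aspath_deflate`, `aspath_inflate`, `aspath_roundtrip_ok` and `aspath_inflate_ignores_bad_newpath` are hypothetical, and the sample paths are constructed.

```c
/*
 * Added example, not bgpd code: deflating a 4-byte AS path for an
 * OLD (2-byte only) speaker and inflating it back on receipt, following
 * RFC 4893 (NEW_ASPATH, later AS4_PATH in RFC 6793).  Paths are flat
 * arrays of one AS_SEQUENCE; AS_SET merging is not handled.  Names are
 * hypothetical.
 */
#include <stddef.h>
#include <stdint.h>

#define AS_TRANS 23456	/* RFC 4893 placeholder for a non-mappable AS */

/*
 * Build the 2-byte AS_PATH: every AS that does not fit in 16 bits
 * becomes AS_TRANS.  Returns how many were replaced; if non-zero the
 * sender must also attach the full path as NEW_ASPATH.
 */
size_t
aspath_deflate(const uint32_t *in, size_t n, uint16_t *out)
{
	size_t i, replaced = 0;

	for (i = 0; i < n; i++) {
		if (in[i] > UINT16_MAX) {
			out[i] = AS_TRANS;
			replaced++;
		} else
			out[i] = (uint16_t)in[i];
	}
	return replaced;
}

/*
 * Reconstruct the 4-byte path from AS_PATH (n entries) and NEW_ASPATH
 * (m entries).  OLD speakers in between prepend to AS_PATH only, so the
 * leading n - m entries of AS_PATH are real and the rest is taken from
 * NEW_ASPATH.  A NEW_ASPATH longer than AS_PATH is inconsistent and is
 * ignored (RFC 4893, section 4.2.3).  Returns the result length.
 */
size_t
aspath_inflate(const uint16_t *aspath, size_t n,
    const uint32_t *newpath, size_t m, uint32_t *out)
{
	size_t i, lead;

	if (newpath == NULL || m > n) {
		for (i = 0; i < n; i++)
			out[i] = aspath[i];
		return n;
	}
	lead = n - m;
	for (i = 0; i < lead; i++)
		out[i] = aspath[i];
	for (i = 0; i < m; i++)
		out[lead + i] = newpath[i];
	return n;
}

/*
 * Self-check: deflate a path, let an OLD speaker (AS 100) prepend itself,
 * inflate and compare.  Returns 1 when the round trip is lossless.
 */
int
aspath_roundtrip_ok(void)
{
	const uint32_t orig[] = { 65536, 3356, 200000 };	/* constructed */
	const uint32_t want[] = { 100, 65536, 3356, 200000 };
	uint16_t wire[4];
	uint32_t back[4];
	size_t i, n;

	if (aspath_deflate(orig, 3, wire + 1) != 2)
		return 0;
	wire[0] = 100;
	n = aspath_inflate(wire, 4, orig, 3, back);
	if (n != 4)
		return 0;
	for (i = 0; i < n; i++)
		if (back[i] != want[i])
			return 0;
	return 1;
}

/* Self-check: a NEW_ASPATH longer than AS_PATH must be ignored. */
int
aspath_inflate_ignores_bad_newpath(void)
{
	const uint16_t aspath[] = { 100, AS_TRANS };		/* constructed */
	const uint32_t newpath[] = { 65536, 3356, 200000 };
	uint32_t out[3];
	size_t n;

	n = aspath_inflate(aspath, 2, newpath, 3, out);
	return n == 2 && out[0] == 100 && out[1] == AS_TRANS;
}
```

The inconsistency rule matters for robustness: a NEW_ASPATH longer than the AS_PATH it travels with cannot have come from a well-behaved path, so the receiver falls back to the 2-byte view instead of trusting the attribute.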

# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
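The leak and its fix described in this entry, as an added illustration that is not bgpd's own code: the token values, keyword table, yylval shape and config words are all constructed, and a live-allocation counter stands in for what a leak checker would report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token values, constructed for this example (not bgpd's real ones). */
enum { STRING = 1, NEIGHBOR, REMOTE_AS, LOCAL_ADDRESS };

struct keyword { const char *k_name; int k_val; };

/* Constructed keyword table; it must stay sorted because lookup() uses bsearch(). */
static const struct keyword keywords[] = {
	{ "local-address", LOCAL_ADDRESS },
	{ "neighbor", NEIGHBOR },
	{ "remote-as", REMOTE_AS },
};

static int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keyword *)e)->k_name));
}

/* Return the keyword's token, or STRING when buf is not a keyword. */
int
lookup(const char *buf)
{
	const struct keyword *p = bsearch(buf, keywords,
	    sizeof(keywords) / sizeof(keywords[0]), sizeof(keywords[0]), kw_cmp);
	return (p == NULL ? STRING : p->k_val);
}

/* Stand-in for yacc's yylval; only the string member matters here. */
static union { char *string; } yylval;
/* Number of strdup()ed buffers not yet freed, i.e. the leak counter. */
static size_t live_allocs;

/* Lexer as before the fix: a strdup() for every token, keyword or not. */
int
yylex_leaky(const char *buf)
{
	int token = lookup(buf);

	if ((yylval.string = strdup(buf)) == NULL)
		abort();
	live_allocs++;
	return (token);
}

/* Lexer as fixed: allocate only for STRING, the one token whose value the grammar frees. */
int
yylex_fixed(const char *buf)
{
	int token = lookup(buf);

	yylval.string = NULL;
	if (token == STRING) {
		if ((yylval.string = strdup(buf)) == NULL)
			abort();
		live_allocs++;
	}
	return (token);
}

/* Parser side: only a STRING token hands over an owned buffer, which the grammar frees. */
static void
parser_consume(int token)
{
	if (token == STRING) {
		free(yylval.string);
		yylval.string = NULL;
		live_allocs--;
	}
}

/* Constructed config words, as the lexer would see them. */
const char *const sample_words[] = {
	"neighbor", "192.0.2.1", "remote-as", "65001", "local-address", "192.0.2.2"
};
const size_t sample_nwords = sizeof(sample_words) / sizeof(sample_words[0]);

/* Lex and consume every word; returns the buffers still live afterwards, i.e. leaked. */
size_t
leaked_after(int (*lex)(const char *), const char *const *words, size_t n)
{
	size_t i;

	live_allocs = 0;
	for (i = 0; i < n; i++)
		parser_consume(lex(words[i]));
	return (live_allocs);
}

int
main(void)
{
	printf("leaked before fix: %zu, after fix: %zu\n",
	    leaked_after(yylex_leaky, sample_words, sample_nwords),
	    leaked_after(yylex_fixed, sample_words, sample_nwords));
	return (0);
}
```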


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
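The check this entry describes, as an added example rather than bgpd's own code; it assumes "correct owner" means root or the user running the daemon, and it creates a scratch file under /tmp to exercise both the accepted and the rejected case.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Accept the config file only if it is owned by root or by the invoking
 * user and carries no group or world permission bits (assumed policy).
 * Returns 0 when the file passes, -1 otherwise.
 */
int
check_file_secrecy_example(const char *path)
{
	struct stat st;

	if (stat(path, &st) == -1) {
		perror(path);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		fprintf(stderr, "%s: owner not root or current user\n", path);
		return (-1);
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		fprintf(stderr, "%s: group/world readable or writable\n", path);
		return (-1);
	}
	return (0);
}

/*
 * Exercise the check: create a scratch file with the given mode.
 * Returns 1 if the check accepts it, 0 if it rejects it, -1 on setup failure.
 */
int
mode_is_accepted(mode_t mode)
{
	char path[] = "/tmp/bgpd-secrecy-XXXXXX";	/* constructed scratch path */
	int fd, accepted;

	if ((fd = mkstemp(path)) == -1)
		return (-1);
	if (fchmod(fd, mode) == -1) {	/* fchmod ignores umask, so the mode is exact */
		close(fd);
		unlink(path);
		return (-1);
	}
	accepted = check_file_secrecy_example(path) == 0;
	close(fd);
	unlink(path);
	return (accepted);
}

int
main(void)
{
	printf("0600 accepted: %d, 0644 accepted: %d\n",
	    mode_is_accepted(0600), mode_is_accepted(0644));
	return (0);
}
```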


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.404 14-Feb-2020 claudio

Rename copy_filterset() to filterset_copy() and move it to rde_filter.c
where functions like filterset_move() live. Also initialize the dest
TAILQ in filterset_copy() as it is done in filterset_move().
OK benno@ phessler@


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since these are filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries are allowing to define a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
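The origin validation states named in the 1.361 entry above (valid, invalid, not-found) and the prefixlen-range reading of maxlen from the 1.351 entry, as an added example in C. This is illustrative code written for this page, not bgpd's own implementation: the roa-set contents, the routes and the origin AS numbers are constructed for the example, and it covers IPv4 only.

```c
/*
 * Added example, not bgpd code: RFC 6811 style origin validation against
 * a small constructed roa-set, built on the "prefix within a prefixlen
 * range" test that the 1.351 entry describes: "prefixlen A - B" is the
 * same test as "maxlen B" when A equals the prefix length.  IPv4 only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ovs { OVS_NOT_FOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

struct roa {
	const char	*prefix;	/* dotted quad, e.g. "193.0.0.0" */
	int		 plen;
	int		 maxlen;	/* equals plen when no maxlen is given */
	uint32_t	 source_as;
};

/* Constructed sample set, mirroring the roa-set block in the 1.361 entry. */
static const struct roa roaset[] = {
	{ "165.254.255.0", 24, 24, 15562 },
	{ "193.0.0.0",     21, 24, 3333 },
};
static const size_t roaset_len = sizeof(roaset) / sizeof(roaset[0]);

/* Parse "a.b.c.d" into a host byte order value; returns 1 on success. */
static int
parse_ip4(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;
	char tail;

	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
		return 0;
	if (a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return 1;
}

static uint32_t
mask4(int plen)
{
	return plen <= 0 ? 0 : 0xffffffffu << (32 - plen);
}

/*
 * "prefix NET/NETLEN prefixlen MINLEN - MAXLEN": the route must lie inside
 * NET/NETLEN and its length must fall in [MINLEN, MAXLEN].  "maxlen MAXLEN"
 * is the same test with MINLEN == NETLEN.
 * Returns 1 on match, 0 on mismatch, -1 on unparsable input.
 */
int
match_prefix(const char *route, int plen, const char *net, int netlen,
    int minlen, int maxlen)
{
	uint32_t r, n;

	if (!parse_ip4(route, &r) || !parse_ip4(net, &n))
		return -1;
	if (plen < 0 || plen > 32 || netlen < 0 || netlen > 32)
		return -1;
	if (plen < minlen || plen > maxlen)
		return 0;
	return (r & mask4(netlen)) == (n & mask4(netlen));
}

/*
 * A ROA "covers" the route when the route lies inside the ROA prefix at any
 * length >= the ROA length.  No covering ROA: not-found.  A covering ROA
 * whose maxlen admits the route length and whose source-as equals the
 * origin AS: valid.  Covered but no such ROA: invalid.
 * Returns an enum ovs value, or -1 on unparsable input.
 */
int
validate_origin(const struct roa *set, size_t n, const char *route, int plen,
    uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		int r = match_prefix(route, plen, set[i].prefix, set[i].plen,
		    set[i].plen, 32);
		if (r < 0)
			return -1;
		if (r == 0)
			continue;
		covered = 1;
		if (plen <= set[i].maxlen && origin_as == set[i].source_as)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };
	int s = validate_origin(roaset, roaset_len, "193.0.4.0", 24, 3333);

	printf("193.0.4.0/24 from AS 3333: %s\n", s < 0 ? "error" : names[s]);
	return 0;
}
```

Note that a more specific route than the ROA's maxlen allows (193.0.4.0/25 here) is still covered and therefore invalid rather than not-found, which is why a "deny from any ovs invalid" rule, as in the 1.361 entry, rejects it.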


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
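The migration the entry above recommends, shown as an added bgpd.conf fragment that is not part of the commit: a configuration written against the old implicit announce behaviour, beside one that states announce all and a default-deny filter explicitly and so produces the same result after this change. The AS numbers, addresses and prefixes are documentation values chosen for the example, and the prefix the peer is expected to announce is an assumption.

```conf
# Before: "announce self" limited outbound to our own network statements,
# and the (then default-allow) filters accepted everything inbound.
# After 1.322 this stanza is a syntax error.
AS 64496
router-id 192.0.2.1
network 198.51.100.0/24

neighbor 192.0.2.2 {
	remote-as 64497
	announce self
}

# After: say "announce all" explicitly, start the filters with an explicit
# default deny in both directions, and allow only what was exchanged before.
# The inbound prefix 203.0.113.0/24 is an assumed value for the example.
AS 64496
router-id 192.0.2.1
network 198.51.100.0/24

neighbor 192.0.2.2 {
	remote-as 64497
	announce all
}

deny from any
deny to any
allow from 192.0.2.2 prefix 203.0.113.0/24
allow to 192.0.2.2 prefix 198.51.100.0/24
```

Since bgpd applies the last matching rule, the two deny lines come first and the allow rules after them; `bgpd -nv -f bgpd.conf` checks that the new file parses and `bgpctl show rib out nei 192.0.2.2` shows what the peer actually receives, as the entry suggests.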


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.403 24-Jan-2020 claudio

Implement 'max-prefix NUM out' to limit the number of announced prefixes.
This is an easy safety switch to not leak full tables to upstreams and
peers. If the limit is hit a Cease notification is sent and the session
is closed.
This implements most of https://tools.ietf.org/html/draft-sa-idr-maxprefix-00
OK job@


Revision tags: OPENBSD_6_6_BASE
# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries are allowing to define a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.402 27-Sep-2019 claudio

Move the code to initialize the cluster-id from merge_config() to
parse_config(). The first is not called on startup which results in bgpd
using 0.0.0.0 as cluster-id.
Found and fix provided by Rivo Nurges (Rivo dot Nurges at smit dot ee)
Thanks and OK claudio@


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces and add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@
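
An added example, not code from bgpd: a sorted lookup table of the kind the 1.334, 1.353 and 1.355 entries describe, where objects of any size can be stored as long as their first member is the 32-bit ID that qsort() and bsearch() compare, and a hit returns a pointer to the stored object rather than a yes/no. The set_table and set_* names, the as_entry struct with its tag field, the dirty flag and the AS numbers loaded are all assumptions of this example.

```c
/*
 * Added example, not bgpd code: sorted lookup table for objects of any
 * size whose first member is a 32-bit ID (the 1.353/1.355 design).
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct set_table {
	void	*data;
	size_t	 objsize;	/* bytes per object, >= sizeof(uint32_t) */
	size_t	 nmemb;
	size_t	 max;
	int	 sorted;	/* dirty flag: lookups refused until set_prep() */
};

/* Compare the leading uint32_t of two objects; memcpy avoids alignment assumptions. */
static int
set_cmp(const void *a, const void *b)
{
	uint32_t ia, ib;

	memcpy(&ia, a, sizeof(ia));
	memcpy(&ib, b, sizeof(ib));
	return ia < ib ? -1 : ia > ib;
}

/* Append one object, growing geometrically with an overflow check on the size. */
int
set_add(struct set_table *t, const void *obj)
{
	if (t->objsize < sizeof(uint32_t))
		return -1;
	if (t->nmemb == t->max) {
		size_t nmax = t->max ? t->max * 2 : 16;
		void *p;

		if (nmax > SIZE_MAX / t->objsize ||
		    (p = realloc(t->data, nmax * t->objsize)) == NULL)
			return -1;
		t->data = p;
		t->max = nmax;
	}
	memcpy((char *)t->data + t->nmemb * t->objsize, obj, t->objsize);
	t->nmemb++;
	t->sorted = 0;
	return 0;
}

/* Sort once after loading; any later set_add() marks the table dirty again. */
void
set_prep(struct set_table *t)
{
	qsort(t->data, t->nmemb, t->objsize, set_cmp);
	t->sorted = 1;
}

/* Pointer to the object with this ID, or NULL when absent or not prepared. */
void *
set_match(const struct set_table *t, uint32_t id)
{
	if (!t->sorted || t->nmemb == 0)
		return NULL;
	return bsearch(&id, t->data, t->nmemb, t->objsize, set_cmp);
}

/* Constructed as-set entry: AS number first, then data a filter could act on. */
struct as_entry {
	uint32_t	as;
	uint32_t	tag;
};

/* Tag of an AS in the constructed set, 0 when not a member; loads the table once. */
uint32_t
demo_as_tag(uint32_t as)
{
	static const struct as_entry entries[] = {
		{ 64496, 1 }, { 3333, 2 }, { 15562, 3 }, { 4200000000U, 4 },
	};
	static struct set_table t = { .objsize = sizeof(struct as_entry) };
	const struct as_entry *e;

	if (t.nmemb == 0) {
		for (size_t i = 0; i < sizeof(entries) / sizeof(entries[0]); i++)
			if (set_add(&t, &entries[i]) == -1)
				return 0;
		set_prep(&t);
	}
	e = set_match(&t, as);
	return e != NULL ? e->tag : 0;
}
```

Loading, sorting once and then doing O(log n) lookups is the point; the dirty flag makes an unsorted table refuse lookups instead of returning wrong answers, and the 4-byte entry 4200000000 shows why the ID has to be a full uint32_t rather than a 16-bit AS.
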


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let the rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flags is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered into the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oops


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
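
The two checks this entry describes, as an added example in Python that is not bgpd's own code: a nexthop is rejected when it falls in class D, class E or 127/8, and with 'enforce neighbor-as' (on by default for ebgp) the leftmost AS of the AS_PATH must be the neighbor's AS. Only IPv4 nexthops are handled and AS_SET segments are not modelled; both are assumptions of this example, and the sample AS numbers and addresses are constructed.

```python
import ipaddress

# Address ranges a BGP nexthop may never fall into: class D (multicast),
# class E (reserved) and the loopback net.
_BAD_NEXTHOP_NETS = (
    ipaddress.ip_network("224.0.0.0/4"),   # class D
    ipaddress.ip_network("240.0.0.0/4"),   # class E
    ipaddress.ip_network("127.0.0.0/8"),   # loopback
)


def nexthop_valid(nexthop):
    """True if `nexthop` is a usable IPv4 nexthop.

    Assumption of this example: only IPv4 is checked, anything else is rejected.
    """
    try:
        addr = ipaddress.ip_address(nexthop)
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return not any(addr in net for net in _BAD_NEXTHOP_NETS)


def neighbor_as_ok(as_path, neighbor_as, ebgp, enforce=None):
    """Model 'enforce neighbor-as yes|no'.

    as_path is the AS_PATH as a list of AS numbers, leftmost first, so the AS
    that handed us the route comes first (AS_SET segments are not modelled;
    assumption of this example). enforce=None picks the default from the log:
    on for ebgp neighbors, off otherwise.
    """
    if enforce is None:
        enforce = ebgp
    if not enforce:
        return True
    # With enforcement on, an empty path cannot have come from the neighbor's AS.
    return bool(as_path) and as_path[0] == neighbor_as


def update_problem(nexthop, as_path, neighbor_as, ebgp, enforce=None):
    """Return None if the UPDATE passes both checks, else a short reason."""
    if not nexthop_valid(nexthop):
        return f"invalid nexthop {nexthop}"
    if not neighbor_as_ok(as_path, neighbor_as, ebgp, enforce):
        first = as_path[0] if as_path else "none"
        return f"leftmost AS {first} != neighbor-as {neighbor_as}"
    return None


if __name__ == "__main__":
    # constructed sample: an ebgp neighbor in AS 64496 announcing a path
    print(update_problem("192.0.2.1", [64496, 64500], 64496, ebgp=True))
    print(update_problem("224.0.0.1", [64496], 64496, ebgp=True))
    print(update_problem("192.0.2.1", [64500, 64496], 64496, ebgp=True))
```

A route that fails either check is dropped before it reaches the decision process; with enforcement off (the ibgp default) only the nexthop test applies.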


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
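
What "config file secrecy" amounts to, as an added example in Python rather than bgpd's own check: the file must be a regular file with an acceptable owner and no permission bits at all for group or world, because bgpd.conf carries TCP MD5 and IPsec keys. The check is done with fstat() on the descriptor that will actually be read, so there is no window between checking and opening. Treating root or the running user as an acceptable owner is an assumption of this example; the sample files are constructed by demo().

```python
import os
import stat
import tempfile


def secrecy_problem(st_mode, st_uid, allowed_uids):
    """Return None if a file with these stat bits may hold secrets, else why not.

    The rule: regular file, correct owner, and no permission bits for group
    or world. Which owners count as correct is the caller's decision.
    """
    if not stat.S_ISREG(st_mode):
        return "not a regular file"
    if st_uid not in allowed_uids:
        return f"owned by uid {st_uid}, expected one of {sorted(allowed_uids)}"
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"group/world accessible ({stat.filemode(st_mode)})"
    return None


def open_secret_config(path, allowed_uids=None):
    """Open `path` read-only and refuse it unless it passes secrecy_problem().

    The descriptor is checked with fstat(), so the file that was checked is
    the file that gets parsed. Assumption of this example: root or the
    running user is an acceptable owner.
    """
    if allowed_uids is None:
        allowed_uids = {0, os.getuid()}
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        problem = secrecy_problem(st.st_mode, st.st_uid, allowed_uids)
        if problem is not None:
            raise PermissionError(f"{path}: {problem}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo():
    """Write a 0600 and a 0644 sample config (constructed, then deleted) and
    return (result_for_0600, result_for_0644): None or the refusal reason."""
    results = []
    for mode in (0o600, 0o644):
        with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
            f.write('tcp md5sig password "not-really-secret"\n')  # sample content
            path = f.name
        os.chmod(path, mode)
        try:
            fd = open_secret_config(path)
            os.close(fd)
            results.append(None)
        except PermissionError as e:
            results.append(str(e).rsplit(": ", 1)[1])
        finally:
            os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The same function is what a config reload should call again: a file that was fine at startup and later became group readable is refused on the next reload, which is the point of the check.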


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
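
The two key forms from this entry and the length check from 1.44, as an added example in Python that is not bgpd's str2key: 'password' takes printable ASCII (the cisco/juniper compatible form, which can only produce byte values that are ASCII characters), 'key' takes hex digits and can express any byte, and an over-long key is reported rather than silently truncated. The maximum key length of 80 bytes is an assumption of this example; the log does not state bgpd's limit.

```python
import string

# Assumption for this example: the maximum raw key length. The log only says
# an over-long key must be reported, not cut.
MAX_KEY_LEN = 80


def parse_auth_key(form, value, max_len=MAX_KEY_LEN):
    """Return the raw key bytes for 'password <ascii>' or 'key <hex>'.

    'password' keeps the key in printable ASCII, 'key' takes hex digits and
    so can express any byte value. Raises ValueError instead of truncating
    or guessing at malformed input.
    """
    if form == "password":
        try:
            key = value.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("password must be ASCII") from None
    elif form == "key":
        if not value or len(value) % 2:
            raise ValueError("hex key needs an even, non-zero number of digits")
        if any(c not in string.hexdigits for c in value):
            raise ValueError("hex key contains non-hex characters")
        key = bytes.fromhex(value)
    else:
        raise ValueError(f"unknown key form {form!r}")
    if not key:
        raise ValueError("empty key")
    if len(key) > max_len:
        raise ValueError(f"key too long: {len(key)} bytes, maximum {max_len}")
    return key


def key_problem(form, value, max_len=MAX_KEY_LEN):
    """None if the key is acceptable, else the error text, for callers that
    report instead of raising (a config parser's yyerror, for instance)."""
    try:
        parse_auth_key(form, value, max_len)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # constructed sample specs
    print(parse_auth_key("password", "s3cret"))
    print(parse_auth_key("key", "00ff7f"))
    print(key_problem("password", "x" * 81))
    print(key_problem("key", "abc"))
```

Because 'password' can never yield bytes above 0x7f, two configurations with the same key bytes but different forms are interchangeable, while a hex key using high bytes has no 'password' equivalent.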


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.401 13-Aug-2019 claudio

When allocating a new peer set the reconf_action to RECONF_REINIT.
Also in merge_config() it is no longer needed to reset the reconf_action
of the new peers to RECONF_REINIT. merge_config() is not called on
startup and so some of the initialisation of new peers did not happen
correctly.

This fixes the md5 integration test since the md5 initialisation did not
happen early enough.


# 1.400 08-Aug-2019 claudio

Set the reconf state of listening addrs to RECONF_REINIT. This is what
the session engine expects and will allow to send out the config without
calling merge_config first.
OK sthen@


# 1.399 07-Aug-2019 claudio

Improve RIB reload behaviour. Especially when the rtable changes or the
route evaluation is modified. In both cases the softreconfig code will
now walk the RIB and ensure that everything is in proper sync.
Additionally remove 'route-collector yes|no' from the bgpd config, instead
use 'rde rib Loc-RIB no evaluate' with the benefit that you can alter
the setting now during runtime.
Tested and OK benno@


# 1.398 07-Aug-2019 claudio

Only templates can have a remote-as of 0 (as in uninitialised, trust the AS
from the OPEN message) any other use of AS 0 is forbidden. This makes
templates work again without any extra unwanted config.
OK benno@


# 1.397 05-Aug-2019 claudio

Cleanup config reload in the RDE. Use the bgpd_conf struct to store sets
and l3vpns instead of temporary globals. Also rework rde_reload_done to
free filters and sets earlier. The soft-reconfiguration process no longer
needs the previous filters / sets to do its work since there is a full
Adj-RIB-Out.
OK benno@


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
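
The prefix range test this entry describes, and the origin validation that entry 1.361 builds on top of the roa-set, as one added example in Python that is not bgpd's own code: prefix_in_range() is the single test behind 'prefixlen A - B', 'or-longer' and 'maxlen', and origin_validation_state() turns a roa-set plus a route's origin AS into the 'ovs' keywords valid, invalid and not-found that the filters match on. The roa-set text is constructed sample data in the syntax the log shows (entries, prefixes and AS numbers are made up); the parser only handles that bare form.

```python
import ipaddress
import re

# Constructed roa-set in the syntax the log shows; the entries are sample
# data for this example, not real ROAs.
SAMPLE_ROA_SET = """
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
    2001:db8::/32 maxlen 48 source-as 64496
}
"""

_ENTRY = re.compile(r"^(\S+/\d+)(?:\s+maxlen\s+(\d+))?\s+source-as\s+(\d+)$")


def prefix_in_range(prefix, base, lo, hi):
    """True if `prefix` lies inside `base` and its length is within [lo, hi].

    'prefix 10.0.0.0/8 prefixlen 8 - 24' and 'prefix 10.0.0.0/8 maxlen 24'
    are both prefix_in_range(p, "10.0.0.0/8", 8, 24); 'or-longer' is the
    same with hi set to the address family's maximum length.
    """
    p = ipaddress.ip_network(str(prefix), strict=False)
    b = ipaddress.ip_network(str(base), strict=False)
    if p.version != b.version or not lo <= p.prefixlen <= hi:
        return False
    return p.subnet_of(b)


def parse_roa_set(text):
    """Parse 'prefix [maxlen N] source-as AS' lines into (network, maxlen, asn).

    A missing maxlen means the prefix length itself; trailing commas are
    optional, as the log says for expansion lists.
    """
    roas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line or line.startswith("roa-set") or line == "}":
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"cannot parse roa-set entry: {line!r}")
        net = ipaddress.ip_network(m.group(1), strict=False)
        maxlen = int(m.group(2)) if m.group(2) else net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        roas.append((net, maxlen, int(m.group(3))))
    return roas


SAMPLE_ROAS = parse_roa_set(SAMPLE_ROA_SET)


def origin_validation_state(roas, prefix, origin_as):
    """Return the 'ovs' keyword for a route: valid, invalid or not-found.

    A ROA covers the route when the route lies inside the ROA prefix at any
    length; maxlen and source-as then decide valid versus invalid. With no
    covering ROA at all the answer is not-found.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for net, maxlen, asn in roas:
        if not prefix_in_range(route, net, net.prefixlen, net.max_prefixlen):
            continue
        covered = True
        if route.prefixlen <= maxlen and origin_as == asn:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in (("193.0.4.0/23", 3333), ("193.0.0.0/25", 3333),
                        ("165.254.255.0/24", 64512), ("10.0.0.0/8", 65000)):
        print(prefix, asn, origin_validation_state(SAMPLE_ROAS, prefix, asn))
```

The important edge case is the too-specific announcement: 193.0.0.0/25 with the right origin AS is still invalid because it exceeds the ROA's maxlen, which is exactly what 'deny from any ovs invalid' is meant to catch; a route with no covering ROA is not-found, not invalid, so a filter that only denies invalid lets it through.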


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
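The two checks this entry introduces, as an added example (written for this page, not bgpd's RDE code): max-as-len compares the hop count of the AS path against a limit, max-as-seq compares the longest run of one AS number repeated back to back (a prepend) against a limit, and both match only when the measured value is strictly longer than the configured one, as the message states. The path is treated as a flat AS_SEQUENCE; struct and function names and the sample path are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Thresholds as an operator would write them in bgpd.conf, e.g.
 *   deny from any max-as-len 64
 *   deny from any max-as-seq 8
 * A value of 0 means "not configured" in this example (hypothetical
 * field names, not bgpd's).
 */
struct aspath_limits {
	size_t max_as_len;
	size_t max_as_seq;
};

/* Longest run of the same AS number in consecutive positions. */
static size_t
aspath_longest_seq(const uint32_t *path, size_t len)
{
	size_t i, run = 0, best = 0;

	for (i = 0; i < len; i++) {
		run = (i > 0 && path[i] == path[i - 1]) ? run + 1 : 1;
		if (run > best)
			best = run;
	}
	return best;
}

/*
 * 1 if the path trips any configured limit. "Longer than the specified
 * length" means strict '>': a path of exactly max_as_len hops is allowed.
 */
static int
aspath_exceeds(const struct aspath_limits *l, const uint32_t *path, size_t len)
{
	if (l->max_as_len != 0 && len > l->max_as_len)
		return 1;
	if (l->max_as_seq != 0 && aspath_longest_seq(path, len) > l->max_as_seq)
		return 1;
	return 0;
}

/* Constructed sample path: five hops, with a triple prepend by the origin. */
static const uint32_t demo_path[] = { 3356, 174, 65001, 65001, 65001 };
static const size_t demo_len = sizeof(demo_path) / sizeof(demo_path[0]);

/* One rule with only max-as-len set, applied to the sample path. */
static int
deny_max_as_len(size_t max)
{
	struct aspath_limits l = { max, 0 };

	return aspath_exceeds(&l, demo_path, demo_len);
}

/* One rule with only max-as-seq set, applied to the sample path. */
static int
deny_max_as_seq(size_t max)
{
	struct aspath_limits l = { 0, max };

	return aspath_exceeds(&l, demo_path, demo_len);
}

int
main(void)
{
	/* 5 hops: denied by max-as-len 4, allowed by 5; run of 3: denied by max-as-seq 2. */
	return (deny_max_as_len(4) == 1 && deny_max_as_len(5) == 0 &&
	    deny_max_as_seq(2) == 1 && deny_max_as_seq(3) == 0) ? 0 : 1;
}
```

A reasonable max-as-len for the public Internet is generous (well above any legitimate path) because the goal is to drop pathological announcements, not to police prepending; max-as-seq is the knob for that.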


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some cleanup of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error pathes. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.396 24-Jul-2019 benno

mrt.h only needs to be included by mrt.c
ok claudio@


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@
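An added example, not bgpd's own set_table/as_set code: a table of variable-sized elements keyed on their leading 32-bit ID and searched with bsearch(), as the as-set work in this commit and its generalisation in 1.353 describe. The idset_* names are hypothetical and the AS numbers are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative table with hypothetical idset_* names (not bgpd's own code):
 * elements may be of any size, but the first field of every element must be
 * a 32-bit ID, which is the only thing bsearch() compares. */
struct idset {
	void	*data;		/* nelems elements of elsize bytes each */
	size_t	elsize;		/* size of one element */
	size_t	nelems;		/* number of elements stored */
	int	dirty;		/* set when data was added since the last sort */
};

/* Compare only the leading 32-bit ID; works for the key and elements alike. */
static int
idset_cmp(const void *a, const void *b)
{
	uint32_t ia, ib;

	memcpy(&ia, a, sizeof(ia));
	memcpy(&ib, b, sizeof(ib));
	return (ia > ib) - (ia < ib);
}

struct idset *
idset_new(size_t elsize)
{
	struct idset *s;

	if (elsize < sizeof(uint32_t))
		return NULL;	/* an element must at least hold the ID */
	if ((s = calloc(1, sizeof(*s))) == NULL)
		return NULL;
	s->elsize = elsize;
	return s;
}

/* Append one element; the table stays unsorted until the next lookup. */
int
idset_add(struct idset *s, const void *elem)
{
	void *p;

	if (s->nelems + 1 > SIZE_MAX / s->elsize)
		return -1;	/* allocation size would overflow */
	if ((p = realloc(s->data, (s->nelems + 1) * s->elsize)) == NULL)
		return -1;
	s->data = p;
	memcpy((char *)s->data + s->nelems * s->elsize, elem, s->elsize);
	s->nelems++;
	s->dirty = 1;
	return 0;
}

/* Pointer to the element whose ID equals id, or NULL if it is not in the set. */
void *
idset_match(struct idset *s, uint32_t id)
{
	if (s->dirty) {		/* sort lazily once after loading */
		qsort(s->data, s->nelems, s->elsize, idset_cmp);
		s->dirty = 0;
	}
	return bsearch(&id, s->data, s->nelems, s->elsize, idset_cmp);
}

void
idset_free(struct idset *s)
{
	if (s != NULL)
		free(s->data);
	free(s);
}

/* An element larger than the ID itself; the AS number must come first. */
struct as_entry { uint32_t as; uint32_t flags; };

/* Load a constructed set of AS numbers and look one up: 1 found, 0 not. */
int
idset_demo(uint32_t wanted)
{
	struct as_entry e[] = { {65002, 1}, {64512, 2}, {65535, 3}, {65001, 4} };
	struct idset *s = idset_new(sizeof(struct as_entry));
	struct as_entry *m;
	size_t i;
	int found;

	if (s == NULL)
		return -1;
	for (i = 0; i < sizeof(e) / sizeof(e[0]); i++)
		if (idset_add(s, &e[i]) == -1) {
			idset_free(s);
			return -1;
		}
	m = idset_match(s, wanted);
	found = (m != NULL && m->as == wanted);
	idset_free(s);
	return found;
}
```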


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
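As an added illustration (not part of the commit; peers, AS numbers and prefixes are constructed), a pre-1.322 configuration that relied on `announce self` beside the explicit default-deny form the message recommends:

```conf
# Before (6.3-style, constructed): 'announce self' limited exports and
# there are no filter rules, so the old implicit default was allow.
AS 65001
router-id 192.0.2.1
network 198.51.100.0/24

neighbor 203.0.113.2 {
	remote-as 65002
	descr "upstream"
	announce self
}

# After: 'announce all' is explicit, the filters open with the deny pair
# so nothing leaks by default, and only the intended exchange is allowed.
AS 65001
router-id 192.0.2.1
network 198.51.100.0/24

neighbor 203.0.113.2 {
	remote-as 65002
	descr "upstream"
	announce all
}

deny from any
deny to any
allow from 203.0.113.2
allow to 203.0.113.2 prefix 198.51.100.0/24
```

Both halves are written as separate files; `bgpd -nv -f` on the second and `bgpctl show rib out` afterwards are the checks the commit names.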


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@

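An added example (not OpenBGPD's own code) of the two checks the commit above describes: it decodes the value of an AS_PATH attribute into a flat list of AS numbers and then evaluates max-as-len and max-as-seq against it. The segment layout follows RFC 4271 (2-byte ASNs) and RFC 6793 (4-byte ASNs on an AS4-capable session). Counting every ASN in every segment, AS_SET members included, is this example's assumption and not necessarily how bgpd counts; the sample attribute bytes are constructed here.

```python
import struct
from typing import List, Tuple

AS_SET = 1        # unordered set of ASNs (RFC 4271)
AS_SEQUENCE = 2   # ordered sequence of ASNs


def encode_as_path(segments: List[Tuple[int, List[int]]], as4: bool = True) -> bytes:
    """Build an AS_PATH attribute value from (segment_type, [asn, ...]) tuples.
    Only used here to construct sample input."""
    fmt = ">I" if as4 else ">H"
    out = bytearray()
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("a segment holds 1..255 ASNs")
        out += bytes((seg_type, len(asns)))
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


def decode_as_path(attr: bytes, as4: bool = True) -> List[int]:
    """Decode an AS_PATH attribute value into a flat list of ASNs.

    Each segment is <type:1><count:1><count ASNs>; an ASN is 4 bytes on an
    AS4 session, 2 bytes otherwise. Assumption of this example: every ASN in
    every segment, including AS_SET members, counts towards the path."""
    width = 4 if as4 else 2
    fmt = ">I" if as4 else ">H"
    path: List[int] = []
    i = 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[i], attr[i + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        i += 2
        need = count * width
        if i + need > len(attr):
            raise ValueError("truncated segment body")
        for j in range(count):
            (asn,) = struct.unpack(fmt, attr[i + j * width:i + (j + 1) * width])
            path.append(asn)
        i += need
    return path


def is_valid_as_path(attr: bytes, as4: bool = True) -> bool:
    try:
        decode_as_path(attr, as4)
        return True
    except ValueError:
        return False


def as_path_len(path: List[int]) -> int:
    return len(path)


def max_as_seq(path: List[int]) -> int:
    """Length of the longest run of one ASN repeated back to back (prepends)."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def matches_max_as_len(path: List[int], limit: int) -> bool:
    """'max-as-len N' matches when the path is longer than N."""
    return as_path_len(path) > limit


def matches_max_as_seq(path: List[int], limit: int) -> bool:
    """'max-as-seq N' matches when some ASN is repeated more than N times in a row."""
    return max_as_seq(path) > limit


def filter_as_path(path: List[int], max_len=None, max_seq=None) -> str:
    """Return 'deny' if any configured limit is exceeded, else 'allow'."""
    if max_len is not None and matches_max_as_len(path, max_len):
        return "deny"
    if max_seq is not None and matches_max_as_seq(path, max_seq):
        return "deny"
    return "allow"


# constructed sample: three prepends of 65001, then 3320 and 174
SAMPLE_AS_PATH = encode_as_path([(AS_SEQUENCE, [65001, 65001, 65001, 3320, 174])])
```

With `max-as-seq 2` the sample path is denied (65001 appears three times in a row), with `max-as-seq 3` it passes; `max-as-len 4` denies it because it carries five ASNs.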

# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@

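An added example (not OpenBGPD's own code) covering the community handling described in the 1.180 and 1.179 entries above: parsing community specs with a `*` wildcard or the `neighbor-as` placeholder, expanding `neighbor-as` to the remote AS of the current neighbor, matching, and `set community delete` over a prefix's community list. The well-known community values are the RFC 1997 and RFC 3765 constants; rejecting a numeric AS part of 65535 (reserved for well-known communities, as the 1.206 entry notes) and refusing to expand a 4-byte neighbor AS into a 16-bit field are this example's own choices.

```python
import struct
from typing import List, Tuple, Union

Half = Union[int, str]            # 0..65535, "*" or "neighbor-as"
Pattern = Tuple[Half, Half]
Community = Tuple[int, int]

ANY = "*"
NEIGHBOR_AS = "neighbor-as"

WELLKNOWN = {
    "NO_EXPORT": 0xFFFFFF01,           # RFC 1997
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NO_PEER": 0xFFFFFF04,             # RFC 3765
}


def _half(tok: str) -> Half:
    if tok in (ANY, NEIGHBOR_AS):
        return tok
    value = int(tok, 10)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"community part {tok} out of 16-bit range")
    return value


def parse_community(spec: str) -> Pattern:
    """'65001:100', '65001:*', 'neighbor-as:200' or a well-known name."""
    if spec in WELLKNOWN:
        raw = WELLKNOWN[spec]
        return (raw >> 16, raw & 0xFFFF)
    asn, sep, value = spec.partition(":")
    if not sep:
        raise ValueError(f"malformed community {spec!r}")
    high, low = _half(asn), _half(value)
    if high == 0xFFFF:   # assumption: numeric use of the reserved AS is rejected
        raise ValueError("AS 65535 is reserved for well-known communities")
    return (high, low)


def resolve(pattern: Pattern, neighbor_as: int) -> Pattern:
    """Expand 'neighbor-as' to the remote AS of the current neighbor."""
    out = []
    for part in pattern:
        if part == NEIGHBOR_AS:
            if neighbor_as > 0xFFFF:
                raise ValueError("4-byte neighbor AS does not fit a standard community")
            part = neighbor_as
        out.append(part)
    return (out[0], out[1])


def community_matches(pattern: Pattern, community: Community, neighbor_as: int) -> bool:
    high, low = resolve(pattern, neighbor_as)
    c_high, c_low = community
    return (high == ANY or high == c_high) and (low == ANY or low == c_low)


def delete_communities(patterns: List[Pattern], communities: List[Community],
                       neighbor_as: int) -> List[Community]:
    """'set community delete <pattern>' for every pattern in the rule."""
    return [c for c in communities
            if not any(community_matches(p, c, neighbor_as) for p in patterns)]


def set_community(pattern: Pattern, communities: List[Community],
                  neighbor_as: int) -> List[Community]:
    """'set community <value>': the value must be concrete, no wildcard."""
    high, low = resolve(pattern, neighbor_as)
    if ANY in (high, low):
        raise ValueError("cannot set a wildcard community")
    if (high, low) in communities:
        return list(communities)
    return list(communities) + [(high, low)]


def encode_communities(communities: List[Community]) -> bytes:
    """Wire form of the COMMUNITIES attribute value: 4 bytes per community."""
    return b"".join(struct.pack(">HH", high, low) for high, low in communities)


# constructed sample: what an update from AS 65003 might carry
SAMPLE_COMMUNITIES: List[Community] = [(65001, 1), (65001, 2), (3320, 5), (65535, 65284)]
```

Evaluating the rule `set community delete 65001:*` followed by `set community neighbor-as:100` on the sample list from a neighbor in AS 65003 leaves `3320:5`, `NO_PEER` and `65003:100`.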

# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.395 24-Jul-2019 claudio

Refactor the way RIBs are parsed a bit. No functional change but should
make it easier to extend the rib definitions later on.
OK benno@


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
	announce refresh yes	# was already on by default
	announce restart no
	announce as-4byte no	# was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec
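
An added example, not bgpd's own str2key() and not the author's code, of the factored-out string -> key conversion this entry and the 1.110 entry ("off by one in key too long detection") are about: hex digits are converted per nibble, the key length is returned separately from the buffer (the 1.101 entry's point that strlen cannot be used for binary keys), and the "too long" check is written so that a string filling the buffer exactly is accepted while one byte more is rejected. The function name hexkey_parse and the 4-byte test buffer are assumptions made for this example.

```c
/*
 * Added example (not bgpd's str2key()): convert a hex key string into a
 * fixed-size key buffer and return the key length separately.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* per-nibble conversion without strtoul(3): returns 0-15, or -1 if not hex */
static int
hexnibble(char c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Parse hex into key (capacity keysz bytes). Returns the number of key
 * bytes written, or -1 on empty input, odd length, a non-hex character,
 * or a key longer than keysz. The length is checked before anything is
 * written, and the comparison is len / 2 > keysz (not >=), so exactly
 * 2 * keysz hex digits are accepted and 2 * keysz + 2 are rejected.
 */
int
hexkey_parse(const char *hex, uint8_t *key, size_t keysz)
{
	size_t len, i;
	int hi, lo;

	len = strlen(hex);
	if (len == 0 || len % 2 != 0)
		return (-1);
	if (len / 2 > keysz)
		return (-1);
	for (i = 0; i < len; i += 2) {
		if ((hi = hexnibble(hex[i])) == -1 ||
		    (lo = hexnibble(hex[i + 1])) == -1)
			return (-1);
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return ((int)(len / 2));
}
```

The caller stores the returned length next to the buffer; nothing downstream may call strlen() on the key, since a valid key can contain zero bytes.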


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.394 23-Jul-2019 claudio

Clean up RIB related kroute code. Introduce a way to flush a FIB table
from the RDE. Make sure that all nexthops don't get removed in the FIB
when a FIB table is removed. This should only happen for the main FIB.
Remove F_RIB_HASNOFIB which is just confusing since there is already
F_RIB_NOFIB and F_RIB_NOFIBSYNC.
OK benno@


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable peer neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.393 17-Jul-2019 claudio

Change the Adj-RIB-Out to a per peer set of RB trees. The way RIB data
structures are linked does not scale for the Adj-RIB-Out and so inserts
and updates into the Adj-RIB-Out did not scale because of some linear
list traversals in hot paths.

A synthetic test with 4000 peers announcing one prefix each showed that
the initial convergence time dropped from around 1 hour to around 6min.

Note: because the Adj-RIB-Out is now per peer the order in which prefixes
are dumped in 'bgpctl show rib out' changed.

Tested and OK job@, benno@, phessler@


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces, add some others where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
    1.2.3.0/24 source-as 1,
    1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check wether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
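The nexthop sanity check mentioned in this entry, as an added example (my own code, not bgpd's). It covers IPv4 only, exactly the three cases named above (class D, class E, 127/8); the function name nexthop_valid() and its return convention are assumptions.

```c
/* Added example, not code from bgpd: reject nexthops that can never be
 * reachable unicast addresses. Name and return convention are assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Return 1 if s is an IPv4 address usable as a nexthop, 0 if it parses
 * but is forbidden (224/4 class D multicast, 240/4 class E reserved, or
 * 127/8 loopback), and -1 if it is not a valid dotted quad at all.
 */
int
nexthop_valid(const char *s)
{
	struct in_addr a;
	uint32_t ip;

	if (inet_pton(AF_INET, s, &a) != 1)
		return -1;
	ip = ntohl(a.s_addr);

	if ((ip & 0xf0000000) == 0xe0000000)	/* 224.0.0.0/4, class D */
		return 0;
	if ((ip & 0xf0000000) == 0xf0000000)	/* 240.0.0.0/4, class E */
		return 0;
	if ((ip & 0xff000000) == 0x7f000000)	/* 127.0.0.0/8, loopback */
		return 0;
	return 1;
}

int
main(void)
{
	/* Constructed candidates, as they might appear in "set nexthop". */
	const char *cand[] = { "192.0.2.1", "224.0.0.5", "255.255.255.255",
	    "127.0.0.1", "10.0.0" };
	size_t i;
	int r;

	for (i = 0; i < sizeof(cand) / sizeof(cand[0]); i++) {
		r = nexthop_valid(cand[i]);
		printf("%-16s %s\n", cand[i],
		    r == 1 ? "ok" : r == 0 ? "rejected" : "unparseable");
	}
	return 0;
}
```

The check is done on the host-order value after inet_pton(), so it does not depend on the string form; 255.255.255.255 is caught by the class E mask, and a malformed string is distinguished from a forbidden address so the parser can print a different error for each.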


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
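Several entries above (1.43, 1.44, 1.86, 1.101, 1.103, 1.110) circle around the same thing: turning the hex form of a tcp md5sig or ipsec key into bytes with an explicit length field, rejecting malformed input, and getting the "key too long" boundary right without an off-by-one. Here is an added example of that conversion. It is my own code, not bgpd's str2key(): MAXKEYLEN, struct auth_key and the helper names are assumptions, and the ASCII password form is not shown since it reduces to refusing strlen(s) > MAXKEYLEN instead of truncating.

```c
/* Added example, not code from bgpd: hex string -> key with explicit length.
 * MAXKEYLEN, the struct and the function names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAXKEYLEN 80	/* assumed upper bound, not bgpd's constant */

struct auth_key {
	uint8_t	key[MAXKEYLEN];
	size_t	keylen;		/* explicit length: a hex key may contain NUL bytes */
};

static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Parse a hex string into k. Returns 0 on success, -1 if the string is
 * empty, has odd length, contains a non-hex character, or decodes to more
 * than MAXKEYLEN bytes (exactly MAXKEYLEN bytes is still accepted). */
int
str2key(const char *s, struct auth_key *k)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0 || len / 2 > MAXKEYLEN)
		return -1;
	for (i = 0; i < len; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->keylen = len / 2;
	return 0;
}

/* Helpers for checks: decoded length (or -1) and one decoded byte (or -1). */
int
hexkey_len(const char *s)
{
	struct auth_key k;

	return str2key(s, &k) == 0 ? (int)k.keylen : -1;
}

int
hexkey_byte(const char *s, size_t i)
{
	struct auth_key k;

	if (str2key(s, &k) != 0 || i >= k.keylen)
		return -1;
	return k.key[i];
}

/* Decoded length of n copies of hex digit c, to probe the "key too long"
 * boundary without spelling out a 160-character literal. */
int
hexkey_len_repeat(int c, size_t n)
{
	char buf[2 * MAXKEYLEN + 4];

	if (n >= sizeof(buf))
		return -1;
	memset(buf, c, n);
	buf[n] = '\0';
	return hexkey_len(buf);
}
```

With the constructed inputs "deadBEEF" (4 bytes, de ad be ef), "abc" (odd length), "zz" (not hex) and "" (empty), only the first is accepted; 160 hex digits decode to exactly MAXKEYLEN bytes and are accepted, 162 digits are refused, which is the boundary the "off by one in key too long detection" entry is about.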


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.392 22-Jun-2019 claudio

Adjust peer id allocation a bit. Use defines for the various special
values and intervals. Mostly the same with the exception that peerself
is now id 1 and the first peer has id 2 -- was 0 and 1 before.
OK kn@, benno@


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
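
The three entries above (1.361 with the ovs filter keywords, 1.356 with the roa-set block syntax, 1.351 with maxlen as the upper end of a prefixlen range) describe the data but not how the validation state is computed from it. The following is an added example, not bgpd code: a Python parser for the roa-set block and an RFC 6811 validation routine. The roa-set text is constructed from the two entries in the 1.361 message; the route prefixes fed to it are made up, and the treatment of a missing maxlen (only the exact length is authorised) and of a source-as 0 ROA follow the RFC rather than anything stated on this page.

```python
"""Origin validation against a bgpd-style roa-set (RFC 6811 semantics)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed input: the two entries from the 1.361 commit message, written in
# the block syntax of 1.356 (items may be newline or comma separated).
ROA_SET_TEXT = """
roa-set {
    165.254.255.0/24 source-as 15562,
    193.0.0.0/21 maxlen 24 source-as 3333
}
"""

ITEM_RE = re.compile(
    r"^(?P<prefix>\S+)(?:\s+maxlen\s+(?P<maxlen>\d+))?\s+source-as\s+(?P<asn>\d+)$"
)


@dataclass(frozen=True)
class Roa:
    prefix: Network
    maxlen: int        # upper end of the accepted prefixlen range
    source_as: int


def parse_roa_set(text: str) -> List[Roa]:
    """Parse the items inside 'roa-set { ... }' into Roa records."""
    body = text.split("{", 1)[1].rsplit("}", 1)[0]
    roas = []
    for raw in body.replace(",", "\n").splitlines():
        item = raw.strip()
        if not item:
            continue
        m = ITEM_RE.match(item)
        if m is None:
            raise ValueError(f"bad roa-set item: {item!r}")
        net = ipaddress.ip_network(m["prefix"], strict=True)
        # 'P/len maxlen M' is the range len..M (cf. 1.351); without maxlen
        # only the exact length is authorised, so maxlen defaults to len.
        maxlen = int(m["maxlen"]) if m["maxlen"] else net.prefixlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} out of range for {net}")
        asn = int(m["asn"])
        if asn > 0xFFFFFFFF:
            raise ValueError(f"AS number {asn} out of range")
        roas.append(Roa(net, maxlen, asn))
    return roas


def validate(roas: List[Roa], prefix: str, origin_as: int) -> str:
    """Return the origin validation state: 'valid', 'invalid' or 'not-found'.

    A ROA covers the route if the route lies inside the ROA prefix. The route
    is valid if some covering ROA also authorises its length (<= maxlen) and
    its origin AS; covered but never authorised is invalid; uncovered is
    not-found. A ROA with source-as 0 therefore makes everything it covers
    invalid, since no real route originates from AS 0.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        if roa.prefix.version != route.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        if route.prefixlen <= roa.maxlen and roa.source_as == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = parse_roa_set(ROA_SET_TEXT)
    for pfx, asn in [("165.254.255.0/24", 15562), ("165.254.255.0/25", 15562),
                     ("193.0.4.0/22", 3333), ("193.0.0.0/25", 3333),
                     ("198.51.100.0/24", 3333)]:
        print(f"{pfx} from AS{asn}: {validate(table, pfx, asn)}")
```

The state returned by validate() is what the 1.361 filter rules consume: 'deny from any ovs invalid' drops the "invalid" result, while the "not-found" case is deliberately kept distinct so that prefixes without any ROA can be tagged or accepted without being confused with provably wrong origins.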


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@
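
The as-override rewrite (1.369 above), the switch that disables loop detection (1.305) and the per-peer local-as for ASN migrations (1.303) all turn on one question: does the router's own AS appear in a received AS path? The block below is an added example, not bgpd code, that plays the three knobs against each other on a constructed scenario (transit AS 64500 between two customer sites that both use private AS 65001, and a migration from AS 64500 to AS 64501). It assumes that the loop check compares the path against the AS configured for the session rather than the router's global AS, which is the reading under which the 1.303 warning about filters makes sense; the direction in which bgpd applies the rewrite in its filter pipeline is not modelled, only the rewrite itself.

```python
"""AS path rewriting and loop detection for the knobs discussed above."""
from typing import List, Tuple

AS_SET, AS_SEQUENCE = 1, 2
# An AS path is a list of (segment_type, [asn, ...]) segments as in RFC 4271.
ASPath = List[Tuple[int, List[int]]]


def prepend(path: ASPath, asn: int) -> ASPath:
    """Prepend asn the way a transit AS does when it propagates an update."""
    if path and path[0][0] == AS_SEQUENCE:
        return [(AS_SEQUENCE, [asn] + path[0][1])] + path[1:]
    return [(AS_SEQUENCE, [asn])] + path


def as_override(path: ASPath, neighbor_as: int, local_as: int) -> ASPath:
    """as-override: every occurrence of neighbor_as becomes local_as."""
    return [(kind, [local_as if a == neighbor_as else a for a in asns])
            for kind, asns in path]


def loop_free(path: ASPath, asn: int) -> bool:
    return all(asn not in asns for _, asns in path)


def accept_update(path: ASPath, session_local_as: int,
                  loop_detection: bool = True) -> Tuple[bool, str]:
    """Inbound acceptance for one session.

    Assumption (see lead-in): the loop check uses the local AS configured for
    this session, so a per-peer 'local-as' hides the router's real AS from it
    and a filter has to cover that case.
    """
    if loop_detection and not loop_free(path, session_local_as):
        return False, f"loop: own AS {session_local_as} in path"
    return True, "accepted"


def deny_if_as_in_path(path: ASPath, asn: int) -> bool:
    """The filter 1.303 calls for: match when asn appears anywhere in the path."""
    return not loop_free(path, asn)


if __name__ == "__main__":
    # Constructed scenario: site A (AS 65001) originates a prefix, transit
    # AS 64500 forwards it to site B, which also uses AS 65001.
    site_a = [(AS_SEQUENCE, [65001])]
    at_transit = prepend(site_a, 64500)
    print(at_transit, accept_update(at_transit, 65001))     # site B drops it
    towards_b = as_override(at_transit, neighbor_as=65001, local_as=64500)
    print(towards_b, accept_update(towards_b, 65001))       # accepted
    print(accept_update(at_transit, 65001, loop_detection=False))  # the risky knob
    # Migration: router now AS 64501 but the session still speaks AS 64500.
    migrated = [(AS_SEQUENCE, [64496, 64501])]
    print(accept_update(migrated, 64500), deny_if_as_in_path(migrated, 64501))
```

The last two lines show why 1.303 insists on filters: with the session's local-as set to the old AS, the loop check happily accepts a path that already contains the router's real AS, and only an explicit deny on that AS catches it.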


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"

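
Rev. 1.302 above introduces 'local-as' next to 'neighbor-as' in community filters, and 1.295 explains the trap: once a large community field is a full 32-bit value, there is no spare integer left to encode the '*', neighbor-as and local-as placeholders. The block below is an added example, not bgpd code, showing the matcher written so that the placeholders live outside the integer domain entirely. The pattern strings and the communities attached to the sample route are constructed; the 16-bit field limit for 'a:b' communities follows RFC 1997 and the 32-bit limit for 'a:b:c' follows the large community format.

```python
"""Community patterns with '*', neighbor-as and local-as placeholders."""
from enum import Enum
from typing import Sequence, Tuple, Union


class Sym(Enum):
    """Placeholders resolved per session. Kept out of the integer domain so
    that no field value, not even 4294967295, can collide with them."""
    ANY = "*"
    NEIGHBOR_AS = "neighbor-as"
    LOCAL_AS = "local-as"


Field = Union[int, Sym]
Pattern = Tuple[Field, ...]       # 2 fields: standard community, 3: large
Community = Tuple[int, ...]


def parse_community(text: str) -> Pattern:
    """Parse 'a:b' (16-bit fields) or 'a:b:c' (large, 32-bit fields)."""
    parts = text.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad community {text!r}")
    limit = 0xFFFF if len(parts) == 2 else 0xFFFFFFFF
    fields = []
    for p in parts:
        if p in ("*", "neighbor-as", "local-as"):
            fields.append(Sym(p))
            continue
        v = int(p, 10)
        if not 0 <= v <= limit:
            raise ValueError(f"{v} does not fit a {len(parts)}-field community")
        fields.append(v)
    return tuple(fields)


def field_matches(pat: Field, value: int, local_as: int, neighbor_as: int) -> bool:
    """Resolve a placeholder against the session, then compare.

    A 16-bit field can never hold a 4-byte neighbor or local AS, so for a
    standard community the placeholder simply fails to match in that case.
    """
    if pat is Sym.ANY:
        return True
    if pat is Sym.NEIGHBOR_AS:
        return value == neighbor_as
    if pat is Sym.LOCAL_AS:
        return value == local_as
    return value == pat


def matches(pattern: Pattern, community: Community,
            local_as: int, neighbor_as: int) -> bool:
    return len(pattern) == len(community) and all(
        field_matches(p, v, local_as, neighbor_as)
        for p, v in zip(pattern, community))


def route_has_community(pattern: Pattern, communities: Sequence[Community],
                        local_as: int, neighbor_as: int) -> bool:
    """Filter semantics: the rule matches if any community on the route matches."""
    return any(matches(pattern, c, local_as, neighbor_as) for c in communities)


if __name__ == "__main__":
    # Constructed session and route: we are AS 64500, the peer is AS 64496.
    route = [(64496, 1, 2), (64500, 64496), (65535, 666)]
    for text in ("neighbor-as:*:*", "local-as:neighbor-as", "*:666", "64497:*:*"):
        print(text, route_has_community(parse_community(text), route, 64500, 64496))
```

Because the placeholders are enum members rather than reserved integers, the same matcher handles both community sizes, and a config author who really means the literal field value 4294967295 in a large community gets exactly that, which is the situation 1.295 had to fix by widening the type.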


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
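
Rev. 1.362 above spells out the quoting rules of the lexer shared by the OpenBSD config parsers (a backslash before space or tab yields that character, a backslash before newline is a line continuation), and 1.275 adds the rejection of embedded NUL bytes that the afl fuzzer found. The following is an added example, not the project's lexer: a Python model of those two rules that also keeps the line counter correct across continuations, so that a later error is reported on the right line. The config fragments are constructed. Behaviour the two messages do not state (a raw newline inside quotes, a backslash before any other character) is an assumption and is marked as such in the code.

```python
"""Quoted-string lexing with the rules from the two commit messages above."""
from typing import List, Tuple


def lex_quoted(src: str, pos: int, line: int) -> Tuple[str, int, int]:
    """Lex a double-quoted string starting at src[pos] == '"'.

    Returns (value, position after the closing quote, current line).
    Rules from 1.362: '\\ ' and '\\<tab>' become the space/tab, '\\<newline>'
    is dropped as a line continuation. Rule from 1.275: NUL is rejected.
    Assumptions: '\\"' yields a quote; a raw newline inside the string is
    dropped and counted; a backslash before anything else is kept literally.
    """
    if src[pos] != '"':
        raise ValueError(f"line {line}: expected opening quote")
    i, out = pos + 1, []
    while True:
        if i >= len(src):
            raise ValueError(f"line {line}: unterminated string")
        c = src[i]
        if c == '"':
            return "".join(out), i + 1, line
        if c == "\0":
            raise ValueError(f"line {line}: NUL byte in string")
        if c == "\\" and i + 1 < len(src):
            nxt = src[i + 1]
            if nxt in (" ", "\t", '"'):
                out.append(nxt)
                i += 2
                continue
            if nxt == "\n":          # line continuation: consumed, counted
                line += 1
                i += 2
                continue
            # any other escape: the backslash is kept and nxt is lexed normally
        if c == "\n":                # assumption: raw newline dropped, counted
            line += 1
            i += 1
            continue
        out.append(c)
        i += 1


def find_strings(src: str) -> List[Tuple[str, int]]:
    """Walk a config fragment and return (string, starting line) pairs,
    keeping the line counter right outside and inside quoted strings."""
    i, line, found = 0, 1, []
    while i < len(src):
        c = src[i]
        if c == '"':
            start = line
            value, i, line = lex_quoted(src, i, line)
            found.append((value, start))
        else:
            if c == "\n":
                line += 1
            i += 1
    return found


# Constructed fragment: a continued string on line 1, a plain one on line 3.
CONF = 'descr "multi\\\nline"\ndescr "second"\n'

if __name__ == "__main__":
    print(find_strings(CONF))
    for bad in ('"a\0b"', '"open'):
        try:
            lex_quoted(bad, 0, 1)
        except ValueError as e:
            print("rejected:", e)
```

Rejecting NUL at the lexer is the cheap place to do it: every later consumer of the string (strlcpy into fixed buffers, imsg payloads, the anchor-name crash 1.275 mentions) assumes C string semantics, and a silently truncated string is exactly the kind of inconsistency a fuzzer turns into a crash.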


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
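
The two filters described above have a subtle difference: max-as-len looks at the whole path, max-as-seq only at runs of the same AS in consecutive positions, which is what a prepend produces. The block below is an added example, not bgpd code, implementing both checks with the "longer than" semantics the message states. It assumes that an AS_SET segment counts as a single hop for the length (the RFC 4271 best-path rule; the message does not say how bgpd counts sets) and that a set breaks a run of prepends; the sample paths are constructed.

```python
"""max-as-len and max-as-seq style checks on an AS path."""
from typing import List, Tuple

AS_SET, AS_SEQUENCE = 1, 2
# An AS path is a list of (segment_type, [asn, ...]) segments as in RFC 4271.
ASPath = List[Tuple[int, List[int]]]


def as_path_len(path: ASPath) -> int:
    """Path length: each AS in an AS_SEQUENCE counts one, an AS_SET counts
    one in total (assumption, following the RFC 4271 best-path length rule)."""
    return sum(len(asns) if kind == AS_SEQUENCE else 1 for kind, asns in path)


def longest_as_run(path: ASPath) -> int:
    """Longest run of the same AS in consecutive sequence positions, i.e. the
    biggest prepend in the path. A set between two sequences breaks the run."""
    best = run = 0
    prev = None
    for kind, asns in path:
        if kind != AS_SEQUENCE:
            prev, run = None, 0
            continue
        for a in asns:
            run = run + 1 if a == prev else 1
            prev = a
            best = max(best, run)
    return best


def max_as_len_matches(path: ASPath, n: int) -> bool:
    """'max-as-len n' matches when the path is longer than n."""
    return as_path_len(path) > n


def max_as_seq_matches(path: ASPath, n: int) -> bool:
    """'max-as-seq n' matches when some AS is repeated more than n times in a row."""
    return longest_as_run(path) > n


if __name__ == "__main__":
    # Constructed paths: a triple prepend, and one with a set in the middle.
    prepended = [(AS_SEQUENCE, [64500, 64500, 64500, 64496])]
    with_set = [(AS_SEQUENCE, [1, 1]), (AS_SET, [1, 2]), (AS_SEQUENCE, [1])]
    for p in (prepended, with_set):
        print(as_path_len(p), longest_as_run(p),
              max_as_len_matches(p, 3), max_as_seq_matches(p, 2))
```

The difference matters when choosing thresholds: a path of 40 distinct ASes trips max-as-len but not max-as-seq, while a short path with a 20-fold prepend trips max-as-seq long before it reaches any sane max-as-len.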


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable peer neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
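The leak described in rev 1.71, as an added example (not bgpd's code): a keyword lookup, a lexer that strdup()s yylval for every token beside one that only does so for STRING, and a parser stand-in that frees only STRING values, with a counter showing which version leaves allocations behind. Token ids, keyword table and input stream are constructed.

```c
#define _POSIX_C_SOURCE 200809L	/* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed token ids; bgpd's real ones come from the yacc grammar. */
enum { STRING = 258, KW_NEIGHBOR, KW_ANNOUNCE, KW_SET };

static const struct { const char *k; int token; } keywords[] = {
	{ "announce", KW_ANNOUNCE },
	{ "neighbor", KW_NEIGHBOR },
	{ "set", KW_SET },
};

static struct { char *string; } yylval;	/* stand-in for bgpd's yylval.v */
static int live_strings;		/* strdup()ed strings not yet freed */

/* Match buf against the keyword table; anything else is a STRING. */
static int
lookup(const char *buf)
{
	size_t i;

	for (i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
		if (strcmp(buf, keywords[i].k) == 0)
			return (keywords[i].token);
	return (STRING);
}

/* strdup() wrapper that counts live allocations so the leak is visible. */
static char *
counted_strdup(const char *s)
{
	char *p = strdup(s);

	if (p != NULL)
		live_strings++;
	return (p);
}

/* Parser side: only a STRING token owns, and therefore frees, the value. */
static void
consume(int token)
{
	if (token == STRING && yylval.string != NULL) {
		free(yylval.string);
		live_strings--;
	}
	yylval.string = NULL;
}

/* Before rev 1.71: a copy for every token, so every keyword leaks one. */
static int
lex_leaky(const char *buf)
{
	int token = lookup(buf);

	yylval.string = counted_strdup(buf);
	return (token);
}

/* After rev 1.71: allocate only when the token actually needs the string. */
static int
lex_fixed(const char *buf)
{
	int token = lookup(buf);

	if (token == STRING)
		yylval.string = counted_strdup(buf);
	return (token);
}

/* Run a constructed token stream (three keywords, two strings) through the
 * given lexer and return how many strdup()ed strings are still live;
 * 0 means nothing leaked. */
static int
leaked_after(int (*lex)(const char *))
{
	static const char *input[] =
	    { "neighbor", "10.0.0.1", "set", "announce", "foo" };
	size_t i;

	live_strings = 0;
	yylval.string = NULL;
	for (i = 0; i < sizeof(input) / sizeof(input[0]); i++)
		consume(lex(input[i]));
	return (live_strings);
}
```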


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.391 17-Jun-2019 claudio

Cleanup, remove some unneeded spaces add some other where needed.
No binary change according to clang


# 1.390 17-Jun-2019 claudio

Completely rewrite the community matching and handling code. All community
attributes are put into a new data structure when parsing the UPDATE.
The filter code can quickly lookup and modify this data structure.
When creating an UPDATE the data is put back into wire format.
Setups using a lot of communities benefit a lot from this.
Input and OK benno@


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

branches: 1.386.2;
Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
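
The two path limits described above, as an added example in C that is not bgpd's own filter code: it parses a 4-byte-AS AS_PATH attribute value (a constructed sample), counts the path length with the RFC 4271 rule that an AS_SET counts as one, finds the longest run of one repeated AS, and applies the max-as-len and max-as-seq tests to the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not bgpd's own code. An AS_PATH value is a list of
 * segments: one byte type, one byte AS count, then that many AS numbers,
 * each 4 bytes big endian once the 4-byte AS capability is in use.
 * Path length per RFC 4271: every AS in an AS_SEQUENCE counts one, a
 * whole AS_SET counts one.
 */
#define AS_SET		1
#define AS_SEQUENCE	2

struct aspath_stats {
	size_t	len;	/* path length as defined above */
	size_t	maxseq;	/* longest run of one AS repeated in sequence */
};

/*
 * Fill st from buf[0..len). Returns -1 on a malformed encoding (truncated
 * segment, zero count, unknown type) so a bad UPDATE never reaches filters.
 */
int
aspath_stats(const uint8_t *buf, size_t len, struct aspath_stats *st)
{
	size_t off = 0, run = 0;
	uint32_t prev = 0;

	st->len = 0;
	st->maxseq = 0;
	while (off < len) {
		uint8_t type, count, i;

		if (len - off < 2)
			return -1;
		type = buf[off];
		count = buf[off + 1];
		off += 2;
		if (count == 0 || len - off < (size_t)count * 4)
			return -1;
		if (type == AS_SET) {
			st->len++;
			off += (size_t)count * 4;
			run = 0;	/* a set interrupts any prepend run */
			continue;
		}
		if (type != AS_SEQUENCE)
			return -1;
		for (i = 0; i < count; i++) {
			uint32_t as = (uint32_t)buf[off] << 24 |
			    (uint32_t)buf[off + 1] << 16 |
			    (uint32_t)buf[off + 2] << 8 | buf[off + 3];

			off += 4;
			st->len++;
			run = (run > 0 && as == prev) ? run + 1 : 1;
			prev = as;
			if (run > st->maxseq)
				st->maxseq = run;
		}
	}
	return 0;
}

/* "max-as-len N" matches when the path is longer than N. */
int
match_max_as_len(const struct aspath_stats *st, size_t n)
{
	return st->len > n;
}

/* "max-as-seq N" matches when one AS repeats more than N times in a row. */
int
match_max_as_seq(const struct aspath_stats *st, size_t n)
{
	return st->maxseq > n;
}

/*
 * Constructed sample with documentation AS numbers: AS_SEQUENCE of 64496
 * prepended three times, then 65536 and 64500, then an AS_SET of 64501.
 * Path length 6, longest run 3.
 */
const uint8_t sample_path[] = {
	AS_SEQUENCE, 5,
	0x00, 0x00, 0xfb, 0xf0,		/* 64496 */
	0x00, 0x00, 0xfb, 0xf0,		/* 64496 */
	0x00, 0x00, 0xfb, 0xf0,		/* 64496 */
	0x00, 0x01, 0x00, 0x00,		/* 65536 */
	0x00, 0x00, 0xfb, 0xf4,		/* 64500 */
	AS_SET, 1,
	0x00, 0x00, 0xfb, 0xf5		/* 64501 */
};

int
main(void)
{
	struct aspath_stats st;

	if (aspath_stats(sample_path, sizeof(sample_path), &st) == -1)
		return 1;
	printf("length %zu, longest run %zu\n", st.len, st.maxseq);
	printf("max-as-len 5: %s\n", match_max_as_len(&st, 5) ? "match" : "no");
	printf("max-as-seq 2: %s\n", match_max_as_seq(&st, 2) ? "match" : "no");
	return 0;
}
```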


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning
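
The quoting rules from 1.189 and 1.211 and the embedded-nul rejection from 1.275 above, as an added example that is not bgpd's own yylex(): a reader for one double-quoted string that drops a backslash-newline continuation, takes any other escaped character literally (so \" does not end the string), and fails on a bare newline, on end of input and on a nul byte inside the string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not bgpd's own lexer. The input carries an explicit
 * length so that an embedded nul byte can be fed in and tested.
 */
enum qstr_result {
	QSTR_OK = 0,
	QSTR_UNTERMINATED = -1,
	QSTR_EMBEDDED_NUL = -2,
	QSTR_TOO_LONG = -3
};

/*
 * Parse the quoted string that starts at in[*pos], which must be '"'.
 * On success the unescaped contents are stored nul terminated in out,
 * *pos is moved past the closing quote and QSTR_OK is returned.
 */
int
read_quoted(const char *in, size_t inlen, size_t *pos, char *out,
    size_t outlen)
{
	size_t i = *pos, o = 0;
	char c;

	if (outlen == 0)
		return QSTR_TOO_LONG;
	if (i >= inlen || in[i] != '"')
		return QSTR_UNTERMINATED;
	i++;
	for (;;) {
		if (i >= inlen)
			return QSTR_UNTERMINATED;
		c = in[i++];
		if (c == '"')
			break;
		if (c == '\n')
			return QSTR_UNTERMINATED;	/* must be escaped */
		if (c == '\\') {
			if (i >= inlen)
				return QSTR_UNTERMINATED;
			c = in[i++];
			if (c == '\n')
				continue;		/* line continuation */
			/* any other escaped character stands for itself */
		}
		if (c == '\0')
			return QSTR_EMBEDDED_NUL;	/* the 1.275 check */
		if (o + 1 >= outlen)
			return QSTR_TOO_LONG;
		out[o++] = c;
	}
	out[o] = '\0';
	*pos = i;
	return QSTR_OK;
}

/*
 * Helper for the checks below: parse in[0..inlen) and compare with expect.
 * Returns QSTR_OK on a match, the parser's error code on failure, or 1
 * when the string parsed but its contents differ.
 */
int
quoted_equals(const char *in, size_t inlen, const char *expect)
{
	char buf[128];
	size_t pos = 0;
	int r = read_quoted(in, inlen, &pos, buf, sizeof(buf));

	if (r != QSTR_OK)
		return r;
	return strcmp(buf, expect) == 0 ? QSTR_OK : 1;
}

int
main(void)
{
	/* constructed inputs: continuation, escaped quote, nul, unterminated */
	printf("continuation: %d\n", quoted_equals("\"foo\\\nbar\"", 10, "foobar"));
	printf("escaped quote: %d\n", quoted_equals("\"a\\\"b\"", 6, "a\"b"));
	printf("embedded nul: %d\n", quoted_equals("\"a\0b\"", 5, "ab"));
	printf("unterminated: %d\n", quoted_equals("\"abc", 4, "abc"));
	return 0;
}
```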


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
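
The secrecy check rev. 1.56 describes, as an added example that is not bgpd's own code: the configuration file is rejected unless it is owned by root or the invoking user (that owner rule is an assumption of this example) and carries no group or world permission bits at all. The check runs fstat() on the already-open descriptor rather than stat() on the path, so the file cannot be swapped out between the check and the open. The function names and the 0600/0640 self-test are this example's own.

```c
/*
 * Added example, not bgpd's code: refuse a config file that is not private.
 * Policy (assumed): owner must be root or the current user, and no group or
 * world bits may be set. The check uses the open fd, not the path name.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <sys/stat.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pure policy decision, kept separate so it can be tested without a file. */
int
mode_is_secret(uid_t st_uid, mode_t st_mode, uid_t me)
{
	if (st_uid != 0 && st_uid != me)
		return 0;		/* owner is neither root nor us */
	if (st_mode & (S_IRWXG | S_IRWXO))
		return 0;		/* group or world has some access */
	return 1;
}

/* Returns 0 when fd refers to a private file, -1 (with a message) otherwise. */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "%s: fstat: %s\n", fname, strerror(errno));
		return -1;
	}
	if (!mode_is_secret(st.st_uid, st.st_mode, getuid())) {
		fprintf(stderr, "%s: must be owned by root or uid %u and be "
		    "mode 0600 or stricter\n", fname, (unsigned)getuid());
		return -1;
	}
	return 0;
}

/*
 * Self-test on a temporary file: 1 when a 0600 file is accepted and the same
 * file is rejected once group read is added, 0 on a policy mismatch, -1 when
 * no temporary file could be created.
 */
int
selftest_secrecy(void)
{
	char path[] = "/tmp/secrecy-example-XXXXXX";
	int fd, ok;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	ok = fchmod(fd, 0600) == 0 && check_file_secrecy(fd, path) == 0;
	ok = ok && fchmod(fd, 0640) == 0 && check_file_secrecy(fd, path) == -1;
	close(fd);
	unlink(path);
	return ok ? 1 : 0;
}

int
main(void)
{
	printf("self-test: %s\n", selftest_secrecy() == 1 ? "ok" : "FAILED");
	return 0;
}
```

The rejection message on the second check of the self-test is expected: it is the 0640 file being refused.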


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
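
The two key forms from revs. 1.43 and 1.103 (an ASCII password and a hex key) together with the length checks that revs. 1.44 and 1.110 fixed, as an added example that is not bgpd's str2key(): hex input is converted one nibble at a time, odd length and non-hex digits are rejected, and the limit is compared against the resulting key length rather than the string length (the classic off-by-one is comparing strlen() against the buffer size with the wrong operator, or forgetting that the NUL is not part of the key). TCP_MD5_KEY_LEN = 80, the function names and the global keybuf are assumptions of this example.

```c
/*
 * Added example, not bgpd's code: turn a configured TCP-MD5 key into raw
 * bytes. TCP_MD5_KEY_LEN is assumed to be 80 here.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TCP_MD5_KEY_LEN 80

uint8_t keybuf[TCP_MD5_KEY_LEN];	/* scratch key buffer for callers */

/* One hex digit -> its value, or -1 for anything else. */
static int
nibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Hex string -> key bytes. Returns the key length, or -1 when the string is
 * empty, has an odd number of digits, contains a non-hex digit, or would
 * yield more than keysz bytes (strictly more: exactly keysz bytes is fine).
 */
int
hexkey(const char *s, uint8_t *key, size_t keysz)
{
	size_t len = strlen(s), i;

	if (len == 0 || len % 2 != 0 || len / 2 > keysz)
		return -1;
	for (i = 0; i < len; i += 2) {
		int hi = nibble(s[i]), lo = nibble(s[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/*
 * ASCII password -> key bytes. The terminating NUL is not part of the key,
 * so a password of exactly keysz characters is accepted and keysz + 1 is not.
 */
int
asciikey(const char *s, uint8_t *key, size_t keysz)
{
	size_t len = strlen(s);

	if (len == 0 || len > keysz)
		return -1;
	memcpy(key, s, len);
	return (int)len;
}

/* Boundary self-test: exactly 80 key bytes accepted, 81 rejected, both forms. */
int
selftest_keylen(void)
{
	char hex[2 * TCP_MD5_KEY_LEN + 3], ascii[TCP_MD5_KEY_LEN + 2];
	uint8_t key[TCP_MD5_KEY_LEN];

	memset(hex, 'a', sizeof hex - 1);
	memset(ascii, 'p', sizeof ascii - 1);
	hex[2 * TCP_MD5_KEY_LEN] = '\0';	/* 160 digits = 80 bytes */
	ascii[TCP_MD5_KEY_LEN] = '\0';		/* 80 characters */
	if (hexkey(hex, key, sizeof key) != TCP_MD5_KEY_LEN)
		return 0;
	if (asciikey(ascii, key, sizeof key) != TCP_MD5_KEY_LEN)
		return 0;
	hex[2 * TCP_MD5_KEY_LEN] = 'a';		/* now 162 digits = 81 bytes */
	hex[2 * TCP_MD5_KEY_LEN + 2] = '\0';
	ascii[TCP_MD5_KEY_LEN] = 'p';		/* now 81 characters */
	ascii[TCP_MD5_KEY_LEN + 1] = '\0';
	if (hexkey(hex, key, sizeof key) != -1)
		return 0;
	if (asciikey(ascii, key, sizeof key) != -1)
		return 0;
	return 1;
}
```

A parser using this would record the returned length in its own key length field, which is the point rev. 1.101 makes: a hex key may contain a zero byte, so strlen() on the key is not usable.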


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fecthed in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.389 31-May-2019 claudio

Also check the type of a network statement when looking for duplicates.
Fixes adding network 0.0.0.0/0 after network inet static.
OK phessler@ benno@


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are now merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structure are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
    1.2.3.0/24 source-as 1,
    1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@
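The two entries 1.298 (SPI values 0..255 rejected, htonl applied) and 1.331 (the large-community maximum must be the bound handed to strtonum(), or the error path never fires) are both about bounded numeric parsing. The C below is an added illustration, not bgpd's parse.y: it uses a strtonum-style helper built on strtoull() so that the same code serves both cases, and the function names `parse_bounded`, `parse_spi` and `parse_community_as` are invented for this example. The 65535 reservation for regular communities follows entry 1.206 further down; the large-community field width is assumed to be 32 bits.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Added example, not bgpd code. strtonum()-style bounded decimal parse:
 * on success returns the value and leaves *errstr NULL, otherwise sets
 * *errstr and returns 0. Passing the wrong maxval here is exactly the
 * bug entry 1.331 describes: the value sails through and the caller's
 * error handling never runs.
 */
static unsigned long long
parse_bounded(const char *s, unsigned long long minval,
    unsigned long long maxval, const char **errstr)
{
	char *ep;
	unsigned long long v;

	*errstr = NULL;
	if (s == NULL || *s == '\0' || *s == '-') {  /* strtoull would wrap "-1" */
		*errstr = "invalid";
		return 0;
	}
	errno = 0;
	v = strtoull(s, &ep, 10);
	if (*ep != '\0') {                            /* trailing junk */
		*errstr = "invalid";
		return 0;
	}
	if (errno == ERANGE || v > maxval) {
		*errstr = "too large";
		return 0;
	}
	if (v < minval) {
		*errstr = "too small";
		return 0;
	}
	return v;
}

/*
 * IPsec SPI: RFC 4302/4303 reserve 0 (local use, never on the wire) and
 * 1..255 (IANA), so 256 is the smallest value a config may carry. The
 * result is stored in network byte order, the form the kernel expects.
 */
int
parse_spi(const char *s, uint32_t *spi_net)
{
	const char *errstr;
	unsigned long long v = parse_bounded(s, 256, UINT32_MAX, &errstr);

	if (errstr != NULL)
		return -1;
	*spi_net = htonl((uint32_t)v);
	return 0;
}

/*
 * AS part of a community. Regular communities have 16-bit fields and
 * 65535 is reserved for well-known communities (0 stays allowed, see
 * entry 1.205); large communities (assumed 32-bit fields) get the full
 * range. The maximum is chosen per kind, not hard-coded to UINT_MAX.
 */
int
parse_community_as(const char *s, int large, uint32_t *out)
{
	const char *errstr;
	unsigned long long max = large ? UINT32_MAX : 0xfffeULL;
	unsigned long long v = parse_bounded(s, 0, max, &errstr);

	if (errstr != NULL)
		return -1;
	*out = (uint32_t)v;
	return 0;
}
```

The interesting cases are the boundaries: "255" and "0" fail for an SPI while "256" passes, and "65535" is refused for a regular community but accepted for a large one.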


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@
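Entries 1.287 (the =, !=, - and >< operators on AS, peer-as, source-as and transit-as), 1.255 (max-as-len and max-as-seq) and 1.252 (neighbor-as as an operand) together describe the AS-path filter family. The C below is an added illustration of those semantics, not bgpd's RDE code: the path is a flat array of AS numbers in wire order with prepends repeated, AS_SET segments are ignored, `AS_NEIGHBOR` is an invented placeholder that is resolved per session, and the `!=` operator is taken to mean "no examined AS equals the value", which is one reasonable reading of the log text. `sample_path` is a constructed path using documentation ASNs.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not bgpd code. */
enum as_op   { OP_EQ, OP_NE, OP_RANGE, OP_XRANGE };
enum as_type { AS_ALL, AS_PEER, AS_SOURCE, AS_TRANSIT };

/* Placeholder for "neighbor-as" in a rule; swapped for the session's AS. */
#define AS_NEIGHBOR UINT32_MAX

struct filter_as {
	enum as_type type;
	enum as_op   op;
	uint32_t     as_min;   /* the AS for = and !=, lower bound for ranges */
	uint32_t     as_max;   /* upper bound for - and >< */
};

/* Constructed sample: 64496 prepended three times, via 64497, originated by 64498. */
static const uint32_t sample_path[] = { 64496, 64496, 64496, 64497, 64498 };
#define SAMPLE_PATH_LEN (sizeof(sample_path) / sizeof(sample_path[0]))

/* Compare one AS against the rule; neighbor_as fills in AS_NEIGHBOR. */
static int
as_compare(const struct filter_as *f, uint32_t as, uint32_t neighbor_as)
{
	uint32_t lo = f->as_min == AS_NEIGHBOR ? neighbor_as : f->as_min;

	switch (f->op) {
	case OP_EQ:     return as == lo;
	case OP_NE:     return as != lo;
	case OP_RANGE:  return as >= lo && as <= f->as_max;  /* A - B, inclusive */
	case OP_XRANGE: return as > lo && as < f->as_max;    /* A >< B, exclusive */
	}
	return 0;
}

/*
 * peer-as looks at the first AS, source-as at the last, transit-as at
 * everything in between and AS at every element. For != the rule matches
 * only when no examined AS equals the value (assumed semantics).
 */
int
aspath_match(const uint32_t *path, size_t n, const struct filter_as *f,
    uint32_t neighbor_as)
{
	size_t i, lo = 0, hi = n;          /* [lo, hi) is the slice examined */

	switch (f->type) {
	case AS_ALL:     break;
	case AS_PEER:    hi = n > 0 ? 1 : 0; break;
	case AS_SOURCE:  lo = n > 0 ? n - 1 : 0; break;
	case AS_TRANSIT: lo = 1; hi = n > 1 ? n - 1 : 1; break;
	}
	if (f->op == OP_NE) {
		for (i = lo; i < hi; i++)
			if (!as_compare(f, path[i], neighbor_as))
				return 0;
		return 1;
	}
	for (i = lo; i < hi; i++)
		if (as_compare(f, path[i], neighbor_as))
			return 1;
	return 0;
}

/* Convenience wrapper so a rule can be written inline. */
int
aspath_rule_match(const uint32_t *path, size_t n, enum as_type type,
    enum as_op op, uint32_t as_min, uint32_t as_max, uint32_t neighbor_as)
{
	struct filter_as f = { type, op, as_min, as_max };
	return aspath_match(path, n, &f, neighbor_as);
}

/* max-as-len N: matches when the path holds more than N ASes. */
int
match_max_as_len(const uint32_t *path, size_t n, size_t limit)
{
	(void)path;
	return n > limit;
}

/* max-as-seq N: matches when one AS repeats more than N times in a row. */
int
match_max_as_seq(const uint32_t *path, size_t n, size_t limit)
{
	size_t i, run = 0;

	for (i = 0; i < n; i++) {
		run = (i > 0 && path[i] == path[i - 1]) ? run + 1 : 1;
		if (run > limit)
			return 1;
	}
	return 0;
}
```

With the sample path, "peer-as neighbor-as" matches for a session whose neighbor is 64496, "transit-as 64498" does not (64498 is the source, not transit), and max-as-seq 2 fires on the triple prepend while max-as-seq 3 does not.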


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr
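Entry 1.211 (inside quotes, a backslash before a space or tab yields that character and a backslash before a newline is a line continuation) and entry 1.275 further up (strings must not carry embedded NUL bytes, a crash found with afl) both concern the quoted-string path of the shared yylex(). The C below is an added illustration of those rules, not bgpd's lexer: `lex_quoted` is an invented function that reads one quoted string from a length-bounded buffer, so a NUL byte is seen as data rather than as the end of the input. Details the log does not state and which are assumed here: `\"` and `\\` give a literal quote and backslash, a bare newline inside quotes is an error, and any other `\x` is kept verbatim.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not bgpd code. `in` points at the opening quote, `inlen`
 * bounds the input. On success the unquoted value is written NUL-terminated
 * to `out` and the number of input bytes consumed (both quotes included) is
 * returned; -1 means unterminated string, embedded NUL, raw newline, or
 * output buffer too small.
 */
long
lex_quoted(const char *in, size_t inlen, char *out, size_t outsz)
{
	size_t i, o = 0;
	char c, n;

	if (inlen == 0 || in[0] != '"' || outsz == 0)
		return -1;
	for (i = 1; i < inlen; i++) {
		c = in[i];
		if (c == '\0')            /* embedded NUL: reject, do not copy */
			return -1;
		if (c == '"') {           /* closing quote */
			out[o] = '\0';
			return (long)i + 1;
		}
		if (c == '\n')            /* string must end on its line */
			return -1;
		if (c == '\\') {
			if (i + 1 >= inlen)
				return -1;
			n = in[++i];
			if (n == '\n')        /* backslash-newline: continuation */
				continue;
			if (n == '\0')
				return -1;
			if (n == ' ' || n == '\t' || n == '"' || n == '\\') {
				c = n;            /* escaped character stands for itself */
			} else {
				if (o + 1 >= outsz)
					return -1;
				out[o++] = '\\';  /* unknown escape: keep both bytes */
				c = n;
			}
		}
		if (o + 1 >= outsz)       /* leave room for the terminator */
			return -1;
		out[o++] = c;
	}
	return -1;                    /* input ended before the closing quote */
}
```

The bounded-length interface is the point: a lexer that stops at the first NUL hands the rest of the buffer to the next token, whereas this one refuses the string outright.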


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio
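
Added example (not bgpd's code): a community rule parser and matcher that
follows the rules spelled out in the 1.206, 1.205, 1.199, 1.178 and 1.116
entries. AS 0 is accepted, AS 65535 is refused as a number because it is
reserved for well-known communities, the well-known names (including NO_PEER
from RFC 3765) map to 0xFFFF:xxxx, '*' is a wildcard in either half, and
"neighbor-as" is expanded to the remote AS at match time. Since 0 is a legal
AS, "unset" gets its own sentinel. The sentinel values, struct and function
names, and the 64-byte scratch buffer are this example's own choices.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sentinels for the AS or value half of a rule; 0 is a real AS, so not 0. */
#define COMMUNITY_ANY		-1	/* "*" wildcard */
#define COMMUNITY_NEIGHBOR_AS	-2	/* replaced by the remote AS when matching */
#define COMMUNITY_UNSET		-3	/* rule carries no community */

/* Well-known communities, RFC 1997 and (NO_PEER) RFC 3765. */
#define COMMUNITY_WELLKNOWN	0xFFFF
#define COMMUNITY_NO_EXPORT	0xFF01
#define COMMUNITY_NO_ADVERTISE	0xFF02
#define COMMUNITY_NO_EXPSUBCONFED 0xFF03
#define COMMUNITY_NO_PEER	0xFF04

struct filter_community {
	int	as;	/* 0..65534, or a sentinel above */
	int	type;	/* 0..65535, or COMMUNITY_ANY */
};

/* Decimal number in [0, max]; the whole string must be digits. */
static int
getcommunity_num(const char *s, long max, int *out)
{
	char	*ep;
	long	 v;

	if (s[0] < '0' || s[0] > '9')	/* no sign, no whitespace */
		return -1;
	errno = 0;
	v = strtol(s, &ep, 10);
	if (*ep != '\0' || errno == ERANGE || v < 0 || v > max)
		return -1;
	*out = (int)v;
	return 0;
}

/* Parse "AS:VALUE" with wildcards, "neighbor-as", or a well-known name. */
int
parsecommunity(const char *s, struct filter_community *c)
{
	static const struct { const char *name; int type; } wellknown[] = {
		{ "NO_EXPORT", COMMUNITY_NO_EXPORT },
		{ "NO_ADVERTISE", COMMUNITY_NO_ADVERTISE },
		{ "NO_EXPORT_SUBCONFED", COMMUNITY_NO_EXPSUBCONFED },
		{ "NO_PEER", COMMUNITY_NO_PEER },
	};
	char	 buf[64], *p;
	size_t	 i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = COMMUNITY_WELLKNOWN;
			c->type = wellknown[i].type;
			return 0;
		}

	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	if ((p = strchr(buf, ':')) == NULL)
		return -1;
	*p++ = '\0';

	if (strcmp(buf, "*") == 0)
		c->as = COMMUNITY_ANY;
	else if (strcmp(buf, "neighbor-as") == 0)
		c->as = COMMUNITY_NEIGHBOR_AS;
	else if (getcommunity_num(buf, 0xFFFE, &c->as) == -1) /* 65535 reserved */
		return -1;

	if (strcmp(p, "*") == 0)
		c->type = COMMUNITY_ANY;
	else if (getcommunity_num(p, 0xFFFF, &c->type) == -1)
		return -1;
	return 0;
}

/* Match one 32-bit community attribute against a rule: 1 match, 0 no match. */
int
community_match(const struct filter_community *c, uint32_t attr, uint32_t remote_as)
{
	int as = c->as;

	if (as == COMMUNITY_UNSET)
		return 0;
	if (as == COMMUNITY_NEIGHBOR_AS) {
		if (remote_as > 0xFFFF)	/* a 4-byte AS does not fit a classic community */
			return 0;
		as = (int)remote_as;
	}
	if (as != COMMUNITY_ANY && (uint32_t)as != (attr >> 16))
		return 0;
	if (c->type != COMMUNITY_ANY && (uint32_t)c->type != (attr & 0xFFFF))
		return 0;
	return 1;
}

/* Parse and match in one step; -1 on a parse error. */
int
community_match_str(const char *rule, uint32_t attr, uint32_t remote_as)
{
	struct filter_community c;

	if (parsecommunity(rule, &c) == -1)
		return -1;
	return community_match(&c, attr, remote_as);
}
```

community_match_str("neighbor-as:666", attr, remote_as) is the shape of the
1.179 rule: one rule, expanded per neighbor, instead of one generated rule
per peer.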


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec
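
Added example (not bgpd's str2key): a hex-string-to-key converter of the
kind this entry factors out, together with the ASCII password form from
1.43 and the length checks that 1.44, 1.86 and 1.110 touch. The point
worth seeing is the boundary: a key of exactly the maximum length is
accepted, one byte more is refused, and a password is never silently
truncated. The MAX_KEYLEN of 80 and the function names are assumptions of
this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed for this example; the real limit comes from the kernel. */
#define MAX_KEYLEN	80

/* One hex digit to its value, -1 for anything else. */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Hex string -> binary key. Returns the key length in bytes, -1 for an
 * empty, odd-length or non-hex string, -2 if the key would not fit.
 * All checks run before the first byte is written.
 */
int
hexstr2key(const char *s, uint8_t *key, size_t keysize)
{
	size_t	i, len = strlen(s);

	if (len == 0 || len % 2 != 0)	/* two digits per key byte */
		return -1;
	if (len / 2 > keysize)		/* == keysize is fine, one more is not */
		return -2;
	for (i = 0; i < len; i += 2) {
		int hi = hexnibble(s[i]), lo = hexnibble(s[i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/* ASCII password form: bytes are taken verbatim, never truncated. */
int
passwd2key(const char *s, uint8_t *key, size_t keysize)
{
	size_t	len = strlen(s);

	if (len == 0)
		return -1;
	if (len > keysize)
		return -2;
	memcpy(key, s, len);
	return (int)len;
}

/* Exercise the boundaries; returns the number of failed checks. */
int
str2key_selftest(void)
{
	uint8_t	key[MAX_KEYLEN];
	char	hex[2 * MAX_KEYLEN + 3];
	int	bad = 0;

	bad += (hexstr2key("deadBEEF", key, sizeof(key)) != 4);
	bad += (key[0] != 0xde || key[1] != 0xad || key[2] != 0xbe || key[3] != 0xef);
	bad += (hexstr2key("abc", key, sizeof(key)) != -1);	/* odd length */
	bad += (hexstr2key("zz", key, sizeof(key)) != -1);	/* not hex */
	bad += (hexstr2key("", key, sizeof(key)) != -1);

	memset(hex, 'a', 2 * MAX_KEYLEN);
	hex[2 * MAX_KEYLEN] = '\0';
	bad += (hexstr2key(hex, key, sizeof(key)) != MAX_KEYLEN); /* exactly max */
	hex[2 * MAX_KEYLEN] = 'a';
	hex[2 * MAX_KEYLEN + 1] = 'a';
	hex[2 * MAX_KEYLEN + 2] = '\0';
	bad += (hexstr2key(hex, key, sizeof(key)) != -2);	/* one byte over */

	bad += (passwd2key("secret", key, sizeof(key)) != 6);
	bad += (passwd2key(hex, key, sizeof(key)) != -2);	/* 162 chars, refused */
	return bad;
}
```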


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
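
Added example (not bgpd's code): the two checks this entry describes, in
C. nexthop_valid_v4() refuses 127/8, class D (224/4) and class E (240/4);
aspath_neighbor_as_ok() implements "enforce neighbor-as" as the 1.201
entry defines peer-as, the leftmost AS in the path. A strict dotted-quad
parser is included so the block runs without inet_pton(). Function names
and the choice to refuse an empty AS_PATH while enforcing are this
example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Strict dotted quad: four decimal octets and nothing else. Host order. */
int
parse_ipv4(const char *s, uint32_t *out)
{
	uint32_t	addr = 0;
	int		i;

	for (i = 0; i < 4; i++) {
		char	*ep;
		long	 v;

		if (*s < '0' || *s > '9')	/* no sign, no whitespace */
			return -1;
		v = strtol(s, &ep, 10);
		if (v < 0 || v > 255 || ep - s > 3)
			return -1;
		addr = addr << 8 | (uint32_t)v;
		s = ep;
		if (i < 3) {
			if (*s != '.')
				return -1;
			s++;
		}
	}
	if (*s != '\0')
		return -1;
	*out = addr;
	return 0;
}

/* Usable IPv4 nexthop: not loopback, not class D, not class E. */
int
nexthop_valid_v4(uint32_t addr)
{
	if ((addr >> 24) == 127)	/* 127.0.0.0/8 */
		return 0;
	if ((addr >> 28) == 0xE)	/* 224.0.0.0 - 239.255.255.255 */
		return 0;
	if ((addr >> 28) == 0xF)	/* 240.0.0.0 - 255.255.255.255 */
		return 0;
	return 1;
}

/* Same check on a string; an unparsable string is not a valid nexthop. */
int
nexthop_valid_str(const char *s)
{
	uint32_t	addr;

	if (parse_ipv4(s, &addr) == -1)
		return 0;
	return nexthop_valid_v4(addr);
}

/*
 * "enforce neighbor-as": the leftmost AS of a received AS_PATH must be
 * the neighbor's AS. Returns 1 when the path is acceptable, 0 when the
 * update should be refused. With enforcement off everything passes.
 */
int
aspath_neighbor_as_ok(const uint32_t *aspath, size_t len, uint32_t remote_as,
    int enforce)
{
	if (!enforce)
		return 1;
	if (len == 0)	/* nothing to check against: refuse (this example's choice) */
		return 0;
	return aspath[0] == remote_as;
}
```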


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
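
Added example (not bgpd's code): the secrecy check this entry describes,
applied to an already-open descriptor so the file inspected is the file
that will be read. It refuses a file owned by anyone other than root or
the invoking user, and any mode with group or world bits set. The selftest
builds a scratch file under /tmp with mkstemp(), which is this example's
assumption about the environment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Config file secrecy: owner must be root or us, and no permission bit
 * for group or world may be set. 0 when acceptable, -1 otherwise with a
 * reason in *why. Checking the fd, not the path, avoids a swap between
 * the check and the read.
 */
int
check_file_secrecy(int fd, const char **why)
{
	struct stat	st;

	if (fstat(fd, &st) == -1) {
		*why = "fstat failed";
		return -1;
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		*why = "wrong owner";
		return -1;
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		*why = "group/world readable, writeable or executable";
		return -1;
	}
	return 0;
}

/* Scratch file: 0600 passes, 0644 and 0660 fail. Returns failed checks. */
int
secrecy_selftest(void)
{
	char		 path[] = "/tmp/secrecy-XXXXXX";
	const char	*why = NULL;
	int		 fd, bad = 0;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	unlink(path);	/* the open fd keeps it alive; nothing lingers on disk */

	bad += (fchmod(fd, S_IRUSR | S_IWUSR) == -1);			/* 0600 */
	bad += (check_file_secrecy(fd, &why) != 0);

	bad += (fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1);	/* 0644 */
	bad += (check_file_secrecy(fd, &why) != -1);

	bad += (fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP) == -1);	/* 0660 */
	bad += (check_file_secrecy(fd, &why) != -1);

	close(fd);
	return bad;
}
```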


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.388 27-May-2019 claudio

Switch the peer TAILQ to a RB tree indexed by the peer id. This way
getpeerbyid() gets a lot quicker at finding the peer when many peers
are configured. In my test case the difference is around 20% runtime.
OK denis@


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters, the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
to support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
	announce refresh yes    # was already on by default
	announce restart no
	announce as-4byte no    # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
	nexthop qualify via bgp
	nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from beeing given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
	deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragement from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
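
The leak pattern described in this message, and its fix, as an added stand-alone example (not parse.y itself): a bsearch()-based lookup() over a small constructed keyword table, a leaky yylex variant that strdup()s for every token, and a fixed variant that allocates only when the grammar will actually take ownership of the string. The helper leaked_allocations() plays the role of the grammar, freeing only STRING values, and counts what is left behind; the word list is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token values as yacc would number them; STRING is the catch-all. */
enum token { STRING = 258, DENY, FROM, NEIGHBOR, SET };

/* Constructed keyword table; it must stay sorted because lookup() uses bsearch(). */
static const struct keyword {
	const char	*k_name;
	int		 k_val;
} keywords[] = {
	{ "deny",	DENY },
	{ "from",	FROM },
	{ "neighbor",	NEIGHBOR },
	{ "set",	SET }
};

static int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keyword *)e)->k_name));
}

/* Map a word to its keyword token, or STRING if it is not a keyword. */
static int
lookup(const char *s)
{
	const struct keyword *p;

	p = bsearch(s, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return (p != NULL ? p->k_val : STRING);
}

/* Stand-in for yacc's yylval; only STRING tokens carry a string value. */
static struct { union { char *string; } v; } yylval;

/* Leaky version: strdup()s for every token, but the grammar only ever
 * free()s the value of STRING tokens, so each keyword leaks one copy. */
int
yylex_leaky(const char *buf)
{
	int token;

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL) {
		fprintf(stderr, "yylex: strdup\n");
		exit(1);
	}
	return (token);
}

/* Fixed version: allocate only when lookup() returned STRING. */
int
yylex_fixed(const char *buf)
{
	int token;

	token = lookup(buf);
	yylval.v.string = NULL;
	if (token == STRING) {
		if ((yylval.v.string = strdup(buf)) == NULL) {
			fprintf(stderr, "yylex: strdup\n");
			exit(1);
		}
	}
	return (token);
}

/* Run one lexer over a word list, free STRING values as the grammar would,
 * and return how many allocations were left dangling for other tokens. */
size_t
leaked_allocations(int (*lex)(const char *), const char *const *words, size_t n)
{
	size_t i, leaked = 0;

	for (i = 0; i < n; i++) {
		if (lex(words[i]) == STRING) {
			free(yylval.v.string);	/* grammar's job */
		} else if (yylval.v.string != NULL) {
			leaked++;		/* nobody would free this */
			free(yylval.v.string);	/* tidy up for the demo only */
		}
		yylval.v.string = NULL;
	}
	return (leaked);
}

/* Constructed input: one filter rule, three keywords and three strings. */
const char *const demo_words[] = { "deny", "from", "any", "set", "localpref", "100" };
#define DEMO_NWORDS (sizeof(demo_words) / sizeof(demo_words[0]))

int
main(void)
{
	printf("leaky: %zu leaked, fixed: %zu leaked\n",
	    leaked_allocations(yylex_leaky, demo_words, DEMO_NWORDS),
	    leaked_allocations(yylex_fixed, demo_words, DEMO_NWORDS));
	return (0);
}
```

With the constructed input the leaky lexer leaves three allocations behind (one per keyword) and the fixed one none; on a long-running daemon that reloads its configuration repeatedly, this is exactly the kind of per-token leak that grows without bound.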


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
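
An added example of the kind of secrecy check this message describes, written for this log and not bgpd's own code: the file is checked through the already-open descriptor (fstat) so that the check and the later read cannot be separated by a rename, the owner must be root or the invoking user, and no group or world permission bits may be set. The point of the check is that bgpd.conf carries TCP MD5 and IPsec keys, so a readable config leaks session keys. demo_file_secrecy() builds a private temporary file, checks it, loosens it to 0644 and checks again; the path template is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 0 if the open file is private enough to hold keys, -1 otherwise. */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		fprintf(stderr, "cannot stat %s\n", fname);
		return (-1);
	}
	/* owner must be root or the user running the daemon */
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		fprintf(stderr, "%s: owner not root or current user\n", fname);
		return (-1);
	}
	/* no rights at all for group or world */
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		fprintf(stderr, "%s: group/world readable/writeable\n", fname);
		return (-1);
	}
	return (0);
}

/* Demonstration: mkstemp() creates the file with mode 0600, which passes;
 * after fchmod() to 0644 the same file must be rejected.
 * Returns 0 when both outcomes are as expected, -1 otherwise. */
int
demo_file_secrecy(void)
{
	char path[] = "/tmp/secrecy-demo.XXXXXX";	/* constructed template */
	int fd, first, second;

	if ((fd = mkstemp(path)) == -1)
		return (-1);
	first = check_file_secrecy(fd, path);
	if (fchmod(fd, 0644) == -1) {
		close(fd);
		unlink(path);
		return (-1);
	}
	second = check_file_secrecy(fd, path);
	close(fd);
	unlink(path);
	return ((first == 0 && second == -1) ? 0 : -1);
}

int
main(void)
{
	if (demo_file_secrecy() == 0)
		printf("0600 config accepted, 0644 config rejected\n");
	return (0);
}
```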


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.387 03-May-2019 claudio

Make sure that the as-set name is not too long when parsing the config file.
Fixes an assertion caught in new_as_set() parsing some arouteserver config.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
	165.254.255.0/24 source-as 15562
	193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
	1.2.3.0/24 source-as 1,
	1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
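
An added example, not bgpd's RDE code, covering two messages in this log: the origin validation introduced in rev. 1.361 (a route is valid, invalid or not-found against a roa-set, the three states the filter keyword ovs tests) and the maxlen semantics from rev. 1.351, where a ROA "P/L maxlen M" covers exactly the prefixes inside P/L with length in the range L - M. The roa-set is constructed with the same two entries as the config shown in the 1.361 message; IPv4 only, and the lookup is a linear scan rather than the trie the messages mention, which is enough to show the decision rule.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three outcomes a filter rule can test with 'ovs'. */
enum roa_state { ROA_NOTFOUND = 0, ROA_INVALID = 1, ROA_VALID = 2 };

#define IP4(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
	 ((uint32_t)(c) << 8) | (uint32_t)(d))

struct roa {
	uint32_t	prefix;		/* IPv4 prefix, host byte order, already masked */
	uint8_t		prefixlen;
	uint8_t		maxlen;		/* equals prefixlen when no maxlen is given */
	uint32_t	source_as;
};

/* Constructed roa-set, mirroring the config in the 1.361 message. */
static const struct roa roaset[] = {
	{ IP4(165, 254, 255, 0), 24, 24, 15562 },
	{ IP4(193, 0, 0, 0),     21, 24, 3333 },
};

static uint32_t
netmask(uint8_t len)
{
	return (len == 0 ? 0 : 0xffffffffU << (32 - len));
}

/* Validate a route prefix/len originated by origin_as against the roa-set:
 * not-found if no ROA covers the prefix, valid if some covering ROA matches
 * both the origin AS and the length range, invalid if covered but unmatched. */
enum roa_state
roa_validate(uint32_t prefix, uint8_t len, uint32_t origin_as)
{
	enum roa_state state = ROA_NOTFOUND;
	size_t i;

	for (i = 0; i < sizeof(roaset) / sizeof(roaset[0]); i++) {
		const struct roa *r = &roaset[i];

		/* covering ROA: the route lies inside r->prefix/r->prefixlen */
		if (len < r->prefixlen ||
		    (prefix & netmask(r->prefixlen)) != r->prefix)
			continue;
		/* prefixlen range [prefixlen, maxlen] plus matching source-as */
		if (len <= r->maxlen && origin_as == r->source_as)
			return (ROA_VALID);
		state = ROA_INVALID;
	}
	return (state);
}

/* Convenience wrapper taking "a.b.c.d/len"; returns -1 on malformed input. */
int
roa_validate_str(const char *cidr, uint32_t origin_as)
{
	char buf[32], *slash, *end;
	struct in_addr in;
	long len;

	if (snprintf(buf, sizeof(buf), "%s", cidr) >= (int)sizeof(buf))
		return (-1);
	if ((slash = strchr(buf, '/')) == NULL)
		return (-1);
	*slash++ = '\0';
	len = strtol(slash, &end, 10);
	if (*end != '\0' || len < 0 || len > 32)
		return (-1);
	if (inet_pton(AF_INET, buf, &in) != 1)
		return (-1);
	return (roa_validate(ntohl(in.s_addr), (uint8_t)len, origin_as));
}

int
main(void)
{
	static const char *names[] = { "not-found", "invalid", "valid" };

	/* constructed announcements; all are well-formed so the index is safe */
	printf("193.0.2.0/24 from AS 3333:  %s\n", names[roa_validate_str("193.0.2.0/24", 3333)]);
	printf("193.0.2.0/25 from AS 3333:  %s\n", names[roa_validate_str("193.0.2.0/25", 3333)]);
	printf("193.0.2.0/24 from AS 65001: %s\n", names[roa_validate_str("193.0.2.0/24", 65001)]);
	printf("10.0.0.0/8 from AS 65001:   %s\n", names[roa_validate_str("10.0.0.0/8", 65001)]);
	return (0);
}
```

Note the asymmetry worth remembering when writing filters: a more specific announcement than maxlen allows (193.0.2.0/25 above) is invalid, not not-found, because the /21 ROA covers it; a less specific one (193.0.0.0/20) is not covered by any ROA and stays not-found, which is why a rule like `deny from any ovs invalid` alone does not stop it.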


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let the rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@
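A bgpd.conf fragment written to the migration advice in this commit message, as an added example that is not part of the commit or of the OpenBSD tree; the AS numbers, router-id, peer address and prefixes are constructed:

```conf
# Constructed example: a neighbor block and filter set prepared the way
# revision 1.322 recommends, so the config behaves the same before and
# after the switch to default-deny filters.
AS 65001
router-id 192.0.2.1

neighbor 192.0.2.2 {
	remote-as 65002
	descr "peer-a"
	# 'announce self' no longer parses and 'announce none' is now
	# 'export none'; 'announce all' is stated explicitly so the
	# filters below, not the announce keyword, decide what is leaked.
	announce all
}

# Default deny in both directions first. bgpd uses last-match
# semantics, so the specific allow rules below win over these.
# With the old default-allow filters, 'announce all' alone would pass
# every prefix; the two deny rules are what prevent that.
deny from any
deny to any

# Only the prefix the peer is expected to send, and only our own
# prefix outbound.
allow from 192.0.2.2 prefix 203.0.113.0/24
allow to 192.0.2.2 prefix 198.51.100.0/24
```

Check the result with `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei peer-a`, as the commit message suggests.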


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities, else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@
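
The '+'/'-' prefix introduced in this entry, together with the point made in
rev 1.175 above that a relative adjustment is signed while the metric itself is
not, as an added C example. This is not bgpd's own parser code: parse_metric(),
apply_relative() and the saturating arithmetic are assumptions made for the
illustration.

```c
/*
 * Added example, not bgpd's own code: the "+20"/"-20" relative metric
 * syntax (rev 1.152) and the signed/unsigned split (rev 1.175).
 * parse_metric() and apply_relative() are hypothetical names.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Parse a metric argument. "100" is absolute, "+20"/"-20" is relative.
 * Returns 0 and sets *abs_out for an absolute value, 1 and sets *rel_out
 * for a relative one, -1 if the string is not a plain decimal number or
 * the value does not fit the target type (uint32_t resp. int32_t).
 */
int
parse_metric(const char *s, uint32_t *abs_out, int32_t *rel_out)
{
	char		*end;
	long long	 v;

	/* strtoll() would silently skip leading blanks; be strict. */
	if (s == NULL || !(isdigit((unsigned char)s[0]) || s[0] == '+' ||
	    s[0] == '-'))
		return (-1);
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno != 0 || end == s || *end != '\0')
		return (-1);

	if (s[0] == '+' || s[0] == '-') {
		/* relative: signed, kept in its own field, never in the metric */
		if (v < INT32_MIN || v > INT32_MAX)
			return (-1);
		*rel_out = (int32_t)v;
		return (1);
	}
	/* absolute: unsigned 32-bit, as carried in the path attribute */
	if (v < 0 || v > (long long)UINT32_MAX)
		return (-1);
	*abs_out = (uint32_t)v;
	return (0);
}

/*
 * Apply a signed relative adjustment to an unsigned metric, saturating
 * at 0 and UINT32_MAX instead of wrapping around.
 */
uint32_t
apply_relative(uint32_t metric, int32_t relative)
{
	uint32_t	d;

	if (relative >= 0) {
		d = (uint32_t)relative;
		return (metric > UINT32_MAX - d ? UINT32_MAX : metric + d);
	}
	/* negate via int64_t so INT32_MIN does not overflow */
	d = (uint32_t)(-(int64_t)relative);
	return (metric < d ? 0 : metric - d);
}
```

Keeping the delta in its own int32_t and only combining it with the uint32_t
metric at evaluation time is what lets the parser accept "-20" without ever
storing a negative value in an unsigned attribute.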


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of the same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
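
The two ways of giving a key described in this entry (hex, or an ASCII password
with its smaller key space), with the length and content checks that revs
1.110, 1.103, 1.101, 1.86 and 1.44 above deal with, as an added C example.
This is not bgpd's str2key(); KEY_MAXLEN and the function names are
assumptions.

```c
/*
 * Added example, not bgpd's own str2key(): convert a TCP MD5 / IPsec key
 * given as a hex string or as an ASCII password into a fixed-size key
 * buffer. Over-long keys are rejected instead of truncated, and the
 * length test is done on the input before anything is written.
 * KEY_MAXLEN and the function names are assumptions, not bgpd's.
 */
#include <stddef.h>
#include <string.h>

#define KEY_MAXLEN	80		/* assumed key buffer size, in bytes */

/* value of one hex digit, or -1 */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Hex string -> bytes. Returns the key length in bytes, or -1 for an
 * empty string, odd length, a non-hex character, or more than keymax
 * bytes. Exactly 2*keymax digits is the largest accepted input, so
 * the "key too long" test cannot be off by one.
 */
int
str2key(const char *s, unsigned char *key, size_t keymax)
{
	size_t	n, i;
	int	hi, lo;

	n = strlen(s);
	if (n == 0 || n % 2 != 0 || n / 2 > keymax)
		return (-1);
	for (i = 0; i < n; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return (-1);
		key[i / 2] = (unsigned char)(hi << 4 | lo);
	}
	return ((int)(n / 2));
}

/*
 * ASCII password -> bytes, no terminator. The key length is returned
 * explicitly rather than recovered with strlen() later, and too long
 * is an error, not a silent truncation.
 */
int
password2key(const char *s, unsigned char *key, size_t keymax)
{
	size_t	n;

	n = strlen(s);
	if (n == 0 || n > keymax)
		return (-1);
	memcpy(key, s, n);
	return ((int)n);
}
```

Both functions return the byte count so the caller stores it next to the key;
a key given in hex may contain NUL bytes, which is exactly why strlen() on
the stored key is not an option.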


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


Revision tags: OPENBSD_6_5_BASE
# 1.386 10-Apr-2019 claudio

Include endian.h since htobe* or be*toh is used. Helps with portable.
OK deraadt@


# 1.385 31-Mar-2019 claudio

Move the struct peer into bgpd_config and switch it to a TAILQ instead of
the hand-rolled list. This changes the way peers are reloaded since now
both parent and session engine are merging the lists.
OK denis@


# 1.384 15-Mar-2019 claudio

Set all default values in init_config in parse.y and remove the special
ones in session.c. Adjust printconfig a bit to only show non default values
and move mrt_mergeconfig into merge_config where it kind of belongs.
OK benno@


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildcards or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also, to make it more flexible (e.g. having
more than one mpeX interface per rdomain), the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters, the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than
one community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
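The roa-set lookup introduced in 1.361 and the maxlen/prefixlen equivalence of this commit, as one added Python example that is not bgpd's own code: prefixlen_range normalises the prefix operators to one inclusive (min, max) range, which is what makes 'prefix 10.0.0.0/8 prefixlen 8 - 24' and 'prefix 10.0.0.0/8 maxlen 24' the same rule, and ovs classifies a (prefix, source-as) pair as valid, invalid or not-found against the two roa-set entries quoted in the 1.361 message. The function names, the tuple layout of ROA_SET and the RFC 6811 classification are this example's own; an entry written without maxlen is treated as maxlen equal to its prefixlen.

```python
"""ROA origin validation and prefixlen ranges (constructed example, not bgpd code)."""
import ipaddress
from typing import Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Net, int, int]   # (prefix, min prefixlen, max prefixlen), inclusive


def prefixlen_range(prefix: str, op: str = "", *args: int) -> Entry:
    """Normalise a prefix statement to one inclusive prefixlen range, the way
    bgpd treats 'or-longer', 'maxlen N' and 'prefixlen = N' as a range.
    op is one of '', 'or-longer', 'maxlen', 'prefixlen =', 'prefixlen -'."""
    net = ipaddress.ip_network(prefix, strict=False)
    plen = net.prefixlen
    if op == "":                      # exact prefix only
        return net, plen, plen
    if op == "or-longer":             # prefixlen >= plen
        return net, plen, net.max_prefixlen
    if op == "maxlen":                # ROA style: plen .. maxlen
        return net, plen, args[0]
    if op == "prefixlen =":           # '= N' is the one-element range N .. N
        return net, args[0], args[0]
    if op == "prefixlen -":           # 'A - B', both ends included
        return net, args[0], args[1]
    raise ValueError("unknown prefix operator %r" % op)


def covered_by(net: Net, candidate: Net) -> bool:
    """True when candidate lies inside net (same address family only)."""
    return candidate.version == net.version and candidate.subnet_of(net)


def entry_matches(entry: Entry, candidate: Net) -> bool:
    """Covered by the entry's prefix and within its prefixlen range."""
    net, lo, hi = entry
    return covered_by(net, candidate) and lo <= candidate.prefixlen <= hi


# The roa-set from the 1.361 commit message as (prefix, maxlen, source-as);
# the entry written without maxlen gets maxlen == prefixlen.
ROA_SET = [
    ("165.254.255.0/24", 24, 15562),
    ("193.0.0.0/21", 24, 3333),
]


def ovs(roas, prefix: str, source_as: int) -> str:
    """RFC 6811 origin validation state for a (prefix, source-as) pair:
    'valid' if a covering ROA has this AS and allows this length,
    'invalid' if ROAs cover the prefix but none matches, else 'not-found'."""
    cand = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, maxlen, asn in roas:
        entry = prefixlen_range(roa_prefix, "maxlen", maxlen)
        if not covered_by(entry[0], cand):
            continue
        covered = True          # a covering ROA exists, so never 'not-found'
        if asn == source_as and entry_matches(entry, cand):
            return "valid"
    return "invalid" if covered else "not-found"
```

A more specific announcement than the ROA's maxlen allows (193.0.0.0/25 from AS 3333) or the right prefix from the wrong AS both come out invalid, which is what 'deny from any ovs invalid' acts on; a prefix no ROA covers stays not-found.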


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@
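The as-path filter operators of 1.287 (=, !=, - and ><), the max-as-len and max-as-seq checks of 1.255 and the neighbor-as expansion of this commit, in one added Python example that is not bgpd's own code. The as_filter, selection, max_as_len and max_as_seq names are this example's own, as is the reading of the keywords it encodes (AS: any element of the path, peer-as: the leftmost, source-as: the rightmost, transit-as: every AS but the origin); a rule matches when any selected AS satisfies the operator, and paths are plain AS_SEQUENCE lists.

```python
"""AS-path filter evaluation (constructed example, not bgpd code)."""
from typing import List, Optional, Sequence, Union

AsPath = Sequence[int]   # AS_SEQUENCE only: leftmost is the neighbor, rightmost the origin


def as_matches(asn: int, op: str, a: int, b: Optional[int] = None) -> bool:
    """Operators of the 1.287 commit: =, !=, - (inclusive range), >< (exclusive range)."""
    if op == "=":
        return asn == a
    if op == "!=":
        return asn != a
    if op == "-":
        return a <= asn <= b
    if op == "><":
        return a < asn < b
    raise ValueError("unknown operator %r" % op)


def selection(kind: str, path: AsPath) -> List[int]:
    """Which positions of the path a keyword looks at (assumed semantics, see lead-in)."""
    if not path:
        return []
    return {
        "AS": list(path),              # any AS in the path
        "peer-as": [path[0]],          # the neighbor's AS
        "source-as": [path[-1]],       # the originating AS
        "transit-as": list(path[:-1]), # everything except the origin
    }[kind]


def as_filter(kind: str, op: str, value: Union[int, str], path: AsPath,
              neighbor_as: int, b: Optional[int] = None) -> bool:
    """Evaluate '<kind> <op> <value>'; 'neighbor-as' expands to the session's remote AS."""
    a = neighbor_as if value == "neighbor-as" else value
    return any(as_matches(asn, op, a, b) for asn in selection(kind, path))


def max_as_len(path: AsPath, limit: int) -> bool:
    """max-as-len: matches when the path is longer than limit."""
    return len(path) > limit


def max_as_seq(path: AsPath, limit: int) -> bool:
    """max-as-seq: matches when one AS is repeated consecutively more than limit
    times, i.e. the prepend run is longer than limit."""
    run, prev = 0, None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        if run > limit:
            return True
    return False
```

With a constructed path [64512, 64512, 64512, 3356, 15169] and a session to AS 15169, 'source-as neighbor-as' matches, 'transit-as 15169' does not, and max-as-seq with a limit of 2 catches the threefold prepend while a limit of 3 lets it through.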


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two-liner. Will be enabled again once I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho a long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc
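The check behind "ttl-security", shown as an added example written for this page rather than bgpd's own session code. Under GTSM (RFC 3682, later RFC 5082) both speakers send with TTL 255, and a receiver that is `distance` router hops away accepts only packets whose TTL is still at least 256 - distance, so a forged packet from any further away is dropped by the kernel before it can reach the TCP session. The 256 - distance formula, the function names and the use of IP_MINTTL for the receive-side filter are this example's assumptions.

```c
#include <sys/socket.h>
#include <netinet/in.h>

#define GTSM_TTL	255	/* every GTSM speaker sends with this TTL */

/*
 * Lowest TTL a packet from a peer `distance` router hops away can still
 * carry on arrival (directly connected: 255). Hops outside 1..255 are
 * invalid and reported as -1. (Assumed formula, not bgpd's code.)
 */
int
gtsm_min_ttl(int distance)
{
	if (distance < 1 || distance > 255)
		return (-1);
	return (256 - distance);
}

/* Would a packet seen with recv_ttl be accepted from a peer at distance? */
int
gtsm_accept(int distance, int recv_ttl)
{
	int minttl = gtsm_min_ttl(distance);

	return (minttl > 0 && recv_ttl >= minttl && recv_ttl <= GTSM_TTL);
}

/*
 * Apply GTSM to a session socket: send with TTL 255 and ask the kernel
 * to drop anything arriving below the minimum. Without IP_MINTTL the
 * receive side cannot be enforced, so report failure instead of silently
 * running an unprotected session.
 */
int
gtsm_apply(int fd, int distance)
{
	int ttl = GTSM_TTL;
	int minttl = gtsm_min_ttl(distance);

	if (minttl < 0)
		return (-1);
	if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) == -1)
		return (-1);
#ifdef IP_MINTTL
	if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)) == -1)
		return (-1);
	return (0);
#else
	return (-1);
#endif
}
```

The receive-side filter is the whole point: setting the outgoing TTL alone proves nothing to the peer, and a userland check after accept() is too late because the kernel has already completed the handshake with whoever spoofed the packet.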


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@
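The community syntax that revs 1.206, 1.205, 1.199, 1.180, 1.179 and 1.178 describe, as an added example parser written for this page (it is not bgpd's parsecommunity()): "AS:VALUE" with 0 allowed in the AS part but 65535 reserved for well-known communities, "*" as a wildcard on either side, "neighbor-as" in the AS part, and the well-known names from RFC 1997 plus NO_PEER from RFC 3765. The struct layout, the sentinel values, and the decision that neighbor-as never matches a peer with a 4-byte AS (communities stay 2-byte, rev 1.204) are this example's own choices.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Sentinels for the AS/value parts; the names and values are assumed. */
#define COMMUNITY_ANY		-1	/* "*" */
#define COMMUNITY_NEIGHBOR_AS	-2	/* "neighbor-as", expanded per peer */
#define COMMUNITY_WELLKNOWN	USHRT_MAX /* 65535, reserved AS part */

struct filter_community {
	int	as;
	int	type;
};

/* Well-known communities: RFC 1997 plus NO_PEER from RFC 3765. */
static const struct { const char *name; int value; } wellknown[] = {
	{ "NO_EXPORT",		0xff01 },
	{ "NO_ADVERTISE",	0xff02 },
	{ "NO_EXPORT_SUBCONFED",0xff03 },
	{ "NO_PEER",		0xff04 },
};

/*
 * Parse one side of "as:value". "*" is always a wildcard; "neighbor-as"
 * is only meaningful in the AS part. Numbers must be unsigned and fit
 * in 16 bits; 65535 is rejected in the AS part because it is reserved.
 */
static int
parse_part(const char *s, int is_as_part, int *out)
{
	char	*ep;
	long	 v;

	if (strcmp(s, "*") == 0) {
		*out = COMMUNITY_ANY;
		return (0);
	}
	if (is_as_part && strcmp(s, "neighbor-as") == 0) {
		*out = COMMUNITY_NEIGHBOR_AS;
		return (0);
	}
	if (*s < '0' || *s > '9')	/* no sign, no empty string */
		return (-1);
	errno = 0;
	v = strtol(s, &ep, 10);
	if (*ep != '\0' || errno != 0 || v > USHRT_MAX)
		return (-1);
	if (is_as_part && v == COMMUNITY_WELLKNOWN)
		return (-1);
	*out = (int)v;
	return (0);
}

/*
 * Parse "NO_PEER", "65001:*", "0:100", "neighbor-as:666" and the like.
 * Returns 0 on success, -1 on a syntax or range error (the grammar
 * would then call yyerror()).
 */
int
parsecommunity(const char *s, struct filter_community *c)
{
	char	 buf[64], *val;
	size_t	 i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++) {
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = COMMUNITY_WELLKNOWN;
			c->type = wellknown[i].value;
			return (0);
		}
	}
	if (strlen(s) >= sizeof(buf))
		return (-1);
	strcpy(buf, s);
	if ((val = strchr(buf, ':')) == NULL)
		return (-1);
	*val++ = '\0';
	if (parse_part(buf, 1, &c->as) == -1 ||
	    parse_part(val, 0, &c->type) == -1)
		return (-1);
	return (0);
}

/*
 * Match one community carried in a path attribute against a filter
 * entry. neighbor-as expands to the peer's AS at match time; a peer
 * whose AS does not fit in 16 bits can never match it here.
 */
int
community_match(const struct filter_community *f, unsigned int as,
    unsigned int type, unsigned int remote_as)
{
	unsigned int want_as = (unsigned int)f->as;

	if (f->as == COMMUNITY_NEIGHBOR_AS) {
		if (remote_as > USHRT_MAX)
			return (0);
		want_as = remote_as;
	}
	if (f->as != COMMUNITY_ANY && want_as != as)
		return (0);
	if (f->type != COMMUNITY_ANY && (unsigned int)f->type != type)
		return (0);
	return (1);
}
```

Rejecting a bare "65535:x" at parse time is what keeps the well-known range from being spoofed through an ordinary rule; the names are the only way to get an AS part of 65535 into a filter.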


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected or all static routes, respectively. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.383 09-Mar-2019 claudio

Unbreak 'announce inet none' which was actually clearing way too much.
'announce inet none' should only clear AFI/SAFI pairs where the AFI is
inet.
OK benno@


# 1.382 07-Mar-2019 claudio

Do a better job at cleaning up the config on shutdown. Remove bits that
were missed before (e.g. network related objects). This helps to detect
memory leaks.
Start using new_config() and free_config() in all places where bgpd_config
structures are used. This way the struct is properly initialised and cleaned
up. Introduce copy_config() to only copy the values into the other struct
leaving the pointers as they were.
Looks good to benno@


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@

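The roa-set table and the three ovs states the filter rules above match on, as an added Python example (this is not bgpd's code; bgpd parses roa-set in parse.y and does the lookup in the RDE): it parses a roa-set block of the shape shown in the commit message and classifies an announced prefix/origin-AS pair as valid, invalid or not-found following RFC 6811, where a ROA without maxlen covers exactly its own length and one with maxlen covers every length from the prefix length up to maxlen. The names Roa, parse_roa_set and validate are mine, and the sample block is constructed from the message's own two lines.

```python
# Added example, not bgpd's own code: a minimal Python model of the
# roa-set table and the RFC 6811 origin validation states (valid,
# invalid, not-found) that 'ovs' filter rules match on.
import ipaddress
import re
from dataclasses import dataclass

# One line inside a roa-set block: prefix, optional maxlen, source-as.
# A trailing comma is tolerated since the config grammar accepts it.
_ROA_LINE = re.compile(
    r"^\s*(?P<prefix>[0-9a-fA-F:.]+/\d+)"
    r"(?:\s+maxlen\s+(?P<maxlen>\d+))?"
    r"\s+source-as\s+(?P<asn>\d+)\s*,?\s*$"
)

# Constructed sample, taken from the two lines in the commit message.
SAMPLE_ROA_SET = """
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
"""


@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress.IPv4Network or ipaddress.IPv6Network
    maxlen: int         # longest prefix length the ROA authorises
    source_as: int      # authorised origin AS


def parse_roa_set(text):
    """Parse the body of a 'roa-set { ... }' block into Roa records."""
    roas = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.startswith("roa-set"):           # 'roa-set {' or 'roa-set "name" {'
            in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        if not in_block:
            continue
        m = _ROA_LINE.match(line)
        if m is None:
            raise ValueError("unparsable roa-set line: %r" % raw)
        net = ipaddress.ip_network(m.group("prefix"), strict=True)
        # Without an explicit maxlen a ROA covers exactly its own length.
        maxlen = int(m.group("maxlen")) if m.group("maxlen") else net.prefixlen
        if maxlen < net.prefixlen or maxlen > net.max_prefixlen:
            raise ValueError("maxlen out of range in: %r" % raw)
        roas.append(Roa(net, maxlen, int(m.group("asn"))))
    return roas


def validate(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for an announced route.

    not-found: no ROA covers the prefix at all.
    valid:     some covering ROA authorises this origin AS and the
               announced length does not exceed its maxlen.
    invalid:   covering ROAs exist but none matches (wrong AS or too long).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if net.prefixlen <= r.maxlen and r.source_as == origin_as:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    table = parse_roa_set(SAMPLE_ROA_SET)
    for route, asn in (("193.0.0.0/22", 3333), ("193.0.0.0/25", 3333),
                       ("165.254.255.0/24", 64512), ("10.0.0.0/8", 3333)):
        print(route, "AS%d" % asn, validate(table, route, asn))
```

A deny rule on ovs invalid drops the /25 more-specific and the wrong-origin announcement in the run above, while the /8 with no covering ROA stays not-found and is left to the other filters, which is why the commit message pairs the three states with separate rules rather than treating not-found as a failure.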

# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to use == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.381 27-Feb-2019 claudio

Fix export none. none became a keyword some time ago and so this broke.
Switch also default-route to a keyword and remove the old 6.3/6.4 announce
compat code.
Reported by florian@
OK benno@


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr; instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh(); this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to use == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering on ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we'd have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@
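
The community syntax these entries describe, as an added C example that is not bgpd's own parsecommunity(): the '*' wildcard from this entry (1.76) and from "set community delete 65001:*" (1.180), the neighbor-as expansion (1.179), 0 allowed in the AS part (1.205) while 65535 is refused there because the well-known communities such as NO_PEER from RFC 3765 (1.116, 1.178) all live in 65535:x (1.206), and an unset community that matches everything (1.207). The struct, the COMMUNITY_* markers and the match helper are assumptions made for the illustration; communities can only carry 2-byte AS numbers (1.204), so a neighbor-as rule on a 4-byte peer can never match.

```c
/* Added example, not bgpd's own parsecommunity(): struct and constant names
 * are assumptions for the illustration. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COMMUNITY_ANY		-1	/* '*' wildcard */
#define COMMUNITY_NEIGHBOR_AS	-2	/* expanded to the peer's AS when matching */
#define COMMUNITY_UNSET		-3	/* no community configured: matches everything */

struct community {
	int	as;	/* 0..65534 or a negative marker from above */
	int	type;	/* 0..65535 or a negative marker from above */
};

/* Well-known communities (RFC 1997, RFC 3765) all live in 65535:x, which
 * is why 65535 is not accepted as an ordinary AS part. */
static const struct { const char *name; int type; } wellknown[] = {
	{ "NO_EXPORT", 1 }, { "NO_ADVERTISE", 2 },
	{ "NO_EXPORT_SUBCONFED", 3 }, { "NO_PEER", 4 },
};

/* Strict decimal parse: no sign, no trailing garbage, value <= max. */
static int
parse_num(const char *s, unsigned long max, unsigned long *out)
{
	char *end;

	if (!isdigit((unsigned char)*s))
		return -1;
	errno = 0;
	*out = strtoul(s, &end, 10);
	return (errno != 0 || *end != '\0' || *out > max) ? -1 : 0;
}

/* One half of "as:type": wildcard, neighbor-as, or a bounded number. */
static int
parse_part(const char *s, unsigned long max, int *out)
{
	unsigned long v;

	if (strcmp(s, "*") == 0)
		*out = COMMUNITY_ANY;
	else if (strcmp(s, "neighbor-as") == 0)
		*out = COMMUNITY_NEIGHBOR_AS;
	else if (parse_num(s, max, &v) == 0)
		*out = (int)v;
	else
		return -1;
	return 0;
}

/* Returns 0 on success, -1 on a syntax or range error. */
int
parsecommunity(const char *s, struct community *c)
{
	char buf[32], *type;
	size_t i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = 65535;
			c->type = wellknown[i].type;
			return 0;
		}
	if (strlen(s) >= sizeof(buf) || (type = strchr(strcpy(buf, s), ':')) == NULL)
		return -1;
	*type++ = '\0';
	/* AS part: 0 is legal (rev 1.205), 65535 is reserved (rev 1.206) */
	if (parse_part(buf, 65534, &c->as) == -1)
		return -1;
	return parse_part(type, 65535, &c->type);
}

static int
part_match(int want, uint16_t have, uint32_t neighbor_as)
{
	if (want == COMMUNITY_ANY)
		return 1;
	if (want == COMMUNITY_NEIGHBOR_AS)	/* communities hold 2-byte AS only */
		return neighbor_as <= 0xffff && have == (uint16_t)neighbor_as;
	return have == (uint16_t)want;
}

/* Match a rule against one COMMUNITIES value (AS in the upper 16 bits). */
int
community_match(const struct community *rule, uint32_t community,
    uint32_t neighbor_as)
{
	if (rule->as == COMMUNITY_UNSET)
		return 1;
	return part_match(rule->as, community >> 16, neighbor_as) &&
	    part_match(rule->type, community & 0xffff, neighbor_as);
}
```

The strict number parse matters more than it looks: strtoul() alone accepts a leading sign, leading whitespace and trailing junk, which is how a typo like "65001x:100" would silently become a different rule.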


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@
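
The two sanity checks this entry describes, as an added C example that is not bgpd's own code: the nexthop validity test (not class D or E, not 127/8) and the "enforce neighbor-as" check, which the transparent-as entry (1.150) on this page tells operators to switch off on the receiving neighbor. Function names and the flat AS_PATH array are assumptions made for the illustration, as is treating an empty path as a violation when enforcement is on.

```c
/* Added example, not bgpd's own code: the two sanity checks rev 1.63
 * describes, with function names and the flat AS_PATH representation
 * assumed for the illustration. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

/* addr in host byte order; 1 if usable as a nexthop, 0 if it is in 127/8,
 * class D (224/4) or class E (240/4) */
int
nexthop_valid_v4(uint32_t addr)
{
	if ((addr & 0xff000000U) == 0x7f000000U)	/* 127/8 loopback */
		return 0;
	if ((addr & 0xf0000000U) == 0xe0000000U)	/* class D, multicast */
		return 0;
	if ((addr & 0xf0000000U) == 0xf0000000U)	/* class E, reserved */
		return 0;
	return 1;
}

/* Same check for dotted-quad text as written in bgpd.conf; text that does
 * not parse counts as invalid. */
int
nexthop_valid_str(const char *s)
{
	struct in_addr in;

	if (inet_pton(AF_INET, s, &in) != 1)
		return 0;
	return nexthop_valid_v4(ntohl(in.s_addr));
}

/* "enforce neighbor-as yes": the leftmost AS of a received AS_PATH must be
 * the peer's AS. The path is a constructed flat array here; with the check
 * enabled an empty path is treated as a violation (assumption: an EBGP peer
 * always prepends itself). */
int
neighbor_as_ok(const uint32_t *aspath, size_t n, uint32_t remote_as,
    int enforce)
{
	if (!enforce)
		return 1;
	return n > 0 && aspath[0] == remote_as;
}
```

The class D/E masks are deliberately on the top nibble rather than on a list of prefixes, so 255.255.255.255 and the rest of 240/4 fall out of the same comparison.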


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered into the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.380 26-Feb-2019 claudio

Add support for '*', local-as and neighbor-as for ext-community matching
and setting. This allows rules like:
ext-community * * # delete any ext-community
ext-community ovs * # delete any ext-community of specified type
ext-community rt 1.2.3.4:*
and
ext-community rt 65001:local-as
ext-community rt local-as:11111

Note: Sometimes the type of the ext-community is underspecified when using
wildchars or expands. So 'ext-community rt *' or 'ext-community soo *' will
match for any of the 3 possible types (2-byte AS, 4-byte AS and IP address).
If local-as/neighbor-as is used as an expand of as-number like
ext-community rt local-as:11111
then bgpd will default to the 4-byte AS type to encode the community.

OK benno@


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow more than one
community to be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
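
Added example, not bgpd code and not part of this commit log: a Python model of the roa-set lookup described in revision 1.361 above and of the maxlen/prefixlen-range equivalence from 1.351 just above. It parses roa-set entries in the syntax shown in those messages, classifies a route as valid, invalid or not-found the way the ovs filter keyword distinguishes them (RFC 6811), and expresses 'maxlen N' as the range check 'prefixlen <len> - N' so the equivalence is visible in code. The parser, the function names and the constructed sample roa-set (built from the two entries quoted in 1.361) are this example's own, not bgpd's.

```python
"""Origin validation against a bgpd-style roa-set (added example, not bgpd code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress.IPv4Network or ipaddress.IPv6Network
    maxlen: int
    source_as: int


def parse_roa_set(text):
    """Parse entries written as '<prefix> [maxlen N] source-as <asn>', one per
    line with an optional trailing comma, as in the roa-set blocks quoted in the
    commit messages. 'roa-set ... {' and '}' lines and '#' comments are skipped."""
    roas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if not line or line.startswith("roa-set") or line == "}":
            continue
        toks = line.split()
        net = ipaddress.ip_network(toks[0], strict=True)   # host bits set -> error
        maxlen, source_as = net.prefixlen, None
        i = 1
        while i < len(toks):
            if i + 1 >= len(toks):
                raise ValueError(f"missing value after {toks[i]!r} in {raw!r}")
            if toks[i] == "maxlen":
                maxlen = int(toks[i + 1])
            elif toks[i] == "source-as":
                source_as = int(toks[i + 1])
            else:
                raise ValueError(f"unexpected token {toks[i]!r} in {raw!r}")
            i += 2
        if source_as is None or not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad roa-set entry: {raw!r}")
        roas.append(Roa(net, maxlen, source_as))
    return roas


def prefixlen_range_match(route, rule_prefix, lo, hi):
    """The 'prefix <rule_prefix> prefixlen lo - hi' test: route lies inside
    rule_prefix and its length is within [lo, hi]. 'maxlen N' on a ROA is the
    same test with lo = rule_prefix.prefixlen and hi = N."""
    return (route.version == rule_prefix.version
            and route.subnet_of(rule_prefix)
            and lo <= route.prefixlen <= hi)


def origin_validation(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' (RFC 6811), the three states the
    'ovs' filter keyword distinguishes."""
    route = ipaddress.ip_network(prefix, strict=True)
    if origin_as == 0:
        # AS 0 may never originate a route (RFC 7607); bgpd refuses such an
        # update outright rather than consulting the roa-set.
        return "invalid"
    covered = False
    for roa in roas:
        # A ROA covers the route if the route lies inside the ROA prefix at any
        # length; a covering ROA alone already rules out 'not-found'.
        if prefixlen_range_match(route, roa.prefix, roa.prefix.prefixlen,
                                 roa.prefix.max_prefixlen):
            covered = True
            # It matches only if the origin agrees and the route is no longer
            # than maxlen, i.e. 'prefixlen <len> - <maxlen>'.
            if roa.source_as == origin_as and prefixlen_range_match(
                    route, roa.prefix, roa.prefix.prefixlen, roa.maxlen):
                return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample: the two entries quoted in the 1.361 commit message.
SAMPLE_ROA_SET = """\
roa-set {
    165.254.255.0/24 source-as 15562
    193.0.0.0/21 maxlen 24 source-as 3333
}
"""
SAMPLE_ROAS = parse_roa_set(SAMPLE_ROA_SET)

if __name__ == "__main__":
    for prefix, asn in [("193.0.2.0/24", 3333), ("193.0.2.0/25", 3333),
                        ("193.0.0.0/21", 65000), ("10.0.0.0/8", 64512)]:
        print(f"{prefix:18s} AS{asn:<6d} {origin_validation(SAMPLE_ROAS, prefix, asn)}")
```

The cases worth noticing are a more-specific announced beyond maxlen (193.0.2.0/25 is covered, so it is invalid rather than not-found, which is exactly what a 'deny from any ovs invalid' rule is meant to catch) and a prefix no ROA covers at all, which stays not-found and must be handled by a separate rule.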


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These table
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm commiting it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
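
Added example, not bgpd code: a Python version of the max-as-len and max-as-seq checks described in 1.255 above, run over a decoded AS_PATH attribute, together with the AS 0 rejection from 1.301 earlier on this page (RFC 7607). The attribute decoder assumes 4-byte AS numbers (the as-4byte capability negotiated) and counts every AS number in every segment towards the path length; how bgpd itself counts AS_SET segments is not stated on this page, so that counting rule is an assumption of this example. The function names and the sample paths are constructed for the example.

```python
"""AS_PATH length and prepend checks (added example, not bgpd code)."""
import struct

AS_SET, AS_SEQUENCE = 1, 2        # segment types from RFC 4271


def parse_as_path(data):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].
    Assumes 4-byte AS numbers, i.e. the as-4byte capability was negotiated."""
    segments, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[off], data[off + 1]
        off += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        if count == 0:
            raise ValueError("empty segment")
        end = off + 4 * count
        if end > len(data):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack(f"!{count}I", data[off:end]))))
        off = end
    return segments


def encode_as_path(segments):
    """Inverse of parse_as_path; used here only to build the constructed samples."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}I", *asns)
    return bytes(out)


def as_path_len(segments):
    """Number of AS numbers in the path (assumption: AS_SET members each count)."""
    return sum(len(asns) for _, asns in segments)


def longest_as_seq(segments):
    """Longest run of one AS repeated back to back, i.e. the prepend count.
    AS_SET members are unordered, so they never form or extend a run."""
    best = 0
    for seg_type, asns in segments:
        if seg_type != AS_SEQUENCE:
            continue
        prev, run = None, 0
        for asn in asns:
            run = run + 1 if asn == prev else 1
            prev = asn
            best = max(best, run)
    return best


def check_as_path(data, max_as_len, max_as_seq):
    """'invalid' if AS 0 appears anywhere (RFC 7607: the update is marked invalid),
    'deny' if max-as-len or max-as-seq matches (strictly longer than the limit,
    as the commit message says), otherwise 'allow'."""
    segments = parse_as_path(data)
    if any(0 in asns for _, asns in segments):
        return "invalid"
    if as_path_len(segments) > max_as_len or longest_as_seq(segments) > max_as_seq:
        return "deny"
    return "allow"


# Constructed samples: a normal path, a heavily prepended one, one carrying AS 0
# and one that is simply too long.
SAMPLE_PATHS = {
    "plain":     encode_as_path([(AS_SEQUENCE, [65001, 3333])]),
    "prepended": encode_as_path([(AS_SEQUENCE, [65001] * 5 + [3333])]),
    "as0":       encode_as_path([(AS_SEQUENCE, [65001, 0, 3333])]),
    "too_long":  encode_as_path([(AS_SEQUENCE, list(range(64512, 64524)))]),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_PATHS.items():
        print(f"{name:10s} {check_as_path(raw, max_as_len=10, max_as_seq=3)}")
```

The decoder refuses truncated or unknown segments instead of reading past the buffer, which is the check a parser of attacker-supplied UPDATE data needs before any filter logic runs; the two filters themselves are a handful of comparisons once the path is a list.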


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.379 18-Feb-2019 claudio

Add stdlib.h since bsearch and strtoul need it.


# 1.378 18-Feb-2019 claudio

Initialize type and subtype because modern gcc complains about it.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@
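
Added example, not code from OpenBGPD or its authors: a C parser and matcher for the large-community filter syntax that 1.290 introduces and 1.295 fixes, written to show why the "*" and neighbor-as wildcards need their own tag per field once every field is a full 32-bit value. All type and function names are invented for this example, and the communities fed to it in main() are constructed.

```c
/*
 * Added example, not OpenBGPD code: parse a large-community filter spec
 * such as "neighbor-as:*:*" and match it against received communities.
 * All names below (lc_parse, lc_match, lc_spec_matches, the structs) are
 * this example's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Each large-community field is a full 32-bit value on the wire, so the
 * wildcards cannot be hidden in out-of-range magic numbers of a 32-bit
 * integer; keep a separate kind tag per field instead.
 */
enum lc_kind { LC_VALUE, LC_ANY, LC_NEIGHBOR_AS };

struct lc_field {
	enum lc_kind	kind;
	uint32_t	value;
};

struct large_community_filter {
	struct lc_field	f[3];
};

struct large_community {
	uint32_t	v[3];	/* global administrator, local data 1 and 2 */
};

/* Parse one field: "*", "neighbor-as" or a decimal number in 0..2^32-1. */
static int
lc_parse_field(const char *s, struct lc_field *f)
{
	unsigned long long	n;
	char			*end;

	if (strcmp(s, "*") == 0) {
		f->kind = LC_ANY;
		f->value = 0;
		return (0);
	}
	if (strcmp(s, "neighbor-as") == 0) {
		f->kind = LC_NEIGHBOR_AS;
		f->value = 0;
		return (0);
	}
	if (*s < '0' || *s > '9')	/* empty field, sign or garbage */
		return (-1);
	errno = 0;
	n = strtoull(s, &end, 10);
	if (errno != 0 || *end != '\0' || n > UINT32_MAX)
		return (-1);
	f->kind = LC_VALUE;
	f->value = (uint32_t)n;
	return (0);
}

/* Parse "global:local1:local2"; 0 on success, -1 on a syntax error. */
int
lc_parse(const char *spec, struct large_community_filter *lcf)
{
	char	buf[64], *p, *colon;
	int	i;

	if (strlen(spec) >= sizeof(buf))
		return (-1);
	memcpy(buf, spec, strlen(spec) + 1);
	p = buf;
	for (i = 0; i < 3; i++) {
		colon = strchr(p, ':');
		if (i < 2) {
			if (colon == NULL)
				return (-1);	/* too few fields */
			*colon = '\0';
		} else if (colon != NULL)
			return (-1);		/* too many fields */
		if (lc_parse_field(p, &lcf->f[i]) == -1)
			return (-1);
		if (i < 2)
			p = colon + 1;
	}
	return (0);
}

/* Match one community; neighbor_as is the remote AS of the session. */
int
lc_match(const struct large_community_filter *lcf,
    const struct large_community *lc, uint32_t neighbor_as)
{
	int	i;

	for (i = 0; i < 3; i++) {
		uint32_t want = lcf->f[i].kind == LC_NEIGHBOR_AS ?
		    neighbor_as : lcf->f[i].value;

		if (lcf->f[i].kind != LC_ANY && lc->v[i] != want)
			return (0);
	}
	return (1);
}

/* 1 if any community in list matches spec, 0 if none, -1 if spec is bad. */
int
lc_spec_matches(const char *spec, const struct large_community *list,
    size_t n, uint32_t neighbor_as)
{
	struct large_community_filter	lcf;
	size_t				i;

	if (lc_parse(spec, &lcf) == -1)
		return (-1);
	for (i = 0; i < n; i++)
		if (lc_match(&lcf, &list[i], neighbor_as))
			return (1);
	return (0);
}

int
main(void)
{
	/* Constructed sample: two communities on an UPDATE from AS 65001. */
	struct large_community	lcs[2] = {
		{ { 65001, 10, 20 } },
		{ { 4200000000u, 1, 2 } }
	};
	const char *specs[] = { "neighbor-as:*:*", "4200000000:1:2",
	    "65001:10:21", "65001:10", "4294967296:1:2" };
	size_t i;

	for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
		printf("%-20s -> %d\n", specs[i],
		    lc_spec_matches(specs[i], lcs, 2, 65001));
	return (0);
}
```

The matcher resolves neighbor-as at match time from the session's remote AS, which is what lets one rule like "allow from any large-community neighbor-as:*:*" serve every peer; a spec with too few or too many fields, or a field above 2^32-1, is rejected at parse time rather than silently wrapped.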


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permant
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@
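
Added example, not the bgpd lexer itself: the quoted-string rule written as a stand-alone C function that takes an explicit input length (strlen() would stop at exactly the byte that needs to be caught) and rejects an embedded NUL instead of silently truncating the token, the class of bug this revision closes. Names, result codes and the simplified backslash rule are this example's own, and the inputs in main() are constructed.

```c
/*
 * Added example, not the bgpd lexer: extract one double-quoted string from
 * a config buffer and refuse an embedded NUL instead of silently truncating
 * at it. Names (lex_quoted, the LEX_* codes) are this example's own; the
 * backslash rule is a simplification of the real parser's.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { LEX_OK = 0, LEX_UNTERMINATED = -1, LEX_EMBEDDED_NUL = -2,
    LEX_TOO_LONG = -3 };

/*
 * in/inlen: raw bytes starting at the opening quote, with an explicit length
 * because strlen() would stop at exactly the byte we want to catch.
 * out/outlen: destination for the unquoted, NUL-terminated string.
 * On LEX_OK, *consumed is the number of input bytes used, closing quote
 * included. Backslash-newline is a line continuation, backslash-<c> yields
 * <c>; a bare newline or end of input before the closing quote is an error.
 */
int
lex_quoted(const char *in, size_t inlen, char *out, size_t outlen,
    size_t *consumed)
{
	size_t	i, o = 0;

	if (inlen == 0 || in[0] != '"' || outlen == 0)
		return (LEX_UNTERMINATED);
	for (i = 1; i < inlen; i++) {
		char c = in[i];

		if (c == '\0')
			return (LEX_EMBEDDED_NUL);
		if (c == '\\') {
			if (++i >= inlen)
				return (LEX_UNTERMINATED);
			c = in[i];
			if (c == '\0')
				return (LEX_EMBEDDED_NUL);
			if (c == '\n')
				continue;	/* line continuation */
		} else if (c == '"') {
			out[o] = '\0';
			*consumed = i + 1;
			return (LEX_OK);
		} else if (c == '\n')
			return (LEX_UNTERMINATED);
		if (o + 1 >= outlen)
			return (LEX_TOO_LONG);	/* leave room for the NUL */
		out[o++] = c;
	}
	return (LEX_UNTERMINATED);
}

int
main(void)
{
	/* Constructed inputs; the second carries a NUL byte inside the quotes,
	 * the shape of input the fuzzer found against pfctl. */
	static const char good[] = "\"my anchor\" rest of line";
	static const char bad[] = "\"my\0anchor\"";
	char	out[32];
	size_t	used;
	int	r;

	r = lex_quoted(good, sizeof(good) - 1, out, sizeof(out), &used);
	printf("good: rc=%d str=\"%s\" consumed=%zu\n", r, out, used);
	r = lex_quoted(bad, sizeof(bad) - 1, out, sizeof(out), &used);
	printf("bad: rc=%d (LEX_EMBEDDED_NUL=%d)\n", r, LEX_EMBEDDED_NUL);
	return (0);
}
```

The two checks that matter are the explicit NUL test and the `o + 1 >= outlen` bound before every store: the first turns a fuzzer-friendly silent truncation into a syntax error, the second keeps a long string from running past the token buffer regardless of what the input contains.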


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value, so it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
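
Added example, not OpenBGPD's RDE code: decoding an AS_PATH attribute body into a flat AS list with every length checked before the bytes are read, then the two checks that max-as-len and max-as-seq express. It assumes the 4-byte AS encoding of RFC 6793 for every segment; the function names are invented for the example and the wire bytes in main() are constructed.

```c
/*
 * Added example, not OpenBGPD's RDE: decode an AS_PATH attribute body into
 * a flat list of AS numbers and apply the two checks that max-as-len and
 * max-as-seq express. Assumes the 4-byte AS encoding (RFC 6793); all
 * function names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AS_SET		1
#define AS_SEQUENCE	2

/*
 * Decode AS_PATH segments (type, count, count x 4-byte ASN) into out.
 * Returns the number of ASNs, or -1 on malformed input: truncated segment,
 * zero-length segment, unknown segment type, or more ASNs than out holds.
 * Every length check is done before the bytes are touched, since the
 * attribute comes straight from the peer.
 */
int
aspath_decode(const uint8_t *buf, size_t len, uint32_t *out, size_t outn)
{
	size_t	off = 0, cnt = 0, i;
	uint8_t	type, segn;

	while (off < len) {
		if (len - off < 2)
			return (-1);
		type = buf[off];
		segn = buf[off + 1];
		off += 2;
		if ((type != AS_SET && type != AS_SEQUENCE) || segn == 0)
			return (-1);
		if (len - off < (size_t)segn * 4 || outn - cnt < segn)
			return (-1);
		for (i = 0; i < segn; i++, off += 4)
			out[cnt++] = (uint32_t)buf[off] << 24 |
			    (uint32_t)buf[off + 1] << 16 |
			    (uint32_t)buf[off + 2] << 8 | buf[off + 3];
	}
	return ((int)cnt);
}

/* Longest run of one AS repeated back to back, i.e. the biggest prepend. */
size_t
aspath_max_seq(const uint32_t *path, size_t n)
{
	size_t	i, run = 0, best = 0;

	for (i = 0; i < n; i++) {
		run = (i > 0 && path[i] == path[i - 1]) ? run + 1 : 1;
		if (run > best)
			best = run;
	}
	return (best);
}

/* "max-as-len N": the rule matches when the path is longer than N ASNs. */
int
match_max_as_len(const uint32_t *path, size_t n, size_t max)
{
	(void)path;
	return (n > max);
}

/* "max-as-seq N": the rule matches when some AS is repeated more than N
 * times in a row. */
int
match_max_as_seq(const uint32_t *path, size_t n, size_t max)
{
	return (aspath_max_seq(path, n) > max);
}

int
main(void)
{
	/* Constructed attribute: one AS_SEQUENCE of five ASNs,
	 * 65001 65001 65001 64512 4200000000 (65001 prepended twice). */
	static const uint8_t wire[] = {
		0x02, 0x05,
		0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0xfd, 0xe9,
		0x00, 0x00, 0xfd, 0xe9,  0x00, 0x00, 0xfc, 0x00,
		0xfa, 0x56, 0xea, 0x00
	};
	uint32_t	path[32];
	int		n, i;

	n = aspath_decode(wire, sizeof(wire), path, 32);
	if (n < 0) {
		printf("malformed AS_PATH\n");
		return (1);
	}
	for (i = 0; i < n; i++)
		printf("%s%u", i ? " " : "", path[i]);
	printf("\nmax-as-len 4 matches: %d, max-as-seq 2 matches: %d\n",
	    match_max_as_len(path, n, 4), match_max_as_seq(path, n, 2));
	return (0);
}
```

A path that fails to decode is rejected outright rather than matched against either filter; the decoder deliberately treats a segment count of zero and a count that overruns the attribute as errors, both of which a hostile peer can send.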


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
in a protocol-independent way. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but instead it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
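
The two key forms the entries above talk about (an ASCII "password", or a
"key" given in hex, with the key length carried explicitly instead of via
strlen() and a too-long check that rejects only keys above the limit), worked
through as an added example. This is not bgpd's own code: the 80-byte
MAX_KEYLEN is an assumption for the example (the size of the TCP-MD5 key
buffer on OpenBSD), and the function names are invented here.

```python
"""Added example, not bgpd's code: parse a 'tcp md5sig' key given either as
an ASCII password or as a hex string into raw key bytes plus an explicit
key length.  MAX_KEYLEN is an assumption for this example; the log entries
above do not state the limit."""

MAX_KEYLEN = 80  # assumed limit for the example (TCP-MD5 key buffer size)


class KeySpecError(ValueError):
    """Raised for a malformed or over-long key specification."""


def hexnibble(c: str) -> int:
    """Value of one hex digit, done per nibble rather than with strtoul()
    so that stray characters such as '+', ' ' or an '0x' prefix are rejected."""
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "a" <= c <= "f":
        return ord(c) - ord("a") + 10
    if "A" <= c <= "F":
        return ord(c) - ord("A") + 10
    raise KeySpecError(f"not a hex digit: {c!r}")


def str2key(hexstr: str) -> bytes:
    """Hex string -> key bytes, two digits per byte, no implicit padding."""
    if not hexstr or len(hexstr) % 2:
        raise KeySpecError("hex key needs an even, non-zero number of digits")
    return bytes(
        (hexnibble(hexstr[i]) << 4) | hexnibble(hexstr[i + 1])
        for i in range(0, len(hexstr), 2)
    )


def md5sig_key(spec: str):
    """Parse 'password "<ascii>"' or 'key <hex>' and return (key, keylen).

    keylen travels separately from the bytes: a hex key may legitimately
    contain 0x00, so a strlen()-style length would silently truncate it.
    """
    kind, _, value = spec.strip().partition(" ")
    value = value.strip()
    if kind == "password":
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not value:
            raise KeySpecError("empty password")
        try:
            key = value.encode("ascii")  # ASCII only: a smaller key space
        except UnicodeEncodeError as e:
            raise KeySpecError("password must be ASCII") from e
    elif kind == "key":
        key = str2key(value)
    else:
        raise KeySpecError(f"unknown key specification: {kind!r}")
    # A key of exactly MAX_KEYLEN bytes is legal; only longer ones are refused.
    if len(key) > MAX_KEYLEN:
        raise KeySpecError(f"key too long: {len(key)} > {MAX_KEYLEN} bytes")
    return key, len(key)


if __name__ == "__main__":
    # Constructed sample specifications, including one that is one byte too long.
    for spec in ('password "s3cret"', "key 00ff10", "key " + "ab" * 81):
        try:
            key, keylen = md5sig_key(spec)
            print(f"{spec[:24]:24s} -> {keylen} bytes: {key.hex()}")
        except KeySpecError as e:
            print(f"{spec[:24]:24s} -> rejected: {e}")
```

The hex path accepts a key containing 0x00 bytes, which is exactly the case
where a strlen()-derived length would be wrong; the ASCII path is limited to
printable text for interoperability, as the entry above notes.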


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in those blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.377 18-Feb-2019 claudio

Drop netmpls/mpls.h include, not needed here.


# 1.376 18-Feb-2019 claudio

Use (unsigned) long long instead of (u_)int64_t since that drops the
need to do casts for printf.


# 1.375 18-Feb-2019 claudio

Do not depend on the length field of struct sockaddr instead pass the
length to the various functions needing it. Helps portability.
OK benno@


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is done with filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
	roa-set {
		165.254.255.0/24 source-as 15562
		193.0.0.0/21 maxlen 24 source-as 3333
	}
	deny from any ovs invalid
	match from any ovs valid set community local-as:42
	match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
	match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
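
The validation states the entry above filters on (valid, invalid, not-found),
worked through as an added example that is not part of bgpd: RFC 6811 origin
validation of a (prefix, origin AS) pair against a roa-set built from the
entry's own fragment, followed by the entry's three filter rules. The sample
announcements in the main block are constructed for the example; the
community strings are the ones the entry uses.

```python
"""Added example, not bgpd's code: RFC 6811 origin validation state for a
route against a roa-set, and the deny/tag policy from the log entry above."""
import ipaddress

# Constructed from the config fragment above: (prefix, maxlen or None, source-as)
ROA_SET = [
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
]


def load_roa_set(entries):
    """Normalise roa-set entries: maxlen defaults to the prefix length and must
    lie between the prefix length and the address family's maximum."""
    roas = []
    for prefix, maxlen, source_as in entries:
        net = ipaddress.ip_network(prefix)
        maxlen = net.prefixlen if maxlen is None else maxlen
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"{prefix}: maxlen {maxlen} out of range")
        roas.append((net, maxlen, source_as))
    return roas


def validate_origin(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'not-found' for a route (prefix, origin AS).

    not-found: no ROA covers the route at all.
    valid:     some covering ROA names this origin AS and the route is no
               longer than that ROA's maxlen.
    invalid:   covered, but every covering ROA fails the AS or maxlen test
               (so a ROA with source-as 0 makes every origin invalid).
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, maxlen, source_as in roas:
        # subnet_of() only compares networks of one family; skip the other.
        if route.version != net.version or not route.subnet_of(net):
            continue
        covered = True
        if route.prefixlen <= maxlen and origin_as == source_as:
            return "valid"
    return "invalid" if covered else "not-found"


def apply_policy(roas, prefix, origin_as):
    """The three rules from the entry: deny ovs invalid, tag valid/not-found."""
    ovs = validate_origin(roas, prefix, origin_as)
    if ovs == "invalid":
        return ("deny", ovs, None)
    tag = {"valid": "local-as:42", "not-found": "local-as:43"}[ovs]
    return ("accept", ovs, tag)


if __name__ == "__main__":
    roas = load_roa_set(ROA_SET)
    # Constructed sample announcements: (prefix, origin AS)
    for prefix, asn in [("193.0.0.0/21", 3333), ("193.0.4.0/22", 3333),
                        ("193.0.4.0/25", 3333), ("193.0.0.0/21", 64496),
                        ("165.254.255.0/25", 15562), ("10.0.0.0/8", 64496)]:
        print(prefix, asn, apply_policy(roas, prefix, asn))
```

Note the two ways a covered route ends up invalid: the wrong origin AS, or a
more specific announcement than the ROA's maxlen permits (165.254.255.0/25
against a /24 ROA without maxlen). Both are what the "deny from any ovs
invalid" rule drops.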


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
	roa-set "test2" {
		1.2.3.0/24 source-as 1,
		1.2.8.0/22 maxlen 24 source-as 3
	}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
	prefix 10.0.0.0/8 prefixlen 8 - 24
	prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
        token = lookup(buf);
        yylval.v.string = strdup(buf);
        if (yylval.v.string == NULL)
                fatal("yylex: strdup");
        return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.374 15-Feb-2019 claudio

Remove stray ',' at end of a yacc rule. Noticed by bison.


# 1.373 15-Feb-2019 claudio

Use the posix version of betoh64() which is spelled be64toh() this is more
portable.


# 1.372 13-Feb-2019 deraadt

(unsigned) means (unsigned int) which on ptrdiff_t or size_t or other
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also, to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
    roa-set {
        165.254.255.0/24 source-as 15562
        193.0.0.0/21 maxlen 24 source-as 3333
    }
    deny from any ovs invalid
    match from any ovs valid set community local-as:42
    match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
    match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend the check for
AS 0 and adjust the yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
    roa-set "test2" {
        1.2.3.0/24 source-as 1,
        1.2.8.0/22 maxlen 24 source-as 3
    }
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just AS numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
    prefix 10.0.0.0/8 prefixlen 8 - 24
    prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
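The ovs states tested by the filter rules in the 1.361 entry above, and the maxlen / prefixlen-range equivalence of 1.351, worked through as an added Python example that is not bgpd code: the roa-set is constructed from the 1.361 log entry, and the covered/matched logic assumes RFC 6811 semantics.

```python
import ipaddress

# Constructed sample roa-set mirroring the one shown in the rev 1.361 log
# entry; each tuple is (prefix, maxlen or None, source-as).
SAMPLE_ROA_SET = [
    ("165.254.255.0/24", None, 15562),
    ("193.0.0.0/21", 24, 3333),
]


def maxlen_to_range(prefix, maxlen=None):
    """Express 'prefix P maxlen N' as the equivalent 'prefixlen len(P) - N'
    range (rev 1.351). Without maxlen only the exact prefix length is
    accepted, which is also what a ROA means when maxLength is absent."""
    net = ipaddress.ip_network(prefix, strict=True)
    hi = net.prefixlen if maxlen is None else int(maxlen)
    if not net.prefixlen <= hi <= net.max_prefixlen:
        raise ValueError("maxlen %d out of range for %s" % (hi, net))
    return net.prefixlen, hi


def load_roa_set(entries):
    """Turn (prefix, maxlen, source-as) tuples into (network, maxlen, as)
    records, rejecting entries whose maxlen is out of range."""
    roas = []
    for prefix, maxlen, source_as in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        _, hi = maxlen_to_range(prefix, maxlen)
        roas.append((net, hi, int(source_as)))
    return roas


def origin_validation_state(prefix, origin_as, roas):
    """Return the ovs state a filter rule would test: 'valid', 'invalid' or
    'not-found' (assumed RFC 6811 semantics).

    A ROA covers a route when the route lies inside the ROA prefix; it
    matches when, in addition, the route is no longer than maxlen and the
    origin AS equals the ROA's source-as. Covered but unmatched is 'invalid',
    so a too-specific announcement of a ROA'd prefix is rejected rather than
    falling through to 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "not-found"
    for _, maxlen, source_as in covering:
        if route.prefixlen <= maxlen and source_as == origin_as:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    roas = load_roa_set(SAMPLE_ROA_SET)
    # Constructed routes: (prefix, origin AS taken from the AS path).
    for prefix, asn in [("165.254.255.0/24", 15562),
                        ("165.254.255.0/25", 15562),
                        ("193.0.4.0/23", 3333),
                        ("193.0.4.0/23", 64496),
                        ("193.0.8.0/22", 3333)]:
        print(prefix, asn, origin_validation_state(prefix, asn, roas))
```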


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
    deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
    rdomain 1 {
        descr "CUSTOMER1"
        rd 65003:1
        import-target rt 65003:3
        export-target rt 65003:1
        depend on mpe0
        network 192.168.224/24
    }
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
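
The two ways of giving a TCP MD5 key described in this commit and in 1.44 (reject an over-long password instead of truncating it), as an added example written for this page rather than bgpd's own str2key()/parser code. The KEY_LEN_MAX value, the struct and the helper names are assumptions for the demonstration; the real limit comes from the kernel's TCP_MD5_KEY_LEN.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed key buffer size for this example only. */
#define KEY_LEN_MAX 80

struct md5key {
	uint8_t	key[KEY_LEN_MAX];
	size_t	len;
};

/* One hex digit to its value, -1 for anything that is not a hex digit. */
static int
hexnibble(unsigned char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* "tcp md5sig password <ascii>": the key bytes are the printable string
 * itself, so only the printable subset of each byte's 256 values is
 * reachable. An over-long password is an error, never truncated. */
static int
password_to_key(const char *pw, struct md5key *k)
{
	size_t n = strlen(pw);

	if (n == 0 || n > KEY_LEN_MAX)
		return -1;
	memcpy(k->key, pw, n);
	k->len = n;
	return 0;
}

/* "tcp md5sig key <hex>": two hex digits per key byte, converted one
 * nibble at a time, so every byte value is reachable. Odd length, a
 * non-hex character or an over-long key is rejected. */
static int
hex_to_key(const char *hex, struct md5key *k)
{
	size_t n = strlen(hex), i;
	int hi, lo;

	if (n == 0 || n % 2 != 0 || n / 2 > KEY_LEN_MAX)
		return -1;
	for (i = 0; i < n; i += 2) {
		hi = hexnibble((unsigned char)hex[i]);
		lo = hexnibble((unsigned char)hex[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = n / 2;
	return 0;
}

/* Small helpers returning plain ints so the results are easy to check. */
static int
hex_key_byte(const char *hex, size_t idx)
{
	struct md5key k;

	if (hex_to_key(hex, &k) == -1 || idx >= k.len)
		return -1;
	return k.key[idx];
}

static int
password_len(const char *pw)
{
	struct md5key k;

	return password_to_key(pw, &k) == -1 ? -1 : (int)k.len;
}

static int
overlong_password_rejected(void)
{
	char big[KEY_LEN_MAX + 2];

	memset(big, 'a', KEY_LEN_MAX + 1);
	big[KEY_LEN_MAX + 1] = '\0';
	return password_len(big) == -1;
}

int
main(void)
{
	struct md5key k;
	size_t i;

	if (hex_to_key("deadbeef00ff", &k) == 0) {
		printf("hex key, %zu bytes:", k.len);
		for (i = 0; i < k.len; i++)
			printf(" %02x", k.key[i]);
		printf("\n");
	}
	printf("odd-length hex rejected: %s\n",
	    hex_to_key("abc", &k) == -1 ? "yes" : "no");
	return 0;
}
```

The point of the hex form is visible in hex_to_key(): a byte like 0x00 or 0xff can appear in the key, which no printable password can produce, so a hex key drawn from a good random source has the full 8 bits of entropy per byte.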


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.371 12-Feb-2019 claudio

Move the yyerror in case get_mpe_config fails. If bgpd -n is used just
ignore the error and move on. This helps regress tests.


# 1.370 11-Feb-2019 claudio

The definition of VPNs in bgpd was never super elegant. The 'depend on
mpeX' config was a bit redundant. Also to make it more flexible (e.g. having
more than one mpeX interface per rdomain) the syntax was changed.

To make this possible especially the network distribution logic had to be
adjusted and cleaned up. This should in general make network statements
well defined and conflicts between 'network A.B.C.D/N' and e.g. 'network static'
are handled in a well defined way ('network A.B.C.D/N' has preference).

With and OK dlg@, OK denis@


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' a OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
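
The roa-set matching from 1.361 (ovs valid / invalid / not-found) and the prefixlen-range view of maxlen from this commit, as one added example written for this page; it is not bgpd's RDE or trie code. IPv4 only, the two ROA entries are the ones from the 1.361 commit message entered as constructed data, and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A ROA: covering prefix, its length, the longest announceable length and
 * the authorised origin AS. maxlen == plen when no maxlen was given. */
struct roa {
	uint32_t prefix;	/* host byte order */
	uint8_t  plen;
	uint8_t  maxlen;
	uint32_t source_as;
};

enum ovs { OVS_NOT_FOUND, OVS_VALID, OVS_INVALID };

/* Netmask for a prefix length, in host byte order; /0 is all zeros. */
static uint32_t
plen_mask(unsigned plen)
{
	return plen == 0 ? 0 : ~(uint32_t)0 << (32 - plen);
}

/* "prefix P/L prefixlen lo - hi", of which "prefix P/L maxlen hi" is the
 * special case lo == L: true when cp/clen lies inside P/L and clen is
 * within [lo, hi]. */
static int
prefix_in_range(uint32_t cp, unsigned clen, uint32_t p, unsigned plen,
    unsigned lo, unsigned hi)
{
	if (clen < lo || clen > hi || clen < plen)
		return 0;
	return (cp & plen_mask(plen)) == (p & plen_mask(plen));
}

/* Origin validation over a roa-set: no covering ROA -> not-found; a
 * covering ROA whose source-as matches and whose maxlen is not exceeded
 * -> valid; covered but every covering ROA fails one of those -> invalid. */
static enum ovs
roa_validate(const struct roa *set, size_t n, uint32_t cp, unsigned clen,
    uint32_t origin_as)
{
	size_t i;
	int covered = 0;

	for (i = 0; i < n; i++) {
		/* coverage is decided by the ROA prefix alone, not by maxlen */
		if (!prefix_in_range(cp, clen, set[i].prefix, set[i].plen,
		    set[i].plen, 32))
			continue;
		covered = 1;
		if (set[i].source_as == origin_as && clen <= set[i].maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOT_FOUND;
}

/* Dotted quad to host-order uint32 for the constructed sample data. */
static uint32_t
ip4(const char *s)
{
	unsigned a, b, c, d;

	if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
		return 0;
	return a << 24 | b << 16 | c << 8 | d;
}

/* The roa-set from the 1.361 commit message, as constructed data. */
static const struct roa sample_set[] = {
	{ 0xA5FEFF00, 24, 24, 15562 },	/* 165.254.255.0/24 source-as 15562 */
	{ 0xC1000000, 21, 24, 3333 },	/* 193.0.0.0/21 maxlen 24 source-as 3333 */
};

/* Validate addr/clen announced by origin_as against sample_set. */
static enum ovs
check(const char *addr, unsigned clen, uint32_t origin_as)
{
	return roa_validate(sample_set,
	    sizeof(sample_set) / sizeof(sample_set[0]), ip4(addr), clen,
	    origin_as);
}

int
main(void)
{
	static const char *names[] = { "not-found", "valid", "invalid" };

	printf("165.254.255.0/24 AS15562: %s\n", names[check("165.254.255.0", 24, 15562)]);
	printf("165.254.255.0/25 AS15562: %s\n", names[check("165.254.255.0", 25, 15562)]);
	printf("193.0.4.0/22 AS3333: %s\n", names[check("193.0.4.0", 22, 3333)]);
	printf("10.0.0.0/8 AS3333: %s\n", names[check("10.0.0.0", 8, 3333)]);
	return 0;
}
```

The second case is the one operators most often get wrong: the /25 is covered by the /24 ROA and comes from the right AS, but exceeds maxlen, so it is invalid rather than not-found, and a "deny from any ovs invalid" rule drops it. A less specific announcement than the ROA (193.0.0.0/20) is not covered at all and stays not-found.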


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm commiting it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flags is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable peer neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even so some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudi needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.369 04-Feb-2019 claudio

Implement as-override, a feature where the neighbor AS is replaced by the
local AS in AS paths. This is sometimes needed in bigger transport networks
where private AS numbers are used in multiple locations.
The implementation is done using a filterset which modifies the AS path -
somewhat inspired by the set attribute code. Setting as-override yes will add
match from <neighbor> set { as-override }
to the start of the filter rules. Since this is filters the Adj-RIB-In still
holds the original path and so reloads changing the setting just work.
With and OK markus@


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filterstatements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
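
The token/ownership problem this commit describes, as an added C example that is not bgpd's code: a keyword table kept sorted for bsearch() (the log's recurring "keywords have to be sorted"), the pre-1.71 lexer beside the fixed one, and a counter for the bytes the grammar would never free. The token names, the yylval layout and the sample words are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A handful of bgpd-style tokens; STRING is the catch-all for non-keywords. */
enum token { STRING = 258, GROUP, NEIGHBOR, REMOTEAS, ROUTERID };

/* Keyword table; like bgpd's it must stay sorted because lookup() uses bsearch(). */
static const struct keyword {
	const char	*k_name;
	int		 k_val;
} keywords[] = {
	{ "group",	GROUP },
	{ "neighbor",	NEIGHBOR },
	{ "remote-as",	REMOTEAS },
	{ "router-id",	ROUTERID },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* Map a word to its keyword token, or STRING if it is not a keyword. */
static int
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p != NULL ? p->k_val : STRING;
}

/* Stand-in for the yacc yylval union; only STRING's value is freed by the grammar. */
static struct { char *string; } yylval;

/* Before rev. 1.71: strdup() for every token, but only STRING's copy is ever freed. */
static int
yylex_leaky(const char *buf)
{
	int token = lookup(buf);

	if ((yylval.string = strdup(buf)) == NULL)
		exit(1);
	return token;
}

/* After rev. 1.71: allocate only when the grammar will take ownership. */
static int
yylex_fixed(const char *buf)
{
	int token = lookup(buf);

	yylval.string = NULL;
	if (token == STRING && (yylval.string = strdup(buf)) == NULL)
		exit(1);
	return token;
}

/* Constructed config words as the lexer would see them, one token each. */
static const char *const sample_words[] =
    { "neighbor", "192.0.2.1", "remote-as", "65001" };
#define SAMPLE_NWORDS (sizeof(sample_words) / sizeof(sample_words[0]))

/*
 * Feed words through a lexer and count the bytes the grammar would never
 * free: whatever hangs off yylval after a non-STRING token.  The demo frees
 * them itself so that only the count, not the leak, survives.
 */
static size_t
leaked_bytes(int (*lex)(const char *), const char *const *words, size_t n)
{
	size_t leaked = 0, i;

	for (i = 0; i < n; i++) {
		int token = lex(words[i]);

		if (token != STRING && yylval.string != NULL)
			leaked += strlen(yylval.string) + 1;
		free(yylval.string);	/* the STRING action, or our cleanup */
		yylval.string = NULL;
	}
	return leaked;
}

int
main(void)
{
	printf("leaky lexer: %zu bytes unreachable after one line\n",
	    leaked_bytes(yylex_leaky, sample_words, SAMPLE_NWORDS));
	printf("fixed lexer: %zu bytes unreachable after one line\n",
	    leaked_bytes(yylex_fixed, sample_words, SAMPLE_NWORDS));
	return 0;
}
```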


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer; the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither are outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.368 30-Dec-2018 denis

add support for IPv6 VPN routes

The kernel bits are missing as of now. With input from claudio@ and kn@

OK claudio@


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@

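The prefixlen forms this log keeps coming back to (rev 1.351's "maxlen N" versus "prefixlen len - N", rev 1.268's "or-longer" as shorthand for "prefixlen >= len", rev 1.333's printing of the shortest equivalent spelling) all collapse into a single [min, max] length range. The following is an added C illustration of that, not code from bgpd: the struct, the function names and the printing choices are this example's own, and only the OP_RANGE/OP_NONE names echo the log.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; bgpd's real structs differ. */
enum prefixlen_op { OP_NONE = 0, OP_RANGE = 1 };

struct prefixlen_rule {
	int			len;		/* length of the prefix itself, 8 for 10.0.0.0/8 */
	int			maxbits;	/* 32 for inet, 128 for inet6 */
	enum prefixlen_op	op;
	int			min;		/* inclusive lower bound, valid for OP_RANGE */
	int			max;		/* inclusive upper bound, valid for OP_RANGE */
};

/* Fill *r with an OP_RANGE covering [min, max]; -1 if the range is bogus. */
static int
rule_range(struct prefixlen_rule *r, int len, int maxbits, int min, int max)
{
	if (len < 0 || len > maxbits || min < len || max > maxbits || min > max)
		return -1;
	r->len = len;
	r->maxbits = maxbits;
	r->op = OP_RANGE;
	r->min = min;
	r->max = max;
	return 0;
}

/* "prefix P/len maxlen N" is "prefix P/len prefixlen len - N" (rev 1.351). */
static int
rule_maxlen(struct prefixlen_rule *r, int len, int maxbits, int maxlen)
{
	return rule_range(r, len, maxbits, len, maxlen);
}

/* "prefix P/len or-longer" is "prefixlen >= len", i.e. len - maxbits (rev 1.268). */
static int
rule_or_longer(struct prefixlen_rule *r, int len, int maxbits)
{
	return rule_range(r, len, maxbits, len, maxbits);
}

/* Does a route with prefix length plen fall inside the rule? */
static int
rule_match(const struct prefixlen_rule *r, int plen)
{
	if (r->op == OP_NONE)
		return plen == r->len;		/* bare prefix: exact match only */
	return plen >= r->min && plen <= r->max;
}

/*
 * Print the shortest equivalent spelling, in the spirit of rev 1.333 where
 * "prefixlen 8 - 32" on a /8 is printed as "or-longer".  Which spelling wins
 * is this example's choice, not printconf.c's.
 */
static const char *
rule_print(const struct prefixlen_rule *r, char *buf, size_t buflen)
{
	if (r->op == OP_NONE)
		buf[0] = '\0';
	else if (r->min == r->len && r->max == r->maxbits)
		snprintf(buf, buflen, "or-longer");
	else if (r->min == r->max)
		snprintf(buf, buflen, "prefixlen = %d", r->min);
	else
		snprintf(buf, buflen, "prefixlen %d - %d", r->min, r->max);
	return buf;
}

/* Build a maxlen rule and answer whether plen matches; -1 for a bogus rule. */
static int
maxlen_matches(int len, int maxbits, int maxlen, int plen)
{
	struct prefixlen_rule r;

	if (rule_maxlen(&r, len, maxbits, maxlen) == -1)
		return -1;
	return rule_match(&r, plen);
}

/* Build an explicit range and compare its printed form against expect. */
static int
range_prints_as(int len, int maxbits, int min, int max, const char *expect)
{
	struct prefixlen_rule r;
	char buf[64];

	if (rule_range(&r, len, maxbits, min, max) == -1)
		return 0;
	return strcmp(rule_print(&r, buf, sizeof(buf)), expect) == 0;
}

int
main(void)
{
	struct prefixlen_rule r;
	char buf[64];

	/* the two equivalent statements from rev 1.351 */
	printf("maxlen 24 on /8 accepts /24: %d, rejects /25: %d\n",
	    maxlen_matches(8, 32, 24, 24), maxlen_matches(8, 32, 24, 25));
	rule_or_longer(&r, 8, 32);
	printf("or-longer on /8 prints as '%s'\n", rule_print(&r, buf, sizeof(buf)));
	return 0;
}
```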

# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change an optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exceptions are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and I added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.367 28-Dec-2018 denis

set conf.capabilities.mp to 0 by default

OK claudio@


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries are allowing to define a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon as'es.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better then nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier to
support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc
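
The "subtype key:value" form introduced above, the perfect-match filtering of rev 1.249 and the "rt 65003:1" route targets of rev 1.254 all sit on the RFC 4360 8-byte wire encoding. As an added example that is not OpenBGPD's code: an encoder and decoder for that encoding. It assumes only the two subtypes rt (route target, 0x02) and soo (route origin, 0x03), and takes the key as a 2-byte AS, a 4-byte AS (RFC 5668 type 0x02) or a dotted IPv4 address (type 0x01); sample values are constructed.

```python
# Added example (not OpenBGPD code): RFC 4360 extended community encoding for
# the "subtype key:value" syntax. Subtypes rt and soo are the assumed set.
import ipaddress
import struct

SUBTYPES = {"rt": 0x02, "soo": 0x03}
SUBTYPE_NAMES = {v: k for k, v in SUBTYPES.items()}


def encode_ext_community(subtype, key, value):
    """Return the 8-byte wire form of one extended community."""
    sub = SUBTYPES[subtype]
    if isinstance(key, str):
        # IPv4 address specific: type 0x01, 4-byte address, 2-byte local admin
        if not 0 <= value <= 0xFFFF:
            raise ValueError("local admin out of range for IPv4-specific community")
        return struct.pack("!BBIH", 0x01, sub, int(ipaddress.IPv4Address(key)), value)
    if 0 <= key <= 0xFFFF:
        # two-octet AS specific: type 0x00, 2-byte AS, 4-byte local admin
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("local admin out of range for 2-byte AS community")
        return struct.pack("!BBHI", 0x00, sub, key, value)
    if 0 <= key <= 0xFFFFFFFF:
        # four-octet AS specific: type 0x02, 4-byte AS, 2-byte local admin
        if not 0 <= value <= 0xFFFF:
            raise ValueError("local admin out of range for 4-byte AS community")
        return struct.pack("!BBIH", 0x02, sub, key, value)
    raise ValueError("AS number out of range")


def decode_ext_community(data):
    """Parse 8 bytes back into (subtype name or number, key, value)."""
    if len(data) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    # low 6 bits carry the type; bit 6 is the transitive flag, bit 7 the IANA bit
    typ, sub = data[0] & 0x3F, data[1]
    name = SUBTYPE_NAMES.get(sub, sub)
    if typ == 0x00:
        key, value = struct.unpack("!HI", data[2:])
    elif typ == 0x01:
        addr, value = struct.unpack("!IH", data[2:])
        key = str(ipaddress.IPv4Address(addr))
    elif typ == 0x02:
        key, value = struct.unpack("!IH", data[2:])
    else:
        raise ValueError("unsupported extended community type 0x%02x" % typ)
    return name, key, value


def ext_community_matches(wanted, attr_bytes):
    """Perfect match only (as in rev 1.249): compare the exact 8-byte encoding
    against every 8-byte community carried in the attribute."""
    if len(attr_bytes) % 8:
        raise ValueError("malformed extended communities attribute")
    return any(attr_bytes[i:i + 8] == wanted for i in range(0, len(attr_bytes), 8))


if __name__ == "__main__":
    wire = encode_ext_community("rt", 65003, 1)      # constructed sample: "rt 65003:1"
    print(wire.hex(), decode_ext_community(wire))
```

Note that the same "65003:1" written as a regular (RFC 1997) community is a different 4-byte object; the extended form has room for a 4-byte local administrator, which is why the 2-byte-AS type gets a 32-bit value and the other two types only 16 bits.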


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two-liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way saner than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@
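
As an added example (not OpenBGPD's parser): a strict reader for AS numbers as they appear in the config. ASPLAIN ("196618") is what this revision adds; accepting the older ASDOT form ("3.10", the notation rev 1.204 uses for "AS 3.10") alongside it is an assumption of this example, as is the reserved-65535 check taken from rev 1.199 and the "needs the 4-byte capability" rule from rev 1.204. Inputs are constructed.

```python
# Added example (not OpenBGPD code): parse ASPLAIN / ASDOT AS numbers strictly.
import re

AS_MAX = 0xFFFFFFFF
AS_RESERVED_2BYTE = 65535    # reserved, rejected since rev 1.199

_ASDOT = re.compile(r"(\d{1,5})\.(\d{1,5})")
_ASPLAIN = re.compile(r"\d{1,10}")    # digits only: no sign, no spaces, no 1_000


def parse_asnum(text):
    """Return the AS number as an int, or raise ValueError with a reason."""
    m = _ASDOT.fullmatch(text)
    if m:
        hi, lo = int(m.group(1)), int(m.group(2))
        if hi > 0xFFFF or lo > 0xFFFF:
            raise ValueError("asdot halves must each be <= 65535")
        asn = hi * 65536 + lo
    elif _ASPLAIN.fullmatch(text):
        asn = int(text)
    else:
        raise ValueError("AS number: expected ASPLAIN (N) or ASDOT (X.Y), got %r" % text)
    if asn > AS_MAX:
        raise ValueError("AS number %d does not fit in 32 bits" % asn)
    if asn == AS_RESERVED_2BYTE:
        raise ValueError("AS 65535 is reserved")
    return asn


def needs_as4_capability(local_as, remote_as):
    """Rev 1.204 rule: only speak 4-byte AS on a session where one side's AS
    does not fit in 16 bits."""
    return local_as > 0xFFFF or remote_as > 0xFFFF


if __name__ == "__main__":
    for sample in ("196618", "3.10", "65003"):     # constructed samples
        print(sample, "->", parse_asnum(sample))
```

Why the hand-rolled regex instead of int(): Python's int() happily accepts "+5", " 5", and "1_000", none of which belong in a config token, and silently accepting them hides typos in the same way rev 1.167's earlier range check existed to catch oversized values.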


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@

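The inflate/deflate step the commit above describes is the RFC 4893 mechanism (AS4_PATH is the RFC's name for the NEW_ASPATH attribute mentioned there). As an added example that is not bgpd's RDE code: the two directions for a plain AS_SEQUENCE path, with AS_TRANS (23456) standing in for every 4-byte AS on the wire to an old-style peer. The check that ignores an AS4_PATH longer than AS_PATH is RFC 4893's; the sample paths are constructed.

```python
# Added example (not OpenBGPD code): RFC 4893 AS_PATH / AS4_PATH handling
# for sessions with a peer that did not negotiate the 4-byte AS capability.
AS_TRANS = 23456    # 2-byte placeholder for any AS that does not fit in 16 bits


def deflate_aspath(path):
    """What goes on the wire to an old-style peer.
    Returns (as_path, as4_path); as4_path is None when no AS needed replacing,
    in which case no AS4_PATH attribute is sent at all."""
    if all(asn <= 0xFFFF for asn in path):
        return list(path), None
    as_path = [asn if asn <= 0xFFFF else AS_TRANS for asn in path]
    return as_path, list(path)


def inflate_aspath(as_path, as4_path):
    """Reconstruct the full path from an old-style peer's AS_PATH plus the
    AS4_PATH it passed along untouched. AS_PATH may have grown on the way,
    because old-style speakers prepend their own 2-byte AS to AS_PATH only."""
    if as4_path is None:
        return list(as_path)
    if len(as4_path) > len(as_path):
        # RFC 4893: an AS4_PATH with more ASes than AS_PATH is bogus, ignore it
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return as_path[:keep] + list(as4_path)


if __name__ == "__main__":
    full = [196618, 3320]                      # constructed: 4-byte AS in front
    wire, as4 = deflate_aspath(full)
    print("to old peer:", wire, "AS4_PATH:", as4)
    # an old-style transit AS 174 prepends itself to AS_PATH only
    print("back at a 4-byte speaker:", inflate_aspath([174] + wire, as4))
```

The deflated path is what an old-style peer's loop detection and "enforce neighbor-as" checks see, which is why rev 1.204 notes that communities (fixed at 2-byte AS) cannot be converted the same way.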

# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independently. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered into the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@
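
The community syntax of this revision grows over the log: the "*" wildcard here, neighbor-as expansion in rev 1.179, "set community delete 65001:*" in rev 1.180, AS part 0 allowed in rev 1.205 while 65535 stays reserved for the well-known names (rev 1.206), and NO_PEER joining them in rev 1.178. As an added example that is not bgpd's parsecommunity(): a parser and matcher for that syntax, with the well-known values from RFC 1997 and RFC 3765 and a constructed set of communities to match against.

```python
# Added example (not OpenBGPD code): "AS:value" community rules with '*',
# neighbor-as and the well-known names, plus the match and delete operations.
import re

WELLKNOWN = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NO_PEER": 0xFFFFFF04,      # RFC 3765
}
WILDCARD = None            # '*' in either half of a rule
NEIGHBOR_AS = "neighbor-as"

_RULE = re.compile(r"(\*|neighbor-as|\d+):(\*|\d+)")


def parse_community(spec):
    """Return (as_part, value_part); each is an int or WILDCARD, and the AS
    part may also be NEIGHBOR_AS, which is expanded per peer at match time."""
    if spec in WELLKNOWN:
        return WELLKNOWN[spec] >> 16, WELLKNOWN[spec] & 0xFFFF
    m = _RULE.fullmatch(spec)
    if m is None:
        raise ValueError("bad community %r" % spec)
    a, v = m.group(1), m.group(2)
    if a == "*":
        as_part = WILDCARD
    elif a == NEIGHBOR_AS:
        as_part = NEIGHBOR_AS
    else:
        as_part = int(a)            # 0 is allowed, it is in use (rev 1.205)
        if as_part == 65535:
            raise ValueError("AS 65535 is reserved for well-known communities; use their names")
        if as_part > 65535:
            raise ValueError("the AS part of a community is a 2-byte number")
    val = WILDCARD if v == "*" else int(v)
    if val is not WILDCARD and val > 65535:
        raise ValueError("community value must fit in 16 bits")
    return as_part, val


def community_matches(rule, community, remote_as):
    """Does one (as, value) community from an UPDATE match a parsed rule?
    A 4-byte remote_as can never match: communities stay 2-byte (rev 1.204)."""
    a, v = rule
    if a == NEIGHBOR_AS:
        a = remote_as
    return (a is WILDCARD or a == community[0]) and (v is WILDCARD or v == community[1])


def delete_communities(communities, rule, remote_as):
    """'set community delete RULE': drop every community the rule matches."""
    return [c for c in communities if not community_matches(rule, c, remote_as)]


if __name__ == "__main__":
    attrs = [(65001, 100), (65001, 200), (3320, 1)]     # constructed sample
    print(delete_communities(attrs, parse_community("65001:*"), remote_as=174))
```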


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():

	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);

lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
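
The allocation pattern this commit describes, with the leaking and the fixed lexer side by side and a bsearch()-based lookup() that needs a sorted keyword table (the point of 1.77 below). This is an added example, not bgpd's code: the token values, the keyword table and the function names (lex_leaky, lex_fixed, lex_run) are made up for illustration, and the heap copies are instrumented so the leak can be counted.

```c
/* Added example, not bgpd's code: keyword lookup and yylval string
 * allocation in a yacc-style lexer, leaking version beside the fix. */
#include <stdlib.h>
#include <string.h>

enum token { STRING = 258, AS, GROUP, NEIGHBOR, PASSIVE };	/* made up */

struct keyword {
	const char	*k_name;
	int		 k_val;
};

/* keep sorted by name: lookup() does a bsearch() over this table */
static const struct keyword keywords[] = {
	{ "AS",		AS },
	{ "group",	GROUP },
	{ "neighbor",	NEIGHBOR },
	{ "passive",	PASSIVE },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->k_name);
}

/* token for a keyword, STRING for everything else */
int
lookup(const char *s)
{
	const struct keyword *p;

	p = bsearch(s, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p != NULL ? p->k_val : STRING;
}

/* instrumented heap copies so the leak is observable */
static size_t live_strings;

static char *
track_strdup(const char *s)
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);

	if (p != NULL) {
		memcpy(p, s, len);
		live_strings++;
	}
	return p;
}

static void
track_free(char *p)
{
	if (p != NULL) {
		live_strings--;
		free(p);
	}
}

/* before the fix: every token gets a copy, but the grammar only free()s
 * yylval.v.string for STRING, so every keyword token leaks one copy */
int
lex_leaky(const char *buf, char **strp)
{
	int token = lookup(buf);

	*strp = track_strdup(buf);
	return token;
}

/* after the fix: only STRING carries a heap copy */
int
lex_fixed(const char *buf, char **strp)
{
	int token = lookup(buf);

	*strp = token == STRING ? track_strdup(buf) : NULL;
	return token;
}

/* Run words through a lexer and consume them the way the parser does (free
 * on STRING only); return how many heap strings were left behind. */
size_t
lex_run(int (*lex)(const char *, char **), const char *const *words, size_t n)
{
	size_t before = live_strings, i;

	for (i = 0; i < n; i++) {
		char *s;

		if (lex(words[i], &s) == STRING)
			track_free(s);
	}
	return live_strings - before;
}

/* constructed input: the tokens of one neighbor line */
static const char *const sample[] =
    { "neighbor", "192.0.2.1", "AS", "65001", "passive" };
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))
```

Running the five sample tokens through lex_leaky leaves three copies behind (one per keyword), through lex_fixed none; on a daemon that reparses its config on every reload that difference is what adds up over time.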


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
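
The two ways of giving a key that 1.43 and 1.44 above describe (hex without the character-set limit, ASCII with it, and an error rather than silent truncation when the key is too long), as an added example that is not bgpd's own code: the function names hexkey_parse and password_copy and the KEY_MAX limit are made up for illustration, and KEY_MAX is a placeholder, not bgpd's real limit.

```c
/* Added example, not bgpd's code: strict conversion of a configured key.
 * KEY_MAX is a placeholder limit, not the real one. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_MAX	80	/* hypothetical maximum key length in bytes */

/* value of one hex digit, or -1 if c is not a hex digit */
static int
hexval(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Convert a hex string ("0x" prefix optional) to bytes in key[]. Returns the
 * key length, or -1 on an odd number of digits, a non-hex character, empty
 * input or a key longer than keymax. A too-long key is an error, never a
 * silently truncated key.
 */
int
hexkey_parse(const char *s, uint8_t *key, size_t keymax)
{
	size_t len, i;

	if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
		s += 2;
	len = strlen(s);
	if (len == 0 || len % 2 != 0 || len / 2 > keymax)
		return -1;
	for (i = 0; i < len; i += 2) {
		int hi = hexval(s[i]), lo = hexval(s[i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/* ASCII password: the bytes are used as-is, which limits the key space to
 * printable characters; still refuse rather than truncate when too long. */
int
password_copy(const char *s, uint8_t *key, size_t keymax)
{
	size_t len = strlen(s);

	if (len == 0 || len > keymax)
		return -1;
	memcpy(key, s, len);
	return (int)len;
}
```

Both functions report the length they produced, so the caller can set keylen from the return value instead of deriving it again from the input (the omission 1.84 above fixes).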


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fecthed in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.366 19-Dec-2018 claudio

Fold ext-communities into filter_community so that bgpd can match
multiple ext-communities at the same time as well. Additionally this fixes
parsing some of the ext-community types. Now all communities are handled
by one common struct.
OK benno@ plus some input from denis@


# 1.365 06-Dec-2018 claudio

Implement a simple ruleset optimizer. All it does is merge filter rules that
only differ in the filter sets. Since this is still rather common it is able
to reduce the number of rules by 5% on an autogenerated config.
OK job@


# 1.364 28-Nov-2018 claudio

Start reworking community handling. Merge standard communities and large
communities into one filter_community struct and allow it that more than
one community can be used in filter rules (currently up to 3).
Also rework the code handling bgpctl show rib commands. The special IMSG
types for the various filters are gone and the code is in general simpler.
OK job@, phessler@


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows looking up
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
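
The three outcomes the filter rules above act on (valid, invalid, not-found), computed over the roa-set from this commit message, as an added example that is not bgpd's own code: the struct and function names (struct roa, roaset, origin_validate) are made up, the two ROA entries are the ones quoted above, and the rule that an origin of AS 0 never matches follows RFC 6811 and RFC 7607 rather than anything this commit states.

```c
/* Added example, not bgpd's code: RFC 6811 origin validation over a small
 * roa-set table. Names are made up; the entries are from the commit message. */
#include <stdint.h>
#include <stddef.h>

#define IP4(a, b, c, d) \
	((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

enum ovs { OVS_NOTFOUND, OVS_VALID, OVS_INVALID };

struct roa {
	uint32_t prefix;	/* IPv4 prefix, host byte order */
	uint8_t plen;		/* prefix length */
	uint8_t maxlen;		/* longest announcement the ROA authorises */
	uint32_t source_as;	/* authorised origin AS */
};

/* the roa-set from the commit message; without maxlen, maxlen == plen */
static const struct roa roaset[] = {
	{ IP4(165, 254, 255, 0), 24, 24, 15562 },
	{ IP4(193, 0, 0, 0),     21, 24, 3333 },
};
#define ROASET_N (sizeof(roaset) / sizeof(roaset[0]))

static uint32_t
plen_mask(unsigned plen)
{
	return plen == 0 ? 0 : ~(uint32_t)0 << (32 - plen);
}

/* A ROA covers a route when the ROA prefix contains the route prefix;
 * maxlen plays no part in coverage, only in matching. */
static int
roa_covers(const struct roa *r, uint32_t prefix, unsigned plen)
{
	return plen >= r->plen &&
	    (prefix & plen_mask(r->plen)) == (r->prefix & plen_mask(r->plen));
}

/*
 * not-found: no covering ROA at all.
 * valid:     some covering ROA has the route's origin AS and plen <= maxlen.
 * invalid:   covered, but no ROA matches. An origin of AS 0 never matches,
 *            so an AS 0 ROA makes its whole covered space invalid.
 */
enum ovs
origin_validate(const struct roa *set, size_t n, uint32_t prefix,
    unsigned plen, uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (!roa_covers(&set[i], prefix, plen))
			continue;
		covered = 1;
		if (origin_as != 0 && set[i].source_as == origin_as &&
		    plen <= set[i].maxlen)
			return OVS_VALID;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}
```

The cases worth checking are the two that operators most often get wrong: a more specific announced past maxlen (193.0.4.0/25 from AS 3333) is invalid, not valid, because the /21 ROA covers it; and a less specific than any ROA (193.0.0.0/20) is not-found, not invalid, because nothing covers it.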


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Cannot allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set a fast lookup table to be used instead of long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@
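
The normalisation this commit and 1.351, 1.341 and 1.58 above describe, with every prefixlen operator (8 - 24, 8 >< 24, >=, or-longer, maxlen, =) folded into one inclusive range and != kept as the one case that is not a range, as an added example that is not bgpd's own code: the operator enum, the struct names and plen_normalize/plen_match are made up for illustration, and matching the route's prefix against the rule's prefix is assumed to happen separately.

```c
/* Added example, not bgpd's code: prefixlen operators as one [min, max]
 * range. Operator names and structs are made up. */
#include <stdint.h>

enum prefixop {
	OP_NONE,	/* bare prefix: exact length only */
	OP_EQ, OP_NE, OP_LE, OP_LT, OP_GE, OP_GT,
	OP_RANGE,	/* prefixlen a - b, inclusive */
	OP_XRANGE,	/* prefixlen a >< b, exclusive */
	OP_ORLONGER,	/* prefix/len or-longer */
	OP_MAXLEN	/* prefix/len maxlen a, the roa-set spelling */
};

struct plen_rule {
	uint8_t plen;		/* length of the rule's own prefix */
	enum prefixop op;
	uint8_t a, b;		/* operands */
};

struct plen_range {
	uint8_t min, max;	/* inclusive bounds on the route's length */
	int invert;		/* set for !=, the one op that is not a range */
};

/*
 * Express a rule as one range. afmax is 32 for IPv4, 128 for IPv6.
 * A range can never match routes shorter than the rule's prefix, so the
 * lower bound is raised to it; an empty range (8 >< 9) or a bound past
 * afmax is an error.
 */
int
plen_normalize(const struct plen_rule *r, unsigned afmax,
    struct plen_range *out)
{
	unsigned min = 0, max = 0;

	out->invert = 0;
	switch (r->op) {
	case OP_NONE:     min = max = r->plen; break;
	case OP_EQ:       min = max = r->a; break;
	case OP_NE:       min = max = r->a; out->invert = 1; break;
	case OP_LE:       min = r->plen; max = r->a; break;
	case OP_LT:       min = r->plen; max = r->a - 1u; break;	/* wraps for 0 */
	case OP_GE:       min = r->a; max = afmax; break;
	case OP_GT:       min = r->a + 1u; max = afmax; break;
	case OP_RANGE:    min = r->a; max = r->b; break;
	case OP_XRANGE:   min = r->a + 1u; max = r->b - 1u; break;
	case OP_ORLONGER: min = r->plen; max = afmax; break;
	case OP_MAXLEN:   min = r->plen; max = r->a; break;
	default:          return -1;
	}
	if (r->op != OP_NE && min < r->plen)
		min = r->plen;
	if (max > afmax || min > max)
		return -1;
	out->min = (uint8_t)min;
	out->max = (uint8_t)max;
	return 0;
}

/* Does a route of length plen satisfy the normalised rule? */
int
plen_match(const struct plen_range *r, unsigned plen)
{
	int in = plen >= r->min && plen <= r->max;

	return r->invert ? !in : in;
}

/* build a rule and normalise it in one call */
int
plen_range_of(uint8_t plen, enum prefixop op, uint8_t a, uint8_t b,
    unsigned afmax, struct plen_range *out)
{
	struct plen_rule r = { plen, op, a, b };

	return plen_normalize(&r, afmax, out);
}
```

With everything reduced to a range, "prefix 10.0.0.0/8 prefixlen 8 - 24" and "prefix 10.0.0.0/8 maxlen 24" produce the same bounds, which is the equivalence 1.351 states, and a prefix-set trie only has to store one (min, max) pair per entry.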


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm commiting it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to use == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudi needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error pathes, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
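
An added C example, not bgpd's code and not part of this log, of the two key forms this message and 1.103, 1.110 and 1.44 talk about: a hex key converted one nibble at a time, and an ASCII password taken byte for byte, both bounded by an assumed KEY_MAXLEN of 80 bytes and rejecting rather than silently truncating over-long input. The names str2key and password2key and the limit are the example's own assumptions, not values taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed upper bound on the key length; stands in for the daemon's own
 * limit and is not taken from the page. */
#define KEY_MAXLEN	80

/* One hex digit to its value, or -1. Converting per nibble avoids
 * strtoul(), which would also accept signs, whitespace and "0x". */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Hex form: "tcp md5sig key <hex>". Returns the key length in bytes, or
 * -1 for an empty or odd-length string, a non-hex character, or a key
 * longer than keymax bytes. Exactly 2*keymax digits is accepted; this
 * length comparison is where an off-by-one of the kind 1.110 describes
 * would hide. */
int
str2key(const char *s, uint8_t *key, size_t keymax)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0 || len / 2 > keymax)
		return -1;
	for (i = 0; i < len; i += 2) {
		if ((hi = hexnibble((unsigned char)s[i])) == -1 ||
		    (lo = hexnibble((unsigned char)s[i + 1])) == -1)
			return -1;
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/* ASCII form: "tcp md5sig password <text>". The key bytes are the
 * characters themselves, which is what limits the key space compared to
 * the hex form. Over-long input is an error, never a truncation. */
int
password2key(const char *s, uint8_t *key, size_t keymax)
{
	size_t len = strlen(s);

	if (len == 0 || len > keymax)
		return -1;
	memcpy(key, s, len);
	return (int)len;
}
```

The caller passes the real buffer size as keymax, so the bound lives in one place; a separate length field (the point of 1.101) is what the returned length feeds, since a hex key may legitimately contain zero bytes and strlen() would lie about it.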


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.363 18-Nov-2018 claudio

Use correct name when printing the error message that a network prefix-set
is not found. Fixes crash reported by Tom Smyth.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@
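
An added C example, not bgpd's code and not part of this log, of the config-time checks that 1.67, 1.63 and this message describe (1.301, further down, covers the AS 0 case on the wire): an AS number parser that rejects values above the 4-byte range as well as the reserved AS 0 and AS 23456, and an IPv4 nexthop check that rejects class D, class E and 127/8. The function names and the AS_TRANS define are the example's own.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define AS_TRANS	23456	/* RFC 6793 placeholder for 4-byte ASes */

/* Reason a configured AS number is rejected; NULL means acceptable. */
const char *
check_as(uint32_t as)
{
	if (as == 0)
		return "AS 0 is reserved (RFC 7607)";
	if (as == AS_TRANS)
		return "AS 23456 (AS_TRANS) is reserved";
	return NULL;
}

/* Parse a decimal AS number. Rejects junk, a leading sign or whitespace,
 * anything above the 32-bit range (the upper bound 1.67 enforces) and the
 * reserved numbers above. Returns 0 and sets *as on success, -1 otherwise. */
int
parse_as(const char *s, uint32_t *as)
{
	unsigned long long v;
	char *end;

	if (!isdigit((unsigned char)*s))
		return -1;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (*end != '\0' || errno != 0 || v > UINT32_MAX)
		return -1;
	if (check_as((uint32_t)v) != NULL)
		return -1;
	*as = (uint32_t)v;
	return 0;
}

/* Nexthop sanity check from 1.63 for IPv4 text addresses: reject
 * multicast (class D, 224/4), class E (240/4) and loopback (127/8).
 * Returns 1 when usable, 0 otherwise (including unparsable input). */
int
nexthop4_valid(const char *s)
{
	struct in_addr in;
	uint32_t a;

	if (inet_pton(AF_INET, s, &in) != 1)
		return 0;
	a = ntohl(in.s_addr);
	if ((a & 0xf0000000U) == 0xe0000000U)	/* 224.0.0.0/4, class D */
		return 0;
	if ((a & 0xf0000000U) == 0xf0000000U)	/* 240.0.0.0/4, class E */
		return 0;
	if ((a & 0xff000000U) == 0x7f000000U)	/* 127.0.0.0/8 */
		return 0;
	return 1;
}
```

check_as() returns the message rather than a bare flag so the parser's yyerror() can print the offending number and the reason, which is the point of the "adjust yyerror message" half of this commit.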


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@
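
Worked example, added here and not part of bgpd or of this log: a small C implementation of the origin-validation semantics that 1.361, 1.356 and this message describe (a roa-set of prefix / maxlen / source-as entries, and the valid, invalid and not-found outcomes that 'ovs' matches on), following the RFC 6811 covered/matched definitions. The names roa_validate and parse_prefix4 are the example's own, it handles IPv4 only, and the two sample entries are the ones quoted in the 1.361 message; nothing here is bgpd's code.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Origin validation state, the values the 'ovs' filter keyword tests. */
enum ovs { OVS_NOTFOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

/* One roa-set entry: "<prefix>/<plen> [maxlen <maxlen>] source-as <as>".
 * Without maxlen, maxlen equals plen, i.e. the exact prefix only. */
struct roa {
	uint32_t	prefix;		/* IPv4, host byte order */
	uint8_t		plen;
	uint8_t		maxlen;
	uint32_t	source_as;
};

/* Parse "a.b.c.d/len" into a host-order prefix and length; -1 on error. */
int
parse_prefix4(const char *s, uint32_t *prefix, uint8_t *plen)
{
	char buf[32], *slash, *end;
	struct in_addr in;
	long len;

	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) == NULL)
		return -1;
	*slash++ = '\0';
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -1;
	len = strtol(slash, &end, 10);
	if (*slash == '\0' || *end != '\0' || len < 0 || len > 32)
		return -1;
	*prefix = ntohl(in.s_addr);
	*plen = (uint8_t)len;
	return 0;
}

static uint32_t
prefix_mask(uint8_t plen)
{
	return plen == 0 ? 0 : 0xffffffffU << (32 - plen);
}

/* RFC 6811 "covered": ROA length <= route length and the first ROA-length
 * bits agree. A route longer than maxlen is still covered, which is what
 * turns it into invalid rather than not-found. */
static int
roa_covers(const struct roa *r, uint32_t prefix, uint8_t plen)
{
	uint32_t m = prefix_mask(r->plen);

	return plen >= r->plen && (prefix & m) == (r->prefix & m);
}

/* RFC 6811 "matched": covered, within maxlen, and the origin AS agrees. */
static int
roa_matches(const struct roa *r, uint32_t prefix, uint8_t plen, uint32_t as)
{
	return roa_covers(r, prefix, plen) && plen <= r->maxlen &&
	    r->source_as == as;
}

/* valid if any entry matches; invalid if some entry covers but none
 * matches; not-found if no entry covers the route at all. */
enum ovs
roa_validate(const struct roa *set, size_t n, uint32_t prefix, uint8_t plen,
    uint32_t origin_as)
{
	int covered = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		if (roa_matches(&set[i], prefix, plen, origin_as))
			return OVS_VALID;
		if (roa_covers(&set[i], prefix, plen))
			covered = 1;
	}
	return covered ? OVS_INVALID : OVS_NOTFOUND;
}

/* Textual front end: an enum ovs value, or -1 if route does not parse. */
int
roa_validate_str(const struct roa *set, size_t n, const char *route,
    uint32_t origin_as)
{
	uint32_t prefix;
	uint8_t plen;

	if (parse_prefix4(route, &prefix, &plen) == -1)
		return -1;
	return roa_validate(set, n, prefix, plen, origin_as);
}

/* The two entries from the 1.361 example, constructed as sample data:
 *   165.254.255.0/24 source-as 15562
 *   193.0.0.0/21 maxlen 24 source-as 3333 */
const struct roa sample_roas[] = {
	{ 0xa5feff00U, 24, 24, 15562 },
	{ 0xc1000000U, 21, 24, 3333 },
};
const size_t sample_roas_n = 2;
```

The maxlen field is exactly the "prefixlen 8 - 24" range this message talks about: roa_covers() is the lower bound of the range and the plen <= maxlen test in roa_matches() the upper one, which is why a too-specific announcement under a covering ROA ends up invalid and not simply unknown.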


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let the rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm commiting it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permant
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
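The two filters described in this entry, together with the RFC 7607 rule from revision 1.301 that an UPDATE carrying AS 0 is invalid, can be checked against an AS path without running bgpd. The following Python is an added example, not bgpd code and not part of this log: it models 'max-as-len N' (matches when the path has more than N ASNs), 'max-as-seq N' (matches when one ASN is repeated more than N times in a row) and the AS 0 check. AS paths are constructed lists of ints using documentation ASNs, AS_SETs are not modelled, and the function names are the example's own.

```python
# Added example, not bgpd code: semantics of the max-as-len and max-as-seq
# filters over a BGP AS_PATH, plus the RFC 7607 AS 0 check from revision 1.301.
# An AS path is modelled as a list of ints (AS_SEQUENCE only; AS_SETs are not
# modelled). Sample paths below are constructed from documentation ASNs.
from typing import Sequence


def as_path_len(path: Sequence[int]) -> int:
    """Number of ASNs in the path, the quantity max-as-len compares against."""
    return len(path)


def longest_as_run(path: Sequence[int]) -> int:
    """Longest run of consecutive identical ASNs, i.e. the longest prepend."""
    best = run = 0
    prev = None
    for asn in path:
        run = run + 1 if asn == prev else 1
        prev = asn
        best = max(best, run)
    return best


def match_max_as_len(path: Sequence[int], limit: int) -> bool:
    """'max-as-len N' matches when the path is longer than N."""
    return as_path_len(path) > limit


def match_max_as_seq(path: Sequence[int], limit: int) -> bool:
    """'max-as-seq N' matches when some ASN is repeated more than N times in a row."""
    return longest_as_run(path) > limit


def has_as0(path: Sequence[int]) -> bool:
    """RFC 7607: AS 0 anywhere in the AS_PATH makes the route invalid."""
    return 0 in path


def evaluate(path: Sequence[int], max_len: int, max_seq: int) -> str:
    """Outcome for a ruleset of the form
         deny from any max-as-len <max_len>
         deny from any max-as-seq <max_seq>
         allow from any
       Returns 'invalid' (AS 0 present), 'deny' or 'allow'."""
    if has_as0(path):
        return "invalid"
    if match_max_as_len(path, max_len) or match_max_as_seq(path, max_seq):
        return "deny"
    return "allow"


# Constructed sample paths (documentation ASNs from RFC 5398).
SAMPLE_PATHS = {
    "normal": [64496, 64497, 64498],
    "prepended": [64496, 64497, 64497, 64497, 64497, 64497, 64497, 64498],
    "long": [64496 + (i % 16) for i in range(100)],  # 100 hops, no two adjacent equal
    "as0": [64496, 0, 64498],
}


def run_samples(max_len: int = 50, max_seq: int = 5) -> dict:
    """Evaluate every sample path against the given limits."""
    return {name: evaluate(p, max_len, max_seq) for name, p in SAMPLE_PATHS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} len={as_path_len(SAMPLE_PATHS[name]):3d} "
              f"maxseq={longest_as_run(SAMPLE_PATHS[name])} -> {verdict}")
```

Note that the comparison is strictly greater than the limit in both filters, as the entry states, so 'max-as-seq 5' still lets a five-fold prepend through and only denies the sixth repetition.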


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier to
support. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific one or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.
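The community handling that this log builds up piece by piece (NO_PEER in this entry, neighbor-as in 1.179, 'set community delete 65001:*' in 1.180, 0 allowed as the AS part but 65535 reserved for well-known values in 1.205/1.206, BLACKHOLE in 1.284, large communities in 1.290, the '*' and neighbor-as magic values outgrowing a u_int in 1.295, and GRACEFUL_SHUTDOWN in 1.311) fits in one small matcher. The following Python is an added example, not bgpd code and not part of this log: wildcards and neighbor-as/local-as are carried as string tokens rather than out-of-range integers, which is the problem 1.295 had to work around in C. The well-known values are the IANA registrations (NO_EXPORT 65535:65281, NO_ADVERTISE 65535:65282, NO_EXPORT_SUBCONFED 65535:65283, NO_PEER 65535:65284, BLACKHOLE 65535:666, GRACEFUL_SHUTDOWN 65535:0); function names and the sample communities are the example's own.

```python
# Added example, not bgpd code: parse, match, set and delete standard (RFC 1997)
# and large (RFC 8092) communities the way the filter language in this log
# describes them. Wildcards and neighbor-as/local-as are kept as string
# tokens so no integer "magic value" is needed (compare revision 1.295).
from typing import List, Optional, Sequence, Tuple, Union

Part = Union[int, str]
Community = Tuple[int, ...]          # (as, value) or (global, local1, local2)
Pattern = Tuple[Part, ...]

ANY, NEIGHBOR_AS, LOCAL_AS = "*", "neighbor-as", "local-as"

WELLKNOWN = {                        # IANA well-known standard communities
    "NO_EXPORT": (65535, 65281),
    "NO_ADVERTISE": (65535, 65282),
    "NO_EXPORT_SUBCONFED": (65535, 65283),
    "NO_PEER": (65535, 65284),
    "BLACKHOLE": (65535, 666),
    "GRACEFUL_SHUTDOWN": (65535, 0),
}


def _part(tok: str, limit: int) -> Part:
    if tok in (ANY, NEIGHBOR_AS, LOCAL_AS):
        return tok
    n = int(tok)
    if not 0 <= n <= limit:
        raise ValueError(f"community part out of range: {tok}")
    return n


def parse_community(spec: str) -> Pattern:
    """'65001:*', 'neighbor-as:*:*' or a well-known name -> pattern tuple.
    AS part 0 is accepted (it is in use); 65535 is reserved for the
    well-known communities and only reachable through their names."""
    if spec in WELLKNOWN:
        return WELLKNOWN[spec]
    parts = spec.split(":")
    if len(parts) == 2:
        a, v = _part(parts[0], 0xFFFF), _part(parts[1], 0xFFFF)
        if a == 0xFFFF:
            raise ValueError("65535 is reserved for well-known communities")
        return (a, v)
    if len(parts) == 3:
        return tuple(_part(p, 0xFFFFFFFF) for p in parts)
    raise ValueError(f"bad community: {spec}")


def expand(pattern: Pattern, neighbor_as: int, local_as: Optional[int] = None) -> Pattern:
    """Replace neighbor-as / local-as with the values of the current session."""
    out = []
    for p in pattern:
        if p == NEIGHBOR_AS:
            p = neighbor_as
        elif p == LOCAL_AS:
            if local_as is None:
                raise ValueError("local-as used without a local AS")
            p = local_as
        out.append(p)
    return tuple(out)


def community_matches(pattern: Pattern, comm: Community, neighbor_as: int,
                      local_as: Optional[int] = None) -> bool:
    """A standard pattern never matches a large community and vice versa."""
    if len(pattern) != len(comm):
        return False
    return all(p == ANY or p == c
               for p, c in zip(expand(pattern, neighbor_as, local_as), comm))


def delete_communities(comms: Sequence[Community], pattern: Pattern, neighbor_as: int,
                       local_as: Optional[int] = None) -> List[Community]:
    """'set community delete <pattern>' / 'set large-community delete <pattern>'."""
    return [c for c in comms if not community_matches(pattern, c, neighbor_as, local_as)]


def set_community(comms: Sequence[Community], pattern: Pattern, neighbor_as: int,
                  local_as: Optional[int] = None) -> List[Community]:
    """'set community <pattern>': wildcards are not allowed when setting."""
    value = expand(pattern, neighbor_as, local_as)
    if ANY in value:
        raise ValueError("'*' is only valid when matching or deleting")
    return list(comms) if value in comms else list(comms) + [value]
```

With this in place, "allow from any large-community neighbor-as:*:*" from revision 1.295 is parse_community("neighbor-as:*:*") matched with the session's remote AS, and "match in from any set community local-as:neighbor-as" from 1.302 is set_community with both ASNs supplied.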


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when givenm, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of the same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the British
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus

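Added example, not bgpd's str2key() or any code from the commits: the two ways of giving a TCP MD5 key that 1.43 describes, with the checks the later entries (1.44 "whine when too long", 1.86 "more checks on the keys", 1.101 "separate field for the key len", 1.110 "off by one in key too long detection") add. MD5KEY_MAX is an assumed limit for the example, not bgpd's constant; the nibble conversion is written by hand rather than with strtoul(), which would also accept signs, whitespace and a "0x" prefix that have no business in a key.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MD5KEY_MAX	80	/* assumed for this example */

/* One hex digit to its value, or -1 for anything else. */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return (c - '0');
	if (c >= 'a' && c <= 'f')
		return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F')
		return (c - 'A' + 10);
	return (-1);
}

/*
 * Hex key: exactly two digits per byte, length checked before anything is
 * written, and the length returned separately because the key may contain
 * 0x00 bytes that strlen() would stop at.
 */
int
str2key(const char *s, uint8_t *key, size_t keymax, size_t *keylen)
{
	size_t len = strlen(s), i;
	int hi, lo;

	if (len == 0 || len % 2 != 0)
		return (-1);		/* odd digit count: no implicit leading zero */
	if (len / 2 > keymax)
		return (-1);		/* too long: reject, never truncate */
	for (i = 0; i < len; i += 2) {
		hi = hexnibble((unsigned char)s[i]);
		lo = hexnibble((unsigned char)s[i + 1]);
		if (hi < 0 || lo < 0)
			return (-1);
		key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	*keylen = len / 2;
	return (0);
}

/* ASCII password: the bytes of the string are the key, same length limit. */
int
password2key(const char *pw, uint8_t *key, size_t keymax, size_t *keylen)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keymax)
		return (-1);		/* complain instead of silently truncating */
	memcpy(key, pw, len);
	*keylen = len;
	return (0);
}

/* Parsed key length, or -1 when the input is rejected. */
int
hexkey_len(const char *s)
{
	uint8_t key[MD5KEY_MAX];
	size_t n;

	return (str2key(s, key, sizeof(key), &n) == 0 ? (int)n : -1);
}

int
password_len(const char *s)
{
	uint8_t key[MD5KEY_MAX];
	size_t n;

	return (password2key(s, key, sizeof(key), &n) == 0 ? (int)n : -1);
}

/* Why keylen is a field of its own: "00ff" is a 2-byte key strlen() sees as empty. */
int
strlen_loses_key_bytes(void)
{
	uint8_t key[MD5KEY_MAX + 1];
	size_t n;

	memset(key, 0, sizeof(key));
	if (str2key("00ff", key, MD5KEY_MAX, &n) != 0)
		return (-1);
	return (strlen((const char *)key) != n);	/* 1: 0 != 2 */
}

/* Boundary: 2*MD5KEY_MAX hex digits fit exactly, two more digits do not. */
int
length_boundary_ok(void)
{
	char hex[2 * MD5KEY_MAX + 3];

	memset(hex, 'a', sizeof(hex) - 1);
	hex[2 * MD5KEY_MAX] = '\0';
	if (hexkey_len(hex) != MD5KEY_MAX)
		return (0);
	hex[2 * MD5KEY_MAX] = 'a';
	hex[2 * MD5KEY_MAX + 2] = '\0';
	return (hexkey_len(hex) == -1);
}
```

The length check compares len / 2 against keymax before the loop touches the buffer, so an over-long key cannot write past the end and cannot be quietly cut to size; both are easy to get wrong by one.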

# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.362 01-Nov-2018 sashan

- odd condition/test in PF lexer
(and other lexers too)

This commit rectifies earlier change:

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).

OK deraadt@, OK millert@


Revision tags: OPENBSD_6_4_BASE
# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@

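Added example, not bgpd's RDE code: the origin validation state that the 'ovs valid|invalid|not-found' filter keywords above match on, computed from the roa-set in the commit message as constructed input. The algorithm is RFC 6811 section 2 (a ROA covers a route when the route prefix lies inside the ROA prefix; a covering ROA with the right source-as and maxlen makes the route valid; covering ROAs that all mismatch make it invalid; none covering means not-found). An entry without maxlen, like 165.254.255.0/24 above, gets maxlen equal to its prefix length, as RFC 6482 specifies. IPv4 only, to keep the prefix arithmetic short.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum ovs { OVS_NOTFOUND = 0, OVS_VALID = 1, OVS_INVALID = 2 };

struct roa {
	uint32_t	prefix;		/* IPv4 prefix, host byte order */
	uint8_t		plen;
	uint8_t		maxlen;		/* equals plen when none is configured */
	uint32_t	source_as;
};

static uint32_t
plen_mask(uint8_t len)
{
	return (len == 0 ? 0 : 0xffffffffU << (32 - len));	/* no shift by 32 */
}

static int
parse_v4(const char *s, uint32_t *out)
{
	struct in_addr a;

	if (inet_pton(AF_INET, s, &a) != 1)
		return (-1);
	*out = ntohl(a.s_addr);
	return (0);
}

/* RFC 6811 section 2 over a plain array; bgpd uses a trie for the same lookup. */
enum ovs
origin_validate(const struct roa *set, size_t n, uint32_t prefix,
    uint8_t plen, uint32_t origin_as)
{
	size_t i;
	int covered = 0;

	for (i = 0; i < n; i++) {
		if (plen < set[i].plen)
			continue;	/* route is less specific than the ROA */
		if ((prefix & plen_mask(set[i].plen)) !=
		    (set[i].prefix & plen_mask(set[i].plen)))
			continue;	/* different address block */
		covered = 1;
		if (plen <= set[i].maxlen && set[i].source_as == origin_as)
			return (OVS_VALID);
	}
	return (covered ? OVS_INVALID : OVS_NOTFOUND);
}

/* Build one ROA from text; maxlen 0 means "not given" and defaults to plen. */
static int
mkroa(struct roa *r, const char *pfx, uint8_t plen, uint8_t maxlen, uint32_t as)
{
	if (parse_v4(pfx, &r->prefix) == -1 || plen > 32 || maxlen > 32)
		return (-1);
	r->plen = plen;
	r->maxlen = maxlen == 0 ? plen : maxlen;
	if (r->maxlen < plen)
		return (-1);		/* maxlen shorter than the prefix is nonsense */
	r->source_as = as;
	return (0);
}

/*
 * The roa-set from the commit message, as constructed input. Returns -1 on
 * malformed input, otherwise the enum ovs value for the route.
 */
int
demo_check(const char *pfx, uint8_t plen, uint32_t origin_as)
{
	struct roa set[2];
	uint32_t p;

	if (mkroa(&set[0], "165.254.255.0", 24, 0, 15562) == -1 ||
	    mkroa(&set[1], "193.0.0.0", 21, 24, 3333) == -1 ||
	    parse_v4(pfx, &p) == -1 || plen > 32)
		return (-1);
	return (origin_validate(set, 2, p, plen, origin_as));
}
```

The two cases worth remembering when writing 'deny from any ovs invalid': a more specific announcement than maxlen allows (165.254.255.0/25 here) is invalid even from the right AS, while a less specific one (193.0.0.0/20) is not covered at all and stays not-found.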

# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and cannot be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows to trigger
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows to add more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want that commas and newlines are allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of a long list of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@

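A minimal bgpd.conf in the shape the 1.322 message recommends for the migration, added here as an illustration; it is not part of this log or of the bgpd sources, and the AS numbers, addresses and prefixes are made-up documentation values:

```conf
# Added example, not from the bgpd tree: explicit "announce all" on the
# neighbor and default-deny filters in both directions, as suggested in
# the 1.322 commit message. All numbers are documentation values.
AS 65001
router-id 192.0.2.1

# prefix we intend to originate
network 198.51.100.0/24

neighbor 192.0.2.3 {
	remote-as 65002
	descr "upstream"
	announce all
}

# default deny both ways first, then allow only what is intended
deny from any
deny to any
allow from 192.0.2.3 prefix 203.0.113.0/24
allow to 192.0.2.3 prefix 198.51.100.0/24
```

As the message says, `bgpd -nv -f bgpd.conf` checks the syntax and `bgpctl show rib out nei <peer>` shows what actually leaves towards a neighbor once the config is loaded.
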

# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default forever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
	rdomain 1 {
		descr "CUSTOMER1"
		rd 65003:1
		import-target rt 65003:3
		export-target rt 65003:1
		depend on mpe0
		network 192.168.224/24
	}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oops


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error pathes, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@
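Added example (not bgpd code, and not part of the commit above): a Python evaluator for the filter syntax that commit introduces ("prefix 10.0.0.0/8 prefixlen >= 8", "prefixlen 8-24", "prefixlen 8><24") run against candidate routes. Assumed semantics: "a-b" is inclusive on both ends, "a><b" excludes both ends, a bare "prefix" without a prefixlen operator matches only that exact prefix, and the inet/inet6 keyword from a later commit is modelled as an optional address family restriction.

```python
# Added example, not bgpd code: prefix / prefixlen filter matching.
# Semantics of the operators are assumptions stated in the lead-in.
import ipaddress
import re

_RANGE = re.compile(r"^(\d+)\s*(-|><)\s*(\d+)$")
_CMP = re.compile(r"^(=|!=|<=|>=|<|>)\s*(\d+)$")


def parse_prefixlen(spec):
    """Turn a prefixlen operator string into a predicate on a prefix length."""
    spec = spec.strip()
    m = _RANGE.match(spec)
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        if lo > hi:
            raise ValueError("prefixlen range must be ascending: %r" % spec)
        if op == "-":
            return lambda n: lo <= n <= hi       # inclusive range
        return lambda n: lo < n < hi             # exclusive range
    m = _CMP.match(spec)
    if m:
        op, val = m.group(1), int(m.group(2))
        return {
            "=": lambda n: n == val,
            "!=": lambda n: n != val,
            "<": lambda n: n < val,
            "<=": lambda n: n <= val,
            ">": lambda n: n > val,
            ">=": lambda n: n >= val,
        }[op]
    raise ValueError("unknown prefixlen operator: %r" % spec)


class PrefixRule:
    """The prefix / prefixlen / address family part of one filter rule."""

    def __init__(self, prefix=None, prefixlen=None, af=None):
        self.prefix = ipaddress.ip_network(prefix) if prefix else None
        self.pred = parse_prefixlen(prefixlen) if prefixlen else None
        self.version = {None: None, "inet": 4, "inet6": 6}[af]
        if self.prefix is not None and self.version is not None \
                and self.prefix.version != self.version:
            raise ValueError("prefix and address family disagree")

    def matches(self, route):
        net = ipaddress.ip_network(route)
        if self.version is not None and net.version != self.version:
            return False
        if self.prefix is not None:
            if net.version != self.prefix.version:
                return False
            if self.pred is None:
                return net == self.prefix        # bare prefix: exact match only
            if not net.subnet_of(self.prefix):  # with operator: covered routes
                return False
        if self.pred is not None and not self.pred(net.prefixlen):
            return False
        return True


def filter_routes(rule, routes):
    """Return the routes (strings) the rule matches, in input order."""
    return [r for r in routes if rule.matches(r)]
```

The address family check comes first on purpose: comparing an IPv6 route against an IPv4 prefix is never a match, and ipaddress refuses to compare networks of different versions, so the version test keeps subnet_of from raising.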


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
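Added example (not bgpd code, and not part of the commit above): the kind of config file secrecy check that commit describes, written in Python so it runs offline against constructed temp files. The rule applied here is an assumption modelled on the commit text: a regular file, owned by the expected uid (defaulting to the caller's effective uid), with no group or world permission bits at all.

```python
# Added example, not bgpd code: refuse a config file that is not a regular
# file, is owned by someone else, or is readable/writable by group or world.
import os
import stat
import tempfile


def check_config_secrecy(path, expected_uid=None):
    """Return (ok, reason) for the file at path.

    expected_uid defaults to our effective uid; a daemon running as root
    would pass 0 here so that only root-owned config is accepted.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != expected_uid:
        return False, "wrong owner uid %d (expected %d)" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "group/world permissions set (mode %o)" % (st.st_mode & 0o777)
    return True, "ok"


def demo():
    """Constructed sample: one 0600 config and one 0644 copy of it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        secure = os.path.join(d, "bgpd.conf")
        leaky = os.path.join(d, "bgpd.conf.bak")
        for p in (secure, leaky):
            with open(p, "w") as f:
                # constructed content; a shared secret is exactly what must not leak
                f.write("neighbor 192.0.2.1 { tcp md5sig password hunter2 }\n")
        os.chmod(secure, 0o600)
        os.chmod(leaky, 0o644)
        results["secure"] = check_config_secrecy(secure)
        results["leaky"] = check_config_secrecy(leaky)
        # simulate a file owned by a different account than the one expected
        results["wrong_owner"] = check_config_secrecy(secure, expected_uid=os.geteuid() + 1)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-12s %s (%s)" % (name, "ok" if ok else "REJECT", why))
```

Checking stat(2) results on the path rather than on the already opened file leaves a small race; a daemon would fstat the descriptor it is about to parse from instead. The mode test is deliberately strict (any group/world bit fails), since a world-readable bgpd.conf hands out every TCP MD5 and IPsec key in it.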


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messgages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.361 29-Sep-2018 claudio

Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and an origin-set which allows
looking up a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@


# 1.360 27-Sep-2018 benno

unbreak "inet" and "inet6" aliases in filters after rev. 1.333
ok claudio@


# 1.359 21-Sep-2018 claudio

Both AS 23456 and AS 0 are reserved and can not be used. Extend check for
AS 0 and adjust yyerror message to print the right number.
With input and OK denis@


# 1.358 21-Sep-2018 claudio

better yyerror messages. "syntax error" is generally not very helpful.
OK denis@


# 1.357 21-Sep-2018 claudio

Move setting of the PREFIXSET_FLAG_OPS higher up since prefixset_item rule
is now also used by roa-set. Also set the prefix operation for roa-set
items to OP_NONE since that is what it actually needs to be.


# 1.356 21-Sep-2018 claudio

Implement code to parse, print and reload roa-set tables.
This is sharing a lot of code with prefixset which makes all a bit easier.
A roa-set is defined like this:
roa-set "test2" {
1.2.3.0/24 source-as 1,
1.2.8.0/22 maxlen 24 source-as 3
}
No support for acting on this data yet.
Put it in deraadt@, OK benno@, input and OK denis@


# 1.355 20-Sep-2018 claudio

Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way of fixing this.
OK benno@


# 1.354 20-Sep-2018 claudio

Switch prefixset to an RB_TREE instead of a SIMPLEQ. This allows triggering
on duplicates (which are only reported) but is needed as a preparation step
for roa-sets.
OK benno@ denis@


# 1.353 14-Sep-2018 claudio

Extend as_set to allow for different sized objects to be added. The only
requirement is that the first value of the struct is a 32bit ID which is
used in the bsearch. This allows adding more than just as numbers to a
set. as_set_match now returns a pointer to this data or NULL if not found.
OK benno@


# 1.352 13-Sep-2018 claudio

Similar to as-set factor out the code to create a prefix-set into a function.
Makes all a bit nicer and as an added bonus fixes a memory leak.
OK phessler@


# 1.351 13-Sep-2018 claudio

ROA entries allow defining a prefix with a maxlen.
In the end this is just another way to specify a prefixlen range
and kind of an or-longer case with an upper limit.
So these two prefix statements are equivalent:
prefix 10.0.0.0/8 prefixlen 8 - 24
prefix 10.0.0.0/8 maxlen 24
While there also make 'prefixlen = 17' an OP_RANGE and because of that also
usable in prefix-set tables. Finally adjust printconf.c for those two
changes to print them nicely.
OK phessler@


# 1.350 10-Sep-2018 benno

use filterset_move() like all other network statements. It checks for
source == NULL, avoiding a possible crash introduced yesterday.
ok claudio@


# 1.349 09-Sep-2018 claudio

Allow for empty as-set and prefix-set definitions by adding explicit rules
for those because of shift/reduce issues in the list with optional commas.
OK benno@


# 1.348 09-Sep-2018 claudio

Shut up a gcc warning about uninitialized use of min & max by adding a default
case in the switch statement. Found by denis@ and fix proposed by sthen@


# 1.347 09-Sep-2018 claudio

Can not allow empty as-set and prefix-set blocks right now. This produces
shift/reduce conflicts which need to be resolved first.


# 1.346 09-Sep-2018 claudio

Remove another optnl. In general we no longer support a newline between
the keyword and "{". In this case it is 'set {'.
Newlines afterwards are accepted.


# 1.345 09-Sep-2018 claudio

Bad merge, change a optnl to comma since that is what we want there.


# 1.344 09-Sep-2018 claudio

Rework the parser a bit to be more sane when it comes to newline and comma
handling. In expansion lists we want commas and newlines to be allowed
but optional. In the neighbor, group and rdomain blocks statements need to
be newline separated but neighbor 192.0.2.3 { descr "test-peer" } is allowed.
OK sthen@ benno@


# 1.343 09-Sep-2018 claudio

Write asset as as_set since the other word is already used in English.
benno@ agrees, OK compiler


# 1.342 09-Sep-2018 benno

Add network prefix-set <name> syntax to announce networks in a prefix-set.
feature discussed with deraadt@ and job@, ok claudio@


# 1.341 08-Sep-2018 benno

implement or-longer filter op for prefix-sets. Allows one to write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt


# 1.340 08-Sep-2018 claudio

More BGPD_OPT_NOACTION checking to make regress happier.


# 1.339 08-Sep-2018 claudio

If BGPD_OPT_NOACTION is set don't check that the rdomain exists.
This makes it possible to use bgpd -nv in regress with unknown rdomains.


# 1.338 08-Sep-2018 claudio

Change the way we parse prefix-sets so that newlines are allowed in more
places and so prefix-sets look a lot better. Currently commas are not allowed
but they will come back soon.
OK benno@


# 1.337 07-Sep-2018 benno

remove unused function find_prefixsetitem(), ok claudio@


# 1.336 07-Sep-2018 benno

allow as4number_any in as-sets. Otherwise you can't filter bogon ASes.
ok claudio@


# 1.335 07-Sep-2018 miko

replace malloc()+strlcpy() with strndup() in cmdline_symset().

"looks good" gilles@ halex@


# 1.334 07-Sep-2018 claudio

Implement as-set, a fast lookup table to be used instead of long lists of
AS numbers in source-as, AS and transit-as filter statements. These tables
use bsearch to quickly verify if an AS is in the set or not.
The filter syntax is not fully set in stone yet.
OK denis@ benno@ and previously OK deraadt@


# 1.333 05-Sep-2018 claudio

Implement most prefixlen operations as OP_RANGE (prefixlen A - B).
Simplify the RDE logic this way and make it possible to load such ranges
into a much faster lookup trie for prefix-sets.
When printing the config bgpd tries to use the nicest way to express the rule:
e.g. match from any prefix 18.0.0.0/8 prefixlen 8 - 32
becomes match from any prefix 18.0.0.0/8 or-longer
Apart from that there is no user visible change because of this.
OK sthen@


# 1.332 05-Sep-2018 claudio

Change the way as_compare() and aspath_match() handle 'neighbor-as'. Instead
of doing the condition before calling aspath_match() just pass the neighbor-as
down to as_compare() which then has all needed data for the lookup. While
doing this also remove one of the as fields in struct filter_as since the
min/max fields can be reused for unary operations.
OK denis@ phessler@


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each other's route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where it's needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better not to do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found
out how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessary complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@

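The community syntax accumulated across the entries above (the `AS:VALUE`
form and `*` wildcard from 1.76, the NOPEER well-known community from
1.116 and 1.178, `neighbor-as` from 1.179, AS 0 allowed per 1.205 and
65535 rejected per 1.199 and 1.206) is small enough to show as one parser
plus a matcher. The following is an added example written for this page,
not bgpd's parsecommunity(); the COMMUNITY_ANY and COMMUNITY_NEIGHBOR_AS
encodings, the helper names and the sample inputs are this example's own
assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Special values for either half of a community. bgpd has defines with
 * these names; the numeric encodings here are this example's choice. */
#define COMMUNITY_ANY		-1	/* "*" */
#define COMMUNITY_NEIGHBOR_AS	-2	/* "neighbor-as", resolved per session */

struct community {
	int	as;
	int	type;
};

/* Well-known communities (RFC 1997; NO_PEER from RFC 3765). */
static const struct {
	const char	*name;
	uint32_t	 val;
} wellknown[] = {
	{ "NO_EXPORT",		0xFFFFFF01 },
	{ "NO_ADVERTISE",	0xFFFFFF02 },
	{ "NO_EXPORT_SUBCONFED",0xFFFFFF03 },
	{ "NO_PEER",		0xFFFFFF04 },
};

/* Decimal number in 0..65535 and nothing else: no sign, no trailing junk. */
static int
parse_u16(const char *s, int *out)
{
	char		*ep;
	unsigned long	 v;

	if (!isdigit((unsigned char)*s))
		return (-1);
	errno = 0;
	v = strtoul(s, &ep, 10);
	if (errno != 0 || *ep != '\0' || v > USHRT_MAX)
		return (-1);
	*out = (int)v;
	return (0);
}

/* Parse "AS:VALUE" ("*" or "neighbor-as" for AS, "*" for VALUE) or a
 * well-known name. AS 0 is accepted (in use at some IXPs); numeric 65535
 * is rejected because that range is reserved for the well-known values,
 * which are only reachable by name. Returns 0 on success, -1 otherwise. */
int
parsecommunity(const char *s, struct community *c)
{
	char	 buf[64], *p;
	size_t	 i;

	for (i = 0; i < sizeof(wellknown) / sizeof(wellknown[0]); i++)
		if (strcmp(s, wellknown[i].name) == 0) {
			c->as = wellknown[i].val >> 16;
			c->type = wellknown[i].val & 0xffff;
			return (0);
		}
	if (strlen(s) >= sizeof(buf))
		return (-1);
	strcpy(buf, s);
	if ((p = strchr(buf, ':')) == NULL)
		return (-1);
	*p++ = '\0';

	if (strcmp(buf, "*") == 0)
		c->as = COMMUNITY_ANY;
	else if (strcmp(buf, "neighbor-as") == 0)
		c->as = COMMUNITY_NEIGHBOR_AS;
	else if (parse_u16(buf, &c->as) == -1 || c->as == USHRT_MAX)
		return (-1);

	if (strcmp(p, "*") == 0)
		c->type = COMMUNITY_ANY;
	else if (parse_u16(p, &c->type) == -1)
		return (-1);
	return (0);
}

/* Match a configured community against one carried on a path; neighbor-as
 * is expanded to the remote AS of the session at match time. */
int
community_match(const struct community *c, uint32_t as, uint32_t val,
    uint32_t remote_as)
{
	uint32_t want_as;

	want_as = (c->as == COMMUNITY_NEIGHBOR_AS) ? remote_as : (uint32_t)c->as;
	if (c->as != COMMUNITY_ANY && want_as != as)
		return (0);
	if (c->type != COMMUNITY_ANY && (uint32_t)c->type != val)
		return (0);
	return (1);
}

/* Helpers for callers/tests: parsed halves, or INT_MIN if rejected. */
int
community_as(const char *s)
{
	struct community c;
	return (parsecommunity(s, &c) == 0 ? c.as : INT_MIN);
}

int
community_type(const char *s)
{
	struct community c;
	return (parsecommunity(s, &c) == 0 ? c.type : INT_MIN);
}

int
community_matches(const char *conf, uint32_t as, uint32_t val, uint32_t remote_as)
{
	struct community c;
	if (parsecommunity(conf, &c) != 0)
		return (0);
	return (community_match(&c, as, val, remote_as));
}
```

community_matches("neighbor-as:666", 3320, 666, 3320) is the rule
`community neighbor-as:666` evaluated on a session to AS 3320; the same
rule does not match on a session to AS 852, which is the whole point of
the keyword.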

# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.331 27-Aug-2018 claudio

If the maximum for a community is defined via the large flag then
this maximum should also be passed to strtonum() instead of UINT_MAX
or the error handling does not work.


# 1.330 27-Aug-2018 claudio

merge_filterset() needs to produce a stable sorted filterset to make sure
the RDE can compare the sets on reload and skip those that did not change.
For large communities the check is wrong and incomplete, replace it with
a simple memcmp() of the structs which will result in a stable order.
OK phessler@


# 1.329 08-Aug-2018 claudio

Merge getcommunity() and getlargecommunity() into one function that
takes a flag if it is large or not. Makes code more reusable.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flags is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number, we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to-be-announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.328 11-Jul-2018 benno

add option "network ... priority number" to announce prefixes from the
kernel routing table selected by priority.
For example to import all ospfd/ospf6d routes into bgp.
tested by remi@
ok remi@ henning@ and maybe a little claudio@


# 1.327 10-Jul-2018 benno

You can run multiple copies of bgpd in separate rdomains.

However, the processes will see each others route messages. Some
structures are not initialized correctly for that, causing at least
useless log messages.

This is an attempt to use the default_tableid where its needed.

A few hardcoded uses of rtable 0 remain.

ok claudio@


# 1.326 10-Jul-2018 benno

don't let rtable number overflow,
we only support up to RT_TABLEID_MAX rtables
ok henning@, claudio@, phessler@


# 1.325 09-Jul-2018 krw

No need to mention which memory allocation entry point failed (malloc,
calloc or strdup), we just need to log that we ran out of memory in a
particular function.

Recommended by florian@ and deraadt@

ok benno@ henning@ tb@


# 1.324 08-Jul-2018 krw

Be consistent in warn() and log_warn() usage when
running out of memory.

Next step, be correct *and* consistent.

ok dennis@ tb@ benno@ schwarze@


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, I'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for no much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we would have to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set form struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@
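
The leak pattern described above, as an added example that is not bgpd's code: a small stand-alone lexer whose token values and keyword table are constructed for illustration, with lex_word() showing the 1.71 fix of allocating the semantic value only when lookup() returns STRING.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/*
 * Token values and keyword table are constructed for this example; they
 * stand in for the generated yacc tokens and bgpd's much larger table.
 */
enum token { ERROR = -1, STRING = 1, NEIGHBOR, PREFIX, SET };

struct keyword {
	const char	*name;
	enum token	 tok;
};

/* Must stay sorted: lookup() uses bsearch(), as the bgpd parser does. */
static const struct keyword keywords[] = {
	{ "neighbor",	NEIGHBOR },
	{ "prefix",	PREFIX },
	{ "set",	SET },
};

static int
kw_cmp(const void *k, const void *e)
{
	return strcmp(k, ((const struct keyword *)e)->name);
}

/* Keyword token on a match, STRING for anything else. */
enum token
lookup(const char *buf)
{
	const struct keyword *p;

	p = bsearch(buf, keywords, sizeof(keywords) / sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);
	return p == NULL ? STRING : p->tok;
}

/*
 * The pre-1.71 pattern did `*value = strdup(buf)` before looking at the
 * token, so every keyword also got a heap copy that the grammar never
 * freed. The fix: allocate only when lookup() says STRING, because that is
 * the only token whose semantic value the grammar owns and free()s.
 */
enum token
lex_word(const char *buf, char **value)
{
	enum token tok = lookup(buf);

	*value = NULL;
	if (tok == STRING && (*value = strdup(buf)) == NULL)
		return ERROR;	/* bgpd would call fatal("yylex: strdup") here */
	return tok;
}

/*
 * Tokenize one whitespace-separated line the way the yylex() loop would,
 * freeing each STRING value as the grammar does. Returns the token count
 * and reports via *nstrings how many heap strings were handed out: with the
 * fix that equals the number of STRING tokens, not the number of tokens.
 */
size_t
lex_line(const char *line, size_t *nstrings)
{
	char *copy, *word, *last, *value;
	size_t ntok = 0;

	*nstrings = 0;
	if ((copy = strdup(line)) == NULL)
		return 0;
	for (word = strtok_r(copy, " \t\n", &last); word != NULL;
	    word = strtok_r(NULL, " \t\n", &last)) {
		if (lex_word(word, &value) == STRING) {
			(*nstrings)++;
			free(value);	/* the grammar's free() of yylval.v.string */
		}
		ntok++;
	}
	free(copy);
	return ntok;
}
```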


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.323 13-Jun-2018 job

Provide backwards compatibility for some of the announce directives

OK sthen@


# 1.322 13-Jun-2018 claudio

Deprecate announce (all|self|none|default-route)
The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.
- `announce all` is the new default but the default deny filter will
make sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config!

Best is to change the config in advance by using `announce all` explicitly on
all neighbors and adding `deny from any` and `deny to any` at the start of
your filters and adjust the rest of the filters to still produce the same
result. `bgpd -nv -f bgpd.conf ` and `bgpctl show rib out nei foo` are good
tools to verify the changes.
Lots of discussions with job@, deraadt@, sthen@
OK job@


# 1.321 11-Jun-2018 denis

Fix an off-by-one line count when using include statements.

Thanks to otto@ for the initial diff.

OK benno@


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
	descr "CUSTOMER1"
	rd 65003:1
	import-target rt 65003:3
	export-target rt 65003:1
	depend on mpe0
	network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable peer neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known well-known communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@
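
The prefix and prefixlen matching this entry describes ("prefix 10.0.0.0/8 prefixlen >= 8", the ranges "8-24" and "8><24"), together with the prefix/prefixlength match of incoming connections in revision 1.80's neighbor cloning above, as an added IPv4-only example that is not bgpd's filter code. The operator names and struct layout are constructed for the example, and reading "8><24" as the exclusive range 9..23 is an assumption made here.

```c
/*
 * Added example (not bgpd's code): IPv4 prefix containment plus the
 * prefixlen operators from the log. Names and semantics are constructed.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum prefixlen_op { OP_NONE, OP_EQ, OP_NE, OP_LE, OP_LT, OP_GE, OP_GT,
    OP_RANGE, OP_XRANGE };

struct filter_prefix {
	struct in_addr		addr;		/* network byte order */
	uint8_t			len;
	enum prefixlen_op	op;
	uint8_t			len_min, len_max;	/* operator operands */
};

/* Parse "a.b.c.d/n"; 0 on success, -1 on any malformed input. */
int
parse_prefix(const char *s, struct in_addr *addr, uint8_t *len)
{
	char buf[32], *slash, *end;
	long n;

	if (strlen(s) >= sizeof(buf))
		return -1;
	strcpy(buf, s);
	if ((slash = strchr(buf, '/')) == NULL)
		return -1;
	*slash++ = '\0';
	if (inet_pton(AF_INET, buf, addr) != 1)
		return -1;
	n = strtol(slash, &end, 10);
	if (*slash == '\0' || *end != '\0' || n < 0 || n > 32)
		return -1;
	*len = (uint8_t)n;
	return 0;
}

/* Does a/alen cover b/blen? Also the neighbor-cloning test with blen 32. */
int
prefix_covers(struct in_addr a, uint8_t alen, struct in_addr b, uint8_t blen)
{
	uint32_t mask = alen == 0 ? 0 : htonl(0xffffffffU << (32 - alen));

	if (blen < alen)
		return 0;
	return (a.s_addr & mask) == (b.s_addr & mask);
}

/* The prefixlen clause of a rule, evaluated against a route's length. */
int
prefixlen_match(const struct filter_prefix *f, uint8_t len)
{
	switch (f->op) {
	case OP_NONE:	return 1;
	case OP_EQ:	return len == f->len_min;
	case OP_NE:	return len != f->len_min;
	case OP_LE:	return len <= f->len_min;
	case OP_LT:	return len < f->len_min;
	case OP_GE:	return len >= f->len_min;
	case OP_GT:	return len > f->len_min;
	case OP_RANGE:	return len >= f->len_min && len <= f->len_max; /* 8-24 */
	case OP_XRANGE:	return len > f->len_min && len < f->len_max;   /* 8><24, exclusive here */
	}
	return 0;
}

/* Full rule check: containment first, then the prefixlen clause. */
int
filter_prefix_match(const struct filter_prefix *f, const char *route)
{
	struct in_addr addr;
	uint8_t len;

	if (parse_prefix(route, &addr, &len) == -1)
		return 0;
	if (!prefix_covers(f->addr, f->len, addr, len))
		return 0;
	return prefixlen_match(f, len);
}

/* Build a rule from text, e.g. mkfilter("10.0.0.0/8", OP_GE, 8, 0, &f). */
int
mkfilter(const char *prefix, enum prefixlen_op op, uint8_t min, uint8_t max,
    struct filter_prefix *f)
{
	if (parse_prefix(prefix, &f->addr, &f->len) == -1)
		return -1;
	f->op = op;
	f->len_min = min;
	f->len_max = max;
	return 0;
}
```

A route is only tested against the prefixlen clause after it has been shown to lie inside the rule's prefix; a rule like "prefix 10.0.0.0/8 prefixlen >= 8" therefore never matches 10.0.0.0/7, even though 7 is a perfectly good length for some other prefix.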


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
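
A string-to-key routine of the kind revisions 1.103, 1.110, 1.86 and 1.44 above refer to, written here as an added example rather than bgpd's own conversion code: the hex form is decoded per nibble with explicit checks for an odd digit count, non-hex characters and a key that would not fit the buffer (the "key too long" comparison that revision 1.110 fixed), and the ASCII password form this entry adds refuses over-long input instead of truncating it (revision 1.44). KEY_MAXLEN and the function names are this example's assumptions.

```c
/*
 * Added example (not bgpd's code): convert a configured key, given as a
 * hex string or as an ASCII password, into raw key bytes with length checks.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAXLEN	80	/* assumed key buffer size for this example */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Hex string -> key bytes. Returns the key length in bytes, or -1 when the
 * string is empty, has an odd number of digits, contains a non-hex
 * character, or would not fit into keysz bytes.
 */
int
str2key(const char *hex, unsigned char *key, size_t keysz)
{
	size_t i, len = strlen(hex);
	int hi, lo;

	if (len == 0 || len % 2 != 0)
		return -1;		/* every byte needs exactly two digits */
	if (len / 2 > keysz)
		return -1;		/* too long; ">=" here would be the off-by-one */
	for (i = 0; i < len; i += 2) {
		if ((hi = hexval(hex[i])) == -1 ||
		    (lo = hexval(hex[i + 1])) == -1)
			return -1;
		key[i / 2] = (unsigned char)(hi << 4 | lo);
	}
	return (int)(len / 2);
}

/*
 * ASCII password -> key bytes: the characters are the key. Returns the
 * length, or -1 for an empty password or one longer than the buffer
 * (report it rather than silently truncating).
 */
int
password2key(const char *pw, unsigned char *key, size_t keysz)
{
	size_t len = strlen(pw);

	if (len == 0 || len > keysz)
		return -1;
	memcpy(key, pw, len);
	return (int)len;
}
```

Both forms return the byte count explicitly, which is what revision 1.101 above asks for: once a hex key may contain a 0x00 byte, strlen() on the buffer is no longer a usable length.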


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.320 26-Apr-2018 krw

Plug leak in error case of the common 'varset' implementations.

ok benno@


Revision tags: OPENBSD_6_3_BASE
# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are easier
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I find out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammers soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is automatically
adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
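The entries 1.43, 1.44, 1.101, 1.103 and 1.110 above describe the two key forms (an ascii "password" and a hex "key"), the separate length field needed because a hex key may contain NUL bytes, the refusal to silently truncate an over-long password, and an off-by-one in the too-long check. The following is an added example written for this log page, not bgpd's str2key() or any other bgpd code; it assumes a fixed 80-byte buffer (the TCP-MD5 limit of RFC 2385), and the helper names are made up for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not bgpd code. One fixed buffer plus an explicit length
 * serves both key forms: a hex "key" may contain 0x00 bytes, so strlen()
 * cannot be used to find its length (log entry 1.101).
 * KEY_MAX is an assumption: 80 bytes, the TCP-MD5 maximum of RFC 2385.
 */
#define KEY_MAX	80

struct auth_key {
	uint8_t	key[KEY_MAX];
	size_t	len;
};

/* value of one hex digit, -1 if c is not a hex digit */
static int
hexnibble(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * "password": ascii copied as-is, which limits the key space to printable
 * bytes. Too long is an error, never silent truncation (log entry 1.44).
 * The bound is "> KEY_MAX", not ">=": exactly KEY_MAX bytes still fit,
 * which is the off-by-one of log entry 1.110.
 */
int
key_from_password(const char *pw, struct auth_key *k)
{
	size_t n = strlen(pw);

	if (n == 0 || n > KEY_MAX)
		return -1;
	memcpy(k->key, pw, n);
	k->len = n;
	return 0;
}

/* "key": two hex digits per byte, any byte value allowed, including 0x00 */
int
key_from_hex(const char *hex, struct auth_key *k)
{
	size_t n = strlen(hex), i;
	int hi, lo;

	if (n == 0 || n % 2 != 0 || n / 2 > KEY_MAX)
		return -1;
	for (i = 0; i < n; i += 2) {
		hi = hexnibble((unsigned char)hex[i]);
		lo = hexnibble((unsigned char)hex[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (uint8_t)(hi << 4 | lo);
	}
	k->len = n / 2;
	return 0;
}

/* helpers returning plain ints so results are easy to check */
int
hexkey_len(const char *hex)
{
	struct auth_key k;

	return key_from_hex(hex, &k) == 0 ? (int)k.len : -1;
}

int
hexkey_byte(const char *hex, size_t i)
{
	struct auth_key k;

	if (key_from_hex(hex, &k) == -1 || i >= k.len)
		return -1;
	return k.key[i];
}

/* a password of n 'x' characters: 0 if accepted, -1 if rejected */
int
password_of_length_ok(size_t n)
{
	char pw[KEY_MAX + 2];
	struct auth_key k;

	if (n > KEY_MAX + 1)
		return -1;
	memset(pw, 'x', n);
	pw[n] = '\0';
	return key_from_password(pw, &k);
}
```

Note that "00ff10" decodes to a three-byte key whose first byte is NUL; with strlen() on the decoded buffer the key length would come out as zero, which is exactly why the length travels in its own field.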


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fecthed in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.319 10-Feb-2018 benno

Add prefix-sets, lists of prefixes which can be used in place of a
prefix in a filter rule. Initial idea hashed out with job@ in Toronto.
This is WIP, i'm committing it now so we can work on it in the tree.
ok florian@ claudio@


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into their own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not use == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length); the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PERRFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected or all static routes, respectively. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equally
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow modifying the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manually keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
. token = lookup(buf);
. yylval.v.string = strdup(buf);
. if (yylval.v.string == NULL)
. fatal("yylex: strdup");
. return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo
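
A check of that kind, as an added example rather than bgpd's code (the log records in 1.307 that bgpd later dropped its own check): it runs fstat(2) on the already opened descriptor, so the file that is checked is the file that gets parsed, and it refuses anything that is not a regular file, is owned by someone other than root or the invoking user, or has any group or world permission bits. The exact policy and the reason strings are assumptions for this example.

```c
/*
 * Added example, not bgpd code: refuse a configuration file that other
 * users could read or replace. Policy and messages are assumptions.
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 0 if fd passes, -1 otherwise with a reason in *why. */
int
check_file_secrecy(int fd, const char **why)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		*why = "fstat failed";
		return (-1);
	}
	if (!S_ISREG(st.st_mode)) {
		*why = "not a regular file";
		return (-1);
	}
	/* Root may own the file; anyone else must be the invoking user. */
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		*why = "wrong owner";
		return (-1);
	}
	/* No group or world bits at all, read included: it holds keys. */
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		*why = "group/world accessible";
		return (-1);
	}
	*why = NULL;
	return (0);
}

/*
 * Test helper: an anonymous temporary file with the given mode. It is
 * unlinked at once, so only the returned descriptor refers to it.
 */
int
open_tmp_with_mode(mode_t mode)
{
	char path[] = "/tmp/secrecyXXXXXX";
	int fd;

	if ((fd = mkstemp(path)) == -1)
		return (-1);
	unlink(path);
	if (fchmod(fd, mode) == -1) {
		close(fd);
		return (-1);
	}
	return (fd);
}
```

Checking the descriptor rather than the path name is the part that matters: a stat(2) on the name followed by an open(2) can be raced with a rename, fstat(2) on the open descriptor cannot.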


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

a few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.318 05-Feb-2018 claudio

Add a comment why it is OK to set the tableid to 0 for Adj-RIB-In/Out.
Requested by henning@


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@
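
An AS number parser with the checks the entries above ask for (an upper bound for 4-byte AS numbers, AS 0 treated as an error), as an added example and not bgpd's parser: it reads asplain form only, refuses sign characters and trailing junk that strtoull() would otherwise quietly accept, detects overflow through errno, and rejects 0. The reason strings are an assumption for this example.

```c
/*
 * Added example, not bgpd code: validate an asplain AS number.
 * Bound is 2^32-1 (4-byte AS), 0 is rejected per RFC 7607.
 * Error strings are assumptions for this example.
 */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define AS_MAX	UINT32_MAX

/*
 * Returns 0 and stores the value in *as on success, -1 on failure with
 * a static reason string in *err.
 */
int
parse_asnum(const char *s, uint32_t *as, const char **err)
{
	unsigned long long	 v;
	char			*ep;

	*err = NULL;
	/* strtoull() skips whitespace and takes a sign; we do not. */
	if (s == NULL || !isdigit((unsigned char)*s)) {
		*err = "AS number must be a plain decimal number";
		return (-1);
	}
	errno = 0;
	v = strtoull(s, &ep, 10);
	if (*ep != '\0') {
		*err = "trailing characters after AS number";
		return (-1);
	}
	/* ERANGE covers values beyond unsigned long long itself. */
	if (errno == ERANGE || v > AS_MAX) {
		*err = "AS number too large";
		return (-1);
	}
	if (v == 0) {
		*err = "AS 0 is reserved and not allowed";
		return (-1);
	}
	*as = (uint32_t)v;
	return (0);
}
```

The same function serves a neighbor's remote-as, the local AS and AS-path filter operands, so a single rejected value is enough to keep AS 0 out of every place the configuration can introduce it.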


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into its own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
router's IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reasons memcpy has the argument reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again when I found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something other than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 session will still default to only announce inet unicast but now
IPv6 session will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) to be carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by a (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend his own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered into the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors into its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and a few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of an in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer a little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as an application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.317 04-Feb-2018 claudio

Cleanup RIB handling in the RDE. Introduce some defines for Adj-RIB-In and
Adj-RIB-Out and use them consistently. Makes code easier to read.
OK benno@


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow configuring SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This is what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@
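
Added example (C, not bgpd's filter code): the four AS operators this entry
adds, as one match function over a small term struct, plus a constructed
"illegal AS numbers" list in the spirit of the bgpd.conf use case it
mentions. The struct, enum and function names are assumptions; the list
is my own, with the RFC that reserves each value noted beside it.

```c
#include <stddef.h>
#include <stdint.h>

/* =, !=, "lo - hi" (inclusive) and "lo >< hi" (exclusive on both ends) */
enum as_op { AS_EQ, AS_NE, AS_RANGE, AS_XRANGE };

struct as_filter {
	enum as_op	op;
	uint32_t	lo;	/* the AS for AS_EQ/AS_NE, lower bound otherwise */
	uint32_t	hi;	/* upper bound for AS_RANGE/AS_XRANGE, unused otherwise */
};

/* 1 if as satisfies the term, 0 otherwise; an inverted range never matches */
int
as_filter_match(const struct as_filter *f, uint32_t as)
{
	switch (f->op) {
	case AS_EQ:
		return as == f->lo;
	case AS_NE:
		return as != f->lo;
	case AS_RANGE:
		return f->lo <= as && as <= f->hi;
	case AS_XRANGE:
		return f->lo < as && as < f->hi;
	}
	return 0;
}

/* convenience wrapper: build a term and match it in one call */
int
as_match(enum as_op op, uint32_t lo, uint32_t hi, uint32_t as)
{
	struct as_filter f = { op, lo, hi };

	return as_filter_match(&f, as);
}

/*
 * Constructed list (mine, not from bgpd.conf) of AS numbers that should
 * never show up in a real path: the shape of a "block illegal AS
 * numbers" rule set expressed with the operators above.
 */
static const struct as_filter illegal_as[] = {
	{ AS_EQ,	0,		0 },		/* RFC 7607 */
	{ AS_EQ,	23456,		0 },		/* AS_TRANS, RFC 6793 */
	{ AS_RANGE,	64496,		64511 },	/* documentation, RFC 5398 */
	{ AS_EQ,	65535,		0 },		/* last 16-bit ASN, RFC 7300 */
	{ AS_RANGE,	65536,		65551 },	/* documentation, RFC 5398 */
	{ AS_EQ,	4294967295u,	0 },		/* last 32-bit ASN, RFC 7300 */
};

/* 1 if any term of the illegal list matches, 0 otherwise */
int
as_is_illegal(uint32_t as)
{
	size_t i;

	for (i = 0; i < sizeof(illegal_as) / sizeof(illegal_as[0]); i++)
		if (as_filter_match(&illegal_as[i], as))
			return 1;
	return 0;
}
```

Private-use ranges (64512-65534, 4200000000-4294967294) are deliberately
not on the list: whether they are "illegal" depends on whether the peer is
a customer using them, which is a policy decision, not a protocol one.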


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjusts FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows building rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Hennings iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new one on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows adding/modifying restricted control sockets at runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length), the second matches when a sequence of the same AS number is longer
than the specified length.
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@
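The two checks described in this commit, as an added example in Python rather than bgpd's own code: max-as-len matches when the AS path has more entries than the limit, max-as-seq when one AS number repeats back to back more often than the limit. The sample paths and ASNs are constructed placeholders, not real routing data.

```python
# Added example, not bgpd code: the max-as-len and max-as-seq filter checks
# applied to AS paths given as lists of AS numbers (ASPLAIN integers).

def parse_as_path(text):
    """Turn a whitespace-separated ASPLAIN path such as "65001 65002" into ints."""
    return [int(tok) for tok in text.split()]

def as_path_len(path):
    """Number of AS numbers in the path; prepends count like any other hop."""
    return len(path)

def longest_as_seq(path):
    """Length of the longest run of the same AS number repeated back to back."""
    longest = 0
    run = 0
    prev = None
    for asn in path:
        if asn == prev:
            run += 1
        else:
            run = 1
            prev = asn
        longest = max(longest, run)
    return longest

def match_max_as_len(path, max_len):
    """max-as-len semantics: the rule matches when the path is longer than max_len."""
    return as_path_len(path) > max_len

def match_max_as_seq(path, max_seq):
    """max-as-seq semantics: the rule matches when some AS repeats more than max_seq times in a row."""
    return longest_as_seq(path) > max_seq

def check_path(path, max_len=None, max_seq=None):
    """Return the names of the rules that match the path, in evaluation order."""
    hits = []
    if max_len is not None and match_max_as_len(path, max_len):
        hits.append("max-as-len")
    if max_seq is not None and match_max_as_seq(path, max_seq):
        hits.append("max-as-seq")
    return hits

# Constructed sample paths (private-use ASNs, not real routing data).
SAMPLE_PATHS = {
    "normal":  parse_as_path("65001 65002 65003"),
    "prepend": parse_as_path("65001 65002 65002 65002 65002 65003"),
    "long":    list(range(65100, 65160)),
}

if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        print(name, check_path(path, max_len=50, max_seq=3))
```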


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
descr "CUSTOMER1"
rd 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows using "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow filtering for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as is not supported either but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow setting unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not do silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception are
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@
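The ASPATH inflate/deflate that this commit describes, as an added Python example that is not bgpd's code: toward an old-style (2-byte) peer every 4-byte ASN is replaced by AS_TRANS and the real path travels in NEW_ASPATH; from an old-style peer the two are merged again. The merge rule (keep the hops the old peer prepended, then take NEW_ASPATH; ignore a NEW_ASPATH longer than AS_PATH) and the AS_TRANS value 23456 are taken from RFC 4893, not from this page; the ASNs are constructed samples.

```python
# Added example, not bgpd code: 4-byte AS path handling toward and from an
# old-style 2-byte peer, following the RFC 4893 rules. AS_TRANS (23456) is
# the placeholder ASN that RFC assigns for 4-byte numbers on 2-byte sessions.

AS_TRANS = 23456

def is_4byte(asn):
    """True for AS numbers that do not fit into 16 bits."""
    return asn > 0xFFFF

def deflate_as_path(path):
    """Build what an old-style peer receives.

    Returns (as_path, new_as_path): as_path has every 4-byte ASN replaced by
    AS_TRANS; new_as_path carries the untouched path when any replacement was
    needed and is None otherwise (no NEW_ASPATH attribute is sent then)."""
    deflated = [AS_TRANS if is_4byte(asn) else asn for asn in path]
    new_as_path = list(path) if deflated != list(path) else None
    return deflated, new_as_path

def inflate_as_path(as_path, new_as_path):
    """Reconstruct the full path from what an old-style peer sent.

    The old peer can only prepend 2-byte ASNs in front of the path it got, so
    the leading (len(as_path) - len(new_as_path)) hops are kept from as_path
    and the rest is taken from new_as_path. A NEW_ASPATH longer than AS_PATH is
    inconsistent and is ignored, leaving AS_TRANS in the path."""
    if new_as_path is None or len(new_as_path) > len(as_path):
        return list(as_path)
    prepended = len(as_path) - len(new_as_path)
    return list(as_path[:prepended]) + list(new_as_path)

# Constructed sample: a path with one 4-byte ASN in the middle.
SAMPLE_PATH = [65001, 4200000000, 65002]

if __name__ == "__main__":
    sent, new = deflate_as_path(SAMPLE_PATH)
    print("to old peer:   AS_PATH", sent, "NEW_ASPATH", new)
    # An old-style peer prepends its own 2-byte ASN and forwards NEW_ASPATH.
    print("from old peer:", inflate_as_path([65010] + sent, new))
```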


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed, the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters,
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is auto-
matically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix a error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods to be specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
    token = lookup(buf);
    yylval.v.string = strdup(buf);
    if (yylval.v.string == NULL)
        fatal("yylex: strdup");
    return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use a ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix an u_int32_t instead of an u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, what unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus
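The key handling touched by revs 1.43, 1.44, 1.101 and 1.103 (ASCII or hex keys, an explicit key length rather than strlen(), and rejecting rather than truncating over-long keys), as an added example that is not bgpd's own code. The TCP_MD5_KEY_LEN limit, struct auth_key and the helper functions are assumptions made for this example.

```c
/* Added illustration (not bgpd's own code): turn a configured TCP MD5 key
 * into bytes. Keys may be given as an ASCII password or as hex digits; both
 * are checked against a fixed maximum and rejected, never silently cut. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TCP_MD5_KEY_LEN	80	/* assumed limit for this example */

struct auth_key {
	unsigned char	key[TCP_MD5_KEY_LEN];
	size_t		keylen;	/* explicit: a hex key may contain NUL bytes */
};

/* One hex digit to its value, -1 if c is not a hex digit. */
static int
hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Hex string to key bytes. -1 on empty/odd length, bad digit or too long. */
int
key_from_hex(const char *hex, struct auth_key *k)
{
	size_t len = strlen(hex), i;

	if (len == 0 || len % 2 != 0 || len / 2 > sizeof(k->key))
		return -1;
	for (i = 0; i < len; i += 2) {
		int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		k->key[i / 2] = (unsigned char)(hi << 4 | lo);
	}
	k->keylen = len / 2;
	return 0;
}

/* ASCII password to key bytes. Too long is an error, not a truncation. */
int
key_from_password(const char *pw, struct auth_key *k)
{
	size_t len = strlen(pw);

	if (len == 0 || len > sizeof(k->key))
		return -1;
	memcpy(k->key, pw, len);
	k->keylen = len;
	return 0;
}

/* Convenience wrappers: resulting key length, or -1 when rejected. */
int
key_len_from_hex(const char *hex)
{
	struct auth_key k;
	return key_from_hex(hex, &k) == 0 ? (int)k.keylen : -1;
}

int
key_len_from_password(const char *pw)
{
	struct auth_key k;
	return key_from_password(pw, &k) == 0 ? (int)k.keylen : -1;
}

/* Password made of n copies of c, to probe the length limit. */
int
key_len_from_repeat(char c, size_t n)
{
	char buf[256];

	if (n >= sizeof(buf))
		return -1;
	memset(buf, c, n);
	buf[n] = '\0';
	return key_len_from_password(buf);
}

/* Byte i of the hex-decoded key, or -1 when the key is rejected. */
int
hex_key_byte(const char *hex, size_t i)
{
	struct auth_key k;

	if (key_from_hex(hex, &k) != 0 || i >= k.keylen)
		return -1;
	return k.key[i];
}

int
main(void)
{
	printf("hex deadbeef -> %d bytes\n", key_len_from_hex("deadbeef"));
	printf("hex abc      -> %d (odd length)\n", key_len_from_hex("abc"));
	printf("password     -> %d bytes\n", key_len_from_password("secret"));
	printf("81 chars     -> %d (too long)\n", key_len_from_repeat('a', 81));
	return 0;
}
```

Storing keylen separately matters for hex keys, where a decoded 00 byte would otherwise end the key early if its length were recomputed with strlen().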


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and a announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer the latter controls
which prefix we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload i was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.


# 1.316 19-Oct-2017 jsg

don't try to print uninitialised memory as a string in error paths
ok deraadt@ claudio@


Revision tags: OPENBSD_6_2_BASE
# 1.315 21-Aug-2017 phessler

When 'enforce neighbor-as no' is set, don't do a config-time check for the neighbor-as, as it is dynamic.


# 1.314 12-Aug-2017 phessler

allow filter rules to be written that affect ibgp or ebgp neighbors

discussed with henning@
OK claudio@, benno@, job@


# 1.313 11-Aug-2017 claudio

softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@


# 1.312 26-Jun-2017 phessler

let admins set an unknown well-known community

from Job Snijders
ok phessler@ benno@


# 1.311 26-Jun-2017 phessler

add support for the "graceful shutdown" well-known community as described
in draft-ietf-grow-bgp-gshut

from Job Snijders
ok phessler@ benno@


# 1.310 26-Jun-2017 phessler

allow setting localpref to 0

from Job Snijders
ok phessler@ benno@


# 1.309 31-May-2017 claudio

Too vs To. Found by Denis Fondras openbsd (at) ledeuns (dot) net


# 1.308 31-May-2017 claudio

Rework the way we do extended communities (mainly in the parser) and update
the IANA table to a somewhat more complete list. This includes BGP Prefix
Origin Validation State support via the ext-community ovs keyword.
OK henning@ benno@ based on a diff by Job Snijders


# 1.307 29-May-2017 phessler

remove the file permission check for bgpd.conf

OK deraadt@, henning@, sthen@, and everyone who has ever been annoyed


# 1.306 28-May-2017 henning

so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T <n> exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno


# 1.305 27-May-2017 phessler

Allow an administrator to disable the bgp loop detection algorithm,
which is useful in very limited situations.

Angry dragons and grues will hunt for you, if you use it.

OK claudio@ sthen@ benno@


# 1.304 27-May-2017 benno

allow only one network <prefix> statement for the same prefix.
ok florian@ phessler@


# 1.303 27-May-2017 phessler

Allow OpenBGPD to selectively choose which local ASN to use per-peer.
This is intended to be used for ASN migrations, not for permanent use.

You MUST use filters to protect yourself from receiving your own routes.
There be dragons and grues.

OK claudio@ benno@


# 1.302 27-May-2017 phessler

allow us to use 'local-as' in the filter language

"match in from any set community local-as:neighbor-as"

OK claudio@


# 1.301 26-May-2017 phessler

AS 0 is special and should be considered an error.

Drop the session if it shows during OPEN or CAPA, or mark as invalid if
it is part of an Update.

required by RFC 7607

man page OK jmc@
OK florian@ benno@ claudio@


# 1.300 26-May-2017 phessler

Expand RIB names in groups

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


# 1.299 26-May-2017 phessler

Allow nested {} in prefix lists.

Diff from Denis Fondras, many thanks!

OK claudio@ phessler@


Revision tags: OPENBSD_6_1_BASE
# 1.298 22-Feb-2017 renato

Add missing htonl for IPsec SPI.

Also, do not allow to configure SPI values in the 0..255 range. RFC 4302
and RFC 4303 say the following:
"The set of SPI values in the range 1 through 255 are reserved by the
Internet Assigned Numbers Authority (IANA) for future use; a reserved
SPI value will not normally be assigned by IANA unless the use of the
assigned SPI value is specified in an RFC. The SPI value of zero (0)
is reserved for local, implementation-specific use and MUST NOT be
sent on the wire".

ok and tweak benno@
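The SPI check described in this message, as an added example that is not bgpd's own parse.y code: parse the configured SPI as an unsigned 32-bit number, reject the reserved 0..255 range the quoted RFC text defines, and apply htonl() once, at the point where the value enters the wire-format field. The function names, the errmsg out-parameter and the SPI_RESERVED_MAX constant are assumptions made for this example.

```c
/* Added illustration (not bgpd's own code): parse an IPsec SPI from config
 * text, reject the IANA-reserved 0..255 range (RFC 4302 / RFC 4303) and
 * convert to network byte order only when building the wire-format field. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPI_RESERVED_MAX	255	/* 0: local use only; 1..255: IANA reserved */

/* Parse text into a host-order SPI. Returns 0 on success, -1 with a
 * message in *errmsg otherwise (a parser would pass that to yyerror()). */
int
parse_spi(const char *text, uint32_t *spi, const char **errmsg)
{
	char *end;
	unsigned long long v;

	if (text == NULL || *text == '\0' || *text == '-') {
		*errmsg = "SPI must be an unsigned number";
		return -1;
	}
	errno = 0;
	v = strtoull(text, &end, 10);
	if (errno != 0 || *end != '\0') {
		*errmsg = "SPI is not a valid number";
		return -1;
	}
	if (v > UINT32_MAX) {
		*errmsg = "SPI does not fit in 32 bits";
		return -1;
	}
	if (v <= SPI_RESERVED_MAX) {
		*errmsg = "SPI values 0..255 are reserved";
		return -1;
	}
	*spi = (uint32_t)v;
	return 0;
}

/* The wire-format field: only here does the SPI become network byte order. */
uint32_t
spi_to_wire(uint32_t spi_host)
{
	return htonl(spi_host);
}

/* Config front end: the host-order SPI, or 0 when rejected. 0 is never a
 * valid accepted value because it is itself reserved, so it is a safe
 * failure marker here. */
uint32_t
spi_from_config(const char *text)
{
	uint32_t spi;
	const char *err;

	if (parse_spi(text, &spi, &err) == -1) {
		fprintf(stderr, "spi %s: %s\n", text ? text : "(null)", err);
		return 0;
	}
	return spi;
}

int
main(void)
{
	/* Constructed sample inputs for the demonstration. */
	const char *samples[] = { "0", "255", "256", "4294967295",
	    "4294967296", "12ab", "-5" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t spi = spi_from_config(samples[i]);

		if (spi != 0)
			printf("spi %s accepted, wire 0x%08x\n", samples[i],
			    spi_to_wire(spi));
	}
	return 0;
}
```

Keeping the host-order value in the config structure and converting in one place is what makes a missing htonl() easy to spot: there is exactly one function whose output is wire byte order.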


# 1.297 25-Jan-2017 claudio

Flag the Loc-RIB with F_RIB_LOCAL so we can remove one ugly hack somewhere else


# 1.296 24-Jan-2017 benno

sync log.c from relayd et al to bgpd.

there is still a little difference regarding handling of the verbosity
value that will be handled later.

ok claudio@ florian@


# 1.295 18-Jan-2017 phessler

while a u_int is large enough for 32bit-asns, it is not big enough for
some of the magic values we use to indicate '*' or neighbor-as.

fixes "allow from any large-community neighbor-as:*:*"


# 1.294 13-Jan-2017 phessler

Add support for draft-ietf-idr-shutdown

BGP state = Idle, marked down with shutdown reason "goodbye, we are
upgrading to openbsd 6.1", down for 00:00:17

developed by Peter van Dijk <peter.van.dijk@powerdns.com> and Job
Snijders <job@ntt.net>, thank you!

OK benno@


# 1.293 05-Jan-2017 krw

Replace hand-rolled for(;;) emptying of 'symhead' TAILQ with more
modern TAILQ_FOREACH_SAFE().

No intentional functional change.

ok millert@ bluhm@ gilles@


# 1.292 05-Jan-2017 krw

Replace symset()'s hand-rolled for(;;) traversal of 'symhead' TAILQ
with more modern TAILQ_FOREACH(). This what symget() was already
doing.

Add paranoia '{}' around body of symget()'s TAILQ_FOREACH().

No intentional functional change.

ok bluhm@ otto@


# 1.291 26-Dec-2016 jca

Typo, "more then" -> "more than"


# 1.290 14-Oct-2016 phessler

Add support for draft-ietf-idr-large-community

Joint work with Job Snijders, many thanks!
OK benno@ deraadt@


# 1.289 05-Oct-2016 phessler

Let bgpd announce routes based on a route-label.

OK henning@ benno@


Revision tags: OPENBSD_6_0_BASE
# 1.288 21-Jun-2016 benno

do not allow whitespace in macro names, i.e. "this is" = "a variable".
change this in all config parsers in our tree that support macros.
problem reported by sven falempin.

feedback from henning@, stsp@, deraadt@
ok florian@ mikeb@


# 1.287 03-Jun-2016 benno

Add operators =, !=, - (range), >< (exclusive range) to the as-path
filters (AS, peer-as, source-as, transit-as).

Add a use case (block illegal AS numbers) to the bgpd.conf example.

feedback from claudio, sthen, florian,
ok florian@ phessler@


Revision tags: OPENBSD_5_9_BASE
# 1.286 27-Oct-2015 mmcc

calloc -> malloc when the memory is immediately overwritten with memcpy.

ok claudio@


# 1.285 22-Oct-2015 reyk

Revert revision 1.282:
"Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option."

This broke the grammar by introducing shift/reduce errors.

OK phessler@


# 1.284 11-Oct-2015 phessler

standardize a community that has been independently created by nearly
every single AS on the planet: the blackhole

OK benno@, claudio@, sthen@


# 1.283 21-Sep-2015 phessler

Let us log all updates sent from an individual peer. Since this can be
applied to a group, also let us disable logging on a sub-member of the
group. Very handy for debugging naughty peers on a router with multiple
peers.

OK benno@


# 1.282 21-Sep-2015 phessler

Allow for empty blocks for peers. While this is bad style for permanent
use, this is very nice to temporarily disable a peer option.

OK sthen@ benno@


Revision tags: OPENBSD_5_8_BASE
# 1.281 16-Jul-2015 claudio

Next round of config cleanup. Move various lists into the bgpd_config struct.
This is the next step to better split parsing and merging the config.
OK benno@


# 1.280 26-Apr-2015 benno

mlarkin asks "bgpctl checks the length of the control socket path to
make sure it fits. When browsing around last night I saw that bgpd
does not. Any reason it shouldn't? Please commit"

Add a check in parse.y to check this when reading the configuration.
ok phessler@ henning@


# 1.279 25-Apr-2015 phessler

allow us to write rules that match directly on the peer AS

...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!


OK benno@
older version OK: claudio@ henning@


# 1.278 14-Mar-2015 claudio

rename rde_free_filter() to filterlist_free() and start using it outside
of the RDE to free the filterlists. Also refactor common code to merge
filterlists into its own function. Makes the code look nicer.


# 1.277 14-Mar-2015 claudio

Move the command line options (mainly -d and -v) out of struct bgpd_config
into a own flag field since these can't be modified via a config reload.
OK henning@ benno@ before lock


# 1.276 14-Mar-2015 claudio

Move the code that adjust FIB priority when changed during a config reload
from the parsing function to the merge_config function where it belongs.
OK henning@ benno@ before lock


Revision tags: OPENBSD_5_7_BASE
# 1.275 20-Nov-2014 jsg

Don't allow embedded nul characters in strings.
Fixes a pfctl crash with an anchor name containing
an embedded nul found with the afl fuzzer.

pfctl parse.y patch from and ok deraadt@


# 1.274 03-Nov-2014 bluhm

Convert the logic in yyerror(). Instead of creating a temporary
format string, create a temporary message.
OK benno@ doug@ claudio@


# 1.273 02-Nov-2014 doug

Add gcc format attributes to parse.y's yyerror() for bgpd.

Fix some of the format characters in yyerror calls: %u -> %zu, %lld -> %u

ok claudio@


Revision tags: OPENBSD_5_6_BASE
# 1.272 02-May-2014 deraadt

spelling; Denis Fondras


Revision tags: OPENBSD_5_5_BASE
# 1.271 22-Jan-2014 henning

relax the cfg file secrecy check slightly to allow group readability
default permissions and mtree NOT changed.
prodded by benno, ok phessler benno jmatthew theo pelikan florian


# 1.270 25-Nov-2013 benno

use u_char for buffers in yylex, for ctype calls
found by millert@, ok deraadt@


# 1.269 13-Nov-2013 florian

Knob to set priority with which bgpd inserts routes into the kernel
routing table. Need for it in "special" setups pointed out by
Loic Blot (loic.blot _AT_ unix-experience _DOT_ fr) on tech.
OK benno, henning


# 1.268 19-Oct-2013 claudio

Merge the prefix and prefixlen filter bits into one filter. Change the
filter expansion so that rules are grouped by prefixes last. The RDE will
then be able to optimize the rules into table lookups but that is a later
step. As additional goodies it is now possible to use inet and inet6
on their own and or-longer can be used as a shorthand for prefixlen >= len.
OK henning@ sthen@ florian@


# 1.267 27-Sep-2013 sthen

typo in macro name; no md5 change


Revision tags: OPENBSD_5_4_BASE
# 1.266 11-May-2013 benno

change mrt rib dump ReopenTimerInterval from time_t to int. Intervals
don't need to scale to 64 bits in this universe.
ok claudio@ & florian@


Revision tags: OPENBSD_5_3_BASE
# 1.265 13-Nov-2012 claudio

Allow filtering based on the NEXTHOP attribute. This allows to build rules
like: allow from any nexthop neighbor (to allow only prefixes that use the
routers IP address as nexthop). Lots of testing, input and OK florian@


# 1.264 23-Sep-2012 claudio

Enable graceful restart by default. The only way to find out if it works for
real. After discussion with sthen@, henning@ and deraadt@.
It can be disabled per neighbor with "announce restart no".


# 1.263 12-Sep-2012 claudio

Better graceful restart support (implementing more than just the EoR record).
This implements only the "Restarting Client" bits of the RFC -- in other
words bgpd will keep the FIB when the client restarts but it will not do GR
when restarting itself. The capability is still off by default (you need
"announce restart yes" to enable it).
Tested by Anders Berggren. OK sthen@


Revision tags: OPENBSD_5_2_BASE
# 1.262 13-Jul-2012 claudio

Make sure that set med 0 is ACTION_SET_MED and not relative. Fixes
set med 0 and Henning's iBGP sessions. OK henning@


# 1.261 12-Apr-2012 claudio

The ebgp flag is just a truth value and it is better to not do == 1 compares.
OK henning@ sthen@


Revision tags: OPENBSD_5_1_BASE
# 1.260 17-Sep-2011 claudio

Implement new mrt table dump format as specified in draft-ietf-grow-mrt.
Tested with IP and IPv6 sessions and against the libbgpdump parser.
OK henning@


Revision tags: OPENBSD_5_0_BASE
# 1.259 01-May-2011 claudio

On reload the filtersets attached to a network need to be moved to the
existing network element. First free the old filterset and then move
the new on top of it. This solves the reload issue with changing network
statements. OK henning@


Revision tags: OPENBSD_4_9_BASE
# 1.258 02-Sep-2010 sobrado

remove trailing spaces and tabs from source code; no binary changes
(verified by both sthen@ and me).

ok sthen@; "just commit it" claudio@


Revision tags: OPENBSD_4_8_BASE
# 1.257 03-Aug-2010 henning

fix linecount bug with comments spanning multiple lines
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?


# 1.256 27-Jun-2010 claudio

Instead of specifying the control sockets on the command line have them
in bgpd.conf. This allows to add/modify restricted control sockets on runtime.
Feature request by a few people who often forgot to add -r path when restarting
bgpd (including myself).
NOTE: this removes the -s and -r arguments from bgpd so pay attention when
updating.
jajaja sthen@, OK henning@


# 1.255 17-May-2010 claudio

Implement two new filters, max-as-len and max-as-seq. The first is limiting
the length of an AS path (matches if the path is longer than the specified
length) the second matches when a sequence of the same AS number is longer
than the specified length).
max-as-len is good to protect crappy commercial bgp boxes from other crappy
commercial bgp boxes. max-as-seq was a feature request from SwissIX and maybe
EuroIX to find and filter prepends.
Additional testing and OK sthen@


# 1.254 17-May-2010 claudio

Last bits of MPLS VPN support. Hook kernel routing tables and RIB together.
This adds a bit of new config to specify the mapping between an rdomain and
the BGP MPLS VPN instance, example:
rdomain 1 {
    descr "CUSTOMER1"
    rd 65003:1
    import-target rt 65003:3
    export-target rt 65003:1
    depend on mpe0
    network 192.168.224/24
}
The "depend on mpe0" is a bit ugly but for now this is the quickest way to
figure out which interface bgp should use to insert the MPLS routes.

A big side-effect of this diff is that networks are now internally
distributed through kroute.c.
This needs some kernel changes that will follow hopefully soon.
OK henning@


# 1.253 03-May-2010 claudio

Make it possible to load multiple routing tables at the same time and use
those for alternate RIBs. This allows to use "rde rib TESTIT rtable 1".
NOTE: nexthop verification has changed for alternate tables. For now
nexthop will only be verified against the main routing table (id 0).
Because of this "nexthop qualify via bgp" may now compare the nexthops
against bgpd routes from a different RIB.
Tested by sthen@, OK to move on by henning@


# 1.252 28-Apr-2010 claudio

Allow neighbor-as in AS filter statements like:
match from any source-as neighbor-as set localpref 1000
OK henning@


# 1.251 26-Apr-2010 claudio

Fix some memory leaks on config reload failure and move one particular
cleanup loop to parse.y where it belongs.
OK henning@


# 1.250 31-Mar-2010 claudio

network static and network connected have been superseded by network inet
static and network inet connected a long time ago. It is time to remove
the old compat code.


Revision tags: OPENBSD_4_7_BASE
# 1.249 05-Mar-2010 claudio

Allow to filter for ext-community attributes. Currently only perfect matches
work but that's already better than nothing. OK sthen@


# 1.248 13-Jan-2010 claudio

Add support for BGP MPLS VPN aka RFC 4364. This is only the RDE part so
that it is possible to use OpenBGPD as a route-reflector for VPNv4.
Some clean up of the BGP MP code so that multiple protocols are more easily
supported. kroute/kernel support not yet done but coming.
OK henning@, reyk@


# 1.247 11-Jan-2010 deraadt

lex <=, >=, !=, and >< into a single token for correctness and to reduce the
lookahead in the parser
ok henning


# 1.246 16-Dec-2009 claudio

Implement "set ext-community [delete] subtype key:value" to set and delete
extended communities as specified in RFC 4360. No matching implemented yet
and stuff like * and neighbor-as are neither supported but will be soon.
Looks good henning & sthen, manpage fixed by jmc


# 1.245 09-Dec-2009 claudio

parsecommunity() always works on a struct filter_community. So pass a
pointer to the struct instead of two int pointers.


# 1.244 09-Dec-2009 claudio

parsecommunity() does not allow to set unknown well-known communities.
So there is no need to check that again. Switch a USHRT_MAX to
COMMUNITY_WELLKNOWN to make the compare clearer, the values are the same.


# 1.243 08-Dec-2009 claudio

Big AID change part two. This changes the mp capability into an array of
flags. This makes a lot of code much easier since the comparison is now
trivial. Additionally calculate the negotiated capabilities for a session
in the SE and pass that and only that to the RDE. This makes the decisions
in the RDE a lot easier. OK henning@


# 1.242 06-Dec-2009 claudio

Doh, switch src and dst in memcpy calls or the wrong thing gets copied.
For some reason memcpy has the arguments reversed - grmbl.
Found the hard way by Insan Praja.


# 1.241 01-Dec-2009 claudio

Use an artificial address family id in struct bgpd_addr and almost everywhere
else. Adds conversion functions to map AFI/SAFI and the Unix AF_ values
from and into AID used in bgpd. This is needed to support things like MPLS
VPN and other upcoming changes that need to play a lot with AFI/SAFI pairs.
Mostly mechanical change, henning@ has no particular issues with this.
Must go in so that I can continue working.


# 1.240 26-Nov-2009 henning

support for set origin; based on an initial diff from
Sebastian Benoit <benoit-lists at fb12 dot de> who also tested this version
claudio ok


# 1.239 11-Nov-2009 claudio

Plug two memory leaks in error paths. Found by parfait. OK henning, jsg


# 1.238 13-Oct-2009 claudio

Disable graceful restart for now. The EOR marker is sent in the wrong place
and fixing this is not a two liner. Will be enabled again once I have found out
how to fix this.


# 1.237 06-Oct-2009 claudio

Add config knobs to enable/disable individual BGP capabilities per neighbor.
e.g. announce refresh no. With this be more aggressive when announcing our
capabilities and enable all of them by default. If there are troubles with
some neighbors adding the following config lines should bring you back
to the old behaviour:
announce refresh yes # was already on by default
announce restart no
announce as-4byte no # was only set on sessions to peers with 4byte AS nums
OK henning and sthen


# 1.236 04-Sep-2009 claudio

Make sure that a proper syntax error is produced when something else than
yes or no is used in a yes/no token. OK henning


# 1.235 04-Sep-2009 claudio

Use the address family of the neighbor IP to decide which MP type to use.
IPv4 sessions will still default to only announce inet unicast but now
IPv6 sessions will by default use announce inet6 unicast. The defaults
can be overridden on groups and in the neighbor itself but this new
behaviour is way more sane than the old one. OK henning, sthen


# 1.234 31-Aug-2009 claudio

Use UINT_MAX instead of ASNUM_MAX and get rid of this mostly useless define.


# 1.233 03-Aug-2009 claudio

Make announce "self" work like all others (self is a bit special because
it's a keyword but "self" is not). OK henning@


# 1.232 20-Jul-2009 claudio

Flag added RIBs as F_RIB_NOFIB | F_RIB_NOEVALUATE in the no-eval case even
though F_RIB_NOEVALUATE implicitly includes F_RIB_NOFIB.


Revision tags: OPENBSD_4_6_BASE
# 1.231 06-Jun-2009 claudio

Some preliminary filter magic to support multiple RIBs on the filters.
It is ugly but does the trick for now. Filters will be rewritten anyway.
The rib specifier only makes sense on from rules. e.g. deny rib OMG from any


# 1.230 06-Jun-2009 claudio

Only the main Loc-RIB should update the FIB for now. So introduce a
F_RIB_NOFIB flag and apply it on all RIBs that are not F_RIB_NOEVALUATE.


# 1.229 05-Jun-2009 claudio

Don't call the main RIB DEFAULT but Loc-RIB. Makes more sense.


# 1.228 05-Jun-2009 claudio

Make it possible to bind peers to a specified RIB. Now only filters and
bgpctl are missing to have full support of multiple RIBs.


# 1.227 04-Jun-2009 claudio

Make mrt understand alternate RIB plus remove some other static rib references.
There is still a problem with the mrt dumps because we only allow one in the
RDE. This needs some additional work.


# 1.226 04-Jun-2009 claudio

Add "rde rib <name>" to the config and allow the rde to use these other RIBs.
Still a bit hackish, reload is missing and printconf as well. Looks good h@


# 1.225 27-May-2009 reyk

add an option to change the "connect-retry" timer which defaults to 120s.
this can be used to decrease the failover time in specific carp'ed
IBGP setups.

ok henning@


# 1.224 23-Apr-2009 sthen

allow bgpctl and bgpd.conf to contain 32-bit ASN written in ASPLAIN
format (RFC5396). ok claudio@ henning@


# 1.223 31-Mar-2009 tobias

Fixed memory leaks which would occur if the second of two memory
allocations fails.

looks right deraadt, krw
ok henning


# 1.222 26-Mar-2009 henning

argh, do not reuse the global trans_as flag to be applied to the peer
specific or we had to widen the peer specific flags without need.
define PEERFLAG_TRANS_AS instead and use that


# 1.221 22-Mar-2009 henning

make transparent-as yes|no settable per neighbor with the global setting
acting as default.
per-neighbor requested by arnold nipper @ decix, ok claudio


# 1.220 18-Mar-2009 claudio

Introduce local_as in the peer config. This allows per peer local AS and
simplifies some code because it is possible to get the local AS from the
peer struct. Local AS needs more patching to work correctly though.
OK henning@


Revision tags: OPENBSD_4_5_BASE
# 1.219 16-Feb-2009 sthen

typo in error message; "bigger that" -> "bigger than"


# 1.218 17-Oct-2008 henning

bring in the findeol() fix from pfctl. list of affected parsers by sthen


Revision tags: OPENBSD_4_4_BASE
# 1.217 08-Jul-2008 claudio

Use correct format string specifier for int argument. Don't try to print it
as string. Fixes crash seen by Peter Bristow. "obviously ok" henning@


# 1.216 15-Jun-2008 claudio

Allow bgpd to delete more than one community per filter rule. Fixes PR5807
tested by Raphael Ho long time ago.


Revision tags: OPENBSD_4_3_BASE
# 1.215 26-Feb-2008 mpf

Have popfile() also close the main config file,
but only do the final popfile call after yyparse() is done.
This also fixes config reload on SIGHUP for some daemons.

Spotted by otto@. OK deraadt@


# 1.214 12-Nov-2007 mpf

Remove space/tab compression function from lgetc() and replace
it with a simple filter in the yylex() loop.
The compression in lgetc() didn't happen for quoted strings,
thus creating a regression when tabs were used in variables.
Some testing by todd@ and pyr@
OK deraadt@


# 1.213 20-Oct-2007 pyr

ntpd and bgpd's turn to behave like the others.
ok henning@


# 1.212 16-Oct-2007 mpf

Allow '=' to end a number in all lexers.
Requested and OK deraadt@


# 1.211 16-Oct-2007 deraadt

in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
pointed out by mpf, discussed with pyr


# 1.210 13-Oct-2007 deraadt

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex. this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.


# 1.209 11-Oct-2007 deraadt

next step in the yylex unification: handle quoted strings in a nicer fashion
as found in hoststated, and make all the code diff as clean as possible. a
few issues remain mostly surrounding include support, which will likely be
added to more of the grammars soon.
ok norby pyr, others


# 1.208 13-Sep-2007 claudio

Move parser to use NUMBER as all other parse.y do now. A bit tricky because
all the relative metrics need some special handling. OK henning@ deraadt@


Revision tags: OPENBSD_4_2_BASE
# 1.207 31-May-2007 claudio

Init community in get_rule() to COMMUNITY_UNSET. get_rule() is called when
set is used inside neighbor or group statements and the result was that
these rules no longer matched everything. Problem found by Jon Morby.
Please commit henning@


# 1.206 31-May-2007 claudio

Even though some IX in Germany likes to abuse 0 as AS community number we should
not allow anybody to use 65535. That one is reserved for well known
communities. Add in that check again.


# 1.205 28-May-2007 henning

allow matching on communities using 0 in the AS part, that is in use.
that unfortunately means we cannot use 0 for "unset".
ok claudio


# 1.204 23-Apr-2007 claudio

Make bgpd 4-byte AS compatible. All internal representations of AS numbers
are now 4-byte instead of the old 2-byte numbers. The only exception is
communities because they can not be switched. The RDE will inflate and deflate
the ASPATH and AGGREGATOR attributes on demand and create the NEW_ASPATH and
NEW_AGGREGATOR field whenever needed. Both old and new style sessions are
supported and can be mixed. Currently new style sessions with the 4-byte AS
number capability turned on are only enabled if one of the AS numbers involved
is a 4-byte one.
This is based on an initial diff by Geoff Huston gih (at) apnic (dot) net
Cleanup, testing and bug-fixes by myself (via AS 3.10).
Currently mrt table dumps are producing incompatible output; this will be fixed
afterwards -- this diff is already big enough.

"get it in if you think it is ready" henning@


# 1.203 17-Apr-2007 claudio

Make "network inet connected" work again. inet and inet6 became keywords
some time ago. OK henning@


# 1.202 29-Mar-2007 claudio

Until now prefixlen defaulted to AF_INET if it was used without a prefix.
This makes prefixlen filtering for AF_INET6 unnecessarily complex. From now
on if prefixlen is used alone the address family needs to be specified
beforehand via the new inet or inet6 keywords.
Remove an old check so that it is finally possible to filter IPv6 prefixes.
OK henning@


Revision tags: OPENBSD_4_1_BASE
# 1.201 06-Mar-2007 henning

allow filtering on peer-as (leftmost AS in path), ok claudio


# 1.200 22-Feb-2007 henning

KNF


# 1.199 26-Jan-2007 claudio

AS 65535 aka USHRT_MAX is reserved and may not be used so adapt the
range check. Found while hacking on 4-byte AS support.


# 1.198 05-Dec-2006 henning

implement the ttl security hack. since the pc slaves fear the word hack,
they call it "Generalized TTL Security Mechanism" officially, RFC 3682.
manpage with help from jmc


# 1.197 28-Nov-2006 henning

allow bgpd to work on alternate routing tables, claudio ok, jmc manpage help


# 1.196 25-Oct-2006 henning

use strtonum, Pierre-Yves Ritschard <pyr@spootnik.org>


# 1.195 19-Sep-2006 henning

save the parser state in one big struct, and make it interchangeable, aka
make the parser restartable. with that implement "include" file support.
makes life a _lot_ easier with filter generation tools. claudio ok


# 1.194 19-Sep-2006 henning

kill useless debug code that somehow snuck in, some 2 years ago...


Revision tags: OPENBSD_4_0_BASE
# 1.193 27-Aug-2006 henning

add code to announce the restart capability according to
draft-ietf-idr-restart. Do not announce actual restart capabilities,
so that this only serves as indicator that we are capable of sending
and receiving the End-of-RIB marker.
leave disabled for now, since the code to actually send the EoR-marker
is currently ifdef'd out (to be fixed soon) and we wanna play safe for
4.0. and juniper doesn't support that capability (which is not a problem
per se) and at the same time has its capability negotiation code completely
fucked up, if a capability is rejected they don't indicate WHICH capability
they reject (which makes that a problem, tho still a small one and we cope).
claudio ok


# 1.192 04-Aug-2006 henning

add "restart" to max-prefix, allows sessions suspended due to reaching
max-prefix to be restarted automagically after a given number of minutes
requested by "Sylwester S. Biernacki" <obeer@obeer.com>, manpage help jmc,
ok claudio


# 1.191 17-Jun-2006 henning

implement carp demotion control for bgpd.
sessions can be configured to modify the carp demotion counter for a
given interface group (usually, "carp", which has all carp interfaces)
when the session is not established. once the session is established for
60 seconds, the demotion is cleared.
this, used correctly, can prevent a bgpd-box which lost all sessions (and
thus has no routes) from being carp master, while the backup has sessions.
thought through and partially hacked on a drive from calgary to vancouver
with ryan, ok claudio


# 1.190 31-May-2006 pat

Plug memory leaks in error path; ok henning@


# 1.189 26-May-2006 deraadt

\<char> is <char> except for \<newline> -- no exceptions. much like how
other things work. ok henning


# 1.188 26-Apr-2006 claudio

Remove filterset_names from bgpd.h and replace it with a function because
the table was already out of sync now. OK henning@


# 1.187 18-Apr-2006 henning

cannot see the string self in the ANNOUNCE STRING prod any more since
self is a token now


# 1.186 18-Apr-2006 claudio

Fix "announce self" that got broken by "nexthop self". Found by Thomas Bader.
OK henning@


# 1.185 04-Apr-2006 henning

add "set nexthop self", force nexthop to be set to own address even with IBGP
requested & tested Falk Brockerhoff <fb@smartterra.de>, and tony sarendal
tested this too. claudio ok


# 1.184 22-Mar-2006 claudio

Change the way bgpd selects nexthops. Up until now every route was considered
when calculating the nexthop. Now only non BGP routes and not the default
route are used unless forced with the new config options
nexthop qualify via bgp
nexthop qualify via default
This change is required for complex setups e.g. where an additional IGP is
running. OK henning@


# 1.183 07-Mar-2006 claudio

Fix a bug reported by Xavier Beaudouin. On config reloads set parameters
inside group blocks were reset to default values. The problem was that
group ids changed on reload as soon as a new peer was added to one group.
Make sure that group ids remain the same over reloads; a similar thing is
already done for peer ids. ok henning@


# 1.182 04-Mar-2006 miod

Typos grab bag of the month, eyeballed by jmc@


Revision tags: OPENBSD_3_9_BASE
# 1.181 10-Feb-2006 claudio

Make it possible to turn softreconfig in/out on or off. Default is on for
both directions. Manpage update follows. OK henning@


# 1.180 09-Feb-2006 claudio

Implement "set community delete 65001:*" and friends. This will remove
communities from the path attributes. Useful to make sure that the ones you
set later are set by an (evil) peer. OK henning@


# 1.179 02-Feb-2006 claudio

Implement new special community "neighbor-as". neighbor-as is expanded on
the fly to the remote AS of the current neighbor. This can be used to
simplify rulesets in a dramatic way -- going from a script based nightmare
down to a handful of rules. jajajaja henning@


# 1.178 07-Jan-2006 claudio

Add COMMUNITY_NO_PEER to the list of known wellknown communities else it
is not possible to use NO_PEER as community in the config.


# 1.177 29-Nov-2005 claudio

superfluous ; OK henning@


# 1.176 01-Nov-2005 claudio

Sort filter_set with equal type as well. This affects community
attributes and set nexthop. Now the full filter set list is sorted.


# 1.175 01-Nov-2005 claudio

Relative metrics should be stored in relative and not metric. The one
is signed the other not.


# 1.174 01-Nov-2005 claudio

Make sure, that the list of filter_sets is ordered. Makes comparing easier.


# 1.173 01-Nov-2005 claudio

Switch from the per peer filter set list to a filter-only solution.
The default filter_sets are converted into match filter rules that get
evaluated first. Simplifies code massively -- mainly the config reload
part -- and makes softreconfig out a piece of cake. "get it in" henning@


# 1.172 19-Oct-2005 henning

new keyword "down" in neighbor spec, when given, the session is not
started on bgpd startup but stays in IDLE. requested by claudio


Revision tags: OPENBSD_3_8_BASE
# 1.171 09-Aug-2005 claudio

Introduce new route decision tunable "rde med compare (always|strict)".
If set to always the med will also be compared between different AS.
The default is strict which is the way the RFC specifies it.
OK henning@


# 1.170 28-Jul-2005 henning

keywords have to be sorted, and I can't sort properly


# 1.169 28-Jul-2005 henning

allow the to be announced SAFIs to be specified per peer, that is part of the
multiprotocol shitz
claudio needs this to proceed with v6 stuff in the RIB, print stuff and
manpage later
from whatthehack, claudio ok, marcm schnell schnell schnell


# 1.168 04-Jul-2005 claudio

New function filterset_cmp() used to compare two struct filter_set for
equality. This function is a bit more complicated than a memcmp() because there
are types that need to be considered equal e.g. ACTION_SET_MED and
ACTION_SET_RELATIVE_MED. Also ACTION_SET_COMMUNITY and ACTION_SET_NEXTHOP
need some special care. OK henning@


# 1.167 04-Jul-2005 claudio

Switch some parser rules from "string" to "STRING". "string" is too greedy
and hides possible typos. e.g. set { rtlabel foo localperf 100 } was a valid
syntax but the result was a route label with name "foo localperf 100".
OK henning@


# 1.166 01-Jul-2005 claudio

Switch filter_sets from SIMPLEQ to TAILQ, needed for upcoming stuff.


# 1.165 29-Jun-2005 claudio

rtlabel support via filter sets. Just use "set rtlabel foobar" in filters
network and neighbor statements and the routes are labeled accordingly.
While doing that fix some mem-leaks by introducing filterset_free() and
remove the free on send option of send_filterset().
This took a bit longer because we need to carefully track the rtlabel id
refcnts or bad things may happen on reloads.
henning@ looks fine


# 1.164 09-Jun-2005 claudio

Change the "network connected|static" statements to "network inet|inet6
connected|static" so that it is possible to distinguish between IPv4 and IPv6
addresses. "network connected|static" is considered deprecated but will be
supported as an alias for "network inet connected|static" for some time (one
release) to simplify upgrades. This also solves a nasty crash when using
"network connected". OK henning@


# 1.163 24-May-2005 claudio

Remove unnecessary error check that is already done in parsecommunity().


# 1.162 28-Apr-2005 claudio

Support for "network connected" and "network static" -- announce all
directly connected respectively all static routes. The list is
automatically adjusted as soon as a route changes.
OK henning@


# 1.161 17-Apr-2005 henning

and don't try to free a null set either


# 1.160 17-Apr-2005 henning

fix null pointer deref on filter rules without set part
problem reported by "Alexey E. Suslikov" <cruel@texnika.com.ua>


# 1.159 13-Apr-2005 claudio

filter_set cleanup. Plug some memleaks and fix an obvious bug in the
network case. OK henning@


# 1.158 12-Apr-2005 claudio

Introduce a per prefix weight. The weight is used to tip prefixes with equal
long AS paths in one or the other direction. It weights a prefix at a very
late stage in the decision process. This is a nice bgpd feature to traffic
engineer networks where most AS paths are equally long.
OK henning@


# 1.157 12-Apr-2005 claudio

Fix some yyerror messages. Ja ja, INT_MAX is too small... OK henning@


# 1.156 29-Mar-2005 henning

walk & free network and filter lists after parse errors
ok claudio theo


# 1.155 28-Mar-2005 henning

walk & free peer_l after failed config parsing attempts


# 1.154 23-Mar-2005 claudio

Move the neighbor checking code from merge_config() to neighbor_consistent()
where it belongs. OK henning@


Revision tags: OPENBSD_3_7_BASE
# 1.153 16-Mar-2005 henning

don't try to merge the freshly parsed config into the running one if
we had parser failures...
debugging session with claudio and jason ackley
ok claudio norby deraadt


# 1.152 14-Mar-2005 claudio

Allow to modify the metrics in a relative way by prepending the number with
a '+' or '-'. e.g. set localpref +20. This is another gem from the FOSDEM
lying around on my HD gathering dust. OK henning@


# 1.151 13-Mar-2005 henning

s/to many/too many/, from jmc


# 1.150 11-Mar-2005 claudio

Finally commit the transparent-as and nexthop no-modify stuff I wrote on the
way to FOSDEM. With transparent-as set to yes bgpd will not prepend its own
AS for sent updates. NB the neighbor needs to set "enforce neighbor-as no"
or it will not like the received AS paths. With set nexthop no-modify bgpd
will change the nexthop as done normally.
OK henning@ man page update with help of jmc@


# 1.149 23-Dec-2004 henning

KNF


# 1.148 23-Nov-2004 claudio

Switch from a single filter_set to a linked list of sets. With this change
it is possible to specify multiple communities. This is also the first step
to better bgpd filters. OK henning@


# 1.147 19-Nov-2004 claudio

For consistency reasons rename struct as_filter to struct filter_as.
OK henning@


# 1.146 19-Nov-2004 claudio

Make "set network 127.0.0.1" work and use = instead of |= for the
blackhole/reject case as $$ is not zeroed. This caused funny results in
merge_filterset(). OK henning@


# 1.145 18-Nov-2004 henning

add an instance of struct capabilities to peer_conf, and inherit
peer->capa.ann from this


# 1.144 11-Nov-2004 claudio

New config statement "rde route-age [evaluate|ignore]". If set to evaluate
the best path selection will not only be based on the path attributes but
also on the age of the prefix. This is an extension to the RFC. The default
is ignore but previously it was implicitly set to evaluate.
OK henning@ man page OK jaredy@ jmc@


# 1.143 05-Nov-2004 henning

memleaks in error paths, again awesome work from Patrick Latifi


# 1.142 04-Nov-2004 henning

(try to) open the config file earlier, makes the error handling easier in
case we cannot. in fact there was one missing free(), thus this diff
plugs a little memory hole (without real-world relevance I guess).
From Patrick Latifi, thanks!


# 1.141 19-Oct-2004 henning

allow neighbor definitions to depend on interface state.
with this, if a neighbor is configured as dependent on carp0 for example,
the neighbor will remain in state IDLE as long as carp0 is not master.
once carp0 becomes master the session(s) depending on it immediately
go to CONNECT (or ACTIVE, if they're configured passive), reducing failover
time. claudio ok, with some input from ryan as well


# 1.140 28-Sep-2004 claudio

Add prepend-neighbor feature. Prepend the remote-as n times similar to
prepend-self. Only for incoming UPDATEs. OK henning@


Revision tags: OPENBSD_3_6_BASE
# 1.139 24-Aug-2004 henning

don't do the pftable_exists() check if we are running -n, needs root


# 1.138 24-Aug-2004 henning

correctly inherit conf->opts from xconf->opts in parse_config(),
found by claudio


# 1.137 24-Aug-2004 claudio

back out rev. 1.136. I committed that unintentionally and it does not work
without other nastier changes in parse.y.


# 1.136 20-Aug-2004 claudio

Grrr. copy paste error. Dump MED and not local-pref. OK henning@


# 1.135 20-Aug-2004 claudio

foobar-AS -> foobar-as as already done in some places. mIXeD cASe keywords
are not fluffy. OK henning@


# 1.134 17-Aug-2004 claudio

Merge set constructs in neighbor statements. This fixes a common problem:
previous sets were cleared by the last one. OK henning@


# 1.133 13-Aug-2004 claudio

Fix minor issues with IPv6 dumps and add a function for dumping the RIB table
protocol independent. This new dump format is not (yet) supported by the
mrtd route_btoa tool. OK henning@


# 1.132 10-Aug-2004 claudio

switch nexthop in struct filter_set from struct in_addr to struct bgpd_addr
OK henning@


# 1.131 05-Aug-2004 claudio

tab at EOL


# 1.130 03-Aug-2004 claudio

deny hilarious prepends. OK henning@


# 1.129 02-Aug-2004 claudio

Fix a possible mem leak and add a missing yyerror(). OK henning@


# 1.128 30-Jul-2004 claudio

Add new announce type "default-route" which will only announce the default
route to the specified neighbor. Idea and OK henning@


# 1.127 28-Jul-2004 henning

allow "set metric" as synonym for "set med", from discussion with & ok claudio


# 1.126 28-Jul-2004 henning

allow prefix lists inside prefix lists


# 1.125 28-Jul-2004 henning

allow AS lists inside AS lists


# 1.124 28-Jul-2004 henning

prevent the filter elements from being given more than once


# 1.123 28-Jul-2004 henning

add list expansion for AS in filter rules
actually, it's list expansion on steroids, this works:
deny from any { source-AS { 3320 852 } AS { 4589 174 } }


# 1.122 28-Jul-2004 henning

rework the filter_match production and everything below - fixes
a couple of bugs


# 1.121 27-Jul-2004 henning

add support for {} expansion for prefix in the filter rules, claudio ok


# 1.120 27-Jul-2004 henning

support macro expansion for peer spec in filter rules
things like
deny from { $peer1 $peer2 } prefix 192.168.0.0/16
are now possible.


# 1.119 13-Jul-2004 jaredy

fix some typos

ok henning otto


# 1.118 05-Jul-2004 henning

implement "set nexthop blackhole" and "set nexthop reject"
blackhole/reject routes will be entered to the kernel for matching ones.
this is intended to be used with the Cymru Bogon Route Server Project
(http://www.cymru.com/BGP/bogon-rs.html) and similar services, claudio ok


# 1.117 03-Jul-2004 claudio

Switch mrt dumping to fd passing. This gives some speed up when extensive
dumping is done. Actually mrt dumps were broken because of the fd passing.
The nice side effect is a much cleaner code, especially in the parent process.
OK henning@


# 1.116 23-Jun-2004 claudio

Support rfc 3765 which adds a new well known community NOPEER. OK henning@


# 1.115 20-Jun-2004 henning

at least somewhat consistently name the TAILQ_ENTRYs... this confused me
more than once


# 1.114 08-Jun-2004 henning

fix a few memory leaks in error paths and one in the pftable path,
and simplify the prefix production error handling slightly
from Mr. Memleak Terminator Patrick Latifi <pat@eyeo.org>, kickass!


# 1.113 06-Jun-2004 henning

rework bgpd's handling of listening sockets. instead of one for each
supported address family, keep a tailq of an arbitrary number of them.
the new struct listen_addr contains the sockaddr and the fd.
this fixes quite some nasty behaviour which was a consequence of the previous
model.
looks right deraadt@, and discussed with claudio


# 1.112 21-May-2004 claudio

RFC 2796 bgp route reflector support. This is very useful in conjunction
with templates. looks good, go for it henning@


# 1.111 17-May-2004 djm

extend filter language to allow basic setting of COMMUNITIES attribute.
ok claudio@


# 1.110 08-May-2004 henning

off by one in key too long detection


# 1.109 08-May-2004 henning

fix redefinition detection with manual keyed ipsec


# 1.108 08-May-2004 henning

with manual keyed ipsec, we need keys and spis for both directions -
enforce that


# 1.107 08-May-2004 henning

KNF


# 1.106 08-May-2004 henning

break out the consistency checking for neighbors in its own function,
and verify that peers with ipsec have local-address specified (needed to
set up the flows...)


# 1.105 08-May-2004 henning

allow for neighbor statements without { parameters } block; everything
can be inherited from the group


# 1.104 08-May-2004 henning

add support for ipsec ah with manual keys, pfkey part already does so, and
flesh parser out a bit. also add support for printing ipsec ah with manual
keys in printconf


# 1.103 08-May-2004 henning

factor out the string -> key conversion code used for md5sig and twice for ipsec


# 1.102 07-May-2004 djm

add a filter option to dump prefixes learned in UPDATEs into a PF table,
intended for building realtime BGP blacklists (e.g. with spamd);
ok claudio & henning


# 1.101 06-May-2004 henning

we need a separate field for the md5 key len, can't use strlen, noticed
by markus some time ago


# 1.100 04-May-2004 claudio

Correctly plug the memory leak and fix an error message.


# 1.99 30-Apr-2004 deraadt

plug memory leaks; henning ok


# 1.98 30-Apr-2004 deraadt

spelling


# 1.97 29-Apr-2004 deraadt

sock -> fd; ok henning


# 1.96 28-Apr-2004 deraadt

FILE * leak; henning ja ja ja ja


# 1.95 28-Apr-2004 henning

allow ah/esp spec with IKE, markus ok


# 1.94 28-Apr-2004 henning

prevent multiple auth methods from being specified


# 1.93 28-Apr-2004 henning

prefix the auth related defines by AUTH_, we had a name clash, markus ok


# 1.92 27-Apr-2004 markus

set conf.auth.method for md5, too


# 1.91 27-Apr-2004 henning

ike before in


# 1.90 27-Apr-2004 henning

rename the ipsec struct to auth, move all tcpmd5 related fields in there, and
add a generic "method" field that expresses what method
(none/md5sig/ipsec manual/ipsec ike) is in use
markus ok


# 1.89 27-Apr-2004 henning

parser parts for ipsec ike, markus ok


# 1.88 27-Apr-2004 deraadt

crud stripping; henning ok


# 1.87 27-Apr-2004 henning

curpeer must be set back to curgroup, not NULL


# 1.86 26-Apr-2004 henning

need more checks on the keys


# 1.85 26-Apr-2004 henning

unbreak


# 1.84 26-Apr-2004 henning

don't forget to set keylen, markus


# 1.83 26-Apr-2004 henning

parser support for setting ipsec keys and such, markus ok


# 1.82 25-Apr-2004 henning

reserve upper half of the (internal) ID space for cloned neighbors, claudio ok


# 1.81 25-Apr-2004 henning

fix check whether local-address and neighbor are of same address family -
we have to delay this because the current context might be a group and not
a single neighbor, claudio ok


# 1.80 25-Apr-2004 henning

add "neighbor cloning", allowing you to specify a prefix and prefixlength
instead of the neighbor's IP address. When a connection comes in matching
that mask we clone the neighbor spec.
IPv6 match code by itojun, rde feeding by claudio, ok claudio


# 1.79 24-Apr-2004 henning

some rather boring windows talk at cansecwest made me hack initial support
for IPv6 transport
parts based on a diff from Brent Graveland
ok itojun@ claudio@


Revision tags: OPENBSD_3_5_BASE
# 1.78 11-Mar-2004 claudio

There is no cnumber token in the parser so don't define a type for it.


# 1.77 11-Mar-2004 henning

yes, the keyword table has to be sorted ;-)


# 1.76 11-Mar-2004 claudio

Add basic support for communities. Currently it is only possible to filter
on communities, e.g. match from any community 24640:* set localpref 666
OK henning@


# 1.75 10-Mar-2004 henning

oups


# 1.74 10-Mar-2004 henning

implement framework to announce capabilities in the open messages we send.
this includes handling "unsupported optional parameter" notifications from the
peer and retrying without capability announcement. claudio ok


# 1.73 08-Mar-2004 henning

mem leaks in error paths, mostly from Patrick Latifi


# 1.72 08-Mar-2004 henning

typo in format string (ugh!) and few missing free()s, partially from
Patrick Latifi


# 1.71 06-Mar-2004 henning

plug a memory leak in the lexer.
the issue is this code fragment from yylex():
	token = lookup(buf);
	yylval.v.string = strdup(buf);
	if (yylval.v.string == NULL)
		fatal("yylex: strdup");
	return (token);
lookup() tries to match buf against a list of keywords, and returns the
associated token if it has a match, or the token STRING otherwise.
STRING is the only token that needs (and free()s) yylval.v.string. however,
we assigned memory for it with the strdup in yylex for each and every token.
the fix is obviously only setting yylval.v.string when lookup() returns STRING.
Patrick Latifi noticed that something was leaking with token handling,
analysis and fix by me.
ok deraadt@


# 1.70 05-Mar-2004 henning

plug a couple of memory leaks, Patrick Latifi


# 1.69 02-Mar-2004 henning

KNF


# 1.68 02-Mar-2004 henning

flesh out the address and prefix parsing, include v6 code, but reject v6
upwards, claudio ok


# 1.67 01-Mar-2004 henning

make sure AS doesn't exceed upper bound, issue pointed out by
Brent Graveland <brent@graveland.net>


# 1.66 01-Mar-2004 henning

KNF


# 1.65 01-Mar-2004 claudio

Sync printconfig.c with parse.y. OK henning@


# 1.64 01-Mar-2004 claudio

Make it possible to disable the decision process. This is a feature only useful
for route-collectors. OK henning@


# 1.63 26-Feb-2004 claudio

Implement "enforce neighbor-as yes|no" which is by default on for ebgp
neighbors. While doing that check also that the nexthop is valid (not class D
or E and not in 127/8 range). Kill some TODO and XXX and rename the british
neighbour to neighbor as used everywhere else. OK henning@


# 1.62 26-Feb-2004 claudio

No comma at the end of the keywords array. OK henning@


# 1.61 26-Feb-2004 claudio

Add per network definition filter sets. So you can now use
network 10.0.0.0/8 set localpref 100
OK henning@


# 1.60 25-Feb-2004 claudio

Rewrite some parts of the mrt dump handling. It is no longer possible to
dump the filtered updates but therefore it is now possible to dump per
neighbor and also to dump the outgoing messages. OK henning@


# 1.59 25-Feb-2004 henning

kill "updates" keyword and use an ordinary string + strcmp at the one place
where it's needed, claudio ok


# 1.58 24-Feb-2004 claudio

Enhance filters. prefixlen knows now 8-24 and 8><24. It is possible to use
prefix 10.0.0.0/8 prefixlen >= 8 and set localpref 100 can be set on a per
neighbor basis. OK henning@


# 1.57 19-Feb-2004 claudio

Make the code more portable. Add some missing header files and make the use
of the queue(3) macros more portable. OK henning@ some time ago.


# 1.56 10-Feb-2004 henning

enforce config file secrecy (correct owner, no rights for group/world)
help and ok theo


# 1.55 09-Feb-2004 henning

make max_prefix a u_int32_t instead of a u_long and change its
meaning as in 0 means no limit instead of setting it to ULONG_MAX for
no limit


# 1.54 09-Feb-2004 henning

move printing the config to where it belongs


# 1.53 08-Feb-2004 henning

factor out functions to print the configuration (rules only for now)
will become more and needed by bgpctl too


# 1.52 06-Feb-2004 henning

use a struct bgpd_addr for the address token instead of a in_addr, claudio ok


# 1.51 06-Feb-2004 henning

initial cut at the filtering language.
structs etc to describe a rule, filter rule list management
parser groks filter defs now.

claudio ok, discussion & help also jakob theo


# 1.50 05-Feb-2004 henning

allocate curpeer little earlier.
there's a rather obscure error path where the later allocation causes
trouble, claudio ok


# 1.49 05-Feb-2004 henning

error message tuning
more power!


# 1.48 05-Feb-2004 henning

introduce group IDs. will be needed for filtering (or rather, ease things
there)
just assign them from the neighbor ID pool - fortunately, that is rather
simple, we just have to make sure that all members of the group and (later)
all filter rules pointing to the group agree on the ID, but it does not need
to stay the same across config reloads.

ok claudio@


# 1.47 03-Feb-2004 henning

replace the previous hack for the internal peer id allocator (which just used
the peer's ip address as u_int32_t) by a real id allocator that tries to
keep locality high. claudio ok


# 1.46 03-Feb-2004 henning

defer free()ing the previous peer list until after parsing the config file
so in the parser we can access it. will be needed soon.


# 1.45 01-Feb-2004 claudio

Set sane default announce types according to the peer type. For IBGP use
announce all and for EBGP use announce self. OK henning@


# 1.44 28-Jan-2004 henning

properly whine when password is too long instead of silently truncating


# 1.43 28-Jan-2004 henning

implement
tcp md5sig password
so that the key can be given in ascii, which unfortunately limits the key space
(cisco/juniper compat...)
we keep the ability to specify the key in hex without these limits.

help & ok markus


# 1.42 27-Jan-2004 henning

use a struct bgpd_addr instead of sockaddr_in for peer_config->local_addr and
->remote_addr for easier multiprotocol support

ok claudio@


# 1.41 26-Jan-2004 henning

rename "tcp signature" to "tcp md5sig" - the name is misleading, whether
ietf wants to call it so or not
prodded by theo


# 1.40 26-Jan-2004 henning

first cut at tcpmd5 setup support from within bgpd. works so far.
with help from hshoexer@ and markus@
ok claudio@ hshoexer@ markus@


# 1.39 24-Jan-2004 henning

eek, no, ERROR is of course not unused


# 1.38 24-Jan-2004 mcbride

Remove unused terminals.

ok henning@


# 1.37 22-Jan-2004 henning

provide a log_debug and use it in rde.c.
with this, logit() can be a private function.
we don't need to include syslog.h in bgpd.h any more; log.c and parse.y
who need it include it directly now.


# 1.36 17-Jan-2004 claudio

Make it possible to announce own networks. In the RDE these prefixes are
attached to a pseudo peer and inserted like all other prefixes into the RIB.
OK henning@


# 1.35 17-Jan-2004 henning

KNF


# 1.34 13-Jan-2004 claudio

Implement a max-prefix and an announce none | self | all neighbor statement.
The first limits the number of sent prefixes per peer, the latter controls
which prefixes we do announce to the neighbor.
Another looks good from henning@


# 1.33 06-Jan-2004 henning

small bug that was not so easy to fix: we did not allow empty lines (or
comment-only lines) in the middle of neighbor/group blocks. as first or
last line in these blocks they were accepted, but not in between.

ok deraadt@


# 1.32 06-Jan-2004 henning

allow holdtime and holdtime min to be configured per peer

ok claudio@


# 1.31 06-Jan-2004 henning

2004


# 1.30 05-Jan-2004 claudio

Big overhaul of the mrt code.
Dumping of incoming bgp messages is now possible and dumping the (not yet)
filtered updates works too. Per neighbor dumps are still missing.
OK henning@


# 1.29 05-Jan-2004 henning

missing fclose()

fd leak pointed out by Patrick Latifi, but it was not so easy to fix before
I just killed the support for config from stdin and his fix didn't work.
however, this is the 16 bytes memory leak on config reload I was hunting for
some time, big thanks to Patrick!


# 1.28 05-Jan-2004 henning

remove support for reading configuration from stdin.
that really does not make sense with a daemon and probably breaks horribly
on config reload


# 1.27 05-Jan-2004 henning

fix off by ones with strlcpy()
memleak fixes in error paths
From: Patrick Latifi <pat@eyeo.org>


# 1.26 03-Jan-2004 henning

move some session specific stuff to session.h and make the few files
that need it include that


# 1.25 03-Jan-2004 henning

decouple the peer list from bgpd_config.
so many parts of bgpd are not at all interested in the session specific peer
structs... allows for some further cleaning


# 1.24 27-Dec-2003 henning

bgpid -> router-id
local-addr -> local-address


# 1.23 27-Dec-2003 henning

fix thinko


# 1.22 27-Dec-2003 henning

"no fib-update" -> "fib-update [yes|no]"
makes more sense this way


# 1.21 27-Dec-2003 henning

few fatal()s should really be fatalx()
From: Dries Schellekens <gwyllion@ace.ulyssis.org>


# 1.20 26-Dec-2003 jakob

add option 'log updates' to log updates. ok henning@


# 1.19 26-Dec-2003 henning

when this project started and i added the fatal() function, I made it take
the error number as parameter instead of accessing errno, because in one
place the error number was not in errno but fetched from a socket.
now, of course it makes much more sense to just set errno to the error number
just fetched in this one place instead of having hundreds of fatal() calls
all transfer the errno round and round and round...
fix this, and also provide a fatalx, which does not care for errno and doesn't
invoke strerror.
oh, btw, in the place where we fetch the err # from the socket, we don't
call fatal anymore anyway...


# 1.18 25-Dec-2003 henning

style


# 1.17 25-Dec-2003 henning

must not remove macros via cmdline after parsing is done, we will need them
again on reload


# 1.16 25-Dec-2003 henning

don't leak in yyerror()


# 1.15 25-Dec-2003 henning

o can't TAILQ_FOREACH when we TAILQ_REMOVE in the loop
o free(sym)


# 1.14 25-Dec-2003 henning

free where it was allocated; much easier to verify


# 1.13 25-Dec-2003 henning

implement "passive": do not attempt to open a tcp connection to the
neighbor system


# 1.12 24-Dec-2003 henning

local-addr, not local-address.
it's better when documentation and code agree on the keyword...


# 1.11 24-Dec-2003 henning

add option to not touch the kernel routing table


# 1.10 23-Dec-2003 henning

better syntax for minimum accepted holdtime


# 1.9 23-Dec-2003 henning

allow the listening address to be specified, default to INADDR_ANY
should make jose@ happy


# 1.8 22-Dec-2003 deraadt

spacing


# 1.7 22-Dec-2003 deraadt

fix indent


# 1.6 22-Dec-2003 henning

ease grammar a lot. eliminate pstate and let yacc do the work for us instead.
nearly completely from theo with minor adjustment by me.


# 1.5 21-Dec-2003 henning

overhaul the write buffering code.
introduce msgbuf API and bundle all info needed for the write buffers in a
struct msgbuf.
also switch to a write queue per handled connection (each bgp session, each
pipe) instead of one big one.
fixes some subtle problems and is overall nicer.

ok claudio@


# 1.4 20-Dec-2003 henning

few missing break; in default: cases in switch; one noticed by tedu@


# 1.3 19-Dec-2003 henning

fix copyright


# 1.2 17-Dec-2003 henning

style


# 1.1 17-Dec-2003 henning

welcome, bgpd
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.

not connected to the builds yet.