Adjust the disc_recv_packet() code to not use IBUF_READ_SIZE and to
use a local recv_buf that is allocated on first call with malloc().
The memory returned from malloc() is properly aligned which may not
be the case for bss or stack memory.

rework how tcp md5 signatures are configured.

previously ldpd only allowed tcp md5 to be configured against a
neighbor (by ldp router id), but other vendors supported configuring
tcp md5sig by prefix as well as neighbor. this reworks the config
so auth is maintained globally as a list of prefixes that you do
and do not want to do tcp md5sig auth with.

the config statements look more like what is in bgpd.conf now too.

an example of the new config for interoperating with my baby cisco
test network:

on ios:

mpls ldp password required for MPLS
mpls ldp password option 1 for MPLS key-chain LDPAUTH

key chain LDPAUTH
key 1
key-string secret

interface Loopback0
ip address 192.168.0.0 255.255.255.255
end

ip prefix-list MPLS seq 5 permit 192.168.0.0/24
ip access-list standard MPLS

mpls ldp router-id Loopback0 force

and in ldpd.conf:

router-id 192.168.0.25
tcp md5sig password secret 192.168.0.0/24
address-family ipv4 { interface vmx1 }

this still supports specifying tcp md5sig on neighbors, but that
is syntactic sugar around adding entries to the list of auths.

ok (and lots of help from) claudio@

Implement RFC 5561 (LDP Capabilities).

This patch per-se doesn't introduce any useful functionality, but prepares
the ground for new enhancements to ldpd (i.e. implementation of new RFCs
that make use of LDP capabilities).

Kill send_notification_nbr().

Be more clever and trigger the PDU SENT event inside send_notification()
when tcp->nbr is set. This way we can eliminate send_notification_nbr()
and always use send_notification() instead.

Remove potential overflow when validating message's length.

Also, use uint16_t for msg_type on gen_msg_hdr().

More renaming and whitespace cleanup.

No binary change after "strip -s".

Several minor tweaks.

Add GTSM support (RFC 6720).

This also finishes the missing bits from our RFC 7552 implementation
because GTSM is mandatory for LDPv6.

To avoid any kind of interoperability problems, I included a few
knobs to enable/disable GTSM on a per-address-family and per-neighbor
basis. Cisco's LDPv6 implementation, for instance, doesn't support GTSM.

"reads good" claudio@

Fix removal of dual-stack neighbors.

Implement a timeout for the session initialization FSM.

This prevents neighbors stuck in the initialization FSM to linger forever
as long as the associated transport connection is up.

This timeout can be seen in the 'Session Initialization State Transition
Diagram' of RFC 5036. The RFC, however, doesn't specify how much we
should wait. Let's use 180 seconds for that, the default LDP hold time.

Fixes IxANVL LDP test 6.15.

Rework the handling of Hello packets.

With the introduction of IPv6 support by RFC 7552, the handling of Hello
packets in ldpd became something incredibly complex. Neighbors can change
from single-stack LDP to dual-stack and vice-versa. They can change
their transport preference, their transport addresses (IPv4 and IPv6)
and even start or stop sending the Dual-Stack TLV. We also have to take
care to reject things like multiple adjacencies advertising different
transport-addresses for the same neighbor. ldpd was failing for some of
the cases mentioned above, this patch fixes these issues and attempts
to make the code easier to read.

Do set the Message ID for Hello messages too.

In the original LDP specification, there was no circumstance where a
Notification message could be sent in response to a Hello message. So
setting the Message ID field for Hello packets was useless.

This changed with RFC 7552, where Hello packets can trigger the "Transport
Connection Mismatch" notification when the local and remote transport
preferences doesn't match. In this case, having a meaningful Message ID
in the Hello packets can aid in testing and troubleshooting.

Do not shut down the session upon receiving unknown messages.

RFC 5036 says the following about the receipt of unknown messages:
"Unknown message bit. Upon receipt of an unknown message, if U is
clear (=0), a notification is returned to the message originator;
if U is set (=1), the unknown message is silently ignored".

We were correctly ignoring unknown messages when the U-bit was set. But
when this bit was not set, we were shutting down the session when the
correct thing to do is to just send a non-fatal notification message.

Fix IxANVL LDP test 22.13.

Speed up session establishment after config reload.

If we change a neighbor's password or the global transport-address,
cancel the affected pending connects and, when playing the active role
of the session establishment process, try to connect again right away
with the new password and/or transport-address.

Without this patch we have to wait for the timeout of the pending
connects, which might be a lot of time.

Update copyright information.

Remove superfluous includes.

Make functions and variables static whenever possible.

The benefits of this include:
* clean up of the ldpd global namespace;
* improved readability;
* more hints to the compiler/linker to generate more efficient code.

Whenever possible, move global static variables to a smaller scope
(function).

All extern variables are now declared in header files to avoid unnecessary
duplication.

This patch also cleans up the indentation of all function prototypes
and global variables.

Add support for IPv6 (RFC 7552).

This includes:
* Full compliance to RFC 7552;
* Support for MD5 on LDPov6 sessions;
* Support for pseudowires over IPv6 LSPs (we're probably the world's
first implementation doing this);
* Support for the IPv6 explicit-null label;
* Knob to specify the prefered address-family for TCP transport
connections;
* Knob to use cisco non-compliant format to send and interpret the
Dual-Stack capability TLV.

Fix mess caused by my commit script.

I screwed up everything... trying to fix now.

Move setsockopt helper functions to a separate file.

IPv6 support is coming and we don't want to pollute the interface.c file
with too many of these helper functions.

Also, rename these functions from if_set_* to sock_set_*.

Standardize some log messages and fix some inconsistencies.

We were using several different names for the same thing in our log
messages: neighbor, neighbor ID, nbr ID and LSR ID.

Standardize to always use "lsr-id" to refer to a neighbor.

Also:
* Use log_warnx() instead of log_warn() when appropriate;
* Use fatal(x) instead of err(x) when appropriate;
* Fix some inconsistent log messages.

Make neighbor parameters per lsr-id not per transport-address.

With the advent of IPv6 support, a single neighbor can have two different
transport-addresses: one for ipv4 and one for ipv6. In order to define
neighbor-specific parameters in an indistinguishable way, define them
by lsr-id. This way we can switch between LDPov4 and LDPov6 and keep
the same configuration.

Rework the way we handle income connection requests.

The logic of the previous code was to accept all TCP connection requests
(destined to port 646) and create a tcp_conn structure for each them. Once
the first packet of a connection was received, we would analyze the
LDP Initialization message and identify its origin by looking at the
LSR-ID field.

When parsing a received TCP packet, we would need to distinguish between
two cases: tcp packet from an LDP neighbor and tcp packet from a newborn
connection (not associated with any neighbor yet). For this reason,
the session_read() function was quite complicated.

Also, we were not keeping track of the allocated tcp_conn structures. So,
we were subject to memory leaks and even DOS attacks.

With this patch, we also accept all TCP connection requests, but with two
major differences:
* We identify the neighbor by the source address of the SYN
packet. This is possible because we don't support label spaces, so
the transport-address by itself is enough to identify a neighbor,
we don't need to wait for the Initialization message;
* If there's no matching adjacency for this neighbor, then we start a
timer of 5 seconds. If we receive a Hello packet from this neighbor
within this interval, then we stop this timer and move on in
the Initialization state machine. Otherwise, we send a No Hello
Notification message and close the socket. We try to avoid sending
the No Hello notification as much as possible because it triggers the
backoff exponential in the remote peer, which considerably slow down
the session establishment process.

In summary, this new approach allows for a simpler code and fixes the
memory leak problem mentioned before.

Several improvements in the parsing of UDP/Hello packets.

* Fix check of the packet's size and the "PDU Length" field;
* Add check for the "Message Length" field;
* Check for invalid labelspace earlier.
* Use if_lookup() on disc_recv_iface() to reduce one level of identation;

Additionally, add the following safeguards:
* Check for unicast link hellos;
* Check for multicast targeted hellos;
* Validate packet's source address;
* Validate received transport-address.

Put the ancillary function bad_ip_addr() into a new file, util.c, which
will be used later for several other things.

Don't ignore notification messages before the session is operational.

This was preventing us from triggering the backoff exponential timer
after receiving a 'No Hello' notification.

Improve the parser of TCP/session packets.

Add more safeguards against malformed packets and fix existing ones. Also,
rename a few variables and constants to match their real meaning. For
example, rename gen_msg_tlv() to gen_msg_hdr() because this function
generates an LDP header, not a TLV.

Finally, clean-up all the send_* functions so they all follow the same
pattern.

Respect the received Max PDU Length field.

Move some code around.

This patch doesn't introduce any logical change.

Add knob to configure the transport address.

This will be especially important when we add support for IPv6, because
we'll not be able to use the router-id as the transport-address in
this case.

Replace manually written function names with __func__.

Call accept_unpause() when any TCP socket is closed.

We were calling accept_unpause() only when an LDP session is shut
down. But, during the LDP session establishment process, we may have
TCP sockets that are not associated with any neighbor. If we close one
of these sockets, we must call accept_unpause() too.

Add configuration reload support.

ok claudio@

Improve handling of addresses on ldpe.

This is a preliminary work for the the next patch (sigup config
reload). We want to make sure that the ldpe process can handle duplicated
addresses.

The idea is to alloc two different if_addr structures for each address,
and link one in the global list of addresses (used to send address
messages) and link the other to the associated interface list of
addresses.

Doing that we will be able to call kif_redistribute() after reloading
the config file and activate the new LDP enabled interfaces.

NOTE: Interfaces are created at config parse time and the child
processes inherit them on fork() so there's no need to send a status
update at startup.

ok claudio@

Implement md5 authentication support.

ok claudio@

Give more detailed information on a couple of debug messages.

More SOCK_NONBLOCK | SOCK_CLOEXEC love and one less session_socket_blockmode

Remove unnecessary netinet/in_systm.h include.

ok millert@

msgbuf_write() <= 0 for a few more daemons.

ok claudio@

deal with msgbuf_write EAGAIN, ok gilles benno

Improve parsing of label mapping messages and merge all recv_label*
functions into a single generic function.

Add a few error checks and implement parsing of optional tlvs.
Putting it all together helps avoid to code duplication and improve
maintainability.

Improve debug and error logs.
OK claudio@

Generate the NBR_EVT_PDU_RCVD event in a single point.
OK claudio@

Improve parsing of LDP messages.
Add more sanity checks and send proper notification messages on error
conditions.
OK claudio@

Ignore messages that have Unknown flag set.
OK claudio@

Fix build on vax

Always accept TCP connection requests and identify to which neighbor
it belongs only _after_ receiving an Initialization message containing
the information we need. Before an Initialization message is received,
the TCP connection shouldn't be associated with any neighbor/adjacency.
Therefor refactor that part into a own module.
From Renato Westphal

Implement support for adjacencies and targeted hellos
Refactor adjacencies out of the neighbor handling so that it is possible to
have more complex topologies with targeted sessions.
From Renato Westphal

Implement support for multiple addresses per interface.
This replaces the way addresses and interface are chained together.
In ospfd there was a 1 to 1 mapping (with iface clones) but LDP does
not have that limitation.
Diff from Renato Westphal

Improve error handling on session_read
* Don't try to send a Shutdown message if the connection is already
closed or a read error occured;
* As per RFC 5036, send a Shutdown message if an unexpected message is
received during the initialization process;
* Check if the whole LSR ID of received messages is correct;
* On ldpe_dispatch_main(), ignore the messages from the lde process
whose associated neighbor is not in the operational state.
Diff from Renato Westphal

Drop support for per-interface labelspaces.
Support for per-interface labelspaces is only necessary for legacy ATM/FR
interfaces running in cell-mode. We shouldn't worry about this.
For platform-wide label spaces the label space id is always 0.
Diff by Renato Westphal

Drop support for passive interfaces.
Support for passive interfaces was inherited from ospfd but it doesn't
make any sense at all for ldpd.
Diff from Renato Westphal

Use the nbr_stop_[*]timer functions
Diff from Renato Westphal

After returning from accept, we got a TCP connection not a LDP session.
Rename event/actions in the discovery FSM to avoid confusion
* NBR_EVT_SESSION_UP -> NBR_EVT_CONNECT_UP
* NBR_ACT_SESSION_EST -> NBR_ACT_CONNECT_SETUP
* nbr_act_session_establish -> nbr_act_connect_setup
* NBR_ACT_INIT_SEND -> NBR_ACT_PASSIVE_INIT
* NBR_ACT_STRT_KTIMER -> NBR_ACT_SESSION_EST
Diff by Renato Westphal

Don't set the Message ID for hello messages.
The Message ID field is used by notification messages to identify a
given message. This is the behavior adopted by Cisco IOS.
Diff from Renato Westphal

Improve sanity checks on received UDP messages
The actual meaning of the "PDU Length" field is the total length
of the LDP PDU, excluding the "Version" and "PDU Length" fields (as
per RFC 5036, section 3.1).
Diff from Renato Westphal [renatowestphal at gmail.com]

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

accept pacing ldpd way. Since this daemon has multiple listening fds
we add them all to a accept queue that does the pacing with the
accept_pause() and accept_unpause() calls.
With and OK deraadt@

Log the fact that a session was not accepted because of missing HELLOs.

Fix a bad heritage from ospfd. Make neighbors independent of interfaces.
They are not bound as strongly as in ospf and causes problems when the
TCP connection is established from an not connected IP (e.g. a loopback).
Use three RB trees to sort the neighbor list by id, addr and peerid.
More cleanup is needed but this makes ldpd work against peers using
loopback IPs. Problem found, reported and fix tested again by Marcel Wiget.

Rewrite all packet parsers to be more careful about alignment. Until
now ldpd had no chance to run on a strict alignment architecture but
this makes ldpd happy on sparc64. Be careful to do all needed overflow
checks and try to make all parsing functions look similar.
OK michele@

Rename some imsg bits to make namespace collisions less likely buf to
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE.

ok henning gilles claudio jacekm deraadt

Do not send notifications directly onto the wire. Decide in the caller how
to send the notification. On accept use write() else queue message and try
to send the queued messages out via msgbuf_write(). This may still fail but
is better then the code beforehands.
OK michele@

split up a multiple assignment so we aren't casting an lvalue.
ok michele@ claudio@

Remove some more ospfd-ism from the interface code. This time remove
of most of the IF_TYPE_ special cases and most interface types.
Point-to-point and broadcast still present because of find_iface()
which needs addtional fixing.
OK michele@

session_shutdown() issues a NBR_EVT_CLOSE_SESSION and therefore a
session_close() which does the event_del(&nbr->rev) so no need to do it
twice. There is also no need to send two S_SHUTDOWN messages.
OK michele@

Fix fd leak in error case.
OK michele@

Instead of having three ways of setting fds non-blocking use
session_socket_blockmode() everywhere.
Additionally make two fatal() distinguishable.
OK michele@

event_del() the read event when hitting a read error or when closing the
file descriptor. If not done, we will loop forever on this event.
OK michele@

Do not use bufferevent for something that's already covered in the imsg
buffer API. This fixes a few possible problems in session_read and does
some further cleanup in various places. Wrap msgbuf into evbuf to add
libevent functionality and use buf_read to handle the read side of a
session. OK michele@ and dlg@ did not see anything evil

Initialize "len" before using it in accept(2).

Found by Christophe Fillot

ok claudio@

Correctly send notification messages when errors occur.

ok claudio@ laurent@

Welcome ldpd, the Label Distribution Protocol daemon.
Built using the imsg/three process framework, its main aim
is to redistribute MPLS labels between peers.

Right now it has some really basic functionalities,
the basic protocol works and peers are able to exchange
labels and insert them in the kernel.
It still does not react to changes of topology.

Not yet connected to the builds.

ok claudio@ deraadt@

rework how tcp md5 signatures are configured.

previously ldpd only allowed tcp md5 to be configured against a
neighbor (by ldp router id), but other vendors supported configuring
tcp md5sig by prefix as well as neighbor. this reworks the config
so auth is maintained globally as a list of prefixes that you do
and do not want to do tcp md5sig auth with.

the config statements look more like what is in bgpd.conf now too.

an example of the new config for interoperating with my baby cisco
test network:

on ios:

mpls ldp password required for MPLS
mpls ldp password option 1 for MPLS key-chain LDPAUTH

key chain LDPAUTH
key 1
key-string secret

interface Loopback0
ip address 192.168.0.0 255.255.255.255
end

ip prefix-list MPLS seq 5 permit 192.168.0.0/24
ip access-list standard MPLS

mpls ldp router-id Loopback0 force

and in ldpd.conf:

router-id 192.168.0.25
tcp md5sig password secret 192.168.0.0/24
address-family ipv4 { interface vmx1 }

this still supports specifying tcp md5sig on neighbors, but that
is syntactic sugar around adding entries to the list of auths.

ok (and lots of help from) claudio@

Implement RFC 5561 (LDP Capabilities).

This patch per-se doesn't introduce any useful functionality, but prepares
the ground for new enhancements to ldpd (i.e. implementation of new RFCs
that make use of LDP capabilities).

Kill send_notification_nbr().

Be more clever and trigger the PDU SENT event inside send_notification()
when tcp->nbr is set. This way we can eliminate send_notification_nbr()
and always use send_notification() instead.

Remove potential overflow when validating message's length.

Also, use uint16_t for msg_type on gen_msg_hdr().

More renaming and whitespace cleanup.

No binary change after "strip -s".

Several minor tweaks.

Add GTSM support (RFC 6720).

This also finishes the missing bits from our RFC 7552 implementation
because GTSM is mandatory for LDPv6.

To avoid any kind of interoperability problems, I included a few
knobs to enable/disable GTSM on a per-address-family and per-neighbor
basis. Cisco's LDPv6 implementation, for instance, doesn't support GTSM.

"reads good" claudio@

Fix removal of dual-stack neighbors.

Implement a timeout for the session initialization FSM.

This prevents neighbors stuck in the initialization FSM to linger forever
as long as the associated transport connection is up.

This timeout can be seen in the 'Session Initialization State Transition
Diagram' of RFC 5036. The RFC, however, doesn't specify how much we
should wait. Let's use 180 seconds for that, the default LDP hold time.

Fixes IxANVL LDP test 6.15.

Rework the handling of Hello packets.

With the introduction of IPv6 support by RFC 7552, the handling of Hello
packets in ldpd became something incredibly complex. Neighbors can change
from single-stack LDP to dual-stack and vice-versa. They can change
their transport preference, their transport addresses (IPv4 and IPv6)
and even start or stop sending the Dual-Stack TLV. We also have to take
care to reject things like multiple adjacencies advertising different
transport-addresses for the same neighbor. ldpd was failing for some of
the cases mentioned above, this patch fixes these issues and attempts
to make the code easier to read.

Do set the Message ID for Hello messages too.

In the original LDP specification, there was no circumstance where a
Notification message could be sent in response to a Hello message. So
setting the Message ID field for Hello packets was useless.

This changed with RFC 7552, where Hello packets can trigger the "Transport
Connection Mismatch" notification when the local and remote transport
preferences doesn't match. In this case, having a meaningful Message ID
in the Hello packets can aid in testing and troubleshooting.

Do not shut down the session upon receiving unknown messages.

RFC 5036 says the following about the receipt of unknown messages:
"Unknown message bit. Upon receipt of an unknown message, if U is
clear (=0), a notification is returned to the message originator;
if U is set (=1), the unknown message is silently ignored".

We were correctly ignoring unknown messages when the U-bit was set. But
when this bit was not set, we were shutting down the session when the
correct thing to do is to just send a non-fatal notification message.

Fix IxANVL LDP test 22.13.

Speed up session establishment after config reload.

If we change a neighbor's password or the global transport-address,
cancel the affected pending connects and, when playing the active role
of the session establishment process, try to connect again right away
with the new password and/or transport-address.

Without this patch we have to wait for the timeout of the pending
connects, which might be a lot of time.

Update copyright information.

Remove superfluous includes.

Make functions and variables static whenever possible.

The benefits of this include:
* clean up of the ldpd global namespace;
* improved readability;
* more hints to the compiler/linker to generate more efficient code.

Whenever possible, move global static variables to a smaller scope
(function).

All extern variables are now declared in header files to avoid unnecessary
duplication.

This patch also cleans up the indentation of all function prototypes
and global variables.

Add support for IPv6 (RFC 7552).

This includes:
* Full compliance to RFC 7552;
* Support for MD5 on LDPov6 sessions;
* Support for pseudowires over IPv6 LSPs (we're probably the world's
first implementation doing this);
* Support for the IPv6 explicit-null label;
* Knob to specify the prefered address-family for TCP transport
connections;
* Knob to use cisco non-compliant format to send and interpret the
Dual-Stack capability TLV.

Fix mess caused by my commit script.

I screwed up everything... trying to fix now.

Move setsockopt helper functions to a separate file.

IPv6 support is coming and we don't want to pollute the interface.c file
with too many of these helper functions.

Also, rename these functions from if_set_* to sock_set_*.

Standardize some log messages and fix some inconsistencies.

We were using several different names for the same thing in our log
messages: neighbor, neighbor ID, nbr ID and LSR ID.

Standardize to always use "lsr-id" to refer to a neighbor.

Also:
* Use log_warnx() instead of log_warn() when appropriate;
* Use fatal(x) instead of err(x) when appropriate;
* Fix some inconsistent log messages.

Make neighbor parameters per lsr-id not per transport-address.

With the advent of IPv6 support, a single neighbor can have two different
transport-addresses: one for ipv4 and one for ipv6. In order to define
neighbor-specific parameters in an indistinguishable way, define them
by lsr-id. This way we can switch between LDPov4 and LDPov6 and keep
the same configuration.

Rework the way we handle income connection requests.

The logic of the previous code was to accept all TCP connection requests
(destined to port 646) and create a tcp_conn structure for each them. Once
the first packet of a connection was received, we would analyze the
LDP Initialization message and identify its origin by looking at the
LSR-ID field.

When parsing a received TCP packet, we would need to distinguish between
two cases: tcp packet from an LDP neighbor and tcp packet from a newborn
connection (not associated with any neighbor yet). For this reason,
the session_read() function was quite complicated.

Also, we were not keeping track of the allocated tcp_conn structures. So,
we were subject to memory leaks and even DOS attacks.

With this patch, we also accept all TCP connection requests, but with two
major differences:
* We identify the neighbor by the source address of the SYN
packet. This is possible because we don't support label spaces, so
the transport-address by itself is enough to identify a neighbor,
we don't need to wait for the Initialization message;
* If there's no matching adjacency for this neighbor, then we start a
timer of 5 seconds. If we receive a Hello packet from this neighbor
within this interval, then we stop this timer and move on in
the Initialization state machine. Otherwise, we send a No Hello
Notification message and close the socket. We try to avoid sending
the No Hello notification as much as possible because it triggers the
backoff exponential in the remote peer, which considerably slow down
the session establishment process.

In summary, this new approach allows for a simpler code and fixes the
memory leak problem mentioned before.

Several improvements in the parsing of UDP/Hello packets.

* Fix check of the packet's size and the "PDU Length" field;
* Add check for the "Message Length" field;
* Check for invalid labelspace earlier.
* Use if_lookup() on disc_recv_iface() to reduce one level of identation;

Additionally, add the following safeguards:
* Check for unicast link hellos;
* Check for multicast targeted hellos;
* Validate packet's source address;
* Validate received transport-address.

Put the ancillary function bad_ip_addr() into a new file, util.c, which
will be used later for several other things.

Don't ignore notification messages before the session is operational.

This was preventing us from triggering the backoff exponential timer
after receiving a 'No Hello' notification.

Improve the parser of TCP/session packets.

Add more safeguards against malformed packets and fix existing ones. Also,
rename a few variables and constants to match their real meaning. For
example, rename gen_msg_tlv() to gen_msg_hdr() because this function
generates an LDP header, not a TLV.

Finally, clean-up all the send_* functions so they all follow the same
pattern.

Respect the received Max PDU Length field.

Move some code around.

This patch doesn't introduce any logical change.

Add knob to configure the transport address.

This will be especially important when we add support for IPv6, because
we'll not be able to use the router-id as the transport-address in
this case.

Replace manually written function names with __func__.

Call accept_unpause() when any TCP socket is closed.

We were calling accept_unpause() only when an LDP session is shut
down. But, during the LDP session establishment process, we may have
TCP sockets that are not associated with any neighbor. If we close one
of these sockets, we must call accept_unpause() too.

Add configuration reload support.

ok claudio@

Improve handling of addresses on ldpe.

This is a preliminary work for the the next patch (sigup config
reload). We want to make sure that the ldpe process can handle duplicated
addresses.

The idea is to alloc two different if_addr structures for each address,
and link one in the global list of addresses (used to send address
messages) and link the other to the associated interface list of
addresses.

Doing that we will be able to call kif_redistribute() after reloading
the config file and activate the new LDP enabled interfaces.

NOTE: Interfaces are created at config parse time and the child
processes inherit them on fork() so there's no need to send a status
update at startup.

ok claudio@

Implement md5 authentication support.

ok claudio@

Give more detailed information on a couple of debug messages.

More SOCK_NONBLOCK | SOCK_CLOEXEC love and one less session_socket_blockmode

Remove unnecessary netinet/in_systm.h include.

ok millert@

msgbuf_write() <= 0 for a few more daemons.

ok claudio@

deal with msgbuf_write EAGAIN, ok gilles benno

Improve parsing of label mapping messages and merge all recv_label*
functions into a single generic function.

Add a few error checks and implement parsing of optional tlvs.
Putting it all together helps avoid to code duplication and improve
maintainability.

Improve debug and error logs.
OK claudio@

Generate the NBR_EVT_PDU_RCVD event in a single point.
OK claudio@

Improve parsing of LDP messages.
Add more sanity checks and send proper notification messages on error
conditions.
OK claudio@

Ignore messages that have Unknown flag set.
OK claudio@

Fix build on vax

Always accept TCP connection requests and identify to which neighbor
it belongs only _after_ receiving an Initialization message containing
the information we need. Before an Initialization message is received,
the TCP connection shouldn't be associated with any neighbor/adjacency.
Therefor refactor that part into a own module.
From Renato Westphal

Implement support for adjacencies and targeted hellos
Refactor adjacencies out of the neighbor handling so that it is possible to
have more complex topologies with targeted sessions.
From Renato Westphal

Implement support for multiple addresses per interface.
This replaces the way addresses and interface are chained together.
In ospfd there was a 1 to 1 mapping (with iface clones) but LDP does
not have that limitation.
Diff from Renato Westphal

Improve error handling on session_read
* Don't try to send a Shutdown message if the connection is already
closed or a read error occured;
* As per RFC 5036, send a Shutdown message if an unexpected message is
received during the initialization process;
* Check if the whole LSR ID of received messages is correct;
* On ldpe_dispatch_main(), ignore the messages from the lde process
whose associated neighbor is not in the operational state.
Diff from Renato Westphal

Drop support for per-interface labelspaces.
Support for per-interface labelspaces is only necessary for legacy ATM/FR
interfaces running in cell-mode. We shouldn't worry about this.
For platform-wide label spaces the label space id is always 0.
Diff by Renato Westphal

Drop support for passive interfaces.
Support for passive interfaces was inherited from ospfd but it doesn't
make any sense at all for ldpd.
Diff from Renato Westphal

Use the nbr_stop_[*]timer functions
Diff from Renato Westphal

After returning from accept, we got a TCP connection not a LDP session.
Rename event/actions in the discovery FSM to avoid confusion
* NBR_EVT_SESSION_UP -> NBR_EVT_CONNECT_UP
* NBR_ACT_SESSION_EST -> NBR_ACT_CONNECT_SETUP
* nbr_act_session_establish -> nbr_act_connect_setup
* NBR_ACT_INIT_SEND -> NBR_ACT_PASSIVE_INIT
* NBR_ACT_STRT_KTIMER -> NBR_ACT_SESSION_EST
Diff by Renato Westphal

Don't set the Message ID for hello messages.
The Message ID field is used by notification messages to identify a
given message. This is the behavior adopted by Cisco IOS.
Diff from Renato Westphal

Improve sanity checks on received UDP messages
The actual meaning of the "PDU Length" field is the total length
of the LDP PDU, excluding the "Version" and "PDU Length" fields (as
per RFC 5036, section 3.1).
Diff from Renato Westphal [renatowestphal at gmail.com]

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

accept pacing ldpd way. Since this daemon has multiple listening fds
we add them all to a accept queue that does the pacing with the
accept_pause() and accept_unpause() calls.
With and OK deraadt@

Log the fact that a session was not accepted because of missing HELLOs.

Fix a bad heritage from ospfd. Make neighbors independent of interfaces.
They are not bound as strongly as in ospf and causes problems when the
TCP connection is established from an not connected IP (e.g. a loopback).
Use three RB trees to sort the neighbor list by id, addr and peerid.
More cleanup is needed but this makes ldpd work against peers using
loopback IPs. Problem found, reported and fix tested again by Marcel Wiget.

Rewrite all packet parsers to be more careful about alignment. Until
now ldpd had no chance to run on a strict alignment architecture but
this makes ldpd happy on sparc64. Be careful to do all needed overflow
checks and try to make all parsing functions look similar.
OK michele@

Rename some imsg bits to make namespace collisions less likely buf to
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE.

ok henning gilles claudio jacekm deraadt

Do not send notifications directly onto the wire. Decide in the caller how
to send the notification. On accept use write() else queue message and try
to send the queued messages out via msgbuf_write(). This may still fail but
is better then the code beforehands.
OK michele@

split up a multiple assignment so we aren't casting an lvalue.
ok michele@ claudio@

Remove some more ospfd-ism from the interface code. This time remove
of most of the IF_TYPE_ special cases and most interface types.
Point-to-point and broadcast still present because of find_iface()
which needs addtional fixing.
OK michele@

session_shutdown() issues a NBR_EVT_CLOSE_SESSION and therefore a
session_close() which does the event_del(&nbr->rev) so no need to do it
twice. There is also no need to send two S_SHUTDOWN messages.
OK michele@

Fix fd leak in error case.
OK michele@

Instead of having three ways of setting fds non-blocking use
session_socket_blockmode() everywhere.
Additionally make two fatal() distinguishable.
OK michele@

event_del() the read event when hitting a read error or when closing the
file descriptor. If not done, we will loop forever on this event.
OK michele@

Do not use bufferevent for something that's already covered in the imsg
buffer API. This fixes a few possible problems in session_read and does
some further cleanup in various places. Wrap msgbuf into evbuf to add
libevent functionality and use buf_read to handle the read side of a
session. OK michele@ and dlg@ did not see anything evil

Initialize "len" before using it in accept(2).

Found by Christophe Fillot

ok claudio@

Correctly send notification messages when errors occur.

ok claudio@ laurent@

Welcome ldpd, the Label Distribution Protocol daemon.
Built using the imsg/three process framework, its main aim
is to redistribute MPLS labels between peers.

Right now it has some really basic functionalities,
the basic protocol works and peers are able to exchange
labels and insert them in the kernel.
It still does not react to changes of topology.

Not yet connected to the builds.

ok claudio@ deraadt@

Implement RFC 5561 (LDP Capabilities).

This patch per-se doesn't introduce any useful functionality, but prepares
the ground for new enhancements to ldpd (i.e. implementation of new RFCs
that make use of LDP capabilities).

Kill send_notification_nbr().

Be more clever and trigger the PDU SENT event inside send_notification()
when tcp->nbr is set. This way we can eliminate send_notification_nbr()
and always use send_notification() instead.

Remove potential overflow when validating message's length.

Also, use uint16_t for msg_type on gen_msg_hdr().

More renaming and whitespace cleanup.

No binary change after "strip -s".

Several minor tweaks.

Add GTSM support (RFC 6720).

This also finishes the missing bits from our RFC 7552 implementation
because GTSM is mandatory for LDPv6.

To avoid any kind of interoperability problems, I included a few
knobs to enable/disable GTSM on a per-address-family and per-neighbor
basis. Cisco's LDPv6 implementation, for instance, doesn't support GTSM.

"reads good" claudio@

Fix removal of dual-stack neighbors.

Implement a timeout for the session initialization FSM.

This prevents neighbors stuck in the initialization FSM to linger forever
as long as the associated transport connection is up.

This timeout can be seen in the 'Session Initialization State Transition
Diagram' of RFC 5036. The RFC, however, doesn't specify how much we
should wait. Let's use 180 seconds for that, the default LDP hold time.

Fixes IxANVL LDP test 6.15.

Rework the handling of Hello packets.

With the introduction of IPv6 support by RFC 7552, the handling of Hello
packets in ldpd became something incredibly complex. Neighbors can change
from single-stack LDP to dual-stack and vice-versa. They can change
their transport preference, their transport addresses (IPv4 and IPv6)
and even start or stop sending the Dual-Stack TLV. We also have to take
care to reject things like multiple adjacencies advertising different
transport-addresses for the same neighbor. ldpd was failing for some of
the cases mentioned above, this patch fixes these issues and attempts
to make the code easier to read.

Do set the Message ID for Hello messages too.

In the original LDP specification, there was no circumstance where a
Notification message could be sent in response to a Hello message. So
setting the Message ID field for Hello packets was useless.

This changed with RFC 7552, where Hello packets can trigger the "Transport
Connection Mismatch" notification when the local and remote transport
preferences doesn't match. In this case, having a meaningful Message ID
in the Hello packets can aid in testing and troubleshooting.

Do not shut down the session upon receiving unknown messages.

RFC 5036 says the following about the receipt of unknown messages:
"Unknown message bit. Upon receipt of an unknown message, if U is
clear (=0), a notification is returned to the message originator;
if U is set (=1), the unknown message is silently ignored".

We were correctly ignoring unknown messages when the U-bit was set. But
when this bit was not set, we were shutting down the session when the
correct thing to do is to just send a non-fatal notification message.

Fix IxANVL LDP test 22.13.

Speed up session establishment after config reload.

If we change a neighbor's password or the global transport-address,
cancel the affected pending connects and, when playing the active role
of the session establishment process, try to connect again right away
with the new password and/or transport-address.

Without this patch we have to wait for the timeout of the pending
connects, which might be a lot of time.

Update copyright information.

Remove superfluous includes.

Make functions and variables static whenever possible.

The benefits of this include:
* clean up of the ldpd global namespace;
* improved readability;
* more hints to the compiler/linker to generate more efficient code.

Whenever possible, move global static variables to a smaller scope
(function).

All extern variables are now declared in header files to avoid unnecessary
duplication.

This patch also cleans up the indentation of all function prototypes
and global variables.

Add support for IPv6 (RFC 7552).

This includes:
* Full compliance to RFC 7552;
* Support for MD5 on LDPov6 sessions;
* Support for pseudowires over IPv6 LSPs (we're probably the world's
first implementation doing this);
* Support for the IPv6 explicit-null label;
* Knob to specify the prefered address-family for TCP transport
connections;
* Knob to use cisco non-compliant format to send and interpret the
Dual-Stack capability TLV.

Fix mess caused by my commit script.

I screwed up everything... trying to fix now.

Move setsockopt helper functions to a separate file.

IPv6 support is coming and we don't want to pollute the interface.c file
with too many of these helper functions.

Also, rename these functions from if_set_* to sock_set_*.

Standardize some log messages and fix some inconsistencies.

We were using several different names for the same thing in our log
messages: neighbor, neighbor ID, nbr ID and LSR ID.

Standardize to always use "lsr-id" to refer to a neighbor.

Also:
* Use log_warnx() instead of log_warn() when appropriate;
* Use fatal(x) instead of err(x) when appropriate;
* Fix some inconsistent log messages.

Make neighbor parameters per lsr-id not per transport-address.

With the advent of IPv6 support, a single neighbor can have two different
transport-addresses: one for ipv4 and one for ipv6. In order to define
neighbor-specific parameters in an indistinguishable way, define them
by lsr-id. This way we can switch between LDPov4 and LDPov6 and keep
the same configuration.

Rework the way we handle income connection requests.

The logic of the previous code was to accept all TCP connection requests
(destined to port 646) and create a tcp_conn structure for each them. Once
the first packet of a connection was received, we would analyze the
LDP Initialization message and identify its origin by looking at the
LSR-ID field.

When parsing a received TCP packet, we would need to distinguish between
two cases: tcp packet from an LDP neighbor and tcp packet from a newborn
connection (not associated with any neighbor yet). For this reason,
the session_read() function was quite complicated.

Also, we were not keeping track of the allocated tcp_conn structures. So,
we were subject to memory leaks and even DOS attacks.

With this patch, we also accept all TCP connection requests, but with two
major differences:
* We identify the neighbor by the source address of the SYN
packet. This is possible because we don't support label spaces, so
the transport-address by itself is enough to identify a neighbor,
we don't need to wait for the Initialization message;
* If there's no matching adjacency for this neighbor, then we start a
timer of 5 seconds. If we receive a Hello packet from this neighbor
within this interval, then we stop this timer and move on in
the Initialization state machine. Otherwise, we send a No Hello
Notification message and close the socket. We try to avoid sending
the No Hello notification as much as possible because it triggers the
backoff exponential in the remote peer, which considerably slow down
the session establishment process.

In summary, this new approach allows for a simpler code and fixes the
memory leak problem mentioned before.

Several improvements in the parsing of UDP/Hello packets.

* Fix check of the packet's size and the "PDU Length" field;
* Add check for the "Message Length" field;
* Check for invalid labelspace earlier.
* Use if_lookup() on disc_recv_iface() to reduce one level of identation;

Additionally, add the following safeguards:
* Check for unicast link hellos;
* Check for multicast targeted hellos;
* Validate packet's source address;
* Validate received transport-address.

Put the ancillary function bad_ip_addr() into a new file, util.c, which
will be used later for several other things.

Don't ignore notification messages before the session is operational.

This was preventing us from triggering the backoff exponential timer
after receiving a 'No Hello' notification.

Improve the parser of TCP/session packets.

Add more safeguards against malformed packets and fix existing ones. Also,
rename a few variables and constants to match their real meaning. For
example, rename gen_msg_tlv() to gen_msg_hdr() because this function
generates an LDP header, not a TLV.

Finally, clean-up all the send_* functions so they all follow the same
pattern.

Respect the received Max PDU Length field.

Move some code around.

This patch doesn't introduce any logical change.

Add knob to configure the transport address.

This will be especially important when we add support for IPv6, because
we'll not be able to use the router-id as the transport-address in
this case.

Replace manually written function names with __func__.

Call accept_unpause() when any TCP socket is closed.

We were calling accept_unpause() only when an LDP session is shut
down. But, during the LDP session establishment process, we may have
TCP sockets that are not associated with any neighbor. If we close one
of these sockets, we must call accept_unpause() too.

Add configuration reload support.

ok claudio@

Improve handling of addresses on ldpe.

This is a preliminary work for the the next patch (sigup config
reload). We want to make sure that the ldpe process can handle duplicated
addresses.

The idea is to alloc two different if_addr structures for each address,
and link one in the global list of addresses (used to send address
messages) and link the other to the associated interface list of
addresses.

Doing that we will be able to call kif_redistribute() after reloading
the config file and activate the new LDP enabled interfaces.

NOTE: Interfaces are created at config parse time and the child
processes inherit them on fork() so there's no need to send a status
update at startup.

ok claudio@

Implement md5 authentication support.

ok claudio@

Give more detailed information on a couple of debug messages.

More SOCK_NONBLOCK | SOCK_CLOEXEC love and one less session_socket_blockmode

Remove unnecessary netinet/in_systm.h include.

ok millert@

msgbuf_write() <= 0 for a few more daemons.

ok claudio@

deal with msgbuf_write EAGAIN, ok gilles benno

Improve parsing of label mapping messages and merge all recv_label*
functions into a single generic function.

Add a few error checks and implement parsing of optional tlvs.
Putting it all together helps avoid to code duplication and improve
maintainability.

Improve debug and error logs.
OK claudio@

Generate the NBR_EVT_PDU_RCVD event in a single point.
OK claudio@

Improve parsing of LDP messages.
Add more sanity checks and send proper notification messages on error
conditions.
OK claudio@

Ignore messages that have Unknown flag set.
OK claudio@

Fix build on vax

Always accept TCP connection requests and identify to which neighbor
it belongs only _after_ receiving an Initialization message containing
the information we need. Before an Initialization message is received,
the TCP connection shouldn't be associated with any neighbor/adjacency.
Therefor refactor that part into a own module.
From Renato Westphal

Implement support for adjacencies and targeted hellos
Refactor adjacencies out of the neighbor handling so that it is possible to
have more complex topologies with targeted sessions.
From Renato Westphal

Implement support for multiple addresses per interface.
This replaces the way addresses and interface are chained together.
In ospfd there was a 1 to 1 mapping (with iface clones) but LDP does
not have that limitation.
Diff from Renato Westphal

Improve error handling on session_read
* Don't try to send a Shutdown message if the connection is already
closed or a read error occured;
* As per RFC 5036, send a Shutdown message if an unexpected message is
received during the initialization process;
* Check if the whole LSR ID of received messages is correct;
* On ldpe_dispatch_main(), ignore the messages from the lde process
whose associated neighbor is not in the operational state.
Diff from Renato Westphal

Drop support for per-interface labelspaces.
Support for per-interface labelspaces is only necessary for legacy ATM/FR
interfaces running in cell-mode. We shouldn't worry about this.
For platform-wide label spaces the label space id is always 0.
Diff by Renato Westphal

Drop support for passive interfaces.
Support for passive interfaces was inherited from ospfd but it doesn't
make any sense at all for ldpd.
Diff from Renato Westphal

Use the nbr_stop_[*]timer functions
Diff from Renato Westphal

After returning from accept, we got a TCP connection not a LDP session.
Rename event/actions in the discovery FSM to avoid confusion
* NBR_EVT_SESSION_UP -> NBR_EVT_CONNECT_UP
* NBR_ACT_SESSION_EST -> NBR_ACT_CONNECT_SETUP
* nbr_act_session_establish -> nbr_act_connect_setup
* NBR_ACT_INIT_SEND -> NBR_ACT_PASSIVE_INIT
* NBR_ACT_STRT_KTIMER -> NBR_ACT_SESSION_EST
Diff by Renato Westphal

Don't set the Message ID for hello messages.
The Message ID field is used by notification messages to identify a
given message. This is the behavior adopted by Cisco IOS.
Diff from Renato Westphal

Improve sanity checks on received UDP messages
The actual meaning of the "PDU Length" field is the total length
of the LDP PDU, excluding the "Version" and "PDU Length" fields (as
per RFC 5036, section 3.1).
Diff from Renato Westphal [renatowestphal at gmail.com]

handle ECONNABORTED errors from accept(). In many code blocks they can be
ignored silently and without aborting, much like EINTR and EWOULDBLOCK are.
ok's from various maintainers of these directories...

accept pacing ldpd way. Since this daemon has multiple listening fds
we add them all to a accept queue that does the pacing with the
accept_pause() and accept_unpause() calls.
With and OK deraadt@

Log the fact that a session was not accepted because of missing HELLOs.

Fix a bad heritage from ospfd. Make neighbors independent of interfaces.
They are not bound as strongly as in ospf and causes problems when the
TCP connection is established from an not connected IP (e.g. a loopback).
Use three RB trees to sort the neighbor list by id, addr and peerid.
More cleanup is needed but this makes ldpd work against peers using
loopback IPs. Problem found, reported and fix tested again by Marcel Wiget.

Rewrite all packet parsers to be more careful about alignment. Until
now ldpd had no chance to run on a strict alignment architecture but
this makes ldpd happy on sparc64. Be careful to do all needed overflow
checks and try to make all parsing functions look similar.
OK michele@

Rename some imsg bits to make namespace collisions less likely buf to
ibuf, buf_read to ibuf_read, READ_BUF_SIZE to IBUF_READ_SIZE.

ok henning gilles claudio jacekm deraadt

Do not send notifications directly onto the wire. Decide in the caller how
to send the notification. On accept use write() else queue message and try
to send the queued messages out via msgbuf_write(). This may still fail but
is better then the code beforehands.
OK michele@

split up a multiple assignment so we aren't casting an lvalue.
ok michele@ claudio@

Remove some more ospfd-ism from the interface code. This time remove
of most of the IF_TYPE_ special cases and most interface types.
Point-to-point and broadcast still present because of find_iface()
which needs addtional fixing.
OK michele@

session_shutdown() issues a NBR_EVT_CLOSE_SESSION and therefore a
session_close() which does the event_del(&nbr->rev) so no need to do it
twice. There is also no need to send two S_SHUTDOWN messages.
OK michele@

Fix fd leak in error case.
OK michele@

Instead of having three ways of setting fds non-blocking use
session_socket_blockmode() everywhere.
Additionally make two fatal() distinguishable.
OK michele@

event_del() the read event when hitting a read error or when closing the
file descriptor. If not done, we will loop forever on this event.
OK michele@

Do not use bufferevent for something that's already covered in the imsg
buffer API. This fixes a few possible problems in session_read and does
some further cleanup in various places. Wrap msgbuf into evbuf to add
libevent functionality and use buf_read to handle the read side of a
session. OK michele@ and dlg@ did not see anything evil

Initialize "len" before using it in accept(2).

Found by Christophe Fillot

ok claudio@

Correctly send notification messages when errors occur.

ok claudio@ laurent@

Welcome ldpd, the Label Distribution Protocol daemon.
Built using the imsg/three process framework, its main aim
is to redistribute MPLS labels between peers.

Right now it has some really basic functionalities,
the basic protocol works and peers are able to exchange
labels and insert them in the kernel.
It still does not react to changes of topology.

Not yet connected to the builds.

ok claudio@ deraadt@