bgpd.c revision 1.226
1/* $OpenBSD: bgpd.c,v 1.226 2019/10/01 08:57:47 claudio Exp $ */ 2 3/* 4 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <sys/types.h> 20#include <sys/socket.h> 21#include <sys/wait.h> 22#include <netinet/in.h> 23#include <arpa/inet.h> 24#include <err.h> 25#include <errno.h> 26#include <fcntl.h> 27#include <poll.h> 28#include <pwd.h> 29#include <signal.h> 30#include <stdio.h> 31#include <stdlib.h> 32#include <string.h> 33#include <syslog.h> 34#include <unistd.h> 35 36#include "bgpd.h" 37#include "session.h" 38#include "log.h" 39 40void sighdlr(int); 41__dead void usage(void); 42int main(int, char *[]); 43pid_t start_child(enum bgpd_process, char *, int, int, int); 44int send_filterset(struct imsgbuf *, struct filter_set_head *); 45int reconfigure(char *, struct bgpd_config *); 46int send_config(struct bgpd_config *); 47int dispatch_imsg(struct imsgbuf *, int, struct bgpd_config *); 48int control_setup(struct bgpd_config *); 49static void getsockpair(int [2]); 50int imsg_send_sockets(struct imsgbuf *, struct imsgbuf *); 51 52int cflags; 53volatile sig_atomic_t mrtdump; 54volatile sig_atomic_t quit; 55volatile sig_atomic_t reconfig; 56pid_t reconfpid; 57int reconfpending; 58struct imsgbuf *ibuf_se; 59struct imsgbuf *ibuf_rde; 60struct rib_names ribnames = SIMPLEQ_HEAD_INITIALIZER(ribnames); 61char *cname; 62char *rcname; 63 64void 65sighdlr(int sig) 66{ 67 switch (sig) { 68 case SIGTERM: 69 case SIGINT: 70 quit = 1; 71 break; 72 case SIGHUP: 73 reconfig = 1; 74 break; 75 case SIGALRM: 76 case SIGUSR1: 77 mrtdump = 1; 78 break; 79 } 80} 81 82__dead void 83usage(void) 84{ 85 extern char *__progname; 86 87 fprintf(stderr, "usage: %s [-cdnv] [-D macro=value] [-f file]\n", 88 __progname); 89 exit(1); 90} 91 92#define PFD_PIPE_SESSION 0 93#define PFD_PIPE_ROUTE 1 94#define PFD_SOCK_ROUTE 2 95#define PFD_SOCK_PFKEY 3 96#define POLL_MAX 4 97#define MAX_TIMEOUT 3600 98 99int cmd_opts; 100 101int 102main(int argc, char *argv[]) 103{ 104 struct bgpd_config *conf; 105 struct rde_rib *rr; 106 struct peer *p; 107 struct pollfd pfd[POLL_MAX]; 108 time_t timeout; 109 pid_t se_pid = 0, rde_pid = 0, pid; 110 char *conffile; 111 char *saved_argv0; 112 int debug = 0; 113 int rflag = 0, sflag = 0; 114 int rfd, keyfd; 115 int ch, status; 116 int pipe_m2s[2]; 117 int pipe_m2r[2]; 118 119 conffile = CONFFILE; 120 bgpd_process = PROC_MAIN; 121 122 log_init(1, LOG_DAEMON); /* log to stderr until daemonized */ 123 log_procinit(log_procnames[bgpd_process]); 124 log_setverbose(1); 125 126 saved_argv0 = argv[0]; 127 if (saved_argv0 == NULL) 128 saved_argv0 = "bgpd"; 129 130 while ((ch = getopt(argc, argv, "cdD:f:nRSv")) != -1) { 131 switch (ch) { 132 case 'c': 133 cmd_opts |= BGPD_OPT_FORCE_DEMOTE; 134 break; 135 case 'd': 136 debug = 1; 137 break; 138 case 'D': 139 if (cmdline_symset(optarg) < 0) 140 log_warnx("could not parse macro definition %s", 141 optarg); 142 break; 143 case 'f': 144 conffile = optarg; 145 break; 146 case 'n': 147 cmd_opts |= BGPD_OPT_NOACTION; 148 break; 149 case 'v': 150 if (cmd_opts & BGPD_OPT_VERBOSE) 151 cmd_opts |= BGPD_OPT_VERBOSE2; 152 cmd_opts |= BGPD_OPT_VERBOSE; 153 break; 154 case 'R': 155 rflag = 1; 156 break; 157 case 'S': 158 sflag = 1; 159 break; 160 default: 161 usage(); 162 /* NOTREACHED */ 163 } 164 } 165 166 argc -= optind; 167 argv += optind; 168 if (argc > 0 || (sflag && rflag)) 169 usage(); 170 171 if (cmd_opts & BGPD_OPT_NOACTION) { 172 if ((conf = parse_config(conffile, NULL)) == NULL) 173 exit(1); 174 175 if (cmd_opts & BGPD_OPT_VERBOSE) 176 print_config(conf, &ribnames); 177 else 178 fprintf(stderr, "configuration OK\n"); 179 180 while ((rr = SIMPLEQ_FIRST(&ribnames)) != NULL) { 181 SIMPLEQ_REMOVE_HEAD(&ribnames, entry); 182 free(rr); 183 } 184 free_config(conf); 185 exit(0); 186 } 187 188 if (rflag) 189 rde_main(debug, cmd_opts & BGPD_OPT_VERBOSE); 190 else if (sflag) 191 session_main(debug, cmd_opts & BGPD_OPT_VERBOSE); 192 193 if (geteuid()) 194 errx(1, "need root privileges"); 195 196 if (getpwnam(BGPD_USER) == NULL) 197 errx(1, "unknown user %s", BGPD_USER); 198 199 if ((conf = parse_config(conffile, NULL)) == NULL) { 200 log_warnx("config file %s has errors", conffile); 201 exit(1); 202 } 203 204 if (prepare_listeners(conf) == -1) 205 exit(1); 206 207 log_init(debug, LOG_DAEMON); 208 log_setverbose(cmd_opts & BGPD_OPT_VERBOSE); 209 210 if (!debug) 211 daemon(1, 0); 212 213 log_info("startup"); 214 215 getsockpair(pipe_m2s); 216 getsockpair(pipe_m2r); 217 218 /* fork children */ 219 rde_pid = start_child(PROC_RDE, saved_argv0, pipe_m2r[1], debug, 220 cmd_opts & BGPD_OPT_VERBOSE); 221 se_pid = start_child(PROC_SE, saved_argv0, pipe_m2s[1], debug, 222 cmd_opts & BGPD_OPT_VERBOSE); 223 224 signal(SIGTERM, sighdlr); 225 signal(SIGINT, sighdlr); 226 signal(SIGHUP, sighdlr); 227 signal(SIGALRM, sighdlr); 228 signal(SIGUSR1, sighdlr); 229 signal(SIGPIPE, SIG_IGN); 230 231 if ((ibuf_se = malloc(sizeof(struct imsgbuf))) == NULL || 232 (ibuf_rde = malloc(sizeof(struct imsgbuf))) == NULL) 233 fatal(NULL); 234 imsg_init(ibuf_se, pipe_m2s[0]); 235 imsg_init(ibuf_rde, pipe_m2r[0]); 236 mrt_init(ibuf_rde, ibuf_se); 237 if (kr_init(&rfd) == -1) 238 quit = 1; 239 keyfd = pfkey_init(); 240 241 /* 242 * rpath, read config file 243 * cpath, unlink control socket 244 * fattr, chmod on control socket 245 * wpath, needed if we are doing mrt dumps 246 * 247 * pledge placed here because kr_init() does a setsockopt on the 248 * routing socket thats not allowed at all. 249 */ 250#if 0 251 /* 252 * disabled because we do ioctls on /dev/pf and SIOCSIFGATTR 253 * this needs some redesign of bgpd to be fixed. 254 */ 255BROKEN if (pledge("stdio rpath wpath cpath fattr unix route recvfd sendfd", 256 NULL) == -1) 257 fatal("pledge"); 258#endif 259 260 if (imsg_send_sockets(ibuf_se, ibuf_rde)) 261 fatal("could not establish imsg links"); 262 /* control setup needs to happen late since it sends imsgs */ 263 if (control_setup(conf) == -1) 264 quit = 1; 265 if (send_config(conf) != 0) 266 quit = 1; 267 if (pftable_clear_all() != 0) 268 quit = 1; 269 270 while (quit == 0) { 271 bzero(pfd, sizeof(pfd)); 272 273 timeout = mrt_timeout(conf->mrt); 274 275 pfd[PFD_SOCK_ROUTE].fd = rfd; 276 pfd[PFD_SOCK_ROUTE].events = POLLIN; 277 278 pfd[PFD_SOCK_PFKEY].fd = keyfd; 279 pfd[PFD_SOCK_PFKEY].events = POLLIN; 280 281 set_pollfd(&pfd[PFD_PIPE_SESSION], ibuf_se); 282 set_pollfd(&pfd[PFD_PIPE_ROUTE], ibuf_rde); 283 284 if (timeout < 0 || timeout > MAX_TIMEOUT) 285 timeout = MAX_TIMEOUT; 286 if (poll(pfd, POLL_MAX, timeout * 1000) == -1) 287 if (errno != EINTR) { 288 log_warn("poll error"); 289 quit = 1; 290 } 291 292 if (handle_pollfd(&pfd[PFD_PIPE_SESSION], ibuf_se) == -1) { 293 log_warnx("main: Lost connection to SE"); 294 msgbuf_clear(&ibuf_se->w); 295 free(ibuf_se); 296 ibuf_se = NULL; 297 quit = 1; 298 } else { 299 if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION, conf) == 300 -1) 301 quit = 1; 302 } 303 304 if (handle_pollfd(&pfd[PFD_PIPE_ROUTE], ibuf_rde) == -1) { 305 log_warnx("main: Lost connection to RDE"); 306 msgbuf_clear(&ibuf_rde->w); 307 free(ibuf_rde); 308 ibuf_rde = NULL; 309 quit = 1; 310 } else { 311 if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE, conf) == 312 -1) 313 quit = 1; 314 } 315 316 if (pfd[PFD_SOCK_ROUTE].revents & POLLIN) { 317 if (kr_dispatch_msg(conf->default_tableid) == -1) 318 quit = 1; 319 } 320 321 if (pfd[PFD_SOCK_PFKEY].revents & POLLIN) { 322 if (pfkey_read(keyfd, NULL) == -1) { 323 log_warnx("pfkey_read failed, exiting..."); 324 quit = 1; 325 } 326 } 327 328 if (reconfig) { 329 u_int error; 330 331 reconfig = 0; 332 switch (reconfigure(conffile, conf)) { 333 case -1: /* fatal error */ 334 quit = 1; 335 break; 336 case 0: /* all OK */ 337 error = 0; 338 break; 339 case 2: 340 log_info("previous reload still running"); 341 error = CTL_RES_PENDING; 342 break; 343 default: /* parse error */ 344 log_warnx("config file %s has errors, " 345 "not reloading", conffile); 346 error = CTL_RES_PARSE_ERROR; 347 break; 348 } 349 if (reconfpid != 0) { 350 send_imsg_session(IMSG_CTL_RESULT, reconfpid, 351 &error, sizeof(error)); 352 reconfpid = 0; 353 } 354 } 355 356 if (mrtdump) { 357 mrtdump = 0; 358 mrt_handler(conf->mrt); 359 } 360 } 361 362 /* close pipes */ 363 if (ibuf_se) { 364 msgbuf_clear(&ibuf_se->w); 365 close(ibuf_se->fd); 366 free(ibuf_se); 367 ibuf_se = NULL; 368 } 369 if (ibuf_rde) { 370 msgbuf_clear(&ibuf_rde->w); 371 close(ibuf_rde->fd); 372 free(ibuf_rde); 373 ibuf_rde = NULL; 374 } 375 376 /* cleanup kernel data structures */ 377 carp_demote_shutdown(); 378 kr_shutdown(conf->fib_priority, conf->default_tableid); 379 pftable_clear_all(); 380 381 RB_FOREACH(p, peer_head, &conf->peers) 382 pfkey_remove(p); 383 384 while ((rr = SIMPLEQ_FIRST(&ribnames)) != NULL) { 385 SIMPLEQ_REMOVE_HEAD(&ribnames, entry); 386 free(rr); 387 } 388 free_config(conf); 389 390 log_debug("waiting for children to terminate"); 391 do { 392 pid = wait(&status); 393 if (pid == -1) { 394 if (errno != EINTR && errno != ECHILD) 395 fatal("wait"); 396 } else if (WIFSIGNALED(status)) { 397 char *name = "unknown process"; 398 if (pid == rde_pid) 399 name = "route decision engine"; 400 else if (pid == se_pid) 401 name = "session engine"; 402 log_warnx("%s terminated; signal %d", name, 403 WTERMSIG(status)); 404 } 405 } while (pid != -1 || (pid == -1 && errno == EINTR)); 406 407 free(rcname); 408 free(cname); 409 410 log_info("terminating"); 411 return (0); 412} 413 414pid_t 415start_child(enum bgpd_process p, char *argv0, int fd, int debug, int verbose) 416{ 417 char *argv[5]; 418 int argc = 0; 419 pid_t pid; 420 421 switch (pid = fork()) { 422 case -1: 423 fatal("cannot fork"); 424 case 0: 425 break; 426 default: 427 close(fd); 428 return (pid); 429 } 430 431 if (fd != 3) { 432 if (dup2(fd, 3) == -1) 433 fatal("cannot setup imsg fd"); 434 } else if (fcntl(fd, F_SETFD, 0) == -1) 435 fatal("cannot setup imsg fd"); 436 437 argv[argc++] = argv0; 438 switch (p) { 439 case PROC_MAIN: 440 fatalx("Can not start main process"); 441 case PROC_RDE: 442 argv[argc++] = "-R"; 443 break; 444 case PROC_SE: 445 argv[argc++] = "-S"; 446 break; 447 } 448 if (debug) 449 argv[argc++] = "-d"; 450 if (verbose) 451 argv[argc++] = "-v"; 452 argv[argc++] = NULL; 453 454 execvp(argv0, argv); 455 fatal("execvp"); 456} 457 458int 459send_filterset(struct imsgbuf *i, struct filter_set_head *set) 460{ 461 struct filter_set *s; 462 463 TAILQ_FOREACH(s, set, entry) 464 if (imsg_compose(i, IMSG_FILTER_SET, 0, 0, -1, s, 465 sizeof(struct filter_set)) == -1) 466 return (-1); 467 return (0); 468} 469 470int 471reconfigure(char *conffile, struct bgpd_config *conf) 472{ 473 struct bgpd_config *new_conf; 474 475 if (reconfpending) 476 return (2); 477 478 log_info("rereading config"); 479 if ((new_conf = parse_config(conffile, &conf->peers)) == NULL) 480 return (1); 481 482 merge_config(conf, new_conf); 483 484 if (prepare_listeners(conf) == -1) { 485 return (1); 486 } 487 488 if (control_setup(conf) == -1) { 489 return (1); 490 } 491 492 return send_config(conf); 493} 494 495int 496send_config(struct bgpd_config *conf) 497{ 498 struct peer *p; 499 struct filter_rule *r; 500 struct listen_addr *la; 501 struct rde_rib *rr; 502 struct l3vpn *vpn; 503 struct as_set *aset; 504 struct prefixset *ps; 505 struct prefixset_item *psi, *npsi; 506 507 reconfpending = 2; /* one per child */ 508 509 expand_networks(conf); 510 511 cflags = conf->flags; 512 513 /* start reconfiguration */ 514 if (imsg_compose(ibuf_se, IMSG_RECONF_CONF, 0, 0, -1, 515 conf, sizeof(*conf)) == -1) 516 return (-1); 517 if (imsg_compose(ibuf_rde, IMSG_RECONF_CONF, 0, 0, -1, 518 conf, sizeof(*conf)) == -1) 519 return (-1); 520 521 TAILQ_FOREACH(la, conf->listen_addrs, entry) { 522 if (imsg_compose(ibuf_se, IMSG_RECONF_LISTENER, 0, 0, la->fd, 523 la, sizeof(*la)) == -1) 524 return (-1); 525 la->fd = -1; 526 } 527 528 /* adjust fib syncing on reload */ 529 ktable_preload(); 530 531 /* RIBs for the RDE */ 532 while ((rr = SIMPLEQ_FIRST(&ribnames))) { 533 SIMPLEQ_REMOVE_HEAD(&ribnames, entry); 534 if (ktable_update(rr->rtableid, rr->name, rr->flags, 535 conf->fib_priority) == -1) { 536 log_warnx("failed to load rdomain %d", 537 rr->rtableid); 538 return (-1); 539 } 540 if (imsg_compose(ibuf_rde, IMSG_RECONF_RIB, 0, 0, -1, 541 rr, sizeof(*rr)) == -1) 542 return (-1); 543 free(rr); 544 } 545 546 /* send peer list to the SE */ 547 RB_FOREACH(p, peer_head, &conf->peers) { 548 if (imsg_compose(ibuf_se, IMSG_RECONF_PEER, p->conf.id, 0, -1, 549 &p->conf, sizeof(p->conf)) == -1) 550 return (-1); 551 552 if (p->reconf_action == RECONF_REINIT) 553 if (pfkey_establish(p) == -1) 554 log_peer_warnx(&p->conf, "pfkey setup failed"); 555 } 556 557 /* networks go via kroute to the RDE */ 558 kr_net_reload(conf->default_tableid, 0, &conf->networks); 559 560 /* prefixsets for filters in the RDE */ 561 while ((ps = SIMPLEQ_FIRST(&conf->prefixsets)) != NULL) { 562 SIMPLEQ_REMOVE_HEAD(&conf->prefixsets, entry); 563 if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET, 0, 0, -1, 564 ps->name, sizeof(ps->name)) == -1) 565 return (-1); 566 RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) { 567 RB_REMOVE(prefixset_tree, &ps->psitems, psi); 568 if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM, 569 0, 0, -1, psi, sizeof(*psi)) == -1) 570 return (-1); 571 set_free(psi->set); 572 free(psi); 573 } 574 free(ps); 575 } 576 577 /* originsets for filters in the RDE */ 578 while ((ps = SIMPLEQ_FIRST(&conf->originsets)) != NULL) { 579 SIMPLEQ_REMOVE_HEAD(&conf->originsets, entry); 580 if (imsg_compose(ibuf_rde, IMSG_RECONF_ORIGIN_SET, 0, 0, -1, 581 ps->name, sizeof(ps->name)) == -1) 582 return (-1); 583 RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) { 584 struct roa_set *rs; 585 size_t i, l, n; 586 RB_REMOVE(prefixset_tree, &ps->psitems, psi); 587 rs = set_get(psi->set, &n); 588 for (i = 0; i < n; i += l) { 589 l = (n - i > 1024 ? 1024 : n - i); 590 if (imsg_compose(ibuf_rde, 591 IMSG_RECONF_ROA_SET_ITEMS, 592 0, 0, -1, rs + i, l * sizeof(*rs)) == -1) 593 return -1; 594 } 595 if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM, 596 0, 0, -1, psi, sizeof(*psi)) == -1) 597 return (-1); 598 set_free(psi->set); 599 free(psi); 600 } 601 free(ps); 602 } 603 604 if (!RB_EMPTY(&conf->roa)) { 605 if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_SET, 0, 0, -1, 606 NULL, 0) == -1) 607 return (-1); 608 RB_FOREACH_SAFE(psi, prefixset_tree, &conf->roa, npsi) { 609 struct roa_set *rs; 610 size_t i, l, n; 611 RB_REMOVE(prefixset_tree, &conf->roa, psi); 612 rs = set_get(psi->set, &n); 613 for (i = 0; i < n; i += l) { 614 l = (n - i > 1024 ? 1024 : n - i); 615 if (imsg_compose(ibuf_rde, 616 IMSG_RECONF_ROA_SET_ITEMS, 617 0, 0, -1, rs + i, l * sizeof(*rs)) == -1) 618 return -1; 619 } 620 if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM, 621 0, 0, -1, psi, sizeof(*psi)) == -1) 622 return (-1); 623 set_free(psi->set); 624 free(psi); 625 } 626 } 627 628 /* as-sets for filters in the RDE */ 629 while ((aset = SIMPLEQ_FIRST(&conf->as_sets)) != NULL) { 630 struct ibuf *wbuf; 631 u_int32_t *as; 632 size_t i, l, n; 633 634 SIMPLEQ_REMOVE_HEAD(&conf->as_sets, entry); 635 636 as = set_get(aset->set, &n); 637 if ((wbuf = imsg_create(ibuf_rde, IMSG_RECONF_AS_SET, 0, 0, 638 sizeof(n) + sizeof(aset->name))) == NULL) 639 return -1; 640 if (imsg_add(wbuf, &n, sizeof(n)) == -1 || 641 imsg_add(wbuf, aset->name, sizeof(aset->name)) == -1) 642 return -1; 643 imsg_close(ibuf_rde, wbuf); 644 645 for (i = 0; i < n; i += l) { 646 l = (n - i > 1024 ? 1024 : n - i); 647 if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS, 648 0, 0, -1, as + i, l * sizeof(*as)) == -1) 649 return -1; 650 } 651 652 if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_DONE, 0, 0, -1, 653 NULL, 0) == -1) 654 return -1; 655 656 set_free(aset->set); 657 free(aset); 658 } 659 660 /* filters for the RDE */ 661 while ((r = TAILQ_FIRST(conf->filters)) != NULL) { 662 TAILQ_REMOVE(conf->filters, r, entry); 663 if (send_filterset(ibuf_rde, &r->set) == -1) 664 return (-1); 665 if (imsg_compose(ibuf_rde, IMSG_RECONF_FILTER, 0, 0, -1, 666 r, sizeof(struct filter_rule)) == -1) 667 return (-1); 668 filterset_free(&r->set); 669 free(r); 670 } 671 672 while ((vpn = SIMPLEQ_FIRST(&conf->l3vpns)) != NULL) { 673 SIMPLEQ_REMOVE_HEAD(&conf->l3vpns, entry); 674 if (ktable_update(vpn->rtableid, vpn->descr, vpn->flags, 675 conf->fib_priority) == -1) { 676 log_warnx("failed to load rdomain %d", 677 vpn->rtableid); 678 return (-1); 679 } 680 /* networks go via kroute to the RDE */ 681 kr_net_reload(vpn->rtableid, vpn->rd, &vpn->net_l); 682 683 if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN, 0, 0, -1, 684 vpn, sizeof(*vpn)) == -1) 685 return (-1); 686 687 /* export targets */ 688 if (send_filterset(ibuf_rde, &vpn->export) == -1) 689 return (-1); 690 if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_EXPORT, 0, 0, 691 -1, NULL, 0) == -1) 692 return (-1); 693 filterset_free(&vpn->export); 694 695 /* import targets */ 696 if (send_filterset(ibuf_rde, &vpn->import) == -1) 697 return (-1); 698 if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_IMPORT, 0, 0, 699 -1, NULL, 0) == -1) 700 return (-1); 701 filterset_free(&vpn->import); 702 703 if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_DONE, 0, 0, 704 -1, NULL, 0) == -1) 705 return (-1); 706 707 free(vpn); 708 } 709 710 /* send a drain message to know when all messages where processed */ 711 if (imsg_compose(ibuf_se, IMSG_RECONF_DRAIN, 0, 0, -1, NULL, 0) == -1) 712 return (-1); 713 if (imsg_compose(ibuf_rde, IMSG_RECONF_DRAIN, 0, 0, -1, NULL, 0) == -1) 714 return (-1); 715 716 /* mrt changes can be sent out of bound */ 717 mrt_reconfigure(conf->mrt); 718 return (0); 719} 720 721int 722dispatch_imsg(struct imsgbuf *ibuf, int idx, struct bgpd_config *conf) 723{ 724 struct imsg imsg; 725 struct peer *p; 726 ssize_t n; 727 int rv, verbose; 728 729 rv = 0; 730 while (ibuf) { 731 if ((n = imsg_get(ibuf, &imsg)) == -1) 732 return (-1); 733 734 if (n == 0) 735 break; 736 737 switch (imsg.hdr.type) { 738 case IMSG_KROUTE_CHANGE: 739 if (idx != PFD_PIPE_ROUTE) 740 log_warnx("route request not from RDE"); 741 else if (imsg.hdr.len != IMSG_HEADER_SIZE + 742 sizeof(struct kroute_full)) 743 log_warnx("wrong imsg len"); 744 else if (kr_change(imsg.hdr.peerid, imsg.data, 745 conf->fib_priority)) 746 rv = -1; 747 break; 748 case IMSG_KROUTE_DELETE: 749 if (idx != PFD_PIPE_ROUTE) 750 log_warnx("route request not from RDE"); 751 else if (imsg.hdr.len != IMSG_HEADER_SIZE + 752 sizeof(struct kroute_full)) 753 log_warnx("wrong imsg len"); 754 else if (kr_delete(imsg.hdr.peerid, imsg.data, 755 conf->fib_priority)) 756 rv = -1; 757 break; 758 case IMSG_KROUTE_FLUSH: 759 if (idx != PFD_PIPE_ROUTE) 760 log_warnx("route request not from RDE"); 761 else if (imsg.hdr.len != IMSG_HEADER_SIZE) 762 log_warnx("wrong imsg len"); 763 else if (kr_flush(imsg.hdr.peerid)) 764 rv = -1; 765 break; 766 case IMSG_NEXTHOP_ADD: 767 if (idx != PFD_PIPE_ROUTE) 768 log_warnx("nexthop request not from RDE"); 769 else if (imsg.hdr.len != IMSG_HEADER_SIZE + 770 sizeof(struct bgpd_addr)) 771 log_warnx("wrong imsg len"); 772 else if (kr_nexthop_add(imsg.hdr.peerid, imsg.data, 773 conf) == -1) 774 rv = -1; 775 break; 776 case IMSG_NEXTHOP_REMOVE: 777 if (idx != PFD_PIPE_ROUTE) 778 log_warnx("nexthop request not from RDE"); 779 else if (imsg.hdr.len != IMSG_HEADER_SIZE + 780 sizeof(struct bgpd_addr)) 781 log_warnx("wrong imsg len"); 782 else 783 kr_nexthop_delete(imsg.hdr.peerid, imsg.data, 784 conf); 785 break; 786 case IMSG_PFTABLE_ADD: 787 if (idx != PFD_PIPE_ROUTE) 788 log_warnx("pftable request not from RDE"); 789 else 790 if (imsg.hdr.len != IMSG_HEADER_SIZE + 791 sizeof(struct pftable_msg)) 792 log_warnx("wrong imsg len"); 793 else if (pftable_addr_add(imsg.data) != 0) 794 rv = -1; 795 break; 796 case IMSG_PFTABLE_REMOVE: 797 if (idx != PFD_PIPE_ROUTE) 798 log_warnx("pftable request not from RDE"); 799 else 800 if (imsg.hdr.len != IMSG_HEADER_SIZE + 801 sizeof(struct pftable_msg)) 802 log_warnx("wrong imsg len"); 803 else if (pftable_addr_remove(imsg.data) != 0) 804 rv = -1; 805 break; 806 case IMSG_PFTABLE_COMMIT: 807 if (idx != PFD_PIPE_ROUTE) 808 log_warnx("pftable request not from RDE"); 809 else if (imsg.hdr.len != IMSG_HEADER_SIZE) 810 log_warnx("wrong imsg len"); 811 else if (pftable_commit() != 0) 812 rv = -1; 813 break; 814 case IMSG_PFKEY_RELOAD: 815 if (idx != PFD_PIPE_SESSION) 816 log_warnx("pfkey reload request not from SE"); 817 else if ((p = getpeerbyid(conf, imsg.hdr.peerid)) == 818 NULL) 819 log_warnx("pfkey reload: no such peer: id=%u", 820 imsg.hdr.peerid); 821 else { 822 if (pfkey_establish(p) == -1) 823 log_peer_warnx(&p->conf, 824 "pfkey setup failed"); 825 } 826 break; 827 case IMSG_CTL_RELOAD: 828 if (idx != PFD_PIPE_SESSION) 829 log_warnx("reload request not from SE"); 830 else { 831 reconfig = 1; 832 reconfpid = imsg.hdr.pid; 833 } 834 break; 835 case IMSG_CTL_FIB_COUPLE: 836 if (idx != PFD_PIPE_SESSION) 837 log_warnx("couple request not from SE"); 838 else 839 kr_fib_couple(imsg.hdr.peerid, 840 conf->fib_priority); 841 break; 842 case IMSG_CTL_FIB_DECOUPLE: 843 if (idx != PFD_PIPE_SESSION) 844 log_warnx("decouple request not from SE"); 845 else 846 kr_fib_decouple(imsg.hdr.peerid, 847 conf->fib_priority); 848 break; 849 case IMSG_CTL_KROUTE: 850 case IMSG_CTL_KROUTE_ADDR: 851 case IMSG_CTL_SHOW_NEXTHOP: 852 case IMSG_CTL_SHOW_INTERFACE: 853 case IMSG_CTL_SHOW_FIB_TABLES: 854 if (idx != PFD_PIPE_SESSION) 855 log_warnx("kroute request not from SE"); 856 else 857 kr_show_route(&imsg); 858 break; 859 case IMSG_IFINFO: 860 if (idx != PFD_PIPE_SESSION) 861 log_warnx("IFINFO request not from SE"); 862 else if (imsg.hdr.len != IMSG_HEADER_SIZE + IFNAMSIZ) 863 log_warnx("IFINFO request with wrong len"); 864 else 865 kr_ifinfo(imsg.data); 866 break; 867 case IMSG_DEMOTE: 868 if (idx != PFD_PIPE_SESSION) 869 log_warnx("demote request not from SE"); 870 else if (imsg.hdr.len != IMSG_HEADER_SIZE + 871 sizeof(struct demote_msg)) 872 log_warnx("DEMOTE request with wrong len"); 873 else { 874 struct demote_msg *msg; 875 876 msg = imsg.data; 877 carp_demote_set(msg->demote_group, msg->level); 878 } 879 break; 880 case IMSG_CTL_LOG_VERBOSE: 881 /* already checked by SE */ 882 memcpy(&verbose, imsg.data, sizeof(verbose)); 883 log_setverbose(verbose); 884 break; 885 case IMSG_RECONF_DONE: 886 if (reconfpending == 0) { 887 log_warnx("unexpected RECONF_DONE received"); 888 break; 889 } 890 if (idx == PFD_PIPE_SESSION) { 891 imsg_compose(ibuf_rde, IMSG_RECONF_DONE, 0, 892 0, -1, NULL, 0); 893 894 /* finally fix kroute information */ 895 ktable_postload(conf->fib_priority); 896 897 /* redistribute list needs to be reloaded too */ 898 kr_reload(); 899 } 900 reconfpending--; 901 break; 902 case IMSG_RECONF_DRAIN: 903 if (reconfpending == 0) { 904 log_warnx("unexpected RECONF_DRAIN received"); 905 break; 906 } 907 reconfpending--; 908 if (reconfpending == 0) { 909 /* 910 * SE goes first to bring templated neighbors 911 * in sync. 912 */ 913 imsg_compose(ibuf_se, IMSG_RECONF_DONE, 0, 914 0, -1, NULL, 0); 915 reconfpending = 2; /* expecting 2 DONE msg */ 916 } 917 break; 918 default: 919 break; 920 } 921 imsg_free(&imsg); 922 if (rv != 0) 923 return (rv); 924 } 925 return (0); 926} 927 928void 929send_nexthop_update(struct kroute_nexthop *msg) 930{ 931 char *gw = NULL; 932 933 if (msg->gateway.aid) 934 if (asprintf(&gw, ": via %s", 935 log_addr(&msg->gateway)) == -1) { 936 log_warn("send_nexthop_update"); 937 quit = 1; 938 } 939 940 log_debug("nexthop %s now %s%s%s", log_addr(&msg->nexthop), 941 msg->valid ? "valid" : "invalid", 942 msg->connected ? ": directly connected" : "", 943 msg->gateway.aid ? gw : ""); 944 945 free(gw); 946 947 if (imsg_compose(ibuf_rde, IMSG_NEXTHOP_UPDATE, 0, 0, -1, 948 msg, sizeof(struct kroute_nexthop)) == -1) 949 quit = 1; 950} 951 952void 953send_imsg_session(int type, pid_t pid, void *data, u_int16_t datalen) 954{ 955 imsg_compose(ibuf_se, type, 0, pid, -1, data, datalen); 956} 957 958int 959send_network(int type, struct network_config *net, struct filter_set_head *h) 960{ 961 if (quit) 962 return (0); 963 if (imsg_compose(ibuf_rde, type, 0, 0, -1, net, 964 sizeof(struct network_config)) == -1) 965 return (-1); 966 /* networks that get deleted don't need to send the filter set */ 967 if (type == IMSG_NETWORK_REMOVE) 968 return (0); 969 if (send_filterset(ibuf_rde, h) == -1) 970 return (-1); 971 if (imsg_compose(ibuf_rde, IMSG_NETWORK_DONE, 0, 0, -1, NULL, 0) == -1) 972 return (-1); 973 974 return (0); 975} 976 977int 978bgpd_filternexthop(struct kroute *kr, struct kroute6 *kr6) 979{ 980 /* kernel routes are never filtered */ 981 if (kr && kr->flags & F_KERNEL && kr->prefixlen != 0) 982 return (0); 983 if (kr6 && kr6->flags & F_KERNEL && kr6->prefixlen != 0) 984 return (0); 985 986 if (cflags & BGPD_FLAG_NEXTHOP_BGP) { 987 if (kr && kr->flags & F_BGPD_INSERTED) 988 return (0); 989 if (kr6 && kr6->flags & F_BGPD_INSERTED) 990 return (0); 991 } 992 993 if (cflags & BGPD_FLAG_NEXTHOP_DEFAULT) { 994 if (kr && kr->prefixlen == 0) 995 return (0); 996 if (kr6 && kr6->prefixlen == 0) 997 return (0); 998 } 999 1000 return (1); 1001} 1002 1003int 1004control_setup(struct bgpd_config *conf) 1005{ 1006 int fd, restricted; 1007 1008 /* control socket is outside chroot */ 1009 if (!cname || strcmp(cname, conf->csock)) { 1010 if (cname) { 1011 free(cname); 1012 } 1013 if ((cname = strdup(conf->csock)) == NULL) 1014 fatal("strdup"); 1015 if (control_check(cname) == -1) 1016 return (-1); 1017 if ((fd = control_init(0, cname)) == -1) 1018 fatalx("control socket setup failed"); 1019 if (control_listen(fd) == -1) 1020 fatalx("control socket setup failed"); 1021 restricted = 0; 1022 if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd, 1023 &restricted, sizeof(restricted)) == -1) 1024 return (-1); 1025 } 1026 if (!conf->rcsock) { 1027 /* remove restricted socket */ 1028 free(rcname); 1029 rcname = NULL; 1030 } else if (!rcname || strcmp(rcname, conf->rcsock)) { 1031 if (rcname) { 1032 free(rcname); 1033 } 1034 if ((rcname = strdup(conf->rcsock)) == NULL) 1035 fatal("strdup"); 1036 if (control_check(rcname) == -1) 1037 return (-1); 1038 if ((fd = control_init(1, rcname)) == -1) 1039 fatalx("control socket setup failed"); 1040 if (control_listen(fd) == -1) 1041 fatalx("control socket setup failed"); 1042 restricted = 1; 1043 if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd, 1044 &restricted, sizeof(restricted)) == -1) 1045 return (-1); 1046 } 1047 return (0); 1048} 1049 1050void 1051set_pollfd(struct pollfd *pfd, struct imsgbuf *i) 1052{ 1053 if (i == NULL || i->fd == -1) { 1054 pfd->fd = -1; 1055 return; 1056 } 1057 pfd->fd = i->fd; 1058 pfd->events = POLLIN; 1059 if (i->w.queued > 0) 1060 pfd->events |= POLLOUT; 1061} 1062 1063int 1064handle_pollfd(struct pollfd *pfd, struct imsgbuf *i) 1065{ 1066 ssize_t n; 1067 1068 if (i == NULL) 1069 return (0); 1070 1071 if (pfd->revents & POLLOUT) 1072 if (msgbuf_write(&i->w) <= 0 && errno != EAGAIN) { 1073 log_warn("imsg write error"); 1074 close(i->fd); 1075 i->fd = -1; 1076 return (-1); 1077 } 1078 1079 if (pfd->revents & POLLIN) { 1080 if ((n = imsg_read(i)) == -1 && errno != EAGAIN) { 1081 log_warn("imsg read error"); 1082 close(i->fd); 1083 i->fd = -1; 1084 return (-1); 1085 } 1086 if (n == 0) { 1087 log_warnx("peer closed imsg connection"); 1088 close(i->fd); 1089 i->fd = -1; 1090 return (-1); 1091 } 1092 } 1093 return (0); 1094} 1095 1096static void 1097getsockpair(int pipe[2]) 1098{ 1099 int bsize, i; 1100 1101 if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, 1102 PF_UNSPEC, pipe) == -1) 1103 fatal("socketpair"); 1104 1105 for (i = 0; i < 2; i++) { 1106 for (bsize = MAX_SOCK_BUF; bsize >= 16 * 1024; bsize /= 2) { 1107 if (setsockopt(pipe[i], SOL_SOCKET, SO_RCVBUF, 1108 &bsize, sizeof(bsize)) == -1) { 1109 if (errno != ENOBUFS) 1110 fatal("setsockopt(SO_RCVBUF, %d)", 1111 bsize); 1112 log_warn("setsockopt(SO_RCVBUF, %d)", bsize); 1113 continue; 1114 } 1115 break; 1116 } 1117 } 1118 for (i = 0; i < 2; i++) { 1119 for (bsize = MAX_SOCK_BUF; bsize >= 16 * 1024; bsize /= 2) { 1120 if (setsockopt(pipe[i], SOL_SOCKET, SO_SNDBUF, 1121 &bsize, sizeof(bsize)) == -1) { 1122 if (errno != ENOBUFS) 1123 fatal("setsockopt(SO_SNDBUF, %d)", 1124 bsize); 1125 log_warn("setsockopt(SO_SNDBUF, %d)", bsize); 1126 continue; 1127 } 1128 break; 1129 } 1130 } 1131} 1132 1133int 1134imsg_send_sockets(struct imsgbuf *se, struct imsgbuf *rde) 1135{ 1136 int pipe_s2r[2]; 1137 int pipe_s2r_ctl[2]; 1138 1139 getsockpair(pipe_s2r); 1140 getsockpair(pipe_s2r_ctl); 1141 1142 if (imsg_compose(se, IMSG_SOCKET_CONN, 0, 0, pipe_s2r[0], 1143 NULL, 0) == -1) 1144 return (-1); 1145 if (imsg_compose(rde, IMSG_SOCKET_CONN, 0, 0, pipe_s2r[1], 1146 NULL, 0) == -1) 1147 return (-1); 1148 1149 if (imsg_compose(se, IMSG_SOCKET_CONN_CTL, 0, 0, pipe_s2r_ctl[0], 1150 NULL, 0) == -1) 1151 return (-1); 1152 if (imsg_compose(rde, IMSG_SOCKET_CONN_CTL, 0, 0, pipe_s2r_ctl[1], 1153 NULL, 0) == -1) 1154 return (-1); 1155 1156 return (0); 1157} 1158