bgpd.c revision 1.227
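/*	$OpenBSD: bgpd.c,v 1.227 2019/10/02 08:58:34 claudio Exp $ */

/*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#include "bgpd.h"
#include "session.h"
#include "log.h"

void		sighdlr(int);
__dead void	usage(void);
int		main(int, char *[]);
pid_t		start_child(enum bgpd_process, char *, int, int, int);
int		send_filterset(struct imsgbuf *, struct filter_set_head *);
int		reconfigure(char *, struct bgpd_config *);
int		send_config(struct bgpd_config *);
int		dispatch_imsg(struct imsgbuf *, int, struct bgpd_config *);
int		control_setup(struct bgpd_config *);
static void	getsockpair(int [2]);
int		imsg_send_sockets(struct imsgbuf *, struct imsgbuf *);

/* copy of conf->flags, refreshed by send_config() */
int			 cflags;
/* flags set by sighdlr() and consumed by the main loop */
volatile sig_atomic_t	 mrtdump;
volatile sig_atomic_t	 quit;
volatile sig_atomic_t	 reconfig;
/* pid taken from the IMSG_CTL_RELOAD header; receives the reload result */
pid_t			 reconfpid;
/* number of RECONF_DRAIN/RECONF_DONE replies still outstanding */
int			 reconfpending;
/* imsg channels from the parent to the session engine and to the RDE */
struct imsgbuf		*ibuf_se;
struct imsgbuf		*ibuf_rde;
struct rib_names	 ribnames = SIMPLEQ_HEAD_INITIALIZER(ribnames);
/* paths of the currently configured control and restricted sockets */
char			*cname;
char			*rcname;

/*
 * Signal handler: only records which event happened in a sig_atomic_t
 * flag.  All real work is done by the main loop when it sees the flag.
 */
void
sighdlr(int sig)
{
	switch (sig) {
	case SIGTERM:
	case SIGINT:
		quit = 1;
		break;
	case SIGHUP:
		reconfig = 1;
		break;
	case SIGALRM:
	case SIGUSR1:
		mrtdump = 1;
		break;
	}
}

/* Print the command line synopsis to stderr and exit with status 1. */
__dead void
usage(void)
{
	extern char *__progname;

	fprintf(stderr, "usage: %s [-cdnv] [-D macro=value] [-f file]\n",
	    __progname);
	exit(1);
}

/* slots in the pollfd array used by main() */
#define PFD_PIPE_SESSION	0
#define PFD_PIPE_ROUTE		1
#define PFD_SOCK_ROUTE		2
#define PFD_SOCK_PFKEY		3
#define POLL_MAX		4
/* upper bound for the poll timeout, in seconds */
#define MAX_TIMEOUT		3600

int	 cmd_opts;

/*
 * Parent process of bgpd.
 *
 * Parses the command line and the configuration, requires an effective
 * uid of 0, starts the RDE and the session engine as re-executed
 * children, and then services their imsg requests together with the
 * routing and pfkey sockets until "quit" is set.  With -n only the
 * configuration is checked.  The hidden -R and -S options select the
 * RDE and SE roles for the re-executed children.
 */
int
main(int argc, char *argv[])
{
	struct bgpd_config	*conf;
	struct rde_rib		*rr;
	struct peer		*p;
	struct pollfd		 pfd[POLL_MAX];
	time_t			 timeout;
	pid_t			 se_pid = 0, rde_pid = 0, pid;
	char			*conffile;
	char			*saved_argv0;
	int			 debug = 0;
	int			 rflag = 0, sflag = 0;
	int			 rfd, keyfd;
	int			 ch, status;
	int			 pipe_m2s[2];
	int			 pipe_m2r[2];

	conffile = CONFFILE;
	bgpd_process = PROC_MAIN;

	log_init(1, LOG_DAEMON);	/* log to stderr until daemonized */
	log_procinit(log_procnames[bgpd_process]);
	log_setverbose(1);

	/* remembered so the children can be re-executed from the same name */
	saved_argv0 = argv[0];
	if (saved_argv0 == NULL)
		saved_argv0 = "bgpd";

	while ((ch = getopt(argc, argv, "cdD:f:nRSv")) != -1) {
		switch (ch) {
		case 'c':
			cmd_opts |= BGPD_OPT_FORCE_DEMOTE;
			break;
		case 'd':
			debug = 1;
			break;
		case 'D':
			if (cmdline_symset(optarg) < 0)
				log_warnx("could not parse macro definition %s",
				    optarg);
			break;
		case 'f':
			conffile = optarg;
			break;
		case 'n':
			cmd_opts |= BGPD_OPT_NOACTION;
			break;
		case 'v':
			/* a second -v raises the level to VERBOSE2 */
			if (cmd_opts & BGPD_OPT_VERBOSE)
				cmd_opts |= BGPD_OPT_VERBOSE2;
			cmd_opts |= BGPD_OPT_VERBOSE;
			break;
		case 'R':
			rflag = 1;
			break;
		case 'S':
			sflag = 1;
			break;
		default:
			usage();
			/* NOTREACHED */
		}
	}

	argc -= optind;
	argv += optind;
	if (argc > 0 || (sflag && rflag))
		usage();

	/* -n: parse (and optionally print) the configuration, then exit */
	if (cmd_opts & BGPD_OPT_NOACTION) {
		if ((conf = parse_config(conffile, NULL)) == NULL)
			exit(1);

		if (cmd_opts & BGPD_OPT_VERBOSE)
			print_config(conf, &ribnames);
		else
			fprintf(stderr, "configuration OK\n");

		while ((rr = SIMPLEQ_FIRST(&ribnames)) != NULL) {
			SIMPLEQ_REMOVE_HEAD(&ribnames, entry);
			free(rr);
		}
		free_config(conf);
		exit(0);
	}

	/*
	 * Child roles.  NOTE(review): rde_main() and session_main() are
	 * presumably noreturn; otherwise execution would continue into the
	 * parent setup below -- confirm against their declarations.
	 */
	if (rflag)
		rde_main(debug, cmd_opts & BGPD_OPT_VERBOSE);
	else if (sflag)
		session_main(debug, cmd_opts & BGPD_OPT_VERBOSE);

	if (geteuid())
		errx(1, "need root privileges");

	if (getpwnam(BGPD_USER) == NULL)
		errx(1, "unknown user %s", BGPD_USER);

	if ((conf = parse_config(conffile, NULL)) == NULL) {
		log_warnx("config file %s has errors", conffile);
		exit(1);
	}

	if (prepare_listeners(conf) == -1)
		exit(1);

	log_init(debug, LOG_DAEMON);
	log_setverbose(cmd_opts & BGPD_OPT_VERBOSE);

	if (!debug)
		daemon(1, 0);

	log_info("startup");

	getsockpair(pipe_m2s);
	getsockpair(pipe_m2r);

	/* fork children */
	rde_pid = start_child(PROC_RDE, saved_argv0, pipe_m2r[1], debug,
	    cmd_opts & BGPD_OPT_VERBOSE);
	se_pid = start_child(PROC_SE, saved_argv0, pipe_m2s[1], debug,
	    cmd_opts & BGPD_OPT_VERBOSE);

	signal(SIGTERM, sighdlr);
	signal(SIGINT, sighdlr);
	signal(SIGHUP, sighdlr);
	signal(SIGALRM, sighdlr);
	signal(SIGUSR1, sighdlr);
	signal(SIGPIPE, SIG_IGN);

	if ((ibuf_se = malloc(sizeof(struct imsgbuf))) == NULL ||
	    (ibuf_rde = malloc(sizeof(struct imsgbuf))) == NULL)
		fatal(NULL);
	imsg_init(ibuf_se, pipe_m2s[0]);
	imsg_init(ibuf_rde, pipe_m2r[0]);
	mrt_init(ibuf_rde, ibuf_se);
	if (kr_init(&rfd) == -1)
		quit = 1;
	keyfd = pfkey_init();

	/*
	 * rpath, read config file
	 * cpath, unlink control socket
	 * fattr, chmod on control socket
	 * wpath, needed if we are doing mrt dumps
	 *
	 * pledge placed here because kr_init() does a setsockopt on the
	 * routing socket that's not allowed at all.
	 */
#if 0
	/*
	 * disabled because we do ioctls on /dev/pf and SIOCSIFGATTR
	 * this needs some redesign of bgpd to be fixed.
	 *
	 * Consequence: in this revision the root-run parent is not
	 * restricted by pledge(2) at all.
	 */
BROKEN	if (pledge("stdio rpath wpath cpath fattr unix route recvfd sendfd",
	    NULL) == -1)
		fatal("pledge");
#endif

	if (imsg_send_sockets(ibuf_se, ibuf_rde))
		fatal("could not establish imsg links");
	/* control setup needs to happen late since it sends imsgs */
	if (control_setup(conf) == -1)
		quit = 1;
	if (send_config(conf) != 0)
		quit = 1;
	if (pftable_clear_all() != 0)
		quit = 1;

	while (quit == 0) {
		bzero(pfd, sizeof(pfd));

		timeout = mrt_timeout(conf->mrt);

		pfd[PFD_SOCK_ROUTE].fd = rfd;
		pfd[PFD_SOCK_ROUTE].events = POLLIN;

		pfd[PFD_SOCK_PFKEY].fd = keyfd;
		pfd[PFD_SOCK_PFKEY].events = POLLIN;

		set_pollfd(&pfd[PFD_PIPE_SESSION], ibuf_se);
		set_pollfd(&pfd[PFD_PIPE_ROUTE], ibuf_rde);

		/* clamp so that timeout * 1000 stays a sane poll() argument */
		if (timeout < 0 || timeout > MAX_TIMEOUT)
			timeout = MAX_TIMEOUT;
		if (poll(pfd, POLL_MAX, timeout * 1000) == -1)
			if (errno != EINTR) {
				log_warn("poll error");
				quit = 1;
			}

		if (handle_pollfd(&pfd[PFD_PIPE_SESSION], ibuf_se) == -1) {
			/* handle_pollfd() has already closed the fd */
			log_warnx("main: Lost connection to SE");
			msgbuf_clear(&ibuf_se->w);
			free(ibuf_se);
			ibuf_se = NULL;
			quit = 1;
			/*
			 * NOTE(review): the rest of this iteration still
			 * runs.  reconfigure() and send_imsg_session() hand
			 * ibuf_se to imsg_compose() without a NULL check;
			 * confirm that path cannot be reached with a pending
			 * reconfig once the SE is gone.  The same applies to
			 * ibuf_rde below.
			 */
		} else {
			if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION, conf) ==
			    -1)
				quit = 1;
		}

		if (handle_pollfd(&pfd[PFD_PIPE_ROUTE], ibuf_rde) == -1) {
			log_warnx("main: Lost connection to RDE");
			msgbuf_clear(&ibuf_rde->w);
			free(ibuf_rde);
			ibuf_rde = NULL;
			quit = 1;
		} else {
			if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE, conf) ==
			    -1)
				quit = 1;
		}

		if (pfd[PFD_SOCK_ROUTE].revents & POLLIN) {
			if (kr_dispatch_msg(conf->default_tableid) == -1)
				quit = 1;
		}

		if (pfd[PFD_SOCK_PFKEY].revents & POLLIN) {
			if (pfkey_read(keyfd, NULL) == -1) {
				log_warnx("pfkey_read failed, exiting...");
				quit = 1;
			}
		}

		if (reconfig) {
			u_int	error;

			reconfig = 0;
			switch (reconfigure(conffile, conf)) {
			case -1:	/* fatal error */
				quit = 1;
				break;
			case 0:		/* all OK */
				error = 0;
				break;
			case 2:
				log_info("previous reload still running");
				error = CTL_RES_PENDING;
				break;
			default:	/* parse error */
				log_warnx("config file %s has errors, "
				    "not reloading", conffile);
				error = CTL_RES_PARSE_ERROR;
				break;
			}
			/* report the outcome to the control client, if any */
			if (reconfpid != 0) {
				send_imsg_session(IMSG_CTL_RESULT, reconfpid,
				    &error, sizeof(error));
				reconfpid = 0;
			}
		}

		if (mrtdump) {
			mrtdump = 0;
			mrt_handler(conf->mrt);
		}
	}

	/* close pipes */
	if (ibuf_se) {
		msgbuf_clear(&ibuf_se->w);
		close(ibuf_se->fd);
		free(ibuf_se);
		ibuf_se = NULL;
	}
	if (ibuf_rde) {
		msgbuf_clear(&ibuf_rde->w);
		close(ibuf_rde->fd);
		free(ibuf_rde);
		ibuf_rde = NULL;
	}

	/* cleanup kernel data structures */
	carp_demote_shutdown();
	kr_shutdown(conf->fib_priority, conf->default_tableid);
	pftable_clear_all();

	RB_FOREACH(p, peer_head, &conf->peers)
		pfkey_remove(p);

	while ((rr = SIMPLEQ_FIRST(&ribnames)) != NULL) {
		SIMPLEQ_REMOVE_HEAD(&ribnames, entry);
		free(rr);
	}
	free_config(conf);

	/* reap children; keep going across EINTR until wait() reports ECHILD */
	log_debug("waiting for children to terminate");
	do {
		pid = wait(&status);
		if (pid == -1) {
			if (errno != EINTR && errno != ECHILD)
				fatal("wait");
		} else if (WIFSIGNALED(status)) {
			char	*name = "unknown process";
			if (pid == rde_pid)
				name = "route decision engine";
			else if (pid == se_pid)
				name = "session engine";
			log_warnx("%s terminated; signal %d", name,
			    WTERMSIG(status));
		}
	} while (pid != -1 || (pid == -1 && errno == EINTR));

	free(rcname);
	free(cname);

	log_info("terminating");
	return (0);
}

/*
 * Fork and re-execute argv0 as the RDE (-R) or the session engine (-S).
 *
 * In the parent, closes fd (the child's end of the socketpair) and
 * returns the child's pid.  In the child, makes fd available as
 * descriptor 3 without close-on-exec and then calls execvp(); the child
 * branch never returns.
 *
 * NOTE(review): execvp() resolves an argv0 without a slash through PATH,
 * so which binary the children run depends on the argv[0] and PATH the
 * parent was started with.
 */
pid_t
start_child(enum bgpd_process p, char *argv0, int fd, int debug, int verbose)
{
	char	*argv[5];	/* argv0, role flag, -d, -v, NULL */
	int	 argc = 0;
	pid_t	 pid;

	switch (pid = fork()) {
	case -1:
		fatal("cannot fork");
	case 0:
		break;
	default:
		close(fd);
		return (pid);
	}

	/*
	 * The socketpair was created with SOCK_CLOEXEC.  dup2() yields a
	 * descriptor without that flag; if fd already is 3 the flag has to
	 * be cleared explicitly so the descriptor survives the exec.
	 */
	if (fd != 3) {
		if (dup2(fd, 3) == -1)
			fatal("cannot setup imsg fd");
	} else if (fcntl(fd, F_SETFD, 0) == -1)
		fatal("cannot setup imsg fd");

	argv[argc++] = argv0;
	switch (p) {
	case PROC_MAIN:
		fatalx("Can not start main process");
	case PROC_RDE:
		argv[argc++] = "-R";
		break;
	case PROC_SE:
		argv[argc++] = "-S";
		break;
	}
	if (debug)
		argv[argc++] = "-d";
	if (verbose)
		argv[argc++] = "-v";
	argv[argc++] = NULL;

	execvp(argv0, argv);
	fatal("execvp");
}

/*
 * Queue one IMSG_FILTER_SET message per element of "set" on "i".
 * Returns 0 on success, -1 as soon as one imsg_compose() fails.
 */
int
send_filterset(struct imsgbuf *i, struct filter_set_head *set)
{
	struct filter_set	*s;

	TAILQ_FOREACH(s, set, entry)
		if (imsg_compose(i, IMSG_FILTER_SET, 0, 0, -1, s,
		    sizeof(struct filter_set)) == -1)
			return (-1);
	return (0);
}

/*
 * Re-read the configuration file and push the result to the children.
 *
 * Returns 2 if a previous reload is still pending, 1 if the file could
 * not be parsed or the listeners/control sockets could not be set up,
 * and otherwise the result of send_config() (0 or -1).
 */
int
reconfigure(char *conffile, struct bgpd_config *conf)
{
	struct bgpd_config	*new_conf;

	if (reconfpending)
		return (2);

	log_info("rereading config");
	if ((new_conf = parse_config(conffile, &conf->peers)) == NULL)
		return (1);

	merge_config(conf, new_conf);

	if (prepare_listeners(conf) == -1) {
		return (1);
	}

	if (control_setup(conf) == -1) {
		return (1);
	}

	return send_config(conf);
}

/*
 * Send the whole configuration to the session engine and the RDE.
 *
 * The lists in "conf" that are only needed by the children (ribnames,
 * prefixsets, originsets, roa, as_sets, filters, l3vpns) are consumed:
 * each element is unlinked, sent and freed.  Listener fds are passed to
 * the SE and forgotten here.  The sequence ends with IMSG_RECONF_DRAIN
 * to both children; reconfpending counts their replies.
 *
 * Returns 0 on success and -1 on the first failure.  On failure the
 * lists are left partially consumed and the element in flight is not
 * freed; both callers visible in this file treat -1 as fatal.
 */
int
send_config(struct bgpd_config *conf)
{
	struct peer		*p;
	struct filter_rule	*r;
	struct listen_addr	*la;
	struct rde_rib		*rr;
	struct l3vpn		*vpn;
	struct as_set		*aset;
	struct prefixset	*ps;
	struct prefixset_item	*psi, *npsi;

	reconfpending = 2;	/* one per child */

	expand_networks(conf);

	cflags = conf->flags;

	/* start reconfiguration */
	if (imsg_compose(ibuf_se, IMSG_RECONF_CONF, 0, 0, -1,
	    conf, sizeof(*conf)) == -1)
		return (-1);
	if (imsg_compose(ibuf_rde, IMSG_RECONF_CONF, 0, 0, -1,
	    conf, sizeof(*conf)) == -1)
		return (-1);

	TAILQ_FOREACH(la, conf->listen_addrs, entry) {
		if (imsg_compose(ibuf_se, IMSG_RECONF_LISTENER, 0, 0, la->fd,
		    la, sizeof(*la)) == -1)
			return (-1);
		/* the fd now belongs to the imsg layer */
		la->fd = -1;
	}

	/* adjust fib syncing on reload */
	ktable_preload();

	/* RIBs for the RDE */
	while ((rr = SIMPLEQ_FIRST(&ribnames))) {
		SIMPLEQ_REMOVE_HEAD(&ribnames, entry);
		if (ktable_update(rr->rtableid, rr->name, rr->flags,
		    conf->fib_priority) == -1) {
			log_warnx("failed to load rdomain %d",
			    rr->rtableid);
			return (-1);
		}
		if (imsg_compose(ibuf_rde, IMSG_RECONF_RIB, 0, 0, -1,
		    rr, sizeof(*rr)) == -1)
			return (-1);
		free(rr);
	}

	/* send peer list to the SE */
	RB_FOREACH(p, peer_head, &conf->peers) {
		if (imsg_compose(ibuf_se, IMSG_RECONF_PEER, p->conf.id, 0, -1,
		    &p->conf, sizeof(p->conf)) == -1)
			return (-1);

		/* a failed pfkey setup is logged but does not abort */
		if (p->reconf_action == RECONF_REINIT)
			if (pfkey_establish(p) == -1)
				log_peer_warnx(&p->conf, "pfkey setup failed");
	}

	/* networks go via kroute to the RDE */
	kr_net_reload(conf->default_tableid, 0, &conf->networks);

	/* prefixsets for filters in the RDE */
	while ((ps = SIMPLEQ_FIRST(&conf->prefixsets)) != NULL) {
		SIMPLEQ_REMOVE_HEAD(&conf->prefixsets, entry);
		if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET, 0, 0, -1,
		    ps->name, sizeof(ps->name)) == -1)
			return (-1);
		RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) {
			RB_REMOVE(prefixset_tree, &ps->psitems, psi);
			if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
			    0, 0, -1, psi, sizeof(*psi)) == -1)
				return (-1);
			set_free(psi->set);
			free(psi);
		}
		free(ps);
	}

	/* originsets for filters in the RDE */
	while ((ps = SIMPLEQ_FIRST(&conf->originsets)) != NULL) {
		SIMPLEQ_REMOVE_HEAD(&conf->originsets, entry);
		if (imsg_compose(ibuf_rde, IMSG_RECONF_ORIGIN_SET, 0, 0, -1,
		    ps->name, sizeof(ps->name)) == -1)
			return (-1);
		RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) {
			struct roa_set	*rs;
			size_t		 i, l, n;
			RB_REMOVE(prefixset_tree, &ps->psitems, psi);
			rs = set_get(psi->set, &n);
			/* at most 1024 entries per message */
			for (i = 0; i < n; i += l) {
				l = (n - i > 1024 ? 1024 : n - i);
				if (imsg_compose(ibuf_rde,
				    IMSG_RECONF_ROA_SET_ITEMS,
				    0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
					return -1;
			}
			if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
			    0, 0, -1, psi, sizeof(*psi)) == -1)
				return (-1);
			set_free(psi->set);
			free(psi);
		}
		free(ps);
	}

	if (!RB_EMPTY(&conf->roa)) {
		if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_SET, 0, 0, -1,
		    NULL, 0) == -1)
			return (-1);
		RB_FOREACH_SAFE(psi, prefixset_tree, &conf->roa, npsi) {
			struct roa_set	*rs;
			size_t		 i, l, n;
			RB_REMOVE(prefixset_tree, &conf->roa, psi);
			rs = set_get(psi->set, &n);
			/* at most 1024 entries per message */
			for (i = 0; i < n; i += l) {
				l = (n - i > 1024 ? 1024 : n - i);
				if (imsg_compose(ibuf_rde,
				    IMSG_RECONF_ROA_SET_ITEMS,
				    0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
					return -1;
			}
			if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
			    0, 0, -1, psi, sizeof(*psi)) == -1)
				return (-1);
			set_free(psi->set);
			free(psi);
		}
	}

	/* as-sets for filters in the RDE */
	while ((aset = SIMPLEQ_FIRST(&conf->as_sets)) != NULL) {
		struct ibuf	*wbuf;
		u_int32_t	*as;
		size_t		 i, l, n;

		SIMPLEQ_REMOVE_HEAD(&conf->as_sets, entry);

		/* header message: element count followed by the set name */
		as = set_get(aset->set, &n);
		if ((wbuf = imsg_create(ibuf_rde, IMSG_RECONF_AS_SET, 0, 0,
		    sizeof(n) + sizeof(aset->name))) == NULL)
			return -1;
		if (imsg_add(wbuf, &n, sizeof(n)) == -1 ||
		    imsg_add(wbuf, aset->name, sizeof(aset->name)) == -1)
			return -1;
		imsg_close(ibuf_rde, wbuf);

		/* at most 1024 entries per message */
		for (i = 0; i < n; i += l) {
			l = (n - i > 1024 ? 1024 : n - i);
			if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS,
			    0, 0, -1, as + i, l * sizeof(*as)) == -1)
				return -1;
		}

		if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_DONE, 0, 0, -1,
		    NULL, 0) == -1)
			return -1;

		set_free(aset->set);
		free(aset);
	}

	/* filters for the RDE */
	while ((r = TAILQ_FIRST(conf->filters)) != NULL) {
		TAILQ_REMOVE(conf->filters, r, entry);
		if (send_filterset(ibuf_rde, &r->set) == -1)
			return (-1);
		if (imsg_compose(ibuf_rde, IMSG_RECONF_FILTER, 0, 0, -1,
		    r, sizeof(struct filter_rule)) == -1)
			return (-1);
		filterset_free(&r->set);
		free(r);
	}

	while ((vpn = SIMPLEQ_FIRST(&conf->l3vpns)) != NULL) {
		SIMPLEQ_REMOVE_HEAD(&conf->l3vpns, entry);
		if (ktable_update(vpn->rtableid, vpn->descr, vpn->flags,
		    conf->fib_priority) == -1) {
			log_warnx("failed to load rdomain %d",
			    vpn->rtableid);
			return (-1);
		}
		/* networks go via kroute to the RDE */
		kr_net_reload(vpn->rtableid, vpn->rd, &vpn->net_l);

		if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN, 0, 0, -1,
		    vpn, sizeof(*vpn)) == -1)
			return (-1);

		/* export targets */
		if (send_filterset(ibuf_rde, &vpn->export) == -1)
			return (-1);
		if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_EXPORT, 0, 0,
		    -1, NULL, 0) == -1)
			return (-1);
		filterset_free(&vpn->export);

		/* import targets */
		if (send_filterset(ibuf_rde, &vpn->import) == -1)
			return (-1);
		if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_IMPORT, 0, 0,
		    -1, NULL, 0) == -1)
			return (-1);
		filterset_free(&vpn->import);

		if (imsg_compose(ibuf_rde, IMSG_RECONF_VPN_DONE, 0, 0,
		    -1, NULL, 0) == -1)
			return (-1);

		free(vpn);
	}

	/* send a drain message to know when all messages were processed */
	if (imsg_compose(ibuf_se, IMSG_RECONF_DRAIN, 0, 0, -1, NULL, 0) == -1)
		return (-1);
	if (imsg_compose(ibuf_rde, IMSG_RECONF_DRAIN, 0, 0, -1, NULL, 0) == -1)
		return (-1);

	/* mrt changes can be sent out of band */
	mrt_reconfigure(conf->mrt);
	return (0);
}

/*
 * Process all complete messages buffered on "ibuf".
 *
 * "idx" is the pollfd slot the buffer belongs to (PFD_PIPE_SESSION or
 * PFD_PIPE_ROUTE) and is used to verify that each request type arrives
 * from the child that is allowed to send it.  Requests with a fixed-size
 * payload are additionally checked against the expected length before
 * imsg.data is used; a request failing either check is logged and
 * ignored.  This process insists on an effective uid of 0 (see main()),
 * so these checks are what stands between a misbehaving child and the
 * kernel routing table, pf tables and pfkey state.
 *
 * Returns 0 when the buffer is drained (or ibuf is NULL), -1 if
 * imsg_get() fails or a handler reports a fatal error.
 */
int
dispatch_imsg(struct imsgbuf *ibuf, int idx, struct bgpd_config *conf)
{
	struct imsg		 imsg;
	struct peer		*p;
	ssize_t			 n;
	int			 rv, verbose;

	rv = 0;
	while (ibuf) {
		if ((n = imsg_get(ibuf, &imsg)) == -1)
			return (-1);

		if (n == 0)
			break;

		switch (imsg.hdr.type) {
		case IMSG_KROUTE_CHANGE:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("route request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE +
			    sizeof(struct kroute_full))
				log_warnx("wrong imsg len");
			else if (kr_change(imsg.hdr.peerid, imsg.data,
			    conf->fib_priority))
				rv = -1;
			break;
		case IMSG_KROUTE_DELETE:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("route request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE +
			    sizeof(struct kroute_full))
				log_warnx("wrong imsg len");
			else if (kr_delete(imsg.hdr.peerid, imsg.data,
			    conf->fib_priority))
				rv = -1;
			break;
		case IMSG_KROUTE_FLUSH:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("route request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE)
				log_warnx("wrong imsg len");
			else if (kr_flush(imsg.hdr.peerid))
				rv = -1;
			break;
		case IMSG_NEXTHOP_ADD:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("nexthop request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE +
			    sizeof(struct bgpd_addr))
				log_warnx("wrong imsg len");
			else if (kr_nexthop_add(imsg.hdr.peerid, imsg.data,
			    conf) == -1)
				rv = -1;
			break;
		case IMSG_NEXTHOP_REMOVE:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("nexthop request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE +
			    sizeof(struct bgpd_addr))
				log_warnx("wrong imsg len");
			else
				kr_nexthop_delete(imsg.hdr.peerid, imsg.data,
				    conf);
			break;
		case IMSG_PFTABLE_ADD:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("pftable request not from RDE");
			else
				if (imsg.hdr.len != IMSG_HEADER_SIZE +
				    sizeof(struct pftable_msg))
					log_warnx("wrong imsg len");
				else if (pftable_addr_add(imsg.data) != 0)
					rv = -1;
			break;
		case IMSG_PFTABLE_REMOVE:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("pftable request not from RDE");
			else
				if (imsg.hdr.len != IMSG_HEADER_SIZE +
				    sizeof(struct pftable_msg))
					log_warnx("wrong imsg len");
				else if (pftable_addr_remove(imsg.data) != 0)
					rv = -1;
			break;
		case IMSG_PFTABLE_COMMIT:
			if (idx != PFD_PIPE_ROUTE)
				log_warnx("pftable request not from RDE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE)
				log_warnx("wrong imsg len");
			else if (pftable_commit() != 0)
				rv = -1;
			break;
		case IMSG_PFKEY_RELOAD:
			if (idx != PFD_PIPE_SESSION) {
				log_warnx("pfkey reload request not from SE");
				break;
			}
			/* only the header's peerid is used, no payload */
			p = getpeerbyid(conf, imsg.hdr.peerid);
			if (p != NULL) {
				if (pfkey_establish(p) == -1)
					log_peer_warnx(&p->conf,
					    "pfkey setup failed");
			}
			break;
		case IMSG_CTL_RELOAD:
			if (idx != PFD_PIPE_SESSION)
				log_warnx("reload request not from SE");
			else {
				/* handled by the main loop, like SIGHUP */
				reconfig = 1;
				reconfpid = imsg.hdr.pid;
			}
			break;
		case IMSG_CTL_FIB_COUPLE:
			if (idx != PFD_PIPE_SESSION)
				log_warnx("couple request not from SE");
			else
				kr_fib_couple(imsg.hdr.peerid,
				    conf->fib_priority);
			break;
		case IMSG_CTL_FIB_DECOUPLE:
			if (idx != PFD_PIPE_SESSION)
				log_warnx("decouple request not from SE");
			else
				kr_fib_decouple(imsg.hdr.peerid,
				    conf->fib_priority);
			break;
		case IMSG_CTL_KROUTE:
		case IMSG_CTL_KROUTE_ADDR:
		case IMSG_CTL_SHOW_NEXTHOP:
		case IMSG_CTL_SHOW_INTERFACE:
		case IMSG_CTL_SHOW_FIB_TABLES:
			/*
			 * No length check here; kr_show_route() receives the
			 * whole imsg and presumably validates per type --
			 * TODO confirm.
			 */
			if (idx != PFD_PIPE_SESSION)
				log_warnx("kroute request not from SE");
			else
				kr_show_route(&imsg);
			break;
		case IMSG_IFINFO:
			if (idx != PFD_PIPE_SESSION)
				log_warnx("IFINFO request not from SE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE + IFNAMSIZ)
				log_warnx("IFINFO request with wrong len");
			else
				kr_ifinfo(imsg.data);
			break;
		case IMSG_DEMOTE:
			if (idx != PFD_PIPE_SESSION)
				log_warnx("demote request not from SE");
			else if (imsg.hdr.len != IMSG_HEADER_SIZE +
			    sizeof(struct demote_msg))
				log_warnx("DEMOTE request with wrong len");
			else {
				struct demote_msg	*msg;

				msg = imsg.data;
				carp_demote_set(msg->demote_group, msg->level);
			}
			break;
		case IMSG_CTL_LOG_VERBOSE:
			/*
			 * The SE is expected to have checked this already,
			 * but verify the payload size here as well so that
			 * the memcpy() below can never read past the data
			 * that was actually received.
			 */
			if (imsg.hdr.len < IMSG_HEADER_SIZE +
			    sizeof(verbose))
				log_warnx("wrong imsg len");
			else {
				memcpy(&verbose, imsg.data, sizeof(verbose));
				log_setverbose(verbose);
			}
			break;
		case IMSG_RECONF_DONE:
			if (reconfpending == 0) {
				log_warnx("unexpected RECONF_DONE received");
				break;
			}
			if (idx == PFD_PIPE_SESSION) {
				/* SE is done, now let the RDE finish */
				imsg_compose(ibuf_rde, IMSG_RECONF_DONE, 0,
				    0, -1, NULL, 0);

				/* finally fix kroute information */
				ktable_postload(conf->fib_priority);

				/* redistribute list needs to be reloaded too */
				kr_reload();
			}
			reconfpending--;
			break;
		case IMSG_RECONF_DRAIN:
			if (reconfpending == 0) {
				log_warnx("unexpected RECONF_DRAIN received");
				break;
			}
			reconfpending--;
			if (reconfpending == 0) {
				/*
				 * SE goes first to bring templated neighbors
				 * in sync.
				 */
				imsg_compose(ibuf_se, IMSG_RECONF_DONE, 0,
				    0, -1, NULL, 0);
				reconfpending = 2; /* expecting 2 DONE msg */
			}
			break;
		default:
			break;
		}
		imsg_free(&imsg);
		if (rv != 0)
			return (rv);
	}
	return (0);
}

/*
 * Log a nexthop state change and forward it to the RDE as
 * IMSG_NEXTHOP_UPDATE.  Sets "quit" if the gateway string cannot be
 * allocated or the message cannot be queued.
 */
void
send_nexthop_update(struct kroute_nexthop *msg)
{
	char	*gw = NULL;

	if (msg->gateway.aid)
		if (asprintf(&gw, ": via %s",
		    log_addr(&msg->gateway)) == -1) {
			log_warn("send_nexthop_update");
			/*
			 * The value of gw after a failed asprintf() is not
			 * portable; reset it so it is neither printed nor
			 * passed to free() below.
			 */
			gw = NULL;
			quit = 1;
		}

	log_debug("nexthop %s now %s%s%s", log_addr(&msg->nexthop),
	    msg->valid ? "valid" : "invalid",
	    msg->connected ? ": directly connected" : "",
	    gw != NULL ? gw : "");

	free(gw);

	if (imsg_compose(ibuf_rde, IMSG_NEXTHOP_UPDATE, 0, 0, -1,
	    msg, sizeof(struct kroute_nexthop)) == -1)
		quit = 1;
}

/*
 * Queue a message of the given type for the session engine, addressed
 * to "pid".  The result of imsg_compose() is not checked.
 */
void
send_imsg_session(int type, pid_t pid, void *data, u_int16_t datalen)
{
	imsg_compose(ibuf_se, type, 0, pid, -1, data, datalen);
}

/*
 * Send a network announcement or withdrawal to the RDE.  Unless the
 * type is IMSG_NETWORK_REMOVE, the network is followed by its filter
 * set and an IMSG_NETWORK_DONE marker.  Does nothing once "quit" is
 * set.  Returns 0 on success, -1 if a message cannot be queued.
 */
int
send_network(int type, struct network_config *net, struct filter_set_head *h)
{
	if (quit)
		return (0);
	if (imsg_compose(ibuf_rde, type, 0, 0, -1, net,
	    sizeof(struct network_config)) == -1)
		return (-1);
	/* networks that get deleted don't need to send the filter set */
	if (type == IMSG_NETWORK_REMOVE)
		return (0);
	if (send_filterset(ibuf_rde, h) == -1)
		return (-1);
	if (imsg_compose(ibuf_rde, IMSG_NETWORK_DONE, 0, 0, -1, NULL, 0) == -1)
		return (-1);

	return (0);
}

/*
 * Decide whether a kernel route is filtered for nexthop purposes.
 * Exactly one of kr/kr6 is expected to be non-NULL (assumption, the
 * code tolerates either being NULL).  Returns 0 if the route passes,
 * 1 if it is filtered.
 */
int
bgpd_filternexthop(struct kroute *kr, struct kroute6 *kr6)
{
	/* kernel routes are never filtered */
	if (kr && kr->flags & F_KERNEL && kr->prefixlen != 0)
		return (0);
	if (kr6 && kr6->flags & F_KERNEL && kr6->prefixlen != 0)
		return (0);

	/* routes inserted by bgpd pass only if the config allows it */
	if (cflags & BGPD_FLAG_NEXTHOP_BGP) {
		if (kr && kr->flags & F_BGPD_INSERTED)
			return (0);
		if (kr6 && kr6->flags & F_BGPD_INSERTED)
			return (0);
	}

	/* the default route passes only if the config allows it */
	if (cflags & BGPD_FLAG_NEXTHOP_DEFAULT) {
		if (kr && kr->prefixlen == 0)
			return (0);
		if (kr6 && kr6->prefixlen == 0)
			return (0);
	}

	return (1);
}

/*
 * Create the control socket and the optional restricted control socket
 * when their configured paths differ from the ones currently in use,
 * and pass each new listening fd to the session engine together with
 * its "restricted" flag.
 *
 * Returns 0 on success, -1 if control_check() rejects a path or a
 * message cannot be queued.  Failure to create or listen on a socket is
 * fatal.
 */
int
control_setup(struct bgpd_config *conf)
{
	int	 fd, restricted;

	/* control socket is outside chroot */
	if (!cname || strcmp(cname, conf->csock)) {
		free(cname);
		if ((cname = strdup(conf->csock)) == NULL)
			fatal("strdup");
		if (control_check(cname) == -1)
			return (-1);
		if ((fd = control_init(0, cname)) == -1)
			fatalx("control socket setup failed");
		if (control_listen(fd) == -1)
			fatalx("control socket setup failed");
		restricted = 0;
		if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd,
		    &restricted, sizeof(restricted)) == -1)
			return (-1);
	}
	if (!conf->rcsock) {
		/* remove restricted socket */
		free(rcname);
		rcname = NULL;
	} else if (!rcname || strcmp(rcname, conf->rcsock)) {
		free(rcname);
		if ((rcname = strdup(conf->rcsock)) == NULL)
			fatal("strdup");
		if (control_check(rcname) == -1)
			return (-1);
		if ((fd = control_init(1, rcname)) == -1)
			fatalx("control socket setup failed");
		if (control_listen(fd) == -1)
			fatalx("control socket setup failed");
		restricted = 1;
		if (imsg_compose(ibuf_se, IMSG_RECONF_CTRL, 0, 0, fd,
		    &restricted, sizeof(restricted)) == -1)
			return (-1);
	}
	return (0);
}

/*
 * Fill in a pollfd for an imsg buffer: always wait for input, and for
 * output only when data is queued.  A missing or closed buffer yields
 * fd -1, which poll() ignores.
 */
void
set_pollfd(struct pollfd *pfd, struct imsgbuf *i)
{
	if (i == NULL || i->fd == -1) {
		pfd->fd = -1;
		return;
	}
	pfd->fd = i->fd;
	pfd->events = POLLIN;
	if (i->w.queued > 0)
		pfd->events |= POLLOUT;
}

/*
 * Perform the I/O that poll() reported for an imsg buffer.
 *
 * Returns 0 on success or if "i" is NULL.  On a write or read error
 * other than EAGAIN, or when the other side closed the connection, the
 * fd is closed, i->fd is set to -1 and -1 is returned; the caller still
 * owns and must free the imsgbuf itself.
 */
int
handle_pollfd(struct pollfd *pfd, struct imsgbuf *i)
{
	ssize_t	 n;

	if (i == NULL)
		return (0);

	if (pfd->revents & POLLOUT)
		if (msgbuf_write(&i->w) <= 0 && errno != EAGAIN) {
			log_warn("imsg write error");
			close(i->fd);
			i->fd = -1;
			return (-1);
		}

	if (pfd->revents & POLLIN) {
		if ((n = imsg_read(i)) == -1 && errno != EAGAIN) {
			log_warn("imsg read error");
			close(i->fd);
			i->fd = -1;
			return (-1);
		}
		if (n == 0) {
			log_warnx("peer closed imsg connection");
			close(i->fd);
			i->fd = -1;
			return (-1);
		}
	}
	return (0);
}

/*
 * Create a non-blocking, close-on-exec AF_UNIX stream socketpair and
 * enlarge the receive and send buffers of both ends.  The size starts
 * at MAX_SOCK_BUF and is halved on ENOBUFS down to 16 kB; if no size is
 * accepted the buffer keeps its previous size.  Any other error is
 * fatal.
 */
static void
getsockpair(int pipe[2])
{
	int	 bsize, i;

	if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK,
	    PF_UNSPEC, pipe) == -1)
		fatal("socketpair");

	for (i = 0; i < 2; i++) {
		for (bsize = MAX_SOCK_BUF; bsize >= 16 * 1024; bsize /= 2) {
			if (setsockopt(pipe[i], SOL_SOCKET, SO_RCVBUF,
			    &bsize, sizeof(bsize)) == -1) {
				if (errno != ENOBUFS)
					fatal("setsockopt(SO_RCVBUF, %d)",
					    bsize);
				log_warn("setsockopt(SO_RCVBUF, %d)", bsize);
				continue;
			}
			break;
		}
	}
	for (i = 0; i < 2; i++) {
		for (bsize = MAX_SOCK_BUF; bsize >= 16 * 1024; bsize /= 2) {
			if (setsockopt(pipe[i], SOL_SOCKET, SO_SNDBUF,
			    &bsize, sizeof(bsize)) == -1) {
				if (errno != ENOBUFS)
					fatal("setsockopt(SO_SNDBUF, %d)",
					    bsize);
				log_warn("setsockopt(SO_SNDBUF, %d)", bsize);
				continue;
			}
			break;
		}
	}
}

/*
 * Create the two socketpairs that connect the session engine and the
 * RDE directly (data and control) and hand one end of each to either
 * child.  Returns 0 on success and -1 if a message cannot be queued;
 * the descriptors are not closed on failure, the caller in main()
 * treats that as fatal.
 */
int
imsg_send_sockets(struct imsgbuf *se, struct imsgbuf *rde)
{
	int	 pipe_s2r[2];
	int	 pipe_s2r_ctl[2];

	getsockpair(pipe_s2r);
	getsockpair(pipe_s2r_ctl);

	if (imsg_compose(se, IMSG_SOCKET_CONN, 0, 0, pipe_s2r[0],
	    NULL, 0) == -1)
		return (-1);
	if (imsg_compose(rde, IMSG_SOCKET_CONN, 0, 0, pipe_s2r[1],
	    NULL, 0) == -1)
		return (-1);

	if (imsg_compose(se, IMSG_SOCKET_CONN_CTL, 0, 0, pipe_s2r_ctl[0],
	    NULL, 0) == -1)
		return (-1);
	if (imsg_compose(rde, IMSG_SOCKET_CONN_CTL, 0, 0, pipe_s2r_ctl[1],
	    NULL, 0) == -1)
		return (-1);

	return (0);
}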