Commit ad88b94b authored by Jan Moskyto Matejka's avatar Jan Moskyto Matejka

Merge branch 'int-new-rpki-squashed' (early part) into int-new

parents d15b0b0a af62c0f9
......@@ -10,6 +10,7 @@ CPPFLAGS=-I$(objdir) -I$(srcdir) @CPPFLAGS@
CFLAGS=$(CPPFLAGS) @CFLAGS@
LDFLAGS=@LDFLAGS@
LIBS=@LIBS@
DAEMON_LIBS=@DAEMON_LIBS@
CLIENT_LIBS=@CLIENT_LIBS@
CC=@CC@
M4=@M4@
......@@ -58,6 +59,8 @@ all: daemon cli
daemon: $(daemon)
cli: $(client)
$(daemon): LIBS += $(DAEMON_LIBS)
# Include directories
dirs := client conf doc filter lib nest test $(addprefix proto/,$(protocols)) @sysdep_dirs@
......
......@@ -10,6 +10,7 @@ AC_ARG_ENABLE(debug, [ --enable-debug enable internal debugging routin
AC_ARG_ENABLE(memcheck, [ --enable-memcheck check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
AC_ARG_ENABLE(client, [ --enable-client enable building of BIRD client (default: enabled)],,enable_client=yes)
AC_ARG_ENABLE(pthreads, [ --enable-pthreads enable POSIX threads support (default: detect)],,enable_pthreads=try)
AC_ARG_ENABLE(libssh, [ --enable-libssh enable LibSSH support together with RPKI protocol (default: detect)],,enable_libssh=try)
AC_ARG_WITH(sysconfig, [ --with-sysconfig=FILE use specified BIRD system configuration file])
AC_ARG_WITH(protocols, [ --with-protocols=LIST include specified routing protocols (default: all)],,[with_protocols="all"])
AC_ARG_WITH(sysinclude, [ --with-sysinclude=PATH search for system includes on specified place])
......@@ -86,6 +87,21 @@ if test "$enable_pthreads" != no ; then
fi
fi
if test "$enable_libssh" != no ; then
AC_CHECK_LIB(ssh, ssh_connect)
if test $ac_cv_lib_ssh_ssh_connect = yes ; then
proto_rpki=rpki
enable_libssh=yes
AC_DEFINE(HAVE_LIBSSH)
else
if test "$enable_libssh" = yes ; then
AC_MSG_ERROR([LibSSH not available.])
else
enable_libssh=no
fi
fi
fi
if test "$bird_cflags_default" = yes ; then
BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_pointer_sign, -Wno-pointer-sign, -Wall)
BIRD_CHECK_GCC_OPTION(bird_cv_c_option_wno_missing_init, -Wno-missing-field-initializers, -Wall -Wextra)
......@@ -169,8 +185,8 @@ fi
AC_SUBST(iproutedir)
# all_protocols="$proto_bfd babel bgp ospf pipe radv rip static"
all_protocols="$proto_bfd bgp ospf pipe radv rip static"
# all_protocols="$proto_bfd babel bgp ospf pipe radv rip $proto_rpki static"
all_protocols="$proto_bfd bgp ospf pipe radv rip $proto_rpki static "
all_protocols=`echo $all_protocols | sed 's/ /,/g'`
......@@ -231,6 +247,9 @@ if test "$enable_debug" = yes ; then
fi
fi
DAEMON_LIBS=
AC_SUBST(DAEMON_LIBS)
CLIENT=birdcl
CLIENT_LIBS=
if test "$enable_client" = yes ; then
......
......@@ -3788,8 +3788,8 @@ protocol rip [<name>] {
<p>RIP defines two route attributes:
<descrip>
<tag><label id="rta-rip-metric">int rip_metric/</tag>
RIP metric of the route (ranging from 0 to <cf/infinity/). When routes
<tag>int <cf/rip_metric/</tag>
RIP metric of the route (ranging from 0 to <cf/infinity/). When routes
from different RIP instances are available and all of them have the same
preference, BIRD prefers the route with lowest <cf/rip_metric/. When a
non-RIP route is exported to RIP, the default metric is 1.
......@@ -3819,6 +3819,184 @@ protocol rip {
}
</code>
<sect>RPKI
<sect1>Introduction
<p>The Resource Public Key Infrastructure (RPKI) is mechanism for origin
validation of BGP routes (RFC 6480). BIRD supports only so-called RPKI-based
origin validation. There is implemented RPKI to Router (RPKI-RTR) protocol (RFC
6810). It uses some of the RPKI data to allow a router to verify that the
autonomous system announcing an IP address prefix is in fact authorized to do
so. This is not crypto checked so can be violated. But it should prevent the
vast majority of accidental hijackings on the Internet today, e.g. the famous
Pakastani accidental announcement of YouTube's address space.
<p>The RPKI-RTR protocol receives and maintains a set of ROAs from a cache
server (also called validator). You can validate routes (RFC 6483) using
function <cf/roa_check()/ in filter and set it as import filter at the BGP
protocol. BIRD should re-validate all of affected routes after RPKI update by
RFC 6811, but we don't support it yet! You can use a BIRD's client command
<cf>reload in <m/bgp_protocol_name/</cf> for manual call of revalidation of all
routes.
<sect1>Supported transports
<itemize>
<item>Unprotected transport over TCP uses a port 323. The cache server
and BIRD router should be on the same trusted and controlled network
for security reasons.
<item>SSHv2 encrypted transport connection uses the normal SSH port
22.
</itemize>
<sect1>Configuration
<p>We currently support just one cache server per protocol. However you can
define more RPKI protocols generally.
<code>
protocol rpki [&lt;name&gt;] {
roa4 { table &lt;tab&gt;; };
roa6 { table &lt;tab&gt;; };
remote &lt;ip&gt; | "&lt;domain&gt;" [port &lt;num&gt;];
port &lt;num&gt;;
refresh [keep] &lt;num&gt;;
retry [keep] &lt;num&gt;;
expire [keep] &lt;num&gt;;
transport tcp;
transport ssh {
bird private key "&lt;/path/to/id_rsa&gt;";
remote public key "&lt;/path/to/known_host&gt;";
user "&lt;name&gt;";
};
}
</code>
<p>Alse note that you have to specify ROA table into which will be imported
routes from a cache server. If you want to import only IPv4 prefixes you have
to specify only roa4 table. Similarly with IPv6 prefixes only. If you want to
fetch both IPv4 and even IPv6 ROAs you have to specify both types of ROA
tables.
<sect2>RPKI protocol options
<descrip>
<tag>remote <m/ip/ | "<m/hostname/" [port <m/num/]</tag> Specifies
a destination address of the cache server. Can be specified by an IP
address or by full domain name string. Only one cache can be specified
per protocol. This option is required.
<tag>port <m/num/</tag> Specifies the port number. The default port
number is 323 for transport without any encryption and 22 for transport
with SSH encryption.
<tag>refresh [keep] <m/num/</tag> Time period in seconds. Tells how
long to wait before next attempting to poll the cache using a Serial
Query or a Reset Query packet. Must be lower than 86400 seconds (one
day). Too low value can caused a false positive detection of
network connection problems. A keyword <cf/keep/ suppresses updating
this value by a cache server.
Default: 3600 seconds
<tag>retry [keep] <m/num/</tag> Time period in seconds between a failed
Serial/Reset Query and a next attempt. Maximum allowed value is 7200
seconds (two hours). Too low value can caused a false positive
detection of network connection problems. A keyword <cf/keep/
suppresses updating this value by a cache server.
Default: 600 seconds
<tag>expire [keep] <m/num/</tag> Time period in seconds. Received
records are deleted if the client was unable to successfully refresh
data for this time period. Must be in range from 600 seconds (ten
minutes) to 172800 seconds (two days). A keyword <cf/keep/
suppresses updating this value by a cache server.
Default: 7200 seconds
<tag>transport tcp</tag> Unprotected transport over TCP. It's a default
transport. Should be used only on secure private networks.
Default: tcp
<tag>transport ssh { <m/SSH transport options.../ }</tag> It enables a
SSHv2 transport encryption. Cannot be combined with a TCP transport.
Default: off
</descrip>
<sect3>SSH transport options
<descrip>
<tag>bird private key "<m>/path/to/id_rsa</m>"</tag>
A path to the BIRD's private SSH key for authentication.
It can be a <cf><m>id_rsa</m></cf> file.
<tag>remote public key "<m>/path/to/known_host</m>"</tag>
A path to the cache's public SSH key for verification identity
of the cache server. It could be a path to <cf><m>known_host</m></cf> file.
<tag>user "<m/name/"</tag>
A SSH user name for authentication. This option is a required.
</descrip>
<sect1>Examples
<sect2>BGP origin validation
<p>Policy: Don't import <cf/ROA_INVALID/ routes.
<code>
roa4 table r4;
roa6 table r6;
protocol rpki {
debug all;
roa4 { table r4; };
roa6 { table r6; };
# Please, do not use rpki-validator.realmv6.org in production
remote "rpki-validator.realmv6.org" port 8282;
retry keep 5;
refresh keep 30;
expire 600;
}
filter peer_in {
if (roa_check(r4, net, bgp_path.last) = ROA_INVALID ||
roa_check(r6, net, bgp_path.last) = ROA_INVALID) then
{
print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last;
reject;
}
accept;
}
protocol bgp {
debug all;
local as 65000;
neighbor 192.168.2.1 as 65001;
import filter peer_in;
}
</code>
<sect2>SSHv2 transport encryption
<code>
roa4 table r4;
roa6 table r6;
protocol rpki {
debug all;
roa4 { table r4; };
roa6 { table r6; };
remote 127.0.0.1 port 2345;
transport ssh {
bird private key "/home/birdgeek/.ssh/id_rsa";
remote public key "/home/birdgeek/.ssh/known_hosts";
user "birdgeek";
};
# Default interval values
}
</code>
<sect>Static
<label id="static">
......
......@@ -399,8 +399,8 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
TRUE, FALSE, RT, RO, UNKNOWN, GENERIC,
FROM, GW, NET, MASK, PROTO, SOURCE, SCOPE, CAST, DEST, IFNAME, IFINDEX,
PREFERENCE,
ROA_CHECK,
LEN,
ROA_CHECK, ASN,
LEN, MAXLEN,
DEFINED,
ADD, DELETE, CONTAINS, RESET,
PREPEND, FIRST, LAST, LAST_NONAGGREGATED, MATCH,
......@@ -891,6 +891,8 @@ term:
| term '.' IP { $$ = f_new_inst(); $$->code = P('c','p'); $$->a1.p = $1; $$->aux = T_IP; }
| term '.' LEN { $$ = f_new_inst(); $$->code = 'L'; $$->a1.p = $1; }
| term '.' MAXLEN { $$ = f_new_inst(); $$->code = P('R','m'); $$->a1.p = $1; }
| term '.' ASN { $$ = f_new_inst(); $$->code = P('R','a'); $$->a1.p = $1; }
| term '.' MASK '(' term ')' { $$ = f_new_inst(); $$->code = P('i','M'); $$->a1.p = $1; $$->a2.p = $5; }
| term '.' FIRST { $$ = f_new_inst(); $$->code = P('a','f'); $$->a1.p = $1; }
| term '.' LAST { $$ = f_new_inst(); $$->code = P('a','l'); $$->a1.p = $1; }
......
......@@ -1183,6 +1183,26 @@ interpret(struct f_inst *what)
default: runtime( "Prefix, path, clist or eclist expected" );
}
break;
case P('R','m'): /* Get ROA max prefix length */
ONEARG;
if (v1.type != T_NET || !net_is_roa(v1.val.net))
runtime( "ROA expected" );
res.type = T_INT;
res.val.i = (v1.val.net->type == NET_ROA4) ?
((net_addr_roa4 *) v1.val.net)->max_pxlen :
((net_addr_roa6 *) v1.val.net)->max_pxlen;
break;
case P('R','a'): /* Get ROA ASN */
ONEARG;
if (v1.type != T_NET || !net_is_roa(v1.val.net))
runtime( "ROA expected" );
res.type = T_INT;
res.val.i = (v1.val.net->type == NET_ROA4) ?
((net_addr_roa4 *) v1.val.net)->asn :
((net_addr_roa6 *) v1.val.net)->asn;
break;
case P('c','p'): /* Convert prefix to ... */
ONEARG;
if (v1.type != T_NET)
......@@ -1476,12 +1496,15 @@ interpret(struct f_inst *what)
if (!table)
runtime("Missing ROA table");
/* Table type is either NET_ROA4 or NET_ROA6, checked in parser */
if (v1.val.net->type != ((table->addr_type == NET_ROA4) ? NET_IP4 : NET_IP6))
runtime("Incompatible net type");
if (table->addr_type != NET_ROA4 && table->addr_type != NET_ROA6)
runtime("Table type must be either ROA4 or ROA6");
res.type = T_ENUM_ROA;
res.val.i = net_roa_check(table, v1.val.net, as);
if (table->addr_type != (v1.val.net->type == NET_IP4 ? NET_ROA4 : NET_ROA6))
res.val.i = ROA_UNKNOWN; /* Prefix and table type mismatch */
else
res.val.i = net_roa_check(table, v1.val.net, as);
break;
......
......@@ -1139,30 +1139,80 @@ int j;
accept "ok I take that";
}
/*
roa table rl
roa4 table r4;
roa6 table r6;
protocol static
{
roa4 { table r4; };
route 10.110.0.0/16 max 16 as 1000 blackhole;
route 10.120.0.0/16 max 24 as 1000 blackhole ;
route 10.130.0.0/16 max 24 as 2000 blackhole;
route 10.130.128.0/18 max 24 as 3000 blackhole;
}
protocol static
{
roa 10.110.0.0/16 max 16 as 1000;
roa 10.120.0.0/16 max 24 as 1000;
roa 10.130.0.0/16 max 24 as 2000;
roa 10.130.128.0/18 max 24 as 3000;
roa6 { table r6; };
route 2001:0db8:85a3:8a2e::/64 max 96 as 1000 blackhole;
}
function test_roa()
function test_roa_check()
{
# cannot be tested in __startup(), sorry
print "Testing ROA";
print "Should be true: ", roa_check(rl, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
" ", roa_check(rl, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
" ", roa_check(rl, 10.110.0.0/16, 1000) = ROA_VALID,
" ", roa_check(rl, 10.110.0.0/16, 2000) = ROA_INVALID,
" ", roa_check(rl, 10.110.32.0/20, 1000) = ROA_INVALID,
" ", roa_check(rl, 10.120.32.0/20, 1000) = ROA_VALID;
print "Should be true: ", roa_check(rl, 10.120.32.0/20, 2000) = ROA_INVALID,
" ", roa_check(rl, 10.120.32.32/28, 1000) = ROA_INVALID,
" ", roa_check(rl, 10.130.130.0/24, 1000) = ROA_INVALID,
" ", roa_check(rl, 10.130.130.0/24, 2000) = ROA_VALID,
" ", roa_check(rl, 10.130.30.0/24, 3000) = ROA_INVALID,
" ", roa_check(rl, 10.130.130.0/24, 3000) = ROA_VALID;
print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
" ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
" ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
" ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
" ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
" ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
print "Should be true: ", roa_check(r4, 10.120.32.0/20, 2000) = ROA_INVALID,
" ", roa_check(r4, 10.120.32.32/28, 1000) = ROA_INVALID,
" ", roa_check(r4, 10.130.130.0/24, 1000) = ROA_INVALID,
" ", roa_check(r4, 10.130.130.0/24, 2000) = ROA_VALID,
" ", roa_check(r4, 10.130.30.0/24, 3000) = ROA_INVALID,
" ", roa_check(r4, 10.130.130.0/24, 3000) = ROA_VALID;
print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
" ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
" ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
" ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
" ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
" ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
" ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
" ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
" ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
" ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
" ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
" ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
print "Should be true: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID ||
roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID;
print "Should be false: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID ||
roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID,
" ", roa_check(r4, 2001:0db8:85a3::/48, 1000) = ROA_INVALID ||
roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_INVALID;
print "Should be true: ", 10.130.130.0/24 ~ 0.0.0.0/0,
" ", 2001:0db8:85a3:8a2e::/64 ~ ::/0;
print "Should be false: ", 10.130.130.0/24 ~ ::/0,
" ", 2001:0db8:85a3:8a2e::/64 ~ 0.0.0.0/0;
}
function roa_operators_test()
prefix pfx;
{
print "Testing ROA prefix operators '.maxlen' and '.asn':";
pfx = 12.13.0.0/16 max 24 as 1234;
print pfx;
print "Should be true: ", pfx.len = 16, " ", pfx.maxlen = 24, " ", pfx.asn = 1234;
pfx = 1000::/8 max 32 as 1234;
print pfx;
print "Should be true: ", pfx.len = 8, " ", pfx.maxlen = 32, " ", pfx.asn = 1234;
}
*/
\ No newline at end of file
src := bitops.c checksum.c ip.c lists.c md5.c net.c patmatch.c printf.c sha1.c sha256.c sha512.c slists.c xmalloc.c
obj := $(src-o-files)
$(all-client)
src := bitops.c checksum.c event.c idm.c ip.c lists.c mac.c md5.c mempool.c net.c patmatch.c printf.c resource.c sha1.c sha256.c sha512.c slab.c slists.c tbf.c xmalloc.c
obj := $(src-o-files)
$(all-daemon)
......
......@@ -171,6 +171,9 @@ static inline int net_type_match(const net_addr *a, u32 mask)
static inline int net_is_ip(const net_addr *a)
{ return (a->type == NET_IP4) || (a->type == NET_IP6); }
static inline int net_is_roa(const net_addr *a)
{ return (a->type == NET_ROA4) || (a->type == NET_ROA6); }
static inline ip4_addr net4_prefix(const net_addr *a)
{ return ((net_addr_ip4 *) a)->prefix; }
......
......@@ -31,7 +31,7 @@
struct pool {
resource r;
list inside;
char *name;
const char *name;
};
static void pool_dump(resource *);
......@@ -61,7 +61,7 @@ static int indent;
* parent pool.
*/
pool *
rp_new(pool *p, char *name)
rp_new(pool *p, const char *name)
{
pool *z = ralloc(p, &pool_class);
z->name = name;
......
......@@ -37,7 +37,7 @@ struct resclass {
typedef struct pool pool;
void resource_init(void);
pool *rp_new(pool *, char *); /* Create new pool */
pool *rp_new(pool *, const char *); /* Create new pool */
void rfree(void *); /* Free single resource */
void rdump(void *); /* Dump to debug output */
size_t rmemsize(void *res); /* Return size of memory used by the resource */
......
......@@ -12,6 +12,29 @@
#include <errno.h>
#include "lib/resource.h"
#ifdef HAVE_LIBSSH
#define LIBSSH_LEGACY_0_4
#include <libssh/libssh.h>
#endif
#ifdef HAVE_LIBSSH
struct ssh_sock {
const char *username; /* (Required) SSH user name */
const char *server_hostkey_path; /* (Optional) Filepath to the SSH public key of remote side, can be knownhost file */
const char *client_privkey_path; /* (Optional) Filepath to the SSH private key of BIRD */
const char *subsystem; /* (Optional) Name of SSH subsytem */
ssh_session session; /* Internal */
ssh_channel channel; /* Internal */
int state; /* Internal */
#define SK_SSH_CONNECT 0 /* Start state */
#define SK_SSH_SERVER_KNOWN 1 /* Internal */
#define SK_SSH_USERAUTH 2 /* Internal */
#define SK_SSH_CHANNEL 3 /* Internal */
#define SK_SSH_SESSION 4 /* Internal */
#define SK_SSH_SUBSYSTEM 5 /* Internal */
#define SK_SSH_ESTABLISHED 6 /* Final state */
};
#endif
typedef struct birdsock {
resource r;
......@@ -20,6 +43,7 @@ typedef struct birdsock {
int subtype; /* Socket subtype */
void *data; /* User data */
ip_addr saddr, daddr; /* IPA_NONE = unspecified */
const char *host; /* Alternative to daddr, NULL = unspecified */
uint sport, dport; /* 0 = unspecified (for IP: protocol type) */
int tos; /* TOS / traffic class, -1 = default */
int priority; /* Local socket priority, -1 = default */
......@@ -52,7 +76,8 @@ typedef struct birdsock {
node n;
void *rbuf_alloc, *tbuf_alloc;
char *password; /* Password for MD5 authentication */
char *err; /* Error message */
const char *err; /* Error message */
struct ssh_sock *ssh; /* Used in SK_SSH */
} sock;
sock *sock_new(pool *); /* Allocate new socket */
......@@ -115,6 +140,8 @@ extern int sk_priority_control; /* Suggested priority for control traffic, shou
#define SK_MAGIC 7 /* Internal use by sysdep code */
#define SK_UNIX_PASSIVE 8
#define SK_UNIX 9
#define SK_SSH_ACTIVE 10 /* - - * * - ? - DA = host */
#define SK_SSH 11
/*
* Socket subtypes
......
......@@ -1265,6 +1265,9 @@ protos_build(void)
#ifdef CONFIG_BABEL
proto_build(&proto_babel);
#endif
#ifdef CONFIG_RPKI
proto_build(&proto_rpki);
#endif
proto_pool = rp_new(&root_pool, "Protocols");
proto_shutdown_timer = tm_new(proto_pool);
......
......@@ -81,7 +81,7 @@ void protos_dump_all(void);
extern struct protocol
proto_device, proto_radv, proto_rip, proto_static,
proto_ospf, proto_pipe, proto_bgp, proto_bfd, proto_babel;
proto_ospf, proto_pipe, proto_bgp, proto_bfd, proto_babel, proto_rpki;
/*
* Routing Protocol Instance
......@@ -271,7 +271,7 @@ proto_get_router_id(struct proto_config *pc)
}
/* Moved from route.h to avoid dependency conflicts */
static inline void rte_update(struct proto *p, net_addr *n, rte *new) { rte_update2(p->main_channel, n, new, p->main_source); }
static inline void rte_update(struct proto *p, const net_addr *n, rte *new) { rte_update2(p->main_channel, n, new, p->main_source); }
extern pool *proto_pool;
extern list proto_list;
......@@ -568,11 +568,9 @@ int proto_configure_channel(struct proto *p, struct channel **c, struct channel_
void channel_set_state(struct channel *c, uint state);
/*
static inline void channel_init(struct channel *c) { channel_set_state(c, CS_START); }
static inline void channel_open(struct channel *c) { channel_set_state(c, CS_UP); }
static inline void channel_close(struct channel *c) { channel_set_state(c, CS_FLUSHING); }
*/
void channel_request_feeding(struct channel *c);
void *channel_config_new(const struct channel_class *cc, uint net_type, struct proto_config *proto);
......
......@@ -283,7 +283,7 @@ void *net_route(rtable *tab, const net_addr *n);
int net_roa_check(rtable *tab, const net_addr *n, u32 asn);
rte *rte_find(net *net, struct rte_src *src);
rte *rte_get_temp(struct rta *);
void rte_update2(struct channel *c, net_addr *n, rte *new, struct rte_src *src);
void rte_update2(struct channel *c, const net_addr *n, rte *new, struct rte_src *src);
/* rte_update() moved to protocol.h to avoid dependency conflicts */
int rt_examine(rtable *t, net_addr *a, struct proto *p, struct filter *filter);
rte *rt_export_merged(struct channel *c, net *net, rte **rt_free, struct ea_list **tmpa, linpool *pool, int silent);
......@@ -383,6 +383,8 @@ typedef struct rta {
#define RTS_BGP 11 /* BGP route */
#define RTS_PIPE 12 /* Inter-table wormhole */
#define RTS_BABEL 13 /* Babel route */
#define RTS_RPKI 14 /* Route Origin Authorization */
#define RTC_UNICAST 0
#define RTC_BROADCAST 1
......@@ -572,6 +574,7 @@ extern struct protocol *attr_class_to_protocol[EAP_MAX];
#define DEF_PREF_BABEL 130 /* Babel */
#define DEF_PREF_RIP 120 /* RIP */
#define DEF_PREF_BGP 100 /* BGP */
#define DEF_PREF_RPKI 100 /* RPKI */
#define DEF_PREF_INHERITED 10 /* Routes inherited from other routing daemons */
/*
......
......@@ -1301,7 +1301,7 @@ rte_unhide_dummy_routes(net *net, rte **dummy)
*/
void
rte_update2(struct channel *c, net_addr *n, rte *new, struct rte_src *src)
rte_update2(struct channel *c, const net_addr *n, rte *new, struct rte_src *src)
{
struct proto *p = c->proto;
struct proto_stats *stats = &c->stats;
......@@ -2695,6 +2695,12 @@ rt_show(struct rt_show_data *d)
}
}
if (d->table->addr_type != d->addr->type)
{
cli_msg(8001, "Incompatible type of prefix/ip with table");
return;
}
if (d->show_for)
n = net_route(d->table, d->addr);
else
......
......@@ -4,7 +4,8 @@ C bfd
C bgp
C ospf
C pipe
C rip
C radv
C rip
C rpki
C static
S ../nest/rt-dev.c
source=babel.c packets.c
root-rel=../../
dir-name=proto/babel
include ../../Rules
src := babel.c packets.c
obj := $(src-o-files)
$(all-daemon)
$(cf-local)
......@@ -21,11 +21,7 @@
#include "lib/lists.h"
#include "lib/socket.h"
#include "lib/string.h"
#include "lib/timer.h"
#ifndef IPV6
#error "The Babel protocol only speaks IPv6"
#endif
#include "sysdep/unix/timer.h"
#define EA_BABEL_METRIC EA_CODE(EAP_BABEL, 0)
#define EA_BABEL_ROUTER_ID EA_CODE(EAP_BABEL, 1)
......
S rpki.c
S packets.c
S transport.c
S tcp_transport.c
S ssh_transport.c
src := rpki.c packets.c tcp_transport.c ssh_transport.c transport.c
obj := $(src-o-files)
$(all-daemon)
$(cf-local)
/*
* BIRD -- The Resource Public Key Infrastructure (RPKI) to Router Protocol
*
* (c) 2015 CZ.NIC
*
* Can be freely distributed and used under the terms of the GNU GPL.
*/
CF_HDR
#include "proto/rpki/rpki.h"
CF_DEFINES
#define RPKI_CFG ((struct rpki_config *) this_proto)
#define RPKI_TR_SSH_CFG ((struct rpki_tr_ssh_config *) RPKI_CFG->tr_config.spec)
static void
rpki_check_unused_hostname(void)
{
if (RPKI_CFG->hostname != NULL)
cf_error("Only one cache server per protocol allowed");
}
static void
rpki_check_unused_transport(void)
{
if (RPKI_CFG->tr_config.spec != NULL)
cf_error("At the most one transport per protocol allowed");
}
CF_DECLS
CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER,
RETRY, REFRESH, EXPIRE, KEEP)
%type <i> rpki_keep_interval
CF_GRAMMAR
CF_ADDTO(proto, rpki_proto)
rpki_proto_start: proto_start RPKI {
this_proto = proto_config_new(&proto_rpki, $1);
RPKI_CFG->retry_interval = RPKI_RETRY_INTERVAL;
RPKI_CFG->refresh_interval = RPKI_REFRESH_INTERVAL;
RPKI_CFG->expire_interval = RPKI_EXPIRE_INTERVAL;
};
rpki_proto: rpki_proto_start proto_name '{' rpki_proto_opts '}' { rpki_check_config(RPKI_CFG); };
rpki_proto_opts:
/* empty */
| rpki_proto_opts rpki_proto_item ';'
;
rpki_proto_item:
proto_item
| proto_channel
| REMOTE rpki_cache_addr
| REMOTE rpki_cache_addr rpki_proto_item_port
| rpki_proto_item_port
| TRANSPORT rpki_transport
| REFRESH rpki_keep_interval expr {
if (rpki_check_refresh_interval($3))
cf_error(rpki_check_refresh_interval($3));
RPKI_CFG->refresh_interval = $3;
RPKI_CFG->keep_refresh_interval = $2;
}
| RETRY rpki_keep_interval expr {
if (rpki_check_retry_interval($3))
cf_error(rpki_check_retry_interval($3));
RPKI_CFG->retry_interval = $3;
RPKI_CFG->keep_retry_interval = $2;
}
| EXPIRE rpki_keep_interval expr {
if (rpki_check_expire_interval($3))
cf_error(rpki_check_expire_interval($3));
RPKI_CFG->expire_interval = $3;
RPKI_CFG->keep_expire_interval = $2;