sonic-net · pavel-shirshov · Jun 23, 2019 · Jun 8, 2019 · Jun 10, 2019 · Jun 14, 2019
@@ -5,7 +5,6 @@
 import json
 import pytest
 
-@pytest.mark.skip(reason="not working for frr")
 def test_InvalidNexthop(dvs, testlog):
 
     dvs.copy_file("/etc/frr/", "bgp/files/invalid_nexthop/bgpd.conf")

@@ -8,6 +8,12 @@ DERIVED_TARGET = $(FRR_PYTHONTOOLS) $(FRR_DBG)
 $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 	# Build the package
 	pushd ./frr
+	git reset --hard
+	git clean -xfdf
+	git branch work origin/frr/7.0
+	git checkout work
+	stg init
+	stg import -s ../patch/series
 	tools/tarsource.sh -V -e '-sonic'
 	dpkg-buildpackage -rfakeroot -b -us -uc -Ppkg.frr.nortrlib -j$(SONIC_CONFIG_MAKE_JOBS)
 	popd

@@ -0,0 +1,141 @@
+From ef017a613691a40f32cdaa5396bbd4889b1cb647 Mon Sep 17 00:00:00 2001
+From: Pavel Shirshov <pavelsh@microsoft.com>
+Date: Fri, 14 Jun 2019 17:45:31 -0700
+Subject: [PATCH] Add support of bgp tcp DSCP value
+
+---
+ bgpd/bgp_network.c | 11 ++++-------
+ bgpd/bgp_vty.c     | 40 ++++++++++++++++++++++++++++++++++++++++
+ bgpd/bgpd.c        |  5 ++++-
+ bgpd/bgpd.h        |  3 +++
+ 4 files changed, 51 insertions(+), 8 deletions(-)
+
+diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
+index 4153da5a6..fed133eb7 100644
+--- a/bgpd/bgp_network.c
++++ b/bgpd/bgp_network.c
+@@ -569,11 +569,9 @@ int bgp_connect(struct peer *peer)
+ #ifdef IPTOS_PREC_INTERNETCONTROL
+ 	frr_elevate_privs(&bgpd_privs) {
+ 		if (sockunion_family(&peer->su) == AF_INET)
+-			setsockopt_ipv4_tos(peer->fd,
+-					    IPTOS_PREC_INTERNETCONTROL);
++			setsockopt_ipv4_tos(peer->fd, peer->bgp->tcp_dscp);
+ 		else if (sockunion_family(&peer->su) == AF_INET6)
+-			setsockopt_ipv6_tclass(peer->fd,
+-					       IPTOS_PREC_INTERNETCONTROL);
++			setsockopt_ipv6_tclass(peer->fd, peer->bgp->tcp_dscp);
+ 	}
+ #endif
+
+@@ -643,10 +641,9 @@ static int bgp_listener(int sock, struct sockaddr *sa, socklen_t salen,
+
+ #ifdef IPTOS_PREC_INTERNETCONTROL
+ 		if (sa->sa_family == AF_INET)
+-			setsockopt_ipv4_tos(sock, IPTOS_PREC_INTERNETCONTROL);
++			setsockopt_ipv4_tos(sock, bgp->tcp_dscp);
+ 		else if (sa->sa_family == AF_INET6)
+-			setsockopt_ipv6_tclass(sock,
+-					       IPTOS_PREC_INTERNETCONTROL);
++			setsockopt_ipv6_tclass(sock, bgp->tcp_dscp);
+ #endif
+
+ 		sockopt_v6only(sa->sa_family, sock);
+diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
+index 7445df883..f91b908a4 100644
+--- a/bgpd/bgp_vty.c
++++ b/bgpd/bgp_vty.c
+@@ -1113,6 +1113,42 @@ DEFUN (no_router_bgp,
+ 	return CMD_SUCCESS;
+ }
+
++/* bgp session-dscp */
++
++DEFUN (bgp_session_dscp,
++       bgp_session_dscp_cmd,
++       "bgp session-dscp DSCP",
++        BGP_STR
++       "Override default (C0) bgp TCP session DSCP value\n"
++       "Manually configured dscp parameter\n")
++{
++	struct bgp *bgp = VTY_GET_CONTEXT(bgp);
++
++	uint8_t value = (uint8_t)strtol(argv[2]->arg, NULL, 16);
++	if ((value == 0 && errno == EINVAL) || (value > 0x3f))
++	{
++		vty_out (vty, "%% Malformed bgp session-dscp parameter\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
++
++	bgp->tcp_dscp = value << 2;
++
++	return CMD_SUCCESS;
++}
++
++DEFUN (no_bgp_session_dscp,
++       no_bgp_session_dscp_cmd,
++       "no bgp session-dscp",
++       NO_STR
++       BGP_STR
++       "Override default (C0) bgp tcp session ip dscp value\n")
++{
++	struct bgp *bgp = VTY_GET_CONTEXT(bgp);
++
++	bgp->tcp_dscp = IPTOS_PREC_INTERNETCONTROL;
++
++	return CMD_SUCCESS;
++}
+
+ /* BGP router-id.  */
+
+@@ -12798,6 +12834,10 @@ void bgp_vty_init(void)
+ 	/* "no router bgp" commands. */
+ 	install_element(CONFIG_NODE, &no_router_bgp_cmd);
+
++	/* "bgp session-dscp command */
++	install_element (BGP_NODE, &bgp_session_dscp_cmd);
++	install_element (BGP_NODE, &no_bgp_session_dscp_cmd);
++
+ 	/* "bgp router-id" commands. */
+ 	install_element(BGP_NODE, &bgp_router_id_cmd);
+ 	install_element(BGP_NODE, &no_bgp_router_id_cmd);
+diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
+index 6fb3a70c7..503e6b4ed 100644
+--- a/bgpd/bgpd.c
++++ b/bgpd/bgpd.c
+@@ -2995,7 +2995,7 @@ static struct bgp *bgp_create(as_t *as, const char *name,
+
+ 	bgp->evpn_info = XCALLOC(MTYPE_BGP_EVPN_INFO,
+ 				 sizeof(struct bgp_evpn_info));
+-
++	bgp->tcp_dscp = IPTOS_PREC_INTERNETCONTROL;
+ 	bgp_evpn_init(bgp);
+ 	bgp_pbr_init(bgp);
+ 	return bgp;
+@@ -7516,6 +7516,9 @@ int bgp_config_write(struct vty *vty)
+ 		if (CHECK_FLAG(bgp->flags, BGP_FLAG_NO_FAST_EXT_FAILOVER))
+ 			vty_out(vty, " no bgp fast-external-failover\n");
+
++		if (bgp->tcp_dscp != IPTOS_PREC_INTERNETCONTROL)
++			vty_out(vty, " bgp session-dscp %02X\n", bgp->tcp_dscp >> 2);
++
+ 		/* BGP router ID. */
+ 		if (bgp->router_id_static.s_addr != 0)
+ 			vty_out(vty, " bgp router-id %s\n",
+diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
+index df3fde840..a6546457c 100644
+--- a/bgpd/bgpd.h
++++ b/bgpd/bgpd.h
+@@ -553,6 +553,9 @@ struct bgp {
+ 	/* Count of peers in established state */
+ 	uint32_t established_peers;
+
++	/* dscp value for tcp sessions */
++	uint8_t tcp_dscp;
++
+ 	QOBJ_FIELDS
+ };
+ DECLARE_QOBJ_TYPE(bgp)
+-- 
+2.17.1.windows.2
+
@@ -0,0 +1,25 @@
+From 87760a6a04d6ffbcc7a1093549bfb76656002b61 Mon Sep 17 00:00:00 2001
+From: Pavel Shirshov <pavelsh@microsoft.com>
+Date: Fri, 14 Jun 2019 17:48:50 -0700
+Subject: [PATCH] Reduce severity of 'Vty connected from' message
+
+---
+ lib/vty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vty.c b/lib/vty.c
+index 8450922c2..f159d1b4b 100644
+--- a/lib/vty.c
++++ b/lib/vty.c
+@@ -1875,7 +1875,7 @@ static int vty_accept(struct thread *thread)
+ 		zlog_info("can't set sockopt to vty_sock : %s",
+ 			  safe_strerror(errno));
+
+-	zlog_info("Vty connection from %s",
++	zlog_debug("Vty connection from %s",
+ 		  sockunion2str(&su, buf, SU_ADDRSTRLEN));
+
+ 	vty_create(vty_sock, &su);
+-- 
+2.17.1.windows.2
+
@@ -0,0 +1,98 @@
+From fcaec3a5712a26d3d3e03f76e52fecbe21c4eff6 Mon Sep 17 00:00:00 2001
+From: Pavel Shirshov <pavelsh@microsoft.com>
+Date: Fri, 14 Jun 2019 18:08:26 -0700
+Subject: [PATCH] ignore nexthop attribute when NLRI is present
+
+According to section 1.3 of RFC2858, an UPDATE message that carries no NLRI,
+other than the one encoded in the MP_REACH_NLRI attribute, should not carry
+the NEXT_HOP attribute. If such a message contains the NEXT_HOP attribute,
+the BGP speaker that receives the message should ignore this attribute.
+---
+ bgpd/bgp_attr.c | 56 +++++++++++++++++++++++++++++--------------------
+ 1 file changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 167ad89a5..ca88a8cb5 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -1263,7 +1263,7 @@ static bgp_attr_parse_ret_t bgp_attr_nexthop(struct bgp_attr_parser_args *args)
+ 	struct attr *const attr = args->attr;
+ 	const bgp_size_t length = args->length;
+
+-	in_addr_t nexthop_h, nexthop_n;
++	in_addr_t nexthop_n;
+
+ 	/* Check nexthop attribute length. */
+ 	if (length != 4) {
+@@ -1274,29 +1274,7 @@ static bgp_attr_parse_ret_t bgp_attr_nexthop(struct bgp_attr_parser_args *args)
+ 					  args->total);
+ 	}
+
+-	/* According to section 6.3 of RFC4271, syntactically incorrect NEXT_HOP
+-	   attribute must result in a NOTIFICATION message (this is implemented
+-	   below).
+-	   At the same time, semantically incorrect NEXT_HOP is more likely to
+-	   be just
+-	   logged locally (this is implemented somewhere else). The UPDATE
+-	   message
+-	   gets ignored in any of these cases. */
+ 	nexthop_n = stream_get_ipv4(peer->curr);
+-	nexthop_h = ntohl(nexthop_n);
+-	if ((IPV4_NET0(nexthop_h) || IPV4_NET127(nexthop_h)
+-	     || IPV4_CLASS_DE(nexthop_h))
+-	    && !BGP_DEBUG(
+-		       allow_martians,
+-		       ALLOW_MARTIANS)) /* loopbacks may be used in testing */
+-	{
+-		char buf[INET_ADDRSTRLEN];
+-		inet_ntop(AF_INET, &nexthop_n, buf, INET_ADDRSTRLEN);
+-		flog_err(EC_BGP_ATTR_MARTIAN_NH, "Martian nexthop %s", buf);
+-		return bgp_attr_malformed(
+-			args, BGP_NOTIFY_UPDATE_INVAL_NEXT_HOP, args->total);
+-	}
+-
+ 	attr->nexthop.s_addr = nexthop_n;
+ 	attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_NEXT_HOP);
+
+@@ -2688,6 +2666,38 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
+ 		return ret;
+ 	}
+
++	/*
++	 * According to section 6.3 of RFC4271, syntactically incorrect NEXT_HOP
++	 * attribute must result in a NOTIFICATION message (this is implemented below).
++	 * At the same time, semantically incorrect NEXT_HOP is more likely to be just
++	 * logged locally (this is implemented somewhere else). The UPDATE message
++	 * gets ignored in any of these cases.
++	 *
++	 * According to section 1.3 of RFC2858, an UPDATE message that carries no NLRI,
++	 * other than the one encoded in the MP_REACH_NLRI attribute, should not carry
++	 * the NEXT_HOP attribute. If such a message contains the NEXT_HOP attribute,
++	 * the BGP speaker that receives the message should ignore this attribute.
++	 */
++	if (CHECK_FLAG (attr->flag, ATTR_FLAG_BIT (BGP_ATTR_NEXT_HOP))
++		&& !CHECK_FLAG (attr->flag, ATTR_FLAG_BIT (BGP_ATTR_MP_REACH_NLRI)))
++	{
++		in_addr_t nexthop_h;
++		nexthop_h = ntohl(attr->nexthop.s_addr);
++		if (IPV4_NET0 (nexthop_h) || IPV4_NET127 (nexthop_h)
++			|| IPV4_CLASS_DE (nexthop_h)
++			&& !BGP_DEBUG(
++				allow_martians,
++				ALLOW_MARTIANS)) {
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, &attr->nexthop.s_addr, buf, INET_ADDRSTRLEN);
++			flog_err(EC_BGP_ATTR_MARTIAN_NH, "Martian nexthop %s", buf);
++			bgp_notify_send (peer,
++				BGP_NOTIFY_UPDATE_ERR,
++				BGP_NOTIFY_UPDATE_INVAL_NEXT_HOP);
++			return BGP_ATTR_PARSE_ERROR;
++		}
++	}
++
+ 	/*
+ 	 * At this place we can see whether we got AS4_PATH and/or
+ 	 * AS4_AGGREGATOR from a 16Bit peer and act accordingly.
+-- 
+2.17.1.windows.2
+
@@ -0,0 +1,3 @@
+0001-Add-support-of-bgp-tcp-DSCP-value.patch
+0002-Reduce-severity-of-Vty-connected-from-message.patch
+0003-ignore-nexthop-attribute-when-NLRI-is-present.patch