Bug #15771: RPKI cannot be configured - pfSense Packages - pfSense bugtracker

Custom queries

Open package bugs
Package Feedback Issues

Actions

Copy link

Bug #15771

closed

RPKI cannot be configured

Added by Chris Linstruth about 1 month ago. Updated about 1 month ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

FRR

Target version:

pfSense - 2.8.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

24.03

Affected Version:

2.7.2

Affected Plus Version:

24.03

Affected Architecture:

Description

Customer concerned that enabling/changing RPKI is not working.

When the RPKI configuration is changed, the changes appear in Services > FRR BGP, Status, Configuration but do not appear in vtysh show run. No amount of restarting FRR results in the configuration. It is as if the proper RPKI bits/modules are not being loaded.

Also tested on recent 24.08 snapshot with same result.

Files

frr_rpki.patch (2.14 KB) frr_rpki.patch

Jim Pingle, 10/09/2024 04:43 PM

History
Notes
Property changes

Actions

Copy link

Updated by Mike Moore about 1 month ago

Confirmed as well.
There are a couple of modules in FRR (pfsense) that arent working
RPKI and AgentX

I think there's one more thing but i have to dig through tickets.

Actions

Copy link

Updated by Jim Pingle about 1 month ago

Status changed from New to Feedback

There are a couple problems here.

Issue #1: The check to see if RPKI is enabled isn't right so it's not defining the correct variable to enable the RPKI module for bgpd.

Issue #2: The "known hosts" file option was removed from FRR which makes the config invalid.

The fix for the first issue is a simple correction to the test in frr.inc:

diff --git a/usr/local/pkg/frr.inc b/usr/local/pkg/frr.inc
index db3751c6f561..1a26ce2781aa 100644
--- a/usr/local/pkg/frr.inc
+++ b/usr/local/pkg/frr.inc
@@ -387,7 +387,7 @@ function frr_generate_config_rcfile() {
                }
        }
        /* BGP RPKI */
-       if (config_get_path("installedpackages/{$config_key}/config/0/enablerpki")) {
+       if (config_get_path("installedpackages/frrbgp/config/0/enablerpki") == "on") {
                $frr_daemon_modules['bgpd'] .= ' -M rpki';
        }

The fix for the second problem is to remove the knownhostspath option code:

diff --git a/usr/local/pkg/frr/frr_bgp_rpki_cache_servers.xml b/usr/local/pkg/frr/frr_bgp_rpki_cache_servers.xml
index 5b2572229beb..ea8eb2c1bcd3 100644
--- a/usr/local/pkg/frr/frr_bgp_rpki_cache_servers.xml
+++ b/usr/local/pkg/frr/frr_bgp_rpki_cache_servers.xml
@@ -137,12 +137,6 @@
                        <description>Local path that includes the public key file of the router</description>
                        <type>input</type>
                </field>
-               <field>
-                       <fielddescr>Known Hosts Path</fielddescr>
-                       <fieldname>knownhostspath</fieldname>
-                       <description>Local path that includes the known hosts file</description>
-                       <type>input</type>
-               </field>
        </fields>
        <custom_delete_php_command>
                frr_generate_config();
diff --git a/usr/local/pkg/frr/inc/frr_bgp.inc b/usr/local/pkg/frr/inc/frr_bgp.inc
index cf7e0b571639..5eb51adb3bb3 100644
--- a/usr/local/pkg/frr/inc/frr_bgp.inc
+++ b/usr/local/pkg/frr/inc/frr_bgp.inc
@@ -848,7 +848,7 @@ function frr_bgp_generate_rpki_servers() {
        if (!empty($frr_bgp_rpki_cs)) {
                foreach ($frr_bgp_rpki_cs as $cs) {
                        $rpki_config .= " rpki cache {$cs['cacheserver']} {$cs['port']}";
-                       foreach (array("username", "privkeypath", "pubkeypath", "knownhostspath") as $key) {
+                       foreach (array("username", "privkeypath", "pubkeypath") as $key) {
                                if (empty($cs[$key])) {
                                        continue;
                                }

That appears to let it start and the RPKI config appears in show run within vtysh, but I do not have any RPKI structure to test that it actually works.

If we can get confirmation that it works, then someone can commit those changes.

Actions

Copy link

Updated by Jim Pingle about 1 month ago

File frr_rpki.patch frr_rpki.patch added

Actions

Copy link

Updated by Christopher Cope about 1 month ago

The customer that was hitting this issue confirmed that the above patch fixed the issue for him.

Actions

Copy link

Updated by Jim Pingle about 1 month ago

Assignee set to Jim Pingle
% Done changed from 0 to 100

Fix committed, new package should be available on Plus when it finishes building.

Actions

Copy link

Updated by Marcos M about 1 month ago

Subject changed from Enabling or changing RPKI configuration does not properly operate to RPKI cannot be configured
Target version set to 2.8.0
Plus Target Version set to 24.03