Project

General

Profile

Actions

Bug #3772

closed

Broken openbgpd config generation logic in 2.2

Added by Matthew Smith over 9 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
openbgpd
Target version:
Start date:
07/23/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.2
Affected Plus Version:
Affected Architecture:

Description

Under Services -> OpenBGPD, under the neighbors tab, if you add a neighbor and set the Neighbor Parameter called "Local address X", but don't have the global "Listen on IP" option set under the Settings tab, that neighbor config gets 2 lines added and only the second one is honored. As an example, if I have the following under the settings tab:

AS number: 65000
Hold time: 30s
fib-update: yes
listen on IP: blank
router IP: blank
networks: 172.27.32.0/24, 172.27.38.0/24

With the following group under the groups tab:

Name: VPC
Remote AS: 7224
Description: VPC

And the following neighbors under the neighbors tab:

1. Description: VPC_1
Neighbor: 169.254.255.73
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.74

2. Description: VPC_2
Neighbor: 169.254.255.77
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.78

The configuration that is generated for bgpd looks like the attached file bgpd-2_2.conf. The neighbor portion looks like the below:

neighbor 169.254.255.73 {
descr "VPC_1"
announce all
local-address 169.254.255.74
local-address 0.0.0.0
}
neighbor 169.254.255.77 {
descr "VPC_2"
announce all
local-address 169.254.255.78
local-address 0.0.0.0
}

Bgpd does not respond to incoming SYN requests from 169.254.255.77 and 169.254.255.73 and sends out SYNs to those hosts with the WAN interface IP as the source address instead of the private addresses that are configured.

I believe this commit broke this functionality:

https://git.pfmechanics.com/pfsense/pfsense-packages/commit/e1776b88ed746f666a7384db414e119f11f1b069

I think that on lines 132-136, instead of this:

if ($setlocaladdr == true && !empty($openbgpd_conf['listenip']))
$conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
else
$conffile .= "\t\tlocal-address 0.0.0.0\n";

It should be this:
if ($setlocaladdr == true)
if (!empty($openbgpd_conf['listenip']))
$conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
else
$conffile .= "\t\tlocal-address 0.0.0.0\n";

This logic would appear to be correct to me. The only time that $setlocaladdr evaluates to false is if there was already a local-address parameter encountered. So the local-address line should not be set in that case. It is being set in that case by the else clause of the original code.

I will test this fix shortly and push the above change to git if it works as expected.


Files

bgpd-2_2.conf (546 Bytes) bgpd-2_2.conf Matthew Smith, 07/24/2014 08:25 AM
Actions #1

Updated by Matthew Smith over 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:02dcf3888c643fcbd6b7f01d92eec2f9b5dc5955.

Actions #2

Updated by Jim Thompson over 9 years ago

  • Assignee set to Matthew Smith
Actions #3

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

fixed

Actions #4

Updated by Adam Thompson almost 9 years ago

I don't know if I'm doing something wrong, but when I apply the fixed version of openbgpd.inc to a 2.2.2-RELEASE system with OpenBGPd package version 0.9.3_1, the bug is still there.

I still get neighbor stanzas like this:

neighbor 206.72.208.16 {
descr "MBIX-RS2-IPv4"
announce self
local-address 206.72.208.16
remote-as 16395
enforce neighbor-as no
softreconfig in yes no
local-address 0.0.0.0
}

Actions #5

Updated by Adam Thompson almost 9 years ago

I'm guessing a similar fix needs to be applied around line 168. I'll try putting them all into groups and see what happens...

Actions #6

Updated by Adam Thompson almost 9 years ago

Yup. Works correctly if the neighbour is part of a group, otherwise the same breakage occurs.

Actions

Also available in: Atom PDF