Bug #3772
closedBroken openbgpd config generation logic in 2.2
100%
Description
Under Services -> OpenBGPD, under the neighbors tab, if you add a neighbor and set the Neighbor Parameter called "Local address X", but don't have the global "Listen on IP" option set under the Settings tab, that neighbor config gets 2 lines added and only the second one is honored. As an example, if I have the following under the settings tab:
AS number: 65000
Hold time: 30s
fib-update: yes
listen on IP: blank
router IP: blank
networks: 172.27.32.0/24, 172.27.38.0/24
With the following group under the groups tab:
Name: VPC
Remote AS: 7224
Description: VPC
And the following neighbors under the neighbors tab:
1. Description: VPC_1
Neighbor: 169.254.255.73
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.74
2. Description: VPC_2
Neighbor: 169.254.255.77
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.78
The configuration that is generated for bgpd looks like the attached file bgpd-2_2.conf. The neighbor portion looks like the below:
neighbor 169.254.255.73 {
descr "VPC_1"
announce all
local-address 169.254.255.74
local-address 0.0.0.0
}
neighbor 169.254.255.77 {
descr "VPC_2"
announce all
local-address 169.254.255.78
local-address 0.0.0.0
}
Bgpd does not respond to incoming SYN requests from 169.254.255.77 and 169.254.255.73 and sends out SYNs to those hosts with the WAN interface IP as the source address instead of the private addresses that are configured.
I believe this commit broke this functionality:
https://git.pfmechanics.com/pfsense/pfsense-packages/commit/e1776b88ed746f666a7384db414e119f11f1b069
I think that on lines 132-136, instead of this:
if ($setlocaladdr == true && !empty($openbgpd_conf['listenip']))
$conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
else
$conffile .= "\t\tlocal-address 0.0.0.0\n";
It should be this:
if ($setlocaladdr == true)
if (!empty($openbgpd_conf['listenip']))
$conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
else
$conffile .= "\t\tlocal-address 0.0.0.0\n";
This logic would appear to be correct to me. The only time that $setlocaladdr evaluates to false is if there was already a local-address parameter encountered. So the local-address line should not be set in that case. It is being set in that case by the else clause of the original code.
I will test this fix shortly and push the above change to git if it works as expected.
Files
Updated by Matthew Smith over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:02dcf3888c643fcbd6b7f01d92eec2f9b5dc5955.
Updated by Adam Thompson over 9 years ago
I don't know if I'm doing something wrong, but when I apply the fixed version of openbgpd.inc to a 2.2.2-RELEASE system with OpenBGPd package version 0.9.3_1, the bug is still there.
I still get neighbor stanzas like this:
neighbor 206.72.208.16 {
descr "MBIX-RS2-IPv4"
announce self
local-address 206.72.208.16
remote-as 16395
enforce neighbor-as no
softreconfig in yes no
local-address 0.0.0.0
}
Updated by Adam Thompson over 9 years ago
I'm guessing a similar fix needs to be applied around line 168. I'll try putting them all into groups and see what happens...
Updated by Adam Thompson over 9 years ago
Yup. Works correctly if the neighbour is part of a group, otherwise the same breakage occurs.