Bug #3772

closed

Broken openbgpd config generation logic in 2.2

Added by Matthew Smith over 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: openbgpd
Target version:
Start date: 07/23/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.2
Affected Plus Version:
Affected Architecture:

Description

Under Services -> OpenBGPD, under the neighbors tab, if you add a neighbor and set the Neighbor Parameter called "Local address X", but don't have the global "Listen on IP" option set under the Settings tab, that neighbor config gets 2 lines added and only the second one is honored. As an example, if I have the following under the settings tab:

AS number: 65000
Hold time: 30s
fib-update: yes
listen on IP: blank
router IP: blank
networks: 172.27.32.0/24, 172.27.38.0/24

With the following group under the groups tab:

Name: VPC
Remote AS: 7224
Description: VPC

And the following neighbors under the neighbors tab:

1. Description: VPC_1
Neighbor: 169.254.255.73
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.74

2. Description: VPC_2
Neighbor: 169.254.255.77
TCP-MD5 key: blank
TCP-MD5 password: blank
Group: VPC
Neighbor parameters: Announce all, Local address 169.254.255.78

The configuration that is generated for bgpd looks like the attached file bgpd-2_2.conf. The neighbor portion looks like the below:

    neighbor 169.254.255.73 {
        descr "VPC_1"
        announce all
        local-address 169.254.255.74
        local-address 0.0.0.0
    }
    neighbor 169.254.255.77 {
        descr "VPC_2"
        announce all
        local-address 169.254.255.78
        local-address 0.0.0.0
    }

Bgpd does not respond to incoming SYN requests from 169.254.255.77 and 169.254.255.73 and sends out SYNs to those hosts with the WAN interface IP as the source address instead of the private addresses that are configured.

I believe this commit broke this functionality:

https://git.pfmechanics.com/pfsense/pfsense-packages/commit/e1776b88ed746f666a7384db414e119f11f1b069

I think that on lines 132-136, instead of this:

    if ($setlocaladdr == true && !empty($openbgpd_conf['listenip']))
        $conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
    else
        $conffile .= "\t\tlocal-address 0.0.0.0\n";

It should be this:

    if ($setlocaladdr == true)
        if (!empty($openbgpd_conf['listenip']))
            $conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n";
        else
            $conffile .= "\t\tlocal-address 0.0.0.0\n";

This logic would appear to be correct to me. The only time that $setlocaladdr evaluates to false is if there was already a local-address parameter encountered. So the local-address line should not be set in that case. It is being set in that case by the else clause of the original code.

I will test this fix shortly and push the above change to git if it works as expected.


Files

bgpd-2_2.conf (546 Bytes) bgpd-2_2.conf Matthew Smith, 07/24/2014 08:25 AM
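
A check for the symptom described in this report, written as an added example that is not part of the original report or of the pfSense package: it scans a generated bgpd.conf for neighbor blocks that carry more than one local-address line. The sample configuration is constructed from the values quoted above plus one clean neighbor on a documentation address, and the parser assumes neighbor blocks contain no nested braces.

```python
import re

# Constructed sample: one neighbor from the report's generated output,
# plus a clean neighbor (192.0.2.x is a documentation range).
SAMPLE_CONF = '''\
AS 65000
group "VPC" {
	remote-as 7224
	neighbor 169.254.255.73 {
		descr "VPC_1"
		announce all
		local-address 169.254.255.74
		local-address 0.0.0.0
	}
	neighbor 192.0.2.1 {
		descr "clean"
		local-address 192.0.2.2
	}
}
'''

NEIGHBOR_RE = re.compile(r'^\s*neighbor\s+(\S+)\s*\{')
LOCAL_RE = re.compile(r'^\s*local-address\s+(\S+)')

def find_duplicate_local_address(conf_text):
    """Return {neighbor: [local-address values]} for blocks with more than one."""
    findings = {}
    current, values = None, []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0]      # drop trailing comments
        m = NEIGHBOR_RE.match(line)
        if m:                            # entering a neighbor block
            current, values = m.group(1), []
            continue
        if current is None:              # outside any neighbor block
            continue
        m = LOCAL_RE.match(line)
        if m:
            values.append(m.group(1))
        elif line.strip() == '}':        # assumption: no nested braces
            if len(values) > 1:
                findings[current] = values
            current = None
    return findings

if __name__ == '__main__':
    for peer, addrs in find_duplicate_local_address(SAMPLE_CONF).items():
        print(f'neighbor {peer}: conflicting local-address lines {addrs}')
```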