FRR: Initial support for TCP Authentication Option

[cdleonard]

This contains the minimum required to show that TCP authentication can work between BGP peers.

The kernel part is still a RFC, this was posted here early mainly to get ABI feedback. This version was tested with https://github.com/cdleonard/linux/commits/tcp_authopt%4020210813T195209, ABI might change in the future. Since kernel changes are required CI is expected to fail.

Last netdev post is here: https://lore.kernel.org/netdev/cover.1628544649.git.cdleonard@gmail.com/

Some ABI issues:

• Maximum key length is fixed to 80, same as md5. Should this be dynamic?
• There is no kernel support for marking keys as "expired for send" or "expired for accept" but it's not clear how those keychain properties should map to TCP-AO.
• There is no prefixlen support (what MD5 gained in 4.14)
• Unsigned packets are accepted if neighbor has no keys configured. This means that if keychain is empty or all keys are expired linux default to "accept all" instead of "deny all"

For implementing key rollover there is already support in the kernel but not in these FRR patches. My best guess is that I should add a timer for "next key validity change event" and a frr hook for any keychain changes? The lib/tcp_authopt.[ch] layer was created in the idea that BGP and LDP and maybe others would share it.

RFC5925 warns against changing keys while in use but it's not clear the extent to which this should enforced at the vtysh level.

There are also a bunch of issues related to bgp code itself:

• Not clear how keys would be added when a listener restarts?
• I've only taken a brief look through frr developer guides so I probably missed a lot of stuff.

[polychaeta]

Thanks for your contribution to FRR!

Click for style suggestions

To apply these suggestions:

curl -s https://gist.githubusercontent.com/polychaeta/d08076df4d413456718c7b2d4a977852/raw/eefda0619f69277590db97c061b62083a85ebb2b/cr_9442_1629317311.diff | git apply

diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index e2e075110..2e0ee2bdd 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -237,13 +237,14 @@ static int bgp_tcp_authopt_connect(struct peer *peer)
 	if (!peer->tcp_authopt_keychain_name)
 		return BGP_SUCCESS;
 
-	zlog_info("peer %p %s tcp_authopt_keychain %s fd %d",
-		peer, peer->host,
-		peer->tcp_authopt_keychain_name, peer->fd);
-	ret = tcp_authopt_user_init(&peer->tcp_authopt_user, peer->fd, &peer->su);
+	zlog_info("peer %p %s tcp_authopt_keychain %s fd %d", peer, peer->host,
+		  peer->tcp_authopt_keychain_name, peer->fd);
+	ret = tcp_authopt_user_init(&peer->tcp_authopt_user, peer->fd,
+				    &peer->su);
 	if (ret)
 		return BGP_ERR_TCP_AUTHOPT_FAILED;
-	ret = tcp_authopt_user_set(&peer->tcp_authopt_user, peer->tcp_authopt_keychain_name);
+	ret = tcp_authopt_user_set(&peer->tcp_authopt_user,
+				   peer->tcp_authopt_keychain_name);
 	if (ret)
 		return BGP_ERR_TCP_AUTHOPT_FAILED;
 
@@ -254,16 +255,13 @@ static int bgp_tcp_authopt_accept(struct peer *peer)
 {
 	int ret;
 
-	zlog_info("peer %p %s fd=%d keychain_name=%s",
-		peer, peer->host,
-		peer->fd, peer->tcp_authopt_keychain_name);
-	ret = tcp_authopt_user_init_accept(
-			&peer->tcp_authopt_user,
-			peer->fd,
-			&peer->su,
-			peer->tcp_authopt_keychain_name);
+	zlog_info("peer %p %s fd=%d keychain_name=%s", peer, peer->host,
+		  peer->fd, peer->tcp_authopt_keychain_name);
+	ret = tcp_authopt_user_init_accept(&peer->tcp_authopt_user, peer->fd,
+					   &peer->su,
+					   peer->tcp_authopt_keychain_name);
 
-	return ret ? BGP_ERR_TCP_AUTHOPT_FAILED: BGP_SUCCESS;
+	return ret ? BGP_ERR_TCP_AUTHOPT_FAILED : BGP_SUCCESS;
 }
 
 int bgp_tcp_authopt_close(struct peer *peer)
@@ -274,25 +272,21 @@ int bgp_tcp_authopt_close(struct peer *peer)
 
 int bgp_tcp_authopt_transfer(struct peer *newpeer, struct peer *oldpeer)
 {
-	zlog_info("oldpeer %p %s keychain_name=%s",
-			oldpeer, oldpeer->host,
-			oldpeer->tcp_authopt_keychain_name);
-	zlog_info("newpeer %p %s fd=%d keychain_name=%s",
-			newpeer, newpeer->host,
-			newpeer->fd, newpeer->tcp_authopt_keychain_name);
+	zlog_info("oldpeer %p %s keychain_name=%s", oldpeer, oldpeer->host,
+		  oldpeer->tcp_authopt_keychain_name);
+	zlog_info("newpeer %p %s fd=%d keychain_name=%s", newpeer,
+		  newpeer->host, newpeer->fd,
+		  newpeer->tcp_authopt_keychain_name);
 
 	tcp_authopt_user_reset(&oldpeer->tcp_authopt_user);
-	tcp_authopt_user_init_accept(
-			&newpeer->tcp_authopt_user,
-			newpeer->fd,
-			&newpeer->su,
-			newpeer->tcp_authopt_keychain_name);
+	tcp_authopt_user_init_accept(&newpeer->tcp_authopt_user, newpeer->fd,
+				     &newpeer->su,
+				     newpeer->tcp_authopt_keychain_name);
 
 	return 0;
 }
 
-int
-bgp_tcp_authopt_set(struct peer *peer)
+int bgp_tcp_authopt_set(struct peer *peer)
 {
 	struct listnode *node;
 	struct bgp_listener *listener;
@@ -304,14 +298,16 @@ bgp_tcp_authopt_set(struct peer *peer)
 	for (ALL_LIST_ELEMENTS_RO(bm->listen_sockets, node, listener)) {
 		if (listener->su.sa.sa_family != peer->su.sa.sa_family)
 			continue;
-		zlog_info("peer %p %s tcp_authopt_keychain %s listener %p fd %d",
-				peer, peer->host,
-				peer->tcp_authopt_keychain_name,
-				listener, listener->fd);
-		ret = tcp_authopt_user_init(&peer->tcp_authopt_user_listen, listener->fd, &peer->su);
+		zlog_info(
+			"peer %p %s tcp_authopt_keychain %s listener %p fd %d",
+			peer, peer->host, peer->tcp_authopt_keychain_name,
+			listener, listener->fd);
+		ret = tcp_authopt_user_init(&peer->tcp_authopt_user_listen,
+					    listener->fd, &peer->su);
 		if (ret)
 			return BGP_ERR_TCP_AUTHOPT_FAILED;
-		ret = tcp_authopt_user_set(&peer->tcp_authopt_user_listen, peer->tcp_authopt_keychain_name);
+		ret = tcp_authopt_user_set(&peer->tcp_authopt_user_listen,
+					   peer->tcp_authopt_keychain_name);
 		if (ret)
 			return BGP_ERR_TCP_AUTHOPT_FAILED;
 	}
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index e65e23814..c7dcd960b 100644
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -4692,13 +4692,11 @@ DEFUN (no_neighbor_password,
 	return bgp_vty_return(vty, ret);
 }
 
-DEFUN (neighbor_tcp_authopt,
-       neighbor_tcp_authopt_cmd,
-       "neighbor <A.B.C.D|X:X::X:X|WORD> tcp-authopt [KEYCHAIN]",
-       NEIGHBOR_STR
-       NEIGHBOR_ADDR_STR2
-       "Enable the TCP Authentication Option\n"
-       "The name of the KEYCHAIN to use\n")
+DEFUN(neighbor_tcp_authopt, neighbor_tcp_authopt_cmd,
+      "neighbor <A.B.C.D|X:X::X:X|WORD> tcp-authopt [KEYCHAIN]",
+      NEIGHBOR_STR NEIGHBOR_ADDR_STR2
+      "Enable the TCP Authentication Option\n"
+      "The name of the KEYCHAIN to use\n")
 {
 	struct peer *peer;
 	int ret;
@@ -4711,13 +4709,10 @@ DEFUN (neighbor_tcp_authopt,
 	return bgp_vty_return(vty, ret);
 }
 
-DEFUN (no_neighbor_tcp_authopt,
-       no_neighbor_tcp_authopt_cmd,
-       "no neighbor <A.B.C.D|X:X::X:X|WORD> tcp-authopt",
-       NO_STR
-       NEIGHBOR_STR
-       NEIGHBOR_ADDR_STR2
-       "Disable the TCP Authentication Option\n")
+DEFUN(no_neighbor_tcp_authopt, no_neighbor_tcp_authopt_cmd,
+      "no neighbor <A.B.C.D|X:X::X:X|WORD> tcp-authopt",
+      NO_STR NEIGHBOR_STR NEIGHBOR_ADDR_STR2
+      "Disable the TCP Authentication Option\n")
 {
 	struct peer *peer;
 	int ret;
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index a63cdc64f..85d97ceb4 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -5960,17 +5960,19 @@ int peer_local_as_unset(struct peer *peer)
 
 int peer_tcp_authopt_keychain_set(struct peer *peer, const char *keychain_name)
 {
-	zlog_info("peer %p %s tcp_authopt keychain_name %s", peer, peer->host, keychain_name);
+	zlog_info("peer %p %s tcp_authopt keychain_name %s", peer, peer->host,
+		  keychain_name);
 
 	/* Set flag and configuration on peer. */
 	peer_flag_set(peer, PEER_FLAG_TCP_AUTHOPT_KEYCHAIN);
-	if (peer->tcp_authopt_keychain_name && keychain_name &&
-			strcmp(peer->tcp_authopt_keychain_name, keychain_name) == 0)
+	if (peer->tcp_authopt_keychain_name && keychain_name
+	    && strcmp(peer->tcp_authopt_keychain_name, keychain_name) == 0)
 		return 0;
 	if (peer->tcp_authopt_keychain_name == NULL && keychain_name == NULL)
 		return 0;
 	XFREE(MTYPE_PEER_TCP_AUTHOPT_KEYCHAIN, peer->tcp_authopt_keychain_name);
-	peer->tcp_authopt_keychain_name = XSTRDUP(MTYPE_PEER_TCP_AUTHOPT_KEYCHAIN, keychain_name);
+	peer->tcp_authopt_keychain_name =
+		XSTRDUP(MTYPE_PEER_TCP_AUTHOPT_KEYCHAIN, keychain_name);
 
 	if (!CHECK_FLAG(peer->sflags, PEER_STATUS_GROUP)) {
 		if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
@@ -5981,7 +5983,8 @@ int peer_tcp_authopt_keychain_set(struct peer *peer, const char *keychain_name)
 
 		return bgp_tcp_authopt_set(peer);
 	} else {
-		zlog_err("tcp authopt not supported for group or dynamic range\n");
+		zlog_err(
+			"tcp authopt not supported for group or dynamic range\n");
 		return BGP_ERR_TCP_AUTHOPT_FAILED;
 	}
 }
diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
index 3cbf0cacc..83c8c3aab 100644
--- a/bgpd/bgpd.h
+++ b/bgpd/bgpd.h
@@ -1276,7 +1276,8 @@ struct peer {
 #define PEER_FLAG_PASSWORD                  (1U << 20) /* password */
 #define PEER_FLAG_LOCAL_AS                  (1U << 21) /* local-as */
 #define PEER_FLAG_UPDATE_SOURCE             (1U << 22) /* update-source */
-#define PEER_FLAG_TCP_AUTHOPT_KEYCHAIN      (1U << 23) /* tcp authentication option keychain */
+#define PEER_FLAG_TCP_AUTHOPT_KEYCHAIN                                         \
+	(1U << 23) /* tcp authentication option keychain */
 
 	/* BGP-GR Peer related  flags */
 #define PEER_FLAG_GRACEFUL_RESTART_HELPER   (1U << 23) /* Helper */
@@ -1933,7 +1934,7 @@ enum bgp_clear_type {
 #define BGP_ERR_GR_OPERATION_FAILED             -37
 #define BGP_GR_NO_OPERATION                     -38
 
-#define BGP_ERR_TCP_AUTHOPT_FAILED              -39
+#define BGP_ERR_TCP_AUTHOPT_FAILED -39
 
 /*
  * Enumeration of different policy kinds a peer can be configured with.
@@ -2170,7 +2171,8 @@ extern int peer_advertise_map_set(struct peer *peer, afi_t afi, safi_t safi,
 extern int peer_password_set(struct peer *, const char *);
 extern int peer_password_unset(struct peer *);
 
-extern int peer_tcp_authopt_keychain_set(struct peer *peer, const char *keychain_name);
+extern int peer_tcp_authopt_keychain_set(struct peer *peer,
+					 const char *keychain_name);
 
 extern int peer_unsuppress_map_unset(struct peer *, afi_t, safi_t);
 
diff --git a/lib/keychain.c b/lib/keychain.c
index da798fcaa..4aea4e66f 100644
--- a/lib/keychain.c
+++ b/lib/keychain.c
@@ -141,7 +141,8 @@ bool key_valid_for_accept(struct key *key, time_t now)
 	if (key->accept.start == 0)
 		return true;
 
-	if (key->accept.start <= now && (key->accept.end >= now || key->accept.end == -1))
+	if (key->accept.start <= now
+	    && (key->accept.end >= now || key->accept.end == -1))
 		return true;
 
 	return false;
@@ -152,7 +153,8 @@ bool key_valid_for_send(struct key *key, time_t now)
 	if (key->send.start == 0)
 		return true;
 
-	if (key->send.start <= now && (key->send.end >= now || key->send.end == -1))
+	if (key->send.start <= now
+	    && (key->send.end >= now || key->send.end == -1))
 		return true;
 
 	return false;
@@ -989,8 +991,7 @@ static const char *tcp_authopt_alg_id_to_name(enum zebra_tcp_authopt_alg id)
 		return NULL;
 }
 
-DEFUN(tcp_authopt_enable,
-      tcp_authopt_enable_cmd,
+DEFUN(tcp_authopt_enable, tcp_authopt_enable_cmd,
       "tcp-authopt <enabled|disabled>",
       "TCP Authentication Option\n"
       "Enable using this key for TCP Authentication Option\n"
@@ -1001,8 +1002,7 @@ DEFUN(tcp_authopt_enable,
 	return CMD_SUCCESS;
 }
 
-DEFUN(tcp_authopt_algorithm,
-      tcp_authopt_algorithm_cmd,
+DEFUN(tcp_authopt_algorithm, tcp_authopt_algorithm_cmd,
       "tcp-authopt algorithm <hmac-sha-1-96|aes-128-cmac-96>",
       "TCP Authentication Option\n"
       "TCP Authentication Option algorithm\n"
@@ -1023,8 +1023,7 @@ DEFUN(tcp_authopt_algorithm,
 	}
 }
 
-DEFUN(tcp_authopt_send_id,
-      tcp_authopt_send_id_cmd,
+DEFUN(tcp_authopt_send_id, tcp_authopt_send_id_cmd,
       "tcp-authopt send-id (0-255)",
       "TCP Authentication Option\n"
       "SendID\n"
@@ -1035,8 +1034,7 @@ DEFUN(tcp_authopt_send_id,
 	return CMD_SUCCESS;
 }
 
-DEFUN(tcp_authopt_recv_id,
-      tcp_authopt_recv_id_cmd,
+DEFUN(tcp_authopt_recv_id, tcp_authopt_recv_id_cmd,
       "tcp-authopt recv-id (0-255)",
       "TCP Authentication Option\n"
       "RecvID\n"
@@ -1132,11 +1130,15 @@ static int keychain_config_write(struct vty *vty)
 			if (key->tcp_authopt_enabled)
 				vty_out(vty, "  tcp-authopt enabled\n");
 			if (key->tcp_authopt_alg)
-				vty_out(vty, "  tcp-authopt algorithm %s\n", tcp_authopt_alg_id_to_name(key->tcp_authopt_alg));
+				vty_out(vty, "  tcp-authopt algorithm %s\n",
+					tcp_authopt_alg_id_to_name(
+						key->tcp_authopt_alg));
 			if (key->tcp_authopt_send_id)
-				vty_out(vty, "  tcp-authopt send-id %hhu\n", key->tcp_authopt_send_id);
+				vty_out(vty, "  tcp-authopt send-id %hhu\n",
+					key->tcp_authopt_send_id);
 			if (key->tcp_authopt_recv_id)
-				vty_out(vty, "  tcp-authopt recv-id %hhu\n", key->tcp_authopt_recv_id);
+				vty_out(vty, "  tcp-authopt recv-id %hhu\n",
+					key->tcp_authopt_recv_id);
 			vty_out(vty, " exit\n");
 		}
 		vty_out(vty, "!\n");
diff --git a/vtysh/vtysh.h b/vtysh/vtysh.h
index 234a5e311..a08135cf3 100644
--- a/vtysh/vtysh.h
+++ b/vtysh/vtysh.h
@@ -57,7 +57,7 @@ DECLARE_MGROUP(MVTYSH);
 #define VTYSH_RMAP	  VTYSH_ZEBRA|VTYSH_RIPD|VTYSH_RIPNGD|VTYSH_OSPFD|VTYSH_OSPF6D|VTYSH_BGPD|VTYSH_ISISD|VTYSH_PIMD|VTYSH_EIGRPD|VTYSH_FABRICD
 #define VTYSH_INTERFACE	  VTYSH_ZEBRA|VTYSH_RIPD|VTYSH_RIPNGD|VTYSH_OSPFD|VTYSH_OSPF6D|VTYSH_ISISD|VTYSH_PIMD|VTYSH_NHRPD|VTYSH_EIGRPD|VTYSH_BABELD|VTYSH_PBRD|VTYSH_FABRICD|VTYSH_VRRPD
 #define VTYSH_VRF	  VTYSH_INTERFACE|VTYSH_STATICD
-#define VTYSH_KEYS        VTYSH_RIPD|VTYSH_EIGRPD|VTYSH_BGPD
+#define VTYSH_KEYS VTYSH_RIPD | VTYSH_EIGRPD | VTYSH_BGPD
 /* Daemons who can process nexthop-group configs */
 #define VTYSH_NH_GROUP    VTYSH_PBRD|VTYSH_SHARPD
 #define VTYSH_SR          VTYSH_ZEBRA|VTYSH_PATHD

If you are a new contributor to FRR, please see our contributing guidelines.

After making changes, you do not need to create a new PR. You should perform an amend or interactive rebase followed by a force push.

[LabN-CI]

Outdated results 🚧

Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

_	_
Result	SUCCESS git merge/9442 27c81a7
Date	08/18/2021
Start	16:11:33
Finish	16:37:44
Run-Time	26:11
Total	1813
Pass	1813
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2021-08-18-16:11:33.txt
Log	autoscript-2021-08-18-16:12:47.log.bz2
Memory	490 508 424

For details, please contact louberger

[NetDEF-CI]

Continuous Integration Result: FAILED

Continuous Integration Result: FAILED

See below for issues.
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/

This is a comment from an automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

Get source / Pull Request: Successful

Building Stage: Failed

NetBSD 8 amd64 build: Failed (click for details)

NetBSD 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.log/config.log.gz

Make failed for NetBSD 8 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

NetBSD 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.status/config.status

FreeBSD 11 amd64 build: Failed (click for details)

Make failed for FreeBSD 11 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 1033 | static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

FreeBSD 11 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.status/config.status
FreeBSD 11 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.log/config.log.gz

OpenBSD 6 amd64 build: Failed (click for details)

Make failed for OpenBSD 6 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/ErrorLog/log_make.txt)

static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'

OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.status/config.status
OpenBSD 6 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.log/config.log.gz

FreeBSD 12 amd64 build: Failed (click for details)

Make failed for FreeBSD 12 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

FreeBSD 12 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.status/config.status
FreeBSD 12 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.log/config.log.gz

Successful on other platforms/tests

• Debian 9 amd64 build
• Ubuntu 18.04 ppc64le build
• Ubuntu 16.04 amd64 build
• Ubuntu 18.04 arm7 build
• Ubuntu 16.04 arm8 build
• Debian 11 amd64 build
• Ubuntu 20.04 amd64 build
• Ubuntu 16.04 i386 build
• Debian 10 amd64 build
• Fedora 29 amd64 build
• Ubuntu 18.04 arm8 build
• CentOS 7 amd64 build
• Ubuntu 18.04 i386 build
• Ubuntu 18.04 amd64 build
• Ubuntu 16.04 arm7 build
• CentOS 8 amd64 build

Warnings Generated during build:

Checkout code: Successful with additional warnings

NetBSD 8 amd64 build: Failed (click for details)

NetBSD 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.log/config.log.gz

Make failed for NetBSD 8 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

NetBSD 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.status/config.status

FreeBSD 11 amd64 build: Failed (click for details)

Make failed for FreeBSD 11 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 1033 | static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

FreeBSD 11 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.status/config.status
FreeBSD 11 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.log/config.log.gz

OpenBSD 6 amd64 build: Failed (click for details)

Make failed for OpenBSD 6 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/ErrorLog/log_make.txt)

static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'

OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.status/config.status
OpenBSD 6 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.log/config.log.gz

FreeBSD 12 amd64 build: Failed (click for details)

Make failed for FreeBSD 12 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/ErrorLog/log_make.txt)

lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
 static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'

FreeBSD 12 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.status/config.status
FreeBSD 12 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.log/config.log.gz

Report for bgpd.c | 8 issues
===============================================
< WARNING: line over 80 characters
< #5968: FILE: /tmp/f1-16516/bgpd.c:5968:
< WARNING: line over 80 characters
< #5973: FILE: /tmp/f1-16516/bgpd.c:5973:
< WARNING: else is not generally useful after a break or return
< #5983: FILE: /tmp/f1-16516/bgpd.c:5983:
< WARNING: line over 80 characters
< #6292: FILE: /tmp/f1-16516/bgpd.c:6292:
Report for bgpd.h | 4 issues
===============================================
< WARNING: line over 80 characters
< #1284: FILE: /tmp/f1-16516/bgpd.h:1284:
< WARNING: line over 80 characters
< #2173: FILE: /tmp/f1-16516/bgpd.h:2173:
Report for bgp_network.c | 10 issues
===============================================
< WARNING: line over 80 characters
< #243: FILE: /tmp/f1-16516/bgp_network.c:243:
< WARNING: line over 80 characters
< #246: FILE: /tmp/f1-16516/bgp_network.c:246:
< ERROR: spaces required around that ':' (ctx:VxW)
< #266: FILE: /tmp/f1-16516/bgp_network.c:266:
< WARNING: line over 80 characters
< #311: FILE: /tmp/f1-16516/bgp_network.c:311:
< WARNING: line over 80 characters
< #314: FILE: /tmp/f1-16516/bgp_network.c:314:
Report for bgp_network.h | 6 issues
===============================================
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #41: FILE: /tmp/f1-16516/bgp_network.h:41:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-16516/bgp_network.h:43:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-16516/bgp_network.h:43:
Report for bgp_vty.c | 2 issues
===============================================
< WARNING: braces {} are not necessary for any arm of this statement
< #13931: FILE: /tmp/f1-16516/bgp_vty.c:13931:
Report for keychain.c | 12 issues
===============================================
< WARNING: line over 80 characters
< #155: FILE: /tmp/f1-16516/keychain.c:155:
< WARNING: line over 80 characters
< #188: FILE: /tmp/f1-16516/keychain.c:188:
< WARNING: else is not generally useful after a break or return
< #1020: FILE: /tmp/f1-16516/keychain.c:1020:
< WARNING: line over 80 characters
< #1135: FILE: /tmp/f1-16516/keychain.c:1135:
< WARNING: line over 80 characters
< #1137: FILE: /tmp/f1-16516/keychain.c:1137:
< WARNING: line over 80 characters
< #1139: FILE: /tmp/f1-16516/keychain.c:1139:
Report for tcp_authopt.c | 161 issues
===============================================
WARNING: line over 80 characters
#34: FILE: /tmp/f1-16516/tcp_authopt.c:34:
+#define TCP_AUTHOPT		38	/* TCP Authentication Option (RFC5925) */

WARNING: line over 80 characters
#35: FILE: /tmp/f1-16516/tcp_authopt.c:35:
+#define TCP_AUTHOPT_KEY		39	/* TCP Authentication Option Key (RFC5925) */

WARNING: line over 80 characters
#44: FILE: /tmp/f1-16516/tcp_authopt.c:44:
+	 * If this is set `tcp_authopt.local_send_id` is used to determined sending

WARNING: line over 80 characters
#57: FILE: /tmp/f1-16516/tcp_authopt.c:57:
+	 *	Configure behavior of segments with TCP-AO coming from hosts for which no

WARNING: line over 80 characters
#58: FILE: /tmp/f1-16516/tcp_authopt.c:58:
+	 *	key is configured. The default recommended by RFC is to silently accept

WARNING: line over 80 characters
#79: FILE: /tmp/f1-16516/tcp_authopt.c:79:
+	 * This is controlled by the user iff TCP_AUTHOPT_FLAG_LOCK_RNEXTKEYID is

WARNING: line over 80 characters
#83: FILE: /tmp/f1-16516/tcp_authopt.c:83:
+	/** @recv_keyid: A recently-received keyid value. Only for getsockopt. */

WARNING: line over 80 characters
#85: FILE: /tmp/f1-16516/tcp_authopt.c:85:
+	/** @recv_rnextkeyid: A recently-received rnextkeyid value. Only for getsockopt. */

ERROR: "foo* bar" should be "foo *bar"
#148: FILE: /tmp/f1-16516/tcp_authopt.c:148:
+		struct tcp_authopt_key* keyopt,

ERROR: "foo* bar" should be "foo *bar"
#150: FILE: /tmp/f1-16516/tcp_authopt.c:150:
+		struct key* key)

WARNING: line over 80 characters
#165: FILE: /tmp/f1-16516/tcp_authopt.c:165:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)

ERROR: that open brace { should be on the previous line
#181: FILE: /tmp/f1-16516/tcp_authopt.c:181:
+	for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+	{

WARNING: line over 80 characters
#186: FILE: /tmp/f1-16516/tcp_authopt.c:186:
+		/* Linux implementation doesn't allow marking keys as expired so only add

WARNING: line over 80 characters
#212: FILE: /tmp/f1-16516/tcp_authopt.c:212:
+		if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {

WARNING: line over 80 characters
#213: FILE: /tmp/f1-16516/tcp_authopt.c:213:
+			zlog_warn("setsockopt TCP_AUTHOPT_KEY: %s", safe_strerror(errno));

WARNING: line over 80 characters
#219: FILE: /tmp/f1-16516/tcp_authopt.c:219:
+		/* Currently kernel accepts everything if no keys are added for an

WARNING: line over 80 characters
#220: FILE: /tmp/f1-16516/tcp_authopt.c:220:
+		 * address. This means that if all keys fail unsigned packets will be

WARNING: line over 80 characters
#223: FILE: /tmp/f1-16516/tcp_authopt.c:223:
+		zlog_warn("No valid tcp_authopt keys added from keychain %s", keychain->name);

WARNING: line over 80 characters
#230: FILE: /tmp/f1-16516/tcp_authopt.c:230:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)

ERROR: that open brace { should be on the previous line
#242: FILE: /tmp/f1-16516/tcp_authopt.c:242:
+	for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+	{

WARNING: line over 80 characters
#249: FILE: /tmp/f1-16516/tcp_authopt.c:249:
+		if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {

WARNING: line over 80 characters
#253: FILE: /tmp/f1-16516/tcp_authopt.c:253:
+				zlog_warn("setsockopt TCP_AUTHOPT_KEY_DEL unexpected error: %s", safe_strerror(errno));

WARNING: line over 80 characters
#300: FILE: /tmp/f1-16516/tcp_authopt.c:300:
+	if (user->keychain_name && keychain_name && !strcmp(user->keychain_name, keychain_name))

WARNING: line over 80 characters
#315: FILE: /tmp/f1-16516/tcp_authopt.c:315:
+			tcp_authopt_keychain_del(user->sock, &user->su, keychain);

WARNING: Missing a blank line after declarations
#340: FILE: /tmp/f1-16516/tcp_authopt.c:340:
+	char addrbuf[SU_ADDRSTRLEN];
+	if (user->sock == sock && 0 == memcmp(&user->su, su, sizeof(*su)))

ERROR: that open brace { should be on the previous line
#400: FILE: /tmp/f1-16516/tcp_authopt.c:400:
+	if (err == ENOPROTOOPT)
+	{

ERROR: that open brace { should be on the previous line
#405: FILE: /tmp/f1-16516/tcp_authopt.c:405:
+	if (err == ENOENT)
+	{

ERROR: that open brace { should be on the previous line
#410: FILE: /tmp/f1-16516/tcp_authopt.c:410:
+	if (err)
+	{

WARNING: line over 80 characters
#412: FILE: /tmp/f1-16516/tcp_authopt.c:412:
+		vty_out(vty, "TCP Authentication Option unexpected getsockopt err: %s\n", safe_strerror(errno));

WARNING: quoted string split across lines
#416: FILE: /tmp/f1-16516/tcp_authopt.c:416:
+	vty_out(vty, "TCP Authentication Option Enabled:"
+			" keyid %hhu"

WARNING: quoted string split across lines
#417: FILE: /tmp/f1-16516/tcp_authopt.c:417:
+			" keyid %hhu"
+			" rnextkeyid %hhu"

WARNING: quoted string split across lines
#418: FILE: /tmp/f1-16516/tcp_authopt.c:418:
+			" rnextkeyid %hhu"
+			" recv_keyid %hhu"

WARNING: quoted string split across lines
#419: FILE: /tmp/f1-16516/tcp_authopt.c:419:
+			" recv_keyid %hhu"
+			" recv_rnextkeyid %hhu\n",

ERROR: "foo* bar" should be "foo *bar"
#432: FILE: /tmp/f1-16516/tcp_authopt.c:432:
+	struct json_object* jo;

ERROR: that open brace { should be on the previous line
#441: FILE: /tmp/f1-16516/tcp_authopt.c:441:
+	if (err == ENOPROTOOPT)
+	{

ERROR: that open brace { should be on the previous line
#446: FILE: /tmp/f1-16516/tcp_authopt.c:446:
+	if (err == ENOENT)
+	{

ERROR: that open brace { should be on the previous line
#451: FILE: /tmp/f1-16516/tcp_authopt.c:451:
+	if (err)
+	{

[cdleonard]

Attempted to fix failure on non-linux systems.

[LabN-CI]

Outdated results 🛑

Basic BGPD CI results: FAILURE

_	_
Result	08/19/2021
Date	11:01:34
Start	11:28:41
Finish	27:07
Run-Time	1736
Total	1735
Pass	1
Fail	21
Valgrind-Errors	67
Valgrind-Loss	313
Details	vncregress-2021-08-19-11:01:34.txt
Log	autoscript-2021-08-19-11:02:47.log.bz2
Memory	503 499 426
FAILURE git merge/9442 0aa41dc Autoscript

For details, please contact louberger

[NetDEF-CI]

Continuous Integration Result: FAILED

See below for issues.
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/

This is a comment from an automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

Get source / Pull Request: Successful

Building Stage: Failed

CentOS 7 amd64 build: Failed (click for details)

CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/ErrorLog/ CentOS 7 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/config.status/config.status CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/config.log/config.log.gz CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/frr.xref.xz/frr.xref.xz CentOS 7 amd64 build: No useful log found

OpenBSD 6 amd64 build: Failed (click for details)

Make failed for OpenBSD 6 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/ErrorLog/log_make.txt)

static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".

OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.status/config.status
OpenBSD 6 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.log/config.log.gz

Fedora 29 amd64 build: Failed (click for details)

Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/ErrorLog/ Fedora 29 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/config.status/config.status Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/config.log/config.log.gz Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/frr.xref.xz/frr.xref.xz Fedora 29 amd64 build: No useful log found

CentOS 8 amd64 build: Failed (click for details)

CentOS 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.status/config.status CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/ErrorLog/ CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.log/config.log.gz CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/frr.xref.xz/frr.xref.xz CentOS 8 amd64 build: No useful log found

Successful on other platforms/tests

• Ubuntu 16.04 i386 build
• NetBSD 8 amd64 build
• Debian 9 amd64 build
• Ubuntu 16.04 amd64 build
• Ubuntu 18.04 amd64 build
• Ubuntu 20.04 amd64 build
• Ubuntu 18.04 arm7 build
• Debian 11 amd64 build
• Ubuntu 18.04 arm8 build
• Ubuntu 18.04 ppc64le build
• Ubuntu 16.04 arm8 build
• FreeBSD 11 amd64 build
• Ubuntu 16.04 arm7 build
• Ubuntu 18.04 i386 build
• Debian 10 amd64 build
• FreeBSD 12 amd64 build

Warnings Generated during build:

Checkout code: Successful with additional warnings

CentOS 7 amd64 build: Failed (click for details)

CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/ErrorLog/ CentOS 7 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/config.status/config.status CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/config.log/config.log.gz CentOS 7 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI005BUILD/frr.xref.xz/frr.xref.xz CentOS 7 amd64 build: No useful log found

OpenBSD 6 amd64 build: Failed (click for details)

Make failed for OpenBSD 6 amd64 build:
(see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/ErrorLog/log_make.txt)

static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".

OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.status/config.status
OpenBSD 6 amd64 build: Unknown Log <config.log.gz>
URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.log/config.log.gz

Fedora 29 amd64 build: Failed (click for details)

Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/ErrorLog/ Fedora 29 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/config.status/config.status Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/config.log/config.log.gz Fedora 29 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/F29BUILD/frr.xref.xz/frr.xref.xz Fedora 29 amd64 build: No useful log found

CentOS 8 amd64 build: Failed (click for details)

CentOS 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.status/config.status CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/ErrorLog/ CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.log/config.log.gz CentOS 8 amd64 build: Unknown Log URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/frr.xref.xz/frr.xref.xz CentOS 8 amd64 build: No useful log found

Report for bgpd.c | 8 issues
===============================================
< WARNING: line over 80 characters
< #5968: FILE: /tmp/f1-25409/bgpd.c:5968:
< WARNING: line over 80 characters
< #5973: FILE: /tmp/f1-25409/bgpd.c:5973:
< WARNING: else is not generally useful after a break or return
< #5983: FILE: /tmp/f1-25409/bgpd.c:5983:
< WARNING: line over 80 characters
< #6292: FILE: /tmp/f1-25409/bgpd.c:6292:
Report for bgpd.h | 4 issues
===============================================
< WARNING: line over 80 characters
< #1284: FILE: /tmp/f1-25409/bgpd.h:1284:
< WARNING: line over 80 characters
< #2173: FILE: /tmp/f1-25409/bgpd.h:2173:
Report for bgp_network.c | 10 issues
===============================================
< WARNING: line over 80 characters
< #243: FILE: /tmp/f1-25409/bgp_network.c:243:
< WARNING: line over 80 characters
< #246: FILE: /tmp/f1-25409/bgp_network.c:246:
< ERROR: spaces required around that ':' (ctx:VxW)
< #266: FILE: /tmp/f1-25409/bgp_network.c:266:
< WARNING: line over 80 characters
< #311: FILE: /tmp/f1-25409/bgp_network.c:311:
< WARNING: line over 80 characters
< #314: FILE: /tmp/f1-25409/bgp_network.c:314:
Report for bgp_network.h | 6 issues
===============================================
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #41: FILE: /tmp/f1-25409/bgp_network.h:41:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-25409/bgp_network.h:43:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-25409/bgp_network.h:43:
Report for bgp_vty.c | 2 issues
===============================================
< WARNING: braces {} are not necessary for any arm of this statement
< #13931: FILE: /tmp/f1-25409/bgp_vty.c:13931:
Report for keychain.c | 12 issues
===============================================
< WARNING: line over 80 characters
< #155: FILE: /tmp/f1-25409/keychain.c:155:
< WARNING: line over 80 characters
< #188: FILE: /tmp/f1-25409/keychain.c:188:
< WARNING: else is not generally useful after a break or return
< #1020: FILE: /tmp/f1-25409/keychain.c:1020:
< WARNING: line over 80 characters
< #1135: FILE: /tmp/f1-25409/keychain.c:1135:
< WARNING: line over 80 characters
< #1137: FILE: /tmp/f1-25409/keychain.c:1137:
< WARNING: line over 80 characters
< #1139: FILE: /tmp/f1-25409/keychain.c:1139:
Report for tcp_authopt.c | 141 issues
===============================================
ERROR: "foo* bar" should be "foo *bar"
#34: FILE: /tmp/f1-25409/tcp_authopt.c:34:
+		struct tcp_authopt_key* keyopt,

ERROR: "foo* bar" should be "foo *bar"
#36: FILE: /tmp/f1-25409/tcp_authopt.c:36:
+		struct key* key)

WARNING: line over 80 characters
#51: FILE: /tmp/f1-25409/tcp_authopt.c:51:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)

ERROR: that open brace { should be on the previous line
#67: FILE: /tmp/f1-25409/tcp_authopt.c:67:
+	for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+	{

WARNING: line over 80 characters
#72: FILE: /tmp/f1-25409/tcp_authopt.c:72:
+		/* Linux implementation doesn't allow marking keys as expired so only add

WARNING: line over 80 characters
#98: FILE: /tmp/f1-25409/tcp_authopt.c:98:
+		if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {

WARNING: line over 80 characters
#99: FILE: /tmp/f1-25409/tcp_authopt.c:99:
+			zlog_warn("setsockopt TCP_AUTHOPT_KEY: %s", safe_strerror(errno));

WARNING: line over 80 characters
#105: FILE: /tmp/f1-25409/tcp_authopt.c:105:
+		/* Currently kernel accepts everything if no keys are added for an

WARNING: line over 80 characters
#106: FILE: /tmp/f1-25409/tcp_authopt.c:106:
+		 * address. This means that if all keys fail unsigned packets will be

WARNING: line over 80 characters
#109: FILE: /tmp/f1-25409/tcp_authopt.c:109:
+		zlog_warn("No valid tcp_authopt keys added from keychain %s", keychain->name);

WARNING: line over 80 characters
#116: FILE: /tmp/f1-25409/tcp_authopt.c:116:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)

ERROR: that open brace { should be on the previous line
#128: FILE: /tmp/f1-25409/tcp_authopt.c:128:
+	for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+	{

WARNING: line over 80 characters
#135: FILE: /tmp/f1-25409/tcp_authopt.c:135:
+		if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {

WARNING: line over 80 characters
#139: FILE: /tmp/f1-25409/tcp_authopt.c:139:
+				zlog_warn("setsockopt TCP_AUTHOPT_KEY_DEL unexpected error: %s", safe_strerror(errno));

WARNING: line over 80 characters
#149: FILE: /tmp/f1-25409/tcp_authopt.c:149:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)

WARNING: line over 80 characters
#154: FILE: /tmp/f1-25409/tcp_authopt.c:154:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)

WARNING: line over 80 characters
#197: FILE: /tmp/f1-25409/tcp_authopt.c:197:
+	if (user->keychain_name && keychain_name && !strcmp(user->keychain_name, keychain_name))

WARNING: line over 80 characters
#212: FILE: /tmp/f1-25409/tcp_authopt.c:212:
+			tcp_authopt_keychain_del(user->sock, &user->su, keychain);

WARNING: Missing a blank line after declarations
#237: FILE: /tmp/f1-25409/tcp_authopt.c:237:
+	char addrbuf[SU_ADDRSTRLEN];
+	if (user->sock == sock && 0 == memcmp(&user->su, su, sizeof(*su)))

ERROR: that open brace { should be on the previous line
#298: FILE: /tmp/f1-25409/tcp_authopt.c:298:
+	if (err == -ENOPROTOOPT)
+	{

ERROR: that open brace { should be on the previous line
#303: FILE: /tmp/f1-25409/tcp_authopt.c:303:
+	if (err == -ENOENT)
+	{

ERROR: that open brace { should be on the previous line
#308: FILE: /tmp/f1-25409/tcp_authopt.c:308:
+	if (err)
+	{

WARNING: line over 80 characters
#310: FILE: /tmp/f1-25409/tcp_authopt.c:310:
+		vty_out(vty, "TCP Authentication Option unexpected getsockopt err: %s\n", safe_strerror(-err));

WARNING: quoted string split across lines
#314: FILE: /tmp/f1-25409/tcp_authopt.c:314:
+	vty_out(vty, "TCP Authentication Option Enabled:"
+			" keyid %hhu"

WARNING: quoted string split across lines
#315: FILE: /tmp/f1-25409/tcp_authopt.c:315:
+			" keyid %hhu"
+			" rnextkeyid %hhu"

WARNING: quoted string split across lines
#316: FILE: /tmp/f1-25409/tcp_authopt.c:316:
+			" rnextkeyid %hhu"
+			" recv_keyid %hhu"

WARNING: quoted string split across lines
#317: FILE: /tmp/f1-25409/tcp_authopt.c:317:
+			" recv_keyid %hhu"
+			" recv_rnextkeyid %hhu\n",

ERROR: "foo* bar" should be "foo *bar"
#330: FILE: /tmp/f1-25409/tcp_authopt.c:330:
+	struct json_object* jo;

ERROR: that open brace { should be on the previous line
#339: FILE: /tmp/f1-25409/tcp_authopt.c:339:
+	if (err == -ENOPROTOOPT)
+	{

ERROR: that open brace { should be on the previous line
#344: FILE: /tmp/f1-25409/tcp_authopt.c:344:
+	if (err == -ENOENT)
+	{

ERROR: that open brace { should be on the previous line
#349: FILE: /tmp/f1-25409/tcp_authopt.c:349:
+	if (err)
+	{

ERROR: "foo* bar" should be "foo *bar"
#368: FILE: /tmp/f1-25409/tcp_authopt.c:368:
+	struct json_object* jo;

[LabN-CI]

Outdated results 🚧

Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

_	_
Result	SUCCESS git merge/9442 ab300d9
Date	08/19/2021
Start	16:36:32
Finish	17:02:54
Run-Time	26:22
Total	1813
Pass	1813
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2021-08-19-16:36:32.txt
Log	autoscript-2021-08-19-16:37:42.log.bz2
Memory	506 487 421

For details, please contact louberger

[eqvinox]

Any chance for this to use the XFRM infrastructure, i.e. setsockopt(..., IP_XFRM_POLICY, ...) rather than yet another new sockopt? (and socket(AF_NETLINK, ..., NETLINK_XFRM) for key management?)

[cdleonard]

This ABI mirrors TCP_MD5SIG because the standard is very directly intended to replace TCP-MD5. TCP sockopts are very easy to use and not at all scarce so why not use them?

I'm not very familiar with XFRM so I'd have to investigate how that could be used here. As far as I understand xfrm is meant for "global" config which matches and transforms all packets matching certain criteria, this would be very different from my approach where TCP-AO configuration only exists at the socket level. My approach seems to match the intent behind RFC5925; they describe user interface recommendations which are all per-connection. Are you expecting TCP-AO to "match" packets based on global config?

Another related issue is that on netdev people asked to use generic algorithm definitions similar to xfrm instead of an enum based on just what RFC5926 describes. I am very reluctant to add so much general functionality. Link: https://lore.kernel.org/netdev/CAJwJo6aicw_KGQSM5U1=0X11QfuNf2dMATErSymytmpf75W=tA@mail.gmail.com/

[cdleonard]

Posted v3 of kernel changes to netdev: https://lore.kernel.org/netdev/cover.1629840814.git.cdleonard@gmail.com/

You can send ABI feedback there as well.

[polychaeta]

Thanks for your contribution to FRR!

Style checking failed; check logs

If you are a new contributor to FRR, please see our contributing guidelines.

After making changes, you do not need to create a new PR. You should perform an amend or interactive rebase followed by a force push.

[cdleonard]

Fixed tcp-authopt property handling in peer groups (using test_peer_attr). Also fix overlapping flag with graceful-restart.

[cdleonard]

Style warnings apparently here: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-CHECKOUT-21406/log

Lots of "lines over 80 characters", maybe you should follow the kernel and invest in 100-column terminals? :)

[LabN-CI]

Outdated results 🚧

Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

_	_
Result	SUCCESS git merge/9442 9bf7a8b
Date	08/26/2021
Start	12:19:06
Finish	12:45:13
Run-Time	26:07
Total	1813
Pass	1813
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2021-08-26-12:19:06.txt
Log	autoscript-2021-08-26-12:20:20.log.bz2
Memory	486 492 416

For details, please contact louberger

[cdleonard]

Attempting for fix checkpatch

[LabN-CI]

Outdated results 🚧

Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

_	_
Result	SUCCESS git merge/9442 482881e
Date	08/26/2021
Start	16:29:24
Finish	16:55:41
Run-Time	26:17
Total	1816
Pass	1816
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2021-08-26-16:29:24.txt
Log	autoscript-2021-08-26-16:30:38.log.bz2
Memory	509 511 427

For details, please contact louberger

[eqvinox]

This ABI mirrors TCP_MD5SIG because the standard is very directly intended to replace TCP-MD5. TCP sockopts are very easy to use and not at all scarce so why not use them?

I would've preferred that TCP_MD5SIG use the XFRM setsockopt too ;)

I'm not very familiar with XFRM so I'd have to investigate how that could be used here. As far as I understand xfrm is meant for "global" config which matches and transforms all packets matching certain criteria, this would be very different from my approach where TCP-AO configuration only exists at the socket level. My approach seems to match the intent behind RFC5925; they describe user interface recommendations which are all per-connection. Are you expecting TCP-AO to "match" packets based on global config?

You can set a socket policy with setsockopt(fd, … IP_XFRM_POLICY …); this is how IPsec for OSPF would be handled too (which we don't currently support…) If I'm not completely mistaken, IP_XFRM_POLICY only handles the actual policy, with keys being handled separately over the "global" XFRM interface.

My thought was simply that it would be nice to have the same interface for IPsec AH (for OSPF & co.) and TCP-AO (for BGP & LDP) [and maybe even TCP-MD5.] But I don't know if it's really the "right thing", I just want to know if you considered it (and maybe what was the reason against it.)

[cdleonard]

I have not considered XFRM in detail because I'm not familiar with the xfrm API. I read the ipsec RFCs some years ago and I remember them poorly.

You're right that neighbor 1.2.3.4 tcp-authopt AAAA is sort-of like an SA with the remote peer. In theory it might be possible to configure such associations with netlink and have them affect all sockets.

This is more complex to implement but in theory it would work even for unmodified applications. I don't think there are notable interactions between TCP and XFRM in the kernel, XFRM is mostly at the IP level. Attaching all keys to sockets instead of making them global objects made my implementation a lot easier!

I'm not sure how IP_XFRM_POLICY would apply here. There would still be a need to make multiple TCP-AO keychains apply to a listen socket.

A sockopt would still be used in order to get/set the keyids currently being used on the connection: this is a requirement of RFC5925. Maybe some sort of netlink interface could also be provided (like tcp_info) but that would be complimentary and mostly used by administrative tools. The application handling the connect would still use sockopts on the FD.

[lcrestez-dn]

Looking through failures reported by bamboo a lot of the issues are crashes related to my code in tests that should not be affected. Need to run locally and fix.

[riw777]

changes look good at first run through ... let me know when y'all want this reviewed out of draft state

[cdleonard]

@riw777 I don't currently intend to move forward on FRR changes beyond this is a proof-of-concept stage.

My real focus is strictly to get the required kernel changes in.

I've also had a discussion with @ppaeps about actually making keys global which would simplify userspace handling.

[github-actions]

This PR is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this PR closed.

[cdleonard]

This PR is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this PR closed.

Please don't close this github. It's stale but I might restore it.

[donaldsharp]

I'm removing the autoclose as that I want to keep this around as well

[donaldsharp]

On a side note how is getting the tcp-A0 into the kernel going? I have not been paying attention but it should be on my radar

[cdleonard]

Last upstream post was v6 last week: https://lore.kernel.org/netdev/cover.1658815925.git.cdleonard@gmail.com/

[cdleonard]

A different unrelated kernel implementation was posted upstream: https://lore.kernel.org/netdev/20220818170005.747015-1-dima@arista.com/

ABI feedback might be useful.

[cdleonard]

Posted v8 upstream: https://lore.kernel.org/netdev/cover.1662361354.git.cdleonard@gmail.com/

Major difference is that key rollover can now be handled entirely inside the kernel so this would greatly simplify userspace (no more timers required).

[LabN-CI]

Outdated results 🚧

Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

_	_
Result	SUCCESS git pull/9442 482881e (merge failed)
Date	09/20/2022
Start	03:45:47
Finish	04:11:54
Run-Time	26:07
Total	1813
Pass	1813
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2022-09-20-03:45:47.txt
Log	autoscript-2022-09-20-03:46:55.log.bz2
Memory	517 516 428

For details, please contact louberger

[LabN-CI]

🚧 Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues

Results table

_	_
Result	SUCCESS git pull/9442 482881e (merge failed)
Date	09/20/2022
Start	04:12:18
Finish	04:38:37
Run-Time	26:19
Total	1813
Pass	1813
Fail	0
Valgrind-Errors	0
Valgrind-Loss	2
Details	vncregress-2022-09-20-04:12:18.txt
Log	autoscript-2022-09-20-04:13:30.log.bz2
Memory	515 507 426

For details, please contact louberger

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[donaldsharp]

@cdleonard -> looks like tcp-ao got into the kernel. Any possibility you can pick this up again?

[cdleonard]

@cdleonard -> looks like tcp-ao got into the kernel. Any possibility you can pick this up again?

Sorry but no (notice how I closed the PR). Somebody else should probably rewrite this from scratch.