ports/115055: openbgpd rfc2385 support
Ali Lomonaco
ali at redanvil.net
Mon Jul 30 17:20:03 UTC 2007
>Number: 115055
>Category: ports
>Synopsis: openbgpd rfc2385 support
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 30 17:20:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Ali Lomonaco
>Release: 6.2-RELEASE
>Organization:
>Environment:
FreeBSD mgmt-02.noc.redanvil.net 6.2-RELEASE FreeBSD 6.2-RELEASE #2: Tue Jul 24 20:03:55 CDT 2007 anvil at mgmt-02.noc.redanvil.net:/usr/src/sys/amd64/compile/MGMT-02 amd64
>Description:
The openbgpd port applies some patches to get around the missing pfkey support which disallow any rfc2385 support to be configured for a peer.
>How-To-Repeat:
setkey -c
add 1.1.1.1 1.1.1.2 tcp 0x1000 -A tcp-md5 "secret" ;
in bgpd.conf:
group "g1" {
    neighbor 1.1.1.2 {
        tcp md5sig password "secret"
    }
}
Session stays in IDLE state.
>Fix:
The attached patch will allow rfc2385 to be configured for a peer even though pfkey doesn't exist. See setkey(8) for instructions on how to configure rfc2385 support.
diff -Nru openbgpd/files/patch-bgpd_pfkey_compat.c /usr/ports/net/openbgpd/files/patch-bgpd_pfkey_compat.c
--- openbgpd/files/patch-bgpd_pfkey_compat.c Tue Jul 24 23:02:37 2007
+++ /usr/ports/net/openbgpd/files/patch-bgpd_pfkey_compat.c Thu Jul 19 06:58:59 2007
@@ -7,7 +7,7 @@
+int
+pfkey_establish(struct peer *p)
+{
-+ if (p->conf.auth.method > AUTH_MD5SIG)
++ if (p->conf.auth.method)
+ return (-1);
+ return (0);
+}
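Review bot: the diff looks reversed. In pfkey_establish() the `-` line carries `if (p->conf.auth.method > AUTH_MD5SIG)`, which is the check that lets md5sig through, while the `+` line `if (p->conf.auth.method)` rejects every configured method, the opposite of what the Fix text describes; the `---` file (Jul 24) is also newer than the `+++` file (Jul 19). Please regenerate the diff with the unmodified port tree as the first argument. Separately, `> AUTH_MD5SIG` is only correct if every method that needs pfkey sorts after AUTH_MD5SIG in the enum; a short comment saying so, or an explicit test of the methods being rejected, would keep this from breaking silently if the constants are ever reordered.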
@@ -15,7 +15,7 @@
+int
+pfkey_remove(struct peer *p)
+{
-+ if (p->conf.auth.method > AUTH_MD5SIG)
++ if (p->conf.auth.method)
+ return (-1);
+ return (0);
+}
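Review bot: with the `> AUTH_MD5SIG` form, pfkey_remove() (like pfkey_establish() above) returns 0 for md5sig without touching any key state, so bgpd reports success while the TCP-MD5 key exists only if the administrator installed it by hand with setkey. Nothing in the port tells the user that. The setkey(8) step from the PR text should be documented with the port, for example in its pkg-message, including that the key given to setkey has to match the `tcp md5sig password` configured for the neighbor. A log line at this point saying that key management is left to setkey would also help when a session fails to come up.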
diff -Nru openbgpd/files/patch-bgpd_session.c /usr/ports/net/openbgpd/files/patch-bgpd_session.c
--- openbgpd/files/patch-bgpd_session.c Tue Jul 24 23:20:40 2007
+++ /usr/ports/net/openbgpd/files/patch-bgpd_session.c Wed Dec 31 18:00:00 1969
@@ -1,20 +0,0 @@
---- bgpd/session.c.orig Tue Jul 24 23:11:06 2007
-+++ bgpd/session.c Tue Jul 24 23:13:46 2007
-@@ -982,7 +982,7 @@ session_accept(int listenfd)
- }
- }
-
-- if (p->conf.auth.method != AUTH_NONE && sysdep.no_pfkey) {
-+ if (p->conf.auth.method != AUTH_NONE && sysdep.no_pfkey && sysdep.no_md5sig) {
- log_peer_warnx(&p->conf,
- "ipsec or md5sig configured but not available");
- close(connfd);
-@@ -1041,7 +1041,7 @@ session_connect(struct peer *peer)
- return (-1);
- }
-
-- if (peer->conf.auth.method != AUTH_NONE && sysdep.no_pfkey) {
-+ if (peer->conf.auth.method != AUTH_NONE && sysdep.no_pfkey && sysdep.no_md5sig) {
- log_peer_warnx(&peer->conf,
- "ipsec or md5sig configured but not available");
- bgp_fsm(peer, EVNT_CON_OPENFAIL);
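Review bot: in both session_accept() and session_connect() the condition `... && sysdep.no_pfkey && sysdep.no_md5sig` is not method-specific. With an IPsec method configured, no_pfkey set and no_md5sig clear, the test is false, so the "ipsec or md5sig configured but not available" warning is skipped and rejection is left entirely to pfkey_establish() returning -1. Suggest testing no_md5sig only when the method is AUTH_MD5SIG and no_pfkey for the other methods, so each check fails at the point where the message is logged. Also, nothing in the visible patch declares or sets sysdep.no_md5sig; please confirm the field exists and is initialised on FreeBSD in the version the port builds.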
>Release-Note:
>Audit-Trail:
>Unformatted: