File openbgpd.changes of Package openbgpd
-------------------------------------------------------------------
Sat Jun 29 14:11:42 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Update to version 8.5
* Fix Linux TCP MD5 autoconf detection and improve the code to
work in all cases.
* Double peer description length to 64 characters.
* Improve handling of bgpd AFI IPv4 sessions over IPv6 only links.
* Sessions over IPv6 link-local addresses are now always
considered to be connected.
* Allow operators to enforce the presence of certain capabilities.
* Improve capability negotiation and remove 'announce
capabilities'.
The 'announce capabilities [yes|no]' neighbor config option
needs to be removed from configuration files.
Instead individual capabilities need to be disabled.
* Improve negotiation of the multi-protocol capability and the
fallback to IPv4 only mode.
* Mark RTR and IPv6 BGP packets with DSCP CS6 (network control).
* Increase RTR PDU limit to 48k and limit number of SPAS to
10'000.
* Convert the remaining session engine parsers to the new ibuf
API.
-------------------------------------------------------------------
Sat Mar 9 11:11:28 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Update to version 8.4
* Rewrite the internal message passing mechanism to use a new
memory-safe API.
* Rewrite most protocol parsers to use the new memory-safe API.
Convert the UPDATE parser, all of RTR, as well as both the MRT
dump code in bgpd and the parser in bgpctl.
* Improve RTR logging, error handling and version negotiation.
* Switch to autoconf 2.71 to generate the supplied configure
scripts.
-------------------------------------------------------------------
Sat Oct 14 18:46:33 UTC 2023 - Alexander Naumov <alexander_naumov@opensuse.org>
- Update to version 8.3:
* bgpd 8.1 and 8.2 could send a bad COMMUNITY attribute when
non-transitive ext-communities are present. A workaround is to
add a filter rule to clear non-transitive ext-communities:
match to ebgp set ext-community delete ovs *
This fix is included in OpenBSD 7.4.
* Fix a possible fatal error in the RDE when "announce add-path send all"
is used. The error is triggered by an ineligible path which is wrongly
distributed.
* Fix selection of the local nexthop for the alternate address family.
This is used by 'announce IPv6 unicast' over an IPv4 session or
vice-versa.
- Fix RPM build warnings.
-------------------------------------------------------------------
Sat Oct 12 14:22:04 UTC 2023 - Alexander Naumov <alexander_naumov@opensuse.org>
- Update to version 8.2
* Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16
and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
tables AFI-agnostic.
* Fix a fatal error in the Linux netlink parser which was triggered
because of a mismatched netlink message size.
* Rework UPDATE message generation to use the new ibuf API instead
of the hand-rolled solution before.
* Improve error message in bgpctl for features not supported by the
portable version of OpenBGPD.
* Adjusted example GRACEFUL_SHUTDOWN filter rule in the example config
to only match on ebgp sessions.
-------------------------------------------------------------------
Sun Aug 27 13:44:48 UTC 2023 - Martin Hauke <mardnh@gmx.de>
- Update to version 8.1
* Include OpenBSD 7.3 errata 002:
Avoid fatal errors in bgpd(8) due to incorrect refcounting and
mishandling of ASPA objects. Fix bgpctl(8) 'show rib in' by
renaming 'invalid' into 'disqualified'.
* Include OpenBSD 7.3 errata 006:
Incorrect length handling of path attributes in bgpd(8) can
lead to a session reset.
* Include OpenBSD 7.3 errata 009:
When tracking nexthops over IPv6 multipath routes, or when
receiving a NOTIFICATION while reaching an internal limit,
bgpd(8) could crash.
When checking the next hop for IPv6 multipath routes, or when
receiving a NOTIFICATION while reaching an internal limit,
bgpd(8) could crash.
* Add configure options to adjust WWW_USER and wwwrunstatedir.
* Fix 'ext-community * *' matching which also affects filters
removing all ext-communities.
* Limit the socket buffer size to 64k for all sessions.
Limiting the buffer size to a reasonable size ensures that not
too many updates end up queued in the TCP stack.
- Update to version 8.0
* Include OpenBSD 7.3 errata 001:
A new ASPA object appeared in the RPKI ecosystem and exposed
bugs in bgpd(8) and rpki-client(8).
* Introduce a semaphore to protect intermittent RTR session data
from being published to the RDE.
* Add first version of flowspec support. Right now only
announcement of flowspec rules is possible.
* Improve and extend the bgpctl parser to handle commands like
`bgpctl show rib 192.0.2.0/24 detail`. Also add various flowspec
specific commands.
- Update to version 7.9
* Include OpenBSD 7.2 errata 023:
Incorrect length checks allow an out-of-bounds read in bgpd(8).
-------------------------------------------------------------------
Sat Mar 18 19:40:25 UTC 2023 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.8
* Improved performance by optimising the output filters.
* Add Autonomous System Provider Authorization (ASPA) validation
based on draft-ietf-sidrops-aspa-verification-12.
* Introduce avs (ASPA validation state) filter and bgpctl filter
argument.
* Add ASPA support for the RTR protocol based on
draft-ietf-sidrops-8210bis-10.
* Improve open policy (RFC 9234) support and enable the
capability automatically if a role is specified for the peer.
* Introduce a per neighbor 'role' configuration option to
specify the session role used by ASPA verification and the
open policy capability. The 'announce policy' statement was
simplified at the same time.
* Improve startup behaviour by introducing a small delay before
opening the connection to a new peer.
* Support for aspa-set table config which can be provided by
rpki-client.
* Make it possible to filter the RIB by invalid and leaked
prefixes in bgpctl and bgplgd.
* Add OpenMetrics output to bgpctl for various BGP statistics
and add /metrics endpoint to bgplgd.
-------------------------------------------------------------------
Fri Oct 7 06:29:20 UTC 2022 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.7
* Adjust pathid_assign() to be much faster for the common case.
* Improve performance for generating updates for sessions using
add-path send all.
* Implement proper routing table sync in the kroute-linux.c code.
* Enable linux netlink integration by default.
* Add a --disable-fib-support config option to disable FIB sync
-------------------------------------------------------------------
Fri Sep 16 19:01:17 UTC 2022 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.6
* Include OpenBSD 7.1 errata 008: bgpd(8) could fail to
invalidate nexthops and incorrectly leave them in the FIB or
Adj-RIB-Out.
* Speed up bgpctl show rib 10/8 or-longer and show rib 10/8
or-shorter.
* Switch various static hash tables to RB trees improving
performance on large systems.
* Export per neighbor pending update and withdraw statistics.
* Fix race between a neighbor session reset and its update
message backlog.
* Improve handling of nexthop reachability state changes.
* Further improve portability of the FIB handling code.
- Update to version 7.5
* Implement RFC 9234 - Route Leak Prevention and Detection Using
Roles in UPDATE and OPEN Messages.
* Full support for RFC 7911 - Advertisement of Multiple Paths in
BGP.
* Include bgplgd(8) - a fastcgi server providing a REST API of
bgpctl. Built by default but can be excluded with
--disable-bgplgd.
* Disable Linux FIB support by default, add an --enable-netlink
configure option to enable it for testing and development.
* Improve bgpd FIB code, make it more portable and properly
handle IPv6 scoped addresses.
-------------------------------------------------------------------
Wed Jun 15 19:40:48 UTC 2022 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.4
* Implement max-communities filter to limit the number of
allowed communities, ext-communities and large-communities.
* Fix TCP-MD5 support on Linux systems. The TCP-MD5 keys were
not correctly loaded on the listening sockets, which allowed
unprotected connections in.
* Fix insertion of additional non-transitive extended
communities when sending out prefixes.
* Relax IP address limitation by allowing prefixes in 240/4.
-------------------------------------------------------------------
Thu Apr 21 13:09:17 UTC 2022 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.3
* Macro expansion in the config file is improved. It is now
possible to expand 'set large-community $myAS:$location:$transit'.
* Add initial FIB support for Linux. Routes can be added and
removed. Nexthop tracking and dynamic interface detection are
not yet implemented.
* Major refactoring in the RIB codebase to add multipath support
in an upcoming release.
- Update to version 7.2
* Support for RFC 9072 - Extended Optional Parameters Length for
BGP OPEN Message.
* Support for RFC 8050 - MRT Format with BGP Additional Path
Extensions.
* Implement receive side of RFC 7911 - Advertisement of Multiple
Paths in BGP. OpenBGPD is currently not able to send multiple
paths out.
* Improve checks of VRPs loaded via RTR or from the roa-set table
* Allow to optionally specify an expiry time for roa-set entries
to mitigate BGP route decision making based on outdated RPKI
data. OpenBGPD's companion rpki-client(8) produces roa-sets
with the new 'expires' property.
-------------------------------------------------------------------
Sat Jun 26 13:15:42 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.1
* During bgpd(8) config reloads prefixes of the wrong address
family could leak to peers resulting in session resets.
* Support for RFC 7313 - Enhanced Route Refresh
Disabled by default, to enable use 'announce enhanced refresh
yes'.
* Improve output of Adj-RIB-Out by updating nexthop and ASPATH
before adding the prefix to the RIB. This improves `bgpctl
show rib out` output.
* Add command line option to show the version
-------------------------------------------------------------------
Sun Jun 6 07:32:32 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.0
* Stop processing queued UPDATES when the max-prefix limit was
reached.
* Improve negotiation for route refresh, graceful restart and
multi-protocol capabilities
* Correctly track 'rde evaluate all' and 'export' settings
during reload.
* Properly withdraw prefixes when 'rde evaluate all' is used.
* Fix MRT handling on initial startup for message dump types.
* Fix and use non-blocking connect for RTR sessions.
* Fully implement RFC 6286 by checking for BGP ID collisions.
* Adjust the 4-byte AS number handling to RFC 6793 by changing
error behaviour from prefix withdraw to attribute discard.
* In bgpctl print out both the sent "Neighbor capabilities" and
the "Negotiated capabilities" for a session.
* Print timestamps both as a formatted and a pure time in
seconds field in various JSON objects.
-------------------------------------------------------------------
Sun May 2 14:37:22 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 6.9p0
* Introduced bgpd(8) 'rde evaluate all' to reduce path hiding
in IXP route-server environments.
* Added RTR support to OpenBGPD.
* Added bgpctl(8) "show rtr" to display basic information about
RTR sessions.
* Added bgpctl(8) "show sets" to display information about the
roa-set, as-sets and prefix-sets loaded into bgpd(8).
* Properly implemented "rde med compare strict" in bgpd(8) and
ensured that the order of prefixes is always correct.
* Introduced the bgpd.conf(5) per neighbor and global config
option "reject as-set yes/no" to allow rejection of received
UPDATES with AS_SET segments. These rejected prefixes can be
viewed with `bgpctl show rib in error`.
* No longer allow configuration of the same neighbor multiple
times.
* Introduced a send hold timer in bgpd(8) to detect stalls on
the sending side of a TCP connection, acting as a last resort
to detect faulty peers.
-------------------------------------------------------------------
Fri Nov 6 11:36:59 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 6.8p1
* Include OpenBSD 6.8 errata 001:
+ In bgpd, the roa-set parser could leak memory.
-------------------------------------------------------------------
Sat Oct 24 08:56:21 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 6.8p0
* In bgpctl(8), the "reload" command now takes a 'reason'
argument to use as Administrative Shutdown Communication to
its neighbors.
* Added bgpctl(8) support for VPNv6 in the family option of the
"show rib" command.
* Added bgpctl(8) support for JSON formatted output in various
"show" commands.
- Update to version 6.7p0
* Add initial support for JSON output in bgpctl(8).
* Allow setting both IPv4 and IPv6 local-addresses at the same
time in bgpd.conf group blocks. Introduced 'no local-address'
to reset a previously set local address.
* Properly aggregate duplicate bgpd(8) roa table prefix/source-as
combinations into a single entry with the longest maxlen length
* Implemented bgpd.conf(5) max-prefix NUM out to limit the number
of announced prefixes, avoiding leaks of full tables to
upstreams and peers.
* Extended bgpctl(8) 'show neighbor' to include the received and
set prefix count, as well as the max-prefix out limit if set.
* Improved reporting of notifications to include the suberror
cause.
* Also report the last received error cause in bgpctl(8) show
neighbor output.
* Fix softreconfig out handling to also work for neighbors using
'export default-route'.
* Mark stale prefixes in the Adj-RIB-Out so that graceful reload
operates properly.
* Made it possible to build OpenBGPD-portable with bison. There
is no longer the need to use byacc on Linux distributions.
* Support for --runstatedir to specify the location of the
bgpctl.sock.
* Cleaned up configure script for better portability.
- Add -fcommon to *FLAGS to work around gcc10 compilation issues
-------------------------------------------------------------------
Wed Jun 3 10:27:50 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Add "-fcommon" to $optflags to work around linking errors when
compiling with gcc10
https://github.com/openbgpd-portable/openbgpd-portable/issues/8
-------------------------------------------------------------------
Wed May 13 07:09:26 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 6.6p0
* Changed the Adj-RIB-Out to a per-peer set of RB trees,
improving speed.
* Rewrote community matching and handling code and improved
performance for setups using many communities.
* Ensure that 'network 192.0.2.0/24' has precedence over the
same network announced dynamically via for example 'network
inet static'.
* Made speed improvements when configuring many peers.
* Implemented bgpctl(8) 'show mrt neighbors', to print the
neighbor table of MRT TABLE_DUMP_V2 dumps.
* Added TCP MD5SIG support for Linux systems and moved bgpd
pfkey socket to the parent process. The refreshing of the
keys for MD5 and IPSEC is done whenever the session state
changes to IDLE or ACTIVE, which should behave better when
reloading configs with auth changes.
* Fixed reloading of network statements that have no fixed
prefix specification.
* Extended the maximum size of the bgpd(8) shutdown communication
message to 255 bytes.
* Fixed reload behaviour of announced networks in the portable
version.
* Include OpenBSD 6.6 errata 003:
bgpd(8) can crash on nexthop changes or during startup in
certain configurations.
- Set more secure default permissions for bgpd.conf
-------------------------------------------------------------------
Fri May 3 12:28:19 UTC 2019 - Martin Hauke <mardnh@gmx.de>
- Initial package, version 6.5p0