Hello Stephen, I was pointed out the the patch on
http://code.quagga.net/cgi-bin/gitweb.cgi?p=quagga.git;a=commitdiff;h=3d265b4d9d748bf4c92aefebc2ca0c04fd607945;hp=30a2231a4881f53deca61ef7a62b225a43dab4c5 It seems to work here and was signed-off by Paul Jakma. Can you confirm that this patch is all (an no other patch has to be applied as well)? Hannes, you said something about security issues, did you mean in the patch from the above mentioned URL? Why is one of the patches insecure? bye, -christian- Am Tue, 06 Jan 2009 00:49:16 +0000 schrieb Ben Hutchings <b...@decadent.org.uk>: > On Mon, 2009-01-05 at 16:23 -0800, Stephen Hemminger wrote: > > On Tue, 6 Jan 2009 00:53:09 +0100 > > Christian Hammers <c...@debian.org> wrote: > > > > > [resent to quagga-dev as there was a space in the e-mail address > > > and the mail did not show up in the mailing list archives -ch] > > > > > > On Sun, 04 Jan 2009, Ben Hutchings <b...@decadent.org.uk> wrote: > > > > > > Stephen, > > > > > > Debian 5.0 "lenny" will release with quagga 0.99.10. However we > > > have a bug report that: > > > > > > "I try to add routes with "/sbin/ip" e.g. > > > /sbin/ip ro add 62.116.121.19 dev br8 > > > > > > strace suggests the resulting netlink message never reaches > > > zebra." > > > > > > and the proposed fix to the netlink filter: > > > > > > --- zebra/rt_netlink.c 2008-08-15 15:42:56.000000000 +0200 > > > +++ zebra/rt_netlink.c 2008-08-15 15:43:19.000000000 +0200 > > > @@ -1971,7 +1971,7 @@ > > > /* 7*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_B, > > > sizeof(struct nlmsghdr) + offsetof(struct > > > rtmsg, rtm_protocol)), /* 8*/ BPF_JUMP(BPF_JMP+ BPF_B, > > > RTPROT_REDIRECT, 4, 0), > > > - /* 9*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_KERNEL, 0, 1), > > > + /* 9*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_KERNEL, 3, 0), > > > /*10*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_ZEBRA, 0, 3), > > > /*11*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_H, offsetof(struct > > > nlmsghdr, nlmsg_type)), /*12*/ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, > > > htons(RTM_NEWROUTE), 0, 1), --- END --- > > > > > > This looks correct to me. Please can you confirm? > > > > > > Ben. > > > > > > > I changed it around later versions and used a different (better > > method) that handles all protocols and filter based on nlmsg_pid. I > > haven't been getting lots of uptake on quagga patches so only post > > them about once a Vyatta release. > > Yes, I saw the filter is quite different in 0.99.11. But we want to > make a minimal change to 0.99.10, which has: > > /* > * Filter is equivalent to netlink_route_change > * > * if (h->nlmsg_type == RTM_DELROUTE || h->nlmsg_type == > RTM_NEWROUTE) { > * if (rtm->rtm_type != RTM_UNICAST) > * return 0; > * if (rtm->rtm_flags & RTM_F_CLONED) > * return 0; > * if (rtm->rtm_protocol == RTPROT_REDIRECT) > * return 0; > * if (rtm->rtm_protocol == RTPROT_KERNEL) > * return 0; > * if (rtm->rtm_protocol == RTPROT_ZEBRA && h->nlmsg_type == > RTM_NEWROUTE) > * return 0; > * } > * return 0xffff; > */ > struct sock_filter filter[] = { > /* 0*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_H, offsetof(struct nlmsghdr, > nlmsg_type)), /* 1*/ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, > htons(RTM_DELROUTE), 1, 0), /* 2*/ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, > htons(RTM_NEWROUTE), 0, 11), /* 3*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_B, > sizeof(struct nlmsghdr) + offsetof(struct rtmsg, > rtm_type)), /* 4*/ BPF_JUMP(BPF_JMP|BPF_B, RTN_UNICAST, 0, 8), > /* 5*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_B, > sizeof(struct nlmsghdr) + offsetof(struct rtmsg, > rtm_flags)), /* 6*/ BPF_JUMP(BPF_JMP|BPF_JSET|BPF_K, RTM_F_CLONED, 6, > 0), /* 7*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_B, > sizeof(struct nlmsghdr) + offsetof(struct rtmsg, > rtm_protocol)), /* 8*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_REDIRECT, 4, > 0), /* 9*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_KERNEL, 0, 1), > /*10*/ BPF_JUMP(BPF_JMP+ BPF_B, RTPROT_ZEBRA, 0, 3), > /*11*/ BPF_STMT(BPF_LD|BPF_ABS|BPF_H, offsetof(struct nlmsghdr, > nlmsg_type)), /*12*/ BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, > htons(RTM_NEWROUTE), 0, 1), /*13*/ BPF_STMT(BPF_RET|BPF_K, > 0), /* drop */ /*14*/ BPF_STMT(BPF_RET|BPF_K, > 0xffff), /* keep */ }; > > The offsets for instruction 9 need to be 3, 0 to match the code in the > comment, don't they? > > Ben. > -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
