Re: Static routes on (active) interfaces without IP address set
On Sun, 19 Jun 2016, Alexander Demenshin wrote:

> On 2016-06-19 17:59, Ondrej Zajicek wrote:
>
> > That is true. For historical reasons, BIRD handles interface without IP
> > addresses as down.
>
> Well... does it mean that it has to stay like this or it makes sense
> to fix this behavior? At least, an option in config would be nice,
> if changing actual behavior is not desirable.
>

I agree; I've had it that community :666 couldn't be set without having them up,
so had to create an interface with 253 IP's to still have those blocked at the upstream.

Leo Vandewoestijne.
Re: Multiple FIBs on FreeBSD
On Wed, 10 Jan 2018, Ondrej Zajicek wrote:

> It should work when running in Fib0,
>

It's maybe very basic info, so quite a confession (now good for a laugh);
but I remember when initially learning about fibs, that I learned the hard way
that fib 0 is the default, and that bird is always using it (unless configured differently).
Without knowing this my observations were -let's say- odd.

On Sat, 06 Jan 2018, Azerty32 wrote:

> http://bird.network.cz/pipermail/bird-users/2013-July/003731.html
> Which status is now about this? BIRD must be running inside Fib0?
>

I'm 100% sure syncing kernel protocols with fibs is enough.

    table t_as1;
    table t_as2;

    protocol kernel {
        table t_as1;
        kernel table 1;
        export all;
    }

    protocol kernel {
        table t_as2;
        kernel table 2;
        export all;
    }

However key in the process is to also separate your -physical and virtual- interfaces;

    ifconfig tap1 fib 1
    ifconfig tap2 fib 2
    ifconfig tap3 fib 3

Otherwise they're still in fib 0 (not outputted), and as a logical consequence you then depend on fib 0.

In my use-case -with having one upstream-interface and OoB's- it was easier to simply run in fib 0.

So back to your question: I can confirm setting fibs in bird is functioning.
And probably with and without using `setfib` on daemon.

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
***@dns.company
www.dns.company
Re: Bird2: BGP password & setkey
On Fri, 09 Mar 2018, Ondrej Zajicek wrote:

> And if you try BIRD 1.6.3, it works without /etc/setkey.conf?
>

That's correct;
Early 1.x I used setkey.conf without password, and in final releases the opposite
seemed the only possible way: so indeed password without setkey.conf

Without changes to the OSes I went to 2.0.1 and now need both.

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
Bird2: BGP password & setkey
Hello,

The setkey option caught my attention when reading the 2.x manual...

I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 checksum),
which I've successfully done already in OpenBGPd before NIC.CZ picked up the Bird project.
So I have a number of upstream peers that have it enabled.

When the password option arrived in Bird I still used setkey,
but in the later 1.x releases I needed to use only the 'password' option in bird.conf,
and had to drop my IPSEC settings at the OS level.

When I now -using bird 2.0.1- put in a BGP protocol block:

    password "bla";
    setkey enabled;

I get returned:

    bird: /usr/local/etc/bird.conf, line 42: Number expected

So therefore (after `enabled/disabled`) I tried `1/0`, and then `yes/no`, even `true/false`.
But nothing seems to make the behaviour different.

What was allowed was:

    password "bla";
    setkey;

But... having `setkey` in bird.conf -or not- doesn't seem to make any difference.
Meaning I still need to define the password both in my regular IPSEC settings AND those in Bird.

So yes, I got it working, but -reading the manual- I highly doubt double config was intended.
What is the correct/simple/efficient method to do this?

FYI in /etc/rc.conf I still have:

    ipsec_enable="YES"
    ipsec_program="/sbin/setkey"
    ipsec_file="/etc/setkey.conf"

The double config also makes me wonder if I might be confusing things;
I find both "IPSEC" or "MD5 TCP checksum" sounds like improving authenticity of a transport,
where "BGP password" -to me- sounds like authentication.
But reading both the Bird manual as well as the setkey manual it looks like that's the same thing.

Anyway, I also discovered you can set a password in a template (which I use in a cascading way),
and further on can overwrite/reset it for particular sessions using `password "";`.
As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but that's very nice!

Another nice new behaviour I discovered is that now you can have mixed (enabled/disabled) sessions
on the same interface (which -in my case- is having multiple IP's).
In 1.6 I never got that working.

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
Re: FreeBSD, BGP and md5
On Fri, 23 Mar 2018, Peter Andreev wrote:

> Is it still necessary to build custom kernel to get md5 auth working?
>

I'm pretty sure, yes.

The only way I got it working in 11.1 i.c.w. 1.6.x was:

    # kernel config
    options IPSEC
    options TCP_SIGNATURE

    # /etc/rc.conf
    ipsec_enable="YES"
    ipsec_program="/sbin/setkey"
    ipsec_file="/etc/setkey.conf"

    # /etc/setkey.conf
    flush;     # useful when running mutations manually
    spdflush;  # useful when running mutations manually
    add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";
    add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";

And initially nothing in bird.conf (just like I did in OpenBGPd in the pre-Bird era).
But suddenly -about a year ago- at one Asian location I needed the password option in bird.conf.

I however do see a setkey patch in the current 1.6.4 port, so I don't know what has changed there.
I have not used that, as I migrated to 2.0.x, which offered a password option in bird.conf:

    # bird.conf - at the BGP protocol:
    password "teNp8XUrZtNteNjbep68jXgUGroZtUN";

So the intended design was to only need it in bird.conf,
but in reality I now only got it working when setting it both in setkey.conf and in bird.conf

Clearly things have changed, somewhere in 11.1.
I already noticed IPSEC_NAT_T was removed (which was useful on vlan)
https://svnweb.freebsd.org/base/stable/11/sys/modules/tcp/tcpmd5/Makefile?view=log=315514

So this week I puzzled some more after having IPSEC_SUPPORT added to the kernel.
But so far I did not witness any difference, so I'm still with the double config - not a real issue; it works fine.

So I continued with finding out the correct restrictions/permissions in PF.
For clarity; the double config "problem" is unrelated to firewalling - I did pretty much all of my testing without.
I don't wish to threadjack yet, with something in fact unrelated to Bird,
but once your problem is solved I'd like to bring that question up.

Feel free to contact me off list in case you feel any need to.

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
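Because the message above ends up with the TCP-MD5 key in both setkey.conf and bird.conf, a check that the two files agree catches a missing direction or a stale key before a session drops. This is an added example, not code from the original post or from BIRD; the sample files are constructed (addresses as in the post, keys and AS numbers made up), and it assumes every BGP block states its own `local ... as` and `neighbor ... as` rather than inheriting them from a template.

```python
import re

# Constructed samples: addresses follow the post, keys and AS numbers are made up.
SETKEY_CONF = '''flush;
spdflush;
add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5 "constructed-key-A";
add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5 "constructed-key-A";
add -4 12.34.56.6 12.34.56.9 tcp 0x1000 -A tcp-md5 "constructed-key-B";
'''
BIRD_CONF = '''protocol bgp upstream1 {
    local 12.34.56.6 as 64496;
    neighbor 12.34.56.7 as 64497;
    password "constructed-key-A";
}
protocol bgp upstream2 {
    local 12.34.56.6 as 64496;
    neighbor 12.34.56.9 as 64498;
    password "constructed-key-X";
}
'''

SA_RE = re.compile(
    r'^\s*add\s+(?:-[46]\s+)?(\S+)\s+(\S+)\s+tcp\s+\S+\s+-A\s+tcp-md5\s+"([^"]*)"\s*;', re.M)
BGP_RE = re.compile(r'protocol\s+bgp\s+(\w+)\s*\{(.*?)\n\}', re.S)

def parse_setkey(text):
    """Return {(src, dst): key} for every tcp-md5 security association."""
    return {(src, dst): key for src, dst, key in SA_RE.findall(text)}

def parse_bird(text):
    """Return (name, local, neighbor, password) per BGP block; None where absent."""
    pats = (r'local\s+(\S+)\s+as', r'neighbor\s+(\S+)\s+as', r'password\s+"([^"]*)"')
    out = []
    for name, body in BGP_RE.findall(text):
        hits = [re.search(p, body) for p in pats]
        out.append((name, *[h.group(1) if h else None for h in hits]))
    return out

def audit(setkey_text, bird_text):
    """List disagreements between the two files, without echoing any key."""
    sas, findings = parse_setkey(setkey_text), []
    for name, local, neighbor, password in parse_bird(bird_text):
        for src, dst in ((local, neighbor), (neighbor, local)):  # SAs are one-way
            key = sas.get((src, dst))
            if key is None:
                findings.append(f"{name}: no tcp-md5 SA {src} -> {dst}")
            elif key != password:
                findings.append(f"{name}: key mismatch on SA {src} -> {dst}")
    return findings
```

Calling `audit(SETKEY_CONF, BIRD_CONF)` on the constructed data reports the mismatched key and the missing return-direction SA for `upstream2`, and nothing for `upstream1`.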
FreeBSD, firewall patch in port of 1.6.x branch
Hi,

Yesterday I've submitted patches to upgrade Bird 1.6.x and 2.0.x to yesterday's releases.

Now at the 1.6.x there used to be a firewall patch, made by Alexander V. Chernikov.
But it's a struggle to not break that option.

So now I wonder, is this only used by few people, or are thousands of routers depending on this option?

Further the 2.0.2 branch may become the default, and 1.6.5 will be -legacy

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226859
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226860

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
[bird2]: babel compile bug?
Hello list,

If I compile using the following:

    BIRD was configured with the following options:
        Source directory:       .
        Object directory:       obj
        Iproute2 directory:
        System configuration:   ./sysdep/cf/bsd.h
        Debugging:              no
        POSIX threads:          yes
        Routing protocols:      bfd babel bgp static
        Kernel MPLS support:    no
        Client:                 yes

Then I end up with this:

    ===> Building for bird-2.0.1
    gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.1'
    MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test obj/proto/bfd obj/proto/babel obj/proto/bgp obj/proto/static obj/sysdep/unix obj/sysdep/bsd obj/doc
    gm4 -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp filter/config.Y nest/config.Y proto/bfd/config.Y proto/babel/config.Y proto/bgp/config.Y proto/static/config.Y sysdep/unix/config.Y sysdep/unix/krt.Y sysdep/bsd/krt-sock.Y >obj/conf/cf-parse.y
    bison -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
    obj/conf/cf-parse.y:2707.7-14: error: symbol PRIORITY is used, but is not defined as a token and has no rules
     | TX PRIORITY expr { BABEL_IFACE->tx_priority = $3; }
    gmake[2]: *** [conf/Makefile:23: obj/conf/cf-parse.tab.c] Error 1

If I do

    Routing protocols: bfd bgp static

or

    Routing protocols: bfd babel bgp ospf pipe radv rip static

or

    Routing protocols: bfd babel bgp rip static

all goes well.

Was I trying something impossible, or is this an error?
Is RIP a dependency for Babel?

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
My FreeBSD port for 2.0.1
Hi,

For the impatient ones who wish to run Bird 2.0.1 on FreeBSD;
in advance of the port commit you could:

    cd /usr/ports # or custom path
    fetch https://dns.company/stuff/bird/bird-2.0.1.shar
    # or: fetch -o bird-2.0.1.shar --no-verify-peer https://bz-attachments.freebsd.org/attachment.cgi\?id=191018
    sh bird-2.0.1.shar
    make -C net/bird2 install clean   # -C runs make inside the port's directory

In case you wish to return any feedback:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225962

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>
minimal protocols support now needs RIP?
Hello,

I'm not the FreeBSD port maintainer for bird, however did write the initial bird2 port.
In there I created the interface to "assemble" which protocols you wish, by un/checking checkboxes.
This allows to only support what's needed.

That worked all fine until 2.0.3, but now I get stuck with this:

    BIRD was configured with the following options:
        Source directory:       .
        Object directory:       obj
        Iproute2 directory:
        System configuration:   ./sysdep/cf/bsd.h
        Debugging:              no
        POSIX threads:          yes
    >>>>> Routing protocols:      bgp static
        Kernel MPLS support:    no
        Client:                 yes
    ===> Building for bird2-2.0.3
    gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.3'
    /bin/sh: git: not found
    MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test obj/proto/bgp obj/proto/static obj/sysdep/unix obj/sysdep/bsd obj/doc
    gm4 -s -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp filter/config.Y nest/config.Y proto/bgp/config.Y proto/static/config.Y sysdep/unix/config.Y sysdep/unix/krt.Y sysdep/bsd/krt-sock.Y >obj/conf/cf-parse.y
    bison -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
    conf/gen_parser.m4: warning: 8 nonterminals useless in grammar [-Wother]
    conf/gen_parser.m4: warning: 29 rules useless in grammar [-Wother]
    conf/confbase.Y:337.1-4: warning: nonterminal useless in grammar: time [-Wother]
     time:
    nest/config.Y:363.1-3: warning: nonterminal useless in grammar: tos [-Wother]

However, installing goes well with:

    BIRD was configured with the following options:
        Source directory:       .
        Object directory:       obj
        Iproute2 directory:
        System configuration:   ./sysdep/cf/bsd.h
        Debugging:              no
        POSIX threads:          yes
    >>>>> Routing protocols:      bgp rip static
        Kernel MPLS support:    no
        Client:                 yes
    ===> Building for bird2-2.0.3
    gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.3'
    /bin/sh: git: not found
    MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test obj/proto/bgp obj/proto/rip obj/proto/static obj/sysdep/unix obj/sysdep/bsd obj/doc
    gm4 -s -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp filter/config.Y nest/config.Y proto/bgp/config.Y proto/rip/config.Y proto/static/config.Y sysdep/unix/config.Y sysdep/unix/krt.Y sysdep/bsd/krt-sock.Y >obj/conf/cf-parse.y
    bison -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
    conf/gen_parser.m4: warning: 2 shift/reduce conflicts [-Wconflicts-sr]
    echo >obj/sysdep/paths.h "/* Generated by Makefile, don't edit manually! */"
    echo >>obj/sysdep/paths.h "#define PATH_CONFIG_FILE \"/usr/local/etc/bird.conf\""
    echo >>obj/sysdep/paths.h "#define PATH_CONTROL_SOCKET \"/var/run/bird.ctl\""
    if test -n "" ; then echo >>obj/sysdep/paths.h "#define PATH_IPROUTE_DIR \"\"" ; fi
    CC -o obj/conf/cf-parse.tab.o -c obj/conf/cf-parse.tab.c
    nest/config.Y:330:25: warning: assigning to 'byte *' (aka 'unsigned char *') from 'char *' converts between pointers to integer types with different sign

etc, etc. only warnings, but in the end all fine.

--
Met vriendelijke groet,
With kind regards,

Leo Vandewoestijne
<***@dns.company>