Re: Static routes on (active) interfaces without IP address set

2016-06-19 Thread Leo Vandewoestijne
On Sun, 19 Jun 2016, Alexander Demenshin wrote:

> On 2016-06-19 17:59, Ondrej Zajicek wrote:
> 
> > That is true. For historical reasons, BIRD handles interface without IP
> > addresses as down.
> 
> Well... does it mean that it has to stay like this or it makes sense
> to fix this behavior? At least, an option in config would be nice,
> if changing actual behavior is not desirable.
>
I agree; I've had it that community :666 couldn't be set without having them up,
so had to create an interface with 253 IP's to still have those blocked at the 
upstream.


Leo Vandewoestijne.


Re: Multiple FIBs on FreeBSD

2018-02-22 Thread Leo Vandewoestijne
On Wed, 10 Jan 2018 , Ondrej Zajicek wrote:

> It should work when running in Fib0,
>
It's maybe very basic info, so quite a confession (now good for a laugh);
but I remember when initially learning about fibs, that I learned the hard way 
that fib 0 is the default,
and that bird is always using it (unless configured differently).
Without knowing this my observations were -let's say- odd.


On Sat, 06 Jan 2018, Azerty32 wrote:

>http://bird.network.cz/pipermail/bird-users/2013-July/003731.html
>Which status is now about this? BIRD must be running inside Fib0?
> 
I'm 100% sure syncing kernel protocols with fibs is enough.

table t_as1;
table t_as2;

protocol kernel {
    table t_as1;
    kernel table 1;
    export all;
}

protocol kernel {
    table t_as2;
    kernel table 2;
    export all;
}

However, key in the process is to also separate your -physical and virtual- 
interfaces;

ifconfig tap1 fib 1
ifconfig tap2 fib 2
ifconfig tap3 fib 3

Otherwise they're still in fib 0 (not outputted), and as a logical consequence you 
then depend on fib 0.

In my use-case -with having one upstream-interface and OoB's- it was easier to 
simply run in fib 0

So back to your question:

I can confirm setting fibs in bird is functioning.
And probably with and without using `setfib` on daemon.

-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
***@dns.company
www.dns.company


Re: Bird2: BGP password & setkey

2018-03-09 Thread Leo Vandewoestijne
On Fri, 09 Mar 2018, Ondrej Zajicek wrote:

> And if you try BIRD 1.6.3, it works without /etc/setkey.conf?
> 
That's correct;

Early 1.x I used setkey.conf without password,
and in final releases the opposite seemed the only possible way:
so indeed password without setkey.conf

Without changes to the OS'es I went to 2.0.1 and now need both.


--

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



Bird2: BGP password & setkey

2018-03-08 Thread Leo Vandewoestijne
Hello,


The setkey option caught my attention when reading the 2.x manual...

I'm using FreeBSD 11.1 and was trying to have Bird manage the IPSEC (MD5 
checksum),
which I've successfully done already in OpenBGPd before NIC.CZ picked up the 
Bird project.
So I have a number of upstream peers that have it enabled.
When the password option arrived in Bird I still used setkey,
but in the later 1.x releases I needed to use only the 'password' option in 
bird.conf,
and had to drop my IPSEC settings at the OS level.

When I now -using bird 2.0.1- put in a BGP protocol block:

password "bla";
setkey enabled;

I get returned:

bird: /usr/local/etc/bird.conf, line 42: Number expected

So therefore (after `enabled/disabled`) I tried `1/0`, and then `yes/no`, even 
`true/false`.
But nothing seems to make the behaviour different. What was allowed was:

password "bla";
setkey;

But... having `setkey` in bird.conf -or not- doesn't seem to make any 
difference.
Meaning I still need to define the password in both my regular IPSEC settings AND 
those in Bird.
So yes, I got it working, but -reading the manual- I highly doubt double config 
was intended.

What is the correct/simple/efficient method to do this?


FYI in /etc/rc.conf I still have:

ipsec_enable="YES"
ipsec_program="/sbin/setkey"
ipsec_file="/etc/setkey.conf"

The double config also makes me wonder if I might be confusing things;
I find both "IPSEC" or "MD5 TCP checksum" sounds like improving authenticity of 
a transport,
where "BGP password" -to me- sounds like authentication.
But reading both the Bird manual as well as the setkey manual it looks like 
that's the same thing.




Anyway, I also discovered you can set a password in a template (which I use in 
a cascading way),
and further on can overwrite/reset it for particular sessions using `password 
"";`.
As the manual doesn't mention it, I'm unsure if that's a bug or a feature, but 
that's very nice!

Another nice new behaviour I discovered is that now you can have mixed 
(enabled/disabled) sessions
on the same interface (which -in my case- is having multiple IP's). In 1.6 I 
never got that working.


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



Re: FreeBSD, BGP and md5

2018-03-23 Thread Leo Vandewoestijne
On Fri, 23 Mar 2018, Peter Andreev wrote:

> Is it still necessary to build custom kernel to get md5 auth working?
> 
I'm pretty sure, yes.
The only way I got it working in 11.1 i.c.w. 1.6.x was:

# kernel config
options IPSEC
options TCP_SIGNATURE

# /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/sbin/setkey"
ipsec_file="/etc/setkey.conf"

# /etc/setkey.conf
flush;  # useful when running mutations manually
spdflush;   # useful when running mutations manually
add -4 12.34.56.6 12.34.56.7 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";
add -4 12.34.56.7 12.34.56.6 tcp 0x1000 -A tcp-md5 "teNp8XUrZtNteNjbep68jXgUGroZtUN";

And initially nothing in bird.conf (just like I did in OpenBGPd in the pre-Bird 
era).
But suddenly -about a year ago- at one Asian location I needed the password 
option in bird.conf.

I however do see a setkey patch in the current 1.6.4 port, so I don't know what 
has changed there.
I have not used that, as I migrated to 2.0.x, which offered a password option 
in bird.conf:

# bird.conf - at the BGP protocol:
password "teNp8XUrZtNteNjbep68jXgUGroZtUN";

So the intended design was to only need it in bird.conf,
but in reality I now only got it working when setting it both in setkey.conf 
and in bird.conf

Clearly things have changed, somewhere in 11.1.
I already noticed IPSEC_NAT_T was removed (which was useful on vlan)
https://svnweb.freebsd.org/base/stable/11/sys/modules/tcp/tcpmd5/Makefile?view=log=315514
So this week I puzzled some more after having IPSEC_SUPPORT added to the kernel.

But so far I did not witness any difference, so I'm still with the double 
config - not a real issue; it works fine.


So I continued with finding out the correct restrictions/permissions in PF.
For clarity; the double config "problem" is unrelated to firewalling - I did 
pretty much all of my testing without.
I don't wish to threadjack yet, with something in fact unrelated to Bird, but 
once your problem is solved I'd like to bring that question up.


Feel free to contact me off list in case you feel any need to.


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>
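
The double configuration described in this message and in the "Bird2: BGP password & setkey" post means the same TCP-MD5 secret lives in both /etc/setkey.conf and bird.conf, so the two can drift apart. As an added example (not part of the original posts, and not BIRD or FreeBSD code), this Python script cross-checks the two files without printing any key. It assumes flat `protocol bgp` blocks with `local ... as`, `neighbor ... as` and `password` lines; the sample addresses, AS numbers and keys are constructed.

```python
import re

# Constructed sample inputs (documentation addresses, made-up keys).
SETKEY_CONF = '''
flush;
spdflush;
add -4 192.0.2.6 192.0.2.7 tcp 0x1000 -A tcp-md5 "sample-key-A";
add -4 192.0.2.7 192.0.2.6 tcp 0x1000 -A tcp-md5 "sample-key-A";
add -4 192.0.2.6 198.51.100.9 tcp 0x1000 -A tcp-md5 "sample-key-B";
'''
BIRD_CONF = '''
protocol bgp upstream1 {
    local 192.0.2.6 as 64500;
    neighbor 192.0.2.7 as 64501;
    password "sample-key-A";
}
protocol bgp upstream2 {
    local 192.0.2.6 as 64500;
    neighbor 198.51.100.9 as 64502;
    password "sample-key-C";
}
'''

SA_RE = re.compile(r'^\s*add\s+(?:-[46]\s+)?(\S+)\s+(\S+)\s+tcp\s+\S+'
                   r'\s+-A\s+tcp-md5\s+"([^"]*)"\s*;', re.M)
BGP_RE = re.compile(r'protocol\s+bgp\s+(\w+)\s*\{(.*?)\}', re.S)  # flat blocks only

def parse_setkey(text):
    """Return {(src, dst): key} for every tcp-md5 SA in setkey.conf text."""
    return {(src, dst): key for src, dst, key in SA_RE.findall(text)}

def _field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_bird(text):
    """Return [(name, local_ip, neighbor_ip, password)] per BGP block."""
    return [(name, _field(body, r'local\s+(\S+)\s+as'),
             _field(body, r'neighbor\s+(\S+)\s+as'),
             _field(body, r'password\s+"([^"]*)"'))
            for name, body in BGP_RE.findall(text)]

def audit(setkey_text, bird_text):
    """List (protocol, problem) pairs; an SA is needed in both directions."""
    sas, problems = parse_setkey(setkey_text), []
    for name, local, peer, password in parse_bird(bird_text):
        for src, dst in ((local, peer), (peer, local)):
            key = sas.get((src, dst))
            if key is None:
                problems.append((name, f"no SA {src} -> {dst}"))
            elif key != password:
                problems.append((name, f"key mismatch {src} -> {dst}"))
    return problems
```
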



FreeBSD, firewall patch in port of 1.6.x branch

2018-03-23 Thread Leo Vandewoestijne
Hi,


Yesterday I've submitted patches to upgrade Bird 1.6.x and 2.0.x to yesterday's 
releases.

Now at the 1.6.x there used to be a firewall patch, made by Alexander V. 
Chernikov.
But it's a struggle to not break that option.

So now I wonder, is this only used by few people,
or are thousands of routers depending on this option?

Further the 2.0.2 branch may become the default, and 1.6.5 will be -legacy

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226859
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226860


-- 

Met vriendelijke groet,
With kind regards,



Leo Vandewoestijne

<***@dns.company>




[bird2]: babel compile bug?

2018-03-05 Thread Leo Vandewoestijne
Hello list,

If I compile using the following:


BIRD was configured with the following options:
Source directory:   .
Object directory:   obj
Iproute2 directory:
System configuration:   ./sysdep/cf/bsd.h
Debugging:  no
POSIX threads:  yes
Routing protocols:  bfd babel bgp static
Kernel MPLS support:no
Client: yes

Then I end up with this:

===>  Building for bird-2.0.1
gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.1'
MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test 
obj/proto/bfd obj/proto/babel obj/proto/bgp obj/proto/static obj/sysdep/unix 
obj/sysdep/bsd obj/doc
gm4 -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp 
filter/config.Y nest/config.Y proto/bfd/config.Y proto/babel/config.Y 
proto/bgp/config.Y proto/static/config.Y sysdep/unix/config.Y sysdep/unix/krt.Y 
sysdep/bsd/krt-sock.Y >obj/conf/cf-parse.y
bison  -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
obj/conf/cf-parse.y:2707.7-14: error: symbol PRIORITY is used, but is not 
defined as a token and has no rules
  | TX PRIORITY expr { BABEL_IFACE->tx_priority = $3; }
   
gmake[2]: *** [conf/Makefile:23: obj/conf/cf-parse.tab.c] Error 1


If I do
Routing protocols:  bfd bgp static
or
Routing protocols:  bfd babel bgp ospf pipe radv rip static
or
Routing protocols:  bfd babel bgp rip static
all goes well.

Was I trying something impossible, or is this an error?
Is RIP a dependency for Babel?

-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



My FreeBSD port for 2.0.1

2018-02-28 Thread Leo Vandewoestijne
Hi,


For the impatient ones who wish to run Bird 2.0.1 on FreeBSD;
in advance of the port commit you could:

cd /usr/ports # or custom path
fetch https://dns.company/stuff/bird/bird-2.0.1.shar
# or:   fetch -o bird-2.0.1.shar --no-verify-peer https://bz-attachments.freebsd.org/attachment.cgi\?id=191018
sh bird-2.0.1.shar
make -I net/bird2 install clean

In case you wish to return any feedback:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225962


-- 

Met vriendelijke groet,
With kind regards,


Leo Vandewoestijne
<***@dns.company>



minimal protocols support now needs RIP?

2019-02-11 Thread Leo Vandewoestijne
Hello,

I'm not the FreeBSD port maintainer for bird, however did write the initial 
bird2 port.
In there I created the interface to "assemble" which protocols you wish, by 
un/checking checkboxes.
This allows to only support what's needed.
That worked all fine until 2.0.3, but now I get stuck with this:


BIRD was configured with the following options:
Source directory:   .
Object directory:   obj
Iproute2 directory:
System configuration:   ./sysdep/cf/bsd.h
Debugging:  no
POSIX threads:  yes
>>>>>   Routing protocols:  bgp static
Kernel MPLS support:no
Client: yes
===>  Building for bird2-2.0.3
gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.3'
/bin/sh: git: not found
MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test 
obj/proto/bgp obj/proto/static obj/sysdep/unix obj/sysdep/bsd obj/doc
gm4 -s -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp 
filter/config.Y nest/config.Y proto/bgp/config.Y proto/static/config.Y 
sysdep/unix/config.Y sysdep/unix/krt.Y sysdep/bsd/krt-sock.Y 
>obj/conf/cf-parse.y
bison  -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse 
obj/conf/cf-parse.y
conf/gen_parser.m4: warning: 8 nonterminals useless in grammar [-Wother]
conf/gen_parser.m4: warning: 29 rules useless in grammar [-Wother]
conf/confbase.Y:337.1-4: warning: nonterminal useless in grammar: time [-Wother]
 time:
 
nest/config.Y:363.1-3: warning: nonterminal useless in grammar: tos [-Wother]


However, installing goes well with:


BIRD was configured with the following options:
Source directory:   .
Object directory:   obj
Iproute2 directory:
System configuration:   ./sysdep/cf/bsd.h
Debugging:  no
POSIX threads:  yes
>>>>>   Routing protocols:  bgp rip static
Kernel MPLS support:no
Client: yes
===>  Building for bird2-2.0.3
gmake[2]: Entering directory '/usr/ports/net/bird2/work/bird-2.0.3'
/bin/sh: git: not found
MKDIR -p obj/client obj/conf obj/doc obj/filter obj/lib obj/nest obj/test 
obj/proto/bgp obj/proto/rip obj/proto/static obj/sysdep/unix obj/sysdep/bsd 
obj/doc
gm4 -s -P conf/gen_parser.m4 conf/confbase.Y conf/flowspec.Y obj/.dir-stamp 
filter/config.Y nest/config.Y proto/bgp/config.Y proto/rip/config.Y 
proto/static/config.Y sysdep/unix/config.Y sysdep/unix/krt.Y 
sysdep/bsd/krt-sock.Y >obj/conf/cf-parse.y
bison  -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse 
obj/conf/cf-parse.y
conf/gen_parser.m4: warning: 2 shift/reduce conflicts [-Wconflicts-sr]
echo  >obj/sysdep/paths.h "/* Generated by Makefile, don't edit manually! */"
echo >>obj/sysdep/paths.h "#define PATH_CONFIG_FILE 
\"/usr/local/etc/bird.conf\""
echo >>obj/sysdep/paths.h "#define PATH_CONTROL_SOCKET \"/var/run/bird.ctl\""
if test -n "" ; then echo >>obj/sysdep/paths.h "#define PATH_IPROUTE_DIR \"\"" 
; fi
CC -o obj/conf/cf-parse.tab.o -c obj/conf/cf-parse.tab.c
nest/config.Y:330:25: warning: assigning to 'byte *' (aka 'unsigned char *') 
from 'char *' converts between pointers to integer types with different sign
etc, etc. only warnings, but in the end all fine.



-- 

Met vriendelijke groet,
With kind regards,



Leo Vandewoestijne

<***@dns.company>