bgpd: Cleanups & fixes for minttl / GTSM
* bgp_vty.c: (peer_ebgp_multihop_{un,}set_vty) tail-call cleanup.
({no_,}neighbor_ttl_security) ditto.
* bgpd.c: (peer_ttl_security_hops_set) Peer group checks and TTL set only
need to be done on transition.
* sockunion.c: (sockopt_minttl) remove always-on debug and improve readability.
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index e1c47f4..d93c5d3 100644
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -2629,7 +2629,6 @@
{
struct peer *peer;
unsigned int ttl;
- int ret;
peer = peer_and_group_lookup_vty (vty, ip_str);
if (! peer)
@@ -2640,24 +2639,19 @@
else
VTY_GET_INTEGER_RANGE ("TTL", ttl, ttl_str, 1, 255);
- ret = peer_ebgp_multihop_set (peer, ttl);
-
- return bgp_vty_return (vty, ret);
+ return bgp_vty_return (vty, peer_ebgp_multihop_set (peer, ttl));
}
static int
peer_ebgp_multihop_unset_vty (struct vty *vty, const char *ip_str)
{
struct peer *peer;
- int ret;
peer = peer_and_group_lookup_vty (vty, ip_str);
if (! peer)
return CMD_WARNING;
- ret = peer_ebgp_multihop_unset (peer);
-
- return bgp_vty_return (vty, ret);
+ return bgp_vty_return (vty, peer_ebgp_multihop_unset (peer));
}
/* neighbor ebgp-multihop. */
@@ -3967,7 +3961,7 @@
"Specify the maximum number of hops to the BGP peer\n")
{
struct peer *peer;
- int ret, gtsm_hops;
+ int gtsm_hops;
peer = peer_and_group_lookup_vty (vty, argv[0]);
if (! peer)
@@ -3975,9 +3969,7 @@
VTY_GET_INTEGER_RANGE ("", gtsm_hops, argv[1], 1, 254);
- ret = peer_ttl_security_hops_set (peer, gtsm_hops);
-
- return bgp_vty_return (vty, ret);
+ return bgp_vty_return (vty, peer_ttl_security_hops_set (peer, gtsm_hops));
}
DEFUN (no_neighbor_ttl_security,
@@ -3989,15 +3981,12 @@
"Specify the maximum number of hops to the BGP peer\n")
{
struct peer *peer;
- int ret;
peer = peer_and_group_lookup_vty (vty, argv[0]);
if (! peer)
return CMD_WARNING;
- ret = peer_ttl_security_hops_unset (peer);
-
- return bgp_vty_return (vty, ret);
+ return bgp_vty_return (vty, peer_ttl_security_hops_unset (peer));
}
/* Address family configuration. */
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index cc0ea8d..5a412f2 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -4376,7 +4376,7 @@
zlog_debug ("peer_ttl_security_hops_set: set gtsm_hops to %d for %s", gtsm_hops, peer->host);
if (peer_sort (peer) == BGP_PEER_IBGP)
- return 0;
+ return 0;
/* We cannot configure ttl-security hops when ebgp-multihop is already
set. For non peer-groups, the check is simple. For peer-groups, it's
@@ -4385,35 +4385,36 @@
before actually applying the ttl-security rules. Cisco really made a
mess of this configuration parameter, and OpenBGPD got it right.
*/
+
+ if (peer->gtsm_hops == 0) {
+ if (CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
+ {
+ group = peer->group;
+ if (group->conf->ttl != 1)
+ return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
- if (CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
- {
- group = peer->group;
- if (group->conf->ttl != 1)
- return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
+ for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer1))
+ {
+ if (peer_sort (peer1) == BGP_PEER_IBGP)
+ continue;
- for (ALL_LIST_ELEMENTS (group->peer, node, nnode, peer1))
- {
- if (peer_sort (peer1) == BGP_PEER_IBGP)
- continue;
-
- if (peer1->ttl != 1)
- return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
- }
- }
- else
- {
- if (peer->ttl != 1)
- return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
- }
-
+ if (peer1->ttl != 1)
+ return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
+ }
+ }
+ else
+ {
+ if (peer->ttl != 1)
+ return BGP_ERR_NO_EBGP_MULTIHOP_WITH_TTLHACK;
+ }
+ /* specify MAXTTL on outgoing packets */
+ ret = peer_ebgp_multihop_set (peer, MAXTTL);
+ if (ret != 0)
+ return ret;
+ }
+
peer->gtsm_hops = gtsm_hops;
- /* specify MAXTTL on outgoing packets */
- ret = peer_ebgp_multihop_set (peer, MAXTTL);
- if (ret != 0)
- return ret;
-
if (! CHECK_FLAG (peer->sflags, PEER_STATUS_GROUP))
{
if (peer->fd >= 0 && peer_sort (peer) != BGP_PEER_IBGP)
@@ -4793,7 +4794,7 @@
/* ttl-security hops */
if (peer_sort (peer) != BGP_PEER_IBGP && peer->gtsm_hops != 0)
if (! peer_group_active (peer) || g_peer->gtsm_hops != peer->gtsm_hops)
- vty_out (vty, " neighbor %s ttl-security hops %d%s", addr,
+ vty_out (vty, " neighbor %s ttl-security hops %d%s", addr,
peer->gtsm_hops, VTY_NEWLINE);
/* disable-connected-check. */
diff --git a/lib/sockunion.c b/lib/sockunion.c
index a32809c..df05acb 100644
--- a/lib/sockunion.c
+++ b/lib/sockunion.c
@@ -540,23 +540,23 @@
int
sockopt_minttl (int family, int sock, int minttl)
{
+#ifdef IP_MINTTL
int ret;
- zlog_debug ("sockopt_minttl: set minttl to %d", minttl);
-
-#ifdef IP_MINTTL
ret = setsockopt (sock, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
-#else
- ret = -1;
- errno = EOPNOTSUPP;
-#endif /* IP_MINTTL */
if (ret < 0)
{
- zlog (NULL, LOG_WARNING, "can't set sockopt IP_MINTTL to %d on socket %d: %s", minttl, sock, safe_strerror (errno));
+ zlog (NULL, LOG_WARNING,
+ "can't set sockopt IP_MINTTL to %d on socket %d: %s",
+ minttl, sock, safe_strerror (errno));
return -1;
}
return 0;
+#else
+ errno = EOPNOTSUPP;
+ return -1;
+#endif /* IP_MINTTL */
}
/* If same family and same prefix return 1. */