From fcb998c1ddba18a94100e79d140a5eace9275527c9c7980448801d2b2acc96d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 20 Sep 2024 16:01:17 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main frr revision 1f1dd955a33e91de5ac46966381a2ae8
---
.gitattributes | 23 +
0001-disable-zmq-test.patch | 25 +
...ctual-remaining-stream-length-before.patch | 51 ++
frr-10.0.1.tar.gz | 3 +
frr-tmpfiles.d | 1 +
frr.changes | 502 +++++++++++++++++
frr.spec | 505 ++++++++++++++++++
harden_frr.service.patch | 42 ++
8 files changed, 1152 insertions(+)
create mode 100644 .gitattributes
create mode 100644 0001-disable-zmq-test.patch
create mode 100644 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
create mode 100644 frr-10.0.1.tar.gz
create mode 100644 frr-tmpfiles.d
create mode 100644 frr.changes
create mode 100644 frr.spec
create mode 100644 harden_frr.service.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0001-disable-zmq-test.patch b/0001-disable-zmq-test.patch
new file mode 100644
index 0000000..8d59a16
--- /dev/null
+++ b/0001-disable-zmq-test.patch
@@ -0,0 +1,25 @@
+From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
+From: Ruben Torrero Marijnissen
+Date: Mon, 21 Dec 2020 18:36:43 +0000
+Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
+References: bsc#1180217
+---
+ tests/lib/test_zmq.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
+index 1f8ee5416..b298fe7b5 100644
+--- a/tests/lib/test_zmq.py
++++ b/tests/lib/test_zmq.py
+@@ -5,8 +5,7 @@ import os
+ program = "./test_zmq"
+
+ @pytest.mark.skipif(
+- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
+- reason="ZEROMQ not enabled",
++ reason="Test disabled due to intermittent build service timeouts"
+ )
+ def test_refout(self):
+ return super(TestZMQ, self).test_refout()
+--
+2.29.2
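Review bot: The decorator left in tests/lib/test_zmq.py is `@pytest.mark.skipif(reason=...)` with no condition argument, so the skip relies on how pytest treats a condition-less `skipif` rather than stating it. `@pytest.mark.skip(reason="Test disabled due to intermittent build service timeouts")` says the same thing directly and matches the package changelog, which describes the intent as "Use skip, not xfail". With the `config.status` condition removed, the test no longer runs on any build, so the reason string could also carry the bug reference (bsc#1180217) to make the skip easy to revisit. The class that holds `test_refout` starts outside the inner hunk.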
diff --git a/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch b/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
new file mode 100644
index 0000000..edfa30d
--- /dev/null
+++ b/0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
@@ -0,0 +1,51 @@
+From 605485a7c470f6e49c3f5712f2c4692fea3019e7 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis
+Date: Wed, 31 Jul 2024 08:35:14 +0300
+Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
+ TLV value
+Upstream: yes
+References: CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502
+
+```
+ 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+ 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+ 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
+ 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
+ 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
+ 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
+ 6 0xe0d12c83712c in abort stdlib/abort.c:79:7
+ 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
+ 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
+ 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
+ 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
+ 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
+ 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
+ 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
+```
+
+Reported-by:
Iggy Frankovic
+Signed-off-by: Donatas Abraitis
+(cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 40e074d058..4ebb45e3de 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2727,6 +2727,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
+ args->total);
+ }
+
++ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
++ sublength, STREAM_READABLE(BGP_INPUT(peer)));
++ return bgp_attr_malformed(args,
++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
++ args->total);
++ }
++
+ /* alloc and copy sub-tlv */
+ /* TBD make sure these are freed when attributes are released */
+ tlv = XCALLOC(MTYPE_ENCAP_TLV,
+--
+2.43.0
+
diff --git a/frr-10.0.1.tar.gz b/frr-10.0.1.tar.gz
new file mode 100644
index 0000000..1eee213
--- /dev/null
+++ b/frr-10.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:56ea357c56ea55e19101fcf9824252c45ab3b6b419a7a29ead8028c96863e0e2
+size 10963132
diff --git a/frr-tmpfiles.d b/frr-tmpfiles.d
new file mode 100644
index 0000000..719f4b9
--- /dev/null
+++ b/frr-tmpfiles.d
@@ -0,0 +1 @@
+d @frr_statedir@ 0751 frr frrvty
diff --git a/frr.changes b/frr.changes
new file mode 100644
index 0000000..a658d3a
--- /dev/null
+++ b/frr.changes
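Review bot: The guard added to bgp_attr_encap in bgpd/bgp_attr.c carries no comment saying why a second length check follows the one that ends just above it, so a later reader could take it for a duplicate and remove it. I would put `/* sublength is peer-supplied; stream_get() asserts on a short read, so compare it with the bytes actually left in the input stream */` above the `if`. The rejection is logged with `zlog_err` on input a remote peer controls, so a peer that keeps sending such UPDATEs can fill the error log; if the neighbouring checks in this function log at a lower level, matching them would be more consistent. The function body starts and ends outside the inner hunk, and the `TBD make sure these are freed` comment below the guard suggests that cleanup of sub-TLVs allocated before this early return is worth confirming.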
@@ -0,0 +1,502 @@
+-------------------------------------------------------------------
+Mon Sep 16 16:36:31 UTC 2024 - Marius Tomaschewski
+
+- add release notes url to 10.0.1 update
+
+-------------------------------------------------------------------
+Mon Sep 16 11:31:12 UTC 2024 - Marius Tomaschewski
+
+- fixed bug/pull request references in frr.changes file
+
+-------------------------------------------------------------------
+Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski
+
+- Apply upstream fix for crash in bgp_attr_encap that were missing
+ a check of the actual remaining stream length before taking the
+ TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502):
+ + 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
+- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch
+ specific, e.g. aarch64) "make check" test failures (bsc#1180217).
+ + 0001-disable-zmq-test.patch
+- Re-added hardening patch for systemd service(s) (bsc#1181400):
+ + harden_frr.service.patch
+- Cleanup unknown --enable-systemd and correct the --sysconfdir
+ and --localstatedir configure options to not end in …/frr.
+
+-------------------------------------------------------------------
+Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca
+
+- Fixing Source URL/archive name.
+
+-------------------------------------------------------------------
+Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca
+
+- Update to version 10.0.1 from official sources.
+ See https://frrouting.org/release/10.0.1/
+- Clean slate: removing all previous patches.
+- The following patches were obsoleted:
+ - 0001-disable-zmq-test.patch
+ - harden_frr.service.patch
+ - 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
+ - 0004-tools-remove-backslash-from-declare-check-regex.patch
+ - 0005-root-ok-in-account-frr.pam.patch
+ - 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
+ - 0007-bgpd-Ensure-stream-received-has-enough-data.patch
+ - 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
+ - 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
+ - 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
+ - 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
+ - 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
+ - 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
+ - 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
+ - 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
+ - 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
+ - 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
+ - 0018-bgpd-Flowspec-overflow-issue.patch
+ - 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
+ - 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
+ - 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
+ - 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
+ - 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
+
+-------------------------------------------------------------------
+Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski
+
+- Apply upstream fix solving ospfd denial of service via get_edge()
+ function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
+ gh#FRRouting/frr#16088).
+ [+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
+- Apply upstream fix solving ospfd buffer overflow and daemon crash
+ in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
+ to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
+ bsc#1222528,gh#FRRouting/frr#16088).
+ [+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
+- Apply upstream fix solving ospfd buffer overflow and daemon crash
+ in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
+ gh#FRRouting/frr#16088).
+ [+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
+
+-------------------------------------------------------------------
+Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski
+
+- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548,
+ CVE-2024-27913, gh#FRRouting/frr#15431)
+ [+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch]
+
+-------------------------------------------------------------------
+Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad
+
+- add
+ 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch:
+ * Apply upstream fix on error handling when receiving BGP Prefix
+ SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628)
+
+-------------------------------------------------------------------
+Thu Feb 8 06:55:28 UTC 2024 - Dominique Leuenberger
+
+- Provide user/group symbol for user created during pre.
+
+-------------------------------------------------------------------
+Fri Feb 2 08:25:36 UTC 2024 - Dominique Leuenberger
+
+- Fix build with RPM 4.19: a stray %-escape sequence was found in
+ the files section.
+
+-------------------------------------------------------------------
+Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for a crash on malformed BGP UPDATE message
+ with an EOR, because the presence of EOR does not lead to a
+ treat-as-withdraw outcome (CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
+ [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
+- Apply upstream fix for a crash on crafted BGP UPDATE message with
+ a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
+ bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
+ [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
+- Apply upstream fix for attempts to read beyond the end of the
+ stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f)
+ [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
+- Apply upstream fix for an nlri length of zero mishandling, aka
+ "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3)
+ [+ 0018-bgpd-Flowspec-overflow-issue.patch]
+
+-------------------------------------------------------------------
+Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for a crash due to a crafted BGP UPDATE message
+ (CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4).
+ [+ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch]
+- Apply upstream fix for a crash due to mishandled malformed
+ MP_REACH_NLRI data (CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35).
+ [+ 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch]
+
+-------------------------------------------------------------------
+Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for NULL pointer dereference due to processing
+ of malformed requests with no attributes in bgp_nlri_parse_flowspec
+ (CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8).
+ [+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch]
+
+-------------------------------------------------------------------
+Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski
+
+- Removed protobuf-c BuildRequires (source package name) breaking
+ build-system setup with libprotobuf-c-devel 1.3.2 updates.
+- Apply upstream fix for bgpd: Don't read initial byte of the ORF
+ header in an ahead-of-stream situation (CVE-2023-41360,
+ bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
+ [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
+- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
+ length is zero (CVE-2023-41358,bsc#1214735,
+ https://github.com/FRRouting/frr/pull/14260)
+ [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
+- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
+ attribute instead of session reset (CVE-2023-38802,bsc#1213284,
+ https://github.com/FRRouting/frr/pull/14290)
+ [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
+- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
+ gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
+ [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]
+
+-------------------------------------------------------------------
+Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski
+
+- Apply upstream fix for denial of service via the bgp_capability_llgr()
+ function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
+ [+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
+- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
+ function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
+ [+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
+
+-------------------------------------------------------------------
+Mon Apr 3 14:00:27 UTC 2023 - Marius Tomaschewski
+
+- Enable pim6d providing PIMv6 support (bsc#1206234)
+
+-------------------------------------------------------------------
+Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert
+
+- Migration of PAM settings to /usr/lib/pam.d.
+
+-------------------------------------------------------------------
+Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski
+
+- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
+ file to vendor specific directory /usr/etc/logrotate.d and added
+ saving of user changed configuration files in /etc and restoring
+ them while an RPM update.
+- Declare root as sufficient also in the pam account verification;
+ without vtysh use causes to log a pam frr:account warnings
+ (https://github.com/FRRouting/frr/pull/12308)
+ [+ 0005-root-ok-in-account-frr.pam.patch]
+- Applied fix removing a not needed backslash causing to log a warning
+ (https://github.com/FRRouting/frr/pull/12307)
+ [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
+- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
+ from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
+ https://github.com/FRRouting/frr/pull/12157).
+ [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
+- Removed obsolete patches provided in the 8.4 source archive:
+ [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
+ - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
+ - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
+ - 0006-isisd-fix-10505-using-base64-encoding.patch,
+ - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
+ - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+- Update to version 8.4, see https://frrouting.org/release/8.4/
+ * New BGP command (neighbor PEER soo) to configure SoO to prevent
+ routing loops and suboptimal routing on dual-homed sites.
+ * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
+ because previously we allowed using martian next-hops when debug is
+ turned on.
+ * Implement BGP Prefix Origin Validation State Extended Community rfc8097
+ * Implement Route Leak Prevention and Detection Using Roles in UPDATE
+ and OPEN Messages rfc9234
+ * BMP L3VPN support
+ * PIMv6 support
+ * MLD support
+ * New command to enable using reserved IPv4 ranges as normal addresses
+ for BGP next-hops, interface addresses, etc.
+ * As usual, lots of bugs and memory leaks were fixed \m/
+ such as a fix for a possible use-after-free due to a race
+ condition related to bgp_notify_send_with_data() and
+ bgp_process_packet() in bgp_packet.c. This could lead to
+ Remote Code Execution or Information Disclosure by sending
+ crafted BGP packets (CVE-2022-37035,bsc#1202085).
+- Update to version 8.3, see https://frrouting.org/release/8.3/
+ * Notification Message support for BGP Graceful Restart
+ * BGP Cease Notification Subcode For BFD
+ * Send Hold Timer for BGP
+ * RFC5424 syslog support
+ * PIM passive command
+- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
+ * BGP Long-lived graceful restart capability
+ * BGP Extended Optional Parameters Length for BGP OPEN Message
+ * BGP Extended BGP Administrative Shutdown Communication
+ * IS-IS Link State Traffic Engineering support
+ * OSPFv3 Support for NSSA Type-7 address ranges
+ * PBR VLAN actions support
+
+-------------------------------------------------------------------
+Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski
+
+- Apply upstream fix for out-of-bounds read in the BGP daemon
+ that may lead to information disclosure or denial of service
+ (bsc#1202023,CVE-2022-37032)
+ [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
+- Apply upstream fix for a memory leak in the IS-IS daemon that
+ may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
+ [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+
+-------------------------------------------------------------------
+Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger
+
+- Make build a bit cheaper: do only BuildRequire the primary python
+ interpreter and its modules (python3-FOO) instead of all
+ available versions as done using %{python_module FOO}
+
+-------------------------------------------------------------------
+Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski
+
+- Apply fix for a buffer overflow in isisd due to the use of strdup
+ with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
+ [+ 0006-isisd-fix-10505-using-base64-encoding.patch]
+- Apply fix for a buffer overflow in isisd due to wrong checks on
+ the input packet length (bsc#1196505,CVE-2022-26125) with workaround
+ for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
+- Apply fix for a buffer overflow in babeld due to wrong checks on
+ the input packet length in the packet_examin and subtlv parsing
+ (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
+ [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
+- Apply fix for a heap buffer overflow in babeld due to missing check
+ on the input packet length (bsc#1196503,CVE-2022-26127)
+ [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
+
+-------------------------------------------------------------------
+Thu Dec 9 08:40:11 UTC 2021 - Johannes Segitz
+
+- Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400).
+
+-------------------------------------------------------------------
+Wed Nov 17 05:48:12 UTC 2021 - Linnaea Lavia
+
+- Update to version 8.1
+ * Graceful Restart for OSPFv2 and OSPFv3
+ * OSPFv3 NSSA and NSSA-TSA support
+ * OSPFv3 ASBR Summarisation Support
+ * BGP SRv6 and Prefix-SID Type 5 improvements
+ * BGP EVPN type-5 gateway IP overlay Index
+ * Lua hook support
+ * See: https://frrouting.org/release/8.1/
+
+-------------------------------------------------------------------
+Fri Oct 15 12:11:50 UTC 2021 - Johannes Segitz
+
+- Drop ProtectClock hardening, can cause issues if other device acceess is needed
+
+-------------------------------------------------------------------
+Sat Oct 9 01:58:08 UTC 2021 - Linnaea Lavia
+
+- Update to version 8.0.1
+ * refreshed patch:
+ - 0001-disable-zmq-test.patch
+ - harden_frr.service.patch
+ * LDP gained SNMP support
+ * OSPFv3 gained VRF support
+ * EVPN Multihoming is now fully supported
+ * TI-LFA implemented in IS-IS and OSPS
+ * New Segment Routing daemon
+ * See: https://frrouting.org/release/8.0/
+ and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1
+
+-------------------------------------------------------------------
+Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd
service(s) (bsc#1181400). Added patch(es):
+ * harden_frr.service.patch
+
+-------------------------------------------------------------------
+Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski
+
+- Use skip, not xfail in 0001-disable-zmq-test.patch to disable
+ zmq test as it is not expected to fail but hangs (bsc#1180217)
+
+-------------------------------------------------------------------
+Thu Mar 4 21:20:02 UTC 2021 - Martin Hauke
+
+- Update to version 7.5.1
+ * Maintenance release
+ See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in
+
+-------------------------------------------------------------------
+Fri Jan 8 08:08:08 UTC 2021 - olaf@aepfle.de
+
+- Requires libyang 1.0.184
+
+-------------------------------------------------------------------
+Tue Dec 22 10:54:56 UTC 2020 - Rubén Torrero Marijnissen
+
+- Disable ZeroMQ tests due to sporadic timeouts during package builds (bsc#1180217)
+ [+ 0001-disable-zmq-test.patch]
+
+-------------------------------------------------------------------
+Wed Nov 4 19:17:10 UTC 2020 - Martin Hauke
+
+- Update to version 7.5
+ * Upstream does not provide a changelog
+- Make grpc support optional and don't enable it by default
+
+-------------------------------------------------------------------
+Fri Oct 2 12:38:25 UTC 2020 - Marius Tomaschewski
+
+- add build condition disabling mininet build require by default,
+ needed by the optional topology tests.
+- removed one occurrence of vrrpd binary listed twice in file list
+
+-------------------------------------------------------------------
+Wed Jul 1 12:21:24 UTC 2020 - Martin Hauke
+
+- Update to version 7.4
+ * Upstream does not provide a changelog
+- Drop patch (fixed upstream):
+ * 0001-build-use-configfile-mode-in-init-script.patch
+
+-------------------------------------------------------------------
+Sun May 31 22:40:46 UTC 2020 - Erico Mendonca
+
+- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658).
+
+-------------------------------------------------------------------
+Wed May 6 16:07:32 UTC 2020 - Martin Hauke
+
+- Update to version 7.3.1
+ Bugfix/maintenance release
+ * Upstream does not provide a changelog
+
+-------------------------------------------------------------------
+Tue Apr 7 21:38:12 UTC 2020 - Marcus Rueckert
+
+- enable verbose make rules
+- enable grpc support. new subpackage libfrrgrpc_pb0, new BR:
+ pkgconfig(grpc)
+- enable config rollbacks. new BR: pkgconfig(sqlite3)
+- enable realms support
+- enable shell access
+- make sure we use system openssl
+- fix shebang line of the frr-reload.py and
+ generate_support_bundle.py script so we dont pull python2
+- do not delete users and groups.
+- add Requires for libyang-extentions
+
+-------------------------------------------------------------------
+Sat Feb 15 21:27:22 UTC 2020 - Martin Hauke
+
+- Update to version 7.3
+ * Upstream does not provide a changelog this time
+- Remove patch:
+ * fix_tests.patch (not longer needed)
+
+-------------------------------------------------------------------
+Sat Jan 18 20:25:42 UTC 2020 - Martin Hauke
+
+- Update to version 7.2.1:
+ BGPd
+ * Fix Addpath issue
+ * Do not apply eBGP policy for iBGP peers
+ * Show ip and fqdn in json output for show [ip] bgp json
+ * Fix large route-distinguisher's format
+ * Fix no bgp listen range ...
configuration command
+ * Autocomplete neighbor for clear bgp
+ * Reflect the distance in RIB when it is changed for an
+ arbitrary afi/safi
+ * Notify "Peer De-configured" after entering 'no neighbor cmd
+ * Fix per afi/safi addpath peer counting
+ * Rework BGP dampening to be per AFI/SAFI
+ * Do not send next-hop as :: in MP_REACH_NLRI if no link-local
+ exists
+ * Override peer's TTL only if peer-group is configured with TTL
+ * Remove error message for unkown afi/safi combination
+ * Keep the session down if maximum-prefix is reached
+ OSPFd
+ * Fix BFD down not tearing down OSPF adjacency for
+ point-to-point net
+ BFDd
+ * Fix multiple VRF handling
+ * VRF security improvement
+ PIMd
+ * Fix rp crash
+ NHRPd
+ * Make sure no ip nhrp map works as expected
+ LDPd
+ * Add missing sanity check in the parsing of label messages
+ Zebra
+ * Use correct state when installing evpn macs
+ * Capture dplane plugin flags
+ lib
+ * Fix interface config when vrf changes
+ * Fix Interface Infinite Loop Walk (for special interfaces such
+ as bond)
+ Others
+ * Rename man pages (to avoid conflicts with other packages)
+ * Various other fixes for code cleanup and memory leaks
+
+-------------------------------------------------------------------
+Fri Jan 17 21:07:45 UTC 2020 - Martin Hauke
+
+- Fix license tag
+
+-------------------------------------------------------------------
+Wed Jan 15 20:34:50 UTC 2020 - Martin Hauke
+
+- Build with support for pcre, protobuf, rpki and zeromq by default
+
+-------------------------------------------------------------------
+Wed Jan 15 14:34:59 UTC 2020 - Ismail Dönmez
+
+- Cleanup spec file
+
+-------------------------------------------------------------------
+Sun Jan 12 09:40:39 UTC 2020 - Martin Hauke
+
+- Fix build-time dependencies
+- Remove superflous comments
+
+-------------------------------------------------------------------
+Wed Dec 11 23:18:06 UTC 2019 - Erico Mendonca
+
+- fix_tests.patch: correct syntax for Python 3
imports in tests.
+- Enabling tests
+
+-------------------------------------------------------------------
+Wed Dec 11 02:37:42 UTC 2019 - erico.mendonca@suse.com
+
+- Update to version frr7.2:
+ * zebra: use correct state when installing evpn macs
+ * lib: set entry to xpath in if_update_to_new_vrf
+ * zebra: capture dplane plugin flags
+ * bgpd: Autocomplete neighbor for clear bgp
+ * ospfd,eigrpd: don't take address of packed struct member
+ * bgpd: Prevent crash in bgp_table_range_lookup
+ * bgpd: Fix memory leak in json output of show commands
+ * tests: Test if `distance bgp (1-255) (1-255) (1-255)` works
+ * bgpd: Reflect the distance in RIB when it is changed for an arbitrary afi/safi
+ * bfdd: fix multiple VRF handling
+
+-------------------------------------------------------------------
+Tue Dec 10 12:58:21 UTC 2019 - Erico Mendonca
+
+- Updating to version 7.2
+- Adding systemd scripts
+- Fixing build and permission issues
+
+-------------------------------------------------------------------
+Tue Jun 18 08:59:05 UTC 2019 - Martin Hauke
+
+- Update to version 7.0.1
+
+-------------------------------------------------------------------
+Sat Feb 2 13:50:16 UTC 2019 - mardnh@gmx.de
+
+- Initial package, version 6.0.2
diff --git a/frr.spec b/frr.spec
new file mode 100644
index 0000000..e7d7d15
--- /dev/null
+++ b/frr.spec
@@ -0,0 +1,505 @@
+#
+# spec file for package frr
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2019-2021, Martin Hauke
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%bcond_with cumulus
+%bcond_with datacenter
+%bcond_with mininet
+%bcond_with grpc
+
+%define frr_user frr
+%define frr_group frr
+%define frrvty_group frrvty
+%define frr_home %{_localstatedir}/lib/%{name}
+%define frr_statedir %{_rundir}/%{name}
+%define frr_daemondir %{_prefix}/lib/frr
+
+Name: frr
+Version: 10.0.1
+Release: 0
+Summary: The FRRouting Protocol Suite
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
+Group: Productivity/Networking/System
+URL: https://www.frrouting.org
+#Git-Clone: https://github.com/FRRouting/frr.git
+Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
+Source1: %{name}-tmpfiles.d
+Patch0: harden_frr.service.patch
+Patch1: 0001-disable-zmq-test.patch
+Patch2: 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison >= 2.7
+BuildRequires: flex
+BuildRequires: libtool
+BuildRequires: makeinfo
+BuildRequires: python3-Sphinx
+BuildRequires: python3-devel
+BuildRequires: python3-pytest
+%if %{with mininet}
+BuildRequires: mininet
+%endif
+BuildRequires: net-snmp-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: python-rpm-macros
+BuildRequires: readline-devel
+BuildRequires: systemd-rpm-macros
+%if %{with grpc}
+BuildRequires: pkgconfig(grpc)
+%endif
+BuildRequires: pkgconfig(json-c)
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libcares)
+BuildRequires: pkgconfig(libelf)
+BuildRequires: pkgconfig(libpcre)
+BuildRequires: pkgconfig(libprotobuf-c)
+%if 0%{?sle_version} == 150500
+BuildRequires: libprotoc25_1_0
+BuildRequires: libyang1
+%endif
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(libyang) >= 2.0.0
+BuildRequires: pkgconfig(libzmq) >= 4.0.0
+BuildRequires: pkgconfig(rtrlib) >= 0.5.0
+BuildRequires: pkgconfig(sqlite3)
+Requires(post): %{install_info_prereq}
+Requires(pre): %{install_info_prereq}
+Requires(pre): shadow
+Requires(preun):%{install_info_prereq}
+Recommends: logrotate
+Conflicts: quagga
+Provides: zebra = %{version}
+Obsoletes: zebra < %{version}
+Provides: group(%{frr_group})
+Provides: group(%{frrvty_group})
+Provides: user(%{frr_user})
+
+%description
+FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
+FRR currently supports the following protocols:
+- BGP
+- OSPFv2
+- OSPFv3
+- RIPv1
+- RIPv2
+- RIPng
+- IS-IS
+- PIM-SM/MSDP
+- LDP
+- BFD
+- Babel
+- PBR
+- OpenFabric
+- VRRP
+- EIGRP (alpha)
+- NHRP (alpha)
+
+%package -n libfrrfpm_pb0
+Summary: FRRouting fpm protobuf library
+Group: System/Libraries
+
+%description -n libfrrfpm_pb0
+This library contains forwarding plane manager protobuf definitions
+for FRRouting.
+
+%package -n libfrr_pb0
+Summary: FRRouting protobuf library
+Group: System/Libraries
+
+%description -n libfrr_pb0
+This library contains protobuf memory management for FRRouting..
+
+%if %{with grpc}
+%package -n libfrrgrpc_pb0
+Summary: FRRouting grpc protobuf library
+Group: System/Libraries
+
+%description -n libfrrgrpc_pb0
+This library contains grpc protobuf definitions for FRRouting.
+%endif
+
+%package -n libfrrospfapiclient0
+Summary: API for FRRouting's OSPFv2 implementation
+Group: System/Libraries
+
+%description -n libfrrospfapiclient0
+This library contains part of the OSPFv2 implementation of FRRouting.
+
+%package -n libfrrsnmp0
+Summary: FRRouting snmp library
+Group: System/Libraries
+
+%description -n libfrrsnmp0
+This library contains part of the net-snmp agentx implementation of FRRouting.
+
+%package -n libfrrzmq0
+Summary: FRRouting zeromq library
+Group: System/Libraries
+
+%description -n libfrrzmq0
+This library contains part of the zermomq implementation of FRRouting.
+
+%package -n libfrr0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libfrr0
+This library contains various utility functions to FRRouting, such as
+data types, buffers and socket handling.
+
+%package -n libfrrcares0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libfrrcares0
+This library contains various utility functions to FRRouting, such as
+data types, buffers and socket handling.
+
+%package -n libmgmt_be_nb0
+Summary: FRRouting utility library
+Group: System/Libraries
+
+%description -n libmgmt_be_nb0
+This library contains part of the mgmt_be implementation of FRRouting.
+
+%package devel
+Summary: Header and object files for frr development
+Group: Development/Libraries/C and C++
+Requires: libfrr0 = %{version}
+Requires: libfrr_pb0 = %{version}
+Requires: libfrrcares0 = %{version}
+Requires: libfrrfpm_pb0 = %{version}
+%if %{with grpc}
+Requires: libfrrgrpc_pb0 = %{version}
+%endif
+Requires: libfrrospfapiclient0 = %{version}
+Requires: libfrrsnmp0 = %{version}
+Requires: libfrrzmq0 = %{version}
+Requires: libmgmt_be_nb0 = %{version}
+
+%description devel
+The frr-devel package contains the header and object files necessary for
+developing OSPF-API and frr applications.
+
+%prep
+%autosetup -n %{name}-%{name}-%{version} -p1
+
+%build
+# GCC LTO objects must be "fat" to avoid assembly errors
+export CFLAGS="-ffat-lto-objects"
+
+autoreconf -fiv
+%configure \
+ --disable-silent-rules \
+ --sysconfdir=%{_sysconfdir}\
+ --localstatedir=%{_rundir} \
+ --sbindir=%{frr_daemondir} \
+ --with-moduledir=%{_libdir}/frr/modules \
+ --disable-static \
+ --with-vtysh-pager=%{_bindir}/less \
+ --enable-user=%{frr_user} \
+ --enable-group=%{frr_group} \
+ --enable-vty-group=%{frrvty_group} \
+ --enable-configfile-mask=0640 \
+ --enable-logfile-mask=0640 \
+ --enable-doc \
+ --enable-doc-html \
+ --enable-babeld \
+ --enable-bfdd \
+ --enable-bgpd \
+ --enable-bgp-vnc \
+%if %{with cumulus}
+ --enable-cumulus \
+%endif
+%if %{with datacenter}
+ --enable-datacenter \
+%endif
+ --enable-eigrpd \
+ --enable-fpm \
+ --enable-irdp \
+ --enable-isisd \
+ --enable-ldpd \
+ --enable-multipath=256 \
+ --enable-nhrpd \
+ --enable-snmp \
+ --enable-zeromq \
+ --enable-ospfd \
+ --enable-ospf6d \
+ --enable-ospfapi \
+ --enable-ospfclient \
+ --with-libpam \
+ --enable-pbrd \
+ --enable-pimd \
+ --enable-pim6d \
+ --enable-protobuf \
+ --enable-ripd \
+ --enable-ripngd \
+ --enable-rpki \
+ --enable-rtadv \
+ --enable-sharpd \
+ --enable-staticd \
+ --enable-vtysh \
+ --enable-watchfrr \
+ --enable-zebra \
+ --enable-realms \
+ --enable-shell-access \
+ --with-crypto=openssl \
+ --enable-config-rollbacks \
+%if %{with grpc}
+ --enable-grpc
+%endif
+
+make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
+
+%install
+make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" install
+perl -p -i -e 's|#!/usr/bin/python|#!/usr/bin/python3|g' %{buildroot}/usr/lib/frr/{frr-reload.py,generate_support_bundle.py}
+
+find %{buildroot} -type f -name "*.la" -delete -print
+
+install -d %{buildroot}%{_sysconfdir}/frr
+install -d %{buildroot}/%{_docdir}/%{name}
+mv %{buildroot}/%{_datadir}/doc/frr/html %{buildroot}/%{_docdir}/%{name}
+
+# remove stray buildinfo files
+find %{buildroot}/%{_docdir}/%{name} -type f -name .buildinfo -delete
+
+# systemd init scripts
+install -D -m 0644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
+install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
+
+# add rpki module to daemon
+sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
+
+%if 0%{?suse_version} > 1500
+mkdir -p %{buildroot}%{_pam_vendordir}
+install -D -m 0644 redhat/frr.pam %{buildroot}%{_pam_vendordir}/frr
+%else
+install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+%endif
+%if 0%{?suse_version} > 1500
+install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
+%else
+install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+%endif
+
+install -d -m 0750 %{buildroot}%{rundir}
+install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+sed -e "s|@frr_statedir@|%{frr_statedir}|g" -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+
+install -d %{buildroot}%{_sbindir}
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcfrr
+rm -f %{buildroot}%{frr_daemondir}/ssd
+
+cat > %{buildroot}%{_sysconfdir}/frr/frr.conf << __EOF__
+!hostname frr
+
+!password frr
+!enable password frr
+
+log file %{_localstatedir}/log/frr/frr.log
+__EOF__
+cat > %{buildroot}%{_sysconfdir}/frr/vtysh.conf << __EOF__
+! vtysh is using PAM authentication allowing root to use it.
+__EOF__
+
+%check
+make %{?_smp_mflags} -C tests
+
+%pre
+# Create frr user/groups
+getent group %{frr_group} >/dev/null || groupadd -r %{frr_group}
+getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
+getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
+
+%service_add_pre %{name}.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in logrotate.d/frr pam.d/frr ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%endif
+
+%posttrans
+%if 0%{?suse_version} > 1500
+# Migration to /usr/etc, restore just created .rpmsave
+for i in logrotate.d/frr pam.d/frr ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
+
+%post
+%service_add_post %{name}.service
+%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf || true
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+%install_info_delete --info-dir=%{_infodir} %{_infodir}/frr.info%{ext_info}
+
+%post -n libfrr_pb0 -p /sbin/ldconfig
+%postun -n libfrr_pb0 -p /sbin/ldconfig
+%if %{with grpc}
+%post -n libfrrgrpc_pb0 -p /sbin/ldconfig
+%postun -n libfrrgrpc_pb0 -p /sbin/ldconfig
+%endif
+%post -n libfrrfpm_pb0 -p /sbin/ldconfig
+%postun -n libfrrfpm_pb0 -p /sbin/ldconfig
+
+%post -n libfrrospfapiclient0 -p /sbin/ldconfig
+%postun -n libfrrospfapiclient0 -p /sbin/ldconfig
+
+%post -n libfrrsnmp0 -p /sbin/ldconfig
+%postun -n libfrrsnmp0 -p /sbin/ldconfig
+
+%post -n libfrrzmq0 -p /sbin/ldconfig
+%postun -n libfrrzmq0 -p /sbin/ldconfig
+
+%post -n libfrr0 -p /sbin/ldconfig
+%postun -n libfrr0 -p /sbin/ldconfig
+
+%post -n libfrrcares0 -p /sbin/ldconfig
+%postun -n libfrrcares0 -p /sbin/ldconfig
+
+%post -n libmgmt_be_nb0 -p /sbin/ldconfig
+%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc README.md
+%doc doc/mpls
+%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
+%config(noreplace) %attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/[!v]*.conf*
+%config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
+%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
+%if 0%{?suse_version} > 1500
+%{_pam_vendordir}/frr
+%else
+%config(noreplace) %{_sysconfdir}/pam.d/frr
+%endif
+%if 0%{?suse_version} > 1500
+%{_distconfdir}/logrotate.d/frr
+%else
+%config(noreplace) %{_sysconfdir}/logrotate.d/frr
+%endif
+%{_infodir}/frr.info%{?ext_info}
+%{_mandir}/man?/*
+%{_docdir}/%{name}/html
+%{_unitdir}/%{name}.service
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/%{name}.conf
+%dir %attr(-,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr
+%dir %attr(-,%{frr_user},%{frr_group}) %ghost %{frr_statedir}
+%{_sbindir}/rc%{name}
+%dir %{_prefix}/lib/frr
+%{_prefix}/lib/frr/fabricd
+%{_prefix}/lib/frr/vrrpd
+%{_datadir}/yang
+%{_bindir}/mtracebis
+%{_bindir}/vtysh
+%{frr_daemondir}/babeld
+%{frr_daemondir}/bfdd
+%{frr_daemondir}/bgpd
+%{frr_daemondir}/eigrpd
+%{frr_daemondir}/frr
+%{frr_daemondir}/frr-reload
+%{frr_daemondir}/frr-reload.py
+%{frr_daemondir}/frr_babeltrace.py
+%{frr_daemondir}/frrcommon.sh
+%{frr_daemondir}/frrinit.sh
+%{frr_daemondir}/isisd
+%{frr_daemondir}/ldpd
+%{frr_daemondir}/mgmtd
+%{frr_daemondir}/nhrpd
+%{frr_daemondir}/ospfclient.py
+%{frr_daemondir}/ospf6d
+%{frr_daemondir}/ospfd
+%{frr_daemondir}/pathd
+%{frr_daemondir}/pbrd
+%{frr_daemondir}/pimd
+%{frr_daemondir}/pim6d
+%{frr_daemondir}/ripd
+%{frr_daemondir}/ripngd
+%{frr_daemondir}/sharpd
+%{frr_daemondir}/staticd
+%{frr_daemondir}/watchfrr
+%{frr_daemondir}/watchfrr.sh
+%{frr_daemondir}/zebra
+%dir %{_libdir}/frr
+%dir %{_libdir}/frr/modules
+%{_libdir}/frr/modules/zebra_cumulus_mlag.so
+%{_libdir}/frr/modules/zebra_fpm.so
+%{_libdir}/frr/modules/zebra_irdp.so
+%{_libdir}/frr/modules/pathd_pcep.so
+%{_libdir}/frr/modules/bgpd_rpki.so
+%if %{with grpc}
+%{_libdir}/frr/modules/grpc.so
+%endif
+%{_libdir}/frr/modules/dplane_fpm_nl.so
+%{_libdir}/frr/modules/bgpd_bmp.so
+%{_prefix}/lib/frr/generate_support_bundle.py
+
+%files -n libfrr_pb0
+%{_libdir}/libfrr_pb.so.0*
+
+%files -n libfrrfpm_pb0
+%{_libdir}/libfrrfpm_pb.so.0*
+
+%if %{with grpc}
+%files -n libfrrgrpc_pb0
+%{_libdir}/libfrrgrpc_pb.so.0*
+%endif
+
+%files -n libfrrospfapiclient0
+%{_libdir}/libfrrospfapiclient.so.0*
+
+%files -n libfrrsnmp0
+%{_libdir}/libfrrsnmp.so.0*
+%{_libdir}/frr/modules/*_snmp.so
+
+%files -n libfrrzmq0
+%{_libdir}/libfrrzmq.so.0*
+
+%files -n libfrr0
+%{_libdir}/libfrr.so.0*
+
+%files -n libfrrcares0
+%{_libdir}/libfrrcares.so.0*
+
+%files -n libmgmt_be_nb0
+%{_libdir}/libmgmt_be_nb.so.0*
+
+%files devel
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/*.h
+%dir %{_includedir}/%{name}/ospfd
+%{_includedir}/%{name}/ospfd/*.h
+%dir %{_includedir}/%{name}/ospfapi
+%{_includedir}/%{name}/ospfapi/*.h
+%dir %{_includedir}/%{name}/eigrpd
+%{_includedir}/%{name}/eigrpd/*.h
+%dir %{_includedir}/%{name}/bfdd
+%{_includedir}/%{name}/bfdd/*.h
+%{_libdir}/lib*.so
+
+%changelog
diff --git a/harden_frr.service.patch b/harden_frr.service.patch
new file mode 100644
index 0000000..daef202
--- /dev/null
+++ b/harden_frr.service.patch
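Review bot: `--enable-shell-access` in the `%configure` call stands out for a distribution build: FRR's installation documentation describes this option as insecure because it exposes shell-type commands from inside vtysh, and this spec also ships PAM-backed vtysh access and a separate `frrvty` group. If nothing in the package relies on it, drop that line; if it is needed, say why in a spec comment next to it. Separately, `install -d -m 0750 %{buildroot}%{rundir}` in `%install` uses a macro this spec never defines (it defines `frr_statedir`, and rpm provides `_rundir`), so the directory it creates is presumably not the intended one; `install -d -m 0750 %{buildroot}%{frr_statedir}` looks like what was meant.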
@@ -0,0 +1,42 @@
+Index: frr-frr-8.1/tools/frr.service.in
+===================================================================
+--- frr-frr-8.1.orig/tools/frr.service.in
++++ frr-frr-8.1/tools/frr.service.in
+@@ -7,6 +7,16 @@ Before=network.target
+ OnFailure=heartbeat-failed@%n
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ReadWritePaths=/etc/frr
++ProtectHome=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Nice=-5
+ Type=forking
+ NotifyAccess=all
+Index: frr-frr-8.1/tools/frr@.service.in
+===================================================================
+--- frr-frr-8.1.orig/tools/frr@.service.in
++++ frr-frr-8.1/tools/frr@.service.in
+@@ -7,6 +7,16 @@ Before=network.target
+ OnFailure=heartbeat-failed@%n
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ReadWritePaths=/etc/frr
++ProtectHome=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Nice=-5
+ Type=forking
+ NotifyAccess=all
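Review bot: `ReadWritePaths=/etc/frr` carves the configuration directory back out of `ProtectSystem=full`, and nothing in either unit file says why; the only comment is the generic "added automatically" pointer. A one-line comment above it in both frr.service.in and frr@.service.in would record the reason, e.g. `# FRR writes its saved configuration under /etc/frr` (presumably the reason; confirm with the maintainer). The embedded patch headers still name `frr-frr-8.1` while the spec in this commit packages 10.0.1, so the patch is worth refreshing against the current tree so that it applies without fuzz.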