Sync from SUSE:SLFO:Main frr revision 1f1dd955a33e91de5ac46966381a2ae8

This commit is contained in:
Adrian Schröter 2024-09-20 16:01:17 +02:00
commit fcb998c1dd
8 changed files with 1152 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

View File

@ -0,0 +1,25 @@
From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001
From: Ruben Torrero Marijnissen <rtorreromarijnissen@suse.com>
Date: Mon, 21 Dec 2020 18:36:43 +0000
Subject: [PATCH] tests: disable zeromq tests due to build service timeouts
References: bsc#1180217
---
tests/lib/test_zmq.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py
index 1f8ee5416..b298fe7b5 100644
--- a/tests/lib/test_zmq.py
+++ b/tests/lib/test_zmq.py
@@ -5,8 +5,7 @@ import os
program = "./test_zmq"
@pytest.mark.skipif(
- 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(),
- reason="ZEROMQ not enabled",
+ reason="Test disabled due to intermittent build service timeouts"
)
def test_refout(self):
return super(TestZMQ, self).test_refout()
--
2.29.2

View File

@ -0,0 +1,51 @@
From 605485a7c470f6e49c3f5712f2c4692fea3019e7 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Wed, 31 Jul 2024 08:35:14 +0300
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
TLV value
Upstream: yes
References: CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502
```
0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7)
3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11)
4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17
5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13
6 0xe0d12c83712c in abort stdlib/abort.c:79:7
7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2
8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3
9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3
10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10
11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20
12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11
13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 40e074d058..4ebb45e3de 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2727,6 +2727,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
+ return bgp_attr_malformed(args,
+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
+ }
+
/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC(MTYPE_ENCAP_TLV,
--
2.43.0

BIN
frr-10.0.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

1
frr-tmpfiles.d Normal file
View File

@ -0,0 +1 @@
d @frr_statedir@ 0751 frr frrvty

502
frr.changes Normal file
View File

@ -0,0 +1,502 @@
-------------------------------------------------------------------
Mon Sep 16 16:36:31 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- add release notes url to 10.0.1 update
-------------------------------------------------------------------
Mon Sep 16 11:31:12 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- fixed bug/pull request references in frr.changes file
-------------------------------------------------------------------
Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for crash in bgp_attr_encap that were missing
a check of the actual remaining stream length before taking the
TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502):
+ 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch
specific, e.g. aarch64) "make check" test failures (bsc#1180217).
+ 0001-disable-zmq-test.patch
- Re-added hardening patch for systemd service(s) (bsc#1181400):
+ harden_frr.service.patch
- Cleanup unknown --enable-systemd and correct the --sysconfdir
and --localstatedir configure options to not end in …/frr.
-------------------------------------------------------------------
Fri Aug 9 14:14:10 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com>
- Fixing Source URL/archive name.
-------------------------------------------------------------------
Sun Jul 28 20:21:43 UTC 2024 - Erico Mendonca <erico.mendonca@suse.com>
- Update to version 10.0.1 from official sources.
See https://frrouting.org/release/10.0.1/
- Clean slate: removing all previous patches.
- The following patches were obsoleted:
- 0001-disable-zmq-test.patch
- harden_frr.service.patch
- 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
- 0004-tools-remove-backslash-from-declare-check-regex.patch
- 0005-root-ok-in-account-frr.pam.patch
- 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch
- 0007-bgpd-Ensure-stream-received-has-enough-data.patch
- 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch
- 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch
- 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch
- 0011-babeld-fix-11808-to-avoid-infinite-loops.patch
- 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch
- 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch
- 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch
- 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
- 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
- 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
- 0018-bgpd-Flowspec-overflow-issue.patch
- 0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
- 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch
- 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch
- 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch
- 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch
-------------------------------------------------------------------
Tue Jun 4 21:27:48 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving ospfd denial of service via get_edge()
function returning a NULL pointer (CVE-2024-34088,bsc#1223786,
gh#FRRouting/frr#16088).
[+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in ospf_te_parse_ext_link for OSPF LSA packets during an attempt
to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951,
bsc#1222528,gh#FRRouting/frr#16088).
[+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch]
- Apply upstream fix solving ospfd buffer overflow and daemon crash
in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526,
gh#FRRouting/frr#16088).
[+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch]
-------------------------------------------------------------------
Wed Apr 24 10:40:57 UTC 2024 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix solving crash in OSPF TE parsing (bsc#1220548,
CVE-2024-27913, gh#FRRouting/frr#15431)
[+ 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch]
-------------------------------------------------------------------
Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
- add
0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch:
* Apply upstream fix on error handling when receiving BGP Prefix
SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628)
-------------------------------------------------------------------
Thu Feb 8 06:55:28 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Provide user/group symbol for user created during pre.
-------------------------------------------------------------------
Fri Feb 2 08:25:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Fix build with RPM 4.19: a stray %-escape sequence was found in
the files section.
-------------------------------------------------------------------
Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for a crash on malformed BGP UPDATE message
with an EOR, because the presence of EOR does not lead to a
treat-as-withdraw outcome (CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b)
[+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch]
- Apply upstream fix for a crash on crafted BGP UPDATE message with
a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234,
bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf)
[+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch]
- Apply upstream fix for attempts to read beyond the end of the
stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f)
[+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch]
- Apply upstream fix for an nlri length of zero mishandling, aka
"flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3)
[+ 0018-bgpd-Flowspec-overflow-issue.patch]
-------------------------------------------------------------------
Mon Oct 30 12:38:21 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for a crash due to a crafted BGP UPDATE message
(CVE-2023-46753,bsc#1216626,https://github.com/FRRouting/frr/pull/14655/commits/21418d64af11553c402f932b0311c812d98ac3e4).
[+ 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch]
- Apply upstream fix for a crash due to mishandled malformed
MP_REACH_NLRI data (CVE-2023-46752,bsc#1216627,https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35).
[+ 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch]
-------------------------------------------------------------------
Tue Sep 12 13:40:19 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for NULL pointer dereference due to processing
of malformed requests with no attributes in bgp_nlri_parse_flowspec
(CVE-2023-41909,bsc#1215065,https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8).
[+ 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch]
-------------------------------------------------------------------
Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Removed protobuf-c BuildRequires (source package name) breaking
build-system setup with libprotobuf-c-devel 1.3.2 updates.
- Apply upstream fix for bgpd: Don't read initial byte of the ORF
header in an ahead-of-stream situation (CVE-2023-41360,
bsc#1214739,https://github.com/FRRouting/frr/pull/14245)
[+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch]
- Apply upstream fix for bgpd: Do not process NLRIs if the attribute
length is zero (CVE-2023-41358,bsc#1214735,
https://github.com/FRRouting/frr/pull/14260)
[+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch]
- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation
attribute instead of session reset (CVE-2023-38802,bsc#1213284,
https://github.com/FRRouting/frr/pull/14290)
[+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch]
- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434,
gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952)
[+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch]
-------------------------------------------------------------------
Mon May 15 08:01:39 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for denial of service via the bgp_capability_llgr()
function (bsc#1211248,CVE-2023-31489,gh#FRRouting/frr#13098).
[+ 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch]
- Apply upstream fix for denial of service via the bgp_attr_psid_sub()
function (bsc#1211249,CVE-2023-31490,gh#FRRouting/frr#13099).
[+ 0007-bgpd-Ensure-stream-received-has-enough-data.patch]
-------------------------------------------------------------------
Mon Apr 3 14:00:27 UTC 2023 - Marius Tomaschewski <mt@suse.com>
- Enable pim6d providing PIMv6 support (bsc#1206234)
-------------------------------------------------------------------
Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
file to vendor specific directory /usr/etc/logrotate.d and added
saving of user changed configuration files in /etc and restoring
them while an RPM update.
- Declare root as sufficient also in the pam account verification;
without vtysh use causes to log a pam frr:account warnings
(https://github.com/FRRouting/frr/pull/12308)
[+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
(https://github.com/FRRouting/frr/pull/12307)
[+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
https://github.com/FRRouting/frr/pull/12157).
[+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
[- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
- 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
- 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
- 0006-isisd-fix-10505-using-base64-encoding.patch,
- 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
- 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
* New BGP command (neighbor PEER soo) to configure SoO to prevent
routing loops and suboptimal routing on dual-homed sites.
* Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
because previously we allowed using martian next-hops when debug is
turned on.
* Implement BGP Prefix Origin Validation State Extended Community rfc8097
* Implement Route Leak Prevention and Detection Using Roles in UPDATE
and OPEN Messages rfc9234
* BMP L3VPN support
* PIMv6 support
* MLD support
* New command to enable using reserved IPv4 ranges as normal addresses
for BGP next-hops, interface addresses, etc.
* As usual, lots of bugs and memory leaks were fixed \m/
such as a fix for a possible use-after-free due to a race
condition related to bgp_notify_send_with_data() and
bgp_process_packet() in bgp_packet.c. This could lead to
Remote Code Execution or Information Disclosure by sending
crafted BGP packets (CVE-2022-37035,bsc#1202085).
- Update to version 8.3, see https://frrouting.org/release/8.3/
* Notification Message support for BGP Graceful Restart
* BGP Cease Notification Subcode For BFD
* Send Hold Timer for BGP
* RFC5424 syslog support
* PIM passive command
- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
* BGP Long-lived graceful restart capability
* BGP Extended Optional Parameters Length for BGP OPEN Message
* BGP Extended BGP Administrative Shutdown Communication
* IS-IS Link State Traffic Engineering support
* OSPFv3 Support for NSSA Type-7 address ranges
* PBR VLAN actions support
-------------------------------------------------------------------
Mon Sep 5 11:48:25 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Apply upstream fix for out-of-bounds read in the BGP daemon
that may lead to information disclosure or denial of service
(bsc#1202023,CVE-2022-37032)
[+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
- Apply upstream fix for a memory leak in the IS-IS daemon that
may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
[+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
-------------------------------------------------------------------
Thu Mar 17 11:45:00 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- Make build a bit cheaper: do only BuildRequire the primary python
interpreter and its modules (python3-FOO) instead of all
available versions as done using %{python_module FOO}
-------------------------------------------------------------------
Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski <mt@suse.com>
- Apply fix for a buffer overflow in isisd due to the use of strdup
with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
[+ 0006-isisd-fix-10505-using-base64-encoding.patch]
- Apply fix for a buffer overflow in isisd due to wrong checks on
the input packet length (bsc#1196505,CVE-2022-26125) with workaround
for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
[+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
- Apply fix for a buffer overflow in babeld due to wrong checks on
the input packet length in the packet_examin and subtlv parsing
(bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
[+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
- Apply fix for a heap buffer overflow in babeld due to missing check
on the input packet length (bsc#1196503,CVE-2022-26127)
[+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
-------------------------------------------------------------------
Thu Dec 9 08:40:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Add ReadWritePaths=/etc/frr to harden_frr.service.patch (bsc#1181400).
-------------------------------------------------------------------
Wed Nov 17 05:48:12 UTC 2021 - Linnaea Lavia <linnaea@lavia.moe>
- Update to version 8.1
* Graceful Restart for OSPFv2 and OSPFv3
* OSPFv3 NSSA and NSSA-TSA support
* OSPFv3 ASBR Summarisation Support
* BGP SRv6 and Prefix-SID Type 5 improvements
* BGP EVPN type-5 gateway IP overlay Index
* Lua hook support
* See: https://frrouting.org/release/8.1/
-------------------------------------------------------------------
Fri Oct 15 12:11:50 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Drop ProtectClock hardening, can cause issues if other device acceess is needed
-------------------------------------------------------------------
Sat Oct 9 01:58:08 UTC 2021 - Linnaea Lavia <linnaea@lavia.moe>
- Update to version 8.0.1
* refreshed patch:
- 0001-disable-zmq-test.patch
- harden_frr.service.patch
* LDP gained SNMP support
* OSPFv3 gained VRF support
* EVPN Multihoming is now fully supported
* TI-LFA implemented in IS-IS and OSPS
* New Segment Routing daemon
* See: https://frrouting.org/release/8.0/
and https://github.com/FRRouting/frr/releases/tag/frr-8.0.1
-------------------------------------------------------------------
Thu Sep 16 07:12:55 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_frr.service.patch
-------------------------------------------------------------------
Fri Apr 23 03:05:06 UTC 2021 - Marius Tomaschewski <mt@suse.com>
- Use skip, not xfail in 0001-disable-zmq-test.patch to disable
zmq test as it is not expected to fail but hangs (bsc#1180217)
-------------------------------------------------------------------
Thu Mar 4 21:20:02 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.5.1
* Maintenance release
See: https://github.com/FRRouting/frr/blob/stable/7.5/changelog-auto.in
-------------------------------------------------------------------
Fri Jan 8 08:08:08 UTC 2021 - olaf@aepfle.de
- Requires libyang 1.0.184
-------------------------------------------------------------------
Tue Dec 22 10:54:56 UTC 2020 - Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com>
- Disable ZeroMQ tests due to sporadic timeouts during package builds (bsc#1180217)
[+ 0001-disable-zmq-test.patch]
-------------------------------------------------------------------
Wed Nov 4 19:17:10 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.5
* Upstream does not provide a changelog
- Make grpc support optional and don't enable it by default
-------------------------------------------------------------------
Fri Oct 2 12:38:25 UTC 2020 - Marius Tomaschewski <mt@suse.com>
- add build condition disabling mininet build require by default,
needed by the optional topology tests.
- removed one occurrence of vrrpd binary listed twice in file list
-------------------------------------------------------------------
Wed Jul 1 12:21:24 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.4
* Upstream does not provide a changelog
- Drop patch (fixed upstream):
* 0001-build-use-configfile-mode-in-init-script.patch
-------------------------------------------------------------------
Sun May 31 22:40:46 UTC 2020 - Erico Mendonca <erico.mendonca@suse.com>
- 0001-build-use-configfile-mode-in-init-script.patch: Fix CVE-2020-12831 (boo#1171658).
-------------------------------------------------------------------
Wed May 6 16:07:32 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.3.1
Bugfix/maintenance release
* Upstream does not provide a changelog
-------------------------------------------------------------------
Tue Apr 7 21:38:12 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
- enable verbose make rules
- enable grpc support. new subpackage libfrrgrpc_pb0, new BR:
pkgconfig(grpc)
- enable config rollbacks. new BR: pkgconfig(sqlite3)
- enable realms support
- enable shell access
- make sure we use system openssl
- fix shebang line of the frr-reload.py and
generate_support_bundle.py script so we dont pull python2
- do not delete users and groups.
- add Requires for libyang-extentions
-------------------------------------------------------------------
Sat Feb 15 21:27:22 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.3
* Upstream does not provide a changelog this time
- Remove patch:
* fix_tests.patch (not longer needed)
-------------------------------------------------------------------
Sat Jan 18 20:25:42 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.2.1:
BGPd
* Fix Addpath issue
* Do not apply eBGP policy for iBGP peers
* Show ip and fqdn in json output for show [ip] bgp <route> json
* Fix large route-distinguisher's format
* Fix no bgp listen range ... configuration command
* Autocomplete neighbor for clear bgp
* Reflect the distance in RIB when it is changed for an
arbitrary afi/safi
* Notify "Peer De-configured" after entering 'no neighbor cmd
* Fix per afi/safi addpath peer counting
* Rework BGP dampening to be per AFI/SAFI
* Do not send next-hop as :: in MP_REACH_NLRI if no link-local
exists
* Override peer's TTL only if peer-group is configured with TTL
* Remove error message for unkown afi/safi combination
* Keep the session down if maximum-prefix is reached
OSPFd
* Fix BFD down not tearing down OSPF adjacency for
point-to-point net
BFDd
* Fix multiple VRF handling
* VRF security improvement
PIMd
* Fix rp crash
NHRPd
* Make sure no ip nhrp map <something> works as expected
LDPd
* Add missing sanity check in the parsing of label messages
Zebra
* Use correct state when installing evpn macs
* Capture dplane plugin flags
lib
* Fix interface config when vrf changes
* Fix Interface Infinite Loop Walk (for special interfaces such
as bond)
Others
* Rename man pages (to avoid conflicts with other packages)
* Various other fixes for code cleanup and memory leaks
-------------------------------------------------------------------
Fri Jan 17 21:07:45 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Fix license tag
-------------------------------------------------------------------
Wed Jan 15 20:34:50 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Build with support for pcre, protobuf, rpki and zeromq by default
-------------------------------------------------------------------
Wed Jan 15 14:34:59 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
- Cleanup spec file
-------------------------------------------------------------------
Sun Jan 12 09:40:39 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Fix build-time dependencies
- Remove superflous comments
-------------------------------------------------------------------
Wed Dec 11 23:18:06 UTC 2019 - Erico Mendonca <erico.mendonca@suse.com>
- fix_tests.patch: correct syntax for Python 3 imports in tests.
- Enabling tests
-------------------------------------------------------------------
Wed Dec 11 02:37:42 UTC 2019 - erico.mendonca@suse.com
- Update to version frr7.2:
* zebra: use correct state when installing evpn macs
* lib: set entry to xpath in if_update_to_new_vrf
* zebra: capture dplane plugin flags
* bgpd: Autocomplete neighbor for clear bgp
* ospfd,eigrpd: don't take address of packed struct member
* bgpd: Prevent crash in bgp_table_range_lookup
* bgpd: Fix memory leak in json output of show commands
* tests: Test if `distance bgp (1-255) (1-255) (1-255)` works
* bgpd: Reflect the distance in RIB when it is changed for an arbitrary afi/safi
* bfdd: fix multiple VRF handling
-------------------------------------------------------------------
Tue Dec 10 12:58:21 UTC 2019 - Erico Mendonca <erico.mendonca@suse.com>
- Updating to version 7.2
- Adding systemd scripts
- Fixing build and permission issues
-------------------------------------------------------------------
Tue Jun 18 08:59:05 UTC 2019 - Martin Hauke <mardnh@gmx.de>
- Update to version 7.0.1
-------------------------------------------------------------------
Sat Feb 2 13:50:16 UTC 2019 - mardnh@gmx.de
- Initial package, version 6.0.2

505
frr.spec Normal file
View File

@ -0,0 +1,505 @@
#
# spec file for package frr
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2019-2021, Martin Hauke <mardnh@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%bcond_with cumulus
%bcond_with datacenter
%bcond_with mininet
%bcond_with grpc
%define frr_user frr
%define frr_group frr
%define frrvty_group frrvty
%define frr_home %{_localstatedir}/lib/%{name}
%define frr_statedir %{_rundir}/%{name}
%define frr_daemondir %{_prefix}/lib/frr
Name: frr
Version: 10.0.1
Release: 0
Summary: The FRRouting Protocol Suite
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: Productivity/Networking/System
URL: https://www.frrouting.org
#Git-Clone: https://github.com/FRRouting/frr.git
Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
Source1: %{name}-tmpfiles.d
Patch0: harden_frr.service.patch
Patch1: 0001-disable-zmq-test.patch
Patch2: 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison >= 2.7
BuildRequires: flex
BuildRequires: libtool
BuildRequires: makeinfo
BuildRequires: python3-Sphinx
BuildRequires: python3-devel
BuildRequires: python3-pytest
%if %{with mininet}
BuildRequires: mininet
%endif
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: python-rpm-macros
BuildRequires: readline-devel
BuildRequires: systemd-rpm-macros
%if %{with grpc}
BuildRequires: pkgconfig(grpc)
%endif
BuildRequires: pkgconfig(json-c)
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libelf)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libprotobuf-c)
%if 0%{?sle_version} == 150500
BuildRequires: libprotoc25_1_0
BuildRequires: libyang1
%endif
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libyang) >= 2.0.0
BuildRequires: pkgconfig(libzmq) >= 4.0.0
BuildRequires: pkgconfig(rtrlib) >= 0.5.0
BuildRequires: pkgconfig(sqlite3)
Requires(post): %{install_info_prereq}
Requires(pre): %{install_info_prereq}
Requires(pre): shadow
Requires(preun):%{install_info_prereq}
Recommends: logrotate
Conflicts: quagga
Provides: zebra = %{version}
Obsoletes: zebra < %{version}
Provides: group(%{frr_group})
Provides: group(%{frrvty_group})
Provides: user(%{frr_user})
%description
FRR is free software that implements and manages various IPv4 and IPv6 routing protocols.
FRR currently supports the following protocols:
- BGP
- OSPFv2
- OSPFv3
- RIPv1
- RIPv2
- RIPng
- IS-IS
- PIM-SM/MSDP
- LDP
- BFD
- Babel
- PBR
- OpenFabric
- VRRP
- EIGRP (alpha)
- NHRP (alpha)
%package -n libfrrfpm_pb0
Summary: FRRouting fpm protobuf library
Group: System/Libraries
%description -n libfrrfpm_pb0
This library contains forwarding plane manager protobuf definitions
for FRRouting.
%package -n libfrr_pb0
Summary: FRRouting protobuf library
Group: System/Libraries
%description -n libfrr_pb0
This library contains protobuf memory management for FRRouting..
%if %{with grpc}
%package -n libfrrgrpc_pb0
Summary: FRRouting grpc protobuf library
Group: System/Libraries
%description -n libfrrgrpc_pb0
This library contains grpc protobuf definitions for FRRouting.
%endif
%package -n libfrrospfapiclient0
Summary: API for FRRouting's OSPFv2 implementation
Group: System/Libraries
%description -n libfrrospfapiclient0
This library contains part of the OSPFv2 implementation of FRRouting.
%package -n libfrrsnmp0
Summary: FRRouting snmp library
Group: System/Libraries
%description -n libfrrsnmp0
This library contains part of the net-snmp agentx implementation of FRRouting.
%package -n libfrrzmq0
Summary: FRRouting zeromq library
Group: System/Libraries
%description -n libfrrzmq0
This library contains part of the zermomq implementation of FRRouting.
%package -n libfrr0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libfrr0
This library contains various utility functions to FRRouting, such as
data types, buffers and socket handling.
%package -n libfrrcares0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libfrrcares0
This library contains various utility functions to FRRouting, such as
data types, buffers and socket handling.
%package -n libmgmt_be_nb0
Summary: FRRouting utility library
Group: System/Libraries
%description -n libmgmt_be_nb0
This library contains part of the mgmt_be implementation of FRRouting.
%package devel
Summary: Header and object files for frr development
Group: Development/Libraries/C and C++
Requires: libfrr0 = %{version}
Requires: libfrr_pb0 = %{version}
Requires: libfrrcares0 = %{version}
Requires: libfrrfpm_pb0 = %{version}
%if %{with grpc}
Requires: libfrrgrpc_pb0 = %{version}
%endif
Requires: libfrrospfapiclient0 = %{version}
Requires: libfrrsnmp0 = %{version}
Requires: libfrrzmq0 = %{version}
Requires: libmgmt_be_nb0 = %{version}
%description devel
The frr-devel package contains the header and object files necessary for
developing OSPF-API and frr applications.
%prep
%autosetup -n %{name}-%{name}-%{version} -p1
%build
# GCC LTO objects must be "fat" to avoid assembly errors
export CFLAGS="-ffat-lto-objects"
autoreconf -fiv
%configure \
--disable-silent-rules \
--sysconfdir=%{_sysconfdir}\
--localstatedir=%{_rundir} \
--sbindir=%{frr_daemondir} \
--with-moduledir=%{_libdir}/frr/modules \
--disable-static \
--with-vtysh-pager=%{_bindir}/less \
--enable-user=%{frr_user} \
--enable-group=%{frr_group} \
--enable-vty-group=%{frrvty_group} \
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-doc \
--enable-doc-html \
--enable-babeld \
--enable-bfdd \
--enable-bgpd \
--enable-bgp-vnc \
%if %{with cumulus}
--enable-cumulus \
%endif
%if %{with datacenter}
--enable-datacenter \
%endif
--enable-eigrpd \
--enable-fpm \
--enable-irdp \
--enable-isisd \
--enable-ldpd \
--enable-multipath=256 \
--enable-nhrpd \
--enable-snmp \
--enable-zeromq \
--enable-ospfd \
--enable-ospf6d \
--enable-ospfapi \
--enable-ospfclient \
--with-libpam \
--enable-pbrd \
--enable-pimd \
--enable-pim6d \
--enable-protobuf \
--enable-ripd \
--enable-ripngd \
--enable-rpki \
--enable-rtadv \
--enable-sharpd \
--enable-staticd \
--enable-vtysh \
--enable-watchfrr \
--enable-zebra \
--enable-realms \
--enable-shell-access \
--with-crypto=openssl \
--enable-config-rollbacks \
%if %{with grpc}
--enable-grpc
%endif
make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
%install
make DESTDIR=%{buildroot} INSTALL="install -p" CP="cp -p" install
perl -p -i -e 's|#!/usr/bin/python|#!/usr/bin/python3|g' %{buildroot}/usr/lib/frr/{frr-reload.py,generate_support_bundle.py}
find %{buildroot} -type f -name "*.la" -delete -print
install -d %{buildroot}%{_sysconfdir}/frr
install -d %{buildroot}/%{_docdir}/%{name}
mv %{buildroot}/%{_datadir}/doc/frr/html %{buildroot}/%{_docdir}/%{name}
# remove stray buildinfo files
find %{buildroot}/%{_docdir}/%{name} -type f -name .buildinfo -delete
# systemd init scripts
install -D -m 0644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
# add rpki module to daemon
sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
%if 0%{?suse_version} > 1500
mkdir -p %{buildroot}%{_pam_vendordir}
install -D -m 0644 redhat/frr.pam %{buildroot}%{_pam_vendordir}/frr
%else
install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
%endif
%if 0%{?suse_version} > 1500
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
%else
install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
%endif
install -d -m 0750 %{buildroot}%{rundir}
install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/%{name}.conf
sed -e "s|@frr_statedir@|%{frr_statedir}|g" -i %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -d %{buildroot}%{_sbindir}
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcfrr
rm -f %{buildroot}%{frr_daemondir}/ssd
cat > %{buildroot}%{_sysconfdir}/frr/frr.conf << __EOF__
!hostname frr
!password frr
!enable password frr
log file %{_localstatedir}/log/frr/frr.log
__EOF__
cat > %{buildroot}%{_sysconfdir}/frr/vtysh.conf << __EOF__
! vtysh is using PAM authentication allowing root to use it.
__EOF__
%check
make %{?_smp_mflags} -C tests
%pre
# Create frr user/groups
getent group %{frr_group} >/dev/null || groupadd -r %{frr_group}
getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
%service_add_pre %{name}.service
%if 0%{?suse_version} > 1500
# Prepare for migration to /usr/etc; save any old .rpmsave
for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%endif
%posttrans
%if 0%{?suse_version} > 1500
# Migration to /usr/etc, restore just created .rpmsave
for i in logrotate.d/frr pam.d/frr ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%endif
%post
%service_add_post %{name}.service
%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf || true
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%install_info_delete --info-dir=%{_infodir} %{_infodir}/frr.info%{ext_info}
%post -n libfrr_pb0 -p /sbin/ldconfig
%postun -n libfrr_pb0 -p /sbin/ldconfig
%if %{with grpc}
%post -n libfrrgrpc_pb0 -p /sbin/ldconfig
%postun -n libfrrgrpc_pb0 -p /sbin/ldconfig
%endif
%post -n libfrrfpm_pb0 -p /sbin/ldconfig
%postun -n libfrrfpm_pb0 -p /sbin/ldconfig
%post -n libfrrospfapiclient0 -p /sbin/ldconfig
%postun -n libfrrospfapiclient0 -p /sbin/ldconfig
%post -n libfrrsnmp0 -p /sbin/ldconfig
%postun -n libfrrsnmp0 -p /sbin/ldconfig
%post -n libfrrzmq0 -p /sbin/ldconfig
%postun -n libfrrzmq0 -p /sbin/ldconfig
%post -n libfrr0 -p /sbin/ldconfig
%postun -n libfrr0 -p /sbin/ldconfig
%post -n libfrrcares0 -p /sbin/ldconfig
%postun -n libfrrcares0 -p /sbin/ldconfig
%post -n libmgmt_be_nb0 -p /sbin/ldconfig
%postun -n libmgmt_be_nb0 -p /sbin/ldconfig
%files
%license COPYING
%doc README.md
%doc doc/mpls
%dir %attr(750,%{frr_user},%{frr_user}) %{_sysconfdir}/%{name}
%config(noreplace) %attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/[!v]*.conf*
%config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
%if 0%{?suse_version} > 1500
%{_pam_vendordir}/frr
%else
%config(noreplace) %{_sysconfdir}/pam.d/frr
%endif
%if 0%{?suse_version} > 1500
%{_distconfdir}/logrotate.d/frr
%else
%config(noreplace) %{_sysconfdir}/logrotate.d/frr
%endif
%{_infodir}/frr.info%{?ext_info}
%{_mandir}/man?/*
%{_docdir}/%{name}/html
%{_unitdir}/%{name}.service
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/%{name}.conf
%dir %attr(-,%{frr_user},%{frr_group}) %{_localstatedir}/log/frr
%dir %attr(-,%{frr_user},%{frr_group}) %ghost %{frr_statedir}
%{_sbindir}/rc%{name}
%dir %{_prefix}/lib/frr
%{_prefix}/lib/frr/fabricd
%{_prefix}/lib/frr/vrrpd
%{_datadir}/yang
%{_bindir}/mtracebis
%{_bindir}/vtysh
%{frr_daemondir}/babeld
%{frr_daemondir}/bfdd
%{frr_daemondir}/bgpd
%{frr_daemondir}/eigrpd
%{frr_daemondir}/frr
%{frr_daemondir}/frr-reload
%{frr_daemondir}/frr-reload.py
%{frr_daemondir}/frr_babeltrace.py
%{frr_daemondir}/frrcommon.sh
%{frr_daemondir}/frrinit.sh
%{frr_daemondir}/isisd
%{frr_daemondir}/ldpd
%{frr_daemondir}/mgmtd
%{frr_daemondir}/nhrpd
%{frr_daemondir}/ospfclient.py
%{frr_daemondir}/ospf6d
%{frr_daemondir}/ospfd
%{frr_daemondir}/pathd
%{frr_daemondir}/pbrd
%{frr_daemondir}/pimd
%{frr_daemondir}/pim6d
%{frr_daemondir}/ripd
%{frr_daemondir}/ripngd
%{frr_daemondir}/sharpd
%{frr_daemondir}/staticd
%{frr_daemondir}/watchfrr
%{frr_daemondir}/watchfrr.sh
%{frr_daemondir}/zebra
%dir %{_libdir}/frr
%dir %{_libdir}/frr/modules
%{_libdir}/frr/modules/zebra_cumulus_mlag.so
%{_libdir}/frr/modules/zebra_fpm.so
%{_libdir}/frr/modules/zebra_irdp.so
%{_libdir}/frr/modules/pathd_pcep.so
%{_libdir}/frr/modules/bgpd_rpki.so
%if %{with grpc}
%{_libdir}/frr/modules/grpc.so
%endif
%{_libdir}/frr/modules/dplane_fpm_nl.so
%{_libdir}/frr/modules/bgpd_bmp.so
%{_prefix}/lib/frr/generate_support_bundle.py
%files -n libfrr_pb0
%{_libdir}/libfrr_pb.so.0*
%files -n libfrrfpm_pb0
%{_libdir}/libfrrfpm_pb.so.0*
%if %{with grpc}
%files -n libfrrgrpc_pb0
%{_libdir}/libfrrgrpc_pb.so.0*
%endif
%files -n libfrrospfapiclient0
%{_libdir}/libfrrospfapiclient.so.0*
%files -n libfrrsnmp0
%{_libdir}/libfrrsnmp.so.0*
%{_libdir}/frr/modules/*_snmp.so
%files -n libfrrzmq0
%{_libdir}/libfrrzmq.so.0*
%files -n libfrr0
%{_libdir}/libfrr.so.0*
%files -n libfrrcares0
%{_libdir}/libfrrcares.so.0*
%files -n libmgmt_be_nb0
%{_libdir}/libmgmt_be_nb.so.0*
%files devel
%dir %{_includedir}/%{name}
%{_includedir}/%{name}/*.h
%dir %{_includedir}/%{name}/ospfd
%{_includedir}/%{name}/ospfd/*.h
%dir %{_includedir}/%{name}/ospfapi
%{_includedir}/%{name}/ospfapi/*.h
%dir %{_includedir}/%{name}/eigrpd
%{_includedir}/%{name}/eigrpd/*.h
%dir %{_includedir}/%{name}/bfdd
%{_includedir}/%{name}/bfdd/*.h
%{_libdir}/lib*.so
%changelog

42
harden_frr.service.patch Normal file
View File

@ -0,0 +1,42 @@
Index: frr-frr-8.1/tools/frr.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr.service.in
+++ frr-frr-8.1/tools/frr.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all
Index: frr-frr-8.1/tools/frr@.service.in
===================================================================
--- frr-frr-8.1.orig/tools/frr@.service.in
+++ frr-frr-8.1/tools/frr@.service.in
@@ -7,6 +7,16 @@ Before=network.target
OnFailure=heartbeat-failed@%n
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ReadWritePaths=/etc/frr
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Nice=-5
Type=forking
NotifyAccess=all