| #
3a50f0a9 |
| 28-Dec-2022 |
jmc <jmc@openbsd.org> |
spelling fixes; from paul tagliamonte
any parts of his diff not taken are noted on tech
|
| #
6f8eff73 |
| 31-Aug-2022 |
claudio <claudio@openbsd.org> |
Make sure that only one roa softreconfig runner is run at any time.
If a run takes to long drop the current update and wait for the next update.
OK benno@
|
| #
30afc530 |
| 23-May-2022 |
deraadt <deraadt@openbsd.org> |
whitespaces found when I went checking for something else
|
| #
39386878 |
| 06-Feb-2022 |
claudio <claudio@openbsd.org> |
Switch from u_intX_t types to stdint.h uintX_t. Mostly mechanical with
a few reindents.
OK florian@ tb@
|
| #
ee3cba03 |
| 28-Jan-2022 |
claudio <claudio@openbsd.org> |
Must use unsigned 1 here since modern compilers can't shift a signed 1 by 31.
OK tb@ kettenis@
|
| #
7ff9bf35 |
| 30-Dec-2020 |
claudio <claudio@openbsd.org> |
Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last chan
Implement IMSG_CTL_SHOW_SET to get information about roa-set, as-sets and
prefix-sets loaded into the RDE. For now only the number of prefixes or
asnumbers are shown plus the time since the last change was done to the table.
OK benno@
show more ...
|
| #
6aa533f4 |
| 29-Dec-2020 |
claudio <claudio@openbsd.org> |
In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen
In preparation for RTR support change the representation of the roa-set
in the parent to a simple RB tree based on struct roa. With this overlapping
ROAs (same prefix & source-as but different maxlen) are now merged in the RDE
when the lookup trie is constructed.
OK benno@
show more ...
|
| #
e5b62a74 |
| 26-Oct-2018 |
claudio <claudio@openbsd.org> |
Track the amount of memory used for sets and tries (aka anything-set)
OK deraadt@
|
| #
6f1dba6e |
| 29-Sep-2018 |
claudio <claudio@openbsd.org> |
Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config
Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
show more ...
|
| #
d0605468 |
| 26-Sep-2018 |
claudio <claudio@openbsd.org> |
Use the same logic in trie_roa_check_v4 as in trie_roa_check_v6 when
checking that a source_as / maxlen combo actually fits.
Fixes regress test.
|
| #
59e404fb |
| 20-Sep-2018 |
claudio <claudio@openbsd.org> |
Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get
Split up as_set into a set_table and an as_set. The first is what does
the lookup and will now also be used in roa-set tries. The as_set is glue
to add the name and dirty flag. Add an accessor to get the set data so
that the imsg sending and printing can be moved into the right places.
This is done mainly because roa-sets need similar but slightly different
versions and making the code more generic is the best way fixing this.
OK benno@
show more ...
|
| #
4b62fd1a |
| 18-Sep-2018 |
claudio <claudio@openbsd.org> |
Backend for roa-sets. This combines as_sets and prefix-set tries to do
proper ROA checking. There is a new match function trie_roa_check which
does a trie traversal and looks for candidates and match
Backend for roa-sets. This combines as_sets and prefix-set tries to do
proper ROA checking. There is a new match function trie_roa_check which
does a trie traversal and looks for candidates and matches. If prefix
is not covered then ROA_UNKNOWN is returned, if prefix is covered by an
entry it will return ROA_INVALID unless the source-as / maxlen combo is
matching (ROA_VALID).
OK and input sthen@
show more ...
|
| #
451e36b1 |
| 10-Sep-2018 |
denis <denis@openbsd.org> |
fix typos
OK claudio@
|
| #
9ed42aa2 |
| 08-Sep-2018 |
benno <benno@openbsd.org> |
implement or-longer filter op for prefix-sets. Allows one two write rules like
deny from any prefix-set mynetworks or-longer
ok claudio, feature discussed with job and deraadt
|
| #
d1ecd085 |
| 07-Sep-2018 |
claudio <claudio@openbsd.org> |
The debug function trie_dump() should use stderr since that does not case
that much problem with the regress test which writes its stuff on stdout.
|
| #
9e173f29 |
| 07-Sep-2018 |
claudio <claudio@openbsd.org> |
Add missing htonl() else matching does not really work.
|
| #
a02daadd |
| 07-Sep-2018 |
claudio <claudio@openbsd.org> |
Implement a fast presix-set lookup. This magic trie is able to match a
prefix addr/plen to a prefix-set spec addr/plen prefixlen min - max (a
prefix including prefixlen range). Every addr/plen pair i
Implement a fast presix-set lookup. This magic trie is able to match a
prefix addr/plen to a prefix-set spec addr/plen prefixlen min - max (a
prefix including prefixlen range). Every addr/plen pair is a node in the
trie and the prefixlen is added as a bitmask to those nodes.
For the lookup the any match is OK, there is no need to do longest or
best prefix matching.
Inspiration for this solution comes from the way bird implements this
which was done by Ondrej Zajicek santiago (at) crfreenet.org
OK benno@
show more ...
|