BGP strict bind socket error

Alexander Zubkov green at qrator.net
Sun Jan 9 09:10:54 CET 2022


On Sun, Jan 9, 2022 at 3:41 AM Ondrej Zajicek <santiago at crfreenet.org> wrote:
>
> On Wed, Dec 29, 2021 at 06:11:32PM +0100, Alexander Zubkov wrote:
> > Yes, probably it is ok to use it by default, at least in our case we
> > use it always-on (as in attached patch). Only in this case it may be
> > better to lower the log level for it than for the cases when it does
> > not work.
> > With default on there may be cases when someone will be surprised to
> > see the bird listening on nonexistent address in netstat. And maybe
> > someone has some sort of security concerns with it, then please speak
> > now or forever hold your peace. :)
>
> Thanks, merged (the first patch). After all, I made it a 'free bind' BGP
> option, disabled by default [*], applying SKF_FREEBIND to the listening
> socket. But your second patch enabled SKF_FREEBIND for both listening and
> active sockets; I see reasons for the listening one, but why do it for
> the active socket (in bgp_connect())?

Cool, thanks!

Now that you asked this question, I think there is really no reason
for that. :) It receives an error anyway if it is IP_FREEBIND and not
IP_TRANSPARENT, when trying to connect. Maybe I was worried that BIRD
could put the protocol down when trying to connect too and added it
there just in case.


>
> [*] commit 60e9def9ef7b5d16f868b0fb4ab1192d59fd7541
>
>
> > I looked a bit about the FreeBSD, but there are different options for
> > it and it can probably be disabled with sysctl there. So I thought it
> > would be better if some people with more FreeBSD (or other *BSD)
> > experience updated this part later.
>
> Yes, after some research it seems that it is not an equivalent option.
>
>
> > diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
> > index e4d754b1..5d985e25 100644
> > --- a/proto/bgp/bgp.c
> > +++ b/proto/bgp/bgp.c
> > @@ -180,7 +180,7 @@ bgp_open(struct bgp_proto *p)
> >    sk->sport = port;
> >    sk->iface = ifa;
> >    sk->vrf = p->p.vrf;
> > -  sk->flags = 0;
> > +  sk->flags = SKF_FREEBIND;
> >    sk->tos = IP_PREC_INTERNET_CONTROL;
> >    sk->rbsize = BGP_RX_BUFFER_SIZE;
> >    sk->tbsize = BGP_TX_BUFFER_SIZE;
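Review bot: `sk->flags = SKF_FREEBIND;` hard-codes free bind for every BGP listening socket with no way to opt out, which is exactly the netstat surprise and the possible security concern raised earlier in this thread; suggest deriving it from a per-protocol config option that defaults to off (a hypothetical `sk->flags = p->cf->free_bind ? SKF_FREEBIND : 0;`, field name not on the page), which matches the 'free bind' option Ondrej describes merging. Since the thread also notes there is no equivalent option on FreeBSD, the sysio layer should ignore the flag there without taking the protocol down, and the corresponding log message deserves a lower level, as the first quoted reply already suggests.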
> > @@ -1117,6 +1117,7 @@ bgp_connect(struct bgp_proto *p)        /* Enter Connect state and start establishing c
> >    s->dport = p->cf->remote_port;
> >    s->iface = p->neigh ? p->neigh->iface : NULL;
> >    s->vrf = p->p.vrf;
> > +  s->flags = SKF_FREEBIND;
> >    s->ttl = p->cf->ttl_security ? 255 : hops;
> >    s->rbsize = p->cf->enable_extended_messages ? BGP_RX_BUFFER_EXT_SIZE : BGP_RX_BUFFER_SIZE;
> >    s->tbsize = p->cf->enable_extended_messages ? BGP_TX_BUFFER_EXT_SIZE : BGP_TX_BUFFER_SIZE;
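Review bot: `s->flags = SKF_FREEBIND;` on the active socket should be dropped; as the reply above concludes, IP_FREEBIND only relaxes bind(), and a connect() from a source address the host does not own still fails unless IP_TRANSPARENT is set, so the flag buys nothing in bgp_connect(). If it stays, note that this is a plain assignment, not `s->flags |= SKF_FREEBIND`, so it would silently clobber any flag set on `s` before this point (none is visible in the hunk).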
>
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
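The behaviour the reply above relies on (free bind helps bind() on the listening socket but does nothing for connect()), as an added example that is not BIRD's code: a Linux-only C probe in which the names `bound_socket` and `probe_free_bind`, the constructed non-local address 192.0.2.1 (TEST-NET-1) and the loopback peer on port 179 are this example's own assumptions. It shows a plain bind() to an unconfigured address being refused, the same bind() succeeding with IP_FREEBIND (what SKF_FREEBIND maps to on Linux) so the socket can listen, and a connect() from that free-bound source still failing.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>   /* IP_FREEBIND, IP_TRANSPARENT (Linux) */
#include <sys/socket.h>
#include <unistd.h>

#define NONLOCAL_ADDR "192.0.2.1"  /* constructed: TEST-NET-1, not configured on this host */
struct freebind_result {
    int plain_bind_errno;  /* bind() without IP_FREEBIND: EADDRNOTAVAIL expected */
    int freebind_bind_rc;  /* bind() with IP_FREEBIND: 0 expected */
    int listen_rc;         /* listen() on that socket: 0 expected */
    int connect_rc;        /* connect() from that source: -1 expected */
    int connect_errno;     /* kept for inspection; ENETUNREACH on Linux */
};

/* TCP socket bound to NONLOCAL_ADDR on an ephemeral port, or -1 with *err set. */
static int bound_socket(int freebind, int *err)
{
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET };
    inet_pton(AF_INET, NONLOCAL_ADDR, &sa.sin_addr);
    if (fd >= 0 &&
        (!freebind || setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) == 0) &&
        bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) { *err = 0; return fd; }
    *err = errno;
    if (fd >= 0) close(fd);
    return -1;
}

struct freebind_result probe_free_bind(void)
{
    struct freebind_result r = { 0 };
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(179) };
    int err, fd;
    /* 1. A plain bind() to an address the host does not own is refused. */
    if ((fd = bound_socket(0, &r.plain_bind_errno)) >= 0) close(fd);
    /* 2. With IP_FREEBIND the listener (bgp_open()) comes up before the address exists. */
    r.freebind_bind_rc = (fd = bound_socket(1, &err)) < 0 ? -1 : 0;
    if (fd >= 0) { r.listen_rc = listen(fd, 1); close(fd); }
    /* 3. On the active socket (bgp_connect()) it buys nothing: the route lookup rejects
     *    a non-local source unless IP_TRANSPARENT (needs CAP_NET_ADMIN) is also set. */
    inet_pton(AF_INET, "127.0.0.1", &peer.sin_addr);
    fd = bound_socket(1, &err);
    r.connect_rc = fd < 0 ? -1 : connect(fd, (struct sockaddr *)&peer, sizeof peer);
    r.connect_errno = errno;
    if (fd >= 0) close(fd);
    return r;
}
```

The probe sends no packets: bind() and listen() succeed locally, and the connect() is rejected by the kernel's own route lookup before anything leaves the host.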

