BGP strict bind socket error
Ondrej Zajicek
santiago at crfreenet.org
Sun Jan 9 03:41:50 CET 2022
On Wed, Dec 29, 2021 at 06:11:32PM +0100, Alexander Zubkov wrote:
> Yes, probably it is ok to use it by default, at least in our case we
> use it always-on (as in attached patch). Only in this case it may be
> better to lower the log level for it than for the cases when it does
> not work.
> With default on there may be cases when someone will be surprised to
> see the bird listening on nonexistent address in netstat. And maybe
> someone has some sort of security concerns with it, then please speak
> now or forever hold your peace. :)
Thanks, merged (the first patch). After all, I made it a 'free bind' BGP
option, disabled by default [*], applying SKF_FREEBIND to the listening
socket. But your second patch enabled SKF_FREEBIND for both the listening and
the active socket. I see reasons for the listening one, but why do it for
the active socket (in bgp_connect())?
[*] commit 60e9def9ef7b5d16f868b0fb4ab1192d59fd7541
> I looked a bit about the FreeBSD, but there are different options for
> it and it can probably be disabled with sysctl there. So I thought it
> would be better if some people with more FreeBSD (or other *BSD)
> experience updated this part later.
Yes, after some research it seems that it is not an equivalent option.
> diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
> index e4d754b1..5d985e25 100644
> --- a/proto/bgp/bgp.c
> +++ b/proto/bgp/bgp.c
> @@ -180,7 +180,7 @@ bgp_open(struct bgp_proto *p)
> sk->sport = port;
> sk->iface = ifa;
> sk->vrf = p->p.vrf;
> - sk->flags = 0;
> + sk->flags = SKF_FREEBIND;
> sk->tos = IP_PREC_INTERNET_CONTROL;
> sk->rbsize = BGP_RX_BUFFER_SIZE;
> sk->tbsize = BGP_TX_BUFFER_SIZE;
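Review bot: in bgp_open(), `sk->flags = SKF_FREEBIND;` enables free bind unconditionally on the listening socket, so a mistyped or not yet configured local address no longer fails at bind time and the daemon ends up listening on an address the host does not own. Set SKF_FREEBIND only when a per-protocol configuration option, off by default, is enabled, keep `sk->flags = 0;` otherwise, and document the option together with the fact that a bind error then stops being a signal of a wrong address.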
> @@ -1117,6 +1117,7 @@ bgp_connect(struct bgp_proto *p) /* Enter Connect state and start establishing c
> s->dport = p->cf->remote_port;
> s->iface = p->neigh ? p->neigh->iface : NULL;
> s->vrf = p->p.vrf;
> + s->flags = SKF_FREEBIND;
> s->ttl = p->cf->ttl_security ? 255 : hops;
> s->rbsize = p->cf->enable_extended_messages ? BGP_RX_BUFFER_EXT_SIZE : BGP_RX_BUFFER_SIZE;
> s->tbsize = p->cf->enable_extended_messages ? BGP_TX_BUFFER_EXT_SIZE : BGP_TX_BUFFER_SIZE;
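Review bot: in bgp_connect(), the added `s->flags = SKF_FREEBIND;` applies free bind to the active (outgoing) socket too, and nothing in the hunk or in the description says why that is needed; the discussion only covers the daemon listening on a not yet existing address. Drop this line unless there is a concrete case for it. If it stays, put it under the same option as the listening socket and add a comment stating its purpose, and check that the plain assignment does not overwrite a flag set earlier in the function.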
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."