Quagga OSPF bug: no redistribution networks are written in wrong order

Reiner030

Hi,

here the patch to fix it ;)

(I must disallow distribution public routes which are in kernel routes … so my firewalls can't reach themselfes over the right interface)


*** /usr/local/pkg/quagga_ospfd.inc.orig        Sun Feb 17 07:05:10 2013
--- /usr/local/pkg/quagga_ospfd.inc     Sun Feb 17 07:06:11 2013
*************** function quagga_ospfd_install_conf() {
*** 215,225 ****
                        $conffile .= $redist;

                if (!empty($noredist)) {
                        $conffile .= "  distribute-list dnr-list out connected\n";
                        $conffile .= "  distribute-list dnr-list out kernel\n";
                        $conffile .= "  distribute-list dnr-list out static\n";
                        //$conffile .= "  distribute-list dnr-list out ospf\n";
-                       $conffile .= $noredist;
                        $conffile .= "  access-list dnr-list permit any\n";
                }

--- 215,225 ----
                        $conffile .= $redist;

                if (!empty($noredist)) {
+                       $conffile .= $noredist;
                        $conffile .= "  distribute-list dnr-list out connected\n";
                        $conffile .= "  distribute-list dnr-list out kernel\n";
                        $conffile .= "  distribute-list dnr-list out static\n";
                        //$conffile .= "  distribute-list dnr-list out ospf\n";
                        $conffile .= "  access-list dnr-list permit any\n";
                }

Bests

Reiner

jimp

Committed, thanks!

keysers0ze

Hi,

good info.. struggling with same thing.. Trying to disable redistribution of public ip's …

How / what do i need to do to update quagga packages -> update files with scp -> reinstall package or ?
Where to get modified files -> https://github.com/pfsense/pfsense-packages/tree/master/config/quagga_ospfd ?
Im running fresh vm-install:

2.0.2-RELEASE (amd64)
built on Fri Dec 7 22:39:32 EST 2012
FreeBSD 8.1-RELEASE-p13

quagga:

0.99.20.1 v0.5.1

br.
.k

jimp

just click the 'pkg' button from the list and it will reinstall and pick up the change.

keysers0ze

@jimp:

just click the 'pkg' button from the list and it will reinstall and pick up the change.

ok. thanks. its done now.. im still having difficulties with "disabling redistribution":

im trying to disable wan network not to redistribute to another pfsense…

If select "disable redistribution" | 85.20.0.0/24 | 0.0.0.0 |
status page of ospfd says:

"ospfd does not appear to be running"

br.
.k

jimp

That may be a completely separate error from this. It may be best to start a fresh thread and include copies of your quagga configs from /usr/local/etc/ and any logs from quagga/zebra in /var/log/system.log (2.0.x) or /var/log/routing.log (2.1)

Reiner030

@jimp:

That may be a completely separate error from this. It may be best to start a fresh thread and include copies of your quagga configs from /usr/local/etc/ and any logs from quagga/zebra in /var/log/system.log (2.0.x) or /var/log/routing.log (2.1)

Hi,

I have something equal problem… (howto create a new thread out of this additional question?^^)
Since I updated last time my router IDs pfsense won't start again.

=> http://forum.pfsense.org/index.php/topic,59103.msg318308.html#msg318308

[2.0.1-RELEASE][root@fw1.jws1.local]/root(10): clog /var/log/system.log | grep -e ospf -e zebra
Feb 25 21:40:01 fw1 zebra[57194]: Zebra 0.99.20.1 starting: vty@2601
Feb 25 21:40:01 fw1 zebra[57194]: Zebra 0.99.20.1 starting: vty@2601
Feb 25 21:40:01 fw1 ospfd[57429]: ASBR[Status:1]: Update
Feb 25 21:40:01 fw1 ospfd[57429]: ASBR[Status:2]: Update
Feb 25 21:40:01 fw1 ospfd[57429]: ASBR[Status:2]: Already ASBR

Mmh, perhaps this is the problem? Before last update there where configs in this directory (ospfd.conf and zebra.conf)

[2.0.1-RELEASE][root@fw1.jws1.local]/root(11): ls -la /usr/local/etc/quagga/
total 4
drwxr-xr-x 2 quagga quagga 512 Feb 24 20:35 .
drwxr-xr-x 14 root wheel 512 Feb 24 20:35 ..

ah no… they stay still in

[2.0.1-RELEASE][root@fw1.jws1.local]/root(14): ls -la /var/etc/quagga/
total 8
drwxr-xr-x 2 quagga quagga 512 Feb 20 22:47 .
drwxr-xr-x 8 root wheel 1024 Feb 25 20:05 ..
-rw–----- 1 quagga quagga 625 Feb 25 21:40 ospfd.conf
-rw------- 1 quagga quagga 100 Feb 25 21:40 zebra.conf

[2.0.1-RELEASE][root@fw1.jws1.local]/root(15): cat /var/etc/quagga/zebra.conf

This file was created by the pfSense package manager. Do not edit!

password secret
log syslog

[2.0.1-RELEASE][root@fw1.jws1.local]/root(16): cat /var/etc/quagga/ospfd.conf

This file was created by the pfSense package manager. Do not edit!

password secret
log syslog
interface lagg1_vlan6
ip ospf hello-interval 1
ip ospf authentication-key net-secret
ip ospf priority 255
ip ospf retransmit-interval 3
ip ospf dead-interval 5

router ospf
ospf router-id 192.168.6.2
log-adjacency-changes detail
redistribute connected
redistribute static
network 192.168.6.0/24 area 192.168.6.0
access-list dnr-list deny xx.xx.176.0/24
distribute-list dnr-list out connected
distribute-list dnr-list out kernel
distribute-list dnr-list out static
access-list dnr-list permit any

Only pass changed and IP xx-ed but they worked before update… changing back didn't helped.

Bests

Reiner

rubic

@jimp:

That may be a completely separate error from this.

I think the error is this commit related. While Quagga OSPF 0.99.20.1 v0.5.0 works fine in my production environment, in my fresh test setup with Quagga OSPF 0.99.20.1 v0.5.1 any value in the "Disable Redistribution" field prevents the service to start.
Here is pfSense console after reboot:

The service starts smoothly when "Disable Redistribution" is blank.
Regards

jimp

I moved the syntax back the other way since it does not seem to be valid in the other order. I'm not sure how the patch in the first post solved the OP's problem, if quagga won't even run with the commands ordered that way.

Reiner030

@rubic:

@jimp:

That may be a completely separate error from this.

I think the error is this commit related. While Quagga OSPF 0.99.20.1 v0.5.0 works fine in my production environment, in my fresh test setup with Quagga OSPF 0.99.20.1 v0.5.1 any value in the "Disable Redistribution" field prevents the service to start.

Ah this way I can try it, too:

[2.1-BETA1][root@fw1.zws8.local]/root(134): /usr/local/bin/quaggactl start
There is no such command.
Error occured during reading below line.
distribute-list dnr-list out connected

mmmh… I've tested my patch and it worked with several config modifications/reboots in my test setup... so a little surprising that it's now damaging OSPF package... sorry.

Without my above fix it works again.

router ospf
  ospf router-id 192.168.6.3
  log-adjacency-changes detail
  redistribute connected
  redistribute static
  network 192.168.6.0/24 area 192.168.6.0
  distribute-list dnr-list out connected
  distribute-list dnr-list out kernel
  distribute-list dnr-list out static
  access-list dnr-list deny xx.xx.176.0/24
  access-list dnr-list permit any

One problem / unknown difference:
I have one stable/old pfSense 2.0.1 pair and actual pfSense 2.1-BETA1 pair on other side…
The stable version didn't redistribute the network:

[2.0.1-RELEASE][root@fw1.jws1.local]/root(133): vtysh

fw1.jws1.local# sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 91.102.12.193, lagg0_vlan2
O xx.xx.176.0/24 [110/20] via 192.168.6.12, lagg1_vlan6, 00:31:09
via 192.168.6.13, lagg1_vlan6, 00:31:09
C * xx.xx.176.0/24 is directly connected, vip47
C>* xx.xx.176.0/24 is directly connected, lagg0_vlan7
C>* xx.xx.176.4/32 is directly connected, vip40
C>* xx.xx.176.7/32 is directly connected, vip49
…

but BETA does?

[2.1-BETA1][root@fw1.zws8.local]/root(139): vtysh

fw1.zws8.local# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route

K>* 0.0.0.0/0 via xx.xx.176.254, lagg0_vlan7
O xx.xx.176.0/24 [110/20] via 192.168.6.13, lagg0_vlan6, 00:24:14
C * xx.xx.176.0/24 is directly connected, opt14_vip120
C * xx.xx.176.0/24 is directly connected, opt14_vip117
C * xx.xx.176.0/24 is directly connected, opt14_vip103
C * xx.xx.176.0/24 is directly connected, opt14_vip119
C * xx.xx.176.0/24 is directly connected, opt14_vip118
C * xx.xx.176.0/24 is directly connected, opt14_vip116
C * xx.xx.176.0/24 is directly connected, opt14_vip115
C * xx.xx.176.0/24 is directly connected, opt14_vip114
C * xx.xx.176.0/24 is directly connected, opt14_vip109
C>* xx.xx.176.0/24 is directly connected, lagg0_vlan7
…

I tested before only with BETA versions… and got problems with public routing.
(1st firewall pair got .1/.2/.3, 2nd fw pair .254/.253/.252)
Because without this "Disable Redistribution" of this public network the firewalls didn't saw itselfes and therefore shutting down their gateways.

ah... different BSD package versions which causes the problem:
2.0.1 => Hello, this is Quagga (version 0.99.20.1).
2.1-BETA1 => Hello, this is Quagga (version 0.99.21).

so please remove my patch… and we must search for other places to patch the behavior in package for 2.1...
Thanks.

Bests

Reiner