bgpd: Validate only affected RPKI prefixes instead of a full RIB

Before this fix, if rpki_sync_socket_rtr socket returns EAGAIN, then ALL routes in the RIB are revalidated which takes lots of CPU and some unnecessary traffic, e.g. if using BMP servers. With a full feed it would waste 50-80Mbps.

Instead we should try to drain an existing pipe (another end), and revalidate only affected prefixes.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Reproducible: Always
Affected: <net-misc/frr-9.1.3 <net-misc/frr-10.0.3 <net-misc/frr-10.1.2 <net-misc/frr-10.2.1

Workaround: Don't use RPKI.

That said, the versions also fix some memory leaks.
Mistake: 9.1.2 is not affected, 9.1.3 seems to just be a standard release. So all affected versions are currently ~ at best. Was aiming to stable 10.0.x and 10.1.x during Jan, but with this that had better stand over to Feb.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9878308a7ede6ea0b3c463bc07df9d9c9ac7d471

commit 9878308a7ede6ea0b3c463bc07df9d9c9ac7d471
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2025-01-06 19:43:29 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2025-02-05 11:13:10 +0000

    net-misc/frr: add 10.0.3, drop 10.0.2 - CVE-2024-55553

    Bug: https://bugs.gentoo.org/947630
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 net-misc/frr/Manifest                                  | 2 +-
 net-misc/frr/{frr-10.0.2.ebuild => frr-10.0.3.ebuild} | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=379f9bff317efa7fb9ad21fcda9c8c4b3255c3b9

commit 379f9bff317efa7fb9ad21fcda9c8c4b3255c3b9
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2025-01-06 19:38:28 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2025-02-05 11:13:09 +0000

    net-misc/frr: add 10.1.2, drop 10.1.1 - CVE-2024-55553

    Bug: https://bugs.gentoo.org/947630
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 net-misc/frr/Manifest                                  | 2 +-
 net-misc/frr/{frr-10.1.1.ebuild => frr-10.1.2.ebuild} | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfa2681eb2aeb7381495dbe7ebc062781471ccc5

commit cfa2681eb2aeb7381495dbe7ebc062781471ccc5
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-12-02 12:36:27 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2025-02-05 11:13:09 +0000

    net-misc/frr: add 10.2.1 - CVE-2024-55553

    Bug: https://bugs.gentoo.org/947630
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 net-misc/frr/Manifest          |   1 +
 net-misc/frr/frr-10.2.1.ebuild | 149 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 150 insertions(+)
Did we want to stable 10.2.1 to make versioning a bit easier or no?
There are differences in terms of features and stuff between different versions. I've currently got 10.0, 10.1 and 10.2 deployed in different environments. As per discussion with co-maintainer we want to push everything to 10.2, but we don't want to make the stable jumps too big. So for the moment we've only just stabled 10.1:

Keywords for net-misc/frr:
       |                             |   u        |
       | a   a     p s   a l   r     |   n        |
       | m   r h   p p   l o m i s m | e u s      | r
       | d a m p p c a x p o i s 3 6 | a s l      | e
       | 6 r 6 p p 6 r 8 h n p c 9 8 | p e o      | p
       | 4 m 4 a c 4 c 6 a g s v 0 k | i d t      | o
-------+-----------------------------+------------+-------
9.1.2  | + o ~ o o o o ~ o o o o o o | 8 o 0/9.1  | gentoo
9.1.3  | ~ o ~ o o o o ~ o o o o o o | 8 o        | gentoo
-------+-----------------------------+------------+-------
10.0.3 | + o ~ o o o o ~ o o o o o o | 8 o 0/10.0 | gentoo
-------+-----------------------------+------------+-------
10.1.2 | + o ~ o o o o ~ o o o o o o | 8 o 0/10.1 | gentoo
-------+-----------------------------+------------+-------
10.2.1 | ~ o ~ o o o o ~ o o o o o o | 8 o 0/10.2 | gentoo

Of course, https://github.com/gentoo/gentoo/pull/41206 does affect this, but IMHO doesn't affect the action required here. You can ignore the 9.1 slot as the PR does nuke that.

PR does: net-misc/frr +10.1.3,10.2.2,10.3, -9.1.*

I hope this helps.