Releases: FRRouting/frr
FRR Release 8.5.5
Fixed CVEs
Bug Fixes
bgpd
"default-originate" shouldn't withdraw non-default routes
Ensure community data is freed in some cases.
Ensure that the correct aspath is free'd
Fix error handling when receiving bgp prefix sid attribute
Fix format overflow for graceful-restart debug logs
Fix null argument warning
Include unsuppress-map as a valid outgoing policy
Make `suppress-fib-pending` clear peering
Prevent from one more cve triggering this place
doc
Add param range for graceful-restart helper supported-grace-time
isisd
Fix heap-after-free with prefix sid
Need to link directly against libyang
lib
Check for not being a blackhole route
Do not convert evpn prefixes into ipv4/ipv6 if not needed
nhrpd
Fix nhrp_peer leak
Fix race condition
Fix core dump on shutdown
ospf6d
Ospfv3 route change comparision fixed for asbr-only change
ospfd
Correct opaque lsa extended parser
Fix ospf dead-interval minimal hello-multiplier param range
Fix the bug where ip_ospf_dead-interval_minimal_hello-multiplier did not reset hello timer
Protect call to get_edge() in ospf_te.c
Solved crash in ri parsing with ospf te
pbrd
Fix pbr handling for last rule deletion
pimd
Fix crash unconfiguring rp keepalive timer
Fix crash when configuring ssmpingd
Fix dr-priority range
Fix null register before aging out reg-stop
Fix order of operations for evaluating join
Re-evaluated s,g oils upon rp changes and for empty sg upstream oils
tests
Check for 0.0.0.0/1 in bgp_default_route
vtysh
Show `ip ospf network ...` even if it's not the same as the interface type
zebra
Deny the routes if ip protocol cli refers to an undefined rmap
Fix crash if macvlan link in another netns
Fix nhg out of sync between zebra and kernel
Re-install dependent nhgs on interface up
Re-install nhg on interface up
The dplane_fpm_nl return path leaks memory
Full Changelog: frr-8.5.4...frr-8.5.5
FRR Release 8.4.5
Fixed CVEs
- CVE-2024-31950
- CVE-2024-31951
- CVE-2023-38802
- CVE-2023-46752
- CVE-2023-46753
- CVE-2023-47235
- CVE-2024-31948
Bug Fixes
babeld
Fix [#11808](https://github.com/FRRouting/frr/issues/11808) to avoid infinite loops
bgpd
Check mandatory attributes more carefully for update message
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Don't read the first byte of orf header if we are ahead of stream
Ensure community data is freed in some cases.
Ensure that the correct aspath is free'd
Evpn code was not properly unlocking rd_dest
Fix error handling when receiving bgp prefix sid attribute
Fix null argument warning
Fix session reset issue caused by malformed core attributes
Fix use beyond end of stream of labeled unicast parsing
Handle mp_reach_nlri malformed packets with session reset
Ignore handling nlris if we received mp_unreach_nlri
Include unsuppress-map as a valid outgoing policy
Prevent from one more cve triggering this place
Treat eor as withdrawn to avoid unwanted handling of malformed attrs
Use enum bgp_create_error_code as argument in header
Use treat-as-withdraw for tunnel encapsulation attribute
isisd
Fix heap-after-free with prefix sid
Staticd: need to link directly against libyang
lib
Fix evpn nexthop config order
Allow unsetting walltime-warning and cpu-warning
Make cmd_element->attr a bitmask & clarify
Replace deprecated ares_gethostbyname
Replace deprecated ares_process()
nhrpd
Fix nhrp_peer leak
Fix core dump on shutdown
ospf6d
Fix crash because neighbor structure was freed
Fix uninitialized warnings
Ospfv3 route change comparision fixed for asbr-only change
Stop crash in ospf6_write
ospfd
Check for nulls in vty code
Correct opaque lsa extended parser
Prevent use after free( and crash of ospf ) when no router ospf
Protect call to get_edge() in ospf_te.c
Solved crash in ospf te parsing
Solved crash in ri parsing with ospf te
pimd
Fix dr-priority range
Fix null register before aging out reg-stop
Fix order of operations for evaluating join
Re-evaluated s,g oils upon rp changes and for empty sg upstream oils
ripd
Revert "cleanup memory allocations on shutdown"
ripngd
Revert "cleanup memory allocations on shutdown"
vtysh
Print uniq lines when parsing `no service ...`
zebra
Deny the routes if ip protocol cli refers to an undefined rmap
Fix connected route deletion when multiple entry exists
Full Changelog: frr-8.4.4...frr-8.4.5
FRR Release 10.0.1
Fixed CVEs
Bug Fixes
bgpd
Fix route leaking from the default l3vrf
Allow using optional table id for negative `no set table x` command
Apply noop when doing negative commands for gr operations
Drop newline in json output for `show bgp afi safi json detail`
Fix `match peer` when switching between ipv4/ipv6/interface
Fix `no set as-path prepend asnum...`
Fix crash when deleting the srv6 locator
Fix display when using `missing-as-worst`
Fix dynamic peer graceful restart race condition
Fix logging message when receiving a software version capability
Fix show run of network route-distinguisher
Fix srv6 memory leaks spotted by asan
Fix the order of null check and zapi decode
Ignore validating the attribute flags if path-attribute is configured
Inherit `capability software-version` flag from the peer-group
Inherit `enforce-first-as` flag from the peer-group
Move srv6 cleanup functions
Print old/new states of graceful restart fsm
Revert "Fix pointer arithmetic in bgp snmp module"
debian, redhat, snapcraft
Libyang min version is 2.1.128
isisd
Fix heap-after-free with prefix sid
Fix ip/ipv6 reachability tlvs
lib
Check for not being a blackhole route
Fix exit commands
Remove nb/yang memory cleanup when daemonizing
Replace deprecated ares_gethostbyname
Replace deprecated ares_process()
nhrpd
Fix race condition
Fix core dump on shutdown
Clean up shortcut cache entries on termination
ospf6d
Accept cli `no` for point-to-multipoint
Fix defun formatting wrecked by clang
Fix loopback/ptp/ptmp conn. route checks
Force recalculate on interface_up
Prevent heap-buffer-overflow with unknown
Ospfv3 route change comparision fixed for asbr-only change
ospfd
Correct opaque lsa extended parser
Fix the bug where ip_ospf_dead-interval_minimal_hello-multiplier did not reset hello timer
Protect call to get_edge() in ospf_te.c
Solved crash in ri parsing with ospf te
Revert "Fix some dicey pointer arith in snmp module"
pimd
Fix crash unconfiguring rp keepalive timer
Fix dr-priority range
Fix null register before aging out reg-stop
Fix order of operations for evaluating join
Fix crash when mixing ssm/any-source joins
tests
Check if ibgp session can drop invalid aigp attribute
tools
Frr-reload strip interface vrf ctx line
Handle seq num for bgp as-path in frr-reload.py
topotests
Do not check table version
vtysh
Check if bgpd is enabled before installing vtysh commands for rpki
Fix `show route-map` command when calling via `do`
Show `ip ospf network ...` even if it's not the same as the interface type
zebra
Deny the routes if ip protocol cli refers to an undefined rmap
Fix encoded dnssl length
Fix evpn svd based remote nh neigh del
Fix mpls command
Full Changelog: frr-10.0...frr-10.0.1
FRR Release 10.0
We are pleased to announce FRR release 10.0.
FRR 10.0 brings a long list of enhancements and fixes with 938 commits from 54 developers. Thanks to all contributors.
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:10.0.0
Release Overview
Breaking changes
per-daemon config files no longer supported
Writing configuration works only with the unified configuration file frr.conf. I.e, writing to per-daemon config files is no longer supported.
noprefixroute
flag for interface prefixes with NetworkManager
Using NetworkManager can disrupt routing configurations where the noprefixroute
flag is set, as NetworkManager automatically applies the noprefixroute
flag by default. This behavior can interfere with custom routing rules and configurations that depend on the absence of this flag, leading to unintended routing issues. E.g. the next-hops might be resolved via incorrect interfaces (for instance, using a default route).
More details here.
Enable enforce-first-as
by default for BGP
More details here.
A complete log of changes can be found by browsing the commit history of the FRR 10.0 tag here
Deprecate ConfD
ConfD is not supported anymore and its use is discouraged by developers.
Introduce local host routes
Host routes are needed on the router that owns the IP address to process packets destined for that IP address. redistribute local
is also possible to redistribute local host routes into protocols.
Require libyang 2.1.128
In previous releases, we said that 2.1.80 is good, and 2.1.111 is bad (do not use this version). Now we recommend and even require 2.1.128 which is again good.
Log files per daemon
Configure file logging for a single FRR daemon.
More details are here.
BGP BMP Loc-RIB (RFC9069) support
The Loc-RIB contains the routes that have been selected by the local BGP speaker's Decision Process.
More details are here.
eBGP-OAD (One Administrative Domain) support
Add support for a new External BGP (EBGP) peering type known as EBGP-OAD, which is used between two EBGP peers that belong to One Administrative Domain (OAD). This is the implementation of this draft.
This implementation allows iBGP and non-transitive attributes to be optionally exchanged.
More details are here.
BGP RPKI VRF support
Now RPKI for BGP can be configured per-VRF.
More details are here.
BGP SNMP traps for BGP4-MIBV2
Recently added support for this draft got the support for SNMP traps in this release.
More details are here.
Management (mgmtd) daemon replace operation support
BGP dynamic capabilities for addpath, fqdn, orf capabilities
The previous release added support for BGP Graceful-Restart, Long-lived Graceful-Restart, and Role capabilities to be managed via BGP dynamic capabilities. With this release, we add support for AddPath, FQDN, and ORF capabilities.
E.g. to change the AddPath/ORF (Outbound Route Filtering) capability's flags, a session reset is not needed if the dynamic capability is enabled between the peers.
SRv6 encapsulation source address feature
Configure the source address of the outer encapsulating IPv6 header.
More details are here.
OSPFv3 Point-To-Multipoint mode
Add an ability to set the network type to point-to-multipoint for an interface.
More details are here.
Other significant changes
bgpd
- Add
clear bgp capabilities
command to resend some dynamic capabilities link - Add
debug bgp updates detail
command link - Add
debug bgp updates <in|out> <X.Y.Z.W> prefix-list <NAME>
command link - Add
neighbor capability fqdn
command link - Add
redistribute table-direct
support link - Fix
match ip address ...
+match evpn ...
commands for EVPN - Remove aggregated (summary-only) suppressed routes from EVPN
mgmtd
- Implement full XPATH 1.0 predicate functionality
- Output
staticd
configuration frommgmtd
ospfd
- Fix crash in OSPF TE parsing
ospf6d
- Advertise local addresses with la bit
- Set loopback interface cost to 0
- Let the user override interface cost for a loopback
pathd
- Add dynamic candidate path metric [computed] keyword link
- Add
no msd
command in thepcc
context - Add
no pcep
command
vtysh
- Send interface commands to mgmtd
watchfrr
- Extend the ignore option to the daemon being killed
zebrad
- Add
mpls label dynamic-block
command link - Add JSON support to
show debugging label-table
link - Add zebra to
mgmtd
oper-state - Allow longer prefix matches for the next hops
- Push all configured IP addresses when the interface comes up
- Remove static ARP entries on interface-down events
- Support to listen
teamd
netlink message as bond type - Fix crash when macvlan link-interface is in another netns
FRR Release 9.0.2
We are pleased to announce FRR release 9.0.2.
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:9.0.2
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
- Fix aggregate-address summary-only suppressed export to EVPN
- Allow using attribute number 255 for path attr discard/withdraw cmds
- Check mandatory attributes more carefully for the UPDATE message
- Do not suppress conditional advertisement updates if triggered
- Fix Extended community memory leak
- Fix the
no set as-path prepend
command - Fix heap-use-after-free for
bgp_best_selection()
- Fix crash in SNMP BGP4V2-MIB
bgpv2PeerErrorsTable()
- Fix
clear bgp ipv6 unicast ...
command - Flush attributes only if we don't have to announce a conditional route (avoid use-after-free)
- Free memory for SRv6 functions and locator chunks
- Handle MP_UNREACH_NLRI malformed packets with session reset
- Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
- Initialise
timebuf
arrays to zeros for dampening reuse timer - Initialise buffer in
bgp_notify_admin_message()
before using it - LTTng add EVPN route trace events
- Make sure dampening is enabled for the specified AFI/SAFI
- Use proper AFI when dumping information for dampening stuff
- Treat the AS4-PATH attribute as withdrawn if malformed
- Treat PMSI tunnel attribute as withdrawn if malformed
- Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
- Use the correct memory pool on interface deletion
mgmtd
- Change mgmtd_vty_port to 2623
- Fix crash on
show mgmtd datastore-contents
ospf6d
- Fix setting of the forwarding address in as-external LSAs
- Set loopback interface cost to 0
ospfd
- Fixing infinite loop when listing OSPF interfaces
pathd
- Add
no msd
command - Add
no pcep
command
pbrd
- Fix
show pbr map detail json
command - Free memory in
pbr_map_delete()
pim6d
- Fix valgrind issues
pimd
- Fix missing pimreg interface
tools
- Fix the
frr-reload
interface description command - Fix the
frr-reload
route-map description command - Make
--quiet
actually suppress output
vtysh
- Fix entering configuration node in file-lock mode
- Fix
configure terminal
argument descriptions - Fix working in file-lock mode
- Fix
show route map json
output
zebra
- Add
encap
type when building packet for FPM - Display
ptmStatus
order in interface JSON - Fix connected route deletion when multiple entry exists
- Fix FPM multipath
encap
addition - Fix link update for veth interfaces
- Fix zebra crash when replacing
nhe
during shutdown - Prevent null pointer dereference
FRR Release 8.5.4
We are pleased to announce FRR release 8.5.4.
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:8.5.4
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
- Check mandatory attributes more carefully for the UPDATE message
- Do not suppress conditional advertisement updates if triggered
- Fix crash in SNMP BGP4V2-MIB
bgpv2PeerErrorsTable()
- Handle MP_UNREACH_NLRI malformed packets with session reset
- Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
- Initialise
timebuf
arrays to zeros for dampening reuse timer - Initialise buffer in
bgp_notify_admin_message()
before using it - Make sure dampening is enabled for the specified AFI/SAFI
- Use proper AFI when dumping information for dampening stuff
- Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
- Use the correct memory pool on interface deletion
vtysh
- Fix
show route map JSON
output
ospfd
- Fix infinite loop when listing OSPF interfaces
pbrd
- Fix
show pbr map detail json
output
zebra
- Add
encap
type when building packet for FPM - Display
ptmStatus
order in interface JSON - Fix connected route deletion when multiple entry exists
- Fix FPM multipath
encap
addition - Fix link update for veth interfaces
- Fix zebra crash when replacing
nhe
during shutdown - Prevent null pointer dereference
FRR 9.1 Release
We are pleased to announce FRR release 9.1.
FRR 9.1 brings a long list of enhancements and fixes with 941 commits from 73 developers. Thanks to all contributors.
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:9.1.0
Release Overview
OSPFv2 HMAC-SHA Cryptographic Authentication
Specify that HMAC cryptographic authentication must be used on a specific interface using a key chain.
More details are here.
BGP MAC-VRF Site-Of-Origin support
In some EVPN deployments, it is useful to associate a logical VTEPβs Layer 2 domain (MAC-VRF) with a Site-of-Origin βsiteβ identifier. This provides a BGP topology-independent means of marking and import-filtering EVPN routes originating from a particular L2 domain. One situation where this is valuable is when deploying EVPN using anycast VTEPs, i.e. Active/Active MLAG, as it can be used to avoid ownership conflicts between the two control planes (EVPN vs MLAG).
More details are here.
BGP Dynamic capability support
Added support for Graceful-Restart, Long-lived Graceful-Restart, Software-version, and Role BGP capabilities to be adjusted dynamically using BGP dynamic capability.
Dynamic BGP capability allows the dynamic update of capabilities over an established BGP session. This capability would facilitate non-disruptive capability changes by BGP speakers.
Here is the draft implemented.
IS-IS SRv6 uSID support (RFC 9352)
The Segment Routing (SR) architecture allows a flexible definition of the end-to-end path by encoding it as a sequence of topological elements called "segments". It can be implemented over the MPLS or the IPv6 data plane. This feature enables extensions in IS-IS to support Segment Routing over the IPv6 data plane (SRv6) as per RFC 9352.
More details are here.
Next-hop resolution via the default route
Changed the default for a traditional
profile to be enabled. The datacenter
profile is left as disabled.
More details are on the links link, link.
Add support for VLAN, ECN, DSCP mangling/filtering
PBR maps are a way to specify a set of rules that are applied to packets received on individual interfaces. If a received packet matches a rule, the ruleβs next-hop-group or next-hop is used to forward it; any other actions specified in the rule are also applied to the packet.
With this change, we added more commands for PBR maps, like matching src-ip, dst-ip, src-port, dst-port, vlan, dscp, ecn, and more.
More details are here.
libyang 2.1.80 related breaking changes
prefix-list matching in route-maps is fundamentally broken with libyang 2.1.111. If you have this version, please downgrade to the most stable version 2.1.80.
More details CESNET/libyang#2090
Other significant changes
- Zebra support for route replace semantics in FPM link
- New command for BGP
neighbor x addpath-tx-best-selected
link - New command for BGP
mpls bgp l3vpn-multi-domain-switching
link - A couple more new BGP route-map commands:
Deprecations
- Deprecate pre-standard outbound route filtering capability
- Deprecate pre-standard route refresh capability
- Drop deprecated capability
A complete log of changes can be found by browsing the commit history of the FRR 9.1 tag here
FRR Release 9.0.1
We are pleased to announce FRR release 9.0.1
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:9.0.1
Bug Fixes
bgpd
- Add peers back to peer hash when peer_xfer_conn fails
- Check the length of the rcv software version
- Do not explicitly print maxttl value for ebgp-multihop vty output
- Do not process nlris if the attribute length is zero
- Don't read the first byte of orf header if we are ahead of stream
- Evpn code was not properly unlocking rd_dest
- Fix
show bgp all rpki notfound
- Make sure we have enough data to read two bytes when validating aigp
- Use treat-as-withdraw for tunnel encapsulation attribute
zebra
- Fix evpn nexthop config order
lib
- Allow unsetting walltime-warning and cpu-warning
ospfd
- Prevent use after free( and crash of ospf ) when no router ospf
pimd
- Prevent crash when receiving register message when the rp() is unknown
- When receiving a packet be more careful with length in pim_pim_packet
vtysh
- Print uniq lines when parsing
no service ...
FRR release 8.5.3
We are pleased to announce FRR release 8.5.3
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:8.5.3
Bug Fixes
bgpd
- Add peers back to peer hash when peer_xfer_conn fails
- Do not explicitly print maxttl value for ebgp-multihop vty output
- Do not process nlris if the attribute length is zero
- Do not try to redistribute routes if we are shutting down
- Don't read the first byte of orf header if we are ahead of stream
- Evpn code was not properly unlocking rd_dest
- Fix
show bgp all rpki notfound
- Fix session reset issue caused by malformed core attributes
- Free bgp vpn policy
- Free previously dup'ed aspath attribute for aggregate routes
- Free temporary memory after using argv_concat()
- Intern attributes before putting into rib-out
- Make sure we have enough data to read two bytes when validating aigp
- Prevent use after free
- Rfapi memleak fixes, clean ce tables at exit
- Unlock dest if we return earlier for aggregate install
- Use treat-as-withdraw for tunnel encapsulation attribute
zebra
- Fix evpn nexthop config order
- Abstract
dplane_ctx_route_init
to init route without copying - Fix crash when
dplane_fpm_nl
fails to process received routes - Further handle route replace semantics
- Fix command ipv6 nht xxx
lib
- Allow unsetting walltime-warning and cpu-warning
- Skip route-map optimization if !af_inet(6)
- Use max_bitlen instead of magic number
ospf6d
- Fix crash because neighbor structure was freed
- Stop crash in ospf6_write
ospfd
- Check for nulls in vty code
- Prevent use after free( and crash of ospf ) when no router ospf
pbrd
- Fix crash with match command
pimd
- Prevent crash when receiving register message when the rp() is unknown
- When receiving a packet be more careful with length in pim_pim_packet
ripd, ripngd
- Revert "Cleanup memory allocations on shutdown"
tools
- Add what frr thinks as the fib routes for support_bundle
vtysh
- Print uniq lines when parsing
no service ...
FRR 9.0 Release
We are pleased to announce FRR release 9.0.
FRR 9.0 brings a long list of enhancements and fixes with 942 commits from 70 developers. Thanks to all contributors.
Debian Packages - https://deb.frrouting.org
RPM Packages - https://rpm.frrouting.org
Snaps - https://snapcraft.io/frr
Docker - quay.io/frrouting/frr:9.0.0
Release Overview
Centralized Management Daemon
A new daemon called mgmtd
has been added paving the way for a new northbound yang-based management interface. staticd
has been converted to use mgmtd
with more daemons to follow future releases. If you use custom configuration paths you may need to adapt these to use mgmtd
. See the documentation for more info.
Switched to libyang minimum version 2.1.80!
The required minimum version for libyang is raised to 2.1.80. RPM/DEB packages are published on our repositories. Docker images are built using 2.1.80 also.
Memory footprint for BGP reduced drastically!
In FRR 8.4 release, we shipped Extended Message Support for BGP, which increased the memory usage significantly. In FRR 9.0 release, the memory footprint is back to normal again. We removed the unused structure fields that consumed a huge amount of memory unnecessarily.
Other significant changes
- Introduce
mgmtd
daemon link - Add BGP
neighbor path-attribute treat-as-withdraw
command link - Add BGP ASN dot notation support (RFC 5396) link
- Add BGP Software Version capability (draft-abraitis-bgp-version-capability) link
- Allow BGP peering via 127.0.0.0/8 link
- Deprecate BGP
internet
community - this is the Cisco-specific community, which is never been RFC-defined and confusing - Implement
match source-protocol
for BGP route maps link - Implement BGP Node Target extended communities (draft-ietf-idr-node-target-ext-comm) link
- Implement Flex-Algo for SR-MPLS (RFC 9350) link
- Add support for IS-IS
advertise-passive-only
link - Add IS-IS
affinity-map
support link - Add the
graceful-restart hello-delay
OSPFv2/OSPFv3 command link, link - Add the
ipv6 mld join
PIMv6 command link - Add
allow-ecmp x
RIP/RIPng command link, link - Add BFD support for RIP
Memory leak fixes for BGP and other protocols.
New CLI debug and show commands were added and/or fixed.
Dropping package builds for EOL Debian 9 and Ubuntu 18.04.
A full log of changes can be found by browsing the commit history of the FRR 9.0 tag here