Custom nhrp patches

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) }
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216912

.gitignore

@@ -10,3 +10,12 @@
 /frr-8.0.1.tar.gz
 /frr-8.2.tar.gz
 /frr-8.2.2.tar.gz
+/frr-8.3.1.tar.gz
+/frr-8.4.tar.gz
+/frr-8.4.1.tar.gz
+/frr-8.4.2.tar.gz
+/frr-8.5.tar.gz
+/frr-8.5.1.tar.gz
+/frr-8.5.2.tar.gz
+/frr-8.5.3.tar.gz
+/frr-8.5.4.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -27,3 +27,29 @@ index 5be3264..33abc1d 100644
  	lib/Makefile \
  	nhrpd/Makefile \
  	ospf6d/Makefile \
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index 8aa0887..c92dcca 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -22,10 +22,8 @@ ripngd=no
+ isisd=no
+ pimd=no
+ pim6d=no
+-ldpd=no
+ nhrpd=no
+ eigrpd=no
+-babeld=no
+ sharpd=no
+ pbrd=no
+ bfdd=no
+@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
+ isisd_options="  -A 127.0.0.1"
+ pimd_options="   -A 127.0.0.1"
+ pim6d_options="  -A ::1"
+-ldpd_options="   -A 127.0.0.1"
+ nhrpd_options="  -A 127.0.0.1"
+ eigrpd_options=" -A 127.0.0.1"
+-babeld_options=" -A 127.0.0.1"
+ sharpd_options=" -A 127.0.0.1"
+ pbrd_options="   -A 127.0.0.1"
+ staticd_options="-A 127.0.0.1"

0004-fips-mode.patch

@@ -101,3 +101,15 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"

0006-cve-2022-26126.patch

@@ -1,461 +0,0 @@
-From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
-From: whichbug <whichbug@github.com>
-Date: Thu, 10 Feb 2022 22:49:41 -0500
-Subject: [PATCH] isisd: fix #10505 using base64 encoding
-
-Using base64 instead of the raw string to encode
-the binary data.
-
-Signed-off-by: whichbug <whichbug@github.com>
----
- isisd/isis_nb_notifications.c |  16 +--
- lib/base64.c                  | 193 ++++++++++++++++++++++++++++++++++
- lib/base64.h                  |  45 ++++++++
- lib/subdir.am                 |   2 +
- lib/yang_wrappers.c           |  59 +++++++++++
- lib/yang_wrappers.h           |   7 ++
- 6 files changed, 314 insertions(+), 8 deletions(-)
- create mode 100644 lib/base64.c
- create mode 100644 lib/base64.h
-
-diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
-index f219632acf7..fd7b1b3159a 100644
---- a/isisd/isis_nb_notifications.c
-+++ b/isisd/isis_nb_notifications.c
-@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
-@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
-@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
-@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
- 	data = yang_data_new_string(xpath_arg, reason);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
-@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
-@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
-@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, version);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
-@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
- 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 	/* ignore offset and tlv_type which cannot be set properly */
- 
-diff --git a/lib/base64.c b/lib/base64.c
-new file mode 100644
-index 00000000000..e3f238969b3
---- /dev/null
-+++ b/lib/base64.c
-@@ -0,0 +1,193 @@
-+/*
-+ * This is part of the libb64 project, and has been placed in the public domain.
-+ * For details, see http://sourceforge.net/projects/libb64
-+ */
-+
-+#include "base64.h"
-+
-+static const int CHARS_PER_LINE = 72;
-+static const char *ENCODING =
-+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-+
-+void base64_init_encodestate(struct base64_encodestate *state_in)
-+{
-+	state_in->step = step_A;
-+	state_in->result = 0;
-+	state_in->stepcount = 0;
-+}
-+
-+char base64_encode_value(char value_in)
-+{
-+	if (value_in > 63)
-+		return '=';
-+	return ENCODING[(int)value_in];
-+}
-+
-+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
-+			struct base64_encodestate *state_in)
-+{
-+	const char *plainchar = plaintext_in;
-+	const char *const plaintextend = plaintext_in + length_in;
-+	char *codechar = code_out;
-+	char result;
-+	char fragment;
-+
-+	result = state_in->result;
-+
-+	switch (state_in->step) {
-+		while (1) {
-+			case step_A:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_A;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result = (fragment & 0x0fc) >> 2;
-+				*codechar++ = base64_encode_value(result);
-+				result = (fragment & 0x003) << 4;
-+				/* fall through */
-+			case step_B:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_B;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result |= (fragment & 0x0f0) >> 4;
-+				*codechar++ = base64_encode_value(result);
-+				result = (fragment & 0x00f) << 2;
-+				/* fall through */
-+			case step_C:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_C;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result |= (fragment & 0x0c0) >> 6;
-+				*codechar++ = base64_encode_value(result);
-+				result  = (fragment & 0x03f) >> 0;
-+				*codechar++ = base64_encode_value(result);
-+
-+				++(state_in->stepcount);
-+				if (state_in->stepcount == CHARS_PER_LINE/4) {
-+					*codechar++ = '\n';
-+					state_in->stepcount = 0;
-+				}
-+		}
-+	}
-+	/* control should not reach here */
-+	return codechar - code_out;
-+}
-+
-+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
-+{
-+	char *codechar = code_out;
-+
-+	switch (state_in->step) {
-+	case step_B:
-+		*codechar++ = base64_encode_value(state_in->result);
-+		*codechar++ = '=';
-+		*codechar++ = '=';
-+		break;
-+	case step_C:
-+		*codechar++ = base64_encode_value(state_in->result);
-+		*codechar++ = '=';
-+		break;
-+	case step_A:
-+		break;
-+	}
-+	*codechar++ = '\n';
-+
-+	return codechar - code_out;
-+}
-+
-+
-+signed char base64_decode_value(signed char value_in)
-+{
-+	static const signed char decoding[] = {
-+		62, -1, -1, -1, 63, 52, 53, 54,
-+		55, 56, 57, 58, 59, 60, 61, -1,
-+		-1, -1, -2, -1, -1, -1, 0, 1,
-+		2,  3, 4, 5, 6, 7, 8, 9,
-+		10, 11, 12, 13, 14, 15, 16, 17,
-+		18, 19, 20, 21, 22, 23, 24, 25,
-+		-1, -1, -1, -1, -1, -1, 26, 27,
-+		28, 29, 30, 31, 32, 33, 34, 35,
-+		36, 37, 38, 39, 40, 41, 42, 43,
-+		44, 45, 46, 47, 48, 49, 50, 51
-+	};
-+	value_in -= 43;
-+	if (value_in < 0 || value_in >= 80)
-+		return -1;
-+	return decoding[(int)value_in];
-+}
-+
-+void base64_init_decodestate(struct base64_decodestate *state_in)
-+{
-+	state_in->step = step_a;
-+	state_in->plainchar = 0;
-+}
-+
-+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
-+			struct base64_decodestate *state_in)
-+{
-+	const char *codec = code_in;
-+	char *plainc = plaintext_out;
-+	signed char fragmt;
-+
-+	*plainc = state_in->plainchar;
-+
-+	switch (state_in->step) {
-+		while (1) {
-+			case step_a:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_a;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc = (fragmt & 0x03f) << 2;
-+				/* fall through */
-+			case step_b:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_b;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++ |= (fragmt & 0x030) >> 4;
-+				*plainc = (fragmt & 0x00f) << 4;
-+				/* fall through */
-+			case step_c:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_c;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++ |= (fragmt & 0x03c) >> 2;
-+				*plainc = (fragmt & 0x003) << 6;
-+				/* fall through */
-+			case step_d:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_d;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++   |= (fragmt & 0x03f);
-+		}
-+	}
-+	/* control should not reach here */
-+	return plainc - plaintext_out;
-+}
-diff --git a/lib/base64.h b/lib/base64.h
-new file mode 100644
-index 00000000000..3dc1559aa48
---- /dev/null
-+++ b/lib/base64.h
-@@ -0,0 +1,45 @@
-+/*
-+ * This is part of the libb64 project, and has been placed in the public domain.
-+ * For details, see http://sourceforge.net/projects/libb64
-+ */
-+
-+#ifndef _BASE64_H_
-+#define _BASE64_H_
-+
-+enum base64_encodestep {
-+	step_A, step_B, step_C
-+};
-+
-+struct base64_encodestate {
-+	enum base64_encodestep step;
-+	char result;
-+	int stepcount;
-+};
-+
-+void base64_init_encodestate(struct base64_encodestate *state_in);
-+
-+char base64_encode_value(char value_in);
-+
-+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
-+			struct base64_encodestate *state_in);
-+
-+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
-+
-+
-+enum base64_decodestep {
-+	step_a, step_b, step_c, step_d
-+};
-+
-+struct base64_decodestate {
-+	enum base64_decodestep step;
-+	char plainchar;
-+};
-+
-+void base64_init_decodestate(struct base64_decodestate *state_in);
-+
-+signed char base64_decode_value(signed char value_in);
-+
-+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
-+			struct base64_decodestate *state_in);
-+
-+#endif /* _BASE64_H_ */
-diff --git a/lib/subdir.am b/lib/subdir.am
-index 648ab7f14a1..f8f82f2766f 100644
---- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
- lib_libfrr_la_SOURCES = \
- 	lib/agg_table.c \
- 	lib/atomlist.c \
-+	lib/base64.c \
- 	lib/bfd.c \
- 	lib/buffer.c \
- 	lib/checksum.c \
-@@ -177,6 +178,7 @@ clippy_scan += \
- pkginclude_HEADERS += \
- 	lib/agg_table.h \
- 	lib/atomlist.h \
-+	lib/base64.h \
- 	lib/bfd.h \
- 	lib/bitfield.h \
- 	lib/buffer.h \
-diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
-index 85aa003db72..bee76c6e0f5 100644
---- a/lib/yang_wrappers.c
-+++ b/lib/yang_wrappers.c
-@@ -19,6 +19,7 @@
- 
- #include <zebra.h>
- 
-+#include "base64.h"
- #include "log.h"
- #include "lib_errors.h"
- #include "northbound.h"
-@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
- 			  xpath);
- }
- 
-+/*
-+ * Primitive type: binary.
-+ */
-+struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
-+				       size_t len)
-+{
-+	char *value_str;
-+	struct base64_encodestate s;
-+	int cnt;
-+	char *c;
-+	struct yang_data *data;
-+
-+	value_str = (char *)malloc(len * 2);
-+	base64_init_encodestate(&s);
-+	cnt = base64_encode_block(value, len, value_str, &s);
-+	c = value_str + cnt;
-+	cnt = base64_encode_blockend(c, &s);
-+	c += cnt;
-+	*c = 0;
-+	data = yang_data_new(xpath, value_str);
-+	free(value_str);
-+	return data;
-+}
-+
-+size_t yang_dnode_get_binary_buf(char *buf, size_t size,
-+				 const struct lyd_node *dnode,
-+				 const char *xpath_fmt, ...)
-+{
-+	const char *canon;
-+	size_t cannon_len;
-+	size_t decode_len;
-+	size_t ret_len;
-+	size_t cnt;
-+	char *value_str;
-+	struct base64_decodestate s;
-+
-+	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
-+	cannon_len = strlen(canon);
-+	decode_len = cannon_len;
-+	value_str = (char *)malloc(decode_len);
-+	base64_init_decodestate(&s);
-+	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
-+
-+	ret_len = size > cnt ? cnt : size;
-+	memcpy(buf, value_str, ret_len);
-+	if (size < cnt) {
-+		char xpath[XPATH_MAXLEN];
-+
-+		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
-+		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
-+			  "%s: value was truncated [xpath %s]", __func__,
-+			  xpath);
-+	}
-+	free(value_str);
-+	return ret_len;
-+}
-+
-+
- /*
-  * Primitive type: empty.
-  */
-diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
-index d781dfb1e42..56b314876f2 100644
---- a/lib/yang_wrappers.h
-+++ b/lib/yang_wrappers.h
-@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
- extern void yang_get_default_string_buf(char *buf, size_t size,
- 					const char *xpath_fmt, ...);
- 
-+/* binary */
-+extern struct yang_data *yang_data_new_binary(const char *xpath,
-+					      const char *value, size_t len);
-+extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
-+					const struct lyd_node *dnode,
-+					const char *xpath_fmt, ...);
-+
- /* empty */
- extern struct yang_data *yang_data_new_empty(const char *xpath);
- extern bool yang_dnode_get_empty(const struct lyd_node *dnode,

0010-nhrpd-zebra-Read-GRE-addresses-only-if-sent.patch

@@ -0,0 +1,49 @@
+From 114bd532ac0c3b6d819f516eb41021eb250b65bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Wed, 15 Sep 2021 19:44:56 +0200
+Subject: [PATCH 10/11] nhrpd, zebra: Read GRE addresses only if sent
+
+GRE addresses are not send if interface is missing in kernel. We
+should first check if they have been sent.
+---
+ nhrpd/nhrp_route.c | 7 ++++---
+ zebra/zapi_msg.c   | 2 --
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/nhrpd/nhrp_route.c b/nhrpd/nhrp_route.c
+index 698c6d0cdf..2e7923bf33 100644
+--- a/nhrpd/nhrp_route.c
++++ b/nhrpd/nhrp_route.c
+@@ -493,12 +493,13 @@ int nhrp_gre_update(ZAPI_CALLBACK_ARGS)
+ 	STREAM_GETL(s, gre_info.okey);
+ 	STREAM_GETL(s, gre_info.ifindex_link);
+ 	STREAM_GETL(s, gre_info.vrfid_link);
+-	STREAM_GETL(s, gre_info.vtep_ip.s_addr);
+-	STREAM_GETL(s, gre_info.vtep_ip_remote.s_addr);
+ 	if (gre_info.ifindex == IFINDEX_INTERNAL)
+ 		val = NULL;
+-	else
++	else {
+ 		val = hash_lookup(nhrp_gre_list, &gre_info);
++		STREAM_GETL(s, gre_info.vtep_ip.s_addr);
++		STREAM_GETL(s, gre_info.vtep_ip_remote.s_addr);
++	}
+ 	if (val) {
+ 		if (gre_info.vtep_ip.s_addr != val->vtep_ip.s_addr ||
+ 		    gre_info.vrfid_link != val->vrfid_link ||
+diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
+index 68bb9783f8..72d06d71ea 100644
+--- a/zebra/zapi_msg.c
++++ b/zebra/zapi_msg.c
+@@ -3618,8 +3618,6 @@ static inline void zebra_gre_get(ZAPI_HANDLER_ARGS)
+ 		stream_putl(s, 0);
+ 		stream_putl(s, IFINDEX_INTERNAL);
+ 		stream_putl(s, VRF_UNKNOWN);
+-		stream_putl(s, 0);
+-		stream_putl(s, 0);
+ 	}
+ 	/* Write packet size. */
+ 	stream_putw_at(s, 0, stream_get_endp(s));
+-- 
+2.41.0
+

0011-nhrp-Peer-should-not-be-connected-if-interface-is-ac.patch

@@ -0,0 +1,92 @@
+From f9876d6106263632287fcef2912ba4223b145672 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Mon, 20 Sep 2021 23:51:06 +0200
+Subject: [PATCH 11/11] nhrp: Peer should not be connected if interface is
+ active
+
+---
+ nhrpd/nhrp_interface.c |  1 +
+ nhrpd/nhrp_nhs.c       | 21 +++++++++++++++++++--
+ nhrpd/nhrp_peer.c      |  2 ++
+ nhrpd/nhrpd.h          |  1 +
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
+index 4ac30a7d75..6a8b6e6997 100644
+--- a/nhrpd/nhrp_interface.c
++++ b/nhrpd/nhrp_interface.c
+@@ -461,6 +461,7 @@ int nhrp_ifp_up(struct interface *ifp)
+ {
+ 	debugf(NHRP_DEBUG_IF, "if-up: %s", ifp->name);
+ 	nhrp_interface_update_nbma(ifp, NULL);
++	nhrp_nhs_interface_add(ifp);
+ 
+ 	return 0;
+ }
+diff --git a/nhrpd/nhrp_nhs.c b/nhrpd/nhrp_nhs.c
+index 03b4b533bb..bd05813d28 100644
+--- a/nhrpd/nhrp_nhs.c
++++ b/nhrpd/nhrp_nhs.c
+@@ -351,8 +351,9 @@ int nhrp_nhs_add(struct interface *ifp, afi_t afi, union sockunion *proto_addr,
+ 		.reglist_head = INIT_DLIST(nhs->reglist_head),
+ 	};
+ 	nhrp_nhslist_add_tail(&nifp->afi[afi].nhslist_head, nhs);
+-	thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
+-			      &nhs->t_resolve);
++	if (CHECK_FLAG(ifp->status, ZEBRA_INTERFACE_ACTIVE))
++		thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
++				      &nhs->t_resolve);
+ 
+ 	return NHRP_OK;
+ }
+@@ -394,6 +395,22 @@ int nhrp_nhs_free(struct nhrp_interface *nifp, afi_t afi, struct nhrp_nhs *nhs)
+ 	return 0;
+ }
+ 
++void nhrp_nhs_interface_add(struct interface *ifp)
++{
++	struct nhrp_interface *nifp = ifp->info;
++	struct nhrp_nhs *nhs;
++	afi_t afi;
++
++	for (afi = 0; afi < AFI_MAX; afi++) {
++		debugf(NHRP_DEBUG_COMMON, "Adding nhs entries (%zu)",
++		       nhrp_nhslist_count(&nifp->afi[afi].nhslist_head));
++		frr_each (nhrp_nhslist, &nifp->afi[afi].nhslist_head, nhs) {
++			thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
++					      &nhs->t_resolve);
++		}
++	}
++}
++
+ void nhrp_nhs_interface_del(struct interface *ifp)
+ {
+ 	struct nhrp_interface *nifp = ifp->info;
+diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
+index e7f2eaf5a7..9e76d16db3 100644
+--- a/nhrpd/nhrp_peer.c
++++ b/nhrpd/nhrp_peer.c
+@@ -309,6 +309,8 @@ int nhrp_peer_check(struct nhrp_peer *p, int establish)
+ 	struct interface *ifp = p->ifp;
+ 	struct nhrp_interface *nifp = ifp->info;
+ 
++	if (!CHECK_FLAG(ifp->status, ZEBRA_INTERFACE_ACTIVE))
++		return 0;
+ 	if (p->online)
+ 		return 1;
+ 	if (!establish)
+diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
+index 753c6e9b22..4850c12b49 100644
+--- a/nhrpd/nhrpd.h
++++ b/nhrpd/nhrpd.h
+@@ -400,6 +400,7 @@ void nhrp_nhs_foreach(struct interface *ifp, afi_t afi,
+ 		      void (*cb)(struct nhrp_nhs *, struct nhrp_registration *,
+ 				 void *),
+ 		      void *ctx);
++void nhrp_nhs_interface_add(struct interface *ifp);
+ void nhrp_nhs_interface_del(struct interface *ifp);
+ 
+ int nhrp_multicast_add(struct interface *ifp, afi_t afi,
+-- 
+2.41.0
+

frr.fc

@@ -1,4 +1,4 @@
-/usr/libexec/frr(/.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
 
 /usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
 
@@ -21,6 +21,8 @@
 /var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
 /var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
 /var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
 
 /var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
 

frr.if

@@ -160,3 +160,56 @@ interface(`frr_admin',`
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+

frr.spec

@@ -1,15 +1,19 @@
+%global dist .ims.2%{?dist}
+
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
 %global selinuxtype targeted
 %define _legacy_common_support 1
-%bcond_without selinux
+
+%bcond grpc %{undefined rhel}
+%bcond selinux 1
 
 Name:           frr
-Version:        8.2.2
-Release:        7%{?dist}
+Version:        8.5.4
+Release:        1%{?dist}
 Summary:        Routing daemon
-License:        GPLv2+
+License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
@@ -24,8 +28,8 @@ Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
-Patch0006:      0006-cve-2022-26126.patch
-
+Patch0010:      0010-nhrpd-zebra-Read-GRE-addresses-only-if-sent.patch
+Patch0011:      0011-nhrp-Peer-should-not-be-connected-if-interface-is-ac.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -35,8 +39,10 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  git-core
 BuildRequires:  groff
+%if %{with grpc}
 BuildRequires:  grpc-devel
 BuildRequires:  grpc-plugins
+%endif
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
@@ -66,7 +72,7 @@ Requires(postun): systemd
 Requires(preun): systemd
 
 %if 0%{?with_selinux}
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 %endif
 
 Obsoletes:      quagga < 1.2.4-17
@@ -77,17 +83,18 @@ FRRouting is free software that manages TCP/IP based routing protocols. It takes
 a multi-server and multi-threaded approach to resolve the current complexity
 of the Internet.
 
-FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
+EIGRP and BFD.
 
 FRRouting is a fork of Quagga.
 
 %if 0%{?with_selinux}
 %package selinux
-Summary:	Selinux policy for FRR
-BuildArch:	noarch
-Requires:	selinux-policy-%{selinuxtype}
-Requires(post):	selinux-policy-%{selinuxtype}
-BuildRequires:	selinux-policy-devel
+Summary:  Selinux policy for FRR
+BuildArch:  noarch
+Requires:  selinux-policy-%{selinuxtype}
+Requires(post):  selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
 %{?selinux_requires}
 
 %description selinux
@@ -100,6 +107,8 @@ SELinux policy modules for FRR package
 #Selinux
 mkdir selinux
 cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
+# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
+sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
 
 %build
 autoreconf -ivf
@@ -109,7 +118,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=%{_localstatedir}/run/frr \
+    --localstatedir=/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -126,8 +135,9 @@ autoreconf -ivf
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
     --with-crypto=openssl \
+    --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
-    --enable-grpc
+    %{?with_grpc:--enable-grpc}
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
 
@@ -168,7 +178,7 @@ install -d -m 775 %{buildroot}/run/frr
 
 %if 0%{?with_selinux}
 install -D -m 644 selinux/%{name}.pp.bz2 \
-	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+  %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
 %endif
 
@@ -213,6 +223,11 @@ fi
 %post selinux
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
 
 %postun selinux
 if [ $1 -eq 0 ]; then
@@ -234,10 +249,14 @@ rm tests/lib/*grpc*
 %dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man*/*
+%{_mandir}/man1/frr.1*
+%{_mandir}/man1/vtysh.1*
+%{_mandir}/man8/frr-*.8*
+%{_mandir}/man8/mtracebis.8*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/*
+%{_bindir}/mtracebis
+%{_bindir}/vtysh
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
@@ -259,6 +278,88 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Wed Jan 03 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.4-1
+- New version 8.5.4
+
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
+- New version 8.5.3
+
+* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
+- Adding a couple of SELinux rules, includes fix for rhbz#2149299
+
+* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
+- Rebuilt for abseil-cpp 20230802.0
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+- New version 8.5.2
+- Fixing some rpmlint warnings
+
+* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
+- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
+- Disable grpc in RHEL builds
+
+* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
+- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
+
+* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
+- New version 8.5.1
+
+* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
+- New version 8.5
+
+* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
+- Rebuilding for new abseil-cpp version
+
+* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
+- SPDX migration
+
+* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
+- Build as C++17, required by abseil-cpp 20230125
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
+- New version 8.4.2
+
+* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
+- New version 8.4.1
+- Fix for rhbz #2140705
+
+* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
+- New version 8.4
+
+* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Fixing an error in post scriptlet
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Resolves: #2124254 - frr can no longer update routes
+
+* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
+- Better handling FRR files during upgrade
+
+* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
+- New version 8.3.1
+
+* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
+- Rebuilding for new abseil-cpp and grpc updates
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
+- Adding vrrpd and pathd as daemons to the policy
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
+- Finalizing SELinux policy
+
 * Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
 - Fixing wrong path for vtysh in frr.fc
 

frr.te

@@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket create;
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@@ -68,8 +68,9 @@ allow frr_t frr_exec_t:dir search_dir_perms;
 can_exec(frr_t, frr_exec_t)
 
 kernel_read_network_state(frr_t)
-kernel_read_net_sysctls(frr_t)
+kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
+kernel_request_load_module(frr_t)
 
 auth_use_nsswitch(frr_t)
 
@@ -80,9 +81,11 @@ corenet_udp_bind_bfd_control_port(frr_t)
 corenet_udp_bind_bfd_echo_port(frr_t)
 corenet_udp_bind_bfd_multi_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
 corenet_tcp_bind_cmadmin_port(frr_t)
 corenet_udp_bind_cmadmin_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
 corenet_tcp_bind_priority_e_com_port(frr_t)
 corenet_udp_bind_router_port(frr_t)
 corenet_tcp_bind_qpasa_agent_port(frr_t)
@@ -95,6 +98,10 @@ domain_use_interactive_fds(frr_t)
 fs_read_nsfs_files(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)
 
 userdom_read_admin_home_files(frr_t)
 
@@ -112,3 +119,7 @@ optional_policy(`
 optional_policy(`
 	networkmanager_read_state(frr_t)
 ')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-8.2.2.tar.gz) = 2a3e189d8de09bd66bc4a49147bec681d48626d8cb268dc03f42b58064c066b35082114ff97d7333ae4029f759b78e216c8460c2611df7f6659675dc5f9b69b2
+SHA512 (frr-8.5.4.tar.gz) = f234fe73a019db2188e56988dc5cb3807c83d16c6f8723c68cb8f6154e8e63140f3cf8c3adec64a7661dd988089a8253fc3f910b31a1e6505ea1a6fec3df2e14
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d