v9.1.0

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.fmf/version

@@ -0,0 +1 @@
+1

.gitattributes

@@ -0,0 +1 @@
+*.tar.gz filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -6,3 +6,14 @@
 /frr-7.4.tar.gz
 /frr-7.5.tar.gz
 /frr-7.5.1.tar.gz
+/frr-8.0.tar.gz
+/frr-8.0.1.tar.gz
+/frr-8.2.tar.gz
+/frr-8.2.2.tar.gz
+/frr-8.3.1.tar.gz
+/frr-8.4.tar.gz
+/frr-8.4.1.tar.gz
+/frr-8.4.2.tar.gz
+/frr-8.5.tar.gz
+/frr-8.5.1.tar.gz
+/frr-8.5.2.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -1,29 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 5be3264..33abc1d 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -130,8 +130,6 @@ include ospf6d/subdir.am
- include ospfclient/subdir.am
- include isisd/subdir.am
- include nhrpd/subdir.am
--include ldpd/subdir.am
--include babeld/subdir.am
- include eigrpd/subdir.am
- include sharpd/subdir.am
- include pimd/subdir.am
-@@ -182,7 +180,6 @@ EXTRA_DIST += \
- 	snapcraft/defaults \
- 	snapcraft/helpers \
- 	snapcraft/snap \
--	babeld/Makefile \
- 	bgpd/Makefile \
- 	bgpd/rfp-example/librfp/Makefile \
- 	bgpd/rfp-example/rfptest/Makefile \
-@@ -193,7 +190,6 @@ EXTRA_DIST += \
- 	fpm/Makefile \
- 	grpc/Makefile \
- 	isisd/Makefile \
--	ldpd/Makefile \
- 	lib/Makefile \
- 	nhrpd/Makefile \
- 	ospf6d/Makefile \

0001-remove-babeld-and-ldpd.patch

@@ -0,0 +1,68 @@
+From 1adef7e973aeab4de3409ab77295bf218fc0c56c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:22:51 +0200
+Subject: [PATCH 1/5] remove babeld and ldpd
+
+---
+ Makefile.am           | 4 ----
+ tools/etc/frr/daemons | 4 ----
+ 2 files changed, 8 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index f56e1b8e0b..a42811d940 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -196,8 +196,6 @@ include ospf6d/subdir.am
+ include ospfclient/subdir.am
+ include isisd/subdir.am
+ include nhrpd/subdir.am
+-include ldpd/subdir.am
+-include babeld/subdir.am
+ include eigrpd/subdir.am
+ include sharpd/subdir.am
+ include pimd/subdir.am
+@@ -261,7 +259,6 @@ EXTRA_DIST += \
+ 	snapcraft/defaults \
+ 	snapcraft/helpers \
+ 	snapcraft/snap \
+-	babeld/Makefile \
+ 	mgmtd/Makefile \
+ 	bgpd/Makefile \
+ 	bgpd/rfp-example/librfp/Makefile \
+@@ -274,7 +271,6 @@ EXTRA_DIST += \
+ 	fpm/Makefile \
+ 	grpc/Makefile \
+ 	isisd/Makefile \
+-	ldpd/Makefile \
+ 	lib/Makefile \
+ 	nhrpd/Makefile \
+ 	ospf6d/Makefile \
+diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
+index c487e7e5f2..2e602901d3 100644
+--- a/tools/etc/frr/daemons
++++ b/tools/etc/frr/daemons
+@@ -22,10 +22,8 @@ ripngd=no
+ isisd=no
+ pimd=no
+ pim6d=no
+-ldpd=no
+ nhrpd=no
+ eigrpd=no
+-babeld=no
+ sharpd=no
+ pbrd=no
+ bfdd=no
+@@ -49,10 +47,8 @@ ripngd_options=" -A ::1"
+ isisd_options="  -A 127.0.0.1"
+ pimd_options="   -A 127.0.0.1"
+ pim6d_options="  -A ::1"
+-ldpd_options="   -A 127.0.0.1"
+ nhrpd_options="  -A 127.0.0.1"
+ eigrpd_options=" -A 127.0.0.1"
+-babeld_options=" -A 127.0.0.1"
+ sharpd_options=" -A 127.0.0.1"
+ pbrd_options="   -A 127.0.0.1"
+ staticd_options="-A 127.0.0.1"
+-- 
+2.41.0
+

0001-use-python3.patch

@@ -1,20 +0,0 @@
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index 208fb11..0692adc 100755
---- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Frr Reloader
- # Copyright (C) 2014 Cumulus Networks, Inc.
- #
-diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
-index 540b7a1..0876ebb 100755
---- a/tools/generate_support_bundle.py
-+++ b/tools/generate_support_bundle.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- 
- ########################################################
- ### Python Script to generate the FRR support bundle ###

0002-enable-openssl.patch

@@ -1,44 +1,20 @@
-diff --git a/lib/subdir.am b/lib/subdir.am
-index 0b7af18..0533e24 100644
---- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/log.c \
- 	lib/log_filter.c \
- 	lib/log_vty.c \
--	lib/md5.c \
- 	lib/memory.c \
- 	lib/mlag.c \
- 	lib/module.c \
-@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/routemap_northbound.c \
- 	lib/sbuf.c \
- 	lib/seqlock.c \
--	lib/sha256.c \
- 	lib/sigevent.c \
- 	lib/skiplist.c \
- 	lib/sockopt.c \
-@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
- 	lib/linklist.h \
- 	lib/log.h \
- 	lib/log_vty.h \
--	lib/md5.h \
- 	lib/memory.h \
- 	lib/module.h \
- 	lib/monotime.h \
-@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
- 	lib/routemap.h \
- 	lib/sbuf.h \
- 	lib/seqlock.h \
--	lib/sha256.h \
- 	lib/sigevent.h \
- 	lib/skiplist.h \
- 	lib/smux.h \
+From f2afebcbbd27c834b5d5727b561e588348503c15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:19:44 +0200
+Subject: [PATCH 2/5] enable openssl
+
+---
+ isisd/isis_lsp.c | 2 ++
+ isisd/isis_pdu.c | 2 ++
+ isisd/isis_te.c  | 2 ++
+ lib/subdir.am    | 4 ----
+ 4 files changed, 6 insertions(+), 4 deletions(-)
+
 diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
-index 1991666..2e4fe55 100644
+index 77573cdfac..df8508fa17 100644
 --- a/isisd/isis_lsp.c
 +++ b/isisd/isis_lsp.c
-@@ -35,7 +35,9 @@
+@@ -22,7 +22,9 @@
  #include "hash.h"
  #include "if.h"
  #include "checksum.h"
@@ -49,10 +25,10 @@ index 1991666..2e4fe55 100644
  #include "srcdest_table.h"
  #include "lib_errors.h"
 diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
-index 9c63311..7cf594c 100644
+index 0cd43a7abc..b2e114d734 100644
 --- a/isisd/isis_pdu.c
 +++ b/isisd/isis_pdu.c
-@@ -33,7 +33,9 @@
+@@ -20,7 +20,9 @@
  #include "prefix.h"
  #include "if.h"
  #include "checksum.h"
@@ -63,10 +39,10 @@ index 9c63311..7cf594c 100644
  
  #include "isisd/isis_constants.h"
 diff --git a/isisd/isis_te.c b/isisd/isis_te.c
-index 4ea6c2c..72ff0d2 100644
+index 90b53c540e..9d98c16e78 100644
 --- a/isisd/isis_te.c
 +++ b/isisd/isis_te.c
-@@ -38,7 +38,9 @@
+@@ -24,7 +24,9 @@
  #include "if.h"
  #include "vrf.h"
  #include "checksum.h"
@@ -76,3 +52,42 @@ index 4ea6c2c..72ff0d2 100644
  #include "sockunion.h"
  #include "network.h"
  #include "sbuf.h"
+diff --git a/lib/subdir.am b/lib/subdir.am
+index d7b28ffbd5..b2ee32168b 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -63,7 +63,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log.c \
+ 	lib/log_filter.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mgmt_be_client.c \
+ 	lib/mgmt_fe_client.c \
+@@ -95,7 +94,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -248,7 +246,6 @@ pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/mgmt.pb-c.h \
+ 	lib/mgmt_be_client.h \
+@@ -283,7 +280,6 @@ pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
+-- 
+2.41.0
+

0003-disable-eigrp-crypto.patch

@@ -1,227 +1,26 @@
-diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
-index bedaf15..8dc09bf 100644
---- a/eigrpd/eigrp_packet.c
-+++ b/eigrpd/eigrp_packet.c
-@@ -40,8 +40,10 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
- #include "sha256.h"
-+#endif
- #include "lib_errors.h"
- 
- #include "eigrpd/eigrp_structs.h"
-@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	struct key *key = NULL;
- 	struct keychain *keychain;
- 
-+
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	uint8_t *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_MD5_Authentication_Type *auth_TLV;
-@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 		return EIGRP_AUTH_TYPE_NONE;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+//TBD when this is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
--
-+#endif
- 	/* Append md5 digest to the end of the stream. */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
- 
-@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
- 			   struct TLV_MD5_Authentication_Type *authTLV,
- 			   struct eigrp_neighbor *nbr, uint8_t flags)
- {
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
- 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
- 	struct key *key = NULL;
-@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
- 		return 0;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
-+#endif
- 
- 	/* compare the two */
- 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
-@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
- 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	HMAC_SHA256_CTX ctx;
-+#endif
- 	void *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_SHA256_Authentication_Type *auth_TLV;
-@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 
- 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	buffer[0] = '\n';
- 	memcpy(buffer + 1, key, strlen(key->string));
-@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 			  1 + strlen(key->string) + strlen(source_ip));
- 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
- 	HMAC__SHA256_Final(digest, &ctx);
--
-+#endif
- 
- 	/* Put hmac-sha256 digest to it's place */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
-diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
-index 93eed94..f1c7347 100644
---- a/eigrpd/eigrp_filter.c
-+++ b/eigrpd/eigrp_filter.c
-@@ -47,7 +47,9 @@
- #include "if_rmap.h"
- #include "plist.h"
- #include "distribute.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "privs.h"
- #include "vrf.h"
-diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
-index dacd5ca..b232cc5 100644
---- a/eigrpd/eigrp_hello.c
-+++ b/eigrpd/eigrp_hello.c
-@@ -43,7 +43,9 @@
- #include "sockopt.h"
- #include "checksum.h"
- #include "vty.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- 
- #include "eigrpd/eigrp_structs.h"
- #include "eigrpd/eigrpd.h"
-diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
-index 84dcf5e..a2575e3 100644
---- a/eigrpd/eigrp_query.c
-+++ b/eigrpd/eigrp_query.c
-@@ -38,7 +38,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
-index ccf0496..2902365 100644
---- a/eigrpd/eigrp_reply.c
-+++ b/eigrpd/eigrp_reply.c
-@@ -42,7 +42,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "keychain.h"
- #include "plist.h"
-diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
-index ff38325..09b9369 100644
---- a/eigrpd/eigrp_siaquery.c
-+++ b/eigrpd/eigrp_siaquery.c
-@@ -38,7 +38,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
-index d3dd123..f6a2bd6 100644
---- a/eigrpd/eigrp_siareply.c
-+++ b/eigrpd/eigrp_siareply.c
-@@ -37,7 +37,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
-index 21c9238..cfb8890 100644
---- a/eigrpd/eigrp_snmp.c
-+++ b/eigrpd/eigrp_snmp.c
-@@ -42,7 +42,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "smux.h"
- 
-diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
-index 8db4903..2a4f0bb 100644
---- a/eigrpd/eigrp_update.c
-+++ b/eigrpd/eigrp_update.c
-@@ -42,7 +42,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "plist.h"
- #include "plist_int.h"
+From 138dff00b047a92b0616d53742b83b13cca8981c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:23:48 +0200
+Subject: [PATCH 3/5] disable eigrp crypto
+
+---
+ eigrpd/eigrp_cli.c      | 15 +++++++++++++++
+ eigrpd/eigrp_filter.c   |  2 ++
+ eigrpd/eigrp_hello.c    |  2 ++
+ eigrpd/eigrp_packet.c   | 27 +++++++++++++++++++++++++--
+ eigrpd/eigrp_query.c    |  2 ++
+ eigrpd/eigrp_reply.c    |  2 ++
+ eigrpd/eigrp_siaquery.c |  2 ++
+ eigrpd/eigrp_siareply.c |  2 ++
+ eigrpd/eigrp_snmp.c     |  2 ++
+ eigrpd/eigrp_update.c   |  2 ++
+ 10 files changed, 56 insertions(+), 2 deletions(-)
+
 diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
-index a93d4c8..b01e121 100644
+index 213834afc8..73647937db 100644
 --- a/eigrpd/eigrp_cli.c
 +++ b/eigrpd/eigrp_cli.c
-@@ -25,6 +25,7 @@
+@@ -11,6 +11,7 @@
  #include "lib/command.h"
  #include "lib/log.h"
  #include "lib/northbound_cli.h"
@@ -229,7 +28,7 @@ index a93d4c8..b01e121 100644
  
  #include "eigrp_structs.h"
  #include "eigrpd.h"
-@@ -726,6 +726,20 @@ DEFPY(
+@@ -716,6 +717,20 @@ DEFPY_YANG(
  	"Keyed message digest\n"
  	"HMAC SHA256 algorithm \n")
  {
@@ -250,3 +49,225 @@ index a93d4c8..b01e121 100644
  	char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
  
  	snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index eceef6b8a7..1d194be143 100644
+--- a/eigrpd/eigrp_filter.c
++++ b/eigrpd/eigrp_filter.c
+@@ -32,7 +32,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index ee0e2451a2..d3b8414b81 100644
+--- a/eigrpd/eigrp_hello.c
++++ b/eigrpd/eigrp_hello.c
+@@ -28,7 +28,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index 963d229bc1..587eb422ea 100644
+--- a/eigrpd/eigrp_packet.c
++++ b/eigrpd/eigrp_packet.c
+@@ -25,8 +25,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -88,8 +90,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
++
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -112,6 +118,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++//TBD when this is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -139,7 +148,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
++#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -155,7 +164,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -196,6 +208,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -223,6 +238,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -247,7 +263,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -276,6 +296,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -284,7 +307,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
++#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 0e206cded6..4b3f4e0821 100644
+--- a/eigrpd/eigrp_query.c
++++ b/eigrpd/eigrp_query.c
+@@ -23,7 +23,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index aae89e832b..1fb1f404d2 100644
+--- a/eigrpd/eigrp_reply.c
++++ b/eigrpd/eigrp_reply.c
+@@ -27,7 +27,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index 71486a1f6f..430e8ce719 100644
+--- a/eigrpd/eigrp_siaquery.c
++++ b/eigrpd/eigrp_siaquery.c
+@@ -23,7 +23,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index 6c8c1ef58d..b16e0fcfc8 100644
+--- a/eigrpd/eigrp_siareply.c
++++ b/eigrpd/eigrp_siareply.c
+@@ -22,7 +22,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 492ef3e713..5618c3f2b5 100644
+--- a/eigrpd/eigrp_snmp.c
++++ b/eigrpd/eigrp_snmp.c
+@@ -27,7 +27,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 74f573d9d8..39f4dcfc39 100644
+--- a/eigrpd/eigrp_update.c
++++ b/eigrpd/eigrp_update.c
+@@ -27,7 +27,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"
+-- 
+2.41.0
+

0004-fips-mode.patch

@@ -1,10 +1,65 @@
+From 90d09b061feae5e39a88c0ae51f880e82d82bb18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:24:43 +0200
+Subject: [PATCH 4/5] fips mode
+
+---
+ isisd/isis_circuit.c |  4 ++++
+ isisd/isisd.c        |  4 ++++
+ lib/zebra.h          |  1 +
+ ospfd/ospf_vty.c     | 24 ++++++++++++++++++++++++
+ ripd/rip_cli.c       |  6 ++++++
+ 5 files changed, 39 insertions(+)
+
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index ffa6ad3e40..8c28b17eb2 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -1543,6 +1543,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index b1064d8941..fbcd097f72 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -3040,6 +3040,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
+diff --git a/lib/zebra.h b/lib/zebra.h
+index ecc87f58f1..5cb7167598 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -90,6 +90,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+ 
+ #include "openbsd-tree.h"
 diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
-index 631465f..e084ff3 100644
+index 740ecb518b..d094b205b3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
- 
- 	if (argv_find(argv, argc, "message-digest", &idx)) {
+@@ -1085,6 +1085,11 @@ DEFUN (ospf_area_vlink,
+ 		vl_config.keychain = argv[idx+1]->arg;
+ 	} else if (argv_find(argv, argc, "message-digest", &idx)) {
  		/* authentication message-digest */
 +		if(FIPS_mode())
 +		{
@@ -14,7 +69,7 @@ index 631465f..e084ff3 100644
  		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
  	} else if (argv_find(argv, argc, "null", &idx)) {
  		/* "authentication null" */
-@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+@@ -1997,6 +2002,15 @@ DEFUN (ospf_area_authentication_message_digest,
  				  ? OSPF_AUTH_NULL
  				  : OSPF_AUTH_CRYPTOGRAPHIC;
  
@@ -30,7 +85,7 @@ index 631465f..e084ff3 100644
  	return CMD_SUCCESS;
  }
  
-@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+@@ -7621,6 +7635,11 @@ DEFUN (ip_ospf_authentication_args,
  
  	/* Handle message-digest authentication */
  	if (argv[idx_encryption]->arg[0] == 'm') {
@@ -41,8 +96,8 @@ index 631465f..e084ff3 100644
 +		}
  		SET_IF_PARAM(params, auth_type);
  		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
- 		return CMD_SUCCESS;
-@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+ 		UNSET_IF_PARAM(params, keychain_name);
+@@ -7949,6 +7968,11 @@ DEFUN (ip_ospf_message_digest_key,
         "The OSPF password (key)\n"
         "Address of interface\n")
  {
@@ -54,41 +109,11 @@ index 631465f..e084ff3 100644
  	VTY_DECLVAR_CONTEXT(interface, ifp);
  	struct crypt_key *ck;
  	uint8_t key_id;
-diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
-index 81b4b39..cce33d9 100644
---- a/isisd/isis_circuit.c
-+++ b/isisd/isis_circuit.c
-@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
- 		return ferr_code_bug(
- 			"circuit password too long (max 254 chars)");
- 
-+	//When in FIPS mode, the password never gets set in MD5
-+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
-+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 	circuit->passwd.len = len;
- 	strlcpy((char *)circuit->passwd.passwd, passwd,
- 		sizeof(circuit->passwd.passwd));
-diff --git a/isisd/isisd.c b/isisd/isisd.c
-index 419127c..a6c36af 100644
---- a/isisd/isisd.c
-+++ b/isisd/isisd.c
-@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
- 		if (len > 254)
- 			return -1;
- 
-+		//When in FIPS mode, the password never get set in MD5
-+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
-+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 		modified.len = len;
- 		strlcpy((char *)modified.passwd, passwd,
- 			sizeof(modified.passwd));
 diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
-index 5bb81ef..02a09ef 100644
+index 097c708ab1..854a16e4e0 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
  			value = "20";
  	}
  
@@ -101,3 +126,6 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+-- 
+2.41.0
+

0005-icc-options.patch

@@ -1,52 +0,0 @@
-From 4e90d19ea3de6b8938d097d84f6df3fcf6eb0422 Mon Sep 17 00:00:00 2001
-From: Mark Stapp <mjs@voltanet.io>
-Date: Mon, 15 Feb 2021 13:59:02 -0500
-Subject: [PATCH] build: detect ICC, only try ICC options if ICC
-
-Some ICC command-line options can cause confusion for other
-compilers; test for ICC specifically, and only try to use those
-options if ICC is being used.
-
-Signed-off-by: Mark Stapp <mjs@voltanet.io>
----
- configure.ac | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 266f37a1129..f3d1f38986a 100755
---- a/configure.ac
-+++ b/configure.ac
-@@ -191,6 +191,11 @@ CXXFLAGS="$orig_cxxflags"
- AC_PROG_CC_C99
- dnl NB: see C11 below
- 
-+dnl Some special handling for ICC later on
-+if test "$CC" = "icc"; then
-+    cc_is_icc="yes"
-+fi
-+
- PKG_PROG_PKG_CONFIG
- 
- dnl it's 2019, sed is sed.
-@@ -252,7 +257,9 @@ AC_DEFUN([AC_LINK_IFELSE_FLAGS], [{
- 
- dnl ICC won't bail on unknown options without -diag-error 10006
- dnl need to do this first so we get useful results for the other options
--AC_C_FLAG([-diag-error 10006])
-+if test "$cc_is_icc" = "yes"; then
-+    AC_C_FLAG([-diag-error 10006])
-+fi
- 
- dnl AC_PROG_CC_C99 may change CC to include -std=gnu99 or something
- ac_cc="$CC"
-@@ -335,7 +342,9 @@ AC_SUBST([CXX_COMPAT_CFLAGS])
- dnl ICC emits a broken warning for const char *x = a ? "b" : "c";
- dnl for some reason the string consts get 'promoted' to char *,
- dnl triggering a const to non-const conversion warning.
--AC_C_FLAG([-diag-disable 3179])
-+if test "$cc_is_icc" = "yes"; then
-+    AC_C_FLAG([-diag-disable 3179])
-+fi
- 
- if test "$enable_werror" = "yes" ; then
-   WERROR="-Werror"

0005-remove-grpc-test.patch

@@ -0,0 +1,34 @@
+From e89eb677ad94cd39379e254215e3ec91e571da73 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:26:25 +0200
+Subject: [PATCH 5/5] remove grpc test
+
+---
+ tests/lib/subdir.am | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
+index 6c1be50201..2ac3d508e9 100644
+--- a/tests/lib/subdir.am
++++ b/tests/lib/subdir.am
+@@ -24,17 +24,6 @@ copy_script: tests/lib/script1.lua
+ 	test -e tests/lib/script1.lua || \
+ 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
+ 
+-##############################################################################
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-
+-if GRPC
+-check_PROGRAMS += tests/lib/test_grpc
+-endif
+-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
+-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
+-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
+-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-
+ 
+ ##############################################################################
+ if ZEROMQ
+-- 
+2.41.0
+

0006-move-to-libexec.patch

@@ -1,17 +0,0 @@
-diff --git a/tools/frr.service b/tools/frr.service
-index aa45f42..402def8 100644
---- a/tools/frr.service
-+++ b/tools/frr.service
-@@ -17,9 +17,9 @@ WatchdogSec=60s
- RestartSec=5
- Restart=on-abnormal
- LimitNOFILE=1024
--ExecStart=/usr/lib/frr/frrinit.sh start
--ExecStop=/usr/lib/frr/frrinit.sh stop
--ExecReload=/usr/lib/frr/frrinit.sh reload
-+ExecStart=/usr/libexec/frr/frrinit.sh start
-+ExecStop=/usr/libexec/frr/frrinit.sh stop
-+ExecReload=/usr/libexec/frr/frrinit.sh reload
- 
- [Install]
- WantedBy=multi-user.target

0007-ospfd-crash.patch

@@ -1,108 +0,0 @@
-From 4f08c715db6893ff439d0a39bf4506cd26256d13 Mon Sep 17 00:00:00 2001
-From: Igor Ryzhov <iryzhov@nfware.com>
-Date: Fri, 18 Jun 2021 13:06:13 +0300
-Subject: [PATCH] lib: remove pure attribute from functions that modify memory
-
-Almost all functions currently marked with pure attribute acquire a
-route_node lock. By marking them pure we allow compiler to optimize the
-code and not call them when it already knows the return value. This is
-completely incorrect.
-
-Only two of eleven functions can be marked as pure. And they still won't
-be optimized because they are never called from the same function twice.
-Let's remove the ext_pure macro completely to reduce the chance of
-repeating this mistake in the future.
-
-Fixes #8866, #8809, #8595, #6992.
-
-Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
----
- lib/compiler.h |  9 ---------
- lib/table.h    | 44 ++++++++++++++++++++------------------------
- 2 files changed, 20 insertions(+), 33 deletions(-)
-
-diff --git a/lib/compiler.h b/lib/compiler.h
-index bbfe01b569c..e805eb8be48 100644
---- a/lib/compiler.h
-+++ b/lib/compiler.h
-@@ -123,15 +123,6 @@ extern "C" {
- #define assume(x)
- #endif
- 
--/* pure = function does not modify memory & return value is the same if
-- * memory hasn't changed (=> allows compiler to optimize)
-- *
-- * Mostly autodetected by the compiler if function body is available (i.e.
-- * static inline functions in headers).  Since that implies it should only be
-- * used in headers for non-inline functions, the "extern" is included here.
-- */
--#define ext_pure	extern __attribute__((pure))
--
- /* for helper functions defined inside macros */
- #define macro_inline	static inline __attribute__((unused))
- #define macro_pure	static inline __attribute__((unused, pure))
-diff --git a/lib/table.h b/lib/table.h
-index 7e383dce808..5dec69ee7ea 100644
---- a/lib/table.h
-+++ b/lib/table.h
-@@ -197,29 +197,25 @@ static inline void route_table_set_info(struct route_table *table, void *d)
- 	table->info = d;
- }
- 
--/* ext_pure => extern __attribute__((pure))
-- *   does not modify memory (but depends on mem), allows compiler to optimize
-- */
--
- extern void route_table_finish(struct route_table *table);
--ext_pure struct route_node *route_top(struct route_table *table);
--ext_pure struct route_node *route_next(struct route_node *node);
--ext_pure struct route_node *route_next_until(struct route_node *node,
--					     const struct route_node *limit);
-+extern struct route_node *route_top(struct route_table *table);
-+extern struct route_node *route_next(struct route_node *node);
-+extern struct route_node *route_next_until(struct route_node *node,
-+					   const struct route_node *limit);
- extern struct route_node *route_node_get(struct route_table *table,
- 					 union prefixconstptr pu);
--ext_pure struct route_node *route_node_lookup(struct route_table *table,
--					      union prefixconstptr pu);
--ext_pure struct route_node *route_node_lookup_maynull(struct route_table *table,
--						      union prefixconstptr pu);
--ext_pure struct route_node *route_node_match(struct route_table *table,
--					     union prefixconstptr pu);
--ext_pure struct route_node *route_node_match_ipv4(struct route_table *table,
--						  const struct in_addr *addr);
--ext_pure struct route_node *route_node_match_ipv6(struct route_table *table,
--						  const struct in6_addr *addr);
--
--ext_pure unsigned long route_table_count(struct route_table *table);
-+extern struct route_node *route_node_lookup(struct route_table *table,
-+					    union prefixconstptr pu);
-+extern struct route_node *route_node_lookup_maynull(struct route_table *table,
-+						    union prefixconstptr pu);
-+extern struct route_node *route_node_match(struct route_table *table,
-+					   union prefixconstptr pu);
-+extern struct route_node *route_node_match_ipv4(struct route_table *table,
-+						const struct in_addr *addr);
-+extern struct route_node *route_node_match_ipv6(struct route_table *table,
-+						const struct in6_addr *addr);
-+
-+extern unsigned long route_table_count(struct route_table *table);
- 
- extern struct route_node *route_node_create(route_table_delegate_t *delegate,
- 					    struct route_table *table);
-@@ -228,10 +224,10 @@ extern void route_node_destroy(route_table_delegate_t *delegate,
- 			       struct route_table *table,
- 			       struct route_node *node);
- 
--ext_pure struct route_node *route_table_get_next(struct route_table *table,
--						 union prefixconstptr pu);
--ext_pure int route_table_prefix_iter_cmp(const struct prefix *p1,
--					 const struct prefix *p2);
-+extern struct route_node *route_table_get_next(struct route_table *table,
-+					       union prefixconstptr pu);
-+extern int route_table_prefix_iter_cmp(const struct prefix *p1,
-+				       const struct prefix *p2);
- 
- /*
-  * Iterator functions.

frr.fc

@@ -0,0 +1,29 @@
+/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
+
+/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
+
+/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
+
+/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
+/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+
+/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -0,0 +1,215 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+

frr.spec

@@ -1,26 +1,32 @@
+%global dist .ims.1%{?dist}
+
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
+%global selinuxtype targeted
 %define _legacy_common_support 1
+%bcond grpc %{undefined rhel}
+%bcond selinux 1
 
 Name:           frr
-Version:        7.5.1
-Release:        9%{?dist}
+Version:        9.1.0
+Release:        1%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
 Source2:        %{name}-sysusers.conf
+#Decentralized SELinux policy
+Source3:        frr.fc
+Source4:        frr.te
+Source5:        frr.if
 
-Patch0000:      0000-remove-babeld-and-ldpd.patch
-Patch0001:      0001-use-python3.patch
+Patch0000:      0001-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
-Patch0005:      0005-icc-options.patch
-Patch0006:      0006-move-to-libexec.patch
-Patch0007:      0007-ospfd-crash.patch
+Patch0005:      0005-remove-grpc-test.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -31,12 +37,14 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  git-core
 BuildRequires:  groff
+%if %{with grpc}
 BuildRequires:  grpc-devel
 BuildRequires:  grpc-plugins
+%endif
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
-BuildRequires:  libyang-devel >= 0.16.74
+BuildRequires:  libyang-devel >= 2.0.0
 BuildRequires:  make
 BuildRequires:  ncurses
 BuildRequires:  ncurses-devel
@@ -52,6 +60,7 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
+BuildRequires:  protobuf-c-devel
 
 Requires:       ncurses
 Requires:       net-snmp
@@ -60,7 +69,12 @@ Requires(post): hostname
 Requires(post): systemd
 Requires(postun): systemd
 Requires(preun): systemd
-Conflicts:      quagga
+
+%if 0%{?with_selinux}
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+%endif
+
+Obsoletes:      quagga < 1.2.4-17
 Provides:       routingdaemon = %{version}-%{release}
 
 %description
@@ -72,8 +86,27 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
 
 FRRouting is a fork of Quagga.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:	Selinux policy for FRR
+BuildArch:	noarch
+Requires:	selinux-policy-%{selinuxtype}
+Requires(post):	selinux-policy-%{selinuxtype}
+BuildRequires:	selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+SELinux policy modules for FRR package
+
+%endif
+
 %prep
 %autosetup -S git
+#Selinux
+mkdir selinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
+# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
+sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac
 
 %build
 autoreconf -ivf
@@ -83,7 +116,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=%{_localstatedir}/run/frr \
+    --localstatedir=/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -100,14 +133,21 @@ autoreconf -ivf
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
     --with-crypto=openssl \
+    --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
-    --enable-grpc
+    %{?with_grpc:--enable-grpc}
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
 
 # Build info documentation
 %make_build -C doc info
 
+#SELinux policy
+%if 0%{?with_selinux}
+make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
+bzip2 -9 selinux/%{name}.pp
+%endif
+
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
          %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
@@ -134,6 +174,12 @@ install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fr
 install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 
+%if 0%{?with_selinux}
+install -D -m 644 selinux/%{name}.pp.bz2 \
+	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%endif
+
 # Delete libtool archives
 find %{buildroot} -type f -name "*.la" -delete -print
 
@@ -144,7 +190,6 @@ rm -r %{buildroot}%{_includedir}/frr/
 %pre
 %sysusers_create_compat %{SOURCE2}
 
-
 %post
 %systemd_post frr.service
 
@@ -168,28 +213,48 @@ fi
 %preun
 %systemd_preun frr.service
 
+#SELinux
+%if 0%{?with_selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
+if [ $1 == 2 ]; then
+    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%endif
+
 %check
+#this should be temporary, the grpc test is just badly designed
+rm tests/lib/*grpc*
 %make_build check PYTHON=%{__python3}
 
 %files
 %license COPYING
-%doc zebra/zebra.conf.sample
-%doc isisd/isisd.conf.sample
-%doc ripd/ripd.conf.sample
-%doc bgpd/bgpd.conf.sample*
-%doc ospfd/ospfd.conf.sample
-%doc ospf6d/ospf6d.conf.sample
-%doc ripngd/ripngd.conf.sample
-%doc pimd/pimd.conf.sample
 %doc doc/mpls
 %dir %attr(750,frr,frr) %{_sysconfdir}/frr
 %dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man*/*
+%{_mandir}/man1/frr.1*
+%{_mandir}/man1/vtysh.1*
+%{_mandir}/man8/frr-*.8*
+%{_mandir}/man8/mtracebis.8*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/*
+%{_bindir}/mtracebis
+%{_bindir}/vtysh
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
@@ -203,7 +268,130 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
+%{_datadir}/selinux/devel/include/distributed/%{name}.if
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%endif
+
 %changelog
+* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
+- New version 8.5.2
+- Fixing a couple of SELinux issues
+
+* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
+- New version 8.5.1
+
+* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
+- New version 8.5
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
+- New version 8.4.2
+
+* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
+- New version 8.4.1
+- Fix for rhbz #2140705
+
+* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
+- New version 8.4
+
+* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
+- Adding SELinux rule to enable zebra to write to sysctl_net_t
+- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
+- Fixing an error in post scriptlet
+
+* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
+- Resolves: #2124254 - frr can no longer update routes
+
+* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
+- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
+- Better handling FRR files during upgrade
+
+* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
+- New version 8.3.1
+
+* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
+- Rebuilding for new abseil-cpp and grpc updates
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
+- Adding vrrpd and pathd as daemons to the policy
+
+* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
+- Finalizing SELinux policy
+
+* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
+- Fixing wrong path for vtysh in frr.fc
+
+* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
+- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
+
+* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
+- Packaging SELinux policy for FRR
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
+- Rebuild for grpc-1.46.1
+
+* Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
+- Fix for CVE-2022-16126
+
+* Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
+- New version 8.2.2
+
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
+- Rebuild for abseil-cpp 20211102.0
+
+* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+- New version 8.2 (rhbz#2020439)
+- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
+
+* Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
+- Rebuilding for FTBFS in Rawhide(rhbz#2045399)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
+- Rebuilt for libre2.so.9
+
+* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
+- Rebuilt for protobuf 3.19.0
+
+* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
+- Rebuilt for protobuf 3.18.1
+
+* Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
+- Obsoleting quagga so that it may be retired
+
+* Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
+- Rebuilding for grpc 1.41
+
+* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
+- Rebuild for new version of libyang
+
+* Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
+- Rebuild for grpc 1.40
+
+* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- New version 8.0.1
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
+- New version 8.0
+
 * Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
 - Rebuild for grpc 1.39
 

frr.te

@@ -0,0 +1,122 @@
+policy_module(frr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type frr_t;
+type frr_exec_t;
+init_daemon_domain(frr_t, frr_exec_t)
+
+type frr_log_t;
+logging_log_file(frr_log_t)
+
+type frr_tmp_t;
+files_tmp_file(frr_tmp_t)
+
+type frr_lock_t;
+files_lock_file(frr_lock_t)
+
+type frr_conf_t;
+files_config_file(frr_conf_t)
+
+type frr_unit_file_t;
+systemd_unit_file(frr_unit_file_t)
+
+type frr_var_run_t;
+files_pid_file(frr_var_run_t)
+
+########################################
+#
+# frr local policy
+#
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
+allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:packet_socket { create setopt };
+allow frr_t self:process { setcap setpgid };
+allow frr_t self:rawip_socket create_socket_perms;
+allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
+allow frr_t self:udp_socket create_socket_perms;
+allow frr_t self:unix_stream_socket connectto;
+
+allow frr_t frr_conf_t:dir list_dir_perms;
+manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
+
+manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
+manage_files_pattern(frr_t, frr_log_t, frr_log_t)
+manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
+logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
+
+allow frr_t frr_tmp_t:file map;
+manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
+files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
+
+manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
+files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
+
+manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
+files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
+
+allow frr_t frr_exec_t:dir search_dir_perms;
+can_exec(frr_t, frr_exec_t)
+
+kernel_read_network_state(frr_t)
+kernel_rw_net_sysctls(frr_t)
+kernel_read_system_state(frr_t)
+
+auth_use_nsswitch(frr_t)
+
+corecmd_exec_bin(frr_t)
+
+corenet_tcp_bind_appswitch_emp_port(frr_t)
+corenet_udp_bind_bfd_control_port(frr_t)
+corenet_udp_bind_bfd_echo_port(frr_t)
+corenet_udp_bind_bfd_multi_port(frr_t)
+corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
+corenet_tcp_bind_cmadmin_port(frr_t)
+corenet_udp_bind_cmadmin_port(frr_t)
+corenet_tcp_bind_firepower_port(frr_t)
+corenet_tcp_bind_generic_port(frr_t)
+corenet_tcp_bind_priority_e_com_port(frr_t)
+corenet_udp_bind_router_port(frr_t)
+corenet_tcp_bind_qpasa_agent_port(frr_t)
+corenet_tcp_bind_smntubootstrap_port(frr_t)
+corenet_tcp_bind_versa_tek_port(frr_t)
+corenet_tcp_bind_zebra_port(frr_t)
+
+domain_use_interactive_fds(frr_t)
+
+fs_read_nsfs_files(frr_t)
+
+sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+userdom_read_admin_home_files(frr_t)
+
+optional_policy(`
+	logging_send_syslog_msg(frr_t)
+')
+
+optional_policy(`
+	modutils_exec_kmod(frr_t)
+	modutils_getattr_module_deps(frr_t)
+	modutils_read_module_config(frr_t)
+	modutils_read_module_deps_files(frr_t)
+')
+
+optional_policy(`
+	networkmanager_read_state(frr_t)
+')
+
+optional_policy(`
+	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+')

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+ 
+#gating rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

plans/all.fmf

@@ -0,0 +1,6 @@
+summary: Test plan with all Fedora tests
+discover:
+       how: fmf
+       url: https://src.fedoraproject.org/tests/frr.git
+execute:
+       how: tmt

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-7.5.1.tar.gz) = 1c27420594e52647090da3556e5c62d6f916903c4fa86e5110f1e86152f07d3ce4252bc859d36c9d218dc96a80b245c8b9eee97f370d818cb39be187b6c3546e
+SHA512 (frr-8.5.2.tar.gz) = a5eadd8c88966b58ebc0e7b92311bda16b391abe727861eed772ded678f5a84d84421fbfd4b23c4a2b18ab3d2dcd5b2c9099491dab6958b63c39a9c67c4508d2
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d