Custom nhrp patches

.gitignore

@@ -17,8 +17,5 @@
 /frr-8.5.tar.gz
 /frr-8.5.1.tar.gz
 /frr-8.5.2.tar.gz
-/frr-9.0.1.tar.gz
-/frr-9.1.tar.gz
-/frr-10.0.1.tar.gz
-/frr-10.1.tar.gz
-/frr-10.2.tar.gz
+/frr-8.5.3.tar.gz
+/frr-8.5.4.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -16,9 +16,9 @@ index 5be3264..33abc1d 100644
  	snapcraft/helpers \
  	snapcraft/snap \
 -	babeld/Makefile \
- 	mgmtd/Makefile \
  	bgpd/Makefile \
  	bgpd/rfp-example/librfp/Makefile \
+ 	bgpd/rfp-example/rfptest/Makefile \
 @@ -193,7 +190,6 @@ EXTRA_DIST += \
  	fpm/Makefile \
  	grpc/Makefile \

0002-enable-openssl.patch

@@ -8,8 +8,8 @@ index 0b7af18..0533e24 100644
  	lib/log_vty.c \
 -	lib/md5.c \
  	lib/memory.c \
- 	lib/mgmt_be_client.c \
- 	lib/mgmt_fe_client.c \
+ 	lib/mlag.c \
+ 	lib/module.c \
 @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
  	lib/routemap_northbound.c \
  	lib/sbuf.c \
@@ -24,8 +24,8 @@ index 0b7af18..0533e24 100644
  	lib/log_vty.h \
 -	lib/md5.h \
  	lib/memory.h \
- 	lib/mgmt.pb-c.h \
- 	lib/mgmt_be_client.h \
+ 	lib/module.h \
+ 	lib/monotime.h \
 @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
  	lib/route_opaque.h \
  	lib/sbuf.h \

0004-fips-mode.patch

@@ -2,20 +2,9 @@ diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
 index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -7,6 +7,10 @@
- #include <zebra.h>
- #include <string.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "printfrr.h"
- #include "monotime.h"
- #include "memory.h"
 @@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
- 		vl_config.keychain = argv[idx+1]->arg;
- 	} else if (argv_find(argv, argc, "message-digest", &idx)) {
+ 
+ 	if (argv_find(argv, argc, "message-digest", &idx)) {
  		/* authentication message-digest */
 +		if(FIPS_mode())
 +		{
@@ -52,7 +41,7 @@ index 631465f..e084ff3 100644
 +		}
  		SET_IF_PARAM(params, auth_type);
  		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
- 		UNSET_IF_PARAM(params, keychain_name);
+ 		return CMD_SUCCESS;
 @@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
         "The OSPF password (key)\n"
         "Address of interface\n")
@@ -69,17 +58,6 @@ diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
 index 81b4b39..cce33d9 100644
 --- a/isisd/isis_circuit.c
 +++ b/isisd/isis_circuit.c
-@@ -13,6 +13,10 @@
- #include <netinet/if_ether.h>
- #endif
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "log.h"
- #include "memory.h"
- #include "vrf.h"
 @@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
  		return ferr_code_bug(
  			"circuit password too long (max 254 chars)");
@@ -95,17 +73,6 @@ diff --git a/isisd/isisd.c b/isisd/isisd.c
 index 419127c..a6c36af 100644
 --- a/isisd/isisd.c
 +++ b/isisd/isisd.c
-@@ -9,6 +9,10 @@
- 
- #include <zebra.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "frrevent.h"
- #include "vty.h"
- #include "command.h"
 @@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
  		if (len > 254)
  			return -1;
@@ -121,17 +88,6 @@ diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
 index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -7,6 +7,10 @@
- 
- #include <zebra.h>
- 
-+#ifdef CRYPTO_OPENSSL
-+#include <openssl/fips.h>
-+#endif
-+
- #include "if.h"
- #include "if_rmap.h"
- #include "vrf.h"
 @@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
  			value = "20";
  	}
@@ -145,3 +101,15 @@ index 5bb81ef..02a09ef 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
+
+ #include "openbsd-tree.h"

0005-remove-grpc-test.patch

@@ -2,12 +2,12 @@ diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
 index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -18,22 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
- 	test -e tests/lib/script1.lua || \
- 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
  
 -##############################################################################
--GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
@@ -16,10 +16,6 @@ index 7b5eaa4..5c82f69 100644
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
--nodist_tests_lib_test_grpc_SOURCES = \
--	yang/frr-bfdd.yang.c \
--	yang/frr-staticd.yang.c \
--	# end
 -
 -
  ##############################################################################

0006-autorp-segfault.patch

@@ -1,41 +0,0 @@
-From 37b88191fb4736ff0a1e565fc22003d0ab853ea2 Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Wed, 4 Dec 2024 10:47:33 -0500
-Subject: [PATCH] pimd: Prevent crash of pim when auto-rp's socket is not
- initialized
-
-If the socket associated with the auto-rp fails to initialize then
-the memory for the auto-rp is just dropped on the floor.  Additionally
-any type of attempt at using the feature will just cause pimd to crash,
-when the pointer is derefed.  Since it is derefed all over the place
-without checking.
-
-Clearly if you cannot bind/use the socket let's allow continuation.
-
-Fixes: #17540
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
----
- pimd/pim_autorp.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/pimd/pim_autorp.c b/pimd/pim_autorp.c
-index 3fb10f4..91ed005 100644
---- a/pimd/pim_autorp.c
-+++ b/pimd/pim_autorp.c
-@@ -1014,12 +1014,14 @@ void pim_autorp_init(struct pim_instance *pim)
- 	autorp->announce_interval = DEFAULT_ANNOUNCE_INTERVAL;
- 	autorp->announce_holdtime = DEFAULT_ANNOUNCE_HOLDTIME;
- 
-+	pim->autorp = autorp;
-+
- 	if (!pim_autorp_socket_enable(autorp)) {
--		zlog_err("%s: AutoRP failed to initialize", __func__);
-+		zlog_err("%s: AutoRP failed to initialize, feature will not work correctly",
-+				__func__);
- 		return;
- 	}
- 
--	pim->autorp = autorp;
- 	if (PIM_DEBUG_AUTORP)
- 		zlog_debug("%s: AutoRP Initialized", __func__);
- 

0010-nhrpd-zebra-Read-GRE-addresses-only-if-sent.patch

@@ -0,0 +1,49 @@
+From 114bd532ac0c3b6d819f516eb41021eb250b65bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Wed, 15 Sep 2021 19:44:56 +0200
+Subject: [PATCH 10/11] nhrpd, zebra: Read GRE addresses only if sent
+
+GRE addresses are not send if interface is missing in kernel. We
+should first check if they have been sent.
+---
+ nhrpd/nhrp_route.c | 7 ++++---
+ zebra/zapi_msg.c   | 2 --
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/nhrpd/nhrp_route.c b/nhrpd/nhrp_route.c
+index 698c6d0cdf..2e7923bf33 100644
+--- a/nhrpd/nhrp_route.c
++++ b/nhrpd/nhrp_route.c
+@@ -493,12 +493,13 @@ int nhrp_gre_update(ZAPI_CALLBACK_ARGS)
+ 	STREAM_GETL(s, gre_info.okey);
+ 	STREAM_GETL(s, gre_info.ifindex_link);
+ 	STREAM_GETL(s, gre_info.vrfid_link);
+-	STREAM_GETL(s, gre_info.vtep_ip.s_addr);
+-	STREAM_GETL(s, gre_info.vtep_ip_remote.s_addr);
+ 	if (gre_info.ifindex == IFINDEX_INTERNAL)
+ 		val = NULL;
+-	else
++	else {
+ 		val = hash_lookup(nhrp_gre_list, &gre_info);
++		STREAM_GETL(s, gre_info.vtep_ip.s_addr);
++		STREAM_GETL(s, gre_info.vtep_ip_remote.s_addr);
++	}
+ 	if (val) {
+ 		if (gre_info.vtep_ip.s_addr != val->vtep_ip.s_addr ||
+ 		    gre_info.vrfid_link != val->vrfid_link ||
+diff --git a/zebra/zapi_msg.c b/zebra/zapi_msg.c
+index 68bb9783f8..72d06d71ea 100644
+--- a/zebra/zapi_msg.c
++++ b/zebra/zapi_msg.c
+@@ -3618,8 +3618,6 @@ static inline void zebra_gre_get(ZAPI_HANDLER_ARGS)
+ 		stream_putl(s, 0);
+ 		stream_putl(s, IFINDEX_INTERNAL);
+ 		stream_putl(s, VRF_UNKNOWN);
+-		stream_putl(s, 0);
+-		stream_putl(s, 0);
+ 	}
+ 	/* Write packet size. */
+ 	stream_putw_at(s, 0, stream_get_endp(s));
+-- 
+2.41.0
+

0011-nhrp-Peer-should-not-be-connected-if-interface-is-ac.patch

@@ -0,0 +1,92 @@
+From f9876d6106263632287fcef2912ba4223b145672 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Mon, 20 Sep 2021 23:51:06 +0200
+Subject: [PATCH 11/11] nhrp: Peer should not be connected if interface is
+ active
+
+---
+ nhrpd/nhrp_interface.c |  1 +
+ nhrpd/nhrp_nhs.c       | 21 +++++++++++++++++++--
+ nhrpd/nhrp_peer.c      |  2 ++
+ nhrpd/nhrpd.h          |  1 +
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
+index 4ac30a7d75..6a8b6e6997 100644
+--- a/nhrpd/nhrp_interface.c
++++ b/nhrpd/nhrp_interface.c
+@@ -461,6 +461,7 @@ int nhrp_ifp_up(struct interface *ifp)
+ {
+ 	debugf(NHRP_DEBUG_IF, "if-up: %s", ifp->name);
+ 	nhrp_interface_update_nbma(ifp, NULL);
++	nhrp_nhs_interface_add(ifp);
+ 
+ 	return 0;
+ }
+diff --git a/nhrpd/nhrp_nhs.c b/nhrpd/nhrp_nhs.c
+index 03b4b533bb..bd05813d28 100644
+--- a/nhrpd/nhrp_nhs.c
++++ b/nhrpd/nhrp_nhs.c
+@@ -351,8 +351,9 @@ int nhrp_nhs_add(struct interface *ifp, afi_t afi, union sockunion *proto_addr,
+ 		.reglist_head = INIT_DLIST(nhs->reglist_head),
+ 	};
+ 	nhrp_nhslist_add_tail(&nifp->afi[afi].nhslist_head, nhs);
+-	thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
+-			      &nhs->t_resolve);
++	if (CHECK_FLAG(ifp->status, ZEBRA_INTERFACE_ACTIVE))
++		thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
++				      &nhs->t_resolve);
+ 
+ 	return NHRP_OK;
+ }
+@@ -394,6 +395,22 @@ int nhrp_nhs_free(struct nhrp_interface *nifp, afi_t afi, struct nhrp_nhs *nhs)
+ 	return 0;
+ }
+ 
++void nhrp_nhs_interface_add(struct interface *ifp)
++{
++	struct nhrp_interface *nifp = ifp->info;
++	struct nhrp_nhs *nhs;
++	afi_t afi;
++
++	for (afi = 0; afi < AFI_MAX; afi++) {
++		debugf(NHRP_DEBUG_COMMON, "Adding nhs entries (%zu)",
++		       nhrp_nhslist_count(&nifp->afi[afi].nhslist_head));
++		frr_each (nhrp_nhslist, &nifp->afi[afi].nhslist_head, nhs) {
++			thread_add_timer_msec(master, nhrp_nhs_resolve, nhs, 1000,
++					      &nhs->t_resolve);
++		}
++	}
++}
++
+ void nhrp_nhs_interface_del(struct interface *ifp)
+ {
+ 	struct nhrp_interface *nifp = ifp->info;
+diff --git a/nhrpd/nhrp_peer.c b/nhrpd/nhrp_peer.c
+index e7f2eaf5a7..9e76d16db3 100644
+--- a/nhrpd/nhrp_peer.c
++++ b/nhrpd/nhrp_peer.c
+@@ -309,6 +309,8 @@ int nhrp_peer_check(struct nhrp_peer *p, int establish)
+ 	struct interface *ifp = p->ifp;
+ 	struct nhrp_interface *nifp = ifp->info;
+ 
++	if (!CHECK_FLAG(ifp->status, ZEBRA_INTERFACE_ACTIVE))
++		return 0;
+ 	if (p->online)
+ 		return 1;
+ 	if (!establish)
+diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
+index 753c6e9b22..4850c12b49 100644
+--- a/nhrpd/nhrpd.h
++++ b/nhrpd/nhrpd.h
+@@ -400,6 +400,7 @@ void nhrp_nhs_foreach(struct interface *ifp, afi_t afi,
+ 		      void (*cb)(struct nhrp_nhs *, struct nhrp_registration *,
+ 				 void *),
+ 		      void *ctx);
++void nhrp_nhs_interface_add(struct interface *ifp);
+ void nhrp_nhs_interface_del(struct interface *ifp);
+ 
+ int nhrp_multicast_add(struct interface *ifp, afi_t afi,
+-- 
+2.41.0
+

frr.fc

@@ -6,25 +6,24 @@
 
 /var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
-/var/lib/frr(/.*)?              gen_context(system_u:object_r:frr_var_lib_t,s0)
 
-/run/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/run/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
+/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
 
-/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
+/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
 
 /usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)

frr.if

@@ -181,8 +181,8 @@ interface(`frr_admin',`
 ##	</summary>
 ## </param>
 #
-ifndef(`sysnet_watch_ifconfig_run_dirs',`
-	interface(`sysnet_watch_ifconfig_run_dirs',`
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
@@ -201,8 +201,8 @@ ifndef(`sysnet_watch_ifconfig_run_dirs',`
 ##	</summary>
 ## </param>
 #
-ifndef(`sysnet_read_ifconfig_run_files',`
-	interface(`sysnet_read_ifconfig_run_files',`
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
@@ -212,3 +212,4 @@ ifndef(`sysnet_read_ifconfig_run_files',`
 		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 	')
 ')
+

frr.spec

@@ -1,4 +1,4 @@
-%global dist .ims.1%{?dist}
+%global dist .ims.2%{?dist}
 
 %global frr_libdir %{_libexecdir}/frr
 
@@ -10,8 +10,8 @@
 %bcond selinux 1
 
 Name:           frr
-Version:        10.2
-Release:        2%{?dist}
+Version:        8.5.4
+Release:        1%{?dist}
 Summary:        Routing daemon
 License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
@@ -28,8 +28,8 @@ Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
-Patch0006:      0006-autorp-segfault.patch
-
+Patch0010:      0010-nhrpd-zebra-Read-GRE-addresses-only-if-sent.patch
+Patch0011:      0011-nhrp-Peer-should-not-be-connected-if-interface-is-ac.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -62,7 +62,6 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
-BuildRequires:  protobuf-c-devel
 
 Requires:       ncurses
 Requires:       net-snmp
@@ -119,7 +118,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/var \
+    --localstatedir=/run/frr \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -135,7 +134,6 @@ autoreconf -ivf
     --disable-ldpd \
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
-    --with-yangmodelsdir=%{_datadir}/frr-yang/ \
     --with-crypto=openssl \
     --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
@@ -267,8 +265,8 @@ rm tests/lib/*grpc*
 %config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
 %config(noreplace) %{_sysconfdir}/pam.d/frr
 %{_unitdir}/*.service
-%dir %{_datadir}/frr-yang
-%{_datadir}/frr-yang/*.yang
+%dir %{_datadir}/yang
+%{_datadir}/yang/*.yang
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf
 
@@ -280,52 +278,11 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
-* Thu Dec 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-2
-- Resolves: rhbz#2329643 - upgrading frr to 10.2 causes pimd crashes
+* Wed Jan 03 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.4-1
+- New version 8.5.4
 
-* Fri Nov 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-1
-- New version 10.2
-
-* Tue Sep 10 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
-- Resolves: #2311119 - Multiple AVCs for accessing lib_t in FRR-10.1
-- Resolves: #2311120 - AVCs for using a netlink socket in FRR
-
-* Sun Aug 25 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 10.1-3
-- Rebuilt for abseil-cpp-20240722.0
-
-* Thu Aug 15 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
-- Rebuilding for the libre soname bump
-
-* Mon Aug 12 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
-- New version 10.1
-
-* Wed Jul 31 2024 Michal Ruprich <mruprich@redhat.com> - 10.0.1-1
-- New version 10.0.1
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Wed Apr 17 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-4
-- Moving yang modules to frr specific dir to avoid conflicts
-- Adding rpminspect.yaml
-
-* Sat Feb 24 2024 Paul Wouters <paul.wouters@aiven.io> - 9.1-3
-- Rebuild for libre2.so.11 bump
-
-* Sun Feb 04 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1-2
-- Rebuilt for abseil-cpp-20240116.0
-
-* Thu Jan 25 2024 Michal Ruprich <mruprich@redhat.com> - 9.1-1
-- New version 9.1
-
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Oct 16 2023 Michal Ruprich <mruprich@redhat.com> - 9.0.1-1
-- New version 9.0.1
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
+- New version 8.5.3
 
 * Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
 - Adding a couple of SELinux rules, includes fix for rhbz#2149299

frr.te

@@ -27,20 +27,12 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
 
-type frr_var_lib_t;
-files_type(frr_var_lib_t)
-
 ########################################
 #
 # frr local policy
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:netlink_generic_socket create;
-allow frr_t self:netlink_generic_socket setopt;
-allow frr_t self:netlink_generic_socket getopt;
-allow frr_t self:netlink_generic_socket getattr;
-allow frr_t self:netlink_generic_socket bind;
 allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
@@ -57,10 +49,6 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
 
-manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
-manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
-files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
-
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@@ -104,16 +92,14 @@ corenet_tcp_bind_qpasa_agent_port(frr_t)
 corenet_tcp_bind_smntubootstrap_port(frr_t)
 corenet_tcp_bind_versa_tek_port(frr_t)
 corenet_tcp_bind_zebra_port(frr_t)
-# general reserved port for pimd
-corenet_tcp_bind_reserved_port(frr_t)
 
 domain_use_interactive_fds(frr_t)
 
 fs_read_nsfs_files(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
-sysnet_read_ifconfig_run_files(frr_t)
-sysnet_watch_ifconfig_run_dirs(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
 
 ipsec_domtrans_mgmt(frr_t)
 

rpminspect.yaml

@@ -1,7 +0,0 @@
----
-runpath:
-    allowed_paths:
-        - /usr/lib64/frr
-        - /usr/lib/frr
-inspections:
-    badfuncs: off

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-10.2.tar.gz) = 40a0e1f1a7f2cc137aac6e838b2f865b93fdc1cd6bd0f6c5b15b4507cbff87cb60092682e45aca68633cb053fb2ce663386edb78e5d3c5f890f4666e871ab8c5
+SHA512 (frr-8.5.4.tar.gz) = f234fe73a019db2188e56988dc5cb3807c83d16c6f8723c68cb8f6154e8e63140f3cf8c3adec64a7661dd988089a8253fc3f910b31a1e6505ea1a6fec3df2e14
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d