From f9f2e280ea4fa1af19d8ce9e54abeb495694c0d5 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)"
Date: Tue, 30 Aug 2016 12:43:46 +0200
Subject: [PATCH] KRT: Forbid path merging on BSD
We support ECMP routes only on Linux. Exported routes are checked in krt_capable(), but a route generated during path merging avoids this check.
---
 sysdep/linux/krt-sys.h | 2 ++
 sysdep/unix/krt.Y | 18 +++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/sysdep/linux/krt-sys.h b/sysdep/linux/krt-sys.h
index 7fd5f1396..076870f5c 100644
--- a/sysdep/linux/krt-sys.h
+++ b/sysdep/linux/krt-sys.h
@@ -32,6 +32,8 @@ static inline struct ifa * kif_get_primary_ip(struct iface *i) { return NULL; }
 /* Kernel routes */
+#define KRT_ALLOW_MERGE_PATHS 1
+
 #define EA_KRT_PREFSRC EA_CODE(EAP_KRT, 0x10)
 #define EA_KRT_REALM EA_CODE(EAP_KRT, 0x11)
diff --git a/sysdep/unix/krt.Y b/sysdep/unix/krt.Y
index e036081d4..2ef6e3c4c 100644
--- a/sysdep/unix/krt.Y
+++ b/sysdep/unix/krt.Y
@@ -19,6 +19,8 @@ CF_DECLS
 CF_KEYWORDS(KERNEL, PERSIST, SCAN, TIME, LEARN, DEVICE, ROUTES, GRACEFUL, RESTART, KRT_SOURCE, KRT_METRIC, MERGE, PATHS)
+%type kern_mp_limit
+
 CF_GRAMMAR
 /* Kernel syncer protocol */
@@ -32,6 +34,11 @@ CF_ADDTO(kern_proto, kern_proto_start proto_name '{')
 CF_ADDTO(kern_proto, kern_proto proto_item ';')
 CF_ADDTO(kern_proto, kern_proto kern_item ';')
+kern_mp_limit:
+ /* empty */ { $$ = KRT_DEFAULT_ECMP_LIMIT; }
+ | LIMIT expr { $$ = $2; if (($2 <= 0) || ($2 > 255)) cf_error("Merge paths limit must be in range 1-255"); }
+ ;
+
 kern_item:
 PERSIST bool { THIS_KRT->persist = $2; }
 | SCAN TIME expr {
@@ -42,13 +49,18 @@ kern_item:
 THIS_KRT->learn = $2;
 #ifndef KRT_ALLOW_LEARN
 if ($2)
- cf_error("Learning of kernel routes not supported in this configuration");
+ cf_error("Learning of kernel routes not supported on this platform");
 #endif
 }
 | DEVICE ROUTES bool { THIS_KRT->devroutes = $3; }
 | GRACEFUL RESTART bool { THIS_KRT->graceful_restart = $3; }
- | MERGE PATHS bool { THIS_KRT->merge_paths = $3 ? KRT_DEFAULT_ECMP_LIMIT : 0; }
- | MERGE PATHS bool LIMIT expr { THIS_KRT->merge_paths = $3 ? $5 : 0; if (($5 <= 0) || ($5 > 255)) cf_error("Merge paths limit must be in range 1-255"); }
+ | MERGE PATHS bool kern_mp_limit {
+ THIS_KRT->merge_paths = $3 ? $4 : 0;
+#ifndef KRT_ALLOW_LEARN
+ if ($3)
+ cf_error("Path merging not supported on this platform");
+#endif
+ }
 ;
 /* Kernel interface protocol */
-- 
2.39.2
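Review bot: The platform guard added inside the `MERGE PATHS bool kern_mp_limit` action tests `KRT_ALLOW_LEARN`, not the `KRT_ALLOW_MERGE_PATHS` macro that this same commit defines in sysdep/linux/krt-sys.h, and no visible hunk references the new macro. As written, `merge paths on` is rejected only where route learning is unsupported. A non-Linux build that defines `KRT_ALLOW_LEARN` would presumably still accept the option and reach the path-merging code that, per the commit message, bypasses the krt_capable() check. The guard should read `#ifndef KRT_ALLOW_MERGE_PATHS`. The `kern_item` rule begins outside this hunk.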