authorDavid Lamparter <equinox@opensourcerouting.org>2017-08-06 07:35:50 +0200
committerDavid Lamparter <equinox@opensourcerouting.org>2017-08-08 11:14:05 +0200
commit689f5a8c84b95dbd31ecab481f8f2977965fe741 (patch)
tree7c2a2b69908b3c3ac60e0de41b5a3f85caec2ef5 /doc
parentMerge pull request #924 from qlyoung/deprecate-ospf-lsa-min-arrival (diff)
*: remove --enable-tcp-zebra, rework ZAPI path
This adds "@tcp" as a new choice on the -z option present in zebra and the protocol daemons. The --enable-tcp-zebra option on configure is no longer needed; both UNIX and TCP socket support are always available.
Note that @tcp should not be used by default (e.g. in an init script), and --enable-tcp-zebra should never have been in any distro package builds, because
**** TCP-ZEBRA IS A SECURITY PROBLEM ****
It allows arbitrary local users to mess with the routing table and inject bogus data -- and also ZAPI is not designed to be robust against attacks.
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/Building_FRR_on_CentOS6.md1
-rw-r--r--doc/Building_FRR_on_CentOS7.md1
-rw-r--r--doc/Building_FRR_on_Debian8.md1
-rw-r--r--doc/Building_FRR_on_Fedora24.md1
-rw-r--r--doc/Building_FRR_on_FreeBSD10.md1
-rw-r--r--doc/Building_FRR_on_FreeBSD11.md1
-rw-r--r--doc/Building_FRR_on_FreeBSD9.md1
-rw-r--r--doc/Building_FRR_on_NetBSD6.md1
-rw-r--r--doc/Building_FRR_on_NetBSD7.md1
-rw-r--r--doc/Building_FRR_on_OmniOS.md1
-rw-r--r--doc/Building_FRR_on_OpenBSD6.md1
-rw-r--r--doc/Building_FRR_on_Ubuntu1204.md1
-rw-r--r--doc/Building_FRR_on_Ubuntu1404.md1
-rw-r--r--doc/Building_FRR_on_Ubuntu1604.md1
-rw-r--r--doc/pimd.8.in4
-rw-r--r--doc/zebra.8.in16
16 files changed, 19 insertions, 15 deletions
diff --git a/doc/Building_FRR_on_CentOS6.md b/doc/Building_FRR_on_CentOS6.md
index b25845c38..10830e501 100644
--- a/doc/Building_FRR_on_CentOS6.md
+++ b/doc/Building_FRR_on_CentOS6.md
@@ -109,7 +109,6 @@ an example.)
--enable-rtadv \
--disable-exampledir \
--enable-watchfrr \
- --enable-tcp-zebra \
--disable-ldpd \
--enable-fpm \
--enable-nhrpd \
diff --git a/doc/Building_FRR_on_CentOS7.md b/doc/Building_FRR_on_CentOS7.md
index 932459167..787b80fbf 100644
--- a/doc/Building_FRR_on_CentOS7.md
+++ b/doc/Building_FRR_on_CentOS7.md
@@ -61,7 +61,6 @@ an example.)
--enable-rtadv \
--disable-exampledir \
--enable-watchfrr \
- --enable-tcp-zebra \
--disable-ldpd \
--enable-fpm \
--enable-nhrpd \
diff --git a/doc/Building_FRR_on_Debian8.md b/doc/Building_FRR_on_Debian8.md
index 1a961f752..a2dbbdb30 100644
--- a/doc/Building_FRR_on_Debian8.md
+++ b/doc/Building_FRR_on_Debian8.md
@@ -60,7 +60,6 @@ an example.)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--enable-ldpd \
--with-pkg-git-version \
diff --git a/doc/Building_FRR_on_Fedora24.md b/doc/Building_FRR_on_Fedora24.md
index c161b9b12..0070fd153 100644
--- a/doc/Building_FRR_on_Fedora24.md
+++ b/doc/Building_FRR_on_Fedora24.md
@@ -54,7 +54,6 @@ an example.)
--enable-rtadv \
--disable-exampledir \
--enable-watchfrr \
- --enable-tcp-zebra \
--enable-ldpd \
--enable-fpm \
--enable-nhrpd \
diff --git a/doc/Building_FRR_on_FreeBSD10.md b/doc/Building_FRR_on_FreeBSD10.md
index 36ef573bb..ccae83a66 100644
--- a/doc/Building_FRR_on_FreeBSD10.md
+++ b/doc/Building_FRR_on_FreeBSD10.md
@@ -61,7 +61,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_FreeBSD11.md b/doc/Building_FRR_on_FreeBSD11.md
index d6affd688..71ccd149f 100644
--- a/doc/Building_FRR_on_FreeBSD11.md
+++ b/doc/Building_FRR_on_FreeBSD11.md
@@ -61,7 +61,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_FreeBSD9.md b/doc/Building_FRR_on_FreeBSD9.md
index 41d3148ad..8a09d8a4c 100644
--- a/doc/Building_FRR_on_FreeBSD9.md
+++ b/doc/Building_FRR_on_FreeBSD9.md
@@ -69,7 +69,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_NetBSD6.md b/doc/Building_FRR_on_NetBSD6.md
index 2e453da66..4fe7109bc 100644
--- a/doc/Building_FRR_on_NetBSD6.md
+++ b/doc/Building_FRR_on_NetBSD6.md
@@ -65,7 +65,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_NetBSD7.md b/doc/Building_FRR_on_NetBSD7.md
index f5f99d9ba..7fe9ad20c 100644
--- a/doc/Building_FRR_on_NetBSD7.md
+++ b/doc/Building_FRR_on_NetBSD7.md
@@ -59,7 +59,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_OmniOS.md b/doc/Building_FRR_on_OmniOS.md
index 7e75bda9e..6e4575f07 100644
--- a/doc/Building_FRR_on_OmniOS.md
+++ b/doc/Building_FRR_on_OmniOS.md
@@ -104,7 +104,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_OpenBSD6.md b/doc/Building_FRR_on_OpenBSD6.md
index e9e103051..c1bfa5005 100644
--- a/doc/Building_FRR_on_OpenBSD6.md
+++ b/doc/Building_FRR_on_OpenBSD6.md
@@ -54,7 +54,6 @@ an example)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_Ubuntu1204.md b/doc/Building_FRR_on_Ubuntu1204.md
index e8567867c..58aa167d5 100644
--- a/doc/Building_FRR_on_Ubuntu1204.md
+++ b/doc/Building_FRR_on_Ubuntu1204.md
@@ -93,7 +93,6 @@ an example.)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--with-pkg-git-version \
--with-pkg-extra-version=-MyOwnFRRVersion
diff --git a/doc/Building_FRR_on_Ubuntu1404.md b/doc/Building_FRR_on_Ubuntu1404.md
index a0f3a121f..8e6b38cc2 100644
--- a/doc/Building_FRR_on_Ubuntu1404.md
+++ b/doc/Building_FRR_on_Ubuntu1404.md
@@ -53,7 +53,6 @@ an example.)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--enable-ldpd \
--with-pkg-git-version \
diff --git a/doc/Building_FRR_on_Ubuntu1604.md b/doc/Building_FRR_on_Ubuntu1604.md
index 9144d4610..a178f9a16 100644
--- a/doc/Building_FRR_on_Ubuntu1604.md
+++ b/doc/Building_FRR_on_Ubuntu1604.md
@@ -54,7 +54,6 @@ an example.)
--enable-configfile-mask=0640 \
--enable-logfile-mask=0640 \
--enable-rtadv \
- --enable-tcp-zebra \
--enable-fpm \
--enable-systemd=yes \
--with-pkg-git-version \
diff --git a/doc/pimd.8.in b/doc/pimd.8.in
index 3fb060e56..6db3418f8 100644
--- a/doc/pimd.8.in
+++ b/doc/pimd.8.in
@@ -60,7 +60,9 @@ restart pimd. The default is \fB\fI@CFG_STATE@/pimd.pid\fR.
.TP
\fB\-z\fR, \fB\-\-socket \fR\fIpath\fR
Specify the socket path for contacting the zebra daemon.
-The default is \fB\fI@CFG_STATE@/zserv.api\fR.
+The default is \fB\fI@CFG_STATE@/zserv.api\fR. The value of this option
+must be the same as the one given when starting zebra. Refer to the \fBzebra
+(8)\fR man page for more information.
.TP
\fB\-P\fR, \fB\-\-vty_port \fR\fIport-number\fR
Specify the port that the pimd VTY will listen on. This defaults to
diff --git a/doc/zebra.8.in b/doc/zebra.8.in
index f5b8bd4d8..333e66fcf 100644
--- a/doc/zebra.8.in
+++ b/doc/zebra.8.in
@@ -26,6 +26,9 @@ zebra \- a routing manager for use with associated @PACKAGE_FULLNAME@ components
] [
.B \-M
.I module:options
+] [
+.B \-z
+.I socketpath
]
.SH DESCRIPTION
.B zebra
@@ -97,6 +100,19 @@ respectively. The \fBfpm\fR module takes an additional colon-separated
argument specifying the encapsulation, either \fBnetlink\fR or \fBprotobuf\fR.
It should thus be loaded with \fB-M fpm:netlink\fR or \fB-M fpm:protobuf\fR.
.TP
+\fB\-z\fR, \fB\-\-socket \fR\fIsocketpath\fR
+Use the specified path to open the zebra API socket on.
+The default is \fB\fI@CFG_STATE@/zserv.api\fR. This option must be given with
+the same value to all FRR protocol daemons.
+
+For debugging purposes (using tcpdump or wireshark to trace cross-daemon
+communication), a TCP socket can be used by specifying \fI@tcp[46][:port]\fR.
+It is intentionally not possible to bind this to anything other than localhost
+since zebra and the other daemons need to be running on the same host. Using
+this feature \fBCREATES A SECURITY ISSUE\fR since nothing prevents other users
+on the local system from connecting to zebra and injecting bogus routing
+information.
+.TP
\fB\-v\fR, \fB\-\-version\fR
Print the version and exit.
.SH FILES
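Review bot: The new `-z` paragraph in zebra.8.in warns that `@tcp` "CREATES A SECURITY ISSUE", but it leaves out two points the commit message makes: that `@tcp` should not be used by default (e.g. in an init script or a distro package), and that ZAPI is not designed to be robust against attacks. An administrator reading only the man page sees "for debugging purposes" and may not realise the option is unsuitable for any persistent configuration. I would add a closing sentence after "injecting bogus routing information.", for example `Do not use @tcp in init scripts or packaged defaults; the ZAPI protocol is not designed to be robust against hostile input.` The text also does not say which port is used when `:port` is omitted from `@tcp[46][:port]`, which makes it harder to audit a host for an exposed listener. The pimd.8.in hunk refers readers to zebra(8), so the extra wording is only needed in this one place.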