On Mon, Dec 19, 2022 at 12:41:26PM +0100, Toni Mueller wrote:
>
> Hi,
>
> I am trying to upgrade an OpenBSD based BGP router from an old version
> to 7.2. But on OpenBSD 7.2, the config file results in several errors,
> despite the man page not indicating anything "obvious".
>
> E.g. I get syntax errors on
>
>   softreconfig in yes
>   softreconfig out yes
>   announce self
>   announce all
>   announce default-route

You update from a very old version of OpenBGPD.
softreconfig is gone. softreconfig is now on by default and can't be turned
off. Just remove all these lines.

announce was replaced with export with the introduction of a default deny
rule. So announce none became export none and announce default-route is now
export default-route. announce self no longer exists and must be written by
an explicit pass rule. See the example bgpd.conf file for a suggestion.

> I also get errors on
>
>   tcp md5sig password somesecrethere
>
> if the secret contains special characters.

Always use "" around non-basic strings.
tcp md5sig password "some secret" should work.

> I have tried to comment the softreconfig lines, but can't do away with
> the 'announce' statements.
>
> Is there some overview about what changed over the course of time, and
> possibly, some better error messages to help diagnose the errors?

Have a look at the current example bgpd.conf file. It shows how a config
and especially example filters should be written.

Some of these changes were covered in
https://www.openbsd.org/faq/upgrade65.html

Here are the commit messages:

date: 2018/06/13 09:33:51;  author: claudio;  commitid: oGYqi7HT1AMsWI15;
Deprecate announce (all|self|none|default-route)

The announce keyword was overloaded and confused a lot of operators, time
to clean it up and while there incorporate RFC8212 guideline for propagation.

- `announce all` is the new default but the default deny filter will make
  sure that by default nothing is leaked
- `announce self` is no more and results in syntax error
- `announce none` is now `export none`
- `announce default-route` becomes `export default-route`
- the filters are switched to a default deny rule both incoming and outgoing

You most certainly need to adjust your config! Best is to change the config
in advance by using `announce all` explicitly on all neighbors and adding
`deny from any` and `deny to any` at the start of your filters and adjust
the rest of the filters to still produce the same result.
`bgpd -nv -f bgpd.conf` and `bgpctl show rib out nei foo` are good tools to
verify the changes.

Lots of discussions with job@, deraadt@, sthen@
OK job@

date: 2017/08/11 16:02:53;  author: claudio;  commitid: TArqhzl9aciTsGlE;
softreconfig in and out are on by default for ever and machines now have
enough memory that it does not make sense to provide these knobs anymore.
They just make the code more complex for not much gain.
OK phessler@, benno@

-- 
:wq Claudio
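
The rewrites described in the reply above, applied mechanically to an old-style config. This is an added example, not part of the original mail or of OpenBGPD; the function name `migrate`, the `# FIXME` marker and the sample config are assumptions made for illustration.

```python
import re
# Rules from the reply above: (pattern, replacement or None to drop the line, note).
RULES = [
    (r"softreconfig\s+(in|out)\s+(yes|no)", None, "softreconfig is always on; line dropped"),
    (r"announce\s+all", None, "now the default; the default-deny filters decide"),
    (r"announce\s+none", "export none", "renamed to export none"),
    (r"announce\s+default-route", "export default-route", "renamed to export default-route"),
]
TRAIL = r"\s*(#.*)?$"  # tolerate a trailing comment on the simple rules
MD5 = re.compile(r'(tcp\s+md5sig\s+password)\s+(?!")(\S.*)')

def migrate(text):
    """Return (new_config, findings); findings are (line_number, note) tuples."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        indent = line[:len(line) - len(line.lstrip())]
        new = line
        for pat, repl, note in RULES:
            if re.fullmatch(pat + TRAIL, body):
                new = None if repl is None else indent + repl
                findings.append((no, note))
                break
        else:
            m = MD5.fullmatch(body)
            if re.fullmatch(r"announce\s+self" + TRAIL, body):
                # No one-line equivalent: an explicit filter rule must be written by hand.
                new = indent + "# FIXME " + body
                findings.append((no, "announce self is gone; write an explicit filter rule"))
            elif m and '"' not in m.group(2):
                # Assumes the rest of the line is the secret (no trailing comment).
                new = f'{indent}{m.group(1)} "{m.group(2)}"'
                findings.append((no, "md5sig password quoted"))
        if new is not None:
            out.append(new)
    return "\n".join(out) + "\n", findings

# Constructed excerpt in the old syntax; addresses, AS number and secret are made up.
OLD = """\
neighbor 192.0.2.1 {
    remote-as 64497
    softreconfig in yes
    announce self
    tcp md5sig password s3cr#t!pw
}
neighbor 192.0.2.2 {
    announce default-route
}
"""
```

Call `migrate(OLD)` to get the rewritten text and the list of findings. Lines marked `# FIXME` still need a hand-written filter rule, and the result should be checked with `bgpd -nv -f bgpd.conf` as the commit message suggests.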