V4.6.0 - Security Fixes, New Features, Improvements and Bug Fixes
IXP Manager v4.6.0 has been crafted from almost 300 new commits since v4.5.0 and, as well as new features, improvements, security fixes and bug fixes, it represents a complete rewrite of the interface management code (as well as a porting of same from Zend Framework to Laravel).
We would like to particularly thank the generosity and support of our sponsors - the Internet Society, Netflix, SwissIX, NIX - and new sponsor GR-IX. We would also like to thank INEX for investing and allocating time from the operations team towards managing, supporting and developing the project. We continue to look for and welcome new sponsors! See details here.
To upgrade:
- please follow the official upgrade documentation without skipping any steps. Particularly, we have added a new step which is essential called bower prune.
- complete some manual database changes covered at the end of this release notification.
I have copied the commands that we ran at INEX to upgrade our own installation at the end of this release notice.
If it's available for your operating system, we also strongly advise that you install the php-ds package.
Inactive code: this release contains code that is not currently available via the UI relating to a new feature which we are working on called core interfaces and some new APIs around automation. This will be officially released and explained in a future version.
Security Fixes
The release fixes a number of security issues:
- CSRF attacks were possible on a number of UI actions such as GET requests used for deleting objects. These have been replaced with POST requests and implement a per-request CSRF validation token.
- a number of XSS issues have also been fixed. We have additionally double-checked all code where non-super admin users can enter data to ensure that data is filtered on input to prevent XSS attacks.
The developers would like to express their sincere gratitude to the team that found these security issues and responsibly disclosed them to us. They have asked to remain anonymous but they know who they are and we thank them!
New Features / Large Improvements
- Interface management controllers (all covered via this documentation) have been ported from Zend Framework to Laravel with numerous improvements and bug fixes. This also includes on-screen help messages / documentation.
- TACACS / User formatting. IXP Manager can generate formatted lists of user information. The best example of this is for TACACS. See the documentation here. This is a complete reimplementation of a similar feature in v3.
- Add support for Bird's Eye's new large BGP community support into IXP Manager's looking glass.
- NAGIOS config generation to monitor:
  - peering LAN switches;
  - member reachability (ping v4/v6);
  - member route collector sessions;
  - member route server sessions.
  This is a complete rewrite of a similar (but more opinionated and less flexible) version from v3. See the documentation here.
- (Significant) speed improvement for updating IRRDB prefixes by using php-ds - see issue #284.
- Admin view of member graphs now includes sflow / VLAN / protocol view as well as original MRTG / interface view.
- Addition of live status functionality for all routers that support the looking glass.
Bug Fixes / Small Improvements
- MAC addresses are now included on the IX-F Member Export. See IXP Manager's documentation here.
- The Chosen dropdown JS library has been replaced with the more modern Select2 across all Laravel-based pages.
- When allocating an IP address to a VLAN interface, IXP Manager now checks via AJAX that the IP address is really free by checking across all VLANs. This is useful when, say, you add a quarantine and production VLAN interface at the same time.
- Ability to duplicate a VLAN interface (IP addresses, settings) to a second VLAN.
- Add unique index on vlan/address for IPv4 and v6 addresses.
- Fix billing details notification to use new config files (reported via the mailing list).
- MRTG fixed so that it now correctly displays graphs from the RRD backend. Rendering of RRD based graphs for MRTG and sflow also improved (53f8fe6 | a0e678b | b1b33e7), also closes #332.
- Fix admin view of all member interfaces which was broken since the move to Grapher (c6820b0).
- Add string length validator to abbreviated name - fixes #313
- Clear a number of cached database results when the underlying data changes (8c5950d | 4aa9198)
- Remove layer2 address when removing VLAN interfaces (5111644 | 15082c0)
- Fix issue displaying routes in the looking glass (4b81cbd)
Database Fixes
As well as running the database migration code, you will also need to run the following:
- IXP Manager was not strict on how it treated 0 (int) versus '' (empty string) versus null in some cases and as such, some columns need to be cleaned.
If you are happy that you have no bonded interfaces with channel group 0, run the following:
UPDATE `virtualinterface` SET `channelgroup` = NULL where `channelgroup` = 0 OR `channelgroup` = "";
Similarly, you may have virtual interfaces with an MTU setting of 0 - fix this with:
UPDATE `virtualinterface` SET `mtu` = NULL where `mtu` = 0 OR `mtu` = "";
We have added a unique constraint on IP addresses per VLAN. If you have accidentally managed to add the same IP address to the same VLAN more than once, you'll need to clean this up before the schema update applies. These queries can help find such addresses:
SELECT * FROM ipv4address WHERE address IN
( SELECT address FROM `ipv4address` GROUP BY vlanid,address HAVING count(address) > 1 ORDER BY address )
ORDER BY address;
SELECT * FROM ipv6address WHERE address IN
( SELECT address FROM `ipv6address` GROUP BY vlanid,address HAVING count(address) > 1 ORDER BY address )
ORDER BY address;
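The queries above filter the outer SELECT on address alone, so they also list rows where the same address sits in a different VLAN, which the new constraint allows. The following is an added example, not part of the original release notes, that matches on the (vlanid, address) pair so only rows that would block the unique index are returned. The scratch table demo_ipv4address, its id column and the sample rows are assumptions constructed for illustration.

```sql
-- Constructed sample data in a scratch table. On a real installation,
-- run the two SELECTs against ipv4address and ipv6address instead.
CREATE TABLE demo_ipv4address (
    id      INT PRIMARY KEY,        -- assumed surrogate key column
    vlanid  INT NOT NULL,
    address VARCHAR(16) NOT NULL
);

INSERT INTO demo_ipv4address (id, vlanid, address) VALUES
    (1, 10, '192.0.2.10'),  -- duplicate within VLAN 10
    (2, 10, '192.0.2.10'),  -- duplicate within VLAN 10
    (3, 20, '192.0.2.10'),  -- same address, different VLAN: allowed
    (4, 10, '192.0.2.11');  -- unique

-- Summary: one line per offending (vlanid, address) pair, with the
-- number of copies and the ids of the rows involved.
SELECT vlanid,
       address,
       COUNT(*)                     AS copies,
       GROUP_CONCAT(id ORDER BY id) AS row_ids
FROM demo_ipv4address
GROUP BY vlanid, address
HAVING COUNT(*) > 1;

-- Detail: the full rows for those pairs only. Joining on both columns
-- keeps row 3 (VLAN 20) out of the result, unlike a match on address alone.
SELECT a.*
FROM demo_ipv4address AS a
JOIN (
    SELECT vlanid, address
    FROM demo_ipv4address
    GROUP BY vlanid, address
    HAVING COUNT(*) > 1
) AS dup
  ON dup.vlanid = a.vlanid
 AND dup.address = a.address
ORDER BY a.vlanid, a.address, a.id;

-- Remove the scratch table when done.
DROP TABLE demo_ipv4address;
```

Both SELECTs should return no rows for each of the two address tables before the schema update is applied with --force.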
INEX's Upgrade Commands
What follows is a copy of our own upgrade session at INEX (and yes, we followed the documentation!):
# Move to your IXP Manager installation
cd /srv/ixpmanager
# Disable IXP Manager (disables the frontend, API and commands)
./artisan down
# Optional but recommended: back up your database:
mysqldump -u ixpuser -ppassword ixpdbname | bzip2 >ixp-20171003.sql.bz2
# Update the source:
git fetch
git checkout v4.6.0
# Update PHP dependencies
composer install
# Update UI dependencies
bower prune
bower install
# Restart memcached and clear Laravel's own cache:
systemctl restart memcached.service
./artisan cache:clear
# See what SQL schema changes are required and then do them:
./artisan doctrine:schema:update --sql
./artisan doctrine:schema:update --force
# We need to run three manual SQL commands:
# 1. update SQL views
% mysql -u ixpuser -ppassword ixpdbname < tools/sql/views.sql
# 2. update channel groups
% mysql -u ixpuser -ppassword ixpdbname
mysql> UPDATE `virtualinterface` SET `channelgroup` = NULL where `channelgroup` = 0 OR `channelgroup` = "";
Query OK, 122 rows affected (0.01 sec)
Rows matched: 122 Changed: 122 Warnings: 0
mysql> UPDATE `virtualinterface` SET `mtu` = NULL where `mtu` = 0 OR `mtu` = "";
Query OK, 132 rows affected (0.00 sec)
Rows matched: 132 Changed: 132 Warnings: 0
# Now exit MySQL and restart memcached:
systemctl restart memcached.service
# Ensure file permissions are correct:
MY_WWW_USER=www-data
chown -R $MY_WWW_USER: bootstrap/cache var storage
chmod -R u+rwX bootstrap/cache var storage
# Re-enable the application
./artisan up