feat(net/frr): run register_sas on restart and reload

[olanystrom]

invoke register_sas during FRR restart and reload to keep SAS state in sync with FRR changes

Important notices
Before you submit a pull request, we ask you kindly to acknowledge the following:

• I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• I opened an issue first for non-trivial changes and linked it below.
• AI tools were used to create at least part of the code submitted herewith.

If AI was used, please disclose:

• Model used: xAI/Grok 4.20
• Extent of AI involvement: I asked for validation of the method used.

---

Related issue
If this pull request relates to an issue, link it here:
#3372

---

Describe the problem
A clear and concise description of the problem this pull request addresses.
BGP md5-password are not synced to userspace with setkey.
A utility to sync this exists as '/usr/local/opnsense/scripts/frr/register_sas' but that is only ran once in setup.sh

---

Describe the proposed solution

Adding '/usr/local/opnsense/scripts/frr/register_sas' to reload and restart commands in actions_quagga.conf

---

[fichtner]

setup.sh also loads on restart and reload. Is the ordering wrong?

[olanystrom]

It never seems to run on my server.

I added logging to the script, but setup.sh doesn't appear to run at all — I see no output or logs on either reload or restart.

[fichtner]

I’ll check next week. This seems suspicious.

Cheers,
Franco

[AdSchellevis]

@fichtner it is, looks like a regression. My best guess is 9486488

@olanystrom can you try 9486488 and see if that makes a difference on your end?

[fichtner]

Yep, looks reasonable.

[olanystrom]

@AdSchellevis I Disabled and Enabled FRR with that change in.
Now setup.sh is run on start and restarts at least.
It is not run on reloads. So if I change the md5-password on a neighbour I have to restart bgpd to make it work.
Still. Much better now.

[AdSchellevis]

It is not run on reloads.

If I'm not mistaken the setup hook only triggers on [re]start, which might explain the behavior. Assuming reloading does work for these changes, we might need to add the script only in the reload command. I'll leave this open for further discussion.

[Monviech]

If a neighbor is changed, check if vtysh show running-config even has the new password in it (if it is contained in there, I didnt check)

From my experience changes that destroy configration aspects are not processed by frr-reload in order to not destroy established sessions.

I assume a full restart is necessary anyway.

[fichtner]

setup.sh should run on start, restart and reload... if running register_sas fixes this so should a running setup.sh in any case.

[olanystrom]

What triggers a reload in that case?
Changing a neigbour in BGP?
Adding a neigbour in BGP?
Removing a neigbour in BGP?