When Export Policy is configured, withdrawn NLRI can only ever contain routes allowed by Export Policy #330

Closed
taspelund opened this issue Aug 13, 2024 · 0 comments · Fixed by #385

Comments

@taspelund
Contributor

   1886         if let ImportExportPolicy::Allow(ref policy) =
   1887             lock!(self.session).allow_export
   1888         {
   1889             let message_policy = policy
   1890                 .iter()
   1891                 .filter_map(|x| match x {
   1892                     rdb::Prefix::V4(x) => Some(x),
   1893                     _ => None,
   1894                 })
   1895                 .map(|x| crate::messages::Prefix::from(*x))
   1896                 .collect::<BTreeSet<crate::messages::Prefix>>();
   1897
   1898             update.nlri.retain(|x| message_policy.contains(x));
   1899             update.withdrawn.retain(|x| message_policy.contains(x));
   1900         };

bgp/src/session.rs

Line 1899 is only retaining routes in the withdrawn nlri list that pass the export policy.
This means that reconfiguring the export policy will not result in previously-allowed routes getting withdrawn.

taspelund added a commit that referenced this issue Oct 4, 2024
Import/Export filters are meant to modify which advertised prefixes
are allowed. For Import, this is simply an allow-list that accepts a
subset of the advertised nlri in a received update. For Export, this
is an allow-list that accepts a subset of the locally originated nlri.
In neither case do you want to apply these filters to the list of
withdrawn nlri, as this can result in stale routes if a legitimate
withdrawal is not sent or received.

Fixes: #330

Signed-off-by: Trey Aspelund <trey@oxidecomputer.com>
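
A minimal model of the behaviour reported in the issue and of the fix described in the commit message, added here as an example; it is not code from the project. `Update`, `apply`, the two filter functions and the prefixes are simplified stand-ins constructed for illustration.

```rust
use std::collections::BTreeSet;

// Simplified stand-ins (assumptions, not the project's types).
type Prefix = &'static str;

struct Update {
    nlri: Vec<Prefix>,
    withdrawn: Vec<Prefix>,
}

// Behaviour reported in the issue: the allow-list filters both lists.
fn filter_both(mut u: Update, allow: &BTreeSet<Prefix>) -> Update {
    u.nlri.retain(|p| allow.contains(p));
    u.withdrawn.retain(|p| allow.contains(p));
    u
}

// Behaviour described in the commit message: only announcements are filtered.
fn filter_nlri_only(mut u: Update, allow: &BTreeSet<Prefix>) -> Update {
    u.nlri.retain(|p| allow.contains(p));
    u
}

// Peer side: apply a received UPDATE to the routes the peer holds.
fn apply(rib: &mut BTreeSet<Prefix>, u: &Update) {
    for p in &u.withdrawn { rib.remove(p); }
    for p in &u.nlri { rib.insert(*p); }
}

// Announce two prefixes, narrow the export policy, then withdraw the prefix
// that is no longer allowed. Returns what the peer still holds (constructed data).
fn peer_rib_after_policy_change(
    filter: fn(Update, &BTreeSet<Prefix>) -> Update,
) -> Vec<Prefix> {
    let old_policy = BTreeSet::from(["10.0.0.0/24", "10.0.1.0/24"]);
    let new_policy = BTreeSet::from(["10.0.0.0/24"]);
    let mut peer = BTreeSet::new();
    let announce = Update { nlri: vec!["10.0.0.0/24", "10.0.1.0/24"], withdrawn: vec![] };
    apply(&mut peer, &filter(announce, &old_policy));
    let withdraw = Update { nlri: vec![], withdrawn: vec!["10.0.1.0/24"] };
    apply(&mut peer, &filter(withdraw, &new_policy));
    peer.into_iter().collect()
}

fn main() {
    println!("filter both:      {:?}", peer_rib_after_policy_change(filter_both));
    println!("filter nlri only: {:?}", peer_rib_after_policy_change(filter_nlri_only));
}
```

With both lists filtered, the peer keeps the stale `10.0.1.0/24` route because the withdrawal is dropped by the new policy before it is sent.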
taspelund added a commit that referenced this issue Oct 20, 2024