bgpd: Skip RD match if ACCEPT_OWN is not enabled

RFC7611 introduces new extended community ACCEPT_OWN and is already
implemented for FRR in the previous PR. However, this PR broke
compatibility about importing VPN routes.

Let's consider the following situation. There are 2 routers and these
routers connects with iBGP session. These routers have two VRF, vrf10
and vrf20, and RD 0:10, 0:20 is configured as the route distinguisher
of vrf10 and vrf20 respectively.

    +- R1 --------+    +- R2 --------+
    | +---------+ |    | +---------+ |
    | |  VRF10  | |    | |  VRF10  | |
    | | RD 0:10 +--------+ RD 0:10 | |
    | +---------+ |    | +---------+ |
    | +---------+ |    | +---------+ |
    | |  VRF20  +--------+  VRF20  | |
    | | RD 0:20 | |    | | RD 0:20 | |
    | +---------+ |    | +---------+ |
    +-------------+    +-------------+

In this situation, the VPN routes from R1's VRF10 should be imported to
R2's VRF10 and the VPN routes from R2's VRF10 should be imported to R2's
VRF20. However, the current implementation of ACCEPT_OWN will always
reject routes if the RD of VPN routes are matched with the RD of VRF.

Similar issues will happen in local VRF2VRF route leaks. In such cases,
the route reaked from VRF10 should be imported to VRF20. However, the
current implementation of ACCEPT_OWN will not permit them.

    +- R1 ---------------------+
    |      +------------+      |
    | +----v----+  +----v----+ |
    | |  VRF10  |  |  VRF20  | |
    | | RD 0:10 |  | RD 0:10 | |
    | +---------+  +---------+ |
    +--------------------------+

So, this commit add additional condition in RD match. If the route
doesn't have ACCEPT_OWN extended community, source VRF check will be
skipped.

[RFC7611]: https://datatracker.ietf.org/doc/html/rfc7611

Signed-off-by: Ryoga Saito <ryoga.saito@linecorp.com>

diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
index 7feaf7d1c2d551a175c8b394457c04f9cd244b57..288115f21198a597f697f844abfe4bd887081098 100644 (file)
--- a/bgpd/bgp_mplsvpn.c
+++ b/bgpd/bgp_mplsvpn.c
@@ -1907,8 +1907,9 @@ static bool vpn_leak_to_vrf_update_onevrf(struct bgp *to_bgp,   /* to */
        /* A route MUST NOT ever be accepted back into its source VRF, even if
         * it carries one or more RTs that match that VRF.
         */
-       if (prd && memcmp(&prd->val, &to_bgp->vpn_policy[afi].tovpn_rd.val,
-                         ECOMMUNITY_SIZE) == 0) {
+       if (CHECK_FLAG(path_vpn->flags, BGP_PATH_ACCEPT_OWN) && prd &&
+           memcmp(&prd->val, &to_bgp->vpn_policy[afi].tovpn_rd.val,
+                  ECOMMUNITY_SIZE) == 0) {
                if (debug)
                        zlog_debug(
                                "%s: skipping import, match RD (%pRD) of src VRF (%s) and the prefix (%pFX)",