From 6de0cd9bdfbdac6a38ac2206d4257d951422aff6 Mon Sep 17 00:00:00 2001
From: Louis Scalbert
Date: Thu, 28 Apr 2022 18:32:20 +0200
Subject: [PATCH] bgpd: fix VRF leaking with 'network import-check' (1/4)

If 'bgp network import-check' is defined on the source BGP session, prefixes that are defined with the network command cannot be leaked to the other VRFs BGP table even if they are present in the origin VRF RIB.

Always validate the nexthop of BGP static routes (i.e. defined with the network statement) if 'network import-check' is defined on the source BGP session and the prefix is present in source RIB.

Signed-off-by: Louis Scalbert
---
 bgpd/bgp_mplsvpn.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
index 5aa752d6e7..2353910ead 100644
--- a/bgpd/bgp_mplsvpn.c
+++ b/bgpd/bgp_mplsvpn.c
@@ -1034,13 +1034,19 @@ static bool leak_update_nexthop_valid(struct bgp *to_bgp, struct bgp_dest *bn,
 else if (bpi_ultimate->type == ZEBRA_ROUTE_BGP &&
 bpi_ultimate->sub_type == BGP_ROUTE_STATIC && table &&
 (table->safi == SAFI_UNICAST ||
- table->safi == SAFI_LABELED_UNICAST) &&
- !CHECK_FLAG(bgp_nexthop->flags, BGP_FLAG_IMPORT_CHECK)) {
- /* if the route is defined with the "network " command
- * and "no bgp network import-check" is set,
- * then mark the nexthop as valid.
- */
- nh_valid = true;
+ table->safi == SAFI_LABELED_UNICAST)) {
+ /* the route is defined with the "network " command */
+
+ if (CHECK_FLAG(bgp_nexthop->flags, BGP_FLAG_IMPORT_CHECK))
+ nh_valid = bgp_find_or_add_nexthop(to_bgp, bgp_nexthop,
+ afi, SAFI_UNICAST,
+ bpi_ultimate, NULL,
+ 0, p);
+ else
+ /* if "no bgp network import-check" is set,
+ * then mark the nexthop as valid.
+ */
+ nh_valid = true;
 } else
 /*
 * TBD do we need to do anything about the
-- 
2.39.5
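Review bot: The new `else` arm at the end of the hunk puts a four-line block comment between `else` and its lone statement `nh_valid = true;` with no braces, which is brittle (a later edit that slips a statement in before the comment silently changes what the `else` owns) and is not how FRR's kernel-derived style writes a multi-line branch; wrap both arms, `if (CHECK_FLAG(bgp_nexthop->flags, BGP_FLAG_IMPORT_CHECK)) {` … `} else {` … `}`, and keep the comment inside the braces. Route validity in the destination VRF now hinges entirely on what `bgp_find_or_add_nexthop()` does for a `BGP_ROUTE_STATIC` route with import-check set — the commit message says "present in source RIB", which, if I read the helper right, means it registers an import check on the prefix itself in `bgp_nexthop` rather than resolving the nexthop address; the new one-line comment `/* the route is defined with the "network " command */` should say so, e.g. `/* "bgp network import-check" is set: let NHT decide, which for a static route tracks the prefix itself in the source VRF RIB rather than its nexthop */`, so a reader does not expect a nexthop lookup. The boolean is taken as-is at leak time, so the leaked copy stays valid or invalid until NHT re-evaluates it; I assume the remaining patches of this 1/4 series cover that re-evaluation, but it is worth a sentence in the commit message. The enclosing function leak_update_nexthop_valid() begins before and continues after this hunk.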