From dd2d28ea997ae3acc702d059efece5941f8db6aa Mon Sep 17 00:00:00 2001
From: Ryoga Saito
Date: Thu, 19 Jan 2023 20:51:44 +0900
Subject: [PATCH] bgpd: Skip RD match if ACCEPT_OWN is not enabled

RFC7611 introduces a new extended community, ACCEPT_OWN, which is already
implemented for FRR in the previous PR. However, this PR broke
compatibility for importing VPN routes.

Let's consider the following situation. There are 2 routers and these
routers connect with an iBGP session. These routers have two VRFs, vrf10 and
vrf20, and RD 0:10 and 0:20 are configured as the route distinguishers of vrf10
and vrf20 respectively.

+- R1 --------+    +- R2 --------+
| +---------+ |    | +---------+ |
| |  VRF10  | |    | |  VRF10  | |
| | RD 0:10 +--------+ RD 0:10 | |
| +---------+ |    | +---------+ |
| +---------+ |    | +---------+ |
| |  VRF20  +--------+  VRF20  | |
| | RD 0:20 | |    | | RD 0:20 | |
| +---------+ |    | +---------+ |
+-------------+    +-------------+

In this situation, the VPN routes from R1's VRF10 should be imported to
R2's VRF10 and the VPN routes from R2's VRF10 should be imported to R2's
VRF20. However, the current implementation of ACCEPT_OWN will always
reject routes if the RD of the VPN routes matches the RD of the VRF.

Similar issues will happen in local VRF2VRF route leaks. In such cases,
the route leaked from VRF10 should be imported to VRF20. However, the
current implementation of ACCEPT_OWN will not permit them.

+- R1 ---------------------+
|      +------------+      |
| +----v----+  +----v----+ |
| |  VRF10  |  |  VRF20  | |
| | RD 0:10 |  | RD 0:10 | |
| +---------+  +---------+ |
+--------------------------+

So, this commit adds an additional condition to the RD match. If the route
doesn't have the ACCEPT_OWN extended community, the source VRF check will be
skipped.

[RFC7611]: https://datatracker.ietf.org/doc/html/rfc7611

Signed-off-by: Ryoga Saito
--- bgpd/bgp_mplsvpn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c index 7feaf7d1c2..288115f211 100644 
--- a/bgpd/bgp_mplsvpn.c +++ b/bgpd/bgp_mplsvpn.c @@ -1907,8 +1907,9 @@ static bool vpn_leak_to_vrf_update_onevrf(struct bgp *to_bgp, /* to */ /* A route MUST NOT ever be accepted back into its source VRF, even if * it carries one or more RTs that match that VRF. */ - if (prd && memcmp(&prd->val, &to_bgp->vpn_policy[afi].tovpn_rd.val, - ECOMMUNITY_SIZE) == 0) { + if (CHECK_FLAG(path_vpn->flags, BGP_PATH_ACCEPT_OWN) && prd && + memcmp(&prd->val, &to_bgp->vpn_policy[afi].tovpn_rd.val, + ECOMMUNITY_SIZE) == 0) { if (debug) zlog_debug( "%s: skipping import, match RD (%pRD) of src VRF (%s) and the prefix (%pFX)", -- 2.39.5
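
Review bot: The unchanged comment above the condition still says a route MUST NOT ever be accepted back into its source VRF, but with CHECK_FLAG(path_vpn->flags, BGP_PATH_ACCEPT_OWN) added as the first operand, the RD comparison against to_bgp->vpn_policy[afi].tovpn_rd now runs only for paths carrying that flag. Please update the comment to say the RD check applies only to ACCEPT_OWN paths, and state (here or in the commit message) what keeps a path without the flag from being imported back into the VRF it originated from, since this hunk does not show another guard. The diffstat lists only bgpd/bgp_mplsvpn.c, so a test covering the two topologies in the commit message (same RD on both routers, and a local VRF-to-VRF leak) plus one ACCEPT_OWN path whose RD matches the target VRF would protect both behaviours.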