authorAlexandre Derumier <aderumier@odiso.com>2023-04-20 23:36:20 +0200
committerThomas Lamprecht <t.lamprecht@proxmox.com>2023-06-06 10:23:57 +0200
commit91b2f632c035ea4296717d9aa7ce1417d5fee8de (patch)
treec15888d78cc0df48b95af5146f39947244858e59 /src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
parentf56311de970d2217d9c4f520f103f81e0cff28b2 (diff)
fix #4389: evpn: exit nodes: null routes subnets from other zones
We don't want to route subnets between different zones when the same exit node is used. Signed-off-by: Alexandre Derumier <aderumier@odiso.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Diffstat (limited to 'src/PVE/Network/SDN/Controllers/EvpnPlugin.pm')
-rw-r--r--src/PVE/Network/SDN/Controllers/EvpnPlugin.pm15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 1944178..b1eb845 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -144,10 +144,23 @@ sub generate_controller_zone_config {
return if !$vrf || !$vrfvxlan || !$asn;
my ($ifaceip, $interface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers, $loopback);
+ my $is_gateway = $exitnodes->{$local_node};
# vrf
my @controller_config = ();
push @controller_config, "vni $vrfvxlan";
+ #avoid to routes between nodes through the exit nodes
+ #null routes subnets of other zones
+ if ($is_gateway) {
+ my $subnets = PVE::Network::SDN::Vnets::get_subnets();
+ foreach my $subnetid (sort keys %{$subnets}) {
+ my $subnet = $subnets->{$subnetid};
+ my $cidr = $subnet->{cidr};
+ my $zone = $subnet->{zone};
+ push @controller_config, "ip route $cidr null0" if $zone ne $id;
+ }
+ }
+
push(@{$config->{frr}->{vrf}->{"$vrf"}}, @controller_config);
#main vrf router
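Review bot: The added null route `push @controller_config, "ip route $cidr null0" if $zone ne $id;` uses the IPv4 `ip route` form for every subnet, so if `get_subnets()` can return IPv6 subnets the line written into the vrf block is likely rejected by FRR and those prefixes would stay routable between zones through the exit node. Choosing the command from the address family would cover both, e.g. `my $cmd = $cidr =~ /:/ ? "ipv6 route" : "ip route";` followed by `push @controller_config, "$cmd $cidr null0" if $zone ne $id;`. Because this loop is the isolation boundary between zones, it would also be worth skipping incomplete entries with `next if !defined($cidr) || !defined($zone);`, which otherwise yield a malformed route line and an uninitialized-value warning. generate_controller_zone_config starts and ends outside the hunk, so that `$id` is the current zone id is assumed from the commit message.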
@@ -161,8 +174,6 @@ sub generate_controller_zone_config {
push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, "route-target export $autortas:$vrfvxlan");
}
- my $is_gateway = $exitnodes->{$local_node};
-
if ($is_gateway) {
if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {