Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

zebra route-leaking for static routes #1618

Merged
merged 18 commits into from
Jan 23, 2018

Conversation

donaldsharp
Copy link
Member

This code allows zebra to read routes from the linux kernel that have nexthops in a different vrf and then properly display them in various 'show .. route' commands and to disseminate the nexthops vrf up to the different routing protocols.

Additionally routing protocols now have the ability to send to zebra routes that are leaked, currently no routing protocol takes advantage of this yet.

nexthops are currently limited to 1 vrf.

static routes can now be created that have nexthops in different vrfs.

This supersedes #1607

@LabN-CI
Copy link
Collaborator

LabN-CI commented Jan 10, 2018

💚 Basic BGPD CI results: SUCCESS, 0 tests failed

Results table
_ _
Result SUCCESS git merge/1618 f1a027a
Date 01/10/2018
Start 11:50:10
Finish 12:13:01
Run-Time 22:51
Total 1805
Pass 1805
Fail 0
Valgrind-Errors 0
Valgrind-Loss 0
Details vncregress-2018-01-10-11:50:10.txt
Log autoscript-2018-01-10-11:50:47.log.bz2

For details, please contact louberger

@NetDEF-CI
Copy link
Collaborator

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2286/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.


CLANG Static Analyzer Summary

  • Github Pull Request 1618, comparing to Git base SHA d215f9a

No Changes in Static Analysis warnings compared to base

21 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2286/artifact/shared/static_analysis/index.html

@rwestphal rwestphal self-requested a review January 10, 2018 20:17
Copy link
Member

@riw777 riw777 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the one observation, which I don't think is an issue, these changes look fine to me.

if (vrf_id == VRF_UNKNOWN) {
struct interface *ifp;

RB_FOREACH(vrf, vrf_id_head, &vrfs_by_id) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Observation -- this will find the first instance of a nexthop across all the vrf's -- if there are multiple instances (say 10.1.1.1 exists in two differen vrfs) it will only find the first. I think this is okay, and I don't know what else you would do here, just wanted to bring it up to make certain this case is considered.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a lookup by ifindex not an ip address, and ifindex's are unique in the system so I think we are good

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, yes -- this makes sense. This is good then.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ifindexes won't be unique when we add support for using netns's as VRFs :/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that sucks :(

@rwestphal
Copy link
Member

Overall looks good to me.

A few comments:
1- Route leaking doesn't seem to work when we don't specify the nexthop interface. Example:

debian# sh run
[snip]
vrf-red
 ip route 100.0.0.0/8 1.1.1.1 nexthop-vrf vrf-blue
!

debian# show ip route vrf vrf-red
[snip]
VRF vrf-red:
S   101.0.0.0/8 [1/0] via 1.1.1.1(vrf vrf-blue) inactive, 00:32:12

debian# show ip route vrf vrf-blue
VRF vrf-blue:
C>* 1.1.1.1/32 is directly connected, rt1-eth1, 00:34:46

2 - You can change the vrf_var_handlers variable in lib/vrf.c to allow the CLI auto-complete to work for nexthop-vrf.

3 - I think that the vrf option in the "ip route" commands is now redundant and can be removed, since static routes can be configured under the VRF node (much better!). If we do this, we can reuse the same DEFPYs in both the CONFIG_NODE and VRF_NODE, which would remove a considerable amount of code duplication. BTW, any reason for not providing the nexthop-vrf option for static routes in the global VRF?

@donaldsharp
Copy link
Member Author

  1. I'm working on this now. Hopefully today.

  2. I was aware of that. Was going to do that once I got further into the project.

  3. I left the vrf keyword in for backwards compatibility, I didn't see a way to not break someone. I will add the ability for nexthop-vrf under global in a few minutes here.

@donaldsharp donaldsharp force-pushed the zebra_startup_ordering branch from 9596a59 to e481a68 Compare January 11, 2018 17:24
@NetDEF-CI
Copy link
Collaborator

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2293/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.


CLANG Static Analyzer Summary

  • Github Pull Request 1618, comparing to Git base SHA d215f9a

No Changes in Static Analysis warnings compared to base

21 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2293/artifact/shared/static_analysis/index.html

@donaldsharp
Copy link
Member Author

I've fixed #1 and #3. I'm going to do #2 later as that it wasn't obvious what I was missing. I'd like to get back to working on the bgp side of this.

@LabN-CI
Copy link
Collaborator

LabN-CI commented Jan 11, 2018

💚 Basic BGPD CI results: SUCCESS, 0 tests failed

Results table
_ _
Result SUCCESS git merge/1618 e481a68
Date 01/11/2018
Start 12:48:06
Finish 13:10:55
Run-Time 22:49
Total 1808
Pass 1808
Fail 0
Valgrind-Errors 0
Valgrind-Loss 0
Details vncregress-2018-01-11-12:48:06.txt
Log autoscript-2018-01-11-12:48:41.log.bz2

For details, please contact louberger

@NetDEF-CI
Copy link
Collaborator

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2295/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.


CLANG Static Analyzer Summary

  • Github Pull Request 1618, comparing to Git base SHA c124004

No Changes in Static Analysis warnings compared to base

21 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2295/artifact/shared/static_analysis/index.html

Copy link
Member

@rwestphal rwestphal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

I left the vrf keyword in for backwards compatibility

Fair enough. Just one concern: isn't frr-reload.py going to have issues if we allow the same command to be configured in two different ways? Maybe @dwalton76 can give us a hand here.

@donaldsharp
Copy link
Member Author

frr-reload is going to have issues and it's on my list of things to fix already. I'll publish my work swag in the morning.

The zapi_ipv4_route, zapi_ipv6_route and zapi_ipv4_route_ipv6_nexthop
functions are deprecated.  Add notice of when we can remove the
deprecated code from the system.

Signed-off-by: Donald Sharp <[email protected]>
Modify if_lookup_by_index to accept a VRF_UNKNOWN
as a vrf_id.  This will cause it to look in all
vrf's for the interface pointer.

Subsequently all if_XXXX functions that call this function
will also get this behavior.

VRF_UNKNOWN *should* not be used for interface creation
as that this will break some core assumptions.

This work is part of allowing vrf route leaking.  Currently
it is possible to create a route in the linux kernel that has
a nexthop across vrf boundaries.

Signed-off-by: Donald Sharp <[email protected]>
With VRF route-leaking we need to know what vrf
the nexthops are in compared to this vrf.  This
code adds the nh_vrf_id to the route entry and
sets it up correctly for the non-route-leaking
case.

The assumption here is that future commits
will make the nh_vrf_id *different* than
the vrf_id.

Signed-off-by: Donald Sharp <[email protected]>
Use the nexthop vrf_id to properly lookup the ifp pointer
for display purposes.

Signed-off-by: Donald Sharp <[email protected]>
Add to the rib_add function the ability to pass in the nexthops
vrf.

Additionally when we decode the netlink message from the linux
kernel, properly figure out the nexthops vrf_id.

Signed-off-by: Donald Sharp <[email protected]>
When we are handling nexthops in zebra, use the appropriate
vrf to figure out if the nexthops are active or not.

Signed-off-by: Donald Sharp <[email protected]>
If the vrf for the nexthop is different than the vrf the
route is in, display the nexthops vrf.

Signed-off-by: Donald Sharp <[email protected]>
Modify the code to send and receive to/from zebra
the nexthops vrf_id.

Signed-off-by: Donald Sharp <[email protected]>
Move the NS/VRF initialization code for zebra to an earlier
point in startup.  In the future we will have code that
will want to install_element into a VRF_NODE from zebra_vty.c

Signed-off-by: Donald Sharp <[email protected]>
Add a function to handle the route leaking of a static
route.

Signed-off-by: Donald Sharp <[email protected]>
Optimize vrf_config_write a tiny bit to be a bit more efficient.

Signed-off-by: Donald Sharp <[email protected]>
Add the ability to accept 'ip route ...' commands
from within a vrf context.

Signed-off-by: Donald Sharp <[email protected]>
Move the code that generates the 'show run' output for
'ip route' to be controlled by the vrf config generation
code.  Since it really belongs there.

Signed-off-by: Donald Sharp <[email protected]>
In order for routes to be leaked the ifindex must be sent
down into the kernel over the netlink protocol.  So
send it( we always figure it out ) when we add the
route.

Signed-off-by: Donald Sharp <[email protected]>
Allow this to work:

vrf DONNA
  ip route 4.3.2.1/32 192.168.1.5 nexthop-vrf EVA

The static route code was not properly telling the
nexthop resolution code what vrf to use.

Signed-off-by: Donald Sharp <[email protected]>
Allow the end user to specify static routes that leak
across vrf's in the default vrf.

Signed-off-by: Donald Sharp <[email protected]>
@donaldsharp donaldsharp force-pushed the zebra_startup_ordering branch from e481a68 to 6140853 Compare January 12, 2018 14:27
@donaldsharp
Copy link
Member Author

I've rebased code to fix merge issues from evpn getting in.

@LabN-CI
Copy link
Collaborator

LabN-CI commented Jan 12, 2018

💚 Basic BGPD CI results: SUCCESS, 0 tests failed

Results table
_ _
Result SUCCESS git merge/1618 6140853
Date 01/12/2018
Start 09:40:09
Finish 10:02:55
Run-Time 22:46
Total 1808
Pass 1808
Fail 0
Valgrind-Errors 0
Valgrind-Loss 0
Details vncregress-2018-01-12-09:40:09.txt
Log autoscript-2018-01-12-09:40:45.log.bz2

For details, please contact louberger

@NetDEF-CI
Copy link
Collaborator

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2306/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.


CLANG Static Analyzer Summary

  • Github Pull Request 1618, comparing to Git base SHA b782607

No Changes in Static Analysis warnings compared to base

21 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2306/artifact/shared/static_analysis/index.html

Copy link
Member

@louberger louberger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So it's unfortunate that VRF_DEFAULT is zero and unknown is 0xffffffff. If we reversed this, then it would be possible to use vrf_id when vrf_id =0=UNKNOWN and it wouldn't be necessary to change all users of zapi. @donaldsharp what do you think it it worth making this change, or does its downsides outweigh the benefit...

@donaldsharp
Copy link
Member Author

I'm nervous about making such a change. Especially in places where we assume the vrf_id =0 == tableid. I also know I have run across places where the code assumes VRF_DEFAULT is 0 and things just work because of this.

@donaldsharp
Copy link
Member Author

Created #1657 to track the VRF_DEFAULT/VRF_UNKNOWN idea

nh_vrf_id = ifp->vrf_id;
}

rib_add(afi, SAFI_UNICAST, vrf_id, nh_vrf_id, proto,
0, flags, &p, NULL, &nh, table, metric,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my understanding is that vrf route leak mechanism is not yet available on netns.
so I think that lookup mechanism should be put in place only for vrf with backend vrf lite.

at least what I will do is : if (!(vrf_id has backend netns) && index)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest that you stop route leaking before we get to this point and just leave this code alone. It should not care about the underlying mechanism

Copy link
Member

@pguibert6WIND pguibert6WIND Jan 22, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have some other code in #1633 where I will have to know the kind of backend.
mainly because you can have the same interface name and interface index name for different vrfs.
so when you say "stop route leaking before", I need to ack with you that I will have that case very quickly.

* This is especially useful if we are doing route
* leaking.
*/
if (nexthop->type != NEXTHOP_TYPE_BLACKHOLE)
addattr32(nlmsg, req_size, RTA_OIF, nexthop->ifindex);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the vrf has a backend netns, one could imagine to send the NETNSID value, in addition to the ifindex.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't see how that could help in this part of the code. For route leaking with the netns backend, we should use the same netlink install functions. But the routes should point to some sort of virtual device (e.g. veth or macvlans) to make the leaking possible. Since netns isolation happens deep down in the network stack (at layer 2), we can't install a route pointing to an interface from a different netns (each netns has its own list of interfaces). What needs to be done is to install a route pointing to a different netns using some sort of internal network (e.g. 169.254.0.0/16), and rely on a second route-lookup in this netns to route the packet to its actual next hop.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @rwestphal ,
I see two questions:

  • the kernel implementation perspective
    I don"t know what exactly the kernel needs to do route leaking through netns.
    there will be attributes that will be retrieved from the route table, and perhaps a new attribute will be stored in the nexthop information: the NSID.
    what is sure is that currently, this feature does not exist.

  • the config trick that consists in using veth interfaces for instance.

That remark, I don't plan to do modifications in relationship to 1 ( since none kernel do it).
I also think that with the proposal of using veth, one can do the same route leak mechanism with current vty level..

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got your point now. Yes, it would be nice to have direct support for netns route leaking in the Linux kernel. But I'm afraid that this feature might not be implemented due to security concerns.

I also think that with the proposal of using veth, one can do the same route leak mechanism with current vty level..

Indeed. But ideally we should provide some level of abstraction so the operator can create inter-VRF routes in the same way regardless of the VRF backend.

Copy link
Member

@louberger louberger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks ready

@louberger
Copy link
Member

@pguibert6WIND think this is ready to merge once you're ready...

@pguibert6WIND
Copy link
Member

it is ok for my side.
I wait for a last comment from Donald about the discussion we had zebra/rt_netlink.c .
things are clarified from my side.

@donaldsharp
Copy link
Member Author

IMO, we should not allow route leaking to occur in a namespaced based VRF by preventing the creation of a VRF route leak at the cli level of the code, instead of having to make the underpinnings aware of this distinction.

@pguibert6WIND pguibert6WIND merged commit d6fed38 into FRRouting:master Jan 23, 2018
@donaldsharp donaldsharp deleted the zebra_startup_ordering branch March 24, 2018 23:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants