-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zebra route-leaking for static routes #1618
zebra route-leaking for static routes #1618
Conversation
💚 Basic BGPD CI results: SUCCESS, 0 tests failedResults table
For details, please contact louberger |
Continuous Integration Result: SUCCESSFULCongratulations, this patch passed basic tests Tested-by: NetDEF / OpenSourceRouting.org CI System CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2286/ This is a comment from an EXPERIMENTAL automated CI system. CLANG Static Analyzer Summary
No Changes in Static Analysis warnings compared to base21 Static Analyzer issues remaining.See details at |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the one observation, which I don't think is an issue, these changes look fine to me.
if (vrf_id == VRF_UNKNOWN) { | ||
struct interface *ifp; | ||
|
||
RB_FOREACH(vrf, vrf_id_head, &vrfs_by_id) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Observation -- this will find the first instance of a nexthop across all the vrf's -- if there are multiple instances (say 10.1.1.1 exists in two differen vrfs) it will only find the first. I think this is okay, and I don't know what else you would do here, just wanted to bring it up to make certain this case is considered.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a lookup by ifindex not an ip address, and ifindex's are unique in the system so I think we are good
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, yes -- this makes sense. This is good then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ifindexes won't be unique when we add support for using netns's as VRFs :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that sucks :(
Overall looks good to me. A few comments:
2 - You can change the 3 - I think that the |
|
9596a59
to
e481a68
Compare
Continuous Integration Result: SUCCESSFULCongratulations, this patch passed basic tests Tested-by: NetDEF / OpenSourceRouting.org CI System CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2293/ This is a comment from an EXPERIMENTAL automated CI system. CLANG Static Analyzer Summary
No Changes in Static Analysis warnings compared to base21 Static Analyzer issues remaining.See details at |
💚 Basic BGPD CI results: SUCCESS, 0 tests failedResults table
For details, please contact louberger |
Continuous Integration Result: SUCCESSFULCongratulations, this patch passed basic tests Tested-by: NetDEF / OpenSourceRouting.org CI System CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2295/ This is a comment from an EXPERIMENTAL automated CI system. CLANG Static Analyzer Summary
No Changes in Static Analysis warnings compared to base21 Static Analyzer issues remaining.See details at |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
I left the vrf keyword in for backwards compatibility
Fair enough. Just one concern: isn't frr-reload.py
going to have issues if we allow the same command to be configured in two different ways? Maybe @dwalton76 can give us a hand here.
frr-reload is going to have issues and it's on my list of things to fix already. I'll publish my work swag in the morning. |
The zapi_ipv4_route, zapi_ipv6_route and zapi_ipv4_route_ipv6_nexthop functions are deprecated. Add notice of when we can remove the deprecated code from the system. Signed-off-by: Donald Sharp <[email protected]>
Modify if_lookup_by_index to accept a VRF_UNKNOWN as a vrf_id. This will cause it to look in all vrf's for the interface pointer. Subsequently all if_XXXX functions that call this function will also get this behavior. VRF_UNKNOWN *should* not be used for interface creation as that this will break some core assumptions. This work is part of allowing vrf route leaking. Currently it is possible to create a route in the linux kernel that has a nexthop across vrf boundaries. Signed-off-by: Donald Sharp <[email protected]>
With VRF route-leaking we need to know what vrf the nexthops are in compared to this vrf. This code adds the nh_vrf_id to the route entry and sets it up correctly for the non-route-leaking case. The assumption here is that future commits will make the nh_vrf_id *different* than the vrf_id. Signed-off-by: Donald Sharp <[email protected]>
Use the nexthop vrf_id to properly lookup the ifp pointer for display purposes. Signed-off-by: Donald Sharp <[email protected]>
Add to the rib_add function the ability to pass in the nexthops vrf. Additionally when we decode the netlink message from the linux kernel, properly figure out the nexthops vrf_id. Signed-off-by: Donald Sharp <[email protected]>
When we are handling nexthops in zebra, use the appropriate vrf to figure out if the nexthops are active or not. Signed-off-by: Donald Sharp <[email protected]>
If the vrf for the nexthop is different than the vrf the route is in, display the nexthops vrf. Signed-off-by: Donald Sharp <[email protected]>
Modify the code to send and receive to/from zebra the nexthops vrf_id. Signed-off-by: Donald Sharp <[email protected]>
Signed-off-by: Donald Sharp <[email protected]>
Move the NS/VRF initialization code for zebra to an earlier point in startup. In the future we will have code that will want to install_element into a VRF_NODE from zebra_vty.c Signed-off-by: Donald Sharp <[email protected]>
Add a function to handle the route leaking of a static route. Signed-off-by: Donald Sharp <[email protected]>
Signed-off-by: Donald Sharp <[email protected]>
Optimize vrf_config_write a tiny bit to be a bit more efficient. Signed-off-by: Donald Sharp <[email protected]>
Add the ability to accept 'ip route ...' commands from within a vrf context. Signed-off-by: Donald Sharp <[email protected]>
Move the code that generates the 'show run' output for 'ip route' to be controlled by the vrf config generation code. Since it really belongs there. Signed-off-by: Donald Sharp <[email protected]>
In order for routes to be leaked the ifindex must be sent down into the kernel over the netlink protocol. So send it( we always figure it out ) when we add the route. Signed-off-by: Donald Sharp <[email protected]>
Allow this to work: vrf DONNA ip route 4.3.2.1/32 192.168.1.5 nexthop-vrf EVA The static route code was not properly telling the nexthop resolution code what vrf to use. Signed-off-by: Donald Sharp <[email protected]>
Allow the end user to specify static routes that leak across vrf's in the default vrf. Signed-off-by: Donald Sharp <[email protected]>
e481a68
to
6140853
Compare
I've rebased code to fix merge issues from evpn getting in. |
💚 Basic BGPD CI results: SUCCESS, 0 tests failedResults table
For details, please contact louberger |
Continuous Integration Result: SUCCESSFULCongratulations, this patch passed basic tests Tested-by: NetDEF / OpenSourceRouting.org CI System CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-2306/ This is a comment from an EXPERIMENTAL automated CI system. CLANG Static Analyzer Summary
No Changes in Static Analysis warnings compared to base21 Static Analyzer issues remaining.See details at |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So it's unfortunate that VRF_DEFAULT is zero and unknown is 0xffffffff. If we reversed this, then it would be possible to use vrf_id when vrf_id =0=UNKNOWN and it wouldn't be necessary to change all users of zapi. @donaldsharp what do you think it it worth making this change, or does its downsides outweigh the benefit...
I'm nervous about making such a change. Especially in places where we assume the vrf_id =0 == tableid. I also know I have run across places where the code assumes VRF_DEFAULT is 0 and things just work because of this. |
Created #1657 to track the VRF_DEFAULT/VRF_UNKNOWN idea |
nh_vrf_id = ifp->vrf_id; | ||
} | ||
|
||
rib_add(afi, SAFI_UNICAST, vrf_id, nh_vrf_id, proto, | ||
0, flags, &p, NULL, &nh, table, metric, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my understanding is that vrf route leak mechanism is not yet available on netns.
so I think that lookup mechanism should be put in place only for vrf with backend vrf lite.
at least what I will do is : if (!(vrf_id has backend netns) && index)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest that you stop route leaking before we get to this point and just leave this code alone. It should not care about the underlying mechanism
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have some other code in #1633 where I will have to know the kind of backend.
mainly because you can have the same interface name and interface index name for different vrfs.
so when you say "stop route leaking before", I need to ack with you that I will have that case very quickly.
* This is especially useful if we are doing route | ||
* leaking. | ||
*/ | ||
if (nexthop->type != NEXTHOP_TYPE_BLACKHOLE) | ||
addattr32(nlmsg, req_size, RTA_OIF, nexthop->ifindex); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if the vrf has a backend netns, one could imagine to send the NETNSID value, in addition to the ifindex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't see how that could help in this part of the code. For route leaking with the netns backend, we should use the same netlink install functions. But the routes should point to some sort of virtual device (e.g. veth or macvlans) to make the leaking possible. Since netns isolation happens deep down in the network stack (at layer 2), we can't install a route pointing to an interface from a different netns (each netns has its own list of interfaces). What needs to be done is to install a route pointing to a different netns using some sort of internal network (e.g. 169.254.0.0/16), and rely on a second route-lookup in this netns to route the packet to its actual next hop.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @rwestphal ,
I see two questions:
-
the kernel implementation perspective
I don"t know what exactly the kernel needs to do route leaking through netns.
there will be attributes that will be retrieved from the route table, and perhaps a new attribute will be stored in the nexthop information: the NSID.
what is sure is that currently, this feature does not exist. -
the config trick that consists in using veth interfaces for instance.
That remark, I don't plan to do modifications in relationship to 1 ( since none kernel do it).
I also think that with the proposal of using veth, one can do the same route leak mechanism with current vty level..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got your point now. Yes, it would be nice to have direct support for netns route leaking in the Linux kernel. But I'm afraid that this feature might not be implemented due to security concerns.
I also think that with the proposal of using veth, one can do the same route leak mechanism with current vty level..
Indeed. But ideally we should provide some level of abstraction so the operator can create inter-VRF routes in the same way regardless of the VRF backend.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks ready
@pguibert6WIND think this is ready to merge once you're ready... |
it is ok for my side. |
IMO, we should not allow route leaking to occur in a namespaced based VRF by preventing the creation of a VRF route leak at the cli level of the code, instead of having to make the underpinnings aware of this distinction. |
This code allows zebra to read routes from the linux kernel that have nexthops in a different vrf and then properly display them in various 'show .. route' commands and to disseminate the nexthops vrf up to the different routing protocols.
Additionally routing protocols now have the ability to send to zebra routes that are leaked, currently no routing protocol takes advantage of this yet.
nexthops are currently limited to 1 vrf.
static routes can now be created that have nexthops in different vrfs.
This supersedes #1607