From: Alexandre Derumier <aderumier@odiso.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-network 1/1] controllers: evpn: fix multiple exit-nodes with route-map filtering
Date: Wed, 20 Apr 2022 16:19:30 +0200	[thread overview]
Message-ID: <20220420141930.1626073-2-aderumier@odiso.com> (raw)
In-Reply-To: <20220420141930.1626073-1-aderumier@odiso.com>

Currently, when multiple exit-nodes are defined, each exit node advertises its
own default (type-5) route to the other exit nodes, so traffic loops between
the exit nodes instead of going out.

This adds a new inbound route-map that filters received type-5 routes on exit nodes.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/Network/SDN/Controllers/BgpPlugin.pm      |  5 ++--
 PVE/Network/SDN/Controllers/EvpnPlugin.pm     | 23 +++++++++++++++----
 .../expected_controller_config                |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ebgp/expected_controller_config      |  3 +++
 .../ebgp_loopback/expected_controller_config  |  3 +++
 .../evpn/exitnode/expected_controller_config  |  6 +++++
 .../expected_controller_config                |  6 +++++
 .../expected_controller_config                |  3 +++
 .../exitnode_snat/expected_controller_config  |  6 +++++
 .../evpn/ipv4/expected_controller_config      |  3 +++
 .../evpn/ipv4ipv6/expected_controller_config  |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ipv6/expected_controller_config      |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/rt_import/expected_controller_config |  3 +++
 16 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm b/PVE/Network/SDN/Controllers/BgpPlugin.pm
index 73ed171..6e69f67 100644
--- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
+++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
@@ -121,10 +121,11 @@ sub generate_controller_config {
 	push(@{$config->{frr}->{''}}, "ip prefix-list loopbacks_ips seq 10 permit 0.0.0.0/0 le 32");
 	push(@{$config->{frr}->{''}}, "ip protocol bgp route-map correct_src");
 
-	my $routemap_config = [];
+	my $routemap_config = ();
 	push @{$routemap_config}, "match ip address prefix-list loopbacks_ips";
 	push @{$routemap_config}, "set src $ifaceip";
-	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap_config);
+	my $routemap = { rule => $routemap_config, action => "permit" };
+	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap);
     }
 
     return $config;
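Review bot: The replaced initialiser `my $routemap_config = ();` assigns an empty list in scalar context, i.e. undef, and the following `push @{$routemap_config}` only works because push autovivifies the array reference; the original `[]` stated the intent directly. Keep the new hashref wrapping but write `my $routemap_config = [];` so a future read of `@$routemap_config` before the push cannot die under `use strict` on an undefined reference. generate_controller_config starts before this hunk.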
diff --git a/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 0c49893..22480d4 100644
--- a/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -99,13 +99,16 @@ sub generate_controller_config {
 
     # address-family l2vpn
     @controller_config = ();
+    push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in";
     push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out";
     push @controller_config, "neighbor VTEP activate";
     push @controller_config, "advertise-all-vni";
     push @controller_config, "autort as $autortas" if $autortas;
     push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
 
-    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, []);
+    my $routemap = { rule => undef, action => "permit" };
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap );
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap );
 
     return $config;
 }
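Review bot: The single `$routemap` hashref is pushed into both MAP_VTEP_IN and MAP_VTEP_OUT, so the two route-map lists alias one entry and any later in-place edit of one (for example setting `rule`) would silently change the other; the zone code only unshifts new entries today, so nothing breaks yet, but that is fragile. The `rule => undef` value also leaves the consumer to cope with an undefined rule list rather than an empty one. Build two independent entries with an empty array, e.g. `push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, { rule => [], action => "permit" });` and the same for MAP_VTEP_OUT. generate_controller_config starts before this hunk.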
@@ -160,14 +163,22 @@ sub generate_controller_zone_config {
 
     if ($is_gateway) {
 
-        if($exitnodes_primary && $exitnodes_primary ne $local_node) {
+	if(!$exitnodes_primary || $exitnodes_primary eq $local_node) {
+	    #filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
+	    my $routemap_config = ();
+	    push @{$routemap_config}, "match evpn route-type prefix";
+	    my $routemap = { rule => $routemap_config, action => "deny" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
+	} elsif ($exitnodes_primary ne $local_node) {
 	    my $routemap_config = ();
 	    push @{$routemap_config}, "match evpn vni $vrfvxlan";
 	    push @{$routemap_config}, "match evpn route-type prefix";
 	    push @{$routemap_config}, "set metric 200";
-	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap_config);
+	    my $routemap = { rule => $routemap_config, action => "permit" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
         }
 
+
 	if (!$exitnodes_local_routing) {
 	    @controller_config = ();
 	    #import /32 routes of evpn network from vrf1 to default vrf (for packet return)
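Review bot: The new inbound deny rule in the `if` branch matches every EVPN type-5 route, with no `match evpn vni $vrfvxlan` such as the outbound rule in the `elsif` branch has, so on a node that is an exit node for one zone but an ordinary VTEP for another zone, the other zone's type-5 routes (including the default route from that zone's own exit nodes) would be dropped as well, while the comment says only the default route from other exit nodes is meant. Scoping the deny to the zone's L3VNI with `push @{$routemap_config}, "match evpn vni $vrfvxlan";` before the route-type match would keep it consistent with the outbound rule, provided FRR honours the VNI match on the inbound side as it does outbound, which is worth verifying. Separately, `elsif ($exitnodes_primary ne $local_node)` is always true once the `if` condition fails and can be a plain `else`. generate_controller_zone_config continues outside this hunk.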
@@ -355,10 +366,12 @@ sub generate_frr_routemap {
 	my $order = 0;
 	foreach my $seq (@$routemap) {
 		$order++;
+		next if !defined($seq->{action});
 		my @config = ();
 		push @config, "!";
-		push @config, "route-map $id permit $order";
-		push @config, map { " $_" } @$seq;
+		push @config, "route-map $id $seq->{action} $order";
+		my $rule = $seq->{rule};
+		push @config, map { " $_" } @$rule;
 		push @{$final_config}, @config;
 	}
    }
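Review bot: `push @config, map { " $_" } @$rule;` dereferences `$seq->{rule}`, which the controller code now sets to undef for the catch-all permit entries; this appears to work only because the list argument of `map` autovivifies an undefined reference instead of dying under `use strict`, and a later refactor (e.g. `scalar @$rule` or a plain `for` over it) could turn it into a runtime error. Make the default explicit with `my $rule = $seq->{rule} // [];`. Also `$order++` runs before the `next if !defined($seq->{action});` skip, so a skipped entry leaves a gap in the FRR sequence numbers — harmless for FRR, but incrementing after the check is cleaner. generate_frr_routemap starts before this hunk.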
diff --git a/test/zones/evpn/advertise_subnets/expected_controller_config b/test/zones/evpn/advertise_subnets/expected_controller_config
index c9545bc..742bbf4 100644
--- a/test/zones/evpn/advertise_subnets/expected_controller_config
+++ b/test/zones/evpn/advertise_subnets/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -41,6 +42,8 @@ router bgp 65000 vrf vrf_myzone
   advertise ipv6 unicast
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
+++ b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp/expected_controller_config b/test/zones/evpn/ebgp/expected_controller_config
index 5c9a7c6..d1956df 100644
--- a/test/zones/evpn/ebgp/expected_controller_config
+++ b/test/zones/evpn/ebgp/expected_controller_config
@@ -31,6 +31,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -45,6 +46,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp_loopback/expected_controller_config b/test/zones/evpn/ebgp_loopback/expected_controller_config
index 5ec19a8..905433b 100644
--- a/test/zones/evpn/ebgp_loopback/expected_controller_config
+++ b/test/zones/evpn/ebgp_loopback/expected_controller_config
@@ -36,6 +36,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -50,6 +51,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 route-map correct_src permit 1
diff --git a/test/zones/evpn/exitnode/expected_controller_config b/test/zones/evpn/exitnode/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode/expected_controller_config
+++ b/test/zones/evpn/exitnode/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_local_routing/expected_controller_config b/test/zones/evpn/exitnode_local_routing/expected_controller_config
index 812043e..6ceaca7 100644
--- a/test/zones/evpn/exitnode_local_routing/expected_controller_config
+++ b/test/zones/evpn/exitnode_local_routing/expected_controller_config
@@ -21,6 +21,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_primary/expected_controller_config b/test/zones/evpn/exitnode_primary/expected_controller_config
index 5f23bdc..dfa158d 100644
--- a/test/zones/evpn/exitnode_primary/expected_controller_config
+++ b/test/zones/evpn/exitnode_primary/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,8 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
  match evpn vni 1000
  match evpn route-type prefix
diff --git a/test/zones/evpn/exitnode_snat/expected_controller_config b/test/zones/evpn/exitnode_snat/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode_snat/expected_controller_config
+++ b/test/zones/evpn/exitnode_snat/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4/expected_controller_config b/test/zones/evpn/ipv4/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4/expected_controller_config
+++ b/test/zones/evpn/ipv4/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6/expected_controller_config b/test/zones/evpn/ipv4ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv6/expected_controller_config b/test/zones/evpn/ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/multipath_relax/expected_controller_config b/test/zones/evpn/multipath_relax/expected_controller_config
index ec3ce69..4f8d7de 100644
--- a/test/zones/evpn/multipath_relax/expected_controller_config
+++ b/test/zones/evpn/multipath_relax/expected_controller_config
@@ -32,6 +32,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -40,6 +41,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/rt_import/expected_controller_config b/test/zones/evpn/rt_import/expected_controller_config
index bcd2479..60d22e3 100644
--- a/test/zones/evpn/rt_import/expected_controller_config
+++ b/test/zones/evpn/rt_import/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,8 @@ router bgp 65000 vrf vrf_myzone
   route-target import 65003:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
-- 
2.30.2



