* [PATCH docs 0/2] Improve route map documentation
@ 2026-05-13 16:20 Stefan Hanreich
From: Stefan Hanreich @ 2026-05-13 16:20 UTC (permalink / raw)
  To: pve-devel

Removed the misleading note about having to create an explicit deny entry when
calling a route map and also added a small section mentioning that every route
map has an empty deny entry as its last entry.


pve-docs:

Stefan Hanreich (2):
  sdn: route maps: mention implicit deny default explicitly
  sdn: route map: delete note about creating an empty deny entry

 pvesdn.adoc | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)


Summary over all repositories:
  1 files changed, 2 insertions(+), 7 deletions(-)

-- 
Generated by murpp 0.11.0


* [PATCH pve-docs 1/2] sdn: route maps: mention implicit deny default explicitly
@ 2026-05-13 16:20 ` Stefan Hanreich
From: Stefan Hanreich @ 2026-05-13 16:20 UTC (permalink / raw)
  To: pve-devel

While mentioned in the examples, it is good to clarify this in the
route map section as well.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 pvesdn.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index 6bb4993..9a3b6b8 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -841,7 +841,8 @@ A route map is an ordered list of entries that match incoming or outgoing
 routes against criteria, optionally modify attributes such as the metric or
 local preference, and either `permit` (forward the route, possibly modified) or
 `deny` (drop the route). FRR evaluates entries in order; the first match
-controls the action.
+controls the action. Every route map implicitly has an otherwise empty `deny` as
+its last entry, denying all routes that did not match an entry explicitly.
 
 Route maps are managed under `Datacenter -> SDN -> Route Maps`. Each entry has
 the following properties:
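Review bot: In the added sentence, "an otherwise empty `deny`" is hard to parse and the trailing "explicitly" can attach to either "match" or "entry". Consider wording such as "Every route map ends with an implicit `deny` entry that has no match conditions, so any route that matches none of the configured entries is denied."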
-- 
2.47.3


* [PATCH pve-docs 2/2] sdn: route map: delete note about creating an empty deny entry
@ 2026-05-13 16:20 ` Stefan Hanreich
From: Stefan Hanreich @ 2026-05-13 16:20 UTC (permalink / raw)
  To: pve-devel

When another route map is called from an entry, then the route is
denied if the called route map returns deny, even if the calling
entry has permit as its matching policy. See FRR docs [1]:

If the route-map called returns deny then processing of the route-map
finishes and the route is denied, regardless of the Matching Policy or
the Exit Policy. If the called route-map returns permit, then Matching
Policy and Exit Policy govern further behaviour, as normal.

This means that, even though MAP_VTEP_IN has permit as its matching
policy, any route will be denied if the called route map denies it.

[1] https://docs.frrouting.org/en/latest/routemap.html#term-Call-Action

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 pvesdn.adoc | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index 9a3b6b8..3256e96 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -894,12 +894,6 @@ received from a peer before installing them; outgoing maps run against routes
 before announcing them. Both fields are optional and selected from the route
 maps configured in the SDN.
 
-NOTE: For the EVPN controller, the user-provided route maps are invoked via
-`call` from internal wrapper maps (`MAP_VTEP_IN` / `MAP_VTEP_OUT`) whose
-trailing action is `permit`. As a result, a deny-only user route map will not
-block routes that do not match any of its entries; finish such a map with an
-explicit catch-all `deny` entry if you want a closed default.
-
 The OSPF and OpenFabric xref:pvesdn_config_fabrics[fabrics] take a `Route
 Filter` option that references a prefix list. When set, only routes whose
 destinations pass the prefix list are installed in the kernel routing table.
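Review bot: Deleting the NOTE outright removes the only mention in this section of the `MAP_VTEP_IN` / `MAP_VTEP_OUT` wrapper maps and of the `call` mechanism, so the corrected behaviour explained in the commit message never reaches the docs. Consider replacing the note rather than dropping it, stating that for the EVPN controller a deny returned by the called user route map, including its implicit final deny, denies the route even though the wrapper entry is `permit`.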
-- 
2.47.3
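
The call behaviour described in the commit message above, as an added example that is not part of the patch and is neither Proxmox nor FRR code: a simplified Python model of route map evaluation with `call` and the implicit trailing deny. The map name USER_IN, the prefixes, and the single-entry shape of MAP_VTEP_IN are assumptions made for illustration.

```python
import ipaddress

# Simplified model (assumption): entries match on destination prefix only;
# set actions and exit policies (on-match next/goto) are not modelled.
def evaluate(maps, name, route):
    """Return 'permit' or 'deny' for `route` evaluated against route map `name`."""
    dest = ipaddress.ip_network(route)
    for entry in maps[name]:                  # entries are evaluated in order
        match = entry.get("match")            # None means: matches every route
        if match is not None and not dest.subnet_of(ipaddress.ip_network(match)):
            continue
        if entry["action"] == "deny":
            return "deny"                     # first match controls the action
        called = entry.get("call")
        if called and evaluate(maps, called, route) == "deny":
            return "deny"                     # called map's deny overrides permit
        return "permit"
    return "deny"                             # implicit deny as the last entry


# Constructed sample data. USER_IN is a hypothetical user-provided route map
# that contains only a deny entry.
MAPS = {
    "MAP_VTEP_IN": [{"action": "permit", "call": "USER_IN"}],
    "USER_IN": [{"action": "deny", "match": "10.66.0.0/16"}],
}

# Same wrapper, but the user map also permits 10.0.0.0/8 after the deny entry.
MAPS_WITH_PERMIT = {
    "MAP_VTEP_IN": MAPS["MAP_VTEP_IN"],
    "USER_IN": MAPS["USER_IN"] + [{"action": "permit", "match": "10.0.0.0/8"}],
}

if __name__ == "__main__":
    for label, maps in (("deny-only", MAPS), ("with permit", MAPS_WITH_PERMIT)):
        for route in ("10.66.1.0/24", "10.1.0.0/24", "192.168.1.0/24"):
            print(label, route, evaluate(maps, "MAP_VTEP_IN", route))
```

With the deny-only user map every route is denied, because unmatched routes hit the implicit deny of the called map before the wrapper's permit can apply.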


* applied: [PATCH docs 0/2] Improve route map documentation
@ 2026-05-13 16:48 ` Thomas Lamprecht
From: Thomas Lamprecht @ 2026-05-13 16:48 UTC (permalink / raw)
  To: pve-devel, Stefan Hanreich

On Wed, 13 May 2026 18:20:09 +0200, Stefan Hanreich wrote:
> Removed the misleading note about having to create an explicit deny entry when
> calling a route map and also added a small section mentioning that every route
> map has an empty deny entry as its last entry.
> 
> 
> pve-docs:
> 
> [...]

Applied, thanks!

[1/2] sdn: route maps: mention implicit deny default explicitly
      commit: 8767063e577645d2f445329ec6711122f07a0fd0
[2/2] sdn: route map: delete note about creating an empty deny entry
      commit: dc6cbc20d4c466df1971eec7d9825cb733d46ff7
