From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-docs 2/2] sdn: route map: delete note about creating an empty deny entry
Date: Wed, 13 May 2026 18:20:11 +0200 [thread overview]
Message-ID: <20260513162013.456890-3-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260513162013.456890-1-s.hanreich@proxmox.com>
When another route map is called from an entry, then the route is
denied if it the called route map returns deny, even if the calling
entry has permit as its matching policy. See FRR docs [1]:
If the route-map called returns deny then processing of the route-map
finishes and the route is denied, regardless of the Matching Policy or
the Exit Policy. If the called route-map returns permit, then Matching
Policy and Exit Policy govern further behaviour, as normal.
This means that, even though MAP_VTEP_IN has permit as its matching
policy, any route will be denied if the called route map denies it.
[1] https://docs.frrouting.org/en/latest/routemap.html#term-Call-Action
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
pvesdn.adoc | 6 ------
1 file changed, 6 deletions(-)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 9a3b6b8..3256e96 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -894,12 +894,6 @@ received from a peer before installing them; outgoing maps run against routes
before announcing them. Both fields are optional and selected from the route
maps configured in the SDN.
-NOTE: For the EVPN controller, the user-provided route maps are invoked via
-`call` from internal wrapper maps (`MAP_VTEP_IN` / `MAP_VTEP_OUT`) whose
-trailing action is `permit`. As a result, a deny-only user route map will not
-block routes that do not match any of its entries; finish such a map with an
-explicit catch-all `deny` entry if you want a closed default.
-
The OSPF and OpenFabric xref:pvesdn_config_fabrics[fabrics] take a `Route
Filter` option that references a prefix list. When set, only routes whose
destinations pass the prefix list are installed in the kernel routing table.
--
2.47.3
next prev parent reply other threads:[~2026-05-13 16:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 16:20 [PATCH docs 0/2] Improve route map documentation Stefan Hanreich
2026-05-13 16:20 ` [PATCH pve-docs 1/2] sdn: route maps: mention implicit deny default explicitly Stefan Hanreich
2026-05-13 16:20 ` Stefan Hanreich [this message]
2026-05-13 16:48 ` applied: [PATCH docs 0/2] Improve route map documentation Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513162013.456890-3-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.