* [pve-devel] [PATCH pve-network 0/1] controllers: evpn: fix multiple exit-nodes with route-map filtering
@ 2022-04-20 14:19 Alexandre Derumier
  2022-04-20 14:19 ` [pve-devel] [PATCH pve-network 1/1] " Alexandre Derumier
  0 siblings, 1 reply; 3+ messages in thread
From: Alexandre Derumier @ 2022-04-20 14:19 UTC (permalink / raw)
  To: pve-devel

2 forum users have reported problems when multiple evpn exit-nodes are defined.

This was because of a loop between default gw exchanged between the exit-nodes.

This patch adds filtering of incoming default routes on the exit-nodes with a new route-map.


Alexandre Derumier (1):
  controllers: evpn: fix multiple exit-nodes with route-map filtering

 PVE/Network/SDN/Controllers/BgpPlugin.pm      |  5 ++--
 PVE/Network/SDN/Controllers/EvpnPlugin.pm     | 23 +++++++++++++++----
 .../expected_controller_config                |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ebgp/expected_controller_config      |  3 +++
 .../ebgp_loopback/expected_controller_config  |  3 +++
 .../evpn/exitnode/expected_controller_config  |  6 +++++
 .../expected_controller_config                |  6 +++++
 .../expected_controller_config                |  3 +++
 .../exitnode_snat/expected_controller_config  |  6 +++++
 .../evpn/ipv4/expected_controller_config      |  3 +++
 .../evpn/ipv4ipv6/expected_controller_config  |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ipv6/expected_controller_config      |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/rt_import/expected_controller_config |  3 +++
 16 files changed, 72 insertions(+), 7 deletions(-)

-- 
2.30.2





* [pve-devel] [PATCH pve-network 1/1] controllers: evpn: fix multiple exit-nodes with route-map filtering
  2022-04-20 14:19 [pve-devel] [PATCH pve-network 0/1] controllers: evpn: fix multiple exit-nodes with route-map filtering Alexandre Derumier
@ 2022-04-20 14:19 ` Alexandre Derumier
  2022-04-27  8:34   ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 3+ messages in thread
From: Alexandre Derumier @ 2022-04-20 14:19 UTC (permalink / raw)
  To: pve-devel

Currently, when multiple exit-nodes are defined, each exit-node exchanges
its own default route, so traffic is looping between both exit nodes
instead of going out.

This adds a new route-map to filter received type-5 on exit node

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/Network/SDN/Controllers/BgpPlugin.pm      |  5 ++--
 PVE/Network/SDN/Controllers/EvpnPlugin.pm     | 23 +++++++++++++++----
 .../expected_controller_config                |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ebgp/expected_controller_config      |  3 +++
 .../ebgp_loopback/expected_controller_config  |  3 +++
 .../evpn/exitnode/expected_controller_config  |  6 +++++
 .../expected_controller_config                |  6 +++++
 .../expected_controller_config                |  3 +++
 .../exitnode_snat/expected_controller_config  |  6 +++++
 .../evpn/ipv4/expected_controller_config      |  3 +++
 .../evpn/ipv4ipv6/expected_controller_config  |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ipv6/expected_controller_config      |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/rt_import/expected_controller_config |  3 +++
 16 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm b/PVE/Network/SDN/Controllers/BgpPlugin.pm
index 73ed171..6e69f67 100644
--- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
+++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
@@ -121,10 +121,11 @@ sub generate_controller_config {
 	push(@{$config->{frr}->{''}}, "ip prefix-list loopbacks_ips seq 10 permit 0.0.0.0/0 le 32");
 	push(@{$config->{frr}->{''}}, "ip protocol bgp route-map correct_src");
 
-	my $routemap_config = [];
+	my $routemap_config = ();
 	push @{$routemap_config}, "match ip address prefix-list loopbacks_ips";
 	push @{$routemap_config}, "set src $ifaceip";
-	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap_config);
+	my $routemap = { rule => $routemap_config, action => "permit" };
+	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap);
     }
 
     return $config;
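Review bot: in the changed initializer, my $routemap_config = (); assigns an empty list to a scalar, which leaves $routemap_config undefined, and the following push only works because Perl autovivifies the array reference. Keeping the explicit [] from the removed line states the intent directly. The entries pushed into frr_routemap also change here from a plain array ref to a hash with rule and action keys, so a short comment describing that structure would help anyone else who pushes into it.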
diff --git a/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 0c49893..22480d4 100644
--- a/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -99,13 +99,16 @@ sub generate_controller_config {
 
     # address-family l2vpn
     @controller_config = ();
+    push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in";
     push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out";
     push @controller_config, "neighbor VTEP activate";
     push @controller_config, "advertise-all-vni";
     push @controller_config, "autort as $autortas" if $autortas;
     push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
 
-    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, []);
+    my $routemap = { rule => undef, action => "permit" };
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap );
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap );
 
     return $config;
 }
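Review bot: the same $routemap hash reference is pushed into both MAP_VTEP_IN and MAP_VTEP_OUT, so the two route-maps share a single entry and any later in-place change to it would appear in both. Build a separate hash for each map. Consider rule => [] instead of rule => undef as well, so that the @$rule dereference in generate_frr_routemap always receives an array reference.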
@@ -160,14 +163,22 @@ sub generate_controller_zone_config {
 
     if ($is_gateway) {
 
-        if($exitnodes_primary && $exitnodes_primary ne $local_node) {
+	if(!$exitnodes_primary || $exitnodes_primary eq $local_node) {
+	    #filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
+	    my $routemap_config = ();
+	    push @{$routemap_config}, "match evpn route-type prefix";
+	    my $routemap = { rule => $routemap_config, action => "deny" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
+	} elsif ($exitnodes_primary ne $local_node) {
 	    my $routemap_config = ();
 	    push @{$routemap_config}, "match evpn vni $vrfvxlan";
 	    push @{$routemap_config}, "match evpn route-type prefix";
 	    push @{$routemap_config}, "set metric 200";
-	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap_config);
+	    my $routemap = { rule => $routemap_config, action => "permit" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
         }
 
+
 	if (!$exitnodes_local_routing) {
 	    @controller_config = ();
 	    #import /32 routes of evpn network from vrf1 to default vrf (for packet return)
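Review bot: in the new if branch, the deny entry matches only on "match evpn route-type prefix", so it rejects every type-5 route received from the VTEP peers, while the code comment and the commit message speak of default routes. If only the default route is meant to be filtered, restrict the entry to 0.0.0.0/0 and ::/0; otherwise update the comment to say that all received type-5 routes are dropped on these exit nodes. The elsif condition ($exitnodes_primary ne $local_node) is always true once the if has failed, so a plain else is enough. Since the unshift runs in generate_controller_zone_config, it is also worth checking that several zones on one gateway do not add the same deny entry to MAP_VTEP_IN more than once.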
@@ -355,10 +366,12 @@ sub generate_frr_routemap {
 	my $order = 0;
 	foreach my $seq (@$routemap) {
 		$order++;
+		next if !defined($seq->{action});
 		my @config = ();
 		push @config, "!";
-		push @config, "route-map $id permit $order";
-		push @config, map { " $_" } @$seq;
+		push @config, "route-map $id $seq->{action} $order";
+		my $rule = $seq->{rule};
+		push @config, map { " $_" } @$rule;
 		push @{$final_config}, @config;
 	}
    }
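Review bot: next if !defined($seq->{action}); sits after $order++, so a skipped entry leaves a gap in the sequence numbers and is dropped without any message. Move the check before the increment, or warn or die on an entry that has no action. An entry that is still a plain array ref in the old format will not be skipped by this check but will fail at $seq->{action} with "Not a HASH reference", so a ref($seq) eq 'HASH' test with a clear error message would make a missed conversion easier to diagnose.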
diff --git a/test/zones/evpn/advertise_subnets/expected_controller_config b/test/zones/evpn/advertise_subnets/expected_controller_config
index c9545bc..742bbf4 100644
--- a/test/zones/evpn/advertise_subnets/expected_controller_config
+++ b/test/zones/evpn/advertise_subnets/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -41,6 +42,8 @@ router bgp 65000 vrf vrf_myzone
   advertise ipv6 unicast
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
+++ b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp/expected_controller_config b/test/zones/evpn/ebgp/expected_controller_config
index 5c9a7c6..d1956df 100644
--- a/test/zones/evpn/ebgp/expected_controller_config
+++ b/test/zones/evpn/ebgp/expected_controller_config
@@ -31,6 +31,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -45,6 +46,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp_loopback/expected_controller_config b/test/zones/evpn/ebgp_loopback/expected_controller_config
index 5ec19a8..905433b 100644
--- a/test/zones/evpn/ebgp_loopback/expected_controller_config
+++ b/test/zones/evpn/ebgp_loopback/expected_controller_config
@@ -36,6 +36,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -50,6 +51,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 route-map correct_src permit 1
diff --git a/test/zones/evpn/exitnode/expected_controller_config b/test/zones/evpn/exitnode/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode/expected_controller_config
+++ b/test/zones/evpn/exitnode/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_local_routing/expected_controller_config b/test/zones/evpn/exitnode_local_routing/expected_controller_config
index 812043e..6ceaca7 100644
--- a/test/zones/evpn/exitnode_local_routing/expected_controller_config
+++ b/test/zones/evpn/exitnode_local_routing/expected_controller_config
@@ -21,6 +21,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_primary/expected_controller_config b/test/zones/evpn/exitnode_primary/expected_controller_config
index 5f23bdc..dfa158d 100644
--- a/test/zones/evpn/exitnode_primary/expected_controller_config
+++ b/test/zones/evpn/exitnode_primary/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,8 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
  match evpn vni 1000
  match evpn route-type prefix
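Review bot: this fixture only exercises the non-primary branch (MAP_VTEP_IN is a bare permit and MAP_VTEP_OUT carries the vni and route-type matches), so the case where the local node is the configured primary and receives the deny entry has no expected_controller_config among the files touched by this patch. Add a fixture in which the primary exit node is the local node to cover the $exitnodes_primary eq $local_node condition.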
diff --git a/test/zones/evpn/exitnode_snat/expected_controller_config b/test/zones/evpn/exitnode_snat/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode_snat/expected_controller_config
+++ b/test/zones/evpn/exitnode_snat/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4/expected_controller_config b/test/zones/evpn/ipv4/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4/expected_controller_config
+++ b/test/zones/evpn/ipv4/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6/expected_controller_config b/test/zones/evpn/ipv4ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv6/expected_controller_config b/test/zones/evpn/ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/multipath_relax/expected_controller_config b/test/zones/evpn/multipath_relax/expected_controller_config
index ec3ce69..4f8d7de 100644
--- a/test/zones/evpn/multipath_relax/expected_controller_config
+++ b/test/zones/evpn/multipath_relax/expected_controller_config
@@ -32,6 +32,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -40,6 +41,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/rt_import/expected_controller_config b/test/zones/evpn/rt_import/expected_controller_config
index bcd2479..60d22e3 100644
--- a/test/zones/evpn/rt_import/expected_controller_config
+++ b/test/zones/evpn/rt_import/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,8 @@ router bgp 65000 vrf vrf_myzone
   route-target import 65003:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
-- 
2.30.2





* [pve-devel] applied: [PATCH pve-network 1/1] controllers: evpn: fix multiple exit-nodes with route-map filtering
  2022-04-20 14:19 ` [pve-devel] [PATCH pve-network 1/1] " Alexandre Derumier
@ 2022-04-27  8:34   ` Thomas Lamprecht
  0 siblings, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2022-04-27  8:34 UTC (permalink / raw)
  To: Proxmox VE development discussion, Alexandre Derumier

On 20.04.22 16:19, Alexandre Derumier wrote:
> Currently, when multiple exit-nodes are defined, each exit-node exchanges
> its own default route, so traffic is looping between both exit nodes
> instead of going out.
> 
> This adds a new route-map to filter received type-5 on exit node
> 
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
>  PVE/Network/SDN/Controllers/BgpPlugin.pm      |  5 ++--
>  PVE/Network/SDN/Controllers/EvpnPlugin.pm     | 23 +++++++++++++++----
>  .../expected_controller_config                |  3 +++
>  .../expected_controller_config                |  3 +++
>  .../evpn/ebgp/expected_controller_config      |  3 +++
>  .../ebgp_loopback/expected_controller_config  |  3 +++
>  .../evpn/exitnode/expected_controller_config  |  6 +++++
>  .../expected_controller_config                |  6 +++++
>  .../expected_controller_config                |  3 +++
>  .../exitnode_snat/expected_controller_config  |  6 +++++
>  .../evpn/ipv4/expected_controller_config      |  3 +++
>  .../evpn/ipv4ipv6/expected_controller_config  |  3 +++
>  .../expected_controller_config                |  3 +++
>  .../evpn/ipv6/expected_controller_config      |  3 +++
>  .../expected_controller_config                |  3 +++
>  .../evpn/rt_import/expected_controller_config |  3 +++
>  16 files changed, 72 insertions(+), 7 deletions(-)
> 
>

applied, thanks!

I'd do a bump of pve-network now for the upcoming point release, do you have anything
left that should go in (or was forgotten to be reviewed+applied)?



