From: Gabriel Goller
To: pve-devel@lists.proxmox.com
Subject: [PATCH frr 0/2] Fix leaked EVPN routes having wrong nexthop on IPv4 via IPv6 routes
Date: Fri, 15 May 2026 17:23:55 +0200
Message-ID: <20260515152400.726794-1-g.goller@proxmox.com>

When we have an EVPN fabric with IPv6 VTEPs and leak them into the default
routing table (or any other VRF) (via exit-nodes in our case) the nexthop is
wrong. The nexthop is correct in the vrf (e.g. `ip route show vrf vrf_evpn`)
but the import-vrf does not correctly check the BGP MP properties for the IPv6
nexthop and inserts an invalid (0.0.0.0) IPv4 nexthop.

The BGP MP properties are not checked because a legacy bgp flag is set
(BGP_ATTR_NEXT_HOP), which circumvents the BGP MP check. Fix this by not
setting this flag when an IPv6 nexthop is used.

Backport an upstream commit and make another small change on top of it so that
this also works with EVPN routes and not only general BGP MP.

Thanks @HannesL for the quick testing.

@Thomas you can also cherry pick the patches from the other frr series and do
a single bump, or we can apply this patch as-is and think over other series.

frr:

Gabriel Goller (2):
  frr: backport #21166 and #21958, fixing EVPN IPv4 routes with IPv6 nexhtop
  bump to version 10.6.1-1+pve2

 debian/changelog                              |   6 +
 debian/patches/series                         |   2 +
 ...R_NEXT_HOP-flag-handling-in-bgp_attr.patch | 149 ++++++++++++++++++
 ...v6-nexthops-when-importing-EVPN-IPv4.patch | 107 +++++++++++++
 4 files changed, 264 insertions(+)
 create mode 100644 debian/patches/upstream/0005-bgpd-fix-BGP_ATTR_NEXT_HOP-flag-handling-in-bgp_attr.patch
 create mode 100644 debian/patches/upstream/0006-bgpd-preserve-IPv6-nexthops-when-importing-EVPN-IPv4.patch


Summary over all repositories:
  4 files changed, 264 insertions(+), 0 deletions(-)

-- 
Generated by murpp 0.11.0
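
The flag precedence described in the cover letter above, as an added toy model that is not code from the patch series or from FRR. The struct, the flag value and all function names are hypothetical stand-ins, and the VTEP address is a constructed documentation address.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Simplified stand-ins for illustration; not FRR's real types or values. */
#define TOY_FLAG_NEXT_HOP 0x1u /* models the legacy BGP_ATTR_NEXT_HOP flag */

struct toy_attr {
    uint32_t flags;
    struct in_addr nexthop4;     /* legacy IPv4 NEXT_HOP, zero if unused */
    uint8_t mp_nexthop_len;      /* 16 when an IPv6 MP nexthop is present */
    struct in6_addr mp_nexthop6; /* nexthop carried in the MP attribute */
};

/* Attribute for an IPv4 prefix reached via an IPv6 VTEP.
 * fixed == 0: legacy flag always set (the behaviour described as wrong).
 * fixed != 0: legacy flag set only when there is no IPv6 MP nexthop. */
static struct toy_attr build_attr(const char *vtep6, int fixed)
{
    struct toy_attr a;
    memset(&a, 0, sizeof(a));
    if (inet_pton(AF_INET6, vtep6, &a.mp_nexthop6) == 1)
        a.mp_nexthop_len = 16;
    if (!fixed || a.mp_nexthop_len != 16)
        a.flags |= TOY_FLAG_NEXT_HOP;
    return a;
}

/* Import-side choice: the legacy flag is tested first, so when it is set
 * the MP nexthop is never looked at. Returns the address family or -1. */
static int select_nexthop(const struct toy_attr *a, char *out, socklen_t n)
{
    if (a->flags & TOY_FLAG_NEXT_HOP)
        return inet_ntop(AF_INET, &a->nexthop4, out, n) ? AF_INET : -1;
    if (a->mp_nexthop_len == 16)
        return inet_ntop(AF_INET6, &a->mp_nexthop6, out, n) ? AF_INET6 : -1;
    return -1;
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct toy_attr a = build_attr("2001:db8::1", fixed); /* constructed */
        if (select_nexthop(&a, buf, sizeof(buf)) >= 0)
            printf("fixed=%d leaked nexthop: %s\n", fixed, buf);
    }
    return 0;
}
```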