[pve-devel] [PATCH pve-network 1/1] controllers: evpn: fix multiple exit-nodes with route-map filtering

Alexandre Derumier aderumier at odiso.com
Wed Apr 20 16:19:30 CEST 2022


Currently, when multiple exit-nodes are defined, each exit-node exchanges
its own default route with the others, so traffic loops between the exit
nodes instead of going out.

This adds a new route-map to filter received type-5 routes on exit nodes.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/Network/SDN/Controllers/BgpPlugin.pm      |  5 ++--
 PVE/Network/SDN/Controllers/EvpnPlugin.pm     | 23 +++++++++++++++----
 .../expected_controller_config                |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ebgp/expected_controller_config      |  3 +++
 .../ebgp_loopback/expected_controller_config  |  3 +++
 .../evpn/exitnode/expected_controller_config  |  6 +++++
 .../expected_controller_config                |  6 +++++
 .../expected_controller_config                |  3 +++
 .../exitnode_snat/expected_controller_config  |  6 +++++
 .../evpn/ipv4/expected_controller_config      |  3 +++
 .../evpn/ipv4ipv6/expected_controller_config  |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/ipv6/expected_controller_config      |  3 +++
 .../expected_controller_config                |  3 +++
 .../evpn/rt_import/expected_controller_config |  3 +++
 16 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/PVE/Network/SDN/Controllers/BgpPlugin.pm b/PVE/Network/SDN/Controllers/BgpPlugin.pm
index 73ed171..6e69f67 100644
--- a/PVE/Network/SDN/Controllers/BgpPlugin.pm
+++ b/PVE/Network/SDN/Controllers/BgpPlugin.pm
@@ -121,10 +121,11 @@ sub generate_controller_config {
 	push(@{$config->{frr}->{''}}, "ip prefix-list loopbacks_ips seq 10 permit 0.0.0.0/0 le 32");
 	push(@{$config->{frr}->{''}}, "ip protocol bgp route-map correct_src");
 
-	my $routemap_config = [];
+	my $routemap_config = ();
 	push @{$routemap_config}, "match ip address prefix-list loopbacks_ips";
 	push @{$routemap_config}, "set src $ifaceip";
-	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap_config);
+	my $routemap = { rule => $routemap_config, action => "permit" };
+	push(@{$config->{frr_routemap}->{'correct_src'}}, $routemap);
     }
 
     return $config;
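Review bot: `my $routemap_config = ();` assigns an empty list to a scalar and leaves it undef, so the following `push @{$routemap_config}, ...` works only because push autovivifies the array. The removed `[]` was the explicit form; I would keep `my $routemap_config = [];` and wrap that in the new hash. The same `= ()` pattern is added in the new deny branch of generate_controller_zone_config in EvpnPlugin.pm. The enclosing function starts outside this hunk.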
diff --git a/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 0c49893..22480d4 100644
--- a/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -99,13 +99,16 @@ sub generate_controller_config {
 
     # address-family l2vpn
     @controller_config = ();
+    push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in";
     push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out";
     push @controller_config, "neighbor VTEP activate";
     push @controller_config, "advertise-all-vni";
     push @controller_config, "autort as $autortas" if $autortas;
     push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
 
-    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, []);
+    my $routemap = { rule => undef, action => "permit" };
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap );
+    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap );
 
     return $config;
 }
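Review bot: The same `$routemap` hashref is pushed onto both `MAP_VTEP_IN` and `MAP_VTEP_OUT`, so the two lists share one entry, and its `rule => undef` is later dereferenced as `@$rule` in generate_frr_routemap. That dereference presumably succeeds only because `map` autovivifies its list argument, and whatever is written into the shared hash then shows up in both route-maps. One entry per map with an explicit empty rule list avoids both issues: `push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, { rule => [], action => "permit" });` and the same line for `MAP_VTEP_OUT`.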
@@ -160,14 +163,22 @@ sub generate_controller_zone_config {
 
     if ($is_gateway) {
 
-        if($exitnodes_primary && $exitnodes_primary ne $local_node) {
+	if(!$exitnodes_primary || $exitnodes_primary eq $local_node) {
+	    #filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
+	    my $routemap_config = ();
+	    push @{$routemap_config}, "match evpn route-type prefix";
+	    my $routemap = { rule => $routemap_config, action => "deny" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
+	} elsif ($exitnodes_primary ne $local_node) {
 	    my $routemap_config = ();
 	    push @{$routemap_config}, "match evpn vni $vrfvxlan";
 	    push @{$routemap_config}, "match evpn route-type prefix";
 	    push @{$routemap_config}, "set metric 200";
-	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap_config);
+	    my $routemap = { rule => $routemap_config, action => "permit" };
+	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
         }
 
+
 	if (!$exitnodes_local_routing) {
 	    @controller_config = ();
 	    #import /32 routes of evpn network from vrf1 to default vrf (for packet return)
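Review bot: The new deny entry matches only `match evpn route-type prefix`, so on an exit node it rejects every type-5 route received from the VTEP peers, while its comment says it filters the default type-5 route. If other nodes advertise non-default prefixes as type-5, those are dropped as well; either narrow the match or make the comment state the real scope, e.g. `# drop all type-5 (prefix) routes received from VTEP peers on this exit node`. The entry also has no `match evpn vni $vrfvxlan`, unlike the metric entry in the other branch, and it is unshifted on each call, so with several zones MAP_VTEP_IN may collect duplicate deny entries — worth confirming against the caller. The `elsif ($exitnodes_primary ne $local_node)` test is always true at that point and reads more clearly as `} else {`. generate_controller_zone_config continues outside the hunk.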
@@ -355,10 +366,12 @@ sub generate_frr_routemap {
 	my $order = 0;
 	foreach my $seq (@$routemap) {
 		$order++;
+		next if !defined($seq->{action});
 		my @config = ();
 		push @config, "!";
-		push @config, "route-map $id permit $order";
-		push @config, map { " $_" } @$seq;
+		push @config, "route-map $id $seq->{action} $order";
+		my $rule = $seq->{rule};
+		push @config, map { " $_" } @$rule;
 		push @{$final_config}, @config;
 	}
    }
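Review bot: `next if !defined($seq->{action});` silently drops an entry that has no action, after `$order++` has already consumed its sequence number, so a mis-built entry disappears from the generated FRR config without any trace. For an inbound filter such as MAP_VTEP_IN that is a quiet way to lose a deny rule; I would fail loudly and restrict the value to what a route-map accepts: `die "route-map $id: invalid action\n" if ($seq->{action} // '') !~ /^(?:permit|deny)$/;`. Any writer that still pushes the old plain-arrayref entries would presumably die on `$seq->{action}` under strict refs, so it is worth checking the other plugins that fill `frr_routemap`. The enclosing function starts outside this hunk.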
diff --git a/test/zones/evpn/advertise_subnets/expected_controller_config b/test/zones/evpn/advertise_subnets/expected_controller_config
index c9545bc..742bbf4 100644
--- a/test/zones/evpn/advertise_subnets/expected_controller_config
+++ b/test/zones/evpn/advertise_subnets/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -41,6 +42,8 @@ router bgp 65000 vrf vrf_myzone
   advertise ipv6 unicast
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
+++ b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp/expected_controller_config b/test/zones/evpn/ebgp/expected_controller_config
index 5c9a7c6..d1956df 100644
--- a/test/zones/evpn/ebgp/expected_controller_config
+++ b/test/zones/evpn/ebgp/expected_controller_config
@@ -31,6 +31,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -45,6 +46,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ebgp_loopback/expected_controller_config b/test/zones/evpn/ebgp_loopback/expected_controller_config
index 5ec19a8..905433b 100644
--- a/test/zones/evpn/ebgp_loopback/expected_controller_config
+++ b/test/zones/evpn/ebgp_loopback/expected_controller_config
@@ -36,6 +36,7 @@ router bgp 65001
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -50,6 +51,8 @@ router bgp 65001 vrf vrf_myzone
   route-target export 65000:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 route-map correct_src permit 1
diff --git a/test/zones/evpn/exitnode/expected_controller_config b/test/zones/evpn/exitnode/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode/expected_controller_config
+++ b/test/zones/evpn/exitnode/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_local_routing/expected_controller_config b/test/zones/evpn/exitnode_local_routing/expected_controller_config
index 812043e..6ceaca7 100644
--- a/test/zones/evpn/exitnode_local_routing/expected_controller_config
+++ b/test/zones/evpn/exitnode_local_routing/expected_controller_config
@@ -21,6 +21,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/exitnode_primary/expected_controller_config b/test/zones/evpn/exitnode_primary/expected_controller_config
index 5f23bdc..dfa158d 100644
--- a/test/zones/evpn/exitnode_primary/expected_controller_config
+++ b/test/zones/evpn/exitnode_primary/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,8 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
  match evpn vni 1000
  match evpn route-type prefix
diff --git a/test/zones/evpn/exitnode_snat/expected_controller_config b/test/zones/evpn/exitnode_snat/expected_controller_config
index 96d89f3..0ee4b8a 100644
--- a/test/zones/evpn/exitnode_snat/expected_controller_config
+++ b/test/zones/evpn/exitnode_snat/expected_controller_config
@@ -28,6 +28,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -49,6 +50,11 @@ router bgp 65000 vrf vrf_myzone
   default-originate ipv6
  exit-address-family
 !
+route-map MAP_VTEP_IN deny 1
+ match evpn route-type prefix
+!
+route-map MAP_VTEP_IN permit 2
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4/expected_controller_config b/test/zones/evpn/ipv4/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4/expected_controller_config
+++ b/test/zones/evpn/ipv4/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6/expected_controller_config b/test/zones/evpn/ipv4ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
+++ b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/ipv6/expected_controller_config b/test/zones/evpn/ipv6/expected_controller_config
index 5a8fb99..2f819e5 100644
--- a/test/zones/evpn/ipv6/expected_controller_config
+++ b/test/zones/evpn/ipv6/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -28,6 +29,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/multipath_relax/expected_controller_config b/test/zones/evpn/multipath_relax/expected_controller_config
index ec3ce69..4f8d7de 100644
--- a/test/zones/evpn/multipath_relax/expected_controller_config
+++ b/test/zones/evpn/multipath_relax/expected_controller_config
@@ -32,6 +32,7 @@ router bgp 65000
  exit-address-family
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -40,6 +41,8 @@ router bgp 65000
 router bgp 65000 vrf vrf_myzone
  bgp router-id 192.168.0.1
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
diff --git a/test/zones/evpn/rt_import/expected_controller_config b/test/zones/evpn/rt_import/expected_controller_config
index bcd2479..60d22e3 100644
--- a/test/zones/evpn/rt_import/expected_controller_config
+++ b/test/zones/evpn/rt_import/expected_controller_config
@@ -20,6 +20,7 @@ router bgp 65000
  neighbor 192.168.0.3 peer-group VTEP
  !
  address-family l2vpn evpn
+  neighbor VTEP route-map MAP_VTEP_IN in
   neighbor VTEP route-map MAP_VTEP_OUT out
   neighbor VTEP activate
   advertise-all-vni
@@ -34,6 +35,8 @@ router bgp 65000 vrf vrf_myzone
   route-target import 65003:1000
  exit-address-family
 !
+route-map MAP_VTEP_IN permit 1
+!
 route-map MAP_VTEP_OUT permit 1
 !
 line vty
-- 
2.30.2




