Merge pull request #11358 from opensourcerouting/fix/implicit_withdraw_for_vrf_leaking_with_route_maps

bgpd: Fix VRF leaking when import/export RT list changed with route-maps

bgpd/bgp_mplsvpn.c

@@ -844,6 +844,26 @@ leak_update(struct bgp *bgp, /* destination bgp instance */
 			return NULL;
 		}
 
+		/* If the RT was changed via extended communities as an
+		 * import/export list, we should withdraw implicitly the old
+		 * path from VRFs.
+		 * For instance, RT list was modified using route-maps:
+		 * route-map test permit 10
+		 *   set extcommunity rt none
+		 */
+		if (CHECK_FLAG(bpi->attr->flag,
+			       ATTR_FLAG_BIT(BGP_ATTR_EXT_COMMUNITIES)) &&
+		    CHECK_FLAG(new_attr->flag,
+			       ATTR_FLAG_BIT(BGP_ATTR_EXT_COMMUNITIES))) {
+			if (!ecommunity_cmp(
+				    bgp_attr_get_ecommunity(bpi->attr),
+				    bgp_attr_get_ecommunity(new_attr))) {
+				vpn_leak_to_vrf_withdraw(bgp, bpi);
+				bgp_aggregate_decrement(bgp, p, bpi, afi, safi);
+				bgp_path_info_delete(bn, bpi);
+			}
+		}
+
 		/* attr is changed */
 		bgp_path_info_set_flag(bn, bpi, BGP_PATH_ATTR_CHANGED);
 
@@ -1510,8 +1530,8 @@ vpn_leak_to_vrf_update_onevrf(struct bgp *bgp_vrf,	    /* to */
 		    bgp_attr_get_ecommunity(path_vpn->attr))) {
 		if (debug)
 			zlog_debug(
-				"from vpn to vrf %s, skipping after no intersection of route targets",
-				bgp_vrf->name_pretty);
+				"from vpn (%s) to vrf (%s), skipping after no intersection of route targets",
+				bgp_vpn->name_pretty, bgp_vrf->name_pretty);
 		return;
 	}
 

tests/topotests/bgp_vrf_leaking_rt_change_route_maps/r1/bgpd.conf

@@ -0,0 +1,31 @@
+!
+router bgp 65500
+exit
+!
+router bgp 65500 vrf vrf1
+ bgp router-id 10.0.0.1
+ no bgp network import-check
+ address-family ipv4 unicast
+  network 192.168.100.100/32 route-map rm
+  rd vpn export 65500:10001
+  rt vpn import 65500:10000 65500:10990
+  rt vpn export 65500:10000
+  export vpn
+  import vpn
+ exit-address-family
+exit
+!
+router bgp 65500 vrf vrf2
+ address-family ipv4 unicast
+  rd vpn export 65500:11001
+  rt vpn import 65500:11000 65500:11990
+  rt vpn export 65500:11000
+  export vpn
+  import vpn
+ exit-address-family
+exit
+!
+route-map rm permit 10
+ set extcommunity rt 65500:10100 65500:11990
+exit
+!

tests/topotests/bgp_vrf_leaking_rt_change_route_maps/r1/zebra.conf

@@ -0,0 +1,6 @@
+!
+interface r1-eth0
+ ip address 10.0.0.1/24
+!
+ip forwarding
+!

tests/topotests/bgp_vrf_leaking_rt_change_route_maps/test_bgp_vrf_leaking_rt_change_route_maps.py

@@ -0,0 +1,104 @@
+#!/usr/bin/env python
+
+#
+# Copyright (c) 2022 by
+# Donatas Abraitis <donatas@opensourcerouting.org>
+#
+# Permission to use, copy, modify, and/or distribute this software
+# for any purpose with or without fee is hereby granted, provided
+# that the above copyright notice and this permission notice appear
+# in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND NETDEF DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NETDEF BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+# DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
+# OF THIS SOFTWARE.
+#
+
+"""
+If we overwrite import/export RT list via route-maps or even flush by using
+`set extcommunity none`, then we must withdraw old paths from VRFs to avoid
+stale paths.
+"""
+
+import os
+import sys
+import json
+import pytest
+import functools
+
+CWD = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(os.path.join(CWD, "../"))
+
+# pylint: disable=C0413
+from lib import topotest
+from lib.topogen import Topogen, TopoRouter, get_topogen
+from lib.common_config import step
+
+pytestmark = [pytest.mark.bgpd]
+
+
+def build_topo(tgen):
+    tgen.add_router("r1")
+
+
+def setup_module(mod):
+    tgen = Topogen(build_topo, mod.__name__)
+    tgen.start_topology()
+
+    router = tgen.gears["r1"]
+    router.cmd_raises("ip link add vrf1 type vrf table 10")
+    router.cmd_raises("ip link set up dev vrf1")
+    router.cmd_raises("ip link add vrf2 type vrf table 20")
+    router.cmd_raises("ip link set up dev vrf2")
+    router.load_config(TopoRouter.RD_ZEBRA, os.path.join(CWD, "r1/zebra.conf"))
+    router.load_config(TopoRouter.RD_BGP, os.path.join(CWD, "r1/bgpd.conf"))
+    router.start()
+
+
+def teardown_module(mod):
+    tgen = get_topogen()
+    tgen.stop_topology()
+
+
+def test_bgp_vrf_leaking_rt_change_route_maps():
+    tgen = get_topogen()
+
+    router = tgen.gears["r1"]
+
+    if tgen.routers_have_failure():
+        pytest.skip(tgen.errors)
+
+    def _bgp_check_path():
+        output = json.loads(router.vtysh_cmd("show bgp vrf vrf2 ipv4 unicast json"))
+        expected = {"routes": {"192.168.100.100/32": [{"nhVrfName": "vrf1"}]}}
+        return topotest.json_cmp(output, expected)
+
+    step("Initial converge")
+    test_func = functools.partial(_bgp_check_path)
+    _, result = topotest.run_and_expect(test_func, None, count=60, wait=0.5)
+    assert result is None, "Can't see 192.168.100.100/32 leaked from vrf1 into vrf2."
+
+    step("Overwrite RT list (remove rt 65500:11990 from route-map)")
+    router.vtysh_cmd(
+        """
+        config terminal
+        route-map rm permit 10
+         set extcommunity rt 65500:10100
+        exit
+        """
+    )
+
+    step("Check if 192.168.100.100/32 was removed from vrf2")
+    test_func = functools.partial(_bgp_check_path)
+    _, result = topotest.run_and_expect(test_func, not None, count=20, wait=0.5)
+    assert result is not None, "192.168.100.100/32 still exists in vrf2 as stale."
+
+
+if __name__ == "__main__":
+    args = ["-s"] + sys.argv[1:]
+    sys.exit(pytest.main(args))