From d14dbdb897907baeadf44c67b583316434561255 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 30 Oct 2024 16:09:01 -0400
Subject: [PATCH] bgpd: Move RFC 8212 check for inbound before filter in bgp_update

Currently the code to check to see if any input filters are applicable is *before* the RFC 8212 check to see if we have any filters at all. As such we have already tested for this, so let's move this check for RFC 8212 to immediately before the input filter test.

Signed-off-by: Donald Sharp
---
 bgpd/bgp_route.c | 45 ++++++++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index f07a8730c8..7a87739479 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -4839,6 +4839,28 @@ void bgp_update(struct peer *peer, const struct prefix *p, uint32_t addpath_id,
 goto filtered;
 }
 
+ /* RFC 8212 to prevent route leaks.
+ * This specification intends to improve this situation by requiring the
+ * explicit configuration of both BGP Import and Export Policies for any
+ * External BGP (EBGP) session such as customers, peers, or
+ * confederation boundaries for all enabled address families. Through
+ * codification of the aforementioned requirement, operators will
+ * benefit from consistent behavior across different BGP
+ * implementations.
+ */
+ if (CHECK_FLAG(bgp->flags, BGP_FLAG_EBGP_REQUIRES_POLICY))
+ if (!bgp_inbound_policy_exists(peer, &peer->filter[afi][safi])) {
+ reason = "inbound policy missing";
+ if (monotime_since(&bgp->ebgprequirespolicywarning, NULL) >
+ FIFTEENMINUTE2USEC ||
+ bgp->ebgprequirespolicywarning.tv_sec == 0) {
+ zlog_warn(
+ "EBGP inbound/outbound policy not properly setup, please configure in order for your peering to work correctly");
+ monotime(&bgp->ebgprequirespolicywarning);
+ }
+ goto filtered;
+ }
+
 /* Apply incoming filter. */
 if (bgp_input_filter(peer, p, attr, afi, orig_safi) == FILTER_DENY) {
 peer->stat_pfx_filter++;
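Review bot: The `zlog_warn` in the relocated RFC 8212 block does not name the peer or address family being rejected, and it says "inbound/outbound" although this path tests only `bgp_inbound_policy_exists()`, so the log does not show which EBGP session is having every received prefix dropped. The throttle timestamp `bgp->ebgprequirespolicywarning` belongs to the instance, not the peer, so several policy-less peers apparently share a single line per interval; naming the peer would make that line actionable, e.g. `zlog_warn("%s: EBGP inbound policy missing, received prefixes are rejected until one is configured", peer->host);`. The outer `if (CHECK_FLAG(bgp->flags, BGP_FLAG_EBGP_REQUIRES_POLICY))` also wraps the nested `if` without braces; joining the two conditions with `&&` would be less fragile. The statements between the old and new positions are not visible in the diff, so confirm that nothing skipped there (counters, debug output) is still expected for policy-less peers. The body of bgp_update starts and ends outside this hunk.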
@@ -4871,29 +4893,6 @@ void bgp_update(struct peer *peer, const struct prefix *p, uint32_t addpath_id,
 }
 }
 
- /* RFC 8212 to prevent route leaks.
- * This specification intends to improve this situation by requiring the
- * explicit configuration of both BGP Import and Export Policies for any
- * External BGP (EBGP) session such as customers, peers, or
- * confederation boundaries for all enabled address families. Through
- * codification of the aforementioned requirement, operators will
- * benefit from consistent behavior across different BGP
- * implementations.
- */
- if (CHECK_FLAG(bgp->flags, BGP_FLAG_EBGP_REQUIRES_POLICY))
- if (!bgp_inbound_policy_exists(peer,
- &peer->filter[afi][safi])) {
- reason = "inbound policy missing";
- if (monotime_since(&bgp->ebgprequirespolicywarning,
- NULL) > FIFTEENMINUTE2USEC ||
- bgp->ebgprequirespolicywarning.tv_sec == 0) {
- zlog_warn(
- "EBGP inbound/outbound policy not properly setup, please configure in order for your peering to work correctly");
- monotime(&bgp->ebgprequirespolicywarning);
- }
- goto filtered;
- }
-
 /* draft-ietf-idr-deprecate-as-set-confed-set
 * Filter routes having AS_SET or AS_CONFED_SET in the path.
 * Eventually, This document (if approved) updates RFC 4271