From: Theo Buehler <tb@theobuehler.org>
Subject: Re: bgpd: attribute transparency when transparent-as is set
To: tech@openbsd.org
Date: Tue, 7 Jan 2025 11:51:47 +0100

On Tue, Jan 07, 2025 at 11:40:05AM +0100, Claudio Jeker wrote:
> Right now transparent-as yes has some influence on attribute transparency
> but the well known communities NO_EXPORT, NO_ADVERTISE, and
> NO_EXPORT_SUBCONFED still filter out paths. This is not what we want so
> bypass that check if transparent-as is set to yes.

ok for the code change

> Also be more precise in the documentation about transparent-as yes.

ok, but maybe jmc has something to add to my couple of nits :)

> -- 
> :wq Claudio
> 
> Index: bgpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.conf.5,v
> diff -u -p -r1.245 bgpd.conf.5
> --- bgpd.conf.5	13 Dec 2024 19:21:03 -0000	1.245
> +++ bgpd.conf.5	7 Jan 2025 10:26:26 -0000
> @@ -407,8 +407,16 @@ The default is 180 seconds.
>  .Xc
>  If set to
>  .Ic yes ,
> +attribute transparency is enabled.
>  .Em AS paths
>  to EBGP neighbors are not prepended with the local AS.
> +Additionally the MULTI_EXIT_DISC attribute is passed transparently and

Could use a comma:

Additionally, ...

> +automatic filtering based on the well known communities

well-known

> +.Ic NO_EXPORT ,
> +.Ic NO_ADVERTISE ,
> +and
> +.Ic NO_EXPORT_SUBCONFED
> +is disabled.
>  The default is
>  .Ic no .
>  .El
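
Review bot: The added sentence ending in "is disabled." says that automatic filtering on NO_EXPORT, NO_ADVERTISE and NO_EXPORT_SUBCONFED is turned off, but it does not tell the operator what to do if those communities should still be honored on a transparent session. Suggest one more sentence stating that explicit filter rules are then required, since a path tagged by its originator to stay local is no longer held back automatically. Separately, "attribute transparency is enabled." introduces the term without defining it; wording that marks the following sentences as its definition would help.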
> @@ -1571,8 +1579,11 @@ After changing keys, a session needs to 
>  .Xc
>  If set to
>  .Ic yes ,
> -.Em AS paths
> -to EBGP neighbors are not prepended with the local AS.
> +attribute transparency is enabled.
> +See also the
> +.Ic transparent-as
> +setting in
> +.Sx GLOBAL CONFIGURATION .
>  The default is inherited from the global
>  .Ic transparent-as
>  setting.
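
Review bot: In the neighbor-level entry, the two removed lines were the only description of what the option does, and the replacement ("attribute transparency is enabled." plus the cross-reference) leaves this section without any statement of the effect. Because the setting now also disables well-known community filtering for that neighbor, consider keeping one short sentence here that names the effects (no local AS prepend, MULTI_EXIT_DISC passed through, well-known community filtering off) before the "See also", so the policy consequence is visible where the per-neighbor knob is documented.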
> Index: rde_update.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
> diff -u -p -r1.170 rde_update.c
> --- rde_update.c	9 Dec 2024 10:51:46 -0000	1.170
> +++ rde_update.c	7 Jan 2025 10:15:15 -0000
> @@ -90,6 +90,13 @@ up_test_update(struct rde_peer *peer, st
>  			return (0);
>  	}
>  
> +	/*
> +	 * With "transparent-as yes" set do not filter based on
> +	 * well known communities. Instead pass them on to the client.
> +	 */
> +	if (peer->flags & PEERFLAG_TRANS_AS)
> +		return (1);
> +
>  	/* well known communities */
>  	if (community_match(comm, &comm_no_advertise, NULL))
>  		return (0);
>
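
Review bot: The added "return (1);" under "if (peer->flags & PEERFLAG_TRANS_AS)" leaves the function before the well-known communities block, so any test that sits after that block, now or added later, is skipped for transparent peers as well, while the comment only promises to skip the community filtering. Scoping the bypass to the checks themselves, for example by wrapping the community_match() tests in "if (!(peer->flags & PEERFLAG_TRANS_AS))", would keep the behaviour aligned with the comment. The comment also says "pass them on to the client" while the manual page hunk speaks of neighbors; using the same term in both places would avoid confusion with route-reflector clients.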