Page MenuHomeVyOS Platform

Prefix-List(6) update cause empty prefix-list(6)
Closed, ResolvedPublicBUG

Description

Hi team,

I have often the case that a prefix-list(6) updates causing an empty prefix-list. Prefix-list is used in route-map to allow ingress/egress prefixes for eBGP. For example I add additional prefix with higher rule number to that list. That will cause that route-map which using the prefix-list as match rule is dropping all prefixes egress / ingress. That cause bgp summary shows 0 0 PfxRcd / PfxSnt. Vyos shows the correct pref-list configuration.

Prefix-list:

set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'deny'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix 'xxx/48'
set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
set policy prefix-list6 BGP-IN6 rule 999 le '48'
set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
...

Route-map:

set policy route-map BGP-IN6 rule 10 action 'permit'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'

Restart of bgp daemon does not fix the issue. The only fix ist to delete all pref-list entries, commit and add all entries including the new entry to that prefix-list. Then all works as expected. It looks like an update of an existing pref-list with additional rule will cause that prefix-list return deny at any time until i delete all rules and add it again.

That a really annoying behavior.

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202105170417
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

This comment was removed by fernando.

Hi

I tried to replicate that issue with the same version but I couldn't , let me show

vyos@vipv6-lp# run show version

Version: VyOS 1.4-rolling-202104270417
Release Train: sagitta

Built by: [email protected]
Built on: Wed 28 Apr 2021 01:17 UTC

current configuration :

vyos@vipv6-lp# run show configuration commands | match "bgp|prefix"
set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'permit'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix '2001:db8:4444::/48'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'
set protocols bgp address-family ipv6-unicast redistribute connected
set protocols bgp local-as '65000'
set protocols bgp neighbor 2001:db8:3333::11 address-family ipv6-unicast route-map import 'BGP-IN6'
set protocols bgp neighbor 2001:db8:3333::11 ebgp-multihop '2'
set protocols bgp neighbor 2001:db8:3333::11 remote-as '65001'

add new lines to existing prefix-list :

vyos@vipv6-lp# set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
[edit]
vyos@vipv6-lp# set policy prefix-list6 BGP-IN6 rule 999 le '48'
[edit]
vyos@vipv6-lp# set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
[edit]
vyos@vipv6-lp# commit
[edit]
vyos@vipv6-lp# save
Saving configuration to '/config/config.boot'...

then the prefix-list show the new lines :

vyos@vipv6-lp# run show configuration commands | match "bgp|prefix"
set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'permit'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix '2001:db8:4444::/48'
set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
set policy prefix-list6 BGP-IN6 rule 999 le '48'
set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'

this is not empty and the new rules are applicate on the ipv6 neighbor

Why you closing the issue? Bug or issue is not resolved.

It happens again and again within my installation.

I can not reproduce the issue using the following command sequence using VyOS 1.4-rolling-202106010417:

set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'deny'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix '2001:db8::/48'
set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
set policy prefix-list6 BGP-IN6 rule 999 le '48'
set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
commit
set policy route-map BGP-IN6 rule 10 action 'permit'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'

FRR vtysh -c "show run" reports:

!
ipv6 prefix-list BGP-IN6 seq 100 deny ::/0
ipv6 prefix-list BGP-IN6 seq 101 deny 2001:db8::/48 le 128
ipv6 prefix-list BGP-IN6 seq 999 permit ::/0 le 48
!
route-map BGP-IN6 permit 10
 match ipv6 address prefix-list BGP-IN6
!

I can reproduce the issue on our productive route in following way:

Base configuration:

set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'deny'
set policy prefix-list6 BGP-IN6 rule 101 le '48'
set policy prefix-list6 BGP-IN6 rule 101 prefix 'xxx/48'
set policy prefix-list6 BGP-IN6 rule 102 action 'permit'
set policy prefix-list6 BGP-IN6 rule 102 le '48'
set policy prefix-list6 BGP-IN6 rule 102 prefix 'xxx/44'
set policy prefix-list6 BGP-IN6 rule 103 action 'permit'
set policy prefix-list6 BGP-IN6 rule 103 le '48'
set policy prefix-list6 BGP-IN6 rule 103 prefix 'xxx/44'
set policy route-map XXX-CUS-IN6 rule 10 action 'permit'
set policy route-map XXX-CUS-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6 '
set policy route-map XXX-CUS-IN6 rule 999 action 'deny'

BGP sessions is up running and route filter import is set to: XXX-CUS-IN6

Now, customer has another prefix. We create additonal prefix-list rule:

set policy prefix-list6 BGP-IN6 rule 104 action 'permit'
set policy prefix-list6 BGP-IN6 rule 104 le '48'
set policy prefix-list6 BGP-IN6 rule 104 prefix 'xxx/44'

After commit rule 104 route count drops to 0. BGP session restart does not solve the problem.
Only way to solve the issue is

a) Deleting all rules and then add rule 100 to 103 again or
b) Restart router

Maybe issue is caused by our last drop rule to drop any stupid issue.

set policy route-map XXX-CUS-IN6 rule 999 action 'deny'

Hi

Sorry for confusing with the status of the ticket , I wanted to put in pending . I was trying to replicate the issues in a lab environment but it wasn't possible , let me show :

vyos@vipv6-lp# run show configuration commands | match "route-map|prefix"
set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'permit'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix '2001:db8:4444::/48'
set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
set policy prefix-list6 BGP-IN6 rule 999 le '48'
set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
set policy route-map BGP-IN6 rule 10 action 'permit'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'
set policy route-map BGP-IN6 rule 999 action 'deny'

before applying the new config , I did " show bgp summary "

Neighbor          V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
2001:db8:3333::11 4      65001        63        60        0    0    0 00:53:30            1        3

so I add a new rule in the prefix-list :

vyos@vipv6-lp# set policy prefix-list6 BGP-IN6 rule 103 action 'permit'
[edit]
vyos@vipv6-lp# set policy prefix-list6 BGP-IN6 rule 103 le '128'
[edit]
/128'vipv6-lp# set policy prefix-list6 BGP-IN6 rule 103 prefix '2001:db8:1111::1 
[edit]
vyos@vipv6-lp# compare 
[edit policy prefix-list6 BGP-IN6]
+rule 103 {
+    action permit
+    le 128
+    prefix 2001:db8:1111::1/128

but It works without problems :

vyos@vipv6-lp# run show bgp summary 

IPv6 Unicast Summary:
BGP router identifier 2.2.2.2, local AS number 65000 vrf-id 0
BGP table version 4
RIB entries 7, using 1344 bytes of memory
Peers 1, using 21 KiB of memory

Neighbor          V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
2001:db8:3333::11 4      65001        67        62        0    0    0 00:53:39            2        4

Total number of neighbors 1
[edit]
vyos@vipv6-lp# run show configuration commands  | match "prefix-list|route-map"
set policy prefix-list6 BGP-IN6 rule 100 action 'deny'
set policy prefix-list6 BGP-IN6 rule 100 prefix '::/0'
set policy prefix-list6 BGP-IN6 rule 101 action 'permit'
set policy prefix-list6 BGP-IN6 rule 101 le '128'
set policy prefix-list6 BGP-IN6 rule 101 prefix '2001:db8:4444::/48'
set policy prefix-list6 BGP-IN6 rule 103 action 'permit'
set policy prefix-list6 BGP-IN6 rule 103 le '128'
set policy prefix-list6 BGP-IN6 rule 103 prefix '2001:db8:1111::1/128'
set policy prefix-list6 BGP-IN6 rule 999 action 'permit'
set policy prefix-list6 BGP-IN6 rule 999 le '48'
set policy prefix-list6 BGP-IN6 rule 999 prefix '::/0'
set policy route-map BGP-IN6 rule 10 action 'permit'
set policy route-map BGP-IN6 rule 10 match ipv6 address prefix-list 'BGP-IN6'
set policy route-map BGP-IN6 rule 999 action 'deny'
set protocols bgp neighbor 2001:db8:3333::11 address-family ipv6-unicast route-map import 'BGP-IN6'

FRR vtysh -c "show run" reports:

ipv6 prefix-list BGP-IN6 seq 100 deny ::/0
ipv6 prefix-list BGP-IN6 seq 101 permit 2001:db8:4444::/48 le 128
ipv6 prefix-list BGP-IN6 seq 103 permit 2001:db8:1111::1/128 le 128
ipv6 prefix-list BGP-IN6 seq 999 permit ::/0 le 48
!
route-map BGP-IN6 permit 10
 match ipv6 address prefix-list BGP-IN6
!
route-map BGP-IN6 deny 999