
route-map issues, not load configuration FRR
Closed, Resolved | Public | BUG

Description

Hi team,

I've made some tests on the latest version, FRR 8.4, and I found that this configuration doesn't allow the full route-map with its statements to be loaded into FRR (however, our CLI allows it to be configured and shown).

VyOS CLI - export policy:

set policy prefix-list PFX-ALL rule 10 action 'permit'
set policy prefix-list PFX-ALL rule 10 prefix '0.0.0.0/0'
set policy prefix-list PFX-BGP-RESERVED rule 10 action 'deny'
set policy prefix-list PFX-BGP-RESERVED rule 10 prefix '192.168.100.0/26'


set policy community-list COMM-AS65599-INTERNAL-DEL1 rule 10 action 'permit'
set policy community-list COMM-AS65599-INTERNAL-DEL1 rule 10 regex '1001:111'
set policy community-list COMM-AS65599-MATCH-BLH1 rule 10 action 'permit'
set policy community-list COMM-AS65599-MATCH-BLH1 rule 10 regex '1001:666'
set policy community-list COMM-ISP1-AS1001-MATCH-ADV1 rule 10 action 'permit'
set policy community-list COMM-ISP1-AS1001-MATCH-ADV1 rule 10 regex '1001:111'
set policy community-list COMM-ISP1-AS1001-MATCH-FLT1 rule 10 action 'permit'
set policy community-list COMM-ISP1-AS1001-MATCH-FLT1 rule 10 regex '666:666'

!


set policy route-map MAP-ISP1-AS1001-EXPORT rule 10 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 10 match ip address prefix-list 'PFX-BGP-RESERVED'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 20 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 20 match community community-list 'COMM-ISP1-AS1001-MATCH-FLT1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 continue '100'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 match community community-list 'COMM-AS65599-MATCH-BLH1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 set community add '1001:666'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 action 'permit'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 continue '130'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 match community community-list 'COMM-ISP1-AS1001-MATCH-ADV1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 130 action 'permit'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 130 match ip address prefix-list PFX-ALL


Import:

set policy route-map MAP-ISP1-AS1001-IMPORT rule 10 match ip address prefix-list 'PFX-BGP-RESERVED'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 action 'permit'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 continue '200'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 match community community-list 'COMM-AS65599-INTERNAL-DEL1'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 set community delete 'COMM-AS65599-INTERNAL-DEL1'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 200 action 'permit'

If I only configure the import policy, it works without issues; when I add the export policy, it is not able to load the full configuration:

[email protected]# run show configuration commands | match route-map
set policy route-map MAP-ISP1-AS1001-EXPORT rule 10 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 10 match ip address prefix-list 'PFX-BGP-RESERVED'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 20 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 20 match community community-list 'COMM-ISP1-AS1001-MATCH-FLT1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 continue '100'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 match community community-list 'COMM-AS65599-MATCH-BLH1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 set community add '1001:666'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 action 'permit'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 continue '130'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 match community community-list 'COMM-ISP1-AS1001-MATCH-ADV1'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 130 action 'permit'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 130 match ip address prefix-list 'PFX-ALL'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 10 action 'deny'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 10 match ip address prefix-list 'PFX-BGP-RESERVED'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 action 'permit'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 continue '200'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 match community community-list 'COMM-AS65599-INTERNAL-DEL1'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 100 set community delete 'COMM-AS65599-INTERNAL-DEL1'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 200 action 'permit'
set policy route-map MAP-ISP1-AS1001-IMPORT rule 200 set community add '65535:1001'
set vrf name VRF-CR201-ISP1 protocols bgp neighbor 172.16.61.97 address-family ipv4-unicast route-map import 'MAP-ISP1-AS1001-IMPORT'
[edit]
[email protected]# sudo vtysh -c "show run"
frr version 8.4
frr defaults traditional
hostname vyos-main-rt
bgp community-list expanded COMM-AS65599-INTERNAL-DEL1 seq 10 permit 1001:111
bgp community-list expanded COMM-AS65599-MATCH-BLH1 seq 10 permit 1001:666
bgp community-list expanded COMM-ISP1-AS1001-MATCH-ADV1 seq 10 permit 1001:111
bgp community-list expanded COMM-ISP1-AS1001-MATCH-ADV2 seq 10 permit ^64[6-8][0-9][0-9]:123$
bgp community-list expanded COMM-ISP1-AS1001-MATCH-ADV3 seq 10 permit ^64[6-8][0-9][0-9]:123$
bgp community-list expanded COMM-ISP1-AS1001-MATCH-CUST-ACCEPT seq 10 permit 65599:1001
bgp community-list expanded COMM-ISP1-AS1001-MATCH-CUST-ACCEPT1 seq 10 permit 65599:1001
bgp community-list expanded COMM-ISP1-AS1001-MATCH-FLT1 seq 10 permit 666:666
!
rpki
exit
!
end

[email protected]# run show version
Version: VyOS 1.4-rolling-202211090847

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202211090847
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 continue '100'

A possible reason is that an action deny combined with a continue statement doesn't make sense and can't pass FRR validation.
FRR:

route-map FOO permit 10
route-map FOO permit 100
route-map FOO deny 50
 on-match goto 100


r14(config)# route-map FOO permit 10
r14(config-route-map)# route-map FOO permit 100
r14(config-route-map)# route-map FOO deny 50
r14(config-route-map)#  on-match goto 100
% Configuration failed.

Error type: validation
r14(config-route-map)#

So the route-map cannot be loaded at all, as it is an invalid configuration.

It seems to be wrong logic to state "on-match" with deny, as it expects permit:

route-map FOO permit 10
route-map FOO permit 100
route-map FOO permit 50
 on-match goto 100


r14(config)# 
r14(config)# route-map FOO permit 10
r14(config-route-map)# route-map FOO permit 100
r14(config-route-map)# route-map FOO permit 50
r14(config-route-map)#  on-match goto 100
r14(config-route-map)# 
r14(config-route-map)#

Thanks @Viacheslav

As we discussed, this behavior is the same on VyOS 1.3.x / FRR 7.5.x. The main difference is that vyos-cli doesn't add this command.

[email protected]#   commit
[ policy route-map MAP-ISP1-AS1001-EXPORT rule 50 continue 100 ]
% Configuration failed.

Error type: validation

[[policy route-map MAP-ISP1-AS1001-EXPORT]] failed

On FRR:

vyos(config)# route-map FOO permit 100
vyos(config-route-map)# exit
vyos(config)# route-map FOO deny 50
vyos(config-route-map)# on-match goto 100
% Configuration failed.

Error type: validation
vyos(config-route-map)# e

## version 

vyos# show version
FRRouting 7.5.1-20220709-00-g886a63a59 (vyos).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
    '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-sil'
vyos# show run
Building configuration...

Regarding the FRR documentation, there isn't an explicit part where they say that it's not possible; however, I found something that talks about exit policy:

http://docs.frrouting.org/en/stable-8.4/routemap.html#term-Exit-Policy

    An entry may, optionally, specify an alternative Exit Policy to take if the entry matched, rather than the normal policy of exiting the route-map and permitting the route. The two possibilities are:

        next: Continue on with processing of the route-map entries.

        goto N: Jump ahead to the first route-map entry whose order in the route-map is >= N. Jumping to a previous entry is not permitted.

The default action of a route-map, if no entries match, is to deny. I.e. a route-map essentially has as its last entry an empty deny entry, which matches all routes. To change this behaviour, one must specify an empty permit entry as the last entry in the route-map.

It seems the logic on 'set rules' over RM is denied by default. So it doesn't allow jumping (on-match goto) or shouldn't allow making it. As far as I understand, we should check/not permit these rules to avoid issues when the route-map loads on FRR.

Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
[email protected]# set policy route-map FOO rule 100 action permit
[edit]
[email protected]# set policy route-map FOO rule 50 action 'deny'
[edit]
[email protected]# set policy route-map FOO rule 50 continue '100'
[edit]
[email protected]# 
[edit]
[email protected]# commit
[ policy ]
rule 50 "continue" cannot be used with action deny!

[[policy]] failed
Commit failed
[edit]
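
The check discussed in this task can also be run offline against exported `set` commands before a commit, so a BGP filter is not silently missing from FRR. This is an added example, not VyOS or FRR code: the function names are hypothetical, the sample input is constructed from the rules in the report, and treating a `continue` target equal to the rule's own number as invalid is an assumption based on the quoted "jumping to a previous entry is not permitted".

```python
import shlex
from collections import defaultdict

# Constructed sample: the continue-related rules from the export policy above.
SAMPLE = """\
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 action 'deny'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 continue '100'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 50 set community add '1001:666'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 action 'permit'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 100 continue '130'
set policy route-map MAP-ISP1-AS1001-EXPORT rule 130 action 'permit'
"""

def parse_route_maps(text):
    """Return {map_name: {rule_no: {"action": str, "continue": int}}}."""
    maps = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        tok = shlex.split(line)
        # Expected shape: set policy route-map <name> rule <n> <key> <value> ...
        if tok[:3] != ["set", "policy", "route-map"] or len(tok) < 8:
            continue
        if tok[4] != "rule" or not tok[5].isdigit():
            continue
        name, rule, key, value = tok[3], int(tok[5]), tok[6], tok[7]
        if key == "action":
            maps[name][rule]["action"] = value
        elif key == "continue" and value.isdigit():
            maps[name][rule]["continue"] = int(value)
    return maps

def lint_route_maps(text):
    """Flag rules that FRR would reject with 'Error type: validation'."""
    findings = []
    for name, rules in parse_route_maps(text).items():
        for num in sorted(rules):
            rule = rules[num]
            if "continue" not in rule:
                continue
            if rule.get("action") == "deny":
                findings.append((name, num, "continue cannot be used with action deny"))
            if rule["continue"] <= num:  # assumption: self-reference is not a forward jump
                findings.append((name, num, "continue target must be a later rule"))
    return findings

if __name__ == "__main__":
    for name, num, msg in lint_route_maps(SAMPLE):
        print(f"{name} rule {num}: {msg}")
```
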