
BGP config script removes neighbor policies before deactivating the neighbor, which may cause routing table leaks
Closed, Resolved | Public | BUG

Description

As reported in https://forum.vyos.io/t/reboot-causes-bgp-route-map-to-drop-before-bgp-session-tripping-peer-prefix-filters/2046

Lack of order enforcement causes the BGP script to delete route-maps, prefix-lists etc. before it deactivates the neighbor in address families.
Since the neighbor remains active, if there's enough time between deletion of the policies and deletion of the neighbor, it may leak a substantial part of its routing table before it gets deleted, and create network disruption or trip the prefix limit on the remote peer.

dmbaturin@vyos# delete protocols bgp 64793 neighbor 192.0.2.40
[edit]
dmbaturin@vyos# commit
[ protocols bgp 64793 ]
$VAR1 = '/usr/bin/vtysh';
$VAR2 = '-c';
$VAR3 = 'configure terminal';
$VAR4 = '-c';
$VAR5 = 'router bgp 64793';
$VAR6 = '-c';
$VAR7 = 'address-family ipv4 unicast';
$VAR8 = '-c';
$VAR9 = 'no neighbor 192.0.2.40 route-map Test out';

$VAR1 = '/usr/bin/vtysh';
$VAR2 = '-c';
$VAR3 = 'configure terminal';
$VAR4 = '-c';
$VAR5 = 'router bgp 64793';
$VAR6 = '-c';
$VAR7 = 'address-family ipv4 unicast';
$VAR8 = '-c';
$VAR9 = 'no neighbor 192.0.2.40 activate';

$VAR1 = '/usr/bin/vtysh';
$VAR2 = '-c';
$VAR3 = 'configure terminal';
$VAR4 = '-c';
$VAR5 = 'router bgp 64793';
$VAR6 = '-c';
$VAR7 = 'no neighbor 192.0.2.40 remote-as 64444';

$VAR1 = '/usr/bin/vtysh';
$VAR2 = '-c';
$VAR3 = 'configure terminal';
$VAR4 = '-c';
$VAR5 = 'router bgp 64793';
$VAR6 = '-c';
$VAR7 = 'no neighbor 192.0.2.40';

$VAR1 = '/usr/bin/vtysh';
$VAR2 = '-c';
$VAR3 = 'configure terminal';
$VAR4 = '-c';
$VAR5 = 'router bgp 64793';
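
A checker for the ordering problem described above, as an added example that is not part of the original report or of the VyOS code base. It walks the `-c` arguments of each vtysh call and flags any neighbor policy removed while the neighbor is still active in that address family; the function name, the sample lists and the reordered counter-example are assumptions made for illustration.

```python
import re

# Neighbor policy statements of the kind named on the page ("route-maps, prefix-lists etc.").
POLICY = re.compile(
    r"no neighbor (\S+) (?:route-map|prefix-list|filter-list|distribute-list) \S+ (?:in|out)$")
DEACTIVATE = re.compile(r"no neighbor (\S+) activate$")
REMOVE = re.compile(r"no neighbor (\S+)(?: remote-as \S+)?$")

def find_policy_gaps(batches):
    """Return (batch index, neighbor, address family, command) for every policy
    removed while the neighbor is still active in that address family."""
    inactive = set()  # (neighbor, af); af None means the neighbor is gone entirely
    gaps = []
    for index, batch in enumerate(batches):
        af = None  # each vtysh invocation starts outside any address family
        for cmd in batch:
            if cmd.startswith("address-family "):
                af = cmd[len("address-family "):]
            elif m := DEACTIVATE.match(cmd):
                inactive.add((m.group(1), af))
            elif m := REMOVE.match(cmd):
                inactive.add((m.group(1), None))
            elif m := POLICY.match(cmd):
                peer = m.group(1)
                if not {(peer, af), (peer, None)} & inactive:
                    gaps.append((index, peer, af, cmd))
    return gaps

# Constructed from the commit trace above: the "-c" arguments of each vtysh call.
BGP = ["configure terminal", "router bgp 64793"]
AF = BGP + ["address-family ipv4 unicast"]
TRACE = [
    AF + ["no neighbor 192.0.2.40 route-map Test out"],
    AF + ["no neighbor 192.0.2.40 activate"],
    BGP + ["no neighbor 192.0.2.40 remote-as 64444"],
    BGP + ["no neighbor 192.0.2.40"],
    BGP,
]
# Constructed counter-example for the checker: same commands, deactivation first.
DEACTIVATE_FIRST = [TRACE[1], TRACE[0]] + TRACE[2:]

if __name__ == "__main__":
    for index, peer, af, cmd in find_policy_gaps(TRACE):
        print(f"batch {index}: '{cmd}' runs while {peer} is still active in {af}")
    print("gaps with deactivation first:", find_policy_gaps(DEACTIVATE_FIRST))
```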

Details

Difficulty level: Easy (less than an hour)
Version: 1.2.0-rc3
Why the issue appeared?: Implementation mistake