From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Chinmaya Aggarwal 
via lists.fd.io <chinmaya.agarwal=hsc....@lists.fd.io>
Date: Monday, 4 April 2022 at 09:08
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] Prevent blackhole routes being leaked into VPP
Hi,

We have integrated the linux-cp and linux-nl plugins in VPP. We create table 1203 on 
VPP and on linux (in namespace dataplane). We added a blackhole route on linux 
using the below command:-
sudo ip netns exec dataplane ip -6 route add blackhole 2001:50:10:a111::101/64 table 1203

When I view this route on VPP it shows something like this:-
vpp# show ip6 fib table 1203
2001:50:10:a111::/64
  unicast-ip6-chain
  [@0]: dpo-load-balance: [proto:ip6 index:88 buckets:1 uRPF:76 to:[164:17056]]
    [0] [@0]: dpo-drop ip6

If you ‘show ip6 fib table 1203 2001:50:10:a111::/64’ you’ll see more detailed 
output. It will show that the entry now has two ‘sources’, the API and the CLI. 
FIB has a simple priority mechanism for choosing which source ‘wins’ and thus 
contributes the forwarding (i.e. the DPOs you see displayed here). The API source 
has higher priority than the CLI source. This was done on purpose to get 
exactly the behaviour you see, that is the *debug* CLI cannot disrupt the 
routes provided by the control plane. If you want to change this behaviour, 
you’ll need to recompile VPP with the source priorities changed.


After this, if I try to add or overwrite this route with another route, VPP 
is not able to overwrite it. I executed the below command:-
vppctl ip route add 2001:50:10:a111::101/64 table 1203 via ipip19

where ipip19 is an ipip tunnel created by us.

When I try to view the updated route on VPP it is still showing blackhole 
route:-
vpp# show ip6 fib table 1203
2001:50:10:a111::/64
  unicast-ip6-chain
  [@0]: dpo-load-balance: [proto:ip6 index:88 buckets:1 uRPF:76 to:[164:17056]]
    [0] [@0]: dpo-drop ip6

Why is VPP not able to overwrite the blackhole route with the new route?
Also, is there a way by which we can prevent blackhole routes (added in linux) 
getting leaked into VPP?

I would suggest that VPP (i.e. the data plane) should always have an exact copy 
of the routes from the control plane. So the question to ask is how to prevent 
black hole routes being installed in linux, for which I do not have an answer 
(assuming your example above is contrived and you get blackhole routes from a 
routing protocol).

/neale


Thanks and Regards,
Chinmaya Agarwal.
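
Added example, not part of the original thread and not VPP code: a simplified model of the per-prefix source priority described in the reply, replaying the sequence from the thread. The class, function names and numeric priority values are hypothetical; the only ordering assumed is the one stated above (API outranks CLI), and the final step (withdrawing the API route) goes beyond what the thread itself shows.

```python
# Simplified model of per-prefix source arbitration (not VPP code).
# Assumption from the thread: the API source outranks the CLI source.
PRIORITY = {"API": 0, "CLI": 1}  # lower number wins; values are illustrative


class FibEntry:
    """One prefix holding at most one path per source."""

    def __init__(self, prefix):
        self.prefix = prefix
        self.paths = {}  # source name -> forwarding description

    def add(self, source, path):
        if source not in PRIORITY:
            raise ValueError(f"unknown source {source!r}")
        self.paths[source] = path

    def remove(self, source):
        self.paths.pop(source, None)

    def best_source(self):
        if not self.paths:
            return None
        return min(self.paths, key=PRIORITY.__getitem__)

    def forwarding(self):
        """Path installed in the data plane: the one from the best source."""
        best = self.best_source()
        return self.paths[best] if best else None


def replay_thread():
    """Replay the sequence from the thread; record forwarding after each step."""
    entry = FibEntry("2001:50:10:a111::/64")
    steps = []
    entry.add("API", "dpo-drop ip6")   # blackhole mirrored from Linux
    steps.append(entry.forwarding())
    entry.add("CLI", "via ipip19")     # vppctl ip route add ... via ipip19
    steps.append(entry.forwarding())   # unchanged: API still wins
    entry.remove("API")                # control plane withdraws the blackhole
    steps.append(entry.forwarding())   # CLI path now contributes
    return steps, sorted(entry.paths)


if __name__ == "__main__":
    for state in replay_thread()[0]:
        print(state)
```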