In this thread[1], I realized I created a new problem in the BIRD BGP 
configuration with `dest = RTD_BLACKHOLE`. Setting a destination to blackhole 
works great when the routes are being propagated (no ICMP unreachable is sent 
by the kernel) and an address being managed by Kubernetes DNAT facilities will 
be caught in the netfilter chains and sent to the proper container. That 
configuration:

> router id UP.STREAM.143.113;
> 
> protocol bgp bgp_metal_gw01 {
>       local as ASLOCAL;
>       neighbor 10.10.0.41 as ASLOCAL; 
>       passive yes;
>       ipv4 {
>               next hop self;
>               import filter {
>                       bgp_origin = ORIGIN_IGP;
>                       dest = RTD_BLACKHOLE;  # <=== DISCUSSION LINE
>                       accept;
>               };
>               export none;
>       };
> }

The problem is when a service on the same host as the container needs to 
connect to the DNAT address presented for the container. Because the local 
kernel routing table is set to blackhole for an address, the traffic is 
immediately sunk instead of being offered to netfilter. Removing that dest line 
simply sets it to a default of RTD_UNREACHABLE, which does the same thing but 
politely tells the sender that it did so.

What I thought would work is to change the line to `ifname = "eno2"`, but doing 
so generates a parse error. This seems to be a bug in the documentation as the 
`ifname` attribute is not listed as read-only.

How can I set the route to a local interface in the filter?

Thanks! Brian

[1] https://marc.info/?l=bird-users&m=155458976221242&w=2
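The kernel-side behaviour Brian describes (local traffic sunk before netfilter gets a look at it) can be reproduced without BIRD at all. The following script is an added example, not code from the post or from the BIRD project: it builds a throwaway network namespace with a dummy `eno2`, installs the service address as a blackhole route, an unreachable route and a plain interface route in turn, and for each shows what the route lookup returns to a local sender and whether a packet ever reaches a counting DNAT rule in the nat OUTPUT hook. The addresses 10.96.0.10 and 10.244.1.5, the namespace name and the single nft rule standing in for kube-proxy's chains are constructed assumptions; it needs root (CAP_NET_ADMIN), iproute2, nftables and iputils ping.

```shell
#!/bin/sh
# Added example (not from the original post, not BIRD code): reproduce in a
# throwaway network namespace why a locally originated connection to a DNAT'd
# address is sunk by a blackhole or unreachable route before netfilter ever
# sees it, while a plain interface route lets the nat OUTPUT chain rewrite it.
# Assumptions: Linux with iproute2, nftables and iputils ping, run as root
# (CAP_NET_ADMIN). The service address, backend address and the single nft
# DNAT rule standing in for kube-proxy's chains are constructed for this demo.

NS=rtd_demo
VIP=10.96.0.10        # constructed: the DNAT'd service address
BACKEND=10.244.1.5    # constructed: where the DNAT rule sends it

setup_ns() {
    ip netns add "$NS" || return 1
    ip -n "$NS" link set lo up
    ip -n "$NS" link add eno2 type dummy          # dummy is NOARP: no ARP waits
    ip -n "$NS" link set eno2 up
    ip -n "$NS" addr add 192.0.2.1/24 dev eno2
    ip -n "$NS" route add 10.244.0.0/16 dev eno2  # a route for the DNAT'd packet
    # One counting DNAT rule in the nat OUTPUT hook: the hook a local process'
    # traffic reaches only if the route lookup for the original destination succeeds.
    ip netns exec "$NS" nft -f - <<EOF
table ip nat {
    chain output {
        type nat hook output priority -100;
        ip daddr $VIP counter dnat to $BACKEND
    }
}
EOF
}

teardown_ns() { ip netns del "$NS" 2>/dev/null || true; }

# route_cmd add|del blackhole|unreachable|dev : install/remove $VIP/32 that way
route_cmd() {
    case $2 in
        dev) ip -n "$NS" route "$1" "$VIP/32" dev eno2 ;;
        *)   ip -n "$NS" route "$1" "$2" "$VIP/32" ;;
    esac
}

# classify "<first line of ip route get>": the FIB verdict a local socket's
# connect()/sendto() gets, i.e. whether the packet ever exists for netfilter.
classify() {
    case $1 in
        *"Invalid argument"*) echo "EINVAL (blackhole): sunk before netfilter" ;;
        *"No route to host"*) echo "EHOSTUNREACH (unreachable): sunk, sender told" ;;
        *" dev "*)            echo "unicast via interface: reaches nat OUTPUT" ;;
        *)                    echo "other: $1" ;;
    esac
}

# Packets counted so far by the DNAT rule.
nat_packets() {
    ip netns exec "$NS" nft list chain ip nat output |
        sed -n 's/.*counter packets \([0-9]*\) .*/\1/p'
}

# probe KIND: print the lookup verdict and how many packets reached the
# nat OUTPUT rule when a local process tried to send one echo request.
probe() {
    kind=$1
    route_cmd add "$kind"
    lookup=$(ip -n "$NS" route get "$VIP" 2>&1 | head -n 1)
    before=$(nat_packets); before=${before:-0}
    ip netns exec "$NS" ping -c 1 -W 1 -q "$VIP" >/dev/null 2>&1 || true
    after=$(nat_packets); after=${after:-0}
    route_cmd del "$kind"
    printf '%-11s %-48s nat OUTPUT hits: %s\n' \
        "$kind" "$(classify "$lookup")" "$((after - before))"
}

main() {
    setup_ns || { echo "need root (CAP_NET_ADMIN), iproute2 and nftables" >&2; return 1; }
    trap teardown_ns EXIT
    for kind in blackhole unreachable dev; do probe "$kind"; done
    teardown_ns
}

main "$@"
```

Run it as root. The point it makes is that the kernel consults the FIB before it builds any packet: a blackhole route fails that lookup with EINVAL and an unreachable route with EHOSTUNREACH, so the local process' connect() or sendto() fails and the nat OUTPUT hook, where the DNAT rule lives, is never reached (0 hits); only the interface route lets the packet exist long enough for the rule to count and rewrite it (1 hit). `ip route get` reports the same errno the socket call sees, which makes it a quick way to check what BIRD has actually installed for a given address.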
