wireguard + multihop BGP = route rejected, but route created

Sun, 10 Dec 2023 05:31:23 -0800 

Hello!

I'm creating a BGP lab for my students and found interesting and unexpected
behavior.

I'm getting reject message when receiving route:
2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 > added [best] 10.200.0.0/16 0L
4G unicast
2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 < rejected by protocol
10.200.0.0/16 0L 4G unicast

But then the route appears in ip route:
10.200.0.0/16 dev 201 proto bird scope link metric 32

I've dug into the source code and found that the reject is happening here:
proto/bgp/attrs.c:1641 if (src == p) return -1 into bgp_preexport function.

The question is: what is happening and does it look valid/expected?

Wireguard configuration is the same on all peers:

[Interface]
Address=10.10.10.201/32
PrivateKey=******
Table=off

[Peer]
Endpoint=*******
PublicKey=*****
PersistentKeepalive=25
AllowedIPs=0.0.0.0/0

My configuration for BIRD peers:
==== local bird.conf ====
log stderr all;
router id 10.10.10.201;

protocol device {
scan time 10;
}

protocol kernel {
ipv4 {
     import all;
     export all;
};
learn;
}

protocol static {
ipv4;
route 10.201.0.0/16 via "wlp41s0"; # wifi device
route 10.10.10.0/24 via "201"; # wireguard device
}

protocol bgp isp1 {
router id 10.10.10.201;
local 10.10.10.201 as 65201;
neighbor 10.10.10.200 as 65200;
source address 10.10.10.201;
multihop;
ipv4 {
import filter {
if net ~ 10.0.0.0/8 then accept;
else reject;
};
export filter {
if net ~ 10.201.0.0/16 then accept;
else reject;
};

};
debug all;
}
==== /client bird.conf ====

==== remote bird.conf ====
log stderr all;

protocol kernel {
learn; # Learn all alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 20; # Scan kernel routing table every 20 seconds
import all; # Default is import all
export all; # Default is export none
# kernel table 5; # Kernel table to synchronize with (default: main)
}

protocol device {
scan time 10;
}

protocol static {
export all;
route 10.10.10.0/24 via "200"; # wireguard device
route 10.200.0.0/16 via 10.200.200.200; # virtual network
}

template bgp cpr_ne {
local as 65200;
router id 10.10.10.200;
multihop;
source address 10.10.10.200;
import filter {
if net ~ 10.201.0.0/16 then accept;
else if net ~ 10.202.0.0/16 then accept;
else if net ~ 10.203.0.0/16 then accept;
else if net ~ 10.204.0.0/16 then accept;
else if net ~ 10.205.0.0/16 then accept;
else if net ~ 10.206.0.0/16 then accept;
else if net ~ 10.207.0.0/16 then accept;
else if net ~ 10.208.0.0/16 then accept;
else reject;
};
export filter {
if net ~ 10.200.0.0/16 then accept;
else reject;
};
}

protocol bgp cpr201 from cpr_ne {
neighbor 10.10.10.201 as 65201;
}
protocol bgp cpr202 from cpr_ne {
neighbor 10.10.10.202 as 65202;
}
protocol bgp cpr203 from cpr_ne {
neighbor 10.10.10.203 as 65203;
}
protocol bgp cpr204 from cpr_ne {
neighbor 10.10.10.204 as 65204;
}
protocol bgp cpr205 from cpr_ne {
neighbor 10.10.10.205 as 65205;
}
protocol bgp cpr206 from cpr_ne {
neighbor 10.10.10.206 as 65206;
}
protocol bgp cpr207 from cpr_ne {
neighbor 10.10.10.207 as 65207;
}
protocol bgp cpr208 from cpr_ne {
neighbor 10.10.10.208 as 65208;
}
==== remote bird.conf ====

Reply via email to