On Fri, Jan 20, 2023 at 12:21:14PM +0100, Claudio Jeker wrote:
> This diff adds the reload logic and rewrites larger parts of what was
> already there to have ASPA validation in the RDE.
>
> The main reason this diff is so large is that the ASPA state cache on
> struct rde_aspath needs to be afi/aid and role independent. So I changed
> the aspa functions to be role and aid independent which results in a lot
> of churn.
>
> The code now uses rde_aspa_validity() with the cache in rde_aspath to
> figure out if a prefix is ASPA valid, invalid or unknown.
> rde_aspa_validity() is cheap since it just checks various bits to decide.
> The cache is updated by checking a generation counter that is increased
> during reload. This is done since the tables are walked by prefix and not
> by ASPATH.
>
> There is still no filter syntax available to deny aspa invalid routes but
> that will follow soon.
>
> The diff includes bgpd, bgpctl and regress test changes. There is a lot of
> churn in regress test because of bgpctl output changes.

I missed a small bit in the diff. In rde_filter_match() the state->vstate
needs to be masked with the ROA_MASK else the ovs validity will not match.
I added this to the big diff but just included the delta here.

-- 
:wq Claudio

Index: rde_filter.c =================================================================== RCS file: /cvs/src/usr.sbin/bgpd/rde_filter.c,v retrieving revision 1.131 diff -u -p -r1.131 rde_filter.c --- rde_filter.c 12 Jan 2023 17:35:51 -0000 1.131 +++ rde_filter.c 20 Jan 2023 11:37:27 -0000 @@ -223,7 +223,7 @@ rde_filter_match(struct filter_rule *f, return (0); if (f->match.ovs.is_set) { - if (state->vstate != f->match.ovs.validity) + if ((state->vstate & ROA_MASK) != f->match.ovs.validity) return (0); }
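
Review bot: In the changed comparison inside the f->match.ovs.is_set block of rde_filter_match(), the reason for "& ROA_MASK" is not visible at the call site, and nothing in this delta stops another direct state->vstate comparison elsewhere from missing the mask. A one-line comment saying that vstate now carries bits beyond the ROA validity, or a small accessor that returns the masked value, would make this harder to get wrong later. It is also worth confirming that f->match.ovs.validity can never hold a bit outside ROA_MASK, because in that case the rule would silently never match.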