gobgp icon indicating copy to clipboard operation
gobgp copied to clipboard

Published 20 hours ago verified publisher icon osrg

Feature Request: a way to see if a route is not exported / imported due to policys

Open imcom opened this issue 6 years ago • 9 comments

eg a R1 sends 10.0.0.0/24 and i have a policy that filteres bogons from that router.

like Quagga or FRR. This feature is quite useful in traffic engineering and troubleshooting , routers like Cisco or Juniper also support similar feature to show hidden routes (filtered) and locally accepted routes etc.

Perhaps a variable on each path that tells me the reason for it being filtered like a reference to what policy blocked it

Please refer to Juniper's Understanding hidden routes for the hidden routes and its purposes and reasons

Thanks in advance

imcom avatar Jan 16 '19 07:01 imcom

Just for reference, should be possible to make with a few easy changes:

in Path: add a reason of policy rejection (completely internal) and pass that to api in policy.ApplyPolicy: save the last run policy before a reject was given -> put it into the original path cli: print the new policy reject field - and possibly add a filter

That should make it possible to see why a certain path was rejected (for the adj-in table)

For the adj-out table you can get the filtered paths from getBestFromLocal (server.go:getAdjRib) -> that's why adj-out takes a long time, each time it's called all paths are reevaluated

thoro avatar Feb 18 '19 16:02 thoro

Implemented my proposal in the attached PR, except for the filtered paths, at least you see when a path was Accepted ;)

New field "Policy" in the cli output for RIB shows in the format:

A/import/match_incomplete

[A]ccepted|[R]ejected/Policy Name/Statement Name

thoro avatar Feb 19 '19 08:02 thoro

I've been hacking a little on this also.

From what i've concluded until now is;

Either we implement a separat table for rejected incomming routes.

Or we store the rejected incoming routes in the general table that is already setup. But if we do this we need to adapt all the APIs and usage where we apply a policy to the path. Since now if a path is rejected by a policy we return a "nil" instead of a path.

I dont know where we really should put this. My initial simple implementation did a separate table for invalid routes but i think its very hacky.

And i think we should save the routes in the table even if they are invalid and do the filtering based information attached to the path by the policys.

  1. Path is recieved
  2. import policies are applied, if they should be rejected, they are marked with a referense to what policy rejected.
  3. if the policy is not rejected update the tables on all neighbours.
  4. export policys are applied, if they should be rejected they are marked with a reference to what policy rejected the path. GOTO END
  5. if policy is not rejected continue with sending the BGP updates
  6. END

emil-palm avatar Feb 19 '19 12:02 emil-palm

Actually, the incoming routes are saved in the adj-rib, and are just passed to the global rib as a withdraw.

That's because you can change the Policy at runtime and reevaluate the adj-rib

thoro avatar Feb 19 '19 12:02 thoro

Yeah i saw that the adj-in does have all the routes I’ve began writing a PR to get the information saved on the path if it’s rejected or not and which policy that if so rejected it.

emil-palm avatar Feb 25 '19 11:02 emil-palm

I wrote this today;

https://github.com/Netnod/gobgp/commit/3eaf07cadc4f0033c2b3a777ef24752295f83131

Also added a "detail" flag to adj-in for example;

# ./gobgp nei 10.0.2.20 adj-in 77.80.128.0/17 detail
Target Prefix: 77.80.128.0/17, AS: 65002
  This route is Accepted
# ./gobgp nei 10.0.2.20 adj-in 77.80.0.0/12 detail
Target Prefix: 77.80.0.0/12, AS: 65002
  This route is Filtered

  Policy: as65002-ipv4-import
  Statement: Reject IPV4 PREFIXES not belonging to AS65002
`

emil-palm avatar Feb 26 '19 14:02 emil-palm

@mrevilme thanks a lot from the quick look, some comments from me

  • needs to add option listpathrequest. This feature needs to be enable only when specified.
  • prefers to avoid adding policy to path. policy is kinda large. fatten path hurts the performance of listpath api. If you have multiple full routes, then it matters.
  • really want to avoid cloning path. that's another performance killer.

fujita avatar Feb 27 '19 11:02 fujita

The size of api.Policy structure is 40 bytes at least. This hurts the performance of an often-use feature, getting the paths in the rib. I really want to avoid fattening api.Path. How about simply returning filter paths by ListPath API()? if the details is necessary, a client can get the policies and evaluates the paths.

fujita avatar Mar 02 '19 22:03 fujita

https://github.com/osrg/gobgp/pull/2063

ListPath API will support the feature to show routes filtered by import/export policies.

Anyone is interested in making the CLI (gobgp) to support this feature?

fujita avatar Apr 16 '19 10:04 fujita