Unable to filter EVPN type 5 routes with ip prefix-list

[fdomain]

---

Describe the bug

In a L2VPN EVPN setup, when trying to filter EVPN type-5 routes with an ip/ipv6 prefix-list, it drops everything.

[X] Did you check if this is a duplicate issue?
[ ] Did you test it on the latest FRRouting/frr master branch?

To Reproduce

Consider the following EVPN type 5 route received on the FRR instance

*> [5]:[0]:[128]:[2001:db8::cafe/128]
                    10.0.0.1
                                             0             0 64528 i
                    RT:64528:3 ET:8 Rmac:8a:2e:fb:2e:fb:87

Here is a basic configuration:

route-map RM-TEST-IN permit 10
  match evpn route-type prefix
exit
!
router bgp 65001
  address-family l2vpn evpn
    neighbor 10.0.0.1 route-map RM-TEST-IN in
!

Route is received and accepted:

r1# show bgp l2vpn evpn neighbors 10.0.0.1 routes 
BGP table version is 9, local router ID is 10.0.0.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.0.0.1:3
*> [5]:[0]:[128]:[2001:db8::cafe]
                    10.0.0.1
                                             0             0 64528 i
                    RT:64528:3 ET:8 Rmac:8a:2e:fb:2e:fb:87

We apply a "match prefix list" in addition:

conf t
ipv6 prefix-list TEST seq 5 permit 2001:db8::cafe/128
!
route-map RM-TEST-IN permit 10
  match ipv6 address prefix-list TEST
!
end

The route isn't accepted anymore:

r1# show bgp l2vpn evpn neighbors 10.0.0.1 routes
No prefixes displayed, 155 exist

Expected behavior

Route is received as long as it matches the prefix-list defined.

r1# show bgp l2vpn evpn neighbors 10.0.0.1 routes 
BGP table version is 9, local router ID is 10.0.0.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
EVPN type-1 prefix: [1]:[EthTag]:[ESI]:[IPlen]:[VTEP-IP]
EVPN type-2 prefix: [2]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
EVPN type-3 prefix: [3]:[EthTag]:[IPlen]:[OrigIP]
EVPN type-4 prefix: [4]:[ESI]:[IPlen]:[OrigIP]
EVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.0.0.1:3
*> [5]:[0]:[128]:[2001:db8::cafe]
                    10.0.0.1
                                             0             0 64528 i
                    RT:64528:3 ET:8 Rmac:8a:2e:fb:2e:fb:87

Screenshots

Versions

• OS Version: CentOS8

• Kernel: Linux 5.16

• FRR Version: 8.1

Additional context

• This is very similar to match ip address route-map command fails to match EVPN MACIP routes #8784

• It doesnt work either for outbound or inbound filtering

• Apparently it should be patched with the following PR bgpd: EVPN D-VNI L3 RT Config Enhancements #8647 but it hasn't been merged yet.

[fdomain]

Hello, do you have any update on this ?

[fdomain]

Hello @ton31337, do you have any information about that ? #8647 is still pending for a review

[fdomain]

Hello @ton31337 and @sworleys, sorry to ask you again, but is there any chance to have #8647 merged soon?
It would be very useful for us to be able to filter on prefixes with EVPN type 5 routes.

[ton31337]

Need to fix merge conflicts first and we might ship it.

[sworleys]

@ton31337 fixed conflicts

[fdomain]

Hello @ton31337 and @sworleys , #8647 has been approved but still not merged, is there anything preventing the change to be merged?

[ton31337]

@fdomain merged, can you test?

[fdomain]

great thanks, I'll test it soon and get back to you.

[fdomain]

@ton31337, I've just built and tested master branch on CentOS8, and I confirm the prefix list filtering works for EVPN now, but I noticed a regression for other evpn filters:

• using match evpn route-type prefix doesn't work anymore, all routes seems to be dropped (including routes of type prefix)
• using match evpn vni <vni id> doesn't filter anything, it still accepts every prefixes for any vni
  These 2 commands were working on FRR v8.3.1.

Don't know if it's directly linked to the PR, I tried to build v8.3.1 with the patch from #8647 but with no success (diff is too large, files have been changed in the meantime).

[sworleys]

Don't know if it's directly linked to the PR, I tried to build v8.3.1 with the patch from #8647 but with no success (diff is too large, files have been changed in the meantime).

Did you confirm it worked on master before the changes in the PR?

[fdomain]

I've just tried with master with commit 2944807 (the one preceding your changes if I'm not mistaking), and these commands are still working, but not the prefix list filtering obviously.

[sworleys]

I've just tried with master with commit 2944807 (the one preceding your changes if I'm not mistaking), and these commands are still working, but not the prefix list filtering obviously.

Thanks, will look into it then.

[fdomain]

Hello @sworleys , I tested FRR v8.4.1 and the match ip address command still doesn't work for EVPN type 5 routes.
Did you have time to look into this ?

However the regression I mentioned in a previous post disappeared : I confirm match evpn route-type prefix and match evpn vni <vni id> work correctly in this version.

Thanks for your help

[fdomain]

Hello @ton31337 , would you have time to look into this issue ?

[github-actions]

This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.

[frrbot]

This issue will be automatically closed in the specified period unless there is further activity.

[fdomain]

Hello @sworleys and @ton31337, I'm just leaving another comment to avoid this issue to be closed.
Would you have time to look into it ? Let me know if I can be of any help.

[frrbot]

This issue will no longer be automatically closed.

[fdomain]

Hi @aderumier, it seems that you're using match evpn route-type matcher. This ticket was initially opened for the match ip address prefix-list matcher that doesn't work with EVPN prefixes, so it might be not the right place to report it.

However, I'd be interested to know if you've managed to get the match ip address prefix-list to work with EVPN on your setup ?

[aderumier]

@fdomain I remember that prefix-list was not working too, I can do test next week if you want.
I'll delete my comment as it's a different case, and wirte it to other issue.

[aderumier]

@fdomain
ok, prefix-list filtering are now working for me since
272c6d5

But this commit is breaking for me, "match evpn ..."
#14419

[fdomain]

Thanks @aderumier for the confirmation, I've just realized I made the same observations a year ago (see: #10559 (comment)). Anyway I'll watch the other issue as I'm interested in it as well :)

[fdomain]

Closing this issue since prefix list filtering is now fixed, and evpn matchers on IP prefixes are also fixed with #15377