limit community list count #17836
limit community list count #17836
Conversation
There was a problem hiding this comment.
Are you planning to implement the same for other types of communities (large, extended)?
Also... IMO we should somehow treat well-known communities to be an exception for this limit, what do you think? Imagine I have a limit 5, but my route has 6 communities and one of them is no-export or no-advertise.
doc/user/bgp.rst
Outdated
| @@ -2693,6 +2693,11 @@ The following commands can be used in route maps: | |||
| happen only when BGP updates have completely same communities value | |||
| specified in the community list. | |||
|
|
|||
| .. clicmd:: match community-limit (1-1024) | |||
There was a problem hiding this comment.
Any reason why this is limited to 1k? And why we can't use 0?
There was a problem hiding this comment.
what I can do is begin at 0 and consider this limit by comparing with <= instead of <.
| router = tgen.gears["r3"] | ||
| router.vtysh_cmd( | ||
| """ | ||
| configure terminal\n |
There was a problem hiding this comment.
Please remove \n chars, newlines are handled out of the box.
| router = tgen.gears["r3"] | ||
| router.vtysh_cmd( | ||
| """ | ||
| configure terminal\n |
yang/frr-bgp-route-map.yang
Outdated
| case community-limit { | ||
| when "derived-from-or-self(../frr-route-map:condition, 'frr-bgp-route-map:match-community-limit')"; | ||
| description | ||
| "Match eVPN route-distinguisher"; |
bgpd/bgp_routemap.c
Outdated
| } | ||
|
|
||
| if (argc < idx_limit) { | ||
| vty_out(vty, "%% BGP limit count not given.\n"); |
There was a problem hiding this comment.
Somehow the description is not as I would expect... What BGP limit?
bgpd/bgp_routemap.c
Outdated
| DEFPY_YANG( | ||
| match_community_limit, match_community_limit_cmd, | ||
| "[no$no] match community-limit [(1-1024)$limit]", | ||
| NO_STR MATCH_STR "Match BGP community limit\n" |
There was a problem hiding this comment.
Please use the format as any other (every new token with a new line). E.g.:
NO_STR
MATCH_STR
...
bgpd/bgp_routemap.c
Outdated
| struct bgp_path_info *path = NULL; | ||
| struct community *picomm = NULL; | ||
| uint16_t count = 0; | ||
| uint16_t *limit_rule = (uint16_t *)rule; |
There was a problem hiding this comment.
nit: Casting not needed here.
uint16_t *limit_rule = rule;
pguibert6WIND
force-pushed
the
limit_comm_list_count
branch
from
f52fa87 to
e2b0e12
Compare
I plan to implement extended comm limit and as path limit.
I would need to know more about those specific communities. Where in frr code, do we add this community dynamically. At first glance, I don't see any exceptions. I see the limit option as an administrative control in a domain where no device should use more than the defined limitation count. As counter example, which community should I keep if my limit is 1 and I have both no-export an no-advertise ? |
Keep both? |
bgpd/bgp_routemap.c
Outdated
| picomm = bgp_attr_get_community(path->attr); | ||
| if (picomm) | ||
| count = picomm->size; | ||
| if (!count) |
There was a problem hiding this comment.
If the limit is 0, it means "no limit"? Or it should be reverse?
There was a problem hiding this comment.
having 0 communities in the BGP update, it will always match. I simplified code and added comments.
There was a problem hiding this comment.
What if I want to deny any routes with any community attached?
bgpd/bgp_routemap.c
Outdated
| @@ -1303,6 +1303,58 @@ static const struct route_map_rule_cmd route_match_evpn_rd_cmd = { | |||
| route_match_rd_free | |||
| }; | |||
|
|
|||
| /* `match community-limit' */ | |||
|
|
|||
| /* Match function should return 1 if match is success else return zero. */ | |||
| } | ||
|
|
||
| /* Route map commands for community limit matching. */ | ||
| static const struct route_map_rule_cmd route_match_community_limit_cmd = { |
There was a problem hiding this comment.
Could you keep formatting for route_map_rule_cmd as others? (ignoring frrbot)
bgpd/bgp_routemap.c
Outdated
| @@ -5708,6 +5760,36 @@ DEFPY_YANG( | |||
| return nb_cli_apply_changes(vty, NULL); | |||
| } | |||
|
|
|||
| DEFPY_YANG( | |||
| match_community_limit, match_community_limit_cmd, | |||
| "[no$no] match community-limit [(0-65535)$limit]", | |||
There was a problem hiding this comment.
We should do instead this way, and then checking for idx_limit is not needed.
"[no$no] match community-limit ![(0-65535)$limit]",
| @@ -2693,6 +2693,11 @@ The following commands can be used in route maps: | |||
| happen only when BGP updates have completely same communities value | |||
| specified in the community list. | |||
|
|
|||
| .. clicmd:: match community-limit (0-65535) | |||
|
|
|||
| This command matches BGP updates that use community list, and with a community | |||
There was a problem hiding this comment.
We should also document what 0 means explicitly. Because what is now, it means unlimited, but me as an operator understand it as "do not accept the route if it has any community attached".
There was a problem hiding this comment.
whatever the meaning, I will document it. thanks for advice.
lib/routemap.c
Outdated
| @@ -1568,7 +1568,6 @@ enum rmap_compile_rets route_map_add_match(struct route_map_index *index, | |||
| rule->rule_str = XSTRDUP(MTYPE_ROUTE_MAP_RULE_STR, match_arg); | |||
| else | |||
| rule->rule_str = NULL; | |||
|
|
|||
| @@ -11,6 +11,7 @@ router bgp 65003 | |||
| neighbor 192.168.1.2 soft-reconfiguration inbound | |||
| exit-address-family | |||
| ! | |||
| bgp route-map delay-timer 5 | |||
why those communities are so special ? is there a RFC that describes this? |
pguibert6WIND
force-pushed
the
limit_comm_list_count
branch
from
e2b0e12 to
b81d971
Compare
Add a mechanism in route-map to filter out route-map which have a list of communities greater than the given number. Signed-off-by: Philippe Guibert <[email protected]>
Add a test to control the community-list count. Signed-off-by: Philippe Guibert <[email protected]>
pguibert6WIND
force-pushed
the
limit_comm_list_count
branch
from
b81d971 to
bd4b8c3
Compare
There was a problem hiding this comment.
I wonder if this should not apply to well-known communities? I suspect the result would be surprising to operators if we "randomly" choose which of the well-known communities to keep and which to discard, as these do have some pretty strong policy implications?
An optional keyword could be added to relax the default behavior, for all well known attributes. |
|
for information, some do this: |
|
Yes, I'm pretty happy with this now. We discussed this during the meeting yesterday. End result of blanket dropping the route when hitting the community limit is reasonable. Just waiting on Donatas's comments |
Add the ability to configure a limit on the number of received community entries.