There is also another linux-nl FIB source with a lower priority
("lcp-rt-dynamic"), which gets used based on the kernel route protocol. If
the route protocol is <= RTPROT_STATIC, lcp-rt is used. Otherwise, the
lower priority lcp-rt-dynamic is used. So if a route were added to the
kernel route table using iproute2 with 'proto bgp' (or 'proto bird', 'proto
zebra', etc.) added to the command, linux-nl would use the lower priority
FIB source to add the route to VPP's FIB.

I.e. this iproute2 command would probably have the desired effect - 'sudo
ip netns exec dataplane ip -6 route add blackhole 2001:50:10:a111::101/64
table 1203 proto bgp'.

-Matt


On Wed, Apr 6, 2022 at 3:28 AM Neale Ranns <ne...@graphiant.com> wrote:

> Hi,
>
> You need to choose an appropriate priority for:
>
>   lcp_rt_fib_src =
>     fib_source_allocate ("lcp-rt", FIB_SOURCE_PRIORITY_HI, FIB_SOURCE_BH_API);
>
> in plugins/linux-cp/lcp_router.c
>
> from vnet/fb/fib_source.h
>
> /**
>  * The fixed source to priority mappings.
>  * Declared here so those adding new sources can better determine their respective
>  * priority values.
>  */
> #define foreach_fib_source                                      \
>     /** you can't do better then the special source */         \
>     _(FIB_SOURCE_SPECIAL,       0x00, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_CLASSIFY,      0x01, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_PROXY,         0x02, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_INTERFACE,     0x03, FIB_SOURCE_BH_INTERFACE) \
>     _(FIB_SOURCE_SR,            0x10, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_BIER,          0x20, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_6RD,           0x30, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_API,           0x80, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_CLI,           0x81, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_LISP,          0x90, FIB_SOURCE_BH_LISP)      \
>     _(FIB_SOURCE_MAP,           0xa0, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_DHCP,          0xb0, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_IP6_ND_PROXY,  0xc0, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_IP6_ND,        0xc1, FIB_SOURCE_BH_API)       \
>     _(FIB_SOURCE_ADJ,           0xd0, FIB_SOURCE_BH_ADJ)       \
>     _(FIB_SOURCE_MPLS,          0xe0, FIB_SOURCE_BH_MPLS)      \
>     _(FIB_SOURCE_AE,            0xf0, FIB_SOURCE_BH_SIMPLE)    \
>     _(FIB_SOURCE_RR,            0xfb, FIB_SOURCE_BH_RR)        \
>     _(FIB_SOURCE_URPF_EXEMPT,   0xfc, FIB_SOURCE_BH_RR)        \
>     _(FIB_SOURCE_DEFAULT_ROUTE, 0xfd, FIB_SOURCE_BH_DROP)      \
>     _(FIB_SOURCE_INTERPOSE,     0xfe, FIB_SOURCE_BH_INTERPOSE) \
>     _(FIB_SOURCE_INVALID,       0xff, FIB_SOURCE_BH_DROP)
>
> /**
>  * Some priority values that plugins might use when they are not to concerned
>  * where in the list they'll go.
>  */
> #define FIB_SOURCE_PRIORITY_HI 0x10
> #define FIB_SOURCE_PRIORITY_LOW 0xd0
>
> /neale
>
> *From: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Chinmaya
> Aggarwal via lists.fd.io <chinmaya.agarwal=hsc....@lists.fd.io>
> *Date: *Tuesday, 5 April 2022 at 16:55
> *To: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> *Subject: *Re: [vpp-dev] Prevent blackhole routes being leaked into VPP
>
> Hi,
>
> We are adding blackhole routes via linux command "sudo ip netns exec
> dataplane ip -6 route add blackhole 2001:50:10:a111::101/64 table 1203"
>
> After adding blackhole routes on linux (that are leaked to vpp), if we try
> to view the route in vpp, we get the below output
>
> [root@j3chysr01stg05 ~]# vppctl show ip6 fib table 1203 2001:50:10:a111::/64
> ipv6-VRF:1203, fib_index:3, flow hash:[src dst sport dport proto flowlabel ] epoch:0 flags:none locks:[CLI:3, lcp-rt:1, ]
> 2001:50:10:a111::/64 fib:3 index:86 locks:2
>   lcp-rt refs:1 entry-flags:drop, src-flags:added,contributing,active,
>     path-list:[126] locks:2 flags:drop, uPRF-list:76 len:0 itfs:[]
>       path:[126] pl-index:126 ip6 weight=1 pref=0 deag:  cfg-flags:drop,
>          fib-index:0
>
>  forwarding:   unicast-ip6-chain
>   [@0]: dpo-load-balance: [proto:ip6 index:88 buckets:1 uRPF:76 to:[0:0]]
>     [0] [@0]: dpo-drop ip6
> [root@j3chysr01stg05 ~]#
>
> Now, if we add another route via ipip tunnel (that supposedly should
> overwrite the blackhole route) using the API, we get the below output for
> command "show ip6 fib table 1203 2001:50:10:a111::/64"
>
> [root@j3chysr01stg05 ~]# vppctl show ip6 fib table 1203 2001:50:10:a111::/64
> ipv6-VRF:1203, fib_index:3, flow hash:[src dst sport dport proto flowlabel ] epoch:0 flags:none locks:[CLI:3, lcp-rt:1, ]
> 2001:50:10:a111::/64 fib:3 index:86 locks:3
>   lcp-rt refs:1 entry-flags:drop, src-flags:added,contributing,active,
>     path-list:[126] locks:2 flags:drop, uPRF-list:76 len:0 itfs:[]
>       path:[126] pl-index:126 ip6 weight=1 pref=0 deag:  cfg-flags:drop,
>          fib-index:0
>
>   API refs:1 entry-flags:attached,import, src-flags:added,
>     path-list:[161] locks:1 flags:shared, uPRF-list:106 len:1 itfs:[40, ]
>       path:[211] pl-index:161 ip6 weight=100 pref=0 attached:  oper-flags:resolved,
>          ipip19
>
>  forwarding:   unicast-ip6-chain
>   [@0]: dpo-load-balance: [proto:ip6 index:88 buckets:1 uRPF:76 to:[0:0]]
>     [0] [@0]: dpo-drop ip6
> [root@j3chysr01stg05 ~]#
>
> lcp-rt gets added the moment the blackhole routes get leaked to VPP.  I
> think "lcp-rt" denotes the blackhole routes.
>
> API is still below the "lcp-rt" route. How can we prioritize API route
> over lcp-rt route?
>
> Thanks and Regards,
> Chinmaya Agarwal.
>
> 
>
>
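
Added example (not part of the thread and not VPP source code): a small C model of the two rules discussed above, namely that linux-nl picks "lcp-rt" or "lcp-rt-dynamic" from the kernel route protocol, and that the FIB source with the numerically lowest priority value drives forwarding. The type and function names are hypothetical, and the priority used for "lcp-rt-dynamic" is an assumption, since the thread only calls it "lower priority".

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel route protocol numbers, as defined in linux/rtnetlink.h. */
enum { K_RTPROT_BOOT = 3, K_RTPROT_STATIC = 4, K_RTPROT_ZEBRA = 11,
       K_RTPROT_BIRD = 12, K_RTPROT_BGP = 186 };

/* Priorities from the quoted fib_source.h; numerically lower wins. */
#define PRIO_HI  0x10  /* FIB_SOURCE_PRIORITY_HI, used for "lcp-rt" */
#define PRIO_API 0x80  /* FIB_SOURCE_API */
#define PRIO_LOW 0xd0  /* FIB_SOURCE_PRIORITY_LOW */
/* ASSUMPTION: the thread only says "lower priority" for lcp-rt-dynamic. */
#define PRIO_LCP_DYNAMIC (PRIO_LOW + 1)

typedef struct { const char *name; uint8_t prio; } fib_src_t;

static const fib_src_t SRC_LCP_RT = { "lcp-rt", PRIO_HI };
static const fib_src_t SRC_LCP_RT_DYNAMIC = { "lcp-rt-dynamic", PRIO_LCP_DYNAMIC };
static const fib_src_t SRC_API = { "API", PRIO_API };

/* Rule from the reply: proto <= RTPROT_STATIC maps to lcp-rt. */
const fib_src_t *lcp_source_for_proto(uint8_t rtproto) {
    return rtproto <= K_RTPROT_STATIC ? &SRC_LCP_RT : &SRC_LCP_RT_DYNAMIC;
}

/* The source with the numerically lowest priority drives forwarding. */
const fib_src_t *active_source(const fib_src_t *const *srcs, int n) {
    const fib_src_t *best = NULL;
    for (int i = 0; i < n; i++)
        if (best == NULL || srcs[i]->prio < best->prio)
            best = srcs[i];
    return best;
}

/* 1 if an API route on the same prefix would override the kernel route. */
int api_route_wins(uint8_t rtproto) {
    const fib_src_t *srcs[2] = { lcp_source_for_proto(rtproto), &SRC_API };
    return active_source(srcs, 2) == &SRC_API;
}

int main(void) {
    /* Constructed sample: "ip route add" without "proto" is recorded as boot. */
    const uint8_t protos[] = { K_RTPROT_BOOT, K_RTPROT_STATIC, K_RTPROT_BIRD, K_RTPROT_BGP };
    for (unsigned i = 0; i < sizeof protos / sizeof protos[0]; i++)
        printf("proto %3u -> %-14s API wins: %s\n", (unsigned) protos[i],
               lcp_source_for_proto(protos[i])->name,
               api_route_wins(protos[i]) ? "yes" : "no");
    return 0;
}
```

In this model, the blackhole added without 'proto' stays ahead of the API route, which matches the "show ip6 fib" output quoted above where lcp-rt is the active source.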