bird: per-peer import filter rejects connected subnet
Build flock Image / build (push) Successful in 2m17s
Without a filter, crt001's `network 2602:817:3000:A25::/64` gets
re-advertised to every peer on that subnet. bird installs the BGP /64
with metric 32, beating the kernel-connected route at 256, and all
inter-host VLAN-25 traffic hairpins through the gateway — losing PMTU
9000 and ~30x throughput. Broke Plex 2026-05-04: NFS to nas002 capped
at 7 MB/s, jumbo blackholed.
Add LocalSubnetV6/V4 (CIDR) to NodeBGP. Agent populates by masking the
peer's address to /64 (v6) or /24 (v4) — same fritzlab convention
already in localAddrSameSubnet. Render emits `import where net !=
<subnet>;` per BGP channel when set, falls back to `import all;`
otherwise so existing tests stay green.
Defence in depth: with the matching outbound route-map on crt001
(ROUTE_MAP_CLUSTER_OUT_V{4,6}) the agent now refuses the leak on its
own if the router filter ever drifts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
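To make the convention in the message concrete, here is an added, stand-alone illustration (not the project's own `peerSubnet` or render code) of the two pieces it describes: masking a peer address to /64 for IPv6 and /24 for IPv4, and emitting the per-channel bird `import` statement with the `import all;` fallback when no subnet is known. The function names `peerSubnetExample` and `importFilter` are assumptions for this example; the behaviour for a zoned link-local peer and an IPv4-mapped IPv6 peer goes beyond the cases the commit's test covers and is a choice made here, not something the page confirms about the agent.

```go
package main

import (
	"fmt"
	"net/netip"
)

// peerSubnetExample masks a BGP peer address to the connected subnet using
// the /64 (IPv6) and /24 (IPv4) convention from the commit message.
// It returns "" for empty or unparsable input so the caller can fall back to
// an unfiltered import. Illustrative reimplementation, not the project's code.
func peerSubnetExample(peer string) string {
	addr, err := netip.ParseAddr(peer)
	if err != nil {
		return ""
	}
	// Assumption made in this example: an IPv4-mapped IPv6 peer
	// (::ffff:a.b.c.d) is treated as IPv4, so it gets a /24.
	bits := 24
	if addr.Is6() && !addr.Is4In6() {
		bits = 64
	}
	if addr.Is4In6() {
		addr = addr.Unmap()
	}
	// Assumption made in this example: a link-local zone suffix (fe80::1%eth0)
	// is dropped rather than treated as a parse failure.
	addr = addr.WithZone("")
	prefix, err := addr.Prefix(bits)
	if err != nil {
		return ""
	}
	return prefix.String()
}

// importFilter renders the per-channel bird import statement: reject routes
// for the connected subnet when it is known, otherwise accept everything.
func importFilter(subnet string) string {
	if subnet == "" {
		return "import all;"
	}
	return fmt.Sprintf("import where net != %s;", subnet)
}

func main() {
	// Constructed sample peers for the demonstration.
	for _, peer := range []string{"2602:817:3000:a25::1", "172.25.25.104", "fe80::1%eth0", "not-an-ip"} {
		subnet := peerSubnetExample(peer)
		fmt.Printf("%-22s -> %-24q %s\n", peer, subnet, importFilter(subnet))
	}
}
```

The empty-string fallback is deliberate so existing renders stay unchanged, but it is also the failure mode the commit is fixing: a peer whose address does not parse silently gets `import all;` again, so in a real agent that path deserves a log line or a hard error rather than a quiet fallback.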
@@ -0,0 +1,25 @@
package agent

import "testing"

func TestPeerSubnet(t *testing.T) {
cases := []struct {
peer string
want string
}{
{"2602:817:3000:a25::1", "2602:817:3000:a25::/64"},
{"2602:817:3000:a25::104", "2602:817:3000:a25::/64"},
{"172.25.25.1", "172.25.25.0/24"},
{"172.25.25.104", "172.25.25.0/24"},
{"", ""},
{"not-an-ip", ""},
}
for _, tc := range cases {
t.Run(tc.peer, func(t *testing.T) {
got := peerSubnet(tc.peer)
if got != tc.want {
t.Fatalf("peerSubnet(%q) = %q, want %q", tc.peer, got, tc.want)
}
})
}
}
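Review bot: the `{"not-an-ip", ""}` case pins down that a parse failure yields an empty subnet, and the commit message says an empty subnet makes Render fall back to `import all;`, so a malformed peer address silently reinstates exactly the leak this change exists to stop. A link-local peer with a zone suffix (e.g. `fe80::1%vlan25`) is the likely real-world trigger, since `net.ParseIP` rejects zoned addresses if that is what `peerSubnet` uses. Consider having `peerSubnet` return an error the agent logs or fails on instead of `""`, or at minimum add cases for a zoned link-local address and an IPv4-mapped `::ffff:172.25.25.1` so the /64 vs /24 choice and the fallback are pinned for those inputs, not just for empty and garbage strings.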