9b777ca7d1
Build flock Image / build (push) Successful in 2m17s
Without a filter, crt001's `network 2602:817:3000:A25::/64` gets
re-advertised to every peer on that subnet. bird installs the BGP /64
with metric 32, beating the kernel-connected route at 256, and all
inter-host VLAN-25 traffic hairpins through the gateway — losing PMTU
9000 and ~30x throughput. Broke Plex 2026-05-04: NFS to nas002 capped
at 7 MB/s, jumbo blackholed.
Add LocalSubnetV6/V4 (CIDR) to NodeBGP. Agent populates by masking the
peer's address to /64 (v6) or /24 (v4) — same fritzlab convention
already in localAddrSameSubnet. Render emits `import where net !=
<subnet>;` per BGP channel when set, falls back to `import all;`
otherwise so existing tests stay green.
Defence in depth: with the matching outbound route-map on crt001
(ROUTE_MAP_CLUSTER_OUT_V{4,6}) the agent now refuses the leak on its
own if the router filter ever drifts.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
26 lines
546 B
Go
package agent

import "testing"

func TestPeerSubnet(t *testing.T) {
	cases := []struct {
		peer string
		want string
	}{
		{"2602:817:3000:a25::1", "2602:817:3000:a25::/64"},
		{"2602:817:3000:a25::104", "2602:817:3000:a25::/64"},
		{"172.25.25.1", "172.25.25.0/24"},
		{"172.25.25.104", "172.25.25.0/24"},
		{"", ""},
		{"not-an-ip", ""},
	}
	for _, tc := range cases {
		t.Run(tc.peer, func(t *testing.T) {
			got := peerSubnet(tc.peer)
			if got != tc.want {
				t.Fatalf("peerSubnet(%q) = %q, want %q", tc.peer, got, tc.want)
			}
		})
	}
}
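Added illustration, not the project's own code: one way to implement the behaviour the commit message describes and the test above exercises. peerSubnet masks the peer address to /64 (v6) or /24 (v4) with net/netip, birdImportFilter renders the per-channel `import where net != <subnet>;` line with the `import all;` fallback, and filterAccepts is a hypothetical helper that models what the rendered filter does to the leaked connected prefix versus any other route.

```go
package main

import (
	"fmt"
	"net/netip"
)

// peerSubnet masks a BGP peer address to the fritzlab convention (/64 v6, /24 v4); "" on bad input.
func peerSubnet(peer string) string {
	addr, err := netip.ParseAddr(peer)
	if err != nil {
		return ""
	}
	addr = addr.Unmap() // treat ::ffff:a.b.c.d peers as IPv4
	bits := 24
	if addr.Is6() {
		bits = 64
	}
	prefix, err := addr.Prefix(bits) // zeroes the host bits
	if err != nil {
		return ""
	}
	return prefix.String()
}

// birdImportFilter renders the per-channel import line: reject the connected subnet when known, else accept all.
func birdImportFilter(localSubnet string) string {
	if localSubnet == "" {
		return "import all;"
	}
	return fmt.Sprintf("import where net != %s;", localSubnet)
}

// filterAccepts models that filter for one peer: the exact connected /64 or
// /24 is dropped, any other prefix (more-specifics included) is imported.
func filterAccepts(peer, route string) bool {
	local := peerSubnet(peer)
	if local == "" {
		return true
	}
	p, err := netip.ParsePrefix(route)
	if err != nil {
		return false
	}
	return p.Masked() != netip.MustParsePrefix(local)
}

func main() {
	fmt.Println(birdImportFilter(peerSubnet("2602:817:3000:a25::1")))
}
```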