From 0f5b46a5404a42e1856e74ab209829ead782428e Mon Sep 17 00:00:00 2001 
From: Mazdak Nasab Date: Wed, 1 Nov 2023 08:41:28 -0700 Subject: [PATCH] Ignore tunnel routes in BGP advertisement (#8175) --------- Co-authored-by: Rene Dekker --- api/pkg/apis/projectcalico/v3/bgpfilter.go | 4 + api/pkg/openapi/openapi_generated.go | 12 ++ apiserver/test/integration/clientset_test.go | 108 ++++++++-- calicoctl/calicoctl/commands/crds/crds.go | 2 +- .../calico/confd/templates/bird.cfg.template | 14 +- .../calico/confd/templates/bird6.cfg.template | 14 +- .../confd/templates/bird6_ipam.cfg.template | 19 +- .../confd/templates/bird_ipam.cfg.template | 19 +- confd/pkg/resource/template/template_funcs.go | 20 ++ .../resource/template/template_funcs_test.go | 48 ++++- .../export_only/explicit_peer/bird.cfg | 14 +- .../export_only/explicit_peer/bird6.cfg | 14 +- .../export_only/explicit_peer/bird6_ipam.cfg | 19 +- .../export_only/explicit_peer/bird_ipam.cfg | 19 +- .../export_only/global_peer/bird.cfg | 12 +- .../export_only/global_peer/bird6.cfg | 12 +- .../export_only/global_peer/bird6_ipam.cfg | 19 +- .../export_only/global_peer/bird_ipam.cfg | 19 +- .../bgpfilter/filter_deletion/step1/bird.cfg | 10 +- .../bgpfilter/filter_deletion/step1/bird6.cfg | 10 +- .../filter_deletion/step1/bird6_ipam.cfg | 19 +- .../filter_deletion/step1/bird_ipam.cfg | 19 +- .../bgpfilter/filter_deletion/step2/bird.cfg | 10 +- .../bgpfilter/filter_deletion/step2/bird6.cfg | 10 +- .../filter_deletion/step2/bird6_ipam.cfg | 19 +- .../filter_deletion/step2/bird_ipam.cfg | 19 +- .../bgpfilter/filter_names/bird.cfg | 10 +- .../bgpfilter/filter_names/bird6.cfg | 10 +- .../bgpfilter/filter_names/bird6_ipam.cfg | 19 +- .../bgpfilter/filter_names/bird_ipam.cfg | 19 +- .../import_only/explicit_peer/bird.cfg | 14 +- .../import_only/explicit_peer/bird6.cfg | 14 +- .../import_only/explicit_peer/bird6_ipam.cfg | 19 +- .../import_only/explicit_peer/bird_ipam.cfg | 19 +- .../import_only/global_peer/bird.cfg | 12 +- .../import_only/global_peer/bird6.cfg | 12 +- 
.../import_only/global_peer/bird6_ipam.cfg | 19 +- .../import_only/global_peer/bird_ipam.cfg | 19 +- .../bgpfilter/match_interface/bird.cfg | 130 ++++++++++++ .../bgpfilter/match_interface/bird6.cfg | 130 ++++++++++++ .../bgpfilter/match_interface/bird6_aggr.cfg | 10 + .../bgpfilter/match_interface/bird6_ipam.cfg | 33 ++++ .../bgpfilter/match_interface/bird_aggr.cfg | 29 +++ .../bgpfilter/match_interface/bird_ipam.cfg | 34 ++++ .../bgpfilter/match_operators/bird.cfg | 10 +- .../bgpfilter/match_operators/bird6.cfg | 10 +- .../bgpfilter/match_operators/bird6_ipam.cfg | 19 +- .../bgpfilter/match_operators/bird_ipam.cfg | 19 +- .../bgpfilter/match_source/bird.cfg | 10 +- .../bgpfilter/match_source/bird6.cfg | 10 +- .../bgpfilter/match_source/bird6_ipam.cfg | 19 +- .../bgpfilter/match_source/bird_ipam.cfg | 19 +- .../multi_filter/explicit_peer/bird.cfg | 14 +- .../multi_filter/explicit_peer/bird6.cfg | 14 +- .../multi_filter/explicit_peer/bird6_ipam.cfg | 19 +- .../multi_filter/explicit_peer/bird_ipam.cfg | 19 +- .../multi_filter/global_peer/bird.cfg | 14 +- .../multi_filter/global_peer/bird6.cfg | 14 +- .../multi_filter/global_peer/bird6_ipam.cfg | 19 +- .../multi_filter/global_peer/bird_ipam.cfg | 19 +- .../bgpfilter/node_mesh/bird.cfg | 8 +- .../bgpfilter/node_mesh/bird6.cfg | 8 +- .../bgpfilter/node_mesh/bird6_ipam.cfg | 19 +- .../bgpfilter/node_mesh/bird_ipam.cfg | 19 +- .../single_filter/explicit_peer/bird.cfg | 18 +- .../single_filter/explicit_peer/bird6.cfg | 18 +- .../explicit_peer/bird6_ipam.cfg | 19 +- .../single_filter/explicit_peer/bird_ipam.cfg | 19 +- .../single_filter/global_peer/bird.cfg | 14 +- .../single_filter/global_peer/bird6.cfg | 14 +- .../single_filter/global_peer/bird6_ipam.cfg | 19 +- .../single_filter/global_peer/bird_ipam.cfg | 19 +- .../bgpfilter/v4_only/explicit_peer/bird.cfg | 18 +- .../bgpfilter/v4_only/explicit_peer/bird6.cfg | 10 +- .../v4_only/explicit_peer/bird6_ipam.cfg | 19 +- .../v4_only/explicit_peer/bird_ipam.cfg | 19 +- 
.../bgpfilter/v4_only/global_peer/bird.cfg | 10 +- .../bgpfilter/v4_only/global_peer/bird6.cfg | 10 +- .../v4_only/global_peer/bird6_ipam.cfg | 19 +- .../v4_only/global_peer/bird_ipam.cfg | 19 +- .../bgpfilter/v6_only/explicit_peer/bird.cfg | 10 +- .../bgpfilter/v6_only/explicit_peer/bird6.cfg | 18 +- .../v6_only/explicit_peer/bird6_ipam.cfg | 19 +- .../v6_only/explicit_peer/bird_ipam.cfg | 19 +- .../bgpfilter/v6_only/global_peer/bird.cfg | 10 +- .../bgpfilter/v6_only/global_peer/bird6.cfg | 14 +- .../v6_only/global_peer/bird6_ipam.cfg | 19 +- .../v6_only/global_peer/bird_ipam.cfg | 19 +- .../explicit_peering/global-external/bird.cfg | 15 +- .../global-external/bird6_ipam.cfg | 19 +- .../global-external/bird_ipam.cfg | 19 +- .../explicit_peering/global-ipv6/bird6.cfg | 10 +- .../global-ipv6/bird6_ipam.cfg | 19 +- .../global-ipv6/bird_ipam.cfg | 19 +- .../explicit_peering/global/bird.cfg | 15 +- .../explicit_peering/global/bird6_ipam.cfg | 19 +- .../explicit_peering/global/bird_ipam.cfg | 19 +- .../keepnexthop-global/bird.cfg | 5 +- .../keepnexthop-global/bird6.cfg | 5 +- .../keepnexthop-global/bird6_ipam.cfg | 19 +- .../keepnexthop-global/bird_ipam.cfg | 19 +- .../explicit_peering/keepnexthop/bird.cfg | 15 +- .../explicit_peering/keepnexthop/bird6.cfg | 5 +- .../keepnexthop/bird6_ipam.cfg | 19 +- .../keepnexthop/bird_ipam.cfg | 19 +- .../explicit_peering/local-as-global/bird.cfg | 15 +- .../local-as-global/bird6_ipam.cfg | 19 +- .../local-as-global/bird_ipam.cfg | 19 +- .../explicit_peering/local-as/bird.cfg | 10 +- .../explicit_peering/local-as/bird6_ipam.cfg | 19 +- .../explicit_peering/local-as/bird_ipam.cfg | 19 +- .../explicit_peering/route_reflector/bird.cfg | 15 +- .../route_reflector/bird6.cfg | 15 +- .../route_reflector/bird6_ipam.cfg | 19 +- .../route_reflector/bird_ipam.cfg | 19 +- .../route_reflector_v6_by_ip/bird.cfg | 5 +- .../route_reflector_v6_by_ip/bird6.cfg | 15 +- .../route_reflector_v6_by_ip/bird6_ipam.cfg | 19 +- 
.../route_reflector_v6_by_ip/bird_ipam.cfg | 19 +- .../explicit_peering/selectors/bird.cfg | 10 +- .../explicit_peering/selectors/bird6.cfg | 10 +- .../explicit_peering/selectors/bird6_ipam.cfg | 19 +- .../explicit_peering/selectors/bird_ipam.cfg | 19 +- .../explicit_peering/selectors/step2/bird.cfg | 10 +- .../selectors/step2/bird6.cfg | 10 +- .../selectors/step2/bird6_ipam.cfg | 19 +- .../selectors/step2/bird_ipam.cfg | 19 +- .../explicit_peering/specific_node/bird.cfg | 10 +- .../specific_node/bird6_ipam.cfg | 19 +- .../specific_node/bird_ipam.cfg | 19 +- .../ignored_interfaces/bird.cfg | 4 +- .../ignored_interfaces/bird6.cfg | 4 +- .../ignored_interfaces/bird6_ipam.cfg | 19 +- .../ignored_interfaces/bird_ipam.cfg | 19 +- .../mesh/bgp-export/bird.cfg | 4 +- .../mesh/bgp-export/bird6_ipam.cfg | 19 +- .../mesh/bgp-export/bird_ipam.cfg | 19 +- .../mesh/communities/bird.cfg | 4 +- .../mesh/communities/bird6_ipam.cfg | 19 +- .../mesh/communities/bird_ipam.cfg | 19 +- .../mesh/communities/step2/bird.cfg | 4 +- .../mesh/communities/step2/bird6_ipam.cfg | 19 +- .../mesh/communities/step2/bird_ipam.cfg | 19 +- .../compiled_templates/mesh/hash/bird.cfg | 4 +- .../mesh/hash/bird6_ipam.cfg | 19 +- .../mesh/hash/bird_ipam.cfg | 19 +- .../mesh/ipip-always/bird.cfg | 4 +- .../mesh/ipip-always/bird6_ipam.cfg | 19 +- .../mesh/ipip-always/bird_ipam.cfg | 19 +- .../mesh/ipip-cross-subnet/bird.cfg | 4 +- .../mesh/ipip-cross-subnet/bird6_ipam.cfg | 19 +- .../mesh/ipip-cross-subnet/bird_ipam.cfg | 19 +- .../compiled_templates/mesh/ipip-off/bird.cfg | 4 +- .../mesh/ipip-off/bird6.cfg | 4 +- .../mesh/ipip-off/bird6_ipam.cfg | 19 +- .../mesh/ipip-off/bird_ipam.cfg | 19 +- .../mesh/password/step1/bird.cfg | 4 +- .../mesh/password/step1/bird6.cfg | 4 +- .../mesh/password/step1/bird6_ipam.cfg | 19 +- .../mesh/password/step1/bird_ipam.cfg | 19 +- .../mesh/password/step2/bird.cfg | 4 +- .../mesh/password/step2/bird6.cfg | 4 +- .../mesh/password/step2/bird6_ipam.cfg | 19 +- 
.../mesh/password/step2/bird_ipam.cfg | 19 +- .../mesh/password/step3/bird.cfg | 4 +- .../mesh/password/step3/bird6.cfg | 4 +- .../mesh/password/step3/bird6_ipam.cfg | 19 +- .../mesh/password/step3/bird_ipam.cfg | 19 +- .../mesh/restart-time/bird.cfg | 4 +- .../mesh/restart-time/bird6.cfg | 4 +- .../mesh/restart-time/bird6_ipam.cfg | 19 +- .../mesh/restart-time/bird_ipam.cfg | 19 +- .../route-reflector-mesh-enabled/bird.cfg | 7 +- .../route-reflector-mesh-enabled/bird6.cfg | 7 +- .../bird6_ipam.cfg | 19 +- .../bird_ipam.cfg | 19 +- .../mesh/static-routes-exclude-node/bird.cfg | 4 +- .../mesh/static-routes-exclude-node/bird6.cfg | 4 +- .../static-routes-exclude-node/bird6_ipam.cfg | 19 +- .../static-routes-exclude-node/bird_ipam.cfg | 19 +- .../static-routes-exclude-node/step2/bird.cfg | 4 +- .../step2/bird6.cfg | 4 +- .../step2/bird6_ipam.cfg | 19 +- .../step2/bird_ipam.cfg | 19 +- .../bird6_ipam.cfg | 19 +- .../bird_ipam.cfg | 19 +- .../mesh/static-routes/bird.cfg | 4 +- .../mesh/static-routes/bird6.cfg | 4 +- .../mesh/static-routes/bird6_ipam.cfg | 19 +- .../mesh/static-routes/bird_ipam.cfg | 19 +- .../mesh/static-routes/step2/bird.cfg | 4 +- .../mesh/static-routes/step2/bird6.cfg | 4 +- .../mesh/static-routes/step2/bird6_ipam.cfg | 19 +- .../mesh/static-routes/step2/bird_ipam.cfg | 19 +- .../mesh/vxlan-always/bird.cfg | 4 +- .../mesh/vxlan-always/bird6.cfg | 4 +- .../mesh/vxlan-always/bird6_ipam.cfg | 19 +- .../mesh/vxlan-always/bird_ipam.cfg | 19 +- .../password-deadlock/bird.cfg | 5 +- .../password-deadlock/bird6_ipam.cfg | 19 +- .../password-deadlock/bird_ipam.cfg | 19 +- .../password/step1/bird.cfg | 15 +- .../password/step1/bird6_ipam.cfg | 19 +- .../password/step1/bird_ipam.cfg | 19 +- .../password/step2/bird.cfg | 15 +- .../password/step2/bird6_ipam.cfg | 19 +- .../password/step2/bird_ipam.cfg | 19 +- .../password/step3/bird.cfg | 15 +- .../password/step3/bird6_ipam.cfg | 19 +- .../password/step3/bird_ipam.cfg | 19 +- .../password/step4/bird.cfg | 15 +- 
.../password/step4/bird6_ipam.cfg | 19 +- .../password/step4/bird_ipam.cfg | 19 +- .../password/step5/bird.cfg | 15 +- .../password/step5/bird6_ipam.cfg | 19 +- .../password/step5/bird_ipam.cfg | 19 +- .../password/step6/bird.cfg | 15 +- .../password/step6/bird6_ipam.cfg | 19 +- .../password/step6/bird_ipam.cfg | 19 +- .../reachable_by/global_peers/bird.cfg | 10 +- .../reachable_by/global_peers/bird6.cfg | 10 +- .../reachable_by/global_peers/bird6_ipam.cfg | 19 +- .../reachable_by/global_peers/bird_ipam.cfg | 19 +- .../reachable_by/route_reflectors/bird.cfg | 20 +- .../reachable_by/route_reflectors/bird6.cfg | 20 +- .../route_reflectors/bird6_ipam.cfg | 19 +- .../route_reflectors/bird_ipam.cfg | 19 +- .../sourceaddr_gracefulrestart/step1/bird.cfg | 5 +- .../step1/bird6_ipam.cfg | 19 +- .../step1/bird_ipam.cfg | 19 +- .../sourceaddr_gracefulrestart/step2/bird.cfg | 5 +- .../step2/bird6_ipam.cfg | 19 +- .../step2/bird_ipam.cfg | 19 +- .../sourceaddr_gracefulrestart/step3/bird.cfg | 5 +- .../step3/bird6_ipam.cfg | 19 +- .../step3/bird_ipam.cfg | 19 +- .../ttl_security/explicit_node/bird.cfg | 10 +- .../ttl_security/explicit_node/bird6_ipam.cfg | 19 +- .../ttl_security/explicit_node/bird_ipam.cfg | 19 +- .../ttl_security/global/bird.cfg | 10 +- .../ttl_security/global/bird6.cfg | 10 +- .../ttl_security/global/bird6_ipam.cfg | 19 +- .../ttl_security/global/bird_ipam.cfg | 19 +- .../ttl_security/peer_selector/bird.cfg | 10 +- .../ttl_security/peer_selector/bird6.cfg | 10 +- .../ttl_security/peer_selector/bird6_ipam.cfg | 19 +- .../ttl_security/peer_selector/bird_ipam.cfg | 19 +- confd/tests/test_suite_common.sh | 186 ++++++++++++++++++ .../crd/crd.projectcalico.org_bgpfilters.yaml | 8 + libcalico-go/lib/validator/v3/validator.go | 74 +++---- .../lib/validator/v3/validator_test.go | 144 ++++++++++---- manifests/calico-bpf.yaml | 8 + manifests/calico-policy-only.yaml | 8 + manifests/calico-typha.yaml | 8 + manifests/calico-vxlan.yaml | 8 + manifests/calico.yaml | 8 + 
manifests/canal.yaml | 8 + manifests/crds.yaml | 8 + manifests/flannel-migration/calico.yaml | 8 + .../ocp/crd.projectcalico.org_bgpfilters.yaml | 8 + manifests/operator-crds.yaml | 8 + manifests/tigera-operator.yaml | 8 + 262 files changed, 3609 insertions(+), 930 deletions(-) create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird.cfg create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird6.cfg create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird6_aggr.cfg create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird6_ipam.cfg create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird_aggr.cfg create mode 100644 confd/tests/compiled_templates/bgpfilter/match_interface/bird_ipam.cfg
diff --git a/api/pkg/apis/projectcalico/v3/bgpfilter.go b/api/pkg/apis/projectcalico/v3/bgpfilter.go
index 56de8d61bf6..21e70ce14ec 100644
--- a/api/pkg/apis/projectcalico/v3/bgpfilter.go
+++ b/api/pkg/apis/projectcalico/v3/bgpfilter.go
@@ -66,6 +66,8 @@ type BGPFilterRuleV4 struct {
 Source BGPFilterMatchSource `json:"source,omitempty" validate:"omitempty,oneof=RemotePeers"`
+ Interface string `json:"interface,omitempty" validate:"omitempty,bgpFilterInterface"`
+
 MatchOperator BGPFilterMatchOperator `json:"matchOperator,omitempty" validate:"omitempty,matchOperator"`
 Action BGPFilterAction `json:"action" validate:"required,filterAction"`
@@ -77,6 +79,8 @@ type BGPFilterRuleV6 struct {
 Source BGPFilterMatchSource `json:"source,omitempty" validate:"omitempty,oneof=RemotePeers"`
+ Interface string `json:"interface,omitempty" validate:"omitempty,bgpFilterInterface"`
+
 MatchOperator BGPFilterMatchOperator `json:"matchOperator,omitempty" validate:"omitempty,matchOperator"`
 Action BGPFilterAction `json:"action" validate:"required,filterAction"`
diff --git a/api/pkg/openapi/openapi_generated.go b/api/pkg/openapi/openapi_generated.go
index 8ca4b8fd737..fa90ceb5fa3 100644
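Review bot: The new `Interface` field on `BGPFilterRuleV4` is exported API surface with no doc comment, and the same applies to the `BGPFilterRuleV6` hunk that follows; since the CRD description is generated from that comment, the field reaches users undocumented (the regenerated CRD string in crds.go shows only `interface:` followed by `type: string`). The accepted syntax is presumably enforced by the `bgpFilterInterface` validator named in the tag, which is outside this view, so the wording should be checked against it; the integration test uses the pattern `"*.calico"`, which suggests wildcard matching. Suggested, subject to that check: `// Interface, if set, restricts this rule to routes whose interface name matches this pattern (e.g. "*.calico"). Leave empty to match routes on any interface.` Both struct definitions start and end outside their hunks.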
--- a/api/pkg/openapi/openapi_generated.go
+++ b/api/pkg/openapi/openapi_generated.go
@@ -821,6 +821,12 @@ func schema_pkg_apis_projectcalico_v3_BGPFilterRuleV4(ref common.ReferenceCallba
 Format: "",
 },
 },
+ "interface": {
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
 "matchOperator": {
 SchemaProps: spec.SchemaProps{
 Type: []string{"string"},
@@ -860,6 +866,12 @@ func schema_pkg_apis_projectcalico_v3_BGPFilterRuleV6(ref common.ReferenceCallba
 Format: "",
 },
 },
+ "interface": {
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
 "matchOperator": {
 SchemaProps: spec.SchemaProps{
 Type: []string{"string"},
diff --git a/apiserver/test/integration/clientset_test.go b/apiserver/test/integration/clientset_test.go
index 349906d90fc..6424498f53b 100644
--- a/apiserver/test/integration/clientset_test.go
+++ b/apiserver/test/integration/clientset_test.go
@@ -1511,32 +1511,95 @@ func TestBGPFilterClient(t *testing.T) { func testBGPFilterClient(client calicoclient.Interface, name string) error { bgpFilterClient := client.ProjectcalicoV3().BGPFilters() - acceptRuleV4 := v3.BGPFilterRuleV4{ + r1v4 := v3.BGPFilterRuleV4{ CIDR: "10.10.10.0/24", MatchOperator: v3.In, Source: v3.BGPFilterSourceRemotePeers, + Interface: "*.calico", Action: v3.Accept, } - rejectRuleV4 := v3.BGPFilterRuleV4{ - Action: v3.Reject, + r1v6 := v3.BGPFilterRuleV6{ + CIDR: "dead:beef:1::/64", + MatchOperator: v3.Equal, + Source: v3.BGPFilterSourceRemotePeers, + Interface: "*.calico", + Action: v3.Accept, + } + r2v4 := v3.BGPFilterRuleV4{ + CIDR: "10.10.10.0/24", + MatchOperator: v3.In, + Source: v3.BGPFilterSourceRemotePeers, + Action: v3.Accept, + } + r2v6 := v3.BGPFilterRuleV6{ + CIDR: "dead:beef:1::/64", + MatchOperator: v3.Equal, + Source: v3.BGPFilterSourceRemotePeers, + Action: v3.Accept, + } + r3v4 := v3.BGPFilterRuleV4{ + CIDR: "10.10.10.0/24", + MatchOperator: v3.In, + Interface: "*.calico", + Action: v3.Accept, + } + r3v6 := v3.BGPFilterRuleV6{ + CIDR: "dead:beef:1::/64", + MatchOperator: v3.Equal, + Interface: "*.calico", + Action: v3.Accept, + } + r4v4 := v3.BGPFilterRuleV4{ + Source: v3.BGPFilterSourceRemotePeers, + Interface: "*.calico", + Action: v3.Accept, + } + r4v6 := v3.BGPFilterRuleV6{ + Source: v3.BGPFilterSourceRemotePeers, + Interface: "*.calico", + Action: v3.Accept, } - acceptRuleV6 := v3.BGPFilterRuleV6{ + r5v4 := v3.BGPFilterRuleV4{ + CIDR: "10.10.10.0/24", + MatchOperator: v3.In, + Action: v3.Accept, + } + r5v6 := v3.BGPFilterRuleV6{ CIDR: "dead:beef:1::/64", MatchOperator: v3.Equal, Action: v3.Accept, } - rejectRuleV6 := v3.BGPFilterRuleV6{ + r6v4 := v3.BGPFilterRuleV4{ + Source: v3.BGPFilterSourceRemotePeers, + Action: v3.Accept, + } + r6v6 := v3.BGPFilterRuleV6{ Source: v3.BGPFilterSourceRemotePeers, - Action: v3.Reject, + Action: v3.Accept, + } + r7v4 := v3.BGPFilterRuleV4{ + Interface: "*.calico", + Action: 
v3.Accept, + } + r7v6 := v3.BGPFilterRuleV6{ + Interface: "*.calico", + Action: v3.Accept, } + r8v4 := v3.BGPFilterRuleV4{ + Action: v3.Accept, + } + r8v6 := v3.BGPFilterRuleV6{ + Action: v3.Accept, + } + + // This test expect equal number of rules in each of ExportV4, ImportV4, ExportV6 and ImportV6. bgpFilter := &v3.BGPFilter{ ObjectMeta: metav1.ObjectMeta{Name: name}, - Spec: v3.BGPFilterSpec{ - ExportV4: []v3.BGPFilterRuleV4{acceptRuleV4}, - ImportV4: []v3.BGPFilterRuleV4{rejectRuleV4}, - ExportV6: []v3.BGPFilterRuleV6{acceptRuleV6}, - ImportV6: []v3.BGPFilterRuleV6{rejectRuleV6}, + ExportV4: []v3.BGPFilterRuleV4{r1v4, r7v4, r6v4, r5v4, r2v4, r8v4}, + ImportV4: []v3.BGPFilterRuleV4{r2v4, r3v4, r4v4, r7v4, r8v4, r1v4}, + ExportV6: []v3.BGPFilterRuleV6{r5v6, r1v6, r6v6, r4v6, r8v6, r2v6}, + ImportV6: []v3.BGPFilterRuleV6{r6v6, r1v6, r3v6, r7v6, r2v6, r4v6}, }, } ctx := context.Background() 
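Review bot: Every rule in the rewritten fixture uses `Action: v3.Accept`, so the `v3.Reject` action that the removed `rejectRuleV4`/`rejectRuleV6` exercised no longer round-trips through the API server in this test; flipping one pair, e.g. `r8v4`/`r8v6`, to `Action: v3.Reject,` keeps that coverage at no cost. The numbered names `r1v4` through `r8v6` hide which field combination each rule covers, so a one-line comment per rule (or names that spell out the combination) would make a failing index in the later comparison loop easier to read. The added comment also has a grammar slip; suggested wording: `// This test expects an equal number of rules in each of ExportV4, ImportV4, ExportV6 and ImportV6.` `testBGPFilterClient` continues past the end of this hunk.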
@@ -1555,10 +1618,31 @@ func testBGPFilterClient(client calicoclient.Interface, name string) error { return fmt.Errorf("didn't get the same object back from the server \n%+v\n%+v", bgpFilter, bgpFilterNew) } - if len(bgpFilterNew.Spec.ExportV4) != 1 || bgpFilterNew.Spec.ExportV4[0] != bgpFilter.Spec.ExportV4[0] || len(bgpFilterNew.Spec.ImportV4) != 1 || bgpFilterNew.Spec.ImportV4[0] != bgpFilter.Spec.ImportV4[0] || len(bgpFilterNew.Spec.ExportV6) != 1 || bgpFilterNew.Spec.ExportV6[0] != bgpFilter.Spec.ExportV6[0] || len(bgpFilterNew.Spec.ImportV6) != 1 || bgpFilterNew.Spec.ImportV6[0] != bgpFilter.Spec.ImportV6[0] { + size := len(bgpFilter.Spec.ExportV4) + if len(bgpFilterNew.Spec.ExportV4) != size || len(bgpFilterNew.Spec.ImportV4) != size || + len(bgpFilterNew.Spec.ExportV6) != size || len(bgpFilterNew.Spec.ImportV6) != size { return fmt.Errorf("didn't get the correct object back from the server \n%+v\n%+v", bgpFilter, bgpFilterNew) } + for i := 0; i < size; i++ { + if bgpFilterNew.Spec.ExportV4[i] != bgpFilter.Spec.ExportV4[i] { + return fmt.Errorf("didn't get the correct object back from the server. Incorrect ExportV4: \n%+v\n%+v", + bgpFilter.Spec.ExportV4, bgpFilterNew.Spec.ExportV4) + } + if bgpFilterNew.Spec.ImportV4[i] != bgpFilter.Spec.ImportV4[i] { + return fmt.Errorf("didn't get the correct object back from the server. Incorrect ImportV4: \n%+v\n%+v", + bgpFilter.Spec.ImportV4, bgpFilterNew.Spec.ImportV4) + } + if bgpFilterNew.Spec.ExportV6[i] != bgpFilter.Spec.ExportV6[i] { + return fmt.Errorf("didn't get the correct object back from the server. Incorrect ExportV6: \n%+v\n%+v", + bgpFilter.Spec.ExportV6, bgpFilterNew.Spec.ExportV6) + } + if bgpFilterNew.Spec.ImportV6[i] != bgpFilter.Spec.ImportV6[i] { + return fmt.Errorf("didn't get the correct object back from the server. 
Incorrect ImportV6: \n%+v\n%+v", + bgpFilter.Spec.ImportV6, bgpFilterNew.Spec.ImportV6) + } + } + bgpFilterNew, err = bgpFilterClient.Get(ctx, bgpFilter.Name, metav1.GetOptions{}) if err != nil { return fmt.Errorf("error getting object %s (%s)", bgpFilter.Name, err) diff --git a/calicoctl/calicoctl/commands/crds/crds.go b/calicoctl/calicoctl/commands/crds/crds.go index 8213bf2634f..40cc9277926 100644 --- a/calicoctl/calicoctl/commands/crds/crds.go +++ b/calicoctl/calicoctl/commands/crds/crds.go 
@@ -18,7 +18,7 @@ package crds const ( bgpconfigurations = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: BGPConfiguration\n listKind: BGPConfigurationList\n plural: bgpconfigurations\n singular: bgpconfiguration\n preserveUnknownFields: false\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: BGPConfiguration contains the configuration for any BGP routing.\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: BGPConfigurationSpec contains the values of the BGP configuration.\n properties:\n asNumber:\n description: 'ASNumber is the default AS number used by a node. [Default:\n 64512]'\n format: int32\n type: integer\n bindMode:\n description: BindMode indicates whether to listen for BGP connections\n on all addresses (None) or only on the node's canonical IP address\n Node.Spec.BGP.IPvXAddress (NodeIP). 
Default behaviour is to listen\n for BGP connections on all addresses.\n type: string\n communities:\n description: Communities is a list of BGP community values and their\n arbitrary names for tagging routes.\n items:\n description: Community contains standard or large community value\n and its name.\n properties:\n name:\n description: Name given to community value.\n type: string\n value:\n description: Value must be of format `aa:nn` or `aa:nn:mm`.\n For standard community use `aa:nn` format, where `aa` and\n `nn` are 16 bit number. For large community use `aa:nn:mm`\n format, where `aa`, `nn` and `mm` are 32 bit number. Where,\n `aa` is an AS Number, `nn` and `mm` are per-AS identifier.\n pattern: ^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$\n type: string\n type: object\n type: array\n ignoredInterfaces:\n description: IgnoredInterfaces indicates the network interfaces that\n needs to be excluded when reading device routes.\n items:\n type: string\n type: array\n listenPort:\n description: ListenPort is the port where BGP protocol should listen.\n Defaults to 179\n maximum: 65535\n minimum: 1\n type: integer\n logSeverityScreen:\n description: 'LogSeverityScreen is the log severity above which logs\n are sent to the stdout. [Default: INFO]'\n type: string\n nodeMeshMaxRestartTime:\n description: Time to allow for software restart for node-to-mesh peerings. When\n specified, this is configured as the graceful restart timeout. When\n not specified, the BIRD default of 120s is used. 
This field can\n only be set on the default BGPConfiguration instance and requires\n that NodeMesh is enabled\n type: string\n nodeMeshPassword:\n description: Optional BGP password for full node-to-mesh peerings.\n This field can only be set on the default BGPConfiguration instance\n and requires that NodeMesh is enabled\n properties:\n secretKeyRef:\n description: Selects a key of a secret in the node pod's namespace.\n properties:\n key:\n description: The key of the secret to select from. Must be\n a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\n TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be\n defined\n type: boolean\n required:\n - key\n type: object\n type: object\n nodeToNodeMeshEnabled:\n description: 'NodeToNodeMeshEnabled sets whether full node to node\n BGP mesh is enabled. [Default: true]'\n type: boolean\n prefixAdvertisements:\n description: PrefixAdvertisements contains per-prefix advertisement\n configuration.\n items:\n description: PrefixAdvertisement configures advertisement properties\n for the specified CIDR.\n properties:\n cidr:\n description: CIDR for which properties should be advertised.\n type: string\n communities:\n description: Communities can be list of either community names\n already defined in `Specs.Communities` or community value\n of format `aa:nn` or `aa:nn:mm`. For standard community use\n `aa:nn` format, where `aa` and `nn` are 16 bit number. For\n large community use `aa:nn:mm` format, where `aa`, `nn` and\n `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and\n `mm` are per-AS identifier.\n items:\n type: string\n type: array\n type: object\n type: array\n serviceClusterIPs:\n description: ServiceClusterIPs are the CIDR blocks from which service\n cluster IPs are allocated. 
If specified, Calico will advertise these\n blocks, as well as any cluster IPs within them.\n items:\n description: ServiceClusterIPBlock represents a single allowed ClusterIP\n CIDR block.\n properties:\n cidr:\n type: string\n type: object\n type: array\n serviceExternalIPs:\n description: ServiceExternalIPs are the CIDR blocks for Kubernetes\n Service External IPs. Kubernetes Service ExternalIPs will only be\n advertised if they are within one of these blocks.\n items:\n description: ServiceExternalIPBlock represents a single allowed\n External IP CIDR block.\n properties:\n cidr:\n type: string\n type: object\n type: array\n serviceLoadBalancerIPs:\n description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes\n Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress\n IPs will only be advertised if they are within one of these blocks.\n items:\n description: ServiceLoadBalancerIPBlock represents a single allowed\n LoadBalancer IP CIDR block.\n properties:\n cidr:\n type: string\n type: object\n type: array\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" - bgpfilters = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n name: bgpfilters.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: BGPFilter\n listKind: BGPFilterList\n plural: bgpfilters\n singular: bgpfilter\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of\n the BGP Filter.\n properties:\n exportV4:\n description: The ordered set of IPv4 BGPFilter rules acting on exporting\n routes to a peer.\n items:\n description: BGPFilterRuleV4 defines a BGP filter rule consisting\n a single IPv4 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n exportV6:\n description: The ordered set of IPv6 BGPFilter rules acting on exporting\n routes to a peer.\n items:\n description: BGPFilterRuleV6 defines a BGP filter rule consisting\n a single IPv6 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n importV4:\n description: The ordered set of IPv4 BGPFilter rules acting on importing\n routes from a peer.\n items:\n description: BGPFilterRuleV4 defines a BGP filter rule consisting\n a single IPv4 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n importV6:\n description: The ordered set of IPv6 BGPFilter rules acting on importing\n routes from a peer.\n items:\n description: BGPFilterRuleV6 
defines a BGP filter rule consisting\n a single IPv6 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" + bgpfilters = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n name: bgpfilters.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: BGPFilter\n listKind: BGPFilterList\n plural: bgpfilters\n singular: bgpfilter\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of\n the BGP Filter.\n properties:\n exportV4:\n description: The ordered set of IPv4 BGPFilter rules acting on exporting\n routes to a peer.\n items:\n description: BGPFilterRuleV4 defines a BGP filter rule consisting\n a single IPv4 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n interface:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n exportV6:\n description: The ordered set of IPv6 BGPFilter rules acting on exporting\n routes to a peer.\n items:\n description: BGPFilterRuleV6 defines a BGP filter rule consisting\n a single IPv6 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n interface:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n importV4:\n description: The ordered set of IPv4 BGPFilter rules acting on importing\n routes from a peer.\n items:\n description: BGPFilterRuleV4 defines a BGP filter rule consisting\n a single IPv4 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n interface:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n required:\n - action\n type: object\n type: array\n importV6:\n description: The ordered set of IPv6 BGPFilter rules acting on importing\n routes from a peer.\n items:\n description: BGPFilterRuleV6 defines a BGP filter rule consisting\n a single IPv6 CIDR block and a filter action for this CIDR.\n properties:\n action:\n type: string\n cidr:\n type: string\n interface:\n type: string\n matchOperator:\n type: string\n source:\n type: string\n 
required:\n - action\n type: object\n type: array\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" bgppeers = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: BGPPeer\n listKind: BGPPeerList\n plural: bgppeers\n singular: bgppeer\n preserveUnknownFields: false\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: BGPPeerSpec contains the specification for a BGPPeer resource.\n properties:\n asNumber:\n description: The AS Number of the peer.\n format: int32\n type: integer\n filters:\n description: The ordered set of BGPFilters applied on this BGP peer.\n items:\n type: string\n type: array\n keepOriginalNextHop:\n description: Option to keep the original nexthop field when routes\n are sent to a BGP Peer. Setting \"true\" configures the selected BGP\n Peers node to use the \"next hop keep;\" instead of \"next hop self;\"(default)\n in the specific branch of the Node on \"bird.cfg\".\n type: boolean\n maxRestartTime:\n description: Time to allow for software restart. 
When specified,\n this is configured as the graceful restart timeout. When not specified,\n the BIRD default of 120s is used.\n type: string\n node:\n description: The node name identifying the Calico node instance that\n is targeted by this peer. If this is not set, and no nodeSelector\n is specified, then this BGP peer selects all nodes in the cluster.\n type: string\n nodeSelector:\n description: Selector for the nodes that should have this peering. When\n this is set, the Node field must be empty.\n type: string\n numAllowedLocalASNumbers:\n description: Maximum number of local AS numbers that are allowed in\n the AS path for received routes. This removes BGP loop prevention\n and should only be used if absolutely necesssary.\n format: int32\n type: integer\n password:\n description: Optional BGP password for the peerings generated by this\n BGPPeer resource.\n properties:\n secretKeyRef:\n description: Selects a key of a secret in the node pod's namespace.\n properties:\n key:\n description: The key of the secret to select from. Must be\n a valid secret key.\n type: string\n name:\n description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names\n TODO: Add other useful fields. apiVersion, kind, uid?'\n type: string\n optional:\n description: Specify whether the Secret or its key must be\n defined\n type: boolean\n required:\n - key\n type: object\n type: object\n peerIP:\n description: The IP address of the peer followed by an optional port\n number to peer with. If port number is given, format should be `[]:port`\n or `:` for IPv4. If optional port number is not set,\n and this peer IP and ASNumber belongs to a calico/node with ListenPort\n set in BGPConfiguration, then we use that port to peer.\n type: string\n peerSelector:\n description: Selector for the remote nodes to peer with. When this\n is set, the PeerIP and ASNumber fields must be empty. 
For each\n peering between the local node and selected remote nodes, we configure\n an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,\n and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The\n remote AS number comes from the remote node's NodeBGPSpec.ASNumber,\n or the global default if that is not set.\n type: string\n reachableBy:\n description: Add an exact, i.e. /32, static route toward peer IP in\n order to prevent route flapping. ReachableBy contains the address\n of the gateway which peer can be reached by.\n type: string\n sourceAddress:\n description: Specifies whether and how to configure a source address\n for the peerings generated by this BGPPeer resource. Default value\n \"UseNodeIP\" means to configure the node IP as the source address. \"None\"\n means not to configure a source address.\n type: string\n ttlSecurity:\n description: TTLSecurity enables the generalized TTL security mechanism\n (GTSM) which protects against spoofed packets by ignoring received\n packets with a smaller than expected TTL value. The provided value\n is the number of hops (edges) between the peers.\n type: integer\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" blockaffinities = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: BlockAffinity\n listKind: BlockAffinityList\n plural: blockaffinities\n singular: blockaffinity\n preserveUnknownFields: false\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: BlockAffinitySpec contains the specification for a BlockAffinity\n resource.\n properties:\n cidr:\n type: string\n deleted:\n description: Deleted indicates that this block affinity is being deleted.\n This field is a string for compatibility with older releases that\n mistakenly treat this field as a string.\n type: string\n node:\n type: string\n state:\n type: string\n required:\n - cidr\n - deleted\n - node\n - state\n type: object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" caliconodestatuses = "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n annotations:\n controller-gen.kubebuilder.io/version: (devel)\n creationTimestamp: null\n name: caliconodestatuses.crd.projectcalico.org\nspec:\n group: crd.projectcalico.org\n names:\n kind: CalicoNodeStatus\n listKind: CalicoNodeStatusList\n plural: caliconodestatuses\n singular: caliconodestatus\n preserveUnknownFields: false\n scope: Cluster\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n description: 'APIVersion defines the versioned schema of this representation\n of an object. Servers should convert recognized schemas to the latest\n internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n type: string\n kind:\n description: 'Kind is a string value representing the REST resource this\n object represents. Servers may infer this from the endpoint the client\n submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n type: string\n metadata:\n type: object\n spec:\n description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus\n resource.\n properties:\n classes:\n description: Classes declares the types of information to monitor\n for this calico/node, and allows for selective status reporting\n about certain subsets of information.\n items:\n type: string\n type: array\n node:\n description: The node name identifies the Calico node instance for\n node status.\n type: string\n updatePeriodSeconds:\n description: UpdatePeriodSeconds is the period at which CalicoNodeStatus\n should be updated. 
Set to 0 to disable CalicoNodeStatus refresh.\n Maximum update period is one day.\n format: int32\n type: integer\n type: object\n status:\n description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.\n No validation needed for status since it is updated by Calico.\n properties:\n agent:\n description: Agent holds agent status on the node.\n properties:\n birdV4:\n description: BIRDV4 represents the latest observed status of bird4.\n properties:\n lastBootTime:\n description: LastBootTime holds the value of lastBootTime\n from bird.ctl output.\n type: string\n lastReconfigurationTime:\n description: LastReconfigurationTime holds the value of lastReconfigTime\n from bird.ctl output.\n type: string\n routerID:\n description: Router ID used by bird.\n type: string\n state:\n description: The state of the BGP Daemon.\n type: string\n version:\n description: Version of the BGP daemon\n type: string\n type: object\n birdV6:\n description: BIRDV6 represents the latest observed status of bird6.\n properties:\n lastBootTime:\n description: LastBootTime holds the value of lastBootTime\n from bird.ctl output.\n type: string\n lastReconfigurationTime:\n description: LastReconfigurationTime holds the value of lastReconfigTime\n from bird.ctl output.\n type: string\n routerID:\n description: Router ID used by bird.\n type: string\n state:\n description: The state of the BGP Daemon.\n type: string\n version:\n description: Version of the BGP daemon\n type: string\n type: object\n type: object\n bgp:\n description: BGP holds node BGP status.\n properties:\n numberEstablishedV4:\n description: The total number of IPv4 established bgp sessions.\n type: integer\n numberEstablishedV6:\n description: The total number of IPv6 established bgp sessions.\n type: integer\n numberNotEstablishedV4:\n description: The total number of IPv4 non-established bgp sessions.\n type: integer\n numberNotEstablishedV6:\n description: The total number of IPv6 non-established bgp 
sessions.\n type: integer\n peersV4:\n description: PeersV4 represents IPv4 BGP peers status on the node.\n items:\n description: CalicoNodePeer contains the status of BGP peers\n on the node.\n properties:\n peerIP:\n description: IP address of the peer whose condition we are\n reporting.\n type: string\n since:\n description: Since the state or reason last changed.\n type: string\n state:\n description: State is the BGP session state.\n type: string\n type:\n description: Type indicates whether this peer is configured\n via the node-to-node mesh, or via en explicit global or\n per-node BGPPeer object.\n type: string\n type: object\n type: array\n peersV6:\n description: PeersV6 represents IPv6 BGP peers status on the node.\n items:\n description: CalicoNodePeer contains the status of BGP peers\n on the node.\n properties:\n peerIP:\n description: IP address of the peer whose condition we are\n reporting.\n type: string\n since:\n description: Since the state or reason last changed.\n type: string\n state:\n description: State is the BGP session state.\n type: string\n type:\n description: Type indicates whether this peer is configured\n via the node-to-node mesh, or via en explicit global or\n per-node BGPPeer object.\n type: string\n type: object\n type: array\n required:\n - numberEstablishedV4\n - numberEstablishedV6\n - numberNotEstablishedV4\n - numberNotEstablishedV6\n type: object\n lastUpdated:\n description: LastUpdated is a timestamp representing the server time\n when CalicoNodeStatus object last updated. 
It is represented in\n RFC3339 form and is in UTC.\n format: date-time\n nullable: true\n type: string\n routes:\n description: Routes reports routes known to the Calico BGP daemon\n on the node.\n properties:\n routesV4:\n description: RoutesV4 represents IPv4 routes on the node.\n items:\n description: CalicoNodeRoute contains the status of BGP routes\n on the node.\n properties:\n destination:\n description: Destination of the route.\n type: string\n gateway:\n description: Gateway for the destination.\n type: string\n interface:\n description: Interface for the destination\n type: string\n learnedFrom:\n description: LearnedFrom contains information regarding\n where this route originated.\n properties:\n peerIP:\n description: If sourceType is NodeMesh or BGPPeer, IP\n address of the router that sent us this route.\n type: string\n sourceType:\n description: Type of the source where a route is learned\n from.\n type: string\n type: object\n type:\n description: Type indicates if the route is being used for\n forwarding or not.\n type: string\n type: object\n type: array\n routesV6:\n description: RoutesV6 represents IPv6 routes on the node.\n items:\n description: CalicoNodeRoute contains the status of BGP routes\n on the node.\n properties:\n destination:\n description: Destination of the route.\n type: string\n gateway:\n description: Gateway for the destination.\n type: string\n interface:\n description: Interface for the destination\n type: string\n learnedFrom:\n description: LearnedFrom contains information regarding\n where this route originated.\n properties:\n peerIP:\n description: If sourceType is NodeMesh or BGPPeer, IP\n address of the router that sent us this route.\n type: string\n sourceType:\n description: Type of the source where a route is learned\n from.\n type: string\n type: object\n type:\n description: Type indicates if the route is being used for\n forwarding or not.\n type: string\n type: object\n type: array\n type: object\n type: 
object\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n" diff --git a/confd/etc/calico/confd/templates/bird.cfg.template b/confd/etc/calico/confd/templates/bird.cfg.template index d87eff7f5db..1b8ae1c44a6 100644 --- a/confd/etc/calico/confd/templates/bird.cfg.template +++ b/confd/etc/calico/confd/templates/bird.cfg.template @@ -186,7 +186,7 @@ template bgp bgp_template { import all; # Import all routes, since we don't know what the upstream # topology is and therefore have to trust the ToR/RR. export filter { - calico_export_to_bgp_peers(); + calico_export_to_bgp_peers(true); reject; }; # Only want to export routes for workloads. {{- /* @@ -258,9 +258,9 @@ protocol bgp Global_{{$id}} from bgp_template { {{- end }} {{- end }} {{- end }} - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers({{eq $data.as_num $node_as_num}}); + reject;{{/* Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() + was rejected so use default reject behaviour on export */}} }; # Only want to export routes for workloads. {{- if and ($data.calico_node) (gt $data.ip $node_ip)}} passive on; # Peering is unidirectional, peer will connect to us. 
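Review bot: The internal-peer decision `calico_export_to_bgp_peers({{eq $data.as_num $node_as_num}});` is repeated verbatim in four hunks (here, @@ -333 of this file, and @@ -260 and @@ -335 of bird6.cfg.template); computing it once into a template variable would keep the four call sites in step. If `$data.as_num` can be empty for a peer that inherits the node's AS, `eq` renders `false`, the peer is treated as external and tunnel routes are still advertised to it, so it is worth confirming that as_num is always populated by the time this template runs. The enclosing `protocol bgp Global_{{$id}}` block starts before this hunk.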
@@ -333,9 +333,9 @@ protocol bgp Node_{{$id}} from bgp_template { {{- end }} {{- end }} {{- end }} - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers({{eq $data.as_num $node_as_num}}); + reject;{{/* Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() + was rejected so use default reject behaviour on export */}} }; # Only want to export routes for workloads. {{- if ne $data.restart_time ""}} graceful restart time {{$data.restart_time}}; diff --git a/confd/etc/calico/confd/templates/bird6.cfg.template b/confd/etc/calico/confd/templates/bird6.cfg.template index 617234a295c..3f7e6088fb4 100644 --- a/confd/etc/calico/confd/templates/bird6.cfg.template +++ b/confd/etc/calico/confd/templates/bird6.cfg.template @@ -188,7 +188,7 @@ template bgp bgp_template { import all; # Import all routes, since we don't know what the upstream # topology is and therefore have to trust the ToR/RR. export filter { - calico_export_to_bgp_peers(); + calico_export_to_bgp_peers(true); reject; }; # Only want to export routes for workloads. {{- /* 
@@ -260,9 +260,9 @@ protocol bgp Global_{{$id}} from bgp_template { {{- end }} {{- end }} {{- end }} - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers({{eq $data.as_num $node_as_num}}); + reject;{{/* Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() + was rejected so use default reject behaviour on export */}} }; # Only want to export routes for workloads. {{- if and ($data.calico_node) (gt $data.ip $node_ip6)}} passive on; # Peering is unidirectional, peer will connect to us. @@ -335,9 +335,9 @@ protocol bgp Node_{{$id}} from bgp_template { {{- end }} {{- end }} {{- end }} - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers({{eq $data.as_num $node_as_num}}); + reject;{{/* Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() + was rejected so use default reject behaviour on export */}} }; # Only want to export routes for workloads. {{- if ne $data.restart_time ""}} graceful restart time {{$data.restart_time}}; diff --git a/confd/etc/calico/confd/templates/bird6_ipam.cfg.template b/confd/etc/calico/confd/templates/bird6_ipam.cfg.template index b9fb7b4fd1f..8f14b1b935c 100644 --- a/confd/etc/calico/confd/templates/bird6_ipam.cfg.template +++ b/confd/etc/calico/confd/templates/bird6_ipam.cfg.template 
@@ -8,9 +8,24 @@ function reject_disabled_pools () {{- end}} } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); {{- $static_key := "/staticroutesv6"}} diff --git a/confd/etc/calico/confd/templates/bird_ipam.cfg.template b/confd/etc/calico/confd/templates/bird_ipam.cfg.template index 6bf16115e4e..38cba41de14 100644 --- a/confd/etc/calico/confd/templates/bird_ipam.cfg.template +++ b/confd/etc/calico/confd/templates/bird_ipam.cfg.template 
@@ -8,9 +8,24 @@ function reject_disabled_pools () {{- end}} } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); {{- $static_key := "/staticroutes"}} diff --git a/confd/pkg/resource/template/template_funcs.go b/confd/pkg/resource/template/template_funcs.go index e2120ff7722..6441c7b5ab3 100644 --- a/confd/pkg/resource/template/template_funcs.go +++ b/confd/pkg/resource/template/template_funcs.go @@ -80,6 +80,14 @@ func filterStatement(fields filterArgs) (string, error) { conditions = append(conditions, sourceCondition) } + if fields.iface != "" { + ifaceCondition, err := filterMatchInterface(fields.iface) + if err != nil { + return "", nil + } + conditions = append(conditions, ifaceCondition) + } + conditionExpr := strings.Join(conditions, "&&") if conditionExpr != "" { return fmt.Sprintf("if (%s) then { %s }", conditionExpr, actionStatement), nil 
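Review bot: The error from filterMatchInterface is dropped in the new `if fields.iface != "" {` block — `return "", nil` reports success with an empty statement instead of propagating the failure; it should read `return "", err`. Today the branch is unreachable, because filterMatchInterface only fails on an empty name and the guard already excludes that, but the next change to either side would silently emit an empty filter line rather than an error. filterStatement starts before this hunk.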
@@ -120,6 +128,13 @@ func filterMatchSource(source v3.BGPFilterMatchSource) (string, error) { } } +func filterMatchInterface(iface string) (string, error) { + if iface == "" { + return "", fmt.Errorf("Empty interface found in BGPFilter") + } + return fmt.Sprintf("((defined(ifname))&&(ifname ~ \"%s\"))", iface), nil +} + // BGPFilterFunctionName returns a formatted name for use as a BIRD function, truncating and hashing if the provided // name would result in a function name longer than the max allowable length of 64 chars. // e.g. input of ("my-bgp-filter", "import", "4") would result in output of "'bgp_my-bpg-filter_importFilterV4'" @@ -143,6 +158,7 @@ type filterArgs struct { operator v3.BGPFilterMatchOperator cidr string source v3.BGPFilterMatchSource + iface string action v3.BGPFilterAction } @@ -248,6 +264,7 @@ func BGPFilterBIRDFuncs(pairs memkv.KVPairs, version int) ([]string, error) { operator: importV4.MatchOperator, cidr: importV4.CIDR, source: importV4.Source, + iface: importV4.Interface, action: importV4.Action, }) } @@ -257,6 +274,7 @@ func BGPFilterBIRDFuncs(pairs memkv.KVPairs, version int) ([]string, error) { operator: importV6.MatchOperator, cidr: importV6.CIDR, source: importV6.Source, + iface: importV6.Interface, action: importV6.Action, }) } @@ -291,6 +309,7 @@ func BGPFilterBIRDFuncs(pairs memkv.KVPairs, version int) ([]string, error) { operator: exportV4.MatchOperator, cidr: exportV4.CIDR, source: exportV4.Source, + iface: exportV4.Interface, action: exportV4.Action, }) } @@ -300,6 +319,7 @@ func BGPFilterBIRDFuncs(pairs memkv.KVPairs, version int) ([]string, error) { operator: exportV6.MatchOperator, cidr: exportV6.CIDR, source: exportV6.Source, + iface: exportV6.Interface, action: exportV6.Action, }) } diff --git a/confd/pkg/resource/template/template_funcs_test.go b/confd/pkg/resource/template/template_funcs_test.go index 914bb145acd..e103f3f6639 100644 --- a/confd/pkg/resource/template/template_funcs_test.go 
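Review bot: filterMatchInterface writes the interface name into the generated BIRD config as a double-quoted literal through `%s`, so a value containing `"` or a newline would close the literal and the rest of the value would be parsed as BIRD configuration. The value originates in the BGPFilter CRD's new Interface field; unless the API layer already constrains it (not visible in this chunk), the function should validate the name before formatting, e.g. accept only the characters an interface name or a `*` glob can contain and return an error otherwise. The error text should also follow Go convention: `fmt.Errorf("empty interface found in BGPFilter")`. A one-line comment on the new `iface string` field in filterArgs (hunk @@ -143) saying it is an optional BIRD ifname glob would help the next reader.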
+++ b/confd/pkg/resource/template/template_funcs_test.go 
@@ -57,57 +57,89 @@ func Test_BGPFilterBIRDFuncs(t *testing.T) { testFilter.ObjectMeta.Name = "test-bgpfilter" testFilter.Spec = v3.BGPFilterSpec{ ImportV4: []v3.BGPFilterRuleV4{ - {Action: "Reject", MatchOperator: "Equal", CIDR: "44.4.0.0/16"}, + {Action: "Accept", Source: "RemotePeers", Interface: "vxlan.calico", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, {Action: "Reject", Source: "RemotePeers", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, + {Action: "Reject", Interface: "eth0", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, + {Action: "Accept", Interface: "eth0", Source: "RemotePeers"}, + {Action: "Reject", MatchOperator: "Equal", CIDR: "44.4.0.0/16"}, {Action: "Accept", Source: "RemotePeers"}, + {Action: "Reject", Interface: "extraiface"}, {Action: "Reject"}, }, ExportV4: []v3.BGPFilterRuleV4{ - {Action: "Accept", MatchOperator: "In", CIDR: "77.7.0.0/16"}, + {Action: "Reject", Source: "RemotePeers", Interface: "vxlan.calico", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, {Action: "Reject", Source: "RemotePeers", MatchOperator: "NotIn", CIDR: "88.7.0.0/16"}, + {Action: "Accept", Interface: "eth0", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, + {Action: "Reject", Interface: "eth0", Source: "RemotePeers"}, + {Action: "Accept", MatchOperator: "In", CIDR: "77.7.0.0/16"}, {Action: "Accept", Source: "RemotePeers"}, + {Action: "Accept", Interface: "extraiface"}, {Action: "Reject"}, }, ImportV6: []v3.BGPFilterRuleV6{ - {Action: "Accept", MatchOperator: "NotEqual", CIDR: "7000:1::0/64"}, + {Action: "Reject", Source: "RemotePeers", Interface: "vxlan.calico", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, {Action: "Reject", Source: "RemotePeers", MatchOperator: "NotEqual", CIDR: "8000:1::0/64"}, + {Action: "Accept", Interface: "eth0", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, + {Action: "Reject", Interface: "eth0", Source: "RemotePeers"}, + {Action: "Accept", MatchOperator: "NotEqual", CIDR: "7000:1::0/64"}, {Action: "Accept", Source: "RemotePeers"}, + {Action: 
"Accept", Interface: "extraiface"}, {Action: "Reject"}, }, ExportV6: []v3.BGPFilterRuleV6{ - {Action: "Accept", MatchOperator: "NotIn", CIDR: "9000:1::0/64"}, + {Action: "Accept", Source: "RemotePeers", Interface: "vxlan.calico", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, {Action: "Reject", Source: "RemotePeers", MatchOperator: "NotIn", CIDR: "a000:1::0/64"}, + {Action: "Reject", Interface: "eth0", MatchOperator: "NotIn", CIDR: "55.4.0.0/16"}, + {Action: "Accept", Interface: "eth0", Source: "RemotePeers"}, + {Action: "Accept", MatchOperator: "NotIn", CIDR: "9000:1::0/64"}, {Action: "Accept", Source: "RemotePeers"}, + {Action: "Reject", Interface: "extraiface"}, {Action: "Reject"}, }, } expectedBIRDCfgStrV4 := []string{ "# v4 BGPFilter test-bgpfilter", "function 'bgp_test-bgpfilter_importFilterV4'() {", - " if ((net = 44.4.0.0/16)) then { reject; }", + " if ((net !~ 55.4.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"vxlan.calico\"))) then { accept; }", " if ((net !~ 55.4.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }", + " if ((net !~ 55.4.0.0/16)&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { reject; }", + " if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { accept; }", + " if ((net = 44.4.0.0/16)) then { reject; }", " if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }", + " if (((defined(ifname))&&(ifname ~ \"extraiface\"))) then { reject; }", " reject;", "}", "function 'bgp_test-bgpfilter_exportFilterV4'() {", - " if ((net ~ 77.7.0.0/16)) then { accept; }", + " if ((net !~ 55.4.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"vxlan.calico\"))) then { reject; }", " if ((net !~ 88.7.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }", + " if ((net !~ 55.4.0.0/16)&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { accept; }", + " if (((defined(source))&&(source ~ [ RTS_BGP 
]))&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { reject; }", + " if ((net ~ 77.7.0.0/16)) then { accept; }", " if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }", + " if (((defined(ifname))&&(ifname ~ \"extraiface\"))) then { accept; }", " reject;", "}", } expectedBIRDCfgStrV6 := []string{ "# v6 BGPFilter test-bgpfilter", "function 'bgp_test-bgpfilter_importFilterV6'() {", - " if ((net != 7000:1::0/64)) then { accept; }", + " if ((net !~ 55.4.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"vxlan.calico\"))) then { reject; }", " if ((net != 8000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }", + " if ((net !~ 55.4.0.0/16)&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { accept; }", + " if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { reject; }", + " if ((net != 7000:1::0/64)) then { accept; }", " if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }", + " if (((defined(ifname))&&(ifname ~ \"extraiface\"))) then { accept; }", " reject;", "}", "function 'bgp_test-bgpfilter_exportFilterV6'() {", - " if ((net !~ 9000:1::0/64)) then { accept; }", + " if ((net !~ 55.4.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"vxlan.calico\"))) then { accept; }", " if ((net !~ a000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }", + " if ((net !~ 55.4.0.0/16)&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { reject; }", + " if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ \"eth0\"))) then { accept; }", + " if ((net !~ 9000:1::0/64)) then { accept; }", " if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }", + " if (((defined(ifname))&&(ifname ~ \"extraiface\"))) then { reject; }", " reject;", "}", } 
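Review bot: The new ImportV6 and ExportV6 fixtures use the IPv4 prefix `55.4.0.0/16` in their first and third rules, so the expected bird6 output now asserts `net !~ 55.4.0.0/16` inside a v6 filter, which bird6 would not parse. Use a v6 prefix such as the existing `8000:1::0/64` in those rules and in the matching expected lines. That the test passes as written also shows BGPFilterBIRDFuncs does not check the CIDR's address family against the rule's version; that check presumably belongs in API validation, which is outside this hunk. Test_BGPFilterBIRDFuncs starts before this hunk.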
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird.cfg index b70e4fcc11e..06dd4ae4e31 100644 --- a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird.cfg +++ b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird.cfg @@ -61,14 +61,14 @@ template bgp bgp_template { # v4 BGPFilter export-only-filter-1 function 'bgp_export-only-filter-1_exportFilterV4'() { if ((net ~ 44.0.0.0/16)) then { accept; } - if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; } + if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; } if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; } reject; } # v4 BGPFilter export-only-filter-2 function 'bgp_export-only-filter-2_exportFilterV4'() { if ((net ~ 44.2.0.0/16)) then { accept; } - if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; } + if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth9"))) then { reject; } if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; } reject; } @@ -99,9 +99,8 @@ protocol bgp Node_10_192_0_3 from bgp_template { }; export filter { 'bgp_export-only-filter-1_exportFilterV4'(); - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. } 
@@ -117,9 +116,8 @@ protocol bgp Node_10_192_0_4 from bgp_template { }; export filter { 'bgp_export-only-filter-2_exportFilterV4'(); - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. } diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6.cfg index 17b6c93c8ea..ccee4c81cab 100644 --- a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6.cfg +++ b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6.cfg @@ -62,14 +62,14 @@ template bgp bgp_template { function 'bgp_export-only-filter-1_exportFilterV6'() { if ((net ~ 5000::0/64)) then { accept; } if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; } - if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; } + if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*"))) then { accept; } reject; } # v6 BGPFilter export-only-filter-2 function 'bgp_export-only-filter-2_exportFilterV6'() { if ((net ~ 5000:2::0/64)) then { accept; } if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; } - if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; } + if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { accept; } reject; } 
@@ -99,9 +99,8 @@ protocol bgp Node_2001__103 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter-1_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Node_2001__104 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/explicit_peer/bird_ipam.cfg
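Review bot: The new `calico_export_to_bgp_peers(bool internal_peer)` never says what "internal" means, while every caller in this diff hard-codes the flag (`true` for the `Global_*` peers, `false` for the `Node_*` peers), so a reader of the filter cannot tell whether an explicit peer that is itself a cluster node is supposed to keep receiving tunnel routes. A one-line comment next to the parameter would settle it, along the lines of `# internal_peer: true when the peer is another node of this cluster (it already has Felix-programmed routes for tunnel prefixes); external peers still receive them` — worded to match whatever the template actually decides, which is outside this diff. `reject_tunnel_routes` would likewise benefit from naming what its globs are meant to cover, e.g. `# "*.cali" / "*.calico" match the wireguard and vxlan devices; tunl0 (IPIP) deliberately does not match, see above`. The same two functions are repeated in every `bird_ipam.cfg` and `bird6_ipam.cfg` fixture in this diff (export_only, filter_deletion step1/step2, filter_names, import_only); if these files are compiled from the template, the comment belongs in the template and the fixtures should be regenerated rather than hand-edited. The body of `calico_export_to_bgp_peers` continues past the end of the hunk.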
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird.cfg
index f147d7ab1ee..0b2caa61286 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird.cfg
@@ -63,7 +63,7 @@ function 'bgp_export-only-filter_exportFilterV4'() {
 if ((net ~ 44.0.0.0/16)) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 }
 # ------------- Node-to-node mesh -------------
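Review bot: In the `export_only/global_peer/bird.cfg` hunk the last rule of `bgp_export-only-filter_exportFilterV4` changes from an unconditional `reject;` to `if (((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }`, so the function no longer terminates the filter for every route: anything that does not match now falls through to `calico_export_to_bgp_peers(true)` and only then the protocol-level `reject;`. The same shape appears in `import_only/global_peer/bird.cfg`, where the selector is `ifname ~ "*"`; that still requires `defined(ifname)`, so a route without an interface falls through to the import filter's default `accept;` rather than being rejected, i.e. it is not a catch-all. If the fixture's input intends that final rule as a default, the expected output is worth checking against that; if fall-through is intended, a comment on the rule such as `# routes not matching the interface selector continue to the protocol's filter` would make the expected behaviour explicit. The `export filter` / `import filter` blocks that call these functions lie outside the hunk.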
@@ -91,9 +91,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -109,9 +108,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6.cfg
index 6cc0dc1220c..b82eb03e4d0 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6.cfg
@@ -61,7 +61,7 @@ template bgp bgp_template {
 # v6 BGPFilter export-only-filter
 function 'bgp_export-only-filter_exportFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
- if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -91,9 +91,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -109,9 +108,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_export-only-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/export_only/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird.cfg
index 89f7ac470ee..35af6e7f673 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird.cfg
@@ -98,9 +98,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6.cfg
index dcd7ef39ffa..0a7501fecdc 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6.cfg
@@ -98,9 +98,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step1/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird.cfg
index d86bc76b7c8..51d0a184beb 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird.cfg
@@ -84,9 +84,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -101,9 +100,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6.cfg
index 75093cf8fe0..6d0b72fe8b1 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6.cfg
@@ -84,9 +84,8 @@ protocol bgp Global_2001__103 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -101,9 +100,8 @@ protocol bgp Global_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_deletion/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_names/bird.cfg b/confd/tests/compiled_templates/bgpfilter/filter_names/bird.cfg
index bf4a4f91d81..a69c7043b22 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_names/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_names/bird.cfg
@@ -116,9 +116,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 'bgp_45characters.exactly.so.should.not.truncate-1_exportFilterV4'();
 'bgp_46characters.exactly.so.shou_9615CBDC00BAC628_exportFilterV4'();
 'bgp_greater-than-64-characters.s_4C5DB3273E544641_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -139,9 +138,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 'bgp_45characters.exactly.so.should.not.truncate-1_exportFilterV4'();
 'bgp_46characters.exactly.so.shou_9615CBDC00BAC628_exportFilterV4'();
 'bgp_greater-than-64-characters.s_4C5DB3273E544641_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_names/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/filter_names/bird6.cfg
index 8e7175b1613..070d8c74b6f 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_names/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_names/bird6.cfg
@@ -116,9 +116,8 @@ protocol bgp Global_2001__103 from bgp_template {
 'bgp_45characters.exactly.so.should.not.truncate-1_exportFilterV6'();
 'bgp_46characters.exactly.so.shou_9615CBDC00BAC628_exportFilterV6'();
 'bgp_greater-than-64-characters.s_4C5DB3273E544641_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -139,9 +138,8 @@ protocol bgp Global_2001__104 from bgp_template {
 'bgp_45characters.exactly.so.should.not.truncate-1_exportFilterV6'();
 'bgp_46characters.exactly.so.shou_9615CBDC00BAC628_exportFilterV6'();
 'bgp_greater-than-64-characters.s_4C5DB3273E544641_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_names/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_names/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_names/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_names/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/filter_names/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/filter_names/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/filter_names/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/filter_names/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird.cfg
index aac681c3e5f..60edaaba366 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird.cfg
@@ -60,7 +60,7 @@ template bgp bgp_template {
 # -------------- BGP Filters ------------------
 # v4 BGPFilter import-only-filter-1
 function 'bgp_import-only-filter-1_importFilterV4'() {
- if ((net ~ 44.0.0.0/16)) then { accept; }
+ if ((net ~ 44.0.0.0/16)&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -68,7 +68,7 @@ function 'bgp_import-only-filter-1_importFilterV4'() {
 # v4 BGPFilter import-only-filter-2
 function 'bgp_import-only-filter-2_importFilterV4'() {
 if ((net ~ 44.2.0.0/16)) then { accept; }
- if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "vxlan.calico"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -99,9 +99,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6.cfg
index c2aca74eec1..329c0848c6c 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6.cfg
@@ -62,14 +62,14 @@ template bgp bgp_template {
 function 'bgp_import-only-filter-1_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
 if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*"))) then { accept; }
 reject;
 }
 # v6 BGPFilter import-only-filter-2
 function 'bgp_import-only-filter-2_importFilterV6'() {
 if ((net ~ 5000:2::0/64)) then { accept; }
 if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "cali*"))) then { accept; }
 reject;
 }
@@ -99,9 +99,8 @@ protocol bgp Node_2001__103 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Node_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/explicit_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird.cfg
index 82eb975ce7a..dcd4d1bbdb0 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird.cfg
@@ -63,7 +63,7 @@ function 'bgp_import-only-filter_importFilterV4'() {
 if ((net ~ 44.0.0.0/16)) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*"))) then { reject; }
 }
 # ------------- Node-to-node mesh -------------
@@ -91,9 +91,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -109,9 +108,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6.cfg
index a82334317fb..4d90b813c2f 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6.cfg
@@ -61,7 +61,7 @@ template bgp bgp_template {
 # v6 BGPFilter import-only-filter
 function 'bgp_import-only-filter_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
- if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth."))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -91,9 +91,8 @@ protocol bgp Global_2001__103 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -109,9 +108,8 @@ protocol bgp Global_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/import_only/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird.cfg
new file mode 100644
index 00000000000..9001564eb42
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird.cfg
@@ -0,0 +1,130 @@
+function apply_communities ()
+{
+}
+
+# Generated by confd
+include "bird_aggr.cfg";
+include "bird_ipam.cfg";
+
+router id 10.192.0.2;
+
+# Configure synchronization between routing tables and kernel.
+protocol kernel {
+ learn; # Learn all alien routes from the kernel
+ persist; # Don't remove routes on bird shutdown
+ scan time 2; # Scan kernel routing table every 2 seconds
+ import all;
+ export filter calico_kernel_programming; # Default is export none
+ graceful restart; # Turn on graceful restart to reduce potential flaps in
+ # routes when reloading BIRD configuration. With a full
+ # automatic mesh, there is no way to prevent BGP from
+ # flapping since multiple nodes update their BGP
+ # configuration at the same time, GR is not guaranteed to
+ # work correctly in this scenario.
+ merge paths on; # Allow export multipath routes (ECMP)
+}
+
+# Watch interface up/down events.
+protocol device {
+ debug { states };
+ scan time 2; # Scan interfaces every 2 seconds
+}
+
+protocol direct {
+ debug { states };
+ interface -"cali*", -"kube-ipvs*", "*"; # Exclude cali* and kube-ipvs* but
+ # include everything else. In
+ # IPVS-mode, kube-proxy creates a
+ # kube-ipvs0 interface. We exclude
+ # kube-ipvs0 because this interface
+ # gets an address for every in use
+ # cluster IP. We use static routes
+ # for when we legitimately want to
+ # export cluster IPs.
+}
+
+
+# Template for all BGP clients
+template bgp bgp_template {
+ debug { states };
+ description "Connection to BGP peer";
+ local as 64512;
+ gateway recursive; # This should be the default, but just in case.
+ add paths on;
+ graceful restart; # See comment in kernel section about graceful restart.
+ connect delay time 2;
+ connect retry time 5;
+ error wait time 5,30;
+}
+
+# -------------- BGP Filters ------------------
+# v4 BGPFilter test-filter-match-interface
+function 'bgp_test-filter-match-interface_importFilterV4'() {
+ if ((net ~ 44.0.0.0/16)) then { accept; }
+ if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(ifname))&&(ifname ~ "iface"))) then { reject; }
+}
+function 'bgp_test-filter-match-interface_exportFilterV4'() {
+ if ((net !~ 77.0.0.0/16)&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
+ if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ reject;
+}
+
+# ------------- Node-to-node mesh -------------
+
+# Node-to-node mesh disabled
+
+
+
+# ------------- Global peers -------------
+
+
+
+# For peer /bgp/v1/global/peer_v4/10.192.0.2
+# Skipping ourselves (10.192.0.2)
+
+
+# For peer /bgp/v1/global/peer_v4/10.192.0.3
+protocol bgp Global_10_192_0_3 from bgp_template {
+ ttl security off;
+ multihop;
+ neighbor 10.192.0.3 as 64512;
+ source address 10.192.0.2; # The local address we use for the TCP connection
+ import filter {
+ 'bgp_test-filter-match-interface_importFilterV4'();
+ accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
+ };
+ export filter {
+ 'bgp_test-filter-match-interface_exportFilterV4'();
+ calico_export_to_bgp_peers(true);
+ reject;
+ }; # Only want to export routes for workloads.
+}
+
+
+# For peer /bgp/v1/global/peer_v4/10.192.0.4
+protocol bgp Global_10_192_0_4 from bgp_template {
+ ttl security off;
+ multihop;
+ neighbor 10.192.0.4 as 64512;
+ source address 10.192.0.2; # The local address we use for the TCP connection
+ import filter {
+ 'bgp_test-filter-match-interface_importFilterV4'();
+ accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
+ };
+ export filter {
+ 'bgp_test-filter-match-interface_exportFilterV4'();
+ calico_export_to_bgp_peers(true);
+ reject;
+ }; # Only want to export routes for workloads.
+}
+
+
+
+
+# ------------- Node-specific peers -------------
+
+# No node-specific peers configured.
+
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6.cfg
new file mode 100644
index 00000000000..717b893cb6c
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6.cfg
@@ -0,0 +1,130 @@
+function apply_communities ()
+{
+}
+
+# Generated by confd
+include "bird6_aggr.cfg";
+include "bird6_ipam.cfg";
+
+router id 10.192.0.2; # Use IPv4 address since router id is 4 octets, even in MP-BGP
+
+# Configure synchronization between routing tables and kernel.
+protocol kernel {
+ learn; # Learn all alien routes from the kernel
+ persist; # Don't remove routes on bird shutdown
+ scan time 2; # Scan kernel routing table every 2 seconds
+ import all;
+ export filter calico_kernel_programming; # Default is export none
+ graceful restart; # Turn on graceful restart to reduce potential flaps in
+ # routes when reloading BIRD configuration. With a full
+ # automatic mesh, there is no way to prevent BGP from
+ # flapping since multiple nodes update their BGP
+ # configuration at the same time, GR is not guaranteed to
+ # work correctly in this scenario.
+ merge paths on; # Allow export multipath routes (ECMP)
+}
+
+# Watch interface up/down events.
+protocol device {
+ debug { states };
+ scan time 2; # Scan interfaces every 2 seconds
+}
+
+protocol direct {
+ debug { states };
+ interface -"cali*", -"kube-ipvs*", "*"; # Exclude cali* and kube-ipvs* but
+ # include everything else. In
+ # IPVS-mode, kube-proxy creates a
+ # kube-ipvs0 interface. We exclude
+ # kube-ipvs0 because this interface
+ # gets an address for every in use
+ # cluster IP. We use static routes
+ # for when we legitimately want to
+ # export cluster IPs.
+}
+
+
+# Template for all BGP clients
+template bgp bgp_template {
+ debug { states };
+ description "Connection to BGP peer";
+ local as 64512;
+ gateway recursive; # This should be the default, but just in case.
+ add paths on;
+ graceful restart; # See comment in kernel section about graceful restart.
+ connect delay time 2;
+ connect retry time 5;
+ error wait time 5,30;
+}
+
+# -------------- BGP Filters ------------------
+# v6 BGPFilter test-filter-match-interface
+function 'bgp_test-filter-match-interface_importFilterV6'() {
+ if ((net ~ 5000::0/64)) then { accept; }
+ if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { accept; }
+ reject;
+}
+function 'bgp_test-filter-match-interface_exportFilterV6'() {
+ if ((net ~ 9000::0/64)) then { accept; }
+ if ((net != 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth*"))) then { reject; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ reject;
+}
+
+# ------------- Node-to-node mesh -------------
+
+# Node-to-node mesh disabled
+
+
+
+# ------------- Global peers -------------
+
+
+
+# For peer /bgp/v1/global/peer_v6/2001::102
+# Skipping ourselves (2001::102)
+
+
+# For peer /bgp/v1/global/peer_v6/2001::103
+protocol bgp Global_2001__103 from bgp_template {
+ ttl security off;
+ multihop;
+ neighbor 2001::103 as 64512;
+ source address 2001::102; # The local address we use for the TCP connection
+ import filter {
+ 'bgp_test-filter-match-interface_importFilterV6'();
+ accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
+ };
+ export filter {
+ 'bgp_test-filter-match-interface_exportFilterV6'();
+ calico_export_to_bgp_peers(true);
+ reject;
+ }; # Only want to export routes for workloads.
+}
+
+
+# For peer /bgp/v1/global/peer_v6/2001::104
+protocol bgp Global_2001__104 from bgp_template {
+ ttl security off;
+ multihop;
+ neighbor 2001::104 as 64512;
+ source address 2001::102; # The local address we use for the TCP connection
+ import filter {
+ 'bgp_test-filter-match-interface_importFilterV6'();
+ accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
+ };
+ export filter {
+ 'bgp_test-filter-match-interface_exportFilterV6'();
+ calico_export_to_bgp_peers(true);
+ reject;
+ }; # Only want to export routes for workloads.
+}
+
+
+
+
+# ------------- Node-specific peers -------------
+
+# No node-specific peers configured.
+
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_aggr.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_aggr.cfg
new file mode 100644
index 00000000000..2f8fc95b5af
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_aggr.cfg
@@ -0,0 +1,10 @@
+# Generated by confd
+
+protocol static {
+ # No IP blocks or static routes for this host.
+}
+
+# Aggregation of routes on this host; export the block, nothing beneath it.
+function calico_aggr ()
+{
+}
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_ipam.cfg
new file mode 100644
index 00000000000..67327e452b9
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird6_ipam.cfg
@@ -0,0 +1,33 @@
+# Generated by confd
+function reject_disabled_pools ()
+{
+
+}
+
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
+ reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
+ apply_communities();
+ calico_aggr();
+
+}
+
+filter calico_kernel_programming {
+
+ accept;
+}
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird_aggr.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird_aggr.cfg
new file mode 100644
index 00000000000..9d86b3b0205
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird_aggr.cfg
@@ -0,0 +1,29 @@
+# Generated by confd
+
+protocol static {
+ # IP blocks for this host.
+ route 10.0.0.0/30 blackhole;
+ route 10.1.0.0/24 blackhole;
+ route 192.168.221.192/26 blackhole;
+ route 192.168.221.64/26 blackhole;
+}
+
+# Aggregation of routes on this host; export the block, nothing beneath it.
+function calico_aggr ()
+{
+ # Block 10.0.0.0/30 is implicitly confirmed.
+ if ( net = 10.0.0.0/30 ) then { accept; }
+ if ( net ~ 10.0.0.0/30 ) then { reject; }
+ # Block 10.1.0.0/24 is implicitly confirmed.
+ if ( net = 10.1.0.0/24 ) then { accept; }
+ if ( net ~ 10.1.0.0/24 ) then { reject; }
+ # Block 10.2.0.1/32 is implicitly confirmed.
+ if ( net = 10.2.0.1/32 ) then { accept; }
+ if ( net ~ 10.2.0.1/32 ) then { reject; }
+ # Block 192.168.221.192/26 is implicitly confirmed.
+ if ( net = 192.168.221.192/26 ) then { accept; }
+ if ( net ~ 192.168.221.192/26 ) then { reject; }
+ # Block 192.168.221.64/26 is confirmed
+ if ( net = 192.168.221.64/26 ) then { accept; }
+ if ( net ~ 192.168.221.64/26 ) then { reject; }
+}
diff --git a/confd/tests/compiled_templates/bgpfilter/match_interface/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_interface/bird_ipam.cfg
new file mode 100644
index 00000000000..7b67c8f3c72
--- /dev/null
+++ b/confd/tests/compiled_templates/bgpfilter/match_interface/bird_ipam.cfg
@@ -0,0 +1,34 @@
+# Generated by confd
+function reject_disabled_pools ()
+{
+
+}
+
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
+ reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
+ apply_communities();
+ calico_aggr();
+
+}
+
+
+filter calico_kernel_programming {
+
+ accept;
+}
diff --git a/confd/tests/compiled_templates/bgpfilter/match_operators/bird.cfg b/confd/tests/compiled_templates/bgpfilter/match_operators/bird.cfg
index b088ecaf108..0af0a6cc3f8 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_operators/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_operators/bird.cfg
@@ -98,9 +98,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-operators_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-operators_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/match_operators/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/match_operators/bird6.cfg
index 1dee70015c6..7907545c23d 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_operators/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_operators/bird6.cfg
@@ -98,9 +98,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-operators_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-operators_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/match_operators/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_operators/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_operators/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_operators/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/match_operators/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_operators/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_operators/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_operators/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/match_source/bird.cfg b/confd/tests/compiled_templates/bgpfilter/match_source/bird.cfg
index 9d77d1ce7d7..e23e7d7f0c0 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_source/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_source/bird.cfg
@@ -94,9 +94,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-source_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -113,9 +112,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-source_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/match_source/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/match_source/bird6.cfg
index 918dea03bb6..ed9f1e62fbd 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_source/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_source/bird6.cfg
@@ -94,9 +94,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-source_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -113,9 +112,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter-match-source_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/match_source/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_source/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_source/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_source/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/match_source/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/match_source/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/match_source/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/match_source/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird.cfg
index d9753bf80d9..98a03c493f4 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird.cfg
@@ -74,12 +74,12 @@ function 'bgp_test-filter-1_exportFilterV4'() {
 # v4 BGPFilter test-filter-2
 function 'bgp_test-filter-2_importFilterV4'() {
 if ((net ~ 44.2.0.0/16)) then { accept; }
- if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter-2_exportFilterV4'() {
- if ((net ~ 77.2.0.0/16)) then { accept; }
+ if ((net ~ 77.2.0.0/16)&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
 if ((net ~ 77.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -109,9 +109,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
@@ -131,9 +130,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6.cfg
index 294936f9351..ebafcb62ae0 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6.cfg
@@ -76,12 +76,12 @@ function 'bgp_test-filter-2_importFilterV6'() {
 if ((net ~ 5000:2::0/64)) then { accept; }
 if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*"))) then { reject; }
 }
 function 'bgp_test-filter-2_exportFilterV6'() {
 if ((net ~ 9000:2::0/64)) then { accept; }
 if ((net ~ 9000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { accept; }
 reject;
 }
@@ -109,9 +109,8 @@ protocol bgp Global_2001__103 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
@@ -131,9 +130,8 @@ protocol bgp Global_2001__104 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/explicit_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird.cfg
index 633cf11fe99..3ace0c5fbb6 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird.cfg
@@ -60,7 +60,7 @@ template bgp bgp_template {
 # -------------- BGP Filters ------------------
 # v4 BGPFilter test-filter-1
 function 'bgp_test-filter-1_importFilterV4'() {
- if ((net ~ 44.0.0.0/16)) then { accept; }
+ if ((net ~ 44.0.0.0/16)&&((defined(ifname))&&(ifname ~ "eth*"))) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -69,7 +69,7 @@ function 'bgp_test-filter-1_exportFilterV4'() {
 if ((net ~ 77.0.0.0/16)) then { accept; }
 if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "eth0"))) then { reject; }
 }
 # v4 BGPFilter test-filter-2
 function 'bgp_test-filter-2_importFilterV4'() {
@@ -113,9 +113,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -134,9 +133,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6.cfg
index 25ec73d941a..737623b9542 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6.cfg
@@ -61,13 +61,13 @@ template bgp bgp_template {
 # v6 BGPFilter test-filter-1
 function 'bgp_test-filter-1_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
- if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter-1_exportFilterV6'() {
 if ((net ~ 9000::0/64)) then { accept; }
- if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "vxlan.*"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -113,9 +113,8 @@ protocol bgp Global_2001__103 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -134,9 +133,8 @@ protocol bgp Global_2001__104 from bgp_template {
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/multi_filter/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird.cfg b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird.cfg
index cb6f1aab15b..91b911c1b9a 100644
--- a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird.cfg
@@ -61,12 +61,12 @@ template bgp bgp_template {
 # v4 BGPFilter test-filter
 function 'bgp_test-filter_importFilterV4'() {
 if ((net ~ 44.0.0.0/16)) then { accept; }
- if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "someiface"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter_exportFilterV4'() {
- if ((net ~ 77.0.0.0/16)) then { accept; }
+ if ((net ~ 77.0.0.0/16)&&((defined(ifname))&&(ifname ~ "*.calico"))) then { accept; }
 if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -90,7 +90,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -105,7 +105,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6.cfg
index af6b5dc0503..7e89d29df1c 100644
--- a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6.cfg
@@ -63,12 +63,12 @@ function 'bgp_test-filter_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
 if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "cali*"))) then { reject; }
 }
 function 'bgp_test-filter_exportFilterV6'() {
 if ((net ~ 9000::0/64)) then { accept; }
 if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "some*iface"))) then { accept; }
 reject;
 }
@@ -90,7 +90,7 @@ protocol bgp Mesh_2001__103 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -105,7 +105,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/node_mesh/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/node_mesh/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird.cfg
index 54cadb3880c..946e4a1cb78 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird.cfg
@@ -60,14 +60,14 @@ template bgp bgp_template {
 # -------------- BGP Filters ------------------
 # v4 BGPFilter test-filter-1
 function 'bgp_test-filter-1_importFilterV4'() {
- if ((net ~ 44.0.0.0/16)) then { accept; }
+ if ((net ~ 44.0.0.0/16)&&((defined(ifname))&&(ifname ~ "eth*"))) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter-1_exportFilterV4'() {
 if ((net ~ 77.0.0.0/16)) then { accept; }
- if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth0"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -76,12 +76,12 @@ function 'bgp_test-filter-2_importFilterV4'() {
 if ((net ~ 44.2.0.0/16)) then { accept; }
 if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 }
 function 'bgp_test-filter-2_exportFilterV4'() {
 if ((net ~ 77.2.0.0/16)) then { accept; }
 if ((net ~ 77.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
 reject;
 }
@@ -112,9 +112,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -131,9 +130,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6.cfg
index 491b3aaca3b..a4ae6735ddf 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6.cfg
@@ -61,7 +61,7 @@ template bgp bgp_template {
 # v6 BGPFilter test-filter-1
 function 'bgp_test-filter-1_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
- if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -69,17 +69,17 @@ function 'bgp_test-filter-1_exportFilterV6'() {
 if ((net ~ 9000::0/64)) then { accept; }
 if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 }
 # v6 BGPFilter test-filter-2
 function 'bgp_test-filter-2_importFilterV6'() {
 if ((net ~ 5000:2::0/64)) then { accept; }
 if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "cali*"))) then { accept; }
 reject;
 }
 function 'bgp_test-filter-2_exportFilterV6'() {
- if ((net ~ 9000:2::0/64)) then { accept; }
+ if ((net ~ 9000:2::0/64)&&((defined(ifname))&&(ifname ~ "eth*"))) then { accept; }
 if ((net ~ 9000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -112,9 +112,8 @@ protocol bgp Node_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -131,9 +130,8 @@ protocol bgp Node_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/explicit_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird.cfg
index 89f7ac470ee..a6e538ec88b 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird.cfg
@@ -63,12 +63,12 @@ function 'bgp_test-filter_importFilterV4'() {
 if ((net ~ 44.0.0.0/16)) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "eth*"))) then { reject; }
 }
 function 'bgp_test-filter_exportFilterV4'() {
 if ((net ~ 77.0.0.0/16)) then { accept; }
 if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
- if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
+ if (((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
 reject;
 }
@@ -98,9 +98,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6.cfg
index dcd7ef39ffa..a54d68701cf 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6.cfg
@@ -60,14 +60,14 @@ template bgp bgp_template {
 # -------------- BGP Filters ------------------
 # v6 BGPFilter test-filter
 function 'bgp_test-filter_importFilterV6'() {
- if ((net ~ 5000::0/64)) then { accept; }
+ if ((net ~ 5000::0/64)&&((defined(ifname))&&(ifname ~ "*.calico"))) then { accept; }
 if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter_exportFilterV6'() {
 if ((net ~ 9000::0/64)) then { accept; }
- if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "vxlan.calico"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -98,9 +98,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/single_filter/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird.cfg
index 54cadb3880c..d1560614350 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird.cfg
@@ -60,7 +60,7 @@ template bgp bgp_template {
 # -------------- BGP Filters ------------------
 # v4 BGPFilter test-filter-1
 function 'bgp_test-filter-1_importFilterV4'() {
- if ((net ~ 44.0.0.0/16)) then { accept; }
+ if ((net ~ 44.0.0.0/16)&&((defined(ifname))&&(ifname ~ ".calico"))) then { accept; }
 if ((net ~ 44.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
@@ -69,18 +69,18 @@ function 'bgp_test-filter-1_exportFilterV4'() {
 if ((net ~ 77.0.0.0/16)) then { accept; }
 if ((net ~ 77.1.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 }
 # v4 BGPFilter test-filter-2
 function 'bgp_test-filter-2_importFilterV4'() {
 if ((net ~ 44.2.0.0/16)) then { accept; }
- if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 44.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "random*"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
 function 'bgp_test-filter-2_exportFilterV4'() {
 if ((net ~ 77.2.0.0/16)) then { accept; }
- if ((net ~ 77.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 77.3.0.0/16)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "random.iface"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -112,9 +112,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter-1_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -131,9 +130,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter-2_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6.cfg
index 3fa9d2714f4..49c7c7dd53d 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_2001__103 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/explicit_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird.cfg
index 89f7ac470ee..35af6e7f673 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird.cfg
@@ -98,9 +98,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV4'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6.cfg
index 75093cf8fe0..6d0b72fe8b1 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6.cfg
@@ -84,9 +84,8 @@ protocol bgp Global_2001__103 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -101,9 +100,8 @@ protocol bgp Global_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v4_only/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird.cfg
index db5a4e776f8..88314269717 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6.cfg
index 491b3aaca3b..e68ab51cb98 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6.cfg
@@ -63,18 +63,18 @@ function 'bgp_test-filter-1_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
 if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "*"))) then { reject; }
 }
 function 'bgp_test-filter-1_exportFilterV6'() {
- if ((net ~ 9000::0/64)) then { accept; }
+ if ((net ~ 9000::0/64)&&((defined(ifname))&&(ifname ~ "eth0"))) then { accept; }
 if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "eth*"))) then { reject; }
 }
 # v6 BGPFilter test-filter-2
 function 'bgp_test-filter-2_importFilterV6'() {
 if ((net ~ 5000:2::0/64)) then { accept; }
- if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 5000:3::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "eth*"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -112,9 +112,8 @@ protocol bgp Node_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter-1_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -131,9 +130,8 @@ protocol bgp Node_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter-2_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/explicit_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird.cfg
index d86bc76b7c8..51d0a184beb 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird.cfg
@@ -84,9 +84,8 @@ protocol bgp Global_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -101,9 +100,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6.cfg
index dcd7ef39ffa..1f344b90fc2 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6.cfg
@@ -63,11 +63,11 @@ function 'bgp_test-filter_importFilterV6'() {
 if ((net ~ 5000::0/64)) then { accept; }
 if ((net ~ 5000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
- reject;
+ if (((defined(ifname))&&(ifname ~ "eth0"))) then { reject; }
 }
 function 'bgp_test-filter_exportFilterV6'() {
 if ((net ~ 9000::0/64)) then { accept; }
- if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))) then { reject; }
+ if ((net ~ 9000:1::0/64)&&((defined(source))&&(source ~ [ RTS_BGP ]))&&((defined(ifname))&&(ifname ~ "*.calico"))) then { reject; }
 if (((defined(source))&&(source ~ [ RTS_BGP ]))) then { accept; }
 reject;
 }
@@ -98,9 +98,8 @@ protocol bgp Global_2001__103 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -117,9 +116,8 @@ protocol bgp Global_2001__104 from bgp_template {
 };
 export filter {
 'bgp_test-filter_exportFilterV6'();
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird_ipam.cfg b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/bgpfilter/v6_only/global_peer/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global-external/bird.cfg b/confd/tests/compiled_templates/explicit_peering/global-external/bird.cfg
index 5a097c555a3..4e56628ffcf 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-external/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-external/bird.cfg
@@ -81,9 +81,8 @@ protocol bgp Global_10_192_0_3_port_150 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
@@ -99,9 +98,8 @@ protocol bgp Global_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -116,9 +114,8 @@ protocol bgp Global_10_192_0_4_port_166 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/global-external/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global-external/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-external/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-external/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global-external/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global-external/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-external/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-external/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6.cfg
index 24ccbfd2af5..75b262f32d3 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6.cfg
@@ -79,9 +79,8 @@ protocol bgp Global_2001__102 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -96,9 +95,8 @@ protocol bgp Global_2001__104 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global-ipv6/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global/bird.cfg b/confd/tests/compiled_templates/explicit_peering/global/bird.cfg
index bb5528b9b02..d53f6cee487 100644
--- a/confd/tests/compiled_templates/explicit_peering/global/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global/bird.cfg
@@ -82,9 +82,8 @@ protocol bgp Global_10_192_0_1_port_150 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -99,9 +98,8 @@ protocol bgp Global_10_192_0_1_port_166 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -115,9 +113,8 @@ protocol bgp Global_10_192_0_3_port_150 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/global/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/global/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/global/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/global/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/global/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/global/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird.cfg
index 8f40d3956e5..11d87399ad9 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird.cfg
@@ -79,9 +79,8 @@ protocol bgp Global_172_19_4_87 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6.cfg
index 0365c9e1118..a02a2886a4b 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6.cfg
@@ -79,9 +79,8 @@ protocol bgp Global_ac13__57_port_50 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop-global/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird.cfg
index 587a6000982..76817b8acf6 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird.cfg
@@ -88,9 +88,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -107,9 +106,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -126,9 +124,8 @@ protocol bgp Node_172_19_4_87 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6.cfg
index dd74d12f752..a43c357b002 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6.cfg
@@ -84,9 +84,8 @@ protocol bgp Node_ac13__57_port_50 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/keepnexthop/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird.cfg b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird.cfg
index 54698c151ca..7dfece19fb5 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird.cfg
@@ -82,9 +82,8 @@ protocol bgp Global_10_192_0_1_port_150 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 allow local as 1;
 }
@@ -100,9 +99,8 @@ protocol bgp Global_10_192_0_1_port_166 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -116,9 +114,8 @@ protocol bgp Global_10_192_0_3_port_150 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 passive on; # Peering is unidirectional, peer will connect to us.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as-global/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as-global/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as/bird.cfg b/confd/tests/compiled_templates/explicit_peering/local-as/bird.cfg
index 4440a94fe6c..f407ae108f5 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 allow local as 1;
 }
@@ -103,9 +102,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/local-as/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/local-as/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/local-as/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/local-as/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/local-as/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird.cfg
index b36ec5053dc..ce4f7de0989 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird.cfg
@@ -84,9 +84,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -103,9 +102,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -122,9 +120,8 @@ protocol bgp Node_172_19_4_87 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6.cfg
index ee0bc8ba9c9..9caddeeeb60 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6.cfg
@@ -84,9 +84,8 @@ protocol bgp Node_ac13__57_port_50 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -101,9 +100,8 @@ protocol bgp Node_fe0a__3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -120,9 +118,8 @@ protocol bgp Node_fe0a__4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird.cfg
index 8aa152ad234..f70d574d5a1 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird.cfg
@@ -84,9 +84,8 @@ protocol bgp Node_172_19_4_87 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6.cfg
index 414c199c222..ee50d29dda8 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6.cfg
@@ -90,9 +90,8 @@ protocol bgp Node_ac13__57_port_50 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -107,9 +106,8 @@ protocol bgp Node_fe0a__3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
@@ -126,9 +124,8 @@ protocol bgp Node_fe0a__4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 rr client;
 rr cluster id 10.0.0.1;
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/route_reflector_v6_by_ip/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/bird.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/bird.cfg
index 568e950637e..87bfec9ed03 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3_port_500 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/bird6.cfg
index 45b2cbf57fa..4afa9eb0563 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/bird6.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_fd5f__3_port_500 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_fd5f__4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird.cfg
index 9eefd3bc705..93cd1272626 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6.cfg
index 46c64a9ff73..a712c03929e 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_fd5f__3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_fd5f__4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/selectors/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/specific_node/bird.cfg b/confd/tests/compiled_templates/explicit_peering/specific_node/bird.cfg
index db2f71989de..dafd0fc7d83 100644
--- a/confd/tests/compiled_templates/explicit_peering/specific_node/bird.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/specific_node/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/explicit_peering/specific_node/bird6_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/specific_node/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/explicit_peering/specific_node/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/specific_node/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/explicit_peering/specific_node/bird_ipam.cfg b/confd/tests/compiled_templates/explicit_peering/specific_node/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
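Review bot: `Node_10_192_0_4` is the only peer in these fixtures that gets `calico_export_to_bgp_peers(false)`, and with `false` the new `reject_tunnel_routes()` step is skipped, so routes via the `*.cali`/`*.calico` devices keep being advertised to this peer. The reason it is `false` is not visible here — the peer's `neighbor as` line sits in the context before the hunk, so the reader cannot confirm it is an eBGP peer rather than a mis-rendered template variable. Since this is a generated fixture, I would have the template emit a trailing comment on the call, e.g. `calico_export_to_bgp_peers(false); # eBGP peer: tunnel routes are still exported`, so the expected output documents the intent and the external-peer case stands out in review. The enclosing `protocol bgp` block starts outside the hunk.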
--- a/confd/tests/compiled_templates/explicit_peering/specific_node/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/explicit_peering/specific_node/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/ignored_interfaces/bird.cfg b/confd/tests/compiled_templates/ignored_interfaces/bird.cfg
index 8f5fd20a371..5b2bd2ce801 100644
--- a/confd/tests/compiled_templates/ignored_interfaces/bird.cfg
+++ b/confd/tests/compiled_templates/ignored_interfaces/bird.cfg
@@ -70,7 +70,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -85,7 +85,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/ignored_interfaces/bird6.cfg b/confd/tests/compiled_templates/ignored_interfaces/bird6.cfg
index a0b059d8bbd..af62009da03 100644
--- a/confd/tests/compiled_templates/ignored_interfaces/bird6.cfg
+++ b/confd/tests/compiled_templates/ignored_interfaces/bird6.cfg
@@ -70,7 +70,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 }
@@ -84,7 +84,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/ignored_interfaces/bird6_ipam.cfg b/confd/tests/compiled_templates/ignored_interfaces/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/ignored_interfaces/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/ignored_interfaces/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/ignored_interfaces/bird_ipam.cfg b/confd/tests/compiled_templates/ignored_interfaces/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/ignored_interfaces/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/ignored_interfaces/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/bgp-export/bird.cfg b/confd/tests/compiled_templates/mesh/bgp-export/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/bgp-export/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/bgp-export/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/bgp-export/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/bgp-export/bird6_ipam.cfg
index 405dc00f86c..6269e16308b 100644
--- a/confd/tests/compiled_templates/mesh/bgp-export/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/bgp-export/bird6_ipam.cfg
@@ -5,9 +5,24 @@ function reject_disabled_pools ()
 if ( net ~ 2002:102::/64 ) then { reject; }
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/bgp-export/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/bgp-export/bird_ipam.cfg
index a0f51d4f257..9098eb06830 100644
--- a/confd/tests/compiled_templates/mesh/bgp-export/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/bgp-export/bird_ipam.cfg
@@ -5,9 +5,24 @@ function reject_disabled_pools ()
 if ( net ~ 192.168.2.0/24 ) then { reject; }
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/communities/bird.cfg b/confd/tests/compiled_templates/mesh/communities/bird.cfg
index ea1cfa052c7..91495ea3872 100644
--- a/confd/tests/compiled_templates/mesh/communities/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/bird.cfg
@@ -85,7 +85,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -100,7 +100,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/communities/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/communities/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/communities/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/communities/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/communities/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/communities/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/communities/step2/bird.cfg b/confd/tests/compiled_templates/mesh/communities/step2/bird.cfg
index 2c2fca0d84a..8e1d61d05ed 100644
--- a/confd/tests/compiled_templates/mesh/communities/step2/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/step2/bird.cfg
@@ -84,7 +84,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -99,7 +99,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/communities/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/communities/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/communities/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/communities/step2/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/communities/step2/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/communities/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/communities/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/hash/bird.cfg b/confd/tests/compiled_templates/mesh/hash/bird.cfg
index 5ba749822c7..71d73be28f4 100644
--- a/confd/tests/compiled_templates/mesh/hash/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/hash/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/hash/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/hash/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/hash/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/hash/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/hash/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/hash/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/hash/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/hash/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-always/bird.cfg b/confd/tests/compiled_templates/mesh/ipip-always/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/ipip-always/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-always/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/ipip-always/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-always/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/ipip-always/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-always/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-always/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-always/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/mesh/ipip-always/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-always/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird.cfg b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird.cfg
index 1efbea31689..c9de101dcb0 100644
--- a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_6 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird_ipam.cfg
index 5419b91c6b0..f7dd96ff075 100644
--- a/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-cross-subnet/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-off/bird.cfg b/confd/tests/compiled_templates/mesh/ipip-off/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/ipip-off/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-off/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/ipip-off/bird6.cfg b/confd/tests/compiled_templates/mesh/ipip-off/bird6.cfg
index 127796dc253..2926b229262 100644
--- a/confd/tests/compiled_templates/mesh/ipip-off/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-off/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 }
@@ -92,7 +92,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/ipip-off/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-off/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/mesh/ipip-off/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-off/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/ipip-off/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/ipip-off/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/ipip-off/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/ipip-off/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step1/bird.cfg b/confd/tests/compiled_templates/mesh/password/step1/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/password/step1/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step1/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step1/bird6.cfg b/confd/tests/compiled_templates/mesh/password/step1/bird6.cfg
index 127796dc253..2926b229262 100644
--- a/confd/tests/compiled_templates/mesh/password/step1/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step1/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 }
@@ -92,7 +92,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step1/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step1/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/mesh/password/step1/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step1/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step1/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step1/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/password/step1/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step1/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step2/bird.cfg b/confd/tests/compiled_templates/mesh/password/step2/bird.cfg
index d7239ccb82c..e4e84f20144 100644
--- a/confd/tests/compiled_templates/mesh/password/step2/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step2/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -94,7 +94,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step2/bird6.cfg b/confd/tests/compiled_templates/mesh/password/step2/bird6.cfg
index a6c84faa804..5edf0d476d2 100644
--- a/confd/tests/compiled_templates/mesh/password/step2/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step2/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 password "password-a";
@@ -93,7 +93,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step2/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/mesh/password/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step2/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step2/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/password/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step3/bird.cfg b/confd/tests/compiled_templates/mesh/password/step3/bird.cfg
index 50f6c75252e..3e9cf2a12cf 100644
--- a/confd/tests/compiled_templates/mesh/password/step3/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step3/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -94,7 +94,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step3/bird6.cfg b/confd/tests/compiled_templates/mesh/password/step3/bird6.cfg
index ea06d776269..bb3b369b56d 100644
--- a/confd/tests/compiled_templates/mesh/password/step3/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step3/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 password "new-password-a";
@@ -93,7 +93,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/password/step3/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step3/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/mesh/password/step3/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step3/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/password/step3/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/password/step3/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/password/step3/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/password/step3/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/restart-time/bird.cfg b/confd/tests/compiled_templates/mesh/restart-time/bird.cfg
index 65c2e5104a9..0fc2fb78eac 100644
--- a/confd/tests/compiled_templates/mesh/restart-time/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/restart-time/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -94,7 +94,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/restart-time/bird6.cfg b/confd/tests/compiled_templates/mesh/restart-time/bird6.cfg
index 573978092f4..cf85bb99261 100644
--- a/confd/tests/compiled_templates/mesh/restart-time/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/restart-time/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_2001__102 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 graceful restart time 10;
@@ -93,7 +93,7 @@ protocol bgp Mesh_2001__104 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/restart-time/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/restart-time/bird6_ipam.cfg
index 916956cf959..4fab5f8d396 100644
--- a/confd/tests/compiled_templates/mesh/restart-time/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/restart-time/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/restart-time/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/restart-time/bird_ipam.cfg
index 53f920b9a54..45e216e04a7 100644
--- a/confd/tests/compiled_templates/mesh/restart-time/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/restart-time/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird.cfg b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird.cfg
index 22a9f97eb0a..d9619af45f6 100644
--- a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -111,9 +111,8 @@ protocol bgp Node_10_192_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6.cfg b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6.cfg
index b7ccbbe8ae7..178ede5bfd7 100644
--- a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fe0a__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -111,9 +111,8 @@ protocol bgp Node_fe0a__6 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/route-reflector-mesh-enabled/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6.cfg
index aa7d9de1bd3..6d07a3dc308 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fdf5_10__3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_fdf5_10__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6_ipam.cfg
index 5a9e0ab1f0f..6e2c9ae818d 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird_ipam.cfg
index bf78a74e53f..e7f629ee1ae 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6.cfg
index aa7d9de1bd3..6d07a3dc308 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fdf5_10__3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_fdf5_10__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-exclude-node/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird_ipam.cfg
index ab7ccec1489..346212966d2 100644
--- a/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes-no-ipv4-address/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes/bird.cfg b/confd/tests/compiled_templates/mesh/static-routes/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes/bird6.cfg b/confd/tests/compiled_templates/mesh/static-routes/bird6.cfg
index aa7d9de1bd3..6d07a3dc308 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fdf5_10__3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_fdf5_10__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes/bird6_ipam.cfg
index 358ad0168cd..37a5c4c75dd 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes/bird_ipam.cfg
index 4aa54000cb0..65478831737 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes/step2/bird.cfg b/confd/tests/compiled_templates/mesh/static-routes/step2/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/step2/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/step2/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes/step2/bird6.cfg b/confd/tests/compiled_templates/mesh/static-routes/step2/bird6.cfg
index aa7d9de1bd3..6d07a3dc308 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/step2/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/step2/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fdf5_10__3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_fdf5_10__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/static-routes/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/static-routes/step2/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/static-routes/step2/bird_ipam.cfg
index ea268d0ea70..23a07585f21 100644
--- a/confd/tests/compiled_templates/mesh/static-routes/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/static-routes/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/vxlan-always/bird.cfg b/confd/tests/compiled_templates/mesh/vxlan-always/bird.cfg
index e09c5bff9e5..1bd9d150777 100644
--- a/confd/tests/compiled_templates/mesh/vxlan-always/bird.cfg
+++ b/confd/tests/compiled_templates/mesh/vxlan-always/bird.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_10_192_0_3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_10_192_0_4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/vxlan-always/bird6.cfg b/confd/tests/compiled_templates/mesh/vxlan-always/bird6.cfg
index aa7d9de1bd3..6d07a3dc308 100644
--- a/confd/tests/compiled_templates/mesh/vxlan-always/bird6.cfg
+++ b/confd/tests/compiled_templates/mesh/vxlan-always/bird6.cfg
@@ -78,7 +78,7 @@ protocol bgp Mesh_fdf5_10__3 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
@@ -93,7 +93,7 @@ protocol bgp Mesh_fdf5_10__4 from bgp_template {
 import all; # Import all routes, since we don't know what the upstream
 # topology is and therefore have to trust the ToR/RR.
 export filter {
- calico_export_to_bgp_peers();
+ calico_export_to_bgp_peers(true);
 reject;
 }; # Only want to export routes for workloads.
 passive on; # Mesh is unidirectional, peer will connect to us.
diff --git a/confd/tests/compiled_templates/mesh/vxlan-always/bird6_ipam.cfg b/confd/tests/compiled_templates/mesh/vxlan-always/bird6_ipam.cfg
index 7b08bc8a830..52b7f72201c 100644
--- a/confd/tests/compiled_templates/mesh/vxlan-always/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/vxlan-always/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/mesh/vxlan-always/bird_ipam.cfg b/confd/tests/compiled_templates/mesh/vxlan-always/bird_ipam.cfg
index 7f4b0d2a1c5..4a04effdf63 100644
--- a/confd/tests/compiled_templates/mesh/vxlan-always/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/mesh/vxlan-always/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password-deadlock/bird.cfg b/confd/tests/compiled_templates/password-deadlock/bird.cfg
index 7609e9a2fd0..b9ade532f9a 100644
--- a/confd/tests/compiled_templates/password-deadlock/bird.cfg
+++ b/confd/tests/compiled_templates/password-deadlock/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-a";
 }
diff --git a/confd/tests/compiled_templates/password-deadlock/bird6_ipam.cfg b/confd/tests/compiled_templates/password-deadlock/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password-deadlock/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password-deadlock/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password-deadlock/bird_ipam.cfg b/confd/tests/compiled_templates/password-deadlock/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password-deadlock/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password-deadlock/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step1/bird.cfg b/confd/tests/compiled_templates/password/step1/bird.cfg
index bf11f1bf563..58ba8e0f082 100644
--- a/confd/tests/compiled_templates/password/step1/bird.cfg
+++ b/confd/tests/compiled_templates/password/step1/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -119,9 +117,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/password/step1/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step1/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step1/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step1/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step1/bird_ipam.cfg b/confd/tests/compiled_templates/password/step1/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step1/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step1/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step2/bird.cfg b/confd/tests/compiled_templates/password/step2/bird.cfg
index 2be4188b294..b427282c0b7 100644
--- a/confd/tests/compiled_templates/password/step2/bird.cfg
+++ b/confd/tests/compiled_templates/password/step2/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-b";
 }
@@ -120,9 +118,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/password/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step2/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step2/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step2/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step2/bird_ipam.cfg b/confd/tests/compiled_templates/password/step2/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step2/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step2/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step3/bird.cfg b/confd/tests/compiled_templates/password/step3/bird.cfg
index 9fdcc283098..9dee450f48c 100644
--- a/confd/tests/compiled_templates/password/step3/bird.cfg
+++ b/confd/tests/compiled_templates/password/step3/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-a";
 }
@@ -103,9 +102,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-b";
 }
@@ -121,9 +119,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-c";
 }
diff --git a/confd/tests/compiled_templates/password/step3/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step3/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step3/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step3/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step3/bird_ipam.cfg b/confd/tests/compiled_templates/password/step3/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step3/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step3/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step4/bird.cfg b/confd/tests/compiled_templates/password/step4/bird.cfg
index 7042f5007ba..db2f7531661 100644
--- a/confd/tests/compiled_templates/password/step4/bird.cfg
+++ b/confd/tests/compiled_templates/password/step4/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-a";
 }
@@ -103,9 +102,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "password-b";
 }
@@ -121,9 +119,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/password/step4/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step4/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step4/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step4/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step4/bird_ipam.cfg b/confd/tests/compiled_templates/password/step4/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step4/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step4/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step5/bird.cfg b/confd/tests/compiled_templates/password/step5/bird.cfg
index 7ea84308acb..54216440327 100644
--- a/confd/tests/compiled_templates/password/step5/bird.cfg
+++ b/confd/tests/compiled_templates/password/step5/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "new-password-a";
 }
@@ -103,9 +102,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "new-password-b";
 }
@@ -121,9 +119,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/password/step5/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step5/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step5/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step5/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step5/bird_ipam.cfg b/confd/tests/compiled_templates/password/step5/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step5/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step5/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step6/bird.cfg b/confd/tests/compiled_templates/password/step6/bird.cfg
index 1d066bc7640..06fc4df51fe 100644
--- a/confd/tests/compiled_templates/password/step6/bird.cfg
+++ b/confd/tests/compiled_templates/password/step6/bird.cfg
@@ -85,9 +85,8 @@ protocol bgp Node_10_24_0_2 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -102,9 +101,8 @@ protocol bgp Node_10_24_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 password "new-password-b";
 }
@@ -120,9 +118,8 @@ protocol bgp Node_10_24_10_10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
diff --git a/confd/tests/compiled_templates/password/step6/bird6_ipam.cfg b/confd/tests/compiled_templates/password/step6/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/password/step6/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step6/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/password/step6/bird_ipam.cfg b/confd/tests/compiled_templates/password/step6/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/password/step6/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/password/step6/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/reachable_by/global_peers/bird.cfg b/confd/tests/compiled_templates/reachable_by/global_peers/bird.cfg
index 5c240afed09..443f020470b 100644
--- a/confd/tests/compiled_templates/reachable_by/global_peers/bird.cfg
+++ b/confd/tests/compiled_templates/reachable_by/global_peers/bird.cfg
@@ -80,9 +80,8 @@ protocol bgp Global_10_225_0_4 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
@@ -98,9 +97,8 @@ protocol bgp Global_10_225_0_5 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/reachable_by/global_peers/bird6.cfg b/confd/tests/compiled_templates/reachable_by/global_peers/bird6.cfg
index a5d5ba5d5ae..dae946aa317 100644
--- a/confd/tests/compiled_templates/reachable_by/global_peers/bird6.cfg
+++ b/confd/tests/compiled_templates/reachable_by/global_peers/bird6.cfg
@@ -80,9 +80,8 @@ protocol bgp Global_ffee__10 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
@@ -98,9 +97,8 @@ protocol bgp Global_ffee__11 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(false);
+ reject;
 }; # Only want to export routes for workloads.
 next hop keep;
 }
diff --git a/confd/tests/compiled_templates/reachable_by/global_peers/bird6_ipam.cfg b/confd/tests/compiled_templates/reachable_by/global_peers/bird6_ipam.cfg
index 483ea539b8e..67327e452b9 100644
--- a/confd/tests/compiled_templates/reachable_by/global_peers/bird6_ipam.cfg
+++ b/confd/tests/compiled_templates/reachable_by/global_peers/bird6_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers() {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/reachable_by/global_peers/bird_ipam.cfg b/confd/tests/compiled_templates/reachable_by/global_peers/bird_ipam.cfg
index 9dbf7cc1e8b..7b67c8f3c72 100644
--- a/confd/tests/compiled_templates/reachable_by/global_peers/bird_ipam.cfg
+++ b/confd/tests/compiled_templates/reachable_by/global_peers/bird_ipam.cfg
@@ -4,9 +4,24 @@ function reject_disabled_pools ()
 }
-function calico_export_to_bgp_peers () {
- # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr()
+function reject_tunnel_routes () {
+ # Don't export tunnel routes to other nodes, Felix programs them.
+ # IPIP routes are handled by Bird, and it does not re-advertise them.
+ if (defined(ifname)) then {
+ if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then {
+ reject;
+ }
+ }
+}
+
+function calico_export_to_bgp_peers(bool internal_peer) {
+ # filter code terminates when it calls `accept;` or `reject;`,
+ # call reject_disabled_pools() first, then reject_tunnel_routes(),
+ # then apply_communities() and then calico_aggr()
 reject_disabled_pools();
+ if (internal_peer) then {
+ reject_tunnel_routes();
+ }
 apply_communities();
 calico_aggr();
diff --git a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird.cfg b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird.cfg
index 640f4e3f8bb..8c03cd5af90 100644
--- a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird.cfg
+++ b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird.cfg
@@ -89,9 +89,8 @@ protocol bgp Node_10_192_0_3 from bgp_template {
 accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import
 };
 export filter {
- calico_export_to_bgp_peers();
- reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers()
- # was rejected so use default reject behaviour on export
+ calico_export_to_bgp_peers(true);
+ reject;
 }; # Only want to export routes for workloads.
 }
@@ -106,9 +105,8 @@ protocol bgp Node_10_192_0_4 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } @@ -123,9 +121,8 @@ protocol bgp Node_10_225_0_4 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. next hop keep; } @@ -141,9 +138,8 @@ protocol bgp Node_10_225_0_5 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. next hop keep; } diff --git a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6.cfg b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6.cfg index f8132a545fe..378076af5c1 100644 --- a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6.cfg +++ b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6.cfg 
@@ -85,9 +85,8 @@ protocol bgp Node_2001__102 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } @@ -106,9 +105,8 @@ protocol bgp Node_2001__104 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } @@ -123,9 +121,8 @@ protocol bgp Node_ffee__10 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. next hop keep; } 
@@ -141,9 +138,8 @@ protocol bgp Node_ffee__11 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. next hop keep; } diff --git a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6_ipam.cfg b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 --- a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird_ipam.cfg b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 
--- a/confd/tests/compiled_templates/reachable_by/route_reflectors/bird_ipam.cfg +++ b/confd/tests/compiled_templates/reachable_by/route_reflectors/bird_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird.cfg index a8be824a76b..342a128135d 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird.cfg @@ -85,9 +85,8 @@ protocol bgp Node_172_17_0_6 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } 
diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird6_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step1/bird_ipam.cfg 
@@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird.cfg index 851325d87a8..8636da9807d 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird.cfg @@ -84,9 +84,8 @@ protocol bgp Node_172_17_0_6 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird6_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 
--- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step2/bird_ipam.cfg 
@@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird.cfg index 4caaaa4439a..ed5e16f081a 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird.cfg @@ -84,9 +84,8 @@ protocol bgp Node_172_17_0_6 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. graceful restart time 10; } diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird6_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 
--- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird_ipam.cfg b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 --- a/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird_ipam.cfg +++ b/confd/tests/compiled_templates/sourceaddr_gracefulrestart/step3/bird_ipam.cfg 
@@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/explicit_node/bird.cfg b/confd/tests/compiled_templates/ttl_security/explicit_node/bird.cfg index c7a0abd021f..9c1a3637ca4 100644 --- a/confd/tests/compiled_templates/ttl_security/explicit_node/bird.cfg +++ b/confd/tests/compiled_templates/ttl_security/explicit_node/bird.cfg @@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. } 
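Review bot: In the ttl_security/explicit_node/bird.cfg hunk Node_10_192_0_3 is passed `calico_export_to_bgp_peers(false)`, while the ttl_security/peer_selector fixture passes `true` for the same address, which suggests internal_peer is derived from how the BGPPeer was declared (explicit peerIP versus node selector or global) rather than from whether the peer address belongs to a cluster node; the template function making that decision is outside this view, so this is inferred. If that is the rule, an explicit BGPPeer whose peerIP is another node of the same cluster, a common configuration, would still be sent tunnel routes, which is exactly what the change sets out to stop. Consider classifying the peer by matching its IP against the known node addresses, or at least document the rule in the template, e.g. `# internal_peer is true only for mesh / node-selector peers; explicit peerIP peers are treated as external even when they are cluster nodes.`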
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(false); + reject; }; # Only want to export routes for workloads. } diff --git a/confd/tests/compiled_templates/ttl_security/explicit_node/bird6_ipam.cfg b/confd/tests/compiled_templates/ttl_security/explicit_node/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 --- a/confd/tests/compiled_templates/ttl_security/explicit_node/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/explicit_node/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/explicit_node/bird_ipam.cfg b/confd/tests/compiled_templates/ttl_security/explicit_node/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 
--- a/confd/tests/compiled_templates/ttl_security/explicit_node/bird_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/explicit_node/bird_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/global/bird.cfg b/confd/tests/compiled_templates/ttl_security/global/bird.cfg index aae610494f8..1afc7a01fc8 100644 --- a/confd/tests/compiled_templates/ttl_security/global/bird.cfg +++ b/confd/tests/compiled_templates/ttl_security/global/bird.cfg @@ -84,9 +84,8 @@ protocol bgp Global_10_192_0_3 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } 
@@ -101,9 +100,8 @@ protocol bgp Global_10_192_0_4 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } diff --git a/confd/tests/compiled_templates/ttl_security/global/bird6.cfg b/confd/tests/compiled_templates/ttl_security/global/bird6.cfg index 6f8d5433adc..13ae17e2341 100644 --- a/confd/tests/compiled_templates/ttl_security/global/bird6.cfg +++ b/confd/tests/compiled_templates/ttl_security/global/bird6.cfg @@ -80,9 +80,8 @@ protocol bgp Global_2001__102 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } @@ -101,9 +100,8 @@ protocol bgp Global_2001__104 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } 
diff --git a/confd/tests/compiled_templates/ttl_security/global/bird6_ipam.cfg b/confd/tests/compiled_templates/ttl_security/global/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 --- a/confd/tests/compiled_templates/ttl_security/global/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/global/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/global/bird_ipam.cfg b/confd/tests/compiled_templates/ttl_security/global/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 --- a/confd/tests/compiled_templates/ttl_security/global/bird_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/global/bird_ipam.cfg 
@@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/peer_selector/bird.cfg b/confd/tests/compiled_templates/ttl_security/peer_selector/bird.cfg index f7709f082c7..f39804810d3 100644 --- a/confd/tests/compiled_templates/ttl_security/peer_selector/bird.cfg +++ b/confd/tests/compiled_templates/ttl_security/peer_selector/bird.cfg @@ -85,9 +85,8 @@ protocol bgp Node_10_192_0_3 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } 
@@ -102,9 +101,8 @@ protocol bgp Node_10_192_0_4 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } diff --git a/confd/tests/compiled_templates/ttl_security/peer_selector/bird6.cfg b/confd/tests/compiled_templates/ttl_security/peer_selector/bird6.cfg index beb973a8786..c0b85296ed7 100644 --- a/confd/tests/compiled_templates/ttl_security/peer_selector/bird6.cfg +++ b/confd/tests/compiled_templates/ttl_security/peer_selector/bird6.cfg @@ -85,9 +85,8 @@ protocol bgp Node_2001__102 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } @@ -102,9 +101,8 @@ protocol bgp Node_2001__104 from bgp_template { accept; # Prior to introduction of BGP Filters we used "import all" so use default accept behaviour on import }; export filter { - calico_export_to_bgp_peers(); - reject; # Prior to introduction of BGP Filters anything not explicitly exported through calico_export_to_bgp_peers() - # was rejected so use default reject behaviour on export + calico_export_to_bgp_peers(true); + reject; }; # Only want to export routes for workloads. } 
diff --git a/confd/tests/compiled_templates/ttl_security/peer_selector/bird6_ipam.cfg b/confd/tests/compiled_templates/ttl_security/peer_selector/bird6_ipam.cfg index 483ea539b8e..67327e452b9 100644 --- a/confd/tests/compiled_templates/ttl_security/peer_selector/bird6_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/peer_selector/bird6_ipam.cfg @@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers() { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/compiled_templates/ttl_security/peer_selector/bird_ipam.cfg b/confd/tests/compiled_templates/ttl_security/peer_selector/bird_ipam.cfg index 9dbf7cc1e8b..7b67c8f3c72 100644 --- a/confd/tests/compiled_templates/ttl_security/peer_selector/bird_ipam.cfg +++ b/confd/tests/compiled_templates/ttl_security/peer_selector/bird_ipam.cfg 
@@ -4,9 +4,24 @@ function reject_disabled_pools () } -function calico_export_to_bgp_peers () { - # filter code terminates when it calls `accept;` or `reject;`, call reject_disabled_pools() first, then apply_communities() and then calico_aggr() +function reject_tunnel_routes () { + # Don't export tunnel routes to other nodes, Felix programs them. + # IPIP routes are handled by Bird, and it does not re-advertise them. + if (defined(ifname)) then { + if ((ifname ~ "*.cali") || (ifname ~ "*.calico")) then { + reject; + } + } +} + +function calico_export_to_bgp_peers(bool internal_peer) { + # filter code terminates when it calls `accept;` or `reject;`, + # call reject_disabled_pools() first, then reject_tunnel_routes(), + # then apply_communities() and then calico_aggr() reject_disabled_pools(); + if (internal_peer) then { + reject_tunnel_routes(); + } apply_communities(); calico_aggr(); diff --git a/confd/tests/test_suite_common.sh b/confd/tests/test_suite_common.sh index 3fa21a8bc86..f8039c83127 100755 --- a/confd/tests/test_suite_common.sh +++ b/confd/tests/test_suite_common.sh @@ -790,6 +790,7 @@ kill_typha() { test_confd_templates() { # Compare the templates until they match (for a max of 10s). testdir=$1 + echo "Comparing with templates in $testdir" for i in $(seq 1 10); do echo "comparing templates attempt $i" && compare_templates $testdir 0 false && break || sleep 1; done compare_templates $testdir 1 ${UPDATE_EXPECTED_DATA} } @@ -1754,6 +1755,7 @@ spec: matchOperator: In cidr: 77.1.0.0/16 - action: Accept + interface: "eth0" source: RemotePeers - action: Reject importV4: @@ -1767,11 +1769,13 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "eth*" exportV6: - action: Accept matchOperator: In cidr: 9000::0/64 - action: Reject + interface: "vxlan.calico" source: RemotePeers matchOperator: In cidr: 9000:1::0/64 
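Review bot: None of the new `interface:` values in the BGPFilter test YAML (`eth0`, `eth*`, `vxlan.calico`, `*.calico`) exercises a rejected pattern, yet these strings are rendered into the generated BIRD configuration, so a value containing a double quote or newline could escape the match expression unless the API validation (bgpfilter.go in this patch, outside this view) forbids it. Add one negative case that applies a filter with such a value, e.g. `interface: 'eth0"'`, and asserts the apply is refused. Separately, the hunk at `@@ -1767` turns the trailing importV4 `- action: Reject` from a catch-all into a reject of `eth*` routes only, so routes on other devices now fall through to the filter's default; if the fixture is meant to test that narrowing, a one-line YAML comment saying so would stop a later reader from "fixing" it back.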
@@ -1780,6 +1784,7 @@ spec: - action: Reject importV6: - action: Accept + interface: "*.calico" matchOperator: In cidr: 5000::0/64 - action: Reject @@ -1878,6 +1883,7 @@ spec: matchOperator: In cidr: 77.0.0.0/16 - action: Reject + interface: "eth0" source: RemotePeers matchOperator: In cidr: 77.1.0.0/16 @@ -1886,6 +1892,7 @@ spec: - action: Reject importV4: - action: Accept + interface: "eth*" matchOperator: In cidr: 44.0.0.0/16 - action: Reject @@ -1906,11 +1913,13 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "*.calico" importV6: - action: Accept matchOperator: In cidr: 5000::0/64 - action: Reject + interface: "*" source: RemotePeers matchOperator: In cidr: 5000:1::0/64 @@ -1932,6 +1941,7 @@ spec: matchOperator: In cidr: 77.3.0.0/16 - action: Accept + interface: "eth0" source: RemotePeers - action: Reject importV4: @@ -1945,10 +1955,12 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "*.calico" exportV6: - action: Accept matchOperator: In cidr: 9000:2::0/64 + interface: "eth*" - action: Reject source: RemotePeers matchOperator: In @@ -1966,6 +1978,7 @@ spec: cidr: 5000:3::0/64 - action: Accept source: RemotePeers + interface: "cali*" - action: Reject --- kind: BGPPeer @@ -2104,8 +2117,10 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "eth0" importV4: - action: Accept + interface: "eth*" matchOperator: In cidr: 44.0.0.0/16 - action: Reject @@ -2120,6 +2135,7 @@ spec: matchOperator: In cidr: 9000::0/64 - action: Reject + interface: "vxlan.*" source: RemotePeers matchOperator: In cidr: 9000:1::0/64 @@ -2131,6 +2147,7 @@ spec: matchOperator: In cidr: 5000::0/64 - action: Reject + interface: "*.calico" source: RemotePeers matchOperator: In cidr: 5000:1::0/64 @@ -2325,6 +2342,7 @@ metadata: spec: exportV4: - action: Accept + interface: "eth0" matchOperator: In cidr: 77.2.0.0/16 - action: Reject 
@@ -2339,6 +2357,7 @@ spec: matchOperator: In cidr: 44.2.0.0/16 - action: Reject + interface: "*" source: RemotePeers matchOperator: In cidr: 44.3.0.0/16 @@ -2354,6 +2373,7 @@ spec: matchOperator: In cidr: 9000:3::0/64 - action: Accept + interface: "*.calico" source: RemotePeers - action: Reject importV6: @@ -2367,6 +2387,7 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "*" --- kind: BGPPeer apiVersion: projectcalico.org/v3 @@ -2493,6 +2514,7 @@ spec: - action: Accept matchOperator: In cidr: 77.0.0.0/16 + interface: "*.calico" - action: Reject source: RemotePeers matchOperator: In @@ -2505,6 +2527,7 @@ spec: matchOperator: In cidr: 44.0.0.0/16 - action: Reject + interface: "someiface" source: RemotePeers matchOperator: In cidr: 44.1.0.0/16 @@ -2520,6 +2543,7 @@ spec: matchOperator: In cidr: 9000:1::0/64 - action: Accept + interface: "some*iface" source: RemotePeers - action: Reject importV6: @@ -2533,6 +2557,7 @@ spec: - action: Accept source: RemotePeers - action: Reject + interface: "cali*" EOF test_confd_templates bgpfilter/node_mesh @@ -2940,6 +2965,144 @@ EOF fi } +test_bgp_filter_match_interface() { + # For KDD, run Typha and clean up the output directory. + if [ "$DATASTORE_TYPE" = kubernetes ]; then + start_typha + rm -f /etc/calico/confd/config/* + fi + + # Run confd as a background process. + echo "Running confd as background process" + NODENAME=kube-master BGP_LOGSEVERITYSCREEN="debug" confd -confdir=/etc/calico/confd >$LOGPATH/logd1 2>&1 & + CONFD_PID=$! + echo "Running with PID " $CONFD_PID + + # Turn the node-mesh off + turn_mesh_off + + # Create 3 nodes and a BGPFilter then globally pair the nodes all using the same filter + $CALICOCTL apply -f - <