Bug 242671

Summary: net/openbgpd6 fails to update FIB
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Alarig Le Lay <alarig>
Assignee: Kurt Jaeger <pi>
Status: New
Severity: Affects Only Me
Priority: ---
Flags: bugzilla: maintainer-feedback? (pi)
Version: Latest
Hardware: Any
OS: Any

Description Alarig Le Lay 2019-12-16 20:33:55 UTC
Hi,

I have a FreeBSD VM for an AS112 node; BGP is done with OpenBGPD.

root@as112:~ # uname -a
FreeBSD as112.grifon.fr 12.0-RELEASE-p12 FreeBSD 12.0-RELEASE-p12 GENERIC  amd64
root@as112:~ # pkg info openbgpd6
openbgpd6-6.6p0
Name           : openbgpd6
Version        : 6.6p0
Installed on   : Mon Dec 16 20:13:44 2019 CET
Origin         : net/openbgpd6
Architecture   : FreeBSD:12:amd64
Prefix         : /usr/local
Categories     : net
Licenses       : ISCL
Maintainer     : pi@FreeBSD.org
WWW            : http://www.openbgpd.org/
Comment        : Free implementation of the Border Gateway Protocol, Version 4
Options        :
        IPV6LLPEER     : on
Annotations    :
        FreeBSD_version: 1200086
        repo_type      : binary
        repository     : poudriere
Flat size      : 435KiB
Description    :
OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4.
It allows ordinary machines to be used as routers exchanging routes with
other systems speaking the BGP protocol.

This is the portable version and it does not have the means to
influence kernel routing tables. It is only suitable for route
servers/collectors.

WWW: http://www.openbgpd.org/


Here is my configuration:
router-id 89.234.186.134                                                                  
AS 112                                                                                    
fib-update yes                                                                            
                                                                                          
network 192.175.48.0/24                                                                   
network 192.31.196.0/24                                                                   
network 2620:4f:8000::/48                                                                 
network 2001:4:112::/48                                                                   
                                                                                          
group "peering" {                                                                         
        announce IPv4 unicast                                                             
        announce IPv6 unicast                                                             
                                                                                          
        neighbor 89.234.186.129 {  
                remote-as       204092                                                    
                descr           "Grifon nominoe IPv4"
        }                                                                                 
                                                                                          
        neighbor 2a00:5884:0:100::1:1 {                                                   
                remote-as       204092                                                    
                descr           "Grifon nominoe IPv6"                                     
        }                                                                                 
                                                                                          
        neighbor 89.234.186.130 {                                                         
                remote-as       204092                                                    
                descr           "Grifon budic IPv4" 
        }                             
                                                                                          
        neighbor 2a00:5884:0:100::1:2 {                                                   
                remote-as       204092                                                                                                                                               
                descr           "Grifon budic IPv6"                                       
        }                                                                                 
                                                                                                                                                                                     
        neighbor 185.1.89.1 {                                                             
                remote-as       206165                                                    
                descr           "Breizh-IX RS1 IPv4"                                      
                enforce neighbor-as no                                                    
                set localpref   150                                                       
        }                           
                                             
        neighbor 2001:7f8:b1::1 {                                                                                                                                                    
                remote-as       206165                                                    
                descr           "Breizh-IX RS1 IPv6"                                      
                enforce neighbor-as no                                                    
                set localpref   150                                                       
        }                                                                                 
                                                                                          
        neighbor 185.1.89.2 {                                                             
                remote-as       206165                                                    
                descr           "Breizh-IX RS2 IPv4"                                      
                enforce neighbor-as no                                                    
                set localpref   150                                                       
        }                                                                                 
                                                                                          
        neighbor 2001:7f8:b1::2 {                                                         
                remote-as       206165
                descr           "Breizh-IX RS2 IPv6"                                      
                enforce neighbor-as no                                                    
                set localpref   150                                                       
        }                                                                                 
}                                                                                         
                                                                                          
# do not send or use routes from neighbors without further explicit                       
# configuration                                                                           
deny from any                                                                             
deny to any                                                                               
                                                                                          
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
allow from any inet prefixlen 8 - 24                                                      
allow from any inet6 prefixlen 16 - 48                                                    
                                                                                                                                                                                     
# filter bogus networks according to RFC5735                                              
deny from any prefix 0.0.0.0/8 prefixlen >= 8           # 'this' network [RFC1122]        
deny from any prefix 10.0.0.0/8 prefixlen >= 8          # private space [RFC1918]                                                                                                    
deny from any prefix 100.64.0.0/10 prefixlen >= 10      # CGN Shared [RFC6598]            
deny from any prefix 127.0.0.0/8 prefixlen >= 8         # localhost [RFC1122]             
deny from any prefix 169.254.0.0/16 prefixlen >= 16     # link local [RFC3927]            
deny from any prefix 172.16.0.0/12 prefixlen >= 12      # private space [RFC1918]         
deny from any prefix 192.0.2.0/24 prefixlen >= 24       # TEST-NET-1 [RFC5737]            
deny from any prefix 192.168.0.0/16 prefixlen >= 16     # private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15      # benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24    # TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24     # TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4         # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4         # reserved

# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64          # Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48        # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28       # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32      # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16          # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7            # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10          # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10          # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8            # multicast

## filter bogon AS numbers
## http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
deny from any AS 23456                          # AS_TRANS
deny from any AS 64496 - 64511                  # Reserved for use in docs and code RFC5398
deny from any AS 64512 - 65534                  # Reserved for Private Use RFC6996
deny from any AS 65535                          # Reserved RFC7300
deny from any AS 65536 - 65551                  # Reserved for use in docs and code RFC5398 
deny from any AS 65552 - 131071                 # Reserved
deny from any AS 4200000000 - 4294967294        # Reserved for Private Use RFC6996
deny from any AS 4294967295                     # Reserved RFC7300

allow to any prefix 2620:4f:8000::/48
allow to any prefix 2001:4:112::/48
allow to any prefix 192.175.48.0/24
allow to any prefix 192.31.196.0/24




The BGP sessions are up, but the FIB is empty (and I get "permission denied" when I try to print it from bgpd):
root@as112:~ # bgpctl show summary
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
Grifon nominoe IPv4    204092     136105        152     0 01:14:56 799528
Grifon nominoe IPv6    204092      29247        152     0 01:14:56  78083
Grifon budic IPv4      204092     174092        153     0 01:14:56 799529
Grifon budic IPv6      204092      34591        153     0 01:14:56  78085
Breizh-IX RS1 IPv4     206165        200        153     0 01:14:56     83
Breizh-IX RS1 IPv6     206165        193        153     0 01:14:56     32
Breizh-IX RS2 IPv4     206165        212        155     0 01:14:56     69
Breizh-IX RS2 IPv6     206165        213        155     0 01:14:56     71
root@as112:~ # bgpctl show rib | head
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination          gateway          lpref   med aspath origin
*>      N 1.0.0.0/24           89.234.186.129     100    50 204092 34019 13335 i
*       N 1.0.0.0/24           89.234.186.130     100    50 204092 198507 13335 i
*>      N 1.0.4.0/22           89.234.186.129     100    50 204092 34019 6939 4826 38803 56203 i
*       N 1.0.4.0/22           89.234.186.130     100    50 204092 198507 6939 4826 38803 56203 i
root@as112:~ # bgpctl show fib
flags: * = valid, B = BGP, C = Connected, S = Static, D = Dynamic
       N = BGP Nexthop reachable via this route
       r = reject route, b = blackhole route

flags prio destination          gateway
permission denied
root@as112:~ # route get 1.0.0.0/24
route: route has not been found
root@as112:~ # netstat -rn                                                                
Routing tables                                                                            
                                                                                          
Internet:                                                                                 
Destination        Gateway            Flags     Netif Expire                   
default            89.234.186.129     UGS      vtnet2                          
89.234.186.128/29  link#3             U        vtnet2                          
89.234.186.134     link#3             UHS         lo0                          
127.0.0.1          link#4             UH          lo0                          
172.17.0.0/24      link#1             U        vtnet0                          
172.17.0.27        link#1             UHS         lo0                          
185.1.89.0/24      link#2             U        vtnet1                          
185.1.89.16        link#2             UHS         lo0                          
192.31.196.1       link#5             UH          lo1
192.175.48.1       link#5             UH          lo1
192.175.48.6       link#5             UH          lo1
192.175.48.42      link#5             UH          lo1

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           2a00:5884:0:100::1:1          UGS      vtnet2
::1                               link#4                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:4:112::/64                   link#5                        U           lo1
2001:4:112::1                     link#5                        UHS         lo0
2001:7f8:b1::/64                  link#2                        U        vtnet1
2001:7f8:b1::12                   link#2                        UHS         lo0
2620:4f:8000::/64                 link#5                        U           lo1
2620:4f:8000::1                   link#5                        UHS         lo0
2620:4f:8000::6                   link#5                        UHS         lo0
2620:4f:8000::42                  link#5                        UHS         lo0
2a00:5884:0:100::1:0/112          link#3                        U        vtnet2
2a00:5884:0:100::1:10             link#3                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%vtnet1/64                  link#2                        U        vtnet1
fe80::fc7a:e9ff:fea9:1ba2%vtnet1  link#2                        UHS         lo0
fe80::%vtnet2/64                  link#3                        U        vtnet2
fe80::c54:abff:fef6:f9ec%vtnet2   link#3                        UHS         lo0
fe80::%lo0/64                     link#4                        U           lo0
fe80::1%lo0                       link#4                        UHS         lo0
fe80::%lo1/64                     link#5                        U           lo1
fe80::1%lo1                       link#5                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
root@as112:~ # 


Regards,
-- 
Alarig
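
The manual comparison in the description (selected routes from `bgpctl show rib` checked against `netstat -rn`) can be scripted. This is an added example, not part of the original report or of OpenBGPD; the inputs are excerpts of the output quoted above, and the function names are hypothetical.

```python
import ipaddress

# Excerpts of the output quoted in the report above (shortened).
RIB = """\
flags ovs destination          gateway          lpref   med aspath origin
*>      N 1.0.0.0/24           89.234.186.129     100    50 204092 34019 13335 i
*       N 1.0.0.0/24           89.234.186.130     100    50 204092 198507 13335 i
*>      N 1.0.4.0/22           89.234.186.129     100    50 204092 34019 6939 4826 38803 56203 i
"""
NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            89.234.186.129     UGS      vtnet2
89.234.186.128/29  link#3             U        vtnet2
89.234.186.134     link#3             UHS         lo0
fe80::%vtnet1/64                  link#2                        U        vtnet1
"""

def selected_routes(rib_text):
    """Map each selected ('>') prefix that is not locally announced to its gateway."""
    routes = {}
    for line in rib_text.splitlines():
        f = line.split()
        if len(f) < 4 or ">" not in f[0] or "A" in f[0]:
            continue  # legend, header, non-selected or announced route
        try:
            routes[ipaddress.ip_network(f[2])] = f[3]
        except ValueError:
            continue  # third column is not a prefix
    return routes

def kernel_prefixes(netstat_text):
    """Parse the Destination column of `netstat -rn` into a set of networks."""
    nets = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        addr, _, plen = f[0].partition("/")
        addr = addr.split("%")[0]  # drop the IPv6 zone, e.g. fe80::%vtnet1
        try:
            nets.add(ipaddress.ip_network(addr + ("/" + plen if plen else ""), strict=False))
        except ValueError:
            continue  # "default", column headers, section titles
    return nets

def missing_from_fib(rib_text, netstat_text):
    """Selected BGP prefixes that have no exact match in the kernel table."""
    kernel = kernel_prefixes(netstat_text)
    return sorted(str(n) for n in selected_routes(rib_text) if n not in kernel)

if __name__ == "__main__":
    for prefix in missing_from_fib(RIB, NETSTAT):
        print("selected in RIB, not in kernel table:", prefix)
```

The check is an exact-prefix match, so a covering default route does not count as the BGP route having been installed.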

Comment 1 Kurt Jaeger freebsd_committer 2019-12-16 21:17:35 UTC
It looks like hrs@ knows more about this FIB-update stuff.