bgpd: fix VRF leaking with 'network import-check' #15238
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ton31337
reviewed
Jan 29, 2024
If 'bgp network import-check' is defined on the source BGP session, prefixes that are defined with the network command cannot be leaked to the other VRFs BGP table even if they are present in the origin VRF RIB. Always validate the nexthop of BGP static routes (i.e. defined with the network statement) if 'network import-check' is defined on the source BGP session and the prefix is present in source RIB. Signed-off-by: Louis Scalbert <[email protected]>
"if not XX else" statements are confusing. Replace two "if not XX else" statements by "if XX else" to prepare next commits. The patch is only cosmetic. Signed-off-by: Louis Scalbert <[email protected]>
If 'bgp network import-check' is defined on the source BGP session, prefixes that are defined with the network command cannot be leaked to the other VRFs BGP table even if they are present in the origin VRF RIB if the 'rt import' statement is defined after the 'network <prefix>' ones. When a prefix nexthop is updated, update the prefix route leaking. The current state of nexthop validation is now stored in the attributes of the bgp path info. Attributes are compared with the previous ones at route leaking update so that a nexthop validation change now triggers the update of destination VRF BGP table. Signed-off-by: Louis Scalbert <[email protected]>
The following configuration creates an infinite routing leaking loop because 'rt vpn both' parameters are the same in both VRFs. > router bgp 5227 vrf r1-cust4 > no bgp network import-check > bgp router-id 192.168.1.1 > address-family ipv4 unicast > network 28.0.0.0/24 > rd vpn export 10:12 > rt vpn both 52:100 > import vpn > export vpn > exit-address-family > ! > router bgp 5227 vrf r1-cust5 > no bgp network import-check > bgp router id 192.168.1.1 > address-family ipv4 unicast > network 29.0.0.0/24 > rd vpn export 10:13 > rt vpn both 52:100 > import vpn > export vpn > exit-address-family The previous commit has added a routing leak update when a nexthop update is received from zebra. It indirectly calls bgp_find_or_add_nexthop() in which a static route triggers a nexthop cache entry registration that triggers a nexthop update from zebra. Do not register again the nexthop cache entry if the BGP_STATIC_ROUTE is already set. Signed-off-by: Louis Scalbert <[email protected]>
Test vpnv4 route leaking with import-check Signed-off-by: Louis Scalbert <[email protected]>
louis-6wind
force-pushed
the
bgp-leak-network
branch
from
5e7930e to
fb77755
Compare
mike-dubrovsky
added a commit
to mike-dubrovsky/frr-bgp-show-rib
that referenced
this pull request
Dec 7, 2025
When bgp_afi_node_get() is called, it locks the node via
route_lock_node() before returning it to the caller. The caller is
responsible for unlocking the node when done.
Call chain:
bgp_afi_node_get()
bgp_node_get()
route_node_get()
route_lock_node()
In bgp_bnc_mark_nht_important() and bgp_nexthop_update(), the route
nodes obtained from bgp_afi_node_get() were not being unlocked after
use, causing a reference count leak.
These issues were introduced by:
- Recent commit FRRouting#19008
(bgp_bnc_mark_nht_important function)
- VRF leaking commit FRRouting#15238
(bgp_nexthop_update function)
mike-dubrovsky
added a commit
to mike-dubrovsky/frr-bgp-show-rib
that referenced
this pull request
Dec 8, 2025
When bgp_afi_node_get() is called, it locks the node via
route_lock_node() before returning it to the caller. The caller is
responsible for unlocking the node when done.
Call chain:
bgp_afi_node_get()
bgp_node_get()
route_node_get()
route_lock_node()
In bgp_bnc_mark_nht_important() and bgp_nexthop_update(), the route
nodes obtained from bgp_afi_node_get() were not being unlocked after
use, causing a reference count leak.
These issues were introduced by:
- Recent commit FRRouting#19008
(bgp_bnc_mark_nht_important function)
- VRF leaking commit FRRouting#15238
(bgp_nexthop_update function)
Signed-off-by: Mike Dubrovsky <[email protected]>
mergify bot
pushed a commit
that referenced
this pull request
Dec 17, 2025
When bgp_afi_node_get() is called, it locks the node via
route_lock_node() before returning it to the caller. The caller is
responsible for unlocking the node when done.
Call chain:
bgp_afi_node_get()
bgp_node_get()
route_node_get()
route_lock_node()
In bgp_bnc_mark_nht_important() and bgp_nexthop_update(), the route
nodes obtained from bgp_afi_node_get() were not being unlocked after
use, causing a reference count leak.
These issues were introduced by:
- Recent commit #19008
(bgp_bnc_mark_nht_important function)
- VRF leaking commit #15238
(bgp_nexthop_update function)
Signed-off-by: Mike Dubrovsky <[email protected]>
(cherry picked from commit f36be98)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If 'bgp network import-check' is defined on the source BGP session,
prefixes that are defined with the network command cannot be leaked to
the other VRFs BGP table even if they are present in the origin VRF RIB.
Always validate the nexthop of BGP static routes (i.e. defined with the
network statement) if 'network import-check' is defined on the source
BGP session and the prefix is present in source RIB.