FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

Flowspec entry is not installed in PBR #3160

Open 464d41 opened 6 years ago

464d41 commented 6 years ago

Description

FRR receives flowspec entry but it is reported as "not installed in PBR" and rule isn't applied to traffic.

Steps to Reproduce

  1. Configure BGP to accept flowspec

    router bgp 12345
    bgp router-id 10.0.0.1
    neighbor 10.15.10.253 remote-as 12345
    !
    address-family ipv4 flowspec
    neighbor 10.15.10.253 activate
    exit-address-family
    rfp full-table-download off
    !
  2. Check received flowspec entry

    94613e4eaa8c# show bgp ipv4 flowspec
    BGP table version is 1103, local router ID is 10.0.0.1, vrf id 0
    Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
                   i internal, r RIB-failure, S Stale, R Removed
    Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
    Origin codes:  i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *>i to 10.17.10.20/32 from 0.0.0.0/0 proto = 6  dstp = 443                  10.15.10.253                  100      0 i
    Displayed  1 routes and 1 total paths
    94613e4eaa8c# show bgp ipv4 flowspec 10.17.10.20/32
    BGP flowspec entry: (flags 0x418)
            Destination Address 10.17.10.20/32
            Source Address 0.0.0.0/0
            IP Protocol = 6
            Destination Port = 443
            FS:redirect IP 0x0
            NH 10.15.10.253
            received for 00:03:39
            not installed in PBR
    bash-4.4# iptables -t mangle --list
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

Expected behavior:

Flowspec entry translated to underlying linux instructions and applied to traffic flow

Actual behavior:

Looks like the flowspec entry is not translated to underlying linux instructions, since iptables output shows nothing.

Components

    bash-4.4# cat /etc/frr/daemons | grep yes
    zebra=yes
    bgpd=yes
    pbrd=yes

    sudo docker logs -f frr
    Starting Frr daemons (prio:10):.
    Exiting from the script
    watchfrr[79]: watchfrr 6.1-dev starting: vty@0
    watchfrr[79]: zebra state -> up : connect succeeded
    watchfrr[79]: pbrd state -> up : connect succeeded
    watchfrr[79]: bgpd state -> up : connect succeeded
    watchfrr[79]: all daemons up, doing startup-complete notify

Versions

I'm running FRR in container. Image: ajones17/frr:latest

Likely info listed above is not enough to debug. Please let me know what else is needed.
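An added example, not part of the original issue and not FRR code: a monitoring check that parses `show bgp ipv4 flowspec <prefix>` detail output and reports entries that were received but are not enforced, which is the condition reported above. The first sample entry is copied from the issue; the second entry and its `installed in PBR` line are constructed, and that line's wording is an assumption.

```python
import re

# Sample input: first entry copied from the issue; second entry constructed,
# and its "installed in PBR" status line is an assumed form.
SAMPLE = """\
BGP flowspec entry: (flags 0x418)
        Destination Address 10.17.10.20/32
        Source Address 0.0.0.0/0
        IP Protocol = 6
        Destination Port = 443
        FS:redirect IP 0x0
        NH 10.15.10.253
        received for 00:03:39
        not installed in PBR
BGP flowspec entry: (flags 0x418)
        Destination Address 192.0.2.7/32
        IP Protocol = 17
        installed in PBR
"""

FIELD = re.compile(r"^(Destination Address|Source Address|IP Protocol|Destination Port)\s*=?\s*(\S+)")

def parse_entries(text):
    """Split detail output into one dict per flowspec entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BGP flowspec entry:"):
            entries.append({"installed": None})
        elif not entries:
            continue  # prompt or banner text before the first entry
        elif line == "not installed in PBR":
            entries[-1]["installed"] = False
        elif line.startswith("installed in PBR"):
            entries[-1]["installed"] = True
        elif m := FIELD.match(line):
            entries[-1][m.group(1)] = m.group(2)
    return entries

def unenforced(entries):
    """Entries not confirmed installed; an unknown status counts as unenforced."""
    return [e for e in entries if e["installed"] is not True]

if __name__ == "__main__":
    for entry in unenforced(parse_entries(SAMPLE)):
        print("NOT ENFORCED:", entry)
```

Treating a missing status line as unenforced makes the check fail closed if the output format changes.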

pguibert6WIND commented 6 years ago

The PBR install requires FRR to contain a plugin that is not yet in FRR mainstream (look at https://github.com/FRRouting/frr/pull/2025 for more information).

donaldsharp commented 6 years ago

@pguibert6WIND I thought you indicated that you were going to be providing a patch that did the install correctly into the kernel. Is this not the case?

pguibert6WIND commented 6 years ago

Yes, a patch will be provided, but the ETA has been delayed.

464d41 commented 6 years ago

That is great. Thank you guys for the fast reply. Hoping for the same fast resolution. Let me know if any other debug data is needed.

bhicks69 commented 5 years ago

It looks as though this will be resolved in 7.0. Is that correct? If so, is there a way to test this in a dev or test release?

pguibert6WIND commented 5 years ago

Hi @bhicks69, sorry, but as the ETA has been postponed, this will not be available for 7.0 as mentioned. I think the original pull request used for driving netfilter is available; you should be able to build your own frr. But sorry, 7.0 will not have the flowspec driver.

reza-ghazvini commented 4 years ago

Hi Guys, I have the same problem when I send rules from ExaBGP to FRR (ver 6.0.2), Debian: "not installed in PBR". Could you please leave me any helpful comments?

pguibert6WIND commented 4 years ago

Hi @reza-ghazvini, there has not been any rework of #2025 yet so that you can use PBR directly in frr. If you feel motivated for moving to ABI interface, you're welcome.

tweippert commented 3 years ago

Hi @pguibert6WIND, if I understand it correctly, the current implementation in frr is that it receives the flowspec information and splits it up into ipset/iptables actions in pbr, but the real installation in the kernel by pbrd wasn't achieved, as there is a missing "module" which does the real work. Is this correct?

sv3n-mu3ll3r commented 3 years ago

Hi Team, I'm running v7.5.1 and I still face the issue with "not installed in PBR" after I receive a Flowspec route. Is this still not added in this version? I was not able to find any info on that. Thanks, sVen

buzzsumit commented 2 years ago

I am facing the problem even on running 8.1.0. Do we have an ETA on the fix?

brezular commented 1 year ago

I am facing the problem even on running 8.4.2. Can you please provide that kernel module for us?

riw777 commented 1 year ago

I've put this on the project board ... before closing it for the moment, is anyone working on this?

pguibert6WIND commented 1 year ago

> I've put this on the project board ... before closing it for the moment, is anyone working on this?

For information, https://github.com/FRRouting/frr/pull/2025 was the original work. We have to go to a real ABI (application BINARY interface), if someone is willing to do it.