natesales / pathvector

Declarative routing platform that automates BGP route optimization and control plane configuration with secure and repeatable routing policy.
https://pathvector.io
MIT License

prefixes tagged with blackhole get rejected due to out of bounds #208

Open accuris-infrastructure opened 6 months ago

accuris-infrastructure commented 6 months ago

Describe the bug

Pathvector rejects routes with a length of /128 or /32 from peers when tagged with the blackhole community, when `filter-prefix-length` and `allow-blackhole-community` are enabled on the session. It should be possible to allow these prefix lengths through the filters when tagged with the blackhole community, as some carriers only accept /32s and /128s for RTBH purposes.

Environment

```console
~# pathvector version
Pathvector 6.3.2
Built c35220bf121f366ff05a51d93c6236e8c324d682 on 2023-06-11T07:03:14Z
No plugins
BIRD: ready.
~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
```

To Reproduce

Steps to reproduce the behavior:

  1. Configure a session with `filter-prefix-length` and `allow-blackhole-community` enabled on the peer.
  2. Advertise a prefix with a length of either /32 or /128 to the peer with the above two settings enabled and the blackhole community tagged on export.
  3. See error:

```
bird: REJECTED [out of bounds (48 > len > 12)] pfx 2602:XXXX:XXX::1/128 session USER_ASXXXXX_v6 path (path XXXXX) pathlen 1 origin XXXXX
```

I suspect that this is due to the order in which the filters get processed in the generated BIRD config:

```
import filter {
    ...
    reject_out_of_bounds_routes();
    bgp_local_pref = 200; # pathvector:localpref
    process_blackholes();
    ...
    accept;
};
```

Expected behavior

Blackhole gets processed as normal.

Actual behavior

Blackhole gets rejected due to being out of bounds.
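The stage-ordering problem described in this issue, modelled as an added Python example (not Pathvector's or BIRD's own code): the reported order runs the bounds check before the blackhole branch, so a /128 tagged with the RFC 7999 BLACKHOLE community is dropped before it is ever examined; with the stages swapped, the host route is accepted while every other /128 is still rejected. The v6 bounds reproduce the `48 > len > 12` figure from the log line; the v4 bounds, the host-route-only rule for blackholes and the inclusive boundary semantics are assumptions of this model.

```python
import ipaddress

# RFC 7999 well-known BLACKHOLE community (65535:666)
BLACKHOLE = (65535, 666)

# Accepted prefix-length range (min, max) per address family. The v6 pair is
# taken from the issue's log line; the v4 pair is an assumption for the model.
BOUNDS = {4: (8, 24), 6: (12, 48)}


def reject_out_of_bounds_routes(net, communities):
    """Model of the bounds stage: reject any length outside [min, max]."""
    lo, hi = BOUNDS[net.version]
    if net.prefixlen < lo or net.prefixlen > hi:
        return "reject: out of bounds"
    return None  # no verdict, fall through to the next stage


def process_blackholes(net, communities):
    """Model of the blackhole stage: only host routes may be blackholed
    (assumption; carriers quoted in the issue only accept /32 and /128)."""
    if BLACKHOLE not in communities:
        return None
    if net.prefixlen != net.max_prefixlen:
        return "reject: blackhole must be a host route"
    return "accept: blackhole"


def import_filter(prefix, communities=frozenset(), order=()):
    """Run the stages in the given order; the first verdict wins, like BIRD's
    accept/reject terminating a filter."""
    net = ipaddress.ip_network(prefix, strict=False)
    for stage in order:
        verdict = stage(net, communities)
        if verdict:
            return verdict
    return "accept"


# The order from the generated config quoted in the issue, and the swap that
# lets tagged host routes bypass the bounds check.
REPORTED_ORDER = (reject_out_of_bounds_routes, process_blackholes)
REORDERED = (process_blackholes, reject_out_of_bounds_routes)

if __name__ == "__main__":
    # Constructed sample route standing in for the 2602:XXXX:XXX::1/128 in the log.
    for order in (REPORTED_ORDER, REORDERED):
        names = " -> ".join(s.__name__ for s in order)
        print(names, "=>", import_filter("2001:db8::1/128", {BLACKHOLE}, order))
```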

accuris-infrastructure commented 6 months ago

Also worth noting that even with the community being tagged, if you also have RPKI and IRR filtering enabled on the peer, it also rejects the announcement due to being invalid or outside the prefix list.