wireguard + multihop BGP = route rejected, but route created

Alexander Zubkov green at qrator.net
Sun Dec 10 15:19:34 CET 2023


Hi,

Looks like it is the check that the route is not returned to the
session where it was received from.

Regards,
Alexander

On Sun, Dec 10, 2023 at 2:32 PM Ivan Agarkov <ivan.agarkov at gmail.com> wrote:
>
> Hello!
>
> I'm creating a BGP lab for my students and found an interesting and unexpected behavior.
>
> I'm getting a reject message when receiving a route:
> 2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 > added [best] 10.200.0.0/16 0L 4G unicast
> 2023-12-10 15:10:53.724 <TRACE> isp1.ipv4 < rejected by protocol 10.200.0.0/16 0L 4G unicast
>
> But then the route appears in ip route:
> 10.200.0.0/16 dev 201 proto bird scope link metric 32
>
> I've dug into the source code and found that the reject is happening here:
> proto/bgp/attrs.c:1641 if (src == p) return -1 in the bgp_preexport function.
>
> The question is: what is happening and does it look valid/expected?
>
> Wireguard configuration is the same on all peers:
>
> [Interface]
> Address=10.10.10.201/32
> PrivateKey=******
> Table=off
>
> [Peer]
> Endpoint=*******
> PublicKey=*****
> PersistentKeepalive=25
> AllowedIPs=0.0.0.0/0
>
> My configuration for BIRD peers:
> ==== local bird.conf ====
> log stderr all;
> router id 10.10.10.201;
>
> protocol device {
> scan time 10;
> }
>
> protocol kernel {
> ipv4 {
>      import all;
>      export all;
> };
> learn;
> }
>
> protocol static {
> ipv4;
> route 10.201.0.0/16 via "wlp41s0"; # wifi device
> route 10.10.10.0/24 via "201"; # wireguard device
> }
>
> protocol bgp isp1 {
> router id 10.10.10.201;
> local 10.10.10.201 as 65201;
> neighbor 10.10.10.200 as 65200;
> source address 10.10.10.201;
> multihop;
> ipv4 {
> import filter {
> if net ~ 10.0.0.0/8 then accept;
> else reject;
> };
> export filter {
> if net ~ 10.201.0.0/16 then accept;
> else reject;
> };
>
> };
> debug all;
> }
> ==== /client bird.conf ====
>
> ==== remote bird.conf ====
> log stderr all;
>
> protocol kernel {
> learn; # Learn all alien routes from the kernel
> persist; # Don't remove routes on bird shutdown
> scan time 20; # Scan kernel routing table every 20 seconds
> import all; # Default is import all
> export all; # Default is export none
> # kernel table 5; # Kernel table to synchronize with (default: main)
> }
>
> protocol device {
> scan time 10;
> }
>
> protocol static {
> export all;
> route 10.10.10.0/24 via "200"; # wireguard device
> route 10.200.0.0/16 via 10.200.200.200; # virtual network
> }
>
> template bgp cpr_ne {
> local as 65200;
> router id 10.10.10.200;
> multihop;
> source address 10.10.10.200;
> import filter {
> if net ~ 10.201.0.0/16 then accept;
> else if net ~ 10.202.0.0/16 then accept;
> else if net ~ 10.203.0.0/16 then accept;
> else if net ~ 10.204.0.0/16 then accept;
> else if net ~ 10.205.0.0/16 then accept;
> else if net ~ 10.206.0.0/16 then accept;
> else if net ~ 10.207.0.0/16 then accept;
> else if net ~ 10.208.0.0/16 then accept;
> else reject;
> };
> export filter {
> if net ~ 10.200.0.0/16 then accept;
> else reject;
> };
> }
>
> protocol bgp cpr201 from cpr_ne {
> neighbor 10.10.10.201 as 65201;
> }
> protocol bgp cpr202 from cpr_ne {
> neighbor 10.10.10.202 as 65202;
> }
> protocol bgp cpr203 from cpr_ne {
> neighbor 10.10.10.203 as 65203;
> }
> protocol bgp cpr204 from cpr_ne {
> neighbor 10.10.10.204 as 65204;
> }
> protocol bgp cpr205 from cpr_ne {
> neighbor 10.10.10.205 as 65205;
> }
> protocol bgp cpr206 from cpr_ne {
> neighbor 10.10.10.206 as 65206;
> }
> protocol bgp cpr207 from cpr_ne {
> neighbor 10.10.10.207 as 65207;
> }
> protocol bgp cpr208 from cpr_ne {
> neighbor 10.10.10.208 as 65208;
> }
> ==== remote bird.conf ====
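As an added illustration of the check Alexander points to, here is a constructed Python model of the local bird's export path; it is not code from either mail nor from BIRD itself. The filter bodies are the ones from Ivan's isp1 protocol, and the trace strings follow BIRD's own wording: a preexport rejection is logged as "rejected by protocol", whereas an export-filter rejection would be logged as "filtered out".

```python
import ipaddress

# Constructed model, not BIRD's code: how a route learned on isp1 moves
# through the local table. The table re-exports every best route to every
# channel; on the BGP channel, bgp_preexport() (proto/bgp/attrs.c) refuses
# a route whose source protocol is the session it would go back to
# (src == p) before that channel's export filter is even consulted.

def isp1_import_filter(net):
    # 'if net ~ 10.0.0.0/8 then accept; else reject;'
    return net.subnet_of(ipaddress.ip_network("10.0.0.0/8"))

def isp1_export_filter(net):
    # 'if net ~ 10.201.0.0/16 then accept; else reject;'
    return net.subnet_of(ipaddress.ip_network("10.201.0.0/16"))

def bgp_preexport(src, proto):
    # -1 (reject) when the route came from this very session
    return -1 if src == proto else 0

def export_line(prefix, src, channel):
    """Trace-style line ('<' = export direction) for one channel."""
    net = ipaddress.ip_network(prefix)
    if channel == "kernel":           # local kernel channel: 'export all;'
        return f"kernel < added {net} (installed as proto bird)"
    if bgp_preexport(src, channel) < 0:
        return f"{channel}.ipv4 < rejected by protocol {net}"
    if not isp1_export_filter(net):   # a filter rejection is traced differently
        return f"{channel}.ipv4 < filtered out {net}"
    return f"{channel}.ipv4 < added {net}"

def receive_from_isp1(prefix):
    """Trace lines produced when isp1 announces `prefix` to the local bird."""
    net = ipaddress.ip_network(prefix)
    if not isp1_import_filter(net):
        return [f"isp1.ipv4 > filtered out {net}"]
    lines = [f"isp1.ipv4 > added [best] {net}"]
    for channel in ("kernel", "isp1"):
        lines.append(export_line(prefix, "isp1", channel))
    return lines

if __name__ == "__main__":
    for line in receive_from_isp1("10.200.0.0/16"):
        print(line)
```

Running it reproduces both lines of Ivan's trace: the route is installed via the kernel channel (hence "proto bird" in ip route) and the same route is refused on its way back to isp1, which is the export direction ("<"), not the import.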