In this thread[1], I realize I created a new problem in the BIRD BGP configuration with `dest = RTD_BLACKHOLE`. Setting a destination to blackhole works great when the routes are being propagated (no ICMP unreachable is sent by the kernel) and an address being managed by Kubernetes DNAT facilities will be caught in the netfilter chains and sent to the proper container. That configuration:
router id UP.STREAM.143.113;

protocol bgp bgp_metal_gw01 {
  local as ASLOCAL;
  neighbor 10.10.0.41 as ASLOCAL;
  passive yes;
  ipv4 {
    next hop self;
    import filter {
      bgp_origin = ORIGIN_IGP;
      dest = RTD_BLACKHOLE;   # <=== DISCUSSION LINE
      accept;
    };
    export none;
  };
}
The problem is when a service on the same host as the container needs to connect to the DNAT address presented for the container. Because the local kernel routing table is set to blackhole for an address, the traffic is immediately sunk instead of being offered to netfilter. Removing that dest line simply sets it to a default of RTD_UNREACHABLE, which does the same thing but politely tells the sender that it did so.

What I thought would work is to change the line to `ifname = "eno2"`, but doing so generates a parse error. This seems to be a bug in the documentation as the `ifname` attribute is not listed as read-only. How can I set the route to a local interface in the filter?

Thanks!

Brian

[1] https://marc.info/?l=bird-users&m=155458976221242&w=2
On Sun, Apr 07, 2019 at 10:52:23PM -0600, Brian Topping wrote:
The problem is when a service on the same host as the container needs to connect to the DNAT address presented for the container. Because the local kernel routing table is set to blackhole for an address, the traffic is immediately sunk instead of being offered to netfilter. Removing that dest line simply sets it to a default of RTD_UNREACHABLE, which does the same thing but politely tells the sender that it did so.
That is probably because BGP_NEXT_HOP reported in the route is not resolvable through your local routing table.
What I thought would work is to change the line to `ifname = "eno2"`, but doing so generates a parse error. This seems to be a bug in the documentation as the `ifname` attribute is not listed as read-only.
That was changed just recently. Do you have latest version of BIRD? You can also set the direct next hop by setting 'gw'.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
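The two fixes Ondrej suggests, applied to the configuration from the first message, as an added example that is neither code from the thread nor from the BIRD project. The interface name eno2 and the neighbor 10.10.0.41 come from the posted config; the version in which `ifname` became writable is an assumption (Ondrej only says "just recently", and Brian's EPEL build is 2.0.2 while 2.0.4 is current), as is the claim that 10.10.0.41 is on-link, which a directly set `gw` requires.

```bird
# Added example, not from the thread. Assumes a BIRD 2 release in which
# 'ifname' is writable in filters (assumed: 2.0.4 or later). Interface
# and neighbor are the placeholders from the original config.
router id UP.STREAM.143.113;

protocol bgp bgp_metal_gw01 {
  local as ASLOCAL;
  neighbor 10.10.0.41 as ASLOCAL;
  passive yes;
  ipv4 {
    next hop self;
    import filter {
      bgp_origin = ORIGIN_IGP;

      # Variant A (needs writable ifname): make the route a device route
      # on eno2. Setting ifname turns the route into a direct one with no
      # gateway, so the kernel installs "... dev eno2" instead of
      # "blackhole ...". Locally generated traffic then passes the route
      # lookup and reaches the netfilter OUTPUT chain, where the DNAT
      # rules can rewrite it, instead of being sunk before any hook.
      ifname = "eno2";

      # Variant B (also works on 2.0.2): keep a gateway route but pin the
      # next hop explicitly to an address that is resolvable in the local
      # table, so the route does not end up unreachable because the
      # BGP_NEXT_HOP carried in the UPDATE cannot be resolved.
      # Use one variant or the other, not both.
      # gw = 10.10.0.41;   # assumed to be on-link

      accept;
    };
    export none;
  };
}
```

To check which route the kernel actually received, run `ip route get <DNAT address>` on the host: a working import shows `dev eno2` (variant A) or `via 10.10.0.41` (variant B) rather than `blackhole` or `unreachable`. `birdc show route all` shows the next hop and interface BIRD computed before export to the kernel, which separates a filter problem from a kernel-protocol problem.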
On Apr 12, 2019, at 4:34 AM, Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Sun, Apr 07, 2019 at 10:52:23PM -0600, Brian Topping wrote:
The problem is when a service on the same host as the container needs to connect to the DNAT address presented for the container. Because the local kernel routing table is set to blackhole for an address, the traffic is immediately sunk instead of being offered to netfilter. Removing that dest line simply sets it to a default of RTD_UNREACHABLE, which does the same thing but politely tells the sender that it did so.
That is probably because BGP_NEXT_HOP reported in the route is not resolvable through your local routing table.
You can also set the direct next hop by setting 'gw'.
Thanks for both of those.
That was changed just recently. Do you have latest version of BIRD?
EPEL has 2.0.2, looks like 2.0.4 is the latest. I’ll build from the spec file and go from there. Cheers! B