bgpd: add neighbor ip-transparent #18789

Merged
merged 4 commits into from
May 28, 2025

vjardin
Contributor

@vjardin vjardin commented May 10, 2025

Implement a per‑neighbor flag that sets IP_TRANSPARENT for the underlying TCP socket. With this flag bgpd can accept or initiate a session to/from an address that is not present on the host.

Typical use‑cases:

  • running bgpd inside a container without configuring the router loopback address inside that netns.
  • hitless switchover of a keepalived/VRRP VIP: the standby bgpd can pre‑bind and come up instantly after takeover.
  • BGP speakers when the IP address is not set (transparent firewall).

@donaldsharp
Member

can we add a simple topotest that shows that this works?

Member

@ton31337 ton31337 left a comment

Please add a topotest to check if it works as expected.

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from a5a96aa to 8f05c96 Compare May 12, 2025 14:42
@vjardin
Contributor Author

vjardin commented May 12, 2025

next: I'll submit the related topotest

@louis-6wind
Contributor

> • hitless switchover of a keepalived/VRRP VIP: the standby bgpd can pre‑bind and come up instantly after takeover.

Interesting, if I understand right, this use case works with neighbor passive

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from 8f05c96 to d50b46a Compare May 18, 2025 21:57
@github-actions github-actions bot added size/L and removed size/M labels May 18, 2025
@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from d50b46a to ef813aa Compare May 19, 2025 16:48
@frrbot frrbot bot added bugfix tests Topotests, make check, etc labels May 19, 2025
@github-actions github-actions bot added size/XL and removed size/L labels May 19, 2025
@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from ef813aa to a6de6cf Compare May 19, 2025 16:49
@github-actions github-actions bot added size/L and removed size/XL labels May 19, 2025
@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from a6de6cf to af44d1a Compare May 19, 2025 16:50
@vjardin
Contributor Author

vjardin commented May 20, 2025

ci:rerun

unrelated failures

@ton31337
Member

@vjardin please fix styling (frrbot).

Member

@riw777 riw777 left a comment

looks good ... looks like you've added the topo tests, as well

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from af44d1a to a7993ba Compare May 22, 2025 08:38
@vjardin
Contributor Author

vjardin commented May 22, 2025

> @vjardin please fix styling (frrbot).

I have fixed all except for peer_flag_action_list since the report is beyond this related pull request:
https://gist.githubusercontent.com/polychaeta/85e8de8a5a79de3f590f483ef95eb70e/raw/a7528f0462cbf79967bdd84881ea2248bf65ea5e/style.diff

 static const struct peer_flag_action peer_flag_action_list[] = {
-	{PEER_FLAG_PASSIVE, 0, peer_change_reset},
-	{PEER_FLAG_SHUTDOWN, 0, peer_change_reset},
-	{PEER_FLAG_RTT_SHUTDOWN, 0, peer_change_none},
  ...
+	{ PEER_FLAG_PASSIVE, 0, peer_change_reset },
+	{ PEER_FLAG_SHUTDOWN, 0, peer_change_reset },
+	{ PEER_FLAG_RTT_SHUTDOWN, 0, peer_change_none },
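
Review bot: keep this brace-spacing restyle of the existing peer_flag_action_list rows (PEER_FLAG_PASSIVE, PEER_FLAG_SHUTDOWN, PEER_FLAG_RTT_SHUTDOWN) out of the feature commits. Every visible line pair differs only in whitespace, so applying it here would mix formatting churn on untouched rows into the functional diff and make blame on this table harder to read. If the table is to be restyled, a separate style-only commit is the cleaner place for it.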

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from eb458e9 to 7cdd080 Compare May 22, 2025 13:44
@donaldsharp
Member

LGTM once CI finishes....

Member

@ton31337 ton31337 left a comment

Mixed peer->af_flags with peer->flags for PEER_FLAG_IP_TRANSPARENT.

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from 7cdd080 to d1a6e3c Compare May 23, 2025 16:25
@frrbot frrbot bot added the zebra label May 23, 2025
This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions bot added the rebase PR needs rebase label May 23, 2025
@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from d1a6e3c to d219953 Compare May 23, 2025 16:26
@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from d219953 to 00e2a6a Compare May 23, 2025 17:37
@vjardin vjardin requested a review from ton31337 May 23, 2025 17:39
@vjardin
Contributor Author

vjardin commented May 25, 2025

ci:rerun

@riw777
Member

riw777 commented May 27, 2025

waiting on blocker @ton31337 ... :-)

Add sockopt_ip_transparent(), a thin wrapper around
setsockopt(sock, SOL_IP, IP_TRANSPARENT) guarded by #ifdef IP_TRANSPARENT.

This lets daemons such as bgpd create transparent sockets when
running on kernels that support the option, while keeping the build
portable on systems that do not provide it.

Signed-off-by: Vincent Jardin <[email protected]>

@vjardin vjardin removed the bugfix label May 27, 2025
vjardin added 3 commits May 27, 2025 20:00
Implement a per‑neighbor flag that sets IP_TRANSPARENT for the
underlying TCP socket. With this flag bgpd can accept or initiate a
session to/from an address that is not present on the host.

Typical use‑cases:
  - running bgpd inside a container without configuring the router
    loopback address inside that netns.
  - hitless switchover of a keepalived/VRRP VIP: the standby bgpd
    can pre‑bind and come up instantly after takeover.
  - BGP speakers when the IP address is not set (transparent
    firewall).
  - others...

It is safeguarded by a CAP_NET_ADMIN.

Signed-off-by: Vincent Jardin <[email protected]>
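
The socket behaviour described in the PR text and in the two commit messages above (an `#ifdef`-guarded `IP_TRANSPARENT` option, a bind to an address not present on the host, and the privilege safeguard), as an added example that is not FRR's code. The helpers `demo_set_ip_transparent`, `try_bind` and `classify`, and the sample address 192.0.2.1, are assumptions made for illustration.

```c
/* Added example, not FRR code: helper names and 192.0.2.1 are illustrative. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum outcome { BOUND, NEEDS_PRIVILEGE, NOT_LOCAL, UNSUPPORTED, OTHER_ERROR };
/* 0 or -errno; -ENOPROTOOPT when the headers lack the option (non-Linux). */
static int demo_set_ip_transparent(int fd)
{
#ifdef IP_TRANSPARENT
	int on = 1; /* IPPROTO_IP has the same value as SOL_IP on Linux */
	return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) ? -errno : 0;
#else
	(void)fd;
	return -ENOPROTOOPT;
#endif
}

/* Bind a TCP socket to addr, port 0, optionally transparent; 0 or -errno. */
static int try_bind(const char *addr, int transparent)
{
	struct sockaddr_in sa = { .sin_family = AF_INET };
	int fd, rc;
	if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
		return -EINVAL;
	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -errno;
	rc = transparent ? demo_set_ip_transparent(fd) : 0;
	if (rc == 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
		rc = -errno;
	close(fd);
	return rc;
}

static enum outcome classify(int rc)
{
	return rc == 0 ? BOUND : rc == -EPERM ? NEEDS_PRIVILEGE /* no CAP_NET_ADMIN */
	     : rc == -EADDRNOTAVAIL ? NOT_LOCAL                 /* address not on host */
	     : rc == -ENOPROTOOPT ? UNSUPPORTED : OTHER_ERROR;
}
int main(void)
{
	const char *a = "192.0.2.1"; /* TEST-NET-1 documentation address */
	printf("plain=%d transparent=%d\n", classify(try_bind(a, 0)), classify(try_bind(a, 1)));
	return 0;
}
```

On a Linux host where 192.0.2.1 is not configured, the plain bind normally fails with EADDRNOTAVAIL, and the transparent bind succeeds only when the kernel accepts the option for the calling process.
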
When a neighbor is established for an ip-transparent
and the source address is well known, let's honor that
the connection.

Signed-off-by: Vincent Jardin <[email protected]>

r1 is a legacy bgp setting
r2 is configured using IP transparent

2 steps:
  - when IP transparent is not set, TCP session should not establish
  - when IP transparent is set, TCP session should establish

Signed-off-by: Vincent Jardin <[email protected]>

@vjardin vjardin force-pushed the vj_addbgpiptransparent branch from 00e2a6a to 4d07a2f Compare May 27, 2025 20:02
@ton31337 ton31337 merged commit 94e65ba into FRRouting:master May 28, 2025
13 checks passed
@vjardin vjardin deleted the vj_addbgpiptransparent branch May 28, 2025 08:19
@vjardin
Contributor Author

vjardin commented May 28, 2025

Thanks

Labels
bgp libfrr master rebase PR needs rebase size/L tests Topotests, make check, etc zebra
5 participants