Bug #11392
closed
FRR - Advanced Routing Behavior - Network Import Check: Flag should be reversed
100%
Description
In Services -> FRR -> BGP -> Advanced -> Advanced Routing Behavior
There is a "Network Import Check" that is not enabled by default in the GUI. Enabling it will add "bgp network import-check" to the configuration.
Disabling it will remove "bgp network import-check" from the configuration rather than add "no bgp network import-check" to the configuration.
Because FRR 7.5 now defaults to "frr defaults traditional" this flag is assumed even if not specified.
pfSense should modify configuration to reflect "no bgp network import-check" if the "Network Import Check" option in the UI is unchecked.
Updated by Jim Pingle almost 4 years ago
- Project changed from pfSense to pfSense Packages
- Category changed from Web Interface to FRR
- Target version deleted (CE-Next)
Updated by M Felden almost 4 years ago
Ok I am up and running now and after some testing I can rephrase the issue more clearly.
- We have some changes between FRR 7.3 and 7.5 regarding RFC8212. This is good.
- An upgrade from 2.4.5-p1 to 2.5.0-RC means the config from FRR 7.3 gets migrated to 7.5.
- If the environment was previously configured in a way where the announced prefix is not in the RIB, FRR will now not announce the prefix.
From FRR docu:
For versions 7.3 and before frr defaults for datacenter were the network must exist, traditional did not check for existence. For versions 7.4 and beyond both traditional and datacenter the network must exist.
- pfSense 2.5.0-RC exposes most FRR options, including Services -> FRR -> BGP -> Advanced -> Advanced Routing Behavior -> Network Import Check
The flag is not set by default. But the underlying FRR configuration on versions > 7.3 assumes this is set unless otherwise specified.
Thus setting or not setting this option in the GUI has no operational effect. If it is set, we add the line explicitly, if it is not set the option is assumed implicitly.
Suggest we either make it so that the option is a negative statement, similar to how "Disable eBGP Require Policy" works. Meaning if nothing is selected, we do nothing to the config. If it is checked, we add "no bgp network import-check" to the configuration.
Updated by Viktor Gurov almost 4 years ago
add "no bgp network import-check" if unchecked:
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/54
Updated by Jim Pingle almost 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to In Progress
- Assignee changed from Viktor Gurov to Jim Pingle
This doesn't add the option when there is no frrbgpadvanced config present, and it should since we want it to be the default behavior.
Easy fix, will push momentarily.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Fix committed and merged everywhere it is relevant.
Updated by Alhusein Zawi over 3 years ago
"bgp network import-check" will not show up in the configuration if I did not enable it once.
If I enabled it, it will be displayed in the configuration:
router bgp 61000
 bgp network import-check
 neighbor 192.168.1.88 remote-as 61000
or disabled:
router bgp 61000
 no bgp network import-check
 neighbor 192.168.1.88 remote-as 61000
Updated by Jim Pingle over 3 years ago
That's what I fixed yesterday but there isn't a new package yet. Wait for pfSense-pkg-frr version 1.1.0_10.
Updated by Alhusein Zawi over 3 years ago
Fixed.
"bgp network import-check" shows up in the configuration by default.
router bgp 61000
 no bgp network import-check
Enabling/disabling shows up in the configuration too.
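
Added example, not part of the ticket and not pfSense or FRR code: a small Python check that reports the effective import-check state of each "router bgp" block, using the version rule from the FRR documentation quoted above. The function names and sample configs are constructed for illustration; the FRR version is supplied by the caller, and "traditional" is assumed when no "frr defaults" line is present.

```python
import re

def implicit_import_check(frr_version, profile):
    # Rule quoted in the thread: up to 7.3 only the datacenter profile requires
    # the network to exist; from 7.4 on both profiles require it.
    return frr_version >= (7, 4) or profile == "datacenter"

def import_check_states(config_text, frr_version):
    """Return {asn: (enabled, "explicit" | "implicit")} per 'router bgp' block."""
    profile = "traditional"  # assumption when no 'frr defaults' line is present
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"frr defaults (\S+)", line)
        if m:
            profile = m.group(1)
            continue
        m = re.match(r"router bgp (\d+)", line)
        if m:
            current = m.group(1)
            blocks[current] = None      # None: no explicit statement seen yet
        elif raw.rstrip() == "!" or line.startswith("router "):
            current = None              # unindented '!' or another router block
        elif current and line == "bgp network import-check":
            blocks[current] = True
        elif current and line == "no bgp network import-check":
            blocks[current] = False
    default = implicit_import_check(frr_version, profile)
    return {asn: (default, "implicit") if state is None else (state, "explicit")
            for asn, state in blocks.items()}

# Constructed samples modelled on the configs quoted in the thread.
SAMPLE_UNTOUCHED = """\
frr defaults traditional
router bgp 61000
 neighbor 192.168.1.88 remote-as 61000
!
"""
SAMPLE_UNCHECKED = """\
frr defaults traditional
router bgp 61000
 no bgp network import-check
 neighbor 192.168.1.88 remote-as 61000
!
"""

if __name__ == "__main__":
    for version in ((7, 3), (7, 5)):
        print(version, "untouched:", import_check_states(SAMPLE_UNTOUCHED, version))
        print(version, "unchecked:", import_check_states(SAMPLE_UNCHECKED, version))
```

The same untouched config flips from "off" to "on" between 7.3 and 7.5, while the config carrying the explicit "no" statement keeps the same state on both versions.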