Page MenuHomePhabricator
Create Task
Maniphest T267719

Prevent advertising invalid prefixes from customers
Closed, ResolvedPublic
Actions

Description

Since T265288 is done, WMCS is considered a customer.
But a customer that still have to advertise 172.16.0.0/21 to us.
Unfortunately we re-advertise customer prefixes to the world without any sanitizing, which means we're curently re-advertising 172.16.0.0/21.

Similarly to what we do in the border-out{4,6} firewall filter we need to at least discard prefix-list-filter special-ranges{4,6}.
Even though we could apply a big part of BGP_sanitize_in` I'd prefer to keep BGP_outfilter lightweight. And for example apply BGP_sanitize_in to our customer interfaces when able.

Details

SubjectRepoBranchLines +/-
Drop special-ranges in BGP_outfilteroperations/homer/publicmaster+14 -0
Customize query in gerrit

Related Objects

Event Timeline

ayounsi triaged this task as High priority.Nov 11 2020, 9:13 AM
ayounsi created this task.
Restricted Application added a project: SRE. · View Herald TranscriptNov 11 2020, 9:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Nov 11 2020, 9:17 AM

Change 640666 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/homer/public@master] Drop special-ranges in BGP_outfilter

https://gerrit.wikimedia.org/r/640666

gerritbot added a project: Patch-For-Review.Nov 11 2020, 9:17 AM
gerritbot added a comment.Nov 11 2020, 3:22 PM

Change 640666 merged by jenkins-bot:
[operations/homer/public@master] Drop special-ranges in BGP_outfilter

https://gerrit.wikimedia.org/r/640666

jenkins-bot mentioned this in rOHPU4ab4cd0d7e1a: Drop special-ranges in BGP_outfilter.Nov 11 2020, 3:26 PM
ayounsi added a comment.Nov 11 2020, 3:27 PM

Pushed to cr3-ulsfo:

before
  Prefix		  Nexthop	       MED     Lclpref    AS path
* 172.16.0.0/21           Self                                    I
* 185.15.56.0/24          Self                                    I
* 198.35.26.0/24          Self                                    I
* 198.35.27.0/24          Self                                    I
* 198.73.209.0/24         Self                                    11820 ?
after
* 185.15.56.0/24          Self                                    I
* 198.35.26.0/24          Self                                    I
* 198.35.27.0/24          Self                                    I
* 198.73.209.0/24         Self                                    11820 ?

Rolling everywhere.

Maintenance_bot removed a project: Patch-For-Review.Nov 11 2020, 4:10 PM
ayounsi closed this task as Resolved.Nov 11 2020, 4:52 PM

Done.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL