frrcfgd: does not push 'ip protocol bgp route-map', resulting in incorrect default source address selection

[toreanderson]

Description

When using the FRR configuration management framework, the route-map that ensures that locally originated traffic (e.g., ICMP errors) are sourced from the Loopback0 address is no longer included in the FRR configuration by default, nor does it seem possible to manually create it from entries in ConfigDB.

This results in 240.127.1.1 (assigned to docker0) inappropriately being used as the default source address for locally originated traffic that are routed to interfaces without IPv4 addresses assigned, which is the case for routes learned from unnumbered BGP neighbours, for example.

Steps to reproduce the issue:

1. Download and start a SONiC virtual switch image (convenient links and instructions)
2. Log in and observe that the the default FRR configuration contains the required configuration:

admin@sonic:~$ vtysh -c 'sh run' | egrep -U1 'set src|ip protocol'
route-map RM_SET_SRC permit 10
 set src 10.1.0.1
exit
--
!
ip protocol bgp route-map RM_SET_SRC
!

3. Enable the FRR configuration management framework and restart the bgp container:

admin@sonic:~$ sonic-db-cli CONFIG_DB HSET 'DEVICE_METADATA|localhost' 'frr_mgmt_framework_config' 'true'
admin@sonic:~$ docker restart bgp

Describe the results you received:

The ip protocol bgp route-map configuration is missing:

admin@sonic:~$ vtysh -c 'sh run' | egrep -U1 'set src|ip protocol'
admin@sonic:~$

It is possible to take it one step further and establish some unnumbered BGP peerings where some routes are being learned. Observing the routing table with ip route will then reveal that the src attribute is missing. Attempting, e.g., ping <remote-ip-learned-from-unnumberd-BGP> will use 240.127.1.1 as the source address and will therefore not receive any replies.

Describe the results you expected:

A ip protocol bgp route-map should have been created to set the default source address to the one assigned to Loopback0, this should have been visible in the output from ip route, and ping <remote-ip-learned-from-unnumberd-BGP> should have used the Loopback0 address and should have received responses.

Alternatively, the current behaviour could have been acceptable as the default, but only if there was some other way for the user to manually instruct frrcfgd to create the necessary FRR configuration from ConfigDB keys. However, after reading through the documentation and the templates I have come to the conclusion that this is currently not possible.

Output of show version:

SONiC Software Version: SONiC.master.230570-2ba2ff139
Distribution: Debian 11.6
Kernel: 5.10.0-18-2-amd64
Build commit: 2ba2ff139
Build date: Wed Mar  8 12:15:30 UTC 2023
Built by: AzDevOps@vmss-soni000N1W

Platform: x86_64-kvm_x86_64-r0
HwSKU: Force10-S6000
ASIC: vs
ASIC Count: 1
Serial Number: N/A
Model Number: N/A
Hardware Revision: N/A
Uptime: 09:23:10 up  1:03,  1 user,  load average: 1.43, 1.38, 1.20
Date: Fri 10 Mar 2023 09:23:10

Docker images:
REPOSITORY                    TAG                       IMAGE ID       SIZE
docker-orchagent              latest                    4c4128e7e414   385MB
docker-orchagent              master.230570-2ba2ff139   4c4128e7e414   385MB
docker-fpm-frr                latest                    340cd7de86de   403MB
docker-fpm-frr                master.230570-2ba2ff139   340cd7de86de   403MB
docker-teamd                  latest                    f26cae2b668f   374MB
docker-teamd                  master.230570-2ba2ff139   f26cae2b668f   374MB
docker-macsec                 latest                    b6e09b53b4bb   376MB
docker-gbsyncd-vs             latest                    6c10451c8285   367MB
docker-gbsyncd-vs             master.230570-2ba2ff139   6c10451c8285   367MB
docker-dhcp-relay             latest                    100d68b0a27d   367MB
docker-eventd                 latest                    d623516ae7e6   357MB
docker-eventd                 master.230570-2ba2ff139   d623516ae7e6   357MB
docker-sonic-p4rt             latest                    92c7e289a575   927MB
docker-sonic-p4rt             master.230570-2ba2ff139   92c7e289a575   927MB
docker-snmp                   latest                    65b282028ded   397MB
docker-snmp                   master.230570-2ba2ff139   65b282028ded   397MB
docker-sonic-telemetry        latest                    bae0ea5371d2   655MB
docker-sonic-telemetry        master.230570-2ba2ff139   bae0ea5371d2   655MB
docker-router-advertiser      latest                    28a9f44bf920   357MB
docker-router-advertiser      master.230570-2ba2ff139   28a9f44bf920   357MB
docker-platform-monitor       latest                    4bb5dc870f93   479MB
docker-platform-monitor       master.230570-2ba2ff139   4bb5dc870f93   479MB
docker-lldp                   latest                    60c8b95bede8   399MB
docker-lldp                   master.230570-2ba2ff139   60c8b95bede8   399MB
docker-mux                    latest                    5d7058026034   405MB
docker-mux                    master.230570-2ba2ff139   5d7058026034   405MB
docker-database               latest                    bc8b9bdf1dfd   357MB
docker-database               master.230570-2ba2ff139   bc8b9bdf1dfd   357MB
docker-nat                    latest                    f2c659617602   351MB
docker-nat                    master.230570-2ba2ff139   f2c659617602   351MB
docker-sflow                  latest                    2ad97554d27c   349MB
docker-sflow                  master.230570-2ba2ff139   2ad97554d27c   349MB
docker-sonic-mgmt-framework   latest                    65d70ceeac73   476MB
docker-sonic-mgmt-framework   master.230570-2ba2ff139   65d70ceeac73   476MB
docker-syncd-vs               latest                    7d56167dd272   346MB
docker-syncd-vs               master.230570-2ba2ff139   7d56167dd272   346MB

Output of show techsupport:

sonic_dump_sonic_20230310_092339.tar.gz

Additional information you deem important (e.g. issue happens only occasionally):

This is the template that renders the necessary FRR configuration when the FRR configuration management framework is not in use: zebra.set_src.conf.j2.

[lukasstockner]

In case it's intentional that by default this is not configured, here's a patch that adds support for configuring it manually through the config DB: genesiscloud@c2ec9bf

[matofeder]

In case it's intentional that by default this is not configured, here's a patch that adds support for configuring it manually through the config DB: genesiscloud@c2ec9bf

Is there any chance of pushing the above proposal upstream?

[venkatmahalingam]

@lukasstockner @matofeder Can you create a pull request for review?

[matofeder]

@lukasstockner @matofeder Can you create a pull request for review?

I'm on it

[lukasstockner]

Here's a PR: #20332

Who should I add as reviewers?

[matofeder]

I added this commit that should add ipv6 support for the set src. It is in a separate PR #20333 (it would be great to merge it with PR #20332, but first discuss whether my additions are valid).

The main differences from #20332 are:

• IPv6 support
• zebra daemon is specified for route_map, route_map_ipv6, and set_src. As the frrcfgd just skipped the vtysh commands as not valid for bgpd, if the zebra daemon was not selected
• Removing the ip protocol bgp route-map <route-map-name> does not work (in both PRs). I guess that it is caused by this line. I did not figure out how to fix this in frrcfgd so far.

[toreanderson]

For what it is worth, I ended up adding the following workaround on my switches. Posting it here in case it is of use to anyone else.

/usr/local/bin/set-default-source-ip

#!/bin/bash -x

# Set the default source address for BGP routes to the Loopback0 address.
# Assumes there is only a single IPv4 address configured on Loopback0.
# Workaround for https://github.com/sonic-net/sonic-buildimage/issues/14195
# [email protected] 2025

SRCIP=$(sonic-db-cli CONFIG_DB KEYS 'LOOPBACK_INTERFACE|Loopback0|*')
SRCIP=${SRCIP#LOOPBACK_INTERFACE|Loopback0|}
SRCIP=${SRCIP%/32}

if test -z "$SRCIP"; then
	echo "ERROR: unable to determine Loopback0 IP address"
	exit 1
fi

/usr/bin/vtysh \
	--echo \
	--command 'configure' \
	--command 'route-map RM_SET_SRC permit 10' \
	--command "set src ${SRCIP}" \
	--command 'exit' \
	--command 'ip protocol bgp route-map RM_SET_SRC'

/etc/systemd/system/set-default-source-ip.service

[Unit]
Description=Set default source IP for BGP routes
Requires=bgp.service
After=bgp.service

[Service]
ExecStart=/usr/local/bin/set-default-source-ip
Restart=on-failure
RestartSec=5
RemainAfterExit=true

[Install]
WantedBy=bgp.service

Enable with systemctl enable --now set-default-source-ip.service. This will enable that the workaround is automatically applied whenever the BGP container (re)starts.