Setting route destination for DNAT addresses
Brian Topping
brian.topping at gmail.com
Mon Apr 8 06:52:23 CEST 2019
In this thread[1], I realize I created a new problem in the BIRD BGP configuration with `dest = RTD_BLACKHOLE`. Setting a destination to blackhole works great when the routes are being propagated (no ICMP unreachable is sent by the kernel) and an address being managed by Kubernetes DNAT facilities will be caught in the netfilter chains and sent to the proper container. That configuration:
> router id UP.STREAM.143.113;
>
> protocol bgp bgp_metal_gw01 {
> local as ASLOCAL;
> neighbor 10.10.0.41 as ASLOCAL;
> passive yes;
> ipv4 {
> next hop self;
> import filter {
> bgp_origin = ORIGIN_IGP;
> dest = RTD_BLACKHOLE; # <=== DISCUSSION LINE
> accept;
> };
> export none;
> };
> }
The problem is when a service on the same host as the container needs to connect to the DNAT address presented for the container. Because the local kernel routing table is set to blackhole for an address, the traffic is immediately sunk instead of being offered to netfilter. Removing that dest line simply sets it to a default of RTD_UNREACHABLE, which does the same thing but politely tells the sender that it did so.
What I thought would work is to change the line to `ifname = “eno2”`, but doing so generates a parse error. This seems to be a bug in the documentation as the `ifname` attribute is not listed as read-only.
How can I set the route to a local interface in the filter?
Thanks! Brian
[1] https://marc.info/?l=bird-users&m=155458976221242&w=2
More information about the Bird-users
mailing list