From 5a9f0ac26a669d58fee8dd8686ec87f8f5014603 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Sat, 21 Sep 2024 16:13:59 +0200 Subject: [PATCH] exit: strip own AS prefix from routes received by firewalls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For some reason routes with own ASN are not imported into default VRF. Maybe also others. These routes forward packets through the firewalls. As long as both exits are up this is not a problem, because routes going to peer exit don’t include this exit’s own ASN. If the peer goes down, all remaining routes sent by firewalls have our own ASN and are not imported into default VRF, so L3 servers lose connectivity to internal networks. If the exit strips own ASN from received routes, importing works OK. We strip both our and peer’s ASNs to keep path lengths the same. This has involved an indecent amount of poking knobs and knobbing pokes and it might cause other issues elsewhere. --- roles/exit/templates/frr.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2 index e02943c..13723a6 100644 --- a/roles/exit/templates/frr.conf.j2 +++ b/roles/exit/templates/frr.conf.j2 @@ -392,10 +392,12 @@ route-map firewall->outside permit 41 route-map firewall-{{ loop.index }}->inside permit 1 set tag {{ loop.index }} set weight {{ 100 * loop.index }} + set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }} call firewall->inside route-map firewall-{{ loop.index }}->outside permit 1 set tag {{ loop.index }} set weight {{ 100 * loop.index }} + set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }} call firewall->outside {% endfor %}
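Review bot: the two added `set as-path exclude {{ asn.asn }} {{ hostvars[peer].asn.asn }}` lines remove this exit's own ASN (and the peer's) from the AS_PATH of every route learned from the firewalls, which disables the one signal BGP uses to detect a routing loop on those prefixes; the commit message's "for some reason routes with own ASN are not imported" is that loop check doing its job, so please say so in the template rather than leaving the workaround unexplained. At minimum add a Jinja comment above each line (for example `{# strip own and peer ASN: firewall paths carry our ASN when the peer exit is down and would otherwise be rejected as loops #}`) and note the loop-prevention trade-off, since the message itself concedes "it might cause other issues elsewhere". Also, the identical `set as-path exclude` line is duplicated in both per-firewall route-maps (`firewall-N->inside` and `firewall-N->outside`); it could live once in the shared `firewall->inside` / `firewall->outside` route-maps that both already `call`, which keeps the per-loop stanzas to the tag and weight they actually vary on.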