3 changes: 1 addition & 2 deletions crates/admin-cli/src/tenant/update/args.rs
Expand Up @@ -25,8 +25,7 @@ pub struct Args {
#[clap(
short = 'p',
long,
help = "Optional, routing profile name to apply to the tenant",
default_value(None)
help = "Optional, routing profile name to apply to the tenant"
)]
pub routing_profile_type: Option<String>,

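--- a/crates/agent/src/ethernet_virtualization.rs
+++ b/crates/agent/src/ethernet_virtualization.rs
@@ -470,6 +470,11 @@ pub async fn update_nvue(
 .iter()
 .map(|l| l.prefix.to_owned())
 .collect(),
+allowed_anycast_prefixes: rp
+.allowed_anycast_prefixes
+.iter()
+.map(|p| p.prefix.to_owned())
+.collect(),
 })
 },
 bgp_leaf_session_password: nc.bgp_leaf_session_password.clone(),
@@ -2590,6 +2595,9 @@ mod tests {
 } else {
 vec![]
 },
+allowed_anycast_prefixes: vec![rpc::PrefixFilterPolicyEntry {
+prefix: "5.255.254.0/24".to_string(),
+}],
 route_target_imports: vec![rpc_common::RouteTarget {
 asn: 44444,
 vni: 55555,
@@ -2844,6 +2852,7 @@ mod tests {
 leak_default_route_from_underlay: false,
 leak_tenant_host_routes_to_underlay: false,
 accepted_leaks_from_underlay: vec![],
+allowed_anycast_prefixes: vec!["5.255.254.0/24".to_string()],
 route_target_imports: vec![nvue::RouteTargetConfig {
 asn: 44444,
 vni: 55555,
@@ -3079,6 +3088,9 @@ mod tests {
 leak_default_route_from_underlay: false,
 leak_tenant_host_routes_to_underlay: false,
 accepted_leaks_from_underlay: vec![],
+allowed_anycast_prefixes: vec![rpc::PrefixFilterPolicyEntry {
+prefix: "5.255.254.0/24".to_string(),
+}],
 route_target_imports: vec![rpc_common::RouteTarget {
 asn: 44444,
 vni: 55555,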
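Review bot: The new `allowed_anycast_prefixes` mapping in `update_nvue` forwards each `p.prefix` string from the RPC untouched, so an entry that is not a valid CIDR, or one outside the site's anycast ranges, is not rejected here and reaches the NVUE build unchecked; because this list appears to feed the prefix-list that permits what a tenant's instances may announce, the diff should say where that validation happens. The same is already true of `accepted_leaks_from_underlay` just above, so if the control plane is the trusted validator a comment such as `// Trusted as-is: the control plane validates allowed_anycast_prefixes before they reach the agent — TODO confirm` on the new mapping would record the assumption; otherwise parse at this boundary and fail the update on a bad entry. The three fixtures only pin pass-through of "5.255.254.0/24"; nothing in this diff exercises a VPC with an empty list, which is the path the template's grace-period fallback depends on. `update_nvue` starts and ends outside the hunk.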
26 changes: 25 additions & 1 deletion crates/agent/src/nvue.rs
Expand Up @@ -127,13 +127,17 @@ pub fn build(conf: NvueConfig) -> eyre::Result<String> {
// and make a later transition easier.
let routing_profile = conf.ct_routing_profile.as_ref().map(|rt| {
let (v4leaks, v6leaks) = split_prefixes_by_family(&rt.accepted_leaks_from_underlay, 1);
let (v4allowed_anycast, v6allowed_anycast) =
split_prefixes_by_family(&rt.allowed_anycast_prefixes, 1);

TmplRoutingProfile {
TenantLeakCommunitiesAccepted: rt.tenant_leak_communities_accepted,
LeakDefaultRouteFromUnderlay: rt.leak_default_route_from_underlay,
LeakTenantHostRoutesToUnderlay: rt.leak_tenant_host_routes_to_underlay,
AcceptedLeaksFromUnderlayIpv4: v4leaks,
AcceptedLeaksFromUnderlayIpv6: v6leaks,
AllowedAnycastPrefixesIpv4: v4allowed_anycast,
AllowedAnycastPrefixesIpv6: v6allowed_anycast,
RouteTargetImports: rt
.route_target_imports
.iter()
Expand Down Expand Up @@ -346,6 +350,14 @@ pub fn build(conf: NvueConfig) -> eyre::Result<String> {
.iter()
.map(|vni| TmplVni { Vni: *vni })
.collect(),
HasAllowedAnycastPrefixesIpv4: routing_profile
.as_ref()
.map(|p| !p.AllowedAnycastPrefixesIpv4.is_empty())
.unwrap_or_default(),
HasAllowedAnycastPrefixesIpv6: routing_profile
.as_ref()
.map(|p| !p.AllowedAnycastPrefixesIpv6.is_empty())
.unwrap_or_default(),
RoutingProfile: routing_profile.clone(),
PortPrefixes: port.VpcPrefixes.clone(),
PortPrefixesIpv6: port.VpcPrefixesIpv6.clone(),
Expand Down Expand Up @@ -1008,6 +1020,8 @@ pub struct RoutingProfile {
pub route_targets_on_exports: Vec<RouteTargetConfig>,
pub tenant_leak_communities_accepted: bool,
pub accepted_leaks_from_underlay: Vec<String>,
#[serde(default)]
pub allowed_anycast_prefixes: Vec<String>,
}

#[derive(Clone, Deserialize, Debug)]
Expand Down Expand Up @@ -1297,6 +1311,8 @@ struct TmplRoutingProfile {
TenantLeakCommunitiesAccepted: bool,
AcceptedLeaksFromUnderlayIpv4: Vec<Prefix>,
AcceptedLeaksFromUnderlayIpv6: Vec<Prefix>,
AllowedAnycastPrefixesIpv4: Vec<Prefix>,
AllowedAnycastPrefixesIpv6: Vec<Prefix>,
}

#[allow(non_snake_case)]
Expand Down Expand Up @@ -1407,6 +1423,9 @@ struct TmplVpc {
HasVpcPeerVnis: bool,
VpcPeerVnis: Vec<TmplVni>,

HasAllowedAnycastPrefixesIpv4: bool,
HasAllowedAnycastPrefixesIpv6: bool,

RoutingProfile: Option<TmplRoutingProfile>,
}

Expand All @@ -1418,7 +1437,7 @@ struct TmplHostInterfaces {
/// IPv6 host address (if dual-stack).
HostIPv6: Option<String>,

// HostRoute in the context of FNN-L3 is the /30 prefix allocation.
// HostRoute in the context of FNN-L3 is the /31 prefix allocation.
// This used to be populated as the HostIP + "/32", but then with
// the advent of interface prefix allocations (where ETV is just a /32,
// and FNN-L3 is a /31), HostRoute became the allocation (which was
Expand Down Expand Up @@ -1717,6 +1736,7 @@ mod tests {
route_target_imports: vec![],
route_targets_on_exports: vec![],
accepted_leaks_from_underlay: vec![],
allowed_anycast_prefixes: vec![],
});
conf.ct_port_configs = vec![PortConfig {
interface_name: "pf0vf0_if".into(),
Expand Down Expand Up @@ -1798,6 +1818,7 @@ mod tests {
route_target_imports: vec![],
route_targets_on_exports: vec![],
accepted_leaks_from_underlay: vec![],
allowed_anycast_prefixes: vec![],
});
conf.ct_port_configs = vec![PortConfig {
interface_name: "pf0vf0_if".into(),
Expand Down Expand Up @@ -1882,6 +1903,7 @@ mod tests {
route_target_imports: vec![],
route_targets_on_exports: vec![],
accepted_leaks_from_underlay: vec![],
allowed_anycast_prefixes: vec![],
});
conf.ct_port_configs = vec![
PortConfig {
Expand Down Expand Up @@ -1953,6 +1975,7 @@ mod tests {
route_target_imports: vec![],
route_targets_on_exports: vec![],
accepted_leaks_from_underlay: vec![],
allowed_anycast_prefixes: vec![],
});
conf.ct_port_configs = vec![PortConfig {
interface_name: "pf0vf0_if".into(),
Expand Down Expand Up @@ -2115,6 +2138,7 @@ mod tests {
route_target_imports: vec![],
route_targets_on_exports: vec![],
accepted_leaks_from_underlay: vec![],
allowed_anycast_prefixes: vec![],
}
}

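Review bot: `HasAllowedAnycastPrefixesIpv4`/`Ipv6` are computed nil-safely on `TmplVpc` via `.as_ref().map(..).unwrap_or_default()`, but the template hunk in `nvue_startup_fnn.conf` tests `len $vpc.RoutingProfile.AllowedAnycastPrefixesIpv4` directly, so within this diff the two new flags are never read and the guard against an absent `RoutingProfile` is not applied where the length check lives; if `RoutingProfile` can be `None` for a VPC rendered there, switch the template to `{{- if not $vpc.HasAllowedAnycastPrefixesIpv4 }}`, otherwise drop the unused fields. The new `RoutingProfile::allowed_anycast_prefixes` field carries `#[serde(default)]` but no doc comment; a line such as `/// CIDR strings whose host routes this tenant's instances may announce as anycast; empty selects the legacy site-wide anycast prefixes (IPv4 only in the current template) — confirm against the template.` would record the contract for the next reader. The two `split_prefixes_by_family(.., 1)` calls start both rule indices at 1, which presumably is fine only because leaks and anycast prefixes render into separate prefix-lists; a one-line comment stating that would save the next maintainer the check. `build` starts and ends outside the hunks.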
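--- a/crates/agent/src/tests/full.rs
+++ b/crates/agent/src/tests/full.rs
@@ -842,6 +842,7 @@ async fn handle_netconf(AxumState(state): AxumState<Arc<Mutex<State>>>) -> impl
 leak_default_route_from_underlay: false,
 leak_tenant_host_routes_to_underlay: false,
 accepted_leaks_from_underlay: vec![],
+allowed_anycast_prefixes: vec![],
 route_target_imports: vec![rpc_common::RouteTarget {
 asn: 44444,
 vni: 55555,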
50 changes: 31 additions & 19 deletions crates/agent/templates/nvue_startup_fnn.conf
Expand Up @@ -229,41 +229,53 @@
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST:
{{- range $vpc := $tenant.Vpcs }}
DPU_FROM_INSTANCE_PREFIX_LIST_{{ $vpc.VrfName }}:
rule:
{{- range $nvueConfig.AnycastSitePrefixes }}
{{- if eq (len $vpc.RoutingProfile.AllowedAnycastPrefixesIpv4) 0 }}{{/* This can be removed after a version or two to allow a grace/deprecation period. */}}
{{- range $nvueConfig.AnycastSitePrefixes }}
'{{ .Index }}':
action: permit
match:
{{ .Prefix }}:
max-prefix-len: 32
{{- end }}
{{- else }}
{{- range $vpc.RoutingProfile.AllowedAnycastPrefixesIpv4 }}
'{{ .Index }}':
action: permit
match:
{{ .Prefix }}:
min-prefix-len: 32
max-prefix-len: 32
{{- end }}
{{- end }}
'65535':
action: deny
match:
any: {}
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}:
type: ipv6
rule:
{{- range $nvueConfig.TrafficInterceptPublicPrefixes }}
{{- range $vpc.RoutingProfile.AllowedAnycastPrefixesIpv6 }}
'{{ .Index }}':
action: permit
match:
{{ .Prefix }}: {}
{{- end }}
{{ .Prefix }}:
max-prefix-len: 128
{{- end }}
'65535':
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6:
type: ipv6
{{- end }}
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
rule:
{{- range $nvueConfig.AnycastSitePrefixesIpv6 }}
{{- range $nvueConfig.TrafficInterceptPublicPrefixes }}
'{{ .Index }}':
action: permit
match:
{{ .Prefix }}:
min-prefix-len: 128
{{- end }}
{{ .Prefix }}: {}
{{- end }}
'65535':
action: deny
match:
Expand Down Expand Up @@ -472,7 +484,7 @@
permit: {}{{/* We allow it in because we might need to leak to some targets and drop to others, so we tag it for later. */}}
match:
type: ipv4
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_{{ $vpc.VrfName }}
community-list: BYOIP_LEAK_AND_DROP_EVPN_COMMUNITY_LIST
set:
tag: 65102{{/* tag it so we can match on the tag and use it for leaking and dropping later */}}
Expand All @@ -485,7 +497,7 @@
permit: {}
match:
type: ipv4
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_{{ $vpc.VrfName }}
community-list: BYOIP_LEAK_COMMUNITY_LIST
set:
tag: 65100{{/* tag it so we can match on the tag and use it for leaking later */}}
Expand All @@ -499,7 +511,7 @@
permit: {}
match:
type: ipv4
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_{{ $vpc.VrfName }}
set:
tag: 65101{{/* tag it so we can match on the tag and use it for leaking later */}}
community:
Expand All @@ -517,7 +529,7 @@
permit: {}{{/* We allow it in because we might need to leak to some targets and drop to others, so we tag it for later. */}}
match:
type: ipv6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}
community-list: BYOIP_LEAK_AND_DROP_EVPN_COMMUNITY_LIST
set:
tag: 65102{{/* tag it so we can match on the tag and use it for leaking and dropping later */}}
Expand All @@ -530,7 +542,7 @@
permit: {}
match:
type: ipv6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}
community-list: BYOIP_LEAK_COMMUNITY_LIST
set:
tag: 65100
Expand All @@ -544,7 +556,7 @@
permit: {}
match:
type: ipv6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}
set:
tag: 65101
community:
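Review bot: The per-VPC IPv6 list `DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}` has no grace-period fallback: the IPv4 list falls back to `$nvueConfig.AnycastSitePrefixes` when `AllowedAnycastPrefixesIpv4` is empty, but the IPv6 list ranges only over `$vpc.RoutingProfile.AllowedAnycastPrefixesIpv6` and otherwise contains just the `65535` deny, so a VPC that has not yet been given a per-VPC list keeps IPv4 anycast and silently loses IPv6 anycast, whereas the replaced rule permitted `$nvueConfig.AnycastSitePrefixesIpv6`. The new IPv6 rule is also looser than its IPv4 counterpart: IPv4 pins `min-prefix-len: 32` and `max-prefix-len: 32`, while IPv6 sets only `max-prefix-len: 128`, which accepts the whole allowed aggregate and every more-specific rather than host routes only, and the replaced rule used `min-prefix-len: 128`; if the intent matches IPv4, add `min-prefix-len: 128`. Both `len $vpc.RoutingProfile.AllowedAnycastPrefixesIpv4` and the IPv6 range dereference `RoutingProfile` without a nil check even though `TmplVpc` now carries `HasAllowedAnycastPrefixesIpv4`/`Ipv6` for that purpose; if `RoutingProfile` can be absent for a VPC in this loop, use the flags as the sketch below does. The sketch assumes `NvueConfig` still exposes `AnycastSitePrefixesIpv6`, which this diff neither removes nor shows.
```yaml
      DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_{{ $vpc.VrfName }}:
        type: ipv6
        rule:
        {{- if not $vpc.HasAllowedAnycastPrefixesIpv6 }}{{/* Mirror the IPv4 grace/deprecation fallback; remove together with it. */}}
        {{- range $nvueConfig.AnycastSitePrefixesIpv6 }}
          '{{ .Index }}':
            action: permit
            match:
              {{ .Prefix }}:
                min-prefix-len: 128
        {{- end }}
        {{- else }}
        {{- range $vpc.RoutingProfile.AllowedAnycastPrefixesIpv6 }}
          '{{ .Index }}':
            action: permit
            match:
              {{ .Prefix }}:
                min-prefix-len: 128
                max-prefix-len: 128
        {{- end }}
        {{- end }}
        {{/* … unchanged: '65535' deny rule … */}}
```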
Expand Up @@ -96,30 +96,30 @@
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST:
DPU_FROM_INSTANCE_PREFIX_LIST_vpc_10101:
rule:
'1000':
action: permit
match:
5.255.255.0/24:
min-prefix-len: 32
max-prefix-len: 32
'65535':
action: deny
match:
any: {}
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_vpc_10101:
type: ipv6
rule:
'1':
action: permit
match:
7.8.0.0/16: {}
'65535':
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6:
type: ipv6
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
rule:
'1':
action: permit
match:
7.8.0.0/16: {}
'65535':
action: deny
match:
Expand Down Expand Up @@ -273,7 +273,7 @@
permit: {}
match:
type: ipv4
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_vpc_10101
set:
tag: 65101
community:
Expand All @@ -290,7 +290,7 @@
permit: {}
match:
type: ipv6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_vpc_10101
set:
tag: 65101
community:
Expand Up @@ -74,20 +74,20 @@
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST:
DPU_FROM_INSTANCE_PREFIX_LIST_vpc_100:
rule:
'65535':
action: deny
match:
any: {}
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_vpc_100:
type: ipv6
rule:
'65535':
action: deny
match:
any: {}
DPU_FROM_INSTANCE_PREFIX_LIST_IPV6:
type: ipv6
DPU_FROM_TRAFFIC_INTERCEPT_PEER_PREFIX_LIST:
rule:
'65535':
action: deny
Expand Down Expand Up @@ -242,7 +242,7 @@
permit: {}
match:
type: ipv4
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_vpc_100
set:
tag: 65101
community:
Expand All @@ -259,7 +259,7 @@
permit: {}
match:
type: ipv6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6
ip-prefix-list: DPU_FROM_INSTANCE_PREFIX_LIST_IPV6_vpc_100
set:
tag: 65101
community: