Enable "bgp network import-check exact" by default. Without this it is

very easy to blackhole routes.

Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com>
Reviewed-by:   Donald Sharp <sharpd@cumulusnetworks.com>

Ticket: CM-6649

bgpd/bgp_nht.c

@@ -175,14 +175,14 @@ bgp_find_or_add_nexthop (struct bgp *bgp, afi_t afi, struct bgp_info *ri,
       SET_FLAG(bnc->flags, BGP_STATIC_ROUTE);
 
       /* If we're toggling the type, re-register */
-      if ((bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH)) &&
+      if ((bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK)) &&
 	  !CHECK_FLAG(bnc->flags, BGP_STATIC_ROUTE_EXACT_MATCH))
 	{
 	  SET_FLAG(bnc->flags, BGP_STATIC_ROUTE_EXACT_MATCH);
 	  UNSET_FLAG(bnc->flags, BGP_NEXTHOP_REGISTERED);
 	  UNSET_FLAG(bnc->flags, BGP_NEXTHOP_VALID);
 	}
-      else if ((!bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH)) &&
+      else if ((!bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK)) &&
 	       CHECK_FLAG(bnc->flags, BGP_STATIC_ROUTE_EXACT_MATCH))
 	{
 	  UNSET_FLAG(bnc->flags, BGP_STATIC_ROUTE_EXACT_MATCH);

bgpd/bgp_vty.c

@@ -2153,45 +2153,26 @@ DEFUN (no_bgp_default_show_hostname,
 /* "bgp import-check" configuration.  */
 DEFUN (bgp_network_import_check,
        bgp_network_import_check_cmd,
-       "bgp network import-check {exact}",
+       "bgp network import-check",
        "BGP specific commands\n"
        "BGP network command\n"
-       "Check BGP network route exists in IGP\n"
-       "Match route precisely")
+       "Check BGP network route exists in IGP\n")
 {
   struct bgp *bgp;
-  int trigger = 0;
 
   bgp = vty->index;
   if (!bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK))
     {
       bgp_flag_set (bgp, BGP_FLAG_IMPORT_CHECK);
-      trigger = 1;
-    }
-
-  if (argv[0] != NULL)
-    {
-      if (!bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH))
-	{
-	  bgp_flag_set (bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH);
-	  trigger = 1;
-	}
-    }
-  else if (bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH))
-    {
-      bgp_flag_unset (bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH);
-      trigger = 1;
+      bgp_static_redo_import_check(bgp);
     }
 
-  if (trigger)
-    bgp_static_redo_import_check(bgp);
-
   return CMD_SUCCESS;
 }
 
 DEFUN (no_bgp_network_import_check,
        no_bgp_network_import_check_cmd,
-       "no bgp network import-check {exact}",
+       "no bgp network import-check",
        NO_STR
        "BGP specific commands\n"
        "BGP network command\n"
@@ -2203,9 +2184,9 @@ DEFUN (no_bgp_network_import_check,
   if (bgp_flag_check(bgp, BGP_FLAG_IMPORT_CHECK))
     {
       bgp_flag_unset (bgp, BGP_FLAG_IMPORT_CHECK);
-      bgp_flag_unset (bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH);
       bgp_static_redo_import_check(bgp);
     }
+
   return CMD_SUCCESS;
 }
 

bgpd/bgpd.c

@@ -2698,6 +2698,7 @@ bgp_create (as_t *as, const char *name)
   bgp->stalepath_time = BGP_DEFAULT_STALEPATH_TIME;
   bgp->dynamic_neighbors_limit = BGP_DYNAMIC_NEIGHBORS_LIMIT_DEFAULT;
   bgp->dynamic_neighbors_count = 0;
+  bgp_flag_set (bgp, BGP_FLAG_IMPORT_CHECK);
 
   bgp->as = *as;
 
@@ -6792,10 +6793,8 @@ bgp_config_write (struct vty *vty)
 	}
 
       /* BGP network import check. */
-      if (bgp_flag_check (bgp, BGP_FLAG_IMPORT_CHECK_EXACT_MATCH))
-	vty_out (vty, " bgp network import-check exact%s", VTY_NEWLINE);
-      else if (bgp_flag_check (bgp, BGP_FLAG_IMPORT_CHECK))
-	vty_out (vty, " bgp network import-check%s", VTY_NEWLINE);
+      if (!bgp_flag_check (bgp, BGP_FLAG_IMPORT_CHECK))
+	vty_out (vty, " no bgp network import-check%s", VTY_NEWLINE);
 
       /* BGP flag dampening. */
       if (CHECK_FLAG (bgp->af_flags[AFI_IP][SAFI_UNICAST],

bgpd/bgpd.h

@@ -255,8 +255,7 @@ struct bgp
 #define BGP_FLAG_DISABLE_NH_CONNECTED_CHK (1 << 16)
 #define BGP_FLAG_MULTIPATH_RELAX_NO_AS_SET (1 << 17)
 #define BGP_FLAG_FORCE_STATIC_PROCESS     (1 << 18)
-#define BGP_FLAG_IMPORT_CHECK_EXACT_MATCH (1 << 19)
-#define BGP_FLAG_SHOW_HOSTNAME            (1 << 20)
+#define BGP_FLAG_SHOW_HOSTNAME            (1 << 19)
 
   /* BGP Per AF flags */
   u_int16_t af_flags[AFI_MAX][SAFI_MAX];