Page MenuHomeVyOS Platform
Create Task
Maniphest T5069

BGP large-community-list regex validation is incomplete
Closed, ResolvedPublicBUG
Actions

Description

FRR supports using regex patterns to specify large communities. At the moment this is implemented in src/validators/bgp-large-community-list; However, the code has several issues:

  • It assumes GLOB matching (regex "12345:*:23"), even though FRR uses regex substring match, i.e., this setting would actually match 12345:23.* (and technically 12345::23.*; but that won't happen). This was introduced in https://github.com/vyos/vyos-1x/pull/1025
  • The code only allows for '*' in the second field, i.e., to match 12345:.*:.*, one has to set 12345:*:.* (thereby matching 12345:.* effectively)
  • The code strictly enforces three seperating ":", which are not strictly needed for a regex (even though that leap _could_ be made if documented)

In general, the current matching code severely restricts the capabilities of this feature in FRR.

The problem with validation is that _technically_ one would want to make sure that the supplied regex matches something resembling a large community; However, in absence of that, technically anything looking like a bgp-regex should be fine (see: https://docs.frrouting.org/en/latest/bgp.html?highlight=large-community#bgp-regular-expressions ; Still, _technically_ this seems to be more limited than POSIX 1003.2)

I took a quick shot at how i'd make this look assuming pure POSIX 1003.2; If someone finds a nice lib in python that implements proper BGP regex, that would be a drop-in replacement for re.compile, i guess.

https://github.com/vyos/vyos-1x/compare/current...ichdasich:vyos-1x:bgp_large_community_validator_new

Details

Version
1.4
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

tfiebig created this task.Mar 8 2023, 7:39 PM
pasik subscribed.Mar 9 2023, 10:38 AM
tfiebig added a comment.Mar 9 2023, 2:45 PM

Just put this on a live system, and it behaves as intended (so far). Special meaning of _ would certainly have to be added to the check, i guess, but that needs further delving into bgp-regex syntax.

dmbaturin triaged this task as High priority.Jan 9 2024, 5:52 PM
dmbaturin added a project: VyOS 1.5 Circinus.
Viacheslav subscribed.Feb 13 2024, 4:23 PM

@tfiebig Could you add a PR?

tfiebig added a comment.Feb 13 2024, 4:25 PM

Honestly? Rather not. Even though i have been testing this extensively, there needs to be some discussion re: old-config-impact (+some testing); Similarly, _ideally_ this would not just go for standard python regex, but instead try to figure out what frr _acutally_ uses. So, while a poc, i think this needs a bit more work.

tfiebig added a comment.Feb 13 2024, 9:32 PM

The patch is btw here, in case anyone want to use it as inspiration: https://github.com/vyos/vyos-1x/compare/current...ichdasich:vyos-1x:bgp_large_community_validator_new

dmbaturin added a project: Restricted Project.Feb 15 2024, 1:01 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa1); removed VyOS 1.4 Sagitta.Feb 15 2024, 3:03 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0-epa1).Apr 4 2024, 10:24 PM
dmbaturin subscribed.

Well, someone should make a PR so that we can discuss the code. :)

syncer moved this task from 1.4.0-epa3 to 1.4.0-GA on the VyOS 1.4 Sagitta board.May 15 2024, 9:30 AM
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta (1.4.0-epa3).
syncer lowered the priority of this task from High to Wishlist.May 19 2024, 1:36 PM
syncer removed projects: VyOS 1.4 Sagitta (1.4.0-GA), Restricted Project.
talmakion subscribed.EditedJun 18 2024, 2:13 PM

Looking at the code in FRR, it just expands '_' to the full match '(^|[,{}()]|$)' and sends that whole match off to regexec().

Adding this to my TODO-list:

  • Simple form validation can itself be done by regex, such as` '^(\d+:){2}\d+$'`, we get a standard match
  • Something that doesn't match should be a valid regular expression (we can expand _ before checking), we get an extended match

There's no simple wrappers for POSIX regex in Python, so either a re.compile() would be "close enough" or it could be filtered through something that does use POSIX regex, like an echo 'test' | grep -E 'expr' - and look for exit code 2.

IMO just using re.compile() should be fine - you'd have to really try hard to find something that passes and wouldn't just be a dud non-matching POSIX regex.

talmakion added a comment.Jun 18 2024, 2:29 PM

Looking at it, T5816 already attempted to fix this and is probably better for users - doesn't give the full flexibility of regex and doesn't handle '_' at all, but does have a strict format expectation.

I've bumped into large community regexes being odd with older versions, T5816 would cover my use cases without a problem.

dmbaturin added a project: Bugs.Sep 15 2024, 5:04 PM
syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.Oct 30 2024, 3:40 PM
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM
talmakion added a comment.Apr 29 2025, 6:04 AM

I've issued a PR for this at https://github.com/vyos/vyos-1x/pull/4482, attempting to address a few things T5816 missed.

Restricted Repository Identity mentioned this in rVYOSONEX7c9f908f8658: policy: T5069: large-community-list regex validator should allow whitespace.May 20 2025, 1:33 PM
Restricted Repository Identity mentioned this in rVYOSONEX532a2ef2f9c4: Merge pull request #4482 from talmakion/bugfix/T5069/permit-compound-regex.May 20 2025, 1:33 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.3), VyOS 1.5 Circinus (1.5-stream-2025-Q2); removed Bugs.May 28 2025, 10:15 PM
dmbaturin changed Is it a breaking change? from Behavior change to Perfectly compatible.
dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS 1.4 Sagitta (1.4.4); removed VyOS 1.5 Circinus (1.5-stream-2025-Q2), VyOS 1.4 Sagitta (1.4.3).Jul 9 2025, 1:26 PM
Viacheslav closed this task as Resolved.Jul 31 2025, 9:04 AM
Viacheslav claimed this task.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin renamed this task from bgp large-community-list regex validation incomplete to BGP large-community-list regex validation is incomplete.Thu, Nov 13, 2:19 AM
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.4 Sagitta (1.4.4), VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS Rolling.