authorClaudio Jeker <claudio@cvs.openbsd.org>2018-09-26 15:01:37 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2018-09-26 15:01:37 +0000
commitada85eaf419bed02142fde9a563e234d7745b6f1 (patch)
tree4ab9be61e6ff2daa71ba8ee3352fb0737605a603 /usr.sbin/bgpd
parent35c315688513679b8aa8643e29b64ea98c288e9a (diff)
Switching bgpd to a default deny policy had one bad side-effect. Some
withdraws were suddenly filtered out because the filter ran into the default deny. So for this case (state == NULL) change action to default allow. This bug was haunting bgpd for a while now, causing prefixes to be stuck for no obvious reason. OK benno@, sthen@
Diffstat (limited to 'usr.sbin/bgpd')
-rw-r--r--usr.sbin/bgpd/rde_filter.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.sbin/bgpd/rde_filter.c b/usr.sbin/bgpd/rde_filter.c
index f0e7fc52778..10d4735d820 100644
--- a/usr.sbin/bgpd/rde_filter.c
+++ b/usr.sbin/bgpd/rde_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_filter.c,v 1.109 2018/09/26 13:26:32 claudio Exp $ */
+/* $OpenBSD: rde_filter.c,v 1.110 2018/09/26 15:01:36 claudio Exp $ */
/*
* Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -1018,6 +1018,9 @@ rde_filter(struct filter_head *rules, struct rde_peer *peer,
struct filter_rule *f;
enum filter_actions action = ACTION_DENY; /* default deny */
+ if (state == NULL) /* withdraw should be accepted by default */
+ action = ACTION_ALLOW;
+
if (state && state->aspath.flags & F_ATTR_PARSE_ERR)
/*
* don't try to filter bad updates just deny them
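Review bot: The added `if (state == NULL)` check turns a NULL state into a fail-open path through rde_filter, and nothing visible in the hunk ties NULL to withdraws except the one-line comment. I would spell the contract out where the default is set, e.g. `/* state == NULL means a withdraw; never pass NULL for an announcement, it would bypass the default deny */`, so a later caller does not weaken the policy by accident. The initializer comment `/* default deny */` on the line above is also no longer the whole story and could read `/* default deny, except withdraws (below) */`. The rule loop is outside the hunk, so whether an explicit deny rule can still match a withdraw and leave the prefix stuck cannot be checked here; rde_filter's body continues past the last line shown.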