import functions & filters at same time of BGP protocol

Javor Kliachev jkliachev at neterra.net
Thu Sep 12 13:45:14 CEST 2013


Hello,

I managed to find where my mistake is :)

In fact, ROA_INVALID checks for a valid record in the roa table,
while ROA_UNKNOWN checks whether an entry exists at all.

I made some changes and now everything works as expected.

My function looks like this:

function AS64778_in() {

        if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then {
                print "ROA check failed: hijacking attempt for ", net, " from ASN ", bgp_path.last, " via ", proto;
                return false;
        }

        if roa_check(r64778, net, bgp_path.last) = ROA_UNKNOWN then {
                print "ROA check failed: unallowed prefix - ", net, " ASN ", bgp_path.last, " via ", proto;
                return false;
        }

        return true;
}

protocol bgp R0_252 from PEERS {
   description "0.252_Mon";
   neighbor 10.0.0.252 as 64778;
   import where AS64778_in() && MM_BGP_IN(64778,1,1001);
   export where MM_BGP_OUT(64778);
   table T64778;
}

Best~

On 09/12/2013 11:27 AM, Javor Kliachev wrote:
> Hello Ondrej,
>
> Many thanks for your explanation and the solution.
>
> I have made the necessary changes according to your advice but now I see 
> the following strange behaviour.
>
> I'm trying to implement the "roa filter check" in a separate function but 
> unfortunately it doesn't work.
> Maybe I made something wrong but I don't know where or what :)
>
> I ask for your help again.
>
> Here is part of my conf in the lab:
>
> table T64778
>
> roa table r64778 {
>      roa 31.13.244.0/24 max 24 as 64778;
> }
>
> function AS64778_in() {
>
> # This check seems not working. The network 87.120.111.0/24 is
> # permitted, which is strange, because it is not listed in my roa table.
> # When I use the same but implemented in "import filter" it works.
>
>   if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then return false;
>
>
> # Fake network for test - it should not be accepted.
> # When I try to remove the comment below everything works as
> # expected and the network is rejected successfully.
> # if (net = 87.120.111.0/24) then return false;
>
>   return true;
> }
>
>
> protocol pipe P64778 from PIPES {
>   description "Monitoring";
>   peer table T64778;
> # export where bgp_out(64778);
>   export where MM_PIPE_OUT(64778,[(1,1001..1999)]);
> }
>
> protocol bgp R0_252 from PEERS {
>   description "0.252_Mon";
>   neighbor 10.0.0.252 as 64778;
>    import where AS64778_in() && MM_BGP_IN(64778,1,1001);
> # import where MM_BGP_IN(64778,1,1001) && AS64778_in();
>   export where MM_BGP_OUT(64778);
>   table T64778;
> }
>
> I hope the information I provided helps to solve my problem.
>
> Thanks in advance!
>
> Best~
>
> On 09/11/2013 08:21 PM, Ondrej Zajicek wrote:
>> On Wed, Sep 11, 2013 at 06:47:09PM +0300, Javor Kliachev wrote:
>>> Hello,
>>>
>>> I would like to know what will happen if we use function & filters
>>> configured at same time
>>> on import direction of given BGP protocol. Which is first pass? Till now
>> ...
>>> But when I decided to apply and "filter import <some filter>" all
>>> conditions and rules in my applied
>>> function was totally ignored. Only the condition in the filter was checked.
>> Hi
>>
>> This is expected. "import where COND;" is just a shorthand for
>> "import filter { if COND then accept; else reject; };"
>>
>> Multiple import/export filter options are ignored, just the last one
>> is used. If you want to mix several prepared functions/filters, then write
>> everything as a function and use "import where FN1 && FN2 && FN3;".
>>
>
>


-- 
---
Find out about our new Cloud service - Cloudware.bg 
<http://cloudware.bg/?utm_source=email&utm_medium=signature&utm_content=link&utm_campaign=newwebsite>
Access anywhere. Manage it yourself. Pay as you go.
------------------------------------------------------------------------
*Javor Kliachev*
IP Engineer

Neterra Ltd.
Telephone: +359 2 975 16 16
Fax: +359 2 975 34 36
www.neterra.net <http://www.neterra.net>
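The ROA_INVALID / ROA_UNKNOWN distinction that resolved the thread, modelled in Python as an added example (not BIRD code and not from the list): roa_check() follows the RFC 6811 origin-validation rule that BIRD implements, the ROA table mirrors the lab config above, and the two filter functions are the buggy (ROA_INVALID only) and fixed (ROA_INVALID or ROA_UNKNOWN) versions of AS64778_in.

```python
import ipaddress
from enum import Enum


class RoaResult(Enum):
    VALID = "ROA_VALID"
    INVALID = "ROA_INVALID"
    UNKNOWN = "ROA_UNKNOWN"


# Constructed ROA table mirroring the lab config in the thread:
#   roa 31.13.244.0/24 max 24 as 64778;
ROA_TABLE = [(ipaddress.ip_network("31.13.244.0/24"), 24, 64778)]


def roa_check(table, net, asn):
    """Model of BIRD's roa_check(table, net, asn) (RFC 6811 semantics).

    UNKNOWN: no ROA in the table covers the prefix at all.
    VALID:   some covering ROA has the origin AS and prefix length <= max.
    INVALID: covering ROAs exist, but none matches AS and max length.
    """
    net = ipaddress.ip_network(net)
    covering = [r for r in table
                if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return RoaResult.UNKNOWN
    for prefix, maxlen, roa_asn in covering:
        if roa_asn == asn and net.prefixlen <= maxlen:
            return RoaResult.VALID
    return RoaResult.INVALID


def as64778_in_buggy(net, last_as):
    """First version from the thread: only ROA_INVALID is rejected,
    so a prefix absent from the ROA table (ROA_UNKNOWN) slips through."""
    return roa_check(ROA_TABLE, net, last_as) != RoaResult.INVALID


def as64778_in_fixed(net, last_as):
    """Final version from the thread: both INVALID and UNKNOWN are rejected,
    so only prefixes explicitly authorised in the ROA table are accepted."""
    result = roa_check(ROA_TABLE, net, last_as)
    if result is RoaResult.INVALID:
        return False   # "hijacking attempt": ROA exists, AS or length mismatch
    if result is RoaResult.UNKNOWN:
        return False   # "unallowed prefix": no ROA covers it
    return True
```

Running as64778_in_buggy("87.120.111.0/24", 64778) returns True, which is the behaviour Javor saw in the lab, while the fixed function returns False.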

