rejected by protocol <prefix> unicast
Maria Matějka
maria.matejka at nic.cz
Tue Dec 10 23:04:10 CET 2019
Because in kernel protocol you shall write export filter. Also overlooked this at the first sight.
To accept routes from bgp to table, you write import filter, to send routes from table to kernel, you write export filter. The import/export semantics is table-centric.
Maria
On December 10, 2019 10:48:42 PM GMT+01:00, wax xitau <waxitau at gmail.com> wrote:
>Thanks for the prompt response Maria.
>
>I actually had import all and that did not work either. I've added
>accept
>to the kernel protocol with the same results.
>I also don't have any log line about a filter rejecting or accepting.
>
>// logs after restarting the bgp session
>
>2019-12-10 22:41:40.989 <INFO> Restarting protocol pe1
>2019-12-10 22:41:40.989 <TRACE> pe1: Shutting down
>2019-12-10 22:41:40.989 <TRACE> pe1: Shutdown requested
>2019-12-10 22:41:40.989 <TRACE> pe1: State changed to stop
>2019-12-10 22:41:40.989 <TRACE> pe1: BGP session closed
>2019-12-10 22:41:40.990 <TRACE> pe1 > removed [sole] 10.2.34.0/24
>unicast
>2019-12-10 22:41:40.990 <TRACE> pe1 > removed [sole] 10.1.12.0/24
>unicast
>2019-12-10 22:41:40.990 <TRACE> pe1: Sending NOTIFICATION(code=6.4)
>2019-12-10 22:41:40.990 <TRACE> pe1: Down
>2019-12-10 22:41:40.990 <TRACE> pe1: State changed to flush
>2019-12-10 22:41:40.990 <TRACE> pe1: State changed to down
>2019-12-10 22:41:40.990 <TRACE> pe1: Starting
>2019-12-10 22:41:40.990 <TRACE> pe1: State changed to start
>2019-12-10 22:41:40.990 <TRACE> pe1: Started
>2019-12-10 22:41:40.990 <TRACE> pe1: Connect delayed by 5 seconds
>2019-12-10 22:41:44.994 <TRACE> pe1: Connecting to 192.168.254.1 from
>local
>address 192.168.254.0
>2019-12-10 22:41:45.275 <TRACE> pe1: Connected
>2019-12-10 22:41:45.275 <TRACE> pe1: Sending
>OPEN(ver=4,as=65099,hold=90,id=ac100165)
>2019-12-10 22:41:45.363 <TRACE> pe1: Got
>OPEN(as=65001,hold=90,id=172.16.0.11)
>2019-12-10 22:41:45.363 <TRACE> pe1: Sending KEEPALIVE
>2019-12-10 22:41:45.576 <TRACE> pe1: Got KEEPALIVE
>2019-12-10 22:41:45.576 <TRACE> pe1: BGP session established
>2019-12-10 22:41:45.576 <TRACE> pe1: State changed to up
>2019-12-10 22:41:45.576 <TRACE> pe1: Got UPDATE
>2019-12-10 22:41:45.576 <TRACE> pe1 > *added [best] 10.2.34.0/24
><http://10.2.34.0/24> unicast*
>2019-12-10 22:41:45.576 <TRACE> pe1 < *rejected by protocol
>10.2.34.0/24
><http://10.2.34.0/24> unicast*
>2019-12-10 22:41:45.576 <TRACE> pe1: Got UPDATE
>2019-12-10 22:41:45.576 <TRACE> pe1 > *added [best] 10.1.12.0/24
><http://10.1.12.0/24> unicast*
>2019-12-10 22:41:45.576 <TRACE> pe1 < *rejected by protocol
>10.1.12.0/24
><http://10.1.12.0/24> unicast*
>2019-12-10 22:41:45.576 <TRACE> pe1: Got UPDATE
>2019-12-10 22:41:45.576 <TRACE> pe1: Got END-OF-RIB
>2019-12-10 22:41:45.576 <TRACE> pe1 < rejected by protocol 10.2.34.0/24
>unicast
>2019-12-10 22:41:45.576 <TRACE> pe1 < rejected by protocol 10.1.12.0/24
>unicast
>2019-12-10 22:41:45.576 <TRACE> pe1: Sending END-OF-RIB
>
>// kernel protocol
>
>protocol kernel {
> scan time 10;
> learn;
> persist;
> ipv4 {
> #import filter {
> # if net ~ [0.0.0.0/0, 192.168.255.0/24] then reject;
> # accept;
> #};
> # export all;
> import all;
> };
>}
>
>thx
>
>
>On Tue, Dec 10, 2019 at 10:25 PM Maria Matějka <maria.matejka at nic.cz>
>wrote:
>
>> The kernel protocol import filter is missing the accept; statement
>after
>> you selectively filter some prefices out. BIRD doesn't know whether
>you
>> want to accept or reject these routes. It also shall warn you in log.
>Do
>> you have any log line saying something about filter not rejecting nor
>> accepting?
>> Maria
>>
>> On December 10, 2019 10:09:06 PM GMT+01:00, wax xitau
><waxitau at gmail.com>
>> wrote:
>>>
>>> Hi,
>>>
>>> Prefixes sent over a eBGP session are getting rejected "by protocol"
>as
>>> can be seen in the logs below.
>>> The prefixes are "added" and then get "rejected" by protocol. This
>means
>>> that they are visible using the "show route protocol <protocol>"
>but not
>>> "show route all" (and therefore impossible to push them to the
>kernel
>>> routing table).
>>>
>>>
>>> // logs
>>>
>>> 2019-12-10 21:15:00.774 <TRACE> pe1: BGP session established
>>> 2019-12-10 21:15:00.774 <TRACE> pe1: State changed to up
>>> 2019-12-10 21:15:00.774 <TRACE> pe1: Sending END-OF-RIB
>>> 2019-12-10 21:15:00.984 <TRACE> pe1: Got UPDATE
>>> 2019-12-10 21:15:00.984 <TRACE> pe1 > *added [best] 10.2.34.0/24
>>> <http://10.2.34.0/24> unicast*
>>> 2019-12-10 21:15:00.984 <TRACE> pe1 < *rejected by protocol
>10.2.34.0/24
>>> <http://10.2.34.0/24> unicast*
>>> 2019-12-10 21:15:00.984 <TRACE> pe1: Got UPDATE
>>> 2019-12-10 21:15:00.984 <TRACE> pe1 > *added [best] 10.1.12.0/24
>>> <http://10.1.12.0/24> unicast*
>>> 2019-12-10 21:15:00.984 <TRACE> pe1 < *rejected by protocol
>10.1.12.0/24
>>> <http://10.1.12.0/24> unicast*
>>> 2019-12-10 21:15:00.984 <TRACE> pe1: Got UPDATE
>>> 2019-12-10 21:15:00.984 <TRACE> pe1: Got END-OF-RIB
>>>
>>> Tcp dump of the corresponding update message(s):
>>>
>>> // tcpdump
>>>
>>> 21:18:59.652705 IP (tos 0xc0, ttl 1, id 7035, offset 0, flags
>[none],
>>> proto TCP (6), length 177)
>>> *192.168.254.1*.bgp > 192.168.254.0.41073: Flags [P.], cksum
>0x4356
>>> (correct), seq 83:208, ack 73, win 16384, options [nop,nop,TS val
>>> 2249949122 ecr 1355158152], length 125: BGP
>>> Update Message (2), length: 51
>>> Origin (1), length: 1, Flags [T]: IGP
>>> 0x0000: 00
>>> AS Path (2), length: 10, Flags [T]: 65001 65500
>>> 0x0000: 0202 0000 fde9 0000 ffdc
>>> Next Hop (3), length: 4, Flags [T]: 192.168.254.1
>>> 0x0000: c0a8 fe01
>>> Updated routes:
>>> 10.1.12.0/24
>>> Update Message (2), length: 51
>>> Origin (1), length: 1, Flags [T]: Incomplete
>>> 0x0000: 02
>>> AS Path (2), length: 10, Flags [T]: 65001 65500
>>> 0x0000: 0202 0000 fde9 0000 ffdc
>>> Next Hop (3), length: 4, Flags [T]: *192.168.254.1*
>>> 0x0000: c0a8 fe01
>>> Updated routes:
>>> 10.2.34.0/24
>>> Update Message (2), length: 23
>>> End-of-Rib Marker (empty NLRI)
>>>
>>> The bgp session is over directly connected interfaces and the NLRI
>prefix
>>> next hops are therefore directly connected.
>>>
>>> // Configuration:
>>>
>>> protocol bgp pe1 {
>>> debug all;
>>> description "ebgp";
>>> hold time 90;
>>> local 192.168.254.0 as my_asn;
>>> neighbor 192.168.254.1 as peer_asn;
>>> direct;
>>> interpret communities off;
>>> ipv4 {
>>> table t_pe1;
>>> import all;
>>> export none;
>>> gateway direct;
>>> };
>>> }
>>>
>>> protocol device {
>>> scan time 10;
>>> };
>>>
>>> protocol direct {
>>> ipv4;
>>> };
>>>
>>> protocol kernel {
>>> scan time 10;
>>> learn;
>>> persist;
>>> ipv4 {
>>> import filter {
>>> if net ~ [0.0.0.0/0, 192.168.255.0/24] then
>>> reject;
>>> };
>>> };
>>> }
>>>
>>> // relevant show results
>>>
>>> bird> *show route protocol pe1*
>>> Table t_pe1:
>>> *10.2.34.0/24 <http://10.2.34.0/24>* unicast [pe1
>21:46:13.530]
>>> * (100) [AS65500?]
>>> via 192.168.254.1 on ens5
>>> *10.1.12.0/24 <http://10.1.12.0/24>* unicast [pe1
>21:46:13.530]
>>> * (100) [AS65500i]
>>> via 192.168.254.1 on ens5
>>> bird>
>>>
>>> bird> *show route all*
>>> Table master4:
>>> 172.16.0.11/32 unicast [rt_nh 20:25:25.379] * (200)
>>> via 192.168.254.1 on ens5
>>> Type: static univ
>>> 192.168.254.2/31 unicast [direct1 20:56:03.498] * (240)
>>> dev ens6
>>> Type: device univ
>>> 192.168.254.0/31 unicast [direct1 20:56:03.498] * (240)
>>> dev ens5
>>> Type: device univ
>>> 192.168.255.0/24 unicast [direct1 20:56:03.498] * (240)
>>> dev ens4
>>> Type: device univ
>>> 172.16.0.33/32 unicast [rt_nh 20:25:25.379] * (200)
>>> via 192.168.254.3 on ens6
>>> Type: static univ
>>>
>>> Thanks,
>>>
>>>
>>>
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20191210/a19135e9/attachment.htm>
More information about the Bird-users
mailing list