Add ip rule support
Toke Høiland-Jørgensen
toke at toke.dk
Mon May 2 22:14:33 CEST 2022
Ondrej Zajicek <santiago at crfreenet.org> writes:
> On Mon, May 02, 2022 at 05:06:48PM +0800, Huiyuze Zhi wrote:
>> Hi there,
>> I'm having some issues with using bird2 to carry downstream. I have
>> two different types of upstream. One can take downstream and the other
>> cannot. I use bgp_large_community (141011, 3, xxx) to mark every prefix
>> from upstream which can taken downstream and I sent those prefixes to my
>> downstream. But when my upstream(which can take downstream) and upstream(which
>> cannot take downstream) sent the same prefix, bgp_large_community ~
>> [(141011, 3 *)] then accept would filter both prefixes since they have the
>> same destination.
>>
>> For example,one has BGP.large_community (141011, 3, 27000) and other not.So
>> this prefix would be filtered, but I don't want it happens.
>
> Hi
>
> You can define downstream specific routing table (in BIRD)
>
> ipv6 table down6;
>
> and define pipe to connect it with master6 table:
>
> protocol pipe {
> table master6;
> peer table down6;
> import all;
> export where <condition selecting the proper upstream>;
> }
>
>
> As the pipe handles all routes, not just the best ones, it will propagate
> all routes from the upstream(which can take downstream) tho the second table.
>
>
>> In addition, if I successfully export the prefixes that come
>> from upstream
>> can take downstream. When packages go through the kernel, they may also go
>> through upstreamthat cannot take downstream.
>> My idea is to let two different types of prefixes in different route
>> tables. Table 100(All routing tables from BGP)and Table 101 (Only from Tier
>> 1 ISP and can carry downstream routing table) and use IP rule command let
>> ever prefixes that my downstream export to me via table 101. But there are
>> so many prefixes so I do it by manual is impossible. and it seems bird2
>> doesn't support ip rule.
>
> Yes, you can connect kernel protocol to the second bird table and feed the
> kernel table 101.
>
> You are right, bird2 does not support ip role. But if you have many
> prefixes from downstream, then putting them all as separate ip rules
> would be unreasonable anyways, ip rules are processed sequentially and
> would be slow with many rules (i do not know whether ip sets are allowed
> in ip rules or they are allowed just in netfilter).
You can't use sets directly in ip rules; you can match on fwmark,
though, and set that using sets in netfilter; but obviously that
requires a separate step to install such netfilter rules...
-Toke
More information about the Bird-users
mailing list