<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello,<br>
<br>
I managed to find where my mistake is :)<br>
<br>
In fact, ROA_INVALID checks for a valid record in the roa table;
ROA_UNKNOWN checks whether an entry exists at all.<br>
<br>
I made some changes and now everything works as expected.<br>
<br>
My function looks like this:<br>
<br>
<pre wrap="">function AS64778_in() {
  if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then {
    print "ROA check failed: hijacking attempt for ", net, " from ASN ", bgp_path.last, " via ", proto;
    return false;
  }

  if roa_check(r64778, net, bgp_path.last) = ROA_UNKNOWN then {
    print "ROA check failed: unallowed prefix - ", net, " ASN ", bgp_path.last, " via ", proto;
    return false;
  }

  return true;
}

protocol bgp R0_252 from PEERS {
  description "0.252_Mon";
  neighbor 10.0.0.252 as 64778;
  import where AS64778_in() &amp;&amp; MM_BGP_IN(64778,1,1001);
  export where MM_BGP_OUT(64778);
  table T64778;
}
</pre>
<br>
Best~<br>
<br>
On 09/12/2013 11:27 AM, Javor Kliachev wrote:<br>
</div>
<blockquote cite="mid:52317ADC.6030307@neterra.net" type="cite">
<div class="moz-cite-prefix">Hello Ondrej,<br>
<br>
Many thanks for your explanation and the solution.<br>
<br>
I have made the necessary changes according to your advice, but now
I see the following strange behaviour.<br>
<br>
I'm trying to implement the "roa filter check" in a separate function,
but unfortunately it doesn't work.<br>
Maybe I did something wrong, but I don't know where or what :)
<br>
<br>
I ask for your help again.<br>
<br>
Here is part of my conf in the lab:<br>
<br>
<pre wrap="">table T64778;

roa table r64778 {
  roa 31.13.244.0/24 max 24 as 64778;
}

function AS64778_in() {
  # This check seems not to be working. The network 87.120.111.0/24 is permitted,
  # which is strange, because it is not listed in my roa table. When I use the
  # same check implemented in the "import filter" it works.
  if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then return false;

  # Fake network for test - it should not be accepted.
  # When I remove the comment below, everything works as expected
  # and the network is rejected successfully.
  # if (net = 87.120.111.0/24) then return false;

  return true;
}

protocol pipe P64778 from PIPES {
  description "Monitoring";
  peer table T64778;
  # export where bgp_out(64778);
  export where MM_PIPE_OUT(64778,[(1,1001..1999)]);
}

protocol bgp R0_252 from PEERS {
  description "0.252_Mon";
  neighbor 10.0.0.252 as 64778;
  import where AS64778_in() &amp;&amp; MM_BGP_IN(64778,1,1001);
  # import where MM_BGP_IN(64778,1,1001) &amp;&amp; AS64778_in();
  export where MM_BGP_OUT(64778);
  table T64778;
}
</pre>
<br>
I hope the information I provided helps to solve my problem.<br>
<br>
Thanks in advance!<br>
<br>
Best~<br>
<br>
On 09/11/2013 08:21 PM, Ondrej Zajicek wrote:<br>
</div>
<blockquote cite="mid:20130911172123.GP5182@localhost" type="cite">
<pre wrap="">On Wed, Sep 11, 2013 at 06:47:09PM +0300, Javor Kliachev wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello,
I would like to know what will happen if we use a function and filters
configured at the same time
on the import direction of a given BGP protocol. Which one passes first? Till now
</pre>
</blockquote>
<pre wrap="">...
</pre>
<blockquote type="cite">
<pre wrap="">But when I decided to also apply "filter import &lt;some filter&gt;", all
conditions and rules in my applied
function were totally ignored. Only the condition in the filter was checked.
</pre>
</blockquote>
<pre wrap="">Hi
This is expected. "import where COND;" is just a shorthand for
"import filter { if COND then accept; else reject; };"
Multiple import/export filter options are ignored, just the last one
is used. If you want to mix several prepared functions/filters, then write
everything as a function and use "import where FN1 && FN2 && FN3;".
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
---<br>
<a moz-do-not-send="true"
href="http://cloudware.bg/?utm_source=email&utm_medium=signature&utm_content=link&utm_campaign=newwebsite"
style="font-family:Verdana; color:#00ACE5; font-size:12px;
text-decoration:none;">Find out about our new Cloud service -
Cloudware.bg</a><br>
<div style="font-family:Verdana; color:#A0A0A0;font-size:12px;">Access
anywhere. Manage it yourself. Pay as you go.</div>
<hr align="left" color="#103E81" noshade="noshade" size="1"
width="400px">
<div style="font-family:Verdana; color:#103E81; font-size:12px;">
<strong>Javor Kliachev</strong><br>
IP Engineer<br>
<br>
Neterra Ltd.<br>
Telephone: +359 2 975 16 16<br>
Fax: +359 2 975 34 36<br>
</div>
<a moz-do-not-send="true" href="http://www.neterra.net"
style="font-size:12px; font-family:Verdana; color:#00ACE5;
text-decoration:none;">www.neterra.net</a> <br>
<br>
<br>
</div>
</blockquote>
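<div class="added-example">The distinction Javor arrives at above (ROA_INVALID means a covering ROA exists but the origin AS or the prefix length does not match it; ROA_UNKNOWN means no ROA covers the prefix at all) is the three-state route origin validation outcome of RFC 6811. The Python script below is an added illustration, not BIRD code and not from this thread: it reimplements the three-state check over the <code>roa table</code> from Javor's lab config, then runs both the first version of <code>AS64778_in()</code> (which rejects only ROA_INVALID) and the corrected version (which also rejects ROA_UNKNOWN) against a few constructed routes, showing why 87.120.111.0/24 was accepted by the first version. The Python function names, the route list and the AS numbers other than 64778 are constructed for the example.</div>

```python
# Added example (not BIRD source): RFC 6811 route origin validation modelled
# after BIRD's roa_check() and the AS64778_in() filter from the thread.
import ipaddress
import re
from dataclasses import dataclass
from enum import Enum
from typing import List


class RoaResult(Enum):
    """The three outcomes BIRD's roa_check() can return."""
    ROA_VALID = "valid"
    ROA_INVALID = "invalid"
    ROA_UNKNOWN = "unknown"


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_len: int
    asn: int


# Matches one entry line of a BIRD roa table: "roa PREFIX max LEN as ASN;"
ROA_LINE = re.compile(r"^\s*roa\s+(\S+)\s+max\s+(\d+)\s+as\s+(\d+)\s*;")


def parse_roa_table(text: str) -> List[Roa]:
    """Parse the entry lines of a BIRD-style roa table block (braces and other lines are skipped)."""
    roas = []
    for line in text.splitlines():
        m = ROA_LINE.match(line)
        if m:
            roas.append(Roa(ipaddress.ip_network(m.group(1)), int(m.group(2)), int(m.group(3))))
    return roas


def roa_check(table: List[Roa], net: str, asn: int) -> RoaResult:
    """Route origin validation as in RFC 6811 section 2.

    UNKNOWN: no ROA covers the prefix at all.
    VALID:   some covering ROA names this origin AS and allows this prefix length.
    INVALID: covering ROAs exist but none matches (wrong origin or prefix too long).
    """
    route = ipaddress.ip_network(net)
    covering = [r for r in table if route.subnet_of(r.prefix)]
    if not covering:
        return RoaResult.ROA_UNKNOWN
    for roa in covering:
        if roa.asn == asn and route.prefixlen <= roa.max_len:
            return RoaResult.ROA_VALID
    return RoaResult.ROA_INVALID


# The roa table from the lab config in the thread.
ROA_TABLE = parse_roa_table("""
roa table r64778 {
  roa 31.13.244.0/24 max 24 as 64778;
}
""")


def as64778_in_invalid_only(net: str, bgp_path: List[int]) -> bool:
    """First version of the filter: rejects only ROA_INVALID, so a prefix with
    no ROA at all (ROA_UNKNOWN) is accepted. This is the behaviour Javor saw."""
    origin = bgp_path[-1]  # bgp_path.last in the BIRD filter language
    return roa_check(ROA_TABLE, net, origin) is not RoaResult.ROA_INVALID


def as64778_in(net: str, bgp_path: List[int]) -> bool:
    """Corrected filter: only ROA_VALID routes pass; INVALID and UNKNOWN are rejected."""
    origin = bgp_path[-1]
    result = roa_check(ROA_TABLE, net, origin)
    if result is RoaResult.ROA_INVALID:
        print(f"ROA check failed: hijacking attempt for {net} from ASN {origin}")
        return False
    if result is RoaResult.ROA_UNKNOWN:
        print(f"ROA check failed: unallowed prefix - {net} ASN {origin}")
        return False
    return True


if __name__ == "__main__":
    # Constructed test routes: (prefix, AS path as received from the peer).
    routes = [
        ("31.13.244.0/24", [64778]),         # covered, right origin, length ok  -> VALID
        ("31.13.244.0/25", [64778]),         # covered, more specific than max 24 -> INVALID
        ("31.13.244.0/24", [64778, 64999]),  # covered, origin AS is not 64778    -> INVALID
        ("87.120.111.0/24", [64778]),        # the test prefix with no ROA at all -> UNKNOWN
    ]
    for net, path in routes:
        state = roa_check(ROA_TABLE, net, path[-1]).value
        print(f"{net:18} path {path}: roa_check={state:8} "
              f"invalid-only={as64778_in_invalid_only(net, path)} "
              f"corrected={as64778_in(net, path)}")
```

Run it directly to see the table: the no-ROA prefix 87.120.111.0/24 comes back ROA_UNKNOWN, which the ROA_INVALID-only filter lets through and the corrected filter rejects. Note that rejecting UNKNOWN is a policy choice; with a partially populated ROA table it drops every prefix that simply has no ROA yet, which is exactly what the lab test above was meant to do.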
</body>
</html>