<div dir="ltr">How can I ask for that? <div>Now I am using just RPKI as filter and I can check invalid roa in syslog or with 'show route table name all filtered'.</div><div><br></div><div>I would like to check valid/unknown roa too and I could do something like this:</div><div>if (roa_check(r4, net, bgp_path.last) = ROA_VALID) then<br>{<br>print "RPKI valid ", net, " for ASN ", bgp_path.last; }<br></div><div><br></div><div>and then check the syslog, but I think using communities would be better so that I can use a command such as this one:</div><div> 'show route table t_0002_as2 where bgp_large_community <span style="font-family:arial,sans-serif">~ [(1,1101,13)]'</span> or 'show route table t_0002_as2 where bgp_large_community <span style="font-family:arial,sans-serif">~ [(1,1101,13)] count'</span>. </div><div>But how can I make BIRD work with filtered routes?</div><div><br></div><div>Thanks,</div><div>Fabiano</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 20 Apr 2020 at 15:50, Maria Matejka <<a href="mailto:maria.matejka@nic.cz" target="_blank">maria.matejka@nic.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Ooops, filtered. The filtered routes are by default excluded from the <br>
filters. You have to explicitly ask for filtered routes to make BIRD <br>
work with them.<br>
<br>
Maria<br>
<br>
On 4/20/20 3:47 PM, Fabiano D'Agostino wrote:<br>
> Thanks, I did it but it is still not working. Never mind, I will use 'show <br>
> route filtered'.<br>
> <br>
> On Mon, 20 Apr 2020 at 15:27, Maria Matejka <<a href="mailto:maria.matejka@nic.cz" target="_blank">maria.matejka@nic.cz</a>> wrote:<br>
> <br>
> The tilde operator is not symmetric, although it visually seems to be.<br>
> It can be (at least in this case) vaguely interpreted as »left operand<br>
> is contained by the right operand«.<br>
> <br>
> In other words, exchange the operands of the tilde.<br>
> <br>
> Maria<br>
> <br>
> On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:<br>
> > Thanks, it worked. So the community isn't needed? I tried 'show route<br>
> > table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:<br>
> > Table t_0002_as2:<br>
> ><br>
> > On Mon, 20 Apr 2020 at 15:00, Maria Matejka <<a href="mailto:maria.matejka@nic.cz" target="_blank">maria.matejka@nic.cz</a>> wrote:<br>
> ><br>
> > show route all filtered<br>
> ><br>
> > shows only routes from master4 and master6 tables<br>
> ><br>
> > to show routes from this protocol, use<br>
> ><br>
> > show route table t_0002_as2 all filtered<br>
> ><br>
> > Maria<br>
> ><br>
> > On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:<br>
> > > Yes, I just enabled it:<br>
> > > protocol bgp {<br>
> > > ...<br>
> > > ipv4{<br>
> > > import keep filtered;<br>
> > > import limit 250 action restart;<br>
> > > import filter filter_rpki;<br>
> > > table t_0002_as2;<br>
> > > };<br>
> > > }<br>
> > ><br>
> > > RPKI is working because if I check the syslog I find the invalid printed<br>
> > > prefixes, but 'show route all filtered' doesn't show anything.<br>
> > ><br>
> > > On Mon, 20 Apr 2020 at 14:05, Maria Matejka <<a href="mailto:maria.matejka@nic.cz" target="_blank">maria.matejka@nic.cz</a>> wrote:<br>
> > ><br>
> > > And do you have<br>
> > > import keep filtered;<br>
> > > in your config?<br>
> > > Maria<br>
> > ><br>
> > > On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:<br>
> > > > Hi,<br>
> > > > In my route server bird.conf I did this:<br>
> > > > define FILTERED_RPKI_INVALID = (1,1101,13);<br>
> > > ><br>
> > > > filter filter_rpki{<br>
> > > > if roa_check(..)=ROA_INVALID then<br>
> > > > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}<br>
> > > > }<br>
> > > ><br>
> > > > But when I do 'show route all filtered' I get nothing, I also tried with<br>
> > > > 'show route bgp_large_community ~ [(1,1101,13)]' and I have the same result.<br>
> > > > Because I would like to have some statistics about<br>
> > > > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the 'show route<br>
> > > > stats' command.<br>
> > > ><br>
> > > > Thanks,<br>
> > > ><br>
> > > > Fabiano<br>
> > > ><br>
> > > > On Sun, 19 Apr 2020 at 21:30, Alarig Le Lay <<a href="mailto:alarig@swordarmor.fr" target="_blank">alarig@swordarmor.fr</a>> wrote:<br>
> > > ><br>
> > > > On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:<br>
> > > > > Thanks!<br>
> > > > > But can I also use birdc to check rejected prefixes?<br>
> > > ><br>
> > > > If you add a community, it will be visible with `show route all<br>
> > > > filtered`<br>
> > > ><br>
> > > > > Anyway why do you suggest to use bgp_path.last_noaggregated?<br>
> > > ><br>
> > > > Because you don’t want to check ROA against another ASN in the<br>
> > > > aggregated path.<br>
> > > ><br>
> > > > --<br>
> > > > Alarig<br>
> > > ><br>
> > ><br>
> ><br>
> <br>
</blockquote></div>
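<div>The setup the thread works toward, written out as an added example (not configuration posted by anyone in the thread): a BIRD 2 import filter that tags each route with its ROA state, a channel that keeps rejected routes, and the matching birdc queries as comments. Only (1,1101,13), r4 and t_0002_as2 come from the thread; the VALID/UNKNOWN community values, the protocol name, the AS numbers and the neighbor address are constructed placeholders, and bgp_path.last_nonaggregated is BIRD's spelling of the attribute Alarig suggests.</div>

```bird
# Added example. Table names and (1,1101,13) are from the thread;
# everything marked "constructed" or "hypothetical" is a placeholder.
roa4 table r4;                  # filled by an "rpki" protocol, not shown here
ipv4 table t_0002_as2;

define FILTERED_RPKI_INVALID = (1,1101,13);  # from the thread
define INFO_RPKI_VALID       = (1,1000,1);   # hypothetical value
define INFO_RPKI_UNKNOWN     = (1,1000,2);   # hypothetical value

filter filter_rpki {
    # Validate against the real origin AS, not an AS inside an aggregate.
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
        # Tag first, then reject: the tag is what makes the rejected
        # route findable later among the kept filtered routes.
        bgp_large_community.add(FILTERED_RPKI_INVALID);
        reject;
    }
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_VALID then
        bgp_large_community.add(INFO_RPKI_VALID);
    else
        bgp_large_community.add(INFO_RPKI_UNKNOWN);
    accept;
}

protocol bgp as2 {                  # constructed protocol name
    local as 64496;                 # constructed (documentation ASN)
    neighbor 192.0.2.2 as 64497;    # constructed (documentation address and ASN)
    ipv4 {
        table t_0002_as2;
        import keep filtered;       # without this, rejected routes are discarded
        import limit 250 action restart;
        import filter filter_rpki;
    };
}

# birdc queries per ROA state, with the tag on the left of "~":
#   Rejected INVALID routes exist only in the filtered set, so ask for it:
#     show route table t_0002_as2 filtered where (1,1101,13) ~ bgp_large_community count
#   Accepted VALID and UNKNOWN routes are in the normal view:
#     show route table t_0002_as2 where (1,1000,1) ~ bgp_large_community count
#     show route table t_0002_as2 where (1,1000,2) ~ bgp_large_community count
```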