Thanks for the function optimization. This does indeed make it simpler!

I also believe I had misunderstood the documentation when I expected this to work - obviously "ip" and "prefix" are different types, and now that I've re-read the documentation on the ~ operator - "it can be used on element and set of elements of the same type".

My apologies. I appreciate the patch and will apply it shortly.

Thanks,
-JJ

On Fri, Nov 8, 2013 at 3:58 AM, Sergey Popovich <popovich_sergei@mail.ru> wrote:
In a message of 7 November 2013 16:05:50, user John Jensen wrote:
Hi,
We're about to migrate our exchange to a /23 and we're likely going to do it over time. I have a simple filter in place to check and make sure that the NEXT_HOP is within our exchange's subnet. Originally it looked like this:
function check_ixp_next_hop(ip nexthop)
prefix ixpnet;
{
    ixpnet = x.x.x.x/24;
    if ! (nexthop ~ ixpnet) then return false;
    return true;
}
And then within the inbound filter for each peer's ASN:
if ! (check_ixp_next_hop(bgp_next_hop)) then reject;
Since we're going to be caring about two distinct prefixes while we perform the migration, I changed the filter to look like this:
function check_ixp_next_hop(ip nexthop)
prefix set ixpnet;
{
    ixpnet = [ x.x.x.x/24, y.y.y.y/23 ];
Also, pay attention, you should use something like
ixpnet = [ x.x.x.x/24+, y.y.y.y/23+ ];
To match subnets.
    if ! (nexthop ~ ixpnet) then return false;
    return true;
}
Even simpler:
-------------
function check_ixp_next_hop(ip nexthop)
{
    return nexthop ~ [ x.x.x.x/24+, y.y.y.y/23+ ];
}
--
SP5474-RIPE
Sergey Popovich
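
Added example (not part of the thread and not BIRD's code): a small Python model of BIRD prefix-set patterns, showing why a next hop matches x.x.x.x/24+ but not the exact pattern x.x.x.x/24. It assumes the next-hop address is compared as a host prefix (/32 or /128); the function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress

def parse_pattern(text):
    """Parse 'net/len', 'net/len+', 'net/len-' or 'net/len{low,high}'
    into (network, low, high), where low..high is the accepted length range."""
    text = text.strip()
    if text.endswith("}"):
        base, rng = text[:-1].split("{")
        net = ipaddress.ip_network(base)
        low, high = (int(n) for n in rng.split(","))
    elif text.endswith("+"):          # the prefix and all its subnets
        net = ipaddress.ip_network(text[:-1])
        low, high = net.prefixlen, net.max_prefixlen
    elif text.endswith("-"):          # the prefix and all its supernets
        net = ipaddress.ip_network(text[:-1])
        low, high = 0, net.prefixlen
    else:                             # exact prefix length only
        net = ipaddress.ip_network(text)
        low = high = net.prefixlen
    return net, low, high

def pattern_matches(pattern, candidate):
    """True if candidate's length is in range and the leading bits agree."""
    net, low, high = pattern
    if candidate.version != net.version:
        return False
    if not low <= candidate.prefixlen <= high:
        return False
    common = min(net.prefixlen, candidate.prefixlen)
    shift = net.max_prefixlen - common
    return (int(net.network_address) >> shift
            == int(candidate.network_address) >> shift)

def next_hop_in_set(next_hop, patterns):
    """Assumption: the next hop is matched as a host prefix (/32 or /128)."""
    host = ipaddress.ip_network(next_hop)
    return any(pattern_matches(parse_pattern(p), host) for p in patterns)

# Constructed sample sets standing in for x.x.x.x/24 and y.y.y.y/23.
EXACT = ["192.0.2.0/24", "198.51.100.0/23"]
WITH_PLUS = ["192.0.2.0/24+", "198.51.100.0/23+"]

if __name__ == "__main__":
    for hop in ("192.0.2.10", "198.51.101.7", "203.0.113.5"):
        print(hop, next_hop_in_set(hop, EXACT), next_hop_in_set(hop, WITH_PLUS))
```

With the exact patterns every next hop is rejected, so a filter built on them would drop all routes from every peer; with the + form only next hops inside the two exchange subnets pass.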