Hi,

Is it possible in current BIRD 2.0.2 release to filter (more dynamically) VPNv4 prefixes based on RD? In our scenario, we want to use BIRD to connect large VPNv4 landscapes and want to filter prefixes based on RD on Route Server ingress.

I can extract RD from VPNv4 prefix with special operator '.rd'

    filter vpnv4_ingress {
        if (net.rd = 5000:200) then accept;
        reject;
    }

This is working but I don't want 1x if-statement per RD as we have lots of RD's. Any ranges or wildcards are not allowed. Something like '5000:200..299' does not work. Or '5000:*' also does not work. I tried to create a constant for a VPNv4 prefix to use it in a filter:

    function some_function()
    prefix set test;
    {
        test = [ 0:5000:200 10.0.0.0/24 ];
    }

Also not allowed. Creating a constant of data type 'vpnrd' did not work.

Then I tried to handle the output of 'net.rd' as string to maybe use shell pattern.

    filter vpnv4_ingress
    string test;
    {
        test = "5000:20?";
        if net.rd ~ test then accept;
        reject;
    }

Results in error: "<ERR> filters, line 90: ~ applied on unknown type pair". Changing the if-statement to 'if net.rd = test then accept;' does work w/o error but all prefixes are filtered. The shell pattern is not working. I guess the output of 'net.rd' is not a string. I also cannot save 'net.rd' output in a string variable.

Last but not least. I have found an undocumented function 'format()'. This function seems to return a string and shell patterns work. I guess the function should not be used in production so I just used it for testing.

    define test = "5000:20?";
    filter vpnv4_ingress {
        if format(net.rd) ~ test then accept;
        reject;
    }

    <TRACE> some-router > added [best] 5000:200 200.200.200.0/24 unicast

But this works only once. As soon as I run 'configure' in BIRD client, BIRD does crash.

    <INFO> Reconfiguring
    <BUG> Unknown instruction 70 in same (F)

Long story short. Is there a best practice to filter VPNv4 based on RD? Or anything on the roadmap?

Filtering on RT with Communities works fine but does not fit our purpose.

Thanks in advance!

Regards
Tobias
On Thu, Oct 25, 2018 at 05:55:45AM +0000, Hombach, Tobias wrote:
Hi,
Is it possible in current BIRD 2.0.2 release to filter (more dynamically) VPNv4 prefixes based on RD? In our scenario, we want to use BIRD to connect large VPNv4 landscapes and want to filter prefixes based on RD on Route Server ingress.
Hi

Seems like we forgot to add support for RD sets. I just fixed that in current int-new GIT branch, you can try that:

https://gitlab.labs.nic.cz/labs/bird/commit/83715aa82966020100afa35f15d1ca56...
I can extract RD from VPNv4 prefix with special operator '.rd'
    filter vpnv4_ingress {
        if (net.rd = 5000:200) then accept;
        reject;
    }
This is working but I don't want 1x if-statement per RD as we have lots of RD's. Any ranges or wildcards are not allowed. Something like '5000:200..299' does not work. Or '5000:*' also does not work. I tried to create a constant for a VPNv4 prefix to use it in a filter:
With the RD sets, this should work:

    if (net.rd ~ [10:20, 100000:100..100000:200]) ...

Sorry, no wildcards yet.
Also not allowed. Creating a constant of data type 'vpnrd' did not work.
The data type is 'rd', variable of that type

Then I tried to handle the output of 'net.rd' as string to maybe use shell pattern.
    filter vpnv4_ingress
    string test;
    {
        test = "5000:20?";
        if net.rd ~ test then accept;
        reject;
    }
Results in error: "<ERR> filters, line 90: ~ applied on unknown type pair". Changing the if-statement to 'if net.rd = test then accept;' does work w/o error but all prefixes are filtered. The shell pattern is not working. I guess the output of 'net.rd' is not a string. I also cannot save 'net.rd' output in a string variable.
Yes, this is expected, cannot match directly RD (or other objects) to string, and RD is not a string, so the second statement is false.
Last but not least. I have found an undocumented function 'format()'. This function seems to return a string and shell patterns work. I guess the function should not be used in production so I just used it for testing.
Well, it is just undocumented, should work without crash. Will fix that.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
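An added example, not part of the original thread and not BIRD's code: a Python model of matching against an RD set like the one in the reply above, usable for checking an ingress allow-list before it goes into a filter. It encodes RDs per RFC 4364 and assumes that ranges compare the encoded 64-bit values and that the short form picks its type from the administrator's size; the function names and the sample set are constructed.

```python
import ipaddress

def parse_rd(text):
    """Encode a textual RD as the 64-bit value of RFC 4364, section 4.2."""
    parts = text.strip().split(":")
    if len(parts) == 3:                    # explicit "type:admin:number", e.g. 0:5000:200
        rd_type, admin, num = int(parts[0]), parts[1], int(parts[2])
    elif len(parts) == 2:                  # short form: type inferred (assumption, see lead-in)
        admin, num = parts[0], int(parts[1])
        rd_type = 1 if "." in admin else (2 if int(admin) > 0xFFFF else 0)
    else:
        raise ValueError(f"not an RD: {text!r}")
    if rd_type == 0:                       # 2-byte ASN, 4-byte assigned number
        admin_val, admin_bits, num_bits = int(admin), 16, 32
    elif rd_type == 1:                     # IPv4 address, 2-byte assigned number
        admin_val, admin_bits, num_bits = int(ipaddress.IPv4Address(admin)), 32, 16
    elif rd_type == 2:                     # 4-byte ASN, 2-byte assigned number
        admin_val, admin_bits, num_bits = int(admin), 32, 16
    else:
        raise ValueError(f"unknown RD type in {text!r}")
    if not (0 <= admin_val < 1 << admin_bits and 0 <= num < 1 << num_bits):
        raise ValueError(f"field out of range in {text!r}")
    return (rd_type << 48) | (admin_val << num_bits) | num

def parse_rd_set(text):
    """Parse '10:20, 100000:100..100000:200' into a list of (low, high) pairs."""
    ranges = []
    for item in text.split(","):
        low, _, high = item.strip().partition("..")
        lo, hi = parse_rd(low), parse_rd(high or low)
        if lo > hi:
            raise ValueError(f"empty range: {item.strip()!r}")
        ranges.append((lo, hi))
    return ranges

def rd_allowed(rd_text, ranges):
    """True if the RD falls inside any range of the set (default deny otherwise)."""
    rd = parse_rd(rd_text)
    return any(lo <= rd <= hi for lo, hi in ranges)

# Constructed sample set: the reply's example plus the range asked for in the question.
ALLOWED_RDS = parse_rd_set("10:20, 100000:100..100000:200, 5000:200..5000:299")

if __name__ == "__main__":
    for rd in ("5000:200", "0:5000:250", "5000:300", "100000:150", "10:21"):
        print(rd, "accept" if rd_allowed(rd, ALLOWED_RDS) else "reject")
```
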
On Thu, Oct 25, 2018 at 11:39:59AM +0200, Ondrej Zajicek wrote:
Last but not least. I have found an undocumented function 'format()'. This function seems to return a string and shell patterns work. I guess the function should not be used in production so I just used it for testing.
Well, it is just undocumented, should work without crash. Will fix that.
Seems like the crash during reconfiguration is already fixed in int-new branch.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
participants (2)
- Hombach, Tobias
- Ondrej Zajicek