Hello,

I would like to configure RIP with different ACLs set on different RIP interfaces. For this purpose I thought I could use the 'ifname' route attribute in bird filters. The problem I am facing is that when I use it, no RIP routes are announced at all, so maybe I am using a wrong syntax.

If I don't use the ifname = "eth0" I see the following sent from the bird's RIP instance (10.0.4.1 is configured on eth1 and 172.16.0.4 on eth0). I would like the 10.2.4.1/32 route to be announced through eth0 only. I have also tried to use the ifname ~ "eth0" syntax with no luck.

tcpdump:

# tcpdump -i any -vvnn port 520
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
13:02:58.664760 IP (tos 0xc0, ttl 1, id 27713, offset 0, flags [none], proto UDP (17), length 52)
    10.0.4.1.520 > 224.0.0.9.520: [udp sum ok] RIPv2, Response, length: 24, routes: 1 or less
      AFI IPv4, 10.2.4.1/32, tag 0x0000, metric: 1, next-hop: self
        0x0000:  0202 0000 0002 0000 0a02 0401 ffff ffff
        0x0010:  0000 0000 0000 0001
13:03:14.686163 IP (tos 0xc0, ttl 1, id 27714, offset 0, flags [none], proto UDP (17), length 52)
    172.16.0.4.520 > 224.0.0.9.520: [udp sum ok] RIPv2, Response, length: 24, routes: 1 or less
      AFI IPv4, 10.2.4.1/32, tag 0x0000, metric: 1, next-hop: self
        0x0000:  0202 0000 0002 0000 0a02 0401 ffff ffff
        0x0010:  0000 0000 0000 0001

bird config:

protocol kernel {
#   persist;              # Don't remove routes on BIRD shutdown
    scan time 20;         # Scan kernel routing table every 20 seconds
    export all;           # Default is export none
    learn;
    device routes;
}

protocol device {
    scan time 10;         # Scan interfaces every 10 seconds
}

protocol direct {
    interface "*";
}

filter rip_export {
    # redistribute connected + RIP + ACL
    if ( ( source = RTS_DEVICE || source = RTS_RIP ) && ( net ~ 10.2.4.0/24 && ifname = "eth0" ) ) then {
        print "net export accepted: ", net;
        accept;
    }
    reject;
}

protocol rip RIP {
    debug all;
    interface "eth0" { mode multicast; split horizon yes; poison reverse no; };
    interface "eth1" { mode multicast; split horizon yes; poison reverse no; };
    import all;
    export filter rip_export;
}

Any help would be appreciated, thank you.

Alex
Ouch ... forgot a filter:

...
access-list filter1 permit 10.2.4.0/24
access-list filter1 deny 0.0.0.0/0
!
access-list filter2 deny 0.0.0.0/0
!
interface eth0
interface eth1
!
router rip
 network eth0
 distribute-list filter1 out eth0
 network eth1
 distribute-list filter2 out eth1
 redistribute connected
...
On Mon, Jul 04, 2016 at 03:49:06PM +0200, Alexander Velkov wrote:
> Hello,
>
> I would like to configure RIP with different ACLs set on different RIP interfaces. For this purpose I thought I could use the 'ifname' route attribute in bird filters. The problem I am facing is that when I use it, no RIP routes are announced at all, so maybe I am using a wrong syntax.

Hi

'ifname' represents an interface associated with the route (i.e. one to which the route aims), not the iface to which the route is announced by RIP. When a route is accepted for a protocol, it is accepted for all interfaces of the protocol (unless split horizon applies).

It would be a good idea to have separate import/export filters per interface, but that is not supported now.

If you want better control, you could configure two protocol instances, one for each interface. Such a setup has some limitations and may require some tweaking, but should work.

-- 
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
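The two-instance setup Ondrej suggests, written out as an added example. This is not configuration from the thread or from the BIRD project; it assumes BIRD 1.6 syntax and reuses the addressing and filter logic from Alex's original config, and the names rip_eth0, rip_eth1, rip_export_eth0 and rip_export_eth1 are invented for the example. It is the BIRD equivalent of the Quagga distribute-list pair Alex posted: filter1 out eth0 permits 10.2.4.0/24, filter2 out eth1 denies everything. The ifname test is gone from the filter, since it names the interface the route points to, not the one RIP announces on.

```conf
# Added example, not from the thread: per-interface export policy by running
# one RIP instance per interface. BIRD 1.6 syntax assumed. The kernel, device
# and direct protocols from the original config stay unchanged.

# Policy for eth0 (the 'filter1 ... out eth0' equivalent): announce connected
# and RIP-learned routes inside 10.2.4.0/24, nothing else.
filter rip_export_eth0 {
    if ( source = RTS_DEVICE || source = RTS_RIP ) && net ~ 10.2.4.0/24 then {
        print "eth0 export accepted: ", net;
        accept;
    }
    reject;
}

# Policy for eth1 (the 'filter2 ... out eth1' equivalent): announce nothing.
# Routes are still learned from eth1 because the instance imports everything.
filter rip_export_eth1 {
    reject;
}

# One instance per interface. A route accepted by an instance's export filter
# is sent on every interface of that instance, so a per-interface policy
# needs one interface per instance.
protocol rip rip_eth0 {
    debug all;
    interface "eth0" { mode multicast; split horizon yes; poison reverse no; };
    import all;
    export filter rip_export_eth0;
}

protocol rip rip_eth1 {
    debug all;
    interface "eth1" { mode multicast; split horizon yes; poison reverse no; };
    import all;
    export filter rip_export_eth1;
}
```

The two instances only meet in the routing table: a route rip_eth1 learns from an eth1 neighbour lands in the table as an ordinary RTS_RIP route and is then exported by rip_eth0 on eth0, which is the redistribution Alex wanted, but it also means that when both instances learn the same prefix only the route the table selects is exported, and per-instance settings such as timers have to be kept consistent by hand. To check the result, `birdc show route export rip_eth0` should list 10.2.4.1/32 and `birdc show route export rip_eth1` should list nothing, and the tcpdump from the original post should then show responses from 172.16.0.4 only.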
Hi Ondrej, thanks for the info!

> 'ifname' represents an interface associated with the route (i.e. one to which the route aims), not the iface to which the route is announced by RIP. When a route is accepted for a protocol, it is accepted for all interfaces of the protocol (unless split horizon applies).

Yes, I saw that while debugging, and that explains why the filter did not get activated. I also checked if the 'gw' and 'from' attributes could be used in some way, but the values were empty IPs.

> If you want better control, you could configure two protocol instances, one for each interface. Such a setup has some limitations and may require some tweaking, but should work.

I will try to configure it. Could you please elaborate what limitations you see in this approach?

Thanks,
Alex