import functions & filters at same time of BGP protocol
Hello,

I would like to know what will happen if a function and a filter are configured at the same time on the import direction of a given BGP protocol. Which one passes first? Till now we have used one function, applied with arguments to many BGP protocols, and everything seemed fine. But when I decided to also apply "filter import <some filter>", all conditions and rules in my applied function were totally ignored. Only the condition in the filter was checked.

Here is my simple filter configuration:

    filter in_AS1234 {
        if ( net = 10.10.10.0/24 ) then reject;
        else accept;
    }

My BGP protocol has the following structure:

    protocol bgp R0_88 from PEERS {
        description "0.88_Customer";
        neighbor 10.0.0.88 as 1234;
        import where MM_BGP_IN(1234,1,1);
        export where MM_BGP_OUT(1234);
        import filter in_AS1234;
        table T1234;
        route limit 1000;
    }

Thank you for your help in advance.

Best~

--
Javor Kliachev
IP Engineer, Neterra Ltd.
www.neterra.net
On Wed, Sep 11, 2013 at 06:47:09PM +0300, Javor Kliachev wrote:
> Hello,
> I would like to know what will happen if a function and a filter are configured at the same time on the import direction of a given BGP protocol. Which one passes first? Till now ... But when I decided to also apply "filter import <some filter>", all conditions and rules in my applied function were totally ignored. Only the condition in the filter was checked.
Hi

This is expected. "import where COND;" is just a shorthand for "import filter { if COND then accept; else reject; };"

Multiple import/export filter options are ignored, just the last one is used. If you want to mix several prepared functions/filters, then write everything as a function and use "import where FN1 && FN2 && FN3;".

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello Ondrej,

Many thanks for your explanation and the solution.

I have made the necessary changes according to your advice, but now I see the following strange behaviour. I'm trying to implement the "roa filter check" in a separate function, but unfortunately it doesn't work. Maybe I made something wrong, but I don't know where or what :) I ask for your help again.

Here is part of my conf in the lab:

    table T64778;
    roa table r64778 { roa 31.13.244.0/24 max 24 as 64778; }

    function AS64778_in() {
        # This check seems not to be working. The network 87.120.111.0/24 is permitted, which is strange,
        # because it is not listed in my roa table. When I use the same check implemented in "import filter" it works.
        if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then return false;

        # Fake network for test - it should not be accepted.
        # When I remove the comment below, everything works as expected and the network is rejected successfully.
        # if (net = 87.120.111.0/24) then return false;
        return true;
    }

    protocol pipe P64778 from PIPES {
        description "Monitoring";
        peer table T64778;
        # export where bgp_out(64778);
        export where MM_PIPE_OUT(64778,[(1,1001..1999)]);
    }

    protocol bgp R0_252 from PEERS {
        description "0.252_Mon";
        neighbor 10.0.0.252 as 64778;
        import where AS64778_in() && MM_BGP_IN(64778,1,1001);
        # import where MM_BGP_IN(64778,1,1001) && AS64778_in();
        export where MM_BGP_OUT(64778);
        table T64778;
    }

I hope the information I provided helps to solve my problem.

Thanks in advance!

Best~
Hello,

I managed to find where my mistake is :) In fact, ROA_INVALID checks for a valid record in the roa table, ROA_UNKNOWN checks whether an entry exists at all. I made some changes and now everything works as expected. My function looks like this:

    function AS64778_in() {
        if roa_check(r64778, net, bgp_path.last) = ROA_INVALID then {
            print "ROA check failed: hijacking attempt for ", net, " from ASN ", bgp_path.last, " via ", proto;
            return false;
        }
        if roa_check(r64778, net, bgp_path.last) = ROA_UNKNOWN then {
            print "ROA check failed: unallowed prefix - ", net, " ASN ", bgp_path.last, " via ", proto;
            return false;
        }
        return true;
    }

    protocol bgp R0_252 from PEERS {
        description "0.252_Mon";
        neighbor 10.0.0.252 as 64778;
        import where AS64778_in() && MM_BGP_IN(64778,1,1001);
        export where MM_BGP_OUT(64778);
        table T64778;
    }

Best~
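As an added illustration (not code from the thread, and not BIRD's own implementation), the Python below models the three outcomes of BIRD's roa_check() under RFC 6811 origin validation and reproduces both versions of AS64778_in() from the thread: the first, which rejects only ROA_INVALID and therefore lets the unlisted 87.120.111.0/24 through because that prefix is ROA_UNKNOWN rather than ROA_INVALID, and the corrected one that rejects both. It also models the "import where FN1 && FN2" chaining Ondrej recommends. The ROA table mirrors r64778 from the thread; the sample routes, the origin AS 65001 and the max_prefix_len() check (a constructed stand-in for the site's MM_BGP_IN(), whose body is not in the thread) are assumptions.

```python
"""Model of BIRD's roa_check() outcomes and the thread's import function.

Added illustration, not BIRD code. The ROA table and the sample routes are
constructed to mirror the configuration quoted in the thread.
"""
import ipaddress
from enum import Enum
from typing import Callable, List, Tuple


class Roa(Enum):
    VALID = "ROA_VALID"
    INVALID = "ROA_INVALID"
    UNKNOWN = "ROA_UNKNOWN"


# (prefix, max length, origin AS): constructed equivalent of
# `roa table r64778 { roa 31.13.244.0/24 max 24 as 64778; }`
RoaEntry = Tuple[ipaddress.IPv4Network, int, int]
R64778: List[RoaEntry] = [
    (ipaddress.ip_network("31.13.244.0/24"), 24, 64778),
]

Check = Callable[[str, int], bool]


def roa_check(table: List[RoaEntry], net: str, asn: int) -> Roa:
    """RFC 6811 origin validation with BIRD's three outcomes.

    UNKNOWN: no ROA in the table covers the prefix at all.
    VALID:   some covering ROA matches both the origin AS and the max length.
    INVALID: the prefix is covered, but no ROA matches (wrong AS or too long).
    """
    route = ipaddress.ip_network(net)
    covered = False
    for roa_prefix, max_len, roa_asn in table:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        if route.prefixlen <= max_len and asn == roa_asn:
            return Roa.VALID
    return Roa.INVALID if covered else Roa.UNKNOWN


def as64778_in_first_attempt(net: str, last_as: int) -> bool:
    """The thread's first version: only ROA_INVALID is rejected.

    A prefix absent from the table is ROA_UNKNOWN, not ROA_INVALID, so it is
    accepted; this is why 87.120.111.0/24 slipped through.
    """
    return roa_check(R64778, net, last_as) != Roa.INVALID


def as64778_in(net: str, last_as: int) -> bool:
    """The corrected function from the last message: reject INVALID and UNKNOWN."""
    result = roa_check(R64778, net, last_as)
    if result is Roa.INVALID:
        print(f"ROA check failed: hijacking attempt for {net} from ASN {last_as}")
        return False
    if result is Roa.UNKNOWN:
        print(f"ROA check failed: unallowed prefix - {net} ASN {last_as}")
        return False
    return True


def max_prefix_len(limit: int) -> Check:
    """Constructed second check standing in for MM_BGP_IN(): reject prefixes longer than `limit`."""
    return lambda net, last_as: ipaddress.ip_network(net).prefixlen <= limit


def import_where(net: str, last_as: int, *checks: Check) -> bool:
    """Models `import where FN1() && FN2();` as a conjunction of accept/reject functions.

    Assumption: the operands are evaluated left to right with short-circuit,
    which is what all() over a generator does here.
    """
    return all(check(net, last_as) for check in checks)


if __name__ == "__main__":
    # Constructed sample routes: (prefix, last AS in bgp_path)
    samples = [
        ("31.13.244.0/24", 64778),   # listed in the table -> VALID
        ("31.13.244.0/25", 64778),   # covered but longer than max 24 -> INVALID
        ("31.13.244.0/24", 65001),   # covered, wrong origin AS -> INVALID
        ("87.120.111.0/24", 64778),  # the thread's test prefix, not covered -> UNKNOWN
    ]
    for net, asn in samples:
        print(net, asn, roa_check(R64778, net, asn).value,
              "first attempt:", as64778_in_first_attempt(net, asn),
              "corrected chain:", import_where(net, asn, as64778_in, max_prefix_len(24)))
```

Running the script shows the difference the thread hinges on: 87.120.111.0/24 is ROA_UNKNOWN, so the first function accepts it while the corrected one rejects it, and the /25 case shows that a covered-but-too-long prefix is ROA_INVALID, not unknown.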