bgp_large_community wildcard in conditional
Hello,
I was wondering if it's possible to create a conditional that matches on a wildcard for a part of a BGP large community. For example:
if ([*, 600, 6939]) ~ bgp_large_community then reject;
This currently results in a syntax error at the position of the comma after the *.
On 29 Oct 2020 15:00, Brooks Swinnerton wrote:
I was wondering if it's possible to create a conditional that matches on a wildcard for a part of a BGP large community. For example:
if ([*, 600, 6939]) ~ bgp_large_community then reject;
This currently results in a syntax error at the position of the comma after the *.
As far as I know, it's possible when adding or removing communities to use wildcard '*' char. Not entirely sure it's possible when matching in conditional if() statement... ❔
https://github.com/coloclue/kees/blob/master/templates/filter.j2#L37-L43
Specifically for conditional if() statements I am only aware of the possibility of using XOR matching condition for BGP communities.
Looking into the Docs for Bird 2. It seems to be possible.
https://bird.network.cz/?get_doc&v=20&f=bird-5.html#ss5.2
--> sub-section: "int|pair|quad|ip|prefix|ec|lc|enum set"
On Thu, Oct 29, 2020 at 10:00:58AM -0400, Brooks Swinnerton wrote:
Hello,
I was wondering if it's possible to create a conditional that matches on a wildcard for a part of a BGP large community. For example:
if ([*, 600, 6939]) ~ bgp_large_community then reject;
Hello
Note that it would be [(*, 600, 6939)], not ([*, 600, 6939]).
But for large communities, BIRD allows wildcard only on the more specific part. You can have [(64496, 600, *)], [(64496, *, *)] or even [(*, *, *)], but not [(*, 600, 6939)].
Also, wildcard (*, 600, 6939) does not really make sense, as meaning of the second and third part is determined by the first (global admin), and may be different for different first parts.
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Even using the correct syntax as described by Ondrej I am not able to get this to work. When I try, I get the following error in my logs:
filters, line 117: ~ applied on unknown type pair
I am trying to build filters that check multiple things, add a community for each thing (if it is true), then reject the route if any of the communities exist. It doesn't seem like it's possible to check if any member of a set is in another set - only if a particular element is in another set.
I.e. I can do (1,2,3) ~ bgp_large_community but not [(1,2,*)] ~ bgp_large_community
Can anyone confirm? Is this possible via a different method?
Thanks!
On Thu, Oct 29, 2020 at 2:49 PM Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Thu, Oct 29, 2020 at 10:00:58AM -0400, Brooks Swinnerton wrote:
Hello,
I was wondering if it's possible to create a conditional that matches on a wildcard for a part of a BGP large community. For example:
if ([*, 600, 6939]) ~ bgp_large_community then reject;
Hello
Note that it would be [(*, 600, 6939)], not ([*, 600, 6939]).
But for large communities, BIRD allows wildcard only on the more specific part. You can have [(64496, 600, *)], [(64496, *, *)] or even [(*, *, *)], but not [(*, 600, 6939)].
Also, wildcard (*, 600, 6939) does not really make sense, as meaning of the second and third part is determined by the first (global admin), and may be different for different first parts.
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
On Sun, Oct 17, 2021 at 04:58:06AM -0400, Ross Tajvar wrote:
Even using the correct syntax as described by Ondrej I am not able to get this to work. When I try, I get the following error in my logs:
filters, line 117: ~ applied on unknown type pair
I am trying to build filters that check multiple things, add a community for each thing (if it is true), then reject the route if any of the communities exist. It doesn't seem like it's possible to check if any member of a set is in another set - only if a particular element is in another set.
I.e. I can do (1,2,3) ~ bgp_large_community but not [(1,2,*)] ~ bgp_large_community.
It should be bgp_large_community ~ [(1,2,*)]. In the first case the meaning is whether (1,2,3) is a member of bgp_large_community, while in the second is whether any community from bgp_large_community is a member of set [(1,2,*)].
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
This worked, thank you!
It may be better to throw a syntax error and refuse to load (or reload) the configuration than to just accept it but to log errors at runtime...after I made this change, my filter started rejecting all routes and it took me a lot of troubleshooting to understand why.
On Sun, Oct 17, 2021 at 7:53 AM Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Sun, Oct 17, 2021 at 04:58:06AM -0400, Ross Tajvar wrote:
Even using the correct syntax as described by Ondrej I am not able to get this to work. When I try, I get the following error in my logs:
filters, line 117: ~ applied on unknown type pair
I am trying to build filters that check multiple things, add a community for each thing (if it is true), then reject the route if any of the communities exist. It doesn't seem like it's possible to check if any member of a set is in another set - only if a particular element is in another set.
I.e. I can do (1,2,3) ~ bgp_large_community but not [(1,2,*)] ~ bgp_large_community.
It should be bgp_large_community ~ [(1,2,*)].
In the first case the meaning is whether (1,2,3) is a member of bgp_large_community, while in the second is whether any community from bgp_large_community is a member of set [(1,2,*)].
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Some people will use two tables for exactly this reason. One table contains the PROD data (master). The other table (non-master) contains the data with revised (new) filters applied.
-- Chriztoffer
On Sun, 17 Oct 2021, 23:06 Ross Tajvar, <ross@tajvar.io> wrote:
It may be better to throw a syntax error and refuse to load (or reload) the configuration than to just accept it but to log errors at runtime...after I made this change, my filter started rejecting all routes and it took me a lot of troubleshooting to understand why.
On Sun, Oct 17, 2021 at 05:06:41PM -0400, Ross Tajvar wrote:
This worked, thank you!
It may be better to throw a syntax error and refuse to load (or reload) the configuration than to just accept it but to log errors at runtime...after I made this change, my filter started rejecting all routes and it took me a lot of troubleshooting to understand why.
Well, we added parse-time type checking for many expressions in latest version, but unfortunately not for operator ~, we should extend that.
-- Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
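The operand order and the two-table suggestion from this thread, put together as an added BIRD 2 configuration sketch (not code posted by any participant or taken from the BIRD project). ASN 64496, function value 600, the tag values 1 and 2, the path-length limit, and the names staging4, tag_then_reject and try_filter are assumptions made for illustration.

```bird
# Added example for BIRD 2. All numbers and names below are constructed.
ipv4 table staging4;    # hypothetical scratch table for trying the filter

filter tag_then_reject
{
  # One large community per failed check: (global admin, function, reason).
  if net ~ [ 10.0.0.0/8+, 172.16.0.0/12+, 192.168.0.0/16+ ] then
    bgp_large_community.add((64496, 600, 1));
  if bgp_path.len > 50 then
    bgp_large_community.add((64496, 600, 2));

  # Single element on the left, community list on the right:
  # "is this exact community attached to the route?"
  if (64496, 600, 1) ~ bgp_large_community then
    print "private prefix tagged: ", net;

  # Community list on the left, set on the right:
  # "does any attached community fall inside the set?"
  # The wildcard sits only in the trailing part, as described in the thread.
  if bgp_large_community ~ [(64496, 600, *)] then reject;

  accept;
}

# Copy routes from master4 into staging4 through the candidate filter,
# so a filter that rejects everything shows up as an empty staging table
# instead of affecting the production table.
protocol pipe try_filter
{
  table master4;
  peer table staging4;
  export filter tag_then_reject;   # master4 -> staging4
  import none;                     # nothing flows back into master4
}
```

Comparing `show route table master4 count` with `show route table staging4 count` in birdc shows how many routes the candidate filter would drop before it is attached to a BGP session.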
participants (5)
- Brooks Swinnerton
- Chriztoffer Hansen
- Chriztoffer Hansen
- Ondrej Zajicek
- Ross Tajvar