filter all prefixes except a few with 'case' control
Hi all!

I am trying to implement a simple filter which rejects all prefixes except a few with the 'case' control, this way:

    filter permit_white {
        case net {
            1.1.1.1/32: accept;
            2.2.2.2/32: accept;
            else: reject;
        }
    }

But the syntax check fails on line '1.1.1.1/32: accept;'. I read everything I could find on the Internet, but cannot understand what is wrong.

------------------------------------------
Server Support Service
Network Administration Group
ДПП.УТП.СПС
ЗАО ПФ «СКБ-Контур», Tel. +7 (343) 344-11-50 ext. 75352
e-mail: dc-noc@skbkontur.ru
https://www.kontur.ru
The construction with single IP addresses passes the syntax check, but the filter does not work as expected - it passes all routes and does not filter anything. I have an ugly workaround which works:

    filter permit_white {
        if net = 1.1.1.1/32 then { accept; }
        if net = 2.2.2.2/32 then { accept; }
        else { reject; }
    }

There are no examples on the internet with the 'case' statement; it seems the feature is rarely used and even implemented with some mistakes, isn't it?

A ROA table would be helpful, but if I understood this feature correctly, it is used for BGP, and in my case I use OSPF only.

------------------------------------------
Server Support Service
Network Administration Group
ДПП.УТП.СПС
ЗАО ПФ «СКБ-Контур», Tel. +7 (343) 344-11-50 ext. 75352
e-mail: dc-noc@skbkontur.ru
https://www.kontur.ru

From: Василий Олейников [mailto:oleynikov_v@ufanet.ru]
Sent: Thursday, September 29, 2016 11:45 AM
To: Войнович Андрей Александрович <andreyv@skbkontur.ru>
Cc: bird-users@network.cz
Subject: Re: filter all prefixes except a few with 'case' control

It seems that case doesn't work with a prefix, only with a single IP.
As I see, this construct:

    case net {
        1.1.1.1:accept;
        2.2.2.2:accept;
        else: reject;
    }

works fine. Maybe a ROA table can help you to simplify the config?

--
Best regards,
Василий Олейников
System Administrator
Backbone Network Operations and Development Department
Служба СПО ОАО "Уфанет"
tel. +7 (347) 2-900-402 ext. 3314
mobile +7 937 333 45 56
On Thu, Sep 29, 2016 at 07:01:00AM +0000, Войнович Андрей Александрович wrote:
> Construction with single IP addresses passes syntax check, but filter does not work as expected - it passes all routes and does not filter anything.

Hi

1) Case expression works for most types with the exception of prefixes. It is not implemented for prefixes.

2) Case expression with IP addresses works, but you must put an IP address and not a network into it (i.e. use 'case net.ip { ... }')

3) What you are trying to do is usually done with a prefix set:

    if net ~ [1.1.1.1/32, 2.2.2.2/32, ...] then ...

4) ROA tables could be used with any prefixes even if they are non-BGP, just supply some dummy ASN. But prefix sets in this case are enough and much simpler.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
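The prefix-set form from point 3 written out as a complete default-deny filter, next to the 'case net.ip' form from point 2, as an added example that is not part of the original thread. The filter names permit_white_set and permit_white_ip are illustrative, and the explicit length check in the second filter is an addition made here.

```bird
# Added example, not taken from the thread.
# Filter names are illustrative.

# Point 3: allowlist as a prefix set.
# A bare prefix in a set literal matches that exact prefix only,
# i.e. both the address and the length must be equal.
filter permit_white_set {
    if net ~ [ 1.1.1.1/32, 2.2.2.2/32 ] then accept;
    reject;    # default deny: anything not listed is dropped
}

# Point 2: 'case' on the address part of the route.
# net.ip is an IP address without a prefix length, so the length is
# checked separately (addition made for this example) to keep the
# match as strict as the prefix-set version.
filter permit_white_ip {
    if net.len != 32 then reject;
    case net.ip {
        1.1.1.1: accept;
        2.2.2.2: accept;
        else: reject;
    }
}
```

Both filters end in an explicit reject, so a route passes only when it matches one of the listed entries.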
Thanks, Ondrej and Vasiliy,

The construction

    if net ~ [1.1.1.1/32, 2.2.2.2/32, ...] then ...

looks like the best and easiest way, works fine.

------------------------------------------
Server Support Service
Network Administration Group
ДПП.УТП.СПС
ЗАО ПФ «СКБ-Контур», Tel. +7 (343) 344-11-50 ext. 75352
e-mail: dc-noc@skbkontur.ru
https://www.kontur.ru