Hi there,

I'm having some issues with using bird2 to carry downstream. I have two different types of upstream. One can take downstream and the other cannot. I use bgp_large_community (141011, 3, xxx) to mark every prefix from an upstream which can take downstream, and I send those prefixes to my downstream. But when my upstream (which can take downstream) and upstream (which cannot take downstream) send the same prefix, bgp_large_community ~ [(141011, 3 *)] then accept would filter both prefixes since they have the same destination. For example, one has BGP.large_community (141011, 3, 27000) and the other does not. So this prefix would be filtered, but I don't want that to happen.

  2600:380:180::/41    unicast [AS38008 00:47:10.975 from 2406:4440::1] * (110) [AS20057i]
          via 2406:4440::ffff:ffff:ffff:ffff on ens192
          Type: BGP univ
          BGP.origin: IGP
          BGP.as_path: 38008 174 7018 20057
          BGP.next_hop: 2406:4440::ffff:ffff:ffff:ffff fe80::b68a:5f00:6456:3005
          BGP.local_pref: 100
          BGP.aggregator: 107.112.201.68 AS64942
          BGP.community: (174,21000) (174,22013) (38008,103)
          BGP.large_community: (141011, 1, 22000)
                       unicast [HOME_1_ARCH 18:06:21.983] (100) [AS20057i]
          via 2a02:1218:2475::2 on home_1_arch
          Type: BGP univ
          BGP.origin: IGP
          BGP.as_path: 38136 6939 7018 20057
          BGP.next_hop: 2a02:1218:2475::2
          BGP.local_pref: 100
          BGP.aggregator: 107.112.201.68 AS64942
          BGP.originator_id: 103.149.145.104
          BGP.cluster_list: 192.168.117.52
          BGP.large_community: (38136, 1000, 17) (141011, 3, 27000)
                       unicast [kskb 00:15:16.848] (100) [AS20057i]

In addition, if I successfully export the prefixes that come from the upstream that can take downstream: when packages go through the kernel, they may also go through the upstream that cannot take downstream. My idea is to put the two different types of prefixes in different route tables, Table 100 (all routing tables from BGP) and Table 101 (only from Tier 1 ISP and can carry downstream routing table), and use the ip rule command to let every prefix that my downstream exports to me go via table 101.

But there are so many prefixes that doing it manually is impossible, and it seems bird2 doesn't support ip rule.

--
Huize Team
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter <https://twitter.com/zhihuiyuze>

On Mon, May 02, 2022 at 05:06:48PM +0800, Huiyuze Zhi wrote:
> Hi there, I'm having some issues with using bird2 to carry downstream. I have two different types of upstream. One can take downstream and the other cannot. I use bgp_large_community (141011, 3, xxx) to mark every prefix from an upstream which can take downstream, and I send those prefixes to my downstream. But when my upstream (which can take downstream) and upstream (which cannot take downstream) send the same prefix, bgp_large_community ~ [(141011, 3 *)] then accept would filter both prefixes since they have the same destination.
> For example, one has BGP.large_community (141011, 3, 27000) and the other does not. So this prefix would be filtered, but I don't want that to happen.

Hi

You can define downstream specific routing table (in BIRD)

  ipv6 table down6;

and define pipe to connect it with master6 table:

  protocol pipe {
    table master6;
    peer table down6;
    import all;
    export where <condition selecting the proper upstream>;
  }

As the pipe handles all routes, not just the best ones, it will propagate all routes from the upstream (which can take downstream) to the second table.

> In addition, if I successfully export the prefixes that come from the upstream that can take downstream: when packages go through the kernel, they may also go through the upstream that cannot take downstream. My idea is to put the two different types of prefixes in different route tables, Table 100 (all routing tables from BGP) and Table 101 (only from Tier 1 ISP and can carry downstream routing table), and use the ip rule command to let every prefix that my downstream exports to me go via table 101. But there are so many prefixes that doing it manually is impossible, and it seems bird2 doesn't support ip rule.

Yes, you can connect kernel protocol to the second bird table and feed the kernel table 101.

You are right, bird2 does not support ip rule. But if you have many prefixes from downstream, then putting them all as separate ip rules would be unreasonable anyways, ip rules are processed sequentially and would be slow with many rules (I do not know whether ip sets are allowed in ip rules or they are allowed just in netfilter). You have to mark them based on some other criteria than src IP, perhaps iface, if downstream and upstream are on the same router?

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

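
Added example, not part of the message above and not the BIRD project's own configuration: the second table, the pipe and the kernel protocol described in this reply, written out as one BIRD 2 fragment. The community (141011, 3, *) and kernel table 101 come from the thread; the protocol names, the local AS, the neighbor address, the downstream AS and the downstream prefix are assumptions or constructed placeholders.

```bird
# Added example. Protocol names, addresses and AS numbers below are
# constructed placeholders, not values from the thread.

ipv6 table down6;                   # downstream-only view of the routes

# master6 -> down6: only routes tagged as allowed to carry downstream.
# The pipe passes every matching route, not only the best one per prefix,
# so a tagged route reaches down6 even when an untagged route for the
# same prefix is preferred in master6.
protocol pipe downstream_pipe {
    table master6;
    peer table down6;
    export where bgp_large_community ~ [(141011, 3, *)];
    import all;                     # down6 -> master6: routes learned from downstream
}

# Install the downstream view into kernel table 101.
protocol kernel kernel_down6 {
    kernel table 101;
    ipv6 {
        table down6;
        import none;
        export all;
    };
}

# The downstream session is attached to down6 instead of master6, so it
# only ever sees routes that passed the pipe filter.
protocol bgp downstream_example {
    local as 141011;                        # assumed local AS
    neighbor 2001:db8::2 as 64500;          # constructed neighbor
    ipv6 {
        table down6;
        # Accept only the prefixes this downstream is allowed to announce
        # (constructed prefix).
        import where net ~ [ 2001:db8:100::/48+ ];
        export all;
    };
}
```

Steering the downstream's forwarded traffic into kernel table 101 still needs a policy rule outside BIRD, as discussed in the rest of the thread.
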
Ondrej Zajicek <santiago@crfreenet.org> writes:
> You are right, bird2 does not support ip rule. But if you have many prefixes from downstream, then putting them all as separate ip rules would be unreasonable anyways, ip rules are processed sequentially and would be slow with many rules (I do not know whether ip sets are allowed in ip rules or they are allowed just in netfilter).

You can't use sets directly in ip rules; you can match on fwmark, though, and set that using sets in netfilter; but obviously that requires a separate step to install such netfilter rules...

-Toke

Hi Ondrej,

Thanks for your help.

If I use nftables to let all interfaces from downstream go to table 101.

However, my nodes are directly connected to each other via BGP, which means I can't specify routing tables via interfaces. The fwmark should also not be used in different nodes, that is to say, the fwmark should disappear when the data packet is sent to my two nodes. Is it right?

On Tue, 3 May 2022, 04:14 Toke Høiland-Jørgensen, <toke@toke.dk> wrote:
> You can't use sets directly in ip rules; you can match on fwmark, though, and set that using sets in netfilter; but obviously that requires a separate step to install such netfilter rules...
> -Toke

participants (3): Huiyuze Zhi, Ondrej Zajicek, Toke Høiland-Jørgensen