how to filter out private ip ranges
hi. I'm trying to filter out private ip ranges from ospf. I've defined filter:

    filter privateip {
        if net ~ [ 192.168.0.0/16+, 10.0.0.0/8+, 172.16.0.0/12+ ] then reject;
        accept;
    }

and used in ospf protocol configuration:

    export filter privateip;

in birdc using:

    show route filter privateip

on this router shows only public ip prefixes. however on the neighbouring router I still get the private routes:

    10.128.1.0/24 dev tap_infonet [ospf1 22:20] I (150/10)
    172.29.201.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
    172.16.7.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
    172.23.0.128/25 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
    172.16.30.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
    172.23.4.128/25 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)

ospf export filter filters out some of the private prefixes, but not all.

what bothers me is that using show route with the defined filter works right. is there something I'm doing wrong?

thanks
mk

On Thu, Jul 02, 2009 at 10:29:19PM +0200, Martin Kraus wrote:
> hi. I'm trying to filter out private ip ranges from ospf. I've defined filter:
> ...
> on this router shows only public ip prefixes. however on the neighbouring router I still get the private routes:
>
>     10.128.1.0/24 dev tap_infonet [ospf1 22:20] I (150/10)
>     172.29.201.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
>     172.16.7.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
> ...
> what bothers me is that using show route with the defined filter works right. is there something I'm doing wrong?

It is answered in my answer to your previous mail:

Another change is that 'secondary' address ranges are now by default propagated as stub networks (You can change it using 'stubnet' option). If you propagated that address through OSPF, you probably exported it to OSPF as external route, which is not needed now.

So you probably would like to add something like:

    stubnet 172.16.0.0/12 { hidden; summary; }

to your OSPF configuration.

In current version, these stub networks are generated directly by OSPF protocol and therefore are not filtered by export filter.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

On Fri, Jul 03, 2009 at 12:11:07AM +0200, Ondrej Zajicek wrote:
> On Thu, Jul 02, 2009 at 10:29:19PM +0200, Martin Kraus wrote:
> > hi. I'm trying to filter out private ip ranges from ospf. I've defined filter:
> > ...
> > on this router shows only public ip prefixes. however on the neighbouring router I still get the private routes:
> >
> >     10.128.1.0/24 dev tap_infonet [ospf1 22:20] I (150/10)
> >     172.29.201.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
> >     172.16.7.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
> > ...
> > what bothers me is that using show route with the defined filter works right. is there something I'm doing wrong?
>
> It is answered in my answer to your previous mail:
>
> Another change is that 'secondary' address ranges are now by default propagated as stub networks (You can change it using 'stubnet' option). If you propagated that address through OSPF, you probably exported it to OSPF as external route, which is not needed now.
>
> So you probably would like to add something like:
>
>     stubnet 172.16.0.0/12 { hidden; summary; }
>
> to your OSPF configuration.
>
> In current version, these stub networks are generated directly by OSPF protocol and therefore are not filtered by export filter.

ehm. my fault. those routes propagated to the other router are indeed only those set up on the ospf interface. the rest going through the filter are rejected as should be. always assumed that ospf generates all the routes on its interface without thinking that those really can't go through export filters, so all the filters filtered routes from direct protocol. as to quote a classic: "assumption is a mother of all f***kups" :(

thanks
mk
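
An added example, not part of the thread or of BIRD itself: a small Python check that reads `show route` output captured on the neighbouring router, flags OSPF routes inside the three ranges of the `privateip` filter, and separates routes the sender's export filter could have stopped from those OSPF generates itself (the stub networks discussed above). Assumptions: the function names are hypothetical, the field before the parenthesised metrics is read as the OSPF route type (`I`, `IA`, `E1`, `E2`), and the last two sample lines are constructed.

```python
import ipaddress
import re

# Same prefix set as the thread's `privateip` filter; "+" in a BIRD prefix
# set means the prefix itself and every more-specific prefix inside it.
PRIVATE = [ipaddress.ip_network(p) for p in
           ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Matches lines such as:
#   172.16.7.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
ROUTE_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+.*?"
    r"\[(?P<proto>\S+)\s+[^\]]*\]\s+(?P<rtype>IA|I|E1|E2)?\s*\(")

def is_private(prefix):
    """True if prefix equals or lies inside one of the filtered ranges."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE)

def audit(show_route_text, proto_prefix="ospf"):
    """Return (prefix, route type, likely origin) for private OSPF routes."""
    findings = []
    for line in show_route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or not m["proto"].startswith(proto_prefix):
            continue  # not a route line, or learned from another protocol
        if not is_private(m["prefix"]):
            continue
        rtype = m["rtype"] or "?"
        if rtype in ("E1", "E2"):
            origin = "external: passed the sender's export filter"
        else:
            origin = "internal: generated by OSPF, export filter not applied"
        findings.append((m["prefix"], rtype, origin))
    return findings

# Sample input: the first three lines are from the thread, the two E2 lines
# (one public prefix, one private) are constructed for contrast.
SAMPLE = """\
10.128.1.0/24 dev tap_infonet [ospf1 22:20] I (150/10)
172.29.201.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
172.23.0.128/25 via 10.128.1.1 on tap_infonet [ospf1 22:21] I (150/20)
198.51.100.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] E2 (150/20/10000)
192.168.5.0/24 via 10.128.1.1 on tap_infonet [ospf1 22:21] E2 (150/20/10000)
"""

if __name__ == "__main__":
    for prefix, rtype, origin in audit(SAMPLE):
        print(f"{prefix:18} {rtype:3} {origin}")
```

Findings marked internal point at interface or stub networks, which the thread's answer handles with `stubnet ... { hidden; }`; findings marked external point at a gap in the export filter.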