Jerry/bird
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

BGP: Require explicit import and export policies for EBGP channels

Browse source 
To comply with RFC 8212 requirements.
This commit is contained in:
Ondrej Zajicek (work) 2018-01-16 04:14:49 +01:00
parent 4db4ac7243
commit 3831b61966
4 changed files with 39 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
doc/bird.sgml
View file

@ -794,11 +794,13 @@ inherited from templates can be updated by new definitions.
<tag><label id="proto-import">import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/boolean filter expression/</tag> <tag><label id="proto-import">import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/boolean filter expression/</tag>
Specify a filter to be used for filtering routes coming from the Specify a filter to be used for filtering routes coming from the
protocol to the routing table. <cf/all/ is for keeping all routes, protocol to the routing table. <cf/all/ is for keeping all routes,
<cf/none/ is for dropping all routes. Default: <cf/all/. <cf/none/ is for dropping all routes. Default: <cf/all/ (except for
EBGP).
<tag><label id="proto-export">export <m/filter/</tag> <tag><label id="proto-export">export <m/filter/</tag>
This is similar to the <cf>import</cf> keyword, except that it works in This is similar to the <cf>import</cf> keyword, except that it works in
the direction from the routing table to the protocol. Default: <cf/none/. the direction from the routing table to the protocol. Default: <cf/none/
(except for EBGP).
<tag><label id="proto-import-keep-filtered">import keep filtered <m/switch/</tag> <tag><label id="proto-import-keep-filtered">import keep filtered <m/switch/</tag>
Usually, if an import filter rejects a route, the route is forgotten. Usually, if an import filter rejects a route, the route is forgotten.
@ -866,10 +868,12 @@ template bgp {
ipv4 { ipv4 {
table mytable4; table mytable4;
import filter { ... }; import filter { ... };
export none;
}; };
ipv6 { ipv6 {
table mytable6; table mytable6;
import filter { ... }; import filter { ... };
export none;
}; };
} }
@ -2073,6 +2077,7 @@ avoid routing loops.
<item> <rfc id="7947"> - Internet Exchange BGP Route Server <item> <rfc id="7947"> - Internet Exchange BGP Route Server
<item> <rfc id="8092"> - BGP Large Communities Attribute <item> <rfc id="8092"> - BGP Large Communities Attribute
<item> <rfc id="8203"> - BGP Administrative Shutdown Communication <item> <rfc id="8203"> - BGP Administrative Shutdown Communication
<item> <rfc id="8212"> - Default EBGP Route Propagation Behavior without Policies
</itemize> </itemize>
<sect1>Route selection rules <sect1>Route selection rules
@ -2459,6 +2464,12 @@ together with their appropriate channels follows.
</tabular> </tabular>
</table> </table>
<p>Due to <rfc id="8212">, external BGP protocol requires explicit configuration
of import and export policies (in contrast to other protocols, where default
policies of <cf/import all/ and <cf/export none/ are used in absence of explicit
configuration). Note that blanket policies like <cf/all/ or <cf/none/ can still
be used in explicit configuration.
<p>BGP channels have additional config options (together with the common ones): <p>BGP channels have additional config options (together with the common ones):
<descrip> <descrip>
@ -3631,13 +3642,13 @@ protocol kernel kern2 {
} }
protocol bgp bgp1 { # The outside connections protocol bgp bgp1 { # The outside connections
ipv4 { table as1; export all; }; ipv4 { table as1; import all; export all; };
local as 1; local as 1;
neighbor 192.168.0.1 as 1001; neighbor 192.168.0.1 as 1001;
} }
protocol bgp bgp2 { protocol bgp bgp2 {
ipv4 { table as2; export all; }; ipv4 { table as2; import all; export all; };
local as 2; local as 2;
neighbor 10.0.0.1 as 1002; neighbor 10.0.0.1 as 1002;
} }
@ -4419,7 +4430,10 @@ protocol bgp {
debug all; debug all;
local as 65000; local as 65000;
neighbor 192.168.2.1 as 65001; neighbor 192.168.2.1 as 65001;
ipv4 { import filter peer_in_v4; }; ipv4 {
import filter peer_in_v4;
export none;
};
} }
</code> </code>

1
filter/filter.h
View file

@ -122,6 +122,7 @@ void val_format(struct f_val v, buffer *buf);
#define FILTER_ACCEPT NULL #define FILTER_ACCEPT NULL
#define FILTER_REJECT ((void *) 1) #define FILTER_REJECT ((void *) 1)
#define FILTER_UNDEF ((void *) 2) /* Used in BGP */
/* Type numbers must be in 0..0xff range */ /* Type numbers must be in 0..0xff range */
#define T_MASK 0xff #define T_MASK 0xff

17
proto/bgp/bgp.c
View file

@ -99,6 +99,7 @@
* <item> <rfc id="7947"> - Internet Exchange BGP Route Server * <item> <rfc id="7947"> - Internet Exchange BGP Route Server
* <item> <rfc id="8092"> - BGP Large Communities Attribute * <item> <rfc id="8092"> - BGP Large Communities Attribute
* <item> <rfc id="8203"> - BGP Administrative Shutdown Communication * <item> <rfc id="8203"> - BGP Administrative Shutdown Communication
* <item> <rfc id="8212"> - Default EBGP Route Propagation Behavior without Policies
* </itemize> * </itemize>
*/ */
@ -113,6 +114,7 @@
#include "nest/cli.h" #include "nest/cli.h"
#include "nest/locks.h" #include "nest/locks.h"
#include "conf/conf.h" #include "conf/conf.h"
#include "filter/filter.h"
#include "lib/socket.h" #include "lib/socket.h"
#include "lib/resource.h" #include "lib/resource.h"
#include "lib/string.h" #include "lib/string.h"
@ -1621,6 +1623,7 @@ bgp_postconfig(struct proto_config *CF)
{ {
struct bgp_config *cf = (void *) CF; struct bgp_config *cf = (void *) CF;
int internal = (cf->local_as == cf->remote_as); int internal = (cf->local_as == cf->remote_as);
int interior = internal || cf->confederation_member;
/* Do not check templates at all */ /* Do not check templates at all */
if (cf->c.class == SYM_TEMPLATE) if (cf->c.class == SYM_TEMPLATE)
@ -1677,6 +1680,20 @@ bgp_postconfig(struct proto_config *CF)
struct bgp_channel_config *cc; struct bgp_channel_config *cc;
WALK_LIST(cc, CF->channels) WALK_LIST(cc, CF->channels)
{ {
/* Handle undefined import filter */
if (cc->c.in_filter == FILTER_UNDEF)
if (interior)
cc->c.in_filter = FILTER_ACCEPT;
else
cf_error("EBGP requires explicit import policy");
/* Handle undefined export filter */
if (cc->c.out_filter == FILTER_UNDEF)
if (interior)
cc->c.out_filter = FILTER_REJECT;
else
cf_error("EBGP requires explicit export policy");
/* Disable after error incompatible with restart limit action */ /* Disable after error incompatible with restart limit action */
if ((cc->c.in_limit.action == PLA_RESTART) && cf->disable_after_error) if ((cc->c.in_limit.action == PLA_RESTART) && cf->disable_after_error)
cc->c.in_limit.action = PLA_DISABLE; cc->c.in_limit.action = PLA_DISABLE;

2
proto/bgp/config.Y
View file

@ -163,6 +163,8 @@ bgp_channel_start: bgp_afi
/* New channel */ /* New channel */
if (!BGP_CC->desc) if (!BGP_CC->desc)
{ {
BGP_CC->c.in_filter = FILTER_UNDEF;
BGP_CC->c.out_filter = FILTER_UNDEF;
BGP_CC->c.ra_mode = RA_UNDEF; BGP_CC->c.ra_mode = RA_UNDEF;
BGP_CC->afi = $1; BGP_CC->afi = $1;
BGP_CC->desc = desc; BGP_CC->desc = desc;