How can I ask for that? Now I am using just RPKI as filter and I can check invalid ROAs in syslog or with 'show route table name all filtered'.
I would like to check valid/unknown ROAs too and I could do something like this:

    if (roa_check(r4, net, bgp_path.last) = ROA_VALID) then { print "RPKI valid ", net, " for ASN ", bgp_path.last; }

and then check the syslog, but I think using communities would be better so that I can use a command such as this one:
'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' or 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)] count'.
But how can I make BIRD work with filtered routes?

Thanks,
Fabiano

On Mon, 20 Apr 2020 at 15:50, Maria Matejka <maria.mate...@nic.cz> wrote:

> Ooops, filtered. The filtered routes are by default excluded from the
> filters. You have to explicitly ask for filtered routes to make BIRD
> work with them.
>
> Maria
>
> On 4/20/20 3:47 PM, Fabiano D'Agostino wrote:
> > Thanks, I did it but it is still not working. Never mind, I will use
> > 'show route filtered'.
> >
> > On Mon, 20 Apr 2020 at 15:27, Maria Matejka <maria.mate...@nic.cz> wrote:
> >
> > The tilde operator is not symmetric, although it visually seems to be.
> > It can be (at least in this case) vaguely interpreted as »left operand
> > is contained by the right operand«.
> >
> > In other words, exchange the operands of the tilde.
> >
> > Maria
> >
> > On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> > > Thanks, it worked. So the community isn't needed? I tried
> > > 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]'
> > > and it prints:
> > > Table t_0002_as2:
> > >
> > > On Mon, 20 Apr 2020 at 15:00, Maria Matejka <maria.mate...@nic.cz> wrote:
> > >
> > > show route all filtered
> > >
> > > shows only routes from master4 and master6 tables
> > >
> > > to show routes from this protocol, use
> > >
> > > show route table t_0002_as2 all filtered
> > >
> > > Maria
> > >
> > > On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> > > > Yes, I just enabled it:
> > > > protocol bgp {
> > > >     ...
> > > >     ipv4 {
> > > >         import keep filtered;
> > > >         import limit 250 action restart;
> > > >         import filter filter_rpki;
> > > >         table t_0002_as2;
> > > >     }
> > > > }
> > > >
> > > > RPKI is working because if I check the syslog I find the invalid
> > > > printed prefixes, but 'show route all filtered' doesn't show anything.
> > > >
> > > > On Mon, 20 Apr 2020 at 14:05, Maria Matejka <maria.mate...@nic.cz> wrote:
> > > >
> > > > And do you have
> > > > import keep filtered;
> > > > in your config?
> > > >
> > > > Maria
> > > >
> > > > On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
> > > > > Hi,
> > > > > In my route server bird.conf I did this:
> > > > > define FILTERED_RPKI_INVALID = (1,1101,13);
> > > > >
> > > > > filter filter_rpki {
> > > > >     if roa_check(..) = ROA_INVALID then
> > > > >         { bgp_large_community.add(FILTERED_RPKI_INVALID); reject; }
> > > > > }
> > > > >
> > > > > But when I do 'show route all filtered' I get nothing, I also tried with
> > > > > 'show route bgp_large_community ~ [(1,1101,13)]' and I have the same result.
> > > > > Because I would like to have some statistics about
> > > > > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the
> > > > > 'show route stats' command.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Fabiano
> > > > >
> > > > > On Sun, 19 Apr 2020 at 21:30, Alarig Le Lay <ala...@swordarmor.fr> wrote:
> > > > >
> > > > > On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
> > > > > > Thanks!
> > > > > > But can I also use birdc to check rejected prefixes?
> > > > >
> > > > > If you add a community, it will be visible with `show route all
> > > > > filtered`
> > > > >
> > > > > > Anyway why do you suggest to use bgp_path.last_nonaggregated?
> > > > >
> > > > > Because you don’t want to check ROA against another ASN in the
> > > > > aggregated path.
> > > > >
> > > > > --
> > > > > Alarig
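
The setup discussed in this thread, as an added example that is not from any poster and is not BIRD project code: a BIRD 2 import filter that tags all three ROA states with large communities, followed by the birdc queries that count them, including the rejected routes kept by `import keep filtered`. The community values (1,1000,1) and (1,1000,2), the ASNs, the neighbor address and the RPKI cache host are placeholders; the table, filter and invalid-community names come from the thread.

```bird
# Added example, not from the thread. Placeholders: ASNs, addresses,
# cache host, and the VALID/UNKNOWN community values.
roa4 table r4;
ipv4 table t_0002_as2;

define RPKI_VALID_TAG        = (1,1000,1);    # hypothetical value
define RPKI_UNKNOWN_TAG      = (1,1000,2);    # hypothetical value
define FILTERED_RPKI_INVALID = (1,1101,13);   # value used in the thread

protocol rpki {
    roa4 { table r4; };
    remote "rpki-cache.example.net" port 3323;   # placeholder validator
}

filter filter_rpki
{
    # Tag before rejecting: with "import keep filtered" the rejected route
    # stays in the table (hidden) together with the community set here.
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
        bgp_large_community.add(FILTERED_RPKI_INVALID);
        reject;
    }
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_VALID then {
        bgp_large_community.add(RPKI_VALID_TAG);
    } else {
        bgp_large_community.add(RPKI_UNKNOWN_TAG);
    }
    accept;
}

protocol bgp {
    local as 64500;                 # placeholder
    neighbor 192.0.2.2 as 64501;    # placeholder
    ipv4 {
        table t_0002_as2;
        import keep filtered;
        import limit 250 action restart;
        import filter filter_rpki;
    };
}

# birdc queries (typed in birdc, not part of bird.conf):
#   accepted routes, per ROA state:
#     show route table t_0002_as2 where bgp_large_community ~ [(1,1000,1)] count
#     show route table t_0002_as2 where bgp_large_community ~ [(1,1000,2)] count
#   rejected (RPKI-invalid) routes are only searched with the "filtered" keyword:
#     show route table t_0002_as2 filtered where bgp_large_community ~ [(1,1101,13)] count
```

Communities added on import stay attached to accepted routes, so the export filter towards peers should remove the VALID/UNKNOWN tags if they are meant for local statistics only.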