filters in bgpd.conf when running IPv6 feeds on a 4.3 box

Wed, 24 Sep 2008 02:32:01 -0700 

Good evening all,
Forgive me if this is common knowledge, but my reading of bgpd.conf(5) on OpenBSD 4.3 did not make the following clear to me: 


When running BGP with only IPv4 prefixes, the examples given in the 
sample bgpd.conf work splendidly.



Reading the FILTERS section of bgpd.conf lead me to believe that simply 
adding

"allow from any inet6 prefixlen 12 - 48"

would allow the IPv6 prefixes that my neighbor was announcing to me be 
added from the RIB into the FIB, however this was not the case. After 
trying to specify each rule as explicitly pertaining to "inet" or 
"inet6" I found that bgpd would only match the announced IPv6 prefixes 
to my "allow" line when I qualified each "deny" line with a prefixlen, 
regardless of the CIDR mask appended to the address.
Specifically, the "deny from any prefix 0.0.0.0/0" line in the sample 
config would always match *all* IPv6 prefixes (but not clobber any of my 
IPv4 prefixes, which were merged into the FIB just fine), even if I 
inserted the "inet" parameter into the rule.


I ended up with the following minimum FILTER config, which works just fine:
-----------------------------
# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24

# allow most IPv6 prefixes
allow from any inet6 prefixlen 12 - 48

# do not accept a default route
deny from any inet prefix 0.0.0.0/0 prefixlen = 0

# filter bogus networks
deny from any inet prefix 10.0.0.0/8 prefixlen >= 8
deny from any inet prefix 172.16.0.0/12 prefixlen >= 12
deny from any inet prefix 192.168.0.0/16 prefixlen >= 16
deny from any inet prefix 169.254.0.0/16 prefixlen >= 16
deny from any inet prefix 192.0.2.0/24 prefixlen >= 24
deny from any inet prefix 224.0.0.0/4 prefixlen >= 4
deny from any inet prefix 240.0.0.0/4 prefixlen >= 4
----------------------------------


If this (having to always specify a prefixlen even if a CIDR mask is 
present) is the desired behavior (which is fine by me), I'll be happy to 
write a diff for bgpd.conf(5) but in my opinion it appears that at the 
very least the family (inet or inet6) parameter in the filter syntax is 
busted, though as I've just now noticed this I haven't looked at the 
source at all. I've also not yet tried to reproduce this behavior on 
-CURRENT, so forgive me if this is old news -- the only IPv6-related 
brokenness that I could find that seemed to even remotely be similar is 
http://marc.info/?l=openbsd-misc&m=121036759606446&w=2


et voila!

$ ping6 -S 2607:f618:1::1 ipv6.google.com     
PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:4860:0:2001::68

16 bytes from 2001:4860:0:2001::68, icmp_seq=0 hlim=59 time=76.009 ms

Anyhow, cheers!
-Tico























					Reply via email to