Re: [bgpd] enforce local-as no

2017-05-27 Thread Sebastian Benoit

reads ok

and yes on sthen's suggestion

Peter Hessler(phess...@openbsd.org) on 2017.05.27 14:50:25 +0200:
> Allow us to receive our own AS paths from a neighbor.
> 
> Like several of the related diffs, this also invites dragons and grues
> into your network.
> 
> Probably needs the most love in the man page, as usual ;).
> 
> OK?
> 
> 
> Index: bgpd.conf.5
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.conf.5,v
> retrieving revision 1.154
> diff -u -p -u -p -r1.154 bgpd.conf.5
> --- bgpd.conf.5   27 May 2017 10:33:15 -  1.154
> +++ bgpd.conf.5   27 May 2017 12:49:42 -
> @@ -767,6 +767,19 @@ section in
>  .Sx GLOBAL CONFIGURATION .
>  .Pp
>  .It Xo
> +.Ic enforce local-as
> +.Pq Ic yes Ns | Ns Ic no
> +.Xc
> +If set to
> +.Ic no ,
> +.Em AS paths
> +will not be checked for AS loop detection.
> +Since there is no AS path loop check, this option is dangerous, and
> +requires you to add filters to prevent receiving your own prefixes.
> +The default value is
> +.Ic yes .
> +.Pp
> +.It Xo
>  .Ic enforce neighbor-as
>  .Pq Ic yes Ns | Ns Ic no
>  .Xc
> Index: bgpd.h
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.h,v
> retrieving revision 1.303
> diff -u -p -u -p -r1.303 bgpd.h
> --- bgpd.h27 May 2017 12:09:27 -  1.303
> +++ bgpd.h27 May 2017 12:34:57 -
> @@ -309,6 +309,7 @@ struct peer_config {
>   u_int32_tmax_prefix;
>   enum announce_type   announce_type;
>   enum enforce_as  enforce_as;
> + enum enforce_as  enforce_local_as;
>   enum reconf_action   reconf_action;
>   u_int16_tmax_prefix_restart;
>   u_int16_tholdtime;
> Index: parse.y
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v
> retrieving revision 1.303
> diff -u -p -u -p -r1.303 parse.y
> --- parse.y   27 May 2017 10:33:15 -  1.303
> +++ parse.y   27 May 2017 12:35:33 -
> @@ -1183,6 +1183,12 @@ peeropts   : REMOTEAS as4number{
>   else
>   curpeer->conf.enforce_as = ENFORCE_AS_OFF;
>   }
> + | ENFORCE LOCALAS yesno {
> + if ($3)
> + curpeer->conf.enforce_local_as = ENFORCE_AS_ON;
> + else
> + curpeer->conf.enforce_local_as = ENFORCE_AS_OFF;
> + }
>   | MAXPREFIX NUMBER restart {
>   if ($2 < 0 || $2 > UINT_MAX) {
>   yyerror("bad maximum number of prefixes");
> @@ -3690,6 +3696,8 @@ neighbor_consistent(struct peer *p)
>   if (p->conf.enforce_as == ENFORCE_AS_UNDEF)
>   p->conf.enforce_as = p->conf.ebgp ?
>   ENFORCE_AS_ON : ENFORCE_AS_OFF;
> + if (p->conf.enforce_local_as == ENFORCE_AS_UNDEF)
> + p->conf.enforce_local_as = ENFORCE_AS_ON;
>  
>   /* EBGP neighbors are not allowed in route reflector clusters */
>   if (p->conf.reflector_client && p->conf.ebgp) {
> Index: printconf.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/printconf.c,v
> retrieving revision 1.102
> diff -u -p -u -p -r1.102 printconf.c
> --- printconf.c   27 May 2017 10:33:15 -  1.102
> +++ printconf.c   27 May 2017 12:38:13 -
> @@ -470,6 +470,10 @@ print_peer(struct peer_config *p, struct
>   printf("%s\tenforce neighbor-as yes\n", c);
>   else
>   printf("%s\tenforce neighbor-as no\n", c);
> + if (p->enforce_local_as == ENFORCE_AS_ON)
> + printf("%s\tenforce local-as yes\n", c);
> + else
> + printf("%s\tenforce local-as no\n", c);
>   if (p->reflector_client) {
>   if (conf->clusterid == 0)
>   printf("%s\troute-reflector\n", c);
> Index: rde.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.362
> diff -u -p -u -p -r1.362 rde.c
> --- rde.c 27 May 2017 10:33:15 -  1.362
> +++ rde.c 27 May 2017 12:41:06 -
> @@ -1104,6 +1104,7 @@ rde_update_dispatch(struct imsg *imsg)
>  
>   /* aspath needs to be loop free nota bene this is not a hard error */
>   if (peer->conf.ebgp &&
> + peer->conf.enforce_local_as == ENFORCE_AS_ON &&
>   !aspath_loopfree(asp->aspath, peer->conf.local_as))
>   asp->flags |= F_ATTR_LOOP;
>  
> 
> 
> 
> -- 
> The porcupine with the sharpest quills gets stuck on a tree more often.
> 



Re: [bgpd] enforce local-as no

2017-05-27 Thread Stuart Henderson
On 2017/05/27 14:50, Peter Hessler wrote:
> Allow us to receive our own AS paths from a neighbor.
> 
> Like several of the related diffs, this also invites dragons and grues
> into your network.
> 
> Probably needs the most love in the man page, as usual ;).
> 
> OK?

> Index: bgpd.conf.5
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.conf.5,v
> retrieving revision 1.154
> diff -u -p -u -p -r1.154 bgpd.conf.5
> --- bgpd.conf.5   27 May 2017 10:33:15 -  1.154
> +++ bgpd.conf.5   27 May 2017 12:49:42 -
> @@ -767,6 +767,19 @@ section in
>  .Sx GLOBAL CONFIGURATION .
>  .Pp
>  .It Xo
> +.Ic enforce local-as
> +.Pq Ic yes Ns | Ns Ic no
> +.Xc
> +If set to
> +.Ic no ,
> +.Em AS paths
> +will not be checked for AS loop detection.
> +Since there is no AS path loop check, this option is dangerous, and
> +requires you to add filters to prevent receiving your own prefixes.

That seems fine.

Is it worth adding something like "Similar to allowas-in in some other
BGP implementations" to help users find it if they already know the
term used by cisco/brocade?

> +.Pp
> +.It Xo

>  .Ic enforce neighbor-as
>  .Pq Ic yes Ns | Ns Ic no
>  .Xc
> Index: bgpd.h
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.h,v
> retrieving revision 1.303
> diff -u -p -u -p -r1.303 bgpd.h
> --- bgpd.h27 May 2017 12:09:27 -  1.303
> +++ bgpd.h27 May 2017 12:34:57 -
> @@ -309,6 +309,7 @@ struct peer_config {
>   u_int32_tmax_prefix;
>   enum announce_type   announce_type;
>   enum enforce_as  enforce_as;
> + enum enforce_as  enforce_local_as;
>   enum reconf_action   reconf_action;
>   u_int16_tmax_prefix_restart;
>   u_int16_tholdtime;
> Index: parse.y
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v
> retrieving revision 1.303
> diff -u -p -u -p -r1.303 parse.y
> --- parse.y   27 May 2017 10:33:15 -  1.303
> +++ parse.y   27 May 2017 12:35:33 -
> @@ -1183,6 +1183,12 @@ peeropts   : REMOTEAS as4number{
>   else
>   curpeer->conf.enforce_as = ENFORCE_AS_OFF;
>   }
> + | ENFORCE LOCALAS yesno {
> + if ($3)
> + curpeer->conf.enforce_local_as = ENFORCE_AS_ON;
> + else
> + curpeer->conf.enforce_local_as = ENFORCE_AS_OFF;
> + }
>   | MAXPREFIX NUMBER restart {
>   if ($2 < 0 || $2 > UINT_MAX) {
>   yyerror("bad maximum number of prefixes");
> @@ -3690,6 +3696,8 @@ neighbor_consistent(struct peer *p)
>   if (p->conf.enforce_as == ENFORCE_AS_UNDEF)
>   p->conf.enforce_as = p->conf.ebgp ?
>   ENFORCE_AS_ON : ENFORCE_AS_OFF;
> + if (p->conf.enforce_local_as == ENFORCE_AS_UNDEF)
> + p->conf.enforce_local_as = ENFORCE_AS_ON;
>  
>   /* EBGP neighbors are not allowed in route reflector clusters */
>   if (p->conf.reflector_client && p->conf.ebgp) {
> Index: printconf.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/printconf.c,v
> retrieving revision 1.102
> diff -u -p -u -p -r1.102 printconf.c
> --- printconf.c   27 May 2017 10:33:15 -  1.102
> +++ printconf.c   27 May 2017 12:38:13 -
> @@ -470,6 +470,10 @@ print_peer(struct peer_config *p, struct
>   printf("%s\tenforce neighbor-as yes\n", c);
>   else
>   printf("%s\tenforce neighbor-as no\n", c);
> + if (p->enforce_local_as == ENFORCE_AS_ON)
> + printf("%s\tenforce local-as yes\n", c);
> + else
> + printf("%s\tenforce local-as no\n", c);
>   if (p->reflector_client) {
>   if (conf->clusterid == 0)
>   printf("%s\troute-reflector\n", c);
> Index: rde.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.362
> diff -u -p -u -p -r1.362 rde.c
> --- rde.c 27 May 2017 10:33:15 -  1.362
> +++ rde.c 27 May 2017 12:41:06 -
> @@ -1104,6 +1104,7 @@ rde_update_dispatch(struct imsg *imsg)
>  
>   /* aspath needs to be loop free nota bene this is not a hard error */
>   if (peer->conf.ebgp &&
> + peer->conf.enforce_local_as == ENFORCE_AS_ON &&
>   !aspath_loopfree(asp->aspath, peer->conf.local_as))
>   asp->flags |= F_ATTR_LOOP;
>  

ok.



[bgpd] enforce local-as no

2017-05-27 Thread Peter Hessler
Allow us to receive our own AS paths from a neighbor.

Like several of the related diffs, this also invites dragons and grues
into your network.

Probably needs the most love in the man page, as usual ;).

OK?


Index: bgpd.conf.5
===
RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.conf.5,v
retrieving revision 1.154
diff -u -p -u -p -r1.154 bgpd.conf.5
--- bgpd.conf.5 27 May 2017 10:33:15 -  1.154
+++ bgpd.conf.5 27 May 2017 12:49:42 -
@@ -767,6 +767,19 @@ section in
 .Sx GLOBAL CONFIGURATION .
 .Pp
 .It Xo
+.Ic enforce local-as
+.Pq Ic yes Ns | Ns Ic no
+.Xc
+If set to
+.Ic no ,
+.Em AS paths
+will not be checked for AS loop detection.
+Since there is no AS path loop check, this option is dangerous, and
+requires you to add filters to prevent receiving your own prefixes.
+The default value is
+.Ic yes .
+.Pp
+.It Xo
 .Ic enforce neighbor-as
 .Pq Ic yes Ns | Ns Ic no
 .Xc
Index: bgpd.h
===
RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.h,v
retrieving revision 1.303
diff -u -p -u -p -r1.303 bgpd.h
--- bgpd.h  27 May 2017 12:09:27 -  1.303
+++ bgpd.h  27 May 2017 12:34:57 -
@@ -309,6 +309,7 @@ struct peer_config {
u_int32_tmax_prefix;
enum announce_type   announce_type;
enum enforce_as  enforce_as;
+   enum enforce_as  enforce_local_as;
enum reconf_action   reconf_action;
u_int16_tmax_prefix_restart;
u_int16_tholdtime;
Index: parse.y
===
RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.303
diff -u -p -u -p -r1.303 parse.y
--- parse.y 27 May 2017 10:33:15 -  1.303
+++ parse.y 27 May 2017 12:35:33 -
@@ -1183,6 +1183,12 @@ peeropts : REMOTEAS as4number{
else
curpeer->conf.enforce_as = ENFORCE_AS_OFF;
}
+   | ENFORCE LOCALAS yesno {
+   if ($3)
+   curpeer->conf.enforce_local_as = ENFORCE_AS_ON;
+   else
+   curpeer->conf.enforce_local_as = ENFORCE_AS_OFF;
+   }
| MAXPREFIX NUMBER restart {
if ($2 < 0 || $2 > UINT_MAX) {
yyerror("bad maximum number of prefixes");
@@ -3690,6 +3696,8 @@ neighbor_consistent(struct peer *p)
if (p->conf.enforce_as == ENFORCE_AS_UNDEF)
p->conf.enforce_as = p->conf.ebgp ?
ENFORCE_AS_ON : ENFORCE_AS_OFF;
+   if (p->conf.enforce_local_as == ENFORCE_AS_UNDEF)
+   p->conf.enforce_local_as = ENFORCE_AS_ON;
 
/* EBGP neighbors are not allowed in route reflector clusters */
if (p->conf.reflector_client && p->conf.ebgp) {
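Review bot: `enforce local-as no` is accepted for any neighbor, yet the check it controls in rde_update_dispatch only runs when `peer->conf.ebgp` is set, so on an IBGP neighbor the option silently has no effect. neighbor_consistent already polices other inconsistent combinations (the route reflector check just below), so it could reject or warn on `p->conf.enforce_local_as == ENFORCE_AS_OFF && !p->conf.ebgp`; how this function reports errors is outside the hunk. At minimum, a comment above the new default such as `/* local-as loop check only applies to EBGP, see rde_update_dispatch() */` would make the scope clear.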
Index: printconf.c
===
RCS file: /cvs/openbsd/src/usr.sbin/bgpd/printconf.c,v
retrieving revision 1.102
diff -u -p -u -p -r1.102 printconf.c
--- printconf.c 27 May 2017 10:33:15 -  1.102
+++ printconf.c 27 May 2017 12:38:13 -
@@ -470,6 +470,10 @@ print_peer(struct peer_config *p, struct
printf("%s\tenforce neighbor-as yes\n", c);
else
printf("%s\tenforce neighbor-as no\n", c);
+   if (p->enforce_local_as == ENFORCE_AS_ON)
+   printf("%s\tenforce local-as yes\n", c);
+   else
+   printf("%s\tenforce local-as no\n", c);
if (p->reflector_client) {
if (conf->clusterid == 0)
printf("%s\troute-reflector\n", c);
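Review bot: The new `else` branch prints `enforce local-as no` for every value other than ENFORCE_AS_ON, so a peer_config still holding ENFORCE_AS_UNDEF would be displayed as having loop detection disabled. neighbor_consistent in parse.y resolves UNDEF to ON, but whether it always runs before print_peer is not visible here. Since `no` is the dangerous setting, I would test for it explicitly with `else if (p->enforce_local_as == ENFORCE_AS_OFF)`. print_peer starts and ends outside the hunk.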
Index: rde.c
===
RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.362
diff -u -p -u -p -r1.362 rde.c
--- rde.c   27 May 2017 10:33:15 -  1.362
+++ rde.c   27 May 2017 12:41:06 -
@@ -1104,6 +1104,7 @@ rde_update_dispatch(struct imsg *imsg)
 
/* aspath needs to be loop free nota bene this is not a hard error */
if (peer->conf.ebgp &&
+   peer->conf.enforce_local_as == ENFORCE_AS_ON &&
!aspath_loopfree(asp->aspath, peer->conf.local_as))
asp->flags |= F_ATTR_LOOP;
 
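Review bot: The comment above this condition still says the aspath needs to be loop free, but with the added `peer->conf.enforce_local_as == ENFORCE_AS_ON` term an EBGP update carrying our own AS is no longer marked F_ATTR_LOOP when the option is off. I would reword the comment to `/* aspath needs to be loop free unless the peer has "enforce local-as no"; nota bene this is not a hard error */`, so a reader of this check sees that protection then rests entirely on the operator's filters, as the man page text says. rde_update_dispatch starts and ends outside the hunk, so whether such paths are counted or logged elsewhere is not visible here.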



-- 
The porcupine with the sharpest quills gets stuck on a tree more often.