allow us to write rules that match directly on the peer AS
authorphessler <phessler@openbsd.org>
Sat, 25 Apr 2015 15:28:18 +0000 (15:28 +0000)
committerphessler <phessler@openbsd.org>
Sat, 25 Apr 2015 15:28:18 +0000 (15:28 +0000)
...
allow from AS 1 prefix 192.0.2.0/24
...

Also adjust the IRR ruleset output to include the declared peer AS,
instead of hoping they listed their neighbor IP address!

OK benno@
older version OK: claudio@ henning@

usr.sbin/bgpctl/irr_output.c
usr.sbin/bgpd/bgpd.conf.5
usr.sbin/bgpd/bgpd.h
usr.sbin/bgpd/parse.y
usr.sbin/bgpd/printconf.c
usr.sbin/bgpd/rde_filter.c

index 36e77ff..3a14e9b 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: irr_output.c,v 1.16 2015/01/16 06:40:15 deraadt Exp $ */
+/*     $OpenBSD: irr_output.c,v 1.17 2015/04/25 15:28:18 phessler Exp $ */
 
 /*
  * Copyright (c) 2007 Henning Brauer <henning@openbsd.org>
@@ -30,6 +30,7 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#include "bgpd.h"
 #include "irrfilter.h"
 
 int     process_policies(FILE *, struct policy_head *);
@@ -195,7 +196,7 @@ void
 print_rule(FILE *fh, struct policy_item *pi, char *sourceas,
     struct irr_prefix *prefix)
 {
-       char    *peer = "any";
+       char     peer[PEER_DESCR_LEN];
        char    *action = "";
        char    *dir;
        char    *srcas[2] = { "", "" };
@@ -208,7 +209,9 @@ print_rule(FILE *fh, struct policy_item *pi, char *sourceas,
                dir = "to";
 
        if (pi->peer_addr)
-               peer = pi->peer_addr;
+               snprintf(peer, PEER_DESCR_LEN, "%s", pi->peer_addr);
+       else
+               snprintf(peer, PEER_DESCR_LEN, "AS %s", log_as(pi->peer_as));
 
        if (pi->action)
                action = action_torule(pi->action);
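Review bot: The two added snprintf() calls can truncate silently: before this change `peer` aliased pi->peer_addr untouched, whereas now anything longer than PEER_DESCR_LEN-1 bytes is cut, and for an address that means the emitted rule names a different neighbor or no longer parses. I'd check the return value, `if (snprintf(peer, sizeof peer, "%s", pi->peer_addr) >= (int)sizeof peer) warnx("peer address %s truncated", pi->peer_addr);` (or errx(3) if a wrong rule is worse than no rule), and the same for the "AS %s" branch; whether PEER_DESCR_LEN is wide enough for a full IPv6 literal is not visible here, so please confirm. Writing the bound as `sizeof peer` instead of repeating PEER_DESCR_LEN keeps it tied to the array. print_rule() continues past the end of the hunk.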
index ae43851..bb220ab 100644 (file)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: bgpd.conf.5,v 1.133 2015/02/28 21:51:57 bentley Exp $
+.\" $OpenBSD: bgpd.conf.5,v 1.134 2015/04/25 15:28:18 phessler Exp $
 .\"
 .\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
 .\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 28 2015 $
+.Dd $Mdocdate: April 25 2015 $
 .Dt BGPD.CONF 5
 .Os
 .Sh NAME
@@ -1147,6 +1147,8 @@ Any neighbor will be matched.
 Neighbors with this address will be matched.
 .It Ic group Ar descr
 Neighbors in this group will be matched.
+.It Ic AS Ar as-number
+Neighbors with this AS will be matched.
 .El
 .Pp
 Multiple
index 48672e6..e21cfa8 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: bgpd.h,v 1.284 2015/03/14 03:52:42 claudio Exp $ */
+/*     $OpenBSD: bgpd.h,v 1.285 2015/04/25 15:28:18 phessler Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -694,6 +694,7 @@ enum comp_ops {
 struct filter_peers {
        u_int32_t       peerid;
        u_int32_t       groupid;
+       u_int32_t       remote_as;
        u_int16_t       ribid;
 };
 
index 971fcdd..d50b500 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.278 2015/03/14 03:52:42 claudio Exp $ */
+/*     $OpenBSD: parse.y,v 1.279 2015/04/25 15:28:18 phessler Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1457,7 +1457,7 @@ filter_peer       : ANY           {
                        if (($$ = calloc(1, sizeof(struct filter_peers_l))) ==
                            NULL)
                                fatal(NULL);
-                       $$->p.groupid = $$->p.peerid = 0;
+                       $$->p.remote_as = $$->p.groupid = $$->p.peerid = 0;
                        $$->next = NULL;
                        for (p = peer_l; p != NULL; p = p->next)
                                if (!memcmp(&p->conf.remote_addr,
@@ -1471,13 +1471,20 @@ filter_peer     : ANY           {
                                YYERROR;
                        }
                }
+               | AS as4number  {
+                       if (($$ = calloc(1, sizeof(struct filter_peers_l))) ==
+                           NULL)
+                               fatal(NULL);
+                       $$->p.groupid = $$->p.peerid = 0;
+                       $$->p.remote_as = $2;
+               }
                | GROUP STRING  {
                        struct peer *p;
 
                        if (($$ = calloc(1, sizeof(struct filter_peers_l))) ==
                            NULL)
                                fatal(NULL);
-                       $$->p.peerid = 0;
+                       $$->p.remote_as = $$->p.peerid = 0;
                        $$->next = NULL;
                        for (p = peer_l; p != NULL; p = p->next)
                                if (!strcmp(p->conf.group, $2)) {
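Review bot: The new `AS as4number` alternative accepts any AS without checking that a configured neighbor uses it, unlike the address and group alternatives around it, which walk peer_l and YYERROR when nothing matches, so a mistyped AS yields a rule that silently never matches. If the intent is to also match peers cloned from templates later, a hard error would be wrong, but a warning, or at least a comment saying the peer_l lookup is deliberately skipped, would help. For consistency with the sibling alternatives the new block should also set `$$->next = NULL;` explicitly, even though calloc already zeroes it. The matching code relies on remote_as == 0 meaning "any", which is safe only as long as as4number rejects AS 0 (I believe it does, please confirm); a one-line comment on the field in bgpd.h, `u_int32_t remote_as; /* 0 == any, AS 0 is reserved */`, would record that.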
index 685d87a..b7feb3b 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: printconf.c,v 1.93 2013/11/13 09:14:48 florian Exp $  */
+/*     $OpenBSD: printconf.c,v 1.94 2015/04/25 15:28:18 phessler Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -542,6 +542,8 @@ print_rule(struct peer *peer_l, struct filter_rule *r)
                        printf("group ? ");
                else
                        printf("group \"%s\" ", p->conf.group);
+       } else if (r->peer.remote_as) {
+               printf("AS %s ", log_as(r->peer.remote_as));
        } else
                printf("any ");
 
index c75e61f..b82651a 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: rde_filter.c,v 1.72 2015/03/14 03:52:42 claudio Exp $ */
+/*     $OpenBSD: rde_filter.c,v 1.73 2015/04/25 15:28:18 phessler Exp $ */
 
 /*
  * Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -57,6 +57,9 @@ rde_filter(struct filter_head *rules, struct rde_aspath **new,
                if (f->peer.peerid != 0 &&
                    f->peer.peerid != peer->conf.id)
                        continue;
+               if (f->peer.remote_as != 0 &&
+                   f->peer.remote_as != peer->conf.remote_as)
+                       continue;
                if (rde_filter_match(f, asp, prefix, prefixlen, peer, from)) {
                        if (asp != NULL && new != NULL) {
                                /* asp may get modified so create a copy */
@@ -419,6 +422,12 @@ rde_filter_equal(struct filter_head *a, struct filter_head *b,
                        continue;
                }
 
+               if (peer != NULL && fa != NULL && fa->peer.remote_as != 0 &&
+                   fa->peer.remote_as != peer->conf.remote_as) {
+                       fa = TAILQ_NEXT(fa, entry);
+                       continue;
+               }
+
                /* compare the two rules */
                if ((fa == NULL && fb != NULL) || (fa != NULL && fb == NULL))
                        /* new rule added or removed */