From: phessler Date: Sat, 25 Apr 2015 15:28:18 +0000 (+0000) Subject: allow us to write rules that match directly on the peer AS X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=51e30acc2a3a1929305c69fef9ad77db4ba35117;p=openbsd allow us to write rules that match directly on the peer AS ... allow from AS 1 prefix 192.0.2.0/24 ... Also adjust the IRR ruleset output to include the declared peer AS, instead of hoping they listed their neighbor IP address! OK benno@ older version OK: claudio@ henning@ --- diff --git a/usr.sbin/bgpctl/irr_output.c b/usr.sbin/bgpctl/irr_output.c index 36e77ffb99d..3a14e9badac 100644 --- a/usr.sbin/bgpctl/irr_output.c +++ b/usr.sbin/bgpctl/irr_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: irr_output.c,v 1.16 2015/01/16 06:40:15 deraadt Exp $ */ +/* $OpenBSD: irr_output.c,v 1.17 2015/04/25 15:28:18 phessler Exp $ */ /* * Copyright (c) 2007 Henning Brauer @@ -30,6 +30,7 @@ #include #include +#include "bgpd.h" #include "irrfilter.h" int process_policies(FILE *, struct policy_head *); @@ -195,7 +196,7 @@ void print_rule(FILE *fh, struct policy_item *pi, char *sourceas, struct irr_prefix *prefix) { - char *peer = "any"; + char peer[PEER_DESCR_LEN]; char *action = ""; char *dir; char *srcas[2] = { "", "" }; @@ -208,7 +209,9 @@ print_rule(FILE *fh, struct policy_item *pi, char *sourceas, dir = "to"; if (pi->peer_addr) - peer = pi->peer_addr; + snprintf(peer, PEER_DESCR_LEN, "%s", pi->peer_addr); + else + snprintf(peer, PEER_DESCR_LEN, "AS %s", log_as(pi->peer_as)); if (pi->action) action = action_torule(pi->action); diff --git a/usr.sbin/bgpd/bgpd.conf.5 b/usr.sbin/bgpd/bgpd.conf.5 index ae43851824e..bb220ab7644 100644 --- a/usr.sbin/bgpd/bgpd.conf.5 +++ b/usr.sbin/bgpd/bgpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bgpd.conf.5,v 1.133 2015/02/28 21:51:57 bentley Exp $ +.\" $OpenBSD: bgpd.conf.5,v 1.134 2015/04/25 15:28:18 phessler Exp $ .\" .\" Copyright (c) 2004 Claudio Jeker .\" Copyright (c) 2003, 2004 Henning Brauer 
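Review bot: The fixed buffer introduced by `char peer[PEER_DESCR_LEN];` silently truncates a peer address that the old `char *peer = pi->peer_addr;` passed through untouched; if PEER_DESCR_LEN (defined in bgpd.h, not visible here) is shorter than a full textual IPv6 address, the emitted rule names the wrong neighbor with no diagnostic. Check the snprintf result, e.g. `if (snprintf(peer, sizeof peer, "%s", pi->peer_addr) >= (int)sizeof peer) errx(1, "peer address too long: %s", pi->peer_addr);`, and bound the AS branch with `sizeof peer` as well. The else branch also changes the fallback: where the old code printed `any`, it now prints `AS <peer_as>`, so a policy_item whose peer_as was never filled would yield an `AS 0` rule; worth confirming the IRR parser always sets it. print_rule continues outside the hunk.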
@@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 28 2015 $ +.Dd $Mdocdate: April 25 2015 $ .Dt BGPD.CONF 5 .Os .Sh NAME @@ -1147,6 +1147,8 @@ Any neighbor will be matched. Neighbors with this address will be matched. .It Ic group Ar descr Neighbors in this group will be matched. +.It Ic AS Ar as-number +Neighbors with this AS will be matched. .El .Pp Multiple diff --git a/usr.sbin/bgpd/bgpd.h b/usr.sbin/bgpd/bgpd.h index 48672e68102..e21cfa84ccf 100644 --- a/usr.sbin/bgpd/bgpd.h +++ b/usr.sbin/bgpd/bgpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bgpd.h,v 1.284 2015/03/14 03:52:42 claudio Exp $ */ +/* $OpenBSD: bgpd.h,v 1.285 2015/04/25 15:28:18 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -694,6 +694,7 @@ enum comp_ops { struct filter_peers { u_int32_t peerid; u_int32_t groupid; + u_int32_t remote_as; u_int16_t ribid; }; diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 971fcddd6ec..d50b5001822 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.278 2015/03/14 03:52:42 claudio Exp $ */ +/* $OpenBSD: parse.y,v 1.279 2015/04/25 15:28:18 phessler Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -1457,7 +1457,7 @@ filter_peer : ANY { if (($$ = calloc(1, sizeof(struct filter_peers_l))) == NULL) fatal(NULL); - $$->p.groupid = $$->p.peerid = 0; + $$->p.remote_as = $$->p.groupid = $$->p.peerid = 0; $$->next = NULL; for (p = peer_l; p != NULL; p = p->next) if (!memcmp(&p->conf.remote_addr, 
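Review bot: The new `remote_as` member of struct filter_peers relies on 0 meaning "any neighbor", exactly as `peerid` and `groupid` do, but nothing in the header records that convention; a reader of rde_filter.c has to infer it from the `!= 0` guards. Declare it as `u_int32_t remote_as; /* 0 = match any AS */` and consider the same note on the two existing fields. If filter rules are handed from the parent to the RDE over imsg, as the struct's placement suggests, the layout change requires both processes to be rebuilt together, which a normal build does.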
@@ -1471,13 +1471,20 @@ filter_peer : ANY { YYERROR; } } + | AS as4number { + if (($$ = calloc(1, sizeof(struct filter_peers_l))) == + NULL) + fatal(NULL); + $$->p.groupid = $$->p.peerid = 0; + $$->p.remote_as = $2; + } | GROUP STRING { struct peer *p; if (($$ = calloc(1, sizeof(struct filter_peers_l))) == NULL) fatal(NULL); - $$->p.peerid = 0; + $$->p.remote_as = $$->p.peerid = 0; $$->next = NULL; for (p = peer_l; p != NULL; p = p->next) if (!strcmp(p->conf.group, $2)) { diff --git a/usr.sbin/bgpd/printconf.c b/usr.sbin/bgpd/printconf.c index 685d87a9f0b..b7feb3bfed6 100644 --- a/usr.sbin/bgpd/printconf.c +++ b/usr.sbin/bgpd/printconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: printconf.c,v 1.93 2013/11/13 09:14:48 florian Exp $ */ +/* $OpenBSD: printconf.c,v 1.94 2015/04/25 15:28:18 phessler Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -542,6 +542,8 @@ print_rule(struct peer *peer_l, struct filter_rule *r) printf("group ? "); else printf("group \"%s\" ", p->conf.group); + } else if (r->peer.remote_as) { + printf("AS %s ", log_as(r->peer.remote_as)); } else printf("any "); diff --git a/usr.sbin/bgpd/rde_filter.c b/usr.sbin/bgpd/rde_filter.c index c75e61feae2..b82651a0438 100644 --- a/usr.sbin/bgpd/rde_filter.c +++ b/usr.sbin/bgpd/rde_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_filter.c,v 1.72 2015/03/14 03:52:42 claudio Exp $ */ +/* $OpenBSD: rde_filter.c,v 1.73 2015/04/25 15:28:18 phessler Exp $ */ /* * Copyright (c) 2004 Claudio Jeker @@ -57,6 +57,9 @@ rde_filter(struct filter_head *rules, struct rde_aspath **new, if (f->peer.peerid != 0 && f->peer.peerid != peer->conf.id) continue; + if (f->peer.remote_as != 0 && + f->peer.remote_as != peer->conf.remote_as) + continue; if (rde_filter_match(f, asp, prefix, prefixlen, peer, from)) { if (asp != NULL && new != NULL) { /* asp may get modified so create a copy */ 
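Review bot: The new `AS as4number` alternative accepts any AS without checking that a configured neighbor uses it, whereas the address and group alternatives walk peer_l and `YYERROR` when nothing matches; a typo in the AS number therefore produces a rule that silently matches nothing. If that is intentional, say so in a comment, otherwise mirror the existing loop over peer_l comparing `p->conf.remote_as`. Because 0 is the "any" sentinel in filter_peers, `AS 0` would silently become an `any` rule unless as4number already rejects 0, which is not visible here; `if ($2 == 0) { yyerror("AS 0 is reserved"); YYERROR; }` would make that explicit. The branch also omits the `$$->next = NULL;` the sibling branches set; harmless after calloc, but inconsistent.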
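Review bot: The new test in rde_filter compares against `peer->conf.remote_as`, the configured AS, not the AS the session actually negotiated. If bgpd permits a neighbor without a configured remote-as (leaving conf.remote_as at 0, which I cannot confirm from this hunk), an `AS N` rule, including a `deny from AS N`, would never apply to that session even when it announced N in its OPEN. If that configuration is impossible, a one-line comment `/* conf.remote_as is always set for an established peer */` above the check would spare the next reader the question; if it is possible, the match should use the session's AS instead.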
@@ -419,6 +422,12 @@ rde_filter_equal(struct filter_head *a, struct filter_head *b, continue; } + if (peer != NULL && fa != NULL && fa->peer.remote_as != 0 && + fa->peer.remote_as != peer->conf.remote_as) { + fa = TAILQ_NEXT(fa, entry); + continue; + } + /* compare the two rules */ if ((fa == NULL && fb != NULL) || (fa != NULL && fb == NULL)) /* new rule added or removed */
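Review bot: The remote_as skip added to rde_filter_equal is applied only to `fa`; the hunk's leading `continue; }` is the tail of the existing peerid/groupid skips, and if those are also performed for `fb` (that code lies outside the hunk), an AS-scoped rule for a different AS in the b set is never skipped, so the comparison reports the rule sets as different for every peer that rule does not apply to. The likely consequence is a spurious re-evaluation on reload rather than a wrong filter decision, but it defeats the purpose of the function. Mirror the new block for fb. rde_filter_equal starts and ends outside the hunk.
```c
		if (peer != NULL && fb != NULL && fb->peer.remote_as != 0 &&
		    fb->peer.remote_as != peer->conf.remote_as) {
			fb = TAILQ_NEXT(fb, entry);
			continue;
		}
		/* … unchanged: compare the two rules … */
```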