bgpd action pftable doesn't work as expected in -current


bgpd action pftable doesn't work as expected in -current

Gregory Edigarov-5
Hello, just noticed that.

in pf.conf:

table bgp-spamd-block persists


in bgpd.conf

spamdAS="65066"
AS 65077
fib-update no    # Mandatory, to not update the local routing table
#log updates

group "spamd-bgp" {
         remote-as $spamdAS
         multihop 64
         export none     # Do not send Route Server any information

         # us.bgp-spamd.net
         neighbor 64.142.121.62

         # eu.bgp-spamd.net
         neighbor 217.31.80.170

         # IPv6 eu.bgp-spamd.net
         # neighbor 2a00:15a8:0:100:0:d91f:50aa:1
}

match from group spamd-bgp community $spamdAS:666  set pftable
"bgp-spamd-block"

bgpd is running

some time later:

lbld12# bgpctl sh
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down
State/PrfRcvd
217.31.80.170           65066         78         20     0 00:08:53  38256
64.142.121.62           65066         76         20     0 00:08:53  38256

i.e. it receives the prefixes ok, but:

lbld12# pfctl -Tsh -t bgp-spamd-block | wc -l
        0

Re: bgpd action pftable doesn't work as expected in -current

Pierre Emeriaud
On Tue, 6 Nov 2018 at 14:56, Gregory Edigarov <[hidden email]> wrote:

>
> Hello, just noticed that.
>
> in pf.conf:
>
> table bgp-spamd-block persists
>
>
> in bgpd.conf
>
> spamdAS="65066"
> AS 65077
> fib-update no    # Mandatory, to not update the local routing table
> #log updates
>
> group "spamd-bgp" {
>          remote-as $spamdAS
>          multihop 64
>          export none     # Do not send Route Server any information
>
>          # us.bgp-spamd.net
>          neighbor 64.142.121.62
>
>          # eu.bgp-spamd.net
>          neighbor 217.31.80.170
>
>          # IPv6 eu.bgp-spamd.net
>          # neighbor 2a00:15a8:0:100:0:d91f:50aa:1
> }
>
> match from group spamd-bgp community $spamdAS:666  set pftable
> "bgp-spamd-block"
>
> bgpd is running
>
> some time later:
>
> lbld12# bgpctl sh
> Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down
> State/PrfRcvd
> 217.31.80.170           65066         78         20     0 00:08:53  38256
> 64.142.121.62           65066         76         20     0 00:08:53  38256
>
> i.e. it receives the prefixes ok, but:
>
> lbld12# pfctl -Tsh -t bgp-spamd-block | wc -l
>         0
What does 'bgpctl show nexthop' give? On this kind of setup you might
need 'nexthop qualify via default' for nexthops to be validated and
prefixes to be accepted in pf tables.

Re: bgpd action pftable doesn't work as expected in -current

Stuart Henderson
On 2018/11/06 15:54, Gregory Edigarov wrote:

> Hello, just noticed that.
>
> in pf.conf:
>
> table bgp-spamd-block persists
>
>
> in bgpd.conf
>
> spamdAS="65066"
> AS 65077
> fib-update no    # Mandatory, to not update the local routing table
> #log updates
>
> group "spamd-bgp" {
>         remote-as $spamdAS
>         multihop 64
>         export none     # Do not send Route Server any information
>
>         # us.bgp-spamd.net
>         neighbor 64.142.121.62
>
>         # eu.bgp-spamd.net
>         neighbor 217.31.80.170
>
>         # IPv6 eu.bgp-spamd.net
>         # neighbor 2a00:15a8:0:100:0:d91f:50aa:1
> }
>
> match from group spamd-bgp community $spamdAS:666  set pftable
> "bgp-spamd-block"
>
> bgpd is running
>
> some time later:
>
> lbld12# bgpctl sh
> Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down
> State/PrfRcvd
> 217.31.80.170           65066         78         20     0 00:08:53  38256
> 64.142.121.62           65066         76         20     0 00:08:53  38256
>
> i.e. it receives the prefixes ok, but:
>
> lbld12# pfctl -Tsh -t bgp-spamd-block | wc -l
>        0
>

You have no "pass" line. See http://www.openbsd.org/faq/upgrade64.html#ConfigChanges

I think you will also need "nexthop qualify via default".

Re: bgpd action pftable doesn't work as expected in -current

Jason McIntyre-2
On Tue, Nov 06, 2018 at 03:54:15PM +0200, Gregory Edigarov wrote:

> Hello, just noticed that.
>
> in pf.conf:
>
> table bgp-spamd-block persists
>
>
> in bgpd.conf
>
> spamdAS="65066"
> AS 65077
> fib-update no    # Mandatory, to not update the local routing table
> #log updates
>
> group "spamd-bgp" {
>         remote-as $spamdAS
>         multihop 64
>         export none     # Do not send Route Server any information
>
>         # us.bgp-spamd.net
>         neighbor 64.142.121.62
>
>         # eu.bgp-spamd.net
>         neighbor 217.31.80.170
>
>         # IPv6 eu.bgp-spamd.net
>         # neighbor 2a00:15a8:0:100:0:d91f:50aa:1
> }
>
> match from group spamd-bgp community $spamdAS:666  set pftable
> "bgp-spamd-block"
>
> bgpd is running
>
> some time later:
>
> lbld12# bgpctl sh
> Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down
> State/PrfRcvd
> 217.31.80.170           65066         78         20     0 00:08:53  38256
> 64.142.121.62           65066         76         20     0 00:08:53  38256
>
> i.e. it receives the prefixes ok, but:
>
> lbld12# pfctl -Tsh -t bgp-spamd-block | wc -l
>        0
>

hi.

during 6.3 - 6.4 there were some big changes in bgpd. you should
probably read through the upgrade notes for them. i suspect what's
causing you problems is that bgpd now denies to/from any by default. so
probably you need to allow the spamd group:

        allow from group spamd-bgp

i don't know if it's possible to do the match/allow bits with one rule
or not.

jmc

Re: bgpd action pftable doesn't work as expected in -current

Claudio Jeker-3
On Tue, Nov 06, 2018 at 03:54:15PM +0200, Gregory Edigarov wrote:

> Hello, just noticed that.
>
> in pf.conf:
>
> table bgp-spamd-block persists
>
>
> in bgpd.conf
>
> spamdAS="65066"
> AS 65077
> fib-update no    # Mandatory, to not update the local routing table
> #log updates
>
> group "spamd-bgp" {
>         remote-as $spamdAS
>         multihop 64
>         export none     # Do not send Route Server any information
>
>         # us.bgp-spamd.net
>         neighbor 64.142.121.62
>
>         # eu.bgp-spamd.net
>         neighbor 217.31.80.170
>
>         # IPv6 eu.bgp-spamd.net
>         # neighbor 2a00:15a8:0:100:0:d91f:50aa:1
> }
>
> match from group spamd-bgp community $spamdAS:666  set pftable
> "bgp-spamd-block"

By default bgpd denies everything so change the match to allow.
 
> bgpd is running
>
> some time later:
>
> lbld12# bgpctl sh
> Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down
> State/PrfRcvd
> 217.31.80.170           65066         78         20     0 00:08:53  38256
> 64.142.121.62           65066         76         20     0 00:08:53  38256

This just shows the counts for the unfiltered Adj-RIB-In, the prefixes may
still not be in the Loc-RIB where the pftable is attached to the prefix.
 
> i.e. it receives the prefixes ok, but:
>
> lbld12# pfctl -Tsh -t bgp-spamd-block | wc -l
>        0

--
:wq Claudio
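Putting the three replies together (Stuart's and Claudio's point that the default policy is now deny and that "match" only tags rather than accepts, and Pierre's and Stuart's point about nexthop validation for a multihop route-server session), here is what the corrected bgpd.conf looks like. This is an added example written for this thread, not a file posted by any of the participants; it assumes OpenBSD 6.4 bgpd.conf syntax and keeps the original poster's AS numbers, neighbor addresses and table name only as constructed sample values.

```conf
# bgpd.conf (added example, assumes OpenBSD 6.4 syntax)
spamdAS="65066"
AS 65077
fib-update no          # keep the spamd prefixes out of the kernel routing table

# Multihop sessions to a route server usually need this: the nexthops
# announced by the route server are only reachable via the default route,
# and a prefix whose nexthop is invalid never reaches the Loc-RIB, so it
# can never be put into a pf table.
nexthop qualify via default

group "spamd-bgp" {
        remote-as $spamdAS
        multihop 64
        export none                 # send the route server nothing

        neighbor 64.142.121.62      # us.bgp-spamd.net
        neighbor 217.31.80.170      # eu.bgp-spamd.net
}

# Since 6.4 bgpd denies everything by default. A "match" rule only sets
# attributes, it does not accept the prefix, so the prefix stays out of
# the Loc-RIB and the pftable action never fires. "allow" accepts the
# prefix and can carry the same "set" in one rule; anything without the
# spamd community is still dropped by the implicit deny.
allow from group spamd-bgp community $spamdAS:666 set pftable "bgp-spamd-block"
```

On the pf side the table must be declared as `table <bgp-spamd-block> persist` (with angle brackets and the keyword `persist`) and referenced by a rule, otherwise pfctl has nothing to populate. After `bgpctl reload`, `bgpctl show nexthop` should list the route server nexthops as valid, `bgpctl show rib` should now list the prefixes (the counters in `bgpctl show` only reflect the unfiltered Adj-RIB-In, as Claudio notes, so they are not evidence that filtering passed), and `pfctl -t bgp-spamd-block -T show | wc -l` should match the number of prefixes carrying the 65066:666 community.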