[FROG] Route-map lets through unwanted routes
jimc
jimc at jfcarter.net
Thu Mar 4 00:40:55 UTC 2021
@Frank Kardel, thanks very much for the hint that "distribute-list"
and "redistribute" are sub-commands of "router $protocol". I would
never have figured that out on my own; I completely missed traces of
that relation when trying to understand the code for the Quagga parser.
Now rip[ng]d are emitting packets.
However, those packets advertise all routes on the host, including the
default route, the next-hop's link local address, and the prefix route
for the uplink, whereas I'm trying to advertise just the route to a VM
on this host, which others need to connect to. Here's output from
tcpdump -v with lines refolded; * indicates the wanted route:
```
21:28:46.097311 IP (tos 0xc0, ttl 1, id 12993, offset 0, flags [DF],
proto UDP (17), length 112)
xenaeth.cft.ca.us.router > rip2-routers.mcast.net.router:
RIPv2, Response, length: 84, routes: 4 or less
Auth header: Packet Len 64, Key-ID 1, Auth Data Len 20,
SeqNo 1614490126, MBZ 0, MBZ 0
AFI IPv4, 0.0.0.0/0, tag 0x0, metric: 1, next-hop: 192.9.200.193
AFI IPv4, 192.9.200.176/29, tag 0x0000, metric: 1, next-hop: self
*
Auth trailer:
0x0000: f848 b3d5 929a 8a0f ccfa cd6f 4e8b fe4b
21:28:46.296453 IP6 (class 0xc0, flowlabel 0x58655, hlim 255,
next-header
UDP (17) payload length: 92)
fe80::d237:45ff:febe:5a05.ripng > ff02::9.ripng: ripng-resp 4:
2600:3c01:e000:306::/112 (1) [uplink prefix]
2600:3c01:e000:306::7:0/112 (1) [hosted VM] *
fe80::5054:ff:fe09:c8c1/0 (255) [link local addr of default
nexthop]
::/0 (1) [default route]
```
Here's the current conf file. This time I've removed most comments, and
I split it with separate sections for ripd and ripngd.
```
password redacted#1
enable password redacted#2
log file /var/log/frr/frr.log
ip prefix-list xenanet4 permit 192.9.200.176/29 ge 29
ip prefix-list xenanet4 deny any
route-map cnmap4 permit 1
# route-map cnmap4 deny 2 -- Making this explicit didn't help.
match ip address prefix-list xenanet4
router rip
version 2
network 192.9.200.192/26
distribute-list xenanet4 in
distribute-list xenanet4 out
redistribute kernel
redistribute static
redistribute connected
ip protocol rip route-map cnmap4
ipv6 prefix-list xenanet6 permit 2600:3c01:e000:306::7:0/112 ge 112
ipv6 prefix-list xenanet6 deny any
route-map cnmap6 permit 1
match ipv6 address prefix-list xenanet6
route-map cnmap deny 6
# Duplicating the distribute-list and redistribute subcommands for ripng
router ripng
network 2600:3c01:e000:306::/112
distribute-list xenanet6 in
distribute-list xenanet6 out
redistribute kernel
redistribute static
redistribute connected
ip protocol ripng route-map cnmap6
# Turn on authentication (RIP v2 only and not for RIPng).
key chain CouchNet
key 1
key-string 4mGwyf$NWla
interface en0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface br0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface rad0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun1
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun9
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
```
Does anyone have any idea why the various filtering lists are not
restricting the routes being sent out?
--
James F. Carter Email: jimc at jfcarter.net
Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
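Added example, not from the post or from FRR itself: a small Python model of FRR-style prefix-list matching (sequence order, first match wins, implicit deny, `ge` with no `le` bounding at the address family's maximum length) run over the xenanet4/xenanet6 lists from the posted frr.conf and the routes seen in the tcpdump capture above. It shows what the lists are meant to let through, which is a quick way to confirm that the filter definitions themselves, rather than their placement, are correct.

```python
"""Evaluate FRR-style ip/ipv6 prefix-lists against advertised routes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One `ip[v6] prefix-list NAME permit|deny PREFIX [ge N] [le M]` line."""
    action: str                 # "permit" or "deny"
    prefix: Optional[str]       # None models the keyword "any"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route) -> bool:
        if self.prefix is None:                      # "any" matches everything
            return True
        net = ipaddress.ip_network(self.prefix)
        if net.version != route.version or not route.subnet_of(net):
            return False
        # Without ge/le the route length must equal the entry length; with
        # ge but no le the upper bound is the family maximum (32 or 128).
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = net.max_prefixlen if self.ge is not None else net.prefixlen
        return lo <= route.prefixlen <= hi


def evaluate(plist: List[PrefixListEntry], route_str: str) -> str:
    """Action of the first matching entry; an empty match means deny."""
    # strict=False: tcpdump printed fe80::.../0, whose host bits would
    # otherwise be rejected by ip_network(); it normalises to ::/0.
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in plist:
        if entry.matches(route):
            return entry.action
    return "deny"


def expected_advertisements(plist, routes):
    """Routes the prefix-list would permit, in the order given."""
    return [r for r in routes if evaluate(plist, r) == "permit"]


# Prefix-lists from the posted frr.conf
XENANET4 = [PrefixListEntry("permit", "192.9.200.176/29", ge=29),
            PrefixListEntry("deny", None)]
XENANET6 = [PrefixListEntry("permit", "2600:3c01:e000:306::7:0/112", ge=112),
            PrefixListEntry("deny", None)]

# Routes observed in the tcpdump capture in the post
ADVERTISED_V4 = ["0.0.0.0/0", "192.9.200.176/29"]
ADVERTISED_V6 = ["2600:3c01:e000:306::/112", "2600:3c01:e000:306::7:0/112",
                 "fe80::5054:ff:fe09:c8c1/0", "::/0"]
```

Running `expected_advertisements(XENANET4, ADVERTISED_V4)` and the v6 equivalent yields only the two starred routes, so the lists as written do express the intended filter.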