[FROG] Route-map lets through unwanted routes

jimc jimc at jfcarter.net
Thu Mar 4 00:40:55 UTC 2021


@Frank Kardel, thanks very much for the hint that "distribute-list"
and "redistribute" are sub-commands of "router $protocol".  I would
never have figured that out on my own; I completely missed traces of
that relation when trying to understand the code for the Quagga parser.
Now rip[ng]d are emitting packets.

However, those packets advertise all routes on the host, including the
default route, the next-hop's link local address, and the prefix route
for the uplink, whereas I'm trying to advertise just the route to a VM
on this host, which others need to connect to.  Here's output from
tcpdump -v with lines refolded; * indicates the wanted route:

```
21:28:46.097311 IP (tos 0xc0, ttl 1, id 12993, offset 0, flags [DF],
proto UDP (17), length 112)
     xenaeth.cft.ca.us.router > rip2-routers.mcast.net.router:
     RIPv2, Response, length: 84, routes: 4 or less
       Auth header: Packet Len 64, Key-ID 1, Auth Data Len 20,
       SeqNo 1614490126, MBZ 0, MBZ 0
       AFI IPv4, 0.0.0.0/0, tag 0x0, metric: 1, next-hop: 192.9.200.193
       AFI IPv4, 192.9.200.176/29, tag 0x0000, metric: 1, next-hop: self 
*
       Auth trailer:
       0x0000:  f848 b3d5 929a 8a0f ccfa cd6f 4e8b fe4b
21:28:46.296453 IP6 (class 0xc0, flowlabel 0x58655, hlim 255, 
next-header
UDP (17) payload length: 92)
     fe80::d237:45ff:febe:5a05.ripng > ff02::9.ripng: ripng-resp 4:
         2600:3c01:e000:306::/112 (1)    [uplink prefix]
         2600:3c01:e000:306::7:0/112 (1) [hosted VM] *
         fe80::5054:ff:fe09:c8c1/0 (255) [link local addr of default 
nexthop]
         ::/0 (1)                        [default route]
```

Here's the current conf file.  This time I've removed most comments, and
I split it with separate sections for ripd and ripngd.

```
password redacted#1
enable password redacted#2
log file /var/log/frr/frr.log

ip prefix-list xenanet4 permit 192.9.200.176/29 ge 29
ip prefix-list xenanet4 deny any
route-map cnmap4 permit 1
# route-map cnmap4 deny 2 -- Making this explicit didn't help.
match ip address prefix-list xenanet4

router rip
version 2
network 192.9.200.192/26
distribute-list xenanet4 in
distribute-list xenanet4 out
redistribute kernel
redistribute static
redistribute connected

ip protocol rip route-map cnmap4

ipv6 prefix-list xenanet6 permit 2600:3c01:e000:306::7:0/112 ge 112
ipv6 prefix-list xenanet6 deny any
route-map cnmap6 permit 1
match ipv6 address prefix-list xenanet6
route-map cnmap deny 6

# Duplicating the distribute-list and redistribute subcommands for ripng
router ripng
network 2600:3c01:e000:306::/112
distribute-list xenanet6 in
distribute-list xenanet6 out
redistribute kernel
redistribute static
redistribute connected

ip protocol ripng route-map cnmap6

# Turn on authentication (RIP v2 only and not for RIPng).
key chain CouchNet
key 1
key-string 4mGwyf$NWla
interface en0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface br0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface rad0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun1
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun9
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
```

Does anyone have any idea why the various filtering lists are not
restricting the routes being sent out?

-- 
James F. Carter   Email: jimc at jfcarter.net
Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
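An added example (editor's illustration, not code from the post or from FRR): a small Python model of prefix-list matching, run over the prefixes seen in the tcpdump output above, to confirm which of the advertised routes the two prefix-lists in the config are meant to permit. It implements the standard ge/le semantics (a route must lie inside the entry's prefix and have a length in the ge..le range; without ge/le only an exact-length match counts), first-match evaluation and the implicit deny at the end of a list. The advertised prefixes are transcribed by hand from the packets in the post. The model only evaluates prefix-lists; it does not model where in the RIP/RIPng pipeline FRR applies distribute-lists or route-maps, so it can say which routes should have been dropped, not why they were not (note, for instance, that the config line `route-map cnmap deny 6` names a map called cnmap, not cnmap6). Comparing the list of expected advertisements against what tcpdump shows is a useful way to spot a route leak on any RIP-speaking host.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Prefix-list lines copied from the config in the post above.
PREFIX_LIST_CONFIG = """
ip prefix-list xenanet4 permit 192.9.200.176/29 ge 29
ip prefix-list xenanet4 deny any
ipv6 prefix-list xenanet6 permit 2600:3c01:e000:306::7:0/112 ge 112
ipv6 prefix-list xenanet6 deny any
"""

# Prefixes transcribed from the tcpdump output in the post (constructed list).
# The fe80::.../0 entry is kept verbatim; the model normalises it to ::/0 for
# matching but reports the original text.
ADVERTISED = {
    "xenanet4": ["0.0.0.0/0", "192.9.200.176/29"],
    "xenanet6": [
        "2600:3c01:e000:306::/112",
        "2600:3c01:e000:306::7:0/112",
        "fe80::5054:ff:fe09:c8c1/0",
        "::/0",
    ],
}


@dataclass
class PrefixListEntry:
    action: str                 # "permit" or "deny"
    prefix: object              # ipaddress network object, or None for "any"
    ge: int | None = None
    le: int | None = None

    def matches(self, route) -> bool:
        """Standard prefix-list semantics: the route must lie inside the
        entry's prefix and its length must satisfy ge/le. Without ge/le
        only an exact-length match counts."""
        if self.prefix is None:                      # "any"
            return True
        if route.version != self.prefix.version:
            return False
        if not route.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else route.max_prefixlen
        return lo <= route.prefixlen <= hi


def parse_prefix_lists(config_text: str) -> dict[str, list[PrefixListEntry]]:
    """Collect 'ip|ipv6 prefix-list NAME [seq N] permit|deny PREFIX|any [ge X] [le Y]'
    lines into per-list entry sequences, preserving their order."""
    lists: dict[str, list[PrefixListEntry]] = {}
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] not in ("ip", "ipv6") or tok[1] != "prefix-list":
            continue
        name = tok[2]
        i = 3
        if tok[i] == "seq":                          # optional sequence number
            i += 2
        action, rest = tok[i], tok[i + 1:]
        if rest[0] == "any":
            entry = PrefixListEntry(action, None)
        else:
            entry = PrefixListEntry(action, ipaddress.ip_network(rest[0], strict=False))
        rest = rest[1:]
        while len(rest) >= 2:                        # trailing "ge N" / "le N" pairs
            kw, val = rest[0], int(rest[1])
            if kw == "ge":
                entry.ge = val
            elif kw == "le":
                entry.le = val
            rest = rest[2:]
        lists.setdefault(name, []).append(entry)
    return lists


def permitted(entries: list[PrefixListEntry], route_text: str) -> bool:
    """First matching entry decides; no match means implicit deny."""
    route = ipaddress.ip_network(route_text, strict=False)
    for e in entries:
        if e.matches(route):
            return e.action == "permit"
    return False


def leaked(config_text: str, list_name: str, advertised: list[str]) -> list[str]:
    """Prefixes that were advertised although the named list denies them."""
    entries = parse_prefix_lists(config_text)[list_name]
    return [p for p in advertised if not permitted(entries, p)]


if __name__ == "__main__":
    for name, routes in ADVERTISED.items():
        print(f"{name}: advertised but denied by the list = {leaked(PREFIX_LIST_CONFIG, name, routes)}")
```

Run as-is, the script reports the default route as the only unwanted IPv4 advertisement, and the uplink prefix, the link-local /0 and ::/0 as the unwanted IPv6 ones, which is exactly the set the post marks as not wanted; only the starred routes pass. The same `leaked()` check can be pointed at a live capture to alert when a RIP speaker starts announcing more than its policy allows.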
