I tried to search this issue but found no useful information. I think that this is a bug in BGP filter.
This was tested on RouterOS v7.12
I have two router with BGP sesion:
The router A
The router B contains /32 prefixes using static blackhole route and address added to a interface. These are 100.120.2.1/32 (address), and two blackhole routes: 100.120.0.0/24 and 100.120.1.0/24
I have set in Router B, output network bgp2 which only includes /24 and /22 prefixes, not /32. The prefixes in bgp2 are 100.120.1.0/24 and 100.120.0.0/22
With this configuration, issuing /routing/bgp/advertisements/print will output:
[admin@prebo-t] > /routing/bgp/advertisements/print
0 peer=test-1 dst=100.120.2.1 afi=ip nexthop=100.127.93.81 origin=0
as-path=sequence 655300 peer=test-1 dst=100.120.1.0/24 afi=ip nexthop=100.127.93.81 origin=0
as-path=sequence 65530
AS you can see, It should not advertise 100.120.2.1 because it’s not in the address list “bgp2”. It should only list 100.120.1.0/24. Also it fails in output.filter-chain
The /27 prefix in the example, is to check if it will include other prefixes, which it’s not and It’s ok.
The router A receives the advertisement seen in router B
The workaround I found is to include at first of the output-filter:
if ( dst-len == 32 ) { reject }
In output filter, the command “if (dst in bgp2) { reject }” doesn’t work neither, it will include /32 prefixes.
Following is the code of Router B to reproduce the issue
/ip address
add address=100.127.93.81/30 interface=ether3 network=100.127.93.80
add address=100.120.2.1 interface=ether3 network=100.120.2.1
/ip firewall address-list
add address=100.120.1.0/24 list=bgp2
add address=100.120.0.0/22 list=bgp2
/ip route
add blackhole disabled=no dst-address=100.120.0.0/24 gateway="" routing-table=\
main suppress-hw-offload=no
add blackhole disabled=no dst-address=100.120.1.0/24 gateway="" routing-table=\
main suppress-hw-offload=no
add blackhole disabled=no distance=1 dst-address=100.120.3.32/27 gateway="" \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=\
10
/routing bgp connection
add as=65530 disabled=no local.address=100.127.93.81 .role=ebgp .ttl=10 \
multihop=yes name=test output.filter-chain=bgp-out .network=bgp2 \
remote.address=100.127.93.82/32 .as=27893 .ttl=10 routing-table=main \
templates=default
/routing filter rule
add chain=bgp-out disabled=no rule="if ( dst in bgp2 ) { accept; }\r\
\n"
At the Router A, the configuration is simple BGP peering without filter.