bgp filter problem

maaathieu · April 6, 2022, 10:24am

Hi

Since ros v7.1, I have a problem with a bgp filter concerning the bogon list that I receive from team cymru.

My filter looks like this:

 1   chain=cymru-in rule="if ( bgp-communities includes 65332:888 ) { set blackhole yes; accept;} else { reject;}"

but the routes are not blackholed, for example:

 Fb   afi=ip4 contribution=filtered dst-address=23.135.225.0/24 routing-table=main gateway=38.229.6.20 immediate-gw=1.2.3.4%ether5_832 distance=20 scope=40 
       target-scope=30 belongs-to="BGP IP routes from 38.229.6.20" 
       bgp.peer-cache-id=*B000004 .as-path="65332" .communities=65332:888,no-export .atomic-aggregate=no .origin=igp 
       debug.fwp-ptr=0x20282360

If I append a ramdom community before this rule, like this:

 0   chain=cymru-in rule="append bgp-communities 1:1" 

 1   chain=cymru-in rule="if ( bgp-communities includes 65332:888 ) { set blackhole yes; accept;} else { reject;}"

then it works:

 Ab B afi=ip4 contribution=active dst-address=23.135.225.0/24 routing-table=main immediate-gw="" distance=20 scope=40 target-scope=30 
       belongs-to="BGP IP routes from 38.229.6.20" 
       bgp.peer-cache-id=*B000004 .as-path="65332" .communities=1:1,no-export,65332:888 .atomic-aggregate=no .origin=igp 
       debug.fwp-ptr=0x202823C0

Am I doing something wrong, or is this a bug ?

Thanks,

Mat

bigd35 · May 28, 2023, 11:23am

Hi

I see the same on my part. The route filters are not getting blackholed. Will hear what Mikrotik Support says

ZillnerIT · November 15, 2024, 11:47pm

is this fixed?
does Mikrotik Support answer?

oreggin · November 16, 2024, 6:02pm

As I see in your example, in the first case, the route was filtered but we don’t see the first element in your routing filter ruleset.
On RoS v7.16.1 we using routing filters mathing on BGP ext communities:

chain=BGP_RR_in4 rule="if (bgp-ext-communities any-list RTList_sulinet) {accept}"

Also we need to define /routing/filter/community-ext-list to works.

You might need something like this:

/routing/filter/community-list/add list=BGP_COM_List communities=65332:888  
/routing/filter/community-list/print
Flags: X - disabled
 0   list=BGP_COM_List communities=65332:888
 /routing/filter/rule/add chain=cymru-in rule="if (bgp-communities any-list BGP_COM_List) {set blackhole yes; accept}"