OSPF 'accept all' filter

checkwire · January 6, 2024, 12:18am

Hello - I know this has been asked, I’ve searched, experimented, but I’m struggling.
In Ros v7, I’d like to create an OSPF-OUT filter that does the following:

DENIES: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 from leaving the router.
ALLOWS: everything else on the router, and passes thru anything ‘learnt’ from adjacent routers onward.

Basically, I’m trying to achieve what I could easily do on v6. I’ve read the docs, looked thru the forums, but struggling with this a lot.
In a way, I see the default rule of ‘denying/dropping’ as almost ‘breaking’ OSPF. I’m not sure I am grasping the concept here.

Thank you!

checkwire · January 6, 2024, 8:30pm

I believe this has been resolved. The following (below) seems to work. Originally, I had the ‘accept’ rule at the top of the filter set, not the bottom. Placing it at the bottom seemed to resolve the trouble I experienced. I’ve placed this code into it’s own ‘routing filter rule’, and attached it to the chain OSPF-OUT.

if ( dst in 192.168.0.0/16 && dst-len>16 ) { reject }
if ( dst in 10.0.0.0/8 && dst-len>8 ) { reject }
if ( dst in 172.16.0.0/12 && dst-len>12 ) { reject }
if ( dst-len > 0 ) { accept}