alex_rhys-hurn
Member
Topic Author
Posts: 348
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

[SOLVED] BGP Route Filters match-chain not working

Sat Jun 06, 2020 10:41 am

Hi Everyone,

I have just connected to an internet exchange point, and am building my routing filters. In order to make it manageable I want to use includes instead of jumps, so I am trying out the match-chain feature of routing filters, but I cannot make it work, why?
Here is what the filter looks like:

First I make a chain that discards the ASNs that I want to throw away:
16 ;;; Discard HE.net
     chain=DISCARD-UNWANTED-ASes bgp-as-path=6939 invert-match=no action=discard set-bgp-prepend-path="" 
17 ;;; Discard FON
     chain=DISCARD-UNWANTED-ASes bgp-as-path=37305 invert-match=no action=discard set-bgp-prepend-path="" 
Then I include that chain in the inbound chain for my BGP peer:
 2 ;;; Discard Unwanted ASes
     chain=ASTEROID-IN-v4 match-chain=DISCARD-UNWANTED-ASes protocol=bgp invert-match=no action=discard set-bgp-prepend-path=""
 3 ;;; Accept whatever is remaining
     chain=ASTEROID-IN-v4 protocol=bgp invert-match=no action=accept set-bgp-prepend-path=""
But that doesn't work, and all the prefixes included in the DISCARD-UNWANTED-ASes chain are let in.

If I modify the filter like this, it works and the prefixes are discarded, so I am sure of my syntax in the bgp-as-path field.
 1 ;;; Discard HE.net
     chain=ASTEROID-IN-v4 protocol=bgp bgp-as-path=6939 invert-match=no action=discard set-bgp-prepend-path=""
 2 ;;; Discard FON
     chain=ASTEROID-IN-v4 protocol=bgp bgp-as-path=37305 invert-match=no action=discard set-bgp-prepend-path=""
 3 ;;; Accept whatever is remaining
     chain=ASTEROID-IN-v4 protocol=bgp invert-match=no action=accept set-bgp-prepend-path=""
I have been sure to be aware of the route filters bugs by making sure that I click enable on each rule after modification to make sure that they are working.

Any help very much appreciated,

Alex
Last edited by alex_rhys-hurn on Wed Jun 10, 2020 4:33 pm, edited 1 time in total.
 
netzwerghh
Frequent Visitor
Posts: 74
Joined: Sun Aug 07, 2011 4:23 pm
Location: Hamburg, DE

Re: BGP Route Filters match-chain not working

Tue Jun 09, 2020 1:42 pm

Hi Alex,

I didn't try that style of filters on Mikrotik yet. But it's that way on Juniper and, as I read the syntax, it should be on Mikrotik too:

In your chain ASTEROID-IN-v4 you want to discard things that MATCH the chain DISCARD-UNWANTED-ASes.

So you probably should name that chain UNWANTED-ASes and do it this way:
;;; Discard HE.net
chain=UNWANTED-ASes bgp-as-path=6939 invert-match=no action=accept set-bgp-prepend-path="" 
;;; Discard FON
chain=UNWANTED-ASes bgp-as-path=37305 invert-match=no action=accept set-bgp-prepend-path="" 
chain=UNWANTED-ASes action=discard
 
chain=ASTEROID-IN-v4 match-chain=UNWANTED-ASes protocol=bgp invert-match=no action=discard set-bgp-prepend-path=""
chain=ASTEROID-IN-v4 protocol=bgp invert-match=no action=accept set-bgp-prepend-path=""
So this is not a real include like in jump/return. It's a match on what is accepted by another chain, and then you do stuff with it.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP Route Filters match-chain not working

Tue Jun 09, 2020 2:02 pm

@alex
It does not work that way. match-chain is the name of the chain which is used to evaluate the route. If the chain accepts the route, the 'match-chain' property produces a true match.
 
alex_rhys-hurn

Re: BGP Route Filters match-chain not working

Tue Jun 09, 2020 7:21 pm

> @alex
> It does not work that way. match-chain is the name of the chain which is used to evaluate the route. If the chain accepts the route, the 'match-chain' property produces a true match.

Hi,

Thanks so much for spotting my mistake. I don't follow you though, and can't see where I have gone wrong. You say "match-chain is the name of the chain which is used to evaluate the route" and this reads very much like the manual at the wiki @ https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters which is what I used to come up with my config. I guess I don't understand the manual.

Can you, perhaps, share an example of how it should be?

Many thanks,

Alex
 
mrz

Re: BGP Route Filters match-chain not working

Wed Jun 10, 2020 8:31 am

A chain returns true only if action=accept. If you set action=discard in the match chain, it will never return true. Discard in this case means discard the prefix from the match chain.

To translate your rules:
* chain ASTEROID-IN-v4 gets prefix with AS 6939
* rule nr.2 sends the prefix to be matched in DISCARD-UNWANTED-ASes
* rule nr.16 discards the prefix, meaning that the chain will return false
* rule nr.2: since DISCARD-UNWANTED-ASes returned false, match-chain=false and the action of that rule is not going to be applied
* prefix goes to next rule in the chain
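
The evaluation traced above, as a small Python model that runs the original rules and the restructured rules from the earlier reply over the same routes. This is an added example, not part of the thread and not RouterOS code. It assumes bgp-as-path can be modelled as "this ASN appears in the path" and that a chain with no matching rule gives no verdict; the sample AS paths are constructed.

```python
# Toy model of match-chain evaluation as described in this thread (not RouterOS code).

def run_chain(chains, name, as_path):
    """Return 'accept', 'discard', or None if no rule in the chain applied."""
    for rule in chains[name]:
        # Simplification: bgp-as-path is modelled as "ASN appears in the path".
        if "bgp_as_path" in rule and rule["bgp_as_path"] not in as_path:
            continue
        # match-chain is true only when the referenced chain ACCEPTS the route.
        if "match_chain" in rule and run_chain(chains, rule["match_chain"], as_path) != "accept":
            continue
        return rule["action"]
    return None  # assumption: falling off the end of a chain gives no verdict

# The original configuration: the helper chain discards, so it never returns true.
ORIGINAL = {
    "DISCARD-UNWANTED-ASes": [
        {"bgp_as_path": 6939, "action": "discard"},
        {"bgp_as_path": 37305, "action": "discard"},
    ],
    "ASTEROID-IN-v4": [
        {"match_chain": "DISCARD-UNWANTED-ASes", "action": "discard"},
        {"action": "accept"},
    ],
}

# The restructured configuration: the helper chain accepts what should be dropped.
CORRECTED = {
    "UNWANTED-ASes": [
        {"bgp_as_path": 6939, "action": "accept"},
        {"bgp_as_path": 37305, "action": "accept"},
        {"action": "discard"},
    ],
    "ASTEROID-IN-v4": [
        {"match_chain": "UNWANTED-ASes", "action": "discard"},
        {"action": "accept"},
    ],
}

# Constructed AS paths; 64500 and 64501 are documentation ASNs.
ROUTES = {"via HE.net": [64500, 6939], "via FON": [37305], "other": [64500, 64501]}

def verdicts(chains):
    """Final inbound verdict per sample route for the given rule set."""
    return {label: run_chain(chains, "ASTEROID-IN-v4", path) for label, path in ROUTES.items()}

if __name__ == "__main__":
    print("original :", verdicts(ORIGINAL))
    print("corrected:", verdicts(CORRECTED))
```

With the original rules both unwanted routes reach the final accept rule; with the restructured rules they are discarded and only the unrelated route is accepted.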
 
alex_rhys-hurn

[SOLVED] Re: BGP Route Filters match-chain not working

Wed Jun 10, 2020 4:23 pm

Dear Both,

Thank you for clarifying. My problems are now solved and my filters are working as I wanted.

All the best,

Alex
