StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 8:57 pm

Hi Mikrotik folks,

With great joy I saw that ROS v7.6 brought back displaying route advertisements - awesome!

This way I could see what is, from my point of view, unexpected behavior of a route filter.
According to the documentation of (BGP) route filters

Prefix Operators
IN - Return true if the prefix is the subnet of the provided network. If an operator is used to match prefixes from the address list (e.g "dst in list_name"), then it will match only the exact prefix.

I am using the following rule:
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in ipv4-subnets-own-remote) {set bgp-path-prepend 2;accept}"

And I have the following entry in the list "ipv4-subnets-own-remote":
list=ipv4-subnets-own-remote address=123.87.184.0/24

In my understanding, according to the documentation, the rule should only accept exactly "123.87.184.0/24".
Not 123.87.184.0/25, not 123.87.184.123/32 or anything else, only the exact prefix match.

Looking at the advertisements, I see
peer=ipv4-ebgp-provider-1 dst=123.87.184.16 nexthop=99.115.135.123 origin=2

When I disable the rule above, the IP is not advertised - so I can be sure it's this rule which is accepting.

Is my understanding of the documentation wrong
(If an operator is used to match prefixes from the address list (e.g "dst in list_name"), then it will match only the exact prefix)
or is there a difference between the implementation and the documentation?

Do you have any other hint on how I can make sure only the exact prefix of the address is accepted?

Thanks and best regards,
Stephan
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:25 pm

Logic point of view:
3 in 0-10 = true
4 in 0-5 = true
5 in 0-4 = false
24 in 24 = true

It is the same for IPs; to match exactly 123.87.184.0/24:
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in 123.87.184.0/24 && dst-len in 24) {set bgp-path-prepend 2;accept}"

# OR

chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 123.87.184.0/24) {set bgp-path-prepend 2;accept}"

But as written in the help guide, it is possible to use an address-list with an operator ("in", "==" and "!="), but really it can be used only with "in".
But it works "exactly" if "in" is used; it does not check that the "dst-len" is also exact.
In this case it is like multiple rules are present:
/ip firewall address-list add list=test_list address=123.87.184.0/24
/ip firewall address-list add list=test_list address=132.74.14.0/22
/ip firewall address-list add list=test_list address=6.0.0.0/8
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in test_list) {set bgp-path-prepend 2;accept}"

# OR

chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in 123.87.184.0/24) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in 132.74.14.0/22) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in 6.0.0.0/8) {set bgp-path-prepend 2;accept}"
 
StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:45 pm

Hi rextended,

thanks for your fast reply.

Indeed, your example will match the first part of the documentation:
IN - Return true if the prefix is the subnet of the provided network
3 in 0-10 = true
4 in 0-5 = true
5 in 0-4 = false
24 in 24 = true


But in my understanding it will not match the second part of the documentation:
If an operator is used to match prefixes from the address list (e.g "dst in list_name"), then it will match only the exact prefix

Many thanks for your edited example config checking on address lists with "==", I didn't notice that option so far and will try that.

Thanks,
Stephan
Last edited by StepBee on Wed Oct 19, 2022 9:48 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:47 pm

Please read the previous post again; I added a 2nd part as an example at the time you wrote your reply.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:51 pm

I hope I have helped; this is the first time today I can help on BGPv7 because only from today do I use it in production...
 
StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:52 pm

I just checked, but "==" cannot be used on address lists.

/routing/filter/rule/set numbers=2 rule="if (afi ipv4 && dst == ipv4-subnets-own-remote) {set bgp-path-prepend 2;accept}"
failure: "Word {dst} == Word {ipv4-subnets-own-remote} " - invalid argument

The documentation i am referring to is
https://help.mikrotik.com/docs/display/ ... nd+Filters
Last edited by StepBee on Wed Oct 19, 2022 9:56 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 9:55 pm

True, it is not written well...

It must not say "If an operator is used" but something like «If the "in" operator is used»;
this way it does not cause misunderstandings.

I have updated the 2nd example again for consistency
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 10:45 pm

I just checked, but "==" cannot be used on address lists.
[…]
The documentation i am referring to is
https://help.mikrotik.com/docs/display/ ... nd+Filters
Sorry, but I must CONFIRM that the guide is wrong; I have updated all my previous posts in this thread to keep consistency on this.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: BGP route filter "dst in address_list" exact prefix match question

Wed Oct 19, 2022 10:52 pm

To check the "dst-len" as well, something like this must be done:
/ip firewall address-list add list=test_list_24 address=135.71.184.0/24
/ip firewall address-list add list=test_list_24 address=122.99.22.0/24
/ip firewall address-list add list=test_list_22 address=87.86.85.0/22
/ip firewall address-list add list=test_list_22 address=92.74.15.0/22
/ip firewall address-list add list=test_list_8 address=6.0.0.0/8
/ip firewall address-list add list=test_list_8 address=7.0.0.0/8

chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in test_list_24 && dst-len in 24) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in test_list_22 && dst-len in 22) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst in test_list_8 && dst-len in 8) {set bgp-path-prepend 2;accept}"

# and the 3 rules are the equivalent of

chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 135.71.184.0/24 && dst-len in 24) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 122.99.22.0/24 && dst-len in 24) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 87.86.85.0/22 && dst-len in 22) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 92.74.15.0/22 && dst-len in 22) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 6.0.0.0/8 && dst-len in 8) {set bgp-path-prepend 2;accept}"
chain=ipv4-ebgp-provider-out rule="if (afi ipv4 && dst == 7.0.0.0/8 && dst-len in 8) {set bgp-path-prepend 2;accept}"

But if you have only /24s inside your "test_list", only one line is sufficient.
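The behaviour discussed in this thread can be checked offline before touching a router. The following is an added example, not RouterOS code and not taken from any post above: it models "dst in <address-list>" as observed on v7 (the listed prefix and every more-specific prefix inside it match), models the per-prefix-length workaround from the post above, generalises the three hand-built lists by grouping any list by prefix length, and renders the resulting address-list entries and rules. It assumes Python 3.7+ for `ipaddress.subnet_of` and the v7 `/routing/filter/rule add chain=... rule="..."` command form; the address lists and test prefixes are constructed for the demonstration.

```python
"""Added example, not RouterOS code: a small model of the "dst in <address-list>"
behaviour reported in this thread (a more-specific prefix matches) and of the
per-prefix-length workaround, built on the standard ipaddress module.
All address lists and test prefixes below are constructed for the demonstration."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed list: the same six entries rextended put into test_list_24/22/8.
# strict=False lets ipaddress accept entries whose host bits are set
# (87.86.85.0/22 is stored as its network address 87.86.84.0/22).
TEST_LIST = ["135.71.184.0/24", "122.99.22.0/24", "87.86.85.0/22",
             "92.74.15.0/22", "6.0.0.0/8", "7.0.0.0/8"]


def _nets(address_list):
    return [ip_network(p, strict=False) for p in address_list]


def dst_in_list(dst, address_list):
    """'dst in <list>' as observed on v7: true for the listed prefix itself and
    for any more-specific prefix inside it (123.87.184.16/32 in 123.87.184.0/24).
    Mixed address families never match."""
    dst = ip_network(dst, strict=False)
    return any(n.version == dst.version and dst.subnet_of(n) for n in _nets(address_list))


def split_by_prefix_length(address_list):
    """Group one list into per-length lists (test_list_24, test_list_22, ...),
    generalising the three hand-built lists from the post above."""
    buckets = defaultdict(list)
    for n in _nets(address_list):
        buckets[n.prefixlen].append(n)
    return dict(buckets)


def workaround_rule(dst, address_list):
    """'dst in test_list_N && dst-len in N', evaluated for every length N present.
    Same prefix length plus 'subnet of' can only be satisfied by the identical
    prefix, so this is the exact match the documentation promises."""
    dst = ip_network(dst, strict=False)
    for plen, nets in split_by_prefix_length(address_list).items():
        if dst.prefixlen == plen and any(n.version == dst.version and dst.subnet_of(n) for n in nets):
            return True
    return False


def render_rules(address_list, chain="ipv4-ebgp-provider-out", list_base="test_list"):
    """Emit the address-list entries and one filter rule per prefix length
    (chain and list_base names are constructed defaults)."""
    lines = []
    for plen, nets in sorted(split_by_prefix_length(address_list).items()):
        name = f"{list_base}_{plen}"
        for n in nets:
            lines.append(f"/ip firewall address-list add list={name} address={n}")
        lines.append(
            f'/routing/filter/rule add chain={chain} rule="if (afi ipv4 && dst in {name} '
            f'&& dst-len in {plen}) {{set bgp-path-prepend 2;accept}}"')
    return lines


if __name__ == "__main__":
    # The original report: a /32 inside the listed /24 leaks through the plain rule.
    print("plain rule  /32:", dst_in_list("123.87.184.16/32", ["123.87.184.0/24"]))
    print("workaround  /32:", workaround_rule("123.87.184.16/32", ["123.87.184.0/24"]))
    print("workaround  /24:", workaround_rule("123.87.184.0/24", ["123.87.184.0/24"]))
    print("\n".join(render_rules(TEST_LIST)))
```

Running it shows the plain rule accepting 123.87.184.16/32 while the length-constrained rule accepts only 123.87.184.0/24 itself, and prints the nine lines (six list entries, three rules) for the constructed list. Note that ipaddress normalises entries with host bits set, so compare the rendered addresses with what is actually configured on the router.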
 
StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Thu Oct 20, 2022 1:23 pm

Hi rextended,

thanks for the idea to build separate address lists, depending on the subnet size.
This could indeed be a workaround, depending on how many different subnet sizes we have to maintain.

Thanks,
Stephan
 
troy
Member
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Fri Oct 21, 2022 10:58 pm

This is one of the dumber things MT did with ROS7. 192.168.234.0/24 is *IN* 192.168.232/21 and should therefore match perfectly.

Would also be useful for BOGON filtering. If you're using 172.28.0.0/16 for your internal management network, it's *IN* 172.16.0.0/12 and should match just like it would in a firewall rule.

IMO, route filters are broken in ROS7 anyway. I can break BGP quite easily and even managed to crash 7.5 CHR by simply adding/moving filter rules.
 
StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Sun Oct 23, 2022 9:52 pm

Hi troy,

I am not sure if I misunderstand your answer or you misunderstood my finding and question.

The IN operator actually works on address lists as you describe.
But for me the documentation is writing that the IN operator is only matching on exact matches (and not on smaller subnets of the subnet listed in the address list), which is not the case.

I am looking for a way to write a rule to only match on exact match and not on smaller subnets.

Thanks,
Stephan
 
StepBee
just joined
Topic Author
Posts: 10
Joined: Wed Oct 19, 2022 8:44 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Thu Dec 01, 2022 2:46 pm

For everyone facing the same issue, i did further testing and Mikrotik support just confirmed:
The exact match is actually working, but has a bug to match on /32 subnets as well.

No other subnet sizes are affected.
 
FezzFest
Frequent Visitor
Posts: 86
Joined: Wed Jun 03, 2015 12:03 am

Re: BGP route filter "dst in address_list" exact prefix match question

Fri Nov 03, 2023 2:21 am

This issue still exists in RouterOS v7.12rc4. Matching the exact prefixes defined in an address list using "if (dst in address-list) {accept}" does not work properly and will accept every single /32 in the specified prefixes as well.
 
nellicus
just joined
Posts: 4
Joined: Sat Nov 18, 2023 1:03 pm

Re: BGP route filter "dst in address_list" exact prefix match question

Sun Nov 19, 2023 1:28 am

I would also like to get a resolution or final clarification on whether this behavior will remain as is, or if the operator will be modified. I am currently using this bug/feature to my advantage for BGP filtering to allow in from customers the proper prefix with strict matching of what is set in the customer prefix list. By a stroke of luck, if a /32 or /128 is advertised from the customer it passes through the initial filter rule in the customer chain and is captured by a blackhole rule.

In AS0000_CID_IPV6_PL
192.168.0.0/22

In Customer Chain
if ( dst in AS0000_CID_IPV6_PL ) { jump ALL_CUSTOMER_IPV6_IN; } else { reject; }

In ALL_CUSTOMER_IPV6_IN
if (  bgp-large-communities equal 0000:666:666 && ( dst-len == 32 || dst-len == 128 ) ) { set blackhole yes; return; } else { return; }

Curious if anyone has suggestions on a better way to accomplish this?
 
twofatmonkeys
just joined
Posts: 1
Joined: Tue Jan 16, 2024 11:21 am

Re: BGP route filter "dst in address_list" exact prefix match question

Sun Feb 11, 2024 12:31 am

This behavior is very non-intuitive and makes filter automation much more difficult.

IMO, when using lists, the following should occur:
address-list add list=test_list address=192.168.1.0/24
address-list add list=test_list address=10.0.0.0/8

#accept 192.168.1.0/24, 192.168.1.128/29, 10.1.2.0/24
#deny 1.1.1.0/24
chain=test_bgp rule="if (afi ipv4 && dst in test_list) {set bgp-path-prepend 2;accept}"
chain=test_bgp rule="reject;"

#accept 192.168.1.0/24
#deny 1.1.1.0/24, 192.168.1.128/29, 10.1.2.0/24
chain=test_bgp rule="if (afi ipv4 && dst == test_list) {set bgp-path-prepend 2;accept}"
chain=test_bgp rule="reject;"

#accept 1.1.1.0/24, 192.168.1.128/29, 10.1.2.0/24
#deny 192.168.1.0/24
chain=test_bgp rule="if (afi ipv4 && dst != test_list) {set bgp-path-prepend 2;accept}"
chain=test_bgp rule="reject;"

Then also perhaps consider adding a new "not in" prefix operator, "!in":
address-list add list=test_list address=192.168.1.0/24
address-list add list=test_list address=10.0.0.0/8

#accept 1.1.1.0/24
#deny 192.168.1.0/24, 192.168.1.128/29, 10.1.2.0/24
chain=test_bgp rule="if (afi ipv4 && dst !in test_list) {set bgp-path-prepend 2;accept}"
chain=test_bgp rule="reject;"
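The accept/deny tables in the post above are precise enough to be turned into a reference model and checked. The following is an added example, not RouterOS code and not from the poster: it implements the four list operators with the semantics the post proposes ("in" as observed on v7, "==" exact entry only, "!=" anything but an exact entry, and the proposed "!in" meaning outside every listed prefix), plus a first-match evaluator for the two-rule chain (operator rule accepts, then an unconditional reject), and a `verify` helper that reports any prefix whose result disagrees with an expected table. The address list, the operator names and the chain evaluator are constructed for the demonstration; "!=" and "!in" on lists are the poster's proposal, not documented RouterOS behaviour.

```python
"""Added example, not RouterOS code: a reference model of the list operators
proposed in the post above ("in", "==", "!=" and a new "!in") with a minimal
first-match chain evaluator, so the proposal can be checked against the
accept/deny tables the poster wrote down. Everything here is constructed for
the demonstration."""
from ipaddress import ip_network

# Constructed address list, as in the post.
TEST_LIST = ["192.168.1.0/24", "10.0.0.0/8"]


def _nets(address_list):
    return [ip_network(p, strict=False) for p in address_list]


def _covered(dst, nets):
    """dst is a listed prefix or a more-specific inside one (mixed families never match)."""
    return any(n.version == dst.version and dst.subnet_of(n) for n in nets)


# Proposed operator table: each takes the candidate prefix and the list networks.
OPERATORS = {
    "in":  lambda dst, nets: _covered(dst, nets),        # listed prefix or any more-specific
    "==":  lambda dst, nets: dst in nets,                 # only an exact entry
    "!=":  lambda dst, nets: dst not in nets,             # anything but an exact entry
    "!in": lambda dst, nets: not _covered(dst, nets),     # outside every listed prefix
}


def match(operator, dst, address_list):
    """Evaluate one 'dst <operator> <list>' condition for a candidate prefix."""
    return OPERATORS[operator](ip_network(dst, strict=False), _nets(address_list))


def run_chain(operator, dst, address_list):
    """The two-rule chain from the post: the operator rule accepts, the next
    rule is an unconditional 'reject;'. The first matching rule decides."""
    rules = [(lambda d: match(operator, d, address_list), "accept"),
             (lambda d: True, "reject")]
    for condition, action in rules:
        if condition(dst):
            return action


def verify(operator, accept, deny, address_list=TEST_LIST):
    """Return the prefixes whose chain result disagrees with the expected table
    (empty list means the model reproduces the table)."""
    wrong = [p for p in accept if run_chain(operator, p, address_list) != "accept"]
    wrong += [p for p in deny if run_chain(operator, p, address_list) != "reject"]
    return wrong


if __name__ == "__main__":
    # The four tables from the post, checked against the model.
    tables = {
        "in":  (["192.168.1.0/24", "192.168.1.128/29", "10.1.2.0/24"], ["1.1.1.0/24"]),
        "==":  (["192.168.1.0/24"], ["1.1.1.0/24", "192.168.1.128/29", "10.1.2.0/24"]),
        "!=":  (["1.1.1.0/24", "192.168.1.128/29", "10.1.2.0/24"], ["192.168.1.0/24"]),
        "!in": (["1.1.1.0/24"], ["192.168.1.0/24", "192.168.1.128/29", "10.1.2.0/24"]),
    }
    for op, (acc, den) in tables.items():
        print(f"{op:>3}: mismatches = {verify(op, acc, den)}")
```

The same `verify` call is what you would run against a real router's decision (for example by reading the advertisement list after changing a rule) to confirm that "in" lets the more-specific 192.168.1.128/29 through while "==" does not, which is exactly the difference the thread is about.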
