If you set up a filter chain for OSPF out, anything that reaches the end of the chain without matching an accept rule is rejected by default, so only what you explicitly accept gets advertised.
So, for example, if I want 10.0.0.0/24 to go out, my filter would be:
if (dst==10.0.0.0/24) { accept; }
If instead I want to allow any subnet within the 10.0.0.0/8 range, I use "in" instead of "==": "in" matches every prefix contained in the range, where "==" matches only the one prefix exactly as written.
if (dst in 10.0.0.0/8) { accept; }
If you want to be "lazy" and allow everything except a specific subnet, you'd write filters like the following (the final bare "accept;" overrides the default reject for anything the first two rules did not catch):
if (dst==10.0.0.0/8) { reject; }
if (dst==192.168.0.0/16) { reject; }
accept;
Note that "==" matches only the exact prefix as written, so with the rules above a more-specific route such as 10.1.0.0/16 is not caught by the 10.0.0.0/8 reject and is still advertised. If you want every prefix inside those ranges rejected as well, use "in" instead of "==":
if (dst in 10.0.0.0/8) { reject; }
if (dst in 192.168.0.0/16) { reject; }
accept;
It's usually smarter, though, to do what the first examples do: let the chain reject everything by default and explicitly accept only the prefixes you want advertised. An allow-list fails closed if you forget a rule; a deny-list like the "lazy" one fails open.
From the CLI, these look like this:
# From a working example
/routing filter rule
# Allow CGNAT subnets to be advertised; dst-len restricts this to /24 and longer,
# so the 100.64.0.0/10 aggregate itself is not accepted
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Allow management IPs to be advertised (/16 through /32 inside 10.0.0.0/8)
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 16-32) { accept; }"
# Anything else the router has falls off the end of the chain and is rejected by default
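To see exactly which routes each of these chains lets through, here is an added example (not the post's code, and not RouterOS itself) that models the matcher semantics described above in Python: "dst==X" as an exact prefix match, "dst in X" as containment, "dst-len in A-B" as an inclusive length range, first-match-wins rule order, and reject when no rule matches. It runs the "lazy" deny-list in both its "==" and "in" forms and the ospf-out allow-list from the CLI example over a constructed sample routing table, and reports which routes the "==" version leaks. The route list is made up for the example; treating "dst in X" as matching X itself is an assumption of the model.

```python
"""Added example, not code from the original post or from RouterOS itself.

A small model of how RouterOS v7 routing-filter matchers behave as the post
describes them, used to show which routes each chain lets through:
  - dst==X          matches only a route whose prefix is exactly X
  - dst in X        matches any prefix contained in X (modelled here as
                    inclusive, so X itself matches too; an assumption)
  - dst-len in A-B  matches prefix lengths A..B inclusive
  - a chain that reaches its end without a match rejects the route
Rule order and first-match-wins are the same as in the CLI.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Matcher = Callable[[ipaddress.IPv4Network], bool]
Rule = Tuple[Matcher, str]          # (matcher, "accept" or "reject")


def dst_eq(prefix: str) -> Matcher:
    """dst==prefix: exact match on the prefix as written."""
    target = ipaddress.ip_network(prefix)
    return lambda dst: dst == target


def dst_in(prefix: str) -> Matcher:
    """dst in prefix: the route's prefix lies inside (or equals) prefix."""
    target = ipaddress.ip_network(prefix)
    return lambda dst: dst.subnet_of(target)


def dst_len_in(low: int, high: int) -> Matcher:
    """dst-len in low-high: prefix length within the inclusive range."""
    return lambda dst: low <= dst.prefixlen <= high


def all_of(*matchers: Matcher) -> Matcher:
    """Join matchers with &&, as in 'dst in X && dst-len in A-B'."""
    return lambda dst: all(m(dst) for m in matchers)


def any_route(dst: ipaddress.IPv4Network) -> bool:
    """A bare 'accept;' line: matches everything that reaches it."""
    return True


def run_chain(chain: List[Rule], prefix: str) -> str:
    """Walk the chain in order; first match wins, no match means reject."""
    dst = ipaddress.ip_network(prefix)
    for matcher, action in chain:
        if matcher(dst):
            return action
    return "reject"          # the implicit default the post relies on


def evaluate(chain: List[Rule], prefixes: List[str]) -> Dict[str, str]:
    """Map every prefix to the action the chain takes on it."""
    return {p: run_chain(chain, p) for p in prefixes}


# The "lazy" chain written with == (blocks only the two prefixes exactly as typed)
LAZY_EQ: List[Rule] = [
    (dst_eq("10.0.0.0/8"), "reject"),
    (dst_eq("192.168.0.0/16"), "reject"),
    (any_route, "accept"),
]

# The same intent written with 'in' (blocks everything inside those ranges)
LAZY_IN: List[Rule] = [
    (dst_in("10.0.0.0/8"), "reject"),
    (dst_in("192.168.0.0/16"), "reject"),
    (any_route, "accept"),
]

# The allow-list chain from the CLI example; nothing matches -> reject
OSPF_OUT: List[Rule] = [
    (all_of(dst_in("100.64.0.0/10"), dst_len_in(24, 32)), "accept"),
    (all_of(dst_in("10.0.0.0/8"), dst_len_in(16, 32)), "accept"),
]

# Constructed sample routing table (made up for this example)
SAMPLE_ROUTES = [
    "10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24",
    "192.168.5.0/24", "100.64.0.0/10", "100.64.10.0/24",
    "100.64.10.1/32", "203.0.113.0/24",
]


def leaked_by_eq() -> List[str]:
    """Routes the == chain advertises that the 'in' chain would have blocked."""
    eq = evaluate(LAZY_EQ, SAMPLE_ROUTES)
    inn = evaluate(LAZY_IN, SAMPLE_ROUTES)
    return [p for p in SAMPLE_ROUTES if eq[p] == "accept" and inn[p] == "reject"]


if __name__ == "__main__":
    for name, chain in (("lazy ==", LAZY_EQ), ("lazy in", LAZY_IN), ("ospf-out", OSPF_OUT)):
        print(f"--- {name}")
        for prefix, action in evaluate(chain, SAMPLE_ROUTES).items():
            print(f"{prefix:>16}  {action}")
    print("leaked by ==:", leaked_by_eq())
```

Running it shows the point of the "==" versus "in" note: the "==" deny-list advertises 10.1.0.0/16, 10.1.2.0/24 and 192.168.5.0/24, the "in" version blocks them, and the ospf-out allow-list accepts the CGNAT /24 and /32 and the management /16 and /24 while dropping the 100.64.0.0/10 and 10.0.0.0/8 aggregates (wrong dst-len) and the unrelated 203.0.113.0/24 (no rule matched). On the router the chain only takes effect once the OSPF instance references it; in RouterOS v7 that is the instance's out-filter-chain setting, which the post's snippet does not show.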