
OSPF out route filter V7.XX

Posted: Thu Jul 18, 2024 6:21 pm
by SapieH
Good day All,
There are numerous posts for inbound route filters for OSPF. I am struggling to find examples of outbound route filters. I need to prevent certain connected IP ranges from being distributed by OSPF.

Re: OSPF out route filter V7.XX

Posted: Fri Jul 19, 2024 5:59 pm
by sirbryan
If you set up a filter for OSPF out, it will, by default, reject everything and only allow what you want to go out.

So, for example, if I want 10.0.0.0/24 to go out, my filter would be:
if (dst==10.0.0.0/24) { accept; }
In this case, I want to allow any subnets within the 10.0.0.0/8 range. Use "in" instead of "==" to allow for any subnets within the range to be announced.
if (dst in 10.0.0.0/8) { accept; }
If you want to be "lazy" and allow everything but a specific subnet, you'd have filters like the following.
if (dst==10.0.0.0/8) { reject; }
if (dst==192.168.0.0/16) { reject; }
accept;

Note that "==" explicitly matches on the subnet as written. If you want all smaller portions of a subnet to be filtered, you use "in" instead of "==":

if (dst in 10.0.0.0/8) { reject; }
if (dst in 192.168.0.0/16) { reject; }
accept;

It's usually smarter, though, to do what I did in the first example, which is allow the system to reject everything by default and specifically allow what you want.

From the CLI, these look like this:
# From a working example
/routing filter rule
# Allow CGNAT subnets to be advertised
add chain=ospf-out disabled=no rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Allow management IPs to be advertised
add chain=ospf-out disabled=no rule="if (dst in 10.0.0.0/8 && dst-len in 16-32) { accept; }"
# By default anything else the router has is rejected
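Putting the pieces of the post above together, here is a complete RouterOS v7 configuration for the original question (stop certain connected ranges from being redistributed into OSPF). This is an added example, not sirbryan's configuration or anything from the MikroTik docs; the instance name, router-id, interface, and address ranges are assumptions for illustration, and the instance parameter names (redistribute, out-filter-chain) should be checked against `/routing/ospf/instance print` on your own 7.x release. It also shows two things a practitioner should know: the chain only sees routes that OSPF redistributes, so a prefix listed in an interface-template's networks is flooded as an intra-area LSA and is not subject to ospf-out at all; and an explicit reject placed before the accept rules protects the sensitive range even if an accept rule is later widened by mistake.

```routeros
# Added example (not from the thread): redistribute connected routes into
# OSPF but let only two ranges out. Names, addresses and the router-id are
# assumptions for illustration.

# 1. The filter chain. In v7 a chain ends in an implicit reject, so only
#    routes that hit an accept rule are advertised (allow-list, as the post
#    recommends).
/routing filter rule
# Explicit deny first: the management range must never leak, even if one
# of the accept rules below is widened later.
add chain=ospf-out comment="never redistribute management" \
    rule="if (dst in 10.250.0.0/16) { reject; }"
# Customer CGNAT subnets, /24 through /32 only; the /10 summary itself is
# not exported ("in" matches the range, dst-len bounds the prefix length).
add chain=ospf-out comment="customer ranges" \
    rule="if (dst in 100.64.0.0/10 && dst-len in 24-32) { accept; }"
# Loopback /32s only, not every connected interface inside 10.0.0.0/8.
add chain=ospf-out comment="loopbacks" \
    rule="if (dst in 10.255.0.0/16 && dst-len==32) { accept; }"
# Anything else the router has as connected (for example the default
# 192.168.88.0/24 on ether1) falls through to the implicit reject.

# 2. The OSPF instance: redistribute connected routes and run every one of
#    them through the chain before they become type-5 external LSAs.
/routing ospf instance
add name=ospf-v2 version=2 router-id=10.255.0.1 \
    redistribute=connected out-filter-chain=ospf-out
/routing ospf area
add name=backbone area-id=0.0.0.0 instance=ospf-v2
# The transit link is a real OSPF interface. Its prefix 10.0.12.0/30 is
# advertised as an intra-area (router) LSA and bypasses ospf-out entirely;
# if it must not be visible, do not run OSPF on it.
/routing ospf interface-template
add area=backbone interfaces=ether2 networks=10.0.12.0/30

# 3. Verify from the neighbour's side: the LSA database should contain
#    external LSAs only for the accepted ranges, and none for 10.250.0.0/16
#    or 192.168.88.0/24.
/routing ospf lsa print
```

When testing, change the filter first and then check the LSA database on a neighbour rather than on the router that originated the routes: the originating router still holds the connected routes in its own table, and only the LSAs it floods show what the chain actually let through.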

Re: OSPF out route filter V7.XX

Posted: Sat Jul 20, 2024 1:17 pm
by elbob2002
That is such a great explanation. Wish the official docs were as good with practical examples!

Filtering has been wrecking my head since it first came out.