diff options
author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2018-01-16 04:14:49 +0100 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2018-01-16 04:14:49 +0100 |
commit | 3831b619661d08d935fd78656732cd2f339ff811 (patch) | |
tree | ad0f9f78f36b04b7b2c70d6b8c32fbd615e72a4f /proto/bgp | |
parent | 4db4ac7243bf54187029abda0b42cc9d29757d13 (diff) |
BGP: Require explicit import and export policies for EBGP channels
To comply with RFC 8212 requirements.
Diffstat (limited to 'proto/bgp')
-rw-r--r-- | proto/bgp/bgp.c | 17 | ||||
-rw-r--r-- | proto/bgp/config.Y | 2 |
2 files changed, 19 insertions, 0 deletions
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c index 8da5b0aa..9db26050 100644 --- a/proto/bgp/bgp.c +++ b/proto/bgp/bgp.c @@ -99,6 +99,7 @@ * <item> <rfc id="7947"> - Internet Exchange BGP Route Server * <item> <rfc id="8092"> - BGP Large Communities Attribute * <item> <rfc id="8203"> - BGP Administrative Shutdown Communication + * <item> <rfc id="8212"> - Default EBGP Route Propagation Behavior without Policies * </itemize> */ @@ -113,6 +114,7 @@ #include "nest/cli.h" #include "nest/locks.h" #include "conf/conf.h" +#include "filter/filter.h" #include "lib/socket.h" #include "lib/resource.h" #include "lib/string.h" @@ -1621,6 +1623,7 @@ bgp_postconfig(struct proto_config *CF) { struct bgp_config *cf = (void *) CF; int internal = (cf->local_as == cf->remote_as); + int interior = internal || cf->confederation_member; /* Do not check templates at all */ if (cf->c.class == SYM_TEMPLATE) @@ -1677,6 +1680,20 @@ bgp_postconfig(struct proto_config *CF) struct bgp_channel_config *cc; WALK_LIST(cc, CF->channels) { + /* Handle undefined import filter */ + if (cc->c.in_filter == FILTER_UNDEF) + if (interior) + cc->c.in_filter = FILTER_ACCEPT; + else + cf_error("EBGP requires explicit import policy"); + + /* Handle undefined export filter */ + if (cc->c.out_filter == FILTER_UNDEF) + if (interior) + cc->c.out_filter = FILTER_REJECT; + else + cf_error("EBGP requires explicit export policy"); + /* Disable after error incompatible with restart limit action */ if ((cc->c.in_limit.action == PLA_RESTART) && cf->disable_after_error) cc->c.in_limit.action = PLA_DISABLE; diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y index 4e819eb7..04e6d666 100644 --- a/proto/bgp/config.Y +++ b/proto/bgp/config.Y @@ -163,6 +163,8 @@ bgp_channel_start: bgp_afi /* New channel */ if (!BGP_CC->desc) { + BGP_CC->c.in_filter = FILTER_UNDEF; + BGP_CC->c.out_filter = FILTER_UNDEF; BGP_CC->c.ra_mode = RA_UNDEF; BGP_CC->afi = $1; BGP_CC->desc = desc; |