Merge branch 'issue130_ipv4_prefix_length_check_with_rfc8950'

pierky · Mar 26, 2024 · 9cd19b0 · 9cd19b0
2 parents 08e17f7 + a784789
commit 9cd19b0
Show file tree

Hide file tree

Showing 153 changed files with 893 additions and 777 deletions.
diff --git a/docs/SUPPORTED_SPEAKERS_CI.txt b/docs/SUPPORTED_SPEAKERS_CI.txt
@@ -6,7 +6,7 @@ Total test cases per BGP speaker
 =============== ========= ============ ============ ===========  
 **BGP speaker** **Total** **Passed ✔** **Failed ✖** **Skipped** 
 BIRD            830       821          0            9           
-BIRD v2         939       929          0            10          
+BIRD v2         940       930          0            10          
 BIRD v3         846       837          0            9           
 OpenBGPD 8.4    458       455          0            3           
 =============== ========= ============ ============ ===========  
@@ -131,18 +131,19 @@ reconfigure                         ✔        ✔           ✔
 RFC8950
 +++++++
 
-================================= ======== =========== =========== ================  
-**Test**                          **BIRD** **BIRD v2** **BIRD v3** **OpenBGPD 8.4** 
-RPKI VALID routes                          ✔                                        
-RPKI rejected routes, AS0                  ✔                                        
-RPKI rejected routes, INVALID              ✔                                        
-accepted routes                            ✔                                        
-dropped routes, not in r_set               ✔                                        
-log contains errors                        ✔                                        
-next hop authorized address AS2_1          ✔                                        
-next hop same-as AS1_2                     ✔                                        
-next hop strict mode on AS1_1              ✔                                        
-================================= ======== =========== =========== ================  
+================================================================= ======== =========== =========== ================  
+**Test**                                                          **BIRD** **BIRD v2** **BIRD v3** **OpenBGPD 8.4** 
+IPv4 prefix length within ipv6_pref_len but outside ipv4_pref_len          ✔                                        
+RPKI VALID routes                                                          ✔                                        
+RPKI rejected routes, AS0                                                  ✔                                        
+RPKI rejected routes, INVALID                                              ✔                                        
+accepted routes                                                            ✔                                        
+dropped routes, not in r_set                                               ✔                                        
+log contains errors                                                        ✔                                        
+next hop authorized address AS2_1                                          ✔                                        
+next hop same-as AS1_2                                                     ✔                                        
+next hop strict mode on AS1_1                                              ✔                                        
+================================================================= ======== =========== =========== ================  
 
 RPKI INVALID tagging, IPv4
 ++++++++++++++++++++++++++

diff --git a/examples/auto-config/bird4.conf b/examples/auto-config/bird4.conf
@@ -934,7 +934,7 @@ filter receive_from_AS10745_1 {
 			{ tag_and_reject(14, 10745); reject "RPKI, route is INVALID - REJECTING ", net; }
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			{ tag_and_reject(13, 10745); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; }
 
 		honor_graceful_shutdown();
@@ -1167,7 +1167,7 @@ filter receive_from_AS3333_1 {
 			{ tag_and_reject(14, 3333); reject "RPKI, route is INVALID - REJECTING ", net; }
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			{ tag_and_reject(13, 3333); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; }
 
 		honor_graceful_shutdown();
@@ -1393,7 +1393,7 @@ filter receive_from_AS65551_1 {
 			{ tag_and_reject(14, 65551); reject "RPKI, route is INVALID - REJECTING ", net; }
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			{ tag_and_reject(13, 65551); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; }
 
 		honor_graceful_shutdown();

diff --git a/examples/bird_hooks/bird4.conf b/examples/bird_hooks/bird4.conf
@@ -620,7 +620,7 @@ filter receive_from_AS10745_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -835,7 +835,7 @@ filter receive_from_AS3333_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/examples/bird_hooks/bird6.conf b/examples/bird_hooks/bird6.conf
@@ -662,7 +662,7 @@ filter receive_from_AS10745_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 

diff --git a/examples/default/bird4.conf b/examples/default/bird4.conf
@@ -361,7 +361,7 @@ filter receive_from_AS10745_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -539,7 +539,7 @@ filter receive_from_AS3333_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -715,7 +715,7 @@ filter receive_from_AS65551_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/examples/default/bird6.conf b/examples/default/bird6.conf
@@ -396,7 +396,7 @@ filter receive_from_AS10745_2 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 

diff --git a/examples/default/bird_v2.conf b/examples/default/bird_v2.conf
@@ -471,7 +471,7 @@ filter receive_from_AS10745_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -653,7 +653,7 @@ filter receive_from_AS10745_2 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 
@@ -831,7 +831,7 @@ filter receive_from_AS3333_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -1007,7 +1007,7 @@ filter receive_from_AS65551_1 {
 	} else {
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/examples/rich/bird4.conf b/examples/rich/bird4.conf
@@ -1878,7 +1878,7 @@ filter receive_from_AS10745_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -2102,7 +2102,7 @@ filter receive_from_AS197000_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -2331,7 +2331,7 @@ filter receive_from_AS3333_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/examples/rich/bird6.conf b/examples/rich/bird6.conf
@@ -1897,7 +1897,7 @@ filter receive_from_AS10745_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 
@@ -2123,7 +2123,7 @@ filter receive_from_AS197000_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 

diff --git a/examples/rich/bird_v2.conf b/examples/rich/bird_v2.conf
@@ -2028,7 +2028,7 @@ filter receive_from_AS10745_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -2254,7 +2254,7 @@ filter receive_from_AS10745_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 
@@ -2476,7 +2476,7 @@ filter receive_from_AS197000_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -2702,7 +2702,7 @@ filter receive_from_AS197000_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 
@@ -2929,7 +2929,7 @@ filter receive_from_AS3333_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/examples/rpki_rtr/bird_v2.conf b/examples/rpki_rtr/bird_v2.conf
@@ -504,7 +504,7 @@ filter receive_from_AS10745_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -688,7 +688,7 @@ filter receive_from_AS10745_2 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(12, 48) then
+		if net.type = NET_IP6 && !prefix_len_is_valid(12, 48) then
 			reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net;
 
 
@@ -868,7 +868,7 @@ filter receive_from_AS1_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 
@@ -1048,7 +1048,7 @@ filter receive_from_AS3333_1 {
 
 
 		# Prefix: length
-		if !prefix_len_is_valid(8, 24) then
+		if net.type = NET_IP4 && !prefix_len_is_valid(8, 24) then
 			reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net;
 
 

diff --git a/templates/bird/clients.j2 b/templates/bird/clients.j2
@@ -368,15 +368,18 @@ filter receive_from_{{ client.id }} {
 		{% endif %}
 
 		# Prefix: length
-		{% if client.ip|ipaddr_ver == 4 %}
-		{% set min_pref_len = client.cfg.filtering.ipv4_pref_len.min %}
-		{% set max_pref_len = client.cfg.filtering.ipv4_pref_len.max %}
+		{% if "2.0.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %}
+		{%     set afis = [4, 6] %}
 		{% else %}
-		{% set min_pref_len = client.cfg.filtering.ipv6_pref_len.min %}
-		{% set max_pref_len = client.cfg.filtering.ipv6_pref_len.max %}
+		{%     set afis = [ client.ip|ipaddr_ver ] %}
 		{% endif %}
-		if !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
+		{% for current_afi in afis %}
+		{%	 set min_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].min %}
+		{%   set max_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].max %}
+		if {%- if "2.0"|target_version_ge %} net.type = NET_IP{{ current_afi }} && {% else %} {% endif -%}
+			!prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
 			{{ reject(client, 13, '"prefix len [", net.len, "] not in ' ~ min_pref_len ~ '-' ~ max_pref_len ~ ' - REJECTING ", net') }}
+		{% endfor %}
 
 		{% if cfg.graceful_shutdown.enabled %}
 		{%	if client.cfg.graceful_shutdown.enabled %}

diff --git a/templates/fingerprints.yml b/templates/fingerprints.yml
@@ -1,5 +1,5 @@
 bird:
-  clients.j2: f4d3d45e77a793ec11d52de030aef3178a289d38c535ab111803494933b8c03f02c0f85c0d0570718f2d1b482d6d6eeea40e1f7c48bcb9b4b3069cec1ecb3233
+  clients.j2: 2b59e328f8f183a9d47af70d7a48b6ed573779696e23e1fa48049b0503d4d53daa5b29bd9e5047083d9d1f0f365f5d25ef1a6c14a43d7bb92452dd121368580a
   common.j2: 1888f590f24415b2df86b3f86f4a36ca8c348ae6e5ddfac664e1663928fd5093863b605d5165b4075da38df5bb041f1cbeebee9991efc1be02eb4a696d95e420
   header.j2: 25f219ef4d0a4ee64c18b338bc557c246c4759b438f31865a7483ebef8a9a3795e09c85ba301da24d7036b474f7936f7a9ed758f93d66bca36e0624c23729170
   irrdb.j2: 4ff9a0dba41a02737c17a2497613f2dcc179a80b79714f18d61162e9503907cfd53765ab426036119e8bcb716d9d24a5380d724235373ae4ab7340d6c6eb074a