diff --git a/templates/bird/clients.j2 b/templates/bird/clients.j2
index d9a311a9..e33eba76 100644
--- a/templates/bird/clients.j2
+++ b/templates/bird/clients.j2
@@ -368,24 +368,19 @@ filter receive_from_{{ client.id }} {
 {% endif %}
 # Prefix: length
- {% if client.ip|ipaddr_ver == 4 %}
- {% set min_pref_len = client.cfg.filtering.ipv4_pref_len.min %}
- {% set max_pref_len = client.cfg.filtering.ipv4_pref_len.max %}
- {% else %}
- {% set min_pref_len = client.cfg.filtering.ipv6_pref_len.min %}
- {% set max_pref_len = client.cfg.filtering.ipv6_pref_len.max %}
- {% endif %}
 {% if "2.0.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %}
- if net.type = NET_IP6 then {
+ {% set afis = [4, 6] %}
+ {% else %}
+ {% set afis = [ client.ip|ipaddr_ver ] %}
 {% endif %}
- if !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
- {{ reject(client, 13, '"prefix len [", net.len, "] not in ' ~ min_pref_len ~ '-' ~ max_pref_len ~ ' - REJECTING ", net') }}
- {% if "2.0.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %}
- } else {
- if !prefix_len_is_valid({{ client.cfg.filtering.ipv4_pref_len.min }}, {{ client.cfg.filtering.ipv4_pref_len.max }}) then
- {{ reject(client, 13, '"prefix len [", net.len, "] not in ' ~ client.cfg.filtering.ipv4_pref_len.min ~ '-' ~ client.cfg.filtering.ipv4_pref_len.max ~ ' - REJECTING ", net') }}
+ {% for current_afi in afis %}
+ {% set min_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].min %}
+ {% set max_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].max %}
+ if net.type = NET_IP{{ current_afi }} then {
+ if !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
+ {{ reject(client, 13, '"prefix len [", net.len, "] not in ' ~ min_pref_len ~ '-' ~ max_pref_len ~ ' - REJECTING ", net') }}
 }
- {% endif %}
+ {% endfor %}
 {% if cfg.graceful_shutdown.enabled %}
 {% if client.cfg.graceful_shutdown.enabled %}
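Review bot: The `if net.type = NET_IP{{ current_afi }} then {` wrapper is now emitted for every client, whereas the removed lines emitted `net.type` only under the `"2.0.0"|target_version_ge` test; if targets older than 2.0.0 are still rendered from this template and their filter language lacks `net.type`/`NET_IP4`, the generated config will no longer parse. The wrapper also makes the length check fail open: a route whose `net.type` matches none of the entries in `afis` skips the check entirely, where the old single-AFI path applied `prefix_len_is_valid` unconditionally. Emitting the wrapper and its closing `}` only inside `{% if afis|length > 1 %}` … `{% endif %}` would keep the single-AFI output identical to the previous one. The `receive_from_{{ client.id }}` filter begins before and continues after this hunk.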
diff --git a/templates/fingerprints.yml b/templates/fingerprints.yml
index 21ba48bf..d4235797 100644
--- a/templates/fingerprints.yml
+++ b/templates/fingerprints.yml
@@ -1,5 +1,5 @@
 bird:
- clients.j2: f4d3d45e77a793ec11d52de030aef3178a289d38c535ab111803494933b8c03f02c0f85c0d0570718f2d1b482d6d6eeea40e1f7c48bcb9b4b3069cec1ecb3233
+ clients.j2: 4a59b6da873981b449bc0ef09e3d3c5aa70f865e05ca98284afaf37edc387e30ce036d50703fff8d13e9344ab5a9b59e0b8c562995d3b5153e187b3d760203a3
 common.j2: 1888f590f24415b2df86b3f86f4a36ca8c348ae6e5ddfac664e1663928fd5093863b605d5165b4075da38df5bb041f1cbeebee9991efc1be02eb4a696d95e420
 header.j2: 25f219ef4d0a4ee64c18b338bc557c246c4759b438f31865a7483ebef8a9a3795e09c85ba301da24d7036b474f7936f7a9ed758f93d66bca36e0624c23729170
 irrdb.j2: 4ff9a0dba41a02737c17a2497613f2dcc179a80b79714f18d61162e9503907cfd53765ab426036119e8bcb716d9d24a5380d724235373ae4ab7340d6c6eb074a
diff --git a/tests/live_tests/scenarios/rfc8950/base.py b/tests/live_tests/scenarios/rfc8950/base.py
index ddffef19..14f2060d 100644
--- a/tests/live_tests/scenarios/rfc8950/base.py
+++ b/tests/live_tests/scenarios/rfc8950/base.py
@@ -218,3 +218,4 @@ def test_030_ipv4_prefixlen_ok(self):
 """{}: IPv4 prefix length within ipv6_pref_len but outside ipv4_pref_len"""
 for prefix in (self.DATA["AS1_v4_route14"],):
 self.receive_route(self.rs, prefix, filtered=True, reject_reason=13)
+ self.log_contains(self.rs, "prefix len [25] not in 8-24 - REJECTING " + prefix)
diff --git a/tests/live_tests/scenarios/rfc8950/configs/RFC8950Scenario_BIRD2IPv6/bird2.conf b/tests/live_tests/scenarios/rfc8950/configs/RFC8950Scenario_BIRD2IPv6/bird2.conf
index cd7be75b..799e587c 100644
--- a/tests/live_tests/scenarios/rfc8950/configs/RFC8950Scenario_BIRD2IPv6/bird2.conf
+++ b/tests/live_tests/scenarios/rfc8950/configs/RFC8950Scenario_BIRD2IPv6/bird2.conf
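Review bot: The literals `25` and `8-24` in the expected log line of the added `log_contains` call in base.py are unexplained, so a reader cannot tell that the assertion exists to prove which limits were applied. A comment such as `# 8-24 is ipv4_pref_len: the IPv4 limits, not the IPv6 12-48 range, must be applied to this route` would state that intent. The rs.txt fixture in the same commit shows 1.0.0.0/8 switching from filtered to accepted, and no matching positive assertion is visible in this hunk, so it may be worth confirming that one exists elsewhere in the scenario. The `def` line of `test_030_ipv4_prefixlen_ok` appears only in the hunk header, so the method starts outside the hunk.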
@@ -675,8 +675,14 @@ filter receive_from_AS1_1 { { tag_and_reject(14, 1); reject "RPKI, route is INVALID - REJECTING ", net; } # Prefix: length - if !prefix_len_is_valid(12, 48) then - { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + if net.type = NET_IP4 then { + if !prefix_len_is_valid(8, 24) then + { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; } + } + if net.type = NET_IP6 then { + if !prefix_len_is_valid(12, 48) then + { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + } } @@ -891,8 +897,14 @@ filter receive_from_AS1_2 { { tag_and_reject(14, 1); reject "RPKI, route is INVALID - REJECTING ", net; } # Prefix: length - if !prefix_len_is_valid(12, 48) then - { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + if net.type = NET_IP4 then { + if !prefix_len_is_valid(8, 24) then + { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; } + } + if net.type = NET_IP6 then { + if !prefix_len_is_valid(12, 48) then + { tag_and_reject(13, 1); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + } } @@ -1105,8 +1117,14 @@ filter receive_from_AS2_1 { { tag_and_reject(14, 2); reject "RPKI, route is INVALID - REJECTING ", net; } # Prefix: length - if !prefix_len_is_valid(12, 48) then - { tag_and_reject(13, 2); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + if net.type = NET_IP4 then { + if !prefix_len_is_valid(8, 24) then + { tag_and_reject(13, 2); reject "prefix len [", net.len, "] not in 8-24 - REJECTING ", net; } + } + if net.type = NET_IP6 then { + if !prefix_len_is_valid(12, 48) then + { tag_and_reject(13, 2); reject "prefix len [", net.len, "] not in 12-48 - REJECTING ", net; } + } } 
diff --git a/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/AS2_1.txt b/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/AS2_1.txt index 7d5587aa..9b3eff33 100644 --- a/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/AS2_1.txt +++ b/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/AS2_1.txt @@ -1,25 +1,25 @@ -1.1.1.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 +1.0.0.0/8, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 std comms: ext comms: lrg comms: best: False, LOCAL_PREF: 100 filtered: True () -1.1.4.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 +1.1.1.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 std comms: ext comms: lrg comms: best: False, LOCAL_PREF: 100 filtered: True () -1.1.6.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 +1.1.4.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 std comms: ext comms: lrg comms: best: False, LOCAL_PREF: 100 filtered: True () -1.1.8.0/25, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 +1.1.6.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 std comms: ext comms: lrg comms: diff --git a/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/rs.txt b/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/rs.txt index 1bda1644..b8604cea 100644 --- a/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/rs.txt +++ b/tests/live_tests/scenarios/rfc8950/routes/RFC8950Scenario_BIRD2IPv6/bird2/rs.txt 
@@ -1,9 +1,9 @@ 1.0.0.0/8, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 - std comms: 65520:0, 65520:13, 65524:1 - ext comms: rfc8097-not-found, rt:65524:1 + std comms: + ext comms: rfc8097-not-found lrg comms: - best: False, LOCAL_PREF: 1 - filtered: True () + best: True, LOCAL_PREF: 100 + filtered: False () 1.1.1.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 std comms: @@ -48,11 +48,11 @@ filtered: True (14) 1.1.8.0/25, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 - std comms: + std comms: 65524:1 ext comms: rfc8097-not-found lrg comms: - best: True, LOCAL_PREF: 100 - filtered: False () + best: False, LOCAL_PREF: 1 + filtered: True (13) 104.0.0.0/24, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 std comms: