Implement max-len filter
To implement a max-length filter, we need a rule/policy/filter file that contains the CRXN prefixes with their maximum lengths, plus a list of the prefixes without maximum lengths, so that we can tell whether a prefix belongs to CRXN or to dn42. The entitydb contains a bash script, build_maxlen_filter.sh, for this purpose. If you run this script with the argument bird, you get a bird-compatible list with the maximum lengths. If you run it with the parameter bird prefix-list, you get a prefix list without the maximum lengths.
define CRXN_IPs = [
    include "<path-to-file-1>";
];

define CRXN_MAXLEN = [
    include "<path-to-file-2>";
];

function is_crxn_net() {
    return net ~ CRXN_IPs;
}

function is_maxlen_valid() {
    return net ~ CRXN_MAXLEN;
}
This bird configuration can be used to load the two files. Replace <path-to-file-1> with the path of the filter file without maximum lengths and <path-to-file-2> with the path of the filter file with maximum lengths. The function is_crxn_net then checks whether the prefix belongs to the CRXN network, and the function is_maxlen_valid checks whether the prefix is maxlen-valid.
if (is_crxn_net() && (! is_maxlen_valid())) then {
    print "[CRXN] Invalid crxn route: ", net;
    reject;
}
This statement first checks whether a prefix belongs to the CRXN network and then whether it is maxlen-valid. If it is not maxlen-valid, the route is rejected and a message is printed.
This snippet can then be added to your import filter before accept. The line with print is optional; if you keep it, every hijack attempt is logged in the bird log output.
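As an added example that is not part of this page or the entitydb scripts, the Python below models the two prefix sets and the import-filter decision above, so the accept/reject behaviour can be checked offline. The list contents are constructed; since the output format of build_maxlen_filter.sh is not shown here, BIRD's prefix+ and prefix{low,high} notations are assumed.

```python
import ipaddress
import re
# Constructed list *without* maximum lengths (CRXN_IPs). The real build_maxlen_filter.sh
# output format is not shown on the page; BIRD's 'prefix+' (prefix and all more-specifics) is assumed.
CRXN_IPS_FILE = """\
fd00:aaaa::/32+,
fd00:bbbb::/32+,
172.20.0.0/16+
"""
# Constructed list *with* maximum lengths (CRXN_MAXLEN) in BIRD's 'prefix{low,high}' notation.
CRXN_MAXLEN_FILE = """\
fd00:aaaa::/32{32,48},
fd00:bbbb::/32{32,32},
172.20.0.0/16{16,24}
"""
_ENTRY = re.compile(r"^\s*([0-9a-fA-F:.]+/\d+)(?:\{(\d+),(\d+)\}|(\+))?\s*,?\s*$")
def parse_prefix_set(text):
    """Parse a BIRD prefix set into (network, min_len, max_len): 'p' matches only p,
    'p+' matches p and all more-specifics, 'p{low,high}' restricts the length range."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsable prefix-set entry: {line!r}")
        net = ipaddress.ip_network(m.group(1))
        if m.group(2):
            low, high = int(m.group(2)), int(m.group(3))
        elif m.group(4):
            low, high = net.prefixlen, net.max_prefixlen
        else:
            low = high = net.prefixlen
        entries.append((net, low, high))
    return entries

def matches(net, prefix_set):
    """Emulate BIRD's 'net ~ SET': an entry covers net and net's length is within its range."""
    return any(net.version == p.version and net.subnet_of(p) and low <= net.prefixlen <= high
               for p, low, high in prefix_set)
CRXN_IPS = parse_prefix_set(CRXN_IPS_FILE)
CRXN_MAXLEN = parse_prefix_set(CRXN_MAXLEN_FILE)
def import_decision(route):
    """The page's filter: a CRXN prefix that is not maxlen-valid is rejected (and logged);
    everything else, including non-CRXN (dn42) prefixes, falls through to 'accept'."""
    net = ipaddress.ip_network(route)
    if matches(net, CRXN_IPS) and not matches(net, CRXN_MAXLEN):
        return "reject"
    return "accept"
```

Note that a route which is not in CRXN_IPs at all (a dn42 prefix, say) is never touched by this check; it is left to the rest of your import filter.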