Filter Syntax
Routing filter rule implements script-like syntax. Example below is a quick demonstration of routing filter that matches prefixes with prefix length greater than 24 from subnet 192.168.1.0/24 and increments default distance by 1. If there is no match then subtract default distance by one.
/routing filter rule
add chain=myChain
rule="if (dst==192.168.1.0/24 && dst-len>24) {set distance +1; accept} else {set distance -1; accept}"
Filter rule may consist of multiple matchers and actions:
if ( [matchers] ) { [actions] } else { [actions] }
There are two types of properties:
- readable - ones that value is readable and can be used by matchers
- writable - ones that is used to set property value, used by filter actions
Readable properties can be matched by other readable properties or constant values using boolean operators.
[matchers]: [prop readable] [bool operator] [prop readable] [actions]: [action] [prop writeable] [value]
Boolean operator is not used if there is only one possible operation.
Example without boolean operator:
if ( protocol connected ) { accept }
Example with boolean operator:
if ( bgp-med < 30 ) { accept }
With readable flag properties, matcher is used without specified boolean operator and without value
if ( ospf-dn ) { reject }
List of readable properties:
| Property | Operators | Description |
|---|---|---|
| Numeric properties | ||
| dst-len | Destination prefix length | |
| bgp-path-len | ||
| bgp-input-local-as | ||
| bgp-input-remote-as | ||
| bgp-output-local-as | ||
| bgp-output-remote-as | ||
| ospf-metric | ||
| ospf-tag | ||
| rip-metric | ||
| rip-tag | ||
| Flag properties | ||
| active | ||
| bgp-atomic-aggregate | ||
| bgp-communities-empty | ||
| bgp-ext-communities-empty | ||
| bgp-large-communities-empty | ||
| bgp-network | ||
| ospf-dn | ||
| Prefix properties | ||
| dst | ||
| gw | ||
| ospf-fwd | ||
| ospf-ext-fwd | ||
| bgp-input-local-addr | ||
| bgp-input-remote-addr | ||
| bgp-output-local-addr | ||
| bgp-output-remote-addr | ||
List of writable properties:
| Property | Operators | Description |
|---|---|---|
| Numeric properties | ||
| distance | ||
| scope | ||
| scope-target | ||
| bgp-weight | ||
| bgp-med | ||
| bgp-out-med | ||
| bgp-local-pref | ||
| bgp-igp-metric | ||
| bgp-path-peer-prepend | ||
| bgp-path-prepend | ||
| ospf-ext-metric | ||
| ospf-ext-tag | ||
| rip-ext-metric | ||
| rip-ext-tag | ||
| Flag properties | ||
| ospf-ext-dn | ||
| blackhole | ||
| use-te-nexthop | ||
Commands
| Command | Params | Description |
|---|---|---|
| accept | accept matched prefix | |
| reject | reject matched prefix | |
| return | return to parent chain | |
| jump | jump chain_name | jump to specified chain |
| unset | unset prop_name | used to unset value of the following properties:pref-src|bgp-med|bgp-out-med|bgp-local-pref |
| append | append at the end of the list | |
| filter | ||
| delete | ||
| set | ||
| rpki-verify | rpki-verify rpki_group_name | Enable RPKI verification in current chain from specified RPKI group. |
[matcher] (all can be prefixed with 'not' to negate
bgp-communities|bgp-communities-ext|bgp-communities-large
equal|any|includes|subset
{inline set}
equal-set|any-set|includes-set|subset-set
{set name}
any-regexp|subset-regexp
{regexp}
comment
text|find|regexp
{string}
chain
{chain name}
vrf
{vrf}
rtab
{rtab}
gw-interface
{interface}
gw-check
none|arp|icmp|bfd|bfd-mh
afi
ipv4|ipv6|l2vpn|l2vpn-cisco|vpnv4|vpnv6
,...
protocol
connected|static|bgp|ospf|rip|dhcp|fantasy|modem|vpn
,...
bpg-origin
igp|egp|incomplete
,...
bgp-as-path
{regexp}
rpki
valid|invalid|unknown
ospf-type
intra|inter|ext1|ext2|nssa1|nssa2
ospf-ext-type
type1|type2
[num prop readable]
in
{int..int}|{int-int}
==|!=|<=|>=|<|>
{int}
[num prop readable]
[prfx prop readable]
!=|==|in
{address 46/}
[flag prop readable]
[block]
if ([matcher] &&/|| ...) { [block] } [ else {[block]} ]
accept|reject|return
jump {chain name}
unset
pref-src|bgp-med|bgp-out-med|bgp-local-pref
append
comment
{string}
bgp-communities|bgp-communities-ext|bgp-communities-large
{inline community set}|{set name}
filter
bgp-communities|bgp-communities-ext|bgp-communities-large
regexp
{regexp}
{inline community set}|{set name}
delete
bgp-communities
regexp
{regexp}
{inline community set}|{set name}
wk|other
,...
bgp-communities-ext
regexp
{regexp}
{inline community set}|{set name}
rt|soo|other
,...
bgp-communities-large
regexp
{regexp}
{inline community set}|{set name}
all
set
[num prop writable]
[+|-][num prop readable]|[num prop writable]
gw
{address 46i}
gw-interface
{interface}
gw-check
none|arp|icmp|bfd|bfd-mh
pref-src
{address 46}
bgp-origin
igp|egp|incomplete
ospf-ext-fwd
{address 46}
ospf-ext-type
type1|type2
comment
{string}
bgp-communities
{inline community set}|{set name}
bgp-communities-ext
{inline community set}|{set name}
bgp-communities-large
{inline community set}|{set name}
rpki-verify
{rpki group name}
Property Reference
/routing/filter/chain
Dynamic list of filter rule chains that can be referenced in bgp/ospf configuration.
Read-only properties:
| Property | Description | |
|---|---|---|
| dynamic (yes | no) | ||
| inactive (yes | no) | ||
| name (string) | ||
/routing/filter/community-ext-set
Allows to configure sets of extended communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of ext communities; Default: ) | List of extended communities expressed as raw integer value or in typed format: "type:value", where type can be:
Value depends on the type, for more info on RT and SoO values ask google. | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/community-large-set
Allows to configure sets of large communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of large communities; Default: ) | List of large communities expressed in following format: "admin:value1:value2", where each section can be integer [0..4294967295]. | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/community-set
Allows to configure sets of communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of communities; Default: ) | List of communities expressed either as well known name or in following format: "as:number", where each section can be integer [0..65535]. Accepted well known names: accept-own graceful-shutdown no-advertise no-llgr route-filter-6 | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/num-set
Set of integer numbers that can be reused for number matching between multiple filter rules.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| range (start-[end]:: integer[0..4294967295]) | Range of numbers in numset | |
/routing/filter/rule
xx.
| Property | Description | |
|---|---|---|
| chain (string; Default: ) | Reference name of the chain | |
| comment (string; Default: ) | ||
| disabled (yes | no) | ||
| rule (string) | Accepts script like syntax to match and set route attribute and reject or accept prefixes. | |
/routing/filter/select-chain
Dynamic list of filter select chains that can be referenced in bgp/ospf configuration.
Read-only properties:
| Property | Description | |
|---|---|---|
| dynamic (yes | no) | ||
| inactive (yes | no) | ||
| name (string) | ||
/routing/filter/select-rule
xx.