Filter Syntax
Routing filter rule implements script-like syntax. Example below is a quick demonstration of routing filter that matches prefixes with prefix length greater than 24 from subnet 192.168.1.0/24 and increments default distance by 1. If there is no match then subtract default distance by one.
/routing filter rule
add chain=myChain
rule="if (dst==192.168.1.0/24 && dst-len>24) {set distance +1; accept} else {set distance -1; accept}"
Filter rule may consist of multiple matchers and actions:
if ( [matchers] ) { [actions] } else { [actions] }
There are two types of properties:
- only readable - ones that value is only readable and cannot be rewritten, these properties can be used only by matchers
- readable/writable - ones that value is readable and writeable, used by filter actions and also can be used by matchers
Readable properties can be matched by other readable properties or constant values using boolean operators.
[matchers]: [prop readable] [bool operator] [prop readable] [actions]: [action] [prop writeable] [value]
Boolean operator is not used if there is only one possible operation.
Example without boolean operator:
if ( protocol connected ) { accept }
Example with boolean operator:
if ( bgp-med < 30 ) { accept }
With readable flag properties, matcher is used without specified boolean operator and without value
if ( ospf-dn ) { reject }
Only Readable Properties
| Property | Type | Description |
|---|---|---|
| Numeric properties | ||
| dst-len | Destination prefix length | |
| bgp-path-len | Current length of the BGP AS PATH | |
| bgp-input-local-as | AS number of the local peer to which the prefix was sent | |
| bgp-input-remote-as | AS number of the remote peer from which the prefix was received | |
| bgp-output-local-as | AS number of the peer that will advertise the prefix | |
| bgp-output-remote-as | AS number of the peer to which the prefix will be advertised | |
| ospf-metric | Current OSPF metric | |
| ospf-tag | Current OSPF tag | |
| rip-metric | Current RIP metric | |
| rip-tag | Current RIP tag | |
| Flag properties | ||
| active | indicates whether route is active | |
| bgp-atomic-aggregate | ||
| bgp-communities-empty | indicates if BGP Communities attribute is empty | |
| bgp-ext-communities-empty | indicates if BGP Extended Communities attribute is empty | |
| bgp-large-communities-empty | indicates if BGP Large Communities attribute is empty | |
| bgp-network | Indicates if prefix is originated from BGP networks | |
| ospf-dn | Indicates if OSPF route has DN bit set. | |
| Prefix properties | ||
| dst | Destination | |
| ospf-fwd | Current OSPF forwarding address | |
| bgp-input-local-addr | IP address of the local peer to which the prefix was sent | |
| bgp-input-remote-addr | IP address of the remote peer from which the prefix was received | |
| bgp-output-local-addr | IP address of the peer that will advertise the prefix | |
| bgp-output-remote-addr | IP address of the peer to which the prefix will be advertised | |
Writeable Properties
| Property | Type | Description |
|---|---|---|
| Numeric properties | ||
| distance | route distance | |
| scope | ||
| scope-target | target scope | |
| bgp-weight | BGP WEIGHT attribute | |
| bgp-med | BGP MED attribute local to the router. | |
| bgp-out-med | BGP MED attribute to be sent to remote peer. Should be used in output chain | |
| bgp-local-pref | BGP LOCALPREF attribute | |
| bgp-igp-metric | BGP IGP METRIC | |
| bgp-path-peer-prepend | Prepend last received remote peers ASN. If prefix is originated from the router, then this parameter will not do anything on the routers output, because ASN does not exist yet. If used as matcher in BGP input, it is possible to filter prefixes exceeding certain number of prepends. For example, if remote peer prepends its ASN 5 times, but we want to allow max 4 times prepended ASN, then we can use: " This parameter also overrides any prepends received from remote peer, for example, if remote peer prepended its AS 3 times, we can remove this prepend by setting " | |
| bgp-path-prepend | Prepend routers ASN, should be used in BGP output. | |
| ospf-ext-metric | OSPF External route metric | |
| ospf-ext-tag | OSPF External route tag | |
| rip-ext-metric | RIP External route metric | |
| rip-ext-tag | RIP External route tag | |
| Flag properties | ||
| ospf-ext-dn | DN bit for external OSPF routes | |
| blackhole | ||
| use-te-nexthop | ||
| Other properties | ||
| gw | ipv4/6 address | |
| gw-interface | interface_name | |
| gw-check | none|arp|icmp|bfd|bfd-mh | |
| pref-src | ipv4/6 address | |
| bgp-origin | igp|egp|incomplete | |
| ospf-ext-fwd | ipv4/6 address | |
| ospf-ext-type | type1|type2 | |
| comment | string | |
| bgp-communites | inline_community_set | set_name | |
| bgp-ext-communities | ||
| bgp-large-communities | ||
Commands
| Command | Params | Description |
|---|---|---|
| accept | accept matched prefix | |
| reject | reject matched prefix | |
| return | return to parent chain | |
| jump | jump chain_name | jump to specified chain |
| unset | unset prop_name | used to unset value of the following properties:pref-src|bgp-med|bgp-out-med|bgp-local-pref |
| append | append at the end of the list | |
| filter | ||
| delete | ||
| set | set prop_writeable value | Command is used to set new value to writeable properties. Value can be set from other readable properties of matching types. For numeric properties it is possible to prefix value with +/- which will increment or decrement current property value by given amount. For example, "set pref-src +1" will increment current pref-src by one, or extract value from other readable num property, "set distance +ospf-ext-metric" |
| rpki-verify | rpki-verify rpki_group_name | Enable RPKI verification in current chain from specified RPKI group. |
Operators
Matcher operators
| Operator | Description | Example |
|---|---|---|
| && | Logical AND operator | if (dst == 192.168.0.0/16 && dst-len in 16-32) {reject;} |
| || | Logical OR operator | |
| not | Logical NOT operator | if ( not bgp-network) {reject; } |
Num Prop Operators
| Operator | Description |
|---|---|
| in | return true if the value is in provided numeric range. Numeric range can be written in following formats: {int..int}, {int-int} |
| == | return true if numeric values are equal |
| != | return true if numeric values are not equal |
| > | return true if the left numeric value is greater than the right numeric value |
| < | return true if the left numeric value is less than the right numeric value |
| >= | return true if the left numeric value is greater than or equal to the right numeric value |
| <= | return true if the left numeric value is less than or equal to the right numeric value |
Prefix Operators
| Operator | Description |
|---|---|
| in | Return true if the prefix is the subnet of provided network |
| != | Return true if the prefix is not equal to provided value |
| == | Return true if the prefix is equal to provided value |
BGP Community Operators
| Operator | Description | Example |
|---|---|---|
| equal | return true if provided communities is equal to the property value | |
| equal-set | ||
| any | ||
| any-set | ||
| includes | ||
| includes-set | ||
| subset | ||
| subset-set | ||
| any-regexp | ||
| subset-regexp |
String Operators
| Operator | Description |
|---|---|
| find | Check if provided substring is the part of the property value |
| regexp | Match string regexp of the property value |
[matcher] (all can be prefixed with 'not' to negate
bgp-communities|bgp-communities-ext|bgp-communities-large
equal|any|includes|subset
{inline set}
equal-set|any-set|includes-set|subset-set
{set name}
any-regexp|subset-regexp
{regexp}
comment
text|find|regexp
{string}
chain
{chain name}
vrf
{vrf}
rtab
{rtab}
gw-interface
{interface}
gw-check
none|arp|icmp|bfd|bfd-mh
afi
ipv4|ipv6|l2vpn|l2vpn-cisco|vpnv4|vpnv6
,...
protocol
connected|static|bgp|ospf|rip|dhcp|fantasy|modem|vpn
,...
bpg-origin
igp|egp|incomplete
,...
bgp-as-path
{regexp}
rpki
valid|invalid|unknown
ospf-type
intra|inter|ext1|ext2|nssa1|nssa2
ospf-ext-type
type1|type2
[num prop readable]
in
{int..int}|{int-int}
==|!=|<=|>=|<|>
{int}
[num prop readable]
[prfx prop readable]
!=|==|in
{address 46/}
[flag prop readable]
[block]
if ([matcher] &&/|| ...) { [block] } [ else {[block]} ]
accept|reject|return
jump {chain name}
unset
pref-src|bgp-med|bgp-out-med|bgp-local-pref
append
comment
{string}
bgp-communities|bgp-communities-ext|bgp-communities-large
{inline community set}|{set name}
filter
bgp-communities|bgp-communities-ext|bgp-communities-large
regexp
{regexp}
{inline community set}|{set name}
delete
bgp-communities
regexp
{regexp}
{inline community set}|{set name}
wk|other
,...
bgp-communities-ext
regexp
{regexp}
{inline community set}|{set name}
rt|soo|other
,...
bgp-communities-large
regexp
{regexp}
{inline community set}|{set name}
all
set
[num prop writable]
[+|-][num prop readable]|[num prop writable]
gw
{address 46i}
gw-interface
{interface}
gw-check
none|arp|icmp|bfd|bfd-mh
pref-src
{address 46}
bgp-origin
igp|egp|incomplete
ospf-ext-fwd
{address 46}
ospf-ext-type
type1|type2
comment
{string}
bgp-communities
{inline community set}|{set name}
bgp-communities-ext
{inline community set}|{set name}
bgp-communities-large
{inline community set}|{set name}
rpki-verify
{rpki group name}
Property Reference
/routing/filter/chain
Dynamic list of filter rule chains that can be referenced in bgp/ospf configuration.
Read-only properties:
| Property | Description | |
|---|---|---|
| dynamic (yes | no) | ||
| inactive (yes | no) | ||
| name (string) | ||
/routing/filter/community-ext-set
Allows to configure sets of extended communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of ext communities; Default: ) | List of extended communities expressed as raw integer value or in typed format: "type:value", where type can be:
Value depends on the type, for more info on RT and SoO values ask google. | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/community-large-set
Allows to configure sets of large communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of large communities; Default: ) | List of large communities expressed in following format: "admin:value1:value2", where each section can be integer [0..4294967295]. | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/community-set
Allows to configure sets of communities to be easily reused in multiple filter configurations. Community sets can be used for both matching and appending/setting.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| communities (list of communities; Default: ) | List of communities expressed either as well known name or in following format: "as:number", where each section can be integer [0..65535]. Accepted well known names: accept-own graceful-shutdown no-advertise no-llgr route-filter-6 | |
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| regexp (string) | Regexp matcher to match communities. Community set with only regexp parameter cannot be used to append communities. | |
/routing/filter/num-set
Set of integer numbers that can be reused for number matching between multiple filter rules.
| Property | Description | |
|---|---|---|
| comment (string; Default: ) | ||
| disabled (yes | no) | ||
| name (integer [string; Default: ) | Reference name. | |
| range (start-[end]:: integer[0..4294967295]) | Range of numbers in numset | |
/routing/filter/rule
xx.
| Property | Description | |
|---|---|---|
| chain (string; Default: ) | Reference name of the chain | |
| comment (string; Default: ) | ||
| disabled (yes | no) | ||
| rule (string) | Accepts script like syntax to match and set route attribute and reject or accept prefixes. | |
/routing/filter/select-chain
Dynamic list of filter select chains that can be referenced in bgp/ospf configuration.
Read-only properties:
| Property | Description | |
|---|---|---|
| dynamic (yes | no) | ||
| inactive (yes | no) | ||
| name (string) | ||
/routing/filter/select-rule
xx.