Filter Syntax
A routing filter rule uses a script-like syntax. The example below is a quick demonstration of a routing filter that matches prefixes from subnet 192.168.1.0/24 with a prefix length greater than 24 and increments the default distance by 1. If there is no match, the default distance is decremented by one.
/routing filter rule add chain=myChain rule="if (dst==192.168.1.0/24 && dst-len>24) {set distance +1; accept} else {set distance -1; accept}"
A filter rule may consist of multiple matchers and actions:
if ( [matchers] ) { [actions] } else { [actions] }
There are two types of properties:
- read-only: the value can only be read and cannot be rewritten; these properties can be used only by matchers
- readable/writable: the value can be both read and written; these properties are used by filter actions and can also be used by matchers
Readable properties can be matched against other readable properties or constant values using boolean operators.
[matchers]: [prop readable] [bool operator] [prop readable]
[actions]: [action] [prop writeable] [value]
The boolean operator is omitted if there is only one possible operation.
Example without boolean operator:
if ( protocol connected ) { accept }
Example with boolean operator:
if ( bgp-med < 30 ) { accept }
Readable flag properties are matched without a boolean operator and without a value:
if ( ospf-dn ) { reject }
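As an added example that is not part of the original page, the constructs above combined into a complete inbound sanity chain for a BGP peer. The chain name bgp-in-sanity and the limits (24 bits, 64 AS hops) are assumed; the address blocks are the RFC 1918 private ranges, which an external peer should never advertise.

```routeros
# Added example, not from the original page. Chain name "bgp-in-sanity" is assumed;
# attach it to a BGP connection as its input filter chain.
/routing filter rule
# Numeric and prefix matchers joined with ||: too-specific prefixes and a
# default route are not accepted from this peer.
add chain=bgp-in-sanity rule="if (dst-len > 24 || dst == 0.0.0.0/0) { reject }"
# Prefix operator "in": RFC 1918 space must never arrive from an external peer.
add chain=bgp-in-sanity rule="if (dst in 10.0.0.0/8 || dst in 172.16.0.0/12 || dst in 192.168.0.0/16) { reject }"
# Read-only numeric property as matcher: drop implausibly long AS paths.
add chain=bgp-in-sanity rule="if (bgp-path-len > 64) { reject }"
# if/else with numeric set: de-prefer prefixes longer than /20 by raising distance.
add chain=bgp-in-sanity rule="if (dst-len > 20) { set distance +1; accept } else { accept }"
```

Rules in a chain are evaluated in order until one of them accepts or rejects, so the final rule gives every surviving prefix an explicit verdict.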
Only Readable Properties
Property | Type | Description
---|---|---
dst-len | numeric | Destination prefix length
bgp-path-len | numeric | Current length of the BGP AS PATH
bgp-input-local-as | numeric | AS number of the local peer to which the prefix was sent
bgp-input-remote-as | numeric | AS number of the remote peer from which the prefix was received
bgp-output-local-as | numeric | AS number of the peer that will advertise the prefix
bgp-output-remote-as | numeric | AS number of the peer to which the prefix will be advertised
ospf-metric | numeric | Current OSPF metric
ospf-tag | numeric | Current OSPF tag
rip-metric | numeric | Current RIP metric
rip-tag | numeric | Current RIP tag
active | flag | Indicates whether the route is active
bgp-atomic-aggregate | flag | 
bgp-communities-empty | flag | Indicates whether the BGP Communities attribute is empty
bgp-ext-communities-empty | flag | Indicates whether the BGP Extended Communities attribute is empty
bgp-large-communities-empty | flag | Indicates whether the BGP Large Communities attribute is empty
bgp-network | flag | Indicates whether the prefix is originated from BGP networks
ospf-dn | flag | Indicates whether the OSPF route has the DN bit set
dst | prefix | Destination
ospf-fwd | prefix | Current OSPF forwarding address
bgp-input-local-addr | prefix | IP address of the local peer to which the prefix was sent
bgp-input-remote-addr | prefix | IP address of the remote peer from which the prefix was received
bgp-output-local-addr | prefix | IP address of the peer that will advertise the prefix
bgp-output-remote-addr | prefix | IP address of the peer to which the prefix will be advertised
Writeable Properties
Property | Type | Description
---|---|---
distance | numeric | Route distance
scope | numeric | 
scope-target | numeric | Target scope
bgp-weight | numeric | BGP WEIGHT attribute
bgp-med | numeric | BGP MED attribute local to the router
bgp-out-med | numeric | BGP MED attribute to be sent to the remote peer. Should be used in the output chain
bgp-local-pref | numeric | BGP LOCALPREF attribute
bgp-igp-metric | numeric | BGP IGP METRIC
bgp-path-peer-prepend | numeric | Prepends the last received remote peer's ASN. If the prefix is originated by the router itself, this parameter does nothing on the router's output, because the ASN does not exist yet. Used as a matcher in BGP input, it makes it possible to filter prefixes that exceed a certain number of prepends. For example, if the remote peer prepends its ASN 5 times but we want to allow at most 4 prepends, we can use: " This parameter also overrides any prepends received from the remote peer; for example, if the remote peer prepended its AS 3 times, we can remove this prepend by setting "
bgp-path-prepend | numeric | Prepends the router's own ASN; should be used in BGP output
ospf-ext-metric | numeric | OSPF external route metric
ospf-ext-tag | numeric | OSPF external route tag
rip-ext-metric | numeric | RIP external route metric
rip-ext-tag | numeric | RIP external route tag
ospf-ext-dn | flag | DN bit for external OSPF routes
blackhole | flag | 
use-te-nexthop | flag | 
gw | ipv4/6 address | 
gw-interface | interface_name | 
gw-check | none \| arp \| icmp \| bfd \| bfd-mh | 
pref-src | ipv4/6 address | 
bgp-origin | igp \| egp \| incomplete | 
ospf-ext-fwd | ipv4/6 address | 
ospf-ext-type | type1 \| type2 | 
comment | string | 
bgp-communities | inline_community_set \| set_name | 
bgp-ext-communities | | 
bgp-large-communities | | 
Commands
Command | Params | Description
---|---|---
accept | | Accept the matched prefix
reject | | Reject the matched prefix
return | | Return to the parent chain
jump | jump chain_name | Jump to the specified chain
unset | unset prop_name | Unsets the value of one of the following properties: pref-src, bgp-med, bgp-out-med, bgp-local-pref
append | | Append at the end of the list
filter | | 
delete | | 
set | set prop_writeable value | Sets a new value on a writeable property. The value can also be taken from another readable property of a matching type. For numeric properties the value can be prefixed with +/-, which increments or decrements the current property value by the given amount. For example, "set pref-src +1" increments the current pref-src by one, and "set distance +ospf-ext-metric" adds the value of another readable numeric property
rpki-verify | rpki-verify rpki_group_name | Enables RPKI verification in the current chain using the specified RPKI group
Operators
Matcher operators
Operator | Description | Example
---|---|---
&& | Logical AND operator | if (dst == 192.168.0.0/16 && dst-len in 16-32) {reject;}
\|\| | Logical OR operator | 
not | Logical NOT operator | if (not bgp-network) {reject;}
Num Prop Operators
Operator | Description |
---|---|
in | Return true if the value is in the provided numeric range. A numeric range can be written in the following formats: {int..int}, {int-int}
== | return true if numeric values are equal |
!= | return true if numeric values are not equal |
> | return true if the left numeric value is greater than the right numeric value |
< | return true if the left numeric value is less than the right numeric value |
>= | return true if the left numeric value is greater than or equal to the right numeric value |
<= | return true if the left numeric value is less than or equal to the right numeric value |
Prefix Operators
Operator | Description |
---|---|
in | Return true if the prefix is a subnet of the provided network
!= | Return true if the prefix is not equal to the provided value
== | Return true if the prefix is equal to the provided value
BGP Community Operators
Operator | Description | Example |
---|---|---|
equal | Return true if the provided communities are equal to the property value | 
equal-set | ||
any | ||
any-set | ||
includes | ||
includes-set | ||
subset | ||
subset-set | ||
any-regexp | ||
subset-regexp |
String Operators
Operator | Description |
---|---|
find | Check whether the provided substring is part of the property value
regexp | Match the property value against the provided regexp
[matcher] (all can be prefixed with 'not' to negate)
    bgp-communities|bgp-communities-ext|bgp-communities-large
        equal|any|includes|subset {inline set}
        equal-set|any-set|includes-set|subset-set {set name}
        any-regexp|subset-regexp {regexp}
    comment text|find|regexp {string}
    chain {chain name}
    vrf {vrf}
    rtab {rtab}
    gw-interface {interface}
    gw-check none|arp|icmp|bfd|bfd-mh
    afi ipv4|ipv6|l2vpn|l2vpn-cisco|vpnv4|vpnv6 ,...
    protocol connected|static|bgp|ospf|rip|dhcp|fantasy|modem|vpn ,...
    bgp-origin igp|egp|incomplete ,...
    bgp-as-path {regexp}
    rpki valid|invalid|unknown
    ospf-type intra|inter|ext1|ext2|nssa1|nssa2
    ospf-ext-type type1|type2
    [num prop readable] in {int..int}|{int-int}
    [num prop readable] ==|!=|<=|>=|<|> {int}|[num prop readable]
    [prfx prop readable] !=|==|in {address 46/}
    [flag prop readable]

[block]
    if ([matcher] &&/|| ...) { [block] } [ else {[block]} ]
    accept|reject|return
    jump {chain name}
    unset pref-src|bgp-med|bgp-out-med|bgp-local-pref
    append
        comment {string}
        bgp-communities|bgp-communities-ext|bgp-communities-large {inline community set}|{set name}
    filter
        bgp-communities|bgp-communities-ext|bgp-communities-large regexp {regexp} {inline community set}|{set name}
    delete
        bgp-communities regexp {regexp} {inline community set}|{set name} wk|other ,...
        bgp-communities-ext regexp {regexp} {inline community set}|{set name} rt|soo|other ,...
        bgp-communities-large regexp {regexp} {inline community set}|{set name} all
    set
        [num prop writable] [+|-][num prop readable]|[num prop writable]
        gw {address 46i}
        gw-interface {interface}
        gw-check none|arp|icmp|bfd|bfd-mh
        pref-src {address 46}
        bgp-origin igp|egp|incomplete
        ospf-ext-fwd {address 46}
        ospf-ext-type type1|type2
        comment {string}
        bgp-communities {inline community set}|{set name}
        bgp-communities-ext {inline community set}|{set name}
        bgp-communities-large {inline community set}|{set name}
    rpki-verify {rpki group name}
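An added example, not part of the original page, exercising the command side of the grammar above: rpki-verify with the rpki matcher, jump and return between chains, set and unset, a named community set used with includes-set, and a flag matcher in an output chain. The chain names, the RPKI group my-rpki and the community 65000:200 are assumed placeholders.

```routeros
# Added example, not from the original page. Names are placeholders: the RPKI group
# "my-rpki" must already exist under /routing rpki; community 65000:200 is assumed.
/routing filter community-set
add name=peer-backup communities=65000:200
/routing filter rule
# Input chain: validate origin first; a prefix whose ROA check fails is never accepted.
add chain=bgp-in-policy rule="rpki-verify my-rpki"
add chain=bgp-in-policy rule="if (rpki invalid) { reject }"
# Delegate preference selection to a sub-chain; its "return" brings control back here.
add chain=bgp-in-policy rule="jump bgp-in-pref"
# Drop the peer's MED so it cannot steer our path selection, then give a verdict.
add chain=bgp-in-policy rule="unset bgp-med; accept"
# Sub-chain: community set as matcher (includes-set), then RPKI state decides.
add chain=bgp-in-pref rule="if (bgp-communities includes-set peer-backup) { set bgp-local-pref 50; return }"
add chain=bgp-in-pref rule="if (rpki unknown) { set bgp-local-pref 90 } else { set bgp-local-pref 100 }"
add chain=bgp-in-pref rule="return"
# Output chain: flag matcher without operator or value. Only prefixes originated
# from our own BGP networks are announced, so learned routes cannot leak to transit.
add chain=bgp-out-transit rule="if (not bgp-network) { reject }"
add chain=bgp-out-transit rule="set bgp-path-prepend 2; set bgp-out-med 100; accept"
```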
Property Reference
/routing/filter/chain
Dynamic list of filter rule chains that can be referenced in bgp/ospf configuration.
Read-only properties:
Property | Description
---|---
dynamic (yes \| no) | 
inactive (yes \| no) | 
name (string) | 
/routing/filter/community-ext-set
Allows configuring sets of extended communities that can be reused across multiple filter configurations. Community sets can be used both for matching and for appending/setting.
Property | Description
---|---
comment (string; Default: ) | 
communities (list of ext communities; Default: ) | List of extended communities expressed as a raw integer value or in the typed format "type:value", where type can be: The value depends on the type; for more information on RT and SoO values ask google.
disabled (yes \| no) | 
name (string; Default: ) | Reference name
regexp (string) | Regexp matcher to match communities. A community set with only the regexp parameter cannot be used to append communities
/routing/filter/community-large-set
Allows configuring sets of large communities that can be reused across multiple filter configurations. Community sets can be used both for matching and for appending/setting.
Property | Description
---|---
comment (string; Default: ) | 
communities (list of large communities; Default: ) | List of large communities expressed in the format "admin:value1:value2", where each section is an integer in [0..4294967295]
disabled (yes \| no) | 
name (string; Default: ) | Reference name
regexp (string) | Regexp matcher to match communities. A community set with only the regexp parameter cannot be used to append communities
/routing/filter/community-set
Allows configuring sets of communities that can be reused across multiple filter configurations. Community sets can be used both for matching and for appending/setting.
Property | Description
---|---
comment (string; Default: ) | 
communities (list of communities; Default: ) | List of communities expressed either as a well-known name or in the format "as:number", where each section is an integer in [0..65535]. Accepted well-known names: accept-own, graceful-shutdown, no-advertise, no-llgr, route-filter-6
disabled (yes \| no) | 
name (string; Default: ) | Reference name
regexp (string) | Regexp matcher to match communities. A community set with only the regexp parameter cannot be used to append communities
/routing/filter/num-set
Set of integer numbers that can be reused for number matching between multiple filter rules.
Property | Description
---|---
comment (string; Default: ) | 
disabled (yes \| no) | 
name (string; Default: ) | Reference name
range (start-[end]; integer [0..4294967295]) | Range of numbers in the num-set
/routing/filter/rule
xx.
Property | Description
---|---
chain (string; Default: ) | Reference name of the chain
comment (string; Default: ) | 
disabled (yes \| no) | 
rule (string) | Accepts the script-like syntax described above to match and set route attributes and to reject or accept prefixes
/routing/filter/select-chain
Dynamic list of filter select chains that can be referenced in bgp/ospf configuration.
Read-only properties:
Property | Description
---|---
dynamic (yes \| no) | 
inactive (yes \| no) | 
name (string) | 
/routing/filter/select-rule
xx.