From 4372d79a57de24b8bf4547383bfd9603291f77b1 Mon Sep 17 00:00:00 2001
From: Barry O'Donovan
Date: Mon, 13 Apr 2020 09:59:17 +0100
Subject: [PATCH] [IM] Fully disable standard community filtering if route server ASN is 32bit
While strictly speaking the first filter (0,peeasn) could work, the other do will not. Better to be explicit and match the documentation and fully disable community based filtering for route servers with a 32bit asn. Reminder: we discourage using 32bit ASNs for route servers:
> You are strongly advised to use / request a 16-bit ASN from your RIR
> for route server use. If you do not, you will be unable to offer your
> members standard community based filtering.
Separatrely, we have a feature in development that will allow people to set filters in the UI and which uses large BGP communities internally.
---
 data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf | 2 +-
 data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf | 2 +-
 .../views/api/v4/router/server/bird2/community-filter.foil.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf
index 5f72f0c04..5a671d61d 100644
--- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf
+++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf
@@ -172,7 +172,7 @@ function ixp_community_filter(int peerasn)
 return true;
 # it's unwise to conduct a 32-bit check on a 16-bit value
- if peerasn > 65535 then
+ if routeserverasn > 65535 || peerasn > 65535 then
 return true;
 # Implement widely used community filtering schema.
diff --git a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf
index 6df284110..373ceed6e 100644
--- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf
+++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf
@@ -183,7 +183,7 @@ function ixp_community_filter(int peerasn)
 return true;
 # it's unwise to conduct a 32-bit check on a 16-bit value
- if peerasn > 65535 then
+ if routeserverasn > 65535 || peerasn > 65535 then
 return true;
 # Implement widely used community filtering schema.
diff --git a/resources/views/api/v4/router/server/bird2/community-filter.foil.php b/resources/views/api/v4/router/server/bird2/community-filter.foil.php
index 531ddc0ee..fe6637884 100644
--- a/resources/views/api/v4/router/server/bird2/community-filter.foil.php
+++ b/resources/views/api/v4/router/server/bird2/community-filter.foil.php
@@ -70,7 +70,7 @@ function ixp_community_filter(int peerasn)
 # it's unwise to conduct a 32-bit check on a 16-bit value
- if peerasn > 65535 then
+ if routeserverasn > 65535 || peerasn > 65535 then
 return true;
 # Implement widely used community filtering schema.
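Review bot: The comment above the changed condition in community-filter.foil.php still describes only the per-peer case, so nothing at the check tells an operator that a 32-bit `routeserverasn` now makes the function return true for every peer. If a true return means the route is passed on, members' standard-community export tags are then ignored rather than honoured, which is a fail-open outcome that should be visible in the generated config. I would extend the comment to something like `# 32-bit route server or peer ASN cannot be encoded in a standard community: skip community filtering entirely (members' (0,peerasn) style tags are NOT honoured)`. `routeserverasn` is not defined anywhere in the hunk, so confirm it is declared before this function in every generated bird2 config; the function body starts and ends outside the hunk.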