BGPFilter: match on prefix length
Expected Behavior
In certain scenarios there might be a need to allow/deny prefixes with variable prefix length.
Example: allow accepting prefixes within `77.0.0.0/16` but not `/32` host routes, or a more complex case: do not accept routes with prefix length greater than or equal to `/20` and less than or equal to `/24`.
Another use case could be related to https://github.com/projectcalico/calico/issues/8374 (not yet sure if behaviour in the issue is intended): allow prefix advertisement within the ClusterCIDR range but disable announcement of `/32` prefixes.
If I understand bird filters correctly, that would look like this:

```yaml
exportV4:
  - action: Reject
    matchOperator: In
    cidr: 100.64.0.0/15{32}
```
From the above link:
Sets of prefixes are special: their literals does not allow ranges, but allows prefix patterns that are written as ipaddress/pxlen{low,high}. Prefix ip1/len1 matches prefix pattern ip2/len2{l,h} if the first min(len1, len2) bits of ip1 and ip2 are identical and len1 <= ip1 <= len2. A valid prefix pattern has to satisfy low <= high, but pxlen is not constrained by low or high. Obviously, a prefix matches a prefix set literal if it matches any prefix pattern in the prefix set literal.
There are also two shorthands for prefix patterns: address/len+ is a shorthand for address/len{len,maxlen} (where maxlen is 32 for IPv4 and 128 for IPv6), that means network prefix address/len and all its subnets. address/len- is a shorthand for address/len{0,len}, that means network prefix address/len and all its supernets (network prefixes that contain it).
For example, [ 1.0.0.0/8, 2.0.0.0/8+, 3.0.0.0/8-, 4.0.0.0/8{16,24} ] matches prefix 1.0.0.0/8, all subprefixes of 2.0.0.0/8, all superprefixes of 3.0.0.0/8 and prefixes 4.X.X.X whose prefix length is 16 to 24. [ 0.0.0.0/0{20,24} ] matches all prefixes (regardless of IP address) whose prefix length is 20 to 24, [ 1.2.3.4/32- ] matches any prefix that contains IP address 1.2.3.4. 1.2.0.0/16 ~ [ 1.0.0.0/8{15,17} ] is true, but 1.0.0.0/16 ~ [ 1.0.0.0/8- ] is false.
Cisco-style patterns like 10.0.0.0/8 ge 16 le 24 can be expressed in BIRD as 10.0.0.0/8{16,24}, 192.168.0.0/16 le 24 as 192.168.0.0/16{16,24} and 192.168.0.0/16 ge 24 as 192.168.0.0/16{24,32}.
Caveat: the above works with `cidr`, but I am not sure how the match would look for communities.
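To make the quoted BIRD prefix-pattern semantics concrete, here is an added Python example (not code from this issue, from Calico or from BIRD) that parses patterns in the `ip/len{low,high}`, `ip/len+` and `ip/len-` forms, evaluates a prefix against a pattern set the way the quoted text describes (first `min(len1, len2)` bits equal, and the length range check taken as `low <= len1 <= high`), and converts Cisco-style `ge`/`le` rules into the BIRD form. It then checks the examples given in the quoted text and the two use cases from this issue (subnets of `77.0.0.0/16` other than host routes, and `/32` prefixes inside `100.64.0.0/15`). Only the two-number `{low,high}` form from the quoted grammar is accepted; the single-number `{32}` shorthand is not implemented here.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Grammar taken from the BIRD text quoted above: ip/len, ip/len+, ip/len-, ip/len{low,high}
_PATTERN_RE = re.compile(
    r"^(?P<net>[0-9A-Fa-f:.]+/\d+)(?P<suffix>\+|-|\{(?P<low>\d+),(?P<high>\d+)\})?$"
)


@dataclass(frozen=True)
class PrefixPattern:
    """One prefix pattern: the ip/len part plus the allowed length range."""

    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    low: int
    high: int


def parse_pattern(text: str) -> PrefixPattern:
    """Parse 'ip/len', 'ip/len+', 'ip/len-' or 'ip/len{low,high}' into a PrefixPattern."""
    match = _PATTERN_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a prefix pattern: {text!r}")
    # strict=False: host bits beyond len are irrelevant, only the first len bits are compared
    network = ipaddress.ip_network(match["net"], strict=False)
    maxlen = network.max_prefixlen  # 32 for IPv4, 128 for IPv6
    suffix = match["suffix"]
    if suffix is None:  # exact prefix: only this length matches
        low = high = network.prefixlen
    elif suffix == "+":  # the prefix and all its subnets
        low, high = network.prefixlen, maxlen
    elif suffix == "-":  # the prefix and all its supernets
        low, high = 0, network.prefixlen
    else:  # explicit {low,high}
        low, high = int(match["low"]), int(match["high"])
    if not 0 <= low <= high <= maxlen:
        raise ValueError(f"invalid length range {low},{high} in {text!r}")
    return PrefixPattern(network, low, high)


def matches(prefix: str, pattern: PrefixPattern) -> bool:
    """ip1/len1 matches ip2/len2{l,h} if the first min(len1,len2) bits agree and l <= len1 <= h."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    if candidate.version != pattern.network.version:
        return False
    bits = candidate.max_prefixlen
    common = min(candidate.prefixlen, pattern.network.prefixlen)
    mask = (((1 << common) - 1) << (bits - common)) if common else 0
    same_bits = (int(candidate.network_address) & mask) == (
        int(pattern.network.network_address) & mask
    )
    return same_bits and pattern.low <= candidate.prefixlen <= pattern.high


def in_set(prefix: str, patterns: list[str]) -> bool:
    """A prefix matches a prefix set literal if it matches any pattern in the set."""
    return any(matches(prefix, parse_pattern(p)) for p in patterns)


def cisco_to_bird(cidr: str, ge: int | None = None, le: int | None = None) -> str:
    """Translate 'cidr ge X le Y' into the BIRD 'cidr{low,high}' form (exact prefix if neither given)."""
    network = ipaddress.ip_network(cidr, strict=False)
    if ge is None and le is None:
        return str(network)
    low = ge if ge is not None else network.prefixlen
    high = le if le is not None else network.max_prefixlen
    if not network.prefixlen <= low <= high <= network.max_prefixlen:
        raise ValueError(f"invalid ge/le range for {cidr}: ge={ge} le={le}")
    return f"{network}{{{low},{high}}}"


if __name__ == "__main__":
    # Examples from the quoted BIRD text
    print(in_set("1.2.0.0/16", ["1.0.0.0/8{15,17}"]))  # True
    print(in_set("1.0.0.0/16", ["1.0.0.0/8-"]))        # False
    print(cisco_to_bird("10.0.0.0/8", ge=16, le=24))   # 10.0.0.0/8{16,24}
    # Use cases from this issue (constructed prefixes)
    print(in_set("77.0.5.0/24", ["77.0.0.0/16{16,31}"]))  # True: subnet, not a host route
    print(in_set("77.0.5.1/32", ["77.0.0.0/16{16,31}"]))  # False: /32 host route excluded
    print(in_set("100.65.3.7/32", ["100.64.0.0/15{32,32}"]))  # True: /32 inside the range
```

The `mask` computation compares only the first `min(len1, len2)` bits, so `0.0.0.0/0{20,24}` matches any address at those lengths, and `1.2.3.4/32-` matches any prefix that contains that address, exactly as the quoted text states.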