mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-11-09 12:48:43 +00:00
3413 lines
147 KiB
Plaintext
3413 lines
147 KiB
Plaintext
<!doctype birddoc system>
|
|
|
|
<!--
|
|
BIRD documentation
|
|
|
|
This documentation can have 4 forms: sgml (this is master copy), html, ASCII
|
|
text and dvi/postscript (generated from sgml using sgmltools). You should always
|
|
edit master copy.
|
|
|
|
This is a slightly modified linuxdoc dtd. Anything in <descrip> tags is
|
|
considered definition of configuration primitives, <cf> is fragment of
|
|
configuration within normal text, <m> is "meta" information within fragment of
|
|
configuration - something in config which is not keyword.
|
|
|
|
(set-fill-column 80)
|
|
|
|
Copyright 1999,2000 Pavel Machek <pavel@ucw.cz>, distribute under GPL version 2 or later.
|
|
|
|
-->
|
|
|
|
<book>
|
|
|
|
<title>BIRD User's Guide
|
|
<author>
|
|
Ondrej Filip <it/<feela@network.cz>/,
|
|
Pavel Machek <it/<pavel@ucw.cz>/,
|
|
Martin Mares <it/<mj@ucw.cz>/,
|
|
Ondrej Zajicek <it/<santiago@crfreenet.org>/
|
|
</author>
|
|
|
|
<abstract>
|
|
This document contains user documentation for the BIRD Internet Routing Daemon project.
|
|
</abstract>
|
|
|
|
<!-- Table of contents -->
|
|
<toc>
|
|
|
|
<!-- Begin the document -->
|
|
|
|
|
|
<chapt>Introduction
|
|
|
|
<sect>What is BIRD
|
|
|
|
<p><label id="intro">
|
|
The name `BIRD' is actually an acronym standing for `BIRD Internet Routing
|
|
Daemon'. Let's take a closer look at the meaning of the name:
|
|
|
|
<p><em/BIRD/: Well, we think we have already explained that. It's an acronym
|
|
standing for `BIRD Internet Routing Daemon', you remember, don't you? :-)
|
|
|
|
<p><em/Internet Routing/: It's a program (well, a daemon, as you are going to
|
|
discover in a moment) which works as a dynamic router in an Internet type
|
|
network (that is, in a network running either the IPv4 or the IPv6 protocol).
|
|
Routers are devices which forward packets between interconnected networks in
|
|
order to allow hosts not connected directly to the same local area network to
|
|
communicate with each other. They also communicate with the other routers in the
|
|
Internet to discover the topology of the network which allows them to find
|
|
optimal (in terms of some metric) rules for forwarding of packets (which are
|
|
called routing tables) and to adapt themselves to the changing conditions such
|
|
as outages of network links, building of new connections and so on. Most of
|
|
these routers are costly dedicated devices running obscure firmware which is
|
|
hard to configure and not open to any changes (on the other hand, their special
|
|
hardware design allows them to keep up with lots of high-speed network
|
|
interfaces, better than general-purpose computer does). Fortunately, most
|
|
operating systems of the UNIX family allow an ordinary computer to act as a
|
|
router and forward packets belonging to the other hosts, but only according to a
|
|
statically configured table.
|
|
|
|
<p>A <em/Routing Daemon/ is in UNIX terminology a non-interactive program
|
|
running on background which does the dynamic part of Internet routing, that is
|
|
it communicates with the other routers, calculates routing tables and sends them
|
|
to the OS kernel which does the actual packet forwarding. There already exist
|
|
other such routing daemons: routed (RIP only), GateD (non-free),
|
|
Zebra <HTMLURL URL="http://www.zebra.org"> and
|
|
MRTD <HTMLURL URL="http://sourceforge.net/projects/mrt">,
|
|
but their capabilities are limited and they are relatively hard to configure
|
|
and maintain.
|
|
|
|
<p>BIRD is an Internet Routing Daemon designed to avoid all of these shortcomings,
|
|
to support all the routing technology used in the today's Internet or planned to
|
|
be used in near future and to have a clean extensible architecture allowing new
|
|
routing protocols to be incorporated easily. Among other features, BIRD
|
|
supports:
|
|
|
|
<itemize>
|
|
<item>both IPv4 and IPv6 protocols
|
|
<item>multiple routing tables
|
|
<item>the Border Gateway Protocol (BGPv4)
|
|
<item>the Routing Information Protocol (RIPv2)
|
|
<item>the Open Shortest Path First protocol (OSPFv2, OSPFv3)
|
|
<item>the Router Advertisements for IPv6 hosts
|
|
<item>a virtual protocol for exchange of routes between different
|
|
routing tables on a single host
|
|
<item>a command-line interface allowing on-line control and inspection
|
|
of status of the daemon
|
|
<item>soft reconfiguration (no need to use complex online commands to
|
|
change the configuration, just edit the configuration file and
|
|
notify BIRD to re-read it and it will smoothly switch itself to
|
|
the new configuration, not disturbing routing protocols unless
|
|
they are affected by the configuration changes)
|
|
<item>a powerful language for route filtering
|
|
</itemize>
|
|
|
|
<p>BIRD has been developed at the Faculty of Math and Physics, Charles
|
|
University, Prague, Czech Republic as a student project. It can be freely
|
|
distributed under the terms of the GNU General Public License.
|
|
|
|
<p>BIRD has been designed to work on all UNIX-like systems. It has been
|
|
developed and tested under Linux 2.0 to 2.6, and then ported to FreeBSD, NetBSD
|
|
and OpenBSD, porting to other systems (even non-UNIX ones) should be relatively
|
|
easy due to its highly modular architecture.
|
|
|
|
<p>BIRD supports either IPv4 or IPv6 protocol, but have to be compiled separately
|
|
for each one. Therefore, a dualstack router would run two instances of BIRD (one
|
|
for IPv4 and one for IPv6), with completely separate setups (configuration
|
|
files, tools ...).
|
|
|
|
|
|
<sect>Installing BIRD
|
|
|
|
<p>On a recent UNIX system with GNU development tools (GCC, binutils, m4, make)
|
|
and Perl, installing BIRD should be as easy as:
|
|
|
|
<code>
|
|
./configure
|
|
make
|
|
make install
|
|
vi /usr/local/etc/bird.conf
|
|
bird
|
|
</code>
|
|
|
|
<p>You can use <tt>./configure --help</tt> to get a list of configure
|
|
options. The most important ones are: <tt/--enable-ipv6/ which enables building
|
|
of an IPv6 version of BIRD, <tt/--with-protocols=/ to produce a slightly smaller
|
|
BIRD executable by configuring out routing protocols you don't use, and
|
|
<tt/--prefix=/ to install BIRD to a place different from <file>/usr/local</file>.
|
|
|
|
|
|
<sect>Running BIRD
|
|
|
|
<p>You can pass several command-line options to bird:
|
|
|
|
<descrip>
|
|
<tag>-c <m/config name/</tag>
|
|
use given configuration file instead of <it/prefix/<file>/etc/bird.conf</file>.
|
|
|
|
<tag>-d</tag>
|
|
enable debug messages and run bird in foreground.
|
|
|
|
<tag>-D <m/filename of debug log/</tag>
|
|
log debugging information to given file instead of stderr.
|
|
|
|
<tag>-p</tag>
|
|
just parse the config file and exit. Return value is zero if the config
|
|
file is valid, nonzero if there are some errors.
|
|
|
|
<tag>-s <m/name of communication socket/</tag>
|
|
use given filename for a socket for communications with the client,
|
|
default is <it/prefix/<file>/var/run/bird.ctl</file>.
|
|
|
|
<tag>-P <m/name of PID file/</tag>
|
|
create a PID file with given filename.
|
|
|
|
<tag>-u <m/user/</tag>
|
|
drop privileges and use that user ID, see the next section for details.
|
|
|
|
<tag>-g <m/group/</tag>
|
|
use that group ID, see the next section for details.
|
|
|
|
<tag>-f</tag>
|
|
run bird in foreground.
|
|
|
|
<tag>-R</tag>
|
|
apply graceful restart recovery after start.
|
|
</descrip>
|
|
|
|
<p>BIRD writes messages about its work to log files or syslog (according to config).
|
|
|
|
|
|
<sect>Privileges
|
|
|
|
<p>BIRD, as a routing daemon, uses several privileged operations (like setting
|
|
routing table and using raw sockets). Traditionally, BIRD is executed and runs
|
|
with root privileges, which may be prone to security problems. The recommended
|
|
way is to use a privilege restriction (options <cf/-u/, <cf/-g/). In that case
|
|
BIRD is executed with root privileges, but it changes its user and group ID to
|
|
an unprivileged ones, while using Linux capabilities to retain just required
|
|
privileges (capabilities CAP_NET_*). Note that the control socket is created
|
|
before the privileges are dropped, but the config file is read after that. The
|
|
privilege restriction is not implemented in BSD port of BIRD.
|
|
|
|
<p>A nonprivileged user (as an argument to <cf/-u/ options) may be the user
|
|
<cf/nobody/, but it is suggested to use a new dedicated user account (like
|
|
<cf/bird/). The similar considerations apply for the group option, but there is
|
|
one more condition -- the users in the same group can use <file/birdc/ to
|
|
control BIRD.
|
|
|
|
<p>Finally, there is a possibility to use external tools to run BIRD in an
|
|
environment with restricted privileges. This may need some configuration, but it
|
|
is generally easy -- BIRD needs just the standard library, privileges to read
|
|
the config file and create the control socket and the CAP_NET_* capabilities.
|
|
|
|
|
|
<chapt>About routing tables
|
|
|
|
<p>BIRD has one or more routing tables which may or may not be synchronized with
|
|
OS kernel and which may or may not be synchronized with each other (see the Pipe
|
|
protocol). Each routing table contains a list of known routes. Each route
|
|
consists of:
|
|
|
|
<itemize>
|
|
<item>network prefix this route is for (network address and prefix
|
|
length -- the number of bits forming the network part of the
|
|
address; also known as a netmask)
|
|
<item>preference of this route
|
|
<item>IP address of router which told us about this route
|
|
<item>IP address of router we should forward the packets to using this
|
|
route
|
|
<item>other attributes common to all routes
|
|
<item>dynamic attributes defined by protocols which may or may not be
|
|
present (typically protocol metrics)
|
|
</itemize>
|
|
|
|
Routing table maintains multiple entries for a network, but at most one entry
|
|
for one network and one protocol. The entry with the highest preference is used
|
|
for routing (we will call such an entry the <it/selected route/). If there are
|
|
more entries with the same preference and they are from the same protocol, the
|
|
protocol decides (typically according to metrics). If they aren't, an internal
|
|
ordering is used to break the tie. You can get the list of route attributes in
|
|
the Route attributes section.
|
|
|
|
<p>Each protocol is connected to a routing table through two filters which can
|
|
accept, reject and modify the routes. An <it/export/ filter checks routes passed
|
|
from the routing table to the protocol, an <it/import/ filter checks routes in
|
|
the opposite direction. When the routing table gets a route from a protocol, it
|
|
recalculates the selected route and broadcasts it to all protocols connected to
|
|
the table. The protocols typically send the update to other routers in the
|
|
network. Note that although most protocols are interested in receiving just
|
|
selected routes, some protocols (e.g. the <cf/Pipe/ protocol) receive and
|
|
process all entries in routing tables (accepted by filters).
|
|
|
|
<p><label id="dsc-sorted">Usually, a routing table just chooses a selected route
|
|
from a list of entries for one network. But if the <cf/sorted/ option is
|
|
activated, these lists of entries are kept completely sorted (according to
|
|
preference or some protocol-dependent metric). This is needed for some features
|
|
of some protocols (e.g. <cf/secondary/ option of BGP protocol, which allows to
|
|
accept not just a selected route, but the first route (in the sorted list) that
|
|
is accepted by filters), but it is incompatible with some other features (e.g.
|
|
<cf/deterministic med/ option of BGP protocol, which activates a way of choosing
|
|
selected route that cannot be described using comparison and ordering). Minor
|
|
advantage is that routes are shown sorted in <cf/show route/, minor disadvantage
|
|
is that it is slightly more computationally expensive.
|
|
|
|
|
|
<sect>Graceful restart
|
|
|
|
<p>When BIRD is started after restart or crash, it repopulates routing tables in
|
|
an uncoordinated manner, like after clean start. This may be impractical in some
|
|
cases, because if the forwarding plane (i.e. kernel routing tables) remains
|
|
intact, then its synchronization with BIRD would temporarily disrupt packet
|
|
forwarding until protocols converge. Graceful restart is a mechanism that could
|
|
help with this issue. Generally, it works by starting protocols and letting them
|
|
repopulate routing tables while deferring route propagation until protocols
|
|
acknowledge their convergence. Note that graceful restart behavior have to be
|
|
configured for all relevant protocols and requires protocol-specific support
|
|
(currently implemented for Kernel and BGP protocols), it is activated for
|
|
particular boot by option <cf/-R/.
|
|
|
|
|
|
<chapt>Configuration
|
|
|
|
<sect>Introduction
|
|
|
|
<p>BIRD is configured using a text configuration file. Upon startup, BIRD reads
|
|
<it/prefix/<file>/etc/bird.conf</file> (unless the <tt/-c/ command line option
|
|
is given). Configuration may be changed at user's request: if you modify the
|
|
config file and then signal BIRD with <tt/SIGHUP/, it will adjust to the new
|
|
config. Then there's the client which allows you to talk with BIRD in an
|
|
extensive way.
|
|
|
|
<p>In the config, everything on a line after <cf/#/ or inside <cf>/* */</cf> is
|
|
a comment, whitespace characters are treated as a single space. If there's a
|
|
variable number of options, they are grouped using the <cf/{ }/ brackets. Each
|
|
option is terminated by a <cf/;/. Configuration is case sensitive. There are two
|
|
ways how to name symbols (like protocol names, filter names, constats etc.). You
|
|
can either use a simple string starting with a letter followed by any
|
|
combination of letters and numbers (e.g. "R123", "myfilter", "bgp5") or you can
|
|
enclose the name into apostrophes (<cf/'/) and than you can use any combination
|
|
of numbers, letters. hyphens, dots and colons (e.g. "'1:strange-name'",
|
|
"'-NAME-'", "'cool::name'").
|
|
|
|
<p>Here is an example of a simple config file. It enables synchronization of
|
|
routing tables with OS kernel, scans for new network interfaces every 10 seconds
|
|
and runs RIP on all network interfaces found.
|
|
|
|
<code>
|
|
protocol kernel {
|
|
persist; # Don't remove routes on BIRD shutdown
|
|
scan time 20; # Scan kernel routing table every 20 seconds
|
|
export all; # Default is export none
|
|
}
|
|
|
|
protocol device {
|
|
scan time 10; # Scan interfaces every 10 seconds
|
|
}
|
|
|
|
protocol rip {
|
|
export all;
|
|
import all;
|
|
interface "*";
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Global options
|
|
|
|
<p><descrip>
|
|
<tag>include "<m/filename/"</tag>
|
|
This statement causes inclusion of a new file. <m/Filename/ could also
|
|
be a wildcard. The maximal depth is 5. Note that this statement could be
|
|
used anywhere in the config file, not just as a top-level option.
|
|
|
|
<tag><label id="dsc-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag>
|
|
Set logging of messages having the given class (either <cf/all/ or
|
|
<cf/{ error, trace }/ etc.) into selected destination (a file specified
|
|
as a filename string, syslog with optional name argument, or the stderr
|
|
output). Classes are:
|
|
<cf/info/, <cf/warning/, <cf/error/ and <cf/fatal/ for messages about local problems,
|
|
<cf/debug/ for debugging messages,
|
|
<cf/trace/ when you want to know what happens in the network,
|
|
<cf/remote/ for messages about misbehavior of remote machines,
|
|
<cf/auth/ about authentication failures,
|
|
<cf/bug/ for internal BIRD bugs.
|
|
You may specify more than one <cf/log/ line to establish logging to
|
|
multiple destinations. Default: log everything to the system log.
|
|
|
|
<tag>debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag>
|
|
Set global defaults of protocol debugging options. See <cf/debug/ in the
|
|
following section. Default: off.
|
|
|
|
<tag>debug commands <m/number/</tag>
|
|
Control logging of client connections (0 for no logging, 1 for logging
|
|
of connects and disconnects, 2 and higher for logging of all client
|
|
commands). Default: 0.
|
|
|
|
<tag>mrtdump "<m/filename/"</tag>
|
|
Set MRTdump file name. This option must be specified to allow MRTdump
|
|
feature. Default: no dump file.
|
|
|
|
<tag>mrtdump protocols all|off|{ states, messages }</tag>
|
|
Set global defaults of MRTdump options. See <cf/mrtdump/ in the
|
|
following section. Default: off.
|
|
|
|
<tag>filter <m/name local variables/{ <m/commands/ }</tag>
|
|
Define a filter. You can learn more about filters in the following
|
|
chapter.
|
|
|
|
<tag>function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag>
|
|
Define a function. You can learn more about functions in the following chapter.
|
|
|
|
<tag>protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
|
|
Define a protocol instance called <cf><m/name/</cf> (or with a name like
|
|
"rip5" generated automatically if you don't specify any
|
|
<cf><m/name/</cf>). You can learn more about configuring protocols in
|
|
their own chapters. When <cf>from <m/name2/</cf> expression is used,
|
|
initial protocol options are taken from protocol or template
|
|
<cf><m/name2/</cf> You can run more than one instance of most protocols
|
|
(like RIP or BGP). By default, no instances are configured.
|
|
|
|
<tag>template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag>
|
|
Define a protocol template instance called <m/name/ (or with a name like
|
|
"bgp1" generated automatically if you don't specify any <m/name/).
|
|
Protocol templates can be used to group common options when many
|
|
similarly configured protocol instances are to be defined. Protocol
|
|
instances (and other templates) can use templates by using <cf/from/
|
|
expression and the name of the template. At the moment templates (and
|
|
<cf/from/ expression) are not implemented for OSPF protocol.
|
|
|
|
<tag>define <m/constant/ = <m/expression/</tag>
|
|
Define a constant. You can use it later in every place you could use a
|
|
value of the same type. Besides, there are some predefined numeric
|
|
constants based on /etc/iproute2/rt_* files. A list of defined constants
|
|
can be seen (together with other symbols) using 'show symbols' command.
|
|
|
|
<tag>router id <m/IPv4 address/</tag>
|
|
Set BIRD's router ID. It's a world-wide unique identification of your
|
|
router, usually one of router's IPv4 addresses. Default: in IPv4
|
|
version, the lowest IP address of a non-loopback interface. In IPv6
|
|
version, this option is mandatory.
|
|
|
|
<tag>router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag>
|
|
Set BIRD's router ID based on an IP address of an interface specified by
|
|
an interface pattern. The option is applicable for IPv4 version only.
|
|
See <ref id="dsc-iface" name="interface"> section for detailed
|
|
description of interface patterns with extended clauses.
|
|
|
|
<tag>listen bgp [address <m/address/] [port <m/port/] [dual]</tag>
|
|
This option allows to specify address and port where BGP protocol should
|
|
listen. It is global option as listening socket is common to all BGP
|
|
instances. Default is to listen on all addresses (0.0.0.0) and port 179.
|
|
In IPv6 mode, option <cf/dual/ can be used to specify that BGP socket
|
|
should accept both IPv4 and IPv6 connections (but even in that case,
|
|
BIRD would accept IPv6 routes only). Such behavior was default in older
|
|
versions of BIRD.
|
|
|
|
<tag>graceful restart wait <m/number/</tag>
|
|
During graceful restart recovery, BIRD waits for convergence of routing
|
|
protocols. This option allows to specify a timeout for the recovery to
|
|
prevent waiting indefinitely if some protocols cannot converge. Default:
|
|
240 seconds.
|
|
|
|
<tag>timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag>
|
|
This option allows to specify a format of date/time used by BIRD. The
|
|
first argument specifies for which purpose such format is used.
|
|
<cf/route/ is a format used in 'show route' command output,
|
|
<cf/protocol/ is used in 'show protocols' command output, <cf/base/ is
|
|
used for other commands and <cf/log/ is used in a log file.
|
|
|
|
"<m/format1/" is a format string using <it/strftime(3)/ notation (see
|
|
<it/man strftime/ for details). <m/limit> and "<m/format2/" allow to
|
|
specify the second format string for times in past deeper than <m/limit/
|
|
seconds. There are few shorthands: <cf/iso long/ is a ISO 8601 date/time
|
|
format (YYYY-MM-DD hh:mm:ss) that can be also specified using <cf/"%F %T"/.
|
|
<cf/iso short/ is a variant of ISO 8601 that uses just the time format
|
|
(hh:mm:ss) for near times (up to 20 hours in the past) and the date
|
|
format (YYYY-MM-DD) for far times. This is a shorthand for
|
|
<cf/"%T" 72000 "%F"/.
|
|
|
|
By default, BIRD uses the <cf/iso short/ format for <cf/route/ and
|
|
<cf/protocol/ times, and the <cf/iso long/ format for <cf/base/ and
|
|
<cf/log/ times.
|
|
|
|
In pre-1.4.0 versions, BIRD used an short, ad-hoc format for <cf/route/
|
|
and <cf/protocol/ times, and a <cf/iso long/ similar format (DD-MM-YYYY
|
|
hh:mm:ss) for <cf/base/ and <cf/log/. These timeformats could be set by
|
|
<cf/old short/ and <cf/old long/ compatibility shorthands.
|
|
|
|
<tag>table <m/name/ [sorted]</tag>
|
|
Create a new routing table. The default routing table is created
|
|
implicitly, other routing tables have to be added by this command.
|
|
Option <cf/sorted/ can be used to enable sorting of routes, see
|
|
<ref id="dsc-sorted" name="sorted table"> description for details.
|
|
|
|
<tag>roa table <m/name/ [ { roa table options ... } ]</tag>
|
|
Create a new ROA (Route Origin Authorization) table. ROA tables can be
|
|
used to validate route origination of BGP routes. A ROA table contains
|
|
ROA entries, each consist of a network prefix, a max prefix length and
|
|
an AS number. A ROA entry specifies prefixes which could be originated
|
|
by that AS number. ROA tables could be filled with data from RPKI (RFC
|
|
6480) or from public databases like Whois. ROA tables are examined by
|
|
<cf/roa_check()/ operator in filters.
|
|
|
|
Currently, there is just one option, <cf>roa <m/prefix/ max <m/num/ as
|
|
<m/num/</cf>, which can be used to populate the ROA table with static
|
|
ROA entries. The option may be used multiple times. Other entries can be
|
|
added dynamically by <cf/add roa/ command.
|
|
|
|
<tag>eval <m/expr/</tag>
|
|
Evaluates given filter expression. It is used by us for testing of filters.
|
|
</descrip>
|
|
|
|
|
|
<sect>Protocol options
|
|
|
|
<p>For each protocol instance, you can configure a bunch of options. Some of
|
|
them (those described in this section) are generic, some are specific to the
|
|
protocol (see sections talking about the protocols).
|
|
|
|
<p>Several options use a <m/switch/ argument. It can be either <cf/on/,
|
|
<cf/yes/ or a numeric expression with a non-zero value for the option to be
|
|
enabled or <cf/off/, <cf/no/ or a numeric expression evaluating to zero to
|
|
disable it. An empty <m/switch/ is equivalent to <cf/on/ ("silence means
|
|
agreement").
|
|
|
|
<descrip>
|
|
<tag>preference <m/expr/</tag>
|
|
Sets the preference of routes generated by this protocol. Default:
|
|
protocol dependent.
|
|
|
|
<tag>disabled <m/switch/</tag>
|
|
Disables the protocol. You can change the disable/enable status from the
|
|
command line interface without needing to touch the configuration.
|
|
Disabled protocols are not activated. Default: protocol is enabled.
|
|
|
|
<tag>debug all|off|{ states, routes, filters, interfaces, events, packets }</tag>
|
|
Set protocol debugging options. If asked, each protocol is capable of
|
|
writing trace messages about its work to the log (with category
|
|
<cf/trace/). You can either request printing of <cf/all/ trace messages
|
|
or only of the types selected: <cf/states/ for protocol state changes
|
|
(protocol going up, down, starting, stopping etc.), <cf/routes/ for
|
|
routes exchanged with the routing table, <cf/filters/ for details on
|
|
route filtering, <cf/interfaces/ for interface change events sent to the
|
|
protocol, <cf/events/ for events internal to the protocol and <cf/packets/
|
|
for packets sent and received by the protocol. Default: off.
|
|
|
|
<tag>mrtdump all|off|{ states, messages }</tag>
|
|
Set protocol MRTdump flags. MRTdump is a standard binary format for
|
|
logging information from routing protocols and daemons. These flags
|
|
control what kind of information is logged from the protocol to the
|
|
MRTdump file (which must be specified by global <cf/mrtdump/ option, see
|
|
the previous section). Although these flags are similar to flags of
|
|
<cf/debug/ option, their meaning is different and protocol-specific. For
|
|
BGP protocol, <cf/states/ logs BGP state changes and <cf/messages/ logs
|
|
received BGP messages. Other protocols does not support MRTdump yet.
|
|
|
|
<tag>router id <m/IPv4 address/</tag>
|
|
This option can be used to override global router id for a given
|
|
protocol. Default: uses global router id.
|
|
|
|
<tag>import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag>
|
|
Specify a filter to be used for filtering routes coming from the
|
|
protocol to the routing table. <cf/all/ is shorthand for <cf/where true/
|
|
and <cf/none/ is shorthand for <cf/where false/. Default: <cf/all/.
|
|
|
|
<tag>export <m/filter/</tag>
|
|
This is similar to the <cf>import</cf> keyword, except that it works in
|
|
the direction from the routing table to the protocol. Default: <cf/none/.
|
|
|
|
<tag>import keep filtered <m/switch/</tag>
|
|
Usually, if an import filter rejects a route, the route is forgotten.
|
|
When this option is active, these routes are kept in the routing table,
|
|
but they are hidden and not propagated to other protocols. But it is
|
|
possible to show them using <cf/show route filtered/. Note that this
|
|
option does not work for the pipe protocol. Default: off.
|
|
|
|
<tag><label id="import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
|
|
Specify an import route limit (a maximum number of routes imported from
|
|
the protocol) and optionally the action to be taken when the limit is
|
|
hit. Warn action just prints warning log message. Block action discards
|
|
new routes coming from the protocol. Restart and disable actions shut
|
|
the protocol down like appropriate commands. Disable is the default
|
|
action if an action is not explicitly specified. Note that limits are
|
|
reset during protocol reconfigure, reload or restart. Default: <cf/off/.
|
|
|
|
<tag>receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
|
|
Specify an receive route limit (a maximum number of routes received from
|
|
the protocol and remembered). It works almost identically to <cf>import
|
|
limit</cf> option, the only difference is that if <cf/import keep
|
|
filtered/ option is active, filtered routes are counted towards the
|
|
limit and blocked routes are forgotten, as the main purpose of the
|
|
receive limit is to protect routing tables from overflow. Import limit,
|
|
on the contrary, counts accepted routes only and routes blocked by the
|
|
limit are handled like filtered routes. Default: <cf/off/.
|
|
|
|
<tag>export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag>
|
|
Specify an export route limit, works similarly to the <cf>import
|
|
limit</cf> option, but for the routes exported to the protocol. This
|
|
option is experimental, there are some problems in details of its
|
|
behavior -- the number of exported routes can temporarily exceed the
|
|
limit without triggering it during protocol reload, exported routes
|
|
counter ignores route blocking and block action also blocks route
|
|
updates of already accepted routes -- and these details will probably
|
|
change in the future. Default: <cf/off/.
|
|
|
|
<tag>description "<m/text/"</tag>
|
|
This is an optional description of the protocol. It is displayed as a
|
|
part of the output of 'show route all' command.
|
|
|
|
<tag>table <m/name/</tag>
|
|
Connect this protocol to a non-default routing table.
|
|
</descrip>
|
|
|
|
<p>There are several options that give sense only with certain protocols:
|
|
|
|
<descrip>
|
|
<tag><label id="dsc-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag>
|
|
Specifies a set of interfaces on which the protocol is activated with
|
|
given interface-specific options. A set of interfaces specified by one
|
|
interface option is described using an interface pattern. The interface
|
|
pattern consists of a sequence of clauses (separated by commas), each
|
|
clause is a mask specified as a shell-like pattern. Interfaces are
|
|
matched by their name.
|
|
|
|
An interface matches the pattern if it matches any of its clauses. If
|
|
the clause begins with <cf/-/, matching interfaces are excluded. Patterns
|
|
are processed left-to-right, thus <cf/interface "eth0", -"eth*", "*";/
|
|
means eth0 and all non-ethernets.
|
|
|
|
Some protocols (namely OSPFv2 and Direct) support extended clauses that
|
|
may contain a mask, a prefix, or both of them. An interface matches such
|
|
clause if its name matches the mask (if specified) and its address
|
|
matches the prefix (if specified). Extended clauses are used when the
|
|
protocol handles multiple addresses on an interface independently.
|
|
|
|
An interface option can be used more times with different interface-specific
|
|
options, in that case for given interface the first matching interface
|
|
option is used.
|
|
|
|
This option is allowed in BFD, Direct, OSPF, RAdv and RIP protocols, but
|
|
in OSPF protocol it is used in the <cf/area/ subsection.
|
|
|
|
Default: none.
|
|
|
|
Examples:
|
|
|
|
<cf>interface "*" { type broadcast; };</cf> - start the protocol on all
|
|
interfaces with <cf>type broadcast</cf> option.
|
|
|
|
<cf>interface "eth1", "eth4", "eth5" { type ptp; };</cf> - start the
|
|
protocol on enumerated interfaces with <cf>type ptp</cf> option.
|
|
|
|
<cf>interface -192.168.1.0/24, 192.168.0.0/16;</cf> - start the protocol
|
|
on all interfaces that have address from 192.168.0.0/16, but not from
|
|
192.168.1.0/24.
|
|
|
|
<cf>interface -192.168.1.0/24, 192.168.0.0/16;</cf> - start the protocol
|
|
on all interfaces that have address from 192.168.0.0/16, but not from
|
|
192.168.1.0/24.
|
|
|
|
<cf>interface "eth*" 192.168.1.0/24;</cf> - start the protocol on all
|
|
ethernet interfaces that have address from 192.168.1.0/24.
|
|
|
|
<tag><label id="dsc-prio">tx class|dscp <m/num/</tag>
|
|
This option specifies the value of ToS/DS/Class field in IP headers of
|
|
the outgoing protocol packets. This may affect how the protocol packets
|
|
are processed by the network relative to the other network traffic. With
|
|
<cf/class/ keyword, the value (0-255) is used for the whole ToS/Class
|
|
octet (but two bits reserved for ECN are ignored). With <cf/dscp/
|
|
keyword, the value (0-63) is used just for the DS field in the octet.
|
|
Default value is 0xc0 (DSCP 0x30 - CS6).
|
|
|
|
<tag>tx priority <m/num/</tag>
|
|
This option specifies the local packet priority. This may affect how the
|
|
protocol packets are processed in the local TX queues. This option is
|
|
Linux specific. Default value is 7 (highest priority, privileged traffic).
|
|
|
|
<tag><label id="dsc-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag>
|
|
Specifies a password that can be used by the protocol. Password option
|
|
can be used more times to specify more passwords. If more passwords are
|
|
specified, it is a protocol-dependent decision which one is really
|
|
used. Specifying passwords does not mean that authentication is enabled,
|
|
authentication can be enabled by separate, protocol-dependent
|
|
<cf/authentication/ option.
|
|
|
|
This option is allowed in OSPF and RIP protocols. BGP has also
|
|
<cf/password/ option, but it is slightly different and described
|
|
separately.
|
|
|
|
Default: none.
|
|
</descrip>
|
|
|
|
<p>Password option can contain section with some (not necessary all) password sub-options:
|
|
|
|
<descrip>
|
|
<tag>id <M>num</M></tag>
|
|
ID of the password, (0-255). If it's not used, BIRD will choose ID based
|
|
on an order of the password item in the interface. For example, second
|
|
password item in one interface will have default ID 2. ID is used by
|
|
some routing protocols to identify which password was used to
|
|
authenticate protocol packets.
|
|
|
|
<tag>generate from "<m/time/"</tag>
|
|
The start time of the usage of the password for packet signing.
|
|
The format of <cf><m/time/</cf> is <tt>dd-mm-yyyy HH:MM:SS</tt>.
|
|
|
|
<tag>generate to "<m/time/"</tag>
|
|
The last time of the usage of the password for packet signing.
|
|
|
|
<tag>accept from "<m/time/"</tag>
|
|
The start time of the usage of the password for packet verification.
|
|
|
|
<tag>accept to "<m/time/"</tag>
|
|
The last time of the usage of the password for packet verification.
|
|
</descrip>
|
|
|
|
<chapt>Remote control
|
|
|
|
<p>You can use the command-line client <file>birdc</file> to talk with a running
|
|
BIRD. Communication is done using a <file/bird.ctl/ UNIX domain socket (unless
|
|
changed with the <tt/-s/ option given to both the server and the client). The
|
|
commands can perform simple actions such as enabling/disabling of protocols,
|
|
telling BIRD to show various information, telling it to show routing table
|
|
filtered by filter, or asking BIRD to reconfigure. Press <tt/?/ at any time to
|
|
get online help. Option <tt/-r/ can be used to enable a restricted mode of BIRD
|
|
client, which allows just read-only commands (<cf/show .../). Option <tt/-v/ can
|
|
be passed to the client, to make it dump numeric return codes along with the
|
|
messages. You do not necessarily need to use <file/birdc/ to talk to BIRD, your
|
|
own applications could do that, too -- the format of communication between BIRD
|
|
and <file/birdc/ is stable (see the programmer's documentation).
|
|
|
|
<p>There is also lightweight variant of BIRD client called <file/birdcl/, which
|
|
does not support command line editing and history and has minimal dependencies.
|
|
This is useful for running BIRD in resource constrained environments, where
|
|
Readline library (required for regular BIRD client) is not available.
|
|
|
|
<p>Many commands have the <m/name/ of the protocol instance as an argument.
|
|
This argument can be omitted if there exists only a single instance.
|
|
|
|
<p>Here is a brief list of supported functions:
|
|
|
|
<descrip>
|
|
<tag>show status</tag>
|
|
Show router status, that is BIRD version, uptime and time from last
|
|
reconfiguration.
|
|
|
|
<tag>show protocols [all]</tag>
|
|
Show list of protocol instances along with tables they are connected to
|
|
and protocol status, possibly giving verbose information, if <cf/all/ is
|
|
specified.
|
|
|
|
<tag>show ospf interface [<m/name/] ["<m/interface/"]</tag>
|
|
Show detailed information about OSPF interfaces.
|
|
|
|
<tag>show ospf neighbors [<m/name/] ["<m/interface/"]</tag>
|
|
Show a list of OSPF neighbors and a state of adjacency to them.
|
|
|
|
<tag>show ospf state [all] [<m/name/]</tag>
|
|
Show detailed information about OSPF areas based on a content of the
|
|
link-state database. It shows network topology, stub networks,
|
|
aggregated networks and routers from other areas and external routes.
|
|
The command shows information about reachable network nodes, use option
|
|
<cf/all/ to show information about all network nodes in the link-state
|
|
database.
|
|
|
|
<tag>show ospf topology [all] [<m/name/]</tag>
|
|
Show a topology of OSPF areas based on a content of the link-state
|
|
database. It is just a stripped-down version of 'show ospf state'.
|
|
|
|
<tag>show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag>
|
|
Show contents of an OSPF LSA database. Options could be used to filter
|
|
entries.
|
|
|
|
<tag>show static [<m/name/]</tag>
|
|
Show detailed information about static routes.
|
|
|
|
<tag>show bfd sessions [<m/name/]</tag>
|
|
Show information about BFD sessions.
|
|
|
|
<tag>show interfaces [summary]</tag>
|
|
Show the list of interfaces. For each interface, print its type, state,
|
|
MTU and addresses assigned.
|
|
|
|
<tag>show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag>
|
|
Show the list of symbols defined in the configuration (names of
|
|
protocols, routing tables etc.).
|
|
|
|
<tag>show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport) <m/p/] [protocol <m/p/] [<m/options/]</tag>
|
|
Show contents of a routing table (by default of the main one or the
|
|
table attached to a respective protocol), that is routes, their metrics
|
|
and (in case the <cf/all/ switch is given) all their attributes.
|
|
|
|
<p>You can specify a <m/prefix/ if you want to print routes for a
|
|
specific network. If you use <cf>for <m/prefix or IP/</cf>, you'll get
|
|
the entry which will be used for forwarding of packets to the given
|
|
destination. By default, all routes for each network are printed with
|
|
the selected one at the top, unless <cf/primary/ is given in which case
|
|
only the selected route is shown.
|
|
|
|
<p>You can also ask for printing only routes processed and accepted by
|
|
a given filter (<cf>filter <m/name/</cf> or <cf>filter { <m/filter/ }
|
|
</cf> or matching a given condition (<cf>where <m/condition/</cf>).
|
|
The <cf/export/ and <cf/preexport/ switches ask for printing of entries
|
|
that are exported to the specified protocol. With <cf/preexport/, the
|
|
export filter of the protocol is skipped.
|
|
|
|
<p>You can also select just routes added by a specific protocol.
|
|
<cf>protocol <m/p/</cf>.
|
|
|
|
<p>If BIRD is configured to keep filtered routes (see <cf/import keep
|
|
filtered/ option), you can show them instead of routes by using
|
|
<cf/filtered/ switch.
|
|
|
|
<p>The <cf/stats/ switch requests showing of route statistics (the
|
|
number of networks, number of routes before and after filtering). If
|
|
you use <cf/count/ instead, only the statistics will be printed.
|
|
|
|
<tag>show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag>
|
|
Show contents of a ROA table (by default of the first one). You can
|
|
specify a <m/prefix/ to print ROA entries for a specific network. If you
|
|
use <cf>for <m/prefix/</cf>, you'll get all entries relevant for route
|
|
validation of the network prefix; i.e., ROA entries whose prefixes cover
|
|
the network prefix. Or you can use <cf>in <m/prefix/</cf> to get ROA
|
|
entries covered by the network prefix. You could also use <cf/as/ option
|
|
to show just entries for given AS.
|
|
|
|
<tag>add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
|
|
Add a new ROA entry to a ROA table. Such entry is called <it/dynamic/
|
|
compared to <it/static/ entries specified in the config file. These
|
|
dynamic entries survive reconfiguration.
|
|
|
|
<tag>delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag>
|
|
Delete the specified ROA entry from a ROA table. Only dynamic ROA
|
|
entries (i.e., the ones added by <cf/add roa/ command) can be deleted.
|
|
|
|
<tag>flush roa [table <m/t/>]</tag>
|
|
Remove all dynamic ROA entries from a ROA table.
|
|
|
|
<tag>configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag>
|
|
Reload configuration from a given file. BIRD will smoothly switch itself
|
|
to the new configuration, protocols are reconfigured if possible,
|
|
restarted otherwise. Changes in filters usually lead to restart of
|
|
affected protocols.
|
|
|
|
If <cf/soft/ option is used, changes in filters does not cause BIRD to
|
|
restart affected protocols, therefore already accepted routes (according
|
|
to old filters) would be still propagated, but new routes would be
|
|
processed according to the new filters.
|
|
|
|
If <cf/timeout/ option is used, config timer is activated. The new
|
|
configuration could be either confirmed using <cf/configure confirm/
|
|
command, or it will be reverted to the old one when the config timer
|
|
expires. This is useful for cases when reconfiguration breaks current
|
|
routing and a router becames inaccessible for an administrator. The
|
|
config timeout expiration is equivalent to <cf/configure undo/
|
|
command. The timeout duration could be specified, default is 300 s.
|
|
|
|
<tag>configure confirm</tag>
|
|
Deactivate the config undo timer and therefore confirm the current
|
|
configuration.
|
|
|
|
<tag>configure undo</tag>
|
|
Undo the last configuration change and smoothly switch back to the
|
|
previous (stored) configuration. If the last configuration change was
|
|
soft, the undo change is also soft. There is only one level of undo, but
|
|
in some specific cases when several reconfiguration requests are given
|
|
immediately in a row and the intermediate ones are skipped then the undo
|
|
also skips them back.
|
|
|
|
<tag>configure check ["<m/config file/"]</tag>
|
|
Read and parse given config file, but do not use it. useful for checking
|
|
syntactic and some semantic validity of an config file.
|
|
|
|
<tag>enable|disable|restart <m/name/|"<m/pattern/"|all</tag>
|
|
Enable, disable or restart a given protocol instance, instances matching
|
|
the <cf><m/pattern/</cf> or <cf/all/ instances.
|
|
|
|
<tag>reload [in|out] <m/name/|"<m/pattern/"|all</tag>
|
|
Reload a given protocol instance, that means re-import routes from the
|
|
protocol instance and re-export preferred routes to the instance. If
|
|
<cf/in/ or <cf/out/ options are used, the command is restricted to one
|
|
direction (re-import or re-export).
|
|
|
|
This command is useful if appropriate filters have changed but the
|
|
protocol instance was not restarted (or reloaded), therefore it still
|
|
propagates the old set of routes. For example when <cf/configure soft/
|
|
command was used to change filters.
|
|
|
|
Re-export always succeeds, but re-import is protocol-dependent and might
|
|
fail (for example, if BGP neighbor does not support route-refresh
|
|
extension). In that case, re-export is also skipped. Note that for the
|
|
pipe protocol, both directions are always reloaded together (<cf/in/ or
|
|
<cf/out/ options are ignored in that case).
|
|
|
|
<tag/down/
|
|
Shut BIRD down.
|
|
|
|
<tag>debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag>
|
|
Control protocol debugging.
|
|
|
|
<tag>dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag>
|
|
Dump contents of internal data structures to the debugging output.
|
|
|
|
<tag>echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag>
|
|
Control echoing of log messages to the command-line output.
|
|
See <ref id="dsc-log" name="log option"> for a list of log classes.
|
|
|
|
<tag>eval <m/expr/</tag>
|
|
Evaluate given expression.
|
|
</descrip>
|
|
|
|
|
|
<chapt>Filters
|
|
|
|
<sect>Introduction
|
|
|
|
<p>BIRD contains a simple programming language. (No, it can't yet read mail :-).
|
|
There are two objects in this language: filters and functions. Filters are
|
|
interpreted by BIRD core when a route is being passed between protocols and
|
|
routing tables. The filter language contains control structures such as if's and
|
|
switches, but it allows no loops. An example of a filter using many features can
|
|
be found in <file>filter/test.conf</file>.
|
|
|
|
<p>Filter gets the route, looks at its attributes and modifies some of them if
|
|
it wishes. At the end, it decides whether to pass the changed route through
|
|
(using <cf/accept/) or whether to <cf/reject/ it. A simple filter looks like
|
|
this:
|
|
|
|
<code>
|
|
filter not_too_far
|
|
int var;
|
|
{
|
|
if defined( rip_metric ) then
|
|
var = rip_metric;
|
|
else {
|
|
var = 1;
|
|
rip_metric = 1;
|
|
}
|
|
if rip_metric > 10 then
|
|
reject "RIP metric is too big";
|
|
else
|
|
accept "ok";
|
|
}
|
|
</code>
|
|
|
|
<p>As you can see, a filter has a header, a list of local variables, and a body.
|
|
The header consists of the <cf/filter/ keyword followed by a (unique) name of
|
|
filter. The list of local variables consists of <cf><M>type name</M>;</cf>
|
|
pairs where each pair defines one local variable. The body consists of <cf>
|
|
{ <M>statements</M> }</cf>. Each <m/statement/ is terminated by a <cf/;/. You
|
|
can group several statements to a single compound statement by using braces
|
|
(<cf>{ <M>statements</M> }</cf>) which is useful if you want to make a bigger
|
|
block of code conditional.
|
|
|
|
<p>BIRD supports functions, so that you don't have to repeat the same blocks of
|
|
code over and over. Functions can have zero or more parameters and they can have
|
|
local variables. Recursion is not allowed. Function definitions look like this:
|
|
|
|
<code>
|
|
function name ()
|
|
int local_variable;
|
|
{
|
|
local_variable = 5;
|
|
}
|
|
|
|
function with_parameters (int parameter)
|
|
{
|
|
print parameter;
|
|
}
|
|
</code>
|
|
|
|
<p>Unlike in C, variables are declared after the <cf/function/ line, but before
|
|
the first <cf/{/. You can't declare variables in nested blocks. Functions are
|
|
called like in C: <cf>name(); with_parameters(5);</cf>. Function may return
|
|
values using the <cf>return <m/[expr]/</cf> command. Returning a value exits
|
|
from current function (this is similar to C).
|
|
|
|
<p>Filters are declared in a way similar to functions except they can't have
|
|
explicit parameters. They get a route table entry as an implicit parameter, it
|
|
is also passed automatically to any functions called. The filter must terminate
|
|
with either <cf/accept/ or <cf/reject/ statement. If there's a runtime error in
|
|
filter, the route is rejected.
|
|
|
|
<p>A nice trick to debug filters is to use <cf>show route filter <m/name/</cf>
|
|
from the command line client. An example session might look like:
|
|
|
|
<code>
|
|
pavel@bug:~/bird$ ./birdc -s bird.ctl
|
|
BIRD 0.0.0 ready.
|
|
bird> show route
|
|
10.0.0.0/8 dev eth0 [direct1 23:21] (240)
|
|
195.113.30.2/32 dev tunl1 [direct1 23:21] (240)
|
|
127.0.0.0/8 dev lo [direct1 23:21] (240)
|
|
bird> show route ?
|
|
show route [<prefix>] [table <t>] [filter <f>] [all] [primary]...
|
|
bird> show route filter { if 127.0.0.5 ˜ net then accept; }
|
|
127.0.0.0/8 dev lo [direct1 23:21] (240)
|
|
bird>
|
|
</code>
|
|
|
|
|
|
<sect>Data types
|
|
|
|
<p>Each variable and each value has certain type. Booleans, integers and enums
|
|
are incompatible with each other (that is to prevent you from shooting in the
|
|
foot).
|
|
|
|
<descrip>
|
|
<tag/bool/
|
|
This is a boolean type, it can have only two values, <cf/true/ and
|
|
<cf/false/. Boolean is the only type you can use in <cf/if/ statements.
|
|
|
|
<tag/int/
|
|
This is a general integer type. It is an unsigned 32bit type; i.e., you
|
|
can expect it to store values from 0 to 4294967295. Overflows are not
|
|
checked. You can use <cf/0x1234/ syntax to write hexadecimal values.
|
|
|
|
<tag/pair/
|
|
This is a pair of two short integers. Each component can have values
|
|
from 0 to 65535. Literals of this type are written as <cf/(1234,5678)/.
|
|
The same syntax can also be used to construct a pair from two arbitrary
|
|
integer expressions (for example <cf/(1+2,a)/).
|
|
|
|
<tag/quad/
|
|
This is a dotted quad of numbers used to represent router IDs (and
|
|
others). Each component can have a value from 0 to 255. Literals of
|
|
this type are written like IPv4 addresses.
|
|
|
|
<tag/string/
|
|
This is a string of characters. There are no ways to modify strings in
|
|
filters. You can pass them between functions, assign them to variables
|
|
of type <cf/string/, print such variables, use standard string
|
|
comparison operations (e.g. <cf/=, !=, <, >, <=, >=/), but
|
|
you can't concatenate two strings. String literals are written as
|
|
<cf/"This is a string constant"/. Additionaly matching <cf/˜/
|
|
operator could be used to match a string value against a shell pattern
|
|
(represented also as a string).
|
|
|
|
<tag/ip/
|
|
This type can hold a single IP address. Depending on the compile-time
|
|
configuration of BIRD you are using, it is either an IPv4 or IPv6
|
|
address. IP addresses are written in the standard notation
|
|
(<cf/10.20.30.40/ or <cf/fec0:3:4::1/). You can apply special operator
|
|
<cf>.mask(<M>num</M>)</cf> on values of type ip. It masks out all but
|
|
first <cf><M>num</M></cf> bits from the IP address. So
|
|
<cf/1.2.3.4.mask(8) = 1.0.0.0/ is true.
|
|
|
|
<tag/prefix/
|
|
This type can hold a network prefix consisting of IP address and prefix
|
|
length. Prefix literals are written as <cf><m/ipaddress//<m/pxlen/</cf>,
|
|
or <cf><m>ipaddress</m>/<m>netmask</m></cf>. There are two special
|
|
operators on prefixes: <cf/.ip/ which extracts the IP address from the
|
|
pair, and <cf/.len/, which separates prefix length from the pair.
|
|
So <cf>1.2.0.0/16.pxlen = 16</cf> is true.
|
|
|
|
<tag/ec/
|
|
|
|
This is a specialized type used to represent BGP extended community
|
|
values. It is essentially a 64bit value, literals of this type are
|
|
usually written as <cf>(<m/kind/, <m/key/, <m/value/)</cf>, where
|
|
<cf/kind/ is a kind of extended community (e.g. <cf/rt/ / <cf/ro/ for a
|
|
route target / route origin communities), the format and possible values
|
|
of <cf/key/ and <cf/value/ are usually integers, but it depends on the
|
|
used kind. Similarly to pairs, ECs can be constructed using expressions
|
|
for <cf/key/ and <cf/value/ parts, (e.g. <cf/(ro, myas, 3*10)/, where
|
|
<cf/myas/ is an integer variable).
|
|
|
|
<tag/int|pair|quad|ip|prefix|ec|enum set/
|
|
Filters recognize four types of sets. Sets are similar to strings: you
|
|
can pass them around but you can't modify them. Literals of type <cf>int
|
|
set</cf> look like <cf> [ 1, 2, 5..7 ]</cf>. As you can see, both simple
|
|
values and ranges are permitted in sets.
|
|
|
|
For pair sets, expressions like <cf/(123,*)/ can be used to denote
|
|
ranges (in that case <cf/(123,0)..(123,65535)/). You can also use
|
|
<cf/(123,5..100)/ for range <cf/(123,5)..(123,100)/. You can also use
|
|
<cf/*/ and <cf/a..b/ expressions in the first part of a pair, note that
|
|
such expressions are translated to a set of intervals, which may be
|
|
memory intensive. E.g. <cf/(*,4..20)/ is translated to <cf/(0,4..20),
|
|
(1,4..20), (2,4..20), ... (65535, 4..20)/.
|
|
|
|
EC sets use similar expressions like pair sets, e.g. <cf/(rt, 123,
|
|
10..20)/ or <cf/(ro, 123, *)/. Expressions requiring the translation
|
|
(like <cf/(rt, *, 3)/) are not allowed (as they usually have 4B range
|
|
for ASNs).
|
|
|
|
You can also use expressions for int, pair and EC set values. However it
|
|
must be possible to evaluate these expressions before daemon boots. So
|
|
you can use only constants inside them. E.g.
|
|
|
|
<code>
|
|
define one=1;
|
|
define myas=64500;
|
|
int set odds;
|
|
pair set ps;
|
|
ec set es;
|
|
|
|
odds = [ one, 2+1, 6-one, 2*2*2-1, 9, 11 ];
|
|
ps = [ (1,one+one), (3,4)..(4,8), (5,*), (6,3..6), (7..9,*) ];
|
|
es = [ (rt, myas, 3*10), (rt, myas+one, 0..16*16*16-1), (ro, myas+2, *) ];
|
|
</code>
|
|
|
|
Sets of prefixes are special: their literals does not allow ranges, but
|
|
allows prefix patterns that are written
|
|
as <cf><M>ipaddress</M>/<M>pxlen</M>{<M>low</M>,<M>high</M>}</cf>.
|
|
Prefix <cf><m>ip1</m>/<m>len1</m></cf> matches prefix
|
|
pattern <cf><m>ip2</m>/<m>len2</m>{<m>l</m>,<m>h</m>}</cf> if the
|
|
first <cf>min(len1, len2)</cf> bits of <cf/ip1/ and <cf/ip2/ are
|
|
identical and <cf>len1 <= ip1 <= len2</cf>. A valid prefix pattern
|
|
has to satisfy <cf>low <= high</cf>, but <cf/pxlen/ is not
|
|
constrained by <cf/low/ or <cf/high/. Obviously, a prefix matches a
|
|
prefix set literal if it matches any prefix pattern in the prefix set
|
|
literal.
|
|
|
|
There are also two shorthands for prefix patterns: <cf><m/address//<m/len/+</cf>
|
|
is a shorthand for <cf><m/address//<m/len/{<m/len/,<m/maxlen/}</cf>
|
|
(where <cf><m/maxlen/</cf> is 32 for IPv4 and 128 for IPv6), that means
|
|
network prefix <cf><m/address//<m/len/</cf> and all its subnets.
|
|
<cf><m/address//<m/len/-</cf> is a shorthand for
|
|
<cf><m/address//<m/len/{0,<m/len/}</cf>, that means network prefix
|
|
<cf><m/address//<m/len/</cf> and all its supernets (network prefixes
|
|
that contain it).
|
|
|
|
For example, <cf>[ 1.0.0.0/8, 2.0.0.0/8+, 3.0.0.0/8-, 4.0.0.0/8{16,24}
|
|
]</cf> matches prefix <cf>1.0.0.0/8</cf>, all subprefixes of
|
|
<cf>2.0.0.0/8</cf>, all superprefixes of <cf>3.0.0.0/8</cf> and prefixes
|
|
<cf/4.X.X.X/ whose prefix length is 16 to 24. <cf>[ 0.0.0.0/0{20,24} ]</cf>
|
|
matches all prefixes (regardless of IP address) whose prefix length is
|
|
20 to 24, <cf>[ 1.2.3.4/32- ]</cf> matches any prefix that contains IP
|
|
address <cf>1.2.3.4</cf>. <cf>1.2.0.0/16 ˜ [ 1.0.0.0/8{15,17} ]</cf>
|
|
is true, but <cf>1.0.0.0/16 ˜ [ 1.0.0.0/8- ]</cf> is false.
|
|
|
|
Cisco-style patterns like <cf>10.0.0.0/8 ge 16 le 24</cf> can be expressed
|
|
in BIRD as <cf>10.0.0.0/8{16,24}</cf>, <cf>192.168.0.0/16 le 24</cf> as
|
|
<cf>192.168.0.0/16{16,24}</cf> and <cf>192.168.0.0/16 ge 24</cf> as
|
|
<cf>192.168.0.0/16{24,32}</cf>.
|
|
|
|
<tag/enum/
|
|
Enumeration types are fixed sets of possibilities. You can't define your
|
|
own variables of such type, but some route attributes are of enumeration
|
|
type. Enumeration types are incompatible with each other.
|
|
|
|
<tag/bgppath/
|
|
BGP path is a list of autonomous system numbers. You can't write
|
|
literals of this type. There are several special operators on bgppaths:
|
|
|
|
<cf><m/P/.first</cf> returns the first ASN (the neighbor ASN) in path <m/P/.
|
|
|
|
<cf><m/P/.last</cf> returns the last ASN (the source ASN) in path <m/P/.
|
|
|
|
Both <cf/first/ and <cf/last/ return zero if there is no appropriate
|
|
ASN, for example if the path contains an AS set element as the first (or
|
|
the last) part.
|
|
|
|
<cf><m/P/.len</cf> returns the length of path <m/P/.
|
|
|
|
<cf>prepend(<m/P/,<m/A/)</cf> prepends ASN <m/A/ to path <m/P/ and
|
|
returns the result.
|
|
|
|
<cf>delete(<m/P/,<m/A/)</cf> deletes all instances of ASN <m/A/ from
|
|
from path <m/P/ and returns the result. <m/A/ may also be an integer
|
|
set, in that case the operator deletes all ASNs from path <m/P/ that are
|
|
also members of set <m/A/.
|
|
|
|
<cf>filter(<m/P/,<m/A/)</cf> deletes all ASNs from path <m/P/ that are
|
|
not members of integer set <m/A/. I.e., <cf/filter/ do the same as
|
|
<cf/delete/ with inverted set <m/A/.
|
|
|
|
Statement <cf><m/P/ = prepend(<m/P/, <m/A/);</cf> can be shortened to
|
|
<cf><m/P/.prepend(<m/A/);</cf> if <m/P/ is appropriate route attribute
|
|
(for example <cf/bgp_path/). Similarly for <cf/delete/ and <cf/filter/.
|
|
|
|
<tag/bgpmask/
|
|
BGP masks are patterns used for BGP path matching (using <cf>path
|
|
˜ [= 2 3 5 * =]</cf> syntax). The masks resemble wildcard patterns
|
|
as used by UNIX shells. Autonomous system numbers match themselves,
|
|
<cf/*/ matches any (even empty) sequence of arbitrary AS numbers and
|
|
<cf/?/ matches one arbitrary AS number. For example, if <cf>bgp_path</cf>
|
|
is 4 3 2 1, then: <tt>bgp_path ˜ [= * 4 3 * =]</tt> is true,
|
|
but <tt>bgp_path ˜ [= * 4 5 * =]</tt> is false. BGP mask
|
|
expressions can also contain integer expressions enclosed in parenthesis
|
|
and integer variables, for example <tt>[= * 4 (1+2) a =]</tt>. There is
|
|
also old syntax that uses / .. / instead of [= .. =] and ? instead of *.
|
|
|
|
<tag/clist/
|
|
Clist is similar to a set, except that unlike other sets, it can be
|
|
modified. The type is used for community list (a set of pairs) and for
|
|
cluster list (a set of quads). There exist no literals of this type.
|
|
There are three special operators on clists:
|
|
|
|
<cf><m/C/.len</cf> returns the length of clist <m/C/.
|
|
|
|
<cf>add(<m/C/,<m/P/)</cf> adds pair (or quad) <m/P/ to clist <m/C/ and
|
|
returns the result. If item <m/P/ is already in clist <m/C/, it does
|
|
nothing. <m/P/ may also be a clist, in that case all its members are
|
|
added; i.e., it works as clist union.
|
|
|
|
<cf>delete(<m/C/,<m/P/)</cf> deletes pair (or quad) <m/P/ from clist
|
|
<m/C/ and returns the result. If clist <m/C/ does not contain item
|
|
<m/P/, it does nothing. <m/P/ may also be a pair (or quad) set, in that
|
|
case the operator deletes all items from clist <m/C/ that are also
|
|
members of set <m/P/. Moreover, <m/P/ may also be a clist, which works
|
|
analogously; i.e., it works as clist difference.
|
|
|
|
<cf>filter(<m/C/,<m/P/)</cf> deletes all items from clist <m/C/ that are
|
|
not members of pair (or quad) set <m/P/. I.e., <cf/filter/ do the same
|
|
as <cf/delete/ with inverted set <m/P/. <m/P/ may also be a clist, which
|
|
works analogously; i.e., it works as clist intersection.
|
|
|
|
Statement <cf><m/C/ = add(<m/C/, <m/P/);</cf> can be shortened to
|
|
<cf><m/C/.add(<m/P/);</cf> if <m/C/ is appropriate route attribute (for
|
|
example <cf/bgp_community/). Similarly for <cf/delete/ and <cf/filter/.
|
|
|
|
<tag/eclist/
|
|
Eclist is a data type used for BGP extended community lists. Eclists
|
|
are very similar to clists, but they are sets of ECs instead of pairs.
|
|
The same operations (like <cf/add/, <cf/delete/, or <cf/˜/
|
|
membership operator) can be used to modify or test eclists, with ECs
|
|
instead of pairs as arguments.
|
|
</descrip>
|
|
|
|
|
|
<sect>Operators
|
|
|
|
<p>The filter language supports common integer operators <cf>(+,-,*,/)</cf>,
|
|
parentheses <cf/(a*(b+c))/, comparison <cf/(a=b, a!=b, a<b, a>=b)/.
|
|
Logical operations include unary not (<cf/!/), and (<cf/&&/) and or
|
|
(<cf/||/). Special operators include <cf/˜/ for "is element
|
|
of a set" operation - it can be used on element and set of elements of the same
|
|
type (returning true if element is contained in the given set), or on two
|
|
strings (returning true if first string matches a shell-like pattern stored in
|
|
second string) or on IP and prefix (returning true if IP is within the range
|
|
defined by that prefix), or on prefix and prefix (returning true if first prefix
|
|
is more specific than second one) or on bgppath and bgpmask (returning true if
|
|
the path matches the mask) or on number and bgppath (returning true if the
|
|
number is in the path) or on bgppath and int (number) set (returning true if any
|
|
ASN from the path is in the set) or on pair/quad and clist (returning true if
|
|
the pair/quad is element of the clist) or on clist and pair/quad set (returning
|
|
true if there is an element of the clist that is also a member of the pair/quad
|
|
set).
|
|
|
|
<p>There is one operator related to ROA infrastructure - <cf/roa_check()/. It
|
|
examines a ROA table and does RFC 6483 route origin validation for a given
|
|
network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which checks
|
|
current route (which should be from BGP to have AS_PATH argument) in the
|
|
specified ROA table and returns ROA_UNKNOWN if there is no relevant ROA,
|
|
ROA_VALID if there is a matching ROA, or ROA_INVALID if there are some relevant
|
|
ROAs but none of them match. There is also an extended variant
|
|
<cf>roa_check(<m/table/, <m/prefix/, <m/asn/)</cf>, which allows to specify a
|
|
prefix and an ASN as arguments.
|
|
|
|
|
|
<sect>Control structures
|
|
|
|
<p>Filters support two control structures: conditions and case switches.
|
|
|
|
<p>Syntax of a condition is: <cf>if <M>boolean expression</M> then <m/command1/;
|
|
else <m/command2/;</cf> and you can use <cf>{ <m/command_1/; <m/command_2/;
|
|
<M>...</M> }</cf> instead of either command. The <cf>else</cf> clause may be
|
|
omitted. If the <cf><m>boolean expression</m></cf> is true, <m/command1/ is
|
|
executed, otherwise <m/command2/ is executed.
|
|
|
|
<p>The <cf>case</cf> is similar to case from Pascal. Syntax is <cf>case
|
|
<m/expr/ { else: | <m/num_or_prefix [ .. num_or_prefix]/: <m/statement/ ; [
|
|
... ] }</cf>. The expression after <cf>case</cf> can be of any type which can be
|
|
on the left side of the ˜ operator and anything that could be a member of
|
|
a set is allowed before <cf/:/. Multiple commands are allowed without <cf/{}/
|
|
grouping. If <cf><m/expr/</cf> matches one of the <cf/:/ clauses, statements
|
|
between it and next <cf/:/ statement are executed. If <cf><m/expr/</cf> matches
|
|
neither of the <cf/:/ clauses, the statements after <cf/else:/ are executed.
|
|
|
|
<p>Here is example that uses <cf/if/ and <cf/case/ structures:
|
|
|
|
<code>
|
|
case arg1 {
|
|
2: print "two"; print "I can do more commands without {}";
|
|
3 .. 5: print "three to five";
|
|
else: print "something else";
|
|
}
|
|
|
|
if 1234 = i then printn "."; else {
|
|
print "not 1234";
|
|
print "You need {} around multiple commands";
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Route attributes
|
|
|
|
<p>A filter is implicitly passed a route, and it can access its attributes just
|
|
like it accesses variables. Attempts to access undefined attribute result in a
|
|
runtime error; you can check if an attribute is defined by using the
|
|
<cf>defined( <m>attribute</m> )</cf> operator. One notable exception to this
|
|
rule are attributes of clist type, where undefined value is regarded as empty
|
|
clist for most purposes.
|
|
|
|
<descrip>
|
|
<tag><m/prefix/ net</tag>
|
|
Network the route is talking about. Read-only. (See the chapter about
|
|
routing tables.)
|
|
|
|
<tag><m/enum/ scope</tag>
|
|
The scope of the route. Possible values: <cf/SCOPE_HOST/ for routes
|
|
local to this host, <cf/SCOPE_LINK/ for those specific for a physical
|
|
link, <cf/SCOPE_SITE/ and <cf/SCOPE_ORGANIZATION/ for private routes and
|
|
<cf/SCOPE_UNIVERSE/ for globally visible routes. This attribute is not
|
|
interpreted by BIRD and can be used to mark routes in filters. The
|
|
default value for new routes is <cf/SCOPE_UNIVERSE/.
|
|
|
|
<tag><m/int/ preference</tag>
|
|
Preference of the route. Valid values are 0-65535. (See the chapter
|
|
about routing tables.)
|
|
|
|
<tag><m/ip/ from</tag>
|
|
The router which the route has originated from.
|
|
|
|
<tag><m/ip/ gw</tag>
|
|
Next hop packets routed using this route should be forwarded to.
|
|
|
|
<tag><m/string/ proto</tag>
|
|
The name of the protocol which the route has been imported from.
|
|
Read-only.
|
|
|
|
<tag><m/enum/ source</tag>
|
|
what protocol has told me about this route. Possible values:
|
|
<cf/RTS_DUMMY/, <cf/RTS_STATIC/, <cf/RTS_INHERIT/, <cf/RTS_DEVICE/,
|
|
<cf/RTS_STATIC_DEVICE/, <cf/RTS_REDIRECT/, <cf/RTS_RIP/, <cf/RTS_OSPF/,
|
|
<cf/RTS_OSPF_IA/, <cf/RTS_OSPF_EXT1/, <cf/RTS_OSPF_EXT2/, <cf/RTS_BGP/,
|
|
<cf/RTS_PIPE/.
|
|
|
|
<tag><m/enum/ cast</tag>
|
|
Route type (Currently <cf/RTC_UNICAST/ for normal routes,
|
|
<cf/RTC_BROADCAST/, <cf/RTC_MULTICAST/, <cf/RTC_ANYCAST/ will be used in
|
|
the future for broadcast, multicast and anycast routes). Read-only.
|
|
|
|
<tag><m/enum/ dest</tag>
|
|
Type of destination the packets should be sent to
|
|
(<cf/RTD_ROUTER/ for forwarding to a neighboring router,
|
|
<cf/RTD_DEVICE/ for routing to a directly-connected network,
|
|
<cf/RTD_MULTIPATH/ for multipath destinations,
|
|
<cf/RTD_BLACKHOLE/ for packets to be silently discarded,
|
|
<cf/RTD_UNREACHABLE/, <cf/RTD_PROHIBIT/ for packets that should be
|
|
returned with ICMP host unreachable / ICMP administratively prohibited
|
|
messages). Can be changed, but only to <cf/RTD_BLACKHOLE/,
|
|
<cf/RTD_UNREACHABLE/ or <cf/RTD_PROHIBIT/.
|
|
|
|
<tag><m/string/ ifname</tag>
|
|
Name of the outgoing interface. Sink routes (like blackhole, unreachable
|
|
or prohibit) and multipath routes have no interface associated with
|
|
them, so <cf/ifname/ returns an empty string for such routes. Read-only.
|
|
|
|
<tag><m/int/ ifindex</tag>
|
|
Index of the outgoing interface. System wide index of the interface. May
|
|
be used for interface matching, however indexes might change on interface
|
|
creation/removal. Zero is returned for routes with undefined outgoing
|
|
interfaces. Read-only.
|
|
|
|
<tag><m/int/ igp_metric</tag>
|
|
The optional attribute that can be used to specify a distance to the
|
|
network for routes that do not have a native protocol metric attribute
|
|
(like <cf/ospf_metric1/ for OSPF routes). It is used mainly by BGP to
|
|
compare internal distances to boundary routers (see below). It is also
|
|
used when the route is exported to OSPF as a default value for OSPF type
|
|
1 metric.
|
|
</descrip>
|
|
|
|
<p>There also exist some protocol-specific attributes which are described in the
|
|
corresponding protocol sections.
|
|
|
|
|
|
<sect>Other statements
|
|
|
|
<p>The following statements are available:
|
|
|
|
<descrip>
|
|
<tag><m/variable/ = <m/expr/</tag>
|
|
Set variable to a given value.
|
|
|
|
<tag>accept|reject [ <m/expr/ ]</tag>
|
|
Accept or reject the route, possibly printing <cf><m>expr</m></cf>.
|
|
|
|
<tag>return <m/expr/</tag>
|
|
Return <cf><m>expr</m></cf> from the current function, the function ends
|
|
at this point.
|
|
|
|
<tag>print|printn <m/expr/ [<m/, expr.../]</tag>
|
|
Prints given expressions; useful mainly while debugging filters. The
|
|
<cf/printn/ variant does not terminate the line.
|
|
|
|
<tag>quitbird</tag>
|
|
Terminates BIRD. Useful when debugging the filter interpreter.
|
|
</descrip>
|
|
|
|
|
|
<chapt>Protocols
|
|
|
|
<sect><label id="sect-bfd">BFD
|
|
|
|
<sect1>Introduction
|
|
|
|
<p>Bidirectional Forwarding Detection (BFD) is not a routing protocol itself, it
|
|
is an independent tool providing liveness and failure detection. Routing
|
|
protocols like OSPF and BGP use integrated periodic "hello" messages to monitor
|
|
liveness of neighbors, but detection times of these mechanisms are high (e.g. 40
|
|
seconds by default in OSPF, could be set down to several seconds). BFD offers
|
|
universal, fast and low-overhead mechanism for failure detection, which could be
|
|
attached to any routing protocol in an advisory role.
|
|
|
|
<p>BFD consists of mostly independent BFD sessions. Each session monitors an
|
|
unicast bidirectional path between two BFD-enabled routers. This is done by
|
|
periodically sending control packets in both directions. BFD does not handle
|
|
neighbor discovery, BFD sessions are created on demand by request of other
|
|
protocols (like OSPF or BGP), which supply appropriate information like IP
|
|
addresses and associated interfaces. When a session changes its state, these
|
|
protocols are notified and act accordingly (e.g. break an OSPF adjacency when
|
|
the BFD session went down).
|
|
|
|
<p>BIRD implements basic BFD behavior as defined in
|
|
RFC 5880<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5880.txt">
|
|
(some advanced features like the echo mode or authentication are not implemented),
|
|
IP transport for BFD as defined in
|
|
RFC 5881<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5881.txt"> and
|
|
RFC 5883<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5883.txt">
|
|
and interaction with client protocols as defined in
|
|
RFC 5882<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5882.txt">.
|
|
|
|
<p>Note that BFD implementation in BIRD is currently a new feature in
|
|
development, expect some rough edges and possible UI and configuration changes
|
|
in the future. Also note that we currently support at most one protocol instance.
|
|
|
|
<p>BFD packets are sent with a dynamic source port number. Linux systems use by
|
|
default a bit different dynamic port range than the IANA approved one
|
|
(49152-65535). If you experience problems with compatibility, please adjust
|
|
<cf>/proc/sys/net/ipv4/ip_local_port_range</cf>
|
|
|
|
<sect1>Configuration
|
|
|
|
<p>BFD configuration consists mainly of multiple definitions of interfaces.
|
|
Most BFD config options are session specific. When a new session is requested
|
|
and dynamically created, it is configured from one of these definitions. For
|
|
sessions to directly connected neighbors, <cf/interface/ definitions are chosen
|
|
based on the interface associated with the session, while <cf/multihop/
|
|
definition is used for multihop sessions. If no definition is relevant, the
|
|
session is just created with the default configuration. Therefore, an empty BFD
|
|
configuration is often sufficient.
|
|
|
|
<p>Note that to use BFD for other protocols like OSPF or BGP, these protocols
|
|
also have to be configured to request BFD sessions, usually by <cf/bfd/ option.
|
|
|
|
<p>Some of BFD session options require <m/time/ value, which has to be specified
|
|
with the appropriate unit: <m/num/ <cf/s/|<cf/ms/|<cf/us/. Although microseconds
|
|
are allowed as units, practical minimum values are usually in order of tens of
|
|
milliseconds.
|
|
|
|
<code>
|
|
protocol bfd [<name>] {
|
|
interface <interface pattern> {
|
|
interval <time>;
|
|
min rx interval <time>;
|
|
min tx interval <time>;
|
|
idle tx interval <time>;
|
|
multiplier <num>;
|
|
passive <switch>;
|
|
};
|
|
multihop {
|
|
interval <time>;
|
|
min rx interval <time>;
|
|
min tx interval <time>;
|
|
idle tx interval <time>;
|
|
multiplier <num>;
|
|
passive <switch>;
|
|
};
|
|
neighbor <ip> [dev "<interface>"] [local <ip>] [multihop <switch>];
|
|
}
|
|
</code>
|
|
|
|
<descrip>
|
|
<tag>interface <m/pattern [, ...]/ { <m/options/ }</tag>
|
|
Interface definitions allow to specify options for sessions associated
|
|
with such interfaces and also may contain interface specific options.
|
|
See <ref id="dsc-iface" name="interface"> common option for a detailed
|
|
description of interface patterns. Note that contrary to the behavior of
|
|
<cf/interface/ definitions of other protocols, BFD protocol would accept
|
|
sessions (in default configuration) even on interfaces not covered by
|
|
such definitions.
|
|
|
|
<tag>multihop { <m/options/ }</tag>
|
|
Multihop definitions allow to specify options for multihop BFD sessions,
|
|
in the same manner as <cf/interface/ definitions are used for directly
|
|
connected sessions. Currently only one such definition (for all multihop
|
|
sessions) could be used.
|
|
|
|
<tag>neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag>
|
|
BFD sessions are usually created on demand as requested by other
|
|
protocols (like OSPF or BGP). This option allows to explicitly add
|
|
a BFD session to the specified neighbor regardless of such requests.
|
|
|
|
The session is identified by the IP address of the neighbor, with
|
|
optional specification of used interface and local IP. By default
|
|
the neighbor must be directly connected, unless the the session is
|
|
configured as multihop. Note that local IP must be specified for
|
|
multihop sessions.
|
|
</descrip>
|
|
|
|
<p>Session specific options (part of <cf/interface/ and <cf/multihop/ definitions):
|
|
|
|
<descrip>
|
|
<tag>interval <m/time/</tag>
|
|
BFD ensures availability of the forwarding path associated with the
|
|
session by periodically sending BFD control packets in both
|
|
directions. The rate of such packets is controlled by two options,
|
|
<cf/min rx interval/ and <cf/min tx interval/ (see below). This option
|
|
is just a shorthand to set both of these options together.
|
|
|
|
<tag>min rx interval <m/time/</tag>
|
|
This option specifies the minimum RX interval, which is announced to the
|
|
neighbor and used there to limit the neighbor's rate of generated BFD
|
|
control packets. Default: 10 ms.
|
|
|
|
<tag>min tx interval <m/time/</tag>
|
|
This option specifies the desired TX interval, which controls the rate
|
|
of generated BFD control packets (together with <cf/min rx interval/
|
|
announced by the neighbor). Note that this value is used only if the BFD
|
|
session is up, otherwise the value of <cf/idle tx interval/ is used
|
|
instead. Default: 100 ms.
|
|
|
|
<tag>idle tx interval <m/time/</tag>
|
|
In order to limit unnecessary traffic in cases where a neighbor is not
|
|
available or not running BFD, the rate of generated BFD control packets
|
|
is lower when the BFD session is not up. This option specifies the
|
|
desired TX interval in such cases instead of <cf/min tx interval/.
|
|
Default: 1 s.
|
|
|
|
<tag>multiplier <m/num/</tag>
|
|
Failure detection time for BFD sessions is based on established rate of
|
|
BFD control packets (<cf>min rx/tx interval</cf>) multiplied by this
|
|
multiplier, which is essentially (ignoring jitter) a number of missed
|
|
packets after which the session is declared down. Note that rates and
|
|
multipliers could be different in each direction of a BFD session.
|
|
Default: 5.
|
|
|
|
<tag>passive <m/switch/</tag>
|
|
Generally, both BFD session endpoinds try to establish the session by
|
|
sending control packets to the other side. This option allows to enable
|
|
passive mode, which means that the router does not send BFD packets
|
|
until it has received one from the other side. Default: disabled.
|
|
</descrip>
|
|
|
|
<sect1>Example
|
|
|
|
<p><code>
|
|
protocol bfd {
|
|
interface "eth*" {
|
|
min rx interval 20 ms;
|
|
min tx interval 50 ms;
|
|
idle tx interval 300 ms;
|
|
};
|
|
interface "gre*" {
|
|
interval 200 ms;
|
|
multiplier 10;
|
|
passive;
|
|
};
|
|
multihop {
|
|
interval 200 ms;
|
|
multiplier 10;
|
|
};
|
|
|
|
neighbor 192.168.1.10;
|
|
neighbor 192.168.2.2 dev "eth2";
|
|
neighbor 192.168.10.1 local 192.168.1.1 multihop;
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>BGP
|
|
|
|
<p>The Border Gateway Protocol is the routing protocol used for backbone level
|
|
routing in the today's Internet. Contrary to other protocols, its convergence
|
|
does not rely on all routers following the same rules for route selection,
|
|
making it possible to implement any routing policy at any router in the network,
|
|
the only restriction being that if a router advertises a route, it must accept
|
|
and forward packets according to it.
|
|
|
|
<p>BGP works in terms of autonomous systems (often abbreviated as AS). Each AS
|
|
is a part of the network with common management and common routing policy. It is
|
|
identified by a unique 16-bit number (ASN). Routers within each AS usually
|
|
exchange AS-internal routing information with each other using an interior
|
|
gateway protocol (IGP, such as OSPF or RIP). Boundary routers at the border of
|
|
the AS communicate global (inter-AS) network reachability information with their
|
|
neighbors in the neighboring AS'es via exterior BGP (eBGP) and redistribute
|
|
received information to other routers in the AS via interior BGP (iBGP).
|
|
|
|
<p>Each BGP router sends to its neighbors updates of the parts of its routing
|
|
table it wishes to export along with complete path information (a list of AS'es
|
|
the packet will travel through if it uses the particular route) in order to
|
|
avoid routing loops.
|
|
|
|
<p>BIRD supports all requirements of the BGP4 standard as defined in
|
|
RFC 4271<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4271.txt">
|
|
It also supports the community attributes
|
|
(RFC 1997<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1997.txt">),
|
|
capability negotiation
|
|
(RFC 3392<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc3392.txt">),
|
|
MD5 password authentication
|
|
(RFC 2385<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2385.txt">),
|
|
extended communities
|
|
(RFC 4360<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4360.txt">),
|
|
route reflectors
|
|
(RFC 4456<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4456.txt">),
|
|
graceful restart
|
|
(RFC 4724<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4724.txt">),
|
|
multiprotocol extensions
|
|
(RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">),
|
|
4B AS numbers
|
|
(RFC 4893<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4893.txt">),
|
|
and 4B AS numbers in extended communities
|
|
(RFC 5668<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5668.txt">).
|
|
|
|
|
|
For IPv6, it uses the standard multiprotocol extensions defined in
|
|
RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">
|
|
and applied to IPv6 according to
|
|
RFC 2545<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2545.txt">.
|
|
|
|
<sect1>Route selection rules
|
|
|
|
<p>BGP doesn't have any simple metric, so the rules for selection of an optimal
|
|
route among multiple BGP routes with the same preference are a bit more complex
|
|
and they are implemented according to the following algorithm. It starts the
|
|
first rule, if there are more "best" routes, then it uses the second rule to
|
|
choose among them and so on.
|
|
|
|
<itemize>
|
|
<item>Prefer route with the highest Local Preference attribute.
|
|
<item>Prefer route with the shortest AS path.
|
|
<item>Prefer IGP origin over EGP and EGP origin over incomplete.
|
|
<item>Prefer the lowest value of the Multiple Exit Discriminator.
|
|
<item>Prefer routes received via eBGP over ones received via iBGP.
|
|
<item>Prefer routes with lower internal distance to a boundary router.
|
|
<item>Prefer the route with the lowest value of router ID of the
|
|
advertising router.
|
|
</itemize>
|
|
|
|
<sect1>IGP routing table
|
|
|
|
<p>BGP is mainly concerned with global network reachability and with routes to
|
|
other autonomous systems. When such routes are redistributed to routers in the
|
|
AS via BGP, they contain IP addresses of a boundary routers (in route attribute
|
|
NEXT_HOP). BGP depends on existing IGP routing table with AS-internal routes to
|
|
determine immediate next hops for routes and to know their internal distances to
|
|
boundary routers for the purpose of BGP route selection. In BIRD, there is
|
|
usually one routing table used for both IGP routes and BGP routes.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p>Each instance of the BGP corresponds to one neighboring router. This allows
|
|
to set routing policy and all the other parameters differently for each neighbor
|
|
using the following configuration parameters:
|
|
|
|
<descrip>
|
|
<tag>local [<m/ip/] as <m/number/</tag>
|
|
Define which AS we are part of. (Note that contrary to other IP routers,
|
|
BIRD is able to act as a router located in multiple AS'es simultaneously,
|
|
but in such cases you need to tweak the BGP paths manually in the filters
|
|
to get consistent behavior.) Optional <cf/ip/ argument specifies a source
|
|
address, equivalent to the <cf/source address/ option (see below). This
|
|
parameter is mandatory.
|
|
|
|
<tag>neighbor <m/ip/ as <m/number/</tag>
|
|
Define neighboring router this instance will be talking to and what AS
|
|
it's located in. In case the neighbor is in the same AS as we are, we
|
|
automatically switch to iBGP. This parameter is mandatory.
|
|
|
|
<tag>direct</tag>
|
|
Specify that the neighbor is directly connected. The IP address of the
|
|
neighbor must be from a directly reachable IP range (i.e. associated
|
|
with one of your router's interfaces), otherwise the BGP session
|
|
wouldn't start but it would wait for such interface to appear. The
|
|
alternative is the <cf/multihop/ option. Default: enabled for eBGP.
|
|
|
|
<tag>multihop [<m/number/]</tag>
|
|
Configure multihop BGP session to a neighbor that isn't directly
|
|
connected. Accurately, this option should be used if the configured
|
|
neighbor IP address does not match with any local network subnets. Such
|
|
IP address have to be reachable through system routing table. The
|
|
alternative is the <cf/direct/ option. For multihop BGP it is
|
|
recommended to explicitly configure the source address to have it
|
|
stable. Optional <cf/number/ argument can be used to specify the number
|
|
of hops (used for TTL). Note that the number of networks (edges) in a
|
|
path is counted; i.e., if two BGP speakers are separated by one router,
|
|
the number of hops is 2. Default: enabled for iBGP.
|
|
|
|
<tag>source address <m/ip/</tag>
|
|
Define local address we should use for next hop calculation and as a
|
|
source address for the BGP session. Default: the address of the local
|
|
end of the interface our neighbor is connected to.
|
|
|
|
<tag>next hop self</tag>
|
|
Avoid calculation of the Next Hop attribute and always advertise our own
|
|
source address as a next hop. This needs to be used only occasionally to
|
|
circumvent misconfigurations of other routers. Default: disabled.
|
|
|
|
<tag>next hop keep</tag>
|
|
Forward the received Next Hop attribute even in situations where the
|
|
local address should be used instead, like when the route is sent to an
|
|
interface with a different subnet. Default: disabled.
|
|
|
|
<tag>missing lladdr self|drop|ignore</tag>
|
|
Next Hop attribute in BGP-IPv6 sometimes contains just the global IPv6
|
|
address, but sometimes it has to contain both global and link-local IPv6
|
|
addresses. This option specifies what to do if BIRD have to send both
|
|
addresses but does not know link-local address. This situation might
|
|
happen when routes from other protocols are exported to BGP, or when
|
|
improper updates are received from BGP peers. <cf/self/ means that BIRD
|
|
advertises its own local address instead. <cf/drop/ means that BIRD
|
|
skips that prefixes and logs error. <cf/ignore/ means that BIRD ignores
|
|
the problem and sends just the global address (and therefore forms
|
|
improper BGP update). Default: <cf/self/, unless BIRD is configured as a
|
|
route server (option <cf/rs client/), in that case default is <cf/ignore/,
|
|
because route servers usually do not forward packets themselves.
|
|
|
|
<tag>gateway direct|recursive</tag>
|
|
For received routes, their <cf/gw/ (immediate next hop) attribute is
|
|
computed from received <cf/bgp_next_hop/ attribute. This option
|
|
specifies how it is computed. Direct mode means that the IP address from
|
|
<cf/bgp_next_hop/ is used if it is directly reachable, otherwise the
|
|
neighbor IP address is used. Recursive mode means that the gateway is
|
|
computed by an IGP routing table lookup for the IP address from
|
|
<cf/bgp_next_hop/. Recursive mode is the behavior specified by the BGP
|
|
standard. Direct mode is simpler, does not require any routes in a
|
|
routing table, and was used in older versions of BIRD, but does not
|
|
handle well nontrivial iBGP setups and multihop. Recursive mode is
|
|
incompatible with <ref id="dsc-sorted" name="sorted tables">. Default:
|
|
<cf/direct/ for direct sessions, <cf/recursive/ for multihop sessions.
|
|
|
|
<tag>igp table <m/name/</tag>
|
|
Specifies a table that is used as an IGP routing table. Default: the
|
|
same as the table BGP is connected to.
|
|
|
|
<tag>bfd <M>switch</M></tag>
|
|
BGP could use BFD protocol as an advisory mechanism for neighbor
|
|
liveness and failure detection. If enabled, BIRD setups a BFD session
|
|
for the BGP neighbor and tracks its liveness by it. This has an
|
|
advantage of an order of magnitude lower detection times in case of
|
|
failure. Note that BFD protocol also has to be configured, see
|
|
<ref id="sect-bfd" name="BFD"> section for details. Default: disabled.
|
|
|
|
<tag>ttl security <m/switch/</tag>
|
|
Use GTSM (RFC 5082 - the generalized TTL security mechanism). GTSM
|
|
protects against spoofed packets by ignoring received packets with a
|
|
smaller than expected TTL. To work properly, GTSM have to be enabled on
|
|
both sides of a BGP session. If both <cf/ttl security/ and <cf/multihop/
|
|
options are enabled, <cf/multihop/ option should specify proper hop
|
|
value to compute expected TTL. Kernel support required: Linux: 2.6.34+
|
|
(IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only. Note that full
|
|
(ICMP protection, for example) RFC 5082 support is provided by Linux
|
|
only. Default: disabled.
|
|
|
|
<tag>password <m/string/</tag>
|
|
Use this password for MD5 authentication of BGP sessions. Default: no
|
|
authentication. Password has to be set by external utility
|
|
(e.g. setkey(8)) on BSD systems.
|
|
|
|
<tag>passive <m/switch/</tag>
|
|
Standard BGP behavior is both initiating outgoing connections and
|
|
accepting incoming connections. In passive mode, outgoing connections
|
|
are not initiated. Default: off.
|
|
|
|
<tag>rr client</tag>
|
|
Be a route reflector and treat the neighbor as a route reflection
|
|
client. Default: disabled.
|
|
|
|
<tag>rr cluster id <m/IPv4 address/</tag>
|
|
Route reflectors use cluster id to avoid route reflection loops. When
|
|
there is one route reflector in a cluster it usually uses its router id
|
|
as a cluster id, but when there are more route reflectors in a cluster,
|
|
these need to be configured (using this option) to use a common cluster
|
|
id. Clients in a cluster need not know their cluster id and this option
|
|
is not allowed for them. Default: the same as router id.
|
|
|
|
<tag>rs client</tag>
|
|
Be a route server and treat the neighbor as a route server client.
|
|
A route server is used as a replacement for full mesh EBGP routing in
|
|
Internet exchange points in a similar way to route reflectors used in
|
|
IBGP routing. BIRD does not implement obsoleted RFC 1863, but uses
|
|
ad-hoc implementation, which behaves like plain EBGP but reduces
|
|
modifications to advertised route attributes to be transparent (for
|
|
example does not prepend its AS number to AS PATH attribute and keeps
|
|
MED attribute). Default: disabled.
|
|
|
|
<tag>secondary <m/switch/</tag>
|
|
Usually, if an export filter rejects a selected route, no other route is
|
|
propagated for that network. This option allows to try the next route in
|
|
order until one that is accepted is found or all routes for that network
|
|
are rejected. This can be used for route servers that need to propagate
|
|
different tables to each client but do not want to have these tables
|
|
explicitly (to conserve memory). This option requires that the connected
|
|
routing table is <ref id="dsc-sorted" name="sorted">. Default: off.
|
|
|
|
<tag>add paths <m/switch/|rx|tx</tag>
|
|
Standard BGP can propagate only one path (route) per destination network
|
|
(usually the selected one). This option controls the add-path protocol
|
|
extension, which allows to advertise any number of paths to a
|
|
destination. Note that to be active, add-path has to be enabled on both
|
|
sides of the BGP session, but it could be enabled separately for RX and
|
|
TX direction. When active, all available routes accepted by the export
|
|
filter are advertised to the neighbor. Default: off.
|
|
|
|
<tag>allow local as [<m/number/]</tag>
|
|
BGP prevents routing loops by rejecting received routes with the local
|
|
AS number in the AS path. This option allows to loose or disable the
|
|
check. Optional <cf/number/ argument can be used to specify the maximum
|
|
number of local ASNs in the AS path that is allowed for received
|
|
routes. When the option is used without the argument, the check is
|
|
completely disabled and you should ensure loop-free behavior by some
|
|
other means. Default: 0 (no local AS number allowed).
|
|
|
|
<tag>enable route refresh <m/switch/</tag>
|
|
When BGP speaker changes its import filter, it has to re-examine all
|
|
routes received from its neighbor against the new filter. As these
|
|
routes might not be available, there is a BGP protocol extension Route
|
|
Refresh (specified in RFC 2918) that allows BGP speaker to request
|
|
re-advertisement of all routes from its neighbor. This option specifies
|
|
whether BIRD advertises this capability and accepts such requests. Even
|
|
when disabled, BIRD can send route refresh requests. Default: on.
|
|
|
|
<tag>graceful restart <m/switch/|aware</tag>
|
|
When a BGP speaker restarts or crashes, neighbors will discard all
|
|
received paths from the speaker, which disrupts packet forwarding even
|
|
when the forwarding plane of the speaker remains intact. RFC 4724
|
|
specifies an optional graceful restart mechanism to alleviate this
|
|
issue. This option controls the mechanism. It has three states:
|
|
Disabled, when no support is provided. Aware, when the graceful restart
|
|
support is announced and the support for restarting neighbors is
|
|
provided, but no local graceful restart is allowed (i.e. receiving-only
|
|
role). Enabled, when the full graceful restart support is provided
|
|
(i.e. both restarting and receiving role). Note that proper support for
|
|
local graceful restart requires also configuration of other protocols.
|
|
Default: aware.
|
|
|
|
<tag>graceful restart time <m/number/</tag>
|
|
The restart time is announced in the BGP graceful restart capability
|
|
and specifies how long the neighbor would wait for the BGP session to
|
|
re-establish after a restart before deleting stale routes. Default:
|
|
120 seconds.
|
|
|
|
<tag>interpret communities <m/switch/</tag>
|
|
RFC 1997 demands that BGP speaker should process well-known communities
|
|
like no-export (65535, 65281) or no-advertise (65535, 65282). For
|
|
example, received route carrying a no-adverise community should not be
|
|
advertised to any of its neighbors. If this option is enabled (which is
|
|
by default), BIRD has such behavior automatically (it is evaluated when
|
|
a route is exported to the BGP protocol just before the export filter).
|
|
Otherwise, this integrated processing of well-known communities is
|
|
disabled. In that case, similar behavior can be implemented in the
|
|
export filter. Default: on.
|
|
|
|
<tag>enable as4 <m/switch/</tag>
|
|
BGP protocol was designed to use 2B AS numbers and was extended later to
|
|
allow 4B AS number. BIRD supports 4B AS extension, but by disabling this
|
|
option it can be persuaded not to advertise it and to maintain old-style
|
|
sessions with its neighbors. This might be useful for circumventing bugs
|
|
in neighbor's implementation of 4B AS extension. Even when disabled
|
|
(off), BIRD behaves internally as AS4-aware BGP router. Default: on.
|
|
|
|
<tag>capabilities <m/switch/</tag>
|
|
Use capability advertisement to advertise optional capabilities. This is
|
|
standard behavior for newer BGP implementations, but there might be some
|
|
older BGP implementations that reject such connection attempts. When
|
|
disabled (off), features that request it (4B AS support) are also
|
|
disabled. Default: on, with automatic fallback to off when received
|
|
capability-related error.
|
|
|
|
<tag>advertise ipv4 <m/switch/</tag>
|
|
Advertise IPv4 multiprotocol capability. This is not a correct behavior
|
|
according to the strict interpretation of RFC 4760, but it is widespread
|
|
and required by some BGP implementations (Cisco and Quagga). This option
|
|
is relevant to IPv4 mode with enabled capability advertisement
|
|
only. Default: on.
|
|
|
|
<tag>route limit <m/number/</tag>
|
|
The maximal number of routes that may be imported from the protocol. If
|
|
the route limit is exceeded, the connection is closed with an error.
|
|
Limit is currently implemented as <cf>import limit <m/number/ action
|
|
restart</cf>. This option is obsolete and it is replaced by
|
|
<ref id="import-limit" name="import limit option">. Default: no limit.
|
|
|
|
<tag>disable after error <m/switch/</tag>
|
|
When an error is encountered (either locally or by the other side),
|
|
disable the instance automatically and wait for an administrator to fix
|
|
the problem manually. Default: off.
|
|
|
|
<tag>hold time <m/number/</tag>
|
|
Time in seconds to wait for a Keepalive message from the other side
|
|
before considering the connection stale. Default: depends on agreement
|
|
with the neighboring router, we prefer 240 seconds if the other side is
|
|
willing to accept it.
|
|
|
|
<tag>startup hold time <m/number/</tag>
|
|
Value of the hold timer used before the routers have a chance to exchange
|
|
open messages and agree on the real value. Default: 240 seconds.
|
|
|
|
<tag>keepalive time <m/number/</tag>
|
|
Delay in seconds between sending of two consecutive Keepalive messages.
|
|
Default: One third of the hold time.
|
|
|
|
<tag>connect retry time <m/number/</tag>
|
|
Time in seconds to wait before retrying a failed attempt to connect.
|
|
Default: 120 seconds.
|
|
|
|
<tag>start delay time <m/number/</tag>
|
|
Delay in seconds between protocol startup and the first attempt to
|
|
connect. Default: 5 seconds.
|
|
|
|
<tag>error wait time <m/number/,<m/number/</tag>
|
|
Minimum and maximum delay in seconds between a protocol failure (either
|
|
local or reported by the peer) and automatic restart. Doesn't apply
|
|
when <cf/disable after error/ is configured. If consecutive errors
|
|
happen, the delay is increased exponentially until it reaches the
|
|
maximum. Default: 60, 300.
|
|
|
|
<tag>error forget time <m/number/</tag>
|
|
Maximum time in seconds between two protocol failures to treat them as a
|
|
error sequence which makes <cf/error wait time/ increase exponentially.
|
|
Default: 300 seconds.
|
|
|
|
<tag>path metric <m/switch/</tag>
|
|
Enable comparison of path lengths when deciding which BGP route is the
|
|
best one. Default: on.
|
|
|
|
<tag>med metric <m/switch/</tag>
|
|
Enable comparison of MED attributes (during best route selection) even
|
|
between routes received from different ASes. This may be useful if all
|
|
MED attributes contain some consistent metric, perhaps enforced in
|
|
import filters of AS boundary routers. If this option is disabled, MED
|
|
attributes are compared only if routes are received from the same AS
|
|
(which is the standard behavior). Default: off.
|
|
|
|
<tag>deterministic med <m/switch/</tag>
|
|
BGP route selection algorithm is often viewed as a comparison between
|
|
individual routes (e.g. if a new route appears and is better than the
|
|
current best one, it is chosen as the new best one). But the proper
|
|
route selection, as specified by RFC 4271, cannot be fully implemented
|
|
in that way. The problem is mainly in handling the MED attribute. BIRD,
|
|
by default, uses an simplification based on individual route comparison,
|
|
which in some cases may lead to temporally dependent behavior (i.e. the
|
|
selection is dependent on the order in which routes appeared). This
|
|
option enables a different (and slower) algorithm implementing proper
|
|
RFC 4271 route selection, which is deterministic. Alternative way how to
|
|
get deterministic behavior is to use <cf/med metric/ option. This option
|
|
is incompatible with <ref id="dsc-sorted" name="sorted tables">.
|
|
Default: off.
|
|
|
|
<tag>igp metric <m/switch/</tag>
|
|
Enable comparison of internal distances to boundary routers during best
|
|
route selection. Default: on.
|
|
|
|
<tag>prefer older <m/switch/</tag>
|
|
Standard route selection algorithm breaks ties by comparing router IDs.
|
|
This changes the behavior to prefer older routes (when both are external
|
|
and from different peer). For details, see RFC 5004. Default: off.
|
|
|
|
<tag>default bgp_med <m/number/</tag>
|
|
Value of the Multiple Exit Discriminator to be used during route
|
|
selection when the MED attribute is missing. Default: 0.
|
|
|
|
<tag>default bgp_local_pref <m/number/</tag>
|
|
A default value for the Local Preference attribute. It is used when
|
|
a new Local Preference attribute is attached to a route by the BGP
|
|
protocol itself (for example, if a route is received through eBGP and
|
|
therefore does not have such attribute). Default: 100 (0 in pre-1.2.0
|
|
versions of BIRD).
|
|
</descrip>
|
|
|
|
<sect1>Attributes
|
|
|
|
<p>BGP defines several route attributes. Some of them (those marked with
|
|
`<tt/I/' in the table below) are available on internal BGP connections only,
|
|
some of them (marked with `<tt/O/') are optional.
|
|
|
|
<descrip>
|
|
<tag>bgppath <cf/bgp_path/</tag>
|
|
Sequence of AS numbers describing the AS path the packet will travel
|
|
through when forwarded according to the particular route. In case of
|
|
internal BGP it doesn't contain the number of the local AS.
|
|
|
|
<tag>int <cf/bgp_local_pref/ [I]</tag>
|
|
Local preference value used for selection among multiple BGP routes (see
|
|
the selection rules above). It's used as an additional metric which is
|
|
propagated through the whole local AS.
|
|
|
|
<tag>int <cf/bgp_med/ [O]</tag>
|
|
The Multiple Exit Discriminator of the route is an optional attribute
|
|
which is used on external (inter-AS) links to convey to an adjacent AS
|
|
the optimal entry point into the local AS. The received attribute is
|
|
also propagated over internal BGP links. The attribute value is zeroed
|
|
when a route is exported to an external BGP instance to ensure that the
|
|
attribute received from a neighboring AS is not propagated to other
|
|
neighboring ASes. A new value might be set in the export filter of an
|
|
external BGP instance. See RFC 4451<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4451.txt">
|
|
for further discussion of BGP MED attribute.
|
|
|
|
<tag>enum <cf/bgp_origin/</tag>
|
|
Origin of the route: either <cf/ORIGIN_IGP/ if the route has originated
|
|
in an interior routing protocol or <cf/ORIGIN_EGP/ if it's been imported
|
|
from the <tt>EGP</tt> protocol (nowadays it seems to be obsolete) or
|
|
<cf/ORIGIN_INCOMPLETE/ if the origin is unknown.
|
|
|
|
<tag>ip <cf/bgp_next_hop/</tag>
|
|
Next hop to be used for forwarding of packets to this destination. On
|
|
internal BGP connections, it's an address of the originating router if
|
|
it's inside the local AS or a boundary router the packet will leave the
|
|
AS through if it's an exterior route, so each BGP speaker within the AS
|
|
has a chance to use the shortest interior path possible to this point.
|
|
|
|
<tag>void <cf/bgp_atomic_aggr/ [O]</tag>
|
|
This is an optional attribute which carries no value, but the sole
|
|
presence of which indicates that the route has been aggregated from
|
|
multiple routes by some router on the path from the originator.
|
|
|
|
<!-- we don't handle aggregators right since they are of a very obscure type
|
|
<tag>bgp_aggregator</tag>
|
|
-->
|
|
<tag>clist <cf/bgp_community/ [O]</tag>
|
|
List of community values associated with the route. Each such value is a
|
|
pair (represented as a <cf/pair/ data type inside the filters) of 16-bit
|
|
integers, the first of them containing the number of the AS which
|
|
defines the community and the second one being a per-AS identifier.
|
|
There are lots of uses of the community mechanism, but generally they
|
|
are used to carry policy information like "don't export to USA peers".
|
|
As each AS can define its own routing policy, it also has a complete
|
|
freedom about which community attributes it defines and what will their
|
|
semantics be.
|
|
|
|
<tag>eclist <cf/bgp_ext_community/ [O]</tag>
|
|
List of extended community values associated with the route. Extended
|
|
communities have similar usage as plain communities, but they have an
|
|
extended range (to allow 4B ASNs) and a nontrivial structure with a type
|
|
field. Individual community values are represented using an <cf/ec/ data
|
|
type inside the filters.
|
|
|
|
<tag>quad <cf/bgp_originator_id/ [I, O]</tag>
|
|
This attribute is created by the route reflector when reflecting the
|
|
route and contains the router ID of the originator of the route in the
|
|
local AS.
|
|
|
|
<tag>clist <cf/bgp_cluster_list/ [I, O]</tag>
|
|
This attribute contains a list of cluster IDs of route reflectors. Each
|
|
route reflector prepends its cluster ID when reflecting the route.
|
|
</descrip>
|
|
|
|
<sect1>Example
|
|
|
|
<p><code>
|
|
protocol bgp {
|
|
local as 65000; # Use a private AS number
|
|
neighbor 198.51.100.130 as 64496; # Our neighbor ...
|
|
multihop; # ... which is connected indirectly
|
|
export filter { # We use non-trivial export rules
|
|
if source = RTS_STATIC then { # Export only static routes
|
|
# Assign our community
|
|
bgp_community.add((65000,64501));
|
|
# Artificially increase path length
|
|
# by advertising local AS number twice
|
|
if bgp_path ~ [= 65000 =] then
|
|
bgp_path.prepend(65000);
|
|
accept;
|
|
}
|
|
reject;
|
|
};
|
|
import all;
|
|
source address 198.51.100.14; # Use a non-standard source address
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Device
|
|
|
|
<p>The Device protocol is not a real routing protocol. It doesn't generate any
|
|
routes and it only serves as a module for getting information about network
|
|
interfaces from the kernel.
|
|
|
|
<p>Except for very unusual circumstances, you probably should include this
|
|
protocol in the configuration since almost all other protocols require network
|
|
interfaces to be defined for them to work with.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p><descrip>
|
|
|
|
<tag>scan time <m/number/</tag>
|
|
|
|
Time in seconds between two scans of the network interface list. On
|
|
systems where we are notified about interface status changes
|
|
asynchronously (such as newer versions of Linux), we need to scan the
|
|
list only in order to avoid confusion by lost notification messages,
|
|
so the default time is set to a large value.
|
|
|
|
<tag>primary [ "<m/mask/" ] <m/prefix/</tag>
|
|
If a network interface has more than one network address, BIRD has to
|
|
choose one of them as a primary one. By default, BIRD chooses the
|
|
lexicographically smallest address as the primary one.
|
|
|
|
This option allows to specify which network address should be chosen as
|
|
a primary one. Network addresses that match <m/prefix/ are preferred to
|
|
non-matching addresses. If more <cf/primary/ options are used, the first
|
|
one has the highest preference. If "<m/mask/" is specified, then such
|
|
<cf/primary/ option is relevant only to matching network interfaces.
|
|
|
|
In all cases, an address marked by operating system as secondary cannot
|
|
be chosen as the primary one.
|
|
</descrip>
|
|
|
|
<p>As the Device protocol doesn't generate any routes, it cannot have
|
|
any attributes. Example configuration looks like this:
|
|
|
|
<p><code>
|
|
protocol device {
|
|
scan time 10; # Scan the interfaces often
|
|
primary "eth0" 192.168.1.1;
|
|
primary 192.168.0.0/16;
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Direct
|
|
|
|
<p>The Direct protocol is a simple generator of device routes for all the
|
|
directly connected networks according to the list of interfaces provided by the
|
|
kernel via the Device protocol.
|
|
|
|
<p>The question is whether it is a good idea to have such device routes in BIRD
|
|
routing table. OS kernel usually handles device routes for directly connected
|
|
networks by itself so we don't need (and don't want) to export these routes to
|
|
the kernel protocol. OSPF protocol creates device routes for its interfaces
|
|
itself and BGP protocol is usually used for exporting aggregate routes. Although
|
|
there are some use cases that use the direct protocol (like abusing eBGP as an
|
|
IGP routing protocol), in most cases it is not needed to have these device
|
|
routes in BIRD routing table and to use the direct protocol.
|
|
|
|
<p>There is one notable case when you definitely want to use the direct protocol
|
|
-- running BIRD on BSD systems. Having high priority device routes for directly
|
|
connected networks from the direct protocol protects kernel device routes from
|
|
being overwritten or removed by IGP routes during some transient network
|
|
conditions, because a lower priority IGP route for the same network is not
|
|
exported to the kernel routing table. This is an issue on BSD systems only, as
|
|
on Linux systems BIRD cannot change non-BIRD route in the kernel routing table.
|
|
|
|
<p>The only configurable thing about direct is what interfaces it watches:
|
|
|
|
<p><descrip>
|
|
<tag>interface <m/pattern [, ...]/</tag>
|
|
By default, the Direct protocol will generate device routes for all the
|
|
interfaces available. If you want to restrict it to some subset of
|
|
interfaces or addresses (e.g. if you're using multiple routing tables
|
|
for policy routing and some of the policy domains don't contain all
|
|
interfaces), just use this clause. See <ref id="dsc-iface" name="interface">
|
|
common option for detailed description. The Direct protocol uses
|
|
extended interface clauses.
|
|
</descrip>
|
|
|
|
<p>Direct device routes don't contain any specific attributes.
|
|
|
|
<p>Example config might look like this:
|
|
|
|
<p><code>
|
|
protocol direct {
|
|
interface "-arc*", "*"; # Exclude the ARCnets
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Kernel
|
|
|
|
<p>The Kernel protocol is not a real routing protocol. Instead of communicating
|
|
with other routers in the network, it performs synchronization of BIRD's routing
|
|
tables with the OS kernel. Basically, it sends all routing table updates to the
|
|
kernel and from time to time it scans the kernel tables to see whether some
|
|
routes have disappeared (for example due to unnoticed up/down transition of an
|
|
interface) or whether an `alien' route has been added by someone else (depending
|
|
on the <cf/learn/ switch, such routes are either ignored or accepted to our
|
|
table).
|
|
|
|
<p>Unfortunately, there is one thing that makes the routing table synchronization
|
|
a bit more complicated. In the kernel routing table there are also device routes
|
|
for directly connected networks. These routes are usually managed by OS itself
|
|
(as a part of IP address configuration) and we don't want to touch that. They
|
|
are completely ignored during the scan of the kernel tables and also the export
|
|
of device routes from BIRD tables to kernel routing tables is restricted to
|
|
prevent accidental interference. This restriction can be disabled using
|
|
<cf/device routes/ switch.
|
|
|
|
<p>If your OS supports only a single routing table, you can configure only one
|
|
instance of the Kernel protocol. If it supports multiple tables (in order to
|
|
allow policy routing; such an OS is for example Linux), you can run as many
|
|
instances as you want, but each of them must be connected to a different BIRD
|
|
routing table and to a different kernel table.
|
|
|
|
<p>Because the kernel protocol is partially integrated with the connected
|
|
routing table, there are two limitations - it is not possible to connect more
|
|
kernel protocols to the same routing table and changing route destination
|
|
(gateway) in an export filter of a kernel protocol does not work. Both
|
|
limitations can be overcome using another routing table and the pipe protocol.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p><descrip>
|
|
<tag>persist <m/switch/</tag>
|
|
Tell BIRD to leave all its routes in the routing tables when it exits
|
|
(instead of cleaning them up).
|
|
|
|
<tag>scan time <m/number/</tag>
|
|
Time in seconds between two consecutive scans of the kernel routing
|
|
table.
|
|
|
|
<tag>learn <m/switch/</tag>
|
|
Enable learning of routes added to the kernel routing tables by other
|
|
routing daemons or by the system administrator. This is possible only on
|
|
systems which support identification of route authorship.
|
|
|
|
<tag>device routes <m/switch/</tag>
|
|
Enable export of device routes to the kernel routing table. By default,
|
|
such routes are rejected (with the exception of explicitly configured
|
|
device routes from the static protocol) regardless of the export filter
|
|
to protect device routes in kernel routing table (managed by OS itself)
|
|
from accidental overwriting or erasing.
|
|
|
|
<tag>kernel table <m/number/</tag>
|
|
Select which kernel table should this particular instance of the Kernel
|
|
protocol work with. Available only on systems supporting multiple
|
|
routing tables.
|
|
|
|
<tag>graceful restart <m/switch/</tag>
|
|
Participate in graceful restart recovery. If this option is enabled and
|
|
a graceful restart recovery is active, the Kernel protocol will defer
|
|
synchronization of routing tables until the end of the recovery. Note
|
|
that import of kernel routes to BIRD is not affected.
|
|
</descrip>
|
|
|
|
<sect1>Attributes
|
|
|
|
<p>The Kernel protocol defines several attributes. These attributes are
|
|
translated to appropriate system (and OS-specific) route attributes. We support
|
|
these attributes:
|
|
|
|
<descrip>
|
|
<tag>int <cf/krt_source/</tag>
|
|
The original source of the imported kernel route. The value is
|
|
system-dependent. On Linux, it is a value of the protocol field of the
|
|
route. See /etc/iproute2/rt_protos for common values. On BSD, it is
|
|
based on STATIC and PROTOx flags. The attribute is read-only.
|
|
|
|
<tag>int <cf/krt_metric/</tag>
|
|
The kernel metric of the route. When multiple same routes are in a
|
|
kernel routing table, the Linux kernel chooses one with lower metric.
|
|
|
|
<tag>ip <cf/krt_prefsrc/</tag> (Linux)
|
|
The preferred source address. Used in source address selection for
|
|
outgoing packets. Have to be one of IP addresses of the router.
|
|
|
|
<tag>int <cf/krt_realm/</tag> (Linux)
|
|
The realm of the route. Can be used for traffic classification.
|
|
</descrip>
|
|
|
|
<sect1>Example
|
|
|
|
<p>A simple configuration can look this way:
|
|
|
|
<p><code>
|
|
protocol kernel {
|
|
export all;
|
|
}
|
|
</code>
|
|
|
|
<p>Or for a system with two routing tables:
|
|
|
|
<p><code>
|
|
protocol kernel { # Primary routing table
|
|
learn; # Learn alien routes from the kernel
|
|
persist; # Don't remove routes on bird shutdown
|
|
scan time 10; # Scan kernel routing table every 10 seconds
|
|
import all;
|
|
export all;
|
|
}
|
|
|
|
protocol kernel { # Secondary routing table
|
|
table auxtable;
|
|
kernel table 100;
|
|
export all;
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>OSPF
|
|
|
|
<sect1>Introduction
|
|
|
|
<p>Open Shortest Path First (OSPF) is a quite complex interior gateway
|
|
protocol. The current IPv4 version (OSPFv2) is defined in RFC 2328
|
|
<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2328.txt">
|
|
and the current IPv6 version (OSPFv3) is defined in RFC 5340
|
|
<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5340.txt">
|
|
It's a link state (a.k.a. shortest path first) protocol -- each router maintains
|
|
a database describing the autonomous system's topology. Each participating
|
|
router has an identical copy of the database and all routers run the same
|
|
algorithm calculating a shortest path tree with themselves as a root. OSPF
|
|
chooses the least cost path as the best path.
|
|
|
|
<p>In OSPF, the autonomous system can be split to several areas in order to
|
|
reduce the amount of resources consumed for exchanging the routing information
|
|
and to protect the other areas from incorrect routing data. Topology of the area
|
|
is hidden to the rest of the autonomous system.
|
|
|
|
<p>Another very important feature of OSPF is that it can keep routing information
|
|
from other protocols (like Static or BGP) in its link state database as external
|
|
routes. Each external route can be tagged by the advertising router, making it
|
|
possible to pass additional information between routers on the boundary of the
|
|
autonomous system.
|
|
|
|
<p>OSPF quickly detects topological changes in the autonomous system (such as
|
|
router interface failures) and calculates new loop-free routes after a short
|
|
period of convergence. Only a minimal amount of routing traffic is involved.
|
|
|
|
<p>Each router participating in OSPF routing periodically sends Hello messages
|
|
to all its interfaces. This allows neighbors to be discovered dynamically. Then
|
|
the neighbors exchange theirs parts of the link state database and keep it
|
|
identical by flooding updates. The flooding process is reliable and ensures that
|
|
each router detects all changes.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p>In the main part of configuration, there can be multiple definitions of OSPF
|
|
areas, each with a different id. These definitions includes many other switches
|
|
and multiple definitions of interfaces. Definition of interface may contain many
|
|
switches and constant definitions and list of neighbors on nonbroadcast
|
|
networks.
|
|
|
|
<code>
|
|
protocol ospf <name> {
|
|
rfc1583compat <switch>;
|
|
stub router <switch>;
|
|
tick <num>;
|
|
ecmp <switch> [limit <num>];
|
|
area <id> {
|
|
stub;
|
|
nssa;
|
|
summary <switch>;
|
|
default nssa <switch>;
|
|
default cost <num>;
|
|
default cost2 <num>;
|
|
translator <switch>;
|
|
translator stability <num>;
|
|
|
|
networks {
|
|
<prefix>;
|
|
<prefix> hidden;
|
|
}
|
|
external {
|
|
<prefix>;
|
|
<prefix> hidden;
|
|
<prefix> tag <num>;
|
|
}
|
|
stubnet <prefix>;
|
|
stubnet <prefix> {
|
|
hidden <switch>;
|
|
summary <switch>;
|
|
cost <num>;
|
|
}
|
|
interface <interface pattern> [instance <num>] {
|
|
cost <num>;
|
|
stub <switch>;
|
|
hello <num>;
|
|
poll <num>;
|
|
retransmit <num>;
|
|
priority <num>;
|
|
wait <num>;
|
|
dead count <num>;
|
|
dead <num>;
|
|
secondary <switch>;
|
|
rx buffer [normal|large|<num>];
|
|
tx length <num>;
|
|
type [broadcast|bcast|pointopoint|ptp|
|
|
nonbroadcast|nbma|pointomultipoint|ptmp];
|
|
strict nonbroadcast <switch>;
|
|
real broadcast <switch>;
|
|
ptp netmask <switch>;
|
|
check link <switch>;
|
|
bfd <switch>;
|
|
ecmp weight <num>;
|
|
ttl security [<switch>; | tx only]
|
|
tx class|dscp <num>;
|
|
tx priority <num>;
|
|
authentication [none|simple|cryptographic];
|
|
password "<text>";
|
|
password "<text>" {
|
|
id <num>;
|
|
generate from "<date>";
|
|
generate to "<date>";
|
|
accept from "<date>";
|
|
accept to "<date>";
|
|
};
|
|
neighbors {
|
|
<ip>;
|
|
<ip> eligible;
|
|
};
|
|
};
|
|
virtual link <id> [instance <num>] {
|
|
hello <num>;
|
|
retransmit <num>;
|
|
wait <num>;
|
|
dead count <num>;
|
|
dead <num>;
|
|
authentication [none|simple|cryptographic];
|
|
password "<text>";
|
|
};
|
|
};
|
|
}
|
|
</code>
|
|
|
|
<descrip>
|
|
<tag>rfc1583compat <M>switch</M></tag>
|
|
This option controls compatibility of routing table calculation with
|
|
RFC 1583 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1583.txt">.
|
|
Default value is no.
|
|
|
|
<tag>stub router <M>switch</M></tag>
|
|
This option configures the router to be a stub router, i.e., a router
|
|
that participates in the OSPF topology but does not allow transit
|
|
traffic. In OSPFv2, this is implemented by advertising maximum metric
|
|
for outgoing links, as suggested by
|
|
RFC 3137 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc3137.txt">.
|
|
In OSPFv3, the stub router behavior is announced by clearing the R-bit
|
|
in the router LSA. Default value is no.
|
|
|
|
<tag>tick <M>num</M></tag>
|
|
The routing table calculation and clean-up of areas' databases is not
|
|
performed when a single link state change arrives. To lower the CPU
|
|
utilization, it's processed later at periodical intervals of <m/num/
|
|
seconds. The default value is 1.
|
|
|
|
<tag>ecmp <M>switch</M> [limit <M>number</M>]</tag>
|
|
This option specifies whether OSPF is allowed to generate ECMP
|
|
(equal-cost multipath) routes. Such routes are used when there are
|
|
several directions to the destination, each with the same (computed)
|
|
cost. This option also allows to specify a limit on maximal number of
|
|
nexthops in one route. By default, ECMP is disabled. If enabled,
|
|
default value of the limit is 16.
|
|
|
|
<tag>area <M>id</M></tag>
|
|
This defines an OSPF area with given area ID (an integer or an IPv4
|
|
address, similarly to a router ID). The most important area is the
|
|
backbone (ID 0) to which every other area must be connected.
|
|
|
|
<tag>stub</tag>
|
|
This option configures the area to be a stub area. External routes are
|
|
not flooded into stub areas. Also summary LSAs can be limited in stub
|
|
areas (see option <cf/summary/). By default, the area is not a stub
|
|
area.
|
|
|
|
<tag>nssa</tag>
|
|
This option configures the area to be a NSSA (Not-So-Stubby Area). NSSA
|
|
is a variant of a stub area which allows a limited way of external route
|
|
propagation. Global external routes are not propagated into a NSSA, but
|
|
an external route can be imported into NSSA as a (area-wide) NSSA-LSA
|
|
(and possibly translated and/or aggregated on area boundary). By
|
|
default, the area is not NSSA.
|
|
|
|
<tag>summary <M>switch</M></tag>
|
|
This option controls propagation of summary LSAs into stub or NSSA
|
|
areas. If enabled, summary LSAs are propagated as usual, otherwise just
|
|
the default summary route (0.0.0.0/0) is propagated (this is sometimes
|
|
called totally stubby area). If a stub area has more area boundary
|
|
routers, propagating summary LSAs could lead to more efficient routing
|
|
at the cost of larger link state database. Default value is no.
|
|
|
|
<tag>default nssa <M>switch</M></tag>
|
|
When <cf/summary/ option is enabled, default summary route is no longer
|
|
propagated to the NSSA. In that case, this option allows to originate
|
|
default route as NSSA-LSA to the NSSA. Default value is no.
|
|
|
|
<tag>default cost <M>num</M></tag>
|
|
This option controls the cost of a default route propagated to stub and
|
|
NSSA areas. Default value is 1000.
|
|
|
|
<tag>default cost2 <M>num</M></tag>
|
|
When a default route is originated as NSSA-LSA, its cost can use either
|
|
type 1 or type 2 metric. This option allows to specify the cost of a
|
|
default route in type 2 metric. By default, type 1 metric (option
|
|
<cf/default cost/) is used.
|
|
|
|
<tag>translator <M>switch</M></tag>
|
|
This option controls translation of NSSA-LSAs into external LSAs. By
|
|
default, one translator per NSSA is automatically elected from area
|
|
boundary routers. If enabled, this area boundary router would
|
|
unconditionally translate all NSSA-LSAs regardless of translator
|
|
election. Default value is no.
|
|
|
|
<tag>translator stability <M>num</M></tag>
|
|
This option controls the translator stability interval (in seconds).
|
|
When the new translator is elected, the old one keeps translating until
|
|
the interval is over. Default value is 40.
|
|
|
|
<tag>networks { <m/set/ }</tag>
|
|
Definition of area IP ranges. This is used in summary LSA origination.
|
|
Hidden networks are not propagated into other areas.
|
|
|
|
<tag>external { <m/set/ }</tag>
|
|
Definition of external area IP ranges for NSSAs. This is used for
|
|
NSSA-LSA translation. Hidden networks are not translated into external
|
|
LSAs. Networks can have configured route tag.
|
|
|
|
<tag>stubnet <m/prefix/ { <m/options/ }</tag>
|
|
Stub networks are networks that are not transit networks between OSPF
|
|
routers. They are also propagated through an OSPF area as a part of a
|
|
link state database. By default, BIRD generates a stub network record
|
|
for each primary network address on each OSPF interface that does not
|
|
have any OSPF neighbors, and also for each non-primary network address
|
|
on each OSPF interface. This option allows to alter a set of stub
|
|
networks propagated by this router.
|
|
|
|
Each instance of this option adds a stub network with given network
|
|
prefix to the set of propagated stub network, unless option <cf/hidden/
|
|
is used. It also suppresses default stub networks for given network
|
|
prefix. When option <cf/summary/ is used, also default stub networks
|
|
that are subnetworks of given stub network are suppressed. This might be
|
|
used, for example, to aggregate generated stub networks.
|
|
|
|
<tag>interface <M>pattern</M> [instance <m/num/]</tag>
|
|
Defines that the specified interfaces belong to the area being defined.
|
|
See <ref id="dsc-iface" name="interface"> common option for detailed
|
|
description. In OSPFv2, extended interface clauses are used, because
|
|
OSPFv2 handles each network prefix as a separate virtual interface. In
|
|
OSPFv3, you can specify instance ID for that interface description, so
|
|
it is possible to have several instances of that interface with
|
|
different options or even in different areas.
|
|
|
|
<tag>virtual link <M>id</M> [instance <m/num/]</tag>
|
|
Virtual link to router with the router id. Virtual link acts as a
|
|
point-to-point interface belonging to backbone. The actual area is used
|
|
as transport area. This item cannot be in the backbone. In OSPFv3, you
|
|
could also use several virtual links to one destination with different
|
|
instance IDs.
|
|
|
|
<tag>cost <M>num</M></tag>
|
|
Specifies output cost (metric) of an interface. Default value is 10.
|
|
|
|
<tag>stub <M>switch</M></tag>
|
|
If set to interface it does not listen to any packet and does not send
|
|
any hello. Default value is no.
|
|
|
|
<tag>hello <M>num</M></tag>
|
|
Specifies interval in seconds between sending of Hello messages. Beware,
|
|
all routers on the same network need to have the same hello interval.
|
|
Default value is 10.
|
|
|
|
<tag>poll <M>num</M></tag>
|
|
Specifies interval in seconds between sending of Hello messages for some
|
|
neighbors on NBMA network. Default value is 20.
|
|
|
|
<tag>retransmit <M>num</M></tag>
|
|
Specifies interval in seconds between retransmissions of unacknowledged
|
|
updates. Default value is 5.
|
|
|
|
<tag>priority <M>num</M></tag>
|
|
On every multiple access network (e.g., the Ethernet) Designed Router
|
|
and Backup Designed router are elected. These routers have some special
|
|
functions in the flooding process. Higher priority increases preferences
|
|
in this election. Routers with priority 0 are not eligible. Default
|
|
value is 1.
|
|
|
|
<tag>wait <M>num</M></tag>
|
|
After start, router waits for the specified number of seconds between
|
|
starting election and building adjacency. Default value is 40.
|
|
|
|
<tag>dead count <M>num</M></tag>
|
|
When the router does not receive any messages from a neighbor in
|
|
<m/dead count/*<m/hello/ seconds, it will consider the neighbor down.
|
|
|
|
<tag>dead <M>num</M></tag>
|
|
When the router does not receive any messages from a neighbor in
|
|
<m/dead/ seconds, it will consider the neighbor down. If both directives
|
|
<cf/dead count/ and <cf/dead/ are used, <cf/dead/ has precendence.
|
|
|
|
<tag>secondary <M>switch</M></tag>
|
|
On BSD systems, older versions of BIRD supported OSPFv2 only for the
|
|
primary IP address of an interface, other IP ranges on the interface
|
|
were handled as stub networks. Since v1.4.1, regular operation on
|
|
secondary IP addresses is supported, but disabled by default for
|
|
compatibility. This option allows to enable it. The option is a
|
|
transitional measure, will be removed in the next major release as the
|
|
behavior will be changed. On Linux systems, the option is irrelevant, as
|
|
operation on non-primary addresses is already the regular behavior.
|
|
|
|
<tag>rx buffer <M>num</M></tag>
|
|
This option allows to specify the size of buffers used for packet
|
|
processing. The buffer size should be bigger than maximal size of any
|
|
packets. By default, buffers are dynamically resized as needed, but a
|
|
fixed value could be specified. Value <cf/large/ means maximal allowed
|
|
packet size - 65535.
|
|
|
|
<tag>tx length <M>num</M></tag>
|
|
Transmitted OSPF messages that contain large amount of information are
|
|
segmented to separate OSPF packets to avoid IP fragmentation. This
|
|
option specifies the soft ceiling for the length of generated OSPF
|
|
packets. Default value is the MTU of the network interface. Note that
|
|
larger OSPF packets may still be generated if underlying OSPF messages
|
|
cannot be splitted (e.g. when one large LSA is propagated).
|
|
|
|
<tag>type broadcast|bcast</tag>
|
|
BIRD detects a type of a connected network automatically, but sometimes
|
|
it's convenient to force use of a different type manually. On broadcast
|
|
networks (like ethernet), flooding and Hello messages are sent using
|
|
multicasts (a single packet for all the neighbors). A designated router
|
|
is elected and it is responsible for synchronizing the link-state
|
|
databases and originating network LSAs. This network type cannot be used
|
|
on physically NBMA networks and on unnumbered networks (networks without
|
|
proper IP prefix).
|
|
|
|
<tag>type pointopoint|ptp</tag>
|
|
Point-to-point networks connect just 2 routers together. No election is
|
|
performed and no network LSA is originated, which makes it simpler and
|
|
faster to establish. This network type is useful not only for physically
|
|
PtP ifaces (like PPP or tunnels), but also for broadcast networks used
|
|
as PtP links. This network type cannot be used on physically NBMA
|
|
networks.
|
|
|
|
<tag>type nonbroadcast|nbma</tag>
|
|
On NBMA networks, the packets are sent to each neighbor separately
|
|
because of lack of multicast capabilities. Like on broadcast networks,
|
|
a designated router is elected, which plays a central role in propagation
|
|
of LSAs. This network type cannot be used on unnumbered networks.
|
|
|
|
<tag>type pointomultipoint|ptmp</tag>
|
|
This is another network type designed to handle NBMA networks. In this
|
|
case the NBMA network is treated as a collection of PtP links. This is
|
|
useful if not every pair of routers on the NBMA network has direct
|
|
communication, or if the NBMA network is used as an (possibly
|
|
unnumbered) PtP link.
|
|
|
|
<tag>strict nonbroadcast <M>switch</M></tag>
|
|
If set, don't send hello to any undefined neighbor. This switch is
|
|
ignored on other than NBMA or PtMP networks. Default value is no.
|
|
|
|
<tag>real broadcast <m/switch/</tag>
|
|
In <cf/type broadcast/ or <cf/type ptp/ network configuration, OSPF
|
|
packets are sent as IP multicast packets. This option changes the
|
|
behavior to using old-fashioned IP broadcast packets. This may be useful
|
|
as a workaround if IP multicast for some reason does not work or does
|
|
not work reliably. This is a non-standard option and probably is not
|
|
interoperable with other OSPF implementations. Default value is no.
|
|
|
|
<tag>ptp netmask <m/switch/</tag>
|
|
In <cf/type ptp/ network configurations, OSPFv2 implementations should
|
|
ignore received netmask field in hello packets and should send hello
|
|
packets with zero netmask field on unnumbered PtP links. But some OSPFv2
|
|
implementations perform netmask checking even for PtP links. This option
|
|
specifies whether real netmask will be used in hello packets on <cf/type
|
|
ptp/ interfaces. You should ignore this option unless you meet some
|
|
compatibility problems related to this issue. Default value is no for
|
|
unnumbered PtP links, yes otherwise.
|
|
|
|
<tag>check link <M>switch</M></tag>
|
|
If set, a hardware link state (reported by OS) is taken into consideration.
|
|
When a link disappears (e.g. an ethernet cable is unplugged), neighbors
|
|
are immediately considered unreachable and only the address of the iface
|
|
(instead of whole network prefix) is propagated. It is possible that
|
|
some hardware drivers or platforms do not implement this feature.
|
|
Default value is no.
|
|
|
|
<tag>bfd <M>switch</M></tag>
|
|
OSPF could use BFD protocol as an advisory mechanism for neighbor
|
|
liveness and failure detection. If enabled, BIRD setups a BFD session
|
|
for each OSPF neighbor and tracks its liveness by it. This has an
|
|
advantage of an order of magnitude lower detection times in case of
|
|
failure. Note that BFD protocol also has to be configured, see
|
|
<ref id="sect-bfd" name="BFD"> section for details. Default value is no.
|
|
|
|
<tag>ttl security [<m/switch/ | tx only]</tag>
|
|
TTL security is a feature that protects routing protocols from remote
|
|
spoofed packets by using TTL 255 instead of TTL 1 for protocol packets
|
|
destined to neighbors. Because TTL is decremented when packets are
|
|
forwarded, it is non-trivial to spoof packets with TTL 255 from remote
|
|
locations. Note that this option would interfere with OSPF virtual
|
|
links.
|
|
|
|
If this option is enabled, the router will send OSPF packets with TTL
|
|
255 and drop received packets with TTL less than 255. If this option si
|
|
set to <cf/tx only/, TTL 255 is used for sent packets, but is not
|
|
checked for received packets. Default value is no.
|
|
|
|
<tag>tx class|dscp|priority <m/num/</tag>
|
|
These options specify the ToS/DiffServ/Traffic class/Priority of the
|
|
outgoing OSPF packets. See <ref id="dsc-prio" name="tx class"> common
|
|
option for detailed description.
|
|
|
|
<tag>ecmp weight <M>num</M></tag>
|
|
When ECMP (multipath) routes are allowed, this value specifies a
|
|
relative weight used for nexthops going through the iface. Allowed
|
|
values are 1-256. Default value is 1.
|
|
|
|
<tag>authentication none</tag>
|
|
No passwords are sent in OSPF packets. This is the default value.
|
|
|
|
<tag>authentication simple</tag>
|
|
Every packet carries 8 bytes of password. Received packets lacking this
|
|
password are ignored. This authentication mechanism is very weak.
|
|
|
|
<tag>authentication cryptographic</tag>
|
|
16-byte long MD5 digest is appended to every packet. For the digest
|
|
generation 16-byte long passwords are used. Those passwords are not sent
|
|
via network, so this mechanism is quite secure. Packets can still be
|
|
read by an attacker.
|
|
|
|
<tag>password "<M>text</M>"</tag>
|
|
An 8-byte or 16-byte password used for authentication. See
|
|
<ref id="dsc-pass" name="password"> common option for detailed
|
|
description.
|
|
|
|
<tag>neighbors { <m/set/ } </tag>
|
|
A set of neighbors to which Hello messages on NBMA or PtMP networks are
|
|
to be sent. For NBMA networks, some of them could be marked as eligible.
|
|
In OSPFv3, link-local addresses should be used, using global ones is
|
|
possible, but it is nonstandard and might be problematic. And definitely,
|
|
link-local and global addresses should not be mixed.
|
|
</descrip>
|
|
|
|
<sect1>Attributes
|
|
|
|
<p>OSPF defines four route attributes. Each internal route has a <cf/metric/.
|
|
|
|
<p>Metric is ranging from 1 to infinity (65535). External routes use
|
|
<cf/metric type 1/ or <cf/metric type 2/. A <cf/metric of type 1/ is comparable
|
|
with internal <cf/metric/, a <cf/metric of type 2/ is always longer than any
|
|
<cf/metric of type 1/ or any <cf/internal metric/. <cf/Internal metric/ or
|
|
<cf/metric of type 1/ is stored in attribute <cf/ospf_metric1/, <cf/metric type
|
|
2/ is stored in attribute <cf/ospf_metric2/. If you specify both metrics only
|
|
metric1 is used.
|
|
|
|
<p>Each external route can also carry attribute <cf/ospf_tag/ which is a 32-bit
|
|
integer which is used when exporting routes to other protocols; otherwise, it
|
|
doesn't affect routing inside the OSPF domain at all. The fourth attribute
|
|
<cf/ospf_router_id/ is a router ID of the router advertising that route /
|
|
network. This attribute is read-only. Default is <cf/ospf_metric2 = 10000/ and
|
|
<cf/ospf_tag = 0/.
|
|
|
|
<sect1>Example
|
|
|
|
<p><code>
|
|
protocol ospf MyOSPF {
|
|
rfc1583compat yes;
|
|
tick 2;
|
|
export filter {
|
|
if source = RTS_BGP then {
|
|
ospf_metric1 = 100;
|
|
accept;
|
|
}
|
|
reject;
|
|
};
|
|
area 0.0.0.0 {
|
|
interface "eth*" {
|
|
cost 11;
|
|
hello 15;
|
|
priority 100;
|
|
retransmit 7;
|
|
authentication simple;
|
|
password "aaa";
|
|
};
|
|
interface "ppp*" {
|
|
cost 100;
|
|
authentication cryptographic;
|
|
password "abc" {
|
|
id 1;
|
|
generate to "22-04-2003 11:00:06";
|
|
accept from "17-01-2001 12:01:05";
|
|
};
|
|
password "def" {
|
|
id 2;
|
|
generate to "22-07-2005 17:03:21";
|
|
accept from "22-02-2001 11:34:06";
|
|
};
|
|
};
|
|
interface "arc0" {
|
|
cost 10;
|
|
stub yes;
|
|
};
|
|
interface "arc1";
|
|
};
|
|
area 120 {
|
|
stub yes;
|
|
networks {
|
|
172.16.1.0/24;
|
|
172.16.2.0/24 hidden;
|
|
}
|
|
interface "-arc0" , "arc*" {
|
|
type nonbroadcast;
|
|
authentication none;
|
|
strict nonbroadcast yes;
|
|
wait 120;
|
|
poll 40;
|
|
dead count 8;
|
|
neighbors {
|
|
192.168.120.1 eligible;
|
|
192.168.120.2;
|
|
192.168.120.10;
|
|
};
|
|
};
|
|
};
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Pipe
|
|
|
|
<sect1>Introduction
|
|
|
|
<p>The Pipe protocol serves as a link between two routing tables, allowing
|
|
routes to be passed from a table declared as primary (i.e., the one the pipe is
|
|
connected to using the <cf/table/ configuration keyword) to the secondary one
|
|
(declared using <cf/peer table/) and vice versa, depending on what's allowed by
|
|
the filters. Export filters control export of routes from the primary table to
|
|
the secondary one, import filters control the opposite direction.
|
|
|
|
<p>The Pipe protocol may work in the transparent mode mode or in the opaque
|
|
mode. In the transparent mode, the Pipe protocol retransmits all routes from
|
|
one table to the other table, retaining their original source and attributes.
|
|
If import and export filters are set to accept, then both tables would have
|
|
the same content. The transparent mode is the default mode.
|
|
|
|
<p>In the opaque mode, the Pipe protocol retransmits optimal route from one
|
|
table to the other table in a similar way like other protocols send and receive
|
|
routes. Retransmitted route will have the source set to the Pipe protocol, which
|
|
may limit access to protocol specific route attributes. This mode is mainly for
|
|
compatibility, it is not suggested for new configs. The mode can be changed by
|
|
<tt/mode/ option.
|
|
|
|
<p>The primary use of multiple routing tables and the Pipe protocol is for
|
|
policy routing, where handling of a single packet doesn't depend only on its
|
|
destination address, but also on its source address, source interface, protocol
|
|
type and other similar parameters. In many systems (Linux being a good example),
|
|
the kernel allows to enforce routing policies by defining routing rules which
|
|
choose one of several routing tables to be used for a packet according to its
|
|
parameters. Setting of these rules is outside the scope of BIRD's work (on
|
|
Linux, you can use the <tt/ip/ command), but you can create several routing
|
|
tables in BIRD, connect them to the kernel ones, use filters to control which
|
|
routes appear in which tables and also you can employ the Pipe protocol for
|
|
exporting a selected subset of one table to another one.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p><descrip>
|
|
<tag>peer table <m/table/</tag>
|
|
Defines secondary routing table to connect to. The primary one is
|
|
selected by the <cf/table/ keyword.
|
|
|
|
<tag>mode opaque|transparent</tag>
|
|
Specifies the mode for the pipe to work in. Default is transparent.
|
|
</descrip>
|
|
|
|
<sect1>Attributes
|
|
|
|
<p>The Pipe protocol doesn't define any route attributes.
|
|
|
|
<sect1>Example
|
|
|
|
<p>Let's consider a router which serves as a boundary router of two different
|
|
autonomous systems, each of them connected to a subset of interfaces of the
|
|
router, having its own exterior connectivity and wishing to use the other AS as
|
|
a backup connectivity in case of outage of its own exterior line.
|
|
|
|
<p>Probably the simplest solution to this situation is to use two routing tables
|
|
(we'll call them <cf/as1/ and <cf/as2/) and set up kernel routing rules, so that
|
|
packets having arrived from interfaces belonging to the first AS will be routed
|
|
according to <cf/as1/ and similarly for the second AS. Thus we have split our
|
|
router to two logical routers, each one acting on its own routing table, having
|
|
its own routing protocols on its own interfaces. In order to use the other AS's
|
|
routes for backup purposes, we can pass the routes between the tables through a
|
|
Pipe protocol while decreasing their preferences and correcting their BGP paths
|
|
to reflect the AS boundary crossing.
|
|
|
|
<code>
|
|
table as1; # Define the tables
|
|
table as2;
|
|
|
|
protocol kernel kern1 { # Synchronize them with the kernel
|
|
table as1;
|
|
kernel table 1;
|
|
}
|
|
|
|
protocol kernel kern2 {
|
|
table as2;
|
|
kernel table 2;
|
|
}
|
|
|
|
protocol bgp bgp1 { # The outside connections
|
|
table as1;
|
|
local as 1;
|
|
neighbor 192.168.0.1 as 1001;
|
|
export all;
|
|
import all;
|
|
}
|
|
|
|
protocol bgp bgp2 {
|
|
table as2;
|
|
local as 2;
|
|
neighbor 10.0.0.1 as 1002;
|
|
export all;
|
|
import all;
|
|
}
|
|
|
|
protocol pipe { # The Pipe
|
|
table as1;
|
|
peer table as2;
|
|
export filter {
|
|
if net ~ [ 1.0.0.0/8+] then { # Only AS1 networks
|
|
if preference>10 then preference = preference-10;
|
|
if source=RTS_BGP then bgp_path.prepend(1);
|
|
accept;
|
|
}
|
|
reject;
|
|
};
|
|
import filter {
|
|
if net ~ [ 2.0.0.0/8+] then { # Only AS2 networks
|
|
if preference>10 then preference = preference-10;
|
|
if source=RTS_BGP then bgp_path.prepend(2);
|
|
accept;
|
|
}
|
|
reject;
|
|
};
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>RAdv
|
|
|
|
<sect1>Introduction
|
|
|
|
<p>The RAdv protocol is an implementation of Router Advertisements, which are
|
|
used in the IPv6 stateless autoconfiguration. IPv6 routers send (in irregular
|
|
time intervals or as an answer to a request) advertisement packets to connected
|
|
networks. These packets contain basic information about a local network (e.g. a
|
|
list of network prefixes), which allows network hosts to autoconfigure network
|
|
addresses and choose a default route. BIRD implements router behavior as defined
|
|
in RFC 4861<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4861.txt">
|
|
and also the DNS extensions from
|
|
RFC 6106<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6106.txt">.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p>There are several classes of definitions in RAdv configuration -- interface
|
|
definitions, prefix definitions and DNS definitions:
|
|
|
|
<descrip>
|
|
<tag>interface <m/pattern [, ...]/ { <m/options/ }</tag>
|
|
Interface definitions specify a set of interfaces on which the
|
|
protocol is activated and contain interface specific options.
|
|
See <ref id="dsc-iface" name="interface"> common options for
|
|
detailed description.
|
|
|
|
<tag>prefix <m/prefix/ { <m/options/ }</tag>
|
|
Prefix definitions allow to modify a list of advertised prefixes. By
|
|
default, the advertised prefixes are the same as the network prefixes
|
|
assigned to the interface. For each network prefix, the matching prefix
|
|
definition is found and its options are used. If no matching prefix
|
|
definition is found, the prefix is used with default options.
|
|
|
|
Prefix definitions can be either global or interface-specific. The
|
|
second ones are part of interface options. The prefix definition
|
|
matching is done in the first-match style, when interface-specific
|
|
definitions are processed before global definitions. As expected, the
|
|
prefix definition is matching if the network prefix is a subnet of the
|
|
prefix in prefix definition.
|
|
|
|
<tag>rdnss { <m/options/ }</tag>
|
|
RDNSS definitions allow to specify a list of advertised recursive DNS
|
|
servers together with their options. As options are seldom necessary,
|
|
there is also a short variant <cf>rdnss <m/address/</cf> that just
|
|
specifies one DNS server. Multiple definitions are cumulative. RDNSS
|
|
definitions may also be interface-specific when used inside interface
|
|
options. By default, interface uses both global and interface-specific
|
|
options, but that can be changed by <cf/rdnss local/ option.
|
|
|
|
<tag>dnssl { <m/options/ }</tag>
|
|
DNSSL definitions allow to specify a list of advertised DNS search
|
|
domains together with their options. Like <cf/rdnss/ above, multiple
|
|
definitions are cumulative, they can be used also as interface-specific
|
|
options and there is a short variant <cf>dnssl <m/domain/</cf> that just
|
|
specifies one DNS search domain.
|
|
|
|
<label id="dsc-trigger"> <tag>trigger <m/prefix/</tag>
|
|
RAdv protocol could be configured to change its behavior based on
|
|
availability of routes. When this option is used, the protocol waits in
|
|
suppressed state until a <it/trigger route/ (for the specified network)
|
|
is exported to the protocol, the protocol also returnsd to suppressed
|
|
state if the <it/trigger route/ disappears. Note that route export
|
|
depends on specified export filter, as usual. This option could be used,
|
|
e.g., for handling failover in multihoming scenarios.
|
|
|
|
During suppressed state, router advertisements are generated, but with
|
|
some fields zeroed. Exact behavior depends on which fields are zeroed,
|
|
this can be configured by <cf/sensitive/ option for appropriate
|
|
fields. By default, just <cf/default lifetime/ (also called <cf/router
|
|
lifetime/) is zeroed, which means hosts cannot use the router as a
|
|
default router. <cf/preferred lifetime/ and <cf/valid lifetime/ could
|
|
also be configured as <cf/sensitive/ for a prefix, which would cause
|
|
autoconfigured IPs to be deprecated or even removed.
|
|
</descrip>
|
|
|
|
<p>Interface specific options:
|
|
|
|
<descrip>
|
|
<tag>max ra interval <m/expr/</tag>
|
|
Unsolicited router advertisements are sent in irregular time intervals.
|
|
This option specifies the maximum length of these intervals, in seconds.
|
|
Valid values are 4-1800. Default: 600
|
|
|
|
<tag>min ra interval <m/expr/</tag>
|
|
This option specifies the minimum length of that intervals, in seconds.
|
|
Must be at least 3 and at most 3/4 * <cf/max ra interval/. Default:
|
|
about 1/3 * <cf/max ra interval/.
|
|
|
|
<tag>min delay <m/expr/</tag>
|
|
The minimum delay between two consecutive router advertisements, in
|
|
seconds. Default: 3
|
|
|
|
<tag>managed <m/switch/</tag>
|
|
This option specifies whether hosts should use DHCPv6 for IP address
|
|
configuration. Default: no
|
|
|
|
<tag>other config <m/switch/</tag>
|
|
This option specifies whether hosts should use DHCPv6 to receive other
|
|
configuration information. Default: no
|
|
|
|
<tag>link mtu <m/expr/</tag>
|
|
This option specifies which value of MTU should be used by hosts. 0
|
|
means unspecified. Default: 0
|
|
|
|
<tag>reachable time <m/expr/</tag>
|
|
This option specifies the time (in milliseconds) how long hosts should
|
|
assume a neighbor is reachable (from the last confirmation). Maximum is
|
|
3600000, 0 means unspecified. Default 0.
|
|
|
|
<tag>retrans timer <m/expr/</tag>
|
|
This option specifies the time (in milliseconds) how long hosts should
|
|
wait before retransmitting Neighbor Solicitation messages. 0 means
|
|
unspecified. Default 0.
|
|
|
|
<tag>current hop limit <m/expr/</tag>
|
|
This option specifies which value of Hop Limit should be used by
|
|
hosts. Valid values are 0-255, 0 means unspecified. Default: 64
|
|
|
|
<tag>default lifetime <m/expr/ [sensitive <m/switch/]</tag>
|
|
This option specifies the time (in seconds) how long (after the receipt
|
|
of RA) hosts may use the router as a default router. 0 means do not use
|
|
as a default router. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">.
|
|
Default: 3 * <cf/max ra interval/, <cf/sensitive/ yes.
|
|
|
|
<tag>rdnss local <m/switch/</tag>
|
|
Use only local (interface-specific) RDNSS definitions for this
|
|
interface. Otherwise, both global and local definitions are used. Could
|
|
also be used to disable RDNSS for given interface if no local definitons
|
|
are specified. Default: no.
|
|
|
|
<tag>dnssl local <m/switch/</tag>
|
|
Use only local DNSSL definitions for this interface. See <cf/rdnss local/
|
|
option above. Default: no.
|
|
</descrip>
|
|
|
|
|
|
<p>Prefix specific options:
|
|
|
|
<descrip>
|
|
<tag>skip <m/switch/</tag>
|
|
This option allows to specify that given prefix should not be
|
|
advertised. This is useful for making exceptions from a default policy
|
|
of advertising all prefixes. Note that for withdrawing an already
|
|
advertised prefix it is more useful to advertise it with zero valid
|
|
lifetime. Default: no
|
|
|
|
<tag>onlink <m/switch/</tag>
|
|
This option specifies whether hosts may use the advertised prefix for
|
|
onlink determination. Default: yes
|
|
|
|
<tag>autonomous <m/switch/</tag>
|
|
This option specifies whether hosts may use the advertised prefix for
|
|
stateless autoconfiguration. Default: yes
|
|
|
|
<tag>valid lifetime <m/expr/ [sensitive <m/switch/]</tag>
|
|
This option specifies the time (in seconds) how long (after the
|
|
receipt of RA) the prefix information is valid, i.e., autoconfigured
|
|
IP addresses can be assigned and hosts with that IP addresses are
|
|
considered directly reachable. 0 means the prefix is no longer
|
|
valid. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">.
|
|
Default: 86400 (1 day), <cf/sensitive/ no.
|
|
|
|
<tag>preferred lifetime <m/expr/ [sensitive <m/switch/]</tag>
|
|
This option specifies the time (in seconds) how long (after the
|
|
receipt of RA) IP addresses generated from the prefix using stateless
|
|
autoconfiguration remain preferred. For <cf/sensitive/ option,
|
|
see <ref id="dsc-trigger" name="trigger">. Default: 14400 (4 hours),
|
|
<cf/sensitive/ no.
|
|
</descrip>
|
|
|
|
|
|
<p>RDNSS specific options:
|
|
|
|
<descrip>
|
|
<tag>ns <m/address/</tag>
|
|
This option specifies one recursive DNS server. Can be used multiple
|
|
times for multiple servers. It is mandatory to have at least one
|
|
<cf/ns/ option in <cf/rdnss/ definition.
|
|
|
|
<tag>lifetime [mult] <m/expr/</tag>
|
|
This option specifies the time how long the RDNSS information may be
|
|
used by clients after the receipt of RA. It is expressed either in
|
|
seconds or (when <cf/mult/ is used) in multiples of <cf/max ra
|
|
interval/. Note that RDNSS information is also invalidated when
|
|
<cf/default lifetime/ expires. 0 means these addresses are no longer
|
|
valid DNS servers. Default: 3 * <cf/max ra interval/.
|
|
</descrip>
|
|
|
|
|
|
<p>DNSSL specific options:
|
|
|
|
<descrip>
|
|
<tag>domain <m/address/</tag>
|
|
This option specifies one DNS search domain. Can be used multiple times
|
|
for multiple domains. It is mandatory to have at least one <cf/domain/
|
|
option in <cf/dnssl/ definition.
|
|
|
|
<tag>lifetime [mult] <m/expr/</tag>
|
|
This option specifies the time how long the DNSSL information may be
|
|
used by clients after the receipt of RA. Details are the same as for
|
|
RDNSS <cf/lifetime/ option above. Default: 3 * <cf/max ra interval/.
|
|
</descrip>
|
|
|
|
|
|
<sect1>Example
|
|
|
|
<p><code>
|
|
protocol radv {
|
|
interface "eth2" {
|
|
max ra interval 5; # Fast failover with more routers
|
|
managed yes; # Using DHCPv6 on eth2
|
|
prefix ::/0 {
|
|
autonomous off; # So do not autoconfigure any IP
|
|
};
|
|
};
|
|
|
|
interface "eth*"; # No need for any other options
|
|
|
|
prefix 2001:0DB8:1234::/48 {
|
|
preferred lifetime 0; # Deprecated address range
|
|
};
|
|
|
|
prefix 2001:0DB8:2000::/48 {
|
|
autonomous off; # Do not autoconfigure
|
|
};
|
|
|
|
rdnss 2001:0DB8:1234::10; # Short form of RDNSS
|
|
|
|
rdnss {
|
|
lifetime mult 10;
|
|
ns 2001:0DB8:1234::11;
|
|
ns 2001:0DB8:1234::12;
|
|
};
|
|
|
|
dnssl {
|
|
lifetime 3600;
|
|
domain "abc.com";
|
|
domain "xyz.com";
|
|
};
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>RIP
|
|
|
|
<sect1>Introduction
|
|
|
|
<p>The RIP protocol (also sometimes called Rest In Pieces) is a simple protocol,
|
|
where each router broadcasts (to all its neighbors) distances to all networks it
|
|
can reach. When a router hears distance to another network, it increments it and
|
|
broadcasts it back. Broadcasts are done in regular intervals. Therefore, if some
|
|
network goes unreachable, routers keep telling each other that its distance is
|
|
the original distance plus 1 (actually, plus interface metric, which is usually
|
|
one). After some time, the distance reaches infinity (that's 15 in RIP) and all
|
|
routers know that network is unreachable. RIP tries to minimize situations where
|
|
counting to infinity is necessary, because it is slow. Due to infinity being 16,
|
|
you can't use RIP on networks where maximal distance is higher than 15
|
|
hosts. You can read more about RIP at
|
|
<HTMLURL URL="http://www.ietf.org/html.charters/rip-charter.html"
|
|
name="http://www.ietf.org/html.charters/rip-charter.html">. Both IPv4
|
|
(RFC 1723 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1723.txt">) and IPv6
|
|
(RFC 2080 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2080.txt">) versions
|
|
of RIP are supported by BIRD, historical RIPv1
|
|
(RFC 1058 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1058.txt">) is not
|
|
currently supported. RIPv4 MD5 authentication
|
|
(RFC 2082 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2082.txt">) is
|
|
supported.
|
|
|
|
<p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow
|
|
convergence, big network load and inability to handle larger networks makes it
|
|
pretty much obsolete. It is still usable on very small networks.
|
|
|
|
<sect1>Configuration
|
|
|
|
<p>In addition to options common for all to other protocols, RIP supports the
|
|
following ones:
|
|
|
|
<descrip>
|
|
<tag>authentication none|plaintext|md5</tag>
|
|
Selects authentication method to be used. <cf/none/ means that packets
|
|
are not authenticated at all, <cf/plaintext/ means that a plaintext
|
|
password is embedded into each packet, and <cf/md5/ means that packets
|
|
are authenticated using a MD5 cryptographic hash. If you set
|
|
authentication to not-none, it is a good idea to add <cf>password</cf>
|
|
section. Default: none.
|
|
|
|
<tag>honor always|neighbor|never</tag>
|
|
Specifies when should requests for dumping routing table be honored.
|
|
(Always, when sent from a host on a directly connected network or
|
|
never.) Routing table updates are honored only from neighbors, that is
|
|
not configurable. Default: never.
|
|
</descrip>
|
|
|
|
<p>There are some options that can be specified per-interface:
|
|
|
|
<descrip>
|
|
<tag>metric <m/num/</tag>
|
|
This option specifies the metric of the interface. Valid
|
|
|
|
<tag>mode multicast|broadcast|quiet|nolisten|version1</tag>
|
|
This option selects the mode for RIP to use on the interface. If nothing
|
|
is specified, RIP runs in multicast mode. <cf/version1/ is currently
|
|
equivalent to <cf/broadcast/, and it makes RIP talk to a broadcast
|
|
address even through multicast mode is possible. <cf/quiet/ option means
|
|
that RIP will not transmit any periodic messages to this interface and
|
|
<cf/nolisten/ means that RIP will send to this interface butnot listen
|
|
to it.
|
|
|
|
<tag>ttl security [<m/switch/ | tx only]</tag>
|
|
TTL security is a feature that protects routing protocols from remote
|
|
spoofed packets by using TTL 255 instead of TTL 1 for protocol packets
|
|
destined to neighbors. Because TTL is decremented when packets are
|
|
forwarded, it is non-trivial to spoof packets with TTL 255 from remote
|
|
locations.
|
|
|
|
If this option is enabled, the router will send RIP packets with TTL 255
|
|
and drop received packets with TTL less than 255. If this option si set
|
|
to <cf/tx only/, TTL 255 is used for sent packets, but is not checked
|
|
for received packets. Such setting does not offer protection, but offers
|
|
compatibility with neighbors regardless of whether they use ttl
|
|
security.
|
|
|
|
Note that for RIPng, TTL security is a standard behavior (required by
|
|
RFC 2080), but BIRD uses <cf/tx only/ by default, for compatibility with
|
|
older versions. For IPv4 RIP, default value is no.
|
|
|
|
<tag>tx class|dscp|priority <m/num/</tag>
|
|
These options specify the ToS/DiffServ/Traffic class/Priority of the
|
|
outgoing RIP packets. See <ref id="dsc-prio" name="tx class"> common
|
|
option for detailed description.
|
|
</descrip>
|
|
|
|
<p>The following options generally override behavior specified in RFC. If you
|
|
use any of these options, BIRD will no longer be RFC-compliant, which means it
|
|
will not be able to talk to anything other than equally configured BIRD. I have
|
|
warned you.
|
|
|
|
<descrip>
|
|
<tag>port <M>number</M></tag>
|
|
Selects IP port to operate on, default 520. (This is useful when testing
|
|
BIRD, if you set this to an address >1024, you will not need to run
|
|
bird with UID==0).
|
|
|
|
<tag>infinity <M>number</M></tag>
|
|
Selects the value of infinity, default is 16. Bigger values will make
|
|
protocol convergence even slower.
|
|
|
|
<tag>period <M>number</M></tag>
|
|
Specifies the number of seconds between periodic updates. Default is 30
|
|
seconds. A lower number will mean faster convergence but bigger network
|
|
load. Do not use values lower than 12.
|
|
|
|
<tag>timeout time <M>number</M></tag>
|
|
Specifies how old route has to be to be considered unreachable.
|
|
Default is 4*<cf/period/.
|
|
|
|
<tag>garbage time <M>number</M></tag>
|
|
Specifies how old route has to be to be discarded. Default is
|
|
10*<cf/period/.
|
|
</descrip>
|
|
|
|
<sect1>Attributes
|
|
|
|
<p>RIP defines two route attributes:
|
|
|
|
<descrip>
|
|
<tag>int <cf/rip_metric/</tag>
|
|
RIP metric of the route (ranging from 0 to <cf/infinity/). When routes
|
|
from different RIP instances are available and all of them have the same
|
|
preference, BIRD prefers the route with lowest <cf/rip_metric/. When
|
|
importing a non-RIP route, the metric defaults to 5.
|
|
|
|
<tag>int <cf/rip_tag/</tag>
|
|
RIP route tag: a 16-bit number which can be used to carry additional
|
|
information with the route (for example, an originating AS number in
|
|
case of external routes). When importing a non-RIP route, the tag
|
|
defaults to 0.
|
|
</descrip>
|
|
|
|
<sect1>Example
|
|
|
|
<p><code>
|
|
protocol rip MyRIP_test {
|
|
debug all;
|
|
port 1520;
|
|
period 12;
|
|
garbage time 60;
|
|
interface "eth0" { metric 3; mode multicast; };
|
|
interface "eth*" { metric 2; mode broadcast; };
|
|
honor neighbor;
|
|
authentication none;
|
|
import filter { print "importing"; accept; };
|
|
export filter { print "exporting"; accept; };
|
|
}
|
|
</code>
|
|
|
|
|
|
<sect>Static
|
|
|
|
<p>The Static protocol doesn't communicate with other routers in the network,
|
|
but instead it allows you to define routes manually. This is often used for
|
|
specifying how to forward packets to parts of the network which don't use
|
|
dynamic routing at all and also for defining sink routes (i.e., those telling to
|
|
return packets as undeliverable if they are in your IP block, you don't have any
|
|
specific destination for them and you don't want to send them out through the
|
|
default route to prevent routing loops).
|
|
|
|
<p>There are five types of static routes: `classical' routes telling to forward
|
|
packets to a neighboring router, multipath routes specifying several (possibly
|
|
weighted) neighboring routers, device routes specifying forwarding to hosts on a
|
|
directly connected network, recursive routes computing their nexthops by doing
|
|
route table lookups for a given IP and special routes (sink, blackhole etc.)
|
|
which specify a special action to be done instead of forwarding the packet.
|
|
|
|
<p>When the particular destination is not available (the interface is down or
|
|
the next hop of the route is not a neighbor at the moment), Static just
|
|
uninstalls the route from the table it is connected to and adds it again as soon
|
|
as the destination becomes adjacent again.
|
|
|
|
<p>The Static protocol does not have many configuration options. The definition
|
|
of the protocol contains mainly a list of static routes:
|
|
|
|
<descrip>
|
|
<tag>route <m/prefix/ via <m/ip/</tag>
|
|
Static route through a neighboring router.
|
|
|
|
<tag>route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [via ...]</tag>
|
|
Static multipath route. Contains several nexthops (gateways), possibly
|
|
with their weights.
|
|
|
|
<tag>route <m/prefix/ via <m/"interface"/</tag>
|
|
Static device route through an interface to hosts on a directly
|
|
connected network.
|
|
|
|
<tag>route <m/prefix/ recursive <m/ip/</tag>
|
|
Static recursive route, its nexthop depends on a route table lookup for
|
|
given IP address.
|
|
|
|
<tag>route <m/prefix/ blackhole|unreachable|prohibit</tag>
|
|
Special routes specifying to silently drop the packet, return it as
|
|
unreachable or return it as administratively prohibited. First two
|
|
targets are also known as <cf/drop/ and <cf/reject/.
|
|
|
|
<tag>check link <m/switch/</tag>
|
|
If set, hardware link states of network interfaces are taken into
|
|
consideration. When link disappears (e.g. ethernet cable is unplugged),
|
|
static routes directing to that interface are removed. It is possible
|
|
that some hardware drivers or platforms do not implement this feature.
|
|
Default: off.
|
|
|
|
<tag>igp table <m/name/</tag>
|
|
Specifies a table that is used for route table lookups of recursive
|
|
routes. Default: the same table as the protocol is connected to.
|
|
</descrip>
|
|
|
|
<p>Static routes have no specific attributes.
|
|
|
|
<p>Example static config might look like this:
|
|
|
|
<p><code>
|
|
protocol static {
|
|
table testable; # Connect to a non-default routing table
|
|
route 0.0.0.0/0 via 198.51.100.130; # Default route
|
|
route 10.0.0.0/8 multipath # Multipath route
|
|
via 198.51.100.10 weight 2
|
|
via 198.51.100.20
|
|
via 192.0.2.1;
|
|
route 203.0.113.0/24 unreachable; # Sink route
|
|
route 10.2.0.0/24 via "arc0"; # Secondary network
|
|
}
|
|
</code>
|
|
|
|
|
|
<chapt>Conclusions
|
|
|
|
<sect>Future work
|
|
|
|
<p>Although BIRD supports all the commonly used routing protocols, there are
|
|
still some features which would surely deserve to be implemented in future
|
|
versions of BIRD:
|
|
|
|
<itemize>
|
|
<item>Opaque LSA's
|
|
<item>Route aggregation and flap dampening
|
|
<item>Multipath routes
|
|
<item>Multicast routing protocols
|
|
<item>Ports to other systems
|
|
</itemize>
|
|
|
|
|
|
<sect>Getting more help
|
|
|
|
<p>If you use BIRD, you're welcome to join the bird-users mailing list
|
|
(<HTMLURL URL="mailto:bird-users@bird.network.cz" name="bird-users@bird.network.cz">)
|
|
where you can share your experiences with the other users and consult
|
|
your problems with the authors. To subscribe to the list, just send a
|
|
<tt/subscribe bird-users/ command in a body of a mail to
|
|
(<HTMLURL URL="mailto:majordomo@bird.network.cz" name="majordomo@bird.network.cz">).
|
|
The home page of BIRD can be found at <HTMLURL URL="http://bird.network.cz/" name="http://bird.network.cz/">.
|
|
|
|
<p>BIRD is a relatively young system and it probably contains some bugs. You can
|
|
report any problems to the bird-users list and the authors will be glad to solve
|
|
them, but before you do so, please make sure you have read the available
|
|
documentation and that you are running the latest version (available at
|
|
<HTMLURL URL="ftp://bird.network.cz/pub/bird" name="bird.network.cz:/pub/bird">).
|
|
(Of course, a patch which fixes the bug is always welcome as an attachment.)
|
|
|
|
<p>If you want to understand what is going inside, Internet standards are a good
|
|
and interesting reading. You can get them from
|
|
<HTMLURL URL="ftp://ftp.rfc-editor.org/" name="ftp.rfc-editor.org"> (or a
|
|
nicely sorted version from <HTMLURL URL="ftp://atrey.karlin.mff.cuni.cz/pub/rfc"
|
|
name="atrey.karlin.mff.cuni.cz:/pub/rfc">).
|
|
|
|
<p><it/Good luck!/
|
|
|
|
</book>
|
|
|
|
<!--
|
|
LocalWords: GPL IPv GateD BGPv RIPv OSPFv Linux sgml html dvi sgmltools Pavel
|
|
LocalWords: linuxdoc dtd descrip config conf syslog stderr auth ospf bgp Mbps
|
|
LocalWords: router's eval expr num birdc ctl UNIX if's enums bool int ip GCC
|
|
LocalWords: len ipaddress pxlen netmask enum bgppath bgpmask clist gw md eth
|
|
LocalWords: RTS printn quitbird iBGP AS'es eBGP RFC multiprotocol IGP Machek
|
|
LocalWords: EGP misconfigurations keepalive pref aggr aggregator BIRD's RTC
|
|
LocalWords: OS'es AS's multicast nolisten misconfigured UID blackhole MRTD MTU
|
|
LocalWords: uninstalls ethernets IP binutils ANYCAST anycast dest RTD ICMP rfc
|
|
LocalWords: compat multicasts nonbroadcast pointopoint loopback sym stats
|
|
LocalWords: Perl SIGHUP dd mm yy HH MM SS EXT IA UNICAST multihop Discriminator txt
|
|
LocalWords: proto wildcard Ondrej Filip
|
|
-->
|