[Xorp-hackers] Issue in implementing PER PEER BGP POLICY. kindly help asap.

Santhosh Sundararaman santhosh at ku.edu
Fri Nov 24 00:14:24 PST 2006


Hi,
I have been trying to implement Per Peer Policy for BGP in xorp by 
modifying the template file and doing changes in the background (Policy, 
BGP) as Atanu had suggested in the bugzilla thread. I was able to get 
the mechanism to work for IMPORT policies in BGP. But I'm having problems 
with export policies (for now I'm trying to apply simple export policies 
without any redistribution). After poking around a bit I figured out 
where the problem was, but am not able to understand why the BGP export 
policy tables are behaving the way they are.

Here is what I did. In the bgp.hh file I found that the filters were 
maintained in the object _policy_filters (of type VersionFilters). And 
this object is being used as the filter for all the PolicyTableFilterOut 
(export) tables in the plumbing. After trying several things, I created 
another object _peer_filters (of type VersionFilters) and now I used 
this object as the filter for the PolicyTableFilterOut tables of all the 
pipelines in the plumbing EXCEPT for the RIB's pipeline. The RIB's 
pipeline still uses _policy_filters in its PolicyTableFilterOut.

Now irrespective of the filter configuration (in config.boot) the 
filters seem to be working only when they are applied in the 
PolicyTableFilterOut of the RIB's pipeline, and policies configured on 
the PolicyTableFilterOut of all other pipelines do not have any effect 
at all.

Here is an example I tried.

    network4-list "PrefixesFrom105" {
        elements: "192.168.41.0/24,192.168.42.0/24,192.168.43.0/24"
    }
    policy-statement "BlockRoutesFrom105" {
        term "RoutesFrom105Blocked" {
            to {
                    neighbor: 172.16.10.3
                    network4-list: "PrefixesFrom105"
            }
            then {
                    trace: 1
                    reject
            }
        }
    }

Here are my test cases and results

Case 1:
When this configuration is used to configure _peer_filters (I changed 
the BGPMain::configure_filter method to configure _peer_filters instead 
of _policy_filters and I left _policy_filters unconfigured thereby using 
an empty filter on RIB's export filter table), the filter had no effect 
despite the fact that 172.16.10.3 is the router id of one of the 
established peers.

Case 2:
Now I swapped configurations. I applied the above configuration for 
_policy_filters (effectively applying them to the RIB's export pipeline 
alone) and left _peer_filters empty (the export filter tables in all 
other pipelines except RIB will have no configuration and should let all 
routes through). This is where I noticed unexpected results. I expected 
this filter to have no effect on routes going to 172.16.10.3, as even 
though the filter config blocks routes to 172.16.10.3 it is applied only 
in the export pipeline of RIB and not on others, the other export 
pipelines had empty filters.
But now the routes in the list were blocked from going to 
172.16.10.3 but other peer and local RIB received the routes, despite 
the fact that the filter config was applied only to the RIB's export 
pipeline.

Case 3:
Finally I removed the neighbor parameter from the config, letting it 
take default value. Now, when the config was applied to RIB's pipeline 
alone and not to others, the routes were blocked from all the peers and 
from the local RIB. When I swapped the config (with no neighbor set) by 
applying it to all the export pipelines except RIB's and leaving RIB's 
export policy config empty, the config had no effect and the routes were 
getting passed to all the peers and the RIB.

From this it appears to me that RIB pipeline's PolicyTableFilterOut 
seems to be doing the bulk of export filtering (even for other 
pipelines) and the PolicyTableFilterOut in all other pipelines have no 
effect on export filtering at all. Have I overlooked something, or have 
I completely misunderstood Policy implementation in BGP? Kindly help me 
understand why I'm experiencing this behavior. Is it supposed to work 
this way: is the RIB's PolicyTableFilterOut supposed to filter routes 
for all the peers' pipelines? Kindly help me out!!!

Expecting a response asap.

Thanks,
Santhosh


