]>
Commit | Line | Data |
---|---|---|
04a22949 | 1 | <!doctype birddoc system> |
d37f899b PM |
2 | |
3 | <!-- | |
d150c637 | 4 | BIRD documentation |
d37f899b | 5 | |
dad92c30 OZ |
6 | This documentation can have 4 forms: sgml (this is master copy), html, ASCII |
7 | text and dvi/postscript (generated from sgml using sgmltools). You should always | |
8 | edit master copy. | |
02357f96 | 9 | |
dad92c30 OZ |
10 | This is a slightly modified linuxdoc dtd. Anything in <descrip> tags is |
11 | considered definition of configuration primitives, <cf> is fragment of | |
12 | configuration within normal text, <m> is "meta" information within fragment of | |
13 | configuration - something in config which is not keyword. | |
d37f899b | 14 | |
dad92c30 | 15 | (set-fill-column 80) |
d37f899b PM |
16 | |
17 | Copyright 1999,2000 Pavel Machek <pavel@ucw.cz>, distribute under GPL version 2 or later. | |
18 | ||
19 | --> | |
20 | ||
371adba6 | 21 | <book> |
d37f899b | 22 | |
aa185265 | 23 | <title>BIRD User's Guide |
d37f899b | 24 | <author> |
aa185265 MM |
25 | Ondrej Filip <it/<feela@network.cz>/, |
26 | Pavel Machek <it/<pavel@ucw.cz>/, | |
5516a66d OF |
27 | Martin Mares <it/<mj@ucw.cz>/, |
28 | Ondrej Zajicek <it/<santiago@crfreenet.org>/ | |
aa185265 | 29 | </author> |
d37f899b | 30 | |
d37f899b | 31 | <abstract> |
aa185265 | 32 | This document contains user documentation for the BIRD Internet Routing Daemon project. |
d37f899b PM |
33 | </abstract> |
34 | ||
35 | <!-- Table of contents --> | |
36 | <toc> | |
37 | ||
38 | <!-- Begin the document --> | |
39 | ||
dad92c30 | 40 | |
371adba6 | 41 | <chapt>Introduction |
d37f899b | 42 | |
371adba6 | 43 | <sect>What is BIRD |
d37f899b | 44 | |
897cd7aa | 45 | <p><label id="intro"> |
dad92c30 OZ |
46 | The name `BIRD' is actually an acronym standing for `BIRD Internet Routing |
47 | Daemon'. Let's take a closer look at the meaning of the name: | |
48 | ||
49 | <p><em/BIRD/: Well, we think we have already explained that. It's an acronym | |
50 | standing for `BIRD Internet Routing Daemon', you remember, don't you? :-) | |
51 | ||
52 | <p><em/Internet Routing/: It's a program (well, a daemon, as you are going to | |
53 | discover in a moment) which works as a dynamic router in an Internet type | |
54 | network (that is, in a network running either the IPv4 or the IPv6 protocol). | |
55 | Routers are devices which forward packets between interconnected networks in | |
56 | order to allow hosts not connected directly to the same local area network to | |
57 | communicate with each other. They also communicate with the other routers in the | |
58 | Internet to discover the topology of the network which allows them to find | |
59 | optimal (in terms of some metric) rules for forwarding of packets (which are | |
60 | called routing tables) and to adapt themselves to the changing conditions such | |
61 | as outages of network links, building of new connections and so on. Most of | |
62 | these routers are costly dedicated devices running obscure firmware which is | |
63 | hard to configure and not open to any changes (on the other hand, their special | |
64 | hardware design allows them to keep up with lots of high-speed network | |
65 | interfaces, better than general-purpose computer does). Fortunately, most | |
66 | operating systems of the UNIX family allow an ordinary computer to act as a | |
67 | router and forward packets belonging to the other hosts, but only according to a | |
68 | statically configured table. | |
69 | ||
70 | <p>A <em/Routing Daemon/ is in UNIX terminology a non-interactive program | |
71 | running on background which does the dynamic part of Internet routing, that is | |
72 | it communicates with the other routers, calculates routing tables and sends them | |
73 | to the OS kernel which does the actual packet forwarding. There already exist | |
74 | other such routing daemons: routed (RIP only), GateD (non-free), | |
75 | Zebra <HTMLURL URL="http://www.zebra.org"> and | |
76 | MRTD <HTMLURL URL="http://sourceforge.net/projects/mrt">, | |
77 | but their capabilities are limited and they are relatively hard to configure | |
78 | and maintain. | |
897cd7aa MM |
79 | |
80 | <p>BIRD is an Internet Routing Daemon designed to avoid all of these shortcomings, | |
dad92c30 OZ |
81 | to support all the routing technology used in the today's Internet or planned to |
82 | be used in near future and to have a clean extensible architecture allowing new | |
83 | routing protocols to be incorporated easily. Among other features, BIRD | |
84 | supports: | |
897cd7aa MM |
85 | |
86 | <itemize> | |
87 | <item>both IPv4 and IPv6 protocols | |
88 | <item>multiple routing tables | |
89 | <item>the Border Gateway Protocol (BGPv4) | |
96264d4d | 90 | <item>the Routing Information Protocol (RIPv2) |
0c75411b | 91 | <item>the Open Shortest Path First protocol (OSPFv2, OSPFv3) |
6bcef225 | 92 | <item>the Router Advertisements for IPv6 hosts |
dad92c30 OZ |
93 | <item>a virtual protocol for exchange of routes between different |
94 | routing tables on a single host | |
897cd7aa MM |
95 | <item>a command-line interface allowing on-line control and inspection |
96 | of status of the daemon | |
dad92c30 OZ |
97 | <item>soft reconfiguration (no need to use complex online commands to |
98 | change the configuration, just edit the configuration file and | |
99 | notify BIRD to re-read it and it will smoothly switch itself to | |
100 | the new configuration, not disturbing routing protocols unless | |
101 | they are affected by the configuration changes) | |
02357f96 | 102 | <item>a powerful language for route filtering |
897cd7aa MM |
103 | </itemize> |
104 | ||
dad92c30 OZ |
105 | <p>BIRD has been developed at the Faculty of Math and Physics, Charles |
106 | University, Prague, Czech Republic as a student project. It can be freely | |
107 | distributed under the terms of the GNU General Public License. | |
108 | ||
109 | <p>BIRD has been designed to work on all UNIX-like systems. It has been | |
110 | developed and tested under Linux 2.0 to 2.6, and then ported to FreeBSD, NetBSD | |
111 | and OpenBSD, porting to other systems (even non-UNIX ones) should be relatively | |
112 | easy due to its highly modular architecture. | |
897cd7aa | 113 | |
dad92c30 OZ |
114 | <p>BIRD supports either IPv4 or IPv6 protocol, but have to be compiled separately |
115 | for each one. Therefore, a dualstack router would run two instances of BIRD (one | |
116 | for IPv4 and one for IPv6), with completely separate setups (configuration | |
117 | files, tools ...). | |
5adc02a6 | 118 | |
d37f899b | 119 | |
371adba6 | 120 | <sect>Installing BIRD |
440439e3 | 121 | |
dad92c30 OZ |
122 | <p>On a recent UNIX system with GNU development tools (GCC, binutils, m4, make) |
123 | and Perl, installing BIRD should be as easy as: | |
440439e3 PM |
124 | |
125 | <code> | |
dad92c30 OZ |
126 | ./configure |
127 | make | |
128 | make install | |
129 | vi /usr/local/etc/bird.conf | |
c184d9d0 | 130 | bird |
440439e3 PM |
131 | </code> |
132 | ||
02357f96 | 133 | <p>You can use <tt>./configure --help</tt> to get a list of configure |
dad92c30 OZ |
134 | options. The most important ones are: <tt/--enable-ipv6/ which enables building |
135 | of an IPv6 version of BIRD, <tt/--with-protocols=/ to produce a slightly smaller | |
136 | BIRD executable by configuring out routing protocols you don't use, and | |
137 | <tt/--prefix=/ to install BIRD to a place different from <file>/usr/local</file>. | |
138 | ||
b093c328 | 139 | |
02357f96 | 140 | <sect>Running BIRD |
36032ded | 141 | |
c184d9d0 | 142 | <p>You can pass several command-line options to bird: |
d26524fa | 143 | |
c184d9d0 PM |
144 | <descrip> |
145 | <tag>-c <m/config name/</tag> | |
66701947 | 146 | use given configuration file instead of <it/prefix/<file>/etc/bird.conf</file>. |
c184d9d0 PM |
147 | |
148 | <tag>-d</tag> | |
02357f96 | 149 | enable debug messages and run bird in foreground. |
c184d9d0 | 150 | |
02357f96 | 151 | <tag>-D <m/filename of debug log/</tag> |
a4644ed6 OZ |
152 | log debugging information to given file instead of stderr. |
153 | ||
154 | <tag>-p</tag> | |
dad92c30 OZ |
155 | just parse the config file and exit. Return value is zero if the config |
156 | file is valid, nonzero if there are some errors. | |
c184d9d0 PM |
157 | |
158 | <tag>-s <m/name of communication socket/</tag> | |
dad92c30 OZ |
159 | use given filename for a socket for communications with the client, |
160 | default is <it/prefix/<file>/var/run/bird.ctl</file>. | |
0aeac9cb OZ |
161 | |
162 | <tag>-P <m/name of PID file/</tag> | |
9637c7c0 | 163 | create a PID file with given filename. |
e8b89a61 OZ |
164 | |
165 | <tag>-u <m/user/</tag> | |
166 | drop privileges and use that user ID, see the next section for details. | |
167 | ||
168 | <tag>-g <m/group/</tag> | |
169 | use that group ID, see the next section for details. | |
1cd198cf OF |
170 | |
171 | <tag>-f</tag> | |
172 | run bird in foreground. | |
6eda3f13 OZ |
173 | |
174 | <tag>-R</tag> | |
175 | apply graceful restart recovery after start. | |
c184d9d0 | 176 | </descrip> |
d26524fa | 177 | |
02357f96 PM |
178 | <p>BIRD writes messages about its work to log files or syslog (according to config). |
179 | ||
dad92c30 | 180 | |
e8b89a61 OZ |
181 | <sect>Privileges |
182 | ||
dad92c30 OZ |
183 | <p>BIRD, as a routing daemon, uses several privileged operations (like setting |
184 | routing table and using raw sockets). Traditionally, BIRD is executed and runs | |
185 | with root privileges, which may be prone to security problems. The recommended | |
186 | way is to use a privilege restriction (options <cf/-u/, <cf/-g/). In that case | |
187 | BIRD is executed with root privileges, but it changes its user and group ID to | |
188 | an unprivileged ones, while using Linux capabilities to retain just required | |
189 | privileges (capabilities CAP_NET_*). Note that the control socket is created | |
190 | before the privileges are dropped, but the config file is read after that. The | |
191 | privilege restriction is not implemented in BSD port of BIRD. | |
192 | ||
193 | <p>A nonprivileged user (as an argument to <cf/-u/ options) may be the user | |
194 | <cf/nobody/, but it is suggested to use a new dedicated user account (like | |
195 | <cf/bird/). The similar considerations apply for the group option, but there is | |
196 | one more condition -- the users in the same group can use <file/birdc/ to | |
197 | control BIRD. | |
198 | ||
199 | <p>Finally, there is a possibility to use external tools to run BIRD in an | |
200 | environment with restricted privileges. This may need some configuration, but it | |
201 | is generally easy -- BIRD needs just the standard library, privileges to read | |
202 | the config file and create the control socket and the CAP_NET_* capabilities. | |
e8b89a61 | 203 | |
6eda3f13 | 204 | |
a852c139 PM |
205 | <chapt>About routing tables |
206 | ||
dad92c30 OZ |
207 | <p>BIRD has one or more routing tables which may or may not be synchronized with |
208 | OS kernel and which may or may not be synchronized with each other (see the Pipe | |
209 | protocol). Each routing table contains a list of known routes. Each route | |
210 | consists of: | |
a852c139 PM |
211 | |
212 | <itemize> | |
dad92c30 OZ |
213 | <item>network prefix this route is for (network address and prefix |
214 | length -- the number of bits forming the network part of the | |
215 | address; also known as a netmask) | |
96264d4d PM |
216 | <item>preference of this route |
217 | <item>IP address of router which told us about this route | |
dad92c30 OZ |
218 | <item>IP address of router we should forward the packets to using this |
219 | route | |
a852c139 | 220 | <item>other attributes common to all routes |
dad92c30 OZ |
221 | <item>dynamic attributes defined by protocols which may or may not be |
222 | present (typically protocol metrics) | |
a852c139 PM |
223 | </itemize> |
224 | ||
dad92c30 OZ |
225 | Routing table maintains multiple entries for a network, but at most one entry |
226 | for one network and one protocol. The entry with the highest preference is used | |
227 | for routing (we will call such an entry the <it/selected route/). If there are | |
228 | more entries with the same preference and they are from the same protocol, the | |
229 | protocol decides (typically according to metrics). If they aren't, an internal | |
230 | ordering is used to break the tie. You can get the list of route attributes in | |
231 | the Route attributes section. | |
232 | ||
233 | <p>Each protocol is connected to a routing table through two filters which can | |
234 | accept, reject and modify the routes. An <it/export/ filter checks routes passed | |
235 | from the routing table to the protocol, an <it/import/ filter checks routes in | |
236 | the opposite direction. When the routing table gets a route from a protocol, it | |
237 | recalculates the selected route and broadcasts it to all protocols connected to | |
238 | the table. The protocols typically send the update to other routers in the | |
239 | network. Note that although most protocols are interested in receiving just | |
240 | selected routes, some protocols (e.g. the <cf/Pipe/ protocol) receive and | |
241 | process all entries in routing tables (accepted by filters). | |
242 | ||
243 | <p><label id="dsc-sorted">Usually, a routing table just chooses a selected route | |
244 | from a list of entries for one network. But if the <cf/sorted/ option is | |
245 | activated, these lists of entries are kept completely sorted (according to | |
246 | preference or some protocol-dependent metric). This is needed for some features | |
247 | of some protocols (e.g. <cf/secondary/ option of BGP protocol, which allows to | |
248 | accept not just a selected route, but the first route (in the sorted list) that | |
249 | is accepted by filters), but it is incompatible with some other features (e.g. | |
250 | <cf/deterministic med/ option of BGP protocol, which activates a way of choosing | |
251 | selected route that cannot be described using comparison and ordering). Minor | |
252 | advantage is that routes are shown sorted in <cf/show route/, minor disadvantage | |
253 | is that it is slightly more computationally expensive. | |
254 | ||
48cf5e84 | 255 | |
6eda3f13 OZ |
256 | <sect>Graceful restart |
257 | ||
258 | <p>When BIRD is started after restart or crash, it repopulates routing tables in | |
259 | an uncoordinated manner, like after clean start. This may be impractical in some | |
260 | cases, because if the forwarding plane (i.e. kernel routing tables) remains | |
261 | intact, then its synchronization with BIRD would temporarily disrupt packet | |
262 | forwarding until protocols converge. Graceful restart is a mechanism that could | |
263 | help with this issue. Generally, it works by starting protocols and letting them | |
264 | repopulate routing tables while deferring route propagation until protocols | |
265 | acknowledge their convergence. Note that graceful restart behavior have to be | |
266 | configured for all relevant protocols and requires protocol-specific support | |
267 | (currently implemented for Kernel and BGP protocols), it is activated for | |
268 | particular boot by option <cf/-R/. | |
269 | ||
a852c139 | 270 | |
371adba6 | 271 | <chapt>Configuration |
af0b25d2 | 272 | |
371adba6 | 273 | <sect>Introduction |
d37f899b | 274 | |
dad92c30 OZ |
275 | <p>BIRD is configured using a text configuration file. Upon startup, BIRD reads |
276 | <it/prefix/<file>/etc/bird.conf</file> (unless the <tt/-c/ command line option | |
277 | is given). Configuration may be changed at user's request: if you modify the | |
278 | config file and then signal BIRD with <tt/SIGHUP/, it will adjust to the new | |
279 | config. Then there's the client which allows you to talk with BIRD in an | |
280 | extensive way. | |
281 | ||
282 | <p>In the config, everything on a line after <cf/#/ or inside <cf>/* */</cf> is | |
283 | a comment, whitespace characters are treated as a single space. If there's a | |
284 | variable number of options, they are grouped using the <cf/{ }/ brackets. Each | |
285 | option is terminated by a <cf/;/. Configuration is case sensitive. There are two | |
286 | ways how to name symbols (like protocol names, filter names, constats etc.). You | |
287 | can either use a simple string starting with a letter followed by any | |
288 | combination of letters and numbers (e.g. "R123", "myfilter", "bgp5") or you can | |
289 | enclose the name into apostrophes (<cf/'/) and than you can use any combination | |
290 | of numbers, letters. hyphens, dots and colons (e.g. "'1:strange-name'", | |
291 | "'-NAME-'", "'cool::name'"). | |
292 | ||
293 | <p>Here is an example of a simple config file. It enables synchronization of | |
294 | routing tables with OS kernel, scans for new network interfaces every 10 seconds | |
295 | and runs RIP on all network interfaces found. | |
d37f899b | 296 | |
a0dd1c74 | 297 | <code> |
d37f899b | 298 | protocol kernel { |
d150c637 | 299 | persist; # Don't remove routes on BIRD shutdown |
d37f899b PM |
300 | scan time 20; # Scan kernel routing table every 20 seconds |
301 | export all; # Default is export none | |
302 | } | |
303 | ||
304 | protocol device { | |
305 | scan time 10; # Scan interfaces every 10 seconds | |
306 | } | |
307 | ||
308 | protocol rip { | |
309 | export all; | |
310 | import all; | |
f434d191 | 311 | interface "*"; |
d37f899b | 312 | } |
a0dd1c74 | 313 | </code> |
d37f899b | 314 | |
326e33f5 | 315 | |
371adba6 | 316 | <sect>Global options |
af0b25d2 | 317 | |
a0dd1c74 | 318 | <p><descrip> |
523f020b | 319 | <tag>include "<m/filename/"</tag> |
4a5eb284 | 320 | This statement causes inclusion of a new file. <m/Filename/ could also |
9d5960cf | 321 | be a wildcard. The maximal depth is 8. Note that this statement could be |
4a5eb284 | 322 | used anywhere in the config file, not just as a top-level option. |
48ec367a | 323 | |
523f020b | 324 | <tag><label id="dsc-log">log "<m/filename/"|syslog [name <m/name/]|stderr all|{ <m/list of classes/ }</tag> |
dad92c30 OZ |
325 | Set logging of messages having the given class (either <cf/all/ or |
326 | <cf/{ error, trace }/ etc.) into selected destination (a file specified | |
327 | as a filename string, syslog with optional name argument, or the stderr | |
328 | output). Classes are: | |
1632f1fe | 329 | <cf/info/, <cf/warning/, <cf/error/ and <cf/fatal/ for messages about local problems, |
523f020b OZ |
330 | <cf/debug/ for debugging messages, |
331 | <cf/trace/ when you want to know what happens in the network, | |
332 | <cf/remote/ for messages about misbehavior of remote machines, | |
02357f96 | 333 | <cf/auth/ about authentication failures, |
dad92c30 OZ |
334 | <cf/bug/ for internal BIRD bugs. |
335 | You may specify more than one <cf/log/ line to establish logging to | |
336 | multiple destinations. Default: log everything to the system log. | |
02357f96 | 337 | |
7581b81b | 338 | <tag>debug protocols all|off|{ states, routes, filters, interfaces, events, packets }</tag> |
dad92c30 OZ |
339 | Set global defaults of protocol debugging options. See <cf/debug/ in the |
340 | following section. Default: off. | |
5a203dac PM |
341 | |
342 | <tag>debug commands <m/number/</tag> | |
dad92c30 OZ |
343 | Control logging of client connections (0 for no logging, 1 for logging |
344 | of connects and disconnects, 2 and higher for logging of all client | |
345 | commands). Default: 0. | |
249d238c | 346 | |
8bcb5fb1 OZ |
347 | <tag>debug latency <m/switch/</tag> |
348 | Activate tracking of elapsed time for internal events. Recent events | |
349 | could be examined using <cf/dump events/ command. Default: off. | |
350 | ||
351 | <tag>debug latency limit <m/time/</tag> | |
352 | If <cf/debug latency/ is enabled, this option allows to specify a limit | |
353 | for elapsed time. Events exceeding the limit are logged. Default: 1 s. | |
354 | ||
355 | <tag>watchdog warning <m/time/</tag> | |
356 | Set time limit for I/O loop cycle. If one iteration took more time to | |
357 | complete, a warning is logged. Default: 5 s. | |
358 | ||
359 | <tag>watchdog timeout <m/time/</tag> | |
360 | Set time limit for I/O loop cycle. If the limit is breached, BIRD is | |
361 | killed by abort signal. The timeout has effective granularity of | |
362 | seconds, zero means disabled. Default: disabled (0). | |
363 | ||
cf31112f | 364 | <tag>mrtdump "<m/filename/"</tag> |
dad92c30 OZ |
365 | Set MRTdump file name. This option must be specified to allow MRTdump |
366 | feature. Default: no dump file. | |
cf31112f OZ |
367 | |
368 | <tag>mrtdump protocols all|off|{ states, messages }</tag> | |
dad92c30 OZ |
369 | Set global defaults of MRTdump options. See <cf/mrtdump/ in the |
370 | following section. Default: off. | |
cf31112f | 371 | |
dad92c30 OZ |
372 | <tag>filter <m/name local variables/{ <m/commands/ }</tag> |
373 | Define a filter. You can learn more about filters in the following | |
374 | chapter. | |
326e33f5 | 375 | |
dad92c30 OZ |
376 | <tag>function <m/name/ (<m/parameters/) <m/local variables/ { <m/commands/ }</tag> |
377 | Define a function. You can learn more about functions in the following chapter. | |
523f020b | 378 | |
a7f23f58 | 379 | <tag>protocol rip|ospf|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> |
dad92c30 OZ |
380 | Define a protocol instance called <cf><m/name/</cf> (or with a name like |
381 | "rip5" generated automatically if you don't specify any | |
382 | <cf><m/name/</cf>). You can learn more about configuring protocols in | |
383 | their own chapters. When <cf>from <m/name2/</cf> expression is used, | |
384 | initial protocol options are taken from protocol or template | |
385 | <cf><m/name2/</cf> You can run more than one instance of most protocols | |
386 | (like RIP or BGP). By default, no instances are configured. | |
a7f23f58 OZ |
387 | |
388 | <tag>template rip|bgp|... [<m/name/ [from <m/name2/]] { <m>protocol options</m> }</tag> | |
dad92c30 OZ |
389 | Define a protocol template instance called <m/name/ (or with a name like |
390 | "bgp1" generated automatically if you don't specify any <m/name/). | |
391 | Protocol templates can be used to group common options when many | |
392 | similarly configured protocol instances are to be defined. Protocol | |
393 | instances (and other templates) can use templates by using <cf/from/ | |
394 | expression and the name of the template. At the moment templates (and | |
395 | <cf/from/ expression) are not implemented for OSPF protocol. | |
249d238c | 396 | |
f4830d8c | 397 | <tag>define <m/constant/ = <m/expression/</tag> |
dad92c30 OZ |
398 | Define a constant. You can use it later in every place you could use a |
399 | value of the same type. Besides, there are some predefined numeric | |
400 | constants based on /etc/iproute2/rt_* files. A list of defined constants | |
401 | can be seen (together with other symbols) using 'show symbols' command. | |
249d238c | 402 | |
79b4e12e | 403 | <tag>router id <m/IPv4 address/</tag> |
dad92c30 OZ |
404 | Set BIRD's router ID. It's a world-wide unique identification of your |
405 | router, usually one of router's IPv4 addresses. Default: in IPv4 | |
406 | version, the lowest IP address of a non-loopback interface. In IPv6 | |
407 | version, this option is mandatory. | |
79b4e12e OZ |
408 | |
409 | <tag>router id from [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...]</tag> | |
dad92c30 OZ |
410 | Set BIRD's router ID based on an IP address of an interface specified by |
411 | an interface pattern. The option is applicable for IPv4 version only. | |
412 | See <ref id="dsc-iface" name="interface"> section for detailed | |
d7c06285 | 413 | description of interface patterns with extended clauses. |
249d238c | 414 | |
fcf5a4f4 | 415 | <tag>listen bgp [address <m/address/] [port <m/port/] [dual]</tag> |
dad92c30 OZ |
416 | This option allows to specify address and port where BGP protocol should |
417 | listen. It is global option as listening socket is common to all BGP | |
418 | instances. Default is to listen on all addresses (0.0.0.0) and port 179. | |
419 | In IPv6 mode, option <cf/dual/ can be used to specify that BGP socket | |
420 | should accept both IPv4 and IPv6 connections (but even in that case, | |
421 | BIRD would accept IPv6 routes only). Such behavior was default in older | |
422 | versions of BIRD. | |
27579857 | 423 | |
6eda3f13 OZ |
424 | <tag>graceful restart wait <m/number/</tag> |
425 | During graceful restart recovery, BIRD waits for convergence of routing | |
426 | protocols. This option allows to specify a timeout for the recovery to | |
427 | prevent waiting indefinitely if some protocols cannot converge. Default: | |
428 | 240 seconds. | |
429 | ||
9be9a264 | 430 | <tag>timeformat route|protocol|base|log "<m/format1/" [<m/limit/ "<m/format2/"]</tag> |
dad92c30 OZ |
431 | This option allows to specify a format of date/time used by BIRD. The |
432 | first argument specifies for which purpose such format is used. | |
433 | <cf/route/ is a format used in 'show route' command output, | |
434 | <cf/protocol/ is used in 'show protocols' command output, <cf/base/ is | |
435 | used for other commands and <cf/log/ is used in a log file. | |
436 | ||
437 | "<m/format1/" is a format string using <it/strftime(3)/ notation (see | |
438 | <it/man strftime/ for details). <m/limit> and "<m/format2/" allow to | |
439 | specify the second format string for times in past deeper than <m/limit/ | |
440 | seconds. There are few shorthands: <cf/iso long/ is a ISO 8601 date/time | |
441 | format (YYYY-MM-DD hh:mm:ss) that can be also specified using <cf/"%F %T"/. | |
442 | <cf/iso short/ is a variant of ISO 8601 that uses just the time format | |
443 | (hh:mm:ss) for near times (up to 20 hours in the past) and the date | |
444 | format (YYYY-MM-DD) for far times. This is a shorthand for | |
445 | <cf/"%T" 72000 "%F"/. | |
c37e7851 | 446 | |
90eb5e7a OZ |
447 | By default, BIRD uses the <cf/iso short/ format for <cf/route/ and |
448 | <cf/protocol/ times, and the <cf/iso long/ format for <cf/base/ and | |
449 | <cf/log/ times. | |
450 | ||
dad92c30 OZ |
451 | In pre-1.4.0 versions, BIRD used an short, ad-hoc format for <cf/route/ |
452 | and <cf/protocol/ times, and a <cf/iso long/ similar format (DD-MM-YYYY | |
453 | hh:mm:ss) for <cf/base/ and <cf/log/. These timeformats could be set by | |
454 | <cf/old short/ and <cf/old long/ compatibility shorthands. | |
c37e7851 | 455 | |
48cf5e84 | 456 | <tag>table <m/name/ [sorted]</tag> |
dad92c30 OZ |
457 | Create a new routing table. The default routing table is created |
458 | implicitly, other routing tables have to be added by this command. | |
459 | Option <cf/sorted/ can be used to enable sorting of routes, see | |
460 | <ref id="dsc-sorted" name="sorted table"> description for details. | |
af0b25d2 | 461 | |
48cf5e84 | 462 | <tag>roa table <m/name/ [ { roa table options ... } ]</tag> |
dad92c30 OZ |
463 | Create a new ROA (Route Origin Authorization) table. ROA tables can be |
464 | used to validate route origination of BGP routes. A ROA table contains | |
465 | ROA entries, each consist of a network prefix, a max prefix length and | |
466 | an AS number. A ROA entry specifies prefixes which could be originated | |
467 | by that AS number. ROA tables could be filled with data from RPKI (RFC | |
468 | 6480) or from public databases like Whois. ROA tables are examined by | |
469 | <cf/roa_check()/ operator in filters. | |
470 | ||
471 | Currently, there is just one option, <cf>roa <m/prefix/ max <m/num/ as | |
472 | <m/num/</cf>, which can be used to populate the ROA table with static | |
473 | ROA entries. The option may be used multiple times. Other entries can be | |
474 | added dynamically by <cf/add roa/ command. | |
af582c48 | 475 | |
f8e8fcfa OZ |
476 | <tag>eval <m/expr/</tag> |
477 | Evaluates given filter expression. It is used by us for testing of filters. | |
249d238c PM |
478 | </descrip> |
479 | ||
dad92c30 | 480 | |
371adba6 | 481 | <sect>Protocol options |
bfd71178 | 482 | |
dad92c30 OZ |
483 | <p>For each protocol instance, you can configure a bunch of options. Some of |
484 | them (those described in this section) are generic, some are specific to the | |
485 | protocol (see sections talking about the protocols). | |
7581b81b | 486 | |
dad92c30 OZ |
487 | <p>Several options use a <m/switch/ argument. It can be either <cf/on/, |
488 | <cf/yes/ or a numeric expression with a non-zero value for the option to be | |
489 | enabled or <cf/off/, <cf/no/ or a numeric expression evaluating to zero to | |
490 | disable it. An empty <m/switch/ is equivalent to <cf/on/ ("silence means | |
491 | agreement"). | |
7581b81b | 492 | |
5a203dac | 493 | <descrip> |
dad92c30 OZ |
494 | <tag>preference <m/expr/</tag> |
495 | Sets the preference of routes generated by this protocol. Default: | |
496 | protocol dependent. | |
5a203dac | 497 | |
dad92c30 OZ |
498 | <tag>disabled <m/switch/</tag> |
499 | Disables the protocol. You can change the disable/enable status from the | |
500 | command line interface without needing to touch the configuration. | |
501 | Disabled protocols are not activated. Default: protocol is enabled. | |
5a203dac PM |
502 | |
503 | <tag>debug all|off|{ states, routes, filters, interfaces, events, packets }</tag> | |
504 | Set protocol debugging options. If asked, each protocol is capable of | |
505 | writing trace messages about its work to the log (with category | |
506 | <cf/trace/). You can either request printing of <cf/all/ trace messages | |
507 | or only of the types selected: <cf/states/ for protocol state changes | |
dad92c30 OZ |
508 | (protocol going up, down, starting, stopping etc.), <cf/routes/ for |
509 | routes exchanged with the routing table, <cf/filters/ for details on | |
510 | route filtering, <cf/interfaces/ for interface change events sent to the | |
511 | protocol, <cf/events/ for events internal to the protocol and <cf/packets/ | |
512 | for packets sent and received by the protocol. Default: off. | |
5a203dac | 513 | |
cf31112f | 514 | <tag>mrtdump all|off|{ states, messages }</tag> |
dad92c30 OZ |
515 | Set protocol MRTdump flags. MRTdump is a standard binary format for |
516 | logging information from routing protocols and daemons. These flags | |
517 | control what kind of information is logged from the protocol to the | |
518 | MRTdump file (which must be specified by global <cf/mrtdump/ option, see | |
519 | the previous section). Although these flags are similar to flags of | |
520 | <cf/debug/ option, their meaning is different and protocol-specific. For | |
521 | BGP protocol, <cf/states/ logs BGP state changes and <cf/messages/ logs | |
522 | received BGP messages. Other protocols does not support MRTdump yet. | |
cf31112f | 523 | |
cff430f3 | 524 | <tag>router id <m/IPv4 address/</tag> |
dad92c30 OZ |
525 | This option can be used to override global router id for a given |
526 | protocol. Default: uses global router id. | |
4cdd0784 | 527 | |
523f020b | 528 | <tag>import all | none | filter <m/name/ | filter { <m/filter commands/ } | where <m/filter expression/</tag> |
dad92c30 OZ |
529 | Specify a filter to be used for filtering routes coming from the |
530 | protocol to the routing table. <cf/all/ is shorthand for <cf/where true/ | |
531 | and <cf/none/ is shorthand for <cf/where false/. Default: <cf/all/. | |
bfd71178 | 532 | |
bf422073 | 533 | <tag>export <m/filter/</tag> |
dad92c30 OZ |
534 | This is similar to the <cf>import</cf> keyword, except that it works in |
535 | the direction from the routing table to the protocol. Default: <cf/none/. | |
af0b25d2 | 536 | |
6ac4f87a | 537 | <tag>import keep filtered <m/switch/</tag> |
dad92c30 OZ |
538 | Usually, if an import filter rejects a route, the route is forgotten. |
539 | When this option is active, these routes are kept in the routing table, | |
540 | but they are hidden and not propagated to other protocols. But it is | |
541 | possible to show them using <cf/show route filtered/. Note that this | |
542 | option does not work for the pipe protocol. Default: off. | |
cf98be7b | 543 | |
b0a8c7fc | 544 | <tag><label id="import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> |
dad92c30 OZ |
545 | Specify an import route limit (a maximum number of routes imported from |
546 | the protocol) and optionally the action to be taken when the limit is | |
547 | hit. Warn action just prints warning log message. Block action discards | |
548 | new routes coming from the protocol. Restart and disable actions shut | |
549 | the protocol down like appropriate commands. Disable is the default | |
550 | action if an action is not explicitly specified. Note that limits are | |
551 | reset during protocol reconfigure, reload or restart. Default: <cf/off/. | |
b662290f | 552 | |
0bc3542a | 553 | <tag>receive limit [<m/number/ | off ] [action warn | block | restart | disable]</tag> |
dad92c30 OZ |
554 | Specify an receive route limit (a maximum number of routes received from |
555 | the protocol and remembered). It works almost identically to <cf>import | |
556 | limit</cf> option, the only difference is that if <cf/import keep | |
557 | filtered/ option is active, filtered routes are counted towards the | |
558 | limit and blocked routes are forgotten, as the main purpose of the | |
559 | receive limit is to protect routing tables from overflow. Import limit, | |
560 | on the contrary, counts accepted routes only and routes blocked by the | |
561 | limit are handled like filtered routes. Default: <cf/off/. | |
d9b77cc2 | 562 | |
0bc3542a | 563 | <tag>export limit [ <m/number/ | off ] [action warn | block | restart | disable]</tag> |
dad92c30 OZ |
564 | Specify an export route limit, works similarly to the <cf>import |
565 | limit</cf> option, but for the routes exported to the protocol. This | |
566 | option is experimental, there are some problems in details of its | |
567 | behavior -- the number of exported routes can temporarily exceed the | |
568 | limit without triggering it during protocol reload, exported routes | |
569 | counter ignores route blocking and block action also blocks route | |
570 | updates of already accepted routes -- and these details will probably | |
571 | change in the future. Default: <cf/off/. | |
ebecb6f6 | 572 | |
fd6cbe90 | 573 | <tag>description "<m/text/"</tag> |
dad92c30 OZ |
574 | This is an optional description of the protocol. It is displayed as a |
575 | part of the output of 'show route all' command. | |
62aa96ca | 576 | |
fd6cbe90 OZ |
577 | <tag>table <m/name/</tag> |
578 | Connect this protocol to a non-default routing table. | |
7581b81b PM |
579 | </descrip> |
580 | ||
a7c9f7c0 | 581 | <p>There are several options that give sense only with certain protocols: |
7581b81b PM |
582 | |
583 | <descrip> | |
f434d191 | 584 | <tag><label id="dsc-iface">interface [-] [ "<m/mask/" ] [ <m/prefix/ ] [, ...] [ { <m/option/ ; [...] } ]</tag> |
f434d191 OZ |
585 | Specifies a set of interfaces on which the protocol is activated with |
586 | given interface-specific options. A set of interfaces specified by one | |
dad92c30 OZ |
587 | interface option is described using an interface pattern. The interface |
588 | pattern consists of a sequence of clauses (separated by commas), each | |
d7c06285 OZ |
589 | clause is a mask specified as a shell-like pattern. Interfaces are |
590 | matched by their name. | |
dad92c30 OZ |
591 | |
592 | An interface matches the pattern if it matches any of its clauses. If | |
593 | the clause begins with <cf/-/, matching interfaces are excluded. Patterns | |
d7c06285 | 594 | are processed left-to-right, thus <cf/interface "eth0", -"eth*", "*";/ |
dad92c30 OZ |
595 | means eth0 and all non-ethernets. |
596 | ||
d7c06285 OZ |
597 | Some protocols (namely OSPFv2 and Direct) support extended clauses that |
598 | may contain a mask, a prefix, or both of them. An interface matches such | |
599 | clause if its name matches the mask (if specified) and its address | |
600 | matches the prefix (if specified). Extended clauses are used when the | |
601 | protocol handles multiple addresses on an interface independently. | |
602 | ||
dad92c30 OZ |
603 | An interface option can be used more times with different interface-specific |
604 | options, in that case for given interface the first matching interface | |
605 | option is used. | |
523f020b | 606 | |
d7c06285 OZ |
607 | This option is allowed in BFD, Direct, OSPF, RAdv and RIP protocols, but |
608 | in OSPF protocol it is used in the <cf/area/ subsection. | |
f434d191 OZ |
609 | |
610 | Default: none. | |
611 | ||
612 | Examples: | |
613 | ||
dad92c30 OZ |
614 | <cf>interface "*" { type broadcast; };</cf> - start the protocol on all |
615 | interfaces with <cf>type broadcast</cf> option. | |
f434d191 | 616 | |
dad92c30 OZ |
617 | <cf>interface "eth1", "eth4", "eth5" { type ptp; };</cf> - start the |
618 | protocol on enumerated interfaces with <cf>type ptp</cf> option. | |
523f020b | 619 | |
dad92c30 OZ |
620 | <cf>interface -192.168.1.0/24, 192.168.0.0/16;</cf> - start the protocol |
621 | on all interfaces that have address from 192.168.0.0/16, but not from | |
622 | 192.168.1.0/24. | |
f434d191 | 623 | |
dad92c30 OZ |
624 | <cf>interface -192.168.1.0/24, 192.168.0.0/16;</cf> - start the protocol |
625 | on all interfaces that have address from 192.168.0.0/16, but not from | |
626 | 192.168.1.0/24. | |
f434d191 OZ |
627 | |
628 | <cf>interface "eth*" 192.168.1.0/24;</cf> - start the protocol on all | |
629 | ethernet interfaces that have address from 192.168.1.0/24. | |
630 | ||
ef4a50be | 631 | <tag><label id="dsc-prio">tx class|dscp <m/num/</tag> |
dad92c30 OZ |
632 | This option specifies the value of ToS/DS/Class field in IP headers of |
633 | the outgoing protocol packets. This may affect how the protocol packets | |
634 | are processed by the network relative to the other network traffic. With | |
635 | <cf/class/ keyword, the value (0-255) is used for the whole ToS/Class | |
636 | octet (but two bits reserved for ECN are ignored). With <cf/dscp/ | |
637 | keyword, the value (0-63) is used just for the DS field in the octet. | |
638 | Default value is 0xc0 (DSCP 0x30 - CS6). | |
ef4a50be OZ |
639 | |
640 | <tag>tx priority <m/num/</tag> | |
dad92c30 OZ |
641 | This option specifies the local packet priority. This may affect how the |
642 | protocol packets are processed in the local TX queues. This option is | |
643 | Linux specific. Default value is 7 (highest priority, privileged traffic). | |
ef4a50be | 644 | |
f434d191 | 645 | <tag><label id="dsc-pass">password "<m/password/" [ { id <m/num/; generate from <m/time/; generate to <m/time/; accept from <m/time/; accept to <m/time/; } ]</tag> |
dad92c30 OZ |
646 | Specifies a password that can be used by the protocol. Password option |
647 | can be used more times to specify more passwords. If more passwords are | |
f434d191 | 648 | specified, it is a protocol-dependent decision which one is really |
dad92c30 OZ |
649 | used. Specifying passwords does not mean that authentication is enabled, |
650 | authentication can be enabled by separate, protocol-dependent | |
f434d191 | 651 | <cf/authentication/ option. |
523f020b | 652 | |
f434d191 OZ |
653 | This option is allowed in OSPF and RIP protocols. BGP has also |
654 | <cf/password/ option, but it is slightly different and described | |
655 | separately. | |
656 | ||
657 | Default: none. | |
658 | </descrip> | |
659 | ||
660 | <p>Password option can contain section with some (not necessary all) password sub-options: | |
661 | ||
662 | <descrip> | |
663 | <tag>id <M>num</M></tag> | |
dad92c30 OZ |
664 | ID of the password, (0-255). If it's not used, BIRD will choose ID based |
665 | on an order of the password item in the interface. For example, second | |
666 | password item in one interface will have default ID 2. ID is used by | |
667 | some routing protocols to identify which password was used to | |
668 | authenticate protocol packets. | |
f434d191 OZ |
669 | |
670 | <tag>generate from "<m/time/"</tag> | |
dad92c30 OZ |
671 | The start time of the usage of the password for packet signing. |
672 | The format of <cf><m/time/</cf> is <tt>dd-mm-yyyy HH:MM:SS</tt>. | |
f434d191 OZ |
673 | |
674 | <tag>generate to "<m/time/"</tag> | |
dad92c30 | 675 | The last time of the usage of the password for packet signing. |
f434d191 OZ |
676 | |
677 | <tag>accept from "<m/time/"</tag> | |
dad92c30 | 678 | The start time of the usage of the password for packet verification. |
5a203dac | 679 | |
f434d191 | 680 | <tag>accept to "<m/time/"</tag> |
dad92c30 | 681 | The last time of the usage of the password for packet verification. |
7581b81b | 682 | </descrip> |
d37f899b | 683 | |
5a203dac | 684 | <chapt>Remote control |
36032ded | 685 | |
dad92c30 OZ |
686 | <p>You can use the command-line client <file>birdc</file> to talk with a running |
687 | BIRD. Communication is done using a <file/bird.ctl/ UNIX domain socket (unless | |
688 | changed with the <tt/-s/ option given to both the server and the client). The | |
689 | commands can perform simple actions such as enabling/disabling of protocols, | |
690 | telling BIRD to show various information, telling it to show routing table | |
691 | filtered by filter, or asking BIRD to reconfigure. Press <tt/?/ at any time to | |
692 | get online help. Option <tt/-r/ can be used to enable a restricted mode of BIRD | |
693 | client, which allows just read-only commands (<cf/show .../). Option <tt/-v/ can | |
694 | be passed to the client, to make it dump numeric return codes along with the | |
695 | messages. You do not necessarily need to use <file/birdc/ to talk to BIRD, your | |
696 | own applications could do that, too -- the format of communication between BIRD | |
697 | and <file/birdc/ is stable (see the programmer's documentation). | |
698 | ||
699 | <p>There is also lightweight variant of BIRD client called <file/birdcl/, which | |
700 | does not support command line editing and history and has minimal dependencies. | |
701 | This is useful for running BIRD in resource constrained environments, where | |
702 | Readline library (required for regular BIRD client) is not available. | |
a5e9f3d2 OZ |
703 | |
704 | <p>Many commands have the <m/name/ of the protocol instance as an argument. | |
f434d191 OZ |
705 | This argument can be omitted if there exists only a single instance. |
706 | ||
5a203dac | 707 | <p>Here is a brief list of supported functions: |
64722c98 PM |
708 | |
709 | <descrip> | |
5a203dac | 710 | <tag>show status</tag> |
dad92c30 OZ |
711 | Show router status, that is BIRD version, uptime and time from last |
712 | reconfiguration. | |
5a203dac PM |
713 | |
714 | <tag>show protocols [all]</tag> | |
dad92c30 OZ |
715 | Show list of protocol instances along with tables they are connected to |
716 | and protocol status, possibly giving verbose information, if <cf/all/ is | |
717 | specified. | |
64722c98 | 718 | |
f434d191 OZ |
719 | <tag>show ospf interface [<m/name/] ["<m/interface/"]</tag> |
720 | Show detailed information about OSPF interfaces. | |
721 | ||
722 | <tag>show ospf neighbors [<m/name/] ["<m/interface/"]</tag> | |
723 | Show a list of OSPF neighbors and a state of adjacency to them. | |
724 | ||
0ea8fb4a | 725 | <tag>show ospf state [all] [<m/name/]</tag> |
dad92c30 OZ |
726 | Show detailed information about OSPF areas based on a content of the |
727 | link-state database. It shows network topology, stub networks, | |
728 | aggregated networks and routers from other areas and external routes. | |
729 | The command shows information about reachable network nodes, use option | |
730 | <cf/all/ to show information about all network nodes in the link-state | |
731 | database. | |
0ea8fb4a OZ |
732 | |
733 | <tag>show ospf topology [all] [<m/name/]</tag> | |
dad92c30 OZ |
734 | Show a topology of OSPF areas based on a content of the link-state |
735 | database. It is just a stripped-down version of 'show ospf state'. | |
64722c98 | 736 | |
20ab192b | 737 | <tag>show ospf lsadb [global | area <m/id/ | link] [type <m/num/] [lsid <m/id/] [self | router <m/id/] [<m/name/] </tag> |
dad92c30 OZ |
738 | Show contents of an OSPF LSA database. Options could be used to filter |
739 | entries. | |
20ab192b | 740 | |
5a203dac | 741 | <tag>show static [<m/name/]</tag> |
f434d191 OZ |
742 | Show detailed information about static routes. |
743 | ||
12201fd8 OZ |
744 | <tag>show bfd sessions [<m/name/]</tag> |
745 | Show information about BFD sessions. | |
746 | ||
5a203dac | 747 | <tag>show interfaces [summary]</tag> |
dad92c30 OZ |
748 | Show the list of interfaces. For each interface, print its type, state, |
749 | MTU and addresses assigned. | |
5a203dac | 750 | |
89647357 | 751 | <tag>show symbols [table|filter|function|protocol|template|roa|<m/symbol/]</tag> |
dad92c30 OZ |
752 | Show the list of symbols defined in the configuration (names of |
753 | protocols, routing tables etc.). | |
5a203dac | 754 | |
7aa80901 | 755 | <tag>show route [[for] <m/prefix/|<m/IP/] [table <m/sym/] [filter <m/f/|where <m/c/] [(export|preexport|noexport) <m/p/] [protocol <m/p/] [<m/options/]</tag> |
dad92c30 OZ |
756 | Show contents of a routing table (by default of the main one or the |
757 | table attached to a respective protocol), that is routes, their metrics | |
758 | and (in case the <cf/all/ switch is given) all their attributes. | |
5a203dac PM |
759 | |
760 | <p>You can specify a <m/prefix/ if you want to print routes for a | |
761 | specific network. If you use <cf>for <m/prefix or IP/</cf>, you'll get | |
762 | the entry which will be used for forwarding of packets to the given | |
763 | destination. By default, all routes for each network are printed with | |
764 | the selected one at the top, unless <cf/primary/ is given in which case | |
765 | only the selected route is shown. | |
766 | ||
767 | <p>You can also ask for printing only routes processed and accepted by | |
768 | a given filter (<cf>filter <m/name/</cf> or <cf>filter { <m/filter/ } | |
769 | </cf> or matching a given condition (<cf>where <m/condition/</cf>). | |
7aa80901 OZ |
770 | |
771 | The <cf/export/, <cf/preexport/ and <cf/noexport/ switches ask for | |
772 | printing of routes that are exported to the specified protocol. | |
773 | With <cf/preexport/, the export filter of the protocol is skipped. | |
774 | With <cf/noexport/, routes rejected by the export filter are printed | |
775 | instead. Note that routes not exported to the protocol for other reasons | |
776 | (e.g. secondary routes or routes imported from that protocol) are not | |
777 | printed even with <cf/noexport/. | |
5a203dac | 778 | |
4d176e14 OF |
779 | <p>You can also select just routes added by a specific protocol. |
780 | <cf>protocol <m/p/</cf>. | |
781 | ||
dad92c30 OZ |
782 | <p>If BIRD is configured to keep filtered routes (see <cf/import keep |
783 | filtered/ option), you can show them instead of routes by using | |
784 | <cf/filtered/ switch. | |
cf98be7b | 785 | |
5a203dac PM |
786 | <p>The <cf/stats/ switch requests showing of route statistics (the |
787 | number of networks, number of routes before and after filtering). If | |
788 | you use <cf/count/ instead, only the statistics will be printed. | |
789 | ||
c47d037e | 790 | <tag>show roa [<m/prefix/ | in <m/prefix/ | for <m/prefix/] [as <m/num/] [table <m/t/>]</tag> |
dad92c30 OZ |
791 | Show contents of a ROA table (by default of the first one). You can |
792 | specify a <m/prefix/ to print ROA entries for a specific network. If you | |
793 | use <cf>for <m/prefix/</cf>, you'll get all entries relevant for route | |
794 | validation of the network prefix; i.e., ROA entries whose prefixes cover | |
795 | the network prefix. Or you can use <cf>in <m/prefix/</cf> to get ROA | |
796 | entries covered by the network prefix. You could also use <cf/as/ option | |
af582c48 OZ |
797 | to show just entries for given AS. |
798 | ||
799 | <tag>add roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag> | |
dad92c30 OZ |
800 | Add a new ROA entry to a ROA table. Such entry is called <it/dynamic/ |
801 | compared to <it/static/ entries specified in the config file. These | |
802 | dynamic entries survive reconfiguration. | |
af582c48 OZ |
803 | |
804 | <tag>delete roa <m/prefix/ max <m/num/] as <m/num/ [table <m/t/>]</tag> | |
dad92c30 OZ |
805 | Delete the specified ROA entry from a ROA table. Only dynamic ROA |
806 | entries (i.e., the ones added by <cf/add roa/ command) can be deleted. | |
af582c48 OZ |
807 | |
808 | <tag>flush roa [table <m/t/>]</tag> | |
809 | Remove all dynamic ROA entries from a ROA table. | |
810 | ||
a92cf57d | 811 | <tag>configure [soft] ["<m/config file/"] [timeout [<m/num/]]</tag> |
dad92c30 OZ |
812 | Reload configuration from a given file. BIRD will smoothly switch itself |
813 | to the new configuration, protocols are reconfigured if possible, | |
814 | restarted otherwise. Changes in filters usually lead to restart of | |
815 | affected protocols. | |
816 | ||
817 | If <cf/soft/ option is used, changes in filters does not cause BIRD to | |
818 | restart affected protocols, therefore already accepted routes (according | |
819 | to old filters) would be still propagated, but new routes would be | |
820 | processed according to the new filters. | |
821 | ||
822 | If <cf/timeout/ option is used, config timer is activated. The new | |
823 | configuration could be either confirmed using <cf/configure confirm/ | |
824 | command, or it will be reverted to the old one when the config timer | |
825 | expires. This is useful for cases when reconfiguration breaks current | |
826 | routing and a router becames inaccessible for an administrator. The | |
827 | config timeout expiration is equivalent to <cf/configure undo/ | |
828 | command. The timeout duration could be specified, default is 300 s. | |
a92cf57d OZ |
829 | |
830 | <tag>configure confirm</tag> | |
831 | Deactivate the config undo timer and therefore confirm the current | |
832 | configuration. | |
833 | ||
834 | <tag>configure undo</tag> | |
dad92c30 OZ |
835 | Undo the last configuration change and smoothly switch back to the |
836 | previous (stored) configuration. If the last configuration change was | |
837 | soft, the undo change is also soft. There is only one level of undo, but | |
838 | in some specific cases when several reconfiguration requests are given | |
839 | immediately in a row and the intermediate ones are skipped then the undo | |
840 | also skips them back. | |
a92cf57d OZ |
841 | |
842 | <tag>configure check ["<m/config file/"]</tag> | |
dad92c30 OZ |
843 | Read and parse given config file, but do not use it. useful for checking |
844 | syntactic and some semantic validity of an config file. | |
a92cf57d | 845 | |
bf47fe4b | 846 | <tag>enable|disable|restart <m/name/|"<m/pattern/"|all</tag> |
dad92c30 OZ |
847 | Enable, disable or restart a given protocol instance, instances matching |
848 | the <cf><m/pattern/</cf> or <cf/all/ instances. | |
bf47fe4b | 849 | |
8a7fb885 | 850 | <tag>reload [in|out] <m/name/|"<m/pattern/"|all</tag> |
dad92c30 OZ |
851 | Reload a given protocol instance, that means re-import routes from the |
852 | protocol instance and re-export preferred routes to the instance. If | |
853 | <cf/in/ or <cf/out/ options are used, the command is restricted to one | |
854 | direction (re-import or re-export). | |
855 | ||
856 | This command is useful if appropriate filters have changed but the | |
857 | protocol instance was not restarted (or reloaded), therefore it still | |
858 | propagates the old set of routes. For example when <cf/configure soft/ | |
859 | command was used to change filters. | |
860 | ||
861 | Re-export always succeeds, but re-import is protocol-dependent and might | |
862 | fail (for example, if BGP neighbor does not support route-refresh | |
863 | extension). In that case, re-export is also skipped. Note that for the | |
864 | pipe protocol, both directions are always reloaded together (<cf/in/ or | |
865 | <cf/out/ options are ignored in that case). | |
8a7fb885 | 866 | |
5a203dac PM |
867 | <tag/down/ |
868 | Shut BIRD down. | |
64722c98 | 869 | |
a4601845 | 870 | <tag>debug <m/protocol/|<m/pattern/|all all|off|{ states | routes | filters | events | packets }</tag> |
64722c98 | 871 | Control protocol debugging. |
508d9360 OZ |
872 | |
873 | <tag>dump resources|sockets|interfaces|neighbors|attributes|routes|protocols</tag> | |
874 | Dump contents of internal data structures to the debugging output. | |
875 | ||
876 | <tag>echo all|off|{ <m/list of log classes/ } [ <m/buffer-size/ ]</tag> | |
877 | Control echoing of log messages to the command-line output. | |
878 | See <ref id="dsc-log" name="log option"> for a list of log classes. | |
879 | ||
880 | <tag>eval <m/expr/</tag> | |
881 | Evaluate given expression. | |
64722c98 | 882 | </descrip> |
36032ded | 883 | |
dad92c30 | 884 | |
371adba6 | 885 | <chapt>Filters |
d37f899b | 886 | |
371adba6 | 887 | <sect>Introduction |
d37f899b | 888 | |
dad92c30 OZ |
889 | <p>BIRD contains a simple programming language. (No, it can't yet read mail :-). |
890 | There are two objects in this language: filters and functions. Filters are | |
891 | interpreted by BIRD core when a route is being passed between protocols and | |
892 | routing tables. The filter language contains control structures such as if's and | |
893 | switches, but it allows no loops. An example of a filter using many features can | |
894 | be found in <file>filter/test.conf</file>. | |
d37f899b | 895 | |
dad92c30 OZ |
896 | <p>Filter gets the route, looks at its attributes and modifies some of them if |
897 | it wishes. At the end, it decides whether to pass the changed route through | |
898 | (using <cf/accept/) or whether to <cf/reject/ it. A simple filter looks like | |
899 | this: | |
d37f899b | 900 | |
a0dd1c74 | 901 | <code> |
d37f899b PM |
902 | filter not_too_far |
903 | int var; | |
904 | { | |
905 | if defined( rip_metric ) then | |
906 | var = rip_metric; | |
907 | else { | |
908 | var = 1; | |
909 | rip_metric = 1; | |
910 | } | |
911 | if rip_metric > 10 then | |
912 | reject "RIP metric is too big"; | |
913 | else | |
914 | accept "ok"; | |
915 | } | |
a0dd1c74 | 916 | </code> |
d37f899b | 917 | |
dad92c30 OZ |
918 | <p>As you can see, a filter has a header, a list of local variables, and a body. |
919 | The header consists of the <cf/filter/ keyword followed by a (unique) name of | |
920 | filter. The list of local variables consists of <cf><M>type name</M>;</cf> | |
921 | pairs where each pair defines one local variable. The body consists of <cf> | |
922 | { <M>statements</M> }</cf>. Each <m/statement/ is terminated by a <cf/;/. You | |
923 | can group several statements to a single compound statement by using braces | |
924 | (<cf>{ <M>statements</M> }</cf>) which is useful if you want to make a bigger | |
925 | block of code conditional. | |
1632f1fe | 926 | |
dad92c30 OZ |
927 | <p>BIRD supports functions, so that you don't have to repeat the same blocks of |
928 | code over and over. Functions can have zero or more parameters and they can have | |
929 | local variables. Recursion is not allowed. Function definitions look like this: | |
0e5373fd PM |
930 | |
931 | <code> | |
932 | function name () | |
933 | int local_variable; | |
934 | { | |
935 | local_variable = 5; | |
936 | } | |
937 | ||
938 | function with_parameters (int parameter) | |
939 | { | |
940 | print parameter; | |
941 | } | |
942 | </code> | |
943 | ||
dad92c30 OZ |
944 | <p>Unlike in C, variables are declared after the <cf/function/ line, but before |
945 | the first <cf/{/. You can't declare variables in nested blocks. Functions are | |
946 | called like in C: <cf>name(); with_parameters(5);</cf>. Function may return | |
947 | values using the <cf>return <m/[expr]/</cf> command. Returning a value exits | |
948 | from current function (this is similar to C). | |
0e5373fd | 949 | |
dad92c30 OZ |
950 | <p>Filters are declared in a way similar to functions except they can't have |
951 | explicit parameters. They get a route table entry as an implicit parameter, it | |
952 | is also passed automatically to any functions called. The filter must terminate | |
953 | with either <cf/accept/ or <cf/reject/ statement. If there's a runtime error in | |
954 | filter, the route is rejected. | |
0e5373fd | 955 | |
dad92c30 OZ |
956 | <p>A nice trick to debug filters is to use <cf>show route filter <m/name/</cf> |
957 | from the command line client. An example session might look like: | |
c184d9d0 PM |
958 | |
959 | <code> | |
960 | pavel@bug:~/bird$ ./birdc -s bird.ctl | |
961 | BIRD 0.0.0 ready. | |
c184d9d0 PM |
962 | bird> show route |
963 | 10.0.0.0/8 dev eth0 [direct1 23:21] (240) | |
964 | 195.113.30.2/32 dev tunl1 [direct1 23:21] (240) | |
965 | 127.0.0.0/8 dev lo [direct1 23:21] (240) | |
966 | bird> show route ? | |
1632f1fe | 967 | show route [<prefix>] [table <t>] [filter <f>] [all] [primary]... |
66701947 | 968 | bird> show route filter { if 127.0.0.5 ˜ net then accept; } |
c184d9d0 PM |
969 | 127.0.0.0/8 dev lo [direct1 23:21] (240) |
970 | bird> | |
971 | </code> | |
972 | ||
dad92c30 | 973 | |
371adba6 | 974 | <sect>Data types |
d37f899b | 975 | |
dad92c30 OZ |
976 | <p>Each variable and each value has certain type. Booleans, integers and enums |
977 | are incompatible with each other (that is to prevent you from shooting in the | |
978 | foot). | |
d37f899b PM |
979 | |
980 | <descrip> | |
dad92c30 OZ |
981 | <tag/bool/ |
982 | This is a boolean type, it can have only two values, <cf/true/ and | |
983 | <cf/false/. Boolean is the only type you can use in <cf/if/ statements. | |
984 | ||
985 | <tag/int/ | |
986 | This is a general integer type. It is an unsigned 32bit type; i.e., you | |
987 | can expect it to store values from 0 to 4294967295. Overflows are not | |
988 | checked. You can use <cf/0x1234/ syntax to write hexadecimal values. | |
989 | ||
990 | <tag/pair/ | |
991 | This is a pair of two short integers. Each component can have values | |
992 | from 0 to 65535. Literals of this type are written as <cf/(1234,5678)/. | |
993 | The same syntax can also be used to construct a pair from two arbitrary | |
994 | integer expressions (for example <cf/(1+2,a)/). | |
995 | ||
996 | <tag/quad/ | |
997 | This is a dotted quad of numbers used to represent router IDs (and | |
998 | others). Each component can have a value from 0 to 255. Literals of | |
999 | this type are written like IPv4 addresses. | |
1000 | ||
1001 | <tag/string/ | |
1002 | This is a string of characters. There are no ways to modify strings in | |
1003 | filters. You can pass them between functions, assign them to variables | |
1004 | of type <cf/string/, print such variables, use standard string | |
1005 | comparison operations (e.g. <cf/=, !=, <, >, <=, >=/), but | |
1006 | you can't concatenate two strings. String literals are written as | |
1007 | <cf/"This is a string constant"/. Additionaly matching <cf/˜/ | |
1008 | operator could be used to match a string value against a shell pattern | |
1009 | (represented also as a string). | |
1010 | ||
1011 | <tag/ip/ | |
1012 | This type can hold a single IP address. Depending on the compile-time | |
1013 | configuration of BIRD you are using, it is either an IPv4 or IPv6 | |
1014 | address. IP addresses are written in the standard notation | |
1015 | (<cf/10.20.30.40/ or <cf/fec0:3:4::1/). You can apply special operator | |
1016 | <cf>.mask(<M>num</M>)</cf> on values of type ip. It masks out all but | |
1017 | first <cf><M>num</M></cf> bits from the IP address. So | |
1018 | <cf/1.2.3.4.mask(8) = 1.0.0.0/ is true. | |
1019 | ||
1020 | <tag/prefix/ | |
1021 | This type can hold a network prefix consisting of IP address and prefix | |
1022 | length. Prefix literals are written as <cf><m/ipaddress//<m/pxlen/</cf>, | |
1023 | or <cf><m>ipaddress</m>/<m>netmask</m></cf>. There are two special | |
1024 | operators on prefixes: <cf/.ip/ which extracts the IP address from the | |
1025 | pair, and <cf/.len/, which separates prefix length from the pair. | |
1026 | So <cf>1.2.0.0/16.pxlen = 16</cf> is true. | |
1027 | ||
1028 | <tag/ec/ | |
dad92c30 OZ |
1029 | This is a specialized type used to represent BGP extended community |
1030 | values. It is essentially a 64bit value, literals of this type are | |
1031 | usually written as <cf>(<m/kind/, <m/key/, <m/value/)</cf>, where | |
1032 | <cf/kind/ is a kind of extended community (e.g. <cf/rt/ / <cf/ro/ for a | |
1033 | route target / route origin communities), the format and possible values | |
1034 | of <cf/key/ and <cf/value/ are usually integers, but it depends on the | |
1035 | used kind. Similarly to pairs, ECs can be constructed using expressions | |
1036 | for <cf/key/ and <cf/value/ parts, (e.g. <cf/(ro, myas, 3*10)/, where | |
1037 | <cf/myas/ is an integer variable). | |
dcde7ae5 | 1038 | |
dad92c30 OZ |
1039 | <tag/int|pair|quad|ip|prefix|ec|enum set/ |
1040 | Filters recognize four types of sets. Sets are similar to strings: you | |
1041 | can pass them around but you can't modify them. Literals of type <cf>int | |
1042 | set</cf> look like <cf> [ 1, 2, 5..7 ]</cf>. As you can see, both simple | |
1043 | values and ranges are permitted in sets. | |
1044 | ||
1045 | For pair sets, expressions like <cf/(123,*)/ can be used to denote | |
1046 | ranges (in that case <cf/(123,0)..(123,65535)/). You can also use | |
1047 | <cf/(123,5..100)/ for range <cf/(123,5)..(123,100)/. You can also use | |
1048 | <cf/*/ and <cf/a..b/ expressions in the first part of a pair, note that | |
1049 | such expressions are translated to a set of intervals, which may be | |
1050 | memory intensive. E.g. <cf/(*,4..20)/ is translated to <cf/(0,4..20), | |
1051 | (1,4..20), (2,4..20), ... (65535, 4..20)/. | |
1052 | ||
1053 | EC sets use similar expressions like pair sets, e.g. <cf/(rt, 123, | |
1054 | 10..20)/ or <cf/(ro, 123, *)/. Expressions requiring the translation | |
1055 | (like <cf/(rt, *, 3)/) are not allowed (as they usually have 4B range | |
1056 | for ASNs). | |
1057 | ||
1058 | You can also use expressions for int, pair and EC set values. However it | |
1059 | must be possible to evaluate these expressions before daemon boots. So | |
1060 | you can use only constants inside them. E.g. | |
1061 | ||
946dc15c OF |
1062 | <code> |
1063 | define one=1; | |
8815d846 | 1064 | define myas=64500; |
946dc15c OF |
1065 | int set odds; |
1066 | pair set ps; | |
8815d846 | 1067 | ec set es; |
946dc15c | 1068 | |
8815d846 | 1069 | odds = [ one, 2+1, 6-one, 2*2*2-1, 9, 11 ]; |
b54ad333 | 1070 | ps = [ (1,one+one), (3,4)..(4,8), (5,*), (6,3..6), (7..9,*) ]; |
8815d846 | 1071 | es = [ (rt, myas, 3*10), (rt, myas+one, 0..16*16*16-1), (ro, myas+2, *) ]; |
946dc15c | 1072 | </code> |
b1a597e0 | 1073 | |
dad92c30 OZ |
1074 | Sets of prefixes are special: their literals does not allow ranges, but |
1075 | allows prefix patterns that are written | |
1076 | as <cf><M>ipaddress</M>/<M>pxlen</M>{<M>low</M>,<M>high</M>}</cf>. | |
1077 | Prefix <cf><m>ip1</m>/<m>len1</m></cf> matches prefix | |
1078 | pattern <cf><m>ip2</m>/<m>len2</m>{<m>l</m>,<m>h</m>}</cf> if the | |
1079 | first <cf>min(len1, len2)</cf> bits of <cf/ip1/ and <cf/ip2/ are | |
1080 | identical and <cf>len1 <= ip1 <= len2</cf>. A valid prefix pattern | |
1081 | has to satisfy <cf>low <= high</cf>, but <cf/pxlen/ is not | |
1082 | constrained by <cf/low/ or <cf/high/. Obviously, a prefix matches a | |
1083 | prefix set literal if it matches any prefix pattern in the prefix set | |
1084 | literal. | |
1085 | ||
1086 | There are also two shorthands for prefix patterns: <cf><m/address//<m/len/+</cf> | |
1087 | is a shorthand for <cf><m/address//<m/len/{<m/len/,<m/maxlen/}</cf> | |
1088 | (where <cf><m/maxlen/</cf> is 32 for IPv4 and 128 for IPv6), that means | |
1089 | network prefix <cf><m/address//<m/len/</cf> and all its subnets. | |
1090 | <cf><m/address//<m/len/-</cf> is a shorthand for | |
1091 | <cf><m/address//<m/len/{0,<m/len/}</cf>, that means network prefix | |
1092 | <cf><m/address//<m/len/</cf> and all its supernets (network prefixes | |
1093 | that contain it). | |
1094 | ||
1095 | For example, <cf>[ 1.0.0.0/8, 2.0.0.0/8+, 3.0.0.0/8-, 4.0.0.0/8{16,24} | |
1096 | ]</cf> matches prefix <cf>1.0.0.0/8</cf>, all subprefixes of | |
1097 | <cf>2.0.0.0/8</cf>, all superprefixes of <cf>3.0.0.0/8</cf> and prefixes | |
1098 | <cf/4.X.X.X/ whose prefix length is 16 to 24. <cf>[ 0.0.0.0/0{20,24} ]</cf> | |
1099 | matches all prefixes (regardless of IP address) whose prefix length is | |
1100 | 20 to 24, <cf>[ 1.2.3.4/32- ]</cf> matches any prefix that contains IP | |
1101 | address <cf>1.2.3.4</cf>. <cf>1.2.0.0/16 ˜ [ 1.0.0.0/8{15,17} ]</cf> | |
1102 | is true, but <cf>1.0.0.0/16 ˜ [ 1.0.0.0/8- ]</cf> is false. | |
1103 | ||
1104 | Cisco-style patterns like <cf>10.0.0.0/8 ge 16 le 24</cf> can be expressed | |
523f020b | 1105 | in BIRD as <cf>10.0.0.0/8{16,24}</cf>, <cf>192.168.0.0/16 le 24</cf> as |
dad92c30 OZ |
1106 | <cf>192.168.0.0/16{16,24}</cf> and <cf>192.168.0.0/16 ge 24</cf> as |
1107 | <cf>192.168.0.0/16{24,32}</cf>. | |
d37f899b PM |
1108 | |
1109 | <tag/enum/ | |
dad92c30 OZ |
1110 | Enumeration types are fixed sets of possibilities. You can't define your |
1111 | own variables of such type, but some route attributes are of enumeration | |
1112 | type. Enumeration types are incompatible with each other. | |
0e5373fd PM |
1113 | |
1114 | <tag/bgppath/ | |
dad92c30 OZ |
1115 | BGP path is a list of autonomous system numbers. You can't write |
1116 | literals of this type. There are several special operators on bgppaths: | |
4cdd0784 | 1117 | |
dad92c30 | 1118 | <cf><m/P/.first</cf> returns the first ASN (the neighbor ASN) in path <m/P/. |
4cdd0784 | 1119 | |
dad92c30 | 1120 | <cf><m/P/.last</cf> returns the last ASN (the source ASN) in path <m/P/. |
4cdd0784 | 1121 | |
dad92c30 OZ |
1122 | Both <cf/first/ and <cf/last/ return zero if there is no appropriate |
1123 | ASN, for example if the path contains an AS set element as the first (or | |
1124 | the last) part. | |
4cdd0784 | 1125 | |
dad92c30 | 1126 | <cf><m/P/.len</cf> returns the length of path <m/P/. |
4cdd0784 | 1127 | |
dad92c30 OZ |
1128 | <cf>prepend(<m/P/,<m/A/)</cf> prepends ASN <m/A/ to path <m/P/ and |
1129 | returns the result. | |
bff9ce51 | 1130 | |
dad92c30 OZ |
1131 | <cf>delete(<m/P/,<m/A/)</cf> deletes all instances of ASN <m/A/ from |
1132 | from path <m/P/ and returns the result. <m/A/ may also be an integer | |
1133 | set, in that case the operator deletes all ASNs from path <m/P/ that are | |
1134 | also members of set <m/A/. | |
bff9ce51 | 1135 | |
dad92c30 OZ |
1136 | <cf>filter(<m/P/,<m/A/)</cf> deletes all ASNs from path <m/P/ that are |
1137 | not members of integer set <m/A/. I.e., <cf/filter/ do the same as | |
1138 | <cf/delete/ with inverted set <m/A/. | |
bff9ce51 | 1139 | |
dad92c30 OZ |
1140 | Statement <cf><m/P/ = prepend(<m/P/, <m/A/);</cf> can be shortened to |
1141 | <cf><m/P/.prepend(<m/A/);</cf> if <m/P/ is appropriate route attribute | |
1142 | (for example <cf/bgp_path/). Similarly for <cf/delete/ and <cf/filter/. | |
4a5bb2bf | 1143 | |
5a203dac | 1144 | <tag/bgpmask/ |
dad92c30 OZ |
1145 | BGP masks are patterns used for BGP path matching (using <cf>path |
1146 | ˜ [= 2 3 5 * =]</cf> syntax). The masks resemble wildcard patterns | |
1147 | as used by UNIX shells. Autonomous system numbers match themselves, | |
1148 | <cf/*/ matches any (even empty) sequence of arbitrary AS numbers and | |
523f020b | 1149 | <cf/?/ matches one arbitrary AS number. For example, if <cf>bgp_path</cf> |
dad92c30 OZ |
1150 | is 4 3 2 1, then: <tt>bgp_path ˜ [= * 4 3 * =]</tt> is true, |
1151 | but <tt>bgp_path ˜ [= * 4 5 * =]</tt> is false. BGP mask | |
1152 | expressions can also contain integer expressions enclosed in parenthesis | |
1153 | and integer variables, for example <tt>[= * 4 (1+2) a =]</tt>. There is | |
1154 | also old syntax that uses / .. / instead of [= .. =] and ? instead of *. | |
4cdd0784 | 1155 | |
126683fe | 1156 | <tag/clist/ |
dad92c30 OZ |
1157 | Clist is similar to a set, except that unlike other sets, it can be |
1158 | modified. The type is used for community list (a set of pairs) and for | |
1159 | cluster list (a set of quads). There exist no literals of this type. | |
1160 | There are three special operators on clists: | |
1161 | ||
1162 | <cf><m/C/.len</cf> returns the length of clist <m/C/. | |
1163 | ||
1164 | <cf>add(<m/C/,<m/P/)</cf> adds pair (or quad) <m/P/ to clist <m/C/ and | |
1165 | returns the result. If item <m/P/ is already in clist <m/C/, it does | |
1166 | nothing. <m/P/ may also be a clist, in that case all its members are | |
1167 | added; i.e., it works as clist union. | |
1168 | ||
1169 | <cf>delete(<m/C/,<m/P/)</cf> deletes pair (or quad) <m/P/ from clist | |
1170 | <m/C/ and returns the result. If clist <m/C/ does not contain item | |
1171 | <m/P/, it does nothing. <m/P/ may also be a pair (or quad) set, in that | |
1172 | case the operator deletes all items from clist <m/C/ that are also | |
1173 | members of set <m/P/. Moreover, <m/P/ may also be a clist, which works | |
1174 | analogously; i.e., it works as clist difference. | |
1175 | ||
1176 | <cf>filter(<m/C/,<m/P/)</cf> deletes all items from clist <m/C/ that are | |
1177 | not members of pair (or quad) set <m/P/. I.e., <cf/filter/ do the same | |
1178 | as <cf/delete/ with inverted set <m/P/. <m/P/ may also be a clist, which | |
1179 | works analogously; i.e., it works as clist intersection. | |
1180 | ||
1181 | Statement <cf><m/C/ = add(<m/C/, <m/P/);</cf> can be shortened to | |
1182 | <cf><m/C/.add(<m/P/);</cf> if <m/C/ is appropriate route attribute (for | |
1183 | example <cf/bgp_community/). Similarly for <cf/delete/ and <cf/filter/. | |
8815d846 OZ |
1184 | |
1185 | <tag/eclist/ | |
dad92c30 OZ |
1186 | Eclist is a data type used for BGP extended community lists. Eclists |
1187 | are very similar to clists, but they are sets of ECs instead of pairs. | |
1188 | The same operations (like <cf/add/, <cf/delete/, or <cf/˜/ | |
1189 | membership operator) can be used to modify or test eclists, with ECs | |
1190 | instead of pairs as arguments. | |
d37f899b PM |
1191 | </descrip> |
1192 | ||
dad92c30 | 1193 | |
a7c9f7c0 | 1194 | <sect>Operators |
d37f899b | 1195 | |
dad92c30 OZ |
1196 | <p>The filter language supports common integer operators <cf>(+,-,*,/)</cf>, |
1197 | parentheses <cf/(a*(b+c))/, comparison <cf/(a=b, a!=b, a<b, a>=b)/. | |
1198 | Logical operations include unary not (<cf/!/), and (<cf/&&/) and or | |
1199 | (<cf/||/). Special operators include <cf/˜/ for "is element | |
1200 | of a set" operation - it can be used on element and set of elements of the same | |
1201 | type (returning true if element is contained in the given set), or on two | |
1202 | strings (returning true if first string matches a shell-like pattern stored in | |
1203 | second string) or on IP and prefix (returning true if IP is within the range | |
1204 | defined by that prefix), or on prefix and prefix (returning true if first prefix | |
1205 | is more specific than second one) or on bgppath and bgpmask (returning true if | |
1206 | the path matches the mask) or on number and bgppath (returning true if the | |
1207 | number is in the path) or on bgppath and int (number) set (returning true if any | |
1208 | ASN from the path is in the set) or on pair/quad and clist (returning true if | |
1209 | the pair/quad is element of the clist) or on clist and pair/quad set (returning | |
1210 | true if there is an element of the clist that is also a member of the pair/quad | |
1211 | set). | |
1212 | ||
1213 | <p>There is one operator related to ROA infrastructure - <cf/roa_check()/. It | |
1214 | examines a ROA table and does RFC 6483 route origin validation for a given | |
1215 | network prefix. The basic usage is <cf>roa_check(<m/table/)</cf>, which checks | |
1216 | current route (which should be from BGP to have AS_PATH argument) in the | |
1217 | specified ROA table and returns ROA_UNKNOWN if there is no relevant ROA, | |
1218 | ROA_VALID if there is a matching ROA, or ROA_INVALID if there are some relevant | |
af582c48 | 1219 | ROAs but none of them match. There is also an extended variant |
dad92c30 OZ |
1220 | <cf>roa_check(<m/table/, <m/prefix/, <m/asn/)</cf>, which allows to specify a |
1221 | prefix and an ASN as arguments. | |
af582c48 | 1222 | |
d37f899b | 1223 | |
371adba6 | 1224 | <sect>Control structures |
d37f899b | 1225 | |
523f020b | 1226 | <p>Filters support two control structures: conditions and case switches. |
a7c9f7c0 | 1227 | |
dad92c30 OZ |
1228 | <p>Syntax of a condition is: <cf>if <M>boolean expression</M> then <m/command1/; |
1229 | else <m/command2/;</cf> and you can use <cf>{ <m/command_1/; <m/command_2/; | |
1230 | <M>...</M> }</cf> instead of either command. The <cf>else</cf> clause may be | |
1231 | omitted. If the <cf><m>boolean expression</m></cf> is true, <m/command1/ is | |
1232 | executed, otherwise <m/command2/ is executed. | |
1233 | ||
1234 | <p>The <cf>case</cf> is similar to case from Pascal. Syntax is <cf>case | |
1235 | <m/expr/ { else: | <m/num_or_prefix [ .. num_or_prefix]/: <m/statement/ ; [ | |
1236 | ... ] }</cf>. The expression after <cf>case</cf> can be of any type which can be | |
1237 | on the left side of the ˜ operator and anything that could be a member of | |
1238 | a set is allowed before <cf/:/. Multiple commands are allowed without <cf/{}/ | |
1239 | grouping. If <cf><m/expr/</cf> matches one of the <cf/:/ clauses, statements | |
1240 | between it and next <cf/:/ statement are executed. If <cf><m/expr/</cf> matches | |
1241 | neither of the <cf/:/ clauses, the statements after <cf/else:/ are executed. | |
d37f899b | 1242 | |
a7c9f7c0 | 1243 | <p>Here is example that uses <cf/if/ and <cf/case/ structures: |
af0b25d2 PM |
1244 | |
1245 | <code> | |
1246 | case arg1 { | |
1247 | 2: print "two"; print "I can do more commands without {}"; | |
1248 | 3 .. 5: print "three to five"; | |
1249 | else: print "something else"; | |
a7c9f7c0 | 1250 | } |
af0b25d2 | 1251 | |
523f020b OZ |
1252 | if 1234 = i then printn "."; else { |
1253 | print "not 1234"; | |
1254 | print "You need {} around multiple commands"; | |
8798c811 | 1255 | } |
af0b25d2 PM |
1256 | </code> |
1257 | ||
dad92c30 | 1258 | |
371adba6 | 1259 | <sect>Route attributes |
0e5373fd | 1260 | |
dad92c30 OZ |
1261 | <p>A filter is implicitly passed a route, and it can access its attributes just |
1262 | like it accesses variables. Attempts to access undefined attribute result in a | |
1263 | runtime error; you can check if an attribute is defined by using the | |
1264 | <cf>defined( <m>attribute</m> )</cf> operator. One notable exception to this | |
1265 | rule are attributes of clist type, where undefined value is regarded as empty | |
1266 | clist for most purposes. | |
a7c9f7c0 | 1267 | |
36032ded | 1268 | <descrip> |
cd4fecb6 | 1269 | <tag><m/prefix/ net</tag> |
dad92c30 OZ |
1270 | Network the route is talking about. Read-only. (See the chapter about |
1271 | routing tables.) | |
a7c9f7c0 PM |
1272 | |
1273 | <tag><m/enum/ scope</tag> | |
dad92c30 OZ |
1274 | The scope of the route. Possible values: <cf/SCOPE_HOST/ for routes |
1275 | local to this host, <cf/SCOPE_LINK/ for those specific for a physical | |
1276 | link, <cf/SCOPE_SITE/ and <cf/SCOPE_ORGANIZATION/ for private routes and | |
1277 | <cf/SCOPE_UNIVERSE/ for globally visible routes. This attribute is not | |
1278 | interpreted by BIRD and can be used to mark routes in filters. The | |
1279 | default value for new routes is <cf/SCOPE_UNIVERSE/. | |
0e5373fd | 1280 | |
cd4fecb6 | 1281 | <tag><m/int/ preference</tag> |
dad92c30 OZ |
1282 | Preference of the route. Valid values are 0-65535. (See the chapter |
1283 | about routing tables.) | |
c184d9d0 | 1284 | |
cd4fecb6 | 1285 | <tag><m/ip/ from</tag> |
00192d5a | 1286 | The router which the route has originated from. |
523f020b | 1287 | |
cd4fecb6 | 1288 | <tag><m/ip/ gw</tag> |
a7c9f7c0 | 1289 | Next hop packets routed using this route should be forwarded to. |
0e5373fd | 1290 | |
e29fa06e | 1291 | <tag><m/string/ proto</tag> |
dad92c30 OZ |
1292 | The name of the protocol which the route has been imported from. |
1293 | Read-only. | |
e29fa06e | 1294 | |
cd4fecb6 | 1295 | <tag><m/enum/ source</tag> |
dad92c30 OZ |
1296 | what protocol has told me about this route. Possible values: |
1297 | <cf/RTS_DUMMY/, <cf/RTS_STATIC/, <cf/RTS_INHERIT/, <cf/RTS_DEVICE/, | |
1298 | <cf/RTS_STATIC_DEVICE/, <cf/RTS_REDIRECT/, <cf/RTS_RIP/, <cf/RTS_OSPF/, | |
1299 | <cf/RTS_OSPF_IA/, <cf/RTS_OSPF_EXT1/, <cf/RTS_OSPF_EXT2/, <cf/RTS_BGP/, | |
1300 | <cf/RTS_PIPE/. | |
c184d9d0 | 1301 | |
cd4fecb6 | 1302 | <tag><m/enum/ cast</tag> |
ff2857b0 | 1303 | Route type (Currently <cf/RTC_UNICAST/ for normal routes, |
dad92c30 OZ |
1304 | <cf/RTC_BROADCAST/, <cf/RTC_MULTICAST/, <cf/RTC_ANYCAST/ will be used in |
1305 | the future for broadcast, multicast and anycast routes). Read-only. | |
c184d9d0 | 1306 | |
cd4fecb6 | 1307 | <tag><m/enum/ dest</tag> |
182a7895 OZ |
1308 | Type of destination the packets should be sent to |
1309 | (<cf/RTD_ROUTER/ for forwarding to a neighboring router, | |
1310 | <cf/RTD_DEVICE/ for routing to a directly-connected network, | |
1311 | <cf/RTD_MULTIPATH/ for multipath destinations, | |
1312 | <cf/RTD_BLACKHOLE/ for packets to be silently discarded, | |
dad92c30 OZ |
1313 | <cf/RTD_UNREACHABLE/, <cf/RTD_PROHIBIT/ for packets that should be |
1314 | returned with ICMP host unreachable / ICMP administratively prohibited | |
1315 | messages). Can be changed, but only to <cf/RTD_BLACKHOLE/, | |
1316 | <cf/RTD_UNREACHABLE/ or <cf/RTD_PROHIBIT/. | |
b74f45f8 | 1317 | |
a5fc5958 | 1318 | <tag><m/string/ ifname</tag> |
dad92c30 OZ |
1319 | Name of the outgoing interface. Sink routes (like blackhole, unreachable |
1320 | or prohibit) and multipath routes have no interface associated with | |
1321 | them, so <cf/ifname/ returns an empty string for such routes. Read-only. | |
a5fc5958 OZ |
1322 | |
1323 | <tag><m/int/ ifindex</tag> | |
dad92c30 OZ |
1324 | Index of the outgoing interface. System wide index of the interface. May |
1325 | be used for interface matching, however indexes might change on interface | |
1326 | creation/removal. Zero is returned for routes with undefined outgoing | |
a5fc5958 OZ |
1327 | interfaces. Read-only. |
1328 | ||
b74f45f8 | 1329 | <tag><m/int/ igp_metric</tag> |
dad92c30 OZ |
1330 | The optional attribute that can be used to specify a distance to the |
1331 | network for routes that do not have a native protocol metric attribute | |
1332 | (like <cf/ospf_metric1/ for OSPF routes). It is used mainly by BGP to | |
1333 | compare internal distances to boundary routers (see below). It is also | |
1334 | used when the route is exported to OSPF as a default value for OSPF type | |
1335 | 1 metric. | |
ba1dda49 | 1336 | </descrip> |
0e5373fd | 1337 | |
dad92c30 OZ |
1338 | <p>There also exist some protocol-specific attributes which are described in the |
1339 | corresponding protocol sections. | |
1340 | ||
0e5373fd | 1341 | |
1632f1fe | 1342 | <sect>Other statements |
69477cad | 1343 | |
a7c9f7c0 | 1344 | <p>The following statements are available: |
69477cad PM |
1345 | |
1346 | <descrip> | |
dad92c30 OZ |
1347 | <tag><m/variable/ = <m/expr/</tag> |
1348 | Set variable to a given value. | |
326e33f5 | 1349 | |
dad92c30 OZ |
1350 | <tag>accept|reject [ <m/expr/ ]</tag> |
1351 | Accept or reject the route, possibly printing <cf><m>expr</m></cf>. | |
326e33f5 | 1352 | |
dad92c30 OZ |
1353 | <tag>return <m/expr/</tag> |
1354 | Return <cf><m>expr</m></cf> from the current function, the function ends | |
1355 | at this point. | |
326e33f5 | 1356 | |
a7c9f7c0 | 1357 | <tag>print|printn <m/expr/ [<m/, expr.../]</tag> |
dad92c30 OZ |
1358 | Prints given expressions; useful mainly while debugging filters. The |
1359 | <cf/printn/ variant does not terminate the line. | |
69477cad PM |
1360 | |
1361 | <tag>quitbird</tag> | |
1632f1fe | 1362 | Terminates BIRD. Useful when debugging the filter interpreter. |
69477cad PM |
1363 | </descrip> |
1364 | ||
dad92c30 | 1365 | |
371adba6 | 1366 | <chapt>Protocols |
d37f899b | 1367 | |
1ec52253 OZ |
1368 | <sect><label id="sect-bfd">BFD |
1369 | ||
1370 | <sect1>Introduction | |
1371 | ||
1372 | <p>Bidirectional Forwarding Detection (BFD) is not a routing protocol itself, it | |
1373 | is an independent tool providing liveness and failure detection. Routing | |
1374 | protocols like OSPF and BGP use integrated periodic "hello" messages to monitor | |
1375 | liveness of neighbors, but detection times of these mechanisms are high (e.g. 40 | |
1376 | seconds by default in OSPF, could be set down to several seconds). BFD offers | |
1377 | universal, fast and low-overhead mechanism for failure detection, which could be | |
1378 | attached to any routing protocol in an advisory role. | |
1379 | ||
1380 | <p>BFD consists of mostly independent BFD sessions. Each session monitors an | |
1381 | unicast bidirectional path between two BFD-enabled routers. This is done by | |
1382 | periodically sending control packets in both directions. BFD does not handle | |
1383 | neighbor discovery, BFD sessions are created on demand by request of other | |
1384 | protocols (like OSPF or BGP), which supply appropriate information like IP | |
1385 | addresses and associated interfaces. When a session changes its state, these | |
1386 | protocols are notified and act accordingly (e.g. break an OSPF adjacency when | |
1387 | the BFD session went down). | |
1388 | ||
1389 | <p>BIRD implements basic BFD behavior as defined in | |
1390 | RFC 5880<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5880.txt"> | |
1391 | (some advanced features like the echo mode or authentication are not implemented), | |
1392 | IP transport for BFD as defined in | |
1393 | RFC 5881<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5881.txt"> and | |
1394 | RFC 5883<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5883.txt"> | |
1395 | and interaction with client protocols as defined in | |
1396 | RFC 5882<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5882.txt">. | |
1397 | ||
1398 | <p>Note that BFD implementation in BIRD is currently a new feature in | |
1399 | development, expect some rough edges and possible UI and configuration changes | |
1400 | in the future. Also note that we currently support at most one protocol instance. | |
1401 | ||
d96ec7f6 OZ |
1402 | <p>BFD packets are sent with a dynamic source port number. Linux systems use by |
1403 | default a bit different dynamic port range than the IANA approved one | |
1404 | (49152-65535). If you experience problems with compatibility, please adjust | |
1405 | <cf>/proc/sys/net/ipv4/ip_local_port_range</cf> | |
1406 | ||
1ec52253 OZ |
1407 | <sect1>Configuration |
1408 | ||
1409 | <p>BFD configuration consists mainly of multiple definitions of interfaces. | |
1410 | Most BFD config options are session specific. When a new session is requested | |
1411 | and dynamically created, it is configured from one of these definitions. For | |
1412 | sessions to directly connected neighbors, <cf/interface/ definitions are chosen | |
1413 | based on the interface associated with the session, while <cf/multihop/ | |
1414 | definition is used for multihop sessions. If no definition is relevant, the | |
1415 | session is just created with the default configuration. Therefore, an empty BFD | |
1416 | configuration is often sufficient. | |
1417 | ||
1418 | <p>Note that to use BFD for other protocols like OSPF or BGP, these protocols | |
1419 | also have to be configured to request BFD sessions, usually by <cf/bfd/ option. | |
1420 | ||
1421 | <p>Some of BFD session options require <m/time/ value, which has to be specified | |
1422 | with the appropriate unit: <m/num/ <cf/s/|<cf/ms/|<cf/us/. Although microseconds | |
1423 | are allowed as units, practical minimum values are usually in order of tens of | |
1424 | milliseconds. | |
1425 | ||
1426 | <code> | |
1427 | protocol bfd [<name>] { | |
1428 | interface <interface pattern> { | |
1429 | interval <time>; | |
1430 | min rx interval <time>; | |
1431 | min tx interval <time>; | |
1432 | idle tx interval <time>; | |
1433 | multiplier <num>; | |
1434 | passive <switch>; | |
1435 | }; | |
1436 | multihop { | |
1437 | interval <time>; | |
1438 | min rx interval <time>; | |
1439 | min tx interval <time>; | |
1440 | idle tx interval <time>; | |
1441 | multiplier <num>; | |
1442 | passive <switch>; | |
1443 | }; | |
1444 | neighbor <ip> [dev "<interface>"] [local <ip>] [multihop <switch>]; | |
1445 | } | |
1446 | </code> | |
1447 | ||
1448 | <descrip> | |
dad92c30 | 1449 | <tag>interface <m/pattern [, ...]/ { <m/options/ }</tag> |
1ec52253 OZ |
1450 | Interface definitions allow to specify options for sessions associated |
1451 | with such interfaces and also may contain interface specific options. | |
1452 | See <ref id="dsc-iface" name="interface"> common option for a detailed | |
1453 | description of interface patterns. Note that contrary to the behavior of | |
1454 | <cf/interface/ definitions of other protocols, BFD protocol would accept | |
1455 | sessions (in default configuration) even on interfaces not covered by | |
1456 | such definitions. | |
1457 | ||
1458 | <tag>multihop { <m/options/ }</tag> | |
1459 | Multihop definitions allow to specify options for multihop BFD sessions, | |
1460 | in the same manner as <cf/interface/ definitions are used for directly | |
1461 | connected sessions. Currently only one such definition (for all multihop | |
1462 | sessions) could be used. | |
1463 | ||
1464 | <tag>neighbor <m/ip/ [dev "<m/interface/"] [local <m/ip/] [multihop <m/switch/]</tag> | |
1465 | BFD sessions are usually created on demand as requested by other | |
1466 | protocols (like OSPF or BGP). This option allows to explicitly add | |
1467 | a BFD session to the specified neighbor regardless of such requests. | |
523f020b | 1468 | |
1ec52253 | 1469 | The session is identified by the IP address of the neighbor, with |
dad92c30 | 1470 | optional specification of used interface and local IP. By default |
1ec52253 OZ |
1471 | the neighbor must be directly connected, unless the the session is |
1472 | configured as multihop. Note that local IP must be specified for | |
1473 | multihop sessions. | |
1474 | </descrip> | |
1475 | ||
1476 | <p>Session specific options (part of <cf/interface/ and <cf/multihop/ definitions): | |
1477 | ||
1478 | <descrip> | |
1479 | <tag>interval <m/time/</tag> | |
1480 | BFD ensures availability of the forwarding path associated with the | |
1481 | session by periodically sending BFD control packets in both | |
1482 | directions. The rate of such packets is controlled by two options, | |
1483 | <cf/min rx interval/ and <cf/min tx interval/ (see below). This option | |
1484 | is just a shorthand to set both of these options together. | |
1485 | ||
1486 | <tag>min rx interval <m/time/</tag> | |
1487 | This option specifies the minimum RX interval, which is announced to the | |
1488 | neighbor and used there to limit the neighbor's rate of generated BFD | |
1489 | control packets. Default: 10 ms. | |
1490 | ||
1491 | <tag>min tx interval <m/time/</tag> | |
1492 | This option specifies the desired TX interval, which controls the rate | |
1493 | of generated BFD control packets (together with <cf/min rx interval/ | |
1494 | announced by the neighbor). Note that this value is used only if the BFD | |
1495 | session is up, otherwise the value of <cf/idle tx interval/ is used | |
1496 | instead. Default: 100 ms. | |
1497 | ||
1498 | <tag>idle tx interval <m/time/</tag> | |
1499 | In order to limit unnecessary traffic in cases where a neighbor is not | |
1500 | available or not running BFD, the rate of generated BFD control packets | |
1501 | is lower when the BFD session is not up. This option specifies the | |
1502 | desired TX interval in such cases instead of <cf/min tx interval/. | |
1503 | Default: 1 s. | |
1504 | ||
1505 | <tag>multiplier <m/num/</tag> | |
1506 | Failure detection time for BFD sessions is based on established rate of | |
1507 | BFD control packets (<cf>min rx/tx interval</cf>) multiplied by this | |
1508 | multiplier, which is essentially (ignoring jitter) a number of missed | |
1509 | packets after which the session is declared down. Note that rates and | |
1510 | multipliers could be different in each direction of a BFD session. | |
1511 | Default: 5. | |
1512 | ||
1513 | <tag>passive <m/switch/</tag> | |
1514 | Generally, both BFD session endpoinds try to establish the session by | |
1515 | sending control packets to the other side. This option allows to enable | |
1516 | passive mode, which means that the router does not send BFD packets | |
1517 | until it has received one from the other side. Default: disabled. | |
1518 | </descrip> | |
1519 | ||
1520 | <sect1>Example | |
1521 | ||
1522 | <p><code> | |
1523 | protocol bfd { | |
1524 | interface "eth*" { | |
1525 | min rx interval 20 ms; | |
1526 | min tx interval 50 ms; | |
1527 | idle tx interval 300 ms; | |
1528 | }; | |
1529 | interface "gre*" { | |
1530 | interval 200 ms; | |
1531 | multiplier 10; | |
1532 | passive; | |
1533 | }; | |
1534 | multihop { | |
1535 | interval 200 ms; | |
1536 | multiplier 10; | |
1537 | }; | |
1538 | ||
1539 | neighbor 192.168.1.10; | |
1540 | neighbor 192.168.2.2 dev "eth2"; | |
1541 | neighbor 192.168.10.1 local 192.168.1.1 multihop; | |
1542 | } | |
1543 | </code> | |
1544 | ||
dad92c30 | 1545 | |
371adba6 | 1546 | <sect>BGP |
1b55b1a3 | 1547 | |
dad92c30 OZ |
1548 | <p>The Border Gateway Protocol is the routing protocol used for backbone level |
1549 | routing in the today's Internet. Contrary to other protocols, its convergence | |
1550 | does not rely on all routers following the same rules for route selection, | |
1551 | making it possible to implement any routing policy at any router in the network, | |
1552 | the only restriction being that if a router advertises a route, it must accept | |
1553 | and forward packets according to it. | |
1554 | ||
1555 | <p>BGP works in terms of autonomous systems (often abbreviated as AS). Each AS | |
1556 | is a part of the network with common management and common routing policy. It is | |
1557 | identified by a unique 16-bit number (ASN). Routers within each AS usually | |
1558 | exchange AS-internal routing information with each other using an interior | |
1559 | gateway protocol (IGP, such as OSPF or RIP). Boundary routers at the border of | |
1560 | the AS communicate global (inter-AS) network reachability information with their | |
1561 | neighbors in the neighboring AS'es via exterior BGP (eBGP) and redistribute | |
1562 | received information to other routers in the AS via interior BGP (iBGP). | |
1563 | ||
1564 | <p>Each BGP router sends to its neighbors updates of the parts of its routing | |
1565 | table it wishes to export along with complete path information (a list of AS'es | |
1566 | the packet will travel through if it uses the particular route) in order to | |
1567 | avoid routing loops. | |
56ab03c7 | 1568 | |
5459fac6 | 1569 | <p>BIRD supports all requirements of the BGP4 standard as defined in |
1adc17b4 OZ |
1570 | RFC 4271<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4271.txt"> |
1571 | It also supports the community attributes | |
1572 | (RFC 1997<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1997.txt">), | |
1573 | capability negotiation | |
1574 | (RFC 3392<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc3392.txt">), | |
1575 | MD5 password authentication | |
1576 | (RFC 2385<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2385.txt">), | |
8815d846 OZ |
1577 | extended communities |
1578 | (RFC 4360<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4360.txt">), | |
523f020b | 1579 | route reflectors |
1adc17b4 | 1580 | (RFC 4456<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4456.txt">), |
6eda3f13 OZ |
1581 | graceful restart |
1582 | (RFC 4724<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4724.txt">), | |
e8ba557c OZ |
1583 | multiprotocol extensions |
1584 | (RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt">), | |
523f020b | 1585 | 4B AS numbers |
8815d846 OZ |
1586 | (RFC 4893<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4893.txt">), |
1587 | and 4B AS numbers in extended communities | |
1588 | (RFC 5668<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5668.txt">). | |
1adc17b4 OZ |
1589 | |
1590 | ||
5459fac6 | 1591 | For IPv6, it uses the standard multiprotocol extensions defined in |
6eda3f13 | 1592 | RFC 4760<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4760.txt"> |
5459fac6 MM |
1593 | and applied to IPv6 according to |
1594 | RFC 2545<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2545.txt">. | |
1595 | ||
371adba6 | 1596 | <sect1>Route selection rules |
5459fac6 MM |
1597 | |
1598 | <p>BGP doesn't have any simple metric, so the rules for selection of an optimal | |
1599 | route among multiple BGP routes with the same preference are a bit more complex | |
dad92c30 OZ |
1600 | and they are implemented according to the following algorithm. It starts the |
1601 | first rule, if there are more "best" routes, then it uses the second rule to | |
1602 | choose among them and so on. | |
5459fac6 MM |
1603 | |
1604 | <itemize> | |
5a203dac | 1605 | <item>Prefer route with the highest Local Preference attribute. |
5459fac6 | 1606 | <item>Prefer route with the shortest AS path. |
b74f45f8 | 1607 | <item>Prefer IGP origin over EGP and EGP origin over incomplete. |
5459fac6 | 1608 | <item>Prefer the lowest value of the Multiple Exit Discriminator. |
b74f45f8 OZ |
1609 | <item>Prefer routes received via eBGP over ones received via iBGP. |
1610 | <item>Prefer routes with lower internal distance to a boundary router. | |
5a203dac | 1611 | <item>Prefer the route with the lowest value of router ID of the |
5459fac6 MM |
1612 | advertising router. |
1613 | </itemize> | |
56ab03c7 | 1614 | |
b74f45f8 OZ |
1615 | <sect1>IGP routing table |
1616 | ||
dad92c30 OZ |
1617 | <p>BGP is mainly concerned with global network reachability and with routes to |
1618 | other autonomous systems. When such routes are redistributed to routers in the | |
1619 | AS via BGP, they contain IP addresses of a boundary routers (in route attribute | |
1620 | NEXT_HOP). BGP depends on existing IGP routing table with AS-internal routes to | |
1621 | determine immediate next hops for routes and to know their internal distances to | |
1622 | boundary routers for the purpose of BGP route selection. In BIRD, there is | |
1623 | usually one routing table used for both IGP routes and BGP routes. | |
b74f45f8 | 1624 | |
371adba6 | 1625 | <sect1>Configuration |
56ab03c7 | 1626 | |
dad92c30 OZ |
1627 | <p>Each instance of the BGP corresponds to one neighboring router. This allows |
1628 | to set routing policy and all the other parameters differently for each neighbor | |
1629 | using the following configuration parameters: | |
5459fac6 MM |
1630 | |
1631 | <descrip> | |
dad92c30 OZ |
1632 | <tag>local [<m/ip/] as <m/number/</tag> |
1633 | Define which AS we are part of. (Note that contrary to other IP routers, | |
1634 | BIRD is able to act as a router located in multiple AS'es simultaneously, | |
1635 | but in such cases you need to tweak the BGP paths manually in the filters | |
1636 | to get consistent behavior.) Optional <cf/ip/ argument specifies a source | |
1637 | address, equivalent to the <cf/source address/ option (see below). This | |
f3e59178 OZ |
1638 | parameter is mandatory. |
1639 | ||
a1beb8f3 | 1640 | <tag>neighbor [<m/ip/] [port <m/number/] [as <m/number/]</tag> |
dad92c30 | 1641 | Define neighboring router this instance will be talking to and what AS |
a1beb8f3 OZ |
1642 | it is located in. In case the neighbor is in the same AS as we are, we |
1643 | automatically switch to iBGP. Optionally, the remote port may also be | |
1644 | specified. The parameter may be used multiple times with different | |
1645 | sub-options (e.g., both <cf/neighbor 10.0.0.1 as 65000;/ and | |
1646 | <cf/neighbor 10.0.0.1; neighbor as 65000;/ are valid). This parameter is | |
1647 | mandatory. | |
1648 | ||
1649 | <tag>interface <m/string/</tag> | |
1650 | Define interface we should use for link-local BGP IPv6 sessions. | |
1651 | Interface can also be specified as a part of <cf/neighbor address/ | |
1652 | (e.g., <cf/neighbor fe80::1234%eth0 as 65000;/). It is an error to use | |
1653 | this parameter for non link-local sessions. | |
dad92c30 OZ |
1654 | |
1655 | <tag>direct</tag> | |
1656 | Specify that the neighbor is directly connected. The IP address of the | |
1657 | neighbor must be from a directly reachable IP range (i.e. associated | |
1658 | with one of your router's interfaces), otherwise the BGP session | |
1659 | wouldn't start but it would wait for such interface to appear. The | |
1660 | alternative is the <cf/multihop/ option. Default: enabled for eBGP. | |
1661 | ||
1662 | <tag>multihop [<m/number/]</tag> | |
1663 | Configure multihop BGP session to a neighbor that isn't directly | |
1664 | connected. Accurately, this option should be used if the configured | |
1665 | neighbor IP address does not match with any local network subnets. Such | |
1666 | IP address have to be reachable through system routing table. The | |
1667 | alternative is the <cf/direct/ option. For multihop BGP it is | |
1668 | recommended to explicitly configure the source address to have it | |
1669 | stable. Optional <cf/number/ argument can be used to specify the number | |
1670 | of hops (used for TTL). Note that the number of networks (edges) in a | |
1671 | path is counted; i.e., if two BGP speakers are separated by one router, | |
1672 | the number of hops is 2. Default: enabled for iBGP. | |
1673 | ||
1674 | <tag>source address <m/ip/</tag> | |
1675 | Define local address we should use for next hop calculation and as a | |
1676 | source address for the BGP session. Default: the address of the local | |
9be9a264 OZ |
1677 | end of the interface our neighbor is connected to. |
1678 | ||
dad92c30 OZ |
1679 | <tag>next hop self</tag> |
1680 | Avoid calculation of the Next Hop attribute and always advertise our own | |
1681 | source address as a next hop. This needs to be used only occasionally to | |
1682 | circumvent misconfigurations of other routers. Default: disabled. | |
1683 | ||
1684 | <tag>next hop keep</tag> | |
1685 | Forward the received Next Hop attribute even in situations where the | |
1686 | local address should be used instead, like when the route is sent to an | |
1687 | interface with a different subnet. Default: disabled. | |
1688 | ||
1689 | <tag>missing lladdr self|drop|ignore</tag> | |
1690 | Next Hop attribute in BGP-IPv6 sometimes contains just the global IPv6 | |
1691 | address, but sometimes it has to contain both global and link-local IPv6 | |
1692 | addresses. This option specifies what to do if BIRD have to send both | |
1693 | addresses but does not know link-local address. This situation might | |
1694 | happen when routes from other protocols are exported to BGP, or when | |
1695 | improper updates are received from BGP peers. <cf/self/ means that BIRD | |
1696 | advertises its own local address instead. <cf/drop/ means that BIRD | |
1697 | skips that prefixes and logs error. <cf/ignore/ means that BIRD ignores | |
1698 | the problem and sends just the global address (and therefore forms | |
1699 | improper BGP update). Default: <cf/self/, unless BIRD is configured as a | |
1700 | route server (option <cf/rs client/), in that case default is <cf/ignore/, | |
1701 | because route servers usually do not forward packets themselves. | |
1702 | ||
1703 | <tag>gateway direct|recursive</tag> | |
1704 | For received routes, their <cf/gw/ (immediate next hop) attribute is | |
1705 | computed from received <cf/bgp_next_hop/ attribute. This option | |
1706 | specifies how it is computed. Direct mode means that the IP address from | |
1707 | <cf/bgp_next_hop/ is used if it is directly reachable, otherwise the | |
1708 | neighbor IP address is used. Recursive mode means that the gateway is | |
1709 | computed by an IGP routing table lookup for the IP address from | |
1710 | <cf/bgp_next_hop/. Recursive mode is the behavior specified by the BGP | |
1711 | standard. Direct mode is simpler, does not require any routes in a | |
1712 | routing table, and was used in older versions of BIRD, but does not | |
1713 | handle well nontrivial iBGP setups and multihop. Recursive mode is | |
1714 | incompatible with <ref id="dsc-sorted" name="sorted tables">. Default: | |
1715 | <cf/direct/ for direct sessions, <cf/recursive/ for multihop sessions. | |
1716 | ||
1717 | <tag>igp table <m/name/</tag> | |
1718 | Specifies a table that is used as an IGP routing table. Default: the | |
1719 | same as the table BGP is connected to. | |
1ec52253 | 1720 | |
523f020b OZ |
1721 | <tag>check link <M>switch</M></tag> |
1722 | BGP could use hardware link state into consideration. If enabled, | |
1723 | BIRD tracks the link state of the associated interface and when link | |
1724 | disappears (e.g. an ethernet cable is unplugged), the BGP session is | |
1725 | immediately shut down. Note that this option cannot be used with | |
1726 | multihop BGP. Default: disabled. | |
1727 | ||
1ec52253 OZ |
1728 | <tag>bfd <M>switch</M></tag> |
1729 | BGP could use BFD protocol as an advisory mechanism for neighbor | |
1730 | liveness and failure detection. If enabled, BIRD setups a BFD session | |
1731 | for the BGP neighbor and tracks its liveness by it. This has an | |
1732 | advantage of an order of magnitude lower detection times in case of | |
1733 | failure. Note that BFD protocol also has to be configured, see | |
1734 | <ref id="sect-bfd" name="BFD"> section for details. Default: disabled. | |
1735 | ||
dad92c30 OZ |
1736 | <tag>ttl security <m/switch/</tag> |
1737 | Use GTSM (RFC 5082 - the generalized TTL security mechanism). GTSM | |
1738 | protects against spoofed packets by ignoring received packets with a | |
1739 | smaller than expected TTL. To work properly, GTSM have to be enabled on | |
1740 | both sides of a BGP session. If both <cf/ttl security/ and <cf/multihop/ | |
1741 | options are enabled, <cf/multihop/ option should specify proper hop | |
1742 | value to compute expected TTL. Kernel support required: Linux: 2.6.34+ | |
1743 | (IPv4), 2.6.35+ (IPv6), BSD: since long ago, IPv4 only. Note that full | |
1744 | (ICMP protection, for example) RFC 5082 support is provided by Linux | |
b1b19433 | 1745 | only. Default: disabled. |
523f020b | 1746 | |
dad92c30 OZ |
1747 | <tag>password <m/string/</tag> |
1748 | Use this password for MD5 authentication of BGP sessions. Default: no | |
1749 | authentication. Password has to be set by external utility | |
1750 | (e.g. setkey(8)) on BSD systems. | |
1751 | ||
1752 | <tag>passive <m/switch/</tag> | |
1753 | Standard BGP behavior is both initiating outgoing connections and | |
1754 | accepting incoming connections. In passive mode, outgoing connections | |
1755 | are not initiated. Default: off. | |
1756 | ||
1757 | <tag>rr client</tag> | |
1758 | Be a route reflector and treat the neighbor as a route reflection | |
1759 | client. Default: disabled. | |
1760 | ||
1761 | <tag>rr cluster id <m/IPv4 address/</tag> | |
1762 | Route reflectors use cluster id to avoid route reflection loops. When | |
1763 | there is one route reflector in a cluster it usually uses its router id | |
1764 | as a cluster id, but when there are more route reflectors in a cluster, | |
1765 | these need to be configured (using this option) to use a common cluster | |
1766 | id. Clients in a cluster need not know their cluster id and this option | |
1767 | is not allowed for them. Default: the same as router id. | |
1768 | ||
523f020b | 1769 | <tag>rs client</tag> |
dad92c30 OZ |
1770 | Be a route server and treat the neighbor as a route server client. |
1771 | A route server is used as a replacement for full mesh EBGP routing in | |
1772 | Internet exchange points in a similar way to route reflectors used in | |
1773 | IBGP routing. BIRD does not implement obsoleted RFC 1863, but uses | |
1774 | ad-hoc implementation, which behaves like plain EBGP but reduces | |
1775 | modifications to advertised route attributes to be transparent (for | |
1776 | example does not prepend its AS number to AS PATH attribute and keeps | |
1777 | MED attribute). Default: disabled. | |
1778 | ||
1779 | <tag>secondary <m/switch/</tag> | |
1780 | Usually, if an export filter rejects a selected route, no other route is | |
1781 | propagated for that network. This option allows to try the next route in | |
1782 | order until one that is accepted is found or all routes for that network | |
1783 | are rejected. This can be used for route servers that need to propagate | |
1784 | different tables to each client but do not want to have these tables | |
1785 | explicitly (to conserve memory). This option requires that the connected | |
1786 | routing table is <ref id="dsc-sorted" name="sorted">. Default: off. | |
48cf5e84 | 1787 | |
10115b1d OZ |
1788 | <tag>add paths <m/switch/|rx|tx</tag> |
1789 | Standard BGP can propagate only one path (route) per destination network | |
1790 | (usually the selected one). This option controls the add-path protocol | |
1791 | extension, which allows to advertise any number of paths to a | |
1792 | destination. Note that to be active, add-path has to be enabled on both | |
1793 | sides of the BGP session, but it could be enabled separately for RX and | |
1794 | TX direction. When active, all available routes accepted by the export | |
1795 | filter are advertised to the neighbor. Default: off. | |
1796 | ||
523f020b | 1797 | <tag>allow local as [<m/number/]</tag> |
dad92c30 OZ |
1798 | BGP prevents routing loops by rejecting received routes with the local |
1799 | AS number in the AS path. This option allows to loose or disable the | |
1800 | check. Optional <cf/number/ argument can be used to specify the maximum | |
1801 | number of local ASNs in the AS path that is allowed for received | |
1802 | routes. When the option is used without the argument, the check is | |
1803 | completely disabled and you should ensure loop-free behavior by some | |
1804 | other means. Default: 0 (no local AS number allowed). | |
1805 | ||
1806 | <tag>enable route refresh <m/switch/</tag> | |
9aed29e6 OZ |
1807 | After the initial route exchange, BGP protocol uses incremental updates |
1808 | to keep BGP speakers synchronized. Sometimes (e.g., if BGP speaker | |
1809 | changes its import filter, or if there is suspicion of inconsistency) it | |
1810 | is necessary to do a new complete route exchange. BGP protocol extension | |
1811 | Route Refresh (RFC 2918) allows BGP speaker to request re-advertisement | |
1812 | of all routes from its neighbor. BGP protocol extension Enhanced Route | |
1813 | Refresh (RFC 7313) specifies explicit begin and end for such exchanges, | |
1814 | therefore the receiver can remove stale routes that were not advertised | |
1815 | during the exchange. This option specifies whether BIRD advertises these | |
1816 | capabilities and supports related procedures. Note that even when | |
1817 | disabled, BIRD can send route refresh requests. Default: on. | |
bf47fe4b | 1818 | |
6eda3f13 OZ |
1819 | <tag>graceful restart <m/switch/|aware</tag> |
1820 | When a BGP speaker restarts or crashes, neighbors will discard all | |
1821 | received paths from the speaker, which disrupts packet forwarding even | |
1822 | when the forwarding plane of the speaker remains intact. RFC 4724 | |
1823 | specifies an optional graceful restart mechanism to alleviate this | |
1824 | issue. This option controls the mechanism. It has three states: | |
1825 | Disabled, when no support is provided. Aware, when the graceful restart | |
1826 | support is announced and the support for restarting neighbors is | |
1827 | provided, but no local graceful restart is allowed (i.e. receiving-only | |
1828 | role). Enabled, when the full graceful restart support is provided | |
1829 | (i.e. both restarting and receiving role). Note that proper support for | |
1830 | local graceful restart requires also configuration of other protocols. | |
1831 | Default: aware. | |
1832 | ||
1833 | <tag>graceful restart time <m/number/</tag> | |
1834 | The restart time is announced in the BGP graceful restart capability | |
1835 | and specifies how long the neighbor would wait for the BGP session to | |
1836 | re-establish after a restart before deleting stale routes. Default: | |
1837 | 120 seconds. | |
1838 | ||
dad92c30 OZ |
1839 | <tag>interpret communities <m/switch/</tag> |
1840 | RFC 1997 demands that BGP speaker should process well-known communities | |
1841 | like no-export (65535, 65281) or no-advertise (65535, 65282). For | |
1842 | example, received route carrying a no-adverise community should not be | |
1843 | advertised to any of its neighbors. If this option is enabled (which is | |
1844 | by default), BIRD has such behavior automatically (it is evaluated when | |
1845 | a route is exported to the BGP protocol just before the export filter). | |
1846 | Otherwise, this integrated processing of well-known communities is | |
1847 | disabled. In that case, similar behavior can be implemented in the | |
1848 | export filter. Default: on. | |
1849 | ||
1850 | <tag>enable as4 <m/switch/</tag> | |
1851 | BGP protocol was designed to use 2B AS numbers and was extended later to | |
1852 | allow 4B AS number. BIRD supports 4B AS extension, but by disabling this | |
1853 | option it can be persuaded not to advertise it and to maintain old-style | |
1854 | sessions with its neighbors. This might be useful for circumventing bugs | |
1855 | in neighbor's implementation of 4B AS extension. Even when disabled | |
1856 | (off), BIRD behaves internally as AS4-aware BGP router. Default: on. | |
1857 | ||
1858 | <tag>capabilities <m/switch/</tag> | |
1859 | Use capability advertisement to advertise optional capabilities. This is | |
1860 | standard behavior for newer BGP implementations, but there might be some | |
1861 | older BGP implementations that reject such connection attempts. When | |
1862 | disabled (off), features that request it (4B AS support) are also | |
1863 | disabled. Default: on, with automatic fallback to off when received | |
1864 | capability-related error. | |
1865 | ||
1866 | <tag>advertise ipv4 <m/switch/</tag> | |
1867 | Advertise IPv4 multiprotocol capability. This is not a correct behavior | |
1868 | according to the strict interpretation of RFC 4760, but it is widespread | |
1869 | and required by some BGP implementations (Cisco and Quagga). This option | |
1870 | is relevant to IPv4 mode with enabled capability advertisement | |
1871 | only. Default: on. | |
1872 | ||
1873 | <tag>route limit <m/number/</tag> | |
1874 | The maximal number of routes that may be imported from the protocol. If | |
1875 | the route limit is exceeded, the connection is closed with an error. | |
1876 | Limit is currently implemented as <cf>import limit <m/number/ action | |
1877 | restart</cf>. This option is obsolete and it is replaced by | |
1878 | <ref id="import-limit" name="import limit option">. Default: no limit. | |
1879 | ||
1880 | <tag>disable after error <m/switch/</tag> | |
1881 | When an error is encountered (either locally or by the other side), | |
1882 | disable the instance automatically and wait for an administrator to fix | |
1883 | the problem manually. Default: off. | |
1884 | ||
1885 | <tag>hold time <m/number/</tag> | |
1886 | Time in seconds to wait for a Keepalive message from the other side | |
1887 | before considering the connection stale. Default: depends on agreement | |
1888 | with the neighboring router, we prefer 240 seconds if the other side is | |
1889 | willing to accept it. | |
1890 | ||
1891 | <tag>startup hold time <m/number/</tag> | |
1892 | Value of the hold timer used before the routers have a chance to exchange | |
1893 | open messages and agree on the real value. Default: 240 seconds. | |
1894 | ||
1895 | <tag>keepalive time <m/number/</tag> | |
1896 | Delay in seconds between sending of two consecutive Keepalive messages. | |
1897 | Default: One third of the hold time. | |
1898 | ||
6cf72d7a OZ |
1899 | <tag>connect delay time <m/number/</tag> |
1900 | Delay in seconds between protocol startup and the first attempt to | |
1901 | connect. Default: 5 seconds. | |
1902 | ||
dad92c30 OZ |
1903 | <tag>connect retry time <m/number/</tag> |
1904 | Time in seconds to wait before retrying a failed attempt to connect. | |
1905 | Default: 120 seconds. | |
1906 | ||
dad92c30 OZ |
1907 | <tag>error wait time <m/number/,<m/number/</tag> |
1908 | Minimum and maximum delay in seconds between a protocol failure (either | |
1909 | local or reported by the peer) and automatic restart. Doesn't apply | |
1910 | when <cf/disable after error/ is configured. If consecutive errors | |
1911 | happen, the delay is increased exponentially until it reaches the | |
1912 | maximum. Default: 60, 300. | |
1913 | ||
1914 | <tag>error forget time <m/number/</tag> | |
1915 | Maximum time in seconds between two protocol failures to treat them as a | |
1916 | error sequence which makes <cf/error wait time/ increase exponentially. | |
1917 | Default: 300 seconds. | |
1918 | ||
1919 | <tag>path metric <m/switch/</tag> | |
1920 | Enable comparison of path lengths when deciding which BGP route is the | |
1921 | best one. Default: on. | |
1922 | ||
1923 | <tag>med metric <m/switch/</tag> | |
1924 | Enable comparison of MED attributes (during best route selection) even | |
1925 | between routes received from different ASes. This may be useful if all | |
1926 | MED attributes contain some consistent metric, perhaps enforced in | |
1927 | import filters of AS boundary routers. If this option is disabled, MED | |
1928 | attributes are compared only if routes are received from the same AS | |
1929 | (which is the standard behavior). Default: off. | |
1930 | ||
1931 | <tag>deterministic med <m/switch/</tag> | |
1932 | BGP route selection algorithm is often viewed as a comparison between | |
1933 | individual routes (e.g. if a new route appears and is better than the | |
1934 | current best one, it is chosen as the new best one). But the proper | |
1935 | route selection, as specified by RFC 4271, cannot be fully implemented | |
1936 | in that way. The problem is mainly in handling the MED attribute. BIRD, | |
1937 | by default, uses an simplification based on individual route comparison, | |
1938 | which in some cases may lead to temporally dependent behavior (i.e. the | |
1939 | selection is dependent on the order in which routes appeared). This | |
1940 | option enables a different (and slower) algorithm implementing proper | |
1941 | RFC 4271 route selection, which is deterministic. Alternative way how to | |
1942 | get deterministic behavior is to use <cf/med metric/ option. This option | |
1943 | is incompatible with <ref id="dsc-sorted" name="sorted tables">. | |
48cf5e84 | 1944 | Default: off. |
be4cd99a | 1945 | |
dad92c30 OZ |
1946 | <tag>igp metric <m/switch/</tag> |
1947 | Enable comparison of internal distances to boundary routers during best | |
1948 | route selection. Default: on. | |
1949 | ||
1950 | <tag>prefer older <m/switch/</tag> | |
1951 | Standard route selection algorithm breaks ties by comparing router IDs. | |
1952 | This changes the behavior to prefer older routes (when both are external | |
1953 | and from different peer). For details, see RFC 5004. Default: off. | |
1954 | ||
1955 | <tag>default bgp_med <m/number/</tag> | |
1956 | Value of the Multiple Exit Discriminator to be used during route | |
1957 | selection when the MED attribute is missing. Default: 0. | |
1958 | ||
1959 | <tag>default bgp_local_pref <m/number/</tag> | |
1960 | A default value for the Local Preference attribute. It is used when | |
1961 | a new Local Preference attribute is attached to a route by the BGP | |
1962 | protocol itself (for example, if a route is received through eBGP and | |
1963 | therefore does not have such attribute). Default: 100 (0 in pre-1.2.0 | |
1964 | versions of BIRD). | |
5459fac6 MM |
1965 | </descrip> |
1966 | ||
371adba6 | 1967 | <sect1>Attributes |
56ab03c7 | 1968 | |
dad92c30 OZ |
1969 | <p>BGP defines several route attributes. Some of them (those marked with |
1970 | `<tt/I/' in the table below) are available on internal BGP connections only, | |
1971 | some of them (marked with `<tt/O/') are optional. | |
5459fac6 MM |
1972 | |
1973 | <descrip> | |
dad92c30 OZ |
1974 | <tag>bgppath <cf/bgp_path/</tag> |
1975 | Sequence of AS numbers describing the AS path the packet will travel | |
1976 | through when forwarded according to the particular route. In case of | |
1977 | internal BGP it doesn't contain the number of the local AS. | |
1978 | ||
1979 | <tag>int <cf/bgp_local_pref/ [I]</tag> | |
1980 | Local preference value used for selection among multiple BGP routes (see | |
1981 | the selection rules above). It's used as an additional metric which is | |
1982 | propagated through the whole local AS. | |
1983 | ||
1984 | <tag>int <cf/bgp_med/ [O]</tag> | |
1985 | The Multiple Exit Discriminator of the route is an optional attribute | |
1986 | which is used on external (inter-AS) links to convey to an adjacent AS | |
1987 | the optimal entry point into the local AS. The received attribute is | |
1988 | also propagated over internal BGP links. The attribute value is zeroed | |
1989 | when a route is exported to an external BGP instance to ensure that the | |
1990 | attribute received from a neighboring AS is not propagated to other | |
1991 | neighboring ASes. A new value might be set in the export filter of an | |
1992 | external BGP instance. See RFC 4451<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4451.txt"> | |
b6bf284a | 1993 | for further discussion of BGP MED attribute. |
5a203dac | 1994 | |
dad92c30 OZ |
1995 | <tag>enum <cf/bgp_origin/</tag> |
1996 | Origin of the route: either <cf/ORIGIN_IGP/ if the route has originated | |
1997 | in an interior routing protocol or <cf/ORIGIN_EGP/ if it's been imported | |
1998 | from the <tt>EGP</tt> protocol (nowadays it seems to be obsolete) or | |
1999 | <cf/ORIGIN_INCOMPLETE/ if the origin is unknown. | |
5a203dac | 2000 | |
dad92c30 OZ |
2001 | <tag>ip <cf/bgp_next_hop/</tag> |
2002 | Next hop to be used for forwarding of packets to this destination. On | |
2003 | internal BGP connections, it's an address of the originating router if | |
2004 | it's inside the local AS or a boundary router the packet will leave the | |
2005 | AS through if it's an exterior route, so each BGP speaker within the AS | |
2006 | has a chance to use the shortest interior path possible to this point. | |
5a203dac | 2007 | |
dad92c30 OZ |
2008 | <tag>void <cf/bgp_atomic_aggr/ [O]</tag> |
2009 | This is an optional attribute which carries no value, but the sole | |
2010 | presence of which indicates that the route has been aggregated from | |
2011 | multiple routes by some router on the path from the originator. | |
5a203dac | 2012 | |
5459fac6 MM |
2013 | <!-- we don't handle aggregators right since they are of a very obscure type |
2014 | <tag>bgp_aggregator</tag> | |
2015 | --> | |
dad92c30 OZ |
2016 | <tag>clist <cf/bgp_community/ [O]</tag> |
2017 | List of community values associated with the route. Each such value is a | |
2018 | pair (represented as a <cf/pair/ data type inside the filters) of 16-bit | |
2019 | integers, the first of them containing the number of the AS which | |
2020 | defines the community and the second one being a per-AS identifier. | |
2021 | There are lots of uses of the community mechanism, but generally they | |
2022 | are used to carry policy information like "don't export to USA peers". | |
2023 | As each AS can define its own routing policy, it also has a complete | |
2024 | freedom about which community attributes it defines and what will their | |
2025 | semantics be. | |
2026 | ||
2027 | <tag>eclist <cf/bgp_ext_community/ [O]</tag> | |
2028 | List of extended community values associated with the route. Extended | |
2029 | communities have similar usage as plain communities, but they have an | |
2030 | extended range (to allow 4B ASNs) and a nontrivial structure with a type | |
2031 | field. Individual community values are represented using an <cf/ec/ data | |
2032 | type inside the filters. | |
2033 | ||
2034 | <tag>quad <cf/bgp_originator_id/ [I, O]</tag> | |
2035 | This attribute is created by the route reflector when reflecting the | |
2036 | route and contains the router ID of the originator of the route in the | |
2037 | local AS. | |
2038 | ||
2039 | <tag>clist <cf/bgp_cluster_list/ [I, O]</tag> | |
2040 | This attribute contains a list of cluster IDs of route reflectors. Each | |
2041 | route reflector prepends its cluster ID when reflecting the route. | |
5459fac6 MM |
2042 | </descrip> |
2043 | ||
371adba6 | 2044 | <sect1>Example |
56ab03c7 | 2045 | |
5459fac6 MM |
2046 | <p><code> |
2047 | protocol bgp { | |
96264d4d | 2048 | local as 65000; # Use a private AS number |
9491f9f5 | 2049 | neighbor 198.51.100.130 as 64496; # Our neighbor ... |
6bcef225 | 2050 | multihop; # ... which is connected indirectly |
96264d4d PM |
2051 | export filter { # We use non-trivial export rules |
2052 | if source = RTS_STATIC then { # Export only static routes | |
a852c139 | 2053 | # Assign our community |
9491f9f5 | 2054 | bgp_community.add((65000,64501)); |
a852c139 | 2055 | # Artificially increase path length |
5a203dac | 2056 | # by advertising local AS number twice |
9491f9f5 OZ |
2057 | if bgp_path ~ [= 65000 =] then |
2058 | bgp_path.prepend(65000); | |
5459fac6 MM |
2059 | accept; |
2060 | } | |
2061 | reject; | |
2062 | }; | |
2063 | import all; | |
9491f9f5 | 2064 | source address 198.51.100.14; # Use a non-standard source address |
5459fac6 MM |
2065 | } |
2066 | </code> | |
2067 | ||
dad92c30 | 2068 | |
371adba6 | 2069 | <sect>Device |
1b55b1a3 | 2070 | |
dad92c30 OZ |
2071 | <p>The Device protocol is not a real routing protocol. It doesn't generate any |
2072 | routes and it only serves as a module for getting information about network | |
79a2b697 MM |
2073 | interfaces from the kernel. |
2074 | ||
dad92c30 OZ |
2075 | <p>Except for very unusual circumstances, you probably should include this |
2076 | protocol in the configuration since almost all other protocols require network | |
2077 | interfaces to be defined for them to work with. | |
79a2b697 | 2078 | |
6f5603ba | 2079 | <sect1>Configuration |
79a2b697 MM |
2080 | |
2081 | <p><descrip> | |
dad92c30 OZ |
2082 | |
2083 | <tag>scan time <m/number/</tag> | |
2084 | ||
2085 | Time in seconds between two scans of the network interface list. On | |
2086 | systems where we are notified about interface status changes | |
2087 | asynchronously (such as newer versions of Linux), we need to scan the | |
2088 | list only in order to avoid confusion by lost notification messages, | |
2089 | so the default time is set to a large value. | |
2090 | ||
2091 | <tag>primary [ "<m/mask/" ] <m/prefix/</tag> | |
2092 | If a network interface has more than one network address, BIRD has to | |
2093 | choose one of them as a primary one. By default, BIRD chooses the | |
2094 | lexicographically smallest address as the primary one. | |
2095 | ||
2096 | This option allows to specify which network address should be chosen as | |
2097 | a primary one. Network addresses that match <m/prefix/ are preferred to | |
2098 | non-matching addresses. If more <cf/primary/ options are used, the first | |
2099 | one has the highest preference. If "<m/mask/" is specified, then such | |
2100 | <cf/primary/ option is relevant only to matching network interfaces. | |
2101 | ||
2102 | In all cases, an address marked by operating system as secondary cannot | |
2103 | be chosen as the primary one. | |
79a2b697 MM |
2104 | </descrip> |
2105 | ||
79a2b697 | 2106 | <p>As the Device protocol doesn't generate any routes, it cannot have |
6f5603ba | 2107 | any attributes. Example configuration looks like this: |
79a2b697 MM |
2108 | |
2109 | <p><code> | |
2110 | protocol device { | |
2111 | scan time 10; # Scan the interfaces often | |
6f5603ba OZ |
2112 | primary "eth0" 192.168.1.1; |
2113 | primary 192.168.0.0/16; | |
79a2b697 MM |
2114 | } |
2115 | </code> | |
2116 | ||
dad92c30 | 2117 | |
371adba6 | 2118 | <sect>Direct |
1b55b1a3 | 2119 | |
79a2b697 | 2120 | <p>The Direct protocol is a simple generator of device routes for all the |
dad92c30 OZ |
2121 | directly connected networks according to the list of interfaces provided by the |
2122 | kernel via the Device protocol. | |
2123 | ||
2124 | <p>The question is whether it is a good idea to have such device routes in BIRD | |
2125 | routing table. OS kernel usually handles device routes for directly connected | |
2126 | networks by itself so we don't need (and don't want) to export these routes to | |
2127 | the kernel protocol. OSPF protocol creates device routes for its interfaces | |
2128 | itself and BGP protocol is usually used for exporting aggregate routes. Although | |
2129 | there are some use cases that use the direct protocol (like abusing eBGP as an | |
2130 | IGP routing protocol), in most cases it is not needed to have these device | |
c429d4a4 | 2131 | routes in BIRD routing table and to use the direct protocol. |
79a2b697 | 2132 | |
dad92c30 OZ |
2133 | <p>There is one notable case when you definitely want to use the direct protocol |
2134 | -- running BIRD on BSD systems. Having high priority device routes for directly | |
2135 | connected networks from the direct protocol protects kernel device routes from | |
2136 | being overwritten or removed by IGP routes during some transient network | |
2137 | conditions, because a lower priority IGP route for the same network is not | |
2138 | exported to the kernel routing table. This is an issue on BSD systems only, as | |
2139 | on Linux systems BIRD cannot change non-BIRD route in the kernel routing table. | |
cf3a704b | 2140 | |
5a203dac | 2141 | <p>The only configurable thing about direct is what interfaces it watches: |
79a2b697 MM |
2142 | |
2143 | <p><descrip> | |
dad92c30 OZ |
2144 | <tag>interface <m/pattern [, ...]/</tag> |
2145 | By default, the Direct protocol will generate device routes for all the | |
2146 | interfaces available. If you want to restrict it to some subset of | |
d7c06285 OZ |
2147 | interfaces or addresses (e.g. if you're using multiple routing tables |
2148 | for policy routing and some of the policy domains don't contain all | |
2149 | interfaces), just use this clause. See <ref id="dsc-iface" name="interface"> | |
2150 | common option for detailed description. The Direct protocol uses | |
2151 | extended interface clauses. | |
79a2b697 MM |
2152 | </descrip> |
2153 | ||
79a2b697 MM |
2154 | <p>Direct device routes don't contain any specific attributes. |
2155 | ||
4f88ac47 | 2156 | <p>Example config might look like this: |
79a2b697 MM |
2157 | |
2158 | <p><code> | |
2159 | protocol direct { | |
2160 | interface "-arc*", "*"; # Exclude the ARCnets | |
2161 | } | |
2162 | </code> | |
2163 | ||
dad92c30 | 2164 | |
371adba6 | 2165 | <sect>Kernel |
1b55b1a3 | 2166 | |
0e4789c2 | 2167 | <p>The Kernel protocol is not a real routing protocol. Instead of communicating |
c429d4a4 | 2168 | with other routers in the network, it performs synchronization of BIRD's routing |
dad92c30 OZ |
2169 | tables with the OS kernel. Basically, it sends all routing table updates to the |
2170 | kernel and from time to time it scans the kernel tables to see whether some | |
2171 | routes have disappeared (for example due to unnoticed up/down transition of an | |
2172 | interface) or whether an `alien' route has been added by someone else (depending | |
2173 | on the <cf/learn/ switch, such routes are either ignored or accepted to our | |
f8e2d916 | 2174 | table). |
0e4789c2 | 2175 | |
dad92c30 OZ |
2176 | <p>Unfortunately, there is one thing that makes the routing table synchronization |
2177 | a bit more complicated. In the kernel routing table there are also device routes | |
2178 | for directly connected networks. These routes are usually managed by OS itself | |
2179 | (as a part of IP address configuration) and we don't want to touch that. They | |
2180 | are completely ignored during the scan of the kernel tables and also the export | |
2181 | of device routes from BIRD tables to kernel routing tables is restricted to | |
2182 | prevent accidental interference. This restriction can be disabled using | |
c429d4a4 OZ |
2183 | <cf/device routes/ switch. |
2184 | ||
dad92c30 OZ |
2185 | <p>If your OS supports only a single routing table, you can configure only one |
2186 | instance of the Kernel protocol. If it supports multiple tables (in order to | |
2187 | allow policy routing; such an OS is for example Linux), you can run as many | |
2188 | instances as you want, but each of them must be connected to a different BIRD | |
2189 | routing table and to a different kernel table. | |
0e4789c2 | 2190 | |
dad92c30 OZ |
2191 | <p>Because the kernel protocol is partially integrated with the connected |
2192 | routing table, there are two limitations - it is not possible to connect more | |
2193 | kernel protocols to the same routing table and changing route destination | |
2194 | (gateway) in an export filter of a kernel protocol does not work. Both | |
2195 | limitations can be overcome using another routing table and the pipe protocol. | |
71ca7716 | 2196 | |
371adba6 | 2197 | <sect1>Configuration |
0e4789c2 MM |
2198 | |
2199 | <p><descrip> | |
6eda3f13 OZ |
2200 | <tag>persist <m/switch/</tag> |
2201 | Tell BIRD to leave all its routes in the routing tables when it exits | |
2202 | (instead of cleaning them up). | |
2203 | ||
2204 | <tag>scan time <m/number/</tag> | |
2205 | Time in seconds between two consecutive scans of the kernel routing | |
2206 | table. | |
2207 | ||
2208 | <tag>learn <m/switch/</tag> | |
2209 | Enable learning of routes added to the kernel routing tables by other | |
2210 | routing daemons or by the system administrator. This is possible only on | |
2211 | systems which support identification of route authorship. | |
2212 | ||
2213 | <tag>device routes <m/switch/</tag> | |
2214 | Enable export of device routes to the kernel routing table. By default, | |
2215 | such routes are rejected (with the exception of explicitly configured | |
2216 | device routes from the static protocol) regardless of the export filter | |
2217 | to protect device routes in kernel routing table (managed by OS itself) | |
2218 | from accidental overwriting or erasing. | |
2219 | ||
2220 | <tag>kernel table <m/number/</tag> | |
2221 | Select which kernel table should this particular instance of the Kernel | |
2222 | protocol work with. Available only on systems supporting multiple | |
2223 | routing tables. | |
2224 | ||
2225 | <tag>graceful restart <m/switch/</tag> | |
2226 | Participate in graceful restart recovery. If this option is enabled and | |
2227 | a graceful restart recovery is active, the Kernel protocol will defer | |
2228 | synchronization of routing tables until the end of the recovery. Note | |
2229 | that import of kernel routes to BIRD is not affected. | |
0e4789c2 MM |
2230 | </descrip> |
2231 | ||
71ca7716 OZ |
2232 | <sect1>Attributes |
2233 | ||
dad92c30 OZ |
2234 | <p>The Kernel protocol defines several attributes. These attributes are |
2235 | translated to appropriate system (and OS-specific) route attributes. We support | |
2236 | these attributes: | |
71ca7716 OZ |
2237 | |
2238 | <descrip> | |
dad92c30 OZ |
2239 | <tag>int <cf/krt_source/</tag> |
2240 | The original source of the imported kernel route. The value is | |
2241 | system-dependent. On Linux, it is a value of the protocol field of the | |
2242 | route. See /etc/iproute2/rt_protos for common values. On BSD, it is | |
72aed1a0 OZ |
2243 | based on STATIC and PROTOx flags. The attribute is read-only. |
2244 | ||
dad92c30 OZ |
2245 | <tag>int <cf/krt_metric/</tag> |
2246 | The kernel metric of the route. When multiple same routes are in a | |
2247 | kernel routing table, the Linux kernel chooses one with lower metric. | |
9ba2798c | 2248 | |
dad92c30 OZ |
2249 | <tag>ip <cf/krt_prefsrc/</tag> (Linux) |
2250 | The preferred source address. Used in source address selection for | |
9fdf9d29 | 2251 | outgoing packets. Has to be one of the IP addresses of the router. |
71ca7716 | 2252 | |
dad92c30 OZ |
2253 | <tag>int <cf/krt_realm/</tag> (Linux) |
2254 | The realm of the route. Can be used for traffic classification. | |
71ca7716 OZ |
2255 | </descrip> |
2256 | ||
2257 | <sect1>Example | |
2258 | ||
326e33f5 | 2259 | <p>A simple configuration can look this way: |
0e4789c2 MM |
2260 | |
2261 | <p><code> | |
2262 | protocol kernel { | |
0e4789c2 MM |
2263 | export all; |
2264 | } | |
2265 | </code> | |
2266 | ||
2267 | <p>Or for a system with two routing tables: | |
2268 | ||
2269 | <p><code> | |
2270 | protocol kernel { # Primary routing table | |
2271 | learn; # Learn alien routes from the kernel | |
2272 | persist; # Don't remove routes on bird shutdown | |
2273 | scan time 10; # Scan kernel routing table every 10 seconds | |
2274 | import all; | |
2275 | export all; | |
2276 | } | |
2277 | ||
2278 | protocol kernel { # Secondary routing table | |
2279 | table auxtable; | |
2280 | kernel table 100; | |
2281 | export all; | |
a2a3ced8 | 2282 | } |
0e4789c2 MM |
2283 | </code> |
2284 | ||
dad92c30 | 2285 | |
371adba6 | 2286 | <sect>OSPF |
1b55b1a3 | 2287 | |
8fd12e6b OF |
2288 | <sect1>Introduction |
2289 | ||
3ca3e999 | 2290 | <p>Open Shortest Path First (OSPF) is a quite complex interior gateway |
dad92c30 OZ |
2291 | protocol. The current IPv4 version (OSPFv2) is defined in RFC 2328 |
2292 | <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2328.txt"> | |
2293 | and the current IPv6 version (OSPFv3) is defined in RFC 5340 | |
2294 | <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc5340.txt"> | |
2295 | It's a link state (a.k.a. shortest path first) protocol -- each router maintains | |
2296 | a database describing the autonomous system's topology. Each participating | |
2297 | router has an identical copy of the database and all routers run the same | |
2298 | algorithm calculating a shortest path tree with themselves as a root. OSPF | |
2299 | chooses the least cost path as the best path. | |
2300 | ||
2301 | <p>In OSPF, the autonomous system can be split to several areas in order to | |
2302 | reduce the amount of resources consumed for exchanging the routing information | |
2303 | and to protect the other areas from incorrect routing data. Topology of the area | |
2304 | is hidden to the rest of the autonomous system. | |
2305 | ||
2306 | <p>Another very important feature of OSPF is that it can keep routing information | |
2307 | from other protocols (like Static or BGP) in its link state database as external | |
2308 | routes. Each external route can be tagged by the advertising router, making it | |
2309 | possible to pass additional information between routers on the boundary of the | |
2310 | autonomous system. | |
2311 | ||
2312 | <p>OSPF quickly detects topological changes in the autonomous system (such as | |
2313 | router interface failures) and calculates new loop-free routes after a short | |
2314 | period of convergence. Only a minimal amount of routing traffic is involved. | |
8fd12e6b | 2315 | |
3ca3e999 | 2316 | <p>Each router participating in OSPF routing periodically sends Hello messages |
dad92c30 OZ |
2317 | to all its interfaces. This allows neighbors to be discovered dynamically. Then |
2318 | the neighbors exchange theirs parts of the link state database and keep it | |
2319 | identical by flooding updates. The flooding process is reliable and ensures that | |
2320 | each router detects all changes. | |
8fd12e6b OF |
2321 | |
2322 | <sect1>Configuration | |
2323 | ||
dad92c30 OZ |
2324 | <p>In the main part of configuration, there can be multiple definitions of OSPF |
2325 | areas, each with a different id. These definitions includes many other switches | |
2326 | and multiple definitions of interfaces. Definition of interface may contain many | |
2327 | switches and constant definitions and list of neighbors on nonbroadcast | |
2328 | networks. | |
8fd12e6b OF |
2329 | |
2330 | <code> | |
088bc8ad | 2331 | protocol ospf <name> { |
1632f1fe | 2332 | rfc1583compat <switch>; |
178a197a | 2333 | instance id <num>; |
f623ab98 | 2334 | stub router <switch>; |
62eee823 | 2335 | tick <num>; |
e91f6960 | 2336 | ecmp <switch> [limit <num>]; |
145368f5 | 2337 | merge external <switch>; |
088bc8ad | 2338 | area <id> { |
2918e610 OZ |
2339 | stub; |
2340 | nssa; | |
bde872bb | 2341 | summary <switch>; |
2918e610 OZ |
2342 | default nssa <switch>; |
2343 | default cost <num>; | |
2344 | default cost2 <num>; | |
bde872bb OZ |
2345 | translator <switch>; |
2346 | translator stability <num>; | |
2347 | ||
16319aeb OF |
2348 | networks { |
2349 | <prefix>; | |
2350 | <prefix> hidden; | |
2351 | } | |
bde872bb OZ |
2352 | external { |
2353 | <prefix>; | |
2354 | <prefix> hidden; | |
2355 | <prefix> tag <num>; | |
2356 | } | |
38675202 OZ |
2357 | stubnet <prefix>; |
2358 | stubnet <prefix> { | |
2359 | hidden <switch>; | |
2360 | summary <switch>; | |
2361 | cost <num>; | |
2362 | } | |
0ec031f7 | 2363 | interface <interface pattern> [instance <num>] { |
088bc8ad | 2364 | cost <num>; |
e3bc10fd | 2365 | stub <switch>; |
088bc8ad | 2366 | hello <num>; |
a190e720 | 2367 | poll <num>; |
088bc8ad OF |
2368 | retransmit <num>; |
2369 | priority <num>; | |
2370 | wait <num>; | |
2371 | dead count <num>; | |
d8c7d9e8 | 2372 | dead <num>; |
48e5f32d | 2373 | secondary <switch>; |
94c42054 | 2374 | rx buffer [normal|large|<num>]; |
48e5f32d | 2375 | tx length <num>; |
919f5411 OZ |
2376 | type [broadcast|bcast|pointopoint|ptp| |
2377 | nonbroadcast|nbma|pointomultipoint|ptmp]; | |
70945cb6 | 2378 | link lsa suppression <switch>; |
a190e720 | 2379 | strict nonbroadcast <switch>; |
95127cbb | 2380 | real broadcast <switch>; |
8df02847 | 2381 | ptp netmask <switch>; |
e91f6960 | 2382 | check link <switch>; |
1ec52253 | 2383 | bfd <switch>; |
e91f6960 | 2384 | ecmp weight <num>; |
6ac4f87a OZ |
2385 | ttl security [<switch>; | tx only] |
2386 | tx class|dscp <num>; | |
2387 | tx priority <num>; | |
3242ab43 | 2388 | authentication [none|simple|cryptographic]; |
088bc8ad | 2389 | password "<text>"; |
b21f68b4 OZ |
2390 | password "<text>" { |
2391 | id <num>; | |
2392 | generate from "<date>"; | |
2393 | generate to "<date>"; | |
2394 | accept from "<date>"; | |
2395 | accept to "<date>"; | |
ea357b8b | 2396 | }; |
8fd12e6b | 2397 | neighbors { |
088bc8ad | 2398 | <ip>; |
a190e720 | 2399 | <ip> eligible; |
8fd12e6b OF |
2400 | }; |
2401 | }; | |
0ec031f7 | 2402 | virtual link <id> [instance <num>] { |
98ac6176 | 2403 | hello <num>; |
98ac6176 OF |
2404 | retransmit <num>; |
2405 | wait <num>; | |
2406 | dead count <num>; | |
d8c7d9e8 | 2407 | dead <num>; |
3242ab43 | 2408 | authentication [none|simple|cryptographic]; |
98ac6176 OF |
2409 | password "<text>"; |
2410 | }; | |
8fd12e6b OF |
2411 | }; |
2412 | } | |
2413 | </code> | |
2414 | ||
2415 | <descrip> | |
1632f1fe | 2416 | <tag>rfc1583compat <M>switch</M></tag> |
dad92c30 OZ |
2417 | This option controls compatibility of routing table calculation with |
2418 | RFC 1583 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1583.txt">. | |
2419 | Default value is no. | |
e91f6960 | 2420 | |
178a197a OZ |
2421 | <tag>instance id <m/num/</tag> |
2422 | When multiple OSPF protocol instances are active on the same links, they | |
2423 | should use different instance IDs to distinguish their packets. Although | |
2424 | it could be done on per-interface basis, it is often preferred to set | |
2425 | one instance ID to whole OSPF domain/topology (e.g., when multiple | |
2426 | instances are used to represent separate logical topologies on the same | |
2427 | physical network). This option specifies the default instance ID for all | |
2428 | interfaces of the OSPF instance. Note that this option, if used, must | |
2429 | precede interface definitions. Default value is 0. | |
2430 | ||
f623ab98 | 2431 | <tag>stub router <M>switch</M></tag> |
dad92c30 OZ |
2432 | This option configures the router to be a stub router, i.e., a router |
2433 | that participates in the OSPF topology but does not allow transit | |
2434 | traffic. In OSPFv2, this is implemented by advertising maximum metric | |
178a197a OZ |
2435 | for outgoing links. In OSPFv3, the stub router behavior is announced by |
2436 | clearing the R-bit in the router LSA. See RFC 6987 | |
2437 | <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6987.txt"> for | |
2438 | details. Default value is no. | |
f623ab98 | 2439 | |
e91f6960 | 2440 | <tag>tick <M>num</M></tag> |
dad92c30 OZ |
2441 | The routing table calculation and clean-up of areas' databases is not |
2442 | performed when a single link state change arrives. To lower the CPU | |
2443 | utilization, it's processed later at periodical intervals of <m/num/ | |
2444 | seconds. The default value is 1. | |
e91f6960 OZ |
2445 | |
2446 | <tag>ecmp <M>switch</M> [limit <M>number</M>]</tag> | |
dad92c30 OZ |
2447 | This option specifies whether OSPF is allowed to generate ECMP |
2448 | (equal-cost multipath) routes. Such routes are used when there are | |
2449 | several directions to the destination, each with the same (computed) | |
2450 | cost. This option also allows to specify a limit on maximal number of | |
2451 | nexthops in one route. By default, ECMP is disabled. If enabled, | |
2452 | default value of the limit is 16. | |
e91f6960 | 2453 | |
145368f5 OZ |
2454 | <tag>merge external <M>switch</M></tag> |
2455 | This option specifies whether OSPF should merge external routes from | |
2456 | different routers/LSAs for the same destination. When enabled together | |
2457 | with <cf/ecmp/, equal-cost external routes will be combined to multipath | |
2458 | routes in the same way as regular routes. When disabled, external routes | |
2459 | from different LSAs are treated as separate even if they represents the | |
2460 | same destination. Default value is no. | |
2461 | ||
8fd12e6b | 2462 | <tag>area <M>id</M></tag> |
dad92c30 OZ |
2463 | This defines an OSPF area with given area ID (an integer or an IPv4 |
2464 | address, similarly to a router ID). The most important area is the | |
2465 | backbone (ID 0) to which every other area must be connected. | |
8fd12e6b | 2466 | |
2918e610 | 2467 | <tag>stub</tag> |
dad92c30 OZ |
2468 | This option configures the area to be a stub area. External routes are |
2469 | not flooded into stub areas. Also summary LSAs can be limited in stub | |
2470 | areas (see option <cf/summary/). By default, the area is not a stub | |
2471 | area. | |
bde872bb | 2472 | |
2918e610 | 2473 | <tag>nssa</tag> |
dad92c30 OZ |
2474 | This option configures the area to be a NSSA (Not-So-Stubby Area). NSSA |
2475 | is a variant of a stub area which allows a limited way of external route | |
2476 | propagation. Global external routes are not propagated into a NSSA, but | |
2477 | an external route can be imported into NSSA as a (area-wide) NSSA-LSA | |
2478 | (and possibly translated and/or aggregated on area boundary). By | |
2479 | default, the area is not NSSA. | |
bde872bb OZ |
2480 | |
2481 | <tag>summary <M>switch</M></tag> | |
dad92c30 OZ |
2482 | This option controls propagation of summary LSAs into stub or NSSA |
2483 | areas. If enabled, summary LSAs are propagated as usual, otherwise just | |
2484 | the default summary route (0.0.0.0/0) is propagated (this is sometimes | |
2485 | called totally stubby area). If a stub area has more area boundary | |
2486 | routers, propagating summary LSAs could lead to more efficient routing | |
2487 | at the cost of larger link state database. Default value is no. | |
bde872bb | 2488 | |
2918e610 | 2489 | <tag>default nssa <M>switch</M></tag> |
dad92c30 OZ |
2490 | When <cf/summary/ option is enabled, default summary route is no longer |
2491 | propagated to the NSSA. In that case, this option allows to originate | |
2492 | default route as NSSA-LSA to the NSSA. Default value is no. | |
2918e610 OZ |
2493 | |
2494 | <tag>default cost <M>num</M></tag> | |
dad92c30 OZ |
2495 | This option controls the cost of a default route propagated to stub and |
2496 | NSSA areas. Default value is 1000. | |
bde872bb | 2497 | |
2918e610 | 2498 | <tag>default cost2 <M>num</M></tag> |
dad92c30 OZ |
2499 | When a default route is originated as NSSA-LSA, its cost can use either |
2500 | type 1 or type 2 metric. This option allows to specify the cost of a | |
2501 | default route in type 2 metric. By default, type 1 metric (option | |
2502 | <cf/default cost/) is used. | |
2918e610 | 2503 | |
bde872bb | 2504 | <tag>translator <M>switch</M></tag> |
dad92c30 OZ |
2505 | This option controls translation of NSSA-LSAs into external LSAs. By |
2506 | default, one translator per NSSA is automatically elected from area | |
2507 | boundary routers. If enabled, this area boundary router would | |
2508 | unconditionally translate all NSSA-LSAs regardless of translator | |
2509 | election. Default value is no. | |
bde872bb OZ |
2510 | |
2511 | <tag>translator stability <M>num</M></tag> | |
dad92c30 OZ |
2512 | This option controls the translator stability interval (in seconds). |
2513 | When the new translator is elected, the old one keeps translating until | |
2514 | the interval is over. Default value is 40. | |
8fd12e6b | 2515 | |
16319aeb | 2516 | <tag>networks { <m/set/ }</tag> |
dad92c30 OZ |
2517 | Definition of area IP ranges. This is used in summary LSA origination. |
2518 | Hidden networks are not propagated into other areas. | |
16319aeb | 2519 | |
bde872bb | 2520 | <tag>external { <m/set/ }</tag> |
dad92c30 OZ |
2521 | Definition of external area IP ranges for NSSAs. This is used for |
2522 | NSSA-LSA translation. Hidden networks are not translated into external | |
2523 | LSAs. Networks can have configured route tag. | |
bde872bb | 2524 | |
38675202 | 2525 | <tag>stubnet <m/prefix/ { <m/options/ }</tag> |
dad92c30 OZ |
2526 | Stub networks are networks that are not transit networks between OSPF |
2527 | routers. They are also propagated through an OSPF area as a part of a | |
2528 | link state database. By default, BIRD generates a stub network record | |
2529 | for each primary network address on each OSPF interface that does not | |
2530 | have any OSPF neighbors, and also for each non-primary network address | |
2531 | on each OSPF interface. This option allows to alter a set of stub | |
2532 | networks propagated by this router. | |
2533 | ||
2534 | Each instance of this option adds a stub network with given network | |
2535 | prefix to the set of propagated stub network, unless option <cf/hidden/ | |
2536 | is used. It also suppresses default stub networks for given network | |
2537 | prefix. When option <cf/summary/ is used, also default stub networks | |
2538 | that are subnetworks of given stub network are suppressed. This might be | |
2539 | used, for example, to aggregate generated stub networks. | |
178a197a | 2540 | |
0ec031f7 | 2541 | <tag>interface <M>pattern</M> [instance <m/num/]</tag> |
dad92c30 OZ |
2542 | Defines that the specified interfaces belong to the area being defined. |
2543 | See <ref id="dsc-iface" name="interface"> common option for detailed | |
d7c06285 | 2544 | description. In OSPFv2, extended interface clauses are used, because |
178a197a OZ |
2545 | each network prefix is handled as a separate virtual interface. |
2546 | ||
2547 | You can specify alternative instance ID for the interface definition, | |
2548 | therefore it is possible to have several instances of that interface | |
2549 | with different options or even in different areas. For OSPFv2, | |
2550 | instance ID support is an extension (RFC 6549 | |
2551 | <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6549.txt">) and is | |
2552 | supposed to be set per-protocol. For OSPFv3, it is an integral feature. | |
0ec031f7 OZ |
2553 | |
2554 | <tag>virtual link <M>id</M> [instance <m/num/]</tag> | |
dad92c30 OZ |
2555 | Virtual link to router with the router id. Virtual link acts as a |
2556 | point-to-point interface belonging to backbone. The actual area is used | |
178a197a OZ |
2557 | as a transport area. This item cannot be in the backbone. Like with |
2558 | <cf/interface/ option, you could also use several virtual links to one | |
2559 | destination with different instance IDs. | |
98ac6176 | 2560 | |
8fd12e6b | 2561 | <tag>cost <M>num</M></tag> |
dad92c30 | 2562 | Specifies output cost (metric) of an interface. Default value is 10. |
8fd12e6b | 2563 | |
e3bc10fd | 2564 | <tag>stub <M>switch</M></tag> |
dad92c30 OZ |
2565 | If set to interface it does not listen to any packet and does not send |
2566 | any hello. Default value is no. | |
e3bc10fd | 2567 | |
8fd12e6b | 2568 | <tag>hello <M>num</M></tag> |
dad92c30 OZ |
2569 | Specifies interval in seconds between sending of Hello messages. Beware, |
2570 | all routers on the same network need to have the same hello interval. | |
2571 | Default value is 10. | |
8fd12e6b | 2572 | |
a190e720 | 2573 | <tag>poll <M>num</M></tag> |
dad92c30 OZ |
2574 | Specifies interval in seconds between sending of Hello messages for some |
2575 | neighbors on NBMA network. Default value is 20. | |
a190e720 | 2576 | |
8fd12e6b | 2577 | <tag>retransmit <M>num</M></tag> |
dad92c30 OZ |
2578 | Specifies interval in seconds between retransmissions of unacknowledged |
2579 | updates. Default value is 5. | |
8fd12e6b | 2580 | |
dad92c30 OZ |
2581 | <tag>priority <M>num</M></tag> |
2582 | On every multiple access network (e.g., the Ethernet) Designed Router | |
2583 | and Backup Designed router are elected. These routers have some special | |
2584 | functions in the flooding process. Higher priority increases preferences | |
2585 | in this election. Routers with priority 0 are not eligible. Default | |
2586 | value is 1. | |
8fd12e6b OF |
2587 | |
2588 | <tag>wait <M>num</M></tag> | |
dad92c30 | 2589 | After start, router waits for the specified number of seconds between |
178a197a OZ |
2590 | starting election and building adjacency. Default value is 4*<m/hello/. |
2591 | ||
8fd12e6b | 2592 | <tag>dead count <M>num</M></tag> |
dad92c30 OZ |
2593 | When the router does not receive any messages from a neighbor in |
2594 | <m/dead count/*<m/hello/ seconds, it will consider the neighbor down. | |
8fd12e6b | 2595 | |
d8c7d9e8 | 2596 | <tag>dead <M>num</M></tag> |
dad92c30 OZ |
2597 | When the router does not receive any messages from a neighbor in |
2598 | <m/dead/ seconds, it will consider the neighbor down. If both directives | |
2599 | <cf/dead count/ and <cf/dead/ are used, <cf/dead/ has precendence. | |
48e5f32d OZ |
2600 | |
2601 | <tag>secondary <M>switch</M></tag> | |
2602 | On BSD systems, older versions of BIRD supported OSPFv2 only for the | |
2603 | primary IP address of an interface, other IP ranges on the interface | |
2604 | were handled as stub networks. Since v1.4.1, regular operation on | |
2605 | secondary IP addresses is supported, but disabled by default for | |
2606 | compatibility. This option allows to enable it. The option is a | |
2607 | transitional measure, will be removed in the next major release as the | |
2608 | behavior will be changed. On Linux systems, the option is irrelevant, as | |
2609 | operation on non-primary addresses is already the regular behavior. | |
d8c7d9e8 | 2610 | |
94c42054 | 2611 | <tag>rx buffer <M>num</M></tag> |
48e5f32d OZ |
2612 | This option allows to specify the size of buffers used for packet |
2613 | processing. The buffer size should be bigger than maximal size of any | |
2614 | packets. By default, buffers are dynamically resized as needed, but a | |
2615 | fixed value could be specified. Value <cf/large/ means maximal allowed | |
2616 | packet size - 65535. | |
2617 | ||
2618 | <tag>tx length <M>num</M></tag> | |
2619 | Transmitted OSPF messages that contain large amount of information are | |
2620 | segmented to separate OSPF packets to avoid IP fragmentation. This | |
2621 | option specifies the soft ceiling for the length of generated OSPF | |
2622 | packets. Default value is the MTU of the network interface. Note that | |
2623 | larger OSPF packets may still be generated if underlying OSPF messages | |
2624 | cannot be splitted (e.g. when one large LSA is propagated). | |
94c42054 | 2625 | |
919f5411 | 2626 | <tag>type broadcast|bcast</tag> |
dad92c30 OZ |
2627 | BIRD detects a type of a connected network automatically, but sometimes |
2628 | it's convenient to force use of a different type manually. On broadcast | |
2629 | networks (like ethernet), flooding and Hello messages are sent using | |
2630 | multicasts (a single packet for all the neighbors). A designated router | |
2631 | is elected and it is responsible for synchronizing the link-state | |
2632 | databases and originating network LSAs. This network type cannot be used | |
2633 | on physically NBMA networks and on unnumbered networks (networks without | |
2634 | proper IP prefix). | |
919f5411 OZ |
2635 | |
2636 | <tag>type pointopoint|ptp</tag> | |
dad92c30 OZ |
2637 | Point-to-point networks connect just 2 routers together. No election is |
2638 | performed and no network LSA is originated, which makes it simpler and | |
2639 | faster to establish. This network type is useful not only for physically | |
2640 | PtP ifaces (like PPP or tunnels), but also for broadcast networks used | |
2641 | as PtP links. This network type cannot be used on physically NBMA | |
2642 | networks. | |
919f5411 OZ |
2643 | |
2644 | <tag>type nonbroadcast|nbma</tag> | |
dad92c30 OZ |
2645 | On NBMA networks, the packets are sent to each neighbor separately |
2646 | because of lack of multicast capabilities. Like on broadcast networks, | |
2647 | a designated router is elected, which plays a central role in propagation | |
2648 | of LSAs. This network type cannot be used on unnumbered networks. | |
919f5411 OZ |
2649 | |
2650 | <tag>type pointomultipoint|ptmp</tag> | |
dad92c30 OZ |
2651 | This is another network type designed to handle NBMA networks. In this |
2652 | case the NBMA network is treated as a collection of PtP links. This is | |
2653 | useful if not every pair of routers on the NBMA network has direct | |
2654 | communication, or if the NBMA network is used as an (possibly | |
2655 | unnumbered) PtP link. | |
8fd12e6b | 2656 | |
70945cb6 OZ |
2657 | <tag>link lsa suppression <m/switch/</tag> |
2658 | In OSPFv3, link LSAs are generated for each link, announcing link-local | |
2659 | IPv6 address of the router to its local neighbors. These are useless on | |
2660 | PtP or PtMP networks and this option allows to suppress the link LSA | |
2661 | origination for such interfaces. The option is ignored on other than PtP | |
2662 | or PtMP interfaces. Default value is no. | |
2663 | ||
2664 | <tag>strict nonbroadcast <m/switch/</tag> | |
dad92c30 | 2665 | If set, don't send hello to any undefined neighbor. This switch is |
70945cb6 | 2666 | ignored on other than NBMA or PtMP interfaces. Default value is no. |
8fd12e6b | 2667 | |
95127cbb | 2668 | <tag>real broadcast <m/switch/</tag> |
dad92c30 OZ |
2669 | In <cf/type broadcast/ or <cf/type ptp/ network configuration, OSPF |
2670 | packets are sent as IP multicast packets. This option changes the | |
2671 | behavior to using old-fashioned IP broadcast packets. This may be useful | |
2672 | as a workaround if IP multicast for some reason does not work or does | |
2673 | not work reliably. This is a non-standard option and probably is not | |
2674 | interoperable with other OSPF implementations. Default value is no. | |
95127cbb | 2675 | |
8df02847 | 2676 | <tag>ptp netmask <m/switch/</tag> |
dad92c30 OZ |
2677 | In <cf/type ptp/ network configurations, OSPFv2 implementations should |
2678 | ignore received netmask field in hello packets and should send hello | |
2679 | packets with zero netmask field on unnumbered PtP links. But some OSPFv2 | |
2680 | implementations perform netmask checking even for PtP links. This option | |
2681 | specifies whether real netmask will be used in hello packets on <cf/type | |
2682 | ptp/ interfaces. You should ignore this option unless you meet some | |
2683 | compatibility problems related to this issue. Default value is no for | |
2684 | unnumbered PtP links, yes otherwise. | |
8df02847 | 2685 | |
391931d4 | 2686 | <tag>check link <M>switch</M></tag> |
dad92c30 OZ |
2687 | If set, a hardware link state (reported by OS) is taken into consideration. |
2688 | When a link disappears (e.g. an ethernet cable is unplugged), neighbors | |
2689 | are immediately considered unreachable and only the address of the iface | |
2690 | (instead of whole network prefix) is propagated. It is possible that | |
2691 | some hardware drivers or platforms do not implement this feature. | |
2692 | Default value is no. | |
e91f6960 | 2693 | |
1ec52253 OZ |
2694 | <tag>bfd <M>switch</M></tag> |
2695 | OSPF could use BFD protocol as an advisory mechanism for neighbor | |
2696 | liveness and failure detection. If enabled, BIRD setups a BFD session | |
2697 | for each OSPF neighbor and tracks its liveness by it. This has an | |
2698 | advantage of an order of magnitude lower detection times in case of | |
2699 | failure. Note that BFD protocol also has to be configured, see | |
2700 | <ref id="sect-bfd" name="BFD"> section for details. Default value is no. | |
2701 | ||
6ac4f87a | 2702 | <tag>ttl security [<m/switch/ | tx only]</tag> |
dad92c30 OZ |
2703 | TTL security is a feature that protects routing protocols from remote |
2704 | spoofed packets by using TTL 255 instead of TTL 1 for protocol packets | |
2705 | destined to neighbors. Because TTL is decremented when packets are | |
2706 | forwarded, it is non-trivial to spoof packets with TTL 255 from remote | |
2707 | locations. Note that this option would interfere with OSPF virtual | |
2708 | links. | |
2709 | ||
2710 | If this option is enabled, the router will send OSPF packets with TTL | |
2711 | 255 and drop received packets with TTL less than 255. If this option si | |
2712 | set to <cf/tx only/, TTL 255 is used for sent packets, but is not | |
2713 | checked for received packets. Default value is no. | |
6ac4f87a | 2714 | |
ef4a50be | 2715 | <tag>tx class|dscp|priority <m/num/</tag> |
dad92c30 OZ |
2716 | These options specify the ToS/DiffServ/Traffic class/Priority of the |
2717 | outgoing OSPF packets. See <ref id="dsc-prio" name="tx class"> common | |
2718 | option for detailed description. | |
ef4a50be | 2719 | |
e91f6960 | 2720 | <tag>ecmp weight <M>num</M></tag> |
dad92c30 OZ |
2721 | When ECMP (multipath) routes are allowed, this value specifies a |
2722 | relative weight used for nexthops going through the iface. Allowed | |
2723 | values are 1-256. Default value is 1. | |
391931d4 | 2724 | |
4e8ec666 | 2725 | <tag>authentication none</tag> |
dad92c30 | 2726 | No passwords are sent in OSPF packets. This is the default value. |
8fd12e6b | 2727 | |
4e8ec666 | 2728 | <tag>authentication simple</tag> |
dad92c30 OZ |
2729 | Every packet carries 8 bytes of password. Received packets lacking this |
2730 | password are ignored. This authentication mechanism is very weak. | |
8fd12e6b | 2731 | |
ea357b8b | 2732 | <tag>authentication cryptographic</tag> |
dad92c30 OZ |
2733 | 16-byte long MD5 digest is appended to every packet. For the digest |
2734 | generation 16-byte long passwords are used. Those passwords are not sent | |
2735 | via network, so this mechanism is quite secure. Packets can still be | |
2736 | read by an attacker. | |
ea357b8b | 2737 | |
5a203dac | 2738 | <tag>password "<M>text</M>"</tag> |
dad92c30 OZ |
2739 | An 8-byte or 16-byte password used for authentication. See |
2740 | <ref id="dsc-pass" name="password"> common option for detailed | |
2741 | description. | |
8fd12e6b | 2742 | |
5a203dac | 2743 | <tag>neighbors { <m/set/ } </tag> |
dad92c30 OZ |
2744 | A set of neighbors to which Hello messages on NBMA or PtMP networks are |
2745 | to be sent. For NBMA networks, some of them could be marked as eligible. | |
2746 | In OSPFv3, link-local addresses should be used, using global ones is | |
2747 | possible, but it is nonstandard and might be problematic. And definitely, | |
2748 | link-local and global addresses should not be mixed. | |
8fd12e6b OF |
2749 | </descrip> |
2750 | ||
2751 | <sect1>Attributes | |
2752 | ||
c27b2449 | 2753 | <p>OSPF defines four route attributes. Each internal route has a <cf/metric/. |
8fd12e6b | 2754 | |
dad92c30 OZ |
2755 | <p>Metric is ranging from 1 to infinity (65535). External routes use |
2756 | <cf/metric type 1/ or <cf/metric type 2/. A <cf/metric of type 1/ is comparable | |
2757 | with internal <cf/metric/, a <cf/metric of type 2/ is always longer than any | |
2758 | <cf/metric of type 1/ or any <cf/internal metric/. <cf/Internal metric/ or | |
2759 | <cf/metric of type 1/ is stored in attribute <cf/ospf_metric1/, <cf/metric type | |
2760 | 2/ is stored in attribute <cf/ospf_metric2/. If you specify both metrics only | |
2761 | metric1 is used. | |
2762 | ||
2763 | <p>Each external route can also carry attribute <cf/ospf_tag/ which is a 32-bit | |
2764 | integer which is used when exporting routes to other protocols; otherwise, it | |
2765 | doesn't affect routing inside the OSPF domain at all. The fourth attribute | |
2766 | <cf/ospf_router_id/ is a router ID of the router advertising that route / | |
2767 | network. This attribute is read-only. Default is <cf/ospf_metric2 = 10000/ and | |
2768 | <cf/ospf_tag = 0/. | |
8fd12e6b | 2769 | |
dad92c30 | 2770 | <sect1>Example |
8fd12e6b | 2771 | |
9637c7c0 | 2772 | <p><code> |
8fd12e6b | 2773 | protocol ospf MyOSPF { |
dad92c30 OZ |
2774 | rfc1583compat yes; |
2775 | tick 2; | |
76c7efec OF |
2776 | export filter { |
2777 | if source = RTS_BGP then { | |
2778 | ospf_metric1 = 100; | |
2779 | accept; | |
2780 | } | |
98ac6176 | 2781 | reject; |
f434d191 | 2782 | }; |
8fd12e6b | 2783 | area 0.0.0.0 { |
8fd12e6b OF |
2784 | interface "eth*" { |
2785 | cost 11; | |
2786 | hello 15; | |
2787 | priority 100; | |
2788 | retransmit 7; | |
2789 | authentication simple; | |
2790 | password "aaa"; | |
2791 | }; | |
2792 | interface "ppp*" { | |
2793 | cost 100; | |
3b16080c | 2794 | authentication cryptographic; |
f434d191 OZ |
2795 | password "abc" { |
2796 | id 1; | |
2797 | generate to "22-04-2003 11:00:06"; | |
2798 | accept from "17-01-2001 12:01:05"; | |
2799 | }; | |
2800 | password "def" { | |
2801 | id 2; | |
2802 | generate to "22-07-2005 17:03:21"; | |
2803 | accept from "22-02-2001 11:34:06"; | |
3b16080c | 2804 | }; |
8fd12e6b | 2805 | }; |
e3bc10fd OF |
2806 | interface "arc0" { |
2807 | cost 10; | |
2808 | stub yes; | |
2809 | }; | |
3b16080c | 2810 | interface "arc1"; |
8fd12e6b OF |
2811 | }; |
2812 | area 120 { | |
2813 | stub yes; | |
98ac6176 OF |
2814 | networks { |
2815 | 172.16.1.0/24; | |
2816 | 172.16.2.0/24 hidden; | |
2817 | } | |
8fd12e6b OF |
2818 | interface "-arc0" , "arc*" { |
2819 | type nonbroadcast; | |
2820 | authentication none; | |
e3bc10fd | 2821 | strict nonbroadcast yes; |
a190e720 OF |
2822 | wait 120; |
2823 | poll 40; | |
2824 | dead count 8; | |
8fd12e6b | 2825 | neighbors { |
a190e720 | 2826 | 192.168.120.1 eligible; |
8fd12e6b OF |
2827 | 192.168.120.2; |
2828 | 192.168.120.10; | |
2829 | }; | |
2830 | }; | |
2831 | }; | |
2832 | } | |
2833 | </code> | |
2834 | ||
dad92c30 | 2835 | |
371adba6 | 2836 | <sect>Pipe |
1b55b1a3 | 2837 | |
371adba6 | 2838 | <sect1>Introduction |
a2a3ced8 | 2839 | |
dad92c30 OZ |
2840 | <p>The Pipe protocol serves as a link between two routing tables, allowing |
2841 | routes to be passed from a table declared as primary (i.e., the one the pipe is | |
2842 | connected to using the <cf/table/ configuration keyword) to the secondary one | |
2843 | (declared using <cf/peer table/) and vice versa, depending on what's allowed by | |
2844 | the filters. Export filters control export of routes from the primary table to | |
2845 | the secondary one, import filters control the opposite direction. | |
2846 | ||
2847 | <p>The Pipe protocol may work in the transparent mode mode or in the opaque | |
2848 | mode. In the transparent mode, the Pipe protocol retransmits all routes from | |
2849 | one table to the other table, retaining their original source and attributes. | |
2850 | If import and export filters are set to accept, then both tables would have | |
2851 | the same content. The transparent mode is the default mode. | |
2852 | ||
2853 | <p>In the opaque mode, the Pipe protocol retransmits optimal route from one | |
2854 | table to the other table in a similar way like other protocols send and receive | |
2855 | routes. Retransmitted route will have the source set to the Pipe protocol, which | |
2856 | may limit access to protocol specific route attributes. This mode is mainly for | |
2857 | compatibility, it is not suggested for new configs. The mode can be changed by | |
f98e2915 OZ |
2858 | <tt/mode/ option. |
2859 | ||
dad92c30 OZ |
2860 | <p>The primary use of multiple routing tables and the Pipe protocol is for |
2861 | policy routing, where handling of a single packet doesn't depend only on its | |
2862 | destination address, but also on its source address, source interface, protocol | |
2863 | type and other similar parameters. In many systems (Linux being a good example), | |
2864 | the kernel allows to enforce routing policies by defining routing rules which | |
2865 | choose one of several routing tables to be used for a packet according to its | |
2866 | parameters. Setting of these rules is outside the scope of BIRD's work (on | |
2867 | Linux, you can use the <tt/ip/ command), but you can create several routing | |
2868 | tables in BIRD, connect them to the kernel ones, use filters to control which | |
2869 | routes appear in which tables and also you can employ the Pipe protocol for | |
2870 | exporting a selected subset of one table to another one. | |
a2a3ced8 | 2871 | |
371adba6 | 2872 | <sect1>Configuration |
a2a3ced8 MM |
2873 | |
2874 | <p><descrip> | |
dad92c30 OZ |
2875 | <tag>peer table <m/table/</tag> |
2876 | Defines secondary routing table to connect to. The primary one is | |
2877 | selected by the <cf/table/ keyword. | |
f98e2915 | 2878 | |
dad92c30 OZ |
2879 | <tag>mode opaque|transparent</tag> |
2880 | Specifies the mode for the pipe to work in. Default is transparent. | |
a2a3ced8 MM |
2881 | </descrip> |
2882 | ||
371adba6 | 2883 | <sect1>Attributes |
a2a3ced8 MM |
2884 | |
2885 | <p>The Pipe protocol doesn't define any route attributes. | |
2886 | ||
371adba6 | 2887 | <sect1>Example |
a2a3ced8 | 2888 | |
dad92c30 OZ |
2889 | <p>Let's consider a router which serves as a boundary router of two different |
2890 | autonomous systems, each of them connected to a subset of interfaces of the | |
2891 | router, having its own exterior connectivity and wishing to use the other AS as | |
2892 | a backup connectivity in case of outage of its own exterior line. | |
2893 | ||
2894 | <p>Probably the simplest solution to this situation is to use two routing tables | |
2895 | (we'll call them <cf/as1/ and <cf/as2/) and set up kernel routing rules, so that | |
2896 | packets having arrived from interfaces belonging to the first AS will be routed | |
2897 | according to <cf/as1/ and similarly for the second AS. Thus we have split our | |
2898 | router to two logical routers, each one acting on its own routing table, having | |
2899 | its own routing protocols on its own interfaces. In order to use the other AS's | |
2900 | routes for backup purposes, we can pass the routes between the tables through a | |
2901 | Pipe protocol while decreasing their preferences and correcting their BGP paths | |
2902 | to reflect the AS boundary crossing. | |
a2a3ced8 MM |
2903 | |
2904 | <code> | |
2905 | table as1; # Define the tables | |
2906 | table as2; | |
2907 | ||
2908 | protocol kernel kern1 { # Synchronize them with the kernel | |
2909 | table as1; | |
2910 | kernel table 1; | |
2911 | } | |
2912 | ||
2913 | protocol kernel kern2 { | |
2914 | table as2; | |
2915 | kernel table 2; | |
2916 | } | |
2917 | ||
2918 | protocol bgp bgp1 { # The outside connections | |
2919 | table as1; | |
2920 | local as 1; | |
2921 | neighbor 192.168.0.1 as 1001; | |
2922 | export all; | |
2923 | import all; | |
2924 | } | |
2925 | ||
2926 | protocol bgp bgp2 { | |
2927 | table as2; | |
2928 | local as 2; | |
2929 | neighbor 10.0.0.1 as 1002; | |
2930 | export all; | |
2931 | import all; | |
2932 | } | |
2933 | ||
2934 | protocol pipe { # The Pipe | |
2935 | table as1; | |
2936 | peer table as2; | |
2937 | export filter { | |
2938 | if net ~ [ 1.0.0.0/8+] then { # Only AS1 networks | |
2939 | if preference>10 then preference = preference-10; | |
2940 | if source=RTS_BGP then bgp_path.prepend(1); | |
2941 | accept; | |
2942 | } | |
2943 | reject; | |
2944 | }; | |
2945 | import filter { | |
2946 | if net ~ [ 2.0.0.0/8+] then { # Only AS2 networks | |
2947 | if preference>10 then preference = preference-10; | |
2948 | if source=RTS_BGP then bgp_path.prepend(2); | |
2949 | accept; | |
2950 | } | |
2951 | reject; | |
2952 | }; | |
2953 | } | |
2954 | </code> | |
2955 | ||
dad92c30 | 2956 | |
6bcef225 OZ |
2957 | <sect>RAdv |
2958 | ||
2959 | <sect1>Introduction | |
2960 | ||
dad92c30 OZ |
2961 | <p>The RAdv protocol is an implementation of Router Advertisements, which are |
2962 | used in the IPv6 stateless autoconfiguration. IPv6 routers send (in irregular | |
2963 | time intervals or as an answer to a request) advertisement packets to connected | |
2964 | networks. These packets contain basic information about a local network (e.g. a | |
2965 | list of network prefixes), which allows network hosts to autoconfigure network | |
2966 | addresses and choose a default route. BIRD implements router behavior as defined | |
2967 | in RFC 4861<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc4861.txt"> | |
0e224d59 OZ |
2968 | and also the DNS extensions from |
2969 | RFC 6106<htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc6106.txt">. | |
6bcef225 OZ |
2970 | |
2971 | <sect1>Configuration | |
2972 | ||
dad92c30 OZ |
2973 | <p>There are several classes of definitions in RAdv configuration -- interface |
2974 | definitions, prefix definitions and DNS definitions: | |
6bcef225 OZ |
2975 | |
2976 | <descrip> | |
dad92c30 | 2977 | <tag>interface <m/pattern [, ...]/ { <m/options/ }</tag> |
6bcef225 OZ |
2978 | Interface definitions specify a set of interfaces on which the |
2979 | protocol is activated and contain interface specific options. | |
2980 | See <ref id="dsc-iface" name="interface"> common options for | |
2981 | detailed description. | |
2982 | ||
0e224d59 | 2983 | <tag>prefix <m/prefix/ { <m/options/ }</tag> |
dad92c30 OZ |
2984 | Prefix definitions allow to modify a list of advertised prefixes. By |
2985 | default, the advertised prefixes are the same as the network prefixes | |
2986 | assigned to the interface. For each network prefix, the matching prefix | |
2987 | definition is found and its options are used. If no matching prefix | |
2988 | definition is found, the prefix is used with default options. | |
2989 | ||
2990 | Prefix definitions can be either global or interface-specific. The | |
2991 | second ones are part of interface options. The prefix definition | |
2992 | matching is done in the first-match style, when interface-specific | |
2993 | definitions are processed before global definitions. As expected, the | |
2994 | prefix definition is matching if the network prefix is a subnet of the | |
2995 | prefix in prefix definition. | |
0e224d59 OZ |
2996 | |
2997 | <tag>rdnss { <m/options/ }</tag> | |
dad92c30 OZ |
2998 | RDNSS definitions allow to specify a list of advertised recursive DNS |
2999 | servers together with their options. As options are seldom necessary, | |
3000 | there is also a short variant <cf>rdnss <m/address/</cf> that just | |
3001 | specifies one DNS server. Multiple definitions are cumulative. RDNSS | |
3002 | definitions may also be interface-specific when used inside interface | |
3003 | options. By default, interface uses both global and interface-specific | |
0e224d59 OZ |
3004 | options, but that can be changed by <cf/rdnss local/ option. |
3005 | ||
3006 | <tag>dnssl { <m/options/ }</tag> | |
dad92c30 OZ |
3007 | DNSSL definitions allow to specify a list of advertised DNS search |
3008 | domains together with their options. Like <cf/rdnss/ above, multiple | |
3009 | definitions are cumulative, they can be used also as interface-specific | |
3010 | options and there is a short variant <cf>dnssl <m/domain/</cf> that just | |
3011 | specifies one DNS search domain. | |
36da2857 OZ |
3012 | |
3013 | <label id="dsc-trigger"> <tag>trigger <m/prefix/</tag> | |
dad92c30 OZ |
3014 | RAdv protocol could be configured to change its behavior based on |
3015 | availability of routes. When this option is used, the protocol waits in | |
3016 | suppressed state until a <it/trigger route/ (for the specified network) | |
3017 | is exported to the protocol, the protocol also returnsd to suppressed | |
3018 | state if the <it/trigger route/ disappears. Note that route export | |
3019 | depends on specified export filter, as usual. This option could be used, | |
3020 | e.g., for handling failover in multihoming scenarios. | |
3021 | ||
3022 | During suppressed state, router advertisements are generated, but with | |
3023 | some fields zeroed. Exact behavior depends on which fields are zeroed, | |
3024 | this can be configured by <cf/sensitive/ option for appropriate | |
3025 | fields. By default, just <cf/default lifetime/ (also called <cf/router | |
3026 | lifetime/) is zeroed, which means hosts cannot use the router as a | |
3027 | default router. <cf/preferred lifetime/ and <cf/valid lifetime/ could | |
3028 | also be configured as <cf/sensitive/ for a prefix, which would cause | |
3029 | autoconfigured IPs to be deprecated or even removed. | |
6bcef225 OZ |
3030 | </descrip> |
3031 | ||
3032 | <p>Interface specific options: | |
3033 | ||
3034 | <descrip> | |
3035 | <tag>max ra interval <m/expr/</tag> | |
dad92c30 OZ |
3036 | Unsolicited router advertisements are sent in irregular time intervals. |
3037 | This option specifies the maximum length of these intervals, in seconds. | |
3038 | Valid values are 4-1800. Default: 600 | |
6bcef225 OZ |
3039 | |
3040 | <tag>min ra interval <m/expr/</tag> | |
dad92c30 OZ |
3041 | This option specifies the minimum length of that intervals, in seconds. |
3042 | Must be at least 3 and at most 3/4 * <cf/max ra interval/. Default: | |
3043 | about 1/3 * <cf/max ra interval/. | |
6bcef225 OZ |
3044 | |
3045 | <tag>min delay <m/expr/</tag> | |
dad92c30 OZ |
3046 | The minimum delay between two consecutive router advertisements, in |
3047 | seconds. Default: 3 | |
6bcef225 OZ |
3048 | |
3049 | <tag>managed <m/switch/</tag> | |
dad92c30 OZ |
3050 | This option specifies whether hosts should use DHCPv6 for IP address |
3051 | configuration. Default: no | |
6bcef225 OZ |
3052 | |
3053 | <tag>other config <m/switch/</tag> | |
dad92c30 OZ |
3054 | This option specifies whether hosts should use DHCPv6 to receive other |
3055 | configuration information. Default: no | |
6bcef225 OZ |
3056 | |
3057 | <tag>link mtu <m/expr/</tag> | |
dad92c30 OZ |
3058 | This option specifies which value of MTU should be used by hosts. 0 |
3059 | means unspecified. Default: 0 | |
6bcef225 OZ |
3060 | |
3061 | <tag>reachable time <m/expr/</tag> | |
dad92c30 OZ |
3062 | This option specifies the time (in milliseconds) how long hosts should |
3063 | assume a neighbor is reachable (from the last confirmation). Maximum is | |
3064 | 3600000, 0 means unspecified. Default 0. | |
6bcef225 OZ |
3065 | |
3066 | <tag>retrans timer <m/expr/</tag> | |
dad92c30 OZ |
3067 | This option specifies the time (in milliseconds) how long hosts should |
3068 | wait before retransmitting Neighbor Solicitation messages. 0 means | |
3069 | unspecified. Default 0. | |
6bcef225 OZ |
3070 | |
3071 | <tag>current hop limit <m/expr/</tag> | |
dad92c30 OZ |
3072 | This option specifies which value of Hop Limit should be used by |
3073 | hosts. Valid values are 0-255, 0 means unspecified. Default: 64 | |
6bcef225 | 3074 | |
36da2857 | 3075 | <tag>default lifetime <m/expr/ [sensitive <m/switch/]</tag> |
dad92c30 OZ |
3076 | This option specifies the time (in seconds) how long (after the receipt |
3077 | of RA) hosts may use the router as a default router. 0 means do not use | |
3078 | as a default router. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">. | |
3079 | Default: 3 * <cf/max ra interval/, <cf/sensitive/ yes. | |
0e224d59 | 3080 | |
75148289 OZ |
3081 | <tag>default preference low|medium|high</tag> |
3082 | This option specifies the Default Router Preference value to advertise | |
3083 | to hosts. Default: medium. | |
3084 | ||
cf98be7b | 3085 | <tag>rdnss local <m/switch/</tag> |
0e224d59 | 3086 | Use only local (interface-specific) RDNSS definitions for this |
dad92c30 OZ |
3087 | interface. Otherwise, both global and local definitions are used. Could |
3088 | also be used to disable RDNSS for given interface if no local definitons | |
3089 | are specified. Default: no. | |
0e224d59 | 3090 | |
cf98be7b | 3091 | <tag>dnssl local <m/switch/</tag> |
dad92c30 OZ |
3092 | Use only local DNSSL definitions for this interface. See <cf/rdnss local/ |
3093 | option above. Default: no. | |
6bcef225 OZ |
3094 | </descrip> |
3095 | ||
3096 | ||
3097 | <p>Prefix specific options: | |
3098 | ||
3099 | <descrip> | |
d214ae4f OZ |
3100 | <tag>skip <m/switch/</tag> |
3101 | This option allows to specify that given prefix should not be | |
dad92c30 OZ |
3102 | advertised. This is useful for making exceptions from a default policy |
3103 | of advertising all prefixes. Note that for withdrawing an already | |
3104 | advertised prefix it is more useful to advertise it with zero valid | |
3105 | lifetime. Default: no | |
d214ae4f | 3106 | |
6bcef225 | 3107 | <tag>onlink <m/switch/</tag> |
dad92c30 OZ |
3108 | This option specifies whether hosts may use the advertised prefix for |
3109 | onlink determination. Default: yes | |
6bcef225 OZ |
3110 | |
3111 | <tag>autonomous <m/switch/</tag> | |
dad92c30 OZ |
3112 | This option specifies whether hosts may use the advertised prefix for |
3113 | stateless autoconfiguration. Default: yes | |
6bcef225 | 3114 | |
36da2857 | 3115 | <tag>valid lifetime <m/expr/ [sensitive <m/switch/]</tag> |
dad92c30 OZ |
3116 | This option specifies the time (in seconds) how long (after the |
3117 | receipt of RA) the prefix information is valid, i.e., autoconfigured | |
3118 | IP addresses can be assigned and hosts with that IP addresses are | |
3119 | considered directly reachable. 0 means the prefix is no longer | |
3120 | valid. For <cf/sensitive/ option, see <ref id="dsc-trigger" name="trigger">. | |
3121 | Default: 86400 (1 day), <cf/sensitive/ no. | |
6bcef225 | 3122 | |
36da2857 | 3123 | <tag>preferred lifetime <m/expr/ [sensitive <m/switch/]</tag> |
dad92c30 OZ |
3124 | This option specifies the time (in seconds) how long (after the |
3125 | receipt of RA) IP addresses generated from the prefix using stateless | |
3126 | autoconfiguration remain preferred. For <cf/sensitive/ option, | |
3127 | see <ref id="dsc-trigger" name="trigger">. Default: 14400 (4 hours), | |
3128 | <cf/sensitive/ no. | |
6bcef225 OZ |
3129 | </descrip> |
3130 | ||
0e224d59 OZ |
3131 | |
3132 | <p>RDNSS specific options: | |
3133 | ||
3134 | <descrip> | |
3135 | <tag>ns <m/address/</tag> | |
dad92c30 OZ |
3136 | This option specifies one recursive DNS server. Can be used multiple |
3137 | times for multiple servers. It is mandatory to have at least one | |
3138 | <cf/ns/ option in <cf/rdnss/ definition. | |
0e224d59 OZ |
3139 | |
3140 | <tag>lifetime [mult] <m/expr/</tag> | |
dad92c30 OZ |
3141 | This option specifies the time how long the RDNSS information may be |
3142 | used by clients after the receipt of RA. It is expressed either in | |
3143 | seconds or (when <cf/mult/ is used) in multiples of <cf/max ra | |
3144 | interval/. Note that RDNSS information is also invalidated when | |
3145 | <cf/default lifetime/ expires. 0 means these addresses are no longer | |
3146 | valid DNS servers. Default: 3 * <cf/max ra interval/. | |
0e224d59 OZ |
3147 | </descrip> |
3148 | ||
3149 | ||
3150 | <p>DNSSL specific options: | |
3151 | ||
3152 | <descrip> | |
3153 | <tag>domain <m/address/</tag> | |
dad92c30 OZ |
3154 | This option specifies one DNS search domain. Can be used multiple times |
3155 | for multiple domains. It is mandatory to have at least one <cf/domain/ | |
3156 | option in <cf/dnssl/ definition. | |
0e224d59 OZ |
3157 | |
3158 | <tag>lifetime [mult] <m/expr/</tag> | |
dad92c30 OZ |
3159 | This option specifies the time how long the DNSSL information may be |
3160 | used by clients after the receipt of RA. Details are the same as for | |
3161 | RDNSS <cf/lifetime/ option above. Default: 3 * <cf/max ra interval/. | |
0e224d59 OZ |
3162 | </descrip> |
3163 | ||
3164 | ||
6bcef225 OZ |
3165 | <sect1>Example |
3166 | ||
3167 | <p><code> | |
3168 | protocol radv { | |
3169 | interface "eth2" { | |
3170 | max ra interval 5; # Fast failover with more routers | |
3171 | managed yes; # Using DHCPv6 on eth2 | |
3172 | prefix ::/0 { | |
3173 | autonomous off; # So do not autoconfigure any IP | |
3174 | }; | |
3175 | }; | |
3176 | ||
3177 | interface "eth*"; # No need for any other options | |
3178 | ||
3179 | prefix 2001:0DB8:1234::/48 { | |
3180 | preferred lifetime 0; # Deprecated address range | |
3181 | }; | |
3182 | ||
3183 | prefix 2001:0DB8:2000::/48 { | |
3184 | autonomous off; # Do not autoconfigure | |
3185 | }; | |
fc06fb62 OZ |
3186 | |
3187 | rdnss 2001:0DB8:1234::10; # Short form of RDNSS | |
3188 | ||
3189 | rdnss { | |
3190 | lifetime mult 10; | |
3191 | ns 2001:0DB8:1234::11; | |
3192 | ns 2001:0DB8:1234::12; | |
3193 | }; | |
3194 | ||
3195 | dnssl { | |
3196 | lifetime 3600; | |
3197 | domain "abc.com"; | |
3198 | domain "xyz.com"; | |
3199 | }; | |
6bcef225 OZ |
3200 | } |
3201 | </code> | |
3202 | ||
dad92c30 | 3203 | |
1532a244 | 3204 | <sect>RIP |
d37f899b | 3205 | |
371adba6 | 3206 | <sect1>Introduction |
d37f899b | 3207 | |
dad92c30 OZ |
3208 | <p>The RIP protocol (also sometimes called Rest In Pieces) is a simple protocol, |
3209 | where each router broadcasts (to all its neighbors) distances to all networks it | |
3210 | can reach. When a router hears distance to another network, it increments it and | |
3211 | broadcasts it back. Broadcasts are done in regular intervals. Therefore, if some | |
3212 | network goes unreachable, routers keep telling each other that its distance is | |
3213 | the original distance plus 1 (actually, plus interface metric, which is usually | |
3214 | one). After some time, the distance reaches infinity (that's 15 in RIP) and all | |
3215 | routers know that network is unreachable. RIP tries to minimize situations where | |
3216 | counting to infinity is necessary, because it is slow. Due to infinity being 16, | |
3217 | you can't use RIP on networks where maximal distance is higher than 15 | |
3218 | hosts. You can read more about RIP at | |
3219 | <HTMLURL URL="http://www.ietf.org/html.charters/rip-charter.html" | |
3220 | name="http://www.ietf.org/html.charters/rip-charter.html">. Both IPv4 | |
3221 | (RFC 1723 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1723.txt">) and IPv6 | |
3222 | (RFC 2080 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2080.txt">) versions | |
3223 | of RIP are supported by BIRD, historical RIPv1 | |
3224 | (RFC 1058 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc1058.txt">) is not | |
3225 | currently supported. RIPv4 MD5 authentication | |
3226 | (RFC 2082 <htmlurl url="ftp://ftp.rfc-editor.org/in-notes/rfc2082.txt">) is | |
3227 | supported. | |
440439e3 | 3228 | |
1532a244 | 3229 | <p>RIP is a very simple protocol, and it has a lot of shortcomings. Slow |
dad92c30 OZ |
3230 | convergence, big network load and inability to handle larger networks makes it |
3231 | pretty much obsolete. It is still usable on very small networks. | |
d37f899b | 3232 | |
371adba6 | 3233 | <sect1>Configuration |
d37f899b | 3234 | |
dad92c30 OZ |
3235 | <p>In addition to options common for all to other protocols, RIP supports the |
3236 | following ones: | |
d37f899b PM |
3237 | |
3238 | <descrip> | |
dad92c30 OZ |
3239 | <tag>authentication none|plaintext|md5</tag> |
3240 | Selects authentication method to be used. <cf/none/ means that packets | |
3241 | are not authenticated at all, <cf/plaintext/ means that a plaintext | |
3242 | password is embedded into each packet, and <cf/md5/ means that packets | |
3243 | are authenticated using a MD5 cryptographic hash. If you set | |
3244 | authentication to not-none, it is a good idea to add <cf>password</cf> | |
3245 | section. Default: none. | |
3246 | ||
3247 | <tag>honor always|neighbor|never</tag> | |
3248 | Specifies when should requests for dumping routing table be honored. | |
3249 | (Always, when sent from a host on a directly connected network or | |
3250 | never.) Routing table updates are honored only from neighbors, that is | |
3251 | not configurable. Default: never. | |
d37f899b PM |
3252 | </descrip> |
3253 | ||
ef4a50be OZ |
3254 | <p>There are some options that can be specified per-interface: |
3255 | ||
3256 | <descrip> | |
3257 | <tag>metric <m/num/</tag> | |
dad92c30 | 3258 | This option specifies the metric of the interface. Valid |
ef4a50be OZ |
3259 | |
3260 | <tag>mode multicast|broadcast|quiet|nolisten|version1</tag> | |
dad92c30 OZ |
3261 | This option selects the mode for RIP to use on the interface. If nothing |
3262 | is specified, RIP runs in multicast mode. <cf/version1/ is currently | |
3263 | equivalent to <cf/broadcast/, and it makes RIP talk to a broadcast | |
3264 | address even through multicast mode is possible. <cf/quiet/ option means | |
3265 | that RIP will not transmit any periodic messages to this interface and | |
3266 | <cf/nolisten/ means that RIP will send to this interface butnot listen | |
3267 | to it. | |
ef4a50be | 3268 | |
6ac4f87a | 3269 | <tag>ttl security [<m/switch/ | tx only]</tag> |
dad92c30 OZ |
3270 | TTL security is a feature that protects routing protocols from remote |
3271 | spoofed packets by using TTL 255 instead of TTL 1 for protocol packets | |
3272 | destined to neighbors. Because TTL is decremented when packets are | |
3273 | forwarded, it is non-trivial to spoof packets with TTL 255 from remote | |
3274 | locations. | |
3275 | ||
3276 | If this option is enabled, the router will send RIP packets with TTL 255 | |
3277 | and drop received packets with TTL less than 255. If this option si set | |
3278 | to <cf/tx only/, TTL 255 is used for sent packets, but is not checked | |
3279 | for received packets. Such setting does not offer protection, but offers | |
3280 | compatibility with neighbors regardless of whether they use ttl | |
3281 | security. | |
3282 | ||
3283 | Note that for RIPng, TTL security is a standard behavior (required by | |
3284 | RFC 2080), but BIRD uses <cf/tx only/ by default, for compatibility with | |
3285 | older versions. For IPv4 RIP, default value is no. | |
6ac4f87a | 3286 | |
ef4a50be | 3287 | <tag>tx class|dscp|priority <m/num/</tag> |
dad92c30 OZ |
3288 | These options specify the ToS/DiffServ/Traffic class/Priority of the |
3289 | outgoing RIP packets. See <ref id="dsc-prio" name="tx class"> common | |
3290 | option for detailed description. | |
ef4a50be | 3291 | </descrip> |
d37f899b | 3292 | |
dad92c30 OZ |
3293 | <p>The following options generally override behavior specified in RFC. If you |
3294 | use any of these options, BIRD will no longer be RFC-compliant, which means it | |
3295 | will not be able to talk to anything other than equally configured BIRD. I have | |
3296 | warned you. | |
d37f899b PM |
3297 | |
3298 | <descrip> | |
0e7a720a | 3299 | <tag>port <M>number</M></tag> |
dad92c30 OZ |
3300 | Selects IP port to operate on, default 520. (This is useful when testing |
3301 | BIRD, if you set this to an address >1024, you will not need to run | |
3302 | bird with UID==0). | |
d37f899b | 3303 | |
0e7a720a | 3304 | <tag>infinity <M>number</M></tag> |
dad92c30 OZ |
3305 | Selects the value of infinity, default is 16. Bigger values will make |
3306 | protocol convergence even slower. | |
d37f899b | 3307 | |
dad92c30 OZ |
3308 | <tag>period <M>number</M></tag> |
3309 | Specifies the number of seconds between periodic updates. Default is 30 | |
3310 | seconds. A lower number will mean faster convergence but bigger network | |
3311 | load. Do not use values lower than 12. | |
d37f899b | 3312 | |
dad92c30 OZ |
3313 | <tag>timeout time <M>number</M></tag> |
3314 | Specifies how old route has to be to be considered unreachable. | |
3315 | Default is 4*<cf/period/. | |
d37f899b | 3316 | |
dad92c30 OZ |
3317 | <tag>garbage time <M>number</M></tag> |
3318 | Specifies how old route has to be to be discarded. Default is | |
3319 | 10*<cf/period/. | |
d37f899b PM |
3320 | </descrip> |
3321 | ||
371adba6 | 3322 | <sect1>Attributes |
d37f899b | 3323 | |
1b55b1a3 MM |
3324 | <p>RIP defines two route attributes: |
3325 | ||
3326 | <descrip> | |
dad92c30 OZ |
3327 | <tag>int <cf/rip_metric/</tag> |
3328 | RIP metric of the route (ranging from 0 to <cf/infinity/). When routes | |
3329 | from different RIP instances are available and all of them have the same | |
3330 | preference, BIRD prefers the route with lowest <cf/rip_metric/. When | |
3331 | importing a non-RIP route, the metric defaults to 5. | |
3332 | ||
3333 | <tag>int <cf/rip_tag/</tag> | |
3334 | RIP route tag: a 16-bit number which can be used to carry additional | |
3335 | information with the route (for example, an originating AS number in | |
3336 | case of external routes). When importing a non-RIP route, the tag | |
3337 | defaults to 0. | |
1b55b1a3 MM |
3338 | </descrip> |
3339 | ||
371adba6 | 3340 | <sect1>Example |
1b55b1a3 MM |
3341 | |
3342 | <p><code> | |
d37f899b PM |
3343 | protocol rip MyRIP_test { |
3344 | debug all; | |
3345 | port 1520; | |
2bf59bf4 | 3346 | period 12; |
326e33f5 | 3347 | garbage time 60; |
f434d191 OZ |
3348 | interface "eth0" { metric 3; mode multicast; }; |
3349 | interface "eth*" { metric 2; mode broadcast; }; | |
326e33f5 | 3350 | honor neighbor; |
d37f899b PM |
3351 | authentication none; |
3352 | import filter { print "importing"; accept; }; | |
3353 | export filter { print "exporting"; accept; }; | |
3354 | } | |
a0dd1c74 | 3355 | </code> |
d37f899b | 3356 | |
dad92c30 | 3357 | |
371adba6 | 3358 | <sect>Static |
1b55b1a3 | 3359 | |
0e4789c2 | 3360 | <p>The Static protocol doesn't communicate with other routers in the network, |
f8e2d916 | 3361 | but instead it allows you to define routes manually. This is often used for |
79a2b697 | 3362 | specifying how to forward packets to parts of the network which don't use |
dad92c30 OZ |
3363 | dynamic routing at all and also for defining sink routes (i.e., those telling to |
3364 | return packets as undeliverable if they are in your IP block, you don't have any | |
3365 | specific destination for them and you don't want to send them out through the | |
3366 | default route to prevent routing loops). | |
3367 | ||
3368 | <p>There are five types of static routes: `classical' routes telling to forward | |
3369 | packets to a neighboring router, multipath routes specifying several (possibly | |
3370 | weighted) neighboring routers, device routes specifying forwarding to hosts on a | |
3371 | directly connected network, recursive routes computing their nexthops by doing | |
3372 | route table lookups for a given IP and special routes (sink, blackhole etc.) | |
3373 | which specify a special action to be done instead of forwarding the packet. | |
79a2b697 MM |
3374 | |
3375 | <p>When the particular destination is not available (the interface is down or | |
3376 | the next hop of the route is not a neighbor at the moment), Static just | |
326e33f5 | 3377 | uninstalls the route from the table it is connected to and adds it again as soon |
a00c7a18 | 3378 | as the destination becomes adjacent again. |
79a2b697 | 3379 | |
dad92c30 OZ |
3380 | <p>The Static protocol does not have many configuration options. The definition |
3381 | of the protocol contains mainly a list of static routes: | |
79a2b697 MM |
3382 | |
3383 | <descrip> | |
dad92c30 OZ |
3384 | <tag>route <m/prefix/ via <m/ip/</tag> |
3385 | Static route through a neighboring router. | |
3386 | ||
e91f6960 OZ |
3387 | <tag>route <m/prefix/ multipath via <m/ip/ [weight <m/num/] [via ...]</tag> |
3388 | Static multipath route. Contains several nexthops (gateways), possibly | |
3389 | with their weights. | |
dad92c30 OZ |
3390 | |
3391 | <tag>route <m/prefix/ via <m/"interface"/</tag> | |
3392 | Static device route through an interface to hosts on a directly | |
3393 | connected network. | |
3394 | ||
3395 | <tag>route <m/prefix/ recursive <m/ip/</tag> | |
3396 | Static recursive route, its nexthop depends on a route table lookup for | |
3397 | given IP address. | |
3398 | ||
3399 | <tag>route <m/prefix/ blackhole|unreachable|prohibit</tag> | |
3400 | Special routes specifying to silently drop the packet, return it as | |
3401 | unreachable or return it as administratively prohibited. First two | |
3402 | targets are also known as <cf/drop/ and <cf/reject/. | |
391931d4 | 3403 | |
4116db18 | 3404 | <tag>check link <m/switch/</tag> |
dad92c30 OZ |
3405 | If set, hardware link states of network interfaces are taken into |
3406 | consideration. When link disappears (e.g. ethernet cable is unplugged), | |
3407 | static routes directing to that interface are removed. It is possible | |
3408 | that some hardware drivers or platforms do not implement this feature. | |
3409 | Default: off. | |
3410 | ||
3411 | <tag>igp table <m/name/</tag> | |
3412 | Specifies a table that is used for route table lookups of recursive | |
3413 | routes. Default: the same table as the protocol is connected to. | |
79a2b697 MM |
3414 | </descrip> |
3415 | ||
79a2b697 MM |
3416 | <p>Static routes have no specific attributes. |
3417 | ||
4f88ac47 | 3418 | <p>Example static config might look like this: |
79a2b697 MM |
3419 | |
3420 | <p><code> | |
3421 | protocol static { | |
96264d4d | 3422 | table testable; # Connect to a non-default routing table |
9491f9f5 | 3423 | route 0.0.0.0/0 via 198.51.100.130; # Default route |
e91f6960 | 3424 | route 10.0.0.0/8 multipath # Multipath route |
9491f9f5 OZ |
3425 | via 198.51.100.10 weight 2 |
3426 | via 198.51.100.20 | |
3427 | via 192.0.2.1; | |
80a9cadc | 3428 | route 203.0.113.0/24 unreachable; # Sink route |
96264d4d | 3429 | route 10.2.0.0/24 via "arc0"; # Secondary network |
79a2b697 MM |
3430 | } |
3431 | </code> | |
3432 | ||
dad92c30 | 3433 | |
96264d4d PM |
3434 | <chapt>Conclusions |
3435 | ||
3436 | <sect>Future work | |
3437 | ||
dad92c30 OZ |
3438 | <p>Although BIRD supports all the commonly used routing protocols, there are |
3439 | still some features which would surely deserve to be implemented in future | |
3440 | versions of BIRD: | |
96264d4d PM |
3441 | |
3442 | <itemize> | |
55b58d8c | 3443 | <item>Opaque LSA's |
96264d4d | 3444 | <item>Route aggregation and flap dampening |
96264d4d PM |
3445 | <item>Multipath routes |
3446 | <item>Multicast routing protocols | |
3447 | <item>Ports to other systems | |
3448 | </itemize> | |
3449 | ||
dad92c30 | 3450 | |
96264d4d PM |
3451 | <sect>Getting more help |
3452 | ||
3453 | <p>If you use BIRD, you're welcome to join the bird-users mailing list | |
d148d0af | 3454 | (<HTMLURL URL="mailto:bird-users@network.cz" name="bird-users@network.cz">) |
96264d4d | 3455 | where you can share your experiences with the other users and consult |
d148d0af OF |
3456 | your problems with the authors. To subscribe to the list, visit |
3457 | <HTMLURL URL="http://bird.network.cz/?m_list" name="http://bird.network.cz/?m_list">. | |
96264d4d PM |
3458 | The home page of BIRD can be found at <HTMLURL URL="http://bird.network.cz/" name="http://bird.network.cz/">. |
3459 | ||
dad92c30 OZ |
3460 | <p>BIRD is a relatively young system and it probably contains some bugs. You can |
3461 | report any problems to the bird-users list and the authors will be glad to solve | |
3462 | them, but before you do so, please make sure you have read the available | |
3463 | documentation and that you are running the latest version (available at | |
3464 | <HTMLURL URL="ftp://bird.network.cz/pub/bird" name="bird.network.cz:/pub/bird">). | |
3465 | (Of course, a patch which fixes the bug is always welcome as an attachment.) | |
3466 | ||
3467 | <p>If you want to understand what is going inside, Internet standards are a good | |
3468 | and interesting reading. You can get them from | |
3469 | <HTMLURL URL="ftp://ftp.rfc-editor.org/" name="ftp.rfc-editor.org"> (or a | |
3470 | nicely sorted version from <HTMLURL URL="ftp://atrey.karlin.mff.cuni.cz/pub/rfc" | |
3471 | name="atrey.karlin.mff.cuni.cz:/pub/rfc">). | |
69477cad | 3472 | |
c184d9d0 | 3473 | <p><it/Good luck!/ |
69477cad | 3474 | |
371adba6 | 3475 | </book> |
7581b81b | 3476 | |
a0dd1c74 | 3477 | <!-- |
75317ab8 MM |
3478 | LocalWords: GPL IPv GateD BGPv RIPv OSPFv Linux sgml html dvi sgmltools Pavel |
3479 | LocalWords: linuxdoc dtd descrip config conf syslog stderr auth ospf bgp Mbps | |
5a203dac | 3480 | LocalWords: router's eval expr num birdc ctl UNIX if's enums bool int ip GCC |
75317ab8 MM |
3481 | LocalWords: len ipaddress pxlen netmask enum bgppath bgpmask clist gw md eth |
3482 | LocalWords: RTS printn quitbird iBGP AS'es eBGP RFC multiprotocol IGP Machek | |
4e8ec666 | 3483 | LocalWords: EGP misconfigurations keepalive pref aggr aggregator BIRD's RTC |
5a203dac | 3484 | LocalWords: OS'es AS's multicast nolisten misconfigured UID blackhole MRTD MTU |
4e8ec666 | 3485 | LocalWords: uninstalls ethernets IP binutils ANYCAST anycast dest RTD ICMP rfc |
5a203dac | 3486 | LocalWords: compat multicasts nonbroadcast pointopoint loopback sym stats |
64722c98 | 3487 | LocalWords: Perl SIGHUP dd mm yy HH MM SS EXT IA UNICAST multihop Discriminator txt |
5adc02a6 | 3488 | LocalWords: proto wildcard Ondrej Filip |
5a64ac70 | 3489 | --> |