From 63d03dab164bb44ce4747629f14a022086aac3ec Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 12 Nov 2013 12:35:23 -0500 Subject: Teach Quagga about accept filtering, either custom or a per-interface settign to deny certain routes delivered from remote OSPF peers. This should finally solve the Multi-WAN+VPN issue with learned routes for interconnects preventing a VPN from restarting. Fixes #2712 --- config/quagga_ospfd/quagga_ospfd.inc | 14 ++++++++++++++ config/quagga_ospfd/quagga_ospfd.xml | 9 ++++++++- config/quagga_ospfd/quagga_ospfd_interfaces.xml | 6 ++++++ pkg_config.8.xml | 2 +- pkg_config.8.xml.amd64 | 2 +- 5 files changed, 30 insertions(+), 3 deletions(-) diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index aabd27a8..b2f800eb 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() { // Since we need to embed this in a string, copy to a var. Can't embed constnats. $quagga_config_base = PKG_QUAGGA_CONFIG_BASE; + $noaccept = ""; + if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) { // if there is a raw config specifyed in tthe config.xml use that instead of the assisted config $conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']); @@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() { if ($interface_subnet == 32) $interface_subnet = 30; $subnet = gen_subnet($interface_ip, $interface_subnet); + if (!empty($conf['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n"; + } if (!empty($conf['interfacearea'])) { $interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']); } 
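Review bot: The deny entry added in the `@@ -132,6 +134,9 @@` hunk is built from `$interface_subnet` after the `if ($interface_subnet == 32) $interface_subnet = 30;` rewrite just above it, so on a /32 interface the filter names a /30 that is not the interface's own prefix. The entry also has no `le` bound, so it matches only that exact prefix, and a /32 route learned from a peer would probably still be accepted. If the accept filter is meant to cover the real interface network, build the prefix before the rewrite. If the /30 is intended, say so in a comment such as `// Accept filter deliberately uses the adjusted /30; see the /32 handling above`. The enclosing loop and function start and end outside the hunk.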
@@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() { foreach ($ospfd_conf['row'] as $redistr) { if (empty($redistr['routevalue'])) continue; + if (isset($redistr['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n"; + } if (isset($redistr['redistribute'])) { $noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n"; } else { @@ -239,6 +247,12 @@ function quagga_ospfd_install_conf() { $zebraconffile .= "password {$ospfd_conf['password']}\n"; if ($ospfd_conf['logging']) $zebraconffile .= "log syslog\n"; + if (!empty($noaccept)) { + $zebraconffile .= $noaccept; + $zebraconffile .= "route-map ACCEPTFILTER permit 10\n"; + $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n"; + $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n"; + } $fd = fopen("{$quagga_config_base}/zebra.conf", "w"); fwrite($fd, $zebraconffile); fclose($fd); diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index 61bf3e94..86baaefb 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ quagga_ospfd - 0.5.4 + 0.6 Services: Quagga OSPFd /usr/local/pkg/quagga_ospfd.inc pkg_edit.php?xml=quagga_ospfd.xml&id=0 @@ -164,6 +164,13 @@ checkbox 20 + + Disable <br/>Acceptance + acceptfilter + Accept Filter + checkbox + 20 + Subnet to Route routevalue diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml index 21bc877f..beb6f2b0 100644 --- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml +++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml 
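Review bot: `$redistr['routevalue']` is written into zebra.conf as-is by the added `ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}` line in the `@@ -151,6 +156,9 @@` hunk, with only an `empty()` check visible before it. If nothing outside this hunk validates the field, a value that is not a plain CIDR prefix (for example one carrying a line break) would put extra directives into the routing daemon's configuration. The neighbouring `dnr-list` line has the same exposure. A guard here is cheap: `if (isset($redistr['acceptfilter']) && is_subnet($redistr['routevalue'])) {`. The function body continues outside the hunk.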
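Review bot: The prefix-list emitted in the `@@ -239,6 +247,12 @@` hunk contains only `deny` entries, and a prefix-list ends with an implicit deny, so `match ip address prefix-list ACCEPTFILTER` under `route-map ACCEPTFILTER permit 10` appears to match nothing. With `ip protocol ospf route-map ACCEPTFILTER` applied, that would keep every OSPF-learned route out of the routing table as soon as one accept filter is set, not only the listed subnets. A closing permit after the deny entries gives the intended result: add `$zebraconffile .= "ip prefix-list ACCEPTFILTER permit any\n";` right after `$zebraconffile .= $noaccept;`. A one-line comment there, stating that unlisted prefixes must fall through to a permit, would keep the entry from being dropped later.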
@@ -86,6 +86,12 @@ Prevent transmission and reception of OSPF packets on this interface. The specified interface will be announced as a stub network. checkbox + + Accept Filter + acceptfilter + Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments). + checkbox + Enable MD5 password for this Quagga OSPFd interface (default no) md5password diff --git a/pkg_config.8.xml b/pkg_config.8.xml index e5ff9281..87af456e 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -1757,7 +1757,7 @@ Quagga OSPF OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD and OpenBGPD. Installing both will break things. jimp@pfsense.org - 0.99.22.3 v0.5.4 + 0.99.22.3 v0.6 Routing BETA http://files.pfsense.org/packages/8/All/ diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index a66f3d1c..090bc71a 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -1744,7 +1744,7 @@ Quagga OSPF OSPF routing protocol using Quagga -- WARNING! Installs files to the same place as OpenOSPFD and OpenBGPD. Installing both will break things. jimp@pfsense.org - 0.99.22.3 v0.5.4 + 0.99.22.3 v0.6 Routing BETA http://files.pfsense.org/packages/amd64/8/All/ -- cgit v1.2.3