Re: bgpctl not showing rib entries, pftables empty

2018-10-29 Thread Ashe Connor
On 29 Oct 2018, at 20:17, Claudio Jeker wrote:
> On Mon, Oct 29, 2018 at 09:30:44AM +0100, Peter Hessler wrote:
>> Hi Ashe
>> 
>> Sorry about that, I forgot a part of the config file.
>> 
>> You'll need to add "nexthop qualify via default" to the global part of
>> the configuration.  Since the routers sending you the information are
>> not on your local link, there isn't a valid nexthop so the routes are
>> not selected.  Once the nexthops are accepted, the prefixes will be
>> processed and will be used.
> 
> Also don't forget the default deny policy of 6.4. Looking at the config it
> seems there is no 'allow from group "spam-bgp"' and so nothing is put into
> the RIB.


And just like that:

--8<--
elisheva:~$ cat /etc/bgpd.conf
spam_rs1="64.142.121.62"
spam_rs2="217.31.80.170"
spam_asn="65066"

AS 65500
fib-update no
nexthop qualify via default

group "spam-bgp" {
remote-as $spam_asn
multihop 64
export none
neighbor $spam_rs1
neighbor $spam_rs2
}

match from group "spam-bgp" community $spam_asn:42 set pftable "bgp_spamd_bypass"
match from group "spam-bgp" community $spam_asn:666 set pftable "bgp_spamd"
allow from group "spam-bgp"
elisheva:~$ bgpctl show
Neighbor           AS  MsgRcvd  MsgSent  OutQ Up/Down  State/PrfRcvd
217.31.80.170   65066      222      103     0 00:49:51 37172
64.142.121.62   65066      226      103     0 00:49:52 37172
elisheva:~$ bgpctl show rib | wc -l
   74350
elisheva:~$
--8<--

Thank you so much, both!

Ashe
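
The two omissions identified in the replies above (no `nexthop qualify via default` for multihop peers, and no `allow` rule under the 6.4 default-deny policy) can be caught before the pf tables silently stay empty. The following lint is an added example, not part of the thread and not bgpd's own parser; the function name, finding labels and reduced sample configs are constructed for illustration.

```sh
#!/bin/sh
# Added example: text-level lint for the two bgpd.conf omissions in this thread.
# Heuristic only: no macro or include expansion, not bgpd's own parser.

lint_bgpd_conf() {   # reads a bgpd.conf on stdin, prints space-separated findings
    body=$(sed 's/#.*//')          # drop comments
    findings=""
    sp='[[:space:]]'
    # Multihop peers are off-link; without this global their nexthops never validate.
    if printf '%s\n' "$body" | grep -Eq "^$sp*multihop$sp+[0-9]+" &&
       ! printf '%s\n' "$body" | grep -Eq "^$sp*nexthop$sp+qualify$sp+via$sp+default"; then
        findings="$findings nexthop-qualify-missing"
    fi
    # 6.4 denies by default: a group with match rules but no allow puts nothing in the RIB.
    grps=$(printf '%s\n' "$body" |
        sed -n "s/^$sp*match$sp$sp*from$sp$sp*group$sp$sp*\"\([^\"]*\)\".*/\1/p" | sort -u)
    for g in $grps; do
        # "allow from any" also covers the group
        printf '%s\n' "$body" |
            grep -Eq "^$sp*allow$sp+from$sp+(any|group$sp+\"$g\")" ||
            findings="$findings no-allow:$g"
    done
    printf '%s\n' "${findings# }"
}

# Constructed samples, reduced from the configs posted in the thread.
sample_before() { cat <<'EOF'
AS 65500
fib-update no
group "spam-bgp" {
	remote-as 65066
	multihop 64
	neighbor 64.142.121.62
}
match from group "spam-bgp" community 65066:666 set pftable "bgp_spamd"
EOF
}
sample_after() { cat <<'EOF'
AS 65500
fib-update no
nexthop qualify via default
group "spam-bgp" {
	remote-as 65066
	multihop 64
	neighbor 64.142.121.62
}
match from group "spam-bgp" community 65066:666 set pftable "bgp_spamd"
allow from group "spam-bgp"
EOF
}

echo "before: $(sample_before | lint_bgpd_conf)"
echo "after:  $(sample_after | lint_bgpd_conf)"
```

On a live host the same function can be fed with `lint_bgpd_conf < /etc/bgpd.conf`; an empty result means neither omission was found.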


bgpctl not showing rib entries, pftables empty

2018-10-28 Thread Ashe Connor
Hi all,

I’ve set up bgpd for use with bgp-spamd.net’s servers.  As far as I can tell, 
the BGP connection and transfer is working fine:

--8<--
elisheva:~$ cat /etc/bgpd.conf
spam_rs1="64.142.121.62"
spam_rs2="217.31.80.170"
spam_asn="65066"

AS 65500
fib-update no

group "spam-bgp" {
remote-as $spam_asn
multihop 64
export none
neighbor $spam_rs1
neighbor $spam_rs2
}

match from group "spam-bgp" community $spam_asn:42 set pftable "bgp_spamd_bypass"
match from group "spam-bgp" community $spam_asn:666 set pftable "bgp_spamd"
elisheva:~$ bgpctl show
Neighbor           AS  MsgRcvd  MsgSent  OutQ Up/Down  State/PrfRcvd
217.31.80.170   65066      410      322     0 02:39:41 37096
64.142.121.62   65066      460      318     0 01:25:30 37096
elisheva:~$ bgpctl show rib memory
RDE memory statistics
 37096 IPv4 unicast network entries using 1.4M of memory
 37096 rib entries using 2.3M of memory
 74192 prefix entries using 6.8M of memory
10 BGP path attribute entries using 1.1K of memory
 2 BGP AS-PATH attribute entries using 82B of memory,
   and holding 10 references
 7 BGP attributes entries using 280B of memory
   and holding 10 references
 7 BGP attributes using 48B of memory
RIB using 10.5M of memory

RDE hash statistics
path hash: size 131072, 10 entires
min 0 max 2 avg/std-dev = 0.000/0.000
aspath hash: size 131072, 2 entires
min 0 max 1 avg/std-dev = 0.000/0.000
attr hash: size 16384, 7 entires
min 0 max 1 avg/std-dev = 0.000/0.000
--8<--

However, despite the entry counts being shown by `bgpctl show rib memory`, no 
other command lists entries as one might expect, and the pf tables are empty:

--8<--
elisheva:~$ bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin
elisheva:~$ bgpctl show rib community 65066:42
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin
elisheva:~$ doas pfctl -Ts -t bgp_spamd
elisheva:~$ doas pfctl -Ts -t bgp_spamd_bypass
elisheva:~$
--8<--

Any hints as to how to further diagnose?  I’ve tried most conceivable 
additional arguments to `bgpctl show rib` and I haven’t found a way to list 
entries yet.  Log entries are benign ((re)configuration success messages).

Thanks,

Ashe