diff --git a/filter_bgp.conf b/filter_bgp.conf
index c3e8c4d..eb85db7 100644
--- a/filter_bgp.conf
+++ b/filter_bgp.conf
@@ -166,12 +166,36 @@ function handle_prepend(int dest_asn) {
 }
 function import_safe(bool allow_default) {
- if is_default_route() then return allow_default;
- if ip_bogon() then return false;
- if bgp_path ~ ASN_BOGON then return false;
- if bgp_path.len > 50 then return false;
- if bad_prefix_len() then return false;
- if rpki_invalid() then return false;
+ if is_default_route() then {
+ if allow_default then return true;
+ print proto, ": ", net, ": unexpected default route";
+ return false;
+ }
+
+ if ip_bogon() then {
+ print proto, ": ", net, ": bogon prefix";
+ return false;
+ }
+
+ if bgp_path ~ ASN_BOGON then {
+ print proto, ": ", net, ": bogon in AS path: ", bgp_path;
+ return false;
+ }
+
+ if bgp_path.len > 50 then {
+ print proto, ": ", net, ": AS path too long: ", bgp_path;
+ return false;
+ }
+
+ if bad_prefix_len() then {
+ print proto, ": ", net, ": invalid prefix length";
+ return false;
+ }
+
+ if rpki_invalid() then {
+ print proto, ": ", net, ": invalid RPKI";
+ return false;
+ }
 export_downstream = 1;
 honour_graceful_shutdown();
@@ -188,10 +212,16 @@ function import_peer_trusted(int peer_asn) {
 }
 function import_peer(int peer_asn; prefix set prefixes; int set as_set) {
- if net !~ prefixes then return false;
+ if net !~ prefixes then {
+ print proto, ": ", net, ": prefix not in as-set for peer AS", peer_asn;
+ return false;
+ }
 for int path_asn in bgp_path do {
- if path_asn !~ as_set then return false;
+ if path_asn !~ as_set then {
+ print proto, ": ", net, ": AS", path_asn, " not in as-set for peer AS", peer_asn;
+ return false;
+ }
 }
 return import_peer_trusted(peer_asn);
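Review bot: Every rejection branch in import_safe now prints one line per rejected route, so log volume is set by whatever the remote side announces; a session that sends many bogon, RPKI-invalid or over-long-path routes can flood the log and bury other messages. The same applies to the prefix and as-set rejections added in import_peer, import_ixp and import_downstream. In the long-path branch the full path is also the largest value printed, and its length is enough to explain the reject: `print proto, ": ", net, ": AS path too long: ", bgp_path.len, " ASNs";`. I would also add a comment above the first print, `# Reject logging is per route and driven by remote input; rate-limit or size the log target accordingly.` The body of import_safe continues past the end of the hunk.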
@@ -206,10 +236,16 @@ function import_ixp_trusted(int ixp_id) {
 }
 function import_ixp(int ixp_id; prefix set prefixes; int set as_set) {
- if net !~ prefixes then return false;
+ if net !~ prefixes then {
+ print proto, ": ", net, ": prefix not in as-set for IXP";
+ return false;
+ }
 for int path_asn in bgp_path do {
- if path_asn !~ as_set then return false;
+ if path_asn !~ as_set then {
+ print proto, ": ", net, ": not in as-set for IXP";
+ return false;
+ }
 }
 return import_ixp_trusted(ixp_id);
@@ -224,14 +260,23 @@ function import_transit(int transit_asn; bool default_route) {
 }
 function import_downstream(int downstream_asn; prefix set prefixes; int set as_set) {
- if net !~ prefixes then return false;
+ if net !~ prefixes then {
+ print proto, ": ", net, ": prefix not in as-set for downstream AS", downstream_asn;
+ return false;
+ }
 for int path_asn in bgp_path do {
- if path_asn !~ as_set then return false;
+ if path_asn !~ as_set then {
+ print proto, ": ", net, ": not in as-set for downstream AS", downstream_asn;
+ return false;
+ }
 }
 # If they don't want to export this to us, then we won't take it at all.
- if (MY_ASN, LC_NO_EXPORT, MY_ASN) ~ bgp_large_community then return false;
+ if (MY_ASN, LC_NO_EXPORT, MY_ASN) ~ bgp_large_community then {
+ print proto, ": ", net, ": rejected by no-export to AS", MY_ASN;
+ return false;
+ }
 bgp_large_community.delete([
 (MY_ASN, 0..LC_DOWNSTREAM_START-1, *),
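Review bot: The as-set loop message in import_ixp, `": not in as-set for IXP"`, drops the offending `path_asn` and never prints `ixp_id`, so the log line cannot say which ASN failed or which IXP's sets were applied; import_peer prints both. Suggested: `print proto, ": ", net, ": AS", path_asn, " not in as-set for IXP ", ixp_id;`, and add `ixp_id` to the prefix message as well. The loop message in import_downstream has the same gap and reads as if the prefix itself failed; it should start with `": AS", path_asn, " not in as-set for downstream AS"`. import_downstream's body continues outside the hunk.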