This diff removes the extra "allow" from the aspa-set provider-set element
spec. The allow is not needed and confuses more than it helps.

This change adjusts the parser, printconf, rpki-client and the regress
tests. Job and I decided that the filters will use avs (ASPA validation
state) as keyword, so adjust that as well.

Also try to document the aspa-set in bgpd.conf.5
-- 
:wq Claudio

? BUILDTIME
Index: regress/usr.sbin/bgpd/config/bgpd.conf.14.in
===================================================================
RCS file: /cvs/src/regress/usr.sbin/bgpd/config/bgpd.conf.14.in,v
retrieving revision 1.1
diff -u -p -r1.1 bgpd.conf.14.in
--- regress/usr.sbin/bgpd/config/bgpd.conf.14.in        18 Nov 2022 10:26:04 -0000      1.1
+++ regress/usr.sbin/bgpd/config/bgpd.conf.14.in        20 Jan 2023 14:30:25 -0000
@@ -27,10 +27,10 @@ aspa-set {
 aspa-set {
        customer-as 3 provider-as { 5 }
        customer-as 2 expires 1668181648 provider-as { 3 4 }
-       customer-as 5 provider-as { 1 2 allow inet 7 allow inet6 }
+       customer-as 5 provider-as { 1, 2 inet, 7 inet6 }
 }
 
 
-#match from any aspa unknown
-#match from any aspa invalid
-#match from any aspa valid
+#match from any avs unknown
+#match from any avs invalid
+#match from any avs valid
Index: regress/usr.sbin/bgpd/config/bgpd.conf.14.ok
===================================================================
RCS file: /cvs/src/regress/usr.sbin/bgpd/config/bgpd.conf.14.ok,v
retrieving revision 1.1
diff -u -p -r1.1 bgpd.conf.14.ok
--- regress/usr.sbin/bgpd/config/bgpd.conf.14.ok        18 Nov 2022 10:26:04 -0000      1.1
+++ regress/usr.sbin/bgpd/config/bgpd.conf.14.ok        20 Jan 2023 14:30:25 -0000
@@ -12,7 +12,7 @@ aspa-set {
        customer-as 1 provider-as { 2 3 4 5 6 }
        customer-as 2 expires 1668181648 provider-as { 3 4 }
        customer-as 3 provider-as { 5 }
-       customer-as 5 provider-as { 1 2 allow inet 7 allow inet6 }
+       customer-as 5 provider-as { 1 2 inet 7 inet6 }
        customer-as 17 provider-as { 12 }
        customer-as 41 provider-as { 2 }
        customer-as 42 expires 12345 provider-as { 3 4 }
Index: usr.sbin/bgpd/bgpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.conf.5,v
retrieving revision 1.228
diff -u -p -r1.228 bgpd.conf.5
--- usr.sbin/bgpd/bgpd.conf.5   4 Jan 2023 14:33:30 -0000       1.228
+++ usr.sbin/bgpd/bgpd.conf.5   20 Jan 2023 14:30:27 -0000
@@ -426,12 +426,16 @@ may be defined, against which
 will validate the origin of each prefix.
 The
 .Ic roa-set
-is merged with the tables received via
+and
+.Ic aspa-set
+are merged with the corresponding tables received via
 .Ic rtr
 sessions.
 .Pp
 A set definition can span multiple lines, and an optional comma is allowed
 between elements.
+The same set can be defined more than once, in this case the definitions are
+merged into one common set.
 .Pp
 .Bl -tag -width Ds -compact
 .It Xo
@@ -443,6 +447,30 @@ An
 stores AS numbers, and can be used with the AS specific parameter in
 .Sx FILTER
 rules.
+.Pp
+.It Xo
+.Ic aspa-set
+.Ic { Ic customer-as Ar as-number
+.Op Ic expires Ar seconds
+.Ic provider-as Ic { Ar as-number
+.Op Ic inet Ns | Ns Ic inet6
+.Ic ... Ic } ... Ic }
+.Xc
+The
+.Ic aspa-set
+holds a collection of
+.Em Validated ASPA Payloads Pq VAPs .
+Each as AS_PATH received from an eBGP peer is checked against the
+.Ic aspa-set ,
+and the ASAP Validation State (AVS) is set.
+.Ic expires
+can be set to the seconds since Epoch until when this VAP is valid.
+.Bd -literal -offset indent
+roa-set {
+       customer-as 64511 provider-as { 64496 65496 }
+       customer-as 64496 provider-as { 65496 64544 }
+}
+.Ed
 .Pp
 .It Xo
 .Ic origin-set Ar name
Index: usr.sbin/bgpd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.438
diff -u -p -r1.438 parse.y
--- usr.sbin/bgpd/parse.y       4 Jan 2023 14:33:30 -0000       1.438
+++ usr.sbin/bgpd/parse.y       20 Jan 2023 14:30:27 -0000
@@ -636,11 +636,11 @@ aspa_tas  : as4number_any {
                        $$->aid = AID_UNSPEC;
                        $$->num = 1;
                }
-               | as4number_any ALLOW family {
+               | as4number_any family {
                        if (($$ = calloc(1, sizeof(*$$))) == NULL)
                                fatal(NULL);
                        $$->as = $1;
-                       $$->aid = $3;
+                       $$->aid = $2;
                        $$->num = 1;
                }
                ;
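Review bot: With `ALLOW` dropped from the second `aspa_tas` alternative, a provider list written in the earlier `allow inet` / `allow inet6` form no longer parses, while the same patch switches rpki-client's generated output to the new form. If bgpd and rpki-client are updated at different times, the generated aspa-set would presumably be rejected at config load and no ASPA data would be available until both sides match, so the lock-step requirement deserves a line in the commit message or upgrade notes. Separately, `$$->aid = $2;` relies on `family` yielding an AID_* value (the first alternative stores `AID_UNSPEC`); that rule is defined outside the hunk, so confirm it and consider a short comment saying so. The `aspa_tas` rule itself begins above the hunk.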
Index: usr.sbin/bgpd/printconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/printconf.c,v
retrieving revision 1.161
diff -u -p -r1.161 printconf.c
--- usr.sbin/bgpd/printconf.c   4 Jan 2023 14:33:30 -0000       1.161
+++ usr.sbin/bgpd/printconf.c   20 Jan 2023 14:30:27 -0000
@@ -609,9 +609,8 @@ print_aspa(struct aspa_tree *a)
                printf(" provider-as { ");
                for (i = 0; i < aspa->num; i++) {
                        printf("%s ", log_as(aspa->tas[i]));
-                       if (aspa->tas_aid != NULL &&
-                           aspa->tas_aid[i] != AID_UNSPEC)
-                               printf("allow %s ", print_af(aspa->tas_aid[i]));
+                       if (aspa->tas_aid[i] != AID_UNSPEC)
+                               printf("%s ", print_af(aspa->tas_aid[i]));
                }
                printf("}");
        }
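Review bot: The new condition reads `aspa->tas_aid[i]` without the `aspa->tas_aid != NULL` test the old code had, so print_aspa() would dereference a null pointer for any aspa_set whose tas_aid array was never allocated. Nothing visible in this patch shows that every path building the tree allocates tas_aid, so either keep the guard, `if (aspa->tas_aid != NULL && aspa->tas_aid[i] != AID_UNSPEC)`, or add a comment at the loop stating the invariant and where it is established. print_aspa() starts and ends outside the hunk.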
Index: usr.sbin/rpki-client/output-bgpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/output-bgpd.c,v
retrieving revision 1.25
diff -u -p -r1.25 output-bgpd.c
--- usr.sbin/rpki-client/output-bgpd.c  13 Jan 2023 08:58:36 -0000      1.25
+++ usr.sbin/rpki-client/output-bgpd.c  20 Jan 2023 14:30:27 -0000
@@ -67,11 +67,11 @@ output_bgpd(FILE *out, struct vrp_tree *
                                return -1;
                        switch (vap->providers[i].afi) {
                        case AFI_IPV4:
-                               if (fprintf(out, "allow inet") < 0)
+                               if (fprintf(out, "inet") < 0)
                                        return -1;
                                break;
                        case AFI_IPV6:
-                               if (fprintf(out, "allow inet6") < 0)
+                               if (fprintf(out, "inet6") < 0)
                                        return -1;
                                break;
                        }
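Review bot: The `switch` on `vap->providers[i].afi` has no `default`, so any value other than `AFI_IPV4` or `AFI_IPV6` is written as a bare provider AS, which the bgpd grammar in this patch stores as unrestricted (`AID_UNSPEC`). If that is the intended meaning for an unset afi, make it explicit with `default: /* no restriction: provider valid for both families */ break;`. If other values would indicate a bug upstream, returning -1 there avoids silently widening a provider authorization in the generated config. The enclosing function continues outside the hunk.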
