Possible FRR OSPF adds rules to each passive interface

Started by rudiservo, May 10, 2023, 07:15:51 PM

I am trying to understand the automatically added routes in OPNsense by FRR. FRR adds 4 rules for each network added to OSPF, and it appears on all networks, even passive ones.

So are these rules "general" or per interface?
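
In pf, a rule without an `on <interface>` clause is evaluated on every interface, so whether the rules are "general" can be read directly from the loaded ruleset. The check below is an added example, not code from this thread or from the OPNsense plugin: it classifies OSPF rules in `pfctl -sr`-style text as unbound or interface-bound. The sample rules, addresses and interface names are constructed, and the function name is hypothetical.

```python
from collections import Counter

# Constructed sample in pf rule syntax (the form `pfctl -sr` prints).
# Addresses and interface names are made up for illustration.
SAMPLE_RULES = """\
pass in quick inet proto ospf from 10.0.10.0/24 to 224.0.0.0/24 keep state
pass in quick inet proto ospf from 10.0.10.0/24 to (self) keep state
pass out quick inet proto ospf from 224.0.0.0/24 to 10.0.10.0/24 keep state
pass out quick inet proto ospf from (self) to 10.0.10.0/24 keep state
pass in quick on igb1 inet proto ospf from 10.0.20.0/24 to 224.0.0.0/24 keep state
pass in quick on igb2 inet proto tcp from any to any port = 22 keep state
block drop in log on igb3 inet all
"""


def classify_ospf_rules(ruleset_text):
    """Split OSPF rules into unbound (no `on`) and interface-bound.

    Returns (unbound, bound): `unbound` counts rules per direction,
    `bound` counts rules per interface name.
    Assumes a single interface name after `on` (no `{ a b }` lists).
    """
    unbound = Counter()
    bound = Counter()
    for line in ruleset_text.splitlines():
        tokens = line.split()
        if "proto" not in tokens:
            continue
        p = tokens.index("proto")
        if tokens[p + 1:p + 2] != ["ospf"]:
            continue
        # Everything before `proto` holds action, direction, options
        # and the optional `on <interface>` clause.
        head = tokens[:p]
        direction = "in" if "in" in head else "out" if "out" in head else "any"
        if "on" in head and head.index("on") + 1 < len(head):
            bound[head[head.index("on") + 1]] += 1
        else:
            unbound[direction] += 1
    return unbound, bound


if __name__ == "__main__":
    unbound, bound = classify_ospf_rules(SAMPLE_RULES)
    print("OSPF rules applying to every interface:", dict(unbound))
    print("OSPF rules bound to one interface:", dict(bound))
```

On a live firewall the same function can be fed the output of `pfctl -sr`; any entry in the unbound counter is a pass rule that also applies on passive interfaces.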


Hi, I did make a pull request, but I think it needs improvements.

https://github.com/opnsense/plugins/pull/3432

So here is the issue: FRR adds firewall filter rules to all interfaces; for each network it adds 2 in rules and 2 out rules.

I have tested locally and it does have a performance impact with these rules added with or without the interface, noticeable difference in inter-VLAN routing in the branch office, everything feels faster to respond.

I asked on GitHub; what I do not know is what the proper way is to identify which interfaces to add these rules to, whether it is the interfaces configured in the interfaces tab of OSPF or the non-passive interfaces in the general tab.

The pull request code might need just one improvement to add the rules only once per enabled interface, but I would like some feedback on what is the proper way to identify and add the rules for the required interfaces to get OSPF running properly instead of general automated rules.

I am a bit rusty in OSPF, GIMP skills are also bad, sorry.

Here is the original code that is creating all the rules. You can see the rules in any interface's FW rules: there is a small line "automatically added rules", just expand it and you can see the OSPF rules added.



        foreach ($ospf->networks->network->iterateItems() as $network) {
            if ((string)$network->enabled == '1') {
                $fw->registerFilterRule(
                    1, /* priority */
                    array(
                        'ipprotocol'     => 'inet',
                        'protocol'       => 'ospf',
                        'statetype'      => 'keep',
                        'label'          => 'Pass OSPF (autogenerated)',
                        'from'           => $network->ipaddr . '/' . $network->netmask,
                        'to'             => '224.0.0.0/24',
                        'direction'      => 'in',
                        'type'           => 'pass',
                        'disablereplyto' => 1,
                        'quick'          => true
                    ),
                    null
                );
                $fw->registerFilterRule(
                    1,
                    array(
                        'ipprotocol'     => 'inet',
                        'protocol'       => 'ospf',
                        'statetype'      => 'keep',
                        'label'          => 'Pass OSPF UNICAST (autogenerated)',
                        'from'           => $network->ipaddr . '/' . $network->netmask,
                        'to'             => '(self)',
                        'direction'      => 'in',
                        'type'           => 'pass',
                        'disablereplyto' => 1,
                        'quick'          => true
                    ),
                    null
                );
                $fw->registerFilterRule(
                    1,
                    array(
                        'ipprotocol'     => 'inet',
                        'protocol'       => 'ospf',
                        'statetype'      => 'keep',
                        'label'          => 'Pass OSPF (autogenerated)',
                        'from'           => '224.0.0.0/24',
                        'to'             => $network->ipaddr . '/' . $network->netmask,
                        'direction'      => 'out',
                        'type'           => 'pass',
                        'disablereplyto' => 1,
                        'quick'          => true
                    ),
                    null
                );
                $fw->registerFilterRule(
                    1,
                    array(
                        'ipprotocol'     => 'inet',
                        'protocol'       => 'ospf',
                        'statetype'      => 'keep',
                        'label'          => 'Pass OSPF UNICAST (autogenerated)',
                        'from'           => '(self)',
                        'to'             => $network->ipaddr . '/' . $network->netmask,
                        'direction'      => 'out',
                        'type'           => 'pass',
                        'disablereplyto' => 1,
                        'quick'          => true
                    ),
                    null
                );