TCP/IP Network Administration
[Appendix B] A gated Reference
iflist
Traces the list of interfaces read from the kernel. Use this to determine what interfaces are detected by the kernel interface scan.
The advantage of placing a trace option on the command line is that it can trace activities that happen before the configuration file is processed. For the two options listed above, this is an essential advantage. For other options it is not very important. Most trace options are specified in the configuration file. See the traceoptions command later in this appendix for more details.
B.1.1 Signal Processing
gated processes the following signals:
SIGHUP
Tells gated to reread the configuration file. The new configuration replaces the one that gated is currently running. SIGHUP loads the new configuration file without interrupting gated service. SIGHUP is available for quick configuration changes. At most sites, the routing configuration changes infrequently. The few times you need to change to a new configuration, terminate gated and rerun it with the new configuration. This is a more accurate test of how things will run at the next boot.
SIGINT
Tells gated to snapshot its current state to the file /usr/tmp/gated_dump.
SIGTERM
Tells gated to shut down gracefully. All protocols are shut down following the rules of that protocol. For example, EGP sends a CEASE message and waits for it to be confirmed. SIGTERM removes from the kernel routing table all routes learned via the exterior routing protocols. If you need to preserve those routes while gated is out of operation, use SIGKILL.
SIGKILL
Tells gated to terminate immediately and dump core. Routes are not removed from the routing table, and no graceful shutdown is attempted.
SIGUSR1
Tells gated to toggle tracing. If no trace flags are set, SIGUSR1 has no effect. But if tracing is enabled, the first SIGUSR1 causes gated to toggle off tracing and to close the trace file. The next SIGUSR1 turns tracing back on and opens the trace file. When the trace file is closed, it can be moved or removed without interfering with the operation of gated. Use this to periodically empty out the trace file to prevent it from becoming too large.
SIGUSR2
Tells gated to check for changes in the status of the network interfaces.
The following is an example of gated signal handling. First, the SIGUSR1 signal is passed to the gated process using the process ID obtained from the gated.pid file (/var/run/gated.pid in this case).
# kill -USR1 `cat /var/run/gated.pid`
Next, the old trace file (/usr/tmp/gated.log in this case) is removed, and gated is passed another SIGUSR1 signal.
# rm /usr/tmp/gated.log
# kill -USR1 `cat /var/run/gated.pid`
After receiving the second signal, gated opens a fresh trace file (still named /usr/tmp/gated.log). An ls shows that the new file has been created.
# ls -l /usr/tmp/gated.log
-rw-rw-r--  1 root  105 Jul  6 16:41 /usr/tmp/gated.log
B.2 The gated Configuration Language
The gated configuration language is a highly structured language similar to C in appearance. Comments either begin with a #, or they begin with /* and end with */. gated configuration statements end with a semicolon, and groups of associated statements are enclosed in curly braces. The language structure is familiar to most UNIX system administrators, and the structure makes it easy to see what parts of the configuration are associated with each other. This is important when multiple protocols are configured in the same file.
The configuration language is composed of nine types of statements. Two statement types, directive statements and trace statements, can occur anywhere in the gated.conf file and do not directly relate to the configuration of any protocol. These statements provide instructions to the parser and control tracing from within the configuration file. The other seven statement types are options statements, interface statements, definition statements, protocol statements, static statements, control statements, and aggregate statements. These statements must appear in the configuration file in the correct order, starting with options statements and ending with aggregate statements. Entering a statement out of order causes an error when parsing the file.
The remainder of this appendix provides a description of all commands in the gated configuration language, organized by statement type.
B.3 Directive Statements
Directive statements provide direction to the gated command language parser about "include" files. An include file is an external file whose contents are parsed into the configuration as if it were part of the original gated.conf file. Include files can contain references to other include files, and these references can be nested up to 10 levels deep.
The two directive statements are:
%include filename
Identifies an include file. The contents of the file are "included" in the gated.conf file at the point in the gated.conf file where the %include directive is encountered. filename is any valid UNIX filename. If filename is not fully qualified, i.e., does not begin with a /, it is considered to be relative to the directory defined in the %directory directive.
%directory pathname
Defines the directory where the include files are stored. When it is used, gated looks in the directory identified by pathname for any include file that does not have a fully qualified filename.
Unless you have a very complex routing configuration, avoid using include files. In a complex environment, segmenting a large configuration into smaller, more easily understood segments can be helpful, but most gated configurations are very small. One of the great advantages of gated is that it combines the configuration of several different routing protocols into a single file. If that file is small and easy to read, segmenting the file unnecessarily complicates things.
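As an added illustration (not a sample from the book), here is a small gated.conf that follows the statement order laid out in B.2 and pulls one protocol statement in through the directives described in B.3. Every address, AS number, path and file name in it is invented, and the pathnames are written as quoted strings, which is how gated's own manual shows them.

```gated
# gated.conf (added example; all names, paths and addresses are made up)
#
# Both comment styles are legal: "#" to end of line, or /* ... */.
# Statements end with ";" and related statements are grouped in { }.
# Directive (%) and traceoptions statements may appear anywhere; the
# remaining statement types must keep the order numbered below.

%directory "/etc/gated.d"      /* unqualified %include names are relative to this */

/* 1. options statements come first */
options noresolv ;             /* no DNS lookups: a dead resolver must not stall startup */

/* 2. interface statements */
interfaces {
    interface 172.16.12.2 passive ;
} ;

/* 3. definition statements */
autonomoussystem 64512 ;       /* private-use AS number, placeholder */
routerid 172.16.12.2 ;

/* 4. protocol statements: read from /etc/gated.d/rip.conf, resolved
      against %directory because the name does not start with "/" */
%include "rip.conf"

/* 5.-7. static, control and aggregate statements would follow, in that order */

# ---- contents of /etc/gated.d/rip.conf (the included file) ----
rip yes {
    interface 172.16.12.2 version 2 multicast ;
} ;
```

Because %include splices the file in at the point where it appears, the included protocol statement still has to land after the definition statements and before any static statements; moving the %include line earlier would produce the same out-of-order parse error as writing the rip statement there directly.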
B.4 Trace Statements
Trace statements allow you to control the trace file and its contents from within the gated.conf file.
The trace statement is:
traceoptions ["trace_file" [replace] [size bytes[k|m] files n]] [nostamp] trace_options [except trace_options] ;
Its components are as follows:
trace_file
Identifies the file that receives the trace output. It has exactly the same function as the trace_file argument on the gated command line.
replace
Replaces the existing trace file. If you do not use this keyword, the trace output is appended to the current contents of the file.
size bytes[k|m] [files n]
Limits the trace file to a maximum size of bytes. The optional k or m indicates thousands (k) or millions (m) of bytes. Thus 1000000 and 10m are equivalent entries. The size of the trace file cannot be less than 10k bytes. n defines the maximum number of trace files that should be saved. When the trace file reaches the maximum size, it is saved as trace_file.0, trace_file.1, trace_file.2 up to trace_file.n. The next save then overwrites trace_file.0. The value for n must be at least 2.
nostamp
Specifies that trace lines should not begin with a timestamp. Timestamping each line of trace data is the default.
trace_options
Define the events to be traced by gated. Each trace option is specified by a keyword name. The available trace options are:
state
Traces state machine transitions for protocols such as OSPF and BGP. The RFCs describe these protocols using finite state machine (FSM) diagrams or tables. The protocols transition from one state to another based on the occurrence of certain events. For example, the state might change from idle to connect when a connection open event occurs. This is a highly specialized trace flag, useful only to those who have a thorough understanding of the protocols involved. Use this option within the protocol statement to trace a specific protocol's transitions.
gated provides the flexibility for you to choose where you want to control tracing - on the command line or in the configuration file. By and large, the same trace options can be set on the gated command line or in the configuration file. detail, send and recv can be set only in the configuration file. Two others, symbols and iflist, are primarily used on the command line. Refer to the section on the gated command line for a description of setting trace options with -t.
Some trace options are only useful for protocol developers and other experts. For most of us, general, which enables normal and route tracing, is an appropriate level of information for debugging routing problems. Occasionally policy is useful for testing a routing policy. Most of the time, however, no tracing is needed.
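The following is an added example, not from the book, of the two places a traceoptions statement can live: once at file level, where it names the trace file and its rotation, and once inside a protocol statement, where the state option described above applies to that protocol only. The path and address are invented, and the surrounding ospf statement follows the syntax given in B.8.1.

```gated
# Added example: global trace statement plus a protocol-scoped one.
# The path and the interface address are made up.

# Start a fresh file instead of appending, cap it at 1 MB, keep at most
# three saved copies (gated.log.0, .1, .2), and trace the "general" set,
# i.e. normal plus route, the level the text recommends for debugging.
traceoptions "/usr/tmp/gated.log" replace size 1m files 3 general ;

# Trace OSPF state-machine transitions only.  "state" is placed inside the
# protocol statement so that it applies to OSPF and nothing else.
ospf yes {
    traceoptions state ;
    backbone {
        interface 172.16.12.2 {
            hellointerval 10 ;
        } ;
    } ;
} ;
```

With the size and files limits in place the file can no longer grow without bound, so the SIGUSR1 close-and-reopen procedure from B.1.1 is only needed when you want to move a trace file out of the way by hand.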
B.5 Options Statements
Options statements define parameters that direct gated to do special internal processing. Options statements appear before any other configuration statements in the gated.conf file.
The options statement syntax is:
options
[nosend]
[noresolv]
[gendefault [preference preference] [gateway gateway]]
[syslog [upto] log_level]
[mark time]
;
An options statement can contain:
nosend
Instructs the system not to send any packets. This option tests gated without actually sending out routing information. Use for RIP and HELLO. It is not yet implemented for BGP and is not useful for OSPF.
noresolv
Instructs the system not to use the Domain Name System (DNS) to resolve hostnames and addresses. DNS failures can cause gated to deadlock during startup. Use this to prevent deadlock.
gendefault [preference preference] [gateway gateway]
Generates a default route, with a preference of 20, when gated peers with an EGP or BGP neighbor. If gateway is not defined, the gateway in the generated route is the system itself; the default route is not installed in the kernel table; and it is used only to advertise this system as a default gateway. If gateway is specified, the default route is installed in the kernel table with the specified router as the next hop. This option can be overridden with the nogendefault option.
syslog [upto] log_level
Tells the system to use the setlogmask facility to control gated logging. See the setlogmask(3) manpage if this facility is available on your system.
mark time
Sends a periodic timestamp message to the trace file. time defines how frequently the timestamp should be issued. Use this to determine if gated is running.
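As an added example (not from the book), here are two alternative options statements for the same router, one for a dry run and one for production; a file contains only one of them. The difference that matters is the gateway keyword on gendefault, which decides whether the generated default route is merely advertised or also installed in the kernel. The router address is invented, and the log level name info is assumed to be one of the setlogmask(3) level names gated accepts.

```gated
# Added example: two alternative options statements (use one, not both).
# 172.16.12.1 is an invented address for the site's real default router.

# Dry run: compute RIP routes but put nothing on the wire.  Without
# "gateway", the generated default route names this host as the gateway,
# is NOT installed in the kernel table, and exists only to advertise this
# host as a default gateway once an EGP/BGP peer is up.
options
    nosend
    noresolv
    gendefault preference 20
    syslog upto info            # setlogmask(3): log everything up to LOG_INFO
    mark 300                    # timestamp the trace file every 300 seconds
    ;

# Production: nosend dropped.  With "gateway", the generated default route
# IS installed in the kernel, with 172.16.12.1 as the next hop.
options
    noresolv
    gendefault preference 20 gateway 172.16.12.1
    syslog upto info
    mark 300
    ;
```

The mark interval gives a cheap liveness check: if the timestamps in the trace file stop, gated has stopped, whatever the process table says.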
B.6 Interface Statements
An interface statement defines configuration options for the network interfaces. The interface_list identifies the interfaces affected by the configuration options. The interfaces in the list are identified by interface name (e.g., le0), by hostname, by IP address, or by the keyword all. The keyword all refers to every interface on the system. The interface name can refer to a single interface or a group of interfaces. For example, an interface name of eth0 refers to the interface eth0, whereas the name le refers to all installed interfaces that start with the letters le (which might include le0, le1, and le2). A hostname can be used if it resolves to only one address.
Most system administrators prefer to use the IP address to identify an interface. After all, IP addresses are inherently a part of TCP/IP, and it's TCP/IP routing that this file configures. Additionally, remote systems know this interface by its IP address, not its interface name. Finally, DNS may provide more than one address for a hostname, and future UNIX operating systems may allow more than one address per interface. IP addresses are safest.
gated supports four types of interfaces: loopback, broadcast, point-to-point, and non-broadcast multi-access (NBMA). All of these are discussed in the text of this book except for NBMA. It is a multi-access interface, but the underlying network is not capable of broadcast. Examples are frame relay and X.25.
gated ignores any interface in the list that has an invalid local, remote, or broadcast address, or an invalid subnet mask. gated also ignores a point-to-point interface that has the same local and remote addresses. gated assumes that interfaces that are not marked UP by the kernel do not exist.
The syntax of the interfaces statement is:
strictinterfaces
Generates a fatal error if an interface is referenced in the configuration file that is not found when gated scans the kernel at startup and is not listed in a define statement. (See the define option later in this section.) Normally a warning message is issued and gated continues running.
scaninterval time
Specifies how often gated scans the kernel interface list for changes. The default is every 15 seconds on most systems, and 60 seconds on systems that pass interface status changes through the routing socket, e.g., BSD 4.4. Note that gated also scans the interface list on receipt of a SIGUSR2.
The interface command defines the interface_list and all of the options that affect the specified interfaces. Options available on this statement are:
preference preference
Sets the preference for this interface. The value preference is a number between 0 and 255. gated prefers routes through interfaces with low preference numbers. The default preference for all directly attached network interfaces is 0.
down preference preference
Sets the preference used when gated believes an interface is not functioning properly. The default is 120.
passive
Prevents gated from downgrading the preference of the interface when it is not functioning properly. gated assumes that an interface is down when it stops receiving routing information through that interface. gated only performs this check if the interface is actively participating in a routing protocol.
simplex
Specifies that gated should not use packets generated by this system as an indication that the interface is functioning properly. Only packets from remote systems are used to indicate that the interface is operating.
reject | blackhole
Either of these keywords identifies the interface as the "blackhole interface" used to install rejected routes in the kernel. (See the control statements for more about rejected routes.) This is available only on BSD systems that have installed a reject/blackhole pseudo-interface.
The define address command lists interfaces that might not be present when gated scans the kernel interface list at startup. It overrides the strictinterfaces option for the interface defined by address. Possible options for the define command are:
broadcast address
Defines the broadcast address.
pointopoint address
Defines the local address for a point-to-point interface. (See Chapter 6, Configuring the
the define statement specifies the address of the remote host, and the address specified after the pointopoint keyword defines the local address. Don't use both broadcast and pointopoint in the same define.
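The following is an added example, not from the book, of a complete interfaces statement that uses the options, interface and define clauses described in this section together. The addresses are invented, and the outer layout (an interfaces { } ; block containing an options line, interface lines and a define line) is taken from gated's own documentation rather than from this page, which lost the syntax summary.

```gated
# Added example: an interfaces statement.  Addresses are made up; the
# "interfaces { options ... ; interface ... ; define ... ; } ;" layout is
# assumed from gated's documentation, not shown on this page.
interfaces {
    # Fail at startup if a configured interface is missing from the kernel
    # scan (instead of just warning), and re-scan the kernel list every
    # 30 seconds rather than the 15-second default.
    options strictinterfaces scaninterval 30 ;

    # LAN side: best possible preference, and never marked down merely
    # because routing updates stop arriving on it.
    interface 172.16.12.2 preference 0 passive ;

    # Serial side: only packets from the far end count as proof that the
    # link works, and routes through it drop to preference 200 (instead of
    # the default 120) while gated believes the link is down.
    interface 172.16.1.5 simplex down preference 200 ;

    # A point-to-point link that may not exist yet when gated starts:
    # declare it so that strictinterfaces does not abort on it.  The
    # address after "define" is the remote host; the address after
    # "pointopoint" is the local end, matching the interface line above.
    define 172.16.1.6 pointopoint 172.16.1.5 ;
} ;
```

strictinterfaces turns a silent misconfiguration (a mistyped address that matches no interface, which gated would otherwise just warn about and ignore) into a hard failure at startup, which is usually what you want on a router whose configuration is managed carefully.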
B.7 Definition Statements
Definition statements are general configuration statements that relate to more than one protocol. Definition statements must appear before any protocol statements in gated.conf. The three definition statements are:
autonomoussystem asn [loops n] ;
Defines the autonomous system number (asn) used by BGP or EGP. The loops number defines the number of times this autonomous system may appear in an AS path for path vector protocols, such as BGP. The default value for n is 1.
routerid address ;
Defines the router identifier used by BGP and OSPF. Use the address of your primary OSPF or BGP interface. By default, gated uses the address of the first interface it encounters.
martians {
host address [allow];
address [mask mask | masklen number] [allow] ;
default [allow] ;
} ;
Changes the list of addresses about which all routing information is ignored. Sometimes a misconfigured system sends out obviously invalid destination addresses. These invalid addresses, called martians, are rejected by the routing software. This command allows changes to the list of martian addresses. A martian address can be specified as a host address by using the host keyword before the address, or as a network address by simply specifying the address.
An address mask can be defined for a network address. The mask can be defined in dotted decimal notation using the mask keyword or as a numeric prefix length using the masklen keyword. The address masks mask 255.255.0.0 and masklen 16 are equivalent. If no address mask is specified, the natural mask is used. Specifying an address in the martians statement adds the address to the martians list. The allow keyword is used to remove an address from the martians list. When an address is removed from the martians list, it then becomes a valid address for routing.
gated contains a standard martian list of addresses that are known to be invalid. This is the default martian list. The option default allow removes all of the standard entries from the martians list and permits unrestricted routing. Don't do this if you're on a connected network.
Here is a sample of each definition statement:
The statements in the sample perform the following functions:
● The autonomoussystem statement tells gated to use AS number 249 for its BGP or EGP packets.
● The routerid statement tells gated to use 172.16.12.2 as the router identifier for OSPF and BGP.
● The martians statement prevents routes to 0.0.0.26 from being included in the table, but it allows routes to the private IP addresses in the range 192.168.0.0 to 192.168.255.255.
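The sample that the list above describes is missing from this copy of the page. The following is a reconstruction added here from that description, not the book's own text; it uses exactly the values the list names and the syntax given for each statement earlier in this section.

```gated
# Reconstructed definition statements (added here; the book's sample is
# missing from this copy).  Values are the ones the list above names.
autonomoussystem 249 ;               # AS number used in BGP/EGP packets
routerid 172.16.12.2 ;               # router identifier for OSPF and BGP
martians {
    host 0.0.0.26 ;                  # add this bogus host address to the martian list
    192.168.0.0 masklen 16 allow ;   # remove 192.168.0.0/16 (private space) from the list
} ;
```

The two martians entries pull in opposite directions: an address without allow is added to the list and its routes are discarded, while allow removes an address from the list so routes to it are accepted again. Note that the allow entry only reopens the 192.168.0.0/16 block; the rest of the default martian list, including the default allow escape hatch the text warns against, is untouched.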
B.8 Protocol Statements
B.8.1 The ospf Statement
ospf yes | no | on | off [{
backbone | area number {
authtype 0 | 1 | none | simple ;
stub [cost cost] ;
networks {
address [mask mask |masklen number] [restrict] ;
host address [restrict] ; } ;
stubhosts {
address cost cost ; } ;
interface interface_list [nonbroadcast] [cost cost] {
pollinterval time ;
routers {
address [eligible] ; } ;
interface_parameters } ;
virtuallink neighborid router_id transitarea area {
interface_parameters } ;
} ;
} ] ;
The ospf statement enables or disables the Open Shortest Path First (OSPF) routing protocol. By default, OSPF is disabled. It is enabled by specifying yes or on (it doesn't matter which you use) and it is disabled with no or off.
NOTE: For the sake of brevity, this text explains only the first occurrence of any gated.conf parameter if it is used the same way in subsequent commands. Only differences between commands are explained. For example, yes | no | on | off is not explained again, because it is always used in the same way to enable or disable a
routes from external autonomous systems. See the description of OSPF in Chapter 7.
preference preference
Defines the preference of OSPF ASE routes. The default is 150.
cost cost
Defines the cost used when advertising a non-OSPF route in an ASE. The default is 1.
tag [as] tag
Defines the OSPF ASE tag value. The tag is not used by the OSPF protocol, but may be used by an export policy to filter routes. (See the export statement later in this appendix.) When the as keyword is specified, the tag field may contain AS path information.
type 1 | 2
Defines the type of ASE used. The default is type 1. Type 1 contains routes learned from an external protocol that provides a metric directly comparable to the OSPF metric. The metric is added to the cost of reaching the border router when routes are advertised. A type 2 ASE contains routes learned from an exterior gateway protocol that does not provide a routing metric comparable to the OSPF metric. These routes are advertised with the cost of reaching the border router. See Chapter 7.
exportlimit routes
Defines the maximum number of ASE LSAs that will be flooded at one time. The default is 100.
exportinterval time
Defines how frequently ASE link-state advertisements are flooded to the network. The default is once per second.
monitorauthkey key
Defines the password used for ospf_monitor queries. By default these queries are not authenticated. If monitorauthkey is specified, incoming queries must contain the specified password.
backbone | area number
Defines the OSPF area of which this router is a member. Every router must belong to an area. If more than one area is configured, at least one must be the backbone. The backbone is defined using the backbone keyword. All other areas are defined by the area keyword and the number of the area, e.g., area 1. See Chapter 7 for a discussion of OSPF areas. Several configuration parameters are associated with each area:
authtype 0 | 1 | none | simple
Specifies the authentication scheme used in this area. The authentication schemes can be defined by none or 0 for no authentication, or simple or 1 for password authentication. Each system in an area must use this same authentication scheme.
stub [cost cost]
Specifies that this is a stub area. A stub area is one in which there are no ASE routes. If a cost is specified, it is used to advertise a default route into the stub area.
networks
address, or as a network address by simply specifying the address. An address mask can be defined for a network address. The mask can be defined in dotted decimal notation using the mask keyword or as a numeric prefix length using the masklen keyword. The address masks mask 255.255.0.0 and masklen 16 are equivalent. If no address mask is specified, the natural mask is used. This option can reduce the amount of routing information propagated between areas.
stubhosts
Lists the directly attached hosts, and their costs, that should be advertised as reachable from this router. List point-to-point interfaces here.
interface interface_list [nonbroadcast] [cost cost]
Defines the interfaces used by OSPF. If the keyword nonbroadcast is specified, the interface connects to a non-broadcast multi-access (NBMA) network. If nonbroadcast is not used, the interface connects to a broadcast or a point-to-point network. Specify the cost of the interface with the cost keyword, e.g., cost 5. The default cost is 1. Two options are specific to NBMA interfaces:
pollinterval time
Defines the time interval at which OSPF HELLO packets are sent to neighbors.
routers
Lists all neighbors by address. The eligible keyword indicates if the neighbor can become a designated router.
Point-to-point interfaces have one additional parameter:
nomulticast
Forces gated to unicast OSPF packets over this interface. By default, OSPF packets to neighbors on point-to-point interfaces are sent via the IP multicast mechanism. Use this option if the remote neighbor does not support multicasting.
All interfaces - NBMA, point-to-point, and broadcast - can use these parameters:
for a discussion of designated routers.
hellointerval time ;
Defines the number of seconds between transmissions of HELLO packets.
routerdeadinterval time ;
Defines the timeout before a neighbor is declared down. time is the maximum number of seconds this router will wait for a neighbor's Hello packet.
authkey key ;
Defines a key used to authenticate OSPF packets. The key is specified as one to eight decimal digits separated by periods, a one- to eight-byte hexadecimal string preceded by 0x, or a one- to eight-character string in double quotes.
virtuallink neighborid router_id transitarea area
Defines a virtual link for the backbone area. The router_id is the router identifier of the remote router at the other end of the virtual link. The transit area must be one of the other areas configured on this system. All standard interface parameters defined above may be specified on a virtual link.
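As an added example (not from the book), here is an ospf statement for a router that sits in both the backbone and a stub area, exercising the area, interface and ASE parameters described above. Addresses, area number and the key are invented; the key is eight characters, the maximum the text allows for a quoted authkey. The defaults { } clause that holds the ASE parameters (preference, cost, tag, type) is assumed from gated's documentation, since its header is missing from this copy of the page.

```gated
# Added example: an ospf statement.  Addresses, the area number and the
# key are made up; the "defaults" clause is assumed from gated's docs.
ospf yes {
    defaults {
        type 2 ;                    # ASEs carry only the cost of reaching this router
        tag 100 ;                   # lets an export policy single out these ASEs
    } ;
    exportlimit 50 ;                # flood at most 50 ASE LSAs at a time (default 100)

    backbone {
        authtype simple ;           # every router in the area must use the same scheme
        interface 172.16.12.2 {
            authkey "NOTREAL1" ;    # placeholder; simple auth sends this in the clear,
                                    # so it guards against mis-wired neighbors, not forgery
            hellointerval 10 ;
            routerdeadinterval 40 ; # four missed Hellos before a neighbor is declared down
        } ;
    } ;

    area 1 {
        stub cost 5 ;               # no ASEs here; advertise a default route at cost 5
        authtype none ;
        interface 172.16.1.5 cost 10 {
            nomulticast ;           # the peer on this point-to-point link cannot receive multicast
        } ;
    } ;
} ;
```

routerdeadinterval should be a small multiple of hellointerval on every router in the area; the pair shown here (10 and 40) is the common choice, and mismatched timers are a frequent reason two routers that share a link never form an adjacency.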
B.8.2 The rip Statement
rip yes | no | on | off [ {
[version 1 | 2 [multicast | broadcast]]
[[secondary] authentication [none | [simple | md5 password]] ;
broadcast ;
Forces gated to broadcast RIP update packets even if the system has only one network interface. By default, RIP updates are not broadcast if the system has only one network interface and are broadcast if it has more than one network interface; i.e., hosts do not broadcast updates and routers do.
nobroadcast ;
Forces gated to not broadcast RIP update packets even if the system has more than one network interface. If a sourcegateways clause is present, routes are still unicast directly to that gateway. See sourcegateways later in this section.
nocheckzero ;
Specifies that gated should not reject incoming version 1 RIP packets where the reserved fields are 0. Rejecting those packets is standard practice.
preference preference ;
Sets the gated preference for routes learned from RIP. The default preference for these routes is 100.
defaultmetric metric ;
Defines the metric used when advertising routes via RIP that were learned from other protocols. The default metric is 16, which to RIP indicates an unusable route. This means that by default, routes learned from other protocols are not advertised as valid routes by RIP.
query authentication [none | [simple | md5 key]] ;
Specifies the authentication used for non-router query packets. The default is none. If simple is specified, the key is a 16-byte password. If md5 is specified, the key is a 16-byte value used with the packet contents to generate a Message Digest 5 cryptographic checksum.
noripout
Tells the system not to send RIP packets out this interface. The default is to send RIP on all broadcast and non-broadcast interfaces when in broadcast mode. See the nobroadcast option defined earlier in this list.
metricout metric
Specifies the RIP metric added to routes sent out this interface. The default is 0. This option can only increase the metric.
version 1 | 2 [multicast | broadcast]
Identifies the version of RIP used for updates sent out this interface. Available versions are RIP 1 and RIP 2. RIP 1 is the default. If RIP 2 is specified and IP multicast is supported, full version 2 packets are sent via multicast. If multicast is not available, version 1-compatible version 2 packets are sent via broadcast. The keyword multicast, the default, specifies this behavior. The keyword broadcast specifies that RIP version 1-compatible version 2 packets should be broadcast on this interface, even if IP multicast is available. Neither keyword is used with version 1.
[secondary] authentication [none | simple | md5 key]
Defines the RIP version 2 authentication used on this interface. The default authentication type is none. If simple is specified, the key is a 16-byte password. If md5 is specified, the key is a 16-byte value used with the packet contents to generate a Message Digest 5 cryptographic checksum. If secondary is specified, this defines the secondary authentication. Packets are always sent using the primary authentication technique. The secondary authentication type is defined only for incoming packets. Inbound packets are checked against both the primary and secondary authentication method before being discarded as invalid.
trustedgateways gateway_list ;
Defines the list of gateways from which RIP accepts updates. The gateway_list is simply a list of hostnames or IP addresses. By default, all gateways on the shared network are trusted to supply routing information. But if the trustedgateways statement is used, only updates from the gateways in the list are accepted.
sourcegateways gateway_list ;
Defines a list of gateways to which RIP sends packets directly. By default, RIP packets are broadcast or multicast to several systems on the shared network - but if this statement is used, RIP unicasts packets directly to the listed gateways.
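The following is an added example, not from the book, of a rip statement that combines the global options, the per-interface authentication clauses and the trustedgateways list described in this section, for a router in the middle of moving its LAN neighbors from simple to md5 authentication. Addresses are invented and the two 16-character strings stand in for real 16-byte keys.

```gated
# Added example (not from the book).  Addresses and keys are invented; the
# 16-character strings are placeholders for real 16-byte keys.
rip yes {
    broadcast ;                                  # send updates even if this host has only one interface
    preference 100 ;                             # preference for RIP-learned routes (the default)
    defaultmetric 5 ;                            # routes from other protocols go out at metric 5, not the unusable default of 16
    trustedgateways 172.16.12.1 172.16.12.3 ;    # updates from any other LAN router are ignored

    interface 172.16.12.2
        version 2 multicast                      # full RIP-2 packets via multicast when available
        authentication md5 "NOTREAL-16-BYTES"    # primary: used for every packet sent, and checked first on receipt
        secondary authentication simple "OLDKEY-16-BYTES!" ;  # inbound only: still admits neighbors not yet moved to md5

    interface 172.16.1.5 noripout ;              # never advertise over the stub link
} ;
```

The secondary clause is a migration aid: packets always go out with the primary (md5) method, and an inbound packet that fails md5 is then tried against the simple key. While it is present, a plain-text password still admits updates on that interface, so it should be deleted as soon as the last neighbor sends md5. trustedgateways narrows the attack surface in a different way: it decides whose updates are considered at all, independently of whether they authenticate.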
Traces any other type of RIP packet.
B.8.3 The hello Statement
hello yes | no | on | off [ {
The hello statement has basically the same options as the rip statement. The only command differences are the keywords nohelloin and nohelloout, but they perform the same function for Hello as noripin and noripout do for RIP.
The hello statement supports most of the standard trace options. In addition, the option packets can be specified to trace all HELLO packets.
B.8.4 The isis Statement
isis yes | no | dual | ip | iso {
The isis statement enables the IS-IS protocol. By default, it is disabled. The dual keyword enables IS-IS for both ISO and IP addressing. The ip keyword enables it for IP addressing and iso enables it for ISO addressing. The options that may appear in the isis statement are:
level
Indicates whether the router, called an intermediate system (IS) in OSI terminology, is a Level 1 (intra-area) or Level 2 (inter-area) IS. Default is Level 1.
traceoptions
Defines the IS-IS trace options. These are different from other gated trace options. The isis_traceoptions are: