From 083f6d03ebda1582317463c9a5862ab5cefc6d19 Mon Sep 17 00:00:00 2001
From: Simon Marsh
Date: Mon, 22 Apr 2019 21:06:29 +0100
Subject: [PATCH] Don't emit ROA rules if the prefix length is greater than the MaxLen defined in filter{,6}.txt
---
 roaapi.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/roaapi.go b/roaapi.go
index fa5fbc9..94d85b8 100644
--- a/roaapi.go
+++ b/roaapi.go
@@ -361,6 +361,7 @@ func (roa *ROA) CompileROA(registry *Registry,
 continue
 }

+ // don't allow routes that are denied in the filter rules
 if filter.Action == "deny" {
 log.WithFields(log.Fields{
 "object": object.Ref,
@@ -370,10 +371,21 @@ func (roa *ROA) CompileROA(registry *Registry,
 continue
 }

- // calculate the max-length for this object
-
 mlen := filter.MaxLen

+ // if the prefix is greater than the filter.MaxLen
+ // then don't emit an ROA route (making the route invalid)
+ if ones, _ := pnet.Mask.Size(); ones > int(mlen) {
+ log.WithFields(log.Fields{
+ "object": object.Ref,
+ "prefix": prefix,
+ "filter": filter.Prefix,
+ }).Debug("Defined ROA: Prefix > filter MaxLen")
+ continue
+ }
+
+ // calculate the max-length for this object
+
 // check if the attribute has max-length defined
 mattrib := mlenIX.Objects[object]
 if mattrib != nil {
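Review bot: The new comment above `if ones, _ := pnet.Mask.Size(); ones > int(mlen) {` states that omitting the ROA makes the route invalid, but under RFC 6811 origin validation a prefix with no covering ROA is NotFound rather than Invalid, so the omission only blocks the route on consumers that reject everything that is not Valid, or where a shorter covering ROA exists. I would reword the second comment line to `// then don't emit an ROA entry: the route is NotFound, or Invalid if a covering ROA exists`. The skip is also logged without the two values compared; adding `"maxlen": mlen,` to the `log.Fields` would let an operator audit a dropped prefix from the log alone. CompileROA begins and ends outside this hunk, so whether the max-length attribute read below is checked against the prefix length in the same way cannot be seen here.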