Update: Went ahead and implemented the standard communities except redirect. The rate limiter could probably be faster, and could support more than a one-packet burst, but it all seems to work. One other comment, the NET_FLOW type docs (copied below) seem to indicate that I should be able to do net.src... or net.dst... in a filter importing a flowspec rule, but BIRD seems to refuse to allow that. Matt
NET_FLOW4 and NET_FLOW6 hold an IP prefix together with a flowspec rule. Filters currently do not support much flowspec parsing, only .src and .dst operators to get source and destination parts of the flowspec as separate NET_IP4 / NET_IP6 values.
On 4/5/21 14:45, Matt Corallo wrote:
Replies to both responses.
On 4/5/21 05:04, Maria Matejka wrote:
Hello!
On 4/4/21 6:18 PM, Matt Corallo wrote:
For context, I'm currently writing a birdc-flowspec -> XDP parser/transpiler, so exact formal grammar and behavior is important :). You can find it at https://github.com/TheBlueMatt/flowspec-xdp.
Would you benefit from having Python API in BIRD, getting the flowspec rules as proper objects?
Hmm, probably, I guess? It's not really that hard to parse the birdc output as long as I figure out the exact semantics to convert a X-match string into an AST. Putting in the work to write a whole Python API sounds like more work than it's worth, but, hey, if you build it, I'll use it :)
It currently only supports drop/pass, however, and doesn't parse the action communities as it doesn't appear BIRD supports them? The RFC indicates extended community types in the 0x800X range, but BIRD appears to only support rt/ro. I may be missing something entirely obvious here, though.
I remember coding something around that, anyway I don't remember whether we actually merged it. Will look for that.
See below from Tim - (generic, X, Y). I do not believe this is documented anywhere.
On 4/5/21 03:49, Tim Weippert wrote:
You can add the extended communities via generic extended community in bird:
bgp_ext_community.add( (generic, 0x80060000, 0x00000000 ) );
the output in birdc will look like:
flow4 { dst 203.0.113.53/32; src 198.51.100.10/32; } [S_FLOWSPEC_v4 07:48:34.659] * (200) Type: static univ BGP.ext_community: (generic, 0x80060000, 0x0)
Thanks! Will update to at least do rate limiting by maps this week/weekend.
Matt
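As an added example (not code from the thread or from the flowspec-xdp project), the following Python snippet shows the parsing step the thread discusses: it takes the birdc output line Tim quoted, splits the flow4 rule into its dst/src components, and decodes the (generic, X, Y) extended community into the RFC 5575 action it encodes. Tim's example (generic, 0x80060000, 0x0) is a traffic-rate community with AS 0 and a rate of 0 bytes/s, i.e. drop. The decoder goes beyond the page's single example and handles all four RFC 5575 action types (traffic-rate 0x8006, traffic-action 0x8007, redirect 0x8008, traffic-marking 0x8009); the sample line and the extra communities in the usage call are constructed for the example, and the function names are my own.

```python
import re
import struct

# Constructed sample: the birdc line quoted in the thread.
SAMPLE_LINE = ("flow4 { dst 203.0.113.53/32; src 198.51.100.10/32; } "
               "[S_FLOWSPEC_v4 07:48:34.659] * (200) Type: static univ "
               "BGP.ext_community: (generic, 0x80060000, 0x0)")

# RFC 5575 traffic-action extended community types (2-byte type field).
FLOWSPEC_EC_TYPES = {
    0x8006: "traffic-rate",
    0x8007: "traffic-action",
    0x8008: "redirect",
    0x8009: "traffic-marking",
}


def parse_flow4(line):
    """Return the 'flow4 { ... }' components as a dict, e.g. {'dst': ..., 'src': ...}."""
    m = re.search(r"flow4\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("no flow4 rule found in line")
    rule = {}
    for component in m.group(1).split(";"):
        component = component.strip()
        if not component:
            continue
        key, _, value = component.partition(" ")
        rule[key] = value.strip()
    return rule


def parse_generic_ext_communities(line):
    """Return [(hi32, lo32), ...] for every '(generic, X, Y)' in the line."""
    pattern = r"\(generic,\s*(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\s*\)"
    return [(int(hi, 16), int(lo, 16)) for hi, lo in re.findall(pattern, line)]


def decode_flowspec_ec(hi, lo):
    """Decode one generic extended community (BIRD's two 32-bit halves) as an
    RFC 5575 flowspec action. The 8-byte wire form is type(2) + value(6)."""
    raw = struct.pack("!II", hi, lo)
    ec_type = struct.unpack("!H", raw[0:2])[0]
    kind = FLOWSPEC_EC_TYPES.get(ec_type, "unknown")
    if kind == "traffic-rate":
        # value = 2-byte AS + 4-byte IEEE float rate in bytes/second; 0 means drop
        asn, rate = struct.unpack("!Hf", raw[2:8])
        return {"type": kind, "as": asn, "rate_bytes_per_sec": rate,
                "action": "drop" if rate <= 0 else "rate-limit"}
    if kind == "traffic-action":
        # last byte: bit 47 (LSB) = terminal action, bit 46 = sample
        flags = raw[7]
        return {"type": kind, "terminal": bool(flags & 0x1),
                "sample": bool(flags & 0x2)}
    if kind == "redirect":
        # value is a route target in AS:number form
        asn, target = struct.unpack("!HI", raw[2:8])
        return {"type": kind, "route_target": f"{asn}:{target}"}
    if kind == "traffic-marking":
        # last byte carries the DSCP value (low 6 bits)
        return {"type": kind, "dscp": raw[7] & 0x3F}
    return {"type": kind, "ec_type": ec_type, "raw": raw.hex()}


def parse_birdc_line(line):
    """Combine the pieces: flow4 match components plus decoded actions."""
    return {
        "match": parse_flow4(line),
        "actions": [decode_flowspec_ec(hi, lo)
                    for hi, lo in parse_generic_ext_communities(line)],
    }


if __name__ == "__main__":
    print(parse_birdc_line(SAMPLE_LINE))
    # constructed extra communities: 1 MB/s limit from AS 1, and DSCP 46 marking
    print(decode_flowspec_ec(0x80060001, 0x49742400))
    print(decode_flowspec_ec(0x80090000, 0x0000002E))
```

The regex only handles the `(generic, X, Y)` form because that is what birdc prints for these communities; BIRD's own `rt`/`ro` forms are not flowspec actions and are left alone.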