Alexander V. Chernikov wrote:
> Pawel Tyll wrote:
>> I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in documentation.
>>
>>> Option: kernel table <number>
>>
>> I was talking about ipfw tables. Sorry for not being specific.
>
> The "right" way is to write "firewall" protocol which can insert/withdraw prefixes with optional constant (or filter-settable) number. This is not so hard, btw (and I got one place where it is definitely needed).
If you're interested in testing, please take a look. This patch adds a new 'firewall' protocol. ipfw is supported at the moment only. Per-prefix value cannot be set by filter now (this will change in the near future).

Configuration:

    protocol firewall {
        table igpr;
        fwtype ipfw;
        fwtable "2";
        export all;
        flush;
    };

Options are self-explaining. Flush clears the firewall table on protocol startup.

Building: Patch bird sources, do 'autoconf' in bird directory. E.g. make patch from port directory, then:

    (cd work/bird ; patch -p1 < path/to/patch ; autoconf)

Do make install.
Various custom blackhole communities can be implemented this way, too.
At the moment you can do:

    birdc show route table XXX | awk | sort > file1
    ipfw table YYY list | sort > file2
    diff -u file1 file2

and do ipfw add/del based on the +/- sign.
Cheers.
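The manual reconciliation loop described above (dump the BIRD table, dump the ipfw table, diff, add or delete by sign), written out as an added example script. It is not part of the patch or of the post; it prints the ipfw commands instead of executing them so the plan can be reviewed first. The table number 2 and every prefix in it are constructed for illustration, and the "igpr" table name is the one from the configuration in the post.

```shell
#!/bin/sh
# Added example, not code from the patch or the post: the manual reconciliation
# loop (dump BIRD table, dump ipfw table, diff, add/delete by sign) as a script
# that prints the ipfw commands instead of running them. The table number 2 and
# every prefix below are constructed; "igpr" is the BIRD table name used in the
# configuration earlier in the post.
set -eu

# Print the ipfw commands that make table $table contain exactly the prefixes
# listed in $wanted, given its current contents in $current. Both files hold
# one prefix per line and must be sorted (diff works line by line).
# Deletions are printed before additions so a stale entry is never left behind
# when the plan is applied top to bottom.
sync_cmds() {
    current=$1 wanted=$2 table=$3
    diff -u "$current" "$wanted" | awk -v t="$table" '
        /^[+][+][+]/ || /^---/ { next }     # unified-diff file headers
        /^-/   { print "ipfw table " t " delete " substr($0, 2) }
        /^[+]/ { adds[n++] = substr($0, 2) }
        END    { for (i = 0; i < n; i++) print "ipfw table " t " add " adds[i] }
    '
}

# Build two constructed prefix lists and print the resulting plan.
# In real use the lists would come from the commands in the post, e.g.
# (output formats assumed; check them against your BIRD and ipfw versions):
#   birdc show route table igpr | awk '/^[0-9]/ { print $1 }' | sort -u > bird.txt
#   ipfw table 2 list           | awk '{ print $1 }'          | sort -u > ipfw.txt
demo_plan() {
    dir=$(mktemp -d)
    printf '%s\n' 10.0.0.0/8 192.0.2.0/24 198.51.100.0/24 > "$dir/ipfw.txt"  # current
    printf '%s\n' 10.0.0.0/8 192.0.2.0/24 203.0.113.0/24  > "$dir/bird.txt"  # wanted
    sync_cmds "$dir/ipfw.txt" "$dir/bird.txt" 2
    rm -r "$dir"
}

# Review the plan first; apply it with:  demo_plan | sh
demo_plan
```

Running the script prints one `delete` for the prefix that is only in the ipfw table and one `add` for the prefix that is only in the BIRD table; with identical lists it prints nothing, which is the idempotent no-op case a cron-driven sync needs.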