Hi list, I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation. Cheers.
On 2011-12-04 03:25, Pawel Tyll wrote:
Hi list,
I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation.
Cheers.
Option: kernel table <number> at http://bird.network.cz/?get_doc&f=bird-6.html#ss6.4
I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation.
Option: kernel table <number>
I was talking about ipfw tables. Sorry for not being specific.
Cheers.
Pawel Tyll wrote:
I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation.
Option: kernel table <number>
I was talking about ipfw tables. Sorry for not being specific.
The "right" way is to write a "firewall" protocol which can insert/withdraw prefixes with an optional constant (or filter-settable) number. This is not so hard, btw (and I got one place where it is definitely needed).
Various custom blackhole communities can be implemented this way, too.
At the moment you can do 'birdc show route table XXX' | awk | sort > file1, ipfw table YYY list | sort > file2, diff -u file1 | file2 and do ipfw add/del based on +- sign.
Cheers.
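The manual birdc / ipfw / diff workflow described above, as an added shell example (not code from the thread or from BIRD): it takes the raw 'birdc show route table' output and the 'ipfw table N list' output, computes the same set difference that the +/- lines of diff would show, and prints the ipfw add/delete commands for review instead of running them. Both sample outputs are constructed, and the column layouts of the two tools (prefix in the first field) are assumptions.

```shell
#!/bin/sh
# Added example: derive the ipfw add/delete commands that bring an ipfw table in
# line with a BIRD routing table. Commands are printed for review, not executed.

# Constructed sample output of 'birdc show route table igpr' (assumed BIRD 1.x
# layout: the prefix is the first field; extra paths are continuation lines
# starting with 'via').
BIRD_ROUTES='BIRD ready.
10.0.0.0/24        via 192.0.2.1 on em0 [peer1 12:00:00] * (100) [AS65001i]
192.0.2.0/24       via 192.0.2.1 on em0 [peer1 12:00:00] * (100) [AS65001i]
                   via 192.0.2.2 on em1 [peer2 12:00:00] (100) [AS65002i]
198.51.100.0/24    via 192.0.2.1 on em0 [peer1 12:00:00] * (100) [AS65001i]'

# Constructed sample output of 'ipfw table 2 list' (assumed layout: prefix, value).
IPFW_TABLE='10.0.0.0/24 0
203.0.113.0/24 0'

# sync_commands TABLE BIRD_OUTPUT IPFW_OUTPUT
# Prints one 'ipfw table TABLE add|delete PREFIX' line per difference, sorted.
sync_commands() {
    table=$1
    {
        # Tag each prefix with its origin: D = desired (BIRD), C = current (ipfw).
        # Only first fields that look like a prefix (contain '/') are kept, which
        # drops the "BIRD ready." banner, 'via' continuation lines and any header.
        printf '%s\n' "$2" | awk '$1 ~ /\// { print "D", $1 }'
        printf '%s\n' "$3" | awk '$1 ~ /\// { print "C", $1 }'
    } | awk -v t="$table" '
        $1 == "D" { desired[$2] = 1 }
        $1 == "C" { current[$2] = 1 }
        END {
            for (p in desired) if (!(p in current)) print "ipfw table " t " add " p
            for (p in current) if (!(p in desired)) print "ipfw table " t " delete " p
        }' | sort
}

# Run on the constructed samples; pipe the output to sh once it has been reviewed.
sync_commands 2 "$BIRD_ROUTES" "$IPFW_TABLE"
```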
Alexander V. Chernikov wrote:
Pawel Tyll wrote:
I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation.
Option: kernel table <number>
I was talking about ipfw tables. Sorry for not being specific.
The "right" way is to write a "firewall" protocol which can insert/withdraw prefixes with an optional constant (or filter-settable) number. This is not so hard, btw (and I got one place where it is definitely needed).
If you're interested in testing, please take a look.
This patch adds a new 'firewall' protocol. ipfw is supported at the moment only. Per-prefix value cannot be set by filter now (this will change in the near future).
Configuration:
protocol firewall {
    table igpr;
    fwtype ipfw;
    fwtable "2";
    export all;
    flush;
};
Options are self-explaining. Flush clears the firewall table on protocol startup.
Building:
Patch bird sources, do 'autoconf' in the bird directory (e.g. 'make patch' from the port directory, then 'cd work/bird ; patch -p1 < path/to/patch ; autoconf'). Do 'make install'.
Various custom blackhole communities can be implemented this way, too.
At the moment you can do 'birdc show route table XXX' | awk | sort > file1, ipfw table YYY list | sort > file2, diff -u file1 | file2 and do ipfw add/del based on +- sign.
Cheers.
Alexander V. Chernikov wrote:
Alexander V. Chernikov wrote:
Pawel Tyll wrote:
I would like to insert exported/imported prefixes to tables on FreeBSD, so I can easily and cheaply filter traffic on peer interfaces. Is there some facility in bird for this already? I didn't see anything like it in the documentation.
Option: kernel table <number>
I was talking about ipfw tables. Sorry for not being specific.
The "right" way is to write a "firewall" protocol which can insert/withdraw prefixes with an optional constant (or filter-settable) number. This is not so hard, btw (and I got one place where it is definitely needed).
If you're interested in testing, please take a look.
This patch adds a new 'firewall' protocol. ipfw is supported at the moment only. Per-prefix value cannot be set by filter now (this will change in the near future).
Configuration:
protocol firewall {
    table igpr;
    fwtype ipfw;
    fwtable "2";
    export all;
    flush;
};
Oops. Previous patch is a bit broken.
Options are self-explaining. Flush clears the firewall table on protocol startup.
Building:
Patch bird sources, do 'autoconf' in the bird directory (e.g. 'make patch' from the port directory, then 'cd work/bird ; patch -p1 < path/to/patch ; autoconf'). Do 'make install'.
Various custom blackhole communities can be implemented this way, too.
At the moment you can do 'birdc show route table XXX' | awk | sort > file1, ipfw table YYY list | sort > file2, diff -u file1 | file2 and do ipfw add/del based on +- sign.
Cheers.
participants (3)
- Alexander V. Chernikov
- Marek Wajdzik
- Pawel Tyll