Tables
Alexander V. Chernikov
melifaro at ipfw.ru
Tue Dec 6 09:07:04 CET 2011
Alexander V. Chernikov wrote:
> Pawel Tyll wrote:
>>>> I would like to insert exported/imported prefixes to tables on
>>>> FreeBSD, so I can easily and cheaply filter traffic on peer
>>>> interfaces. Is there some facility in bird for this already? I didn't
>>>> see anything like it in documentation.
>>> Option: kernel table <number>
>> I was talking about ipfw tables. Sorry for not being specific.
>
> The "right" way is to write "firewall" protocol which can
> insert/withdraw prefixes with optional constant (or filter-settable)
> number. This is not so hard, btw (and I got one place where it is
> definitely needed).
If you're interested in testing, please take a look.
This patch adds a new 'firewall' protocol. Only ipfw is supported at the
moment. The per-prefix value cannot be set by a filter now (this will change
in the near future). Configuration:

protocol firewall {
    table igpr;
    fwtype ipfw;
    fwtable "2";
    export all;
    flush;
};

Options are self-explanatory. Flush clears the firewall table on protocol
startup.

Building:
Patch the bird sources, then run 'autoconf' in the bird directory.
(E.g. 'make patch' from the port directory, then
(cd work/bird ; patch -p1 < path/to/patch ; autoconf).) Then do 'make install'.
>
> Various custom blackhole communities can be implemented this way, too
>
>
>
> At the moment you can do 'birdc show route table XXX' | awk | sort >
> file1, ipfw table YYY list | sort > file2, diff -u file1 | file2 and do
> ipfw add/del based on +- sign
>
>
>> Cheers.
>>
>>
>>
>
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-draft-support-for-firewall-protocol.patch
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20111206/925defec/attachment-0001.ksh>
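The interim approach quoted in the message (sort the BIRD route list and the ipfw table list, diff them, then add or delete by sign), written out as an added example; it is not part of the original message or of the attached patch. The function names, the assumed output layouts and the sample listings are constructed for illustration, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: compute the ipfw table changes needed to match BIRD's routes.
# Assumed input layouts (not taken from the original message):
#   birdc 'show route table X' -> prefix is field 1 of each primary route line
#   ipfw table N list          -> "prefix value", prefix is field 1

# Read either listing on stdin, keep only fields that look like prefixes.
prefixes() {
    awk '$1 ~ /^[0-9a-fA-F.:]+\/[0-9]+$/ { print $1 }' | LC_ALL=C sort -u
}

# table_sync_cmds TABLE WANT_FILE HAVE_FILE
# Print the commands that turn HAVE (current table) into WANT (BIRD routes).
table_sync_cmds() {
    table=$1 want=$2 have=$3
    case $table in ''|*[!0-9]*) echo "bad table number: $table" >&2; return 2 ;; esac
    # An empty route list usually means birdc failed, not that every prefix
    # was withdrawn; refuse to empty the filter table on that basis.
    [ -s "$want" ] || { echo "empty route list, not syncing" >&2; return 1; }
    # comm needs both inputs sorted in the same locale as prefixes() used.
    LC_ALL=C comm -13 "$have" "$want" | sed "s|^|ipfw table $table add |"
    LC_ALL=C comm -23 "$have" "$want" | sed "s|^|ipfw table $table delete |"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample of birdc output (documentation prefixes only).
    prefixes > "$dir/want" <<'EOF'
BIRD 1.3.4 ready.
192.0.2.0/24       via 10.0.0.1 on em0 [bgp1 09:00] * (100) [AS64500i]
198.51.100.0/24    via 10.0.0.1 on em0 [bgp1 09:00] * (100) [AS64500i]
                   via 10.0.0.2 on em1 [bgp2 09:01] (100) [AS64501i]
EOF
    # Constructed sample of 'ipfw table 2 list' output.
    prefixes > "$dir/have" <<'EOF'
192.0.2.0/24 0
203.0.113.0/24 0
EOF
    table_sync_cmds 2 "$dir/want" "$dir/have"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

On a live router the two input files would come from `birdc show route table XXX | prefixes` and `ipfw table YYY list | prefixes`, and the printed commands would be reviewed before being piped to `sh`.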