Tables

Alexander V. Chernikov melifaro at ipfw.ru
Tue Dec 6 09:13:04 CET 2011


Alexander V. Chernikov wrote:
> Alexander V. Chernikov wrote:
>> Pawel Tyll wrote:
>>>>> I would like to insert exported/imported prefixes to tables on
>>>>> FreeBSD, so I can easily and cheaply filter traffic on peer
>>>>> interfaces. Is there some facility in bird for this already? I didn't
>>>>> see anything like it in documentation.
>>>> Option: kernel table <number>
>>> I  was  talking  about  ipfw  tables. Sorry for not being specific.
>> The "right" way is to write a "firewall" protocol which can
>> insert/withdraw prefixes with an optional constant (or filter-settable)
>> number. This is not so hard, btw (and I got one place where it is
>> definitely needed).
> 
> If you're interested in testing, please take a look.
> 
> This patch adds a new 'firewall' protocol. Only ipfw is supported at the
> moment. Per-prefix value cannot be set by filter now (this will change in
> the near future). Configuration:
> 
> protocol firewall {
>         table igpr;
>         fwtype ipfw;
>         fwtable "2";
>         export all;
>         flush;
> };
Oops. Previous patch is a bit broken.

> 
> Options are self-explanatory. Flush clears the firewall table on protocol
> startup.
> 
> 
> Building:
> 
> Patch bird sources, do 'autoconf' in bird directory.
> (E.g. make patch from port directory, (cd work/bird ; patch -p1 <
> path/to/patch ; autoconf)). Do make install
> 
> 
>> Various custom blackhole communities can be implemented this way, too
> 
> 
> 
>> At the moment you can do 'birdc show route table XXX' | awk | sort >
>> file1, ipfw table YYY list | sort > file2, diff -u file1 | file2 and do
>> ipfw add/del based on +- sign
> 
> 
>>> Cheers.
>>>
>>>
>>>
> 
> 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-draft-support-for-firewall-protocol.patch
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20111206/d510d95c/attachment-0001.ksh>
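
The interim approach quoted in the message above (dump the BIRD table and the ipfw table, sort both, diff, then add/delete by sign) can be sketched as follows. This is an added example, not part of the original message or of the attached patch. The function names are hypothetical, the two output formats are assumptions (prefix as the first field of each route or table line, IPv4 only), and the sample data is constructed. The script only prints the ipfw commands; it does not run them.

```shell
#!/bin/sh
# Added example: reconcile an ipfw table against a BIRD routing table.

# Extract IPv4 prefixes (first field) from a saved listing, sorted and unique.
# Header lines and continuation lines ("via ...") do not match and are skipped.
prefixes() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1 }' "$1" |
        LC_ALL=C sort -u
}

# $1 = saved 'birdc show route table XXX' output
# $2 = saved 'ipfw table YYY list' output
# $3 = ipfw table number
sync_commands() {
    want=$(mktemp); have=$(mktemp)
    prefixes "$1" > "$want"
    prefixes "$2" > "$have"
    # Only in BIRD: must be added. Only in ipfw: stale, must be deleted.
    LC_ALL=C comm -23 "$want" "$have" | sed "s|^|ipfw table $3 add |"
    LC_ALL=C comm -13 "$want" "$have" | sed "s|^|ipfw table $3 delete |"
    rm -f "$want" "$have"
}

# Constructed sample input (documentation address ranges, assumed formats).
demo() {
    d=$(mktemp -d)
    cat > "$d/bird" <<'EOF'
BIRD ready.
192.0.2.0/24       via 198.51.100.1 on em0 [bgp1 09:00] * (100) [AS64500i]
203.0.113.0/24     via 198.51.100.1 on em0 [bgp1 09:00] * (100) [AS64501i]
                   via 198.51.100.9 on em1 [bgp2 09:01] (100) [AS64501i]
EOF
    cat > "$d/ipfw" <<'EOF'
192.0.2.0/24 0
198.18.0.0/15 0
EOF
    sync_commands "$d/bird" "$d/ipfw" 2
    rm -rf "$d"
}

demo
```

Review the printed commands before piping them to sh; an empty or truncated BIRD dump would otherwise turn into a delete for every entry in the table.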

