Tables
Alexander V. Chernikov
melifaro at ipfw.ru
Tue Dec 6 09:13:04 CET 2011
Alexander V. Chernikov wrote:
> Alexander V. Chernikov wrote:
>> Pawel Tyll wrote:
>>>>> I would like to insert exported/imported prefixes to tables on
>>>>> FreeBSD, so I can easily and cheaply filter traffic on peer
>>>>> interfaces. Is there some facility in bird for this already? I didn't
>>>>> see anything like it in documentation.
>>>> Option: kernel table <number>
>>> I was talking about ipfw tables. Sorry for not being specific.
>> The "right" way is to write "firewall" protocol which can
>> insert/withdraw prefixes with optional constant (or filter-settable)
>> number. This is not so hard, btw (and I got one place where it is
>> definitely needed).
>
> If you're interested in testing, please take a look.
>
> This patch adds a new 'firewall' protocol. Only ipfw is supported at the
> moment. Per-prefix value cannot be set by filter now (this will change in
> the near future). Configuration:
>
> protocol firewall {
> table igpr;
> fwtype ipfw;
> fwtable "2";
> export all;
> flush;
> };
Oops. The previous patch is a bit broken.
>
> Options are self-explanatory. Flush clears the firewall table on protocol
> startup.
>
>
> Building:
>
> Patch bird sources, do 'autoconf' in bird directory.
> (E.g. make patch from port directory, (cd work/bird ; patch -p1 <
> path/to/patch ; autoconf)). Do make install
>
>
>> Various custom blackhole communities can be implemented this way, too
>
>
>
>> At the moment you can do 'birdc show route table XXX' | awk | sort >
>> file1, ipfw table YYY list | sort > file2, diff -u file1 file2 and do
>> ipfw add/del based on +- sign
>
>
>>> Cheers.
>>>
>>>
>>>
>
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-draft-support-for-firewall-protocol.patch
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20111206/d510d95c/attachment-0001.ksh>
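
The manual workaround quoted in the message above (dump the BIRD table, dump the ipfw table, compare, then add/delete), written out as a dry-run script. This is an added example, not part of the original message or the attached patch. It assumes the first column of `birdc show route` output is the prefix and that `ipfw table N list` prints `prefix value` lines; the function names are hypothetical, the sample data is constructed, and `comm` is used in place of `diff -u`.

```shell
#!/bin/sh
# Added example: plan (not apply) the ipfw table changes needed to match BIRD.
# Assumed input formats: see the constructed samples in demo() below.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# prefixes: read tool output on stdin, keep only first fields that are strictly
# an IPv4 prefix. This drops banners and continuation lines, and keeps anything
# unexpected out of the generated commands.
prefixes() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1 }' | sort -u
}

# plan_sync TABLE WANT_FILE HAVE_FILE: print the commands; nothing is executed.
plan_sync() {
    comm -23 "$2" "$3" | sed "s|^|ipfw table $1 add |"      # in BIRD, not in ipfw
    comm -13 "$2" "$3" | sed "s|^|ipfw table $1 delete |"   # in ipfw, not in BIRD
}

# demo: run the planner over constructed sample output for ipfw table 2.
demo() {
    tmp=$(mktemp -d) || return 1
    prefixes > "$tmp/want" <<'EOF'
BIRD 1.x.y ready.
10.1.0.0/16        via 192.0.2.1 on em0 [ospf1 09:00] * I (150/20)
                   via 192.0.2.5 on em1 [ospf1 09:00] I (150/30)
198.51.100.0/24    via 192.0.2.1 on em0 [ospf1 09:00] * I (150/20)
EOF
    prefixes > "$tmp/have" <<'EOF'
10.1.0.0/16 0
203.0.113.0/24 0
EOF
    plan_sync 2 "$tmp/want" "$tmp/have"
    rm -rf "$tmp"
}
demo
```

On a live system the two input files would come from `birdc show route table igpr | prefixes` and `ipfw table 2 list | prefixes`; review the printed commands before running them.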