Implementing RTBH filtering / BGP tagging

Gregg Berkholtz gregg at
Tue Mar 20 00:59:59 CET 2012

In working to streamline our utilization of each upstream's RTBH filtering mechanisms (e.g. ), I'm having a heck of a time configuring BIRD to "mirror" Cisco product behaviors.

Here's the Cisco Way (where X.X.X.X is the ip to blackhole):
 conf t
 ip route X.X.X.X Null0
 router bgp YourAS
 network X.X.X.X mask route-map blackhole
 route-map blackhole permit 10
 set community 6939:666

What I believe needs to happen w/ BIRD, and the Linux Kernel route tables:
 1) Create and maintain a non-default Linux kernel route table, to accomplish blackholing at our gateways (working great). Also wanting to have BIRD monitor this non-default route table, and :666 tag+announce upstream any /32 entries within our

 2) BIRD imports the non-default kernel route table (seems to be working ok).

 3) For each "protocol bgp *Upstream*", use an export filter to identify and tag relevant "blackhole" route entries with a specific RTBH community (e.g. 6939:666)...this is what I'm struggling with.

While snippets are below, our entire bird.conf (minus comments) can be found at:

Here's my breakdown of what seems to be happening:
 1) Create/edit/update the non-default kernel route table (works great, the Linux kernel/route config drops this traffic without issue):
~$ sudo ip rule add from all table 10 priority 10; sudo ip route add blackhole table 10; .....

~$ sudo ip route show table 10  |wc -l

~$ sudo ip rule 
0:	from all lookup local 
10:	from all lookup 10 

 2) Read the non-default kernel route table (from bird.conf):
table blackroutes;
protocol kernel blackhole {
  table blackroutes;   # BIRD-side table that receives the kernel routes
  kernel table 10;     # non-default Linux table holding the blackhole routes
  scan time 10;
  import all;
  export all;
}

BIRD seems to import the non-default kernel table without issue:
~$ sudo birdc show protocols all |grep blackhole -C 10
blackhole Kernel   blackroutes up     Mar17       
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         454 imported, 0 exported, 454 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:           1363          0          0          0       1363
    Import withdraws:          909          0        ---          0        909
    Export updates:           1363       1363          0        ---          0
    Export withdraws:          909        ---        ---        ---          0

~$ sudo ip route show table 10  |wc -l


BTW: the bulk of our "blacklist" entries come from, although we only want to tag+announce what we control (e.g. /32's within

 3) Can't seem to figure out correct tagging method/commands (from bird.conf):
filter bgp_out_he {
        # without braces only the first statement after "then" is conditional,
        # so both community statements are grouped here
        if (proto = "blackhole") then {
          bgp_community = -empty-;
          bgp_community.add((6939,666));
        }
        if net ~ [] then accept;
        if net ~ [] then accept;
}


protocol bgp HE {
    local as 14613;
    source address;
    neighbor as 6939;
    import all;
    export filter bgp_out_he;
}

Am I missing something obvious? Going about this the wrong way?

Thanks greatly for any help,
Gregg Berkholtz
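A complete BIRD 1.x configuration for this setup, added here as an editor's example; it is not from the original post or from the BIRD project. It keeps the poster's kernel protocol, AS numbers and the 6939:666 community, and assumes 192.0.2.0/24 and 198.51.100.0/24 as placeholders for the operator's own aggregates and 203.0.113.1 as the upstream's address. Two points shape it: a BIRD 1.x protocol is attached to exactly one table (master unless told otherwise), so routes sitting in blackroutes have to be piped into master before the BGP export filter can ever see a route whose proto is "blackhole"; and in the filter language a bare `then` guards only the statement that follows it, so the community statements need braces.

```bird
# Editor's added example, not from the original post or the BIRD project.
# BIRD 1.x syntax (the series current when the post was written).
# Constructed placeholders: 192.0.2.0/24 and 198.51.100.0/24 stand in for
# the operator's own aggregates, 203.0.113.1 for the upstream's address,
# 203.0.113.2 for our own router id.
# AS 14613, AS 6939 and the community 6939:666 are taken from the post.

router id 203.0.113.2;

define RTBH_HE = (6939,666);   # Hurricane Electric's blackhole community

# Kernel table 10 holds the blackhole routes installed with
# "ip route add blackhole <host>/32 table 10"; BIRD only reads it.
table blackroutes;

protocol kernel blackhole {
    table blackroutes;
    kernel table 10;
    scan time 10;
    import all;
    export none;        # never write anything back into table 10
}

# Only host routes inside our own aggregates may leave blackroutes.
# Checking here means the third-party blocklist entries never reach
# master, so they cannot leak to any BGP peer by accident.
filter black_to_master_in {
    if net ~ [ 192.0.2.0/24{32,32}, 198.51.100.0/24{32,32} ] then accept;
    reject;
}

# A BIRD 1.x protocol sees only the table it is attached to, so pipe the
# (filtered) blackhole routes into master, where the BGP session lives.
# The pipe keeps the original source protocol, so proto = "blackhole"
# still matches in master.
protocol pipe black_to_master {
    table master;
    peer table blackroutes;
    import filter black_to_master_in;   # blackroutes -> master
    export none;                        # master never flows back
}

# Per-upstream export filter: tag the blackhole /32s with that upstream's
# RTBH community, announce our normal aggregates, drop everything else.
filter bgp_out_he {
    if proto = "blackhole" then {
        bgp_community = -empty-;
        bgp_community.add(RTBH_HE);
        accept;
    }
    if net ~ [ 192.0.2.0/24, 198.51.100.0/24 ] then accept;
    reject;
}

protocol bgp HE {
    local as 14613;
    neighbor 203.0.113.1 as 6939;
    import all;
    export filter bgp_out_he;
}
```

A second upstream gets its own `filter bgp_out_*` with that provider's blackhole community and its own `protocol bgp` block; the kernel protocol, the pipe and its import filter are shared. `birdc show route all export HE` lists exactly what passes the export filter, communities included, which is the quickest way to confirm that the /32s carry 6939:666 and that nothing outside the listed aggregates is being announced.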
