Blackhole routes using a filter?

Ondrej Zajicek santiago at crfreenet.org
Fri May 4 10:38:12 CEST 2012


On Wed, May 02, 2012 at 10:23:54AM +0200, Dan Luedtke wrote:
> Hi everyone,
> 
> I am stuck with bird, could you please give me a hint?
> 
> The setup:
> My router peers with Team Cymru to get fullbogons via BGP.
> I want to blackhole these routes using a filter. My filter looks like this:
> 
> filter blackhole {
> 	gw = 2001:db8::1;
> 	accept;
> }

..

> Any ideas how to accomplish blackholing? Other approaches maybe?

It is not directly possible in the current version, but a patch is already
in Git (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;'
(or RTD_PROHIBIT or RTD_BLACKHOLE) to change the route destination type.
Changing gw currently works only within one iface.

BTW, what is 2001:db8::1? Some well-known blackhole address or just
any address unreachable on the router?

Another idea is that if you use the 'gateway recursive' BGP option (default
for iBGP), you could use 'bgp_next_hop = some_unreachable_ip;' in the BGP
import filter to make the route unreachable.

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dest_change.patch
Type: text/x-diff
Size: 3008 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20120504/7b3d73c9/attachment-0001.patch>
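
The two approaches from the reply above, written out as a BIRD configuration sketch. This is an added example, not part of the original message or the attached patch. The filter and protocol names, AS numbers, peer address and the next-hop address are constructed placeholders, and the first filter assumes a BIRD build that includes the dest-change patch.

```bird
# Approach 1: change the route destination type in the import filter.
# Needs a BIRD build that contains the dest-change patch.
filter bogons_blackhole {
	dest = RTD_BLACKHOLE;	# RTD_UNREACHABLE or RTD_PROHIBIT also possible
	accept;
}

# Approach 2: rewrite the BGP next hop to an address the router cannot reach.
# Relies on 'gateway recursive' in the BGP protocol below.
filter bogons_nexthop {
	bgp_next_hop = 2001:db8:ffff::1;	# constructed placeholder, must stay unreachable
	accept;
}

protocol bgp bogon_feed {
	local as 64512;				# constructed private AS
	neighbor 2001:db8:0:1::2 as 64513;	# constructed peer address and AS
	multihop;
	gateway recursive;			# set explicitly; needed for approach 2
	import filter bogons_blackhole;		# or: import filter bogons_nexthop;
	export none;				# never announce anything back to the feed
}
```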