Exact Definition of numbers-match bitmask-match and fragmentation-type
Matt Corallo
birdlist at as397444.net
Tue Apr 6 18:48:07 CEST 2021
Update: Went ahead and implemented the standard communities except redirect. The rate limiter could probably be faster,
and could support more than a one-packet burst, but it all seems to work.
One other comment, the NET_FLOW type docs (copied below) seem to indicate that I should be able to do net.src... or
net.dst... in a filter importing a flowspec rule, but BIRD seems to refuse to allow that.
Matt
> NET_FLOW4 and NET_FLOW6 hold an IP prefix together with a flowspec rule. Filters currently do not support much
> flowspec parsing, only .src and .dst operators to get source and destination parts of the flowspec as separate NET_IP4 /
> NET_IP6 values.
On 4/5/21 14:45, Matt Corallo wrote:
> Replies to both responses.
>
> On 4/5/21 05:04, Maria Matejka wrote:
>> Hello!
>>
>> On 4/4/21 6:18 PM, Matt Corallo wrote:
>>> For context, I'm currently writing a birdc-flowspec -> XDP parser/transpiler, so exact formal grammar and behavior is
>>> important :). You can find it at https://github.com/TheBlueMatt/flowspec-xdp.
>>
>> Would you benefit from having Python API in BIRD, getting the flowspec rules as proper objects?
>
> Hmm, probably, I guess? It's not really that hard to parse the birdc output as long as I figure out the exact semantics
> to convert a X-match string into an AST. Putting in the work to write a whole Python API sounds like more work than it's
> worth, but, hey, if you build it, I'll use it :)
>
>>> It currently only supports drop/pass, however, and doesn't parse the action communities as it doesn't appear BIRD
>>> supports them? The RFC indicates extended community types in the 0x800X range, but BIRD appears to only support
>>> rt/ro. I may be missing something entirely obvious here, though.
>>
>> I remember coding something around that, anyway I don't remember whether we actually merged it. Will look for that.
>
> See below from Tim - (generic, X, Y). I do not believe this is documented anywhere.
>
> On 4/5/21 03:49, Tim Weippert wrote:
> > You can add the extended communities via generic extended community in
> > bird:
> >
> > bgp_ext_community.add( (generic, 0x80060000, 0x00000000 ) );
> >
> > the output in birdc will look like:
> >
> > flow4 { dst 203.0.113.53/32; src 198.51.100.10/32; } [S_FLOWSPEC_v4 07:48:34.659] * (200)
> > Type: static univ
> > BGP.ext_community: (generic, 0x80060000, 0x0)
> >
>
> Thanks! Will update to at least do rate limiting by maps this week/weekend.
>
> Matt
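
Added example, not code from this thread or from flowspec-xdp: a decoder for the `(generic, X, Y)` tuples that birdc prints, mapping the 0x800X types from the flowspec RFC to actions. It assumes X and Y are the high and low 32 bits of the 8-byte extended community; the function names are hypothetical, and every sample value except `(generic, 0x80060000, 0x0)` is constructed.

```python
import math
import re
import struct

# Matches the tuple form birdc prints, e.g. "(generic, 0x80060000, 0x0)".
GENERIC_RE = re.compile(r"\(generic,\s*(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\)")

def decode_action(high, low):
    """Decode one generic extended community (two 32-bit halves) as a flowspec action."""
    if not (0 <= high <= 0xFFFFFFFF and 0 <= low <= 0xFFFFFFFF):
        raise ValueError("each half must fit in 32 bits")
    raw = struct.pack(">II", high, low)
    kind = int.from_bytes(raw[:2], "big")
    if kind == 0x8006:  # traffic-rate: 2-byte AS, then IEEE 754 float, bytes/second
        asn, rate = struct.unpack(">Hf", raw[2:])
        if math.isnan(rate) or rate < 0:
            # Choice made by this example: refuse rather than guess an intent.
            raise ValueError("traffic-rate is NaN or negative")
        return {"action": "traffic-rate", "asn": asn, "bytes_per_sec": rate,
                "drop": rate == 0.0}  # a rate of 0 discards the whole flow
    if kind == 0x8007:  # traffic-action: sample and terminal are the two lowest bits
        return {"action": "traffic-action", "sample": bool(raw[7] & 0x02),
                "terminal": bool(raw[7] & 0x01)}
    if kind == 0x8008:  # redirect: 6-byte route target, reported but not interpreted
        return {"action": "redirect", "target": raw[2:].hex()}
    if kind == 0x8009:  # traffic-marking: DSCP in the low 6 bits of the last byte
        return {"action": "traffic-marking", "dscp": raw[7] & 0x3F}
    return {"action": "unknown", "type": hex(kind)}

def actions_from_birdc(text):
    """Return the decoded action for every generic community found in birdc output."""
    return [decode_action(int(h, 16), int(l, 16)) for h, l in GENERIC_RE.findall(text)]

# First community is the value shown in the thread; the others are constructed.
SAMPLE = """\
flow4 { dst 203.0.113.53/32; src 198.51.100.10/32; } [S_FLOWSPEC_v4 07:48:34.659] * (200)
	BGP.ext_community: (generic, 0x80060000, 0x0)
	BGP.ext_community: (generic, 0x8006fc00, 0x49742400) (generic, 0x80090000, 0x2e)
"""

if __name__ == "__main__":
    for action in actions_from_birdc(SAMPLE):
        print(action)
```

The community from the thread decodes to a traffic-rate of 0 bytes per second, which a data plane should treat as drop rather than as a rate limiter with an empty bucket.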