In working to streamline our utilization of each upstream's RTBH filtering mechanisms (e.g. http://www.he.net/adm/blackhole.html ), I'm having a heck of a time configuring BIRD to "mirror" Cisco product behaviors.
Here's the Cisco Way (where X.X.X.X is the IP to blackhole):

    conf t
    ip route X.X.X.X 255.255.255.255 Null0
    router bgp YourAS
    network X.X.X.X mask 255.255.255.255 route-map blackhole
    route-map blackhole permit 10
    set community 6939:666
    end

What I believe needs to happen w/ BIRD and the Linux kernel route tables:

1) Create and maintain a non-default Linux kernel route table, to accomplish blackholing at our gateways (working great). Also want BIRD to monitor this non-default route table, and :666 tag+announce upstream any /32 entries within our 199.127.224.0/22.

2) BIRD imports the non-default kernel route table (seems to be working ok).

3) For each "protocol bgp *Upstream*", use an export filter to identify and tag relevant "blackhole" route entries with a specific RTBH community (e.g. 6939:666)... this is what I'm struggling with.

While snippets are below, our entire bird.conf (minus comments) can be found at: http://pastebin.com/xE1AxtGe

Here's my breakdown of what seems to be happening:

1) Create/edit/update the non-default kernel route table (works great, the Linux kernel/route config drops this traffic without issue):

    ...
    ~$ sudo ip rule add from all table 10 priority 10; sudo ip route add blackhole 199.127.225.73/32 table 10; .....
    ~$ sudo ip route show table 10 | wc -l
    456
    ~$ sudo ip rule
    0:      from all lookup local
    10:     from all lookup 10
    ...

2) Read the non-default kernel route table (from bird.conf):

    ...
    table blackroutes;

    protocol kernel blackhole {
        table blackroutes;
        kernel table 10;
        scan time 10;
        learn;
        import all;
        export all;
    }
    ...

BIRD seems to import the non-default kernel table without issue:
    ...
    ~$ sudo birdc show protocols all | grep blackhole -C 10
    blackhole  Kernel   blackroutes  up   Mar17
      Preference:     10
      Input filter:   ACCEPT
      Output filter:  ACCEPT
      Routes:         454 imported, 0 exported, 454 preferred
      Route change stats:     received   rejected   filtered    ignored   accepted
        Import updates:           1363          0          0          0       1363
        Import withdraws:          909          0        ---          0        909
        Export updates:           1363       1363          0        ---          0
        Export withdraws:          909        ---        ---        ---          0
    ~$ sudo ip route show table 10 | wc -l
    456
    ...

BTW: the bulk of our "blacklist" entries come from http://www.spamhaus.org/drop/drop.lasso, although we only want to tag+announce what we control (e.g. /32's within 199.127.224.0/22).

3) Can't seem to figure out the correct tagging method/commands (from bird.conf):

    ...
    filter bgp_out_he {
        if (proto = "blackhole") then {
            bgp_community = -empty-;
            bgp_community.add((6939,666));
        }
        if net ~ [65.49.94.0/24] then accept;
        if net ~ [199.127.224.0/22] then accept;
        reject;
    }
    ...
    protocol bgp HE {
        local as 14613;
        source address 65.19.175.14;
        neighbor 65.19.175.13 as 6939;
        import all;
        ...
        export filter bgp_out_he;
    }
    ...

Am I missing something obvious? Going about this the wrong way?

Thanks greatly for any help,
Gregg Berkholtz
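One way to get the tagging working, written as an added example in BIRD 1.x syntax (it is not the poster's bird.conf or anything from the pastebin). It reuses the poster's table, protocol and filter names and assumes the HE session reads from BIRD's default table "master", so a pipe (named "blackpipe" here, an assumed name) carries the learned routes across. The decisive change is the "{32,32}" prefix-length qualifier: a prefix set written as [ 199.127.224.0/22 ] matches only that exact /22, so every learned /32 falls through to the final reject.

```bird
# Added example (BIRD 1.x syntax), not the poster's bird.conf.
table blackroutes;

# Learn the /32 blackholes from Linux table 10, as in the post.
protocol kernel blackhole {
    table blackroutes;
    kernel table 10;
    scan time 10;
    learn;
    import all;
    export none;     # never write anything back into table 10
}

# Assumption: the HE session reads from the default table "master",
# so the learned routes must be copied across with a pipe.
protocol pipe blackpipe {
    table master;
    peer table blackroutes;
    import all;      # blackroutes -> master
    export none;     # nothing from master -> blackroutes
}

filter bgp_out_he {
    if (proto = "blackhole") then {
        # {32,32} is the missing piece: [ 199.127.224.0/22 ] alone matches
        # exactly the /22, so every learned /32 hits the final reject.
        if net ~ [ 199.127.224.0/22{32,32} ] then {
            bgp_community = -empty-;
            bgp_community.add((6939,666));
            accept;
        }
        reject;      # DROP-list entries outside our space stay local only
    }
    # Normal announcements: exact prefixes only, no community added.
    if net ~ [ 65.49.94.0/24, 199.127.224.0/22 ] then accept;
    reject;
}

protocol bgp HE {
    local as 14613;
    source address 65.19.175.14;
    neighbor 65.19.175.13 as 6939;
    import all;
    export filter bgp_out_he;
}
```

If a separate "protocol kernel" also syncs master into the main Linux table, give it an export filter that rejects proto = "blackhole" routes, otherwise the pipe will install the /32s a second time there. "birdc show route export HE all" then shows exactly which /32s leave for HE and that only they carry 6939:666.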
