On Wed, May 02, 2012 at 10:23:54AM +0200, Dan Luedtke wrote:
> Hi everyone,
>
> I am stuck with bird, could you please give me a hint?
>
> The setup:
> My router peers with Team Cymru to get fullbogons via BGP.
> I want to blackhole these routes using a filter. My filter looks like this:
>
> filter blackhole {
> gw = 2001:db8::1;
> accept;
> }
..
> Any ideas how to accomplish blackholing? Other approaches maybe?

It is not directly possible in the current version, but a patch is already in
GIT (see attachment). With that, you could use 'dest = RTD_UNREACHABLE;'
(or RTD_PROHIBIT or RTD_BLACKHOLE) to change the route destination type.
Changing gw currently works only within one iface.

BTW, what is 2001:db8::1? Some well-known blackhole address or just any
address unreachable on the router?

Another idea is that if you use the 'gateway recursive' BGP option (default
for iBGP), you could use 'bgp_next_hop = some_unreachable_ip;' in the BGP
import filter to make the route unreachable.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: [email protected])
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

commit 182a78957d60a4c91c1ff8d1ff0f09b1b64b70ba Author: Ondrej Zajicek <[email protected]> Date: Sun Apr 29 01:35:52 2012 +0200 Allows some modifications of dest attribute in filters. diff --git a/doc/bird.sgml b/doc/bird.sgml index a94fb9e..3edd6e0 100644 --- a/doc/bird.sgml +++ b/doc/bird.sgml @@ -1072,7 +1072,16 @@ undefined value is regarded as empty clist for most purposes. routes). Read-only. <tag><m/enum/ dest</tag> - Type of destination the packets should be sent to (<cf/RTD_ROUTER/ for forwarding to a neighboring router, <cf/RTD_DEVICE/ for routing to a directly-connected network, <cf/RTD_BLACKHOLE/ for packets to be silently discarded, <cf/RTD_UNREACHABLE/, <cf/RTD_PROHIBIT/ for packets that should be returned with ICMP host unreachable / ICMP administratively prohibited messages). Read-only. + Type of destination the packets should be sent to + (<cf/RTD_ROUTER/ for forwarding to a neighboring router, + <cf/RTD_DEVICE/ for routing to a directly-connected network, + <cf/RTD_MULTIPATH/ for multipath destinations, + <cf/RTD_BLACKHOLE/ for packets to be silently discarded, + <cf/RTD_UNREACHABLE/, <cf/RTD_PROHIBIT/ for packets that + should be returned with ICMP host unreachable / ICMP + administratively prohibited messages). Can be changed, but + only to <cf/RTD_BLACKHOLE/, <cf/RTD_UNREACHABLE/ or + <cf/RTD_PROHIBIT/. <tag><m/int/ igp_metric</tag> The optional attribute that can be used to specify a distance diff --git a/filter/config.Y b/filter/config.Y index 2e8b522..0eeb2ce 100644 --- a/filter/config.Y +++ b/filter/config.Y 
@@ -703,7 +703,7 @@ static_attr: | SOURCE { $$ = f_new_inst(); $$->aux = T_ENUM_RTS; $$->a2.i = OFFSETOF(struct rta, source); } | SCOPE { $$ = f_new_inst(); $$->aux = T_ENUM_SCOPE; $$->a2.i = OFFSETOF(struct rta, scope); $$->a1.i = 1; } | CAST { $$ = f_new_inst(); $$->aux = T_ENUM_RTC; $$->a2.i = OFFSETOF(struct rta, cast); } - | DEST { $$ = f_new_inst(); $$->aux = T_ENUM_RTD; $$->a2.i = OFFSETOF(struct rta, dest); } + | DEST { $$ = f_new_inst(); $$->aux = T_ENUM_RTD; $$->a2.i = OFFSETOF(struct rta, dest); $$->a1.i = 1; } ; term: diff --git a/filter/filter.c b/filter/filter.c index acdcfd2..49b6739 100644 --- a/filter/filter.c +++ b/filter/filter.c @@ -852,12 +852,25 @@ interpret(struct f_inst *what) { struct rta *rta = (*f_rte)->attrs; switch (what->aux) { - case T_ENUM: - * ((char *) rta + what->a2.i) = v1.val.i; - break; + case T_IP: * (ip_addr *) ((char *) rta + what->a2.i) = v1.val.px.ip; break; + + case T_ENUM_SCOPE: + rta->scope = v1.val.i; + break; + + case T_ENUM_RTD: + i = v1.val.i; + if ((i != RTD_BLACKHOLE) && (i != RTD_UNREACHABLE) && (i != RTD_PROHIBIT)) + runtime( "Destination can be changed only to blackhole, unreachable or prohibit" ); + rta->dest = i; + rta->gw = IPA_NONE; + rta->iface = NULL; + rta->nexthops = NULL; + break; + default: bug( "Unknown type in set of static attribute" ); }
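
Review bot: The new dest description in doc/bird.sgml says the attribute can be changed to RTD_BLACKHOLE, RTD_UNREACHABLE or RTD_PROHIBIT, but it does not mention the side effects the filter.c hunk introduces: assigning dest also resets gw to IPA_NONE and clears iface and nexthops, and any other value ends the filter with a runtime error. A sentence covering both would help operators writing bogon or blackhole import filters know that a gw set earlier in the same filter is discarded and that "dest = RTD_ROUTER;" is rejected rather than ignored.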
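
Review bot: In the filter/config.Y hunk, the added "$$->a1.i = 1;" on the DEST rule is a bare magic value; judging by the SCOPE rule above it and the documentation change, it appears to be the flag that makes a static attribute settable, while SOURCE and CAST stay read-only by omitting it. A short comment on the static_attr rule, or a named constant in place of the literal 1, would make that intent explicit and reduce the chance of someone marking another attribute writable without adding the matching case in filter.c.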
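
Review bot: In the filter/filter.c hunk, removing the generic "case T_ENUM:" leaves only T_IP, T_ENUM_SCOPE and T_ENUM_RTD handled, so any enum attribute later marked settable in config.Y without a case here falls into the default bug() branch instead of failing as an ordinary filter error; a comment next to the switch stating that it must stay in sync with static_attr would guard against that. The T_ENUM_RTD case validates the value before writing, but the T_ENUM_SCOPE case stores v1.val.i into rta->scope with no range check in the visible lines, so it is worth confirming the value is constrained earlier or adding an equivalent check. The runtime() message could also include the rejected value to make a misconfigured filter easier to diagnose from the log.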
