Thank you for your reply Ondrej, I tried the filter as you mentioned, all is working fine, I made a bash script that imports into a roa table,
all right! Thank you!

On Wed, Apr 10, 2013 at 5:43 PM, Ondrej Zajicek <[email protected]> wrote:

> On Wed, Apr 10, 2013 at 04:22:11PM +0200, Arnaud Fenioux wrote:
> > Hello all,
>
> Hello
>
> > I would like to use ROA filtering on my bird setup to reject invalid
> > prefixes announced by my peers.
> >
> > I know there is currently no easy way to bind bird to an RPKI validator,
> > right?
>
> Yes
>
> > I have to create a table in my conf file with
> > "roa table roa_table_name"
>
> Yes
>
> > I have read (
> > https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf) there
> > is a way to populate dynamically this table.
> > How can I do that? "roa add" in cli?
> > Is there a way to flush the table?
>
> These commands in CLI:
>
> show roa ...
> add roa ...
> delete roa ...
> flush roa ...
>
> See http://bird.network.cz/?get_doc&f=bird-4.html
> (Also try '?' in CLI for interactive help)
>
> Second alternative is to populate ROA table statically - generate
> configuration for ROA table with specified ROA entries and call
> configure after each change. You could have content of ROA table in
> separate (generated) config and include it from the main config file.
>
> > Can I do a filter like this?
> >
> > protocol bgp my_peer {
> >   local as 65000;
> >   neighbor 192.0.2.1 as 65001;
> >   import filter peer_in;
> > }
> >
> > filter peer_in {
> >   if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then reject;
> >   accept;
> > }
>
> This should work, but I would suggest to add 'print' for logging:
>
> {
>   if ... then { print "ROA check failed for ", net, " ASN ", bgp_path.last; reject; }
>   accept;
> }
>
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'SanTiago' Zajicek (email: [email protected])
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
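The thread mentions a bash import script but does not show it, so here is an added example (not Arnaud's script and not BIRD project code) of the dynamic-population route Ondrej describes: it reads a validator export in an assumed prefix,maxlen,asn CSV layout, drops malformed rows instead of loading them, and emits the flush roa / add roa CLI commands for the table roa_table_name, ready to pipe into birdc.

```shell
#!/bin/sh
# Added example, not from the thread: build BIRD CLI commands that refresh
# a ROA table from a validator export.  Assumed input layout per line:
# prefix,maxlen,asn (asn optionally written as AS65001).  IPv4 only here.
ROA_TABLE="${ROA_TABLE:-roa_table_name}"   # table name used in the thread

# True when $1 is an unsigned integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# True when $1 is an IPv4 prefix a.b.c.d/n (octets 0-255, n 0-32).
is_ipv4_prefix() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"; plen="${1##*/}"
    is_uint "$plen" && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do is_uint "$o" && [ "$o" -le 255 ] || return 1; done
}

# Read CSV on stdin, emit one "add roa" per well-formed row, and report
# malformed rows on stderr instead of turning them into bogus ROA entries.
roa_to_cli() {
    while IFS=, read -r prefix maxlen asn; do
        case "$prefix" in ''|'#'*) continue ;; esac
        if ! is_ipv4_prefix "$prefix"; then
            echo "skip: bad prefix '$prefix'" >&2; continue; fi
        plen="${prefix##*/}"
        if ! is_uint "$maxlen" || [ "$maxlen" -lt "$plen" ] || [ "$maxlen" -gt 32 ]; then
            echo "skip: maxlen '$maxlen' invalid for $prefix" >&2; continue; fi
        asn="${asn#AS}"
        if ! is_uint "$asn"; then
            echo "skip: bad asn '$asn' for $prefix" >&2; continue; fi
        printf 'add roa %s max %s as %s table %s\n' "$prefix" "$maxlen" "$asn" "$ROA_TABLE"
    done
}

# Full refresh: flush the old table contents, then load the new entries.
roa_refresh_cmds() { printf 'flush roa table %s\n' "$ROA_TABLE"; roa_to_cli; }

# Constructed sample export: two good rows, one maxlen shorter than the
# prefix, one that is not a prefix at all.
SAMPLE_CSV='192.0.2.0/24,24,AS65001
198.51.100.0/22,24,65002
203.0.113.0/24,22,65003
not-a-prefix,24,65004'

# Live use: printf '%s\n' "$SAMPLE_CSV" | roa_refresh_cmds | birdc
printf '%s\n' "$SAMPLE_CSV" | roa_refresh_cmds
```

For the static alternative Ondrej mentions, the same loop would instead write the rows as entries inside a generated roa table config block that the main config includes, followed by a configure.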
