On 2026-06-03, Tom Smyth <[email protected]> wrote:
> I was discussing on the ports list a way of using OpenBGPd with Fastnetmon
> to implement bans, with BGP using RTBH,
> the way I had done this was to configure doas to allow _fastnetmon to run a
> ban script as root
> which would contain the line
> /sbin/route -T0 exec /usr/sbin/bgpctl network add $1/32 community
> $ASNUMBER:666 community
>
> or
> /usr/sbin/bgpctl -s /var/run/bgpd.sock.$BGPD-RDOMAIN network add $1/32
> community $ASNUMBER:666 community
>
> however the issue with the second method is that the bgpd socket
> permissions are owner root group wheel,
>
> I have tried creating a custom socket in a directory where _fastnetmon is
> owner / group and that has not worked...
something similar to that does work for me:

<symphytum:~>$ ls -la /var/bgpd
total 16
drwxr-xr-x   2 root  _bgpd   512 Jun  8 10:50 .
drwxr-xr-x  49 root  wheel  1024 Jun  8 10:49 ..
<symphytum:~>$ doas bgpd
<symphytum:~>$ ls -l /var/bgpd
total 0
srw-rw----  1 root  _bgpd  0 Jun  8 10:55 bgpd.sock
<symphytum:~>$ grep sock /etc/bgpd.conf
socket "/var/bgpd/bgpd.sock"

(bgpd sets mode 660, but doesn't change ownership/group, so it inherits the
group from the directory).

setting "socket" overrides the default path, so for easier use of bgpctl you
may want "ln -s ../bgpd/bgpd.sock /var/run/bgpd.sock.0" in rc.local (/var/run
is cleared at boot so it will need recreating).

> is it useful / advisable to be able to configure bgpd to set custom socket
> permissions in the bgpd.conf as opposed to the usual root wheel option ?

maybe, though it's not too horrible to work around, and it could complicate
things for config reload.
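A hardened version of the ban script described in Tom's mail, added here as an example rather than taken from the thread: since doas runs it as root with a caller-supplied argument, it validates that the argument is a plain IPv4 address before bgpctl ever sees it. It assumes the /var/bgpd/bgpd.sock layout from the reply and uses 64496 as a placeholder ASN.

```sh
#!/bin/sh
# Added example (not from the thread): a hardened form of the ban script that
# Tom's doas rule lets _fastnetmon run as root. Because the caller controls $1
# and the script runs privileged, the address is validated as a dotted-quad
# IPv4 before it reaches the bgpctl command line; anything else is refused.
ASNUMBER=64496                          # constructed placeholder ASN (RFC 5398 range)
BGPCTL_SOCK=/var/bgpd/bgpd.sock         # socket path from the reply above

# Return 0 if $1 is an IPv4 address a.b.c.d with each octet in 0..255,
# written without leading zeros; return 1 for anything else.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;       # empty, or a char other than digit/dot
    esac
    oldifs=$IFS
    IFS=.
    set -- $1                           # split on dots (safe: only digits/dots left)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|????*|0?*) return 1 ;;   # empty octet, 4+ digits, or leading zero
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the exact bgpctl invocation for announcing $1/32 with the RTBH
# community, or fail without printing if $1 is not a valid address.
ban_cmd() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "/usr/sbin/bgpctl -s $BGPCTL_SOCK network add $1/32 community $ASNUMBER:666"
}

# Entry point when invoked as "ban.sh <address>".
main() {
    valid_ipv4 "$1" || { echo "ban: refusing invalid address '$1'" >&2; exit 1; }
    exec /usr/sbin/bgpctl -s "$BGPCTL_SOCK" network add "$1/32" community "$ASNUMBER:666"
}

# Only act when given an argument, so the functions can also be sourced/tested.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

If _fastnetmon is instead made a member of _bgpd and talks to the socket directly, the doas rule and root privilege can be dropped, but the address check still belongs in front of bgpctl.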

