author | Mikael Magnusson <mikma@users.sourceforge.net> | 2019-04-15 13:52:48 +0200 |
---|---|---|
committer | Mikael Magnusson <mikma@users.sourceforge.net> | 2019-04-15 14:04:23 +0200 |
commit | 2917c94c0dbe77f384d1352c3c623d372636c6ae (patch) | |
tree | 87def2a9e6e99b7d57c41159aaf607c4b4209b36 /nest/protocol.h | |
parent | 6ff811976513132c831a352bd0aa0f3600252acb (diff) |
firewall protocol support [proto-firewall]
Patch by Alexander V. Chernikov <melifaro@ipfw.ru>
Hello list!
This patch adds a 'firewall' protocol, permitting prefixes announced to
this protocol to be put in a configured firewall table with an optional value.
Supported firewalls: IPFW, PF, *
Optional value support: IPFW, *
Sample configuration:
    protocol bgp {
        ..
        import filter { fw_value = 42; accept; } # Set firewall optional value for each prefix
    }
    protocol firewall {
        fwtype ipfw;
        fwtable "2";
        export all;
        flush always; # do flush both on startup and shutdown
    };
Tested on FreeBSD 8.X, PF should work on Open/NetBSD, too.
[*] I can add support for ipset on demand. However I can't understand
how it can be [effectively] used without some kind of radix/rbtree
backend (according to docs).
P.S.
This can be thought of as a first step toward implementing BGP FlowSpec (RFC 5575)
Diffstat (limited to 'nest/protocol.h')
-rw-r--r-- | nest/protocol.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nest/protocol.h b/nest/protocol.h index 56d66ed5..8d122135 100644 --- a/nest/protocol.h +++ b/nest/protocol.h @@ -53,6 +53,7 @@ enum protocol_class { PROTOCOL_RIP, PROTOCOL_RPKI, PROTOCOL_STATIC, + PROTOCOL_FIREWALL, PROTOCOL__MAX }; @@ -102,7 +103,7 @@ void protos_dump_all(void); extern struct protocol proto_device, proto_radv, proto_rip, proto_static, proto_mrt, proto_ospf, proto_perf, - proto_pipe, proto_bgp, proto_bfd, proto_babel, proto_rpki; + proto_pipe, proto_bgp, proto_bfd, proto_babel, proto_rpki, proto_firewall; /* * Routing Protocol Instance |
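Review bot: In the enum protocol_class hunk (@@ -53,6 +53,7), PROTOCOL_FIREWALL is appended after PROTOCOL_STATIC, which breaks the alphabetical run visible in the context lines (PROTOCOL_RIP, PROTOCOL_RPKI, PROTOCOL_STATIC). Appending just before PROTOCOL__MAX keeps the existing numeric values unchanged, which is a defensible choice, but it should be stated in a short comment so the next addition follows the same rule. PROTOCOL__MAX also grows by one, and this view is limited to nest/protocol.h, so please confirm that anything sized or indexed by protocol_class has an entry for the new class.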
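Review bot: In the extern struct protocol hunk (@@ -102,7 +103,7), proto_firewall is declared unconditionally, while the commit message lists only IPFW and PF as supported backends and FreeBSD 8.X as the tested platform. The definition and registration of proto_firewall are not visible here, so please confirm they are guarded by a build-time option; otherwise builds without those backends either fail to link or expose a protocol that accepts configuration but cannot program any firewall table. Since this protocol writes route-derived prefixes into packet filter tables, a brief comment in the header pointing to its documentation would also help reviewers. Minor style point: the modified line is now noticeably longer than its neighbours, and putting proto_firewall on a new continuation line would match the existing wrapping.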