Patch by Alexander V. Chernikov <melifaro@ipfw.ru>
Hello list!
This patch adds a 'firewall' protocol permitting prefixes announced to
this protocol to be put in a configured firewall table with an optional value.
Supported firewalls: IPFW, PF, *
Optional value support: IPFW, *
Sample configuration:
protocol bgp {
    ..
    # Set firewall optional value for each prefix
    import filter { fw_value = 42; accept; }
}
protocol firewall {
    fwtype ipfw;
    fwtable "2";
    export all;
    flush always; # do flush both on startup and shutdown
};
Tested on FreeBSD 8.X, PF should work on Open/NetBSD, too.
[*] I can add support for ipset on demand. However, I can't understand
how it can be [effectively] used without some kind of radix/rbtree
backend (according to docs).
P.S.
This can be thought of as a first step toward an implementation of BGP FlowSpec (RFC 5575).