From 2917c94c0dbe77f384d1352c3c623d372636c6ae Mon Sep 17 00:00:00 2001
From: Mikael Magnusson
Date: Mon, 15 Apr 2019 13:52:48 +0200
Subject: firewall protocol support
Patch by Alexander V. Chernikov Hello list! This patch adds 'firewall' protocol permitting prefixes announced to this protocol to be put in configured firewall table with optional value. Supported firewalls: IPFW, PF, * Optional value support: IPFW, * Sample configuration: protocol bgp { .. import filter { fw_value = 42; accept; } # Set firewall optional value for each prefix } protocol firewall { fwtype ipfw; fwtable "2"; export all; flush always; # do flush both on startup and shutdown }; Tested on FreeBSD 8.X, PF should work on Open/NetBSD, too. [*] I can add support for ipset on demand. However I can't understand how it can be [effectively] used without some kind of radix/rbtree backend (according to docs). P.S. This can be thought as first step for implementation BGP FlowSpec (RFC 5575)
---
nest/protocol.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'nest/protocol.h')
diff --git a/nest/protocol.h b/nest/protocol.h
index 56d66ed5..8d122135 100644
--- a/nest/protocol.h
+++ b/nest/protocol.h
@@ -53,6 +53,7 @@ enum protocol_class {
 PROTOCOL_RIP,
 PROTOCOL_RPKI,
 PROTOCOL_STATIC,
+ PROTOCOL_FIREWALL,
 PROTOCOL__MAX
 };
@@ -102,7 +103,7 @@ void protos_dump_all(void);
 extern struct protocol proto_device, proto_radv, proto_rip, proto_static, proto_mrt, proto_ospf, proto_perf,
- proto_pipe, proto_bgp, proto_bfd, proto_babel, proto_rpki;
+ proto_pipe, proto_bgp, proto_bfd, proto_babel, proto_rpki, proto_firewall;
 /*
 * Routing Protocol Instance
--
cgit v1.2.3
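Review bot: In the first hunk `PROTOCOL_FIREWALL,` is inserted after PROTOCOL_STATIC, directly in front of the PROTOCOL__MAX sentinel, while the visible neighbours (PROTOCOL_RIP, PROTOCOL_RPKI, PROTOCOL_STATIC) are kept in alphabetical order; unless the numeric values are load-bearing, the new class belongs in its alphabetical slot earlier in the enum, and a one-line comment such as `/* exports accepted prefixes into a host firewall table (IPFW/PF) */` would tell a reader what this class does since nothing else in the header says so. Any table sized by PROTOCOL__MAX and indexed by this enum elsewhere in the tree needs a matching entry; this header-only view ("limited to 'nest/protocol.h'") cannot show whether the rest of the commit adds one. In the second hunk the unconditional `proto_firewall` declaration is harmless as a declaration, but since the description says the implementation exists for IPFW/PF only, every reference to it in generic code presumably has to sit behind the same kind of build guard the other optional protocols use, or non-BSD builds will not link. The enum's opening line precedes the first hunk.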