author Matthieu Texier <matthieu@texier.tv> 2017-02-17 21:20:59 +0900
committer FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2017-02-17 21:20:59 +0900
commit 6de16dc885ebfeffb9ff3470805980f6fac579c5
tree 887b2deea8f346802688b296746d9d7c8cb316c9 /docs/sources/flowspec.md
parent a1aa21844ee456cead80e8ef88fc373bc95b7b04
flowspec: comply with RFC 5575 about TCP flags rules
This patch proposes a new way to configure BGP flowspec TCP flags rules. It allows to comply with RFC 5575 by defining flags like this: =SA =A / '!SA' / '=SA&=!U'. = means match, ! means not, & means and; all TCP flags are identified by their first character: S for SYN, A for Ack ...
Diffstat (limited to 'docs/sources/flowspec.md')
-rw-r--r-- docs/sources/flowspec.md 7
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/sources/flowspec.md b/docs/sources/flowspec.md
index 8fddcccc..e2b02fcb 100644
--- a/docs/sources/flowspec.md
+++ b/docs/sources/flowspec.md
@@ -45,11 +45,11 @@ CLI syntax to add ipv4/ipv6 flowspec rule is
```shell
% global rib add match <MATCH_EXPR> then <THEN_EXPR> -a [ipv4-flowspec|ipv6-flowspec]
<MATCH_EXPR> : { destination <PREFIX> [<OFFSET>] | source <PREFIX> [<OFFSET>] |
- protocol <PROTO>... | fragment <FRAGMENT_TYPE> | tcp-flags [not] [match] <TCPFLAG>... |
+ protocol <PROTO>... | fragment <FRAGMENT_TYPE> | tcp-flags [!] [=] <TCPFLAG>... |
{ port | destination-port | source-port | icmp-type | icmp-code | packet-length | dscp | label } <ITEM>... }...
<PROTO> : ospf, pim, igp, udp, igmp, tcp, egp, rsvp, gre, ipip, unknown, icmp, sctp, <VALUE>
<FRAGMENT_TYPE> : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
- <TCPFLAG> : rst, push, ack, urgent, fin, syn
+ <TCPFLAG> : U, C, E, F, S, R, P, A
<ITEM> : &?{<|>|=}<value>
<THEN_EXPR> : { accept | discard | rate-limit <value> | redirect <RT> | mark <value> | action { sample | terminal | sample-terminal } | rt <RT>... }...
<RT> : xxx:yyy, xx.xx.xx.xx:yyy, xxx.xxx:yyy
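Review bot: The new `<TCPFLAG>` line lists only single letters (U, C, E, F, S, R, P, A) and nothing in this block says what each one stands for, while the removed line spelled out rst, push, ack, urgent, fin, syn. Please add a legend next to it: C and E have no counterpart in the old list, and someone writing a discard rule should not have to guess them. The `tcp-flags [!] [=] <TCPFLAG>...` production also does not show how flag groups are combined. `<ITEM>` documents a leading `&`, but the tcp-flags line does not, so state whether `&` is accepted there and how groups combine when it is omitted. Since `not`, `match` and the long flag names disappear from the grammar, the doc should also say whether the old spelling is still parsed or is now rejected.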
@@ -72,6 +72,9 @@ that for l2vpn flowspec rule is
# add a flowspec rule which redirect flows with dst 10.0.0.0/24 and src 20.0.0.0/24 to VRF with RT 10:10
% gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
+# add a flowspec rule wich discard flows with dst 2001::2/128 and port equals 80 and with TCP flags not match SA (SYN/ACK) and not match U (URG)
+% gobgp global rib -a ipv6-flowspec add match destination 2001::2/128 port '=80' tcp-flags '=!SA&=!U' then discard
+
# show flowspec table
% gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
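Review bot: The added example writes the operators as `=!SA&=!U`, but the syntax block documents `tcp-flags [!] [=] <TCPFLAG>`, with `!` before `=`. Either align the two or document that both orders are accepted. The comment line has a typo (`wich`) and should read "which discards". Its wording "not match SA" also leaves open whether `=!SA` means "SYN and ACK are not both set" or "the flag set is not exactly SYN+ACK". Because the action is discard, spell that out so readers know exactly which traffic to 2001::2/128 port 80 is dropped. Finally, the new ipv6-flowspec example sits directly above the `gobgp global rib -a ipv4-flowspec` show command, so the sample output that follows will not contain this rule. Consider adding the matching ipv6-flowspec show command or moving the example.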