summaryrefslogtreecommitdiffhomepage
path: root/docs/sources
diff options
context:
space:
mode:
authorSatoshi Fujimoto <satoshi.fujimoto7@gmail.com>2017-06-19 16:32:38 +0900
committerFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>2017-07-10 15:39:14 +0900
commit4b5e13376c70481aacc1c2c508738279f8cc9e5c (patch)
treeeb653f3d42af5e31dc90c186834a49384f8dfd0f /docs/sources
parent15cd58e01f47357be5280ef6aa0775f42b811854 (diff)
packet: Use bitmask operand format to fragment
RFC 5575 suggests using "bitmask operand format" for fragmentation field, but GoBGP does not have an interface to configure it. This patch introduce the way to configure bitmask operands for "fragment" field. The syntax is similar to TCP flags rules. For example: =not-a-fragment =is-fragment&!last-fragment Signed-off-by: Satoshi Fujimoto <satoshi.fujimoto7@gmail.com>
Diffstat (limited to 'docs/sources')
-rw-r--r--docs/sources/flowspec.md20
1 files changed, 12 insertions, 8 deletions
diff --git a/docs/sources/flowspec.md b/docs/sources/flowspec.md
index da7d17f0..6d48d8a6 100644
--- a/docs/sources/flowspec.md
+++ b/docs/sources/flowspec.md
@@ -45,7 +45,7 @@ CLI syntax to add ipv4/ipv6 flowspec rule is
```shell
% global rib add match <MATCH_EXPR> then <THEN_EXPR> -a [ipv4-flowspec|ipv6-flowspec]
<MATCH_EXPR> : { destination <PREFIX> [<OFFSET>] | source <PREFIX> [<OFFSET>] |
- protocol <PROTO>... | fragment <FRAGMENT_TYPE> | tcp-flags [!] [=] <TCPFLAG>... |
+ protocol <PROTO>... | fragment [!] [=] <FRAGMENT_TYPE> | tcp-flags [!] [=] <TCPFLAG>... |
{ port | destination-port | source-port | icmp-type | icmp-code | packet-length | dscp | label } <ITEM>... }...
<PROTO> : ospf, pim, igp, udp, igmp, tcp, egp, rsvp, gre, ipip, unknown, icmp, sctp, <VALUE>
<FRAGMENT_TYPE> : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
@@ -98,22 +98,26 @@ All decimal values like ports, destination port, source port, procotol number ca
Network Next Hop AS_PATH Age Attrs
*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:00:04 [{Origin: i} {Extcomms: [redirect: 10:10]}]
-# add another flowspec rule which discard flows whose ip protocol is tcp and destination port is 80 or greater than or equal to 8080 and lesser than or equal to 8888
-% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' then discard
+# add another flowspec rule which discard flows whose
+ # ip protocol is tcp and
+ # destination port is 80 or greater than or equal to 8080 and lesser than or equal to 8888 and
+ # packet is a first fragment or a last fragment
+% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' fragment '=first-fragment =last-fragment' then discard
# add flowspec rule to drop traffic not going to destination port 80, 443 or 22
gobgp global rib -a ipv4-flowspec add match destination 2.2.2.2/32 dest-port '!=80&!=443&!=22' then discard
% gobgp global rib -a ipv4-flowspec
- Network Next Hop AS_PATH Age Attrs
-*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:03:19 [{Origin: i} {Extcomms: [redirect: 10:10]}]
-*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
+ Network Next Hop AS_PATH Age Attrs
+*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:03:19 [{Origin: i} {Extcomms: [redirect: 10:10]}]
+*> [protocol:==tcp ][destination-port: ==80 >=8080&<=8888][fragment:=first-fragment =last-fragment ]0.0.0.0 00:00:05 [{Origin: ?} {Extcomms: [discard]}]
+
# delete a flowspec rule
% gobgp global rib -a ipv4-flowspec del match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
% gobgp global rib -a ipv4-flowspec
- Network Next Hop AS_PATH Age Attrs
-*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
+ Network Next Hop AS_PATH Age Attrs
+*> [protocol:==tcp ][destination-port: ==80 >=8080&<=8888][fragment:=first-fragment =last-fragment ]0.0.0.0 00:00:05 [{Origin: ?} {Extcomms: [discard]}]
```