author | Satoshi Fujimoto <satoshi.fujimoto7@gmail.com> | 2017-06-19 16:32:38 +0900 |
---|---|---|
committer | FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> | 2017-07-10 15:39:14 +0900 |
commit | 4b5e13376c70481aacc1c2c508738279f8cc9e5c (patch) | |
tree | eb653f3d42af5e31dc90c186834a49384f8dfd0f /docs/sources | |
parent | 15cd58e01f47357be5280ef6aa0775f42b811854 (diff) |
packet: Use bitmask operand format to fragment
RFC 5575 suggests using "bitmask operand format" for the fragmentation
field, but GoBGP does not have an interface to configure it.
This patch introduces a way to configure bitmask operands for the
"fragment" field.
The syntax is similar to TCP flags rules.
For example:
=not-a-fragment
=is-fragment&!last-fragment
Signed-off-by: Satoshi Fujimoto <satoshi.fujimoto7@gmail.com>
Diffstat (limited to 'docs/sources')
-rw-r--r-- | docs/sources/flowspec.md | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/docs/sources/flowspec.md b/docs/sources/flowspec.md index da7d17f0..6d48d8a6 100644 --- a/docs/sources/flowspec.md +++ b/docs/sources/flowspec.md @@ -45,7 +45,7 @@ CLI syntax to add ipv4/ipv6 flowspec rule is ```shell % global rib add match <MATCH_EXPR> then <THEN_EXPR> -a [ipv4-flowspec|ipv6-flowspec] <MATCH_EXPR> : { destination <PREFIX> [<OFFSET>] | source <PREFIX> [<OFFSET>] | - protocol <PROTO>... | fragment <FRAGMENT_TYPE> | tcp-flags [!] [=] <TCPFLAG>... | + protocol <PROTO>... | fragment [!] [=] <FRAGMENT_TYPE> | tcp-flags [!] [=] <TCPFLAG>... | { port | destination-port | source-port | icmp-type | icmp-code | packet-length | dscp | label } <ITEM>... }... <PROTO> : ospf, pim, igp, udp, igmp, tcp, egp, rsvp, gre, ipip, unknown, icmp, sctp, <VALUE> <FRAGMENT_TYPE> : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment 
@@ -98,22 +98,26 @@ All decimal values like ports, destination port, source port, procotol number ca Network Next Hop AS_PATH Age Attrs *> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:00:04 [{Origin: i} {Extcomms: [redirect: 10:10]}] -# add another flowspec rule which discard flows whose ip protocol is tcp and destination port is 80 or greater than or equal to 8080 and lesser than or equal to 8888 -% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' then discard +# add another flowspec rule which discard flows whose + # ip protocol is tcp and + # destination port is 80 or greater than or equal to 8080 and lesser than or equal to 8888 and + # packet is a first fragment or a last fragment +% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' fragment '=first-fragment =last-fragment' then discard # add flowspec rule to drop traffic not going to destination port 80, 443 or 22 gobgp global rib -a ipv4-flowspec add match destination 2.2.2.2/32 dest-port '!=80&!=443&!=22' then discard % gobgp global rib -a ipv4-flowspec - Network Next Hop AS_PATH Age Attrs -*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:03:19 [{Origin: i} {Extcomms: [redirect: 10:10]}] -*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}] + Network Next Hop AS_PATH Age Attrs +*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:03:19 [{Origin: i} {Extcomms: [redirect: 10:10]}] +*> [protocol:==tcp ][destination-port: ==80 >=8080&<=8888][fragment:=first-fragment =last-fragment ]0.0.0.0 00:00:05 [{Origin: ?} {Extcomms: [discard]}] + # delete a flowspec rule % gobgp global rib -a ipv4-flowspec del match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10 % gobgp global rib -a ipv4-flowspec - Network Next Hop AS_PATH Age Attrs -*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} 
{Extcomms: [discard]}] + Network Next Hop AS_PATH Age Attrs +*> [protocol:==tcp ][destination-port: ==80 >=8080&<=8888][fragment:=first-fragment =last-fragment ]0.0.0.0 00:00:05 [{Origin: ?} {Extcomms: [discard]}] ``` |
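Review bot: In the first hunk (@@ -45,7), the new grammar line `fragment [!] [=] <FRAGMENT_TYPE>` has no trailing `...`, unlike `tcp-flags [!] [=] <TCPFLAG>...` right next to it, yet the commit message and the example in the second hunk both pass more than one operand (`=is-fragment&!last-fragment`, `=first-fragment =last-fragment`). Suggest writing `fragment [!] [=] <FRAGMENT_TYPE>...` and adding a line near `<FRAGMENT_TYPE>` that states what `!`, `=`, `&` and a space between operands mean, because nothing in the visible lines defines them and "similar to TCP flags rules" only appears in the commit message, not in the doc.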
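Review bot: In the second hunk (@@ -98,22), the updated sample output changes more than the fragment column: `[protocol: tcp]` becomes `[protocol:==tcp ]`, `{Origin: i}` becomes `{Origin: ?}`, and the new rows have no space between `]` and `0.0.0.0`. The commit message mentions none of this; if it is real output resulting from an earlier change, say so or split it into its own commit, otherwise keep the old rendering so the doc diff shows only the fragment addition. Also, the fragment operands are passed as one quoted string (`'=first-fragment =last-fragment'`) while the destination-port operands on the same command line are separate arguments (`'==80' '>=8080&<=8888'`); the doc should state which forms are accepted.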