
Add controller for nftables bgp flowspec routes
Open, NormalPublicFEATURE REQUEST

Description

We need a controller that parses BGP flowspec data and generates nftables rules.
The examples in the FRR documentation (https://github.com/FRRouting/frr/blob/master/doc/user/flowspec.rst) work with iptables and ipset, neither of which is used in VyOS 1.4.

As alternatives we have two options:

  1. Try to parse FRR data with "custom Lua scripts" http://docs.frrouting.org/projects/dev-guide/en/latest/scripting.html
  2. Use ExaBGP as a controller which will generate nft rules for VyOS.

ExaBGP seems preferable, since it is largely written in Python.
I think it is a good idea that the controller should communicate with VyOS via the API.
Example

Some configuration to play with during development:

set protocols bgp local-as '65001'
set protocols bgp neighbor 192.168.29.11 address-family ipv4-flowspec soft-reconfiguration inbound
set protocols bgp neighbor 192.168.29.11 address-family ipv4-unicast
set protocols bgp neighbor 192.168.29.11 description 'Controller'
set protocols bgp neighbor 192.168.29.11 remote-as '65001'

set container name exabgp image 'biwhite/exabgp'
set container name exabgp network NET01 address '192.168.29.11'
set container name exabgp volume exabgp destination '/etc/exabgp'
set container name exabgp volume exabgp source '/etc/exabgp'
set container network NET01 prefix '192.168.29.0/24'

ExaBGP configuration in container:

bash-4.4# cat /etc/exabgp/exabgp.conf 
process acl {
   run ./acl.py;
   encoder json;
}

template {
  neighbor controller {
    family {
      ipv4 flow;
    }
    api speaking {
      processes [ acl ];
      neighbor-changes;
      receive {
         parsed;
         update;
      }
    }
  }
}

neighbor 192.168.29.1 {
  inherit controller;
  router-id 192.168.29.11;
  local-as 65001;
  peer-as 65001;
  local-address 0.0.0.0;
  connect 179;
}

Debug:

exabgp --debug /etc/exabgp/exabgp.conf 

14:05:33 | 18580  | parser        | announced NLRI none
14:05:33 | 18580  | peer-1        | << UPDATE #1
14:05:33 | 18580  | peer-1        |    UPDATE #1 nlri  (  12) flow destination-ipv4 192.0.2.0/24 protocol =udp destination-port =53
14:05:33 | 18580  | peer-1        |    UPDATE #1 nlri  (  16) flow destination-ipv4 0.0.0.0/0 source-ipv4 203.0.113.55/32 protocol =udp destination-port =8080
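As an added example (not code from this task, VyOS or ExaBGP), here is a converter from the textual flow NLRI strings shown in the debug output above into nftables rule bodies; the `drop` action, the table and chain the rules would go into, and the choice to refuse anything other than the `=` operator are my assumptions.

```python
import ipaddress

ADDR = {"destination-ipv4": "ip daddr", "source-ipv4": "ip saddr"}  # nft match
PORT = {"destination-port": "dport", "source-port": "sport"}         # per component
KNOWN = set(ADDR) | set(PORT) | {"protocol"}

def parse_flow_nlri(text):
    """Turn 'flow destination-ipv4 192.0.2.0/24 protocol =udp ...' into {component: [tokens]}."""
    tokens = text.split()
    if not tokens or tokens[0] != "flow":
        raise ValueError("not a flow NLRI: %r" % text)
    comps, current = {}, None
    for tok in tokens[1:]:
        if tok in KNOWN:
            current = comps.setdefault(tok, [])
        elif current is None:
            raise ValueError("value %r before any component" % tok)
        else:
            current.append(tok)
    return comps

def equal_values(component, values):
    # Only '=' is translated; ranges, '&' conjunctions and bitmask matches are
    # refused rather than ignored, since dropping a component widens the match.
    for v in values:
        if len(v) < 2 or v[0] != "=":
            raise ValueError("unsupported operator in %s: %r" % (component, v))
    return [v[1:] for v in values]

def flow_to_nft(text, action="drop"):
    """Return the body of one nftables rule for a flowspec NLRI string (assumed rule form)."""
    comps, parts = parse_flow_nlri(text), []
    for name, expr in ADDR.items():
        for prefix in comps.get(name, []):
            net = ipaddress.ip_network(prefix, strict=True)
            if net.prefixlen:  # 0.0.0.0/0 matches everything: emit no match
                parts.append("%s %s" % (expr, net))
    protos = equal_values("protocol", comps.get("protocol", []))
    ports = {e: equal_values(n, comps.get(n, [])) for n, e in PORT.items()}
    if any(ports.values()) and protos not in (["tcp"], ["udp"]):
        raise ValueError("port match needs exactly protocol =tcp or =udp: %r" % text)
    for expr, values in ports.items():
        if values:
            sel = values[0] if len(values) == 1 else "{ %s }" % ", ".join(values)
            parts.append("%s %s %s" % (protos[0], expr, sel))
    if protos and not any(ports.values()):  # anonymous set, valid for one or more protocols
        parts.append("ip protocol { %s }" % ", ".join(protos))
    if not parts:
        raise ValueError("refusing to build a match-all rule from %r" % text)
    return " ".join(parts + [action])
```

The two NLRIs above become `ip daddr 192.0.2.0/24 udp dport 53 drop` and `ip saddr 203.0.113.55/32 udp dport 8080 drop`, which the controller would prepend with something like `nft add rule ip flowspec input` (table and chain names assumed).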

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)