Le 04/04/2022 à 15:43, Claudio Jeker a écrit :
> On Tue, Mar 29, 2022 at 09:53:56AM +0200, Laurent CARON wrote:
>> Hi,
>>
>> I'm happily running several OpenBGPd routers (Openbsd 7.0).
>>
>> After having applied the folloxing filters (to blackhole traffic from
>> certain countries):
>>
>> include "/etc/bgpd/deny-asn.ru.bgpd"
>> include "/etc/bgpd/deny-asn.by.bgpd"
>> include "/etc/bgpd/deny-asn.ua.bgpd"
>>
>>
>> # head /etc/bgpd/deny-asn.ru.bgpd
>> match from any AS 2148 set { localpref 250 nexthop blackhole }
>> match from any AS 2585 set { localpref 250 nexthop blackhole }
>> match from any AS 2587 set { localpref 250 nexthop blackhole }
>> match from any AS 2599 set { localpref 250 nexthop blackhole }
>> match from any AS 2766 set { localpref 250 nexthop blackhole }
>> match from any AS 2848 set { localpref 250 nexthop blackhole }
>> match from any AS 2854 set { localpref 250 nexthop blackhole }
>> match from any AS 2875 set { localpref 250 nexthop blackhole }
>> match from any AS 2878 set { localpref 250 nexthop blackhole }
>> match from any AS 2895 set { localpref 250 nexthop blackhole }
>>
> You should really use as-set for this:
>
> as-set ru-set { 2148 2585 2587 ... }
>
> And also not match any (at least I think you don't really want that to
> match on ibgp sessions):
>
> match from ebgp AS as-set ru-set set { localpref 250 nexthop blackhole }
>
> If done right you can replace all your rules by one single one.
>
Hi Claudio,
Thanks for the hints.
Will change the config accordingly and report back.
Cheers,
Laurent
No comments:
Post a Comment