On Tue, Jan 03, 2006 at 07:15:36PM +0100, Sylvain Coutant wrote:
> Hi and happy new year to all,
>
> I try to apply a "nexthop blackhole" filter without success on OpenBSD 3.8.
>
> I receive the bogon list from cymru and try to force "blackholing" of
> the routes without success. Here is my configuration :
>
> group "BGPBogon" {
>         remote-as 65333
>         announce none
>         multihop 255
>         set localpref 999
>
>         neighbor x.x.x.x {
>                 descr BGP-Bogon
>                 local-address y.y.y.y
>         }
> }
>
> Later I apply the filter :
>
> match from group BGPBogon community 65333:888 set nexthop blackhole
>
>
> I tried several combinations with the reject keyword and without
> community filter also, but routes are installed in the fib with a valid
> nexthop anyway and the server sends the packets for those routes. I even
> tried to force the nexthop at the group level without success ... !
>
> If someone can explain to me what I'm missing - any help welcome ;-)
>

I just tried a filter like this:

match from any AS 29166 set nexthop blackhole

and that did work:

# bgpctl show rib as 29166
*> 194.40.224.0/22 62.48.4.4 100 222 65001 8271 3320 3303 29166 i
# route -n get 194.40.224.1
   route to: 194.40.224.1
destination: 194.40.224.0
       mask: 255.255.252.0
    gateway: 62.48.4.4
  interface: em0
 if address: 62.48.4.34
      flags: <UP,GATEWAY,DONE,BLACKHOLE,PROTO1>
...

You could do a "set nexthop blackhole" in the network or group block.
Also try to verify if the "match from group BGPBogon ..." is working by
adjusting localpref or the metric (both are visible in the bgpctl show rib
output).

-- 
:wq Claudio
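
Added example, not part of the original thread: a shell sketch of the check Claudio does by hand, listing every RIB prefix whose FIB entry lacks the BLACKHOLE flag. The sample RIB text, the 192.0.2.0/24 entry, fake_route_get and the ROUTE_GET override are constructed for illustration so the script runs offline.

```sh
#!/bin/sh
# Added example: report RIB prefixes that are NOT blackholed in the FIB.
# IPv4 only. Parses the output formats quoted in the thread.

# Print prefixes from `bgpctl show rib` output on stdin.
# The prefix is field 2 when the flags column ("*>") is present, else field 1.
rib_prefixes() {
    awk '{ for (i = 1; i <= 2; i++)
             if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) { print $i; break } }'
}

# Print the comma-separated flag list from `route -n get` output on stdin.
fib_flags() {
    sed -n 's/^[[:space:]]*flags:[[:space:]]*<\(.*\)>.*$/\1/p'
}

# Succeed only if BLACKHOLE is one of the flags (exact match, not a substring).
has_blackhole() {
    case ",$1," in
        *,BLACKHOLE,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# For each prefix on stdin, look up its network address in the FIB and print
# the prefix if the matching route is not flagged BLACKHOLE.
# ROUTE_GET is a hypothetical override used here to substitute canned output.
not_blackholed() {
    while read -r prefix; do
        addr=${prefix%/*}
        flags=$(${ROUTE_GET:-route -n get} "$addr" 2>/dev/null </dev/null | fib_flags)
        has_blackhole "$flags" || echo "$prefix flags=<$flags>"
    done
}

# Constructed sample: the RIB line from the thread plus one made-up prefix.
SAMPLE_RIB='*> 194.40.224.0/22 62.48.4.4 100 222 65001 8271 3320 3303 29166 i
*> 192.0.2.0/24 62.48.4.4 100 0 65001 64500 i'

# Constructed stand-in for route(8): only the first prefix is blackholed.
fake_route_get() {
    case "$1" in
        194.40.224.0) f='UP,GATEWAY,DONE,BLACKHOLE,PROTO1' ;;
        *)            f='UP,GATEWAY,DONE,PROTO1' ;;
    esac
    printf '   route to: %s\n    gateway: 62.48.4.4\n      flags: <%s>\n' "$1" "$f"
}

ROUTE_GET=fake_route_get   # remove this line to query the live FIB
printf '%s\n' "$SAMPLE_RIB" | rib_prefixes | not_blackholed
```

On a live router the input would come from a command such as the "bgpctl show rib as 29166" shown above instead of SAMPLE_RIB.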