> Not sure if it's going to be any use for your particular setup, but if
> these are coming in as AS External LSAs ("ospfctl sh da ext") and you
> have a way to get an "External route tag" set on them, you can have
> ospfd tag the routes with a route label, and then PF can match addresses
> on route labels. See "rtlabel" in ospfd.conf(5) and you can match with
> "route <label>" in pf.conf where you would normally use an address or
> prefix.
>
> Another possibility would be if these subnets could be fed by BGP
> instead of OSPF. You can use any of the usual match rules (so criteria
> can include things like community, peer, nexthop, prefixes within a
> certain range, etc.) to match incoming updates, and feed them straight
> into a PF table.

Thanks for these hints Stuart, I'll have to check them out!

-Martin
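
The two approaches suggested in the quoted reply, sketched as configuration fragments. This is an added example, not configuration posted in the thread; the label name, tag value, community and table name are constructed placeholders.

```conf
# --- /etc/ospfd.conf (fragment) ---
# Map external route tag 100 (placeholder) to the route label "branch"
# (placeholder). Routes from AS-external LSAs carrying that tag are
# installed with this label.
rtlabel "branch" external-tag 100

# --- /etc/bgpd.conf (fragment, for the BGP alternative) ---
# Feed prefixes from updates matching the filter into a PF table.
# The community value and table name are placeholders.
match from any community 65000:100 set pftable "branch_nets"

# --- /etc/pf.conf (fragment) ---
# OSPF variant: "route <label>" is used where an address or prefix
# would normally go.
pass in quick from route "branch" to any

# BGP variant: the table has to exist and persist while empty so that
# bgpd can add and remove prefixes in it.
table <branch_nets> persist
pass in quick from <branch_nets> to any
```

With either approach, whoever can originate routes carrying that tag or community decides which addresses the PF rule covers, so the OSPF and BGP adjacencies feeding it should be authenticated and filtered.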
