github.com/osrg/gobgp/v3@v3.30.0/docs/sources/flowspec.md

# Flow Specification

GoBGP supports [RFC5575](https://tools.ietf.org/html/rfc5575),
[RFC7674](https://tools.ietf.org/html/rfc7674),
[draft-ietf-idr-flow-spec-v6](https://tools.ietf.org/html/draft-ietf-idr-flow-spec-v6)
and [draft-ietf-idr-flowspec-l2vpn](https://tools.ietf.org/html/draft-ietf-idr-flowspec-l2vpn).

## Prerequisites

This page assumes you have finished [Getting Started](getting-started.md).

## Contents

- [Configuration](#configuration)
- [CLI Syntax](#cli-syntax)

## Configuration

To enable the FlowSpec address families, list the corresponding `afi-safi-name`
values in the `neighbors.afi-safis` section, as shown below.

```toml
[[neighbors]]
  # ...(snip)...
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv4-flowspec"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv6-flowspec"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "l3vpn-ipv4-flowspec"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "l3vpn-ipv6-flowspec"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "l2vpn-flowspec"
  # ...(snip)...
```

## CLI Syntax

### IPv4/IPv6 FlowSpec

```bash
# Add a route
$ gobgp global rib -a {ipv4-flowspec|ipv6-flowspec} add match <MATCH> then <THEN>
    <MATCH>     : { destination <PREFIX> [<OFFSET>] |
                    source <PREFIX> [<OFFSET>] |
                    protocol <PROTOCOLS>... |
                    fragment <FRAGMENTS>... |
                    tcp-flags <TCP_FLAGS>... |
                    port <ITEM>... |
                    destination-port <ITEM>... |
                    source-port <ITEM>... |
                    icmp-type <ITEM>... |
                    icmp-code <ITEM>... |
                    packet-length <ITEM>... |
                    dscp <ITEM>... |
                    label <ITEM>... }...
    <PROTOCOLS> : [&] [<|<=|>|>=|==|!=] <PROTOCOL>
    <PROTOCOL>  : egp, gre, icmp, igmp, igp, ipip, ospf, pim, rsvp, sctp, tcp, udp, unknown, <DEC_NUM>
    <FRAGMENTS> : [&] [=|!|!=] <FRAGMENT>
    <FRAGMENT>  : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
    <TCP_FLAGS> : [&] [=|!|!=] <TCP_FLAG>
    <TCP_FLAG>  : F, S, R, P, A, U, E, C
    <ITEM>      : [&] [<|<=|>|>=|==|!=] <DEC_NUM>
    <THEN>      : { accept |
                    discard |
                    rate-limit <RATE> [as <AS>] |
                    redirect <RT> |
                    mark <DEC_NUM> |
                    action { sample | terminal | sample-terminal } }...
    <RT>        : xxx:yyy, xxx.xxx.xxx.xxx:yyy, xxxx::xxxx:yyy, xxx.xxx:yyy

# Show routes
$ gobgp global rib -a {ipv4-flowspec|ipv6-flowspec}

# Delete route
$ gobgp global rib -a {ipv4-flowspec|ipv6-flowspec} del match <MATCH_EXPR>
```

### VPNv4/VPNv6 FlowSpec

```bash
# Add a route
$ gobgp global rib -a {ipv4-l3vpn-flowspec|ipv6-l3vpn-flowspec} add rd <RD> match <MATCH> then <THEN> [rt <RT>]
    <RD>        : xxx:yyy, xxx.xxx.xxx.xxx:yyy, xxx.xxx:yyy
    <MATCH>     : { destination <PREFIX> [<OFFSET>] |
                    source <PREFIX> [<OFFSET>] |
                    protocol <PROTOCOLS>... |
                    fragment <FRAGMENTS>... |
                    tcp-flags <TCP_FLAGS>... |
                    port <ITEM>... |
                    destination-port <ITEM>... |
                    source-port <ITEM>... |
                    icmp-type <ITEM>... |
                    icmp-code <ITEM>... |
                    packet-length <ITEM>... |
                    dscp <ITEM>... |
                    label <ITEM>... }...
    <PROTOCOLS> : [&] [<|<=|>|>=|==|!=] <PROTOCOL>
    <PROTOCOL>  : egp, gre, icmp, igmp, igp, ipip, ospf, pim, rsvp, sctp, tcp, udp, unknown, <DEC_NUM>
    <FRAGMENTS> : [&] [=|!|!=] <FRAGMENT>
    <FRAGMENT>  : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
    <TCP_FLAGS> : [&] [=|!|!=] <TCP_FLAG>
    <TCP_FLAG>  : F, S, R, P, A, U, E, C
    <ITEM>      : [&] [<|<=|>|>=|==|!=] <DEC_NUM>
    <THEN>      : { accept |
                    discard |
                    rate-limit <RATE> [as <AS>] |
                    redirect <RT> |
                    mark <DEC_NUM> |
                    action { sample | terminal | sample-terminal } }...
    <RT>        : xxx:yyy, xxx.xxx.xxx.xxx:yyy, xxxx::xxxx:yyy, xxx.xxx:yyy

# Show routes
$ gobgp global rib -a {ipv4-l3vpn-flowspec|ipv6-l3vpn-flowspec}

# Delete route
$ gobgp global rib -a {ipv4-l3vpn-flowspec|ipv6-l3vpn-flowspec} del rd <RD> match <MATCH_EXPR>
```

### L2VPN FlowSpec

```bash
# Add a route
$ gobgp global rib -a l2vpn-flowspec add rd <RD> match <MATCH> then <THEN> [rt <RT>]
    <RD>          : xxx:yyy, xxx.xxx.xxx.xxx:yyy, xxx.xxx:yyy
    <MATCH>       : { destination <PREFIX> [<OFFSET>] |
                      source <PREFIX> [<OFFSET>] |
                      protocol <PROTOCOLS>... |
                      fragment <FRAGMENTS>... |
                      tcp-flags <TCP_FLAGS>... |
                      port <ITEM>... |
                      destination-port <ITEM>... |
                      source-port <ITEM>... |
                      icmp-type <ITEM>... |
                      icmp-code <ITEM>... |
                      packet-length <ITEM>... |
                      dscp <ITEM>... |
                      label <ITEM>... |
                      destination-mac <MAC_ADDRESS> |
                      source-mac <MAC_ADDRESS> |
                      ether-type <ETHER_TYPES>... |
                      llc-dsap <ITEM>... |
                      llc-ssap <ITEM>... |
                      llc-control <ITEM>... |
                      snap <ITEM>... |
                      vid <ITEM>... |
                      cos <ITEM>... |
                      inner-vid <ITEM>... |
                      inner-cos <ITEM>... }...
    <PROTOCOLS>   : [&] [<|<=|>|>=|==|!=] <PROTOCOL>
    <PROTOCOL>    : egp, gre, icmp, igmp, igp, ipip, ospf, pim, rsvp, sctp, tcp, udp, unknown, <DEC_NUM>
    <FRAGMENTS>   : [&] [=|!|!=] <FRAGMENT>
    <FRAGMENT>    : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
    <TCP_FLAGS>   : [&] [=|!|!=] <TCP_FLAG>
    <TCP_FLAG>    : F, S, R, P, A, U, E, C
    <ETHER_TYPES> : [&] [<|<=|>|>=|==|!=] <ETHER_TYPE>
    <ETHER_TYPE>  : aarp, apple-talk, arp, ipv4, ipv6, ipx, loopback, net-bios, pppoe-discovery, pppoe-session, rarp, snmp, vmtp, xtp, <DEC_NUM>
    <ITEM>        : [&] [<|<=|>|>=|==|!=] <DEC_NUM>
    <THEN>        : { accept |
                      discard |
                      rate-limit <RATE> [as <AS>] |
                      redirect <RT> |
                      mark <DEC_NUM> |
                      action { sample | terminal | sample-terminal } }...
    <RT>          : xxx:yyy, xxx.xxx.xxx.xxx:yyy, xxxx::xxxx:yyy, xxx.xxx:yyy

# Show routes
$ gobgp global rib -a l2vpn-flowspec

# Delete route
$ gobgp global rib -a l2vpn-flowspec del rd <RD> match <MATCH_EXPR>
```

### Match (Traffic Filtering Rules)

| Type | Key              | Operator/Operand Type | Value                                                  |
| ---- | ---------------- | --------------------- | ------------------------------------------------------ |
| 1    | destination      | -                     | IP Prefix (or IP Address).                             |
| 2    | source           | -                     | IP Prefix (or IP Address).                             |
| 3    | protocol         | Numeric               | Protocol name, decimal number, `true` or `false`.      |
| 4    | port             | Numeric               | Decimal number, `true` or `false`.                     |
| 5    | destination-port | Numeric               | Decimal number, `true` or `false`.                     |
| 6    | source-port      | Numeric               | Decimal number, `true` or `false`.                     |
| 7    | icmp-type        | Numeric               | Decimal number, `true` or `false`.                     |
| 8    | icmp-code        | Numeric               | Decimal number, `true` or `false`.                     |
| 9    | tcp-flags        | Bitmask               | TCP flag or its combination.                           |
| 10   | packet-length    | Numeric               | Decimal number, `true` or `false`.                     |
| 11   | dscp             | Numeric               | Decimal number, `true` or `false`.                     |
| 12   | fragment         | Bitmask               | Fragment type or its combination joined with `+`.      |
| 13   | label            | Numeric               | Decimal number, `true` or `false`.                     |
| 14   | ether-type       | Numeric               | Ethernet type name, decimal number, `true` or `false`. |
| 15   | source-mac       | -                     | MAC address.                                           |
| 16   | destination-mac  | -                     | MAC address.                                           |
| 17   | llc-dsap         | Numeric               | Decimal number, `true` or `false`.                     |
| 18   | llc-ssap         | Numeric               | Decimal number, `true` or `false`.                     |
| 19   | llc-control      | Numeric               | Decimal number, `true` or `false`.                     |
| 20   | snap             | Numeric               | Decimal number, `true` or `false`.                     |
| 21   | vid              | Numeric               | Decimal number, `true` or `false`.                     |
| 22   | cos              | Numeric               | Decimal number, `true` or `false`.                     |
| 23   | inner-vid        | Numeric               | Decimal number, `true` or `false`.                     |
| 24   | inner-cos        | Numeric               | Decimal number, `true` or `false`.                     |

**Note:** The IPv4/VPNv4 FlowSpec families support types 1-12, the IPv6/VPNv6
FlowSpec families support types 1-13, and the L2VPN FlowSpec family supports
types 1-24.

#### Operator/Operand Types

| Type    | Value                                  |
| ------- | -------------------------------------- |
| Numeric | \[&] \[== \| > \| >= \| < \| <= \| !=] |
| Bitmask | \[&] \[= \| ! \| !=]                   |

**Note:** For the decimal type values (e.g., `port`), you can combine the
following operators and the reserved values. The following complies with
[draft-ietf-idr-rfc5575](https://tools.ietf.org/html/draft-ietf-idr-rfc5575bis-06#section-4.2.3).

| lt   | gt   | eq   | Operator/Value                                     |
| ---- | ---- | ---- | -------------------------------------------------- |
| 0    | 0    | 0    | `true` (no operator and independent of the value)  |
| 0    | 0    | 1    | ==                                                 |
| 0    | 1    | 0    | \>                                                 |
| 0    | 1    | 1    | \>=                                                |
| 1    | 0    | 0    | \<                                                 |
| 1    | 0    | 1    | \<=                                                |
| 1    | 1    | 0    | !=                                                 |
| 1    | 1    | 1    | `false` (no operator and independent of the value) |

**Note:** For the bitmask operand, RFC5575 distinguishes "=value" from "value"
in the bitwise match operation. With "=value", the match is evaluated as
"(data & value) == value"; with "value" (without "="), "data & value" evaluates
to TRUE if any of the bits in the value mask are set in the data.

#### Example - Destination Prefix

| Key         | Value                     |
| ----------- | ------------------------- |
| destination | IP Prefix (or IP Address) |

```bash
# gobgp global rib -a ipv4-flowspec add match destination <IPv4 Prefix> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then accept
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?}]

# If an IPv4 address is specified, it is treated as a /32 prefix
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.1 then accept
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.1/32]  fictitious                                00:00:00   [{Origin: ?}]

# gobgp global rib -a ipv6-flowspec add match destination <IPv6 Prefix> [OFFSET] then <THEN>
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::/64 then accept
$ gobgp global rib -a ipv6-flowspec
   Network                           Next Hop             AS_PATH              Age        Attrs
*> [destination: 2001:db8:1::/64/0]  fictitious                                00:00:00   [{Origin: ?}]

# With prefix offset
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::/64 32 then accept
$ gobgp global rib -a ipv6-flowspec
   Network                            Next Hop             AS_PATH              Age        Attrs
*> [destination: 2001:db8:1::/64/32]  fictitious                                00:00:00   [{Origin: ?}]

# As with IPv4, if an IPv6 address is specified, it is treated as a /128 prefix
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::1 then accept
$ gobgp global rib -a ipv6-flowspec
   Network                            Next Hop             AS_PATH              Age        Attrs
*> [destination: 2001:db8:1::1/128/0]  fictitious                               00:00:00   [{Origin: ?}]
```

#### Example - IP Protocol/Next Header

| Key      | Operator                               | Value                                             |
| -------- | -------------------------------------- | ------------------------------------------------- |
| protocol | \[&] \[== \| > \| >= \| < \| <= \| !=] | Protocol name, decimal number, `true` or `false`. |

Supported Protocol Names: `icmp`, `igmp`, `tcp`, `egp`, `igp`, `udp`, `rsvp`,
`gre`, `ospf`, `ipip`, `pim`, `sctp`.

```bash
# gobgp global rib -a ipv4-flowspec add match protocol <Protocol> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match protocol tcp then accept
$ gobgp global rib -a ipv4-flowspec
   Network              Next Hop             AS_PATH              Age        Attrs
*> [protocol: ==tcp]    fictitious                                00:00:00   [{Origin: ?}]

# Combination of rules
# Note: "true" or "false" must be the last item of the rule and takes no operator
$ gobgp global rib -a ipv4-flowspec add match protocol '==tcp &=udp icmp >igmp >=egp <igp <=rsvp !=gre &!ospf true' then accept
$ gobgp global rib -a ipv4-flowspec
   Network                                                                      Next Hop             AS_PATH              Age        Attrs
*> [protocol: ==tcp&==udp ==icmp >igmp >=egp <igp <=rsvp !=gre&!=ospf true]    fictitious                                00:00:00   [{Origin: ?}]
```

#### Example - Port

| Key  | Operator                               | Value                             |
| ---- | -------------------------------------- | --------------------------------- |
| port | \[&] \[== \| > \| >= \| < \| <= \| !=] | Decimal number, `true` or `false` |

```bash
# gobgp global rib -a ipv4-flowspec add match port <Port> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match port 80 then accept
$ gobgp global rib -a ipv4-flowspec
   Network              Next Hop             AS_PATH              Age        Attrs
*> [port: ==80]         fictitious                                00:00:00   [{Origin: ?}]

# Combination of rules
# Note: "true" or "false" must be the last item of the rule and takes no operator
$ gobgp global rib -a ipv4-flowspec add match port '==80 &=90 8080 >9090 >=10080 <10090 <=18080 !=19090 &!443 true' then accept
$ gobgp global rib -a ipv4-flowspec
   Network                                                                            Next Hop             AS_PATH              Age        Attrs
*> [port: ==80&==90 ==8080 >9090 >=10080 <10090 <=18080 !=19090&!=443 true]    fictitious                                00:00:00   [{Origin: ?}]
```

#### Example - TCP flags

| Key       | Operand              | Value                        |
| --------- | -------------------- | ---------------------------- |
| tcp-flags | \[&] \[= \| ! \| !=] | TCP flag or its combination. |

Supported TCP Flags: `F (=FIN)`, `S (=SYN)`, `R (=RST)`, `P (=PUSH)`,
`A (=ACK)`, `U (=URGENT)`, `C (=CWR)`, `E (=ECE)`.

```bash
# gobgp global rib -a ipv4-flowspec add match tcp-flags <TCP Flags> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match tcp-flags SA then accept
$ gobgp global rib -a ipv4-flowspec
   Network              Next Hop             AS_PATH              Age        Attrs
*> [tcp-flags: SA]      fictitious                                00:00:00   [{Origin: ?}]

# Combination of rules
# Note: '=!C' is converted to '!=C' for backward compatibility
$ gobgp global rib -a ipv4-flowspec add match tcp-flags '==S &=SA A !F !=U =!C' then accept
$ gobgp global rib -a ipv4-flowspec
   Network                               Next Hop             AS_PATH              Age        Attrs
*> [tcp-flags: =S&=SA A !F !=U !=C]      fictitious                                00:00:00   [{Origin: ?}]
```

#### Example - Fragment

| Key      | Operand              | Value                                             |
| -------- | -------------------- | ------------------------------------------------- |
| fragment | \[&] \[= \| ! \| !=] | Fragment type or its combination joined with `+`. |

Supported Fragment Types: `not-a-fragment`, `dont-fragment`, `is-fragment`,
`first-fragment`, `last-fragment`.

```bash
# gobgp global rib -a ipv4-flowspec add match fragment <Fragment> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match fragment dont-fragment then accept
$ gobgp global rib -a ipv4-flowspec
   Network                      Next Hop             AS_PATH              Age        Attrs
*> [fragment: dont-fragment]    fictitious                                00:00:00   [{Origin: ?}]

# Combination of rules
$ gobgp global rib -a ipv4-flowspec add match fragment dont-fragment is-fragment+first-fragment then accept
$ gobgp global rib -a ipv4-flowspec
   Network                                                 Next Hop             AS_PATH              Age        Attrs
*> [fragment: dont-fragment is-fragment+first-fragment]    fictitious                                00:00:00   [{Origin: ?}]
```

#### Example - Ethernet Type

| Key        | Operand                                | Value                                                  |
| ---------- | -------------------------------------- | ------------------------------------------------------ |
| ether-type | \[&] \[== \| > \| >= \| < \| <= \| !=] | Ethernet type name, decimal number, `true` or `false`. |

Supported Ethernet Type Names: `ipv4`, `arp`, `rarp`, `vmtp`, `apple-talk`,
`aarp`, `ipx`, `snmp`, `net-bios`, `xtp`, `ipv6`, `pppoe-discovery`,
`pppoe-session`, `loopback`.

```bash
# gobgp global rib -a l2vpn-flowspec add rd <RD> match ether-type <Ethernet Type> then <THEN>
$ gobgp global rib -a l2vpn-flowspec add rd 65000:100 match ether-type arp then accept
$ gobgp global rib -a l2vpn-flowspec
   Network                                Next Hop             AS_PATH              Age        Attrs
*> [rd: 65000:100][ether-type: ==arp]     fictitious                                00:00:00   [{Origin: ?}]
```

#### Example - Source MAC

| Key        | Value        |
| ---------- | ------------ |
| source-mac | MAC Address. |

```bash
# gobgp global rib -a l2vpn-flowspec add rd <RD> match source-mac <MAC Address> then <THEN>
$ gobgp global rib -a l2vpn-flowspec add rd 65000:100 match source-mac aa:bb:cc:dd:ee:ff then accept
$ gobgp global rib -a l2vpn-flowspec
   Network                                            Next Hop             AS_PATH              Age        Attrs
*> [rd: 65000:100][source-mac: aa:bb:cc:dd:ee:ff]     fictitious                                00:00:00   [{Origin: ?}]
```

### Then (Traffic Filtering Actions)

| Type   | Action                         | Description                                                              |
| ------ | ------------------------------ | ------------------------------------------------------------------------ |
| -      | accept                         | Accept the traffic.                                                      |
| 0x8006 | discard                        | Discard the traffic using a traffic-rate of 0.                           |
| 0x8006 | rate-limit \<RATE> \[as \<AS>] | Specify the rate of the traffic as a float value.                        |
| 0x8007 | action sample                  | Enable traffic sampling and logging.                                     |
| 0x8007 | action terminal                | Specify the termination of the traffic filter.                           |
| 0x8007 | action sample-terminal         | Specify both sample and terminal.                                        |
| 0x8008 | redirect \<RT>                 | Redirect to the VRF which has the given RT in its import policy.         |
| 0x8009 | mark \<VALUE>                  | Modify the DSCP in IPv4 or the Traffic Class in IPv6 to the given value. |
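
The type codes in the table above are BGP extended communities (RFC 5575 section 7). The following Go program is an added example, not part of GoBGP's documentation or code base: it encodes a `then` action into the 8-byte extended community that carries it and decodes one back into the strings GoBGP prints in the Extcomms attribute (`rate: 100.000000(as: 65000)`, `discard`, `action: terminal-sample`, `remark: 10`). The `Then` struct and function names are this example's own; the byte layouts (2-byte AS plus IEEE-754 float32 for 0x8006, terminal and sample as the 0x01 and 0x02 bits of the last byte for 0x8007, DSCP in the low six bits of the last byte for 0x8009) follow RFC 5575, and the redirect route target is deliberately left out.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
)

// Extended community types from the Then table (RFC 5575 section 7). The redirect
// route target (0x8008 and the RFC 7674 variants) is left out of this example.
const (
	ecTrafficRate    uint16 = 0x8006 // 2-byte AS + IEEE-754 float32 rate; a rate of 0 is "discard"
	ecTrafficAction  uint16 = 0x8007 // flags in the last byte: 0x01 terminal (T), 0x02 sample (S)
	ecTrafficMarking uint16 = 0x8009 // DSCP in the low 6 bits of the last byte
)

// Then is one action of a "then" clause (this example's own representation).
type Then struct {
	Kind     string  // "discard", "rate-limit", "action" or "mark"
	Rate     float32 // rate-limit: bytes per second
	AS       uint16  // rate-limit: informational AS number (0 if none)
	Sample   bool    // action sample / sample-terminal
	Terminal bool    // action terminal / sample-terminal
	DSCP     uint8   // mark
}

// Encode returns the 8-byte extended community that carries the action.
func (t Then) Encode() ([8]byte, error) {
	var ec [8]byte
	switch t.Kind {
	case "discard", "rate-limit":
		rate := t.Rate
		if t.Kind == "discard" {
			rate = 0 // "discard" is a traffic-rate of 0, as the Then table says
		}
		if rate < 0 || math.IsNaN(float64(rate)) {
			return ec, fmt.Errorf("invalid rate %v", rate)
		}
		binary.BigEndian.PutUint16(ec[0:2], ecTrafficRate)
		binary.BigEndian.PutUint16(ec[2:4], t.AS)
		binary.BigEndian.PutUint32(ec[4:8], math.Float32bits(rate))
	case "action":
		binary.BigEndian.PutUint16(ec[0:2], ecTrafficAction)
		if t.Terminal {
			ec[7] |= 0x01
		}
		if t.Sample {
			ec[7] |= 0x02
		}
	case "mark":
		if t.DSCP > 0x3f { // DSCP is a 6-bit field
			return ec, fmt.Errorf("dscp %d does not fit in 6 bits", t.DSCP)
		}
		binary.BigEndian.PutUint16(ec[0:2], ecTrafficMarking)
		ec[7] = t.DSCP
	default:
		return ec, fmt.Errorf("unknown action %q", t.Kind)
	}
	return ec, nil
}

// Decode renders one extended community the way GoBGP prints it in the Extcomms
// attribute, e.g. "rate: 100.000000(as: 65000)" or "action: terminal-sample".
func Decode(ec [8]byte) (string, error) {
	switch typ := binary.BigEndian.Uint16(ec[0:2]); typ {
	case ecTrafficRate:
		as := binary.BigEndian.Uint16(ec[2:4])
		rate := math.Float32frombits(binary.BigEndian.Uint32(ec[4:8]))
		if rate == 0 {
			return "discard", nil
		}
		if as != 0 {
			return fmt.Sprintf("rate: %f(as: %d)", rate, as), nil
		}
		return fmt.Sprintf("rate: %f", rate), nil
	case ecTrafficAction:
		names := map[byte]string{0x01: "terminal", 0x02: "sample", 0x03: "terminal-sample"}
		if name, ok := names[ec[7]&0x03]; ok {
			return "action: " + name, nil
		}
		return "", fmt.Errorf("traffic-action with neither sample nor terminal set")
	case ecTrafficMarking:
		return fmt.Sprintf("remark: %d", ec[7]&0x3f), nil
	default:
		return "", fmt.Errorf("unsupported extended community type 0x%04x", typ)
	}
}

func main() {
	for _, t := range []Then{{Kind: "rate-limit", Rate: 100, AS: 65000}, {Kind: "discard"},
		{Kind: "action", Sample: true, Terminal: true}, {Kind: "mark", DSCP: 10}} {
		ec, _ := t.Encode()
		s, _ := Decode(ec)
		fmt.Printf("% x  %s\n", ec[:], s)
	}
}
```

Two details worth keeping when you build these actions yourself: `mark` has only six bits for the DSCP, so a value above 63 must be rejected before encoding, and a `rate-limit` of 0 is indistinguishable on the wire from `discard`, which is why the decoder prints it that way.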

#### Example - accept/discard

```bash
# accept action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then accept
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?}]

# discard action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then discard
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [discard]}]
```

#### Example - rate-limit

```bash
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then rate-limit 100.0
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [rate: 100.000000]}]

# With the informational AS number
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then rate-limit 100.0 as 65000
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [rate: 100.000000(as: 65000)]}]
```

#### Example - action

```bash
# sample action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action sample
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [action: sample]}]

# terminal action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action terminal
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [action: terminal]}]

# sample-terminal action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action sample-terminal
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [action: terminal-sample]}]
```

#### Example - redirect

```bash
# with Two Octet AS specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 65000:100
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [redirect: 65000:100]}]

# with IPv4 address specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 1.1.1.1:100
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [redirect: 1.1.1.1:100]}]

# with IPv6 address specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 2001:db8::1:100
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [redirect: 2001:db8::1:100]}]

# with Four Octet AS specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 200.200:100
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [redirect: 200.200:100]}]
```

#### Example - mark

```bash
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then mark 10
$ gobgp global rib -a ipv4-flowspec
   Network                     Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [remark: 10]}]
```

### Example of Combinations of Rules and Actions

```bash
# add a flowspec rule which redirects flows with dst 10.0.0.0/24 and src 20.0.0.0/24 to the VRF with RT 10:10
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
$ gobgp global rib -a ipv4-flowspec
   Network                                          Next Hop             AS_PATH              Age        Attrs
*> [destination: 10.0.0.0/24][source: 20.0.0.0/24]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [redirect: 10:10]}]

# add a flowspec rule which discards flows with dst 2001::2/128, port 80, and TCP flags that match neither SA (SYN/ACK) nor U (URG)
$ gobgp global rib -a ipv6-flowspec add match destination 2001::2/128 port '==80' tcp-flags '!=SA&!=U' then discard
$ gobgp global rib -a ipv6-flowspec
   Network                                                      Next Hop             AS_PATH              Age        Attrs
*> [destination: 2001::2/128/0][port: ==80][tcp-flags: !=SA&!=U]  fictitious                              00:00:00   [{Origin: ?} {Extcomms: [discard]}]

# add another flowspec rule which discards flows whose
# - ip protocol is tcp
# - destination port is 80, or is greater than or equal to 8080 and less than or equal to 8888
# - packet is a first fragment or a last fragment
$ gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' fragment '=first-fragment =last-fragment' then discard
$ gobgp global rib -a ipv4-flowspec
   Network                                                                                              Next Hop             AS_PATH              Age        Attrs
*> [protocol: ==tcp][destination-port: ==80 >=8080&<=8888][fragment: =first-fragment =last-fragment]  fictitious                                00:00:00   [{Origin: ?} {Extcomms: [discard]}]
```
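
To see how the numeric operators used in these rules are normalized and evaluated, here is an added example that is not code from GoBGP: it parses a numeric-operand rule string as typed on the CLI, renders it the way the RIB displays it, and evaluates it against a field value using the lt/gt/eq table and the `&` grouping of RFC 5575 (items joined by `&` form an AND group; consecutive groups are ORed). Accepting `=` and `!` as `==` and `!=`, and a bare number as `==`, mirrors the port example above; the type and function names are this example's own, and the rule strings used are the ones shown on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// lt/gt/eq bits of the numeric operator, laid out as in the table above.
const opEQ, opGT, opLT byte = 1, 2, 4

// numericOps maps CLI spellings to lt/gt/eq bits, longest first so "<=" wins over "<".
// "=" and "!" are accepted as "==" and "!=", as the port example above shows.
var numericOps = []struct {
	s string
	b byte
}{{"<=", opLT | opEQ}, {">=", opGT | opEQ}, {"!=", opLT | opGT}, {"==", opEQ},
	{"<", opLT}, {">", opGT}, {"!", opLT | opGT}, {"=", opEQ}}

// opText renders lt/gt/eq bits the way GoBGP prints them in the RIB.
var opText = map[byte]string{0: "true", opEQ: "==", opGT: ">", opGT | opEQ: ">=",
	opLT: "<", opLT | opEQ: "<=", opLT | opGT: "!=", opLT | opGT | opEQ: "false"}

// NumericItem is one operator/value pair of a numeric-operand rule (this example's type).
type NumericItem struct {
	And   bool // "&": ANDed with the preceding item
	Bits  byte // lt/gt/eq
	Value uint64
}

// ParseNumeric parses a rule such as "==80 >=8080&<=8888 true" as typed on the CLI.
func ParseNumeric(rule string) ([]NumericItem, error) {
	var items []NumericItem
	for _, tok := range strings.Fields(strings.ReplaceAll(rule, "&", " &")) {
		it := NumericItem{And: tok[0] == '&'}
		tok = strings.TrimPrefix(tok, "&")
		switch tok {
		case "true": // reserved values take no operator and no number
		case "false":
			it.Bits = opLT | opGT | opEQ
		default:
			it.Bits = opEQ // a bare number means "=="
			for _, op := range numericOps {
				if strings.HasPrefix(tok, op.s) {
					it.Bits, tok = op.b, tok[len(op.s):]
					break
				}
			}
			v, err := strconv.ParseUint(tok, 10, 64)
			if err != nil {
				return nil, fmt.Errorf("numeric item %q: %w", tok, err)
			}
			it.Value = v
		}
		items = append(items, it)
	}
	return items, nil
}

// FormatNumeric renders a rule as GoBGP shows it in the RIB, joining ANDed items with "&".
func FormatNumeric(items []NumericItem) string {
	var b strings.Builder
	for i, it := range items {
		if i > 0 && it.And {
			b.WriteByte('&')
		} else if i > 0 {
			b.WriteByte(' ')
		}
		b.WriteString(opText[it.Bits])
		if it.Bits != 0 && it.Bits != opLT|opGT|opEQ {
			b.WriteString(strconv.FormatUint(it.Value, 10))
		}
	}
	return b.String()
}

// MatchNumeric evaluates a rule against a field value (port, protocol number, length...):
// "&"-joined items form AND groups, and consecutive groups are ORed (RFC 5575, 4.2.1).
func MatchNumeric(items []NumericItem, data uint64) bool {
	result, group := false, false
	for i, it := range items {
		// OR of the selected comparisons, except that 000 is "true" and 111 is "false".
		v := it.Bits&opLT != 0 && data < it.Value || it.Bits&opGT != 0 && data > it.Value ||
			it.Bits&opEQ != 0 && data == it.Value
		if it.Bits == 0 || it.Bits == opLT|opGT|opEQ {
			v = !v
		}
		switch {
		case i == 0:
			group = v
		case it.And:
			group = group && v
		default:
			result, group = result || group, v
		}
	}
	return result || group
}

func main() {
	rule, _ := ParseNumeric("==80 >=8080&<=8888") // destination-port rule from the last example
	fmt.Println(FormatNumeric(rule), MatchNumeric(rule, 8500), MatchNumeric(rule, 9000)) // ... true false
}
```

Running `MatchNumeric` over the values you intend to filter is a cheap way to confirm that a rule such as `'==80' '>=8080&<=8888'` covers exactly the ports you meant before it is advertised to peers.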
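
The same for the bitmask operand: an added example, again not GoBGP's code, that parses a `tcp-flags` rule, renders it as the RIB shows it, and evaluates it against the flag bits of a segment. It implements the `=value` / `value` distinction from the note above (all of the bits set versus any of the bits set), the `!` negation, the `&` grouping, and the `=!X` to `!=X` normalization from the TCP flags example. The flag-to-bit mapping (F=0x01 through C=0x80, the flag byte of the TCP header) and the names are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// tcpFlagBits gives each flag letter of the tcp-flags component its bit value
// (the flag byte of the TCP header: FIN=0x01 ... CWR=0x80).
var tcpFlagBits = map[rune]uint16{'F': 0x01, 'S': 0x02, 'R': 0x04, 'P': 0x08,
	'A': 0x10, 'U': 0x20, 'E': 0x40, 'C': 0x80}

// BitmaskItem is one operator/value pair of a bitmask-operand rule (this example's type).
type BitmaskItem struct {
	And   bool   // "&": ANDed with the preceding item
	Match bool   // "=": (data & value) == value; without it, (data & value) != 0
	Not   bool   // "!": negate the result
	Value uint16 // flag bits
}

// ParseTCPFlags parses a rule such as "!=SA&!=U" or "==S &=SA A !F !=U =!C". "=="
// is accepted for "=", and "=!X" is read as "!=X", as the TCP flags example above notes.
func ParseTCPFlags(rule string) ([]BitmaskItem, error) {
	var items []BitmaskItem
	for _, tok := range strings.Fields(strings.ReplaceAll(rule, "&", " &")) {
		it := BitmaskItem{And: tok[0] == '&'}
		tok = strings.TrimPrefix(tok, "&")
		for _, op := range []string{"!=", "=!", "==", "=", "!"} {
			if strings.HasPrefix(tok, op) {
				it.Match, it.Not = strings.Contains(op, "="), strings.Contains(op, "!")
				tok = tok[len(op):]
				break
			}
		}
		if tok == "" {
			return nil, fmt.Errorf("bitmask item without flags")
		}
		for _, r := range tok {
			bit, ok := tcpFlagBits[r]
			if !ok {
				return nil, fmt.Errorf("unknown TCP flag %q", r)
			}
			it.Value |= bit
		}
		items = append(items, it)
	}
	return items, nil
}

// FormatTCPFlags renders a rule as GoBGP shows it in the RIB, e.g. "=S&=SA A !F !=U !=C".
func FormatTCPFlags(items []BitmaskItem) string {
	var b strings.Builder
	for i, it := range items {
		if i > 0 && it.And {
			b.WriteByte('&')
		} else if i > 0 {
			b.WriteByte(' ')
		}
		if it.Not {
			b.WriteByte('!')
		}
		if it.Match {
			b.WriteByte('=')
		}
		for _, r := range "FSRPAUEC" { // ascending bit order, so SYN+ACK prints as "SA"
			if it.Value&tcpFlagBits[r] != 0 {
				b.WriteRune(r)
			}
		}
	}
	return b.String()
}

// MatchTCPFlags evaluates a rule against the flag bits of one TCP segment, with the
// "=value" / "value" semantics from the note above; "&"-joined items form AND groups
// and consecutive groups are ORed.
func MatchTCPFlags(items []BitmaskItem, flags uint16) bool {
	result, group := false, false
	for i, it := range items {
		v := flags&it.Value != 0 // any of the bits set
		if it.Match {
			v = flags&it.Value == it.Value // all of the bits set
		}
		if it.Not {
			v = !v
		}
		switch {
		case i == 0:
			group = v
		case it.And:
			group = group && v
		default:
			result, group = result || group, v
		}
	}
	return result || group
}

func main() {
	rule, _ := ParseTCPFlags("!=SA&!=U") // from the IPv6 combination example above
	// A bare SYN (0x02) matches the discard rule; SYN/ACK (0x12) and SYN+URG (0x22) do not.
	fmt.Println(FormatTCPFlags(rule), MatchTCPFlags(rule, 0x02), MatchTCPFlags(rule, 0x12), MatchTCPFlags(rule, 0x22))
}
```

Note the difference this makes for the `!=SA&!=U` rule from the combination example: because `=SA` requires both SYN and ACK, a segment carrying only ACK still matches `!=SA` and is discarded, while a SYN/ACK passes.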