Skip to content

hack3ric/flow

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

125 Commits
.cargo
.cargo
 
 
.github/workflows
.github/workflows
 
 
src
src
 
 
xtask
xtask
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
rustfmt.toml
rustfmt.toml
 
 

Repository files navigation

Flow

Flow enables BGP Flow Specification (flowspec) on Linux software routers/firewalls. It acts as a sink that receives routes from another BGP speaker and transforms flowspecs into nftables rules and kernel routing tables via rtnetlink(7).

It:

  • executes BGP flowspec on Linux, using nftables;
  • enables what previously can only be done on commercial routers or bulky routing software on lightweight Linux systems.

It doesn't:

  • work as a full-blown BGP client; you will need another BGP implementation (likely running on the same node) like BIRD, OpenBGPD or GoBGP to peer with others;
  • allow multiple BGP sessions, only one-on-one;
  • initiate BGP session actively;
  • currently support VRF and VPN routes.

Implemented RFCs/Drafts

Usage

Run Flow with default settings that listens to wildcard with port 179, local AS 65000, router ID 127.0.0.1, and no restriction to the other BGP speaker:

# flow run

Allow only local AS (IBGP) and IPv6 loopback incoming IP for peer, and change listening port to 1179:

# flow run -b [::]:1179 -l 65001 -r 65001 -a ::1/128

The configuration options can be stored in a file and passed directly to Flow using the -f option:

# flow run -f flow.conf
# flow.conf

# Each line is exactly one argument without `--`, and spaces are preserved as-is.
# Empty lines and lines starting with '#' are ignored.

bind=[::1]:1179
local-as=65001
remote-as=65001

# The prefix length can be omitted if it contains only one IP
allowed-ips=::1

Configure the remote BGP speaker so it connects and sends flowspecs to Flow. You may need to enable multihop if they are connecting through loopback. For example in BIRD:

flow4 table myflow4;
flow6 table myflow6;

protocol bgp flow {
  local port 1180 as 65001;
  neighbor ::1 port 1179 as 65001;
  multihop;

  flow4 { table myflow4; import none; export all; };
  flow6 { table myflow6; import none; export all; };
}

Show information of currently running Flow instance:

# flow show

Future Work

  • Programmatic handling: custom traffic filter actions and route handling (not limited to flowspecs)
  • Validation procedure: currently this can be done from the connecting BGP speaker, but for the sake of completeness and also future programmability it should also be done here
  • VPN routes and VRF redirection: does not have many knowledge right now, but certainly doable
  • *BSD support: provide an alternative to Linux; first FreeBSD (that uses pf and reuse existing rtnetlink code), and then OpenBSD (route(4))

License

Flow is licensed under the BSD 2-Clause License. See LICENSE file for detail.

About

BGP flowspec executor

Topics

networking bgp flowspec nftables

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

8 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Nov 2, 2024

Packages

No packages published

Languages