Ethernet type name, decimal number, true or false.
| 15 | source-mac | - | MAC address. |
| 16 | destination-mac | - | MAC address. |
| 17 | llc-dsap | Numeric | Decimal number, true or false. |
| 18 | llc-ssap | Numeric | Decimal number, true or false. |
| 19 | llc-control | Numeric | Decimal number, true or false. |
| 20 | snap | Numeric | Decimal number, true or false. |
| 21 | vid | Numeric | Decimal number, true or false. |
| 22 | cos | Numeric | Decimal number, true or false. |
| 23 | inner-vid | Numeric | Decimal number, true or false. |
| 24 | inner-cos | Numeric | Decimal number, true or false. |

Note: IPv4/VPNv4 FlowSpec families support types 1-12, IPv6/VPNv6 FlowSpec
families support types 1-13 and L2VPN FlowSpec family supports types 1-24.
Operator/Operand Types

| Type | Value |
| --- | --- |
| Numeric | [&] [== \| > \| >= \| < \| <= \| !=] |
| Bitmask | [&] [= \| ! \| !=] |

Note: For the decimal type values (e.g., port), you can combine the
following operators and the reserved values. The following complies with
draft-ietf-idr-rfc5575.
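
| lt | gt | eq | Operator/Value |
| --- | --- | --- | --- |
| 0 | 0 | 0 | true (no operator and independent of the value) |
| 0 | 0 | 1 | == |
| 0 | 1 | 0 | > |
| 0 | 1 | 1 | >= |
| 1 | 0 | 0 | < |
| 1 | 0 | 1 | <= |
| 1 | 1 | 0 | != |
| 1 | 1 | 1 | false (no operator and independent of the value) |
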
Note: For the bitmask operand, RFC5575 says "=value" and "value" differ
in the bitwise match operation. With "=value", it is evaluated as
"(data & value) == value"; with "value" (without "="), "data & value" evaluates
to TRUE if any of the bits in the value mask are set in the data.
Example - Destination Prefix

| Key | Value |
| --- | --- |
| destination | IP Prefix (or IP Address) |

```shell
# gobgp global rib -a ipv4-flowspec add match destination <IPv4 Prefix> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?}]

# If an IPv4 address is specified, it is treated as a /32 prefix
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.1 then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.1/32] fictitious 00:00:00 [{Origin: ?}]

# gobgp global rib -a ipv6-flowspec add match destination <IPv6 Prefix> [OFFSET] then <THEN>
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::/64 then accept
$ gobgp global rib -a ipv6-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 2001:db8:1::/64/0] fictitious 00:00:00 [{Origin: ?}]

# With prefix offset
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::/64 32 then accept
$ gobgp global rib -a ipv6-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 2001:db8:1::/64/32] fictitious 00:00:00 [{Origin: ?}]

# As with an IPv4 address, if an IPv6 address is specified, it is treated as a /128 prefix
$ gobgp global rib -a ipv6-flowspec add match destination 2001:db8:1::1 then accept
$ gobgp global rib -a ipv6-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 2001:db8:1::1/128/0] fictitious 00:00:00 [{Origin: ?}]
```

```shell
# gobgp global rib -a ipv4-flowspec add match protocol <Protocol> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match protocol tcp then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [protocol: ==tcp] fictitious 00:00:00 [{Origin: ?}]

# Combination of rules
# Note: "true" or "false" should come last in the rule, without an operator
$ gobgp global rib -a ipv4-flowspec add match protocol '==tcp &=udp icmp >igmp >=egp <igp <=rsvp !=gre &!ospf true' then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [protocol: ==tcp&==udp ==icmp >igmp >=egp <igp <=rsvp !=gre&!=ospf true] fictitious 00:00:00 [{Origin: ?}]
```

Example - Port

| Key | Operator | Value |
| --- | --- | --- |
| port | [&] [== \| > \| >= \| < \| <= \| !=] | Decimal number, true or false |

```shell
# gobgp global rib -a ipv4-flowspec add match port <Port> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match port 80 then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [port: ==80] fictitious 00:00:00 [{Origin: ?}]

# Combination of rules
# Note: "true" or "false" should come last in the rule, without an operator
$ gobgp global rib -a ipv4-flowspec add match port '==80 &=90 8080 >9090 >=10080 <10090 <=18080 !=19090 &!443 true' then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [port: ==80&==90 ==8080 >9090 >=10080 <10090 <=18080 !=19090&!=443 true] fictitious 00:00:00 [{Origin: ?}]
```

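The following Go program is an added example, not part of GoBGP: it evaluates a numeric rule, written in the form `gobgp global rib` prints, against one field value, so a rule can be checked before it is announced with `discard`. It follows this page's lt/gt/eq table (000 is `true`, 111 is `false`) and assumes the usual FlowSpec combination logic: terms are ORed unless joined with `&`, which binds tighter; the names `Match`, `evalTerm` and `opBits` are made up for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// lt/gt/eq bit patterns from the table on this page (lt=4, gt=2, eq=1).
var opBits = map[string]uint8{"true": 0, "==": 1, ">": 2, ">=": 3, "<": 4, "<=": 5, "!=": 6, "false": 7}

func evalTerm(bits uint8, value, data uint64) bool {
	if bits == 0 || bits == 7 { // 000 = "true", 111 = "false" per this page; value ignored
		return bits == 0
	}
	return (bits&4 != 0 && data < value) || (bits&2 != 0 && data > value) || (bits&1 != 0 && data == value)
}

// Match evaluates a rule such as "==80 >=8080&<=8888" against one field value.
// Space-separated terms are ORed; "&" ANDs a term with the one before it.
func Match(rule string, data uint64) (bool, error) {
	toks := strings.Fields(strings.ReplaceAll(rule, "&", " &"))
	if len(toks) == 0 {
		return false, fmt.Errorf("empty rule")
	}
	total, group := false, true
	for i, tok := range toks {
		and := strings.HasPrefix(tok, "&")
		tok = strings.TrimPrefix(tok, "&")
		if !and && i > 0 { // new OR alternative: fold the finished AND group into the result
			total, group = total || group, true
		}
		num := strings.TrimLeft(tok, "=<>!")
		bits, ok := opBits[strings.TrimSuffix(tok, num)]
		value, err := strconv.ParseUint(num, 10, 32)
		if tok == "true" || tok == "false" { // reserved values carry no operator and no number
			bits, value, ok, err = opBits[tok], 0, true, nil
		}
		if !ok || err != nil {
			return false, fmt.Errorf("bad term %q", tok)
		}
		group = group && evalTerm(bits, value, data)
	}
	return total || group, nil
}

func main() {
	fmt.Println(Match("==80 >=8080&<=8888", 8889))
}
```

Two things the evaluator makes visible in the combined port rule above: `==80&==90` can never match, and the trailing `true` term makes the whole component match every port.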
Example - TCP flags

| Key | Operand | Value |
| --- | --- | --- |
| tcp-flags | [&] [= \| ! \| !=] | TCP flag or its combination. |

Supported TCP Flags: F (=FIN), S (=SYN), R (=RST), P (=PUSH),
A (=ACK), U (=URGENT), C (=CWR), E (=ECE).

```shell
# gobgp global rib -a ipv4-flowspec add match tcp-flags <TCP Flags> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match tcp-flags SA then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [tcp-flags: SA] fictitious 00:00:00 [{Origin: ?}]

# Combination of rules
# Note: '=!C' will be converted to '!=C' for backward compatibility
$ gobgp global rib -a ipv4-flowspec add match tcp-flags '==S &=SA A !F !=U =!C' then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [tcp-flags: =S&=SA A !F !=U !=C] fictitious 00:00:00 [{Origin: ?}]
```

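The bitmask note above ("=value" versus "value") decides which packets a tcp-flags rule catches, so here is an added Go example, not GoBGP code, that evaluates single terms and `&`-joined terms against a TCP flags byte. `MatchTerm`, `MatchAll` and `flagBits` are names made up for the example, `!` is taken as negation of the term's result, and OR between space-separated terms is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// TCP flag letters used on this page, mapped to their bits in the TCP header flags byte.
var flagBits = map[rune]uint8{'F': 0x01, 'S': 0x02, 'R': 0x04, 'P': 0x08, 'A': 0x10, 'U': 0x20, 'E': 0x40, 'C': 0x80}

// MatchTerm evaluates one term such as "=SA", "SA", "!F" or "!=U" against a flags byte.
func MatchTerm(term string, data uint8) (bool, error) {
	letters := strings.TrimLeft(term, "!=")
	op := strings.TrimSuffix(term, letters)
	var mask uint8
	for _, l := range letters {
		bit, ok := flagBits[l]
		if !ok {
			return false, fmt.Errorf("unknown flag %q", l)
		}
		mask |= bit
	}
	if mask == 0 || (op != "" && op != "=" && op != "!" && op != "!=") {
		return false, fmt.Errorf("bad term %q", term)
	}
	var hit bool
	if strings.HasSuffix(op, "=") {
		hit = data&mask == mask // "=value": every bit in the mask must be set
	} else {
		hit = data&mask != 0 // "value": any bit in the mask is enough
	}
	return hit != strings.HasPrefix(op, "!"), nil // a leading "!" negates the result
}

// MatchAll ANDs the terms of a rule joined with "&", e.g. "!=SA&!=U".
func MatchAll(rule string, data uint8) (bool, error) {
	for _, term := range strings.Split(rule, "&") {
		ok, err := MatchTerm(term, data)
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

func main() {
	// Constructed flag bytes: SYN only, SYN+ACK, ACK only.
	for _, f := range []uint8{0x02, 0x12, 0x10} {
		fmt.Println(MatchAll("!=SA&!=U", f))
	}
}
```

With `!=SA&!=U`, an ACK-only segment matches as well as a bare SYN, because `!=SA` is true whenever SYN and ACK are not both set; `!SA` would instead require that neither is set.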
Example - Fragment

| Key | Operand | Value |
| --- | --- | --- |
| fragment | [&] [= \| ! \| !=] | Fragment type or its combination joined with +. |

Supported Fragment Types: not-a-fragment, dont-fragment, is-fragment,
first-fragment, last-fragment.

```shell
# gobgp global rib -a ipv4-flowspec add match fragment <Fragment> then <THEN>
$ gobgp global rib -a ipv4-flowspec add match fragment dont-fragment then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [fragment: dont-fragment] fictitious 00:00:00 [{Origin: ?}]

# Combination of rules
$ gobgp global rib -a ipv4-flowspec add match fragment dont-fragment is-fragment+first-fragment then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [fragment: dont-fragment is-fragment+first-fragment] fictitious 00:00:00 [{Origin: ?}]
```

Example - Ethernet Type

| Key | Operand | Value |
| --- | --- | --- |
| ether-type | [&] [== \| > \| >= \| < \| <= \| !=] | Ethernet type name, decimal number, true or false. |

```shell
# gobgp global rib -a l2vpn-flowspec add rd <RD> match ether-type <Ethernet Type> then <THEN>
$ gobgp global rib -a l2vpn-flowspec add rd 65000:100 match ether-type arp then accept
$ gobgp global rib -a l2vpn-flowspec
Network Next Hop AS_PATH Age Attrs
*> [rd: 65000:100][ether-type: ==arp] fictitious 00:00:00 [{Origin: ?}]
```

Example - Source MAC

| Key | Value |
| --- | --- |
| source-mac | MAC Address. |

```shell
# gobgp global rib -a l2vpn-flowspec add rd <RD> match source-mac <MAC Address> then <THEN>
$ gobgp global rib -a l2vpn-flowspec add rd 65000:100 match source-mac aa:bb:cc:dd:ee:ff then accept
$ gobgp global rib -a l2vpn-flowspec
Network Next Hop AS_PATH Age Attrs
*> [rd: 65000:100][source-mac: aa:bb:cc:dd:ee:ff] fictitious 00:00:00 [{Origin: ?}]
```

Then (Traffic Filtering Actions)

| Type | Action | Description |
| --- | --- | --- |
| - | `accept` | Accept the traffic. |
| 0x8006 | `discard` | Discard the traffic using traffic-rate of 0. |
| 0x8006 | `rate-limit <RATE> [as <AS>]` | Specify the traffic rate as a float value. |
| 0x8007 | `action sample` | Enable traffic sampling and logging. |
| 0x8007 | `action terminal` | Specify the termination of the traffic filter. |
| 0x8007 | `action sample-terminal` | Specify both sample and terminal. |
| 0x8008 | `redirect <RT>` | Redirect to the VRF that has the given RT in its import policy. |
| 0x8009 | `mark <VALUE>` | Modify the DSCP in IPv4 or the Traffic Class in IPv6 with the given value. |

Example - accept/discard

```shell
# accept action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then accept
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?}]

# discard action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then discard
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [discard]}]
```

Example - rate-limit

```shell
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then rate-limit 100.0
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [rate: 100.000000]}]

# With the informational AS number
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then rate-limit 100.0 as 65000
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [rate: 100.000000(as: 65000)]}]
```

Example - action

```shell
# sample action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action sample
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [action: sample]}]

# terminal action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action terminal
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [action: terminal]}]

# sample-terminal action
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then action sample-terminal
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [action: terminal-sample]}]
```

Example - redirect

```shell
# with Two Octet AS specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 65000:100
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [redirect: 65000:100]}]

# with IPv4 address specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 1.1.1.1:100
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [redirect: 1.1.1.1:100]}]

# with IPv6 address specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 2001:db8::1:100
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [redirect: 2001:db8::1:100]}]

# with Four Octet AS specific RT
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then redirect 200.200:100
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [redirect: 200.200:100]}]
```

Example - mark

```shell
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 then mark 10
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [remark: 10]}]
```

Example of Combinations of Rules and Actions

```shell
# Add a flowspec rule that redirects flows with dst 10.0.0.0/24 and src 20.0.0.0/24 to the VRF with RT 10:10
$ gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 10.0.0.0/24][source: 20.0.0.0/24] fictitious 00:00:00 [{Origin: ?} {Extcomms: [redirect: 10:10]}]

# Add a flowspec rule that discards flows whose dst is 2001::2/128, whose port equals 80,
# and whose TCP flags do not match SA (SYN/ACK) and do not match U (URG)
$ gobgp global rib -a ipv6-flowspec add match destination 2001::2/128 port '==80' tcp-flags '!=SA&!=U' then discard
$ gobgp global rib -a ipv6-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination: 2001::2/128/0][port: ==80][tcp-flags: !=SA&!=U] fictitious 00:00:00 [{Origin: ?} {Extcomms: [discard]}]

# Add another flowspec rule that discards flows where:
# - ip protocol is tcp
# - destination port is 80, or greater than or equal to 8080 and less than or equal to 8888
# - packet is a first fragment or a last fragment
$ gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' fragment '=first-fragment =last-fragment' then discard
$ gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [protocol: ==tcp][destination-port: ==80 >=8080&<=8888][fragment: =first-fragment =last-fragment] fictitious 00:00:00 [{Origin: ?} {Extcomms: [discard]}]
```