add BGP control plane filtering

2019-10-01 14:43:57 +01:00
parent df5e80366e
commit b9c5154ec3
4 changed files with 32 additions and 0 deletions


@ -1,5 +1,9 @@
*filter
:INPUT ACCEPT [0:0]
{% if salt["pillar.get"]("control-plane-protection:bgp:IPv6",None) != None %}
-A INPUT -p tcp --dport 179 -m set --match-set control-plane-bgp-v6 src -j ACCEPT
-A INPUT -p tcp --dport 179 -m tcp -j REJECT --reject-with tcp-reset
{% endif %}
:FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
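Review bot: The guard around the two new INPUT rules is fail-open: when the `control-plane-protection:bgp:IPv6` pillar key is absent or misspelled, neither rule is rendered, and with `:INPUT ACCEPT [0:0]` TCP/179 stays reachable from any source. If that is intended for hosts that do not speak BGP, document it above the `{% if %}`, for example `{# no pillar key => no BGP filtering is rendered; INPUT policy stays ACCEPT #}`. The ACCEPT rule also depends on the set `control-plane-bgp-v6`, whose creation is not visible in this hunk. Loading this table will presumably fail if the set does not exist yet, so the state ordering should ensure the set is created before the rules are restored. As a style point, `is not none` is the idiomatic Jinja test in place of `!= None`.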