https://github.com/fsrv-xyz/bird-flowspec-daemon

Flowspec daemon for Bird2 on Linux
https://github.com/fsrv-xyz/bird-flowspec-daemon

bird2 firewall-rules flowspec golang linux protection security

Last synced: 12 days ago
JSON representation

Flowspec daemon for Bird2 on Linux

• Host: GitHub
• URL: https://github.com/fsrv-xyz/bird-flowspec-daemon
• Owner: fsrv-xyz
• License: mit
• Created: 2024-10-24T17:29:49.000Z (15 days ago)
• Default Branch: main
• Last Pushed: 2024-10-25T10:30:02.000Z (14 days ago)
• Last Synced: 2024-10-25T20:20:12.457Z (13 days ago)
• Topics: bird2, firewall-rules, flowspec, golang, linux, protection, security
• Language: Go
• Homepage:
• Size: 49.8 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# bird-flowspec-daemon

This is a daemon that connects to the Bird (version 2 required) routing daemon and regularly applies the flowspec rules to the host.

Currently, the following actions are supported (see https://datatracker.ietf.org/doc/html/rfc8955#traffic_extended_communities for more information):

- `traffic-rate-bytes`

- `traffic-rate-packets`

### Requirements

- Bird 2 or newer

- Nftables (see installation instructions for further information)

### Installation

This project requires the following structure in nftables:

```shell

#!/usr/sbin/nft -f

table inet filter {

  chain flowspec {} # Flowspec rules will be managed in here

  chain input {

    type filter hook input priority filter; policy accept;

  }

  chain forward {

    type filter hook forward priority filter; policy accept;

    jump flowspec # Jump to the flowspec chain to apply the rules

  }

  chain output {

    type filter hook output priority filter; policy accept;

  }

}

```

The flowspec rules will be inserted into the `flowspec` chain. A jump / goto to this chain is required in order to apply the rules.

### Configuration

Configuration can be done via command line arguments or environment variables.

This repository contains an example systemd service file that can be used to start the daemon.

The following options are available:

```

Flags:

  -h, --[no-]help            Show context-sensitive help (also try --help-long and --help-man).

  -d, --[no-]debug           Enable debug mode

      --bird-socket=/run/bird/bird.ctl

                             Path to BIRD socket ($BIRD_SOCKET_PATH)

      --metrics.listen-address="127.0.0.1:9302"

                             Address to listen on for metrics

      --interval=10s         Interval to check for new routes ($CHECK_INTERVAL)

      --[no-]enable-counter  Enable counter in nftables rules ($ENABLE_COUNTER)

```