annotate info/routeflapper.texi @ 1:47f787af96c1

update documentation to match code
author Carl Byington <carl@five-ten-sg.com>
date Tue, 13 May 2008 15:46:53 -0700
parents 48d06780cf77
children
routeflapper
Packages

The various source and binary packages are available at @uref{http://www.five-ten-sg.com/routeflapper/packages/}.
The most recent documentation is available at @uref{http://www.five-ten-sg.com/routeflapper/}.

A Mercurial source
code repository for this project is available at @uref{http://hg.five-ten-sg.com/routeflapper/}.
2008-04-12

@node routeflapper
@subsubsection routeflapper

@unnumberedsubsubsec Name
routeflapper --- detects suspicious routes

@unnumberedsubsubsec Synopsis
routeflapper -c -d n

@unnumberedsubsubsec Description

routeflapper is a daemon that monitors BGP
updates and SMTP connections to discover whether SMTP connections are
coming from IP addresses whose best route is suspicious.

The routeflapper.conf(5) file specifies the syslog files
to be monitored, and the regular expressions (regex(7)) to be applied to new lines in those files.

The discussion has focused on syslog files, but any ASCII text
file can be used, so long as some other process appends lines to that
file, and those lines containing BGP updates can be matched
with some regular expression.

Considering syslog files in particular, these are normally rotated
via logrotate. routeflapper properly detects and
handles this case by closing the old file, and reopening the newly
created file.

@unnumberedsubsubsec Options
@table @asis

@item -c
Load the configuration file, print a canonical form
of the configuration on stdout, and exit.

@item -d n
Set the debug level to n.

@end table

@unnumberedsubsubsec Usage

routeflapper -d 2

@unnumberedsubsubsec Configuration

The configuration file is documented in routeflapper.conf(5). Any change to the config file will cause it to be
reloaded within three minutes.

@unnumberedsubsubsec Introduction

Consider the hypothetical case of a spammer who is connected via a
provider that does not filter BGP routing announcements. The spammer
then has some options to announce IP address space to be used for
sending spam. Note that we only consider cases where the spammer
simply wants to anonymously use some IP address space. This is very
different from the case where the attacker wants to use some specific
address space belonging to another organization in order to impersonate
some service provided by that other organization.

They can announce a more specific route, for example a /24, inside a
larger block. For example, consider 169.232.0.0/16. If the spammer
pokes around, they can probably find an unused /24 in there. So they
announce 169.232.240.0/24 and then send spam from that block. There
are two problems with this scheme. First, the announcement of such a
smaller block may be filtered out by many BGP routers, reducing their
reachability to their spam targets. Second, they may have made a
mistake, and that /24 is actually in use by some UCLA service that
will notice their hijack.

They can announce a less specific route, for example a /16, covering
some individual smaller blocks. For example, they could announce
52.129.0.0/16. The spammer could then avoid the four existing
announcements inside that block, and instead spam from
52.129.128.0/17. That gives them 32K IP addresses to work with. The
advantage here is that their announcement of a large block won't be
filtered out by as many (if any) BGP routers, giving them better reachability
to their spam targets. And they know they won't interfere with any
existing use of that address space, since there was no previous BGP
announcement of that /17 or any subset of it.

Or they can simply announce a prefix that is not assigned to anyone.
For example, they could simply start announcing 185.10.0.0/16. This
has many of the same advantages as the previous scheme, but some BGP
routers may be configured to drop such bogon announcements.

In each of these cases, the spammer can use BGP to announce some
address space, then send spam from those addresses, and then withdraw
the route announcement. This would make it difficult for the recipient of
such spam to determine who actually sent it.

In a paper from 2006 published at @uref{http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf},
Ramachandran and Feamster claim evidence for the statement
that spammers are using such short-lived bogus BGP route announcements
to send spam from hijacked parts of the IPv4 address space.

The question is, are spammers actually doing this today, or is this
just a hypothetical spam tactic that they could use in the future? To
help answer that question, this package monitors BGP announcements,
classifies some of them as suspicious, and logs instances of SMTP
connections from suspicious prefixes.

We track the history of the AS adjacency graph, by computing the union
of all AS adjacent pairs over all the announced prefixes. For example,
137.169.0.0/16 is currently announced here with an AS path of '22298
19080 3549 6517 14981', so we add (22298,19080) (19080,3549)
(3549,6517) and (6517,14981) as valid adjacent AS pairs.

We track the history of the origin AS for each announced prefix. Both
the origin AS and AS adjacency pairs are tracked over a timescale of
100 hours, with an exponential decay half-life of 100 hours.

A prefix announcement is suspicious if the origin AS is not in the
historical AS set for that prefix at least 20% of the time, or if the
AS path contains any adjacent AS pair that is not in the historical AS
adjacency graph at least 40% of the time.

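The two history checks described above, as an added example that is not routeflapper's own code. It assumes that "X% of the time" can be modelled as an exponentially weighted presence score updated once per hour with a 100-hour half-life; the class and function names are hypothetical, and AS 64500 is a documentation-range number used for a constructed announcement.

```python
# Added example (not routeflapper's own code). Assumption: "X% of the time" is
# modelled as an exponentially weighted presence score sampled once per hour.
HALF_LIFE_HOURS = 100.0
DECAY = 0.5 ** (1.0 / HALF_LIFE_HOURS)   # weight kept from one hour to the next
ORIGIN_MIN = 0.20      # origin AS must be in the history >= 20% of the time
ADJACENCY_MIN = 0.40   # each adjacent AS pair must be in it >= 40% of the time


class History:
    """Presence score in [0, 1] per key; halves after 100 hours of absence."""

    def __init__(self):
        self.score = {}

    def tick(self, present):
        """Advance one hour; `present` holds the keys announced in that hour."""
        for key in set(self.score) | set(present):
            seen = 1.0 if key in present else 0.0
            self.score[key] = self.score.get(key, 0.0) * DECAY + (1.0 - DECAY) * seen

    def fraction(self, key):
        return self.score.get(key, 0.0)


def adjacent_pairs(as_path):
    """'22298 19080 3549' -> [(22298, 19080), (19080, 3549)]."""
    hops = [int(asn) for asn in as_path.split()]
    # Assumption: a repeated AS (path prepending) is not an adjacency.
    return [(a, b) for a, b in zip(hops, hops[1:]) if a != b]


class Detector:
    def __init__(self):
        self.origins = History()     # key: (prefix, origin AS)
        self.adjacency = History()   # key: (AS, neighbouring AS)

    def observe_hour(self, table):
        """`table` maps prefix -> AS path string announced during this hour."""
        origin_keys, pair_keys = set(), set()
        for prefix, path in table.items():
            origin_keys.add((prefix, int(path.split()[-1])))
            pair_keys.update(adjacent_pairs(path))
        self.origins.tick(origin_keys)
        self.adjacency.tick(pair_keys)

    def reasons(self, prefix, path):
        """Reasons this announcement is suspicious; an empty list means none."""
        found = []
        origin = int(path.split()[-1])
        if self.origins.fraction((prefix, origin)) < ORIGIN_MIN:
            found.append("origin AS%d" % origin)
        for pair in adjacent_pairs(path):
            if self.adjacency.fraction(pair) < ADJACENCY_MIN:
                found.append("adjacency %d-%d" % pair)
        return found


def demo():
    det = Detector()
    for _ in range(200):   # 200 hours of the announcement quoted in the text
        det.observe_hour({"137.169.0.0/16": "22298 19080 3549 6517 14981"})
    known = det.reasons("137.169.0.0/16", "22298 19080 3549 6517 14981")
    # Constructed announcement: same prefix, origin AS 64500 (documentation range)
    changed = det.reasons("137.169.0.0/16", "22298 19080 3549 64500")
    return known, changed


if __name__ == "__main__":
    print(demo())
```

Under this model a legitimate new origin stays flagged for about 33 hours and a new adjacency for about 74 hours, which is the false-positive window these thresholds imply.
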
PHAS is another
system that attempts to detect address space hijacking, but it is not
correlated with SMTP connections or spam attempts.

IAR is
another system that attempts to detect address space hijacking, but it
is not correlated with SMTP connections or spam attempts. IAR uses
methods detailed in PGBGP
to detect suspicious routes. One problem with PGBGP as applied to our
hypothetical spammer problem is that PGBGP is primarily looking for
hijacks where the attacker actually wants some specific IP address
space, either for a denial of service, or to impersonate the actual
owner. Our hypothetical spammer does not care about that - they only
care about sending spam anonymously. In particular, PGBGP ignores
super-prefix hijacks, but it seems likely that that is the preferred
method for our hypothetical spammer. However, the PGBGP paper does provide
useful data on the required timescale to avoid most of the normal AS
origin changes.

@unnumberedsubsubsec TODO

None.

@unnumberedsubsubsec Copyright

Copyright (C) 2008 by 510 Software Group <carl@@five-ten-sg.com>

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 3, or (at your option) any
later version.

You should have received a copy of the GNU General Public License along
with this program; see the file COPYING. If not, please write to the
Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

@unnumberedsubsubsec Version

1.0.1
2008-04-12

@node routeflapper.conf
@subsubsection routeflapper.conf

@unnumberedsubsubsec Name
routeflapper.conf --- configuration file for routeflapper

@unnumberedsubsubsec Synopsis
routeflapper.conf

@unnumberedsubsubsec Description

The routeflapper.conf configuration file is
specified by this partial BNF description. The entire config file
is case sensitive. All the keywords are lower case.

@example
CONFIG    := @{FILE@}+
FILE      := "file" FILENAME "@{" PATTERN+ "@};"
PATTERN   := PATH | ANNOUNCE | WITHDRAW | IP
PATH      := "path" REGEX "@{" INDEXPATH "@}" ";"
ANNOUNCE  := "announce" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
WITHDRAW  := "withdraw" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
IP        := "ip" REGEX "@{" INDEXIP "@}" ";"
INDEXPATH := "index_path" REGEX-INTEGER-VALUE ";"
INDEXVAL  := "index_value" REGEX-INTEGER-VALUE ";"
INDEXLEN  := "index_length" REGEX-INTEGER-VALUE ";"
INDEXIP   := "index_ip" REGEX-INTEGER-VALUE ";"
@end example

@unnumberedsubsubsec Sample

@example
file "/var/log/bgp" @{
    path " rcvd UPDATE w.* path (([0-9]| )*[0-9])" @{
        index_path 1;
    @};
    announce " rcvd (([0-9]|\.)*)/([0-9]*)$" @{
        index_value 1;
        index_length 3;
    @};
    withdraw " rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn" @{
        index_value 1;
        index_length 3;
    @};
@};

file "/var/log/maillog" @{
    ip "NOQUEUE: connect from.* \[(.*)\]" @{
        index_ip 1;
    @};
@};
@end example
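
How the sample's four patterns combine to map an SMTP client to its best (longest-prefix) route, as an added example that is not routeflapper's own code. It assumes the index_* integers are capture-group numbers, that a path line applies to the announce lines that follow it, and that both files are replayed as one time-ordered stream; the log lines, the 52.129.0.0/19 announcement and the AS numbers 64500-64502 are constructed.

```python
# Added example (not routeflapper's own code): sample regexes + best-route lookup.
import ipaddress
import re

# Patterns copied from the sample configuration; comments give the index_* values,
# read here as capture-group numbers (an assumption of this example).
PATH = re.compile(r" rcvd UPDATE w.* path (([0-9]| )*[0-9])")        # index_path 1
ANNOUNCE = re.compile(r" rcvd (([0-9]|\.)*)/([0-9]*)$")               # value 1, length 3
WITHDRAW = re.compile(r" rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn")
IP = re.compile(r"NOQUEUE: connect from.* \[(.*)\]")                 # index_ip 1


def network(match, index_value, index_length):
    """Build a network from the two capture groups; None if malformed."""
    text = "%s/%s" % (match.group(index_value), match.group(index_length))
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def correlate(lines):
    """Replay lines in order; return (client, best prefix, AS path) per connect."""
    routes, last_path, hits = {}, None, []
    for line in lines:
        line = line.rstrip("\n")
        m = PATH.search(line)
        if m:
            last_path = m.group(1)      # assumed to apply to following announces
            continue
        m = WITHDRAW.search(line)
        if m:
            routes.pop(network(m, 1, 3), None)
            continue
        m = ANNOUNCE.search(line)
        if m:
            net = network(m, 1, 3)
            if net is not None and last_path is not None:
                routes[net] = last_path
            continue
        m = IP.search(line)
        if m:
            try:
                client = ipaddress.ip_address(m.group(1))
            except ValueError:          # greedy (.*) captured a non-address
                continue
            covering = [n for n in routes if client in n]
            best = max(covering, key=lambda n: n.prefixlen, default=None)
            hits.append((str(client),
                         str(best) if best is not None else None,
                         routes.get(best)))
    return hits


SAMPLE = [  # constructed log lines, merged in time order from both files
    "Apr 12 10:00:00 rtr bgpd[311]: 192.0.2.1 rcvd UPDATE w/ attr: nexthop 192.0.2.1, origin i, path 22298 19080 64502",
    "Apr 12 10:00:00 rtr bgpd[311]: 192.0.2.1 rcvd 52.129.0.0/19",
    "Apr 12 10:05:00 rtr bgpd[311]: 192.0.2.1 rcvd UPDATE w/ attr: nexthop 192.0.2.1, origin i, path 22298 64500 64501",
    "Apr 12 10:05:00 rtr bgpd[311]: 192.0.2.1 rcvd 52.129.0.0/16",
    "Apr 12 10:06:00 mx sendmail[2210]: NOQUEUE: connect from host.example [52.129.1.1]",
    "Apr 12 10:06:10 mx sendmail[2211]: NOQUEUE: connect from host.example [52.129.200.7]",
    "Apr 12 10:20:00 rtr bgpd[311]: 192.0.2.1 rcvd UPDATE about 52.129.0.0/16 -- withdrawn",
    "Apr 12 10:21:00 mx sendmail[2213]: NOQUEUE: connect from host.example [52.129.200.8]",
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```

The last connection arrives after the covering /16 has been withdrawn and resolves to no route at all, which is why the announcement history has to be kept rather than only the current table.
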

@unnumberedsubsubsec Version

1.0.1