Folks,

I modified the fastnetmon ban / unban scripts to use OpenBGPD to trigger remote blackholes using BGP (RTBH).

I have included an example bgpd filter rule set to achieve that and set Blackhole communities and custom communities to distinguish the blackhole routes.

In my setup fastnetmon runs and receives sFlow on a management rdomain / VRF and then triggers OpenBGPD (which is running in rdomain 0) to advertise routes. To do this I modified doas.conf to allow fastnetmon to run the ban script as root to change rdomain and to add a BGP network advertisement using bgpctl.

I will submit a better comprehensive diff if the community agrees with my approach.

I feel uncomfortable about fastnetmon having root on a shell script, but I have not been able to lock down executing

/sbin/route -T0 exec /usr/sbin/bgpctl network add $1/32 community $ASNUMBER:666 community BLACKHOLE

because the arguments change (for each IP address).

I suppose I could add a specific line for each possible address, but that could be a lot of lines in doas for an ISP network (let alone v6 networks).

Thinking out loud, it would be nice if a doas user could be permitted to run a shell script provided the checksum of the script matched a value set by the doas administrator.

I hope this helps, and comments and feedback are welcome; based on feedback I'd like to push the agreed approach upstream.

Thanks for all your help
Tom

On Mon, 25 May 2026 at 09:37, Tom Smyth <[email protected]> wrote:

> Ok,
>
> on latest snapshot (Sunday afternoon UTC)
> Compiles with warnings, I will discuss compiler warnings with upstream
> and see what can be done about them, I see some low hanging fruit like
> strcpy vs strlcpy etc...
>
> make FETCH_PACKAGES= works,
> make install and make package and makesum works,
> works (after I update un-commenting fastnetmon entry in
> /usr/ports/infrastructure/db/user.list
>
> upgrade from fastnetmon-1.1.7p2->1.2.9pre20260425: ok
>
> the system seems to be receiving flows and version information is correct
>
> I have a crash monitor running to see if fastnetmon is running and to
> restart it and log it
>
> It will be nice to see if the new version is more stable in OpenBSD, I'll
> report back
>
> for info I have included the check which I needed in the past to keep
> fastnetmon running on OpenBSD
>
> #minute hour mday month wday [flags] command
> #
> * * * * * /bin/ksh /usr/local/sbin/crashdetect-fastnemon
> # rotate log files every hour, if necessary
> 0 * * * * /usr/bin/newsyslog
> # send log file notifications, if necessary
> #1-59 * * * * /usr/bin/newsyslog -m
> #
> # do daily/weekly/monthly maintenance
> 30 1 * * * /bin/sh /etc/daily
> 30 3 * * 6 /bin/sh /etc/weekly
> 30 5 1 * * /bin/sh /etc/monthly
> #~ * * * * /usr/libexec/spamd-setup
>
> #~ * * * * -ns rpki-client -v && bgpctl reload
> mitigate1# cat /usr/local/sbin/crashdetect-fastnemon
> #!/sbin/ksh -
> #
> pgrep ^fastnetmon$ >/dev/null
> export ISNOTRUNNING=$?
> if [ $ISNOTRUNNING -eq 1 ] ; then
> echo fastnetmon not running >>/var/log/fastnetmon/crashdetect.log
> date >>/var/log/fastnetmon/crashdetect.log
> rcctl restart fastnetmon
> else
> echo 0
> fi
> exit
>
> On Sat, 23 May 2026 at 14:15, Tom Smyth <[email protected]> wrote:
>
>> ok I'll try that.... the make did take a long time building ;)
>>
>> I really appreciate the help
>>
>> Kindest regards,
>> Tom Smyth.
>>
>> On Sat 23 May 2026, 1:48 PM Stuart Henderson, <[email protected]> wrote:
>>
>>> use 'make FETCH_PACKAGES=' to use packages for deps so you don't need to
>>> build cmake etc
>>>
>>> --
>>> Sent from a phone, apologies for poor formatting.
>>>
>>>
>>> On 23 May 2026 12:47:47 Tom Smyth <[email protected]> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I updated src and ports on Thursday evening,
>>>> and then copied and extracted fastnetmon.tgz to /usr/ports/net/fastnetmon
>>>>
>>>> make clean
>>>> make fix-permissions
>>>> make
>>>> worked ok
>>>>
>>>> make install threw a few errors
>>>> 4 errors generated.
>>>> *** Error 1 in target
>>>> 'Source/CMakeFiles/CTestLib.dir/CTest/cmCTestCurl.cxx.o'
>>>> *** Error 1 in . (Source/CMakeFiles/CTestLib.dir/build.make:222
>>>> 'Source/CMakeFiles/CTestLib.dir/CTest/cmCTestCurl.cxx.o')
>>>> *** Error 2 in . (CMakeFiles/Makefile2:2029
>>>> 'Source/CMakeFiles/CTestLib.dir/all')
>>>> *** Error 2 in /usr/ports/pobj/cmake-core-3.31.8/cmake-3.31.8
>>>> (Makefile:169 'all')
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:3069
>>>> '/usr/ports/pobj/cmake-core-3.31.8/.build_done': @...)
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2241
>>>> '/usr/ports/packages/amd64/all/cmake-core-3.31.8.tgz')
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2239
>>>> '/usr/ports/packages/amd64/all/cmake-core-3.31.8.tgz')
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2730 'subpackage': @:; (case
>>>> X${_DEPENDS_CACHE} in X) ...)
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2259
>>>> '/var/db/pkg/cmake-core-3.31.8/+CONTENTS': @cd /us...)
>>>> *** Error 2 in /usr/ports/devel/cmake/core
>>>> (/usr/ports/infrastructure/mk/bsd.port.mk:2712 'install':
>>>> @lock=cmake-core-3.31.8; export _LOCKS...)
>>>> *** Error 1 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2392
>>>> '/usr/ports/pobj/capnproto-1.2.0/.dep-devel-cmake-core')
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2804 '/usr/ports/pobj/capnproto-1.2.0/.extract_done':
>>>> @c...)
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2241 '/usr/ports/packages/amd64/all/capnproto-1.2.0.tgz')
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2239 '/usr/ports/packages/amd64/all/capnproto-1.2.0.tgz')
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2730 'subpackage': @:; (case X${_DEPENDS_CACHE} in X)
>>>> _...)
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2259 '/var/db/pkg/capnproto-1.2.0/+CONTENTS': @cd
>>>> /usr/p...)
>>>> *** Error 2 in /usr/ports/devel/capnproto (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2712 'install': @lock=capnproto-1.2.0; export
>>>> _LOCKS_HE...)
>>>> *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2392
>>>> '/usr/ports/pobj/fastnetmon-1.2.9pre20260425/.dep-devel-capnproto': @unset
>>>> _...)
>>>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2804
>>>> '/usr/ports/pobj/fastnetmon-1.2.9pre20260425/.extract_done': @cd
>>>> /usr/ports/...)
>>>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2241
>>>> '/usr/ports/packages/amd64/all/fastnetmon-1.2.9pre20260425.tgz': @cd
>>>> /usr/po...)
>>>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2239
>>>> '/usr/ports/packages/amd64/all/fastnetmon-1.2.9pre20260425.tgz': @cd
>>>> /usr/po...)
>>>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2730
>>>> 'subpackage': @:; (case X${_DEPENDS_CACHE} in X)
>>>> _DEPENDS_CACHE=$(/usr/bin/...)
>>>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2259
>>>> '/var/db/pkg/fastnetmon-1.2.9pre20260425/+CONTENTS': @cd
>>>> /usr/ports/net/fast...)
>>>> *** Error 2 in /usr/ports/net/fastnetmon (/usr/ports/infrastructure/mk/
>>>> bsd.port.mk:2712 'install': @lock=fastnetmon-1.2.9pre20260425;
>>>> expor...)
>>>>
>>>>
>>>> I'll re-sync the ports and src and try again,
>>>>
>>>>
>>>> On Thu, 21 May 2026 at 16:46, Tom Smyth <[email protected]> wrote:
>>>>
>>>>> Hi Stuart I'll test on 7.9 release, I'll test on current failing that
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>> On Thu, 21 May 2026 at 16:36, Tom Smyth <[email protected]> wrote:
>>>>>
>>>>>> Hi Stuart,
>>>>>>
>>>>>> I'll give this a test now,
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Tom Smyth
>>>>>>
>>>>>> On Thu, 21 May 2026 at 16:17, Stuart Henderson <[email protected]> wrote:
>>>>>>
>>>>>>> On 2026/05/21 10:47, Tom Smyth wrote:
>>>>>>> > Folks,
>>>>>>> > I was talking to Pavel (from fastnetmon) and he responded positively asked the following
>>>>>>> >
>>>>>>> > "Can you provide summary what's required from our side? "
>>>>>>>
>>>>>>> probably nothing
>>>>>>>
>>>>>>> you could give this a spin?
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Kindest regards,
>>>>>> Tom Smyth.
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kindest regards,
>>>>> Tom Smyth.
>>>>>
>>>>
>>>>
>>>> --
>>>> Kindest regards,
>>>> Tom Smyth.
>>>>
>>>
>>>
>
>
> --
> Kindest regards,
> Tom Smyth.
>

--
Kindest regards,
Tom Smyth.
fastnetmonmods.tar.gz
Description: GNU Zip compressed data
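
One way to narrow the doas grant discussed in the top message, as an added example that is not part of the thread, the attachment, or fastnetmon: doas permits a single root-owned wrapper with any argument, and the wrapper itself accepts only a strict IPv4 host address inside the operator's own prefixes before building the bgpctl command quoted above. The wrapper name `rtbh-ban`, the `_fastnetmon` user, AS 64500 and the two prefixes are assumptions chosen for illustration.

```sh
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/rtbh-ban, owned by root, mode 0555.
# Assumed doas.conf rule (user name is an assumption):
#   permit nopass _fastnetmon as root cmd /usr/local/sbin/rtbh-ban
ASNUMBER=64500                                  # constructed, documentation ASN
ALLOWED_PREFIXES="192.0.2.0/24 198.51.100.0/24" # constructed, documentation ranges

# Print the address as an integer, or fail unless it is a strict dotted quad.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for o in "$@"; do
        case "$o" in ????*|0?*) return 1 ;; esac  # too long, or leading zero
        [ "$o" -le 255 ] || return 1
        n=$(( n * 256 + o ))
    done
    echo "$n"
}

# Succeed only if the address lies inside one of the operator's prefixes.
in_allowed_prefix() {
    addr=$(ip_to_int "$1") || return 1
    for p in $ALLOWED_PREFIXES; do
        net=$(ip_to_int "${p%/*}") || continue
        size=$(( 1 << (32 - ${p#*/}) ))
        [ $(( addr / size )) -eq $(( net / size )) ] && return 0
    done
    return 1
}

# Print the command from the thread with a validated address, or fail.
rtbh_command() {
    in_allowed_prefix "$1" || return 1
    echo "/sbin/route -T0 exec /usr/sbin/bgpctl network add $1/32 community $ASNUMBER:666 community BLACKHOLE"
}

main() {
    [ $# -eq 1 ] || { echo "usage: rtbh-ban ipv4-address" >&2; return 64; }
    cmd=$(rtbh_command "$1") || { echo "rtbh-ban: refused: $1" >&2; return 1; }
    exec $cmd   # word splitting is safe: the address is digits and dots only
}

# Run only when installed under the wrapper's name, so the functions can be sourced.
case "${0##*/}" in rtbh-ban) main "$@" ;; esac
```

With this in place the fastnetmon user can no longer change what runs as root, and a request for an address outside the listed prefixes is refused instead of being advertised.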
