Enhanced hyperscale firewall blackhole routing
NP7 hyperscale firewall blackhole routing (LPM) has been enhanced to separate the LPM from the NP7 network processor daemon (NPD) and move the routing state to user space. The new design resolves several issues discovered with the original design without changing functionality.
The following new diagnose command is now available. It replaces the former diagnose npd route and diagnose npd debug commands.
You can use the following diagnose command to view the current LPM routing configuration. You can also use this command to add and remove routes. Because this is a diagnose command, any changes are reverted to defaults when the FortiGate restarts:
diagnose lpmd route {add | del | dump | query | stats | ktrie | debug}

add: add a route to the NP7 policy engine routing table.
del: delete a route from the NP7 policy engine routing table.
dump: list the NP7 policy engine routing table.
query: look up detailed information for LPM entries.
stats: display LPM compiler statistics.
ktrie {next_hop | stats | query | route | vdom}: display KTRIE routing database information.
debug {set | show | query}: set debug flags, show the current debug level, and query kernel route entries.
The syntax for the add and del commands is:
diagnose lpmd route {add | del} <dst> <prefixlen> <gwy> <oif> <table> <scope> <type> <proto> <prio> <tos> <flags>
For blackhole and loopback routes, set <flags> to the following nh_flags values:
- For blackhole routes, the nh_flags value is 0x80.
- For loopback routes, the nh_flags value is 0x100.
For example, use the following command to add a blackhole route to the NP7 policy engine routing table:
diagnose lpmd route add 12.1.1.10 24 12.1.1.1 port24 254 253 1 2 0 1 1
The following command deletes this route from the NP7 policy engine routing table (the arguments must match the add command exactly):
diagnose lpmd route del 12.1.1.10 24 12.1.1.1 port24 254 253 1 2 0 1 1
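Because a route can only be removed with the same argument tuple it was added with, and because the add/del syntax has eleven positional integers that are easy to misorder, a small helper that builds the matching add and del command lines from one record is useful when scripting blackhole entries from an operator console. The following is an added example, not Fortinet code or output from this release: it assembles the argument order documented above, validates the address fields, and applies the documented nh_flags values. The default values for table, scope, type, proto, prio and tos are copied from the page's example and are assumptions about a sensible baseline, not documented meanings; whether the CLI accepts 0x hexadecimal notation is not stated on the page, so the helper emits flags in decimal.

```python
"""Build matching `diagnose lpmd route add` / `del` command lines.

Constructed helper (not Fortinet code). It only assembles the argument
order documented for the command:
  <dst> <prefixlen> <gwy> <oif> <table> <scope> <type> <proto> <prio> <tos> <flags>
table/scope/type/proto/prio/tos are treated as opaque integers whose
defaults below copy the page's example (an assumption, not a spec).
"""
import ipaddress
from dataclasses import dataclass

# nh_flags values documented for the <flags> argument.
NH_FLAG_BLACKHOLE = 0x80   # blackhole route
NH_FLAG_LOOPBACK = 0x100   # loopback route


@dataclass(frozen=True)
class LpmRoute:
    dst: str
    prefixlen: int
    gwy: str
    oif: str
    table: int = 254   # assumption: copied from the page's example
    scope: int = 253   # assumption: copied from the page's example
    type: int = 1      # assumption: copied from the page's example
    proto: int = 2     # assumption: copied from the page's example
    prio: int = 0      # assumption: copied from the page's example
    tos: int = 1       # assumption: copied from the page's example
    flags: int = 0     # nh_flags; use NH_FLAG_BLACKHOLE / NH_FLAG_LOOPBACK

    def validate(self) -> None:
        """Reject values the CLI could not sensibly accept."""
        ipaddress.IPv4Address(self.dst)   # raises ValueError on bad input
        ipaddress.IPv4Address(self.gwy)
        if not 0 <= self.prefixlen <= 32:
            raise ValueError(f"prefixlen out of range: {self.prefixlen}")
        if not self.oif or " " in self.oif:
            raise ValueError("oif must be a single interface name")
        for name in ("table", "scope", "type", "proto", "prio", "tos", "flags"):
            if getattr(self, name) < 0:
                raise ValueError(f"{name} must be non-negative")

    def args(self) -> str:
        """Positional arguments in the documented order, flags in decimal."""
        return " ".join(str(v) for v in (
            self.dst, self.prefixlen, self.gwy, self.oif, self.table,
            self.scope, self.type, self.proto, self.prio, self.tos, self.flags,
        ))


def host_bits_set(dst: str, prefixlen: int) -> bool:
    """True when dst is not the network address for prefixlen.

    The page's own example uses 12.1.1.10 with /24, so this is only a
    hint for the operator to double-check intent, not an error.
    """
    net = ipaddress.IPv4Network(f"{dst}/{prefixlen}", strict=False)
    return ipaddress.IPv4Address(dst) != net.network_address


def build_route_commands(route: LpmRoute) -> tuple[str, str]:
    """Return (add_command, del_command) built from one validated record.

    Building both from the same record guarantees the del line carries
    exactly the tuple used by the add line.
    """
    route.validate()
    base = f"diagnose lpmd route {{verb}} {route.args()}"
    return base.format(verb="add"), base.format(verb="del")


if __name__ == "__main__":
    # Constructed sample: blackhole the page's example prefix.
    sample = LpmRoute("12.1.1.10", 24, "12.1.1.1", "port24",
                      flags=NH_FLAG_BLACKHOLE)
    add_cmd, del_cmd = build_route_commands(sample)
    print(add_cmd)
    print(del_cmd)
    if host_bits_set(sample.dst, sample.prefixlen):
        print("note: dst has host bits set for the given prefixlen")
```

Run the module directly to print the add and del lines for the constructed sample; paste them into the FortiGate CLI in that order when adding and later removing the entry. Remember that, as the page notes, these are diagnose changes and are reverted when the FortiGate restarts.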