author | uvok cheetah | 2024-07-08 19:54:35 +0200 |
---|---|---|
committer | uvok cheetah | 2024-07-08 19:54:35 +0200 |
commit | 6c511d92e56de5be3f673dcce0212ec7b08d810a (patch) | |
tree | 00682a69b85918e6e7db71b585caac7fc97b3050 | |
parent | 0bae88327bbaf4dff552f34b3f53d27d8358c5fd (diff) |
Add default blackhole
-rw-r--r-- | roles/uvok_bird/templates/clearnet.conf.j2 | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 6962f72..a27bada 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -8,23 +8,32 @@ include "/etc/bird/clear_filters.conf";
 define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
 
 # trs=transit
+ipv6 table t_myas_prefixes;
 ipv6 table t_myas_unfiltered;
 ipv6 table t_myas_trs;
 ipv6 table t_myas_babel;
 
+# have it in a separate table, so I can easily pipe it.
 protocol static myprefix {
 {% for prefix in uvok_bird_opts.clear_prefixes %}
 route {{ prefix }} reject;
 {% endfor %};
 ipv6 {
- # needs to be in unfiltered - because that's where I'm exporting from
- table t_myas_unfiltered;
+ table t_myas_prefixes;
 import all;
 export none;
 };
 }
 
+# pipe t_myas_prefixes => t_myas_unfiltered
+protocol pipe {
+ table t_myas_prefixes;
+ peer table t_myas_unfiltered;
+ import none;
+ export all;
+}
+
 # blackhole everything else - activates RPKI filter!
 protocol static default6 {
 route ::/0 reject;
@@ -145,6 +154,14 @@ protocol pipe {
 };
 }
 
+# pipe my prefixes into babel so I have non-existing hosts covered
+protocol pipe {
+ table t_myas_prefixes;
+ peer table t_myas_babel;
+ import none;
+ export all;
+}
+
 # BGP *internal* table
 protocol kernel p_myas_i {
 # scan time 20;
@@ -154,6 +171,11 @@ protocol kernel p_myas_i {
 table t_myas_babel;
 import none;
 export filter {
+ # put own unreachable route into kernel table
+ if (proto = "myprefix") then {
+ accept;
+ }
+
 if (source != RTS_BABEL) then {
 print "SHOULD NOT HAPPEN: export babel to kernel: ", net, " from", source;
 reject;
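Review bot: The kernel export filter added later in this commit matches the static protocol by its literal name, so renaming `protocol static myprefix` (or adding a second own-prefix static under another name) would silently stop those reject routes from reaching the kernel; the definition should carry a comment saying so, e.g. `# NOTE: p_myas_i's export filter matches this protocol by name ("myprefix") - keep in sync`. The new pipe is anonymous, so BIRD will assign it a generated name and `show protocols` will not tell it apart from the other unnamed pipe added in this commit; give it a name such as `protocol pipe p_prefixes_unfiltered {`. The comment on t_myas_prefixes could also state that its routes are `reject` (ICMP unreachable), not a silent blackhole, since the commit title says "blackhole".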
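Review bot: The pipe uses `export all`, but the only consumer of these routes in t_myas_babel (the p_myas_i export filter below) accepts just routes whose `proto` is "myprefix"; anything else that ever lands in t_myas_prefixes would be piped into the babel table and then hit the "SHOULD NOT HAPPEN" branch on every kernel scan. Keeping the pipe as restrictive as the consumer avoids that, e.g. `export where proto = "myprefix";`. As with the first pipe, this one is unnamed; `protocol pipe p_prefixes_babel {` would make it identifiable in `show protocols` and in logs.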
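Review bot: The new accept relies on the route's `proto` attribute still reading "myprefix" after the route has crossed the pipe from t_myas_prefixes into t_myas_babel; that holds if the pipe preserves the originating protocol (which I believe BIRD 2 does), but if it ever does not, the own-prefix routes fall through to the `source != RTS_BABEL` branch and are logged and rejected, which at least fails closed. The comment should explain the why, not just the what, since the reader of this filter cannot see the pipes: `# own-prefix reject routes piped in from t_myas_prefixes: install them as unreachable so traffic to unused addresses in our space is dropped here instead of following the default route`. The commit title says "blackhole" while the route is `reject` (ICMP unreachable) and this comment says "unreachable"; state which is intended. The enclosing `protocol kernel p_myas_i` and its export filter continue past the end of this hunk.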