authoruvok cheetah2024-04-29 20:41:11 +0200
committeruvok cheetah2024-04-29 20:41:11 +0200
commit36ad3dd2871b9de8577406ed37e1050bd2d4009a (patch)
tree1fc7f563dc5fc97a56d66ad9f62490cda30caff6 /roles/uvok_bird/files
parent90de89d1c66728e7d26bcecd5780a470da9fd565 (diff)
bird: Split clearnet files, use rsync
Diffstat (limited to 'roles/uvok_bird/files')
-rw-r--r--roles/uvok_bird/files/clear_filters.conf136
-rw-r--r--roles/uvok_bird/files/clear_rpki.conf21
2 files changed, 157 insertions, 0 deletions
diff --git a/roles/uvok_bird/files/clear_filters.conf b/roles/uvok_bird/files/clear_filters.conf
new file mode 100644
index 0000000..f78ba9e
--- /dev/null
+++ b/roles/uvok_bird/files/clear_filters.conf
@@ -0,0 +1,136 @@
+# managed by Ansible
+
+## IMPORT FILTERS
+
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 ]; # RFC 7300 Last 32 bit ASN
+
+define BOGON_PREFIXES = [ ::/0, # Default route
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+# not supported (yet???)
+# -> bool {
+function is_default_route() {
+ case net.type {
+ NET_IP4: return net = 0.0.0.0/0;
+ NET_IP6: return net = ::/0;
+ else: return false;
+ }
+}
+
+function accept_default_route() {
+ if is_default_route() then accept;
+}
+
+function reject_bogon_asns()
+int set bogon_asns;
+{
+ bogon_asns = BOGON_ASNS;
+
+ if ( bgp_path ~ bogon_asns ) then {
+ print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_ASN);
+ }
+}
+
+function reject_bogon_prefixes()
+prefix set bogon_prefixes;
+{
+ bogon_prefixes = BOGON_PREFIXES;
+ if (net ~ bogon_prefixes) then {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_PREFIX);
+ }
+}
+
+define PROBLEM_PREFIXES = [
+];
+
+function reject_problem_prefixes()
+prefix set problem_prefixes;
+{
+ problem_prefixes = PROBLEM_PREFIXES;
+ if (net ~ problem_prefixes) then {
+ print "Reject: Problematic prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_PROBLEM_PREFIX);
+ }
+}
+
+function reject_long_aspaths()
+{
+ if ( bgp_path.len > 15 ) then {
+ clearnet_add_filter(FILTER_LONG_ASPATH);
+ }
+}
+
+function reject_small_prefixes()
+{
+ if (net.len > 55 && net.type = NET_IP6) then {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
+ }
+}
+
+function reject_roa_rpki()
+{
+ if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
+ clearnet_add_filter(FILTER_ROA_RPKI);
+ }
+}
+
+function prefer_direct_neighbor()
+{
+ if (bgp_path.len = 1) then
+ bgp_local_pref = bgp_local_pref + 700;
+}
+
+
+function clearnet_common_import() {
+ reject_bogon_asns();
+ reject_bogon_prefixes();
+ reject_long_aspaths();
+ reject_small_prefixes();
+ reject_problem_prefixes();
+ reject_roa_rpki();
+ prefer_direct_neighbor();
+ honor_graceful_shutdown();
+}
+
+## EXPORT FILTERS
+
+filter myas_export
+{
+ if (proto = "myprefix") then {
+ accept;
+ }
+ reject;
+}
+
+# route collector
+filter myas_f_rc
+{
+# export IXP routes after all
+# if ( clearnet_is_ixp() ) then reject;
+ if (source = RTS_BGP) then accept;
+ if (proto = "myprefix") then accept;
+ reject;
+};
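Review bot: `reject_roa_rpki` consults only the `clear_roa_v6` table and `BOGON_PREFIXES` lists only IPv6 ranges, yet `is_default_route` carries a `NET_IP4` branch, so if an IPv4 session is ever attached to `clearnet_common_import` its RPKI-invalid and bogon IPv4 routes would pass these checks untagged; a header comment such as `# IPv6-only: no roa4 table and no IPv4 bogon list - do not attach to IPv4 sessions` would make that limit explicit. The `reject_*` helpers do not themselves reject: they call `clearnet_add_filter(...)`, which, like `honor_graceful_shutdown` and the `FILTER_*` constants, is defined outside this file, so the drop decision presumably happens in the caller and deserves a one-line comment on `clearnet_common_import`. `reject_long_aspaths` is the only check without a `print`, so a route dropped for path length leaves no log trace unlike its siblings; `print "Reject: long AS_PATH: ", net, " ", bgp_path;` before the `clearnet_add_filter` call would match them.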
diff --git a/roles/uvok_bird/files/clear_rpki.conf b/roles/uvok_bird/files/clear_rpki.conf
new file mode 100644
index 0000000..d034889
--- /dev/null
+++ b/roles/uvok_bird/files/clear_rpki.conf
@@ -0,0 +1,21 @@
+# managed by Ansible
+
+roa6 table clear_roa_v6;
+
+protocol rpki roa_clearnet1 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.1;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
+
+protocol rpki roa_clearnet2 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.12;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
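Review bot: Both `protocol rpki` sessions use RTR over plain TCP (no `transport ssh` block), so the ROA data from 10.2.0.1 and 10.2.0.12 is trusted on the strength of the network path alone; that is acceptable if the caches sit on a trusted link, but the assumption should be recorded, e.g. `# RTR over plain TCP: caches are reachable only via the trusted internal network` above the first protocol. Only a `roa6` table is declared, so no IPv4 ROA data is fetched; this matches `reject_roa_rpki` in clear_filters.conf, but any future IPv4 session would need a `roa4 table` plus matching `roa4 { table ...; }` stanzas here, and a comment saying the file is deliberately IPv6-only would prevent that being missed.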