authoruvok cheetah2024-04-29 20:41:11 +0200
committeruvok cheetah2024-04-29 20:41:11 +0200
commit36ad3dd2871b9de8577406ed37e1050bd2d4009a (patch)
tree1fc7f563dc5fc97a56d66ad9f62490cda30caff6 /roles/uvok_bird/templates
parent90de89d1c66728e7d26bcecd5780a470da9fd565 (diff)
bird: Split clearnet files, use rsync
Diffstat (limited to 'roles/uvok_bird/templates')
-rw-r--r--roles/uvok_bird/templates/clearnet.conf.j2153
1 files changed, 2 insertions, 151 deletions
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 78b83b8..8f17d68 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -2,6 +2,8 @@
include "/etc/bird/clear_defines.conf";
include "/etc/bird/clear_functions.conf";
+include "/etc/bird/clear_rpki.conf";
+include "/etc/bird/clear_filters.conf";
define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
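Review bot: The two new `include` lines tie this rendered template to `clear_rpki.conf` and `clear_filters.conf`, which (per the commit title) are now delivered by rsync rather than generated here, and nothing in the file records that the order matters: the removed `reject_roa_rpki` referenced the `clear_roa_v6` table that the removed `rpki` protocols declared, so if that logic now lives in the filters file it must be parsed after the rpki file. I would annotate the new lines, e.g. `# order matters: clear_filters.conf references the ROA table declared in clear_rpki.conf`, so a later reordering does not break the config load. It is also worth a one-line note that these files are not managed by the template, so a reader knows where to look when an ROA or filter function is missing. As far as I know BIRD treats a missing non-glob include as a configuration error, which means a failed rsync blocks the reload rather than silently dropping the RPKI/bogon filtering — that fail-closed behaviour is desirable and worth stating in the same comment, but please confirm against the BIRD version in use.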
@@ -10,157 +12,6 @@ ipv6 table t_myas_unfiltered;
ipv6 table t_myas_trs;
ipv6 table t_myas_babel;
-roa6 table clear_roa_v6;
-
-protocol rpki roa_clearnet1 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.1;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-protocol rpki roa_clearnet2 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.12;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-define BOGON_ASNS = [
- 0, # RFC 7607
- 23456, # RFC 4893 AS_TRANS
- 64496..64511, # RFC 5398 and documentation/example ASNs
- 64512..65534, # RFC 6996 Private ASNs
- 65535, # RFC 7300 Last 16 bit ASN
- 65536..65551, # RFC 5398 and documentation/example ASNs
- 65552..131071, # RFC IANA reserved ASNs
- 4200000000..4294967294, # RFC 6996 Private ASNs
- 4294967295 ]; # RFC 7300 Last 32 bit ASN
-
-define BOGON_PREFIXES = [ ::/0, # Default route
- ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
- 0100::/64+, # RFC 6666 Discard-Only
- 2001:2::/48+, # RFC 5180 BMWG
- 2001:10::/28+, # RFC 4843 ORCHID
- 2001:db8::/32+, # RFC 3849 documentation
- 2002::/16+, # RFC 7526 6to4 anycast relay
- 3ffe::/16+, # RFC 3701 old 6bone
- fc00::/7+, # RFC 4193 unique local unicast
- fe80::/10+, # RFC 4291 link local unicast
- fec0::/10+, # RFC 3879 old site local unicast
- ff00::/8+ # RFC 4291 multicast
- ];
-
-# not supported (yet???)
-# -> bool {
-function is_default_route() {
- case net.type {
- NET_IP4: return net = 0.0.0.0/0;
- NET_IP6: return net = ::/0;
- else: return false;
- }
-}
-
-function accept_default_route() {
- if is_default_route() then accept;
-}
-
-function reject_bogon_asns()
-int set bogon_asns;
-{
- bogon_asns = BOGON_ASNS;
-
- if ( bgp_path ~ bogon_asns ) then {
- print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_ASN);
- }
-}
-
-function reject_bogon_prefixes()
-prefix set bogon_prefixes;
-{
- bogon_prefixes = BOGON_PREFIXES;
- if (net ~ bogon_prefixes) then {
- print "Reject: Bogon prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_PREFIX);
- }
-}
-
-define PROBLEM_PREFIXES = [
-];
-
-function reject_problem_prefixes()
-prefix set problem_prefixes;
-{
- problem_prefixes = PROBLEM_PREFIXES;
- if (net ~ problem_prefixes) then {
- print "Reject: Problematic prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_PROBLEM_PREFIX);
- }
-}
-
-function reject_long_aspaths()
-{
- if ( bgp_path.len > 15 ) then {
- clearnet_add_filter(FILTER_LONG_ASPATH);
- }
-}
-
-function reject_small_prefixes()
-{
- if (net.len > 55 && net.type = NET_IP6) then {
- print "Reject: Too small prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
- }
-}
-
-function reject_roa_rpki()
-{
- if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
- clearnet_add_filter(FILTER_ROA_RPKI);
- }
-}
-
-function prefer_direct_neighbor()
-{
- if (bgp_path.len = 1) then
- bgp_local_pref = bgp_local_pref + 700;
-}
-
-
-function clearnet_common_import() {
- reject_bogon_asns();
- reject_bogon_prefixes();
- reject_long_aspaths();
- reject_small_prefixes();
- reject_problem_prefixes();
- reject_roa_rpki();
- prefer_direct_neighbor();
- honor_graceful_shutdown();
-}
-
-filter myas_export
-{
- if (proto = "myprefix") then {
- accept;
- }
- reject;
-}
-
-# route collector
-filter myas_f_rc
-{
-# export IXP routes after all
-# if ( clearnet_is_ixp() ) then reject;
- if (source = RTS_BGP) then accept;
- if (proto = "myprefix") then accept;
- reject;
-};
-
protocol static myprefix {
{% for prefix in uvok_bird_opts.clear_prefixes %}
route {{ prefix }} reject;