authoruvok cheetah2024-07-08 19:54:35 +0200
committeruvok cheetah2024-07-08 19:54:35 +0200
commit6c511d92e56de5be3f673dcce0212ec7b08d810a (patch)
tree00682a69b85918e6e7db71b585caac7fc97b3050 /roles
parent0bae88327bbaf4dff552f34b3f53d27d8358c5fd (diff)
Add default blackhole
Diffstat (limited to 'roles')
-rw-r--r--roles/uvok_bird/templates/clearnet.conf.j226
1 files changed, 24 insertions, 2 deletions
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 6962f72..a27bada 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -8,23 +8,32 @@ include "/etc/bird/clear_filters.conf";
define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
# trs=transit
+ipv6 table t_myas_prefixes;
ipv6 table t_myas_unfiltered;
ipv6 table t_myas_trs;
ipv6 table t_myas_babel;
+# have it in a separate table, so I can easily pipe it.
protocol static myprefix {
{% for prefix in uvok_bird_opts.clear_prefixes %}
route {{ prefix }} reject;
{% endfor %};
ipv6 {
- # needs to be in unfiltered - because that's where I'm exporting from
- table t_myas_unfiltered;
+ table t_myas_prefixes;
import all;
export none;
};
}
+# pipe t_myas_prefixes => t_myas_unfiltered
+protocol pipe {
+ table t_myas_prefixes;
+ peer table t_myas_unfiltered;
+ import none;
+ export all;
+}
+
# blackhole everything else - activates RPKI filter!
protocol static default6 {
route ::/0 reject;
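Review bot: The pipe added at the `protocol pipe {` line that carries t_myas_prefixes into t_myas_unfiltered is unnamed, as is its twin in the next hunk (the pipe into t_myas_babel), so BIRD assigns generated names and `show protocols` or `show route` output gives no hint of which table pair each one joins. Naming them, e.g. `protocol pipe p_prefixes_unfiltered {` here and `protocol pipe p_prefixes_babel {` in the next hunk, keeps diagnostics readable and gives later filters a stable name to refer to. The `import none; export all;` pair makes the pipe one-directional, which is what the comment above it describes; since t_myas_prefixes currently holds only the `reject` routes from `myprefix`, the unfiltered export is fine as long as nothing else is later attached to that table, and a comment stating that invariant, `# t_myas_prefixes holds only the reject routes from myprefix; it is exported unfiltered`, would make the assumption explicit.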
@@ -145,6 +154,14 @@ protocol pipe {
};
}
+# pipe my prefixes into babel so I have non-existing hosts covered
+protocol pipe {
+ table t_myas_prefixes;
+ peer table t_myas_babel;
+ import none;
+ export all;
+}
+
# BGP *internal* table
protocol kernel p_myas_i {
# scan time 20;
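Review bot: With `export all` on the new pipe, the reject route for every clear_prefixes entry now lands in t_myas_babel, which is what the kernel export in the following hunk relies on, but whether the babel protocol itself also exports from t_myas_babel is outside this hunk, so it is worth confirming that those prefixes reaching babel neighbours as well is intended or that the babel export filter handles them. The comment on the pipe could state the full path, e.g. `# reject routes only; p_myas_i installs them in the kernel, check babel export handles them`, so the next reader does not have to trace three tables to see where they end up.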
@@ -154,6 +171,11 @@ protocol kernel p_myas_i {
table t_myas_babel;
import none;
export filter {
+ # put own unreachable route into kernel table
+ if (proto = "myprefix") then {
+ accept;
+ }
+
if (source != RTS_BABEL) then {
print "SHOULD NOT HAPPEN: export babel to kernel: ", net, " from", source;
reject;
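Review bot: The new `if (proto = "myprefix") then { accept; }` branch selects routes by protocol name only, so any route later added to `myprefix` that is not a `reject` route would also be installed into the kernel, and a rename of that protocol would silently send the prefixes into the `SHOULD NOT HAPPEN` branch below. Matching what the comment actually promises is tighter: `if (proto = "myprefix" && dest = RTD_UNREACHABLE) then { accept; }` installs exactly the unreachable routes and nothing else. The branch also depends on `proto` still naming the originating static protocol after the route has crossed the pipe from t_myas_prefixes; that is how BIRD 2 pipes behave as far as I know, but a comment such as `# proto survives the pipe from t_myas_prefixes, so this matches the static reject routes` would record the dependency. Placing the accept before the `source != RTS_BABEL` check is required, since otherwise the static routes would hit the reject branch; the export filter and p_myas_i continue past the end of the hunk.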