Diffstat (limited to 'roles/uvok_bird/files')
-rw-r--r-- | roles/uvok_bird/files/clear_filters.conf | 136 | ||||
-rw-r--r-- | roles/uvok_bird/files/clear_rpki.conf | 21 |
2 files changed, 157 insertions, 0 deletions
diff --git a/roles/uvok_bird/files/clear_filters.conf b/roles/uvok_bird/files/clear_filters.conf
new file mode 100644
index 0000000..f78ba9e
--- /dev/null
+++ b/roles/uvok_bird/files/clear_filters.conf
@@ -0,0 +1,136 @@
+# managed by Ansible
+
+## IMPORT FILTERS
+
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 ]; # RFC 7300 Last 32 bit ASN
+
+define BOGON_PREFIXES = [ ::/0, # Default route
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+# not supported (yet???)
+# -> bool {
+function is_default_route() {
+ case net.type {
+ NET_IP4: return net = 0.0.0.0/0;
+ NET_IP6: return net = ::/0;
+ else: return false;
+ }
+}
+
+function accept_default_route() {
+ if is_default_route() then accept;
+}
+
+function reject_bogon_asns()
+int set bogon_asns;
+{
+ bogon_asns = BOGON_ASNS;
+
+ if ( bgp_path ~ bogon_asns ) then {
+ print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_ASN);
+ }
+}
+
+function reject_bogon_prefixes()
+prefix set bogon_prefixes;
+{
+ bogon_prefixes = BOGON_PREFIXES;
+ if (net ~ bogon_prefixes) then {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_PREFIX);
+ }
+}
+
+define PROBLEM_PREFIXES = [
+];
+
+function reject_problem_prefixes()
+prefix set problem_prefixes;
+{
+ problem_prefixes = PROBLEM_PREFIXES;
+ if (net ~ problem_prefixes) then {
+ print "Reject: Problematic prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_PROBLEM_PREFIX);
+ }
+}
+
+function reject_long_aspaths()
+{
+ if ( bgp_path.len > 15 ) then {
+ clearnet_add_filter(FILTER_LONG_ASPATH);
+ }
+}
+
+function reject_small_prefixes()
+{
+ if (net.len > 55 && net.type = NET_IP6) then {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
+ }
+}
+
+function reject_roa_rpki()
+{
+ if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
+ clearnet_add_filter(FILTER_ROA_RPKI);
+ }
+}
+
+function prefer_direct_neighbor()
+{
+ if (bgp_path.len = 1) then
+ bgp_local_pref = bgp_local_pref + 700;
+}
+
+
+function clearnet_common_import() {
+ reject_bogon_asns();
+ reject_bogon_prefixes();
+ reject_long_aspaths();
+ reject_small_prefixes();
+ reject_problem_prefixes();
+ reject_roa_rpki();
+ prefer_direct_neighbor();
+ honor_graceful_shutdown();
+}
+
+## EXPORT FILTERS
+
+filter myas_export
+{
+ if (proto = "myprefix") then {
+ accept;
+ }
+ reject;
+}
+
+# route collector
+filter myas_f_rc
+{
+# export IXP routes after all
+# if ( clearnet_is_ixp() ) then reject;
+ if (source = RTS_BGP) then accept;
+ if (proto = "myprefix") then accept;
+ reject;
+};
diff --git a/roles/uvok_bird/files/clear_rpki.conf b/roles/uvok_bird/files/clear_rpki.conf
new file mode 100644
index 0000000..d034889
--- /dev/null
+++ b/roles/uvok_bird/files/clear_rpki.conf
@@ -0,0 +1,21 @@
+# managed by Ansible
+
+roa6 table clear_roa_v6;
+
+protocol rpki roa_clearnet1 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.1;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
+
+protocol rpki roa_clearnet2 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.12;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
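Review bot: reject_roa_rpki() and reject_long_aspaths() tag the route via clearnet_add_filter() but, unlike every other reject_* function in this file, emit no `print`, so the log keeps no record of which routes were dropped as RPKI-invalid or for an over-long AS_PATH. Adding `print "Reject: RPKI invalid: ", net, " ", bgp_path;` before `clearnet_add_filter(FILTER_ROA_RPKI);`, and the equivalent line in reject_long_aspaths(), keeps the logging consistent and makes ROA drops auditable after the fact. clearnet_add_filter(), honor_graceful_shutdown() and the FILTER_* constants are not defined in this file, so they presumably come from another fragment that must be included before this one; a one-line comment at the top naming that dependency would help the next maintainer. A comment on reject_roa_rpki() stating that ROA_UNKNOWN (including an empty clear_roa_v6 table) is accepted by design would make that fail-open choice explicit.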
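Review bot: Both rpki protocols speak plain RTR over TCP (no `transport ssh` block), so the integrity of the ROA data in clear_roa_v6 rests entirely on the path to 10.2.0.1 and 10.2.0.12 being trusted; if those caches are reachable over anything other than an isolated management network, consider BIRD's `transport ssh` option, or record in a comment why plain TCP is acceptable here. Also worth documenting: with `expire 7200`, losing both cache sessions drops the received ROA records after two hours, after which roa_check() in clear_filters.conf evaluates every route as ROA_UNKNOWN and RPKI-invalid announcements are presumably accepted, so the state of roa_clearnet1 and roa_clearnet2 should be monitored. A header comment such as `# RTR caches; if both sessions stay down, ROA records expire after 7200s and origin validation fails open` captures this for operators.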