From 6c511d92e56de5be3f673dcce0212ec7b08d810a Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Mon, 8 Jul 2024 19:54:35 +0200
Subject: Add default blackhole
---
roles/uvok_bird/templates/clearnet.conf.j2 | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 6962f72..a27bada 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -8,23 +8,32 @@ include "/etc/bird/clear_filters.conf";
 define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
 # trs=transit
+ipv6 table t_myas_prefixes;
 ipv6 table t_myas_unfiltered;
 ipv6 table t_myas_trs;
 ipv6 table t_myas_babel;
+# have it in a separate table, so I can easily pipe it.
 protocol static myprefix {
 {% for prefix in uvok_bird_opts.clear_prefixes %}
 route {{ prefix }} reject;
 {% endfor %};
 ipv6 {
-# needs to be in unfiltered - because that's where I'm exporting from
-table t_myas_unfiltered;
+table t_myas_prefixes;
 import all;
 export none;
 };
 }
+# pipe t_myas_prefixes => t_myas_unfiltered
+protocol pipe {
+table t_myas_prefixes;
+peer table t_myas_unfiltered;
+import none;
+export all;
+}
+
 # blackhole everything else - activates RPKI filter!
 protocol static default6 {
 route ::/0 reject;
@@ -145,6 +154,14 @@ protocol pipe {
 };
 }
+# pipe my prefixes into babel so I have non-existing hosts covered
+protocol pipe {
+table t_myas_prefixes;
+peer table t_myas_babel;
+import none;
+export all;
+}
+
 # BGP *internal* table
 protocol kernel p_myas_i {
 # scan time 20;
@@ -154,6 +171,11 @@ protocol kernel p_myas_i {
 table t_myas_babel;
 import none;
 export filter {
+# put own unreachable route into kernel table
+if (proto = "myprefix") then {
+accept;
+}
+
 if (source != RTS_BABEL) then {
 print "SHOULD NOT HAPPEN: export babel to kernel: ", net, " from", source;
 reject;
-- cgit v1.2.3
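Review bot: The new `protocol pipe { ... }` feeding `t_myas_unfiltered` is anonymous, and with this commit the file now carries at least three unnamed pipes (hunk 2 is anchored inside another one), so BIRD will hand them generated names and `birdc show protocols` / `show route protocol ...` no longer tell you which table a pipe feeds; the kernel filter later in this file also keys on a protocol name (`proto = "myprefix"`), so names are load-bearing in this config. I would write `protocol pipe p_prefixes_unfiltered {` and make the comment state the direction, e.g. `# pipe t_myas_prefixes => t_myas_unfiltered (export = table -> peer table, nothing back)`, since `import none; export all;` reads as the right direction only if this is BIRD 2 where a pipe's export runs from `table` to `peer table`. The `protocol static default6` block starts in this hunk and continues outside it.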
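Review bot: Exporting the `myprefix` reject routes into `t_myas_babel` puts a static unreachable route for each whole prefix next to the Babel-learned routes, and unless a `preference` is set elsewhere BIRD's default for static (200) is above Babel's (130), so if a Babel neighbour ever announces exactly one of `clear_prefixes` (same length, not a more-specific) the blackhole wins and that prefix is silently dropped, which does not look like what "non-existing hosts covered" intends. Whether these reject routes also leave this router again depends on the babel protocol's export filter, which is not in the hunk; it should reject `source = RTS_STATIC` (or `dest = RTD_UNREACHABLE`) so neighbours are not fed an unreachable route for the aggregate. I would name the pipe and document the trade-off on it: `protocol pipe p_prefixes_babel {` with `# NOTE: static pref (200) beats babel (130); only babel more-specifics win over this blackhole, and babel export must not re-announce it`.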
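Review bot: The new `accept` is keyed only on the protocol name, so every route `myprefix` ever carries is pushed into the kernel table, and the match silently stops working if that protocol is renamed, at which point its routes fall into the "SHOULD NOT HAPPEN" reject below. Since the comment says only the unreachable route is wanted, tighten it to `if (proto = "myprefix" && dest = RTD_UNREACHABLE) then { accept; }`, which also documents the intent in code. It is worth confirming with `birdc show route table t_myas_babel all` that `proto` still reads `myprefix` after two pipe hops, which is what this relies on (true for BIRD 2, where `proto` names the originating protocol). The export filter and `p_myas_i` continue outside the hunk.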