# {{ ansible_managed }}
#
# BIRD 2 clearnet (public internet) configuration, rendered by Ansible.
# Table layout (all IPv6):
#   t_myas_prefixes  -> own prefixes only (static "reject" routes)
#   t_myas_unfiltered-> everything transit peers send that passed the import filter
#   t_myas_trs       -> unfiltered minus routes tagged LC_FILTERED; exported to kernel table 100
#   t_myas_babel     -> internal (babel / direct) routes; exported to kernel table 150
# Helper functions, RPKI setup and the named filters (myas_export, myas_f_rc)
# live in the included files and are not visible here.
include "/etc/bird/clear_defines.conf";
include "/etc/bird/clear_functions.conf";
include "/etc/bird/clear_rpki.conf";
include "/etc/bird/clear_filters.conf";

# Source address stamped onto every route exported to kernel table 100.
define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};

# "trs" = transit
ipv6 table t_myas_prefixes;
ipv6 table t_myas_unfiltered;
ipv6 table t_myas_trs;
ipv6 table t_myas_babel;

# Own aggregates as unreachable routes. Kept in their own table so they can be
# piped wherever needed (BGP origination, babel, kernel) without extra filtering.
protocol static myprefix {
{% for prefix in uvok_bird_opts.clear_prefixes %}
    route {{ prefix }} reject;
{% endfor %};
    ipv6 {
        table t_myas_prefixes;
        import all;
        export none;
    };
}

# t_myas_prefixes -> t_myas_unfiltered: make own prefixes available for BGP export.
protocol pipe {
    table t_myas_prefixes;
    peer table t_myas_unfiltered;
    import none;
    export all;
}

# Low-preference unreachable default in the transit table: anything not covered
# by a BGP route is blackholed instead of falling through to another table.
protocol static default6 {
    route ::/0 reject;
    ipv6 {
        preference 10;
        table t_myas_trs;
        import all;
        export none;
    };
}

# Connected routes of the internal interface go to the babel table.
protocol direct {
    ipv6 {
        table t_myas_babel;
    };
    interface "myas_int";
};

# Common settings for every clearnet transit session.
template bgp pt_clearnet {
    debug { states };
    local as CLEARNET_ASN;
{% if uvok_bird_opts.strict_bind %}
    # Bind the listening socket to the peer's local address/interface only.
    strict bind on;
{%- endif %}
    graceful restart on;
    long lived graceful restart on;
    prefer older on;
    # Reject UPDATEs whose leftmost AS is not the neighbour's AS.
    enforce first as on;
    # Larger UPDATE messages (RFC 8654).
    enable extended messages on;
    # Both are BIRD defaults; spelled out for clarity.
    enable route refresh on;
    interpret communities on;
    direct;
    # Higher local_pref wins.
    default bgp_local_pref 100;
    # MED announced to the peer; lower wins on their side.
    default bgp_med 100;
    ipv6 {
        # Everything lands in the unfiltered table first.
        table t_myas_unfiltered;
        # Keep routes the import filter rejected so they can be inspected
        # (show route filtered); they are never exported.
        import keep filtered;
        # Import table needed for RPKI / ROA re-evaluation.
        import table on;
        # The two helper functions are defined in clear_functions.conf (not visible here);
        # each may reject or tag the route before the final accept.
        import filter {
            clearnet_import_transit();
            clearnet_common_import();
            accept;
        };
        # NOTE(review): myas_export (clear_filters.conf) reads from t_myas_unfiltered.
        # Routes the import functions leave in the table but tag with
        # (CLEARNET_ASN, LC_FILTERED, *) are only dropped on the pipe into t_myas_trs
        # below; confirm myas_export drops them as well so they are not re-announced.
        export filter myas_export;
    };
}

# Route collector session: full, unfiltered view is exported on purpose.
template bgp pt_rc from pt_clearnet {
    multihop;
    ipv6 {
        add paths tx;
        # Never accept anything from a collector.
        import none;
        export filter myas_f_rc;
    };
}

{% if uvok_bird_opts.babel_if_names %}
# Internal routing over the configured tunnel interfaces.
protocol babel p_myas_babel {
    ipv6 {
        table t_myas_babel;
        import filter {
{% if uvok_bird_opts.babel_accept_default %}
            # A default route learned via babel is accepted as well.
{% else %}
            if is_default_route() then reject;
{% endif %}
            # NOTE(review): every other prefix a tunnel neighbour announces is
            # accepted as-is; if the tunnels are only meant to carry the own
            # address space, a net ~ [...] check here would limit what a peer
            # can inject into t_myas_babel and kernel table 150 -- confirm.
            accept;
        };
        export where source ~ [RTS_DEVICE, RTS_BABEL, RTS_STATIC];
    };
{% for babif in uvok_bird_opts.babel_if_names %}
    interface "{{ babif }}" {
        # "type tunnel" requires a recent bird2.
        type tunnel;
    };
{% endfor %}
}
{% endif %}

# Babel-learned routes also go into the transit table (the original comment
# suggests next-hop resolution as the reason; not verified here).
protocol pipe {
    table t_myas_babel;
    peer table t_myas_trs;
    import none;
    export where source ~ [RTS_BABEL];
}

# Unfiltered -> transit table: drop whatever the import functions tagged as filtered.
protocol pipe {
    table t_myas_unfiltered;
    peer table t_myas_trs;
    import none;
    export filter {
        if ( bgp_large_community ~ [(CLEARNET_ASN, LC_FILTERED, *)] ) then {
            reject;
        }
        accept;
    };
}

# Own prefixes -> babel table, so unused parts of the aggregates stay unreachable
# instead of being routed elsewhere.
protocol pipe {
    table t_myas_prefixes;
    peer table t_myas_babel;
    import none;
    export all;
}

# Kernel table 150: internal routes only.
protocol kernel p_myas_i {
    scan time 60;
    kernel table 150;
    ipv6 {
        table t_myas_babel;
        import none;
        export filter {
            # Own aggregates as unreachable entries.
            if (proto = "myprefix") then {
                accept;
            }
            # Only babel routes are expected beyond that; log anything else.
            if (source != RTS_BABEL) then {
                print "SHOULD NOT HAPPEN: export babel to kernel: ", net, " from", source;
                reject;
            }
            # Never install a default route into table 150: it would replace the
            # default route used for non-own-AS traffic. It reaches the transit
            # table through the babel -> t_myas_trs pipe anyway.
            if is_default_route() then reject;
            accept;
        };
    };
};

# Kernel table 100: transit routes.
protocol kernel pk_myas_out {
    kernel table 100;
    ipv6 {
        table t_myas_trs;
        import none;
        export filter {
            krt_prefsrc = CLEARNET_PREFIP;
            if (source = RTS_BGP) then {
                accept;
            }
            # The unreachable default from default6.
            if (source = RTS_STATIC) then {
                accept;
            }
{% if uvok_bird_opts.babel_accept_default %}
            # Default route learned via babel.
            if is_default_route() then accept;
{% endif %}
            reject;
        };
    };
};

include "/etc/bird/clear_peers/*.conf";