# managed by Ansible
## IMPORT FILTERS
# ASNs that must never appear in a received AS_PATH: reserved,
# private, documentation and AS_TRANS values. Consumed by
# reject_bogon_asns() below.
define BOGON_ASNS = [
0, # RFC 7607
23456, # RFC 4893 AS_TRANS
64496..64511, # RFC 5398 and documentation/example ASNs
64512..65534, # RFC 6996 Private ASNs
65535, # RFC 7300 Last 16 bit ASN
65536..65551, # RFC 5398 and documentation/example ASNs
65552..131071, # IANA reserved ASNs (no single RFC)
4200000000..4294967294, # RFC 6996 Private ASNs
4294967295 ]; # RFC 7300 Last 32 bit ASN
# IPv6 prefixes that must never be learned from a peer. A trailing '+'
# matches the prefix and every more-specific; ::/0 carries no '+' so
# only the exact default route matches. Consumed by
# reject_bogon_prefixes() below. No IPv4 bogons are listed here.
define BOGON_PREFIXES = [ ::/0, # Default route
::/8+, # RFC 4291 IPv4-compatible, loopback, et al
0100::/64+, # RFC 6666 Discard-Only
2001:2::/48+, # RFC 5180 BMWG
2001:10::/28+, # RFC 4843 ORCHID
2001:db8::/32+, # RFC 3849 documentation
2002::/16+, # RFC 7526 6to4 anycast relay
3ffe::/16+, # RFC 3701 old 6bone
fc00::/7+, # RFC 4193 unique local unicast
fe80::/10+, # RFC 4291 link local unicast
fec0::/10+, # RFC 3879 old site local unicast
ff00::/8+ # RFC 4291 multicast
];
# typed return ("-> bool") not supported (yet?); intended signature:
# function is_default_route() -> bool {
# True when the route's prefix is the IPv4 or IPv6 default route,
# false for any other prefix or net type.
function is_default_route() {
case net.type {
NET_IP4: return net = 0.0.0.0/0;
NET_IP6: return net = ::/0;
else: return false;
}
}
# Terminates the filter with accept when the route is a default route;
# any other route falls through to the caller unchanged.
function accept_default_route() {
if is_default_route() then accept;
}
# Flags routes whose AS_PATH contains any ASN from BOGON_ASNS.
# Despite the name there is no 'reject' here: the route is logged and
# handed to clearnet_add_filter() (defined outside this file), which
# decides whether it is dropped or only tagged — confirm in the caller
# that flagged routes are not accepted.
function reject_bogon_asns()
int set bogon_asns;
{
bogon_asns = BOGON_ASNS;
if ( bgp_path ~ bogon_asns ) then {
print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_BOGON_ASN);
}
}
# Flags routes whose prefix falls in BOGON_PREFIXES (IPv6 only, see
# the define above). Logs the route and calls clearnet_add_filter()
# (defined outside this file); the actual reject decision is not made
# in this function.
function reject_bogon_prefixes()
prefix set bogon_prefixes;
{
bogon_prefixes = BOGON_PREFIXES;
if (net ~ bogon_prefixes) then {
print "Reject: Bogon prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_BOGON_PREFIX);
}
}
# Operator-maintained list of prefixes to flag on import (currently
# empty). Consumed by reject_problem_prefixes() below.
define PROBLEM_PREFIXES = [
];
# Flags routes whose prefix matches PROBLEM_PREFIXES. Logs the route
# and calls clearnet_add_filter() (defined outside this file); with the
# define empty this check currently never fires.
function reject_problem_prefixes()
prefix set problem_prefixes;
{
problem_prefixes = PROBLEM_PREFIXES;
if (net ~ problem_prefixes) then {
print "Reject: Problematic prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_PROBLEM_PREFIX);
}
}
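# Flags routes whose AS_PATH is longer than 15 ASes (prepended ASes
# count toward bgp_path.len). Logs the route in the same format as the
# other reject_* checks so every filter decision is visible in the
# log, then calls clearnet_add_filter() (defined outside this file),
# which makes the actual drop/tag decision.
function reject_long_aspaths()
{
if ( bgp_path.len > 15 ) then {
print "Reject: Too long AS_PATH: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_LONG_ASPATH);
}
}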
# Flags IPv6 prefixes longer than /55 (i.e. /56 and more specific).
# IPv4 routes are not checked by this function; if this import chain
# is also applied to IPv4 sessions a separate length check is needed.
# Logs the route and calls clearnet_add_filter() (defined outside this
# file).
function reject_small_prefixes()
{
if (net.len > 55 && net.type = NET_IP6) then {
print "Reject: Too small prefix: ", net, " ", bgp_path;
clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
}
}
# RPKI origin validation against the clear_roa_v6 ROA table, using the
# last non-aggregated AS of the path as origin. Only ROA_INVALID is
# flagged; ROA_UNKNOWN and ROA_VALID pass through. Unlike the other
# checks nothing is logged here. NOTE(review): only a v6 ROA table is
# consulted — confirm what roa_check does for IPv4 routes before using
# this chain on v4 sessions.
function reject_roa_rpki()
{
if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
clearnet_add_filter(FILTER_ROA_RPKI);
}
}
# Adds 700 to bgp_local_pref when the AS_PATH holds exactly one AS,
# i.e. the route originates at the directly connected neighbor.
function prefer_direct_neighbor()
{
if (bgp_path.len = 1) then
bgp_local_pref = bgp_local_pref + 700;
}
# Common import chain: runs every sanity check, then the preference
# adjustments. None of the reject_* functions above contains an
# 'accept' or 'reject' — they only call clearnet_add_filter() — so the
# filter that calls this function must make the final decision for
# flagged routes. honor_graceful_shutdown() is defined outside this
# file.
function clearnet_common_import() {
reject_bogon_asns();
reject_bogon_prefixes();
reject_long_aspaths();
reject_small_prefixes();
reject_problem_prefixes();
reject_roa_rpki();
prefer_direct_neighbor();
honor_graceful_shutdown();
}
## EXPORT FILTERS
# Export filter: announce only routes learned from the protocol named
# "myprefix"; everything else is rejected.
filter myas_export
{
if (proto = "myprefix") then {
accept;
}
reject;
}
# route collector
# Export filter towards the route collector: every BGP-sourced route
# plus the routes from protocol "myprefix" is exported; everything
# else is rejected.
filter myas_f_rc
{
# export IXP routes after all
# if ( clearnet_is_ixp() ) then reject;
if (source = RTS_BGP) then accept;
if (proto = "myprefix") then accept;
reject;
};