defs4.conf
# Separate routing table; both BGP templates in this file attach to it with "table peers".
table peers;
# Send every log class to syslog, including the "[dn42] ROA check failed" lines
# printed by the import filters in this file.
log syslog all;
# ROA table consulted by roa_check() in the import filters. Its entries come entirely
# from the included file, so origin validation is only as good as that file.
# NOTE(review): how this file is generated and refreshed is not visible here. Confirm
# it is rebuilt on a schedule from a trusted source and is writable only by the
# account that updates it; a stale or modified file changes which origins are rejected.
roa table dn42_roa {
include "/var/lib/bird/bird_roa_dn42.conf";
};
# Returns true when the route's prefix falls inside one of the address ranges this
# router is willing to carry, with the prefix length inside the allowed window.
# Pattern syntax: prefix{low,high} matches subnets of prefix whose length is between
# low and high; prefix+ matches the prefix and every more-specific inside it.
# NOTE(review): every range below is private address space that may also be in use
# locally. Only 172.22.119.0/25+ is excluded elsewhere in this file (is_self_net), so
# a peer announcement for any other locally used prefix in these ranges passes this
# check. Confirm no other local networks overlap, or add them to the exclusion.
function is_valid_network() {
return net ~ [
172.20.0.0/14{21,29}, # dn42 main range, lengths /21 to /29
172.20.0.0/24{28,32}, # dn42 Anycast, lengths /28 to /32
172.21.0.0/24{28,32}, # dn42 Anycast, lengths /28 to /32
172.22.0.0/24{28,32}, # dn42 Anycast, lengths /28 to /32
172.23.0.0/24{28,32}, # dn42 Anycast, lengths /28 to /32
172.31.0.0/16+, # ChaosVPN, any length down to /32
10.100.0.0/14+, # ChaosVPN, any length down to /32
10.0.0.0/8{15,24} # Freifunk.net, lengths /15 to /24
];
}
# Returns true when the route's prefix is 172.22.119.0/25 or a more-specific inside it.
# The import filters in this file negate this test, so a peer cannot hand this prefix
# or any part of it back to us. The "exchanges" export filter requires it.
# Presumably this is the locally originated prefix; confirm against the static/direct
# protocol configuration, which is not part of this file.
# NOTE(review): a less-specific covering route (for example a /24 containing this /25)
# does not match here. On import it is stopped only if roa_check() returns ROA_INVALID.
function is_self_net() {
return net ~ [
172.22.119.0/25+
];
}
# Template for ordinary dn42 BGP peerings. Sessions built from it import routes into
# table "peers" after origin validation and prefix filtering, and export every route
# in that table that passes is_valid_network(), i.e. they provide transit.
# Neighbor address, remote AS and any session authentication are not set here; they
# must come from the protocol instances that use this template.
template bgp dn42_peers {
# Attach to the dedicated peers table declared at the top of the file.
table peers;
# Resolve BGP next hops against the master table.
igp table master;
local as 64719;
# Compare AS path length during route selection.
path metric 1;
# Keep rejected routes in memory so they can be inspected ("show route filtered").
# NOTE(review): rejected routes still consume memory, and per the BIRD 1.x
# documentation "import limit" does not count them while "receive limit" does.
# Consider adding a receive limit so a peer flooding invalid routes is also bounded.
import keep filtered;
import filter {
# Origin validation: drop the route when a ROA covers the prefix but the last AS in
# the path (the origin) or the prefix length does not match it.
# NOTE(review): only ROA_INVALID is rejected. A prefix with no ROA entry at all
# (ROA_UNKNOWN) continues to the prefix check below and can be accepted. If every
# accepted prefix is expected to be registered, compare against ROA_VALID instead;
# first confirm the ChaosVPN and Freifunk ranges have entries in the ROA file.
if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
# One syslog line per rejected route. The volume is driven by what the peer sends,
# so rate-limit or alert on this message at the syslog layer.
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
}
# Accept only prefixes inside the permitted ranges, and never our own prefix
# learned back from a peer.
if is_valid_network() && !is_self_net() then {
accept;
}
# Default deny: anything not explicitly accepted above is dropped.
reject;
};
export filter {
# Announce every route in the table that is inside the permitted ranges, both our
# own and those learned from other sessions. No own-prefix restriction here.
if is_valid_network() then {
accept;
}
# Default deny for everything else.
reject;
};
# Cap on imported routes per session. With "action block", routes beyond the limit
# are discarded and the session stays up.
import limit 1000 action block;
};
# Template for sessions at exchanges. Import policy is the same as dn42_peers, but
# export is restricted to our own prefix, so no transit is offered on these sessions.
# Neighbor address, remote AS and any session authentication are not set here; they
# must come from the protocol instances that use this template.
template bgp exchanges {
# Attach to the dedicated peers table declared at the top of the file.
table peers;
# Resolve BGP next hops against the master table.
igp table master;
local as 64719;
# Compare AS path length during route selection.
path metric 1;
# Keep rejected routes in memory so they can be inspected ("show route filtered").
# NOTE(review): rejected routes still consume memory, and per the BIRD 1.x
# documentation "import limit" does not count them while "receive limit" does.
# With the larger limit on this template, consider a receive limit as well.
import keep filtered;
import filter {
# Origin validation: drop the route when a ROA covers the prefix but the last AS in
# the path (the origin) or the prefix length does not match it.
# NOTE(review): only ROA_INVALID is rejected. A prefix with no ROA entry at all
# (ROA_UNKNOWN) continues to the prefix check below and can be accepted. If every
# accepted prefix is expected to be registered, compare against ROA_VALID instead;
# first confirm the ChaosVPN and Freifunk ranges have entries in the ROA file.
if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
# One syslog line per rejected route. The volume is driven by what the peer sends,
# so rate-limit or alert on this message at the syslog layer.
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
reject;
}
# Accept only prefixes inside the permitted ranges, and never our own prefix
# learned back from a peer.
if is_valid_network() && !is_self_net() then {
accept;
}
# Default deny: anything not explicitly accepted above is dropped.
reject;
};
export filter {
# Announce only our own prefix. Both tests must pass, so of 172.22.119.0/25+ only
# lengths allowed by the dn42 range in is_valid_network() (/25 to /29) are exported.
if is_valid_network() && is_self_net() then {
accept;
}
# Default deny: routes learned from other sessions are never re-announced here.
reject;
};
# Cap on imported routes per session. With "action block", routes beyond the limit
# are discarded and the session stays up.
import limit 10000 action block;
};
# Use the long ISO date-and-time form (YYYY-MM-DD hh:mm:ss) for every timestamp class:
# base, log, protocol and route. Full timestamps make it easier to correlate the
# filter log lines with other log sources.
# NOTE(review): this format carries no timezone offset; confirm which timezone the
# daemon logs in before correlating across hosts.
timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;