update filters

move templates to separate directory
add Cymru fullbogon community
2020-05-03 00:33:40 +02:00 · 2020-05-03 00:32:37 +02:00 · 2020-05-03 00:32:11 +02:00 · 2020-05-03 00:28:15 +02:00 · 2020-05-03 00:25:49 +02:00 · 2020-05-03 00:24:18 +02:00
25 changed files with 400 additions and 306 deletions
--- a/bird.conf
+++ b/bird.conf
@ -12,8 +12,8 @@ include "/etc/bird/constants.conf";
 include "/etc/bird/passwords.conf";
 include "/etc/bird/communities.conf";
 include "/etc/bird/tables.conf";
-include "/etc/bird/rpki.conf";
 include "/etc/bird/filters/*.conf";
+include "/etc/bird/templates/*.conf";
 include "/etc/bird/protocols/*.conf";

 protocol device {
--- a/communities.conf
+++ b/communities.conf
@ -1,3 +1,5 @@
+define cymru_fullbogons		= (65332, 888);
+
 # Well-known: https://www.iana.org/assignments/bgp-well-known-communities/bgp-well-known-communities.xhtml
 define wk_graceful_shutdown	= (0xffff, 0x0000); # RFC8326
 define wk_accept_own		= (0xffff, 0x0001); # RFC7611
--- a/filters/common.conf
+++ b/filters/common.conf
@ -163,30 +163,41 @@ function is_default_v6() {


 function is_bogon_ebgp_v4() {
-	if net.len > 24 then # RFC7454
+	if net.len > 24 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_long);
 		return true;
+	}

-	if is_martian_v4() then
+	if is_martian_v4() then {
 		return true;
+	}

-	if is_peering_lan_v4() then
+	if is_peering_lan_v4() then {
 		return true;
+	}

-	if bgp_path.first != my_ripe_asn then
+	if bgp_path.first != my_ripe_asn then {
 		return true;
+	}

-	if bgp_path.len > 32 then
+	if bgp_path.len > 32 then {
+		bgp_large_community.add(filtered_import_as_path_too_long);
 		return true;
+	}

-	if net.len < 8 then # RFC7454
+	if net.len < 8 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_short);
 		return true;
+	}

 	return false;
 }

 function is_bogon_ebgp_v6() {
-	if net.len > 48 then # RFC7454
+	if net.len > 48 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_long);
 		return true;
+	}

 	if is_martian_v6() then
 		return true;
@ -197,14 +208,20 @@ function is_bogon_ebgp_v6() {
 	#if is_bogon_asn() then
 	#	return true;

-	if bgp_path.first != my_ripe_asn then
+	if bgp_path.first != my_ripe_asn then {
+		bgp_large_community.add(filtered_import_first_as_not_peer);
 		return true;
+	}

-	if bgp_path.len > 32 then
+	if bgp_path.len > 32 then {
+		bgp_large_community.add(filtered_import_as_path_too_long);
 		return true;
+	}

-	if net.len < 19 then # RFC7454
+	if net.len < 19 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_short);
 		return true;
+	}

 	return false;
 }
--- a/filters/dn42.conf
+++ b/filters/dn42.conf
@ -9,56 +9,70 @@ function is_dn42() {
 	];
 }

-filter dn42_import_v4
-	bool rej;
+function dn42_import_v4()
+	bool ok;
 {
-	accept;
-
-	rej = false;
+	ok = true;

 	if ! is_dn42() then
-		rej = true;
+		ok = false;

-	if is_rpki_invalid_dn42_v6() then
-		rej = true;
+	     if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then
+		bgp_large_community.add(informational_rpki_valid);
+	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
+		bgp_large_community.add(informational_rpki_unknown);
+	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
+		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto;
+		bgp_large_community.add(informational_rpki_invalid);
+		ok = false;
+	}
+	else
+		bgp_large_community.add(informational_rpki_not_checked);

-	# We delay the final decission until all communities are added
-	if rej then
-		reject;
-
-	accept;
+	return ok;
 }

-filter dn42_import_v6
-	bool rej;
+function dn42_import_v6()
+	bool ok;
 {
-	accept;
-
-	rej = false;
+	ok = true;

 	if ! is_dn42() then
-		rej = true;
+		ok = false;

-	if is_rpki_invalid_dn42_v6() then
-		rej = true;
+	     if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
+		bgp_large_community.add(informational_rpki_valid);
+	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
+		bgp_large_community.add(informational_rpki_unknown);
+	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
+		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto;
+		bgp_large_community.add(informational_rpki_invalid);
+		ok = false;
+	}
+	else
+		bgp_large_community.add(informational_rpki_not_checked);

-	# We delay the final decission until all communities are added
-	if rej then
-		reject;
-
-	accept;
+	return ok;
 }

-filter dn42_export_v4 {
+function dn42_export_v4()
+	bool ok;
+{
+	ok = true;
+
 	if ! is_mine_dn42() then
-		reject;
+		ok = false;

-	accept;
+	return ok;
 }

-filter dn42_export_v6 {
+function dn42_export_v6()
+	bool ok;
+{
+	ok = true;
+
 	if ! is_mine_dn42() then
-		reject;
+		ok = false;

-	accept;
+	return ok;
 }
--- a/filters/ebgp.conf
+++ b/filters/ebgp.conf
@ -1,40 +1,59 @@
-filter ebgp_import_v4 {
-	reject;
+function ebgp_import_v4()
+	bool ok;
+{
+	ok = false;
+
+	return ok;
 }

-filter ebgp_import_v6
-	bool rej;
+function ebgp_import_v6()
+	bool ok;
 {
-	rej = false;
+	ok = true;

 	# Make sure we dont use peering IPs for originating traffic
 	krt_prefsrc = 2a09:11c0:200::14;

-	if is_rpki_invalid_v6() then
-		rej = true;
+
+	     if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
+		bgp_large_community.add(informational_rpki_valid);
+	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
+		bgp_large_community.add(informational_rpki_unknown);
+	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
+		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto;
+		bgp_large_community.add(informational_rpki_invalid);
+		ok = false;
+	}
+	else
+		bgp_large_community.add(informational_rpki_not_checked);

 	if net.len > 48 then {
-		filter_reason(filtered_import_prefix_too_long);
-		rej = true;
+		bgp_large_community.add(filtered_import_prefix_too_long);
+		ok = false;
 	}

 	if bgp_path.len > 64 then {
-		filter_reason(filtered_import_as_path_too_long);
-		rej = true;
+		bgp_large_community.add(filtered_import_as_path_too_long);
+		ok = false;
 	}

-	# We delay the final decission until all communities are added
-	if rej then reject; else accept;
+	return ok;
 }

-filter ebgp_export_v4 {
-	reject;
-}
-
-filter ebgp_export_v6
-	prefix set mynets;
+function ebgp_export_v4()
+	bool ok;
 {
-	if is_mine_ripe() then accept;
-
-	reject;
+	# I dont have ane IPv4 prefixes :(
+	return false;
+}
+
+function ebgp_export_v6()
+	bool ok;
+{
+	ok = true;
+
+	if ! is_mine_ripe() then
+		ok = false;
+
+	return ok;
 }
--- a/filters/ibgp.conf
+++ b/filters/ibgp.conf
@ -1,23 +1,43 @@
-filter ibgp_export_v4 {
+function ibgp_export_v4()
+	bool ok;
+{
+	ok = true;
+
 	if net.len = 32 then
-		reject;
+		ok = false;

-	accept;
+	return ok;
 }

-filter ibgp_export_v6 {
+function ibgp_export_v6()
+	bool ok;
+{
+	ok = true;
+
 	if net.len = 128 then
-		reject;
+		ok = false;

-	accept;
+	return ok;
 }

-filter ibgp_import_v4 {
-	if net = 0.0.0.0/0 then reject;
+function ibgp_import_v4()
+	bool ok;
+{
+	ok = true;

-	accept;
+	if net = 0.0.0.0/0 then
+		ok = false;
+
+	return ok;
 }

-filter ibgp_import_v6 {
-	accept;
+function ibgp_import_v6()
+	bool ok;
+{
+	ok = true;
+
+	if ! is_mine() then
+		ok = false;
+
+	return ok;
 }
--- a/protocols/4ixp.conf
+++ b/protocols/4ixp.conf
@ -1,13 +1,19 @@
-template bgp ixp_ch {
-	local 2001:7f8:d0:4b42::45 as my_ripe_asn;
+template bgp ixp_ch from ebgp_peer_v6 {
+	local 2001:7f8:d0:4b42::45;
 	neighbor as 35708;

 	ipv6 {
-		table ebgp_v6;
+		export filter {
+			bgp_path = prepend(bgp_path, my_ripe_asn);
+			bgp_path = prepend(bgp_path, my_ripe_asn);
+			bgp_path = prepend(bgp_path, my_ripe_asn);
+			bgp_path = prepend(bgp_path, my_ripe_asn);

-		#import keep filtered;
-		import filter ebgp_import_v6;
-		export filter ebgp_export_v6;
+			if ebgp_export_v6() then
+				accept;
+			else
+				reject;
+		};
 	};
 }

--- a/protocols/decix.conf
+++ b/protocols/decix.conf
@ -1,35 +1,17 @@
-
-template bgp decix {
-	local as my_ripe_asn;
-
-	graceful restart on;
+template bgp decix_v4 from ebgp_peer_v4 {
+	ipv4 {
+		preference 120;
+	};
 }

-template bgp decix_v6 from decix {
+template bgp decix_v6 from ebgp_peer_v6 {
 	ipv6 {
-		table ebgp_v6;
-
-		import keep filtered;
 		import limit 50000;

-		import filter ebgp_import_v6;
-		export filter ebgp_export_v6;
+		preference 120;
 	};
 }

-template bgp decix_v4 from decix {
-	ipv4 {
-		table ebgp_v4;
-
-		import keep filtered;
-		import limit 200000;
-
-		import filter ebgp_import_v4;
-		export filter ebgp_export_v4;
-	};
-}
-
-
 ### IPv4
 template bgp decix_fra_v4 from decix_v4 {
 	neighbor as 6695;
@ -59,17 +41,24 @@ template bgp decix_muc_v4 from decix_v4 {
 template bgp decix_fra_v6 from decix_v6 {
 	local 2001:7f8::3:2afd:0:1;
 	neighbor as 6695;
+
+	ipv6 {
+		preference 140;
+	};
 }

 template bgp decix_dus_v6 from decix_v6 {
+	local 2001:7f8:9e:0:3:2afd:0:1;
 	neighbor as 56890;
 }

 template bgp decix_ham_v6 from decix_v6 {
+	local 2001:7f8:3d:0:3:2afd:0:1;
 	neighbor as 43252;
 }

 template bgp decix_muc_v6 from decix_v6 {
+	local 2001:7f8:44:0:3:2afd:0:1;
 	neighbor as 47228;
 }

@ -137,7 +126,7 @@ protocol bgp decix_dus_rs1_v4 from decix_dus_v4 {
 protocol bgp decix_dus_rs2_v4 from decix_dus_v4 {
 	description "DE-CIX Düsseldorf RS2 (v4)";

-	neighbor 185.1.58.252;
+	neighbor 185.1.58.253;
 }

 protocol bgp decix_dus_rs1_v6 from decix_dus_v6 {
@ -149,7 +138,7 @@ protocol bgp decix_dus_rs1_v6 from decix_dus_v6 {
 protocol bgp decix_dus_rs2_v6 from decix_dus_v6 {
 	description "DE-CIX Düsseldorf RS2 (v6)";

-	neighbor 2001:7f8:9e::de3a:fc:1;
+	neighbor 2001:7f8:9e::de3a:fd:1;
 }

 # München
@ -177,3 +166,20 @@ protocol bgp decix_muc_rs2_v6 from decix_muc_v6 {
 	neighbor 2001:7f8:44::b87c:0:2;
 }

+protocol bgp decix_fra_he_v6 from decix_fra_v6 {
+	description "DE-CIX Frankfurt: Hurricane Electric (v6)";
+
+	neighbor 2001:7f8::1b1b:0:1 as 6939;
+}
+
+protocol bgp decix_muc_facebook_1_v6 from decix_muc_v6 {
+	description "DE-CIX Frankurt: Facebook /1";
+
+	neighbor 2001:7f8:44::80a6:0:1 as 32934;
+}
+
+protocol bgp decix_muc_facebook_2_v6 from decix_muc_v6 {
+	description "DE-CIX Frankurt: Facebook /1";
+
+	neighbor 2001:7f8:44::80a6:0:2 as 32934;
+}
--- a/protocols/dn42.conf
+++ b/protocols/dn42.conf
@ -1,4 +1,3 @@
-# ROA tables
 protocol static static_roa_dn42_v4 {
 	roa4 {
 		table roa_dn42_v4;
@ -15,49 +14,4 @@ protocol static static_roa_dn42_v6 {
 	include "/var/lib/bird/bird_roa_dn42_v6.conf";
 }

-# Template
-template bgp dn42_peer {
-	local as my_dn42_asn;
-
-	graceful restart on;
-}
-
-template bgp dn42_peer_v46 from dn42_peer {
-	ipv4 {
-		table dn42_v4;
-
-		import keep filtered;
-		import filter dn42_import_v4;
-		export filter dn42_export_v4;
-	};
-
-	ipv6 {
-		table dn42_v6;
-
-		import keep filtered;
-		import filter dn42_import_v6;
-		export filter dn42_export_v6;
-	};
-}
-
-template bgp dn42_peer_v4 from dn42_peer {
-	ipv4 {
-		table dn42_v4;
-
-		import keep filtered;
-		import filter dn42_import_v4;
-		export filter dn42_export_v4;
-	};
-}
-
-template bgp dn42_peer_v6 from dn42_peer {
-	ipv6 {
-		table dn42_v6;
-
-		import keep filtered;
-		import filter dn42_import_v6;
-		export filter dn42_export_v6;
-	};
-}
-
 include "/etc/bird/protocols/dn42/*.conf";
--- a/protocols/dn42/burble.conf
+++ b/protocols/dn42/burble.conf
@ -0,0 +1,6 @@
+protocol bgp dn42_burble from dn42_peer_v46 {
+	description "dn42: burble";
+
+	local fd42:4dd0:ff00::3;
+	neighbor fd42:4242:2601:23::1 as 4242422601;
+}
--- a/protocols/dn42/grc.conf
+++ b/protocols/dn42/grc.conf
@ -1,5 +1,10 @@
-protocol bgp dn42_grc {
-	description "dn42: Global Route Collector (burble)";
+ipv4 table dn42_grc_v4;
+ipv6 table dn42_grc_v6;
+
+protocol bgp dn42_grc_export {
+	disabled yes;
+
+	description "dn42: Global Route Collector Export (burble)";
 	local fd42:4dd0:ff00::1 as my_dn42_asn;
 	neighbor fd42:4242:2601:ac12::1 as 4242422602;

@ -23,3 +28,52 @@ protocol bgp dn42_grc {
 		import none;
 	};
 }
+
+protocol bgp dn42_grc_import {
+	description "dn42: Global Route Collector Import (burble)";
+
+	local fd42:4dd0:ff00::1:1 as my_dn42_asn;
+	neighbor fd42:4242:2601:ac12::1 as 4242422602;
+
+	# mrtdump all;
+	multihop;
+
+	ipv4 {
+		add paths rx;
+		table dn42_grc_v4;
+
+		export none;
+		import all;
+	};
+
+	ipv6 {
+		add paths rx;
+		table dn42_grc_v6;
+
+		export none;
+		import all;
+	};
+}
+
+protocol bgp dn42_grc_peer {
+	description "dn42: Global Route Collector Peer";
+
+	local 2a09:11c0:200::14 as my_dn42_asn;
+	neighbor range 2a09:11c0:200::/48 internal;
+
+        ipv4 {
+		add paths tx;
+		table dn42_grc_v4;
+
+		export all;
+		import none;
+	};
+
+	ipv6 {
+		add paths tx;
+		table dn42_grc_v6;
+
+		export all;
+		import none;
+	};
+}
--- a/protocols/dn42/grc_mrtdump.conf
+++ b/protocols/dn42/grc_mrtdump.conf
@ -0,0 +1 @@
+mrtdump "/mnt/mrt/bird/today/msgs_dn42_grc_2020-05-02.mrt";
--- a/protocols/evix.conf
+++ b/protocols/evix.conf
@ -1,15 +1,5 @@
-template bgp evix {
-	local 2602:fed2:fff:ffff::233 as my_ripe_asn;
-
-	ipv6 {
-		table ebgp_v6;
-
-		import keep filtered;
-		import all;
-		export filter ebgp_export_v6;
-	};
-
-	graceful restart on;
+template bgp evix from ebgp_peer_v6 {
+	local 2602:fed2:fff:ffff::233;
 }

 protocol bgp evix_rs1 from evix {
--- a/protocols/ibgp.conf
+++ b/protocols/ibgp.conf
@ -6,15 +6,15 @@ template bgp rr_clients {

 	ipv4 {
 		import keep filtered;
-		import filter ibgp_import_v4;
-		export filter ibgp_export_v4;
+		import where ibgp_import_v4();
+		export where ibgp_export_v4();
 		next hop self;
 	};

 	ipv6 {
 		import keep filtered;
-		import filter ibgp_import_v6;
-		export filter ibgp_export_v6;
+		import where ibgp_import_v6();
+		export where ibgp_export_v6();
 		next hop self;
 	};
 }
--- a/protocols/kleyrex.conf
+++ b/protocols/kleyrex.conf
@ -1,13 +1,9 @@
-template bgp kleyrex_fra {
-	local 2001:7f8:33::A120:7613:1 as my_ripe_asn;
+template bgp kleyrex_fra from ebgp_peer_v6 {
+	local 2001:7f8:33::A120:7613:1;
 	neighbor as 31142;

 	ipv6 {
-		table ebgp_v6;
-
-		#import keep filtered;
-		import all;
-		export filter ebgp_export_v6;
+		preference 120;
 	};

 	graceful restart on;
@ -34,6 +30,10 @@ protocol bgp kleyrex_fra_rs3 from kleyrex_fra {
 protocol bgp kleyrex_fra_42b4 from kleyrex_fra {
 	description "KleyRex FRA 42b4";

+	ipv6 {
+		preference 50;
+	};
+
 	neighbor 2001:7f8:33::a106:474:1 as 60474;
 }

--- a/protocols/layerbridge.conf
+++ b/protocols/layerbridge.conf
@ -1,18 +0,0 @@
-include "/var/lib/bird/hetnix_v6.conf";
-
-protocol bgp tb_lb1 {
-	description "LayerBridge / Hetnix";
-
-	local fc00:0:6::2 as my_ripe_asn;
-	neighbor fc00:0:6::1 as 3280;
-
-	ipv6 {
-		table ebgp_v6;
-
-		import keep filtered;
-		import filter ebgp_import_v6;
-		export filter ebgp_export_v6;
-	};
-
-	multihop 10;
-}
--- a/protocols/locix.conf
+++ b/protocols/locix.conf
@ -1,43 +1,42 @@
-template bgp locix_fra {
-	local 2a07:1c44:61f0::a520:7613:1 as my_ripe_asn;
+template bgp locix_fra_v6 from ebgp_peer_v6 {
+	local 2001:7f8:f2:e1:0:a520:7613:1;
 	neighbor as 202409;

 	ipv6 {
-		table ebgp_v6;
-
-		#import keep filtered;
-		import all;
-		export filter ebgp_export_v6;
+		preference 110;
 	};

 	graceful restart on;
 }

-protocol bgp locix_fra_rs1 from locix_fra {
-	description "LocIX FRA RS1";
+protocol bgp locix_fra_rs1 from locix_fra_v6 {
+	description "LocIX Frankfurt RS1";

-	neighbor 2a07:1c44:61f0::babe:1;
+	neighbor 2001:7f8:f2:e1::babe:1;
 }

-protocol bgp locix_fra_rs2 from locix_fra {
-	description "LocIX FRA RS2";
+protocol bgp locix_fra_rs2 from locix_fra_v6 {
+	description "LocIX Frankfurt RS2";

-	neighbor 2a07:1c44:61f0::dead:1;
+	neighbor 2001:7f8:f2:e1::dead:1;
 }

-protocol bgp locix_fra_rs3 from locix_fra {
-	description "LocIX FRA RS3";
+protocol bgp locix_fra_rs3 from locix_fra_v6 {
+	description "LocIX Frankfurt RS3";

-	neighbor 2a07:1c44:61f0::be5a;
+	neighbor 2001:7f8:f2:e1::be5a;
 }

-protocol bgp locix_fra_ifog from locix_fra {
-	description "LocIX FRA iFog";
+protocol bgp locix_fra_ifog from locix_fra_v6 {
+	description "LocIX Frankfurt iFog";

-	neighbor 2a07:1c44:61f0::a120:4927:1 as 34927;
-
-	ipv6 {
-		preference 80;
-	};
+	neighbor 2001:7f8:f2:e1:0:a120:4927:1 as 34927;
 }

+protocol bgp locix_fra_as112 from locix_fra_v6 {
+	description "LocIX Frankfurt: AS112";
+
+	neighbor 2001:7f8:f2:e1::112 as	112;
+
+	disabled yes;
+}
--- a/protocols/meerfarbig.conf
+++ b/protocols/meerfarbig.conf
@ -1,15 +1,6 @@
-protocol bgp meerfarbig {
+protocol bgp meerfarbig from ebgp_peer_v6 {
 	description "meerfarbig";

-	local 2a00:f820:457::2 as my_ripe_asn;
+	local 2a00:f820:457::2;
 	neighbor 2a00:f820:457::1 as 34549;
-
-	ipv6 {
-		table ebgp_v6;
-
-		import keep filtered;
-		import filter ebgp_import_v6;
-		export filter ebgp_export_v6;
-		next hop self;
-	};
 }
--- a/protocols/mrt.conf
+++ b/protocols/mrt.conf
@ -0,0 +1,10 @@
+protocol mrt {
+	description "MRT Dumper";
+
+	table "dn42_grc_*";
+        where source = RTS_BGP;
+        filename "/mnt/mrt/bird/today/rib_%N_%F_%T.mrt";
+        period 300;
+
+	disabled yes;
+}
--- a/protocols/rpki.conf
+++ b/protocols/rpki.conf
@ -0,0 +1,11 @@
+protocol rpki {
+	roa6 {
+		table roa_v6;
+	};
+
+	remote "10.43.141.166" port 3323;
+
+	retry keep 90;
+	refresh keep 900;
+	expire keep 172800;
+}
--- a/protocols/static.conf
+++ b/protocols/static.conf
@ -27,8 +27,8 @@ protocol static static_v4 {
 		reject;

 	# Marienstrasse
-	route 192.168.178.0/24
-		via 172.23.156.9;
+	#route 192.168.178.0/24
+	#	via 172.23.156.9;

 	route 0.0.0.0/0
 		via 31.47.232.65;
--- a/protocols/tunnelbroker_net.conf
+++ b/protocols/tunnelbroker_net.conf
@ -1,17 +1,20 @@
-protocol bgp tb_he1 {
+protocol bgp tb_he1 from ebgp_peer_v6 {
 	description "tunnelserver.net (Hurricane Electric)";

-	local 2001:470:12:1ab::2 as my_ripe_asn;
+	local 2001:470:12:1ab::2;
 	neighbor 2001:470:12:1ab::1 as 6939;

 	ipv6 {
-		table ebgp_v6;
 		preference 80;

-		import keep filtered;
-		import filter ebgp_import_v6;
-		export filter ebgp_export_v6;
-	};
+		export filter {
+			bgp_path = prepend(bgp_path, my_ripe_asn);
+			bgp_path = prepend(bgp_path, my_ripe_asn);

-	multihop 10;
+			if ebgp_export_v6() then
+				accept;
+			else
+				reject;
+		};
+	};
 }
--- a/rpki.conf
+++ b/rpki.conf
@ -1,65 +0,0 @@
-protocol rpki {
-	roa6 {
-		table roa_v6;
-	};
-
-	remote "10.43.141.166" port 3323;
-
-	retry keep 90;
-	refresh keep 900;
-	expire keep 172800;
-}
-
-function filter_reason(lc rsn) {
-	bgp_large_community.add(rsn);
-}
-
-# RPKI tests
-function is_rpki_invalid_v6() {
-	     if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
-		bgp_large_community.add(informational_rpki_valid);
-	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
-		bgp_large_community.add(informational_rpki_unknown);
-	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
-		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
-		bgp_large_community.add(informational_rpki_invalid);
-		return true;
-	}
-	else
-		bgp_large_community.add(informational_rpki_not_checked);
-
-	return false;
-}
-
-function is_rpki_invalid_dn42_v4() {
-	     if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then
-		bgp_large_community.add(informational_rpki_valid);
-	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
-		bgp_large_community.add(informational_rpki_unknown);
-	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
-		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
-		bgp_large_community.add(informational_rpki_invalid);
-		return true;
-	}
-	else
-		bgp_large_community.add(informational_rpki_not_checked);
-
-	return false;
-}
-
-function is_rpki_invalid_dn42_v6() {
-	     if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
-		bgp_large_community.add(informational_rpki_valid);
-	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
-		bgp_large_community.add(informational_rpki_unknown);
-	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
-		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
-		bgp_large_community.add(informational_rpki_invalid);
-		return true;
-	}
-	else
-		bgp_large_community.add(informational_rpki_not_checked);
-
-	return false;
-}
-
--- a/templates/dn42.conf
+++ b/templates/dn42.conf
@ -0,0 +1,44 @@
+template bgp dn42_peer {
+	local as my_dn42_asn;
+
+	graceful restart on;
+}
+
+template bgp dn42_peer_v46 from dn42_peer {
+	ipv4 {
+		table dn42_v4;
+
+		import keep filtered;
+		import where dn42_import_v4();
+		export where dn42_export_v4();
+	};
+
+	ipv6 {
+		table dn42_v6;
+
+		import keep filtered;
+		import where dn42_import_v6();
+		export where dn42_export_v6();
+	};
+}
+
+template bgp dn42_peer_v4 from dn42_peer {
+	ipv4 {
+		table dn42_v4;
+
+		import keep filtered;
+		import where dn42_import_v4();
+		export where dn42_export_v4();
+	};
+}
+
+template bgp dn42_peer_v6 from dn42_peer {
+	ipv6 {
+		table dn42_v6;
+
+		import keep filtered;
+		import where dn42_import_v6();
+		export where dn42_export_v6();
+	};
+}
+
--- a/templates/ebgp.conf
+++ b/templates/ebgp.conf
@ -0,0 +1,30 @@
+template bgp ebgp_peer {
+	local as my_ripe_asn;
+
+	graceful restart on;
+}
+
+template bgp ebgp_peer_v6 from ebgp_peer {
+	ipv6 {
+		table ebgp_v6;
+
+		import keep filtered;
+		import limit 100000;
+
+		import where ebgp_import_v6();
+		export where ebgp_export_v6();
+	};
+}
+
+template bgp ebgp_peer_v4 from ebgp_peer {
+	ipv4 {
+		table ebgp_v4;
+
+		import keep filtered;
+		import limit 200000;
+
+		import where ebgp_import_v4();
+		export where ebgp_export_v4();
+	};
+}
+
Author	SHA1	Message	Date
Steffen Vogel	fea8e680ea	update filters	2020-05-03 00:33:40 +02:00
Steffen Vogel	2809a0d026	move templates to separate directory	2020-05-03 00:32:37 +02:00
Steffen Vogel	7f8628e7ee	add Cymru fullbogon community	2020-05-03 00:32:11 +02:00
Steffen Vogel	a618c3ed13	remove session: Layerbridge / Hetnix	2020-05-03 00:28:15 +02:00
Steffen Vogel	c9cf5f0b68	move RPKI to protocols	2020-05-03 00:25:49 +02:00
Steffen Vogel	33fb6a5dbf	add MRT dumps	2020-05-03 00:24:18 +02:00
Steffen Vogel	c4fdc5eef9	add new session: dn42_burble	2020-05-03 00:23:51 +02:00
				`@ -0,0 +1 @@`
				`mrtdump "/mnt/mrt/bird/today/msgs_dn42_grc_2020-05-02.mrt";`