defs6.conf
# Separate routing table that both BGP templates in this file attach to.
table peers;

# Forward every log class to syslog.
log syslog all;

# ROA entries for dn42, loaded from a file maintained outside this config.
# NOTE(review): the import filters in this file rely on this table to decide
# which origin ASNs are invalid. Confirm the included file is refreshed on a
# schedule, is fetched over an authenticated channel, and is writable only by
# the account that updates it. Stale or tampered data weakens the ROA check.
roa table dn42_roa {
    include "/var/lib/bird/bird6_roa_dn42.conf";
};
# True when the route's prefix lies inside fd00::/8 (the locally assigned part
# of the RFC 4193 ULA range) and its length is between /44 and /64 inclusive.
# Everything else fails the test, so the filters that call this reject
# default routes, over-long prefixes and non-ULA space.
function is_valid_network() {
    return net ~ [ fd00::/8{44,64} ];
}
# True when the route's prefix is fd42:a:b::/48 or any more-specific prefix
# inside it. The import filters use it to refuse this prefix when a peer
# announces it; the exchanges export filter uses it to announce nothing else.
# NOTE(review): presumably fd42:a:b::/48 is this node's own allocation.
# Confirm it matches the registry entry before deploying.
function is_self_net() {
    return net ~ [ fd42:a:b::/48+ ];
}
# Template for ordinary dn42 BGP peerings. Sessions built from it import into
# and export from the "peers" table using the filters below.
template bgp dn42_peers {
    table peers;
    igp table master;          # next hops are resolved through the master table
    local as 64719;
    path metric 1;             # AS path length takes part in route selection

    # Rejected routes stay in memory for inspection.
    # NOTE(review): per the BIRD documentation, "import limit" counts only
    # routes that pass the filter, so routes kept here are not bounded by it.
    # Consider a "receive limit" so a peer cannot grow memory with rejected
    # announcements.
    import keep filtered;

    import filter {
        # Drop announcements whose origin ASN (last ASN in the path)
        # contradicts the ROA table. Only ROA_INVALID is dropped; a prefix
        # with no ROA entry (ROA_UNKNOWN) passes this step.
        # NOTE(review): if the dn42 ROA data is expected to cover every
        # legitimate prefix, rejecting everything that is not ROA_VALID is
        # the stricter policy. Confirm which one is intended.
        if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
            print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
            reject;
        }

        # Outside the permitted ULA range or prefix lengths: refuse.
        if !is_valid_network() then reject;

        # Our own prefix must never be learned from a peer.
        if is_self_net() then reject;

        accept;
    };

    export filter {
        # Anything in the permitted ULA range is announced. Unlike the
        # exchanges template, this is not limited to our own prefix.
        if !is_valid_network() then reject;
        accept;
    };

    # Stop accepting new routes once 1000 have been imported from the peer.
    import limit 1000 action block;
};
# Template for sessions at exchange points. The import policy is the same as
# in dn42_peers. The export policy is narrower: only our own prefix goes out.
template bgp exchanges {
    table peers;
    igp table master;          # next hops are resolved through the master table
    local as 64719;
    path metric 1;             # AS path length takes part in route selection

    # Rejected routes stay in memory for inspection.
    # NOTE(review): per the BIRD documentation, "import limit" counts only
    # routes that pass the filter, so routes kept here are not bounded by it.
    # Consider a "receive limit" so a peer cannot grow memory with rejected
    # announcements.
    import keep filtered;

    import filter {
        # Drop announcements whose origin ASN (last ASN in the path)
        # contradicts the ROA table. Only ROA_INVALID is dropped; a prefix
        # with no ROA entry (ROA_UNKNOWN) passes this step.
        # NOTE(review): if the dn42 ROA data is expected to cover every
        # legitimate prefix, rejecting everything that is not ROA_VALID is
        # the stricter policy. Confirm which one is intended.
        if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
            print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
            reject;
        }

        # Outside the permitted ULA range or prefix lengths: refuse.
        if !is_valid_network() then reject;

        # Our own prefix must never be learned from a peer.
        if is_self_net() then reject;

        accept;
    };

    export filter {
        # Announce only routes that are both in the permitted ULA range and
        # inside our own prefix, so no transit is offered on these sessions.
        if !is_valid_network() then reject;
        if !is_self_net() then reject;
        accept;
    };

    # Stop accepting new routes once 10000 have been imported from the peer.
    import limit 10000 action block;
};
# Use the ISO long timestamp format (date and time) for all four timestamp
# classes. Log entries, protocol state changes and route ages then share one
# format, which makes them easier to correlate during an investigation.
timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;