-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathbird.conf
113 lines (107 loc) · 2.5 KB
/
bird.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# refer: https://wiki.dn42.us/howto/Bird2
define MYAS = 4242420817;
define MYIP4 = CONFNET4;
define MYIP6 = CONFNET6;
define MYNET4 = 172.23.3.0/25;
define MYNET6 = fdef:1926:817::/48;
define MYNETSET4 = [172.23.3.0/25+];
define MYNETSET6 = [fdef:1926:817::/48+];
function isValid4() {
return net ~ [
172.31.0.0/16+, # ChaosVPN
10.100.0.0/14+, # ChaosVPN
10.127.0.0/16{16,32}, # neonetwork
10.0.0.0/8{15,24}, # Freifunk.net
172.20.0.0/24{28,32}, # dn42 Anycast
172.21.0.0/24{28,32}, # dn42 Anycast
172.22.0.0/24{28,32}, # dn42 Anycast
172.23.0.0/24{28,32}, # dn42 Anycast
172.20.0.0/14{21,29} # dn42
];
}
function isValid6() {
return net ~ [
fd00::/8{44,64} # ULA address space as per RFC 4193
];
}
router id MYIP4;
protocol device { scan time 10; }
roa4 table roa4_dn42
roa6 table roa6_dn42
protocol static _roa4 {
roa4 { table roa4_dn42; };
include "/etc/bird/roa4_dn42.conf";
}
protocol static _roa6 {
roa6 { table roa6_dn42; };
include "/etc/bird/roa6_dn42.conf";
}
protocol static { ipv4; route MYNET4 unreachable; }
protocol static { ipv6; route MYNET6 unreachable; }
protocol kernel {
scan time 20;
learn;
ipv4 {
import where net ~ [172.20.0.0/14+];
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = MYIP4;
accept;
};
};
}
protocol kernel {
scan time 20;
learn;
ipv6 {
import where net ~ [fd00::/8+];
export filter {
if source = RTS_STATIC then reject;
krt_prefsrc = MYIP6;
accept;
};
};
}
template bgp intern {
local as MYAS;
multihop;
ipv4 {
next hop self ebgp;
import where isValid4();
export where isValid4() && source = RTS_BGP;
};
ipv6 {
next hop self ebgp;
import where isValid6();
export where isValid6() && source = RTS_BGP;
};
}
template bgp dn42 {
local as MYAS;
multihop;
ipv4 {
import filter {
if isValid4() && net !~ MYNETSET4 then {
if (roa_check(roa4_dn42, net, bgp_path.last) != ROA_VALID) then {
print "[DN42] ROA failed for ", net, " AS", bgp_path.last;
reject;
} else accept;
} else reject;
};
export where isValid4() && source ~ [RTS_BGP, RTS_STATIC];
import limit 1000 action block;
};
ipv6 {
import filter {
if isValid6() && net !~ MYNETSET6 then {
if (roa_check(roa6_dn42, net, bgp_path.last) != ROA_VALID) then {
print "[DN42] ROA failed for ", net, " AS", bgp_path.last;
reject;
} else accept;
} else reject;
};
export where isValid6() && source ~ [RTS_BGP, RTS_STATIC];
import limit 1000 action block;
};
}
include "/etc/bird/peers/*";