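# BIRD 2 routing configuration: kernel route export plus BGP peer templates for
# IPv4 and IPv6. OWNNETS, OWNAS, OWNIP4 and OWNIP6 are defined outside this
# section.
#
# The statements are laid out one per line: a '#' comment runs to the end of
# the line, so with the file collapsed onto one line the first comment would
# hide everything that follows it.

# Device protocol: contributes no routes itself; it supplies interface
# information to the other protocols.
protocol device { };

# True when the route's prefix matches OWNNETS.
# NOTE(review): the BGP import filters rely on this to drop our own space when
# a peer announces it. Whether more-specifics of our space are also caught
# depends on how OWNNETS is written (e.g. with a trailing '+'), which is not
# visible here; verify at the definition.
function is_self_net() {
  return net ~ OWNNETS;
};

# Allowlist of address space accepted from and announced to BGP peers:
# 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 100.64.0.0/10 for IPv4 and
# 2000::/3, fd00::/8 for IPv6. The trailing '+' matches the prefix and every
# more-specific one. Anything else, including a default route, does not match.
#
# The IPv4 and IPv6 prefixes are kept in separate sets, selected by the address
# family of the route. The result is the same as with one combined set, since a
# route only ever matches prefixes of its own family.
# NOTE(review): the original kept all six prefixes in a single set; BIRD
# releases that refuse mixed IPv4/IPv6 prefix sets fail to parse that form.
# Confirm against the deployed version.
#
# NOTE(review): because of '+', any length down to /32 (or /128) is accepted,
# and 2000::/3+ covers the whole global unicast IPv6 range. The filters below do
# not check which peer is entitled to a prefix, so a more-specific announcement
# from any peer is taken as-is. Confirm this breadth is intended, or bound the
# lengths and add origin validation.
function is_valid_network() {
  if net.type = NET_IP4 then
    return net ~ [ 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 100.64.0.0/10+ ];
  return net ~ [ 2000::/3+, fd00::/8+ ];
};

# Kernel sync, IPv4: nothing is learned from the kernel table (import none).
# Static routes are kept out of the kernel unless they come from the protocols
# named "vpnras_v4" or "hack_v4"; every other route is installed with OWNIP4 as
# preferred source address.
# Routes accepted by the BGP import filters therefore end up in the kernel
# forwarding table, so those filters are the only gate in this section.
protocol kernel {
  ipv4 {
    import none;
    export filter {
      if source = RTS_STATIC && proto != "vpnras_v4" && proto != "hack_v4" then reject;
      krt_prefsrc = OWNIP4;
      accept;
    };
  };
};

# Kernel sync, IPv6: same policy as the IPv4 instance, with the protocols
# "vpnras_v6" / "hack_v6" and OWNIP6 as preferred source address.
protocol kernel {
  ipv6 {
    import none;
    export filter {
      if source = RTS_STATIC && proto != "vpnras_v6" && proto != "hack_v6" then reject;
      krt_prefsrc = OWNIP6;
      accept;
    };
  };
};

# Template for IPv4 BGP peers.
template bgp v4peers {
  local as OWNAS;
  ipv4 {
    # This line allows debugging of the filter rules: filtered routes can be
    # looked up in birdc using the "show route filtered" command.
    # NOTE(review): rejected routes are kept in memory for that purpose. As far
    # as the BIRD documentation describes it, "import limit" below counts only
    # accepted routes, while "receive limit" also counts the filtered ones.
    # Verify, and consider a receive limit so that a peer sending large numbers
    # of rejected routes is bounded as well.
    import keep filtered;
    import filter {
      # Accept every allowed subnet except our own advertised subnet.
      # Filtering is important, because some peers try to advertise routes
      # like 0.0.0.0.
      if is_valid_network() && !is_self_net() then {
        accept;
      }
      reject;
    };
    # Announce every route in the allowlist. There is no restriction to our own
    # prefixes, so routes learned from other peers are passed on as well.
    export filter {
      if is_valid_network() then {
        accept;
      }
      reject;
    };
    # At most 1000 imported routes per peer; routes beyond that are discarded
    # (action block).
    import limit 1000 action block;
  };
};

# Template for IPv6 BGP peers; same policy as v4peers on the ipv6 channel.
template bgp v6peers {
  local as OWNAS;
  ipv6 {
    # This line allows debugging of the filter rules: filtered routes can be
    # looked up in birdc using the "show route filtered" command.
    # NOTE(review): rejected routes are kept in memory for that purpose. As far
    # as the BIRD documentation describes it, "import limit" below counts only
    # accepted routes, while "receive limit" also counts the filtered ones.
    # Verify, and consider a receive limit so that a peer sending large numbers
    # of rejected routes is bounded as well.
    import keep filtered;
    import filter {
      # Accept every allowed subnet except our own advertised subnet.
      # Filtering is important, because some peers try to advertise routes
      # like 0.0.0.0.
      if is_valid_network() && !is_self_net() then {
        accept;
      }
      reject;
    };
    # Announce every route in the allowlist. There is no restriction to our own
    # prefixes, so routes learned from other peers are passed on as well.
    export filter {
      if is_valid_network() then {
        accept;
      }
      reject;
    };
    # At most 1000 imported routes per peer; routes beyond that are discarded
    # (action block).
    import limit 1000 action block;
  };
};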