# Interface scanner: keeps BIRD's view of local interfaces and addresses
# current, which the kernel protocols below rely on.
protocol device {
};
# True when the route's prefix lies within OWNNETS (our own advertised
# space; expected to be defined elsewhere in the configuration).
# Used by the peer import filters to drop announcements of our own
# prefixes coming back from a neighbour.
function is_self_net()
{
  if net ~ OWNNETS then return true;
  return false;
};
# True when the route's prefix lies inside one of the address ranges we
# are willing to carry. Only private/shared IPv4 space, ULA IPv6 and
# global-unicast IPv6 are allowed; anything else (0.0.0.0/0 and the like)
# is rejected by the callers.
#
# Note: the trailing "+" matches the listed prefix and every more-specific
# of it, down to host routes (/32, /128). If de-aggregation by peers should
# be bounded, a length range (BIRD syntax prefix{low,high}, e.g.
# 10.0.0.0/8{8,24} as an illustration) is the place to do it.
function is_valid_network()
{
  return net ~ [
    # IPv4
    10.0.0.0/8+,
    100.64.0.0/10+,
    172.16.0.0/12+,
    192.168.0.0/16+,
    # IPv6
    2000::/3+,
    fd00::/8+
  ];
};
# IPv4 kernel (FIB) synchronisation.
protocol kernel {
  ipv4 {
    # Never learn routes back from the kernel table.
    import none;
    export filter {
      # Static routes reach the kernel only when they were created by the
      # vpnras_v4 or hack_v4 protocols; any other static route stays out
      # of the FIB.
      if source = RTS_STATIC then {
        if proto != "vpnras_v4" && proto != "hack_v4" then reject;
      }
      # Pin the preferred source address for installed routes to OWNIP4
      # (defined elsewhere in the configuration).
      krt_prefsrc = OWNIP4;
      accept;
    };
  };
};
# IPv6 kernel (FIB) synchronisation; mirrors the IPv4 instance above.
protocol kernel {
  ipv6 {
    # Never learn routes back from the kernel table.
    import none;
    export filter {
      # Static routes are installed only when they belong to vpnras_v6 or
      # hack_v6; all other static routes are kept out of the FIB.
      if source = RTS_STATIC && !(proto = "vpnras_v6" || proto = "hack_v6") then reject;
      # Pin the preferred source address for installed routes to OWNIP6
      # (defined elsewhere in the configuration).
      krt_prefsrc = OWNIP6;
      accept;
    };
  };
};
# Shared settings for every IPv4 BGP neighbour. OWNAS is defined elsewhere
# in the configuration.
template bgp v4peers {
  local as OWNAS;
  ipv4 {
    # Bound the number of routes accepted from one peer; on overflow the
    # channel is blocked rather than the session torn down.
    # This limit is applied after the import filter, so routes rejected
    # below (and retained by "keep filtered") are not counted against it;
    # a separate "receive limit" would bound those too.
    import limit 1000 action block;
    # Retain rejected routes so they can be inspected with
    # "show route filtered" in birdc when debugging the filter.
    import keep filtered;
    import filter {
      # Only prefixes inside the allowed ranges are taken, and never our own
      # space: a peer must not be able to steer traffic for our prefixes.
      # Note that no AS-path checks are made here; a route is judged on its
      # prefix alone.
      if !is_valid_network() then reject;
      if is_self_net() then reject;
      accept;
    };
    export filter {
      # Announce only prefixes inside the allowed ranges.
      if !is_valid_network() then reject;
      accept;
    };
  };
};
# Shared settings for every IPv6 BGP neighbour; the filters are the same as
# in v4peers and should be kept in step with it. OWNAS is defined elsewhere
# in the configuration.
template bgp v6peers {
  local as OWNAS;
  ipv6 {
    # Bound the number of routes accepted from one peer; on overflow the
    # channel is blocked rather than the session torn down.
    # The limit is applied after the import filter, so routes rejected
    # below (and retained by "keep filtered") are not counted against it;
    # a separate "receive limit" would bound those too.
    import limit 1000 action block;
    # Retain rejected routes so they can be inspected with
    # "show route filtered" in birdc when debugging the filter.
    import keep filtered;
    import filter {
      # Accept prefixes inside the allowed ranges, but never our own space;
      # everything else (including announcements of ::/0) is dropped.
      # No AS-path checks are made here; a route is judged on its prefix
      # alone.
      if is_valid_network() && !is_self_net() then accept;
      else reject;
    };
    export filter {
      # Announce only prefixes inside the allowed ranges.
      if is_valid_network() then accept;
      else reject;
    };
  };
};