function is_valid_network4() -> bool{ return net ~ [ 172.20.0.0/14{21,29}, # dn42 172.20.0.0/24{28,32}, # dn42 Anycast 172.21.0.0/24{28,32}, # dn42 Anycast 172.22.0.0/24{28,32}, # dn42 Anycast 172.23.0.0/24{28,32}, # dn42 Anycast 172.31.0.0/16+, # ChaosVPN 10.100.0.0/14+, # ChaosVPN 10.127.0.0/16{16,32}, # neonetwork 10.0.0.0/8{15,24} # Freifunk.net ]; } function is_valid_network6() -> bool { return net ~ [ fd00::/8{44,64} ]; } function kernel_export() { krt_prefsrc = OWNIP; accept; } function reject_invalid_roa4() { if (roa_check(dnroa4, net, bgp_path.last) != ROA_VALID) then { print "Reject: ROA failed|", net, "|", bgp_path; reject; } } function reject_invalid_roa6() { if (roa_check(dnroa6, net, bgp_path.last) != ROA_VALID) then { print "Reject: ROA failed|", net, "|", bgp_path; reject; } } function reject_default_route4() { if (net = 0.0.0.0/0) then reject; } function reject_default_route6() { if (net = fd00::/8 || net = ::/0) then reject; } function reject_blacklisted() int set blacklist; { blacklist = ASN_BLACKLIST; if ( bgp_path ~ blacklist ) then { print "Reject: blacklisted ASN|", bgp_path; reject; } } function honor_graceful_shutdown() { if (65535, 0) ~ bgp_community then { bgp_local_pref = 0; } } function update_bgp_med(int link_latency; int link_bandwidth; int link_crypto) { bgp_med = 0; bgp_med = bgp_med + ( ( 4 - ( link_crypto - 30 ) ) * 600 ); bgp_med = bgp_med + ( ( 9 - ( link_bandwidth - 20 ) ) * 100); bgp_med = bgp_med + ( ( link_latency - 1) * 300); } function dn_import_filter4(int link_latency; int link_bandwidth; int link_crypto) { if ( net.type != NET_IP4 ) then { print "Reject: non-IPv4 on IPv4 Channel|", net, "|", bgp_path; reject; } if ( ! is_valid_network4() ) then { print "Reject: invalid network|", net, "|", bgp_path; reject; } if ( is_self_net4() ) then { print "Reject: export our network|", net, "|", bgp_path.first; reject; } if ( bgp_path.len > 25 ) then { print "Reject: AS path too long|", net, "|", bgp_path; reject; } reject_blacklisted(); reject_invalid_roa4(); reject_default_route4(); if (bgp_path.len = 1) then bgp_local_pref = bgp_local_pref + 500; update_flags(link_latency, link_bandwidth, link_crypto); accept; } function dn_import_filter6(int link_latency; int link_bandwidth; int link_crypto) { if ( net.type != NET_IP6 ) then { print "Reject: non-IPv6 on IPv6 Channel|", net, "|", bgp_path; reject; } if ( ! is_valid_network6() ) then { print "Reject: invalid network|", net, "|", bgp_path; reject; } if ( is_self_net6() ) then { print "Reject: export our network|", net, "|", bgp_path.first; reject; } if ( bgp_path.len > 25 ) then { print "Reject: AS path too long|", net, "|", bgp_path; reject; } reject_blacklisted(); reject_invalid_roa6(); reject_default_route6(); if (bgp_path.len = 1) then bgp_local_pref = bgp_local_pref + 500; update_flags(link_latency, link_bandwidth, link_crypto); accept; } function dn_export_filter4(int link_latency; int link_bandwidth; int link_crypto; bool transit) { if (source !~ [RTS_STATIC, RTS_BGP]) then reject; if (!transit && bgp_path.last != bgp_path.first) then reject; reject_default_route4(); update_flags(link_latency, link_bandwidth, link_crypto); update_region4(); update_bgp_med(link_latency, link_bandwidth, link_crypto); accept; } function dn_export_filter6(int link_latency; int link_bandwidth; int link_crypto; bool transit) { if (source !~ [RTS_STATIC, RTS_BGP]) then reject; if (!transit && bgp_path.last != bgp_path.first) then reject; reject_default_route6(); update_flags(link_latency, link_bandwidth, link_crypto); update_region6(); update_bgp_med(link_latency, link_bandwidth, link_crypto); accept; } function dn_export_collector4() { if (source !~ [RTS_STATIC, RTS_BGP] || !is_valid_network4()) then reject; update_region4(); accept; } function dn_export_collector6() { if (source !~ [RTS_STATIC, RTS_BGP] || !is_valid_network6()) then reject; update_region6(); accept; }