189 lines
4.4 KiB
Plaintext
189 lines
4.4 KiB
Plaintext
function is_valid_network4() -> bool{
|
|
return net ~ [
|
|
172.20.0.0/14{21,29}, # dn42
|
|
172.20.0.0/24{28,32}, # dn42 Anycast
|
|
172.21.0.0/24{28,32}, # dn42 Anycast
|
|
172.22.0.0/24{28,32}, # dn42 Anycast
|
|
172.23.0.0/24{28,32}, # dn42 Anycast
|
|
172.31.0.0/16+, # ChaosVPN
|
|
10.100.0.0/14+, # ChaosVPN
|
|
10.127.0.0/16{16,32}, # neonetwork
|
|
10.0.0.0/8{15,24} # Freifunk.net
|
|
];
|
|
}
|
|
|
|
function is_valid_network6() -> bool {
|
|
return net ~ [
|
|
fd00::/8{44,64}
|
|
];
|
|
}
|
|
|
|
function kernel_export() {
|
|
krt_prefsrc = OWNIP;
|
|
accept;
|
|
}
|
|
|
|
function reject_invalid_roa4() {
|
|
if (roa_check(dnroa4, net, bgp_path.last) != ROA_VALID) then {
|
|
print "Reject: ROA failed|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
}
|
|
|
|
function reject_invalid_roa6() {
|
|
if (roa_check(dnroa6, net, bgp_path.last) != ROA_VALID) then {
|
|
print "Reject: ROA failed|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
}
|
|
|
|
function reject_default_route4() {
|
|
if (net = 0.0.0.0/0) then
|
|
reject;
|
|
}
|
|
|
|
function reject_default_route6() {
|
|
if (net = fd00::/8 || net = ::/0) then
|
|
reject;
|
|
}
|
|
|
|
function reject_blacklisted()
|
|
int set blacklist;
|
|
{
|
|
blacklist = ASN_BLACKLIST;
|
|
|
|
if ( bgp_path ~ blacklist ) then {
|
|
print "Reject: blacklisted ASN|", bgp_path;
|
|
reject;
|
|
}
|
|
}
|
|
|
|
function honor_graceful_shutdown() {
|
|
if (65535, 0) ~ bgp_community then {
|
|
bgp_local_pref = 0;
|
|
}
|
|
}
|
|
|
|
function update_bgp_med(int link_latency; int link_bandwidth; int link_crypto) {
|
|
bgp_med = 0;
|
|
bgp_med = bgp_med + ( ( 4 - ( link_crypto - 30 ) ) * 600 );
|
|
bgp_med = bgp_med + ( ( 9 - ( link_bandwidth - 20 ) ) * 100);
|
|
bgp_med = bgp_med + ( ( link_latency - 1) * 300);
|
|
}
|
|
|
|
function dn_import_filter4(int link_latency; int link_bandwidth; int link_crypto) {
|
|
if ( net.type != NET_IP4 ) then {
|
|
print "Reject: non-IPv4 on IPv4 Channel|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
if ( ! is_valid_network4() ) then {
|
|
print "Reject: invalid network|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
if ( is_self_net4() ) then {
|
|
print "Reject: export our network|", net, "|", bgp_path.first;
|
|
reject;
|
|
}
|
|
|
|
if ( bgp_path.len > 25 ) then {
|
|
print "Reject: AS path too long|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
reject_blacklisted();
|
|
reject_invalid_roa4();
|
|
reject_default_route4();
|
|
|
|
if (bgp_path.len = 1) then
|
|
bgp_local_pref = bgp_local_pref + 500;
|
|
|
|
update_flags(link_latency, link_bandwidth, link_crypto);
|
|
|
|
accept;
|
|
}
|
|
|
|
function dn_import_filter6(int link_latency; int link_bandwidth; int link_crypto) {
|
|
if ( net.type != NET_IP6 ) then {
|
|
print "Reject: non-IPv6 on IPv6 Channel|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
if ( ! is_valid_network6() ) then {
|
|
print "Reject: invalid network|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
if ( is_self_net6() ) then {
|
|
print "Reject: export our network|", net, "|", bgp_path.first;
|
|
reject;
|
|
}
|
|
|
|
if ( bgp_path.len > 25 ) then {
|
|
print "Reject: AS path too long|", net, "|", bgp_path;
|
|
reject;
|
|
}
|
|
|
|
reject_blacklisted();
|
|
reject_invalid_roa6();
|
|
reject_default_route6();
|
|
|
|
if (bgp_path.len = 1) then
|
|
bgp_local_pref = bgp_local_pref + 500;
|
|
|
|
update_flags(link_latency, link_bandwidth, link_crypto);
|
|
|
|
accept;
|
|
}
|
|
|
|
function dn_export_filter4(int link_latency; int link_bandwidth; int link_crypto; bool transit) {
|
|
if (source !~ [RTS_STATIC, RTS_BGP]) then
|
|
reject;
|
|
|
|
if (!transit && bgp_path.last != bgp_path.first) then
|
|
reject;
|
|
|
|
reject_default_route4();
|
|
|
|
update_flags(link_latency, link_bandwidth, link_crypto);
|
|
update_region4();
|
|
|
|
update_bgp_med(link_latency, link_bandwidth, link_crypto);
|
|
|
|
accept;
|
|
}
|
|
|
|
function dn_export_filter6(int link_latency; int link_bandwidth; int link_crypto; bool transit) {
|
|
if (source !~ [RTS_STATIC, RTS_BGP]) then
|
|
reject;
|
|
|
|
if (!transit && bgp_path.last != bgp_path.first) then
|
|
reject;
|
|
|
|
reject_default_route6();
|
|
|
|
update_flags(link_latency, link_bandwidth, link_crypto);
|
|
update_region6();
|
|
|
|
update_bgp_med(link_latency, link_bandwidth, link_crypto);
|
|
|
|
accept;
|
|
}
|
|
|
|
function dn_export_collector4() {
|
|
if (source !~ [RTS_STATIC, RTS_BGP] || !is_valid_network4()) then
|
|
reject;
|
|
|
|
update_region4();
|
|
accept;
|
|
}
|
|
|
|
function dn_export_collector6() {
|
|
if (source !~ [RTS_STATIC, RTS_BGP] || !is_valid_network6()) then
|
|
reject;
|
|
|
|
update_region6();
|
|
accept;
|
|
}
|