diff --git a/nix/nixos-module/container/bird.nix b/nix/nixos-module/container/bird.nix index 528a62b..5d7f328 100644 --- a/nix/nixos-module/container/bird.nix +++ b/nix/nixos-module/container/bird.nix @@ -44,7 +44,19 @@ in '' else '' export all; - ''} + import filter { + ${lib.concatMapStrings (net: + lib.optionalString ( + config.site.net.${net}.subnet4 or null != null + ) '' + if net ~ [ ${config.site.net.${net}.subnet4} ] then { + # Learn route of local network ${net} + accept; + } + '') (builtins.attrNames hostConf.interfaces)} + ''} + reject; + }; }; } protocol kernel K6 { @@ -59,6 +71,18 @@ in '' else '' export all; + import filter { + ${lib.concatMapStrings (net: + lib.optionalString ( + config.site.net.${net}.subnet4 or null != null + ) '' + if net ~ [ ${config.site.net.${net}.subnet4} ] then { + # Learn route of local network ${net} + accept; + } + '') (builtins.attrNames hostConf.interfaces)} + reject; + }; ''} }; } @@ -138,9 +162,7 @@ in ${builtins.concatStringsSep "\n" ( builtins.attrValues ( builtins.mapAttrs (net: _: - # Enable OSPF only on networks with a secret. Others - # are treated as a stubnet whose routes to - # advertise. + # Enable OSPF only on networks with a secret. if config.site.net ? "${net}" && config.site.net.${net}.ospf.secret != null then '' interface "${net}" { @@ -151,11 +173,6 @@ in password "${config.site.net.${net}.ospf.secret}"; }; '' - else if config.site.net ? "${net}" && config.site.net.${net}.subnet4 != null - then '' - # Advertise route of network ${net} - stubnet ${config.site.net.${net}.subnet4} {}; - '' else "" ) hostConf.interfaces ) @@ -255,9 +272,7 @@ in ${builtins.concatStringsSep "\n" ( builtins.attrValues ( builtins.mapAttrs (net: _: - # Enable OSPF only on networks with a secret. Others - # are treated as a stubnet whose routes to - # advertise. + # Enable OSPF only on networks with a secret. if config.site.net.${net}.ospf.secret != null then '' interface "${net}" { 
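Review bot: In the first hunk (the kernel protocol just before `protocol kernel K6`), the closing `''}` sits before `reject;` and `};`, while the K6 copy of the same filter in the next hunk puts it after them. As written, `reject; };` falls outside the `else ''` string, so it is emitted for the `then` branch as well, and the default-reject that makes this filter an allowlist is no longer part of the text that opens the filter. Moving `''}` to directly after the filter's closing `};` would match the K6 hunk and keep the whole `import filter { … reject; };` inside the else branch. The `then` branch and the start of the protocol block are outside the hunk, so the effect on the generated bird configuration there is inferred.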
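Review bot: The import filter added in the second hunk, apparently inside `protocol kernel K6`, builds its prefix list from `config.site.net.${net}.subnet4`, so IPv4 prefixes are matched against what looks like the IPv6 kernel channel. The last hunk of this commit removes the `stubnet` lines generated from `subnets6`, so the local IPv6 networks are presumably meant to be learned through this filter instead. With `subnet4` it would either never match or fail the type check; which of the two cannot be verified from here. Iterating over `subnets6` as sketched below keeps the default `reject;` allowlist while accepting the declared IPv6 prefixes. The protocol block starts and ends outside the hunk.

```nix
import filter {
  ${lib.concatMapStrings (net:
    # one accept rule per IPv6 prefix declared for this network
    lib.concatMapStrings (subnet6: ''
      if net ~ [ ${subnet6} ] then {
        # Learn route of local network ${net}
        accept;
      }
    '') (builtins.attrValues (config.site.net.${net}.subnets6 or {}))
  ) (builtins.attrNames hostConf.interfaces)}
  # … unchanged: reject; and the closing of the filter …
```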
@@ -268,12 +283,7 @@ in password "${config.site.net.${net}.ospf.secret}"; }; '' - else builtins.concatStringsSep "\n" ( - map (subnet6: '' - # Advertise route of network ${net} - stubnet ${subnet6} {}; - '') (builtins.attrValues config.site.net.${net}.subnets6) - ) + else "" ) hostConf.physicalInterfaces ) )}