Update bird/bird.conf.tmpl

bird/bird.conf.tmpl

@@ -4,13 +4,14 @@
 # this configuration file that should be persisted should be committed to Git.
 # For BIRD 2.0 configuration reference, see:
 #   https://bird.network.cz/?get_doc&f=bird.html&v=20
-
+# For a great example configuration file, see:
+#   https://fossies.org/linux/bird/doc/bird.conf.example
 
 # Global variables
-# https://bird.network.cz/?get_doc&v=20&f=bird-3.html#ss3.2
+# See: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#ss3.2
 
-log stderr all;         # Using docker; defer logging to stderr
+log stderr all;         # Using docker; defer logging to stderr (to Docker logs)
-debug protocols all;    # Enable debugging
+debug protocols all;    # Enable debugging (this should be switched off in prod)
 router id ${address};
 
 # Device
@@ -43,12 +44,54 @@ protocol kernel {               # Primary routing table
     };
 }
 
+# Filters
+# Define a series of filters for Lixonet routing policies:
+#  - Cannot advertise a route which is in the router subnet: typically 172.x.0.0/24
+# See: https://gitlab.labs.nic.cz/labs/bird/wikis/BGP_filtering
+
+# Returns TRUE if the given tested network is within the global network prefix for
+# Lixonet.  Used to filter networks outside of this range as they are not within
+# the global mesh network.
+function net_lixonet_global()
+{
+    return net ~ [ ${address:-172.30.0.0}/${global_prefix:16} ];
+}
+
+# Returns TRUE if the given tested network is within the router network prefix for
+# Lixonet.  Used to filter these routes from BGP as Tinc statically assigns them
+# for us.  Helps prevent a security vulnerability of hijacking another router.
+function net_lixonet_router()
+{
+    return net ~ [ ${address:-172.30.0.0}/${router_prefix:16} ];
+}
+
+filter lixonet_import
+{
+    # TODO: check RPKI here!
+    if net_lixonet_router() then reject; # Reject poisons
+    if net_lixonet_global() then accept; # Accept anything else
+    reject; # Reject anything else (non-Lixonet)
+}
+
+filter lixonet_export
+{
+    if net_lixonet_global() then accept; # Accept anything in LXN
+    reject; # Reject anything else (non-Lixonet)
+}
+
 # BGP (primary Lixonet routing protocol)
-# Define a template to use when connecting to other BGP clients on the EE network
+# This is a template to use when connecting to other BGP clients on the EE network
+# This template is applied to ALL neighbors, so consider these global settings that
+# apply to all neighbors.  See "Neighbors" section of this configuration for
+# individual neighbor configurations where per-neighbor configurations (such as their
+# ASN) are applied.
 template bgp lixonet_client {
-    local as ${asn};                # Local AS advertised to peers, read from lixonet.conf.
+    local as ${asn};                # Local AS advertised to peers, read from lixonet.conf
-    source address ${address};      # What local address we use for the TCP connection
+
-    path metric 1;		            # Prefer routes with shorter paths (like Cisco does)
+    source address ${address};      # What local IP address we use for any outbound TCP
+                                    #  connections on port 179
+
+    path metric 1;		            # 1 = Prefer routes with shorter paths (like Cisco does)
 
     # BGP channels
     # See: Channel configuration (BIRD BGP configuration) and the table shown there.
@@ -68,6 +111,10 @@ template bgp lixonet_client {
         # Thank-you, BIRD <3 - mane and nurd
         aigp originate;
     };
+
+    # Set filters for both exported (sent) and imported (received) BGP prefixes.
+    export lixonet_export;
+    import lixonet_import;
 };
 
 # Neighbors