diff --git a/bird/bird.conf.tmpl b/bird/bird.conf.tmpl
index 11a5a68..f988f41 100644
--- a/bird/bird.conf.tmpl
+++ b/bird/bird.conf.tmpl
@@ -59,8 +59,8 @@ protocol kernel { # Primary routing table
 scan time 10; # Scan kernel routing table every 10 seconds
 ipv4 {
 table lixonet;
- import none; # Don't try to import any routes from the kernel
- export all; # Export everything we are told to the kernel
+ import none; # Don't try to import any routes from the kernel
+ export filter kernel_export_filter; # Export everything we are told to the kernel
 };
 };
 
@@ -86,10 +86,33 @@ function is_lixonet_router()
 return net ~ [ ${network_address}/${router_prefix:-24}+ ];
 }
 
-filter lixonet_route_filter
+function is_own_route()
+{
+ return net ~ [
+ {{ if len "${routes:-}" }}{{ range "$routes" | split "," }}{{.}}+;{{ end }}{{ end }}
+ ];
+}
+
+filter bgp_import_filter
 { # TODO: check RPKI here!
+ if source ~ [RTS_STATIC] then reject; # Reject our own routes
 if is_lixonet_router() then reject; # Reject poisons
+ if is_own_route() then reject; # Reject poisons
+ if is_lixonet_global() then accept; # Accept anything else
+ reject; # Reject anything else (non-Lixonet)
+}
+
+filter bgp_export_filter
+{
+ if is_lixonet_router() then reject; # Reject poisons
+ if is_lixonet_global() then accept; # Accept anything else
+ reject; # Reject anything else (non-Lixonet)
+}
+
+filter kernel_export_filter
+{
+ if is_own_route() then reject; # Reject poisons
 if is_lixonet_global() then accept; # Accept anything else
 reject; # Reject anything else (non-Lixonet)
 }
 
@@ -131,8 +154,8 @@ template bgp lixonet_client {
 # Set filters for both exported (sent) and imported (received) BGP prefixes.
 # This is explicitly required per RFC 8212, at least on export.
 # See: https://gitlab.labs.nic.cz/labs/bird/commit/3831b619661d08d935fd78656732cd2f339ff811
- export filter lixonet_route_filter;
- import filter lixonet_route_filter;
+ export filter bgp_export_filter;
+ import filter bgp_import_filter;
 };
 };
 
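Review bot: The comment kept on the new `export filter kernel_export_filter;` line, "Export everything we are told to the kernel", is now wrong: the filter it names (added further down in this diff) rejects prefixes matched by is_own_route() and anything not matched by is_lixonet_global(), so the kernel no longer receives everything. A reader checking why a locally originated prefix is missing from the kernel table will be misled by it. Suggest `export filter kernel_export_filter; # Push Lixonet routes to the kernel; our own prefixes and non-Lixonet space are filtered out`. The enclosing `protocol kernel` block begins before this hunk.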
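Review bot: The prefix set that `is_own_route()` builds from `$routes` joins its entries with `;` and leaves a trailing `;` (`{{.}}+;`), and collapses to an empty `[ ]` when `routes` is unset; BIRD's set literals are comma-separated and, as far as I can tell, do not accept an empty set, so either shape is likely to fail at config load rather than degrade safely. That matters because this function is what stops a peer from announcing our own prefixes (or more-specifics of them) back at us in `bgp_import_filter`: a load failure takes the whole daemon down, and a silently empty set would leave that hijack check toothless, so the template should emit commas and return `false` explicitly when there are no routes, as sketched below (assuming the template engine is Go-template compatible, which the existing `range`/`split` usage suggests). Separately, `if source ~ [RTS_STATIC] then reject;` in `bgp_import_filter` can never match on import, since every route arriving from a BGP peer carries source RTS_BGP, so the "Reject our own routes" job rests entirely on `is_own_route()` and the comment should say so. The `# TODO: check RPKI here!` carried over from the old filter is still unaddressed.
```bird
function is_own_route()
{
{{ if len "${routes:-}" }}
    return net ~ [ {{ range $i, $r := "$routes" | split "," }}{{ if $i }}, {{ end }}{{ $r }}+{{ end }} ];
{{ else }}
    return false; # No own prefixes configured: never matches
{{ end }}
}
```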