lixonet-ee/bird/bird.conf.tmpl

# Lixonet BIRD configuration
# This is a templated file that automatically generates values at configuration time
# If you edit this file, it will be overwritten. Changes to the general structure of
# this configuration that should persist must be committed to Git.
# For BIRD 2.0 configuration reference, see:
# https://bird.network.cz/?get_doc&f=bird.html&v=20
# For a great example configuration file, see:
# https://fossies.org/linux/bird/doc/bird.conf.example
# Global variables
# See: https://bird.network.cz/?get_doc&v=20&f=bird-3.html#ss3.2
log stderr all; # Using docker; defer logging to stderr (to Docker logs)
# Enable debugging (this should be switched off in prod).
# NOTE(review): "debug protocols all" logs every protocol event and route exchange
# into the container logs; besides the noise it exposes peer and route detail to
# anyone who can read those logs — confirm it is disabled in production builds.
debug protocols all;
router id ${address}; # Router ID is templated from the "address" value in lixonet.conf
# Custom routing tables
# See: https://bird.network.cz/?get_doc&v=20&f=bird-2.html (recommended reading; BIRD is neat)
# All Lixonet protocols below attach to this table instead of the default "master4".
ipv4 table lixonet;
# Filters
# Define a series of filters for Lixonet routing policies:
# - Cannot advertise a route which is in the router subnet: typically 172.x.0.0/24
# See: https://gitlab.labs.nic.cz/labs/bird/wikis/BGP_filtering
# For syntax docs, see: https://bird.network.cz/?get_doc&v=16&f=bird-5.html
# Returns TRUE if the given tested network is within the global network prefix for
# Lixonet. Used to filter networks outside of this range as they are not within
# the global mesh network.
# Inputs: ${network_address} (base of the mesh range) and ${global_prefix} (default 16),
# both templated from lixonet.conf. The trailing "+" matches the prefix itself and
# every more-specific prefix below it, with no lower bound on prefix length.
# NOTE(review): because any more-specific (down to a host route) passes this test, a
# peer can announce prefixes more specific than another router's; BIRD's
# prefix{low,high} form can bound how specific an accepted prefix may be — TODO decide.
# NOTE(review): ${network_address} presumably has to be the aligned base address of
# the range, otherwise the prefix set will not parse — verify against lixonet.conf.
function is_lixonet_global()
{
return net ~ [ ${network_address}/${global_prefix:-16}+ ];
}
# Returns TRUE if the given tested network is within the router network prefix for
# Lixonet (${network_address}/${router_prefix}, default /24, or any more-specific of
# it). Used to filter these routes from BGP as Tinc statically assigns them for us.
# Helps prevent a security vulnerability of hijacking another router: a peer that
# announced a router address (or a more-specific covering one) would otherwise be
# able to pull that router's traffic towards itself.
function is_lixonet_router()
{
return net ~ [ ${network_address}/${router_prefix:-24}+ ];
}
# Returns TRUE if the tested network is one of this router's own announced prefixes
# (the comma-separated "routes" value from lixonet.conf) or a more-specific of one
# ("+"). Used to drop such prefixes when they arrive from a BGP neighbor and to keep
# them out of the kernel table.
# Template note: one "if ... then return true;" is generated per route; when "routes"
# is empty the function body is just "return false;".
function is_own_route()
{
{{ if len "${routes:-}" }}{{ range "$routes" | split "," }}if net ~ [ {{.}}+ ] then return true;{{ end }}
{{ end }}
return false;
}
# Import policy applied to every prefix received from a BGP neighbor (attached in the
# lixonet_client template). Evaluated top to bottom; the first accept/reject wins.
filter bgp_import_filter
{
# TODO: check RPKI here! Without origin validation any peer can announce any prefix
# inside the global range (more-specifics included, see is_lixonet_global), so the
# checks below only protect this router's own prefixes and the router subnet.
# NOTE(review): on a BGP import the route source is the receiving BGP protocol, so
# this RTS_STATIC test presumably never matches here; our own static routes are
# caught by is_own_route() below — confirm before removing.
if source ~ [RTS_STATIC] then reject; # Reject our own routes
if is_lixonet_router() then reject; # Reject poisons: router subnet is assigned by Tinc, never learned via BGP
if is_own_route() then reject; # Reject poisons: nobody else may originate (or de-aggregate) our prefixes
if is_lixonet_global() then accept; # Accept anything else inside the Lixonet global range
reject; # Reject anything else (non-Lixonet)
}
# Export policy applied to every prefix sent to a BGP neighbor (attached in the
# lixonet_client template). Our own static routes are deliberately NOT rejected here:
# advertising them is the whole point of the static protocol below.
filter bgp_export_filter
{
if is_lixonet_router() then reject; # Reject poisons: never advertise the Tinc-managed router subnet
if is_lixonet_global() then accept; # Accept anything else inside the Lixonet global range
reject; # Reject anything else (non-Lixonet)
}
# Export policy for routes pushed from the "lixonet" table into the kernel.
# Our own prefixes live in the table as "reject" routes (see protocol static); keeping
# them out of the kernel presumably avoids blackholing local traffic for those
# prefixes — confirm against how Tinc/the host delivers them.
filter kernel_export_filter
{
if is_own_route() then reject; # Reject poisons: own prefixes are never installed in the kernel
if is_lixonet_global() then accept; # Accept anything else inside the Lixonet global range
reject; # Reject anything else (non-Lixonet)
}
# Static routes
# Define propagated routes here from the lixonet.conf "routes" variable
# Attached to the above "lixonet" routing table; "provide" these routes into it
# See how dn42 does it; we're very similar: https://dn42.net/howto/Bird
protocol static {
ipv4 {
table lixonet;
import all; # Every static route defined below enters the lixonet table
export none; # A static protocol never receives routes from the table
};
# Announced networks
# One "route <prefix> reject;" per comma-separated entry in "routes"; nothing is
# generated when "routes" is empty. These are "reject" (unreachable) routes: they
# exist to be advertised to BGP peers, and kernel_export_filter keeps them out of
# the kernel table.
{{ if len "${routes:-}" }}{{ range "$routes" | split "," }}route {{.}} reject;{{ end }}{{ end }}
};
# Device
# See: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.4
# This controls which interfaces BIRD scans for addresses and link state; only the
# "lixonet" interface is watched, and ${address} is its preferred address.
# NOTE(review): the original comment claimed this stops BGP listening on eth0; the
# device protocol only restricts interface scanning, and which addresses BGP listens
# on is governed by the BGP protocol's own local/source address settings — confirm
# that BGP is not reachable off-mesh before relying on this.
protocol device {
scan time 10; # Scan the interfaces often
interface "lixonet" {
preferred ${address};
};
};
# Direct (unnecessary for Lixonet)
# See: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.5
# Disable automatically generating direct routes to all network interfaces.
# Kept in the config (rather than omitted) so the decision is explicit and visible.
protocol direct {
disabled; # Disable by default
};
# Kernel routing table
# See: https://bird.network.cz/?get_doc&v=20&f=bird.html#toc6.6
# Syncs the "lixonet" table into the kernel. The channel is one-way (export only).
protocol kernel { # Primary routing table
# NOTE(review): "learn" only has an effect when the channel imports from the kernel;
# with "import none" below it appears to be a no-op — confirm whether alien routes
# are actually wanted before keeping it.
learn; # Learn alien routes from the kernel
persist; # Don't remove routes on bird shutdown
scan time 10; # Scan kernel routing table every 10 seconds
ipv4 {
table lixonet;
import none; # Don't try to import any routes from the kernel
export filter kernel_export_filter; # Install only routes that pass kernel_export_filter (not everything)
};
};
# BGP (primary Lixonet routing protocol)
# This is a template to use when connecting to other BGP clients on the EE network
# This template is applied to ALL neighbors, so consider these global settings that
# apply to all neighbors. See "Neighbors" section of this configuration for
# individual neighbor configurations where per-neighbor configurations (such as their
# ASN) are applied.
# NOTE(review): the template configures no session authentication (BIRD's "password"
# option for TCP-MD5) and no "ttl security"; if peers are only reachable inside the
# Tinc tunnel that may be acceptable, but anything that can reach port 179 on
# ${address} can attempt a session — confirm the reachability assumption.
template bgp lixonet_client {
local as ${asn}; # Local AS advertised to peers, read from lixonet.conf
source address ${address}; # What local IP address we use for any outbound TCP
# connections on port 179
path metric ${bgp_path_metric:-1}; # 1 = Prefer routes with shorter paths (like Cisco does)
# BGP channels
# See: Channel configuration (BIRD BGP configuration) and the table shown there.
# BGP IPv4 channel settings
ipv4 {
table lixonet;
# Always advertise our own local address as a next hop, even in cases where the
# current Next Hop attribute should be used unchanged.
# Reason: tinc NEEDS this, otherwise Layer3 inter-routing on the mesh will be broken
next hop self ebgp;
# aigp (see: http://www.rfc-editor.org/info/rfc7311)
# Lixonet default: originate AIGP (overridable via "bgp_aigp" in lixonet.conf)
# This not only allows AIGP attribute propagation, but also new AIGP attributes are
# automatically attached to non-BGP routes with valid IGP metric (e.g. ospf_metric1)
# as they are exported to the BGP session.
# Thank-you, BIRD <3 - mane and nurd
aigp ${bgp_aigp:-originate};
# Set filters for both exported (sent) and imported (received) BGP prefixes.
# This is explicitly required per RFC 8212, at least on export.
# See: https://gitlab.labs.nic.cz/labs/bird/commit/3831b619661d08d935fd78656732cd2f339ff811
# Both filters are defined in the "Filters" section above; the import side carries
# the open RPKI TODO.
export filter bgp_export_filter;
import filter bgp_import_filter;
};
};
# Neighbors
# One "protocol bgp <name> from lixonet_client" stanza is generated per file in
# bird/neighbors, skipping the file named after this router (${name}) so we never
# peer with ourselves. Each neighbor file's content is spliced verbatim into the
# protocol body, so those files are trusted configuration (presumably at least the
# "neighbor ... as ..." line — verify against the files in bird/neighbors).
{{ range files "bird/neighbors" }} {{ if ne . "${name}" }}
protocol bgp {{ . }} from lixonet_client {
description "Lixonet BGP link from ${address} (ASN: ${asn}) to {{ . }}";
{{ file (print "bird/neighbors/" .) }}
}; {{ end }} {{ end }}