From 8c8d48733f739535c110f7c9d9acf74d36565aea Mon Sep 17 00:00:00 2001
From: graffen
Date: Sun, 11 Nov 2018 19:23:42 +0000
Subject: [PATCH] Got ROA filtering etc. under control
---
 bgp4.conf | 11 ++++++-----
 bgp6.conf | 15 ++++++++-------
 bird.conf | 5 +++++
 bird6.conf | 5 +++++
 community_filters.conf | 5 +++++
 filter4.conf | 20 --------------------
 filter6.conf | 7 +++++--
 7 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/bgp4.conf b/bgp4.conf
index 3d9a9d8..2292c84 100644
--- a/bgp4.conf
+++ b/bgp4.conf
@@ -3,12 +3,13 @@ template bgp dn42peer {
 table T_BGP;
 path metric 1;
 import keep filtered;
- import where dn42peer_import_policy();
+ import filter {
+ print "WARNING!! no community import filter set, all routes will be rejected";
+ reject;
+ };
 export filter {
- if is_valid_network() then {
- accept;
- }
- reject;
+ print "WARNING!! no community import filter set, all routes will be rejected";
+ reject;
 };
 };
diff --git a/bgp6.conf b/bgp6.conf
index 6b1c498..b9fc502 100644
--- a/bgp6.conf
+++ b/bgp6.conf
@@ -3,13 +3,14 @@ template bgp dn42peer {
 table T_BGP;
 path metric 1;
 import keep filtered on;
- import where dn42peer_import_policy();
- export filter {
- if is_valid_network() then {
- accept;
- }
- reject;
- };
+ import filter {
+ print "WARNING!! no community import filter set, all routes will be rejected";
+ reject;
+ };
+ export filter {
+ print "WARNING!! no community import filter set, all routes will be rejected";
+ reject;
+ };
 };
 template bgp ibgppeer {
diff --git a/bird.conf b/bird.conf
index 5c5c5e3..b2c3f67 100644
--- a/bird.conf
+++ b/bird.conf
@@ -1,5 +1,10 @@
 log "/var/log/bird.log" { debug, trace, info, remote, warning, error, auth, fatal, bug };
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
 table T_BGP;
 table T_OSPF;
diff --git a/bird6.conf b/bird6.conf
index b394f41..995fcfa 100644
--- a/bird6.conf
+++ b/bird6.conf
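Review bot: The export filter in template dn42peer (bgp4.conf) prints the same text as the import filter, `no community import filter set`, so a log reader cannot tell which direction was left unconfigured; the export side should read `print "WARNING!! no community export filter set, all routes will be rejected";`. Both filters call print on every route they evaluate, so a peer that inherits the template without overriding them can fill /var/log/bird.log with one warning per route; the `reject` alone already keeps the default fail-closed, and a comment on the template would document the intent. The dn42peer template in bgp6.conf has the same two issues. With `import keep filtered` still set, the routes rejected by this default presumably stay in memory as filtered routes, which is worth confirming is intended.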
@@ -1,5 +1,10 @@
 log "/var/log/bird6.log" { debug, trace, info, remote, warning, error, auth, fatal, bug };
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
 table T_BGP;
 table T_OSPF;
diff --git a/community_filters.conf b/community_filters.conf
index 8594aa7..c86ed11 100644
--- a/community_filters.conf
+++ b/community_filters.conf
@@ -50,6 +50,11 @@ int dn42_crypto;
 # which means, these must included before this file
 function dn42_import_filter(int link_latency; int link_bandwidth; int link_crypto) {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
 if is_valid_network() && !is_self_net() then {
 update_flags(link_latency, link_bandwidth, link_crypto);
 accept;
diff --git a/filter4.conf b/filter4.conf
index 1ce7a1d..86be2c8 100644
--- a/filter4.conf
+++ b/filter4.conf
@@ -18,23 +18,3 @@ function is_valid_network() {
 roa table dn42_roa {
 include "/var/lib/bird/bird_roa_dn42.conf";
 };
-
-function check_roa() {
- if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
- print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
- return false;
- }
- return true;
-}
-
-function import_filter_networks() {
- if is_valid_network() && !is_self_net() then {
- return true;
- }
- return false;
-}
-
-function dn42peer_import_policy() {
- if(!check_roa()) then return false;
- if(!import_filter_networks()) then return false;
-}
\ No newline at end of file
diff --git a/filter6.conf b/filter6.conf
index 1630403..a6dbaf8 100644
--- a/filter6.conf
+++ b/filter6.conf
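Review bot: The new guard at the top of dn42_import_filter (community_filters.conf) rejects only `ROA_INVALID`, so a prefix with no covering ROA still falls through to the is_valid_network() branch and can be accepted. If the included /var/lib/bird/bird_roa_dn42.conf is ever empty or stale, every route would presumably evaluate as unknown and origin validation would pass silently. If the check is meant to be strict, compare against the valid state instead, `if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {`, and add a comment stating which of the two policies is intended. The function body continues past the end of the hunk.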
@@ -28,6 +28,9 @@ function import_filter_networks() {
 }
 function dn42peer_import_policy() {
- if(!check_roa()) then return false;
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
 if(!import_filter_networks()) then return false;
-}
\ No newline at end of file
+}
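Review bot: dn42peer_import_policy() in filter6.conf now signals failure in two different ways: the ROA branch calls `reject` while the network check still does `return false`, and no path returns true, so a route that passes both checks leaves the function without a value. Either add `return true;` before the closing brace or make both branches reject and let the caller accept. The bgp6.conf hunk in this commit removes the only visible `import where dn42peer_import_policy();` call and filter4.conf drops the function entirely, so this copy may be dead code; if so, deleting it (together with check_roa(), if that is still defined in this file) would keep the IPv4 and IPv6 filters aligned.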