From b52a90d7bd8ee7813af964333bc3aac8a73cc69f Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 8 Sep 2018 08:23:51 +0000
Subject: [PATCH] initial commit

---
 bird.conf | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 bird6.conf | 57 +++++++++++++++++++++++++++++++++
 envvars | 3 ++
 local4.conf | 21 +++++++++++++
 local6.conf | 14 +++++++++
 peers4/filip | 3 ++
 peers6/filip | 3 ++
 7 files changed, 190 insertions(+)
 create mode 100644 bird.conf
 create mode 100644 bird6.conf
 create mode 100644 envvars
 create mode 100644 local4.conf
 create mode 100644 local6.conf
 create mode 100644 peers4/filip
 create mode 100644 peers6/filip

diff --git a/bird.conf b/bird.conf
new file mode 100644
index 0000000..b454ed7
--- /dev/null
+++ b/bird.conf
@@ -0,0 +1,89 @@
+protocol device {
+ scan time 10;
+}
+
+protocol static {
+ route 172.20.170.192/28 reject;
+ import all;
+ export none;
+}
+
+include "/etc/bird/local4.conf";
+
+# filter helpers
+#################
+
+##include "/etc/bird/filter4.conf";
+
+protocol kernel {
+ scan time 20;
+ metric 64; # Use explicit kernel route metric to avoid collisions
+ # with non-BIRD routes in the kernel routing table
+ import none;
+ #export all; # Actually insert routes into the kernel routing table
+ export filter {
+ if source = RTS_STATIC then reject;
+ krt_prefsrc = OWNIP;
+ accept;
+ };
+}
+
+filter filter_OSPF {
+ if net = 172.20.170.192/28 then accept;
+ else reject;
+};
+
+protocol ospf {
+ import all;
+ export all;
+
+ area 0 {
+ interface "wg-ospf-triton" {
+ cost 10;
+ type pointopoint;
+ hello 5; retransmit 2; wait 10; dead 20;
+ authentication cryptographic; password "R5fg2d66hTuP";
+ };
+
+ interface "wg-ospf-mail" {
+ cost 10;
+ type pointopoint;
+ hello 5; retransmit 2; wait 10; dead 20;
+ authentication cryptographic; password "R5fg2d66hTuP";
+ };
+
+ interface "lo" {
+ stub;
+ };
+ };
+}
+
+template bgp dnpeers {
+ local as OWNAS;
+ # metric is the number of hops between us and the peer
+ path metric 1;
+ # this lines allows debugging filter rules
+ # filtered routes can be looked up in birdc using the "show route filtered" command
+ import keep filtered;
+ import filter {
+ # accept every subnet, except our own advertised subnet
+ # filtering is important, because some guys try to advertise routes like 0.0.0.0
+ if is_valid_network() && !is_self_net() then {
+ accept;
+ }
+ reject;
+ };
+
+ export filter {
+ # here we export the whole net
+ if is_valid_network() then {
+ accept;
+ }
+ reject;
+ };
+
+ import limit 1000 action block;
+ #source address 172.20.170.192;
+};
+
+include "/etc/bird/peers4/*";
diff --git a/bird6.conf b/bird6.conf
new file mode 100644
index 0000000..667971a
--- /dev/null
+++ b/bird6.conf
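Review bot: The OSPF interface blocks for "wg-ospf-triton" and "wg-ospf-mail" carry the shared secret `password "R5fg2d66hTuP"` as a literal (the same key on both links), so the key now sits in the repository history of a file committed as root; it should be treated as exposed and rotated, and the replacement kept out of version control, for example by moving the two `authentication cryptographic; password "…";` lines into a root-only file pulled in with `include`, the same mechanism bird.conf already uses for local4.conf and peers4/*. Separately, `filter filter_OSPF` (accept only 172.20.170.192/28) is defined but never referenced: `protocol ospf` uses `import all; export all;`, so every BGP-learned dn42 route is re-exported into OSPF; if the filter was meant to apply, the line should read `export filter filter_OSPF;`, otherwise the dead filter should be dropped or a comment should say why it is kept. The bgp template's import filter checks only prefix validity and is_self_net(); a one-line comment stating that no origin-AS or ROA validation is performed would make the trust boundary explicit, and `import keep filtered` already makes any such rejections inspectable in birdc.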
@@ -0,0 +1,57 @@
+protocol device {
+ scan time 10;
+}
+
+# local configuration
+######################
+
+include "/etc/bird/local6.conf";
+
+# filter helpers
+#################
+
+##include "/etc/bird/filter6.conf";
+
+protocol kernel {
+ metric 64; # Use explicit kernel route metric to avoid collisions
+ # with non-BIRD routes in the kernel routing table
+ scan time 20;
+ import none;
+# export all; # Actually insert routes into the kernel routing table
+ export filter {
+ if source = RTS_STATIC then reject;
+ krt_prefsrc = OWNIP;
+ accept;
+ };
+}
+
+# static routes
+################
+
+protocol static {
+ route fd62:77fb:94bf::/48 reject;
+ import all;
+ export none;
+}
+
+template bgp dnpeers {
+ local as 4242423934;
+ path metric 1;
+ import keep filtered;
+ import filter {
+ if is_valid_network() && !is_self_net() then {
+ accept;
+ }
+ reject;
+ };
+
+ export filter {
+ if is_valid_network() then {
+ accept;
+ }
+ reject;
+ };
+ import limit 1000 action block;
+}
+
+include "/etc/bird/peers6/*";
diff --git a/envvars b/envvars
new file mode 100644
index 0000000..9ca9baa
--- /dev/null
+++ b/envvars
@@ -0,0 +1,3 @@
+BIRD_RUN_USER=bird
+BIRD_RUN_GROUP=bird
+#BIRD_ARGS=
diff --git a/local4.conf b/local4.conf
new file mode 100644
index 0000000..75c1741
--- /dev/null
+++ b/local4.conf
@@ -0,0 +1,21 @@
+router id 172.20.170.192;
+
+define OWNAS = 4242423934;
+define OWNIP = 172.20.170.192;
+
+function is_self_net() {
+ return net ~ [172.20.170.192/28+];
+}
+
+function is_valid_network() {
+ return net ~ [
+ 172.20.0.0/14{21,29}, # dn42
+ 172.20.0.0/24{28,32}, # dn42 Anycast
+ 172.21.0.0/24{28,32}, # dn42 Anycast
+ 172.22.0.0/24{28,32}, # dn42 Anycast
+ 172.23.0.0/24{28,32}, # dn42 Anycast
+ 172.31.0.0/16+, # ChaosVPN
+ 10.100.0.0/14+, # ChaosVPN
+ 10.0.0.0/8{15,24} # Freifunk.net
+ ];
+}
diff --git a/local6.conf b/local6.conf
new file mode 100644
index 0000000..01163c5
--- /dev/null
+++ b/local6.conf
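Review bot: `local as 4242423934;` in the bird6.conf template hard-codes the ASN even though local6.conf, included a few lines above, defines `OWNAS` for exactly this purpose and bird.conf writes `local as OWNAS;`; the two files should agree, `local as OWNAS;`, so a future ASN change does not silently leave one address family on the old value. The kernel protocol sets `krt_prefsrc = OWNIP` with `OWNIP = fd62:77fb:94bf::`, the zero host of the rejected /48 — presumably that address is configured on lo; if it is not, kernel route installation will fail, so a comment naming the interface that carries it would help the next reader. The v6 template also dropped the explanatory comments the v4 template has on `path metric`, `import keep filtered` and the import filter; carrying them over keeps the two files readable side by side.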
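Review bot: In local4.conf `define OWNIP = 172.20.170.192;` is the network address of the `172.20.170.192/28` block that is_self_net() matches and that bird.conf blackholes with a reject route, yet it is also used as `router id` and as `krt_prefsrc`; a one-line comment such as `# .192 is assigned on lo and doubles as router id and kernel preferred source` would stop the next reader from flagging it as a typo, and the same applies to `OWNIP = fd62:77fb:94bf::` in local6.conf in this commit. is_valid_network() documents each accepted range inline, which is good; adding `# prefix-length sanity check only, no origin validation` above it would make clear what the BGP import filter does and does not guarantee.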
@@ -0,0 +1,14 @@
+router id 172.20.170.192;
+
+define OWNAS = 4242423934;
+define OWNIP = fd62:77fb:94bf::;
+
+function is_self_net() {
+ return net ~ [fd62:77fb:94bf::/48+];
+}
+
+function is_valid_network() {
+ return net ~ [
+ fd00::/8{44,64} # ULA address space as per RFC 4193
+ ];
+}
diff --git a/peers4/filip b/peers4/filip
new file mode 100644
index 0000000..6c691a2
--- /dev/null
+++ b/peers4/filip
@@ -0,0 +1,3 @@
+protocol bgp filip from dnpeers {
+ neighbor 172.19.2.1 as 4242421404;
+};
diff --git a/peers6/filip b/peers6/filip
new file mode 100644
index 0000000..c48e5c3
--- /dev/null
+++ b/peers6/filip
@@ -0,0 +1,3 @@
+protocol bgp filip from dnpeers {
+ neighbor fe80::feec:daff:fe46:d60e % 'wg-bgp-filip' as 4242421404;
+};