diff --git a/bgp4.conf b/bgp4.conf
index 1d1271e..92b944d 100644
--- a/bgp4.conf
+++ b/bgp4.conf
@@ -5,8 +5,14 @@ template bgp dnpeers {
 # metric is the number of hops between us and the peer
 path metric 1;
- import all;
- export all;
+ import where dnpeers_import_policy();
+ export filter {
+ # here we export the whole net
+ if is_valid_network() then {
+ accept;
+ }
+ reject;
+ };
 };
 template bgp iBGP_Peer {
@@ -30,32 +36,10 @@ template pipe iBGP_Pipe {
 export all;
 }
-roa table dn42_roa {
- include "/var/lib/bird/bird_roa_dn42.conf";
-};
-
 protocol pipe {
 table master;
 peer table T_BGP;
- import filter {
- if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
- print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
- reject;
- }
-
- # accept every subnet, except our own advertised subnet
- # filtering is important, because some guys try to advertise routes like 0.0.0$
- if is_valid_network() && !is_self_net() then {
- accept;
- }
- reject;
- };
-
- export filter {
- # here we export the whole net
- if is_valid_network() then {
- accept;
- }
- reject;
+ import all;
+ export all;
 };
 };
diff --git a/filter4.conf b/filter4.conf
index e229132..3ee3d36 100644
--- a/filter4.conf
+++ b/filter4.conf
@@ -15,3 +15,26 @@ function is_valid_network() {
 ];
 }
+roa table dn42_roa {
+ include "/var/lib/bird/bird_roa_dn42.conf";
+};
+
+function check_roa() {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ return false;
+ }
+ return true:
+}
+
+function import_filter_networks() {
+ if is_valid_network() && !is_self_net() then {
+ return true;
+ }
+ return false;
+}
+
+function dnpeers_import_policy() {
+ if(!check_roa()) return false;
+ if(!import_filter_networks()) return false:
+}
\ No newline at end of file
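Review bot: `import where dnpeers_import_policy();` in template dnpeers delegates to a function added in filter4.conf by this same commit that has no `return true;` path, so as written no route can be accepted on dnpeers sessions — every route is rejected, or the filter fails at run time, depending on how BIRD handles a function that falls off its end. The fix belongs in filter4.conf (a trailing `return true;`), but this template is where the effect shows, so a comment here would help the next reader: `# import policy: ROA validity plus prefix sanity, see dnpeers_import_policy in filter4.conf`. The template header `template bgp dnpeers {` is outside the hunk.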
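Review bot: Replacing the pipe's import filter with `import all;` drops the ROA check and the `!is_self_net()` guard from the only place that sat between T_BGP and master, while the new policy is attached to the dnpeers template alone; any other protocol that feeds T_BGP — template iBGP_Peer is visible in this file, its import clause is not — now reaches master unchecked unless it carries its own filter. If iBGP peers are trusted by design that should be stated, e.g. `# ROA and self-net filtering now happens per peer in template dnpeers (filter4.conf)`. Worth confirming that iBGP_Peer does not use `import all`, or keeping at least the self-net rejection on this pipe. The protocol pipe block closes inside the hunk; the preceding iBGP_Pipe template begins outside it.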
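Review bot: `return true:` in check_roa and `return false:` in dnpeers_import_policy end in a colon instead of a semicolon, and `if(!check_roa()) return false;` lacks the `then` that BIRD's filter grammar requires, so filter4.conf will not parse; dnpeers_import_policy also has no success path, leaving `import where` with no true result. Proposed body for dnpeers_import_policy: `if !check_roa() then return false;` / `if !import_filter_networks() then return false;` / `return true;`, plus `return true;` in check_roa. check_roa rejects only ROA_INVALID, so ROA_UNKNOWN routes are accepted — that matches the old pipe filter but deserves a comment: `# only ROA_INVALID is rejected; unknown ROA state is accepted`. The file now ends without a trailing newline.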