From dddb9217acd58384326e5c4f9aca9303569e1fbc Mon Sep 17 00:00:00 2001
From: Jesper Hess Nielsen
Date: Sat, 13 Oct 2018 20:56:18 +0200
Subject: [PATCH] Create generic filters for IPv6
---
 bgp4.conf | 3 ---
 bgp6.conf | 42 +++++++++--------------------------------
 filter6.conf | 23 +++++++++++++++++++++++
 3 files changed, 32 insertions(+), 36 deletions(-)
diff --git a/bgp4.conf b/bgp4.conf
index 45763ef..067764d 100644
--- a/bgp4.conf
+++ b/bgp4.conf
@@ -1,8 +1,6 @@
 template bgp dnpeers {
 local as OWNAS;
 table T_BGP;
-
- # metric is the number of hops between us and the peer
 path metric 1;
 import keep filtered;
 import where dnpeers_import_policy();
@@ -29,7 +27,6 @@ template bgp iBGP_Peer {
 }
 
 template pipe iBGP_Pipe {
- # table name will come from peer definition
 peer table master;
 import all;
 export all;
diff --git a/bgp6.conf b/bgp6.conf
index 85c7f2a..7f85351 100644
--- a/bgp6.conf
+++ b/bgp6.conf
@@ -1,16 +1,15 @@
 template bgp dnpeers {
 local as OWNAS;
 table T_BGP;
-
- # metric is the number of hops between us and the peer
 path metric 1;
-
- # this line allows debugging filter rules
- # filtered routes can be looked up in birdc using the "show route filtered" command
 import keep filtered on;
-
- import all;
- export all;
+ import where dnpeers_import_policy();
+ export filter {
+ if is_valid_network() then {
+ accept;
+ }
+ reject;
+ };
 };
 
 template bgp iBGP_Peer {
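Review bot: The new export filter in the dnpeers template of bgp6.conf is written out inline while the import side of the same template now delegates to `dnpeers_import_policy()`; since the export body reduces to a single predicate, `export where is_valid_network();` keeps both directions in the same generic style the commit title aims for and avoids a second copy of the filter drifting from whatever bgp4.conf uses. The bgp4.conf hunk shows only its `import where` line as context, so whether its export side already takes that form cannot be confirmed from here.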
@@ -28,38 +27,15 @@ template bgp iBGP_Peer {
 }
 
 template pipe iBGP_Pipe {
- # table name will come from peer definition
 peer table master;
 import all;
 export all;
 }
 
-roa table dn42_roa6 {
- include "/var/lib/bird/bird6_roa_dn42.conf";
-};
 
 protocol pipe {
 table master;
 peer table T_BGP;
- import filter {
-
- if (roa_check(dn42_roa6, net, bgp_path.last) = ROA_INVALID) then {
- print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
- reject;
- }
- # accept every subnet, except our own advertised subnet
- # filtering is important, because some guys try to advertise routes like 0.0.0$
- if is_valid_network() && !is_self_net() then {
- accept;
- }
- reject;
- };
-
- export filter {
- # here we export the whole net
- if is_valid_network() then {
- accept;
- }
- reject;
- };
+ import all;
+ export all;
 };
diff --git a/filter6.conf b/filter6.conf
index c7a61d0..cd28212 100644
--- a/filter6.conf
+++ b/filter6.conf
@@ -8,3 +8,26 @@ function is_valid_network() {
 ];
 }
 
+roa table dn42_roa {
+ include "/var/lib/bird/bird6_roa_dn42.conf";
+ };
+
+ function check_roa() {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ return false;
+ }
+ return true;
+ }
+
+ function import_filter_networks() {
+ if is_valid_network() && !is_self_net() then {
+ return true;
+ }
+ return false;
+ }
+
+ function dnpeers_import_policy() {
+ if(!check_roa()) then return false;
+ if(!import_filter_networks()) then return false;
+ }
\ No newline at end of file
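Review bot: With the pipe between `master` and `T_BGP` changed to `import all; export all;`, the ROA and self-network checks that previously applied to every route entering `master` from `T_BGP` now apply only where a protocol carries `import where dnpeers_import_policy();`, which in this patch is the dnpeers template of the first hunk. Any other protocol feeding `T_BGP` — `template bgp iBGP_Peer`, whose body starts outside this hunk — would bypass them unless it uses the same import policy; its filters are not visible here, so that is worth confirming before merging. If a second line of defence at the table boundary is still wanted, `import where dnpeers_import_policy();` on the pipe restores it without duplicating the old inline filter body.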
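Review bot: `dnpeers_import_policy()` has no `return true;` after its two guard lines, so when both checks pass the function falls off its end without a value; bgp6.conf's `import where dnpeers_import_policy();` then depends on how BIRD treats a function that returns nothing, which I believe is reported as a filter error rather than an accept. Adding `return true;` as the last statement makes the accept path explicit. In the same spirit `import_filter_networks()` can be reduced to `return is_valid_network() && !is_self_net();`, and since the new `roa table dn42_roa` still includes `bird6_roa_dn42.conf`, the rename from `dn42_roa6` only matters if an IPv4 table of the same name is ever loaded into the same daemon. The enclosing `is_valid_network()` definition starts outside the hunk.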