From ee42d5bfea63483df8b7d2bcfdf8a9964fdfeefa Mon Sep 17 00:00:00 2001
From: graffen
Date: Sat, 6 Oct 2018 22:39:50 +0000
Subject: [PATCH] Add ROA
---
 bgp4.conf | 9 +++++++++
 bgp6.conf | 11 ++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/bgp4.conf b/bgp4.conf
index e44a358..5a396a5 100644
--- a/bgp4.conf
+++ b/bgp4.conf
@@ -34,10 +34,19 @@ template pipe iBGP_Pipe {
 export all;
 }
+roa table dn42_roa {
+ include "/var/lib/bird/bird_roa_dn42.conf";
+};
+
 protocol pipe {
 table master;
 peer table T_BGP4;
 import filter {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+
 # accept every subnet, except our own advertised subnet
 # filtering is important, because some guys try to advertise routes like 0.0.0$
 if is_valid_network() && !is_self_net() then {
diff --git a/bgp6.conf b/bgp6.conf
index df3d9e0..bededf5 100644
--- a/bgp6.conf
+++ b/bgp6.conf
@@ -34,11 +34,20 @@ template pipe iBGP_Pipe {
 export all;
 }
+roa table dn42_roa6 {
+ include "/var/lib/bird/bird6_roa_dn42.conf";
+};
+
 protocol pipe {
 table master;
 peer table T_BGP6;
 import filter {
- # accept every subnet, except our own advertised subnet
+
+ if (roa_check(dn42_roa6, net, bgp_path.last) = ROA_INVALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+ # accept every subnet, except our own advertised subnet
 # filtering is important, because some guys try to advertise routes like 0.0.0$
 if is_valid_network() && !is_self_net() then {
 accept;
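Review bot: The new guard at the top of the pipe's `import filter` drops only `ROA_INVALID`, so a prefix with no covering entry in `dn42_roa` (`ROA_UNKNOWN`) still falls through to `is_valid_network()` and can be accepted; the same applies to the `dn42_roa6` check in bgp6.conf. If the generated table is meant to be the complete list of registered origins, `if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {` would close that gap; if unknown routes are accepted on purpose, a comment saying so would help. The check also sits on the pipe from `T_BGP4` into `master`, so rejected routes presumably remain in `T_BGP4` and could still be exported to any session attached to that table; that part of the configuration is not visible here. The filter body continues past the end of the hunk.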
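Review bot: The `include "/var/lib/bird/bird6_roa_dn42.conf";` line (and its bgp4.conf counterpart) makes a generated file outside the repository both a hard dependency and the trust anchor for origin validation, and nothing in the commit documents who produces it. As far as I know BIRD refuses a configuration whose literal include target is missing, and the table is only re-read on reconfigure, so a failed or stale download either blocks a reload or silently validates against old data. I would add a comment above the table such as `# generated by <ROA updater job>; fetched over an authenticated channel, written atomically, root-owned, followed by birdc6 configure`. The `# accept every subnet` comment is also removed and re-added in this hunk, apparently as a whitespace-only change, which is worth reverting to keep the diff minimal.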