mark22k
/
dn42-router
mirror of https://codeberg.org/mark22k/dn42-router.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196
							
include "community_filters.conf";
include "crxn_filters.conf";

define DNET_BOGON_ASNS = [
    0,                      # RFC 7607
    23456,                  # RFC 4893 AS_TRANS
    64496..64511,           # RFC 5398 and documentation/example ASNs

    65535,                  # RFC 7300 Last 16 bit ASN
    65536..65551,           # RFC 5398 and documentation/example ASNs

    65552..76099,           # RFC IANA reserved ASNs
    76200..131071,          # Excluding 76100 To 76199

    4200000000..4201269999, # RFC 6996 Private ASNs
    4201280000..4242419999, # Excluding 4201270000 To 4201279999
    4242430000..4294967294, # Excluding 4242420000 To 4242429999

    4294967295              # RFC 7300 Last 32 bit ASN
];

define ASN_BLACKLIST = [
    {% set comma = joiner(",") %}
    {% for asn in dn42.asn_blacklist %}
    {{ comma() }}{{ asn }}
    {% endfor %}
];

function strip_too_many_communities() {
    if ( ( bgp_community.len + bgp_ext_community.len + bgp_large_community.len ) > 99 ) then {
        bgp_community.filter([(64511, *)]);
        bgp_ext_community.empty;
        bgp_large_community.filter([(DN42AS, *, *), (NEOAS, *, *)]);
    }
}

function reject_bogon_asns() {
    int set bogon_asns = DNET_BOGON_ASNS;

    if ( bgp_path ~ bogon_asns ) then {
        print "Reject: bogon AS_PATH ", net, " ", bgp_path;
        reject;
    }
}

function reject_long_aspaths()
{
    if ( bgp_path.len > {{ dn42.very_long_as_path }} ) then {
        print "Reject: Too long AS path: ", net, " ", bgp_path;
        reject;
    }
}

function honor_graceful_shutdown() {
  if (65535, 0) ~ bgp_community then {
    bgp_local_pref = 0;
  }
}

function is_blackholed() {
  return ((65535, 666) ~ bgp_community);
}

function reject_blacklisted()
int set blacklist;
{
    blacklist = ASN_BLACKLIST;

    if ( bgp_path ~ blacklist ) then {
        if ( bgp_path !~ [DN42AS, NEOAS] ) then
            print "Reject: Found blacklisted ASN ", bgp_path;
        reject;
    }
}

function delete_invalid_communities() {
    bgp_community.delete([(64511, 0)]);
    bgp_community.delete([(64511, 71..999)]);
    bgp_community.delete([(64511, 2000..65535)]);
}

function dn42_import_filter(int link_latency; int link_bandwidth; int link_crypto) {
    if (! is_valid_network()) then {
        print "Received invalid network: ", net, " ", bgp_path;
        reject;
    }
    if ( is_self_net() ) then reject;

    if net.type = NET_IP4 then {
        if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
            # print "[dn42] ROA check failed for ", net, " - AS ", bgp_path;
            reject;
        }
    } else if net.type = NET_IP6 then {
        if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
            # print "[dn42] ROA check failed for ", net, " - AS ", bgp_path;
            reject;
        }
    } else {
        reject;
    }
    reject_long_aspaths();
    reject_blacklisted();
    reject_bogon_asns();
    strip_too_many_communities();
    delete_invalid_communities();
    update_flags(link_latency, link_bandwidth, link_crypto);

    unset(bgp_otc);

    if (bgp_path.len = 1) then
        bgp_local_pref = bgp_local_pref + 700;
    else if ( bgp_path.len > {{ dn42.long_as_path }} ) then
        bgp_local_pref = bgp_local_pref - 20;

    honor_graceful_shutdown();

    # Avoid netid hjacking
    del_netid();

    if ( is_neonetwork() ) then
        add_netid(4);
    else
        add_netid(1);

    accept;
}

function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypto) {
    if ( ! is_valid_network() ) then reject;

    if ((has_netid(1) || has_netid(4) || has_netid(2)) || is_notsub_self_net() || is_blackholed()) then {
        update_geo_flags();
        update_flags(link_latency, link_bandwidth, link_crypto);

        if (has_netid(2) && is_crxn_net()) then
            crxn_bgp_include();

        del_netid();

        bgp_med = 0;
        bgp_med = bgp_med + ( ( 4 - ( link_crypto - 30 ) ) * 600 );
        bgp_med = bgp_med + ( ( 9 - ( link_bandwidth - 20 ) ) * 100);
        bgp_med = bgp_med + ( ( link_latency - 1) * 300);

        accept;
    }

    reject;
}

function dn42_ibgp_import(int link_latency; int link_bandwidth; int link_crypto; int link_connection) {
    if (! is_self_net() ) then {
        update_flags(link_latency, link_bandwidth, link_crypto);

        accept;
    }
    reject;
}

function dn42_ibgp_export(int link_latency; int link_bandwidth; int link_crypto; int link_connection) {
    if ( has_netid(2) ) then reject;
    if (! is_self_net() ) then {
        update_flags(link_latency, link_bandwidth, link_crypto);

        if (bgp_path.len = 1 && link_connection !~ [1, 2]) then {
            bgp_local_pref = bgp_local_pref - 200;
        }

        accept;
    }
    reject;
}

function collector_export_filter() {
    if ( ! is_valid_network() ) then reject;

    if ( (source ~ [RTS_STATIC, RTS_BABEL, RTS_BGP] && (has_netid(1) || has_netid(4) || has_netid(2))) || is_notsub_self_net()) then {
        update_geo_flags();

        # "||" is to the fact that babel does not transfer netids
        # maybe it need a bit reworking... transfering igp and crxn
        # over one babel is not the best idea ever...
        if (has_netid(2) || is_crxn_net()) then
            crxn_bgp_include();

        del_netid();

        accept;
    }

    reject;
}