save

bird/bird.conf

@@ -18,6 +18,18 @@ protocol kernel kernel_main4 {
     };
 };
 
+protocol kernel kernel_main6 {
+    scan time 20;
+    ipv6 {
+        import none;
+        export filter {
+            if bgp_large_community ~ [(UNET_ASN, 10,6)] then accept;
+            reject;
+        };
+    };
+};
+
+
 protocol kernel kernel_t102v4 {
     scan time 20;
     kernel table 102;

bird/filter/dn42_downstream.conf

@@ -0,0 +1,18 @@
+# 下游过滤器
+# 政策：发全表，只收下游和关联下游的
+
+# 下游-发表控制器
+function function_dn42_downstream_export() {
+    if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+    # 硬性限制，没有1000,0的，不放
+    if bgp_large_community !~ [(DN42_ASN, 1000,0)] then return false;     
+    return true;
+}
+
+
+# 下游-收表控制器
+# 注意，配置下游时候，一定要注意手打一个 300 0 ，不然发不出去
+function function_dn42_downstream_import() {
+    if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+    return true;
+}

bird/filter/dn42_ibgp.conf

@@ -0,0 +1,13 @@
+function function_dn42_ibgp_import() {
+    if is_dn42_self_net() then return false;
+    if !is_dn42_prefix() then return false;
+    if bgp_large_community ~ [(DN42_ASN, 1,*)] then return false;
+    return true;
+}
+
+function function_dn42_ibgp_export() {
+    if is_dn42_self_net() then return false;
+    if !is_dn42_prefix() then return false;
+    if bgp_large_community ~ [(DN42_ASN, 1,*)] then return false;
+    return true;
+}

bird/filter/dn42_import.conf

@@ -0,0 +1,10 @@
+# 对上游接收过滤器
+# 政策：全网照单接受
+
+function function_dn42_bgp_import_from_upstream() {
+    if is_dn42_self_net() then return false;
+    if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+    # 允许转发给下游
+    bgp_large_community.add((DN42_ASN,1000,0));
+    return true;
+}

bird/filter/dn42_upstream0.conf

@@ -0,0 +1,34 @@
+# 普通上游（发布控制器）
+# 政策：只发自己的
+
+function function_dn42_bgp_export_to_upstream0() {
+    if !is_dn42_self_net() then return false;
+    if !is_dn42_prefix() then return false;
+    if source != RTS_STATIC then return false;
+    # 100禁止性过滤
+    if bgp_large_community ~ [(DN42_ASN, 100, 100)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 100, 200)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 200, 201)] then return false;
+
+    # 前置过滤：允许自己的段子-所有上游和普通上游
+    if bgp_large_community ~ [(DN42_ASN, 200, 0)] then return true;
+    if bgp_large_community ~ [(DN42_ASN, 200, 1)] then return true;
+    if bgp_large_community ~ [(DN42_ASN, 200, 2)] then return false;
+    return false;
+}
+
+
+function function_dn42_control_bgp_upstream0(int peer_asn){
+    # 1.禁止带有 201 0 (禁止一切外发)的发出去
+    if bgp_large_community ~ [(DN42_ASN, 201, 0)] then return false;
+    # 2.禁止带有 201 peer asn (禁止向某一外发)的发出去
+    if bgp_large_community ~ [(DN42_ASN, 201, peer_asn)] then return false;
+
+    # 3.不带202,0(允许全体外发)，但是带有202,peer asn（允许单一外发）的，放
+    if (bgp_large_community !~ [(DN42_ASN, 202, 0)]) then {
+        if bgp_large_community ~ [(DN42_ASN, 202, peer_asn)] then return true;
+    }
+    # 4.带有202,0（允许一切外发）的，放
+    if bgp_large_community ~ [(DN42_ASN, 202, 0)] then return true;
+    return false;
+}

bird/filter/dn42_upstream1.conf

@@ -0,0 +1,47 @@
+# 能带下游的上游（发布控制器）
+# 政策：发自己的+下游的
+
+function function_dn42_bgp_export_to_upstream1() {
+    if source !~ [RTS_STATIC, RTS_BGP] then return false;
+    if !is_dn42_prefix() then return false;
+    # 100禁止性过滤
+    if bgp_large_community ~ [(DN42_ASN, 100, 100)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 100, 200)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 200, 202)] then return false;
+    if source =RTS_STATIC then {
+        # 静态路由，允许 200，[0 2]
+        if bgp_large_community ~ [(DN42_ASN, 200, 0)] then return true;
+        if bgp_large_community ~ [(DN42_ASN, 200, 2)] then return true;
+        if bgp_large_community ~ [(DN42_ASN, 200, 1)] then return false;
+    }
+    if source = RTS_BGP then {
+        # BGP路由，允许 300，0
+        if bgp_large_community ~ [(DN42_ASN, 300, 0)] then return true;
+    }
+    return false;
+}
+
+
+function function_inet_control_bgp_upstream1(int peer_asn){
+    # 1.禁止带有 201 0 (禁止一切外发)  301 0（禁止下游段子转发）的发出去
+    if bgp_large_community ~ [(DN42_ASN, 201, 0)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 301, 0)] then return false;
+    # 2.禁止带有 201 peer asn (禁止向某一外发) 301 peer asn（禁止向某一外发下游）的发出去
+    if bgp_large_community ~ [(DN42_ASN, 201, peer_asn)] then return false;
+    if bgp_large_community ~ [(DN42_ASN, 301, peer_asn)] then return false;
+
+
+    # 3.不带202,0(允许全体外发)，但是带有202,peer asn 放
+    if (bgp_large_community !~ [(DN42_ASN, 202, 0)]) then {
+        if bgp_large_community ~ [(DN42_ASN, 202, peer_asn)] then return true;
+    }
+    # 不带302 0，但是有302 peer asn的，放
+    if (bgp_large_community !~ [(DN42_ASN, 302, 0)]) then {
+        if bgp_large_community ~ [(DN42_ASN, 302, peer_asn)] then return true;
+    }
+
+    # 4.带有202,0（允许一切外发）和302 0的，放
+    if bgp_large_community ~ [(DN42_ASN, 202, 0)] then return true;
+    if bgp_large_community ~ [(DN42_ASN, 302, 0)] then return true;
+    return false;
+}

bird/filter/inet_downstream.conf

@@ -3,7 +3,7 @@
 
 # 下游-发表控制器
 function function_inet6_downstream_export() {
-    if is_bogon_prefix() || (bgp_path.len > 20) then reject;
+    if is_bogon_prefix() || (bgp_path.len > 20) then return false;
     # 硬性限制，没有1000,0的，不放
     if bgp_large_community !~ [(LOCAL_ASN, 1000,0)] then return false;     
     return true;

bird/filter/inet_ibgp.conf

@@ -1,27 +1,33 @@
-function function_inet4_ibgp_import() {
+function function_inet_ibgp_import() {
     if is_self_net() then return false;
     if is_bogon_prefix() then return false;
-    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then return false;
+    return true;
+}
+
+function function_inet_ibgp_export() {
+    if is_self_net() then return false;
+    if is_bogon_prefix() then return false;
+    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then return false;
+    return true;
+}
+
+function function_inet4_ibgp_import() {
+    if !function_inet_ibgp_import() then return false;
     return true;
 }
 
 function function_inet4_ibgp_export() {
-    if is_self_net() then return false;
-    if is_bogon_prefix() then return false;
-    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+    if !function_inet_ibgp_export() then return false;
     return true;
 }
 
 function function_inet6_ibgp_import() {
-    if is_self_net() then reject;
-    if is_bogon_prefix() then reject;
-    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+    if !function_inet_ibgp_import() then return false;
     return true;
 }
 
 function function_inet6_ibgp_export() {
-    if is_self_net() then reject;
-    if is_bogon_prefix() then reject;
-    if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+    if !function_inet_ibgp_export() then return false;
     return true;
 }

bird/function/unet.conf

@@ -21,6 +21,6 @@ function is_unet_self_net() {
     case net.type {
         NET_IP4: return net ~ is_unet_self_IPv4;
         NET_IP6: return net ~ is_unet_self_IPv6;
-        else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false;
+        else: print "is_unet_prefix: unexpected net.type ", net.type, " ", net; return false;
     }
 }

bird/net/dn42.conf

@@ -1,12 +1,12 @@
 protocol pipe dn42v4_sync {
   table dn42v4;
-  peer table t102v4;
+  peer table master4;
   export filter {
     if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
     if !is_dn42_prefix() then reject;
     bgp_community.empty;
     bgp_large_community.empty;
-    bgp_large_community.add((UNET_ASN,10,10204));
+    bgp_large_community.add((UNET_ASN,10,4));
     krt_prefsrc = DN42_V4_kernel;
     accept;
     };
@@ -15,13 +15,13 @@ protocol pipe dn42v4_sync {
 
 protocol pipe dn42v6_sync {
   table dn42v6;
-  peer table t102v6;
+  peer table master6;
   export filter {
     if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
     if !is_dn42_prefix() then reject;
     bgp_community.empty;
     bgp_large_community.empty;
-    bgp_large_community.add((UNET_ASN,10,10206));
+    bgp_large_community.add((UNET_ASN,10,6));
     krt_prefsrc = DN42_V6_kernel;
     accept;
     };

bird/template/dn42.conf

@@ -6,7 +6,6 @@ template bgp dn42_bgp_up {
         import filter {
           if !is_dn42_prefix() then reject;
           if is_dn42_self_net() then reject;
-          bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
           accept;
         };
         export filter { 
@@ -23,7 +22,6 @@ template bgp dn42_bgp_up {
         import filter {
           if !is_dn42_prefix() then reject;
           if is_dn42_self_net() then reject;
-          bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
           accept;
         };
         export filter { 

bird/template/dn42_new.conf

@@ -0,0 +1,67 @@
+template bgp dn42_up0_new {
+    graceful restart;
+    local as LOCAL_ASN;
+    ipv4 {
+        table dn42v4;
+        import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+        export filter {if !function_dn42_bgp_export_to_upstream0() then reject; accept; };
+    };
+    ipv6 {
+        table dn42v6;
+        import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+        export filter {if !function_dn42_bgp_export_to_upstream0() then reject; accept; };
+    };
+}
+
+template bgp dn42_up1_new {
+    graceful restart;
+    local as LOCAL_ASN;
+    ipv4 {
+        table dn42v4;
+        import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+        export filter {if !function_dn42_bgp_export_to_upstream1() then reject; accept; };
+    };
+    ipv6 {
+        table dn42v6;
+        import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+        export filter {if !function_dn42_bgp_export_to_upstream1() then reject; accept; };
+    };
+}
+
+template bgp dn42_ibgp_new {
+    graceful restart;
+    local as LOCAL_ASN;
+    med metric;
+    direct;
+    ipv4 {
+        table dn42v4;
+        next hop self;
+        gateway direct;
+        import filter {if !function_dn42_ibgp_import() then reject; accept; };
+        export filter {if !function_dn42_ibgp_export() then reject; accept; };
+    };
+    ipv6 {
+        table dn42v6;
+        next hop self;
+        gateway direct;
+        import filter {if !function_dn42_ibgp_import() then reject; accept; };
+        export filter {if !function_dn42_ibgp_export() then reject; accept; };
+    };
+}
+
+
+template bgp dn42_ibgp_mp_new {
+    graceful restart;
+    local as LOCAL_ASN;
+    med metric;
+    ipv4 {
+        table dn42v4;
+        import filter {if !function_dn42_ibgp_import() then reject; accept; };
+        export filter {if !function_dn42_ibgp_export() then reject; accept; };
+    };
+    ipv6 {
+        table dn42v6;
+        import filter {if !function_dn42_ibgp_import() then reject; accept; };
+        export filter {if !function_dn42_ibgp_export() then reject; accept; };
+    };
+}

update.sh

@@ -6,17 +6,17 @@ git clone https://git.nia.ink/brnet/bird_config.git
 rm /etc/bird/bird.conf
 mv ./bird_config/bird/bird.conf /etc/bird/bird.conf
 
+rm /etc/bird/filter/*.conf
+mv ./bird_config/bird/filter/*.conf /etc/bird/filter/
+
+rm /etc/bird/function/unet.conf
+mv ./bird_config/bird/function/unet.conf /etc/bird/function/unet.conf
+
 rm /etc/bird/net/dn42.conf
 mv ./bird_config/bird/net/dn42.conf /etc/bird/net/dn42.conf
 
-rm /etc/bird/net/inet.conf
-mv ./bird_config/bird/net/inet.conf /etc/bird/net/inet.conf
-
-rm /etc/bird/net/unet.conf
-mv ./bird_config/bird/net/unet.conf /etc/bird/net/unet.conf
-
-rm /etc/bird/function/tables.conf
-mv ./bird_config/bird/function/tables.conf /etc/bird/function/tables.conf
+rm /etc/bird/template/*.conf
+mv ./bird_config/bird/template/*.conf /etc/bird/template/
 
 birdc c
 cd