From 28294a3e591d3e765166ee9cc97b2f0db361d36d Mon Sep 17 00:00:00 2001 From: gaoyuheng Date: Sat, 23 May 2026 15:09:44 +0800 Subject: [PATCH] save --- bird/bird.conf | 12 ++++++ bird/filter/dn42_downstream.conf | 18 +++++++++ bird/filter/dn42_ibgp.conf | 13 +++++++ bird/filter/dn42_import.conf | 10 +++++ bird/filter/dn42_upstream0.conf | 34 ++++++++++++++++ bird/filter/dn42_upstream1.conf | 47 ++++++++++++++++++++++ bird/filter/inet_downstream.conf | 2 +- bird/filter/inet_ibgp.conf | 28 +++++++------ bird/function/unet.conf | 2 +- bird/net/dn42.conf | 8 ++-- bird/template/dn42.conf | 2 - bird/template/dn42_new.conf | 67 ++++++++++++++++++++++++++++++++ update.sh | 16 ++++---- 13 files changed, 232 insertions(+), 27 deletions(-) create mode 100644 bird/filter/dn42_downstream.conf create mode 100644 bird/filter/dn42_ibgp.conf create mode 100644 bird/filter/dn42_import.conf create mode 100644 bird/filter/dn42_upstream0.conf create mode 100644 bird/filter/dn42_upstream1.conf create mode 100644 bird/template/dn42_new.conf diff --git a/bird/bird.conf b/bird/bird.conf index d28d6d2..7cbd70e 100644 --- a/bird/bird.conf +++ b/bird/bird.conf @@ -18,6 +18,18 @@ protocol kernel kernel_main4 { }; }; +protocol kernel kernel_main6 { + scan time 20; + ipv6 { + import none; + export filter { + if bgp_large_community ~ [(UNET_ASN, 10,6)] then accept; + reject; + }; + }; +}; + + protocol kernel kernel_t102v4 { scan time 20; kernel table 102; diff --git a/bird/filter/dn42_downstream.conf b/bird/filter/dn42_downstream.conf new file mode 100644 index 0000000..55db7a1 --- /dev/null +++ b/bird/filter/dn42_downstream.conf 
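Review bot: kernel_main6's export filter installs every master6 route that carries (UNET_ASN, 10,6), and nothing in the hunk records that the tag is meant to come only from the dn42v6_sync pipe in net/dn42.conf, so any other protocol exporting that community into master6 would reach the kernel too; a comment such as `# install only routes re-tagged (UNET_ASN,10,6) by dn42v6_sync` would make the contract explicit. The ipv6 channel names no table, so it presumably attaches to the default master6, which matches the new `peer table master6` in net/dn42.conf; stating that in the same comment avoids a guess. The two trailing empty `+` lines also leave a double blank before kernel_t102v4 where one would do.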
@@ -0,0 +1,18 @@
+# 下游过滤器
+# 政策:发全表,只收下游和关联下游的
+
+# 下游-发表控制器
+function function_dn42_downstream_export() {
+ if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+ # 硬性限制,没有1000,0的,不放
+ if bgp_large_community !~ [(DN42_ASN, 1000,0)] then return false;
+ return true;
+}
+
+
+# 下游-收表控制器
+# 注意,配置下游时候,一定要注意手打一个 300 0 ,不然发不出去
+function function_dn42_downstream_import() {
+ if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+ return true;
+}
\ No newline at end of file
diff --git a/bird/filter/dn42_ibgp.conf b/bird/filter/dn42_ibgp.conf
new file mode 100644
index 0000000..b6fd5e5
--- /dev/null
+++ b/bird/filter/dn42_ibgp.conf
@@ -0,0 +1,13 @@
+function function_dn42_ibgp_import() {
+ if is_dn42_self_net() then return false;
+ if !is_dn42_prefix() then return false;
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then return false;
+ return true;
+}
+
+function function_dn42_ibgp_export() {
+ if is_dn42_self_net() then return false;
+ if !is_dn42_prefix() then return false;
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then return false;
+ return true;
+}
\ No newline at end of file
diff --git a/bird/filter/dn42_import.conf b/bird/filter/dn42_import.conf
new file mode 100644
index 0000000..a2ef4d4
--- /dev/null
+++ b/bird/filter/dn42_import.conf
@@ -0,0 +1,10 @@
+# 对上游接收过滤器
+# 政策:全网照单接受
+
+function function_dn42_bgp_import_from_upstream() {
+ if is_dn42_self_net() then return false;
+ if !is_dn42_prefix() || (bgp_path.len > 20) then return false;
+ # 允许转发给下游
+ bgp_large_community.add((DN42_ASN,1000,0));
+ return true;
+}
\ No newline at end of file
diff --git a/bird/filter/dn42_upstream0.conf b/bird/filter/dn42_upstream0.conf
new file mode 100644
index 0000000..88d8acf
--- /dev/null
+++ b/bird/filter/dn42_upstream0.conf
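Review bot: function_dn42_downstream_import accepts whatever a downstream announces as long as it is a dn42 prefix with a path of at most 20 hops: it neither rejects our own space (the sibling function_dn42_bgp_import_from_upstream in dn42_import.conf does check is_dn42_self_net()) nor clears large communities the peer set in our own ASN namespace, so a downstream can attach (DN42_ASN, 300,0), (DN42_ASN, 202,0) or (DN42_ASN, 1000,0) itself and steer what function_dn42_bgp_export_to_upstream1 and function_dn42_downstream_export later do with the route. The same missing cleanup applies to function_dn42_bgp_import_from_upstream in the dn42_import.conf hunk below, where a (DN42_ASN, 300,0) sent by one upstream would make its routes eligible for re-export to other upstreams. I would add `if is_dn42_self_net() then return false;` and `bgp_large_community.delete([(DN42_ASN, *, *)]);` before `return true;` in both import functions, and only then apply the per-peer tag that the comment above this function asks to be set by hand. The policy line at the top (`只收下游和关联下游的`) is not enforced by the code either; either document that the restriction lives in the per-peer protocol block or add the check here.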
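Review bot: function_dn42_ibgp_import and function_dn42_ibgp_export are byte-identical, while the inet_ibgp.conf hunk in this same commit deduplicates the equivalent pair into one shared body; doing the same here keeps the two files in the same shape, e.g. `function function_dn42_ibgp_export() { return function_dn42_ibgp_import(); }`. Neither function says why routes carrying (DN42_ASN, 1,*) are dropped on iBGP; a one-line comment naming what the 1,* range means would help, since the upstream filter files document their community ranges and this one does not.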
@@ -0,0 +1,34 @@
+# 普通上游(发布控制器)
+# 政策:只发自己的
+
+function function_dn42_bgp_export_to_upstream0() {
+ if !is_dn42_self_net() then return false;
+ if !is_dn42_prefix() then return false;
+ if source != RTS_STATIC then return false;
+ # 100禁止性过滤
+ if bgp_large_community ~ [(DN42_ASN, 100, 100)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 100, 200)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 200, 201)] then return false;
+
+ # 前置过滤:允许自己的段子-所有上游和普通上游
+ if bgp_large_community ~ [(DN42_ASN, 200, 0)] then return true;
+ if bgp_large_community ~ [(DN42_ASN, 200, 1)] then return true;
+ if bgp_large_community ~ [(DN42_ASN, 200, 2)] then return false;
+ return false;
+}
+
+
+function function_dn42_control_bgp_upstream0(int peer_asn){
+ # 1.禁止带有 201 0 (禁止一切外发)的发出去
+ if bgp_large_community ~ [(DN42_ASN, 201, 0)] then return false;
+ # 2.禁止带有 201 peer asn (禁止向某一外发)的发出去
+ if bgp_large_community ~ [(DN42_ASN, 201, peer_asn)] then return false;
+
+ # 3.不带202,0(允许全体外发),但是带有202,peer asn(允许单一外发)的,放
+ if (bgp_large_community !~ [(DN42_ASN, 202, 0)]) then {
+ if bgp_large_community ~ [(DN42_ASN, 202, peer_asn)] then return true;
+ }
+ # 4.带有202,0(允许一切外发)的,放
+ if bgp_large_community ~ [(DN42_ASN, 202, 0)] then return true;
+ return false;
+}
\ No newline at end of file
diff --git a/bird/filter/dn42_upstream1.conf b/bird/filter/dn42_upstream1.conf
new file mode 100644
index 0000000..dd7cf22
--- /dev/null
+++ b/bird/filter/dn42_upstream1.conf
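Review bot: function_dn42_control_bgp_upstream0(int peer_asn) is defined here but nothing in this patch calls it — the dn42_new.conf templates wire only function_dn42_bgp_export_to_upstream0 into their export filters — so the per-peer (DN42_ASN, 201/202, peer_asn) controls are inert unless each protocol block overrides the template's export filter, which the patch does not show. A comment above it such as `# call from each peer's export filter with its ASN; the template does not apply it` would stop it being read as active policy. In function_dn42_bgp_export_to_upstream0 the `(DN42_ASN, 200, 2)` branch returns false and is immediately followed by `return false;`, so one of the two lines is redundant. In the control function the nested `!~ (202,0)` block followed by the `~ (202,0)` check is equivalent to `return bgp_large_community ~ [(DN42_ASN, 202, 0), (DN42_ASN, 202, peer_asn)];` once the 201 rejections have run, assuming BIRD accepts the variable inside the set literal as the existing checks already rely on.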
@@ -0,0 +1,47 @@
+# 能带下游的上游(发布控制器)
+# 政策:发自己的+下游的
+
+function function_dn42_bgp_export_to_upstream1() {
+ if source !~ [RTS_STATIC, RTS_BGP] then return false;
+ if !is_dn42_prefix() then return false;
+ # 100禁止性过滤
+ if bgp_large_community ~ [(DN42_ASN, 100, 100)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 100, 200)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 200, 202)] then return false;
+ if source =RTS_STATIC then {
+ # 静态路由,允许 200,[0 2]
+ if bgp_large_community ~ [(DN42_ASN, 200, 0)] then return true;
+ if bgp_large_community ~ [(DN42_ASN, 200, 2)] then return true;
+ if bgp_large_community ~ [(DN42_ASN, 200, 1)] then return false;
+ }
+ if source = RTS_BGP then {
+ # BGP路由,允许 300,0
+ if bgp_large_community ~ [(DN42_ASN, 300, 0)] then return true;
+ }
+ return false;
+}
+
+
+function function_inet_control_bgp_upstream1(int peer_asn){
+ # 1.禁止带有 201 0 (禁止一切外发) 301 0(禁止下游段子转发)的发出去
+ if bgp_large_community ~ [(DN42_ASN, 201, 0)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 301, 0)] then return false;
+ # 2.禁止带有 201 peer asn (禁止向某一外发) 301 peer asn(禁止向某一外发下游)的发出去
+ if bgp_large_community ~ [(DN42_ASN, 201, peer_asn)] then return false;
+ if bgp_large_community ~ [(DN42_ASN, 301, peer_asn)] then return false;
+
+
+ # 3.不带202,0(允许全体外发),但是带有202,peer asn 放
+ if (bgp_large_community !~ [(DN42_ASN, 202, 0)]) then {
+ if bgp_large_community ~ [(DN42_ASN, 202, peer_asn)] then return true;
+ }
+ # 不带302 0,但是有302 peer asn的,放
+ if (bgp_large_community !~ [(DN42_ASN, 302, 0)]) then {
+ if bgp_large_community ~ [(DN42_ASN, 302, peer_asn)] then return true;
+ }
+
+ # 4.带有202,0(允许一切外发)和302 0的,放
+ if bgp_large_community ~ [(DN42_ASN, 202, 0)] then return true;
+ if bgp_large_community ~ [(DN42_ASN, 302, 0)] then return true;
+ return false;
+}
\ No newline at end of file
diff --git a/bird/filter/inet_downstream.conf b/bird/filter/inet_downstream.conf
index 5fc28bb..fd85cc7 100644
--- a/bird/filter/inet_downstream.conf
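Review bot: function_inet_control_bgp_upstream1 lives in dn42_upstream1.conf and tests DN42_ASN communities, so the `inet_` prefix is a naming slip; `function function_dn42_control_bgp_upstream1(int peer_asn){` keeps it parallel with function_dn42_control_bgp_upstream0 in the sibling file and avoids a future clash with an inet filter of the same name. As with upstream0, nothing in this patch calls it, so the 201/301 and 202/302 per-peer controls are inert unless each peer's export filter is overridden. The 100-series rejections also differ from upstream0 — this file drops (DN42_ASN, 200, 202) where upstream0 drops (DN42_ASN, 200, 201) — which looks deliberate but is undocumented; a comment such as `# 200,202: never announce to upstreams that carry our downstreams` at the check (if that is the meaning) would save the cross-file lookup. `if source =RTS_STATIC then {` is missing the space that the `source = RTS_BGP` line below uses.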
+++ b/bird/filter/inet_downstream.conf @@ -3,7 +3,7 @@ # 下游-发表控制器 function function_inet6_downstream_export() { - if is_bogon_prefix() || (bgp_path.len > 20) then reject; + if is_bogon_prefix() || (bgp_path.len > 20) then return false; # 硬性限制,没有1000,0的,不放 if bgp_large_community !~ [(LOCAL_ASN, 1000,0)] then return false; return true; diff --git a/bird/filter/inet_ibgp.conf b/bird/filter/inet_ibgp.conf index e700b24..4d725ca 100644 --- a/bird/filter/inet_ibgp.conf +++ b/bird/filter/inet_ibgp.conf @@ -1,27 +1,33 @@ -function function_inet4_ibgp_import() { +function function_inet_ibgp_import() { if is_self_net() then return false; if is_bogon_prefix() then return false; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; + if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then return false; + return true; +} + +function function_inet_ibgp_export() { + if is_self_net() then return false; + if is_bogon_prefix() then return false; + if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then return false; + return true; +} + +function function_inet4_ibgp_import() { + if !function_inet_ibgp_import() then return false; return true; } function function_inet4_ibgp_export() { - if is_self_net() then return false; - if is_bogon_prefix() then return false; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; + if !function_inet_ibgp_export() then return false; return true; } function function_inet6_ibgp_import() { - if is_self_net() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; + if !function_inet_ibgp_import() then return false; return true; } function function_inet6_ibgp_export() { - if is_self_net() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; + if !function_inet_ibgp_export() then return false; return true; } \ No newline at end of file diff --git a/bird/function/unet.conf b/bird/function/unet.conf index 721fa2d..99485c2 100644 
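Review bot: Each of the four per-family wrappers in inet_ibgp.conf now reads `if !function_inet_ibgp_import() then return false; return true;`, which is simply `return function_inet_ibgp_import();` (and likewise for export); collapsing them makes the shared-body refactor easier to read and removes eight near-duplicate lines. The new shared functions carry no comment on why (LOCAL_ASN, 1,*) routes are excluded from iBGP; a one-liner above function_inet_ibgp_import would help the next reader. The file still ends without a trailing newline.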
--- a/bird/function/unet.conf +++ b/bird/function/unet.conf @@ -21,6 +21,6 @@ function is_unet_self_net() { case net.type { NET_IP4: return net ~ is_unet_self_IPv4; NET_IP6: return net ~ is_unet_self_IPv6; - else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false; + else: print "is_unet_prefix: unexpected net.type ", net.type, " ", net; return false; } } diff --git a/bird/net/dn42.conf b/bird/net/dn42.conf index 1d247b3..45d0609 100644 --- a/bird/net/dn42.conf +++ b/bird/net/dn42.conf @@ -1,12 +1,12 @@ protocol pipe dn42v4_sync { table dn42v4; - peer table t102v4; + peer table master4; export filter { if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject; if !is_dn42_prefix() then reject; bgp_community.empty; bgp_large_community.empty; - bgp_large_community.add((UNET_ASN,10,10204)); + bgp_large_community.add((UNET_ASN,10,4)); krt_prefsrc = DN42_V4_kernel; accept; }; @@ -15,13 +15,13 @@ protocol pipe dn42v4_sync { protocol pipe dn42v6_sync { table dn42v6; - peer table t102v6; + peer table master6; export filter { if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject; if !is_dn42_prefix() then reject; bgp_community.empty; bgp_large_community.empty; - bgp_large_community.add((UNET_ASN,10,10206)); + bgp_large_community.add((UNET_ASN,10,6)); krt_prefsrc = DN42_V6_kernel; accept; }; diff --git a/bird/template/dn42.conf b/bird/template/dn42.conf index f9ab282..1db8e48 100644 --- a/bird/template/dn42.conf +++ b/bird/template/dn42.conf @@ -6,7 +6,6 @@ template bgp dn42_bgp_up { import filter { if !is_dn42_prefix() then reject; if is_dn42_self_net() then reject; - bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp accept; }; export filter { @@ -23,7 +22,6 @@ template bgp dn42_bgp_up { import filter { if !is_dn42_prefix() then reject; if is_dn42_self_net() then reject; - bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp accept; }; export filter { 
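Review bot: The corrected print string still names the wrong function: the `else:` branch sits inside is_unet_self_net (visible only as the hunk's context label, so the function starts outside the hunk), yet the message says `is_unet_prefix`, which would send a reader chasing a different function when it fires. `else: print "is_unet_self_net: unexpected net.type ", net.type, " ", net; return false;` names the caller correctly.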
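Review bot: Switching both pipes to `peer table master4` / `peer table master6` connects the dn42 tables to the main tables, and the visible pipe blocks show only an export filter; if the import direction is left at its default, routes present in master4/master6 would flow into dn42v4/dn42v6 and become exportable under the dn42 filters — I cannot confirm from this patch whether an `import none;` or an import filter exists in the part of each pipe that the hunks do not show. If it does not, add `import none;` (or the intended filter) next to `peer table` in both dn42v4_sync and dn42v6_sync; the second hunk repeats the same change for the v6 pipe. A comment on the new (UNET_ASN,10,4) / (UNET_ASN,10,6) tags noting that kernel_main6 in bird.conf keys on them would tie the two files together.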
diff --git a/bird/template/dn42_new.conf b/bird/template/dn42_new.conf
new file mode 100644
index 0000000..dd442e2
--- /dev/null
+++ b/bird/template/dn42_new.conf
@@ -0,0 +1,67 @@
+template bgp dn42_up0_new {
+ graceful restart;
+ local as LOCAL_ASN;
+ ipv4 {
+ table dn42v4;
+ import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+ export filter {if !function_dn42_bgp_export_to_upstream0() then reject; accept; };
+ };
+ ipv6 {
+ table dn42v6;
+ import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+ export filter {if !function_dn42_bgp_export_to_upstream0() then reject; accept; };
+ };
+}
+
+template bgp dn42_up1_new {
+ graceful restart;
+ local as LOCAL_ASN;
+ ipv4 {
+ table dn42v4;
+ import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+ export filter {if !function_dn42_bgp_export_to_upstream1() then reject; accept; };
+ };
+ ipv6 {
+ table dn42v6;
+ import filter {if !function_dn42_bgp_import_from_upstream() then reject; accept; };
+ export filter {if !function_dn42_bgp_export_to_upstream1() then reject; accept; };
+ };
+}
+
+template bgp dn42_ibgp_new {
+ graceful restart;
+ local as LOCAL_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table dn42v4;
+ next hop self;
+ gateway direct;
+ import filter {if !function_dn42_ibgp_import() then reject; accept; };
+ export filter {if !function_dn42_ibgp_export() then reject; accept; };
+ };
+ ipv6 {
+ table dn42v6;
+ next hop self;
+ gateway direct;
+ import filter {if !function_dn42_ibgp_import() then reject; accept; };
+ export filter {if !function_dn42_ibgp_export() then reject; accept; };
+ };
+}
+
+
+template bgp dn42_ibgp_mp_new {
+ graceful restart;
+ local as LOCAL_ASN;
+ med metric;
+ ipv4 {
+ table dn42v4;
+ import filter {if !function_dn42_ibgp_import() then reject; accept; };
+ export filter {if !function_dn42_ibgp_export() then reject; accept; };
+ };
+ ipv6 {
+ table dn42v6;
+ import filter {if !function_dn42_ibgp_import() then reject; accept; };
+ export filter {if !function_dn42_ibgp_export() then reject; accept; };
+ };
+}
\ No newline at end of file
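Review bot: All four templates run routes through the shared import/export functions, but none applies function_dn42_control_bgp_upstream0 or function_inet_control_bgp_upstream1 with the peer's ASN, so unless every protocol built on dn42_up0_new / dn42_up1_new overrides `export filter`, the per-peer 201/202 (and 301/302) communities defined in the filter files never take effect; a comment at the top of each upstream template saying whether the protocol block is expected to override the filter would make that explicit. The two external-session templates also set no `import limit`, so a misbehaving upstream can grow dn42v4/dn42v6 without bound; `import limit` with `action block` on dn42_up0_new and dn42_up1_new, sized to the dn42 table, is the usual guard. A short header comment per template (`# full-table upstream, announces only our own prefixes`, `# upstream that also carries our downstreams`, as the filter files already say) would carry the policy over from dn42_upstream0/1.conf, and the file should end with a newline.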
diff --git a/update.sh b/update.sh index 6914808..958347b 100644 --- a/update.sh +++ b/update.sh @@ -6,17 +6,17 @@ git clone https://git.nia.ink/brnet/bird_config.git rm /etc/bird/bird.conf mv ./bird_config/bird/bird.conf /etc/bird/bird.conf +rm /etc/bird/filter/*.conf +mv ./bird_config/bird/filter/*.conf /etc/bird/filter/ + +rm /etc/bird/function/unet.conf +mv ./bird_config/bird/function/unet.conf /etc/bird/function/unet.conf + rm /etc/bird/net/dn42.conf mv ./bird_config/bird/net/dn42.conf /etc/bird/net/dn42.conf -rm /etc/bird/net/inet.conf -mv ./bird_config/bird/net/inet.conf /etc/bird/net/inet.conf - -rm /etc/bird/net/unet.conf -mv ./bird_config/bird/net/unet.conf /etc/bird/net/unet.conf - -rm /etc/bird/function/tables.conf -mv ./bird_config/bird/function/tables.conf /etc/bird/function/tables.conf +rm /etc/bird/template/*.conf +mv ./bird_config/bird/template/*.conf /etc/bird/template/ birdc c cd
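Review bot: The new `rm /etc/bird/filter/*.conf` and `rm /etc/bird/template/*.conf` run unconditionally, so if the `git clone` named in the hunk's context label (at the top of the script, outside this hunk) fails or lands without those directories, the live filter and template directories are emptied, the following `mv` fails, and `birdc c` reloads a config whose includes no longer exist. Guarding each pair, e.g. `[ -d ./bird_config/bird/filter ] || exit 1` before the `rm`, or a `set -e` at the top of the script, keeps a failed fetch from taking the router's policy down; whether `set -e` is already present is not visible here. The directory-wide globs also delete any locally added filter/template files the repository does not ship; if that is intended, a comment above the `rm` saying so would stop the next maintainer from treating it as a bug.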