diff --git a/bird/bird.conf b/bird/bird.conf
index 7e74b17..bf19ab2 100644
--- a/bird/bird.conf
+++ b/bird/bird.conf
@@ -13,8 +13,8 @@ protocol kernel {
 import none;
 export filter {
 if source = RTS_STATIC then reject;
- if !is_bogon_prefix() then {
- krt_prefsrc = LOCAL_V6_kernel;
+ if is_dn42_prefix() then {
+ krt_prefsrc = DN42_V6_kernel;
 accept;
 }
 reject;
@@ -33,8 +33,8 @@ protocol kernel {
 krt_prefsrc = UNET_V4_kernel;
 accept;
 }
- if !is_bogon_prefix() then {
- krt_prefsrc = LOCAL_V4_kernel;
+ if is_dn42_prefix() then {
+ krt_prefsrc = DN42_V4_kernel;
 accept;
 }
 reject;
diff --git a/bird/conf/aaa_ipconfig.conf b/bird/conf/aaa_ipconfig.conf
new file mode 100644
index 0000000..0d6c8a6
--- /dev/null
+++ b/bird/conf/aaa_ipconfig.conf
@@ -0,0 +1,42 @@
+function is_self_net() {
+ return net ~ [
+ 44.32.191.0/24
+ ];
+}
+
+
+function is_self_net_v6() {
+ return net ~ [
+ 2406:840:e600::/44{44,48},
+ 2a0f:1cc5:10::/44{44,48}
+ ];
+}
+
+
+function unet_is_self_net() {
+ return net ~ [
+ 10.188.6.0/23+,
+ 10.188.5.124/30,
+ 44.32.191.16/28,
+ 44.32.191.7/32
+ ];
+}
+
+function unet_is_self_net_v6() {
+ return net ~ [
+ 2406:840:e603::/48{48,56},
+ 2406:840:e60e::/56
+ ];
+}
+
+function dn42_is_self_net() {
+ return net ~ [
+ 172.20.21.0/26+
+ ];
+}
+
+function dn42_is_self_net_v6() {
+ return net ~ [
+ fde8:936e:ee29::/48+
+ ];
+}
diff --git a/bird/conf/dn42.conf b/bird/conf/dn42.conf
new file mode 100644
index 0000000..349163d
--- /dev/null
+++ b/bird/conf/dn42.conf
@@ -0,0 +1,28 @@
+protocol static route_dn42_export_v4 {
+ route 172.20.21.0/26 reject;
+
+ ipv4 {
+ table dn42v4;
+ import filter {
+ bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
+
+protocol static route_dn42_export_v6 {
+ route fde8:936e:ee29::/48 reject;
+ ipv6 {
+ table dn42v6;
+ import filter {
+ bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
\ No newline at end of file
diff --git a/bird/conf/inet_func.conf b/bird/conf/inet_func.conf
deleted file mode 100644
index eee9599..0000000
--- a/bird/conf/inet_func.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-function is_self_net() {
- return net ~ [
- 44.32.191.0/24
- ];
-}
-
-
-function is_self_net_v6() {
- return net ~ [
- 2406:840:e600::/44{44,48},
- 2a0f:1cc5:10::/44{44,48}
- ];
-}
diff --git a/bird/conf/unet.conf b/bird/conf/unet.conf
index 4fc6c90..0961ae1 100644
--- a/bird/conf/unet.conf
+++ b/bird/conf/unet.conf
@@ -1,13 +1,3 @@
-
-function unet_is_self_net() {
- return net ~ [
- 10.188.6.0/23+,
- 10.188.5.124/30,
- 44.32.191.16/28,
- 44.32.191.7/32
- ];
-}
-
 protocol static route_unet_export_v4 {
 route 10.188.6.0/23 reject;
 route 10.188.5.124/30 reject;
@@ -25,14 +15,6 @@ protocol static route_unet_export_v4 {
 };
 }
 
-
-function unet_is_self_net_v6() {
- return net ~ [
- 2406:840:e603::/48{48,56},
- 2406:840:e60e::/56
- ];
-}
-
 protocol static route_unet_export_v6 {
 route 2406:840:e603::/48 reject;
 route 2406:840:e60e::/56 reject;
diff --git a/bird/function/dn42.conf b/bird/function/dn42.conf
new file mode 100644
index 0000000..960b18f
--- /dev/null
+++ b/bird/function/dn42.conf
@@ -0,0 +1,14 @@
+define DN42_PREFIXES_V4 = [
+ 172.20.0.0/14+
+];
+define DN42_PREFIXES_V6 = [
+ fd00::/8+
+];
+
+function is_dn42_prefix() {
+ case net.type {
+ NET_IP4: return net ~ DN42_PREFIXES_V4;
+ NET_IP6: return net ~ DN42_PREFIXES_V6;
+ else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false;
+ }
+}
\ No newline at end of file
diff --git a/bird/function/tables.conf b/bird/function/tables.conf
index d25a505..ce9c19d 100644
--- a/bird/function/tables.conf
+++ b/bird/function/tables.conf
@@ -1,6 +1,8 @@
 ipv4 table inet4;
 ipv6 table inet6;
-ipv4 table ospf4;
-ipv6 table ospf6;
+ipv4 table dn42v4;
+ipv6 table dn42v6;
 ipv4 table unet4;
-ipv6 table unet6;
\ No newline at end of file
+ipv6 table unet6;
+ipv4 table ospf4;
+ipv6 table ospf6;
\ No newline at end of file
diff --git a/bird/function/unet.conf b/bird/function/unet.conf
index 5ca6a47..5a7515a 100644
--- a/bird/function/unet.conf
+++ b/bird/function/unet.conf
@@ -10,7 +10,7 @@ function unet_is_valid_network_v4() {
 function unet_is_valid_network_v4_anynet() {
 return net ~ [
 44.32.191.0/24+,
- 172.20.0.0/14+
+ 172.20.21.0/26+
 ];
 }
 
@@ -23,6 +23,7 @@ function unet_is_valid_network_v4_allnet(){
 function unet_is_voalid_net_v6(){
 return net ~ [
 2406:840:e600::/44{44,64},
- 2a0f:1cc5:0010::/44{44,64}
+ 2a0f:1cc5:0010::/44{44,64},
+ fde8:936e:ee29::/48{44,64}
 ];
 }
\ No newline at end of file
diff --git a/bird/net/dn42.conf b/bird/net/dn42.conf
new file mode 100644
index 0000000..fcaa521
--- /dev/null
+++ b/bird/net/dn42.conf
@@ -0,0 +1,17 @@
+protocol pipe dn42v4_sync {
+ table dn42v4;
+ peer table master4;
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe dn42v6_sync {
+ table dn42v6;
+ peer table master6;
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
+ accept;
+ };
+}
\ No newline at end of file
diff --git a/bird/net/inet.conf b/bird/net/inet.conf
new file mode 100644
index 0000000..993723c
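Review bot: `172.20.0.0/14+` and `fd00::/8+` in bird/function/dn42.conf put no bound on prefix length, so is_dn42_prefix() accepts anything from the covering aggregate down to single-host routes. The function gates the dn42_bgp_up import filters and the kernel export in bird.conf, so a peer could announce the whole /14 or /8, or fill the 9000-route import limit with /32s and /128s. Consider length-bounded patterns in the style this commit already uses elsewhere, for example `fd00::/8{44,64}` for IPv6 and a comparable range for the IPv4 set; the exact bounds are a policy choice to confirm against the DN42 registry rules.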
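Review bot: In unet_is_voalid_net_v6 (bird/function/unet.conf, second hunk) the new entry `fde8:936e:ee29::/48{44,64}` has a lower length bound shorter than the prefix itself, which looks copied from the two /44 entries above it. As I read BIRD's prefix-pattern rules, only the first min(len, 48) bits are compared, so a covering /44 to /47 route would match as well. `fde8:936e:ee29::/48{48,64}` keeps the match inside the allocation.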
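Review bot: dn42v4_sync and dn42v6_sync in bird/net/dn42.conf set only an export filter, while every pipe added in bird/net/unet.conf by this commit states `import none;`. If the pipe channel's import default is `all`, as I believe it is in BIRD 2, everything in master4/master6, including what unet4_sync exports there, flows back into dn42v4/dn42v6, where the DN42 BGP export filters will consider it. Add `import none;` (or an explicit import filter) to both pipes so the direction is stated rather than inherited.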
--- /dev/null
+++ b/bird/net/inet.conf
@@ -0,0 +1,34 @@
+protocol kernel {
+ scan time 20;
+ kernel table 102;
+ ipv4 {
+ table inet4;
+ import none;
+ export filter {
+ if source = RTS_STATIC then reject;
+ if !is_bogon_prefix() then {
+ krt_prefsrc = LOCAL_V4_kernel;
+ accept;
+ }
+ reject;
+ };
+ };
+};
+
+
+protocol kernel {
+ scan time 20;
+ kernel table 102;
+ ipv6 {
+ table inet6;
+ import none;
+ export filter {
+ if source = RTS_STATIC then reject;
+ if !is_bogon_prefix() then {
+ krt_prefsrc = LOCAL_V6_kernel;
+ accept;
+ }
+ reject;
+ };
+ };
+};
\ No newline at end of file
diff --git a/bird/net/inet4.conf b/bird/net/inet4.conf
deleted file mode 100644
index 0350c92..0000000
--- a/bird/net/inet4.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-protocol kernel {
- scan time 20;
- kernel table 102;
- merge paths yes limit 4;
- ipv4 {
- table inet4;
- import none;
- export filter {
- if source = RTS_STATIC then reject;
- if !is_bogon_prefix() then {
- krt_prefsrc = LOCAL_V4_kernel;
- accept;
- }
- reject;
- };
- };
-};
\ No newline at end of file
diff --git a/bird/net/inet6.conf b/bird/net/inet6.conf
deleted file mode 100644
index 9d00e1e..0000000
--- a/bird/net/inet6.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-protocol pipe inet6_sync {
- table inet6;
- peer table master6;
- export filter {
- if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject;
- accept;
- };
- import none;
-}
\ No newline at end of file
diff --git a/bird/net/ospf.conf b/bird/net/ospf.conf
index e178521..a9a208f 100644
--- a/bird/net/ospf.conf
+++ b/bird/net/ospf.conf
@@ -1,6 +1,6 @@
 protocol pipe ospf4_sync {
 table ospf4;
- peer table master4;
+ peer table unet4;
 export filter {
 if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
 accept;
@@ -10,7 +10,7 @@ protocol pipe ospf4_sync {
 
 protocol pipe ospf6_sync {
 table ospf6;
- peer table master6;
+ peer table unet6;
 export filter {
 if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
 accept;
diff --git a/bird/net/unet.conf b/bird/net/unet.conf
index 75fa550..a9e1883 100644
--- a/bird/net/unet.conf
+++ b/bird/net/unet.conf
@@ -1,18 +1,63 @@
+# 公网处理
+protocol pipe unet4_inet4_sync {
+ table unet4;
+ peer table inet4;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ if is_bogon_prefix() then reject;
+ bgp_path.empty;
+ accept;
+ };
+ import none;
+}
+
+protocol pipe unet6_inet6_sync {
+ table unet6;
+ peer table inet6;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ if is_bogon_prefix() then reject;
+ bgp_path.empty;
+ accept;
+ };
+ import none;
+}
+
+
+# DN42处理
+protocol pipe unet4_dn42v4_sync {
+ table unet4;
+ peer table dn42v4;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ bgp_path.empty;
+ accept;
+ };
+ import none;
+}
+
+protocol pipe unet6_dn42v6_sync {
+ table unet6;
+ peer table dn42v6;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ bgp_path.empty;
+ accept;
+ };
+ import none;
+}
+
+
+# 剩下的进入master (只有V4)
 protocol pipe unet4_sync {
 table unet4;
 peer table master4;
 export filter {
 if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ if !unet_is_valid_network_v4() then reject;
 accept;
 };
 import none;
-}
-protocol pipe unet6_sync {
- table unet6;
- peer table master6;
- export filter {
- if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
- accept;
- };
- import none;
 }
\ No newline at end of file
diff --git a/bird/peers/dn42/ibgp.conf b/bird/peers/dn42/ibgp.conf
new file mode 100644
index 0000000..7c9972a
--- /dev/null
+++ b/bird/peers/dn42/ibgp.conf
@@ -0,0 +1,4 @@
+protocol bgp ibgp_unet_hk1 from dn42_ibgp {
+ source address fe80:15:3376:3::2:2;
+ neighbor fe80:15:3376:3::3:2%pccw1 as DN42_ASN;
+}
\ No newline at end of file
diff --git a/bird/template/dn42.conf b/bird/template/dn42.conf
new file mode 100644
index 0000000..e821d45
--- /dev/null
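Review bot: `bgp_path.empty;` in unet4_dn42v4_sync and unet6_dn42v6_sync (bird/net/unet.conf) strips the AS path from every unet route inside the DN42 ranges before it lands in dn42v4/dn42v6. As far as I can tell those routes keep source RTS_BGP, and the dn42_bgp_up export filter added in bird/template/dn42.conf accepts `source ~ [RTS_STATIC, RTS_BGP]`, so they would be announced to DN42 peers as if this AS originated them, with path-based loop detection lost. The inet pipes empty the path too, but filter_inet4_bgp_export and filter_inet6_bgp_export require RTS_STATIC, so nothing is re-announced there. If the copy is only meant for local forwarding, tag it in the pipe with a dedicated community, for example `bgp_large_community.add((DN42_ASN, <no-export-tag>, 0));`, and reject that tag in the dn42_bgp_up export filters.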
+++ b/bird/template/dn42.conf
@@ -0,0 +1,63 @@
+template bgp dn42_bgp_up {
+ graceful restart;
+ local as DN42_ASN;
+ ipv4 {
+ table dn42v4;
+ import filter {
+ if is_dn42_prefix() && !dn42_is_self_net() then accept;
+ reject;
+ };
+ export filter { if is_dn42_prefix() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
+ import limit 9000 action block;
+ };
+ ipv6 {
+ table dn42v6;
+ import filter {
+ if is_dn42_prefix() && !dn42_is_self_net_v6() then accept;
+ reject;
+ };
+ export filter { if is_dn42_prefix() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
+ import limit 9000 action block;
+ };
+}
+
+template bgp dn42_ibgp {
+ graceful restart;
+ local as DN42_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table dn42v4;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ if dn42_is_self_net() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ if dn42_is_self_net() then reject;
+ accept;
+ };
+ };
+ ipv6 {
+ table dn42v6;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ if dn42_is_self_net_v6() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !is_dn42_prefix() then reject;
+ if dn42_is_self_net_v6() then reject;
+ accept;
+ };
+ };
+}
\ No newline at end of file
diff --git a/bird/template/include.conf b/bird/template/include.conf
index 86d9008..be13aab 100644
--- a/bird/template/include.conf
+++ b/bird/template/include.conf
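Review bot: The dn42_bgp_up import filters accept any route that passes is_dn42_prefix() and is not the local net, without the two safeguards the inet import filters in this commit have: an AS-path length cap and a reset of peer-supplied large communities. Since the pipes and dn42_ibgp act on (DN42_ASN,1,*) and (DN42_ASN,3,*), a peer that sets those values itself can steer local policy. Suggested additions at the top of both import filters: `if bgp_path.len > 100 then reject;` and `bgp_large_community.empty;` (or a delete limited to the DN42_ASN namespace). Nothing in the filter validates the announcing origin either; an origin check against a ROA table is worth adding if one is available for DN42.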
@@ -2,6 +2,8 @@ include "/etc/bird/template/inet.conf"; include "/etc/bird/template/inet_ixp.conf"; include "/etc/bird/peers/inet/*"; +include "/etc/bird/template/dn42.conf"; +include "/etc/bird/peers/dn42/*.conf"; include "/etc/bird/template/unet.conf"; include "/etc/bird/peers/unet/*.conf"; diff --git a/bird/template/inet.conf b/bird/template/inet.conf index 6c0c5a7..fc7893b 100644 --- a/bird/template/inet.conf +++ b/bird/template/inet.conf 
@@ -1,23 +1,88 @@
+filter filter_inet4_bgp_import {
+ if is_self_net() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ bgp_large_community.empty;
+ bgp_large_community.add((LOCAL_ASN,200,0));
+ accept;
+}
+
+filter filter_inet4_bgp_export {
+ if !is_self_net() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ if source != RTS_STATIC then reject;
+ if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
+ bgp_large_community.empty;
+ accept;
+}
+
+filter filter_inet6_bgp_import {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ bgp_large_community.empty;
+ bgp_large_community.add((LOCAL_ASN,200,0));# 传输到Ebgp
+ accept;
+}
+
+filter filter_inet6_bgp_export {
+ if !is_self_net_v6() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ if source != RTS_STATIC then reject;
+ if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
+ bgp_large_community.empty;
+ accept;
+}
+
+filter filter_inet4_ibgp_import {
+ if is_self_net() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+}
+
+filter filter_inet4_ibgp_export {
+ if is_self_net() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+}
+
+filter filter_inet6_ibgp_import {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+}
+
+filter filter_inet6_ibgp_export {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+}
+
+
+template bgp tpl_inet_up {
+ graceful restart;
+ local as LOCAL_ASN;
+ ipv4 {
+ table inet4;
+ import filter_inet4_bgp_import;
+ export filter_inet4_bgp_export;
+ };
+ ipv6 {
+ table inet6;
+ import filter_inet6_bgp_import;
+ export filter_inet6_bgp_export;
+ };
+}
+
 template bgp tpl_inet4_up {
 graceful restart;
 local as LOCAL_ASN;
 ipv4 {
 table inet4;
- import filter {
- if is_self_net() then reject;
- if is_bogon_prefix() || (bgp_path.len > 100) then reject;
- bgp_large_community.empty;
- bgp_large_community.add((LOCAL_ASN,200,0));
- accept;
- };
- export filter {
- if !is_self_net() then reject;
- if is_bogon_prefix() || (bgp_path.len > 100) then reject;
- if source != RTS_STATIC then reject;
- if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
- bgp_large_community.empty;
- accept;
- };
+ import filter_inet4_bgp_import;
+ export filter_inet4_bgp_export;
 };
 }
 
@@ -26,21 +91,29 @@ template bgp tpl_inet6_up {
 local as LOCAL_ASN;
 ipv6 {
 table inet6;
- import filter {
- if is_self_net_v6() then reject;
- if is_bogon_prefix() || (bgp_path.len > 100) then reject;
- bgp_large_community.empty;
- bgp_large_community.add((LOCAL_ASN,200,0));# 传输到Ebgp
- accept;
- };
- export filter {
- if !is_self_net_v6() then reject;
- if is_bogon_prefix() || (bgp_path.len > 100) then reject;
- if source != RTS_STATIC then reject;
- if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
- bgp_large_community.empty;
- accept;
- };
+ import filter_inet6_bgp_import;
+ export filter_inet6_bgp_export;
+ };
+}
+
+template bgp tpl_inet_ibgp {
+ graceful restart;
+ local as LOCAL_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table inet4;
+ next hop self;
+ gateway direct;
+ import filter_inet4_ibgp_import;
+ export filter_inet4_ibgp_export;
+ };
+ ipv6 {
+ table inet6;
+ next hop self;
+ gateway direct;
+ import filter_inet6_ibgp_import;
+ export filter_inet6_ibgp_export;
 };
 }
 
@@ -53,18 +126,8 @@ template bgp tpl_inet4_ibgp { table inet4; next hop self; gateway direct; - import filter { - if is_self_net() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; - accept; - }; - export filter { - if is_self_net() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; - accept; - }; + import filter_inet4_ibgp_import; + export filter_inet4_ibgp_export; }; } @@ -77,17 +140,7 @@ template bgp tpl_inet6_ibgp { table inet6; next hop self; gateway direct; - import filter { - if is_self_net_v6() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; - accept; - }; - export filter { - if is_self_net_v6() then reject; - if is_bogon_prefix() then reject; - if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject; - accept; - }; + import filter_inet6_ibgp_import; + export filter_inet6_ibgp_export; }; -} +} \ No newline at end of file diff --git a/bird/vars.conf b/bird/vars.conf index b041e01..0ad91d0 100644 --- a/bird/vars.conf +++ b/bird/vars.conf @@ -2,6 +2,10 @@ define LOCAL_ASN = 153376; define LOCAL_V4_kernel = 44.32.191.7; define LOCAL_V6_kernel = 2406:840:e603::1; +define DN42L_ASN = 4242423376; +define DN42_V4_kernel = 172.20.21.7; +define DN42_V6_kernel = fde8:936e:ee29:3000::1; + define UNET_ASN = 4218818801; define UNET_V4_kernel = 10.188.6.2; diff --git a/update.sh b/update.sh index 484b906..167a5db 100644 --- a/update.sh +++ b/update.sh 
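Review bot: The constant added in bird/vars.conf is spelled `DN42L_ASN`, but every file this commit adds (conf/dn42.conf, net/dn42.conf, template/dn42.conf, peers/dn42/ibgp.conf) references `DN42_ASN`. Unless `DN42_ASN` is defined in a part of the configuration not shown here, BIRD will reject the configuration on the undefined symbol when it is loaded. Suggested line: `define DN42_ASN = 4242423376;`.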
@@ -2,16 +2,25 @@ cd git clone https://git.nia.ink/brnet/bird_config.git +rm -rf /etc/bird/net/ +mv ./bird_config/bird/net /etc/bird/ -rf + +rm -rf /etc/bird/function/ +mv ./bird_config/bird/function /etc/bird/ -rf + +rm -rf /etc/bird/template/ +mv ./bird_config/bird/template /etc/bird/ -rf +mv ./bird_config/bird/peers/dn42 /etc/bird/peers -rf + + rm -rf /etc/bird/bird.conf -mv bird_config/bird/bird.conf /etc/bird - - -rm -rf /etc/bird/template -mv bird_config/bird/template /etc/bird +mv ./bird_config/bird/bird.conf /etc/bird/ +mv ./bird_config/bird/conf/dn42.conf /etc/bird/conf +mv ./bird_config/bird/conf/aaa_ipconfig.conf /etc/bird/conf chmod -R 755 /etc/bird -echo "老规矩哈" +echo "剩下的文件可能需要手动更新,请手动更新后再行birdc c" cd rm -rf bird_config
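Review bot: Each `rm -rf /etc/bird/<dir>/` in update.sh runs unconditionally before its `mv`, and as far as this hunk shows the script has no `set -e`, so a failed `git clone` or a failed move leaves the router without its net, function or template tree. The moves themselves look likely to fail, because `mv` has no `-r` option; the trailing `-rf` should be `-f` or dropped. The clone also installs whatever the remote's default branch holds at that moment as routing policy, with no pinned revision and no `bird -p` parse check before the operator runs `birdc c`. The script starts above this hunk, so the shebang and any existing error handling are not visible.

```shell
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
git clone https://git.nia.ink/brnet/bird_config.git "$workdir/bird_config"
src="$workdir/bird_config/bird"

# replace a live directory only once its replacement is known to exist
for dir in net function template; do
    [ -d "$src/$dir" ] || { echo "missing $dir in checkout" >&2; exit 1; }
    rm -rf "/etc/bird/$dir"
    mv "$src/$dir" /etc/bird/
done
# … peers/dn42, bird.conf and conf/*.conf moves as in the hunk, without -rf and reading from "$src" …
# … unchanged: chmod …
bird -p -c /etc/bird/bird.conf
```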