change 4.0

2026-04-14 12:16:31 +08:00
parent 0b3d5d7d00
commit 6f634771cb
13 changed files with 234 additions and 84 deletions
--- a/bird/filter/inet_downstream.conf
+++ b/bird/filter/inet_downstream.conf
@@ -1,15 +1,18 @@
-# 下游-收表控制器
+# 下游过滤器
-function function_inet6_downstream_import() {
+# 政策：发全表，只收下游和关联下游的
    if is_bogon_prefix() || (bgp_path.len > 100) then return false;
    bgp_large_community.add((LOCAL_ASN,200,0));
    return true;
 }
 # 下游-发表控制器
 function function_inet6_downstream_export() {
-    # 过滤掉begon和过长的段子（太长了下游受不了）
+    if is_bogon_prefix() || (bgp_path.len > 20) then reject;
-    if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+    # 硬性限制，没有1000,0的，不放
-    # BGP发出底线防控
+    if bgp_large_community !~ [(LOCAL_ASN, 1000,0)] then return false;     
-    if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then return false;     
+    return true;
 }
 # 下游-收表控制器
 # 注意，配置下游时候，一定要注意手打一个 300 0 ，不然发不出去
 function function_inet6_downstream_import() {
    if is_bogon_prefix() || (bgp_path.len > 20) then return false;
    return true;
 }
--- a/bird/filter/inet_filter.conf
+++ b/bird/filter/inet_filter.conf
@@ -1,29 +0,0 @@
 function function_inet4_bgp_import() {
    if is_self_net() then return false;
    if is_bogon_prefix() || (bgp_path.len > 100) then return false;
    bgp_large_community.add((LOCAL_ASN,200,0));
    return true;
 }
 function function_inet4_bgp_export() {
    if !is_self_net() then return false;
    if is_bogon_prefix() || (bgp_path.len > 100) then reject;
    if source != RTS_STATIC then reject;
    if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then return false;     
    return true;
 }
 function function_inet6_bgp_import() {
    if is_self_net() then return false;
    if is_bogon_prefix() || (bgp_path.len > 100) then return false;
    bgp_large_community.add((LOCAL_ASN,200,0));
    return true;
 }
 function function_inet6_bgp_export() {
    if !is_self_net() then return false;
    if is_bogon_prefix() || (bgp_path.len > 100) then reject;
    if source != RTS_STATIC then reject;
    if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then return false;     
    return true;
 }
--- a/bird/filter/inet_import.conf
+++ b/bird/filter/inet_import.conf
@@ -0,0 +1,10 @@
 # 对上游接收过滤器
 # 政策：全网照单接受
 function function_inet_bgp_import_from_upstream() {
    if is_self_net() then return false;
    if is_bogon_prefix() || (bgp_path.len > 20) then return false;
    # 允许转发给下游
    bgp_large_community.add((LOCAL_ASN,1000,0));
    return true;
 }
--- a/bird/filter/inet_upstream0.conf
+++ b/bird/filter/inet_upstream0.conf
@@ -0,0 +1,34 @@
 # 普通上游（发布控制器）
 # 政策：只发自己的
 function function_inet_bgp_export_to_upstream0() {
    if !is_self_net() then return false;
    if is_bogon_prefix() then return false;
    if source != RTS_STATIC then return false;
    # 100禁止性过滤
    if bgp_large_community ~ [(LOCAL_ASN, 100, 100)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 100, 200)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 200, 201)] then return false;
    # 前置过滤：允许自己的段子-所有上游和普通上游
    if bgp_large_community ~ [(LOCAL_ASN, 200, 0)] then return true;
    if bgp_large_community ~ [(LOCAL_ASN, 200, 1)] then return true;
    if bgp_large_community ~ [(LOCAL_ASN, 200, 2)] then return false;
    return false;
 }
 function function_inet_control_bgp_upstream0(int peer_asn){
    # 1.禁止带有 201 0 (禁止一切外发)的发出去
    if bgp_large_community ~ [(LOCAL_ASN, 201, 0)] then return false;
    # 2.禁止带有 201 peer asn (禁止向某一外发)的发出去
    if bgp_large_community ~ [(LOCAL_ASN, 201, peer_asn)] then return false;
    # 3.不带202,0(允许全体外发)，但是带有202,peer asn（允许单一外发）的，放
    if (bgp_large_community !~ [(LOCAL_ASN, 202, 0)]) then {
        if bgp_large_community ~ [(LOCAL_ASN, 202, peer_asn)] then return true;
    }
    # 4.带有202,0（允许一切外发）的，放
    if bgp_large_community ~ [(LOCAL_ASN, 202, 0)] then return true;
    return false;
 }
--- a/bird/filter/inet_upstream1.conf
+++ b/bird/filter/inet_upstream1.conf
@@ -0,0 +1,48 @@
 # 能带下游的上游（发布控制器）
 # 政策：发自己的+下游的
 function function_inet_bgp_export_to_upstream1() {
    if source !~ [RTS_STATIC, RTS_BGP] then return false;
    if is_bogon_prefix() then return false;
    if bgp_large_community !~ [(LOCAL_ASN, 200, 0)] then return false;
    # 100禁止性过滤
    if bgp_large_community ~ [(LOCAL_ASN, 100, 100)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 100, 200)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 200, 202)] then return false;
    if source == RTS_STATIC then {
        # 静态路由，允许 200，[0 2]
        if bgp_large_community ~ [(LOCAL_ASN, 200, 0)] then return true;
        if bgp_large_community ~ [(LOCAL_ASN, 200, 2)] then return true;
        if bgp_large_community ~ [(LOCAL_ASN, 200, 1)] then return false;
    };
    if source == RTS_BGP then {
        # BGP路由，允许 300，0
        if bgp_large_community ~ [(LOCAL_ASN, 300, 0)] then return true;
    }
    return false;
 }
 function function_inet_control_bgp_upstream1(int peer_asn){
    # 1.禁止带有 201 0 (禁止一切外发)  301 0（禁止下游段子转发）的发出去
    if bgp_large_community ~ [(LOCAL_ASN, 201, 0)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 301, 0)] then return false;
    # 2.禁止带有 201 peer asn (禁止向某一外发) 301 peer asn（禁止向某一外发下游）的发出去
    if bgp_large_community ~ [(LOCAL_ASN, 201, peer_asn)] then return false;
    if bgp_large_community ~ [(LOCAL_ASN, 301, peer_asn)] then return false;
    # 3.不带202,0(允许全体外发)，但是带有202,peer asn 放
    if (bgp_large_community !~ [(LOCAL_ASN, 202, 0)]) then {
        if bgp_large_community ~ [(LOCAL_ASN, 202, peer_asn)] then return true;
    }
    # 不带302 0，但是有302 peer asn的，放
    if (bgp_large_community !~ [(LOCAL_ASN, 302, 0)]) then {
        if bgp_large_community ~ [(LOCAL_ASN, 302, peer_asn)] then return true;
    }
    # 4.带有202,0（允许一切外发）和302 0的，放
    if bgp_large_community ~ [(LOCAL_ASN, 202, 0)] then return true;
    if bgp_large_community ~ [(LOCAL_ASN, 302, 0)] then return true;
    return false;
 }
--- a/bird/function/dn42.conf
+++ b/bird/function/dn42.conf
@@ -15,8 +15,8 @@ function is_dn42_prefix() {
 function is_dn42_self_net() {
    case net.type {
-        NET_IP4: return net ~ IS_SELF_NET_dn42v4;
+        NET_IP4: return net ~ is_dn42_self_IPv4;
-        NET_IP6: return net ~ IS_SELF_NET_dn42v6;
+        NET_IP6: return net ~ is_dn42_self_IPv6;
        else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false;
    }
 }
--- a/bird/function/inet.conf
+++ b/bird/function/inet.conf
@@ -1,7 +1,7 @@
 function is_self_net() {
    case net.type {
-        NET_IP4: return net ~ IS_SELF_NET_inet4;
+        NET_IP4: return net ~ is_inet_self_IPv4;
-        NET_IP6: return net ~ IS_SELF_NET_inet6;
+        NET_IP6: return net ~ is_inet_self_IPv6;
        else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false;
    }
 }
--- a/bird/function/unet.conf
+++ b/bird/function/unet.conf
@@ -15,4 +15,12 @@ function unet_is_voalid_net_v6(){
  if is_self_net() then return true;
  if is_dn42_self_net() then return true;
  return false;
-}
+}
 function is_unet_self_net() {
    case net.type {
        NET_IP4: return net ~ is_unet_self_IPv4;
        NET_IP6: return net ~ is_unet_self_IPv6;
        else: print "is_dn42_prefix: unexpected net.type ", net.type, " ", net; return false;
    }
 }
--- a/bird/template/inet.conf
+++ b/bird/template/inet.conf
@@ -3,13 +3,13 @@ template bgp tpl_inet_up {
    local as LOCAL_ASN;
    ipv4 {
        table inet4;
-        import filter {if !function_inet4_bgp_import() then reject; accept; };
+        import filter {if !function_inet_bgp_import_from_upstream() then reject; accept; };
-        export filter {if !function_inet4_bgp_export() then reject; accept; };
+        export filter {if !function_inet_bgp_export_to_upstream0() then reject; accept; };
    };
    ipv6 {
        table inet6;
-        import filter {if !function_inet6_bgp_import() then reject; accept; };
+        import filter {if !function_inet_bgp_import_from_upstream() then reject; accept; };
-        export filter {if !function_inet6_bgp_export() then reject; accept; };
+        export filter {if !function_inet_bgp_export_to_upstream0() then reject; accept; };
    };
 }
@@ -18,8 +18,8 @@ template bgp tpl_inet4_up {
    local as LOCAL_ASN;
    ipv4 {
        table inet4;
-        import filter {if !function_inet4_bgp_import() then reject; accept; };
+        import filter {if !function_inet_bgp_import_from_upstream() then reject; accept; };
-        export filter {if !function_inet4_bgp_export() then reject; accept; };
+        export filter {if !function_inet_bgp_export_to_upstream0() then reject; accept; };
    };
 }
@@ -28,8 +28,8 @@ template bgp tpl_inet6_up {
    local as LOCAL_ASN;
    ipv6 {
        table inet6;
-        import filter {if !function_inet6_bgp_import() then reject; accept; };
+        import filter {if !function_inet_bgp_import_from_upstream() then reject; accept; };
-        export filter {if !function_inet6_bgp_export() then reject; accept; };
+        export filter {if !function_inet_bgp_export_to_upstream0() then reject; accept; };
    };
 }
--- a/bird/template/unet.conf
+++ b/bird/template/unet.conf
@@ -5,7 +5,7 @@ template bgp unet_bgp_up0 {
        table unet4;
        import filter {
          if !unet_is_valid_network_v4_allnet() then reject;
-          if unet_is_self_net() then reject;
+          if is_unet_self_net() then reject;
          bgp_large_community.add((UNET_ASN,200,0));
          accept;
        };
@@ -21,7 +21,7 @@ template bgp unet_bgp_up0 {
        table unet6;
        import filter {
          if !unet_is_voalid_net_v6() then reject;
-          if unet_is_self_net_v6() then reject;
+          if is_unet_self_net() then reject;
          bgp_large_community.add((UNET_ASN,200,0));
          accept;
        };
@@ -42,7 +42,7 @@ template bgp unet_bgp_up1 {
        table unet4;
        import filter {
          if !unet_is_valid_network_v4() then reject;
-          if unet_is_self_net() then reject;
+          if is_unet_self_net() then reject;
          bgp_large_community.add((UNET_ASN,200,0));
          accept;
        };
@@ -68,13 +68,13 @@ template bgp unet_ibgp {
        import filter { 
            if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
            if !unet_is_valid_network_v4_allnet() then reject;
-            if unet_is_self_net() then reject;
+            if is_unet_self_net() then reject;
            accept; 
        };
        export filter { 
            if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
            if !unet_is_valid_network_v4_allnet() then reject;
-            if unet_is_self_net() then reject;
+            if is_unet_self_net() then reject;
            accept;
            };
    };
@@ -85,13 +85,13 @@ template bgp unet_ibgp {
        import filter { 
            if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
            if !unet_is_voalid_net_v6() then reject;
-            if unet_is_self_net_v6() then reject;
+            if is_unet_self_net() then reject;
            accept; 
        };
        export filter { 
            if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
            if !unet_is_voalid_net_v6() then reject;
-            if unet_is_self_net_v6() then reject;
+            if is_unet_self_net() then reject;
            accept;
            };
    };
--- a/bird/whitelist/downmyip.sh
+++ b/bird/whitelist/downmyip.sh
@@ -0,0 +1,93 @@
 #!/bin/bash
 # downmyip - 自动从 /etc/bird/vars.conf 读取ASN并下载ROA配置
 # 配置文件路径
 VARS_CONF="/etc/bird/vars.conf"
 BASE_URL="https://ntwkapi.noc.zhuantou.com.cn/brnet/roa/api.php?as="
 # 颜色输出
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m'
 get_asn() {
    grep "^define $1_ASN" "$VARS_CONF" | awk -F'[=; ]' '{print $5}'
 }
 # 函数：下载配置
 download_roa() {
    local asn="$1"
    local filename="/etc/bird/whitelist/$2"
    if [ -z "$asn" ]; then
        echo -e "${YELLOW}⏭️  $filename 未配置ASN，跳过下载${NC}"
        return
    fi
    echo -e "${YELLOW}📥 正在下载 $filename (ASN: $asn)${NC}"
    if wget -q -O "$filename" "${BASE_URL}${asn}"; then
        echo -e "${GREEN}✅ $filename 下载成功${NC}"
    else
        echo -e "${RED}❌ $filename 下载失败${NC}"
    fi
 }
 # 函数：创建软链接
 create_symlink() {
    local script_path=$(realpath "$0")
    local link_path="/usr/local/bin/downmyip"
    if [ -L "$link_path" ] || [ -f "$link_path" ]; then
        echo -e "${YELLOW}🔗 软链接已存在${NC}"
        return
    fi
    echo -e "${YELLOW}🔗 创建全局命令：downmyip${NC}"
    if ln -s "$script_path" "$link_path"; then
        echo -e "${GREEN}✅ 软链接创建完成！${NC}"
    else
        echo -e "${RED}❌ 请用sudo运行脚本以创建软链接${NC}"
    fi
 }
 # ===================== 主逻辑 =====================
 clear
 echo -e "${YELLOW}===== downmyip - 自动下载ROA配置 =====${NC}"
 # 1. 检查vars.conf是否存在
 if [ ! -f "$VARS_CONF" ]; then
    echo -e "${RED}❌ 配置文件不存在：$VARS_CONF${NC}"
    exit 1
 fi
 # 2. 读取三个ASN
 INET_ASN=$(get_asn "LOCAL")
 DN42_ASN=$(get_asn "DN42")
 UNET_ASN=$(get_asn "UNET")
 echo -e "${GREEN}📄 从vars.conf读取ASN：${NC}"
 [ -n "$INET_ASN" ] && echo "公网ASN：$INET_ASN" || echo "公网ASN：未配置"
 [ -n "$DN42_ASN" ] && echo "DN42 ASN：$DN42_ASN" || echo "DN42 ASN：未配置"
 [ -n "$UNET_ASN" ] && echo "内网ASN：$UNET_ASN" || echo "内网ASN：未配置"
 echo
 # 3. 依次下载（不存在则跳过）
 download_roa "$INET_ASN" "inet.conf"
 download_roa "$DN42_ASN" "dn42.conf"
 download_roa "$UNET_ASN" "unet.conf"
 echo
 # 4. 重载BIRD配置
 echo -e "${YELLOW}🔄 执行：birdc c${NC}"
 if command -v birdc &>/dev/null; then
    birdc c
    echo -e "${GREEN}✅ BIRD重载完成${NC}"
 else
    echo -e "${RED}❌ 未找到birdc命令${NC}"
 fi
 # 5. 创建全局软链接
 create_symlink
 echo -e "\n${GREEN}===== 全部执行完毕 =====${NC}"
--- a/bird/whitelist/ipconfig.conf
+++ b/bird/whitelist/ipconfig.conf
@@ -1,15 +0,0 @@
 function unet_is_self_net() {
  return net ~ [
    10.188.6.0/23+,
    10.188.5.124/30,
    44.32.191.16/28,
    44.32.191.7/32
  ];
 }
 function unet_is_self_net_v6() {
  return net ~ [
    2406:840:e603::/48{48,56},
    2406:840:e60e::/56
    ];
 }
--- a/update.sh
+++ b/update.sh
@@ -3,26 +3,24 @@
 cd 
 git clone https://git.nia.ink/brnet/bird_config.git
 cp /etc/bird/ /etc/bird.old/ -r
 rm /etc/bird/filter -rf
 mv ./bird_config/bird/filter /etc/bird/filter
-rm /etc/bird/function -rf
+rm /etc/bird/whitelist -rf
-mv ./bird_config/bird/function /etc/bird/function
+mv ./bird_config/bird/whitelist /etc/bird/whitelist
 rm /etc/bird/template -rf
 mv ./bird_config/bird/template /etc/bird/template
-mv /etc/bird/whitelist/ipconfig.conf /etc/bird/whitelist/ipconfig.conf.bak
+rm /etc/bird/function -rf
-rm /etc/bird/whitelist/*.conf -rf
+mv ./bird_config/bird/function /etc/bird/function
 mv /etc/bird/whitelist/ipconfig.conf.bak /etc/bird/whitelist/ipconfig.conf
 wget https://noc.zhuantou.com.cn/api/network.php?s=inet6-bird-function -O /etc/bird/whitelist/mynet_ipv6.conf
 wget https://noc.zhuantou.com.cn/api/network.php?s=inet4-bird-function -O /etc/bird/whitelist/mynet_ipv4.conf
 wget https://noc.zhuantou.com.cn/api/network.php?s=dn42-bird-function -O /etc/bird/whitelist/mynet_dn42.conf
 chmod -R 755 /etc/bird
 chmod +x /etc/bird/whitelist/downmyip.sh
-birdc c
+# birdc c
 cd 
 rm -rf bird_config