brnet/bird_config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add any things

Browse Source
This commit is contained in:
gaoyuheng
2025-04-25 12:39:32 +08:00
commit c454b5f16e
18 changed files with 698 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
bird/bird.conf Normal file
View File

@@ -0,0 +1,51 @@
include "/etc/bird/vars.conf";
include "/etc/bird/function/*.conf";
include "/etc/bird/conf/*.conf";
protocol device {
scan time 10;
}
protocol kernel {
scan time 20;
ipv6 {
import none;
export filter {
if source = RTS_STATIC then reject;
if dn42_is_valid_network_v6() then {
krt_prefsrc = DN42_V6_kernel;
accept;
}
if !is_bogon_prefix() then {
krt_prefsrc = LOCAL_V6_kernel;
accept;
}
reject;
};
};
};
protocol kernel {
scan time 20;
ipv4 {
import none;
export filter {
if source = RTS_STATIC then reject;
if unet_is_valid_network_v4_unet() then {
krt_prefsrc = UNET_V4_kernel;
accept;
}
if dn42_is_valid_network() then {
krt_prefsrc = DN42_V4_kernel;
accept;
}
if !is_bogon_prefix() then {
krt_prefsrc = LOCAL_V4_kernel;
accept;
}
reject;
};
};
};
include "/etc/bird/net/*.conf";

133
bird/conf/mynet.conf Normal file
View File

@@ -0,0 +1,133 @@
function is_self_net() {
return net ~ [
44.32.191.0/24
];
}
protocol static route_int_export_v4 {
route 44.32.191.0/24 reject;
ipv4 {
table inet4;
import filter {
bgp_large_community.add((LOCAL_ASN,3,0));
bgp_large_community.add((LOCAL_ASN,1,0));
bgp_large_community.add((LOCAL_ASN,200,0));
accept;
};
export none;
};
}
function is_self_net_v6() {
return net ~ [
2406:840:e600::/44{44,48},
2a14:7580:9600::/40{40,48}
];
}
protocol static route_int_export_v6 {
route 2406:840:e600::/48 reject;
route 2406:840:e601::/48 reject;
route 2406:840:e608::/46 reject;
route 2a14:7580:9600::/47 reject;
route 2a14:7580:9603::/48 reject;
route 2a14:7580:9604::/48 reject;
ipv6 {
table inet6;
import filter {
bgp_large_community.add((LOCAL_ASN,3,0));
bgp_large_community.add((LOCAL_ASN,1,0));
bgp_large_community.add((LOCAL_ASN,200,0));
accept;
};
export none;
};
}
function dn42_is_self_net() {
return net ~ [
172.20.21.0/26+
];
}
protocol static route_dn42_export_v4 {
route 172.20.21.0/26 reject;
ipv4 {
table dn42v4;
import filter {
bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
accept;
};
export none;
};
}
function dn42_is_self_net_v6() {
return net ~ [
fde8:936e:ee29::/48+
];
}
protocol static route_dn42_export_v6 {
route fde8:936e:ee29::/48 reject;
ipv6 {
table dn42v6;
import filter {
bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
accept;
};
export none;
};
}
function unet_is_self_net() {
return net ~ [
10.188.2.0/23+,
10.188.11.0/24,
172.20.21.0/29
];
}
protocol static route_unet_export_v4 {
route 10.188.2.0/23 reject;
route 10.188.11.0/24 reject;
route 172.20.21.0/29 reject;
ipv4 {
table unet4;
import filter {
bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
bgp_large_community.add((UNET_ASN,1,0));# 不允许传输到ibgp
bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp
accept;
};
export none;
};
}
function unet_is_self_net_v6() {
return net ~ [
2406:840:e601::/48{48,56},
fde8:936e:ee29:1000::/56
];
}
protocol static route_unet_export_v6 {
route 2406:840:e601::/48 reject;
route fde8:936e:ee29:1000::/56 reject;
ipv6 {
table unet6;
import filter {
bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
bgp_large_community.add((UNET_ASN,1,0));# 不允许传输到ibgp
bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp
accept;
};
export none;
};
}

3
bird/envvars Normal file
View File

@@ -0,0 +1,3 @@
BIRD_RUN_USER=bird
BIRD_RUN_GROUP=bird
#BIRD_ARGS=

66
bird/function/begon.conf Normal file
View File

@@ -0,0 +1,66 @@
# 网络长度判断
function net_len_too_long(){
case net.type {
NET_IP4: return net.len > 24;
NET_IP6: return net.len > 48;
else: print "net_len_too_long: unexpected net.type ", net.type, " ", net; return false;
}
}
# Bogon
define BOGON_ASNS = [
0, # RFC 7607
23456, # RFC 4893 AS_TRANS
64496..64511, # RFC 5398 and documentation/example ASNs
64512..65534, # RFC 6996 Private ASNs
65535, # RFC 7300 Last 16 bit ASN
65536..65551, # RFC 5398 and documentation/example ASNs
65552..131071, # RFC IANA reserved ASNs
4200000000..4294967294, # RFC 6996 Private ASNs
4294967295 # RFC 7300 Last 32 bit ASN
];
define BOGON_PREFIXES_V4 = [
0.0.0.0/8+, # RFC 1122 'this' network
10.0.0.0/8+, # RFC 1918 private space
100.64.0.0/10+, # RFC 6598 Carrier grade nat space
127.0.0.0/8+, # RFC 1122 localhost
169.254.0.0/16+, # RFC 3927 link local
172.16.0.0/12+, # RFC 1918 private space
192.0.2.0/24+, # RFC 5737 TEST-NET-1
192.88.99.0/24+, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `24+` to `24{25,32}`(no more specific)
192.168.0.0/16+, # RFC 1918 private space
198.18.0.0/15+, # RFC 2544 benchmarking
198.51.100.0/24+, # RFC 5737 TEST-NET-2
203.0.113.0/24+, # RFC 5737 TEST-NET-3
224.0.0.0/4+, # multicast
240.0.0.0/4+ # reserved
];
define BOGON_PREFIXES_V6 = [
::/8+, # RFC 4291 IPv4-compatible, loopback, et al
0064:ff9b::/96+, # RFC 6052 IPv4/IPv6 Translation
0064:ff9b:1::/48+, # RFC 8215 Local-Use IPv4/IPv6 Translation
0100::/64+, # RFC 6666 Discard-Only
2001::/32{33,128}, # RFC 4380 Teredo, no more specific
2001:2::/48+, # RFC 5180 BMWG
2001:10::/28+, # RFC 4843 ORCHID
2001:db8::/32+, # RFC 3849 documentation
2002::/16+, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `16+` to `16{17,128}`(no more specific)
3ffe::/16+, 5f00::/8+, # RFC 3701 old 6bone
fc00::/7+, # RFC 4193 unique local unicast
fe80::/10+, # RFC 4291 link local unicast
fec0::/10+, # RFC 3879 old site local unicast
ff00::/8+ # RFC 4291 multicast
];
function is_bogon_prefix() {
case net.type {
NET_IP4: return net ~ BOGON_PREFIXES_V4;
NET_IP6: return net ~ BOGON_PREFIXES_V6;
else: print "is_bogon_prefix: unexpected net.type ", net.type, " ", net; return false;
}
}
function is_bogon_asn() {
if bgp_path ~ BOGON_ASNS then return true;
return false;
}

48
bird/function/network.conf Normal file
View File

@@ -0,0 +1,48 @@
function dn42_is_valid_network() {
return net ~ [
172.20.0.0/14+,
10.100.0.0/14+,
172.31.0.0/16+,
10.127.0.0/16+
];
}
function dn42_is_valid_network_v6() {
return net ~ [
fd00::/8{32,64}
];
}
function unet_is_valid_network_v4_unet() {
return net ~ [
10.50.0.0/16+,
10.21.0.0/16+,
10.188.0.0/16+
];
}
function unet_is_valid_network_v4_anynet() {
return net ~ [
172.20.21.0/26+,
44.32.191.0/24+
];
}
function unet_is_voalid_net_v4(){
if !unet_is_valid_network_v4_anynet() && !unet_is_valid_network_v4_unet() then return false;
return true;
}
function unet_is_voalid_net_v6_anynet(){
return net ~ [
2406:840:e600::/44{44,56},
2a14:7580:9600::/40{45,56},
fde8:936e:ee29::/48{48,56}
];
}
function unet_is_voalid_net_v6(){
if !unet_is_voalid_net_v6_anynet() then return false;
return true;
}

83
bird/function/tables.conf Normal file
View File

@@ -0,0 +1,83 @@
ipv4 table inet4;
ipv6 table inet6;
ipv4 table unet4;
ipv6 table unet6;
ipv4 table dn42v4;
ipv6 table dn42v6;
ipv4 table ospf4;
ipv6 table ospf6;
protocol pipe inet6_sync {
table inet6;
peer table master6;
import none;
export filter {
if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe inet4_sync {
table inet4;
peer table master4;
import none;
export filter {
if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe dn42v4_sync {
table dn42v4;
peer table master4;
import none;
export filter {
if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe dn42v6_sync {
table dn42v6;
peer table master6;
import none;
export filter {
if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe unet4_sync {
table unet4;
peer table master4;
export filter {
if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe unet6_sync {
table unet6;
peer table master6;
export filter {
if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe pipe_ospf4_sync {
table ospf4;
peer table master4;
export filter {
if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
accept;
};
}
protocol pipe ospf6_sync {
table ospf6;
peer table master6;
export filter {
if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
accept;
};
}

69
bird/net/dn42.conf Normal file
View File

@@ -0,0 +1,69 @@
template bgp dn42_peers {
local as DN42_ASN;
path metric 1;
ipv4 {
table dn42v4;
import filter {
if dn42_is_valid_network() && !dn42_is_self_net() then accept;
reject;
};
export filter {
if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject;
};
import limit 9000 action block;
};
ipv6 {
table dn42v6;
import filter {
if dn42_is_valid_network_v6() && !dn42_is_self_net_v6() then accept;
reject;
};
export filter { if dn42_is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
import limit 9000 action block;
};
}
template bgp dn42_ibgp {
graceful restart;
local as DN42_ASN;
med metric;
direct;
ipv4 {
table dn42v4;
next hop self;
gateway direct;
import filter {
if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
if !dn42_is_valid_network() then reject;
if dn42_is_self_net() then reject;
accept;
};
export filter {
if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
if !dn42_is_valid_network() then reject;
if dn42_is_self_net() then reject;
accept;
};
};
ipv6 {
table dn42v6;
next hop self;
gateway direct;
import filter {
if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
if !dn42_is_valid_network_v6() then reject;
if dn42_is_self_net_v6() then reject;
accept;
};
export filter {
if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
if !dn42_is_valid_network_v6() then reject;
if dn42_is_self_net_v6() then reject;
accept;
};
};
}
include "/etc/bird/peers/dn42/*.conf";

78
bird/net/inet.conf Normal file
View File

@@ -0,0 +1,78 @@
template bgp tpl_bgp_up {
graceful restart;
local as LOCAL_ASN;
ipv4 {
table inet4;
import filter {
if is_self_net() then reject;
if is_bogon_prefix() || (bgp_path.len > 100) then reject;
accept;
};
export filter {
if !is_self_net() then reject;
if is_bogon_prefix() || (bgp_path.len > 100) then reject;
if source != RTS_STATIC then reject;
if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
bgp_large_community.empty;
accept;
};
};
ipv6 {
table inet6;
import filter {
if is_self_net_v6() then reject;
if is_bogon_prefix() || (bgp_path.len > 100) then reject;
accept;
};
export filter {
if !is_self_net_v6() then reject;
if is_bogon_prefix() || (bgp_path.len > 100) then reject;
if source != RTS_STATIC then reject;
if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
bgp_large_community.empty;
accept;
};
};
}
template bgp tpl_ibgp {
graceful restart;
local as LOCAL_ASN;
med metric;
direct;
ipv4 {
table inet4;
next hop self;
gateway direct;
import filter {
if is_self_net() then reject;
if is_bogon_prefix() then reject;
if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
accept;
};
export filter {
if is_self_net() then reject;
if is_bogon_prefix() then reject;
if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
accept;
};
};
ipv6 {
table inet6;
next hop self;
gateway direct;
import filter {
if is_self_net_v6() then reject;
if is_bogon_prefix() then reject;
if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
accept;
};
export filter {
if is_self_net_v6() then reject;
if is_bogon_prefix() then reject;
if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
accept;
};
};
}
include "/etc/bird/peers/inet/*";

1
bird/net/ospf.conf Normal file
View File

@@ -0,0 +1 @@
include "/etc/bird/peers/ospf/*.conf";

65
bird/net/unet.conf Normal file
View File

@@ -0,0 +1,65 @@
template bgp unet_bgp_up {
graceful restart;
local as UNET_ASN;
ipv4 {
table unet4;
import filter {
if unet_is_voalid_net_v4() && !unet_is_self_net() then accept;
reject;
};
export filter { if unet_is_voalid_net_v4() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
import limit 9000 action block;
};
ipv6 {
table unet6;
import filter {
if unet_is_voalid_net_v6() && !unet_is_self_net_v6() then accept;
reject;
};
export filter { if unet_is_voalid_net_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
import limit 9000 action block;
};
}
template bgp unet_ibgp {
graceful restart;
local as UNET_ASN;
med metric;
direct;
ipv4 {
table unet4;
next hop self;
gateway direct;
import filter {
if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
if !unet_is_voalid_net_v4() then reject;
if unet_is_self_net() then reject;
accept;
};
export filter {
if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
if !unet_is_voalid_net_v4() then reject;
if unet_is_self_net() then reject;
accept;
};
};
ipv6 {
table unet6;
next hop self;
gateway direct;
import filter {
if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
if !unet_is_voalid_net_v6() then reject;
if unet_is_self_net_v6() then reject;
accept;
};
export filter {
if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
if !unet_is_voalid_net_v6() then reject;
if unet_is_self_net_v6() then reject;
accept;
};
};
}
include "/etc/bird/peers/unet/*.conf";

4
bird/peers/dn42/ibgp.conf Normal file
View File

@@ -0,0 +1,4 @@
protocol bgp dn42_ibgp_hk1 from dn42_ibgp {
source address 172.20.21.6;
neighbor 172.20.21.4 as DN42_ASN;
}

8
bird/peers/inet/bgp_zxix.conf Normal file
View File

@@ -0,0 +1,8 @@
protocol bgp int_bgp_zxix_rs1 from tpl_bgp_up {
neighbor 2406:840:1f:1000::1 as 140961;
}
protocol bgp int_bgp_zxix_140915_v6 from tpl_bgp_up {
source address 2406:840:1f:1000:0:15:3376:1;
neighbor 2406:840:1f:1000:0:14:915:2 as 140915;
}

4
bird/peers/inet/bgpexchange_jp.conf Normal file
View File

@@ -0,0 +1,4 @@
protocol bgp int_bgp_exchange_jp1 from tpl_bgp_up {
source address 2a0e:8f01:1000:9::10b;
neighbor 2a0e:8f01:1000:9::1 as 24381;
}

4
bird/peers/inet/ibgp.conf Normal file
View File

@@ -0,0 +1,4 @@
protocol bgp int_ibgp_hk1 from tpl_ibgp {
source address fe80:15:3376:3::2:1;
neighbor fe80:15:3376:3::3:1%pccw1 as LOCAL_ASN;
}

32
bird/peers/ospf/ospf_ipv4.conf Normal file
View File

@@ -0,0 +1,32 @@
protocol ospf v3 ospf_ipv4 {
ipv4 {
table ospf4;
import all;
export filter {
if bgp_large_community !~ [(UNET_ASN, 301,0)] then reject;
accept;
};
import limit 1000 action block;
};
area 0 {
interface "pccw1" {
cost 5;
password "114514";
};
};
}
protocol static route_ospf_export_v4 {
route 10.188.3.0/24 reject;
ipv4 {
table ospf4;
import filter {
bgp_large_community.add((UNET_ASN,301,0));# 允许导出至OSPF
bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
accept;
};
export none;
};
}

33
bird/peers/ospf/ospf_ipv6.conf Normal file
View File

@@ -0,0 +1,33 @@
protocol ospf v3 ospf_ipv6 {
ipv6 {
table ospf6;
import all;
export filter {
if bgp_large_community !~ [(UNET_ASN, 301,0)] then reject;
accept;
};
import limit 1000 action block;
};
area 0 {
interface "pccw1" {
cost 5;
};
};
}
protocol static route_ospf_export_v6 {
route 2406:840:e601:1::/64 reject;
route 2406:840:e601:3::/64 reject;
route 2406:840:e601:4::/63 reject;
route 2406:840:e601:2000::/51 reject;
ipv6 {
table ospf6;
import filter {
bgp_large_community.add((UNET_ASN,301,0));# 允许导出至OSPF
bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
accept;
};
export none;
};
}

4
bird/peers/unet/ibgp.conf Normal file
View File

@@ -0,0 +1,4 @@
protocol bgp unet_ibgp_hk1 from unet_ibgp {
source address fe80:15:3376:3::2:2;
neighbor fe80:15:3376:3::3:2%pccw1 as UNET_ASN;
}

12
bird/vars.conf Normal file
View File

@@ -0,0 +1,12 @@
define LOCAL_ASN = 153376;
define LOCAL_V4_kernel = 10.188.2.3;
define LOCAL_V6_kernel = 2406:840:e601:1::1;
define DN42_ASN = 4242423376;
define DN42_V4_kernel = 172.20.21.6;
define DN42_V6_kernel = fde8:936e:ee29:1000::3;
define UNET_ASN = 4218818804;
define UNET_V4_kernel = 10.188.2.3;
router id 154.37.212.38;