commit c454b5f16e250887862d703af65de8a8063abbab Author: gaoyuheng Date: Fri Apr 25 12:39:32 2025 +0800 add any things
diff --git a/bird/bird.conf b/bird/bird.conf
new file mode 100644
index 0000000..95b4eec
--- /dev/null
+++ b/bird/bird.conf
@@ -0,0 +1,51 @@
+include "/etc/bird/vars.conf";
+include "/etc/bird/function/*.conf";
+include "/etc/bird/conf/*.conf";
+
+protocol device {
+ scan time 10;
+}
+
+protocol kernel {
+ scan time 20;
+ ipv6 {
+ import none;
+ export filter {
+ if source = RTS_STATIC then reject;
+ if dn42_is_valid_network_v6() then {
+ krt_prefsrc = DN42_V6_kernel;
+ accept;
+ }
+ if !is_bogon_prefix() then {
+ krt_prefsrc = LOCAL_V6_kernel;
+ accept;
+ }
+ reject;
+ };
+ };
+};
+
+protocol kernel {
+ scan time 20;
+ ipv4 {
+ import none;
+ export filter {
+ if source = RTS_STATIC then reject;
+ if unet_is_valid_network_v4_unet() then {
+ krt_prefsrc = UNET_V4_kernel;
+ accept;
+ }
+ if dn42_is_valid_network() then {
+ krt_prefsrc = DN42_V4_kernel;
+ accept;
+ }
+ if !is_bogon_prefix() then {
+ krt_prefsrc = LOCAL_V4_kernel;
+ accept;
+ }
+ reject;
+ };
+ };
+};
+
+include "/etc/bird/net/*.conf";
\ No newline at end of file
diff --git a/bird/conf/mynet.conf b/bird/conf/mynet.conf
new file mode 100644
index 0000000..a115890
--- /dev/null
+++ b/bird/conf/mynet.conf
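Review bot: The three-branch kernel export filters depend on first-match ordering that nothing documents: the unet and dn42 ranges (10.0.0.0/8, 172.16.0.0/12, fd00::/8) are also members of BOGON_PREFIXES_V4/V6 in function/begon.conf, so the `unet_is_valid_network_v4_unet()` and `dn42_is_valid_network*()` branches must stay ahead of the `!is_bogon_prefix()` branch or those routes would never reach the kernel. A comment above each export filter would pin this, e.g. `# order matters: private unet/dn42 ranges are also bogons, match them first; the last branch takes everything else in master4 (Internet routes arriving through the inet4 pipe)`. The IPv6 filter has no unet branch, so unet ULA routes fall under the dn42 `fd00::/8{32,64}` match and unet GUA routes under the final branch — presumably intended, since vars.conf defines no UNET_V6_kernel, but worth stating.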
@@ -0,0 +1,133 @@
+function is_self_net() {
+ return net ~ [
+ 44.32.191.0/24
+ ];
+}
+
+protocol static route_int_export_v4 {
+ route 44.32.191.0/24 reject;
+ ipv4 {
+ table inet4;
+ import filter {
+ bgp_large_community.add((LOCAL_ASN,3,0));
+ bgp_large_community.add((LOCAL_ASN,1,0));
+ bgp_large_community.add((LOCAL_ASN,200,0));
+ accept;
+ };
+ export none;
+ };
+}
+
+function is_self_net_v6() {
+ return net ~ [
+ 2406:840:e600::/44{44,48},
+ 2a14:7580:9600::/40{40,48}
+ ];
+}
+
+protocol static route_int_export_v6 {
+ route 2406:840:e600::/48 reject;
+ route 2406:840:e601::/48 reject;
+ route 2406:840:e608::/46 reject;
+ route 2a14:7580:9600::/47 reject;
+ route 2a14:7580:9603::/48 reject;
+ route 2a14:7580:9604::/48 reject;
+ ipv6 {
+ table inet6;
+ import filter {
+ bgp_large_community.add((LOCAL_ASN,3,0));
+ bgp_large_community.add((LOCAL_ASN,1,0));
+ bgp_large_community.add((LOCAL_ASN,200,0));
+ accept;
+ };
+ export none;
+ };
+}
+
+
+function dn42_is_self_net() {
+ return net ~ [
+ 172.20.21.0/26+
+ ];
+}
+
+protocol static route_dn42_export_v4 {
+ route 172.20.21.0/26 reject;
+ ipv4 {
+ table dn42v4;
+ import filter {
+ bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
+
+function dn42_is_self_net_v6() {
+ return net ~ [
+ fde8:936e:ee29::/48+
+ ];
+}
+
+protocol static route_dn42_export_v6 {
+ route fde8:936e:ee29::/48 reject;
+ ipv6 {
+ table dn42v6;
+ import filter {
+ bgp_large_community.add((DN42_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((DN42_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((DN42_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
+
+function unet_is_self_net() {
+ return net ~ [
+ 10.188.2.0/23+,
+ 10.188.11.0/24,
+ 172.20.21.0/29
+ ];
+}
+
+protocol static route_unet_export_v4 {
+ route 10.188.2.0/23 reject;
+ route 10.188.11.0/24 reject;
+ route 172.20.21.0/29 reject;
+ ipv4 {
+ table unet4;
+ import filter {
+ bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((UNET_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
+
+
+function unet_is_self_net_v6() {
+ return net ~ [
+ 2406:840:e601::/48{48,56},
+ fde8:936e:ee29:1000::/56
+ ];
+}
+
+protocol static route_unet_export_v6 {
+ route 2406:840:e601::/48 reject;
+ route fde8:936e:ee29:1000::/56 reject;
+ ipv6 {
+ table unet6;
+ import filter {
+ bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
+ bgp_large_community.add((UNET_ASN,1,0));# 不允许传输到ibgp
+ bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp
+ accept;
+ };
+ export none;
+ };
+}
diff --git a/bird/envvars b/bird/envvars
new file mode 100644
index 0000000..9ca9baa
--- /dev/null
+++ b/bird/envvars
@@ -0,0 +1,3 @@
+BIRD_RUN_USER=bird
+BIRD_RUN_GROUP=bird
+#BIRD_ARGS=
diff --git a/bird/function/begon.conf b/bird/function/begon.conf
new file mode 100644
index 0000000..21bd891
--- /dev/null
+++ b/bird/function/begon.conf
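Review bot: `is_self_net()` matches only the exact prefix `44.32.191.0/24`, and `is_self_net_v6()` stops at /48, yet net/inet.conf uses these functions to reject own-space announcements on import from upstreams; a peer announcing `44.32.191.0/25` or a /56 inside 2406:840:e600::/44 is therefore accepted into inet4/inet6 and, through the pipes, into the kernel — a more-specific hijack of this node's own addresses. The dn42 and unet counterparts further down (`172.20.21.0/26+`, `fde8:936e:ee29::/48+`) already use `+` for exactly this reason. Suggested: `44.32.191.0/24+`, `2406:840:e600::/44+` and `2a14:7580:9600::/40+`; the export side is unaffected because it additionally requires `source = RTS_STATIC`, and the statics declared here are all inside those ranges.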
@@ -0,0 +1,66 @@
+# 网络长度判断
+function net_len_too_long(){
+ case net.type {
+ NET_IP4: return net.len > 24;
+ NET_IP6: return net.len > 48;
+ else: print "net_len_too_long: unexpected net.type ", net.type, " ", net; return false;
+ }
+}
+
+# Bogon
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 # RFC 7300 Last 32 bit ASN
+];
+define BOGON_PREFIXES_V4 = [
+ 0.0.0.0/8+, # RFC 1122 'this' network
+ 10.0.0.0/8+, # RFC 1918 private space
+ 100.64.0.0/10+, # RFC 6598 Carrier grade nat space
+ 127.0.0.0/8+, # RFC 1122 localhost
+ 169.254.0.0/16+, # RFC 3927 link local
+ 172.16.0.0/12+, # RFC 1918 private space
+ 192.0.2.0/24+, # RFC 5737 TEST-NET-1
+ 192.88.99.0/24+, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `24+` to `24{25,32}`(no more specific)
+ 192.168.0.0/16+, # RFC 1918 private space
+ 198.18.0.0/15+, # RFC 2544 benchmarking
+ 198.51.100.0/24+, # RFC 5737 TEST-NET-2
+ 203.0.113.0/24+, # RFC 5737 TEST-NET-3
+ 224.0.0.0/4+, # multicast
+ 240.0.0.0/4+ # reserved
+];
+define BOGON_PREFIXES_V6 = [
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0064:ff9b::/96+, # RFC 6052 IPv4/IPv6 Translation
+ 0064:ff9b:1::/48+, # RFC 8215 Local-Use IPv4/IPv6 Translation
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001::/32{33,128}, # RFC 4380 Teredo, no more specific
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `16+` to `16{17,128}`(no more specific)
+ 3ffe::/16+, 5f00::/8+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+function is_bogon_prefix() {
+ case net.type {
+ NET_IP4: return net ~ BOGON_PREFIXES_V4;
+ NET_IP6: return net ~ BOGON_PREFIXES_V6;
+ else: print "is_bogon_prefix: unexpected net.type ", net.type, " ", net; return false;
+ }
+}
+
+function is_bogon_asn() {
+ if bgp_path ~ BOGON_ASNS then return true;
+ return false;
+}
\ No newline at end of file
diff --git a/bird/function/network.conf b/bird/function/network.conf
new file mode 100644
index 0000000..5b3d9a3
--- /dev/null
+++ b/bird/function/network.conf
@@ -0,0 +1,48 @@
+function dn42_is_valid_network() {
+ return net ~ [
+ 172.20.0.0/14+,
+ 10.100.0.0/14+,
+ 172.31.0.0/16+,
+ 10.127.0.0/16+
+ ];
+}
+
+function dn42_is_valid_network_v6() {
+ return net ~ [
+ fd00::/8{32,64}
+ ];
+}
+
+function unet_is_valid_network_v4_unet() {
+ return net ~ [
+ 10.50.0.0/16+,
+ 10.21.0.0/16+,
+ 10.188.0.0/16+
+ ];
+}
+
+function unet_is_valid_network_v4_anynet() {
+ return net ~ [
+ 172.20.21.0/26+,
+ 44.32.191.0/24+
+ ];
+}
+
+function unet_is_voalid_net_v4(){
+ if !unet_is_valid_network_v4_anynet() && !unet_is_valid_network_v4_unet() then return false;
+ return true;
+}
+
+
+function unet_is_voalid_net_v6_anynet(){
+ return net ~ [
+ 2406:840:e600::/44{44,56},
+ 2a14:7580:9600::/40{45,56},
+ fde8:936e:ee29::/48{48,56}
+ ];
+}
+
+function unet_is_voalid_net_v6(){
+ if !unet_is_voalid_net_v6_anynet() then return false;
+ return true;
+}
\ No newline at end of file
diff --git a/bird/function/tables.conf b/bird/function/tables.conf
new file mode 100644
index 0000000..35547eb
--- /dev/null
+++ b/bird/function/tables.conf
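Review bot: The header comment `# 网络长度判断` is the only non-English annotation in a file otherwise commented in English; `# prefix-length sanity check: reject IPv4 longer than /24 and IPv6 longer than /48` would keep the file in one language and state the thresholds the function encodes. Within this commit neither `net_len_too_long()` nor `is_bogon_asn()` is called from any import filter (net/inet.conf uses only `is_bogon_prefix()` and a path-length test), so as written they have no effect on what is accepted; until they are wired in, a note such as `# NOTE: meant for eBGP import filters — not referenced yet` next to each definition would flag the gap for the next reader.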
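Review bot: `unet_is_valid_network_v4_anynet()` lists `44.32.191.0/24+` and `172.20.21.0/26+`, and `unet_is_voalid_net_v6_anynet()` lists `2406:840:e600::/44{44,56}` and `2a14:7580:9600::/40{45,56}` — this node's own public and dn42 space plus all their more-specifics — and these functions are exactly what the unet eBGP import filters in net/unet.conf accept, so a unet peer is allowed to originate a more-specific of the node's own addresses (the unet self-net lists do not cover them). If the intent is only to let unet peers carry transit for these ranges, the import side needs an explicit own-space rejection; a comment on `_anynet` stating why public space appears in a private-network validity set would also help. Separately, `dn42_is_valid_network()` uses `172.20.0.0/14+` and `dn42_is_valid_network_v6()` uses `fd00::/8{32,64}` with no lower bound on IPv4 length; if these are meant to mirror the dn42 registry's recommended filter, the published bounds are tighter (e.g. a `{44,64}` range for ULA) — confirm against the registry before relying on them. The misspelt `unet_is_voalid_net_v4/v6` names are used consistently from net/unet.conf, so renaming would need a coordinated change.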
@@ -0,0 +1,83 @@
+ipv4 table inet4;
+ipv6 table inet6;
+ipv4 table unet4;
+ipv6 table unet6;
+ipv4 table dn42v4;
+ipv6 table dn42v6;
+ipv4 table ospf4;
+ipv6 table ospf6;
+
+protocol pipe inet6_sync {
+ table inet6;
+ peer table master6;
+ import none;
+ export filter {
+ if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe inet4_sync {
+ table inet4;
+ peer table master4;
+ import none;
+ export filter {
+ if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe dn42v4_sync {
+ table dn42v4;
+ peer table master4;
+ import none;
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe dn42v6_sync {
+ table dn42v6;
+ peer table master6;
+ import none;
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe unet4_sync {
+ table unet4;
+ peer table master4;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+protocol pipe unet6_sync {
+ table unet6;
+ peer table master6;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe pipe_ospf4_sync {
+ table ospf4;
+ peer table master4;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ accept;
+ };
+}
+
+protocol pipe ospf6_sync {
+ table ospf6;
+ peer table master6;
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject;
+ accept;
+ };
+}
\ No newline at end of file
diff --git a/bird/net/dn42.conf b/bird/net/dn42.conf
new file mode 100644
index 0000000..032e301
--- /dev/null
+++ b/bird/net/dn42.conf
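Review bot: The `unet4_sync`, `unet6_sync`, `pipe_ospf4_sync` and `ospf6_sync` pipes omit the `import none;` that the four inet/dn42 pipes set, so — if the pipe protocol's default of importing everything applies, as I believe it does in BIRD 2 — every route in master4/master6 (Internet routes from inet4, dn42 routes, OSPF-learned routes) flows back into unet4/unet6 and ospf4/ospf6. The unet eBGP export filter in net/unet.conf then requires only `unet_is_voalid_net_v4()` and `source ~ [RTS_STATIC, RTS_BGP]` to re-announce such a route to unet peers, which defeats the per-network table separation this file sets up. Unless the back-flow is intended, add `import none;` to those four pipes as well; if it is intended, say so in a comment so the asymmetry is not "fixed" later.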
@@ -0,0 +1,69 @@
+template bgp dn42_peers {
+ local as DN42_ASN;
+ path metric 1;
+
+ ipv4 {
+ table dn42v4;
+ import filter {
+ if dn42_is_valid_network() && !dn42_is_self_net() then accept;
+ reject;
+ };
+
+ export filter {
+ if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject;
+ };
+ import limit 9000 action block;
+ };
+ ipv6 {
+ table dn42v6;
+ import filter {
+ if dn42_is_valid_network_v6() && !dn42_is_self_net_v6() then accept;
+ reject;
+ };
+ export filter { if dn42_is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
+ import limit 9000 action block;
+ };
+}
+
+
+template bgp dn42_ibgp {
+ graceful restart;
+ local as DN42_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table dn42v4;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !dn42_is_valid_network() then reject;
+ if dn42_is_self_net() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !dn42_is_valid_network() then reject;
+ if dn42_is_self_net() then reject;
+ accept;
+ };
+ };
+ ipv6 {
+ table dn42v6;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !dn42_is_valid_network_v6() then reject;
+ if dn42_is_self_net_v6() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(DN42_ASN, 1,*)] then reject;
+ if !dn42_is_valid_network_v6() then reject;
+ if dn42_is_self_net_v6() then reject;
+ accept;
+ };
+ };
+}
+include "/etc/bird/peers/dn42/*.conf";
\ No newline at end of file
diff --git a/bird/net/inet.conf b/bird/net/inet.conf
new file mode 100644
index 0000000..733c9fa
--- /dev/null
+++ b/bird/net/inet.conf
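Review bot: The `dn42_peers` export filters neither check the `(DN42_ASN,200,0)` community that conf/mynet.conf attaches with the comment 传输到Ebgp ("export to eBGP") nor strip the internal `(DN42_ASN, *, *)` control communities before the route leaves the AS, whereas net/inet.conf gates on `(LOCAL_ASN,200,0)` and calls `bgp_large_community.empty`. Either the 200 community carries no meaning for dn42 or the gate is missing; in both cases the local control values (including the `3`/"do not export to kernel" marker) are visible to every peer. Suggested, in both address families before `accept`: `if source = RTS_STATIC && bgp_large_community !~ [(DN42_ASN, 200, 0)] then reject;` and `bgp_large_community.delete([(DN42_ASN, *, *)]);`. The `dn42_peers` template also lacks the `graceful restart` that `dn42_ibgp` sets — confirm that is deliberate.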
@@ -0,0 +1,78 @@
+template bgp tpl_bgp_up {
+ graceful restart;
+ local as LOCAL_ASN;
+ ipv4 {
+ table inet4;
+ import filter {
+ if is_self_net() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ accept;
+ };
+ export filter {
+ if !is_self_net() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ if source != RTS_STATIC then reject;
+ if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
+ bgp_large_community.empty;
+ accept;
+ };
+ };
+ ipv6 {
+ table inet6;
+ import filter {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ accept;
+ };
+ export filter {
+ if !is_self_net_v6() then reject;
+ if is_bogon_prefix() || (bgp_path.len > 100) then reject;
+ if source != RTS_STATIC then reject;
+ if bgp_large_community !~ [(LOCAL_ASN, 200,0)] then reject;
+ bgp_large_community.empty;
+ accept;
+ };
+ };
+}
+
+template bgp tpl_ibgp {
+ graceful restart;
+ local as LOCAL_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table inet4;
+ next hop self;
+ gateway direct;
+ import filter {
+ if is_self_net() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+ };
+ export filter {
+ if is_self_net() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+ };
+ };
+ ipv6 {
+ table inet6;
+ next hop self;
+ gateway direct;
+ import filter {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+ };
+ export filter {
+ if is_self_net_v6() then reject;
+ if is_bogon_prefix() then reject;
+ if bgp_large_community ~ [(LOCAL_ASN, 1,*)] then reject;
+ accept;
+ };
+ };
+}
+include "/etc/bird/peers/inet/*";
\ No newline at end of file
diff --git a/bird/net/ospf.conf b/bird/net/ospf.conf
new file mode 100644
index 0000000..93e110c
--- /dev/null
+++ b/bird/net/ospf.conf
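Review bot: The `tpl_bgp_up` import filters accept routes from upstreams with their large communities intact, yet `(LOCAL_ASN, 3, *)` and `(LOCAL_ASN, 1, *)` are used as internal control values by the pipes in function/tables.conf and by `tpl_ibgp` below; an upstream or IX participant can therefore tag a route with this AS's own communities and suppress it from the kernel or from iBGP propagation, so the import side should scrub `(LOCAL_ASN, *, *)` before `accept`. The same filters also ignore `is_bogon_asn()` and `net_len_too_long()` from function/begon.conf, so private/reserved ASNs in the path and /25–/32 or /49–/128 announcements are accepted from the full-table sessions, and unlike the dn42 and unet templates there is no `import limit` at all. The change below is for the ipv4 channel; the ipv6 channel gets the same lines with `is_self_net_v6()`, and an `import limit` sized for a full table (plus the IX route-server sessions in peers/inet) would complete it.
```bird
 import filter {
 if is_self_net() then reject;
 if is_bogon_prefix() || is_bogon_asn() || net_len_too_long() || (bgp_path.len > 100) then reject;
 # strip our own control communities so a peer cannot steer the pipes or iBGP
 bgp_large_community.delete([(LOCAL_ASN, *, *)]);
 accept;
 };
 # … unchanged: export filter …
```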
@@ -0,0 +1 @@
+include "/etc/bird/peers/ospf/*.conf";
diff --git a/bird/net/unet.conf b/bird/net/unet.conf
new file mode 100644
index 0000000..6de5bde
--- /dev/null
+++ b/bird/net/unet.conf
@@ -0,0 +1,65 @@
+template bgp unet_bgp_up {
+ graceful restart;
+ local as UNET_ASN;
+ ipv4 {
+ table unet4;
+ import filter {
+ if unet_is_voalid_net_v4() && !unet_is_self_net() then accept;
+ reject;
+ };
+ export filter { if unet_is_voalid_net_v4() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
+ import limit 9000 action block;
+ };
+ ipv6 {
+ table unet6;
+ import filter {
+ if unet_is_voalid_net_v6() && !unet_is_self_net_v6() then accept;
+ reject;
+ };
+ export filter { if unet_is_voalid_net_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
+ import limit 9000 action block;
+ };
+}
+
+template bgp unet_ibgp {
+ graceful restart;
+ local as UNET_ASN;
+ med metric;
+ direct;
+ ipv4 {
+ table unet4;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
+ if !unet_is_voalid_net_v4() then reject;
+ if unet_is_self_net() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
+ if !unet_is_voalid_net_v4() then reject;
+ if unet_is_self_net() then reject;
+ accept;
+ };
+ };
+ ipv6 {
+ table unet6;
+ next hop self;
+ gateway direct;
+ import filter {
+ if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
+ if !unet_is_voalid_net_v6() then reject;
+ if unet_is_self_net_v6() then reject;
+ accept;
+ };
+ export filter {
+ if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject;
+ if !unet_is_voalid_net_v6() then reject;
+ if unet_is_self_net_v6() then reject;
+ accept;
+ };
+ };
+}
+
+include "/etc/bird/peers/unet/*.conf";
\ No newline at end of file
diff --git a/bird/peers/dn42/ibgp.conf b/bird/peers/dn42/ibgp.conf
new file mode 100644
index 0000000..5d009ff
--- /dev/null
+++ b/bird/peers/dn42/ibgp.conf
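Review bot: The `unet_bgp_up` import filters accept any prefix that passes `unet_is_voalid_net_v4()`/`_v6()` and is not in `unet_is_self_net()`/`_v6()`, but the "anynet" sets behind those functions (function/network.conf) contain `44.32.191.0/24+`, `2406:840:e600::/44{44,56}` and `2a14:7580:9600::/40{45,56}` — this node's own public space — while the unet self-net lists cover only 10.188.x, 172.20.21.0/29, 2406:840:e601::/48 and the ULA /56. A unet peer can therefore announce e.g. `44.32.191.0/25` or `2406:840:e600::/48`; the route enters unet4/unet6, passes the `unet4_sync`/`unet6_sync` pipes (which reject only `(UNET_ASN,3,*)`), and is installed in the kernel through the final `!is_bogon_prefix()` branch in bird.conf. Reject own space here as well, e.g. `if is_self_net() || unet_is_self_net() then reject;` (and `is_self_net_v6()` for the ipv6 channel) ahead of the accept — noting that `is_self_net()` in conf/mynet.conf currently matches only the exact /24 and would need `+` to cover more-specifics.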
@@ -0,0 +1,4 @@
+protocol bgp dn42_ibgp_hk1 from dn42_ibgp {
+ source address 172.20.21.6;
+ neighbor 172.20.21.4 as DN42_ASN;
+}
\ No newline at end of file
diff --git a/bird/peers/inet/bgp_zxix.conf b/bird/peers/inet/bgp_zxix.conf
new file mode 100644
index 0000000..b48bb26
--- /dev/null
+++ b/bird/peers/inet/bgp_zxix.conf
@@ -0,0 +1,8 @@
+protocol bgp int_bgp_zxix_rs1 from tpl_bgp_up {
+ neighbor 2406:840:1f:1000::1 as 140961;
+}
+
+protocol bgp int_bgp_zxix_140915_v6 from tpl_bgp_up {
+ source address 2406:840:1f:1000:0:15:3376:1;
+ neighbor 2406:840:1f:1000:0:14:915:2 as 140915;
+}
\ No newline at end of file
diff --git a/bird/peers/inet/bgpexchange_jp.conf b/bird/peers/inet/bgpexchange_jp.conf
new file mode 100644
index 0000000..57dc755
--- /dev/null
+++ b/bird/peers/inet/bgpexchange_jp.conf
@@ -0,0 +1,4 @@
+protocol bgp int_bgp_exchange_jp1 from tpl_bgp_up {
+ source address 2a0e:8f01:1000:9::10b;
+ neighbor 2a0e:8f01:1000:9::1 as 24381;
+}
\ No newline at end of file
diff --git a/bird/peers/inet/ibgp.conf b/bird/peers/inet/ibgp.conf
new file mode 100644
index 0000000..0171c30
--- /dev/null
+++ b/bird/peers/inet/ibgp.conf
@@ -0,0 +1,4 @@
+protocol bgp int_ibgp_hk1 from tpl_ibgp {
+ source address fe80:15:3376:3::2:1;
+ neighbor fe80:15:3376:3::3:1%pccw1 as LOCAL_ASN;
+}
\ No newline at end of file
diff --git a/bird/peers/ospf/ospf_ipv4.conf b/bird/peers/ospf/ospf_ipv4.conf
new file mode 100644
index 0000000..773fa74
--- /dev/null
+++ b/bird/peers/ospf/ospf_ipv4.conf
@@ -0,0 +1,32 @@
+protocol ospf v3 ospf_ipv4 {
+ ipv4 {
+ table ospf4;
+ import all;
+ export filter {
+ if bgp_large_community !~ [(UNET_ASN, 301,0)] then reject;
+ accept;
+ };
+ import limit 1000 action block;
+ };
+ area 0 {
+ interface "pccw1" {
+ cost 5;
+ password "114514";
+ };
+
+ };
+}
+
+
+protocol static route_ospf_export_v4 {
+ route 10.188.3.0/24 reject;
+ ipv4 {
+ table ospf4;
+ import filter {
+ bgp_large_community.add((UNET_ASN,301,0));# 允许导出至OSPF
+ bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
+ accept;
+ };
+ export none;
+ };
+}
\ No newline at end of file
diff --git a/bird/peers/ospf/ospf_ipv6.conf b/bird/peers/ospf/ospf_ipv6.conf
new file mode 100644
index 0000000..f01e591
--- /dev/null
+++ b/bird/peers/ospf/ospf_ipv6.conf
@@ -0,0 +1,33 @@
+protocol ospf v3 ospf_ipv6 {
+ ipv6 {
+ table ospf6;
+ import all;
+ export filter {
+ if bgp_large_community !~ [(UNET_ASN, 301,0)] then reject;
+ accept;
+ };
+ import limit 1000 action block;
+ };
+ area 0 {
+ interface "pccw1" {
+ cost 5;
+ };
+ };
+}
+
+protocol static route_ospf_export_v6 {
+ route 2406:840:e601:1::/64 reject;
+ route 2406:840:e601:3::/64 reject;
+ route 2406:840:e601:4::/63 reject;
+ route 2406:840:e601:2000::/51 reject;
+
+ ipv6 {
+ table ospf6;
+ import filter {
+ bgp_large_community.add((UNET_ASN,301,0));# 允许导出至OSPF
+ bgp_large_community.add((UNET_ASN,3,0));# 不允许导出到内核
+ accept;
+ };
+ export none;
+ };
+}
\ No newline at end of file
diff --git a/bird/peers/unet/ibgp.conf b/bird/peers/unet/ibgp.conf
new file mode 100644
index 0000000..f02aa48
--- /dev/null
+++ b/bird/peers/unet/ibgp.conf
@@ -0,0 +1,4 @@
+protocol bgp unet_ibgp_hk1 from unet_ibgp {
+ source address fe80:15:3376:3::2:2;
+ neighbor fe80:15:3376:3::3:2%pccw1 as UNET_ASN;
+}
\ No newline at end of file
diff --git a/bird/vars.conf b/bird/vars.conf
new file mode 100644
index 0000000..c9872f4
--- /dev/null
+++ b/bird/vars.conf
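Review bot: `password "114514";` on interface pccw1 is, as far as I can tell from BIRD's OSPF interface options, inert unless `authentication cryptographic;` is also set on the interface (the default is `authentication none`), so the adjacency is still unauthenticated and `import all` lets any OSPF speaker on pccw1 inject routes into ospf4 and, via the `pipe_ospf4_sync` pipe and bird.conf, into the kernel, bounded only by `import limit 1000`. The secret itself is a well-known meme number and is now in the repository history; generate a long random value, supply it from a non-committed include, and pair it with `authentication cryptographic;` — and check the deployed BIRD version supports authentication on OSPFv3, which older 2.0 releases did not. The ipv6 instance in ospf_ipv6.conf carries no password at all, so the two should be aligned.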
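Review bot: The `interface "pccw1"` block in `ospf_ipv6` configures no authentication at all, while the ipv4 instance at least attempts a password, and `import all` takes every route from whoever forms an adjacency on that link; those routes pass the `ospf6_sync` pipe (it rejects only `(UNET_ASN,3,*)`, which OSPF-originated routes never carry) and are installed in the kernel by bird.conf. If pccw1 is a point-to-point tunnel to one trusted router the exposure is limited, but that assumption should be enforced rather than implied: `authentication cryptographic; password "<secret>";` on the interface (subject to the deployed BIRD version supporting OSPFv3 authentication), and `import all` narrowed to an import filter that accepts only the expected `2406:840:e601::/48` and ULA ranges. A one-line comment on the interface block stating what pccw1 is would help whoever reviews this next.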
@@ -0,0 +1,12 @@
+define LOCAL_ASN = 153376;
+define LOCAL_V4_kernel = 10.188.2.3;
+define LOCAL_V6_kernel = 2406:840:e601:1::1;
+
+define DN42_ASN = 4242423376;
+define DN42_V4_kernel = 172.20.21.6;
+define DN42_V6_kernel = fde8:936e:ee29:1000::3;
+
+define UNET_ASN = 4218818804;
+define UNET_V4_kernel = 10.188.2.3;
+
+router id 154.37.212.38;
\ No newline at end of file