diff --git a/bird/bird.conf b/bird/bird.conf index 0ac909f..ea0ec3b 100644 --- a/bird/bird.conf +++ b/bird/bird.conf @@ -40,4 +40,5 @@ protocol kernel { }; }; -include "/etc/bird/net/*.conf"; \ No newline at end of file +include "/etc/bird/net/*.conf"; +include "/etc/bird/template/*.conf"; \ No newline at end of file diff --git a/bird/function/inet.conf b/bird/function/inet.conf deleted file mode 100644 index c194811..0000000 --- a/bird/function/inet.conf +++ /dev/null @@ -1,22 +0,0 @@ -ipv4 table inet4; -ipv6 table inet6; - -protocol pipe inet6_sync { - table inet6; - peer table master6; - import none; - export filter { - if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject; - accept; - }; -} - -protocol pipe inet4_sync { - table inet4; - peer table master4; - import none; - export filter { - if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject; - accept; - }; -} \ No newline at end of file diff --git a/bird/function/unet.conf b/bird/function/unet.conf index 5b86884..dce1c18 100644 --- a/bird/function/unet.conf +++ b/bird/function/unet.conf @@ -1,6 +1,3 @@ -ipv4 table unet4; -ipv6 table unet6; - function unet_is_valid_network_v4() { return net ~ [ 10.50.0.0/16+, @@ -28,21 +25,4 @@ function unet_is_voalid_net_v6(){ 2406:840:e600::/44{44,64}, 2a0f:1cc5:0010::/44{44,64} ]; -} - -protocol pipe unet4_sync { - table unet4; - peer table master4; - export filter { - if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject; - accept; - }; -} -protocol pipe unet6_sync { - table unet6; - peer table master6; - export filter { - if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject; - accept; - }; -} +} \ No newline at end of file diff --git a/bird/net/inet4.conf b/bird/net/inet4.conf new file mode 100644 index 0000000..b0c6d33 --- /dev/null +++ b/bird/net/inet4.conf 
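Review bot: The added `include "/etc/bird/template/*.conf";` is not the only thing this commit turns on: it also renames `bird/net/ospf.conf.disable` to `bird/net/ospf.conf`, so the existing `net/*.conf` glob on the line above now activates OSPF as well, and that file's contents are not in the diff. Activation-by-filename deserves a comment next to the includes, e.g. `# net/: tables, kernel and pipe protocols (every *.conf here is live); template/: BGP templates, which pull in peers/`. The templates in `template/*.conf` reference tables declared in `net/*.conf` (`inet4`, `unet4`, ...), so the order of these two include lines appears to matter and they should not be swapped.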
@@ -0,0 +1,18 @@ +ipv4 table inet4; + +protocol kernel { + scan time 20; + kernel table 103; + ipv4 { + table inet4; + import none; + export filter { + if source = RTS_STATIC then reject; + if !is_bogon_prefix() then { + krt_prefsrc = LOCAL_V4_kernel; + accept; + } + reject; + }; + }; +}; \ No newline at end of file diff --git a/bird/net/inet6.conf b/bird/net/inet6.conf new file mode 100644 index 0000000..bb2c17f --- /dev/null +++ b/bird/net/inet6.conf @@ -0,0 +1,11 @@ +ipv6 table inet6; + +protocol pipe inet6_sync { + table inet6; + peer table master6; + import none; + export filter { + if bgp_large_community ~ [(LOCAL_ASN, 3,*)] then reject; + accept; + }; +} \ No newline at end of file diff --git a/bird/net/ospf.conf.disable b/bird/net/ospf.conf similarity index 100% rename from bird/net/ospf.conf.disable rename to bird/net/ospf.conf diff --git a/bird/net/unet.conf b/bird/net/unet.conf index fee9d3c..ad11fad 100644 --- a/bird/net/unet.conf +++ b/bird/net/unet.conf 
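Review bot: `bird/net/inet4.conf` declares table `inet4` and a kernel protocol but no pipe from `master4`, while the deleted `bird/function/inet.conf` had `protocol pipe inet4_sync` and only its IPv6 twin is re-created in `bird/net/inet6.conf`; unless something outside this diff feeds `inet4`, the kernel export to table 103 has nothing to export. Conversely `inet6.conf` has no kernel protocol, so the two files are not mirror images. If the asymmetry is intended, a header comment in each file stating what is deliberately absent (e.g. `# inet4 is fed by the BGP templates directly; no pipe from master4`) would save the next reader from reconciling them. The export filter itself — reject `RTS_STATIC`, reject bogons, set `krt_prefsrc = LOCAL_V4_kernel` — reads correctly.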
@@ -1,106 +1,19 @@ -template bgp unet_bgp_up0 { - graceful restart; - local as UNET_ASN; - ipv4 { - table unet4; - import filter { - if !unet_is_valid_network_v4_allnet() then reject; - if unet_is_self_net() then reject; - bgp_large_community.empty; - bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp - accept; - }; - export filter { - if !unet_is_valid_network_v4_allnet() then reject; - if source !~ [RTS_STATIC, RTS_BGP] then reject; - if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; - bgp_large_community.empty; - accept; - }; - import limit 9000 action block; - }; - ipv6 { - table unet6; - import filter { - if !unet_is_voalid_net_v6() then reject; - if unet_is_self_net_v6() then reject; - bgp_large_community.empty; - bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp - accept; - }; - export filter { - if !unet_is_voalid_net_v6() then reject; - if source !~ [RTS_STATIC, RTS_BGP] then reject; - if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; - bgp_large_community.empty; - accept; - }; - import limit 9000 action block; +ipv4 table unet4; +ipv6 table unet6; + +protocol pipe unet4_sync { + table unet4; + peer table master4; + export filter { + if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject; + accept; }; } - -template bgp unet_bgp_up1 { - graceful restart; - local as UNET_ASN; - ipv4 { - table unet4; - import filter { - if !unet_is_valid_network_v4() then reject; - if unet_is_self_net() then reject; - bgp_large_community.empty; - bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp - accept; - }; - export filter { - if !unet_is_valid_network_v4() then reject; - if source !~ [RTS_STATIC, RTS_BGP] then reject; - if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; - bgp_large_community.empty; - accept; - }; - import limit 9000 action block; +protocol pipe unet6_sync { + table unet6; + peer table master6; + export filter { + if bgp_large_community ~ [(UNET_ASN, 3,*)] then reject; + accept; }; -} - -template bgp unet_ibgp { - graceful 
restart; - local as UNET_ASN; - med metric; - direct; - ipv4 { - table unet4; - next hop self; - gateway direct; - import filter { - if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; - if !unet_is_valid_network_v4_allnet() then reject; - if unet_is_self_net() then reject; - accept; - }; - export filter { - if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; - if !unet_is_valid_network_v4_allnet() then reject; - if unet_is_self_net() then reject; - accept; - }; - }; - ipv6 { - table unet6; - next hop self; - gateway direct; - import filter { - if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; - if !unet_is_voalid_net_v6() then reject; - if unet_is_self_net_v6() then reject; - accept; - }; - export filter { - if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; - if !unet_is_voalid_net_v6() then reject; - if unet_is_self_net_v6() then reject; - accept; - }; - }; -} - -include "/etc/bird/peers/unet/*.conf"; \ No newline at end of file +} \ No newline at end of file diff --git a/bird/net/inet.conf b/bird/template/inet.conf similarity index 95% rename from bird/net/inet.conf rename to bird/template/inet.conf index 976f67e..82eb92b 100644 --- a/bird/net/inet.conf +++ b/bird/template/inet.conf @@ -6,6 +6,7 @@ template bgp tpl_inet4_up { import filter { if is_self_net() then reject; if is_bogon_prefix() || (bgp_path.len > 100) then reject; + if net ~ [0.0.0.0/0] then reject; # 不导入默认路由 bgp_large_community.empty; bgp_large_community.add((LOCAL_ASN,200,0));# 传输到Ebgp accept; @@ -29,6 +30,7 @@ template bgp tpl_inet6_up { import filter { if is_self_net_v6() then reject; if is_bogon_prefix() || (bgp_path.len > 100) then reject; + if net ~ [::/0] then reject; # 不导入默认路由 bgp_large_community.empty; bgp_large_community.add((LOCAL_ASN,200,0));# 传输到Ebgp accept; diff --git a/bird/template/unet.conf b/bird/template/unet.conf new file mode 100644 index 0000000..fee9d3c --- /dev/null +++ b/bird/template/unet.conf 
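Review bot: The re-homed `unet4_sync`/`unet6_sync` pipes carry an `export filter` but no `import` clause, so everything in `master4`/`master6` flows back into `unet4`/`unet6` by default, whereas `inet6_sync` in `bird/net/inet6.conf` is explicitly `import none`. If the uNet tables are meant to learn the full master table, say so, e.g. `import all; # uNet re-announces master routes`; if not, `import none;` mirrors the inet pipe. Either way the two pipe definitions should state the intended direction explicitly rather than rely on the default.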
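Review bot: The new `if net ~ [0.0.0.0/0] then reject;` (and `[::/0]` in the `tpl_inet6_up` hunk below) guards only the import side of the upstream templates; the export filters and the `tpl_inet4_ibgp`/`tpl_inet6_ibgp` templates named by the old `update.sh` are outside the hunk, so a default route that enters the table another way (static, iBGP) could presumably still be announced — confirm, or add the same guard there. Since `[0.0.0.0/0]` without `+` or `{}` matches only the exact default prefix, the check does what the comment says; if `is_bogon_prefix()` already covers the default route the line is redundant but harmless.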
@@ -0,0 +1,106 @@ +template bgp unet_bgp_up0 { + graceful restart; + local as UNET_ASN; + ipv4 { + table unet4; + import filter { + if !unet_is_valid_network_v4_allnet() then reject; + if unet_is_self_net() then reject; + bgp_large_community.empty; + bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp + accept; + }; + export filter { + if !unet_is_valid_network_v4_allnet() then reject; + if source !~ [RTS_STATIC, RTS_BGP] then reject; + if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; + bgp_large_community.empty; + accept; + }; + import limit 9000 action block; + }; + ipv6 { + table unet6; + import filter { + if !unet_is_voalid_net_v6() then reject; + if unet_is_self_net_v6() then reject; + bgp_large_community.empty; + bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp + accept; + }; + export filter { + if !unet_is_voalid_net_v6() then reject; + if source !~ [RTS_STATIC, RTS_BGP] then reject; + if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; + bgp_large_community.empty; + accept; + }; + import limit 9000 action block; + }; +} + +template bgp unet_bgp_up1 { + graceful restart; + local as UNET_ASN; + ipv4 { + table unet4; + import filter { + if !unet_is_valid_network_v4() then reject; + if unet_is_self_net() then reject; + bgp_large_community.empty; + bgp_large_community.add((UNET_ASN,200,0));# 传输到Ebgp + accept; + }; + export filter { + if !unet_is_valid_network_v4() then reject; + if source !~ [RTS_STATIC, RTS_BGP] then reject; + if bgp_large_community !~ [(UNET_ASN, 200,0)] then reject; + bgp_large_community.empty; + accept; + }; + import limit 9000 action block; + }; +} + +template bgp unet_ibgp { + graceful restart; + local as UNET_ASN; + med metric; + direct; + ipv4 { + table unet4; + next hop self; + gateway direct; + import filter { + if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; + if !unet_is_valid_network_v4_allnet() then reject; + if unet_is_self_net() then reject; + accept; + }; + export filter { + if bgp_large_community ~ 
[(UNET_ASN, 1,*)] then reject; + if !unet_is_valid_network_v4_allnet() then reject; + if unet_is_self_net() then reject; + accept; + }; + }; + ipv6 { + table unet6; + next hop self; + gateway direct; + import filter { + if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; + if !unet_is_voalid_net_v6() then reject; + if unet_is_self_net_v6() then reject; + accept; + }; + export filter { + if bgp_large_community ~ [(UNET_ASN, 1,*)] then reject; + if !unet_is_voalid_net_v6() then reject; + if unet_is_self_net_v6() then reject; + accept; + }; + }; +} + +include "/etc/bird/peers/unet/*.conf"; \ No newline at end of file diff --git a/update.sh b/update.sh index fd73686..a20fb67 100644 --- a/update.sh +++ b/update.sh @@ -1,15 +1,19 @@ #!/bin/bash -rm /etc/bird/net/inet.conf -curl https://git.nia.ink/brnet/bird_config/raw/branch/master/bird/net/inet.conf > /etc/bird/net/inet.conf +cd +git clone https://git.nia.ink/brnet/bird_config.git +mv /etc/bird /etc/bird.old +mv bird_config/bird /etc/ +rm -rf /etc/bird/peers +cp /etc/bird.old/peers /etc/bird/ +rm -rf /etc/bird/conf +cp /etc/bird.old/conf /etc/bird/ +rm /etc/bird/vars.conf +cp /etc/bird.old/vars.conf /etc/bird/vars.conf.dis chmod -R 755 /etc/bird -echo "请更新peers/inet的全部配置信息,再birdc c" -echo "内网V4:tpl_inet4_ibgp" -echo "内网V6:tpl_inet6_ibgp" -echo "外网V4:tpl_inet4_up" -echo "外网V6:tpl_inet6_up" +echo "请务必检查配置文件,修改vars文件名,并重新启动bird" cd rm update.sh \ No newline at end of file
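Review bot: `template bgp unet_ibgp` has no `import limit`, no `bgp_path.len` bound and no `source` check, whereas `unet_bgp_up0`/`unet_bgp_up1` carry `import limit 9000 action block`; if the iBGP peers are not fully trusted, a single misconfigured session can fill `unet4`/`unet6`. As this is a new file (content moved from `bird/net/unet.conf`), a short header comment is the place to record the trust model, e.g. `# unet_bgp_up*: upstream sessions, prefix-set and limit protected; unet_ibgp: internal sessions, trusted, no limit`. The `unet_is_voalid_net_v6` name is a pre-existing typo defined in `bird/function/unet.conf`; renaming it would require both files to change together.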
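Review bot: `cp /etc/bird.old/peers /etc/bird/` and `cp /etc/bird.old/conf /etc/bird/` copy directories without `-r`, so both fail with "omitting directory" and the update runs on with an empty `peers/` and `conf/`. Nothing stops on error either: if `git clone` fails, `mv /etc/bird /etc/bird.old` still runs and the following `mv bird_config/bird /etc/` has nothing to move, leaving no config at all, and a second run moves the live tree into the existing `/etc/bird.old/`. The clone is also unpinned, so whatever is on `master` at run time lands in `/etc/bird`; checking out a known tag or commit, or at least printing the cloned commit, gives an audit trail for what was deployed. The rewritten prologue below adds `set -euo pipefail`, refuses to clobber a previous backup and copies recursively; the `vars.conf` handling, `chmod`, echo and cleanup lines are unchanged.
```shell
#!/bin/bash
set -euo pipefail
cd
git clone https://git.nia.ink/brnet/bird_config.git
if [ -e /etc/bird.old ]; then
    echo "/etc/bird.old already exists; remove or rename the previous backup first" >&2
    exit 1
fi
mv /etc/bird /etc/bird.old
mv bird_config/bird /etc/
rm -rf /etc/bird/peers
cp -a /etc/bird.old/peers /etc/bird/
rm -rf /etc/bird/conf
cp -a /etc/bird.old/conf /etc/bird/
# … unchanged: vars.conf handling, chmod, echo, cleanup …
```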