bird example config

Signed-off-by: Alarig Le Lay <alelay@scaleway.com>
Alarig Le Lay 2024-10-17 15:26:37 +02:00
parent 63123b3d66
commit 9e9ad27fff
No known key found for this signature in database
GPG key ID: 948D6BC249D8EBFF

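--- /dev/null
+++ b/bird.conf
@@ -0,0 +1,208 @@
+# Configure logging
+#log syslog { warning, error, fatal, bug };
+log syslog all;
+# Turn on global debugging of all protocols
+#debug protocols all;
+debug protocols { states };
+# Override router ID and store ASN
+router id 193.34.197.192;
+define myasn = 47214;
+#####################
+# GENERAL PROTOCOLS #
+#####################
+# This pseudo-protocol watches all interface up/down events.
+protocol device {
+# Scan interfaces every 5 seconds
+scan time 5;
+}
+protocol bfd {
+interface "ens19" {
+passive on;
+};
+}
+roa4 table r4;
+roa6 table r6;
+protocol rpki rpki_alarig {
+remote "msi.no.swordarmor.fr";
+roa4 { table r4; };
+roa6 { table r6; };
+}
+protocol rpki rpki_cf {
+remote "rtr.rpki.cloudflare.com";
+port 8282;
+roa4 { table r4; };
+roa6 { table r6; };
+}
+###############
+# BGP FILTERS #
+###############
+include "/etc/bird/check_import.conf";
+function check_ipv4(int peeras; ip nexthop)
+prefix set martians;
+prefix set our_prefixes;
+{
+check_import(peeras, nexthop);
+martians = [
+10.0.0.0/8+, 100.64.0.0/10+, 127.0.0.0/8+, 169.254.0.0/16+,
+172.16.0.0/12+, 192.0.0.0/24+, 192.0.2.0/24+, 192.168.0.0/16+,
+198.18.0.0/15+, 198.51.100.0/24+, 203.0.113.0/24+,
+224.0.0.0/4+, 240.0.0.0/4+, 255.255.255.255/32
+];
+# Avoid reserved networks
+if net ~ martians then return false;
+# Avoid too short and too long prefixes
+if (net.len < 8) || (net.len > 24) then return false;
+# Avoid 0.0.0.0/X (default route + 0.0.0.0/8)
+if net.ip = 0.0.0.0 then return false;
+# Remove our prefixes. Only us can announce them
+# Remove also our interconnection prefixes. We are directly connected.
+if net ~ [ 185.1.89.0/24+ ] then return false;
+# scrub Origin Validation State Extended Community
+bgp_ext_community.delete((unknown 0x4300, 0, 0));
+bgp_ext_community.delete((unknown 0x4300, 0, 1));
+bgp_ext_community.delete((unknown 0x4300, 0, 2));
+# set RPKI Origin Validation State Extended Community
+case roa_check(r4, net, bgp_path.last_nonaggregated) {
+ROA_VALID:
+# add rfc8097 marker to routes for which a valid
+# matching ROA exists
+bgp_ext_community.add((unknown 0x4300, 0, 0));
+ROA_INVALID:
+bgp_ext_community.add((unknown 0x4300, 0, 2));
+return false;
+else:
+# add rfc8097 marker to routes for which no covering
+# ROA exists
+bgp_ext_community.add((unknown 0x4300, 0, 1));
+}
+return true;
+};
+function check_ipv6(int peeras; ip nexthop)
+prefix set martians;
+prefix set our_prefixes;
+{
+check_import(peeras, nexthop);
+martians = [ ::1/128, ::/128, ::ffff:0:0/96+, 100::/64+,
+2001:db8::/32+, 2001::/23, 2001:2::/48+, 2001:10::/28+, 2002::/17+,
+fc00::/7, fe80::/10, ff00::/8+, 3FFE::/16+, 5F00::/8+
+];
+# Avoid reserved networks
+if net ~ martians then return false;
+# Avoid too short and too long prefixes
+if (net.len < 16) || (net.len > 48) then return false;
+# Avoid bogons. IANA didn't allocate outside of 2000::/3
+# but there are already announces there
+if ! (net.ip ~ 2000::/3) then return false;
+# Avoid 0.0.0.0/X (default route + 0.0.0.0/8)
+if net.ip = ::/0 then return false;
+# Remove our prefixes. Only us can announce them
+# Remove also our interconnection prefixes. We are directly connected.
+if net ~ 2001:7f8:b1::/48 then return false;
+# scrub Origin Validation State Extended Community
+bgp_ext_community.delete((unknown 0x4300, 0, 0));
+bgp_ext_community.delete((unknown 0x4300, 0, 1));
+bgp_ext_community.delete((unknown 0x4300, 0, 2));
+# set RPKI Origin Validation State Extended Community
+case roa_check(r6, net, bgp_path.last_nonaggregated) {
+ROA_VALID:
+# add rfc8097 marker to routes for which a valid
+# matching ROA exists
+bgp_ext_community.add((unknown 0x4300, 0, 0));
+ROA_INVALID:
+bgp_ext_community.add((unknown 0x4300, 0, 2));
+return false;
+else:
+# add rfc8097 marker to routes for which no covering
+# ROA exists
+bgp_ext_community.add((unknown 0x4300, 0, 1));
+}
+return true;
+};
+#############
+# Templates #
+#############
+template bgp PEERS_IPv4 {
+local as myasn;
+rs client;
+passive;
+local role rs_server;
+#bfd on;
+prefer older;
+ipv4 {
+import table on;
+export table on;
+rpki reload;
+add paths tx;
+import keep filtered;
+import all;
+export all;
+import limit 100 action block;
+receive limit 1000 action disable;
+};
+}
+template bgp PEERS_IPv6 {
+local as myasn;
+rs client;
+passive;
+local role rs_server;
+#bfd on;
+prefer older;
+ipv6 {
+import table on;
+export table on;
+rpki reload;
+add paths tx;
+import keep filtered;
+import all;
+export all;
+import limit 100 action block;
+receive limit 1000 action disable;
+};
+}
+#########
+# PEERS #
+#########
+include "/etc/bird/google.conf";
+include "/etc/bird/functions/*.conf";
+include "/etc/bird/peers/*.conf";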
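Review bot: The IPv4 martian set in check_ipv4 has no entry for 0.0.0.0/8, and the later `if net.ip = 0.0.0.0 then return false;` only catches prefixes whose network address is exactly 0.0.0.0, so a more-specific such as 0.1.0.0/16 passes both checks; adding `0.0.0.0/8+,` to the martians list closes that gap. The corresponding line in check_ipv6 compares an address with the prefix literal `::/0`; the intent reads as `if net.ip = :: then return false;`, although the `net.len < 16` check before it already rejects the default route, so the line is redundant either way. The interconnect check in check_ipv6 uses `2001:7f8:b1::/48` without the `+` that the IPv4 counterpart `185.1.89.0/24+` carries, so more-specifics of that /48 are not filtered, and both functions declare `prefix set our_prefixes` without ever assigning or reading it. Finally, both templates end with `import all;`, so these filters only take effect if every stanza in peers/*.conf (not visible here) overrides it with `import where check_ipv4(...)` / `check_ipv6(...)`; a comment in the templates stating that expectation would make the dependency explicit.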