# Logging. Everything goes to syslog; "all" is the full class set
# (debug, trace, info, remote, warning, error, auth, fatal, bug).
# debug/trace are very chatty once the session is up -- consider trimming
# the set after the peering has been confirmed stable.
#log "/var/log/bird-rtbh.log" all;
log syslog all;
# Fixed router ID so it does not depend on which interface address BIRD
# happens to pick first.
router id 10.0.0.100;
# Our AS number. The EDGE peer below uses the same value, i.e. it is iBGP.
define local_asn = 65001;
# Kernel sync for BIRD's main table against kernel table 5.
# With "import none" and "export none" nothing flows in either direction:
# no kernel routes are learned into BIRD and BIRD writes nothing into table 5.
# NOTE(review): "learn" is therefore without effect here (it only matters
# when imports are allowed), and the target is table 5, not the kernel's
# main table -- confirm that is intended.
protocol kernel {
        kernel table 5;         # sync target is kernel table 5
        scan time 20;           # re-read the kernel table every 20 s
        persist;                # do not withdraw routes when BIRD stops
        learn;                  # learn alien routes (masked by "import none")
        export none;            # push nothing into the kernel
        import none;            # take nothing from the kernel
}
# Dedicated BIRD table for blackhole routes, mirrored both ways with kernel
# table 100. Anything placed in kernel table 100 (e.g. by an operator with
# "ip route add ... table 100", or by any process allowed to write routes)
# is learned into RTBH and becomes a candidate for announcement to the edge;
# anything BIRD holds in RTBH is written back into table 100.
table RTBH;
protocol kernel rtbh {
        table RTBH;
        kernel table 100;       # the rtbh kernel table
        scan time 20;
        learn;                  # pick up routes added outside BIRD
        persist;                # keep them across BIRD restarts
        export all;             # RTBH -> kernel table 100
        import all;             # kernel table 100 -> RTBH
}
# Interface tracking: BIRD needs this to notice link up/down events.
protocol device {
        scan time 10;           # poll interfaces every 10 s
}
# Returns true only for host routes (/32) that lie inside one of the ranges
# we are permitted to blackhole. The export filter drops everything else, so a
# typo or a stray route in kernel table 100 cannot blackhole address space
# outside this list -- keep the list tight.
# NOTE(review): 203.0.113.0/24 is a documentation range and 1.1.1.0/24 is
# publicly assigned space (Cloudflare's resolver range); both presumably are
# placeholders -- replace them with the operator's own prefixes before use.
function check_prefix()
prefix set allowed_prefix;
{
        # "/25+" and "/24+" admit every more-specific prefix down to /32.
        allowed_prefix = [ 203.0.113.128/25+, 1.1.1.0/24+ ];
        # Both must hold: inside an allowed range AND exactly a /32.
        return (net ~ allowed_prefix) && (net.len = 32);
}
# Export filter for the EDGE session: only routes accepted by check_prefix()
# leave the box, and they leave tagged with local_asn:666. Any communities the
# route already carried are discarded first.
# NOTE(review): local_asn:666 is a site convention; the edge router's policy
# must match exactly this value or the announcement is a no-op there. The
# well-known BLACKHOLE community 65535:666 (RFC 7999) is the interoperable
# alternative -- confirm which one the edge expects.
filter EXPORT_BLACKHOLED_32
{
        if check_prefix() then {
                bgp_community = -empty-;
                bgp_community.add((local_asn,666));
                accept;
        }
        reject;
}
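# iBGP session to the edge router. Bound to table RTBH so only blackhole
# candidates are visible to this session, and EXPORT_BLACKHOLED_32 limits
# what is announced to validated /32s carrying the blackhole community.
protocol bgp EDGE {
        table RTBH;
        description "Peer with Edge Router to announce /32 Prefixes to be Blackholed";
        local as local_asn;
        neighbor 10.0.0.1 as local_asn;
        # This box is a trigger: it announces and must not accept. With
        # "import all" every route the edge sent would land in RTBH and, via
        # the rtbh kernel protocol's "export all", in kernel table 100 on this
        # host (and stay there across restarts because of "persist").
        import none;
        export filter EXPORT_BLACKHOLED_32;
        # NOTE(review): the session carries no authentication. If the edge
        # supports it, add `password "<shared secret>";` (TCP MD5) and limit
        # TCP/179 on this host to 10.0.0.1 so only the edge can open a session.
}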