- ########################################################################################
- ########################################################################################
- ###
- ### AS32590 - Valve Corporation - VLAN Interface #4
- # Dedicated IPv4 routing table for this peer. The import filter, the pipe and the
- # BGP protocol below all reference it by name.
- ipv4 table t_0004_as32590;
- # Import filter for routes received from AS32590 into t_0004_as32590.
- #
- # Every failed check tags the route with an IXP_LC_FILTERED_* large community and
- # then ACCEPTS it; nothing in this filter rejects a route. The tagged route therefore
- # lands in the peer table, and the drop has to happen later.
- # NOTE(review): presumably f_export_to_master (used on the pipe, defined elsewhere)
- # rejects anything carrying an IXP_LC_FILTERED_* tag -- confirm, because if it does
- # not, routes flagged here as bogon / hijack / unregistered reach the master table.
- filter f_import_as32590
- # Filter-local sets, filled in below: allowed prefixes, peer IPs, origin ASNs.
- prefix set allnet;
- ip set allips;
- int set allas;
- {
- # Filter small prefixes: any IPv4 prefix with a length of /25 to /32 is tagged as too long
- if ( net ~ [ 0.0.0.0/0{25,32} ] ) then {
- bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
- accept;
- }
- # avoid_martians() is defined elsewhere; a false result is tagged as a bogon here.
- if !(avoid_martians()) then {
- bgp_large_community.add( IXP_LC_FILTERED_BOGON );
- accept;
- }
- # Belt and braces: must have at least one ASN in the path
- if( bgp_path.len < 1 ) then {
- bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
- accept;
- }
- # Peer ASN == route's first ASN?
- # The leftmost ASN must be the peer's own (32590), i.e. the route was not relayed
- # with someone else's ASN at the head of the path.
- if (bgp_path.first != 32590 ) then {
- bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
- accept;
- }
- # set of all IPs this ASN uses to peer with on this VLAN
- # (a single address here; it matches the neighbor statement in pb_0004_as32590)
- allips = [ 103.149.217.11 ];
- # Prevent BGP NEXT_HOP Hijacking
- # `from` is the address the route was received from; a NEXT_HOP that differs from it
- # would steer other members' traffic to a third party.
- if !( from = bgp_next_hop ) then {
- # need to differentiate between same ASN next hop or actual next hop hijacking
- if( bgp_next_hop ~ allips ) then {
- # informational only: the route is not marked filtered and evaluation continues
- bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
- } else {
- # looks like hijacking (intentional or not)
- bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
- accept;
- }
- }
- # Filter Known Transit Networks
- # No tag is added at this call site.
- # NOTE(review): presumably filter_has_transit_path() (defined elsewhere) adds its own
- # IXP_LC_FILTERED_* tag before returning true -- confirm, otherwise this accept lets
- # the route through unmarked and skips every check below.
- if filter_has_transit_path() then accept;
- # Belt and braces: no one needs an ASN path with > 64 hops, that's just broken
- if( bgp_path.len > 64 ) then {
- bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
- accept;
- }
- # Origin ASNs this peer may announce; only the peer's own ASN is listed.
- allas = [ 32590
- ];
- # Ensure origin ASN is in the neighbors AS-SET
- if !(bgp_path.last_nonaggregated ~ allas) then {
- bgp_large_community.add( IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED );
- accept;
- }
- # Skipping RPKI check -> RPKI not enabled / configured correctly.
- # No ROA lookup happens in this filter, so origin validation for this peer rests
- # entirely on the static allas / allnet lists. A stale or over-broad list entry is
- # not caught by a second, independent check.
- bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );
- # Prefixes this peer may announce. An entry such as a.b.c.d/23{23,24} also matches
- # the /24 more-specifics inside that /23; a bare /24 matches only that exact prefix.
- # NOTE(review): judging by the IRRDB tag names this list is generated from IRR data -- confirm.
- allnet = [ 204.63.214.0/23{23,24}, 205.196.6.0/24, 208.64.200.0/24, 208.64.201.0/24,
- 208.64.202.0/24, 208.64.203.0/24, 45.121.184.0/22{22,24}, 45.121.184.0/23{23,24},
- 45.121.186.0/23{23,24}, 103.10.124.0/23{23,24}, 103.10.124.0/24, 103.10.125.0/24,
- 103.28.54.0/23{23,24}, 103.28.54.0/24, 103.28.55.0/24, 143.137.146.0/24,
- 146.66.152.0/21{21,24}, 146.66.152.0/23{23,24}, 146.66.154.0/24, 146.66.155.0/24,
- 146.66.156.0/23{23,24}, 146.66.158.0/23{23,24}, 153.254.86.0/24, 155.133.224.0/19{19,24},
- 155.133.224.0/23{23,24}, 155.133.226.0/24, 155.133.227.0/24, 155.133.228.0/23{23,24},
- 155.133.230.0/23{23,24}, 155.133.232.0/24, 155.133.233.0/24, 155.133.234.0/24,
- 155.133.235.0/24, 155.133.236.0/23{23,24}, 155.133.238.0/24, 155.133.239.0/24,
- 155.133.240.0/23{23,24}, 155.133.242.0/23{23,24}, 155.133.244.0/24, 155.133.245.0/24,
- 155.133.246.0/23{23,24}, 155.133.248.0/24, 155.133.249.0/24, 155.133.250.0/24,
- 155.133.251.0/24, 155.133.252.0/24, 155.133.253.0/24, 155.133.254.0/24,
- 155.133.255.0/24, 162.254.192.0/24, 162.254.193.0/24, 162.254.194.0/23{23,24},
- 162.254.196.0/24, 162.254.197.0/24, 162.254.198.0/24, 162.254.199.0/24,
- 185.25.180.0/23{23,24}, 185.25.182.0/24, 185.25.183.0/24, 190.216.121.0/24,
- 190.217.33.0/24, 192.69.96.0/22{22,24}, 205.185.194.0/24, 208.78.164.0/22{22,24}
- ];
- # Prefix outside the allowed set: tagged as filtered (plus an informational tag) and accepted.
- if ! (net ~ allnet) then {
- bgp_large_community.add( IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED );
- bgp_large_community.add( IXP_LC_INFO_IRRDB_FILTERED_LOOSE );
- accept;
- } else {
- bgp_large_community.add( IXP_LC_INFO_IRRDB_VALID );
- }
- # Passed every check above.
- accept;
- }
- # The route server export filter exists as the export gateway on the BGP protocol.
- #
- # Remember that standard IXP community filtering has already happened on the
- # master -> bgp protocol pipe.
- # Export filter towards AS32590: removes the route server's own tagging and accepts
- # every route. It does no policy filtering of its own, so what this peer receives
- # is decided entirely by what the pipe lets into t_0004_as32590.
- filter f_export_as32590{
- # we should strip our own communities which we used for the looking glass
- # (every large and standard community whose first field is routeserverasn, which is
- # defined elsewhere; this keeps the internal FILTERED / INFO tags from reaching the peer)
- bgp_large_community.delete( [( routeserverasn, *, * )] );
- bgp_community.delete( [( routeserverasn, * )] );
- # default position is to accept:
- accept;
- }
- # Pipe linking the shared master4 table with this peer's own table.
- protocol pipe pp_0004_as32590 {
- description "Pipe for AS32590 - Valve Corporation - VLAN Interface 4";
- table master4;
- peer table t_0004_as32590;
- # import = peer table -> master4. f_import_as32590 accepts the routes it tags as
- # filtered, so this filter is where they have to be stopped.
- # NOTE(review): f_export_to_master is defined elsewhere -- confirm it rejects
- # routes carrying any IXP_LC_FILTERED_* community.
- import filter f_export_to_master;
- # export = master4 -> peer table. ixp_community_filter() is defined elsewhere;
- # presumably it applies the per-peer community policy for AS32590 -- verify.
- export where ixp_community_filter(32590);
- }
- # BGP session with AS32590. Settings not shown here are inherited from the
- # tb_rsclient template, which is defined elsewhere.
- # NOTE(review): no `password` (TCP-MD5) is set in this block; check whether the
- # template configures session authentication.
- protocol bgp pb_0004_as32590 from tb_rsclient {
- description "AS32590 - Valve Corporation";
- neighbor 103.149.217.11 as 32590;
- ipv4 {
- # Restart the session once more than 120 routes have been imported; this bounds
- # the effect of a route leak from the peer.
- # NOTE(review): f_import_as32590 accepts the routes it tags as filtered, so those
- # presumably count towards this limit as well -- confirm when sizing it.
- import limit 120 action restart;
- import filter f_import_as32590;
- table t_0004_as32590;
- export filter f_export_as32590;
- };
- # With this off, BIRD does not act on well-known communities such as no-export
- # itself; they are passed on unchanged for the receiving peers to honour.
- interpret communities off; # enable rfc1997 well-known community pass through
- }