
Valve RS CFG

a guest
Apr 16th, 2020
  ########################################################################################
  ########################################################################################
  ###
  ### AS32590 - Valve Corporation - VLAN Interface #4
  ###

  # Per-peer IPv4 routing table. The BGP channel for this peer imports into it and
  # the pipe protocol for this peer connects it to master4.
  ipv4 table t_0004_as32590;
  # Import filter for routes received from AS32590 on this VLAN.
  #
  # Tag-and-accept design: a route that fails a check is NOT rejected here. It is
  # tagged with an IXP_LC_FILTERED_* large community and accepted, so it still lands
  # in the per-peer table with the reason attached. The first failing check wins,
  # so the order of the checks decides which tag a route carries.
  #
  # NOTE(review): nothing in this filter stops a tagged route from being used. That
  # has to happen where the per-peer table is piped into master4 (the pipe's import
  # filter, f_export_to_master, defined elsewhere). Presumably it rejects anything
  # carrying an IXP_LC_FILTERED_* community -- confirm before trusting these checks.
  filter f_import_as32590
  prefix set allnet;
  ip set allips;
  int set allas;
  {
      # --- Static allow-lists for this peer ------------------------------------

      # Set of all IPs this ASN uses to peer with on this VLAN.
      allips = [ 103.149.217.11 ];

      # Origin ASNs this peer may announce (the "neighbors AS-SET" per the origin check below).
      allas = [ 32590 ];

      # Prefixes this peer may announce; {a,b} bounds the accepted prefix length.
      allnet = [
          204.63.214.0/23{23,24}, 205.196.6.0/24, 208.64.200.0/24, 208.64.201.0/24,
          208.64.202.0/24, 208.64.203.0/24, 45.121.184.0/22{22,24}, 45.121.184.0/23{23,24},
          45.121.186.0/23{23,24}, 103.10.124.0/23{23,24}, 103.10.124.0/24, 103.10.125.0/24,
          103.28.54.0/23{23,24}, 103.28.54.0/24, 103.28.55.0/24, 143.137.146.0/24,
          146.66.152.0/21{21,24}, 146.66.152.0/23{23,24}, 146.66.154.0/24, 146.66.155.0/24,
          146.66.156.0/23{23,24}, 146.66.158.0/23{23,24}, 153.254.86.0/24, 155.133.224.0/19{19,24},
          155.133.224.0/23{23,24}, 155.133.226.0/24, 155.133.227.0/24, 155.133.228.0/23{23,24},
          155.133.230.0/23{23,24}, 155.133.232.0/24, 155.133.233.0/24, 155.133.234.0/24,
          155.133.235.0/24, 155.133.236.0/23{23,24}, 155.133.238.0/24, 155.133.239.0/24,
          155.133.240.0/23{23,24}, 155.133.242.0/23{23,24}, 155.133.244.0/24, 155.133.245.0/24,
          155.133.246.0/23{23,24}, 155.133.248.0/24, 155.133.249.0/24, 155.133.250.0/24,
          155.133.251.0/24, 155.133.252.0/24, 155.133.253.0/24, 155.133.254.0/24,
          155.133.255.0/24, 162.254.192.0/24, 162.254.193.0/24, 162.254.194.0/23{23,24},
          162.254.196.0/24, 162.254.197.0/24, 162.254.198.0/24, 162.254.199.0/24,
          185.25.180.0/23{23,24}, 185.25.182.0/24, 185.25.183.0/24, 190.216.121.0/24,
          190.217.33.0/24, 192.69.96.0/22{22,24}, 205.185.194.0/24, 208.78.164.0/22{22,24}
      ];

      # --- Checks, in tagging order --------------------------------------------

      # Prefix length: anything from /25 to /32 is tagged as too long.
      if net ~ [ 0.0.0.0/0{25,32} ] then {
          bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
          accept;
      }

      # Bogons: avoid_martians() is defined elsewhere; a false result tags the route.
      if !avoid_martians() then {
          bgp_large_community.add( IXP_LC_FILTERED_BOGON );
          accept;
      }

      # Belt and braces: the AS path must hold at least one ASN.
      if bgp_path.len < 1 then {
          bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
          accept;
      }

      # The first ASN in the path must be the peer's own ASN.
      if bgp_path.first != 32590 then {
          bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
          accept;
      }

      # BGP NEXT_HOP hijack protection: the next hop should be the address the
      # route was received from.
      if from != bgp_next_hop then {
          if bgp_next_hop ~ allips then {
              # Next hop is another known peering IP of the same ASN: informational
              # tag only, and evaluation continues with the checks below.
              bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
          } else {
              # Next hop points at some other address: looks like hijacking
              # (intentional or not).
              bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
              accept;
          }
      }

      # Known transit networks in the path. No tag is added at this call site;
      # presumably filter_has_transit_path() (defined elsewhere) adds its own
      # IXP_LC_FILTERED_* community before returning true -- verify, otherwise such
      # a route is accepted here without any filtered tag.
      if filter_has_transit_path() then accept;

      # Belt and braces: no one needs an AS path with more than 64 hops.
      if bgp_path.len > 64 then {
          bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
          accept;
      }

      # The origin ASN (last non-aggregated ASN in the path) must be in allas.
      if bgp_path.last_nonaggregated !~ allas then {
          bgp_large_community.add( IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED );
          accept;
      }

      # RPKI is skipped ("not enabled / configured correctly"), so no ROA-based
      # origin validation happens in this filter. The only origin and prefix controls
      # are the static allas / allnet lists above, which are only as good as the data
      # they were built from. The info tag records that the check was not performed.
      bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );

      # The prefix must be in the peer's allow-list.
      if net !~ allnet then {
          bgp_large_community.add( IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED );
          bgp_large_community.add( IXP_LC_INFO_IRRDB_FILTERED_LOOSE );
          accept;
      }

      # Passed every check above.
      bgp_large_community.add( IXP_LC_INFO_IRRDB_VALID );
      accept;
  }
  # Export filter for the BGP session towards AS32590: the last gate before a route
  # is announced to the peer.
  #
  # Remember that standard IXP community filtering has already happened on the
  # master -> bgp protocol pipe; this filter makes no policy decision of its own.
  filter f_export_as32590
  {
      # Strip the route server's own communities (large and standard) that were
      # used for the looking glass, so the internal tags are not sent to the peer.
      bgp_large_community.delete( [( routeserverasn, *, * )] );
      bgp_community.delete( [( routeserverasn, * )] );

      # Default position is to accept. Every route that reaches this filter is
      # announced, so any dropping of routes has to have happened upstream.
      accept;
  }
  # Pipe between the shared master4 table and this peer's own table.
  #
  # In a BIRD pipe, "import" applies to routes moving from the peer table into the
  # primary table, and "export" to routes moving from the primary table into the
  # peer table.
  protocol pipe pp_0004_as32590 {
      description "Pipe for AS32590 - Valve Corporation - VLAN Interface 4";

      table master4;
      peer table t_0004_as32590;

      # master4 -> per-peer table: only routes for which ixp_community_filter(32590)
      # (defined elsewhere) returns true are offered to this peer.
      export where ixp_community_filter(32590);

      # per-peer table -> master4: f_import_as32590 accepts routes it has tagged as
      # filtered, so this is the point where they must be kept out of master4.
      # NOTE(review): f_export_to_master is defined elsewhere; confirm that it
      # rejects routes carrying IXP_LC_FILTERED_* communities.
      import filter f_export_to_master;
  }
  # BGP session to AS32590 at 103.149.217.11. All other session settings are
  # inherited from the tb_rsclient template (defined elsewhere).
  protocol bgp pb_0004_as32590 from tb_rsclient {
      description "AS32590 - Valve Corporation";
      neighbor 103.149.217.11 as 32590;

      # enable rfc1997 well-known community pass through
      # With this off, BIRD does not act on well-known communities such as NO_EXPORT
      # or NO_ADVERTISE itself; they are passed on as received.
      interpret communities off;

      ipv4 {
          table t_0004_as32590;

          import filter f_import_as32590;
          export filter f_export_as32590;

          # Cap on routes imported from this peer; going over it restarts the session.
          # NOTE(review): f_import_as32590 accepts routes it tags as filtered, so
          # those presumably count towards this limit too -- confirm.
          import limit 120 action restart;
      };
  }