Differences

This shows you the differences between two versions of the page.

--- doc:filters [2012/04/26 08:36] – Benjamin Collet
+++ doc:filters [2016/04/17 07:50] – [BGP Filter] Benjamin Collet
@@ Line 5: / Line 5: @@
   * It is also recommended that you don't advertise IPv4 prefixes longer than 28 bits and IPv6 prefixes longer than 60 bits. Of course there are exceptions:
     * Non-RFC1918 addresses reachable via GLaNET.
-    * GLaNET services addresses (192.168.248.0/22 and ''fd00:6b64:f3b0::/48'').
+    * GLaNET services addresses (/32s from 192.168.248.0/22 and /128s from ''fd00:6b64:f3b0::/48'').
 ===== Example prefix lists =====
 ==== IPv4 ====
+=== Cisco/Quagga ===
 <code>
 ip prefix-list glanet-in description BGP IPv4 import filter
-! Deny default route
+! Deny default route and too large prefixes
-ip prefix-list glanet-in seq 10 deny 0.0.0.0/0
+ip prefix-list glanet-in seq 10 deny 0.0.0.0/0 le 7
 ! Deny prefixes with high risk of collision within GLaNET range
 ip prefix-list glanet-in seq 20 deny 192.168.0.0/22 le 32
@@ Line 25: / Line 26: @@
 ! Deny shared address space
 ip prefix-list glanet-in seq 40 deny 100.64.0.0/10 le 32
+! Deny link-local
+ip prefix-list glanet-in seq 50 deny 169.254.0.0/16 le 32
+! Deny multicast
+ip prefix-list glanet-in seq 60 deny 224.0.0.0/4 le 32
+! Deny former class E
+ip prefix-list glanet-in seq 70 deny 240.0.0.0/4 le 32
 ! Allow everything
 ip prefix-list glanet-in seq 1000 permit 0.0.0.0/0 le 32
+</code>
+=== BIRD ===
+<code>
+function net_martian()
+{
+  return net ~ [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/22+,
+.168.8.0/22+, 192.168.100.0/22+, 192.168.200.0/22+,
+.168.252.0/22+, 10.0.0.0/8+, 100.64.0.0/10+,
+.16.0.0/12+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-,
+.0.0.0/0{0,7} ];
+}
+filter martians {
+  if net_martian() then
+    reject;
+  else
+    accept;
+}
+</code>
+=== Juniper ===
+<code>
+policy-options {
+    prefix-list bogons {
+        /* Non-GLaNET RFC1918 prefix */
+.0.0.0/8;
+        /* Shared address space */
+.64.0.0/10;
+        /* Link local */
+.254.0.0/16;
+        /* Non-GLaNET RFC1918 prefix */
+.16.0.0/12;
+        /* High risk of collision within GLaNET */
+.168.0.0/22;
+        /* High risk of collision within GLaNET */
+.168.8.0/22;
+        /* High risk of collision within GLaNET */
+.168.100.0/22;
+        /* High risk of collision within GLaNET */
+.168.200.0/22;
+        /* High risk of collision within GLaNET */
+.168.252.0/22;
+        /* Multicast */
+.0.0.0/4;
+        /* Former class E */
+.0.0.0/4;
+    }
+    policy-statement bgp-import-generic {
+        term set-default {
+            then default-action accept;
+        }
+        term default-route {
+            from {
+                route-filter 0.0.0.0/0 upto /7 reject;
+            }
+        }
+        term bogons {
+            from {
+                prefix-list-filter bogons orlonger;
+            }
+            then reject;
+        }
+    }
+}
 </code>
 ==== IPv6 ====
+=== Cisco/Quagga ===
 <code>
-! Deny default route
+! Deny default route and too large prefixes
-ipv6 prefix-list glanet6-in deny 0::/0
+ipv6 prefix-list glanet6-in deny 0::/0 le 15
 ! Deny 6bone prefix (not used anymore)
 ipv6 prefix-list glanet6-in deny 3ffe::/16 le 128
@@ Line 46: / Line 120: @@
 ipv6 prefix-list glanet6-in deny 0000::/8 le 128
 ! Deny multicast prefixes
-ipv6 prefix-list glanet6-in deny fe00::/9 le 128
 ipv6 prefix-list glanet6-in deny ff00::/8 le 128
-! Permit everything else
+! Permit everything else but small prefixes
-ipv6 prefix-list glanet6-in permit 0::/0 le 128
+ipv6 prefix-list glanet6-in permit 0::/0 le 64
+</code>
+=== BIRD ===
+<code>
+function net_martian()
+{
+  return net ~ [ 3ffe::/16+, 2001:db8::/32+, 2001::/33+, 2002::/17+, 0000::/8+,
+                 fe00::/8+,  ::/128-, ::/0{0,15}, ::/0{65,128} ];
+}
+filter martians {
+  if net_martian() then
+    reject;
+  else
+    accept;
+}
 </code>