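--- a/howto/Bird.md
+++ b/howto/Bird.md
@@ -25,56 +25,7 @@ protocol static {
 # filter helpers
 #################
 
-function is_freifunk() {
- return net ~ [ 10.0.0.0/8+ ];
-}
-
-function is_dn42() {
- # based on data/filter.txt in the monoton repo:
- # - https://sour.is/git/dn42/registry.git/plain/data/filter.txt
- return net ~ [
- 37.1.89.128/27+, # siska
- 37.1.89.192/26+, # siska
- 46.4.248.192/27+, # welterde
- 46.19.90.48/28+, # planet cyborg
- 46.19.90.96/28+, # planet cyborg
- 80.244.241.224/27+, # jchome service network
- 85.25.246.16/28+, # Leon Weber
- 87.106.29.254/32, # wintix
- 91.204.4.0/22+, # free.de via ctdo
- 94.45.224.0/19+, # ccc event network
- 172.22.0.43/32, # Whois Anycast
- 172.22.0.53/32, # Dns Anycast
- 172.22.0.94/32, # TOR Anycast
- 172.22.0.0/15{15,30}, # official subnet for dn42
- 172.23.0.0/16{15,30}, # official subnet for dn42
- 178.63.170.40/32, # jomat
- 188.40.34.241/32, # jomat
- 192.175.48.0/24+, # AS112-prefix for reverse-dns
- 193.43.220.0/23+, # durchdieluft via ctdo
- 195.160.168.0/23+, # ctdo
- 195.191.196.0/23+ # ichdasich pi-space
- ];
-}
-
-function is_chaosvpn() {
- return net ~ [
- 10.4.0.0/16+, # Allocated for ChaosVPN. Ready for distribution, currently not used
- 10.32.0.0/16+, # Allocated for ChaosVPN. Ready for distribution, currently not used
- 10.42.16.0/20+, # legacy
- 10.100.0.0/14+, # us hackerspaces range
- 10.104.0.0/14+, # Warzone, currently not used
- 172.31.0.0/16+, # In use by European hackerspaces
- 83.133.178.0/23+, # kapsel - CCC Munich
- 172.26.0.0/15+, # KBU Freifunk
- 176.9.52.58/32+, # haegar_vlad
- 178.33.2.240/28+, # o_g
- 193.103.159.0/24+, # haegar_vlad
- 193.103.160.0/23+, # haegar_vlad
- 212.12.50.208/29+, # ccchh
- 213.238.61.128/26+ # mc.fly
- ];
-}
+include "/etc/bird/filter4.conf";
 
 # local configuration
 ######################
@@ -117,14 +68,14 @@ template bgp dnpeers {
 import filter {
 # accept every subnet, except our own advertised subnet
 # filtering is important, because some guys try to advertise routes like 0.0.0.0
- if (is_dn42() || is_freifunk() || is_chaosvpn()) && !is_self_net() then {
+ if is_valid_network() && !is_self_net() then {
 accept;
 }
 reject;
 };
 export filter {
 # here we export the whole net
- if is_dn42() || is_freifunk() || is_chaosvpn() then {
+ if is_valid_network() then {
 accept;
 }
 reject;
@@ -149,6 +100,45 @@ function is_self_net() {
 }
 ```
 
+Generate the filter list from the monotone repository
+
+```
+cd net.dn42.registry
+ruby utils/bgp-filter.rb < data/filter.txt > /etc/bird/filter4.conf
+```
+
+example filter list:
+
+```
+# /etc/bird/filter4.conf
+function is_valid_network() {
+ return net ~ [
+ 172.22.0.0/15{22,28}, # dn42 main net0
+ 172.22.0.43/32{32,32}, # Whois Anycast
+ 172.22.0.53/32{32,32}, # DNS Anycast
+ 172.22.0.94/32{32,32}, # TOR Anycast
+ 192.175.48.0/24{24,32}, # AS112-prefix for reverse-dns
+ 10.0.0.0/8{12,28}, # freifunk/chaosvpn
+ 172.31.0.0/16{22,28}, # chaosvpn
+ 100.64.0.0/10{12,28}, # iana private range
+ 195.160.168.0/23{23,28}, # ctdo
+ 91.204.4.0/22{22,28}, # free.de via ctdo
+ 193.43.220.0/23{23,28}, # durchdieluft via ctdo
+ 83.133.178.0/23{23,28}, # muccc kapsel
+ 87.106.29.254/32{32,32}, # wintix (please don' announce /32)
+ 85.25.246.16/28{28,32}, # leon
+ 46.4.248.192/27{27,32}, # welterde
+ 94.45.224.0/19{19,28}, # ccc event network
+ 151.217.0.0/16{16,28}, # ccc event network 2
+ 195.191.196.0/23{23,29}, # ichdasich pi space
+ 80.244.241.224/27{27,32}, # jchome service network
+ 188.40.34.241/32{32,32},
+ 37.1.89.192/26{26,28}, # siska
+ 87.98.246.19/32{32,32}
+ ];
+}
+```
+
 ```
 # /etc/bird/peers4/<PEER_NAME>
 protocol bgp <PEER_NAME> from dnpeers {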