Fix: error priority in bird.conf

util/constant.conf

@@ -0,0 +1,43 @@
+define BOGON_ASNS = [
+    0,                      # RFC 7607
+    23456,                  # RFC 4893 AS_TRANS
+    64496..64511,           # RFC 5398 and documentation/example ASNs
+    64512..65534,           # RFC 6996 Private ASNs
+    65535,                  # RFC 7300 Last 16 bit ASN
+    65536..65551,           # RFC 5398 and documentation/example ASNs
+    65552..131071,          # RFC IANA reserved ASNs
+    4200000000..4294967294, # RFC 6996 Private ASNs
+    4294967295              # RFC 7300 Last 32 bit ASN
+];
+define BOGON_PREFIXES_V4 = [
+    0.0.0.0/8+,             # RFC 1122 'this' network
+    10.0.0.0/8+,            # RFC 1918 private space
+    100.64.0.0/10+,         # RFC 6598 Carrier grade nat space
+    127.0.0.0/8+,           # RFC 1122 localhost
+    169.254.0.0/16+,        # RFC 3927 link local
+    172.16.0.0/12+,         # RFC 1918 private space
+    192.0.2.0/24+,          # RFC 5737 TEST-NET-1
+    192.88.99.0/24+,        # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `24+` to `24{25,32}`(no more specific)
+    192.168.0.0/16+,        # RFC 1918 private space
+    198.18.0.0/15+,         # RFC 2544 benchmarking
+    198.51.100.0/24+,       # RFC 5737 TEST-NET-2
+    203.0.113.0/24+,        # RFC 5737 TEST-NET-3
+    224.0.0.0/4+,           # multicast
+    240.0.0.0/4+            # reserved
+];
+define BOGON_PREFIXES_V6 = [
+    ::/8+,                  # RFC 4291 IPv4-compatible, loopback, et al
+    0064:ff9b::/96+,        # RFC 6052 IPv4/IPv6 Translation
+    0064:ff9b:1::/48+,      # RFC 8215 Local-Use IPv4/IPv6 Translation
+    0100::/64+,             # RFC 6666 Discard-Only
+    2001::/32{33,128},      # RFC 4380 Teredo, no more specific
+    2001:2::/48+,           # RFC 5180 BMWG
+    2001:10::/28+,          # RFC 4843 ORCHID
+    2001:db8::/32+,         # RFC 3849 documentation
+    2002::/16+,             # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `16+` to `16{17,128}`(no more specific)
+    3ffe::/16+, 5f00::/8+,  # RFC 3701 old 6bone
+    fc00::/7+,              # RFC 4193 unique local unicast
+    fe80::/10+,             # RFC 4291 link local unicast
+    fec0::/10+,             # RFC 3879 old site local unicast
+    ff00::/8+               # RFC 4291 multicast
+];

util/rpki.conf

@@ -0,0 +1,26 @@
+roa6 table pub_roa6;
+roa4 table pub_roa4;
+
+protocol rpki pub_rpki {
+    roa4 {
+        table pub_roa4;
+    };
+    roa6 {
+        table pub_roa6;
+    };
+    remote "172.65.0.2" port 8282;
+    retry keep 5;
+    refresh keep 30;
+    expire 600;
+    transport tcp;
+}
+
+function is_rpki_invalid() {
+    if (net.type = NET_IP4 && roa_check(pub_roa4, net, bgp_path.last) = ROA_INVALID ) then {
+        return true;
+    } else if (net.type = NET_IP6 && roa_check(pub_roa6, net, bgp_path.last) = ROA_INVALID) then {
+        return true;
+    } else {
+        return false;
+    }
+}

util/util.conf

@@ -0,0 +1,33 @@
+function pub_is_invalid_net_length(){
+    case net.type {
+        NET_IP4: return net.len > 24;
+        NET_IP6: return net.len > 48;
+        else: print "pub_is_valid_net_length: unexpected net.type ", net.type, " ", net; return false;
+    }
+}
+
+function is_bogon_prefix() {
+    case net.type {
+        NET_IP4: return net ~ BOGON_PREFIXES_V4;
+        NET_IP6: return net ~ BOGON_PREFIXES_V6;
+        else: print "is_bogon_prefix: unexpected net.type ", net.type, " ", net; return false;
+    }
+}
+
+function is_bogon_asn() {
+    if bgp_path ~ BOGON_ASNS then return true;
+    return false;
+}
+
+function is_downstream_asn() {
+    if bgp_path.last ~ DOWNSTREAM_ASN then return true;
+    return false;
+}
+
+function is_valid() {
+    if pub_is_invalid_net_length() then return false;
+    if is_bogon_prefix() then return false;
+    if is_bogon_asn() then return false;
+    if is_rpki_invalid() then return false;
+    return true;
+}