{{ "policy-options"|progress }} { {# prefix-list V6 { 2001:db9::/32; } prefix-list V4 { 192.0.2.0/24; } #} policy-statement EXPORT-PROTECT-reject { term 10 { from as-path-group NEVER-TO-UPSTREAM-OR-PEERS; then reject; } } route-filter-list BOGONS-IPv4 { 0.0.0.0/8 orlonger; 10.0.0.0/8 orlonger; 100.64.0.0/10 orlonger; 127.0.0.0/8 orlonger; 169.254.0.0/16 orlonger; 172.16.0.0/12 orlonger; 192.0.0.0/24 orlonger; 192.0.2.0/24 orlonger; 192.168.0.0/16 orlonger; 198.18.0.0/15 orlonger; 198.51.100.0/24 orlonger; 203.0.113.0/24 orlonger; 224.0.0.0/4 orlonger; 240.0.0.0/4 orlonger; } route-filter-list BOGONS-IPv6 { ::/128 exact; ::1/128 exact; ::ffff:0:0/96 orlonger; ::/96 orlonger; 100::/64 orlonger; 2001:10::/28 orlonger; 2001:db8::/32 orlonger; fc00::/7 orlonger; fe80::/10 orlonger; fec0::/10 orlonger; ff00::/8 orlonger; } route-filter-list DFZ-IPv4 { 0.0.0.0/0 prefix-length-range /8-/24; } route-filter-list DFZ-IPv6 { ::/0 prefix-length-range /20-/48; } policy-statement BOGONS-reject { term 24 { from { family inet; route-filter-list BOGONS-IPv4; } then reject; } term 26 { from { family inet6; route-filter-list BOGONS-IPv6; } then reject; } } policy-statement DEFAULT-accept { term 14 { from { family inet; route-filter 0.0.0.0/0 exact; } then accept; } term 16 { from { family inet6; route-filter ::/0 exact; } then accept; } } policy-statement DFZ-accept { term 14 { from { family inet; route-filter 0.0.0.0/0 exact; } then accept; } term 16 { from { family inet6; route-filter ::/0 exact; } then accept; } } policy-statement IBGP-import-IPv4 { then accept; } policy-statement IBGP-import-IPv6 { then accept; } policy-statement IBGP-export-IPv4 { term 10 { from { protocol [ direct static ]; } then { local-preference add 900; next-hop self; accept; } } term 25 { from { protocol bgp; route-type external; } then { next-hop self; accept; } } term 29 { from { protocol bgp; community COMMUNITY-AS59811-BLACKHOLE; route-type external; } then { next-hop 193.162.44.0; accept; } } term 30 { from { protocol bgp; route-type external; } then { next-hop self; accept; } } term 40 { from protocol bgp; then accept; } then reject; } policy-statement IBGP-export-IPv6 { term 10 { from { protocol [ direct static ]; } then { local-preference add 900; next-hop self; accept; } } term 25 { from { protocol bgp; route-type external; } then { next-hop self; accept; } } term 29 { from { protocol bgp; community COMMUNITY-AS59811-BLACKHOLE; route-type external; } then { next-hop 2a10:f0c0::; accept; } } term 30 { from { protocol bgp; route-type external; } then { next-hop self; accept; } } term 40 { from protocol bgp; then accept; } then reject; } policy-statement LOAD-BALANCING { then { load-balance per-packet; } } policy-statement CONDITIONAL-DEFAULT-IPv4 { term 10 { from { protocol bgp; route-filter 198.41.0.0/24 exact; /* a.root-servers.net */ route-filter 192.228.79.0/24 exact; /* b.root-servers.net */ route-filter 192.33.4.0/24 exact; /* c.root-servers.net */ route-filter 128.8.0.0/16 exact; /* d.root-servers.net */ route-filter 192.203.230.0/24 exact; /* e.root-servers.net */ route-filter 192.5.5.0/24 exact; /* f.root-servers.net */ route-filter 192.112.36.0/24 exact; /* g.root-servers.net */ route-filter 128.63.0.0/16 exact; /* h.root-servers.net */ route-filter 192.36.148.0/24 exact; /* i.root-servers.net */ route-filter 192.58.128.0/24 exact; /* j.root-servers.net */ route-filter 193.0.14.0/24 exact; /* k.root-servers.net */ route-filter 198.32.64.0/24 exact; /* l.root-servers.net */ route-filter 202.12.27.0/24 exact; /* m.root-servers.net */ } then accept; } then reject; } policy-statement CONDITIONAL-DEFAULT-IPv6 { term 10 { from { protocol bgp; route-filter 2001:503:ba3e::/48 exact; /* a.root-servers.net */ route-filter 2001:500:2f::/48 exact; /* b.root-servers.net */ route-filter 2001:500:1::/48 exact; /* c.root-servers.net */ route-filter 2001:500:2d::/48 exact; /* d.root-servers.net */ route-filter 2001:500:a8::/48 exact; /* e.root-servers.net */ route-filter 2001:500:2f::/48 exact; /* f.root-servers.net */ route-filter 2001:500:12::/48 exact; /* g.root-servers.net */ route-filter 2001:500:1::/48 exact; /* h.root-servers.net */ route-filter 2001:7fe::/33 exact; /* i.root-servers.net */ route-filter 2001:503:c27::/48 exact; /* j.root-servers.net */ route-filter 2001:7fd::/48 exact; /* k.root-servers.net */ route-filter 2001:500:9f::/48 exact; /* l.root-servers.net */ route-filter 2001:dc3::/32 exact; /* m.root-servers.net */ } then accept; } then reject; } policy-statement LINX-LON1-IPv4-IN { term 4 { from { family inet; route-filter 0.0.0.0/0 prefix-length-range /0-/7; route-filter 0.0.0.0/0 prefix-length-range /25-/32; } then reject; } term 6 { from as-path-group LINX-LON1-ASPATH-DEPREFER; then { metric 10; local-preference 400; accept; } } term 10 { then { metric 10; local-preference 500; accept; } } then reject; } policy-statement LINX-LON1-IPv4-OUT { term 5 { from { family inet; route-filter 0.0.0.0/0 prefix-length-range /0-/7; route-filter 0.0.0.0/0 prefix-length-range /25-/32; } then reject; } then reject; } policy-statement LINX-LON1-IPv6-IN { term 4 { from { family inet6; route-filter ::/0 prefix-length-range /0-/16; route-filter ::/0 prefix-length-range /49-/128; } then reject; } term 6 { from as-path-group LINX-LON1-ASPATH-DEPREFER; then { metric 10; local-preference 400; accept; } } term 10 { then { metric 10; local-preference 500; accept; } } then reject; } policy-statement LINX-LON1-IPv6-OUT { term 5 { from { family inet6; route-filter ::/0 prefix-length-range /0-/16; route-filter ::/0 prefix-length-range /25-/32; } then reject; } then reject; } policy-statement UPSTREAM-export-IPv4 { term 1 { from { community COMMUNITY-ORIGIN-AS59811; } then accept; } then reject; } policy-statement UPSTREAM-import-IPv4 { term 1 { from { family inet; route-filter 0.0.0.0/0 prefix-length-range /8-/24; } then { accept; /* XXX this needs to go! */ } } then reject; } policy-statement UPSTREAM-export-IPv6 { term 1 { from { community COMMUNITY-ORIGIN-AS59811; } then accept; } then reject; } policy-statement UPSTREAM-import-IPv6 { term 1 { from { family inet6; route-filter ::/0 prefix-length-range /16-/48; } then { accept; /* XXX this needs to go! */ } } then reject; } policy-statement PEER-export-IPv4 { term 1 { from { community COMMUNITY-ORIGIN-AS59811; } then accept; } then reject; } policy-statement PEER-import-IPv4 { term 1 { from { family inet; route-filter 0.0.0.0/0 prefix-length-range /8-/24; } then { community delete COMMUNITY-AS59811-STAR; accept; /* XXX this needs to go! */ } } then reject; } policy-statement PEER-export-IPv6 { term 1 { from { community COMMUNITY-ORIGIN-AS59811; } then accept; } then reject; } policy-statement PEER-import-IPv6 { term 1 { from { family inet6; route-filter ::/0 prefix-length-range /16-/48; } then { community delete COMMUNITY-AS59811-STAR; accept; /* XXX this needs to go! */ } } then reject; } {% for community in ''|get_bgp_communities %} community {{ community.slug }} members {% if " " in community.value %}[ {{ community.value }} ]{% else %}{{ community.value }}{% endif %};{% endfor %} as-path-group NEVER-TO-UPSTREAM-OR-PEERS { as-path TIER1-IN-PATH ".* (7018|3320|3257|6830|3356|2914|5511|3491|1239|6453|6762|1299|12956|701|6461) .*"; as-path TIER2-IN-PATH ".* (4134|4809|7473|174|7922|6939|9002|1273|2828|4637) .*"; } as-path-group LINX-LON1-ASPATH-DEPREFER { as-path FAELIX-DEPREFER "41495 .*"; } {% for asn in asns_requiring_prefixes|unique %} {% set prefixes = asn|get_prefixes_for_asn %} policy-statement AS{{ asn }}-import-IPv4 { term 1 { from { family inet; {% for prefix in prefixes['ipv4'] %} route-filter {{ prefix['prefix'] }} {% if prefix['exact'] %}exact{% else %}upto /{{ prefix['less-equal'] }}{% endif %}; {% endfor %} } then accept; } then reject; } policy-statement AS{{ asn }}-import-IPv6 { term 1 { from { family inet6; {% for prefix in prefixes['ipv6'] %} route-filter {{ prefix['prefix'] }} {% if prefix['exact'] %}exact{% else %}upto /{{ prefix['less-equal'] }}{% endif %}; {% endfor %} } then accept; } then reject; } {% endfor %} }