add enforce-first-as option

natesales · Jan 27, 2021 · 5647c14 · 5647c14
1 parent 71793b4
commit 5647c14
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -144,6 +144,7 @@ Peers with type `peer` or `downstream` reject any route with a Tier 1 ASN in pat
 | rr-client      | Enable route reflector client                                                                             |
 | bfd            | Enable BFD                                                                                                |
 | session-global | String to add to session global config                                                                    |
+| enforce-first-as | Reject routes that don't have the peer ASN as the first ASN in path                                     |
 <details>
 <summary>Remarks</summary>
 import-limit4 will default to 1M for upstreams & import-valid if not set and use peeringDB max-prefix limit for peer & downstream

diff --git a/parser.go b/parser.go
@@ -27,25 +27,26 @@ var release = "devel" // This is set by go build
 
 // Peer contains all information specific to a single peer network
 type Peer struct {
-	Asn           uint     `yaml:"asn" toml:"ASN" json:"asn"`
-	Type          string   `yaml:"type" toml:"Type" json:"type"`
-	Prepends      uint     `yaml:"prepends" toml:"Prepends" json:"prepends"`
-	LocalPref     uint     `yaml:"local-pref" toml:"LocalPref" json:"local-pref"`
-	Multihop      bool     `yaml:"multihop" toml:"Multihop" json:"multihop"`
-	Passive       bool     `yaml:"passive" toml:"Passive" json:"passive"`
-	Disabled      bool     `yaml:"disabled" toml:"Disabled" json:"disabled"`
-	Password      string   `yaml:"password" toml:"Password" json:"password"`
-	Port          uint16   `yaml:"port" toml:"Port" json:"port"`
-	PreImport     string   `yaml:"pre-import" toml:"PreImport" json:"pre-import"`
-	PreExport     string   `yaml:"pre-export" toml:"PreExport" json:"pre-export"`
-	NeighborIps   []string `yaml:"neighbors" toml:"Neighbors" json:"neighbors"`
-	ImportLimit4  uint     `yaml:"import-limit4" toml:"ImportLimit4" json:"import-limit4"`
-	ImportLimit6  uint     `yaml:"import-limit6" toml:"ImportLimit6" json:"import-limit6"`
-	SkipFilter    bool     `yaml:"skip-filter" toml:"SkipFilter" json:"skip-filter"`
-	RsClient      bool     `yaml:"rs-client" toml:"RSClient" json:"rs-client"`
-	RrClient      bool     `yaml:"rr-client" toml:"RRClient" json:"rr-client"`
-	Bfd           bool     `yaml:"bfd" toml:"BFD" json:"bfd"`
-	SessionGlobal string   `yaml:"session-global" toml:"SessionGlobal" json:"SessionGlobal"`
+	Asn            uint     `yaml:"asn" toml:"ASN" json:"asn"`
+	Type           string   `yaml:"type" toml:"Type" json:"type"`
+	Prepends       uint     `yaml:"prepends" toml:"Prepends" json:"prepends"`
+	LocalPref      uint     `yaml:"local-pref" toml:"LocalPref" json:"local-pref"`
+	Multihop       bool     `yaml:"multihop" toml:"Multihop" json:"multihop"`
+	Passive        bool     `yaml:"passive" toml:"Passive" json:"passive"`
+	Disabled       bool     `yaml:"disabled" toml:"Disabled" json:"disabled"`
+	Password       string   `yaml:"password" toml:"Password" json:"password"`
+	Port           uint16   `yaml:"port" toml:"Port" json:"port"`
+	PreImport      string   `yaml:"pre-import" toml:"PreImport" json:"pre-import"`
+	PreExport      string   `yaml:"pre-export" toml:"PreExport" json:"pre-export"`
+	NeighborIps    []string `yaml:"neighbors" toml:"Neighbors" json:"neighbors"`
+	ImportLimit4   uint     `yaml:"import-limit4" toml:"ImportLimit4" json:"import-limit4"`
+	ImportLimit6   uint     `yaml:"import-limit6" toml:"ImportLimit6" json:"import-limit6"`
+	SkipFilter     bool     `yaml:"skip-filter" toml:"SkipFilter" json:"skip-filter"`
+	RsClient       bool     `yaml:"rs-client" toml:"RSClient" json:"rs-client"`
+	RrClient       bool     `yaml:"rr-client" toml:"RRClient" json:"rr-client"`
+	Bfd            bool     `yaml:"bfd" toml:"BFD" json:"bfd"`
+	EnforceFirstAs bool     `yaml:"enforce-first-as" toml:"EnforceFirstAS" json:"enforce-first-as"`
+	SessionGlobal  string   `yaml:"session-global" toml:"SessionGlobal" json:"SessionGlobal"`
 
 	AsSet      string   `yaml:"-" toml:"-" json:"-"`
 	QueryTime  string   `yaml:"-" toml:"-" json:"-"`

diff --git a/templates/global.tmpl b/templates/global.tmpl
@@ -291,6 +291,10 @@ function reject_bogons() {
   }
 }
 
+function enforce_first_as(int peer_asn) {
+  if (bgp_path.first != peer_asn) then _reject("invalid first AS");
+}
+
 # ---- Peers ----
 
 include "manual*.conf";

diff --git a/templates/peer.tmpl b/templates/peer.tmpl
@@ -47,6 +47,7 @@ protocol bgp {{ $peer.Name }}v{{ $af }}_{{ $i }} {
         {{ if eq $peer.Asn $global.Asn }}next hop self;{{ end }}
         import filter {
             {{ if not $peer.SkipFilter }}reject_bogons();{{ end }}
+            {{ if $peer.EnforceFirstAs }}enforce_first_as({{ $peer.Asn }});{{ end }}
             strip_info_communities();
             bgp_local_pref = {{ $peer.LocalPref }};
             honor_graceful_shutdown();