# ---- Parameters ----

timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;

log syslog all;

define ASN = 60767;
router id 45.95.204.2;

include "variables.conf";
include "functions.conf";

# ---- Protocols ---- #
protocol device {};

protocol direct {
  ipv4 {
    import all;
  };
  ipv6 {
    import all;
  };
}

protocol kernel {
  scan time 10;
  ipv4 {
    export filter {
      if (proto = "explstatic4") then accept;
      if source = RTS_STATIC && proto != "static4" then {
        accept;
      } else if source = RTS_BGP then {
        krt_prefsrc = 45.95.204.2;
        accept;
      }
      reject;
    };
  };
}

protocol kernel {
  scan time 10;
  ipv6 {
    export filter {
      if (proto = "explstatic6") then accept;
      if source = RTS_STATIC && proto != "static6" then {
        accept;
      } else if source = RTS_BGP then {
        krt_prefsrc = 2a0e:3940:1000::2;
        accept;
      }
      reject;
    };
  };
}

protocol static static4 {
  ipv4;
  route 45.95.204.0/24 reject {
    preference = 10;
  };
}

protocol static static6 {
  ipv6;
  route 2a0e:3940:1000::/36 reject {
    preference = 10;
  };
  route 2a0e:3940:2000::/36 reject {
    preference = 10;
  };
}

protocol static localstatic4 {
  ipv4;
  route 45.95.204.0/24 via "ens19";
  route 10.10.20.0/24 via 10.10.10.254;
}

protocol static localstatic6 {
  ipv6;
  route 2a0e:3940:1000::/36 via "ens19";
  route 2a0e:3940:2000::/36 via "ens19";
}

# ---- RPKI ----
roa4 table rpki4;
roa6 table rpki6;

protocol rpki {
  roa4 { table rpki4; };
  roa6 { table rpki6; };

  transport tcp;
  remote "127.0.0.1" port 8282;
  #remote "rtr.rpki.cloudflare.com" port 8282;

  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}
function reject_rpki_invalid() {
  if (net.type = NET_IP4) then {
    if (roa_check(rpki4, net, bgp_path.last_nonaggregated) = ROA_INVALID) then _reject("RPKI invalid");
  }

  if (net.type = NET_IP6) then {
    if (roa_check(rpki6, net, bgp_path.last_nonaggregated) = ROA_INVALID) then _reject("RPKI invalid");
  }
}

function force_rpki_strict() {
  if (net.type = NET_IP4) then {
    if (roa_check(rpki4, net, bgp_path.last_nonaggregated) != ROA_VALID) then _reject("RPKI != ROA_VALID");
  }

  if (net.type = NET_IP6) then {
    if (roa_check(rpki6, net, bgp_path.last_nonaggregated) != ROA_VALID) then _reject("RPKI != ROA_VALID");
  }
}

# ---- Peers ---- #

protocol bgp ibgp_4 {
    local as ASN;
    neighbor 10.10.10.1 as 60767;
    description "internal v4";
    allow local as ASN;
    direct;

    ipv4 {
        next hop self;
        import table on;
        import all;
        export all;
    };
}

protocol bgp ibgp_6 {
    local as ASN;
    neighbor 2a0e:3940:dead::1 as 60767;
    description "internal v6";
    allow local as ASN;
    direct;

    ipv6 {
        next hop self;
        import table on;
        import all;
        export all;
    };
}