#
# {{ ansible_managed }}
#

# Variables
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};

# ROA
roa table roa_icvpn {
    include "icvpn_ipv4_roa.con?";
}

# Routing Tables
table icvpn;

# Filters
filter icvpn_import_filter {
    if is_mwu_self_nets_loose() then reject;
    if is_chaosvpn() then accept;
    if roa_check(roa_icvpn) = ROA_VALID then {
        if is_freifunk() then accept;
        if is_dn42() then accept;
    } else {
        if roa_check(roa_icvpn) = ROA_UNKNOWN then {
            if is_dn42() then {
                print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
            if is_freifunk() then {
                print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        if roa_check(roa_icvpn) = ROA_INVALID then {
            if is_freifunk() then {
                print "ROA INVALID for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        reject;
    }
    reject;
}

# Protocols
protocol pipe {
    peer table icvpn;
    import none;
    export filter {
        if is_mwu_self_nets_loose() then reject;
        if is_freifunk() then accept;
        if is_chaosvpn() then accept;
        if is_dn42() then accept;
        reject;
    };
};

# Protocols
protocol kernel kernel_icvpn {
    table icvpn;
    scan time 30;
    import none;
    export filter {
        if is_mwu_self_nets_loose() then reject;
        krt_prefsrc = icvpn_address;
        accept;
    };
    kernel table ipt_icvpn;
};

# Templates
template bgp ebgp_icvpn {
    local icvpn_address as mwu_as;
    import keep filtered on;
    import filter icvpn_import_filter;
    export filter {
        if is_mwu_self_nets_strict() then accept;
        if source = RTS_BGP then {
            if is_freifunk() || is_dn42() then {
                accept;
            }
        }
        reject;
    };
    direct;
}

# Include ICVPN IPv4 peers
include "icvpn_ipv4_peers.con?";