xref: /openbsd/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf (revision aed89967)

# built by ARouteServer
AS 999
router-id 192.0.2.2

fib-update no
log updates

nexthop qualify via default

rde evaluate all

INTCOMM_PREF_OK_ROA="soo 65535:1"
INTCOMM_ROUTE_OK_WL="soo 65535:2"

INTCOMM_ORIGIN_OK="soo 65535:4"
INTCOMM_ORIGIN_KO="soo 65535:5"
INTCOMM_PREFIX_OK="soo 65535:6"
INTCOMM_PREFIX_KO="soo 65535:7"
INTCOMM_IRR_REJECT="soo 65535:8"

INTCOMM_RPKI_UNKNOWN="soo 65535:9"
INTCOMM_RPKI_INVALID="soo 65535:10"
INTCOMM_RPKI_VALID="soo 65535:11"

INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13"

INTCOMM_NO_EXPORT="soo 65535:65281"
INTCOMM_NO_ADVERTISE="soo 65535:65282"

# ---------------------------------------------------------
# IRRDB

# AS2, used by client AS2_1
# no origin ASNs found for AS2
# no prefixes found for AS2

# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1
as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" {
    1 101 103 104
}
prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" {
    1.0.0.0/8 prefixlen 8 - 32
    128.0.0.0/7 prefixlen 7 - 32
    101.0.0.0/16 prefixlen 16 - 32
    103.0.0.0/16 prefixlen 16 - 32
}

# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1
as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" {
    2 101 103
}
prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" {
    2.0.0.0/16 prefixlen 16 - 32
    101.0.0.0/16 prefixlen 16 - 32
    103.0.0.0/16 prefixlen 16 - 32
}

# AS1, used by client AS1_1
# no origin ASNs found for AS1
# no prefixes found for AS1

# WHITE_LIST_AS1_1, used by client AS1_1 white list
as-set "AS_SET_WHITE_LIST_AS1_1_asns" {
    1011
}
prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" {
    11.1.0.0/16 prefixlen 16 - 32
}

# ---------------------------------------------------------
# ROAs source


roa-set {
    2.0.3.0/24 source-as 2
    2.0.4.0/24 source-as 0
}

# ---------------------------------------------------------
# MEMBERS

group "clients" {
	transparent-as yes
	rde evaluate all

	neighbor 192.0.2.11 {
		remote-as 1
		descr "AS1_1 client"
	}

	neighbor 192.0.2.21 {
		remote-as 2
		descr "AS2_1 client"
	}

	neighbor 192.0.2.31 {
		remote-as 3
		descr "AS3_1 client"
	}

	neighbor 192.0.2.41 {
		remote-as 4
		descr "AS4_1 client"
	}
}

# ---------------------------------------------------------
# FILTERS

# NO_ADVERTISE usage notes.
# The NO_ADVERTISE well-know community is used here to handle
# filters that span over multiple steps. At first it is added
# to any route, then it is removed as filters conditions are
# satisfied. Finally, if it is still present, it means that
# the route should be discarded.




prefix-set "global_black_list_pref" {
    192.0.2.0/24 prefixlen 24 - 32
    2.0.7.0/24 prefixlen 24 - 32
}

prefix-set "bogons" {
    0.0.0.0/0
    0.0.0.0/8 prefixlen 8 - 32
    10.0.0.0/8 prefixlen 8 - 32
    127.0.0.0/8 prefixlen 8 - 32
    169.254.0.0/16 prefixlen 16 - 32
    172.16.0.0/12 prefixlen 12 - 32
    192.0.2.0/24 prefixlen 24 - 32
    192.88.99.0/24 prefixlen 24 - 32
    192.168.0.0/16 prefixlen 16 - 32
    198.18.0.0/15 prefixlen 15 - 32
    198.51.100.0/24 prefixlen 24 - 32
    203.0.113.0/24 prefixlen 24 - 32
    224.0.0.0/3 prefixlen 3 - 32
    100.64.0.0/10 prefixlen 10 - 32
    ::/0
    ::/8 prefixlen 8 - 128
    64:ff9b::/96 prefixlen 96 - 128
    100::/8 prefixlen 8 - 128
    200::/7 prefixlen 7 - 128
    400::/6 prefixlen 6 - 128
    800::/5 prefixlen 5 - 128
    1000::/4 prefixlen 4 - 128
    2001::/33 prefixlen 33 - 128
    2001:0:8000::/33 prefixlen 33 - 128
    2001:2::/48 prefixlen 48 - 128
    2001:3::/32 prefixlen 32 - 128
    2001:10::/28 prefixlen 28 - 128
    2001:20::/28 prefixlen 28 - 128
    2001:db8::/32 prefixlen 32 - 128
    2002::/16 prefixlen 16 - 128
    3ffe::/16 prefixlen 16 - 128
    4000::/3 prefixlen 3 - 128
    5f00::/8 prefixlen 8 - 128
    6000::/3 prefixlen 3 - 128
    8000::/3 prefixlen 3 - 128
    a000::/3 prefixlen 3 - 128
    c000::/3 prefixlen 3 - 128
    e000::/4 prefixlen 4 - 128
    f000::/5 prefixlen 5 - 128
    f800::/6 prefixlen 6 - 128
    fc00::/7 prefixlen 7 - 128
    fe80::/10 prefixlen 10 - 128
    fec0::/10 prefixlen 10 - 128
    ff00::/8 prefixlen 8 - 128

}

# never via route-servers ASNs
as-set "neverviarouteserver" {
	666, 777
}

# =====================================================================================
# Global rules.

# This part of configuration is processed at the beginning of the filters.
# The rules defined in this part are applied to all the clients, and not on a
# client-by-client basis (see the 'match from group clients'), so only global policies
# can be implemented here, that is no client-level configuration are allowed.



# Scrub communities from inbound routes
# origin_not_present_in_as_set
match from group clients set community delete 65530:0
match from group clients set large-community delete 999:65530:0

# origin_present_in_as_set
match from group clients set community delete 65530:1
match from group clients set large-community delete 999:65530:1

# prefix_validated_via_arin_whois_db_dump
match from group clients set community delete 65530:3
match from group clients set large-community delete 999:65530:3

# prefix_validated_via_rpki_roas
match from group clients set community delete 65530:2
match from group clients set large-community delete 999:65530:2

# reject_cause
match from group clients set community delete 65520:*

# rejected_route_announced_by
match from group clients set community delete 65524:*
match from group clients set ext-community delete rt 65524:*

# rpki_bgp_origin_validation_not_performed
match from group clients set community delete 65530:4
match from group clients set large-community delete 999:65530:4


# Scrub internal communities from inbound routes
match from group clients set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}



# The main goal of this block is to enrich routes received from clients by attaching to them
# internal informational communities which are used later by the rest of the filter rules.

# Internal communities used for RFC1997 well-known communities handling

# Transform NO_EXPORT into $INTCOMM_NO_EXPORT
match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT }

# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE
match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE }


# ---------------------------------------------------------
# RPKI-based Origin Validation

# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID
# ext community on the basis of ovs.
match from group clients ovs not-found set {
    ext-community $INTCOMM_RPKI_UNKNOWN
    ext-community ovs not-found

}
match from group clients ovs valid set {
    ext-community $INTCOMM_RPKI_VALID
    ext-community ovs valid

}
match from group clients ovs invalid set {
    ext-community $INTCOMM_RPKI_INVALID
    ext-community ovs invalid

}


# ---------------------------------------------------------
# RPKI ROAs used as route objects.

# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose
# origin ASN has a ROA for the announced prefix.
# It will be used later during IRRDB validation in
# case the origin ASN is authorized by a client's
# AS-SET but the prefix is not.

# Since RPKI-based Origin Validation is already performed above,
# use the origin validation state to identify valid routes.
match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA


# Set the 'rejected_route_announced_by' community for all the clients.
# It will be removed later if the route is not invalid
match from 192.0.2.11 set community 65524:1
match from 192.0.2.11 set ext-community rt 65524:1

match from 192.0.2.21 set community 65524:2
match from 192.0.2.21 set ext-community rt 65524:2

match from 192.0.2.31 set community 65524:3
match from 192.0.2.31 set ext-community rt 65524:3

match from 192.0.2.41 set community 65524:4
match from 192.0.2.41 set ext-community rt 65524:4


# AS_PATH: length
# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1
allow quick from group clients max-as-len 6 set {
	localpref 1
	community 65520:0
	community 65520:1
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: global blacklist
# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3
allow quick from group clients prefix-set global_black_list_pref set {
	localpref 1
	community 65520:0
	community 65520:3
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: bogon
# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2
allow quick from group clients prefix-set bogons set {
	localpref 1
	community 65520:0
	community 65520:2
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}




# =====================================================================================
# Per client rules.


# ---------------------------------------------
# client AS1_1, inbound



# NEXT_HOP
match from 192.0.2.11 set community NO_ADVERTISE
match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE
# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5
allow quick from 192.0.2.11 community NO_ADVERTISE set {
	localpref 1
	community 65520:0
	community 65520:5
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: invalid ASNs
# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7
allow quick from 192.0.2.11 AS 23456 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7
allow quick from 192.0.2.11 AS 64496 - 131071 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7
allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: transit-free ASNs
# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8
allow quick from 192.0.2.11 AS { 3, 174 } set {
	localpref 1
	community 65520:0
	community 65520:8
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: never via route-servers ASNs
# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15
allow quick from 192.0.2.11 AS as-set neverviarouteserver set {
	localpref 1
	community 65520:0
	community 65520:15
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# client's white list
# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which
# are validated by a client's white list entry.
# It will be used later during IRRDB validation in
# case the route is not authorized by a client's
# AS-SET.
match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL	# None
match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL	# None

match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT

# AS_PATH: check origin via AS-SET
# IRRDB filters for AS1_1, AS1: asns
# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object
match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO
# verifying if object is authorized by AS-SETs
match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set {
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community $INTCOMM_ORIGIN_OK
} # AS_AS1_AS_AS1_CUSTOMERS
# AS-SET AS1 referenced but empty.
match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set {
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community $INTCOMM_ORIGIN_OK
} # WHITE_LIST_AS1_1


# Prefix: check prefix via AS-SET
# IRRDB filters for AS1_1, AS1: prefixes
# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object
match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO
# verifying if object is authorized by AS-SETs
match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set {
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community $INTCOMM_PREFIX_OK
} # AS_AS1_AS_AS1_CUSTOMERS
# AS-SET AS1 referenced but empty.
match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set {
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community $INTCOMM_PREFIX_OK
} # WHITE_LIST_AS1_1


# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK)
match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT

# route authorized by a client's white list?
match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT

# enforcing: origin ASN
# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9
allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set {
	localpref 1
	community 65520:0
	community 65520:9
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# enforcing: prefix
# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12
allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set {
	localpref 1
	community 65520:0
	community 65520:12
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Blackhole request?
match from 192.0.2.11 set community delete 65524:1
match from 192.0.2.11 set ext-community delete rt 65524:1


# Remove internal communities before accepting the route
match from 192.0.2.11 community BLACKHOLE set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.11 community 65534:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.11 large-community 65534:0:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Add the rpki_bgp_origin_validation_not_performed community
match from 192.0.2.11 community BLACKHOLE set community 65530:4
match from 192.0.2.11 community BLACKHOLE set large-community 999:65530:4

match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4}
match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}


allow quick from 192.0.2.11 community BLACKHOLE
allow quick from 192.0.2.11 community 65534:0
allow quick from 192.0.2.11 large-community 65534:0:0


match from 192.0.2.11 set community 65524:1
match from 192.0.2.11 set ext-community rt 65524:1


# RPKI-based Origin Validation
# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set {
	localpref 1
	community 65520:0
	community 65520:14
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: length
# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
	localpref 1
	community 65520:0
	community 65520:13
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Graceful shutdown
match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5

# Remove internal communities before accepting the route
match from 192.0.2.11 set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

match from 192.0.2.11 set community delete 65524:1
match from 192.0.2.11 set ext-community delete rt 65524:1



allow quick from 192.0.2.11



# ---------------------------------------------
# client AS1_1, outbound

deny quick to 192.0.2.11 community 65520:0



# Blackhole request?
# Configured policy: rewrite-next-hop
match to 192.0.2.11 community 65534:0 set community BLACKHOLE
match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE

match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT
match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66


# RPKI-based Origin Validation
# Do not announce INVALID to clients
deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID

# NO_EXPORT and NO_ADVERTISE communities
# add_noexport_to_any
match to 192.0.2.11 community 65507:999 set community NO_EXPORT
match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT
match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT

# add_noadvertise_to_any
match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE
match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE
match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE

# add_noexport_to_peer
match to 192.0.2.11 community 65509:1 set community NO_EXPORT
match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT
match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT

# add_noadvertise_to_peer
match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE
match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE
match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE


# BGP control communities
allow to 192.0.2.11

# do_not_announce_to_any
deny to 192.0.2.11 community 0:999
deny to 192.0.2.11 ext-community rt 0:999
deny to 192.0.2.11 large-community 999:0:999

# do_not_announce_to_peer
deny quick to 192.0.2.11 community 0:1
deny quick to 192.0.2.11 ext-community rt 0:1
deny quick to 192.0.2.11 large-community 999:0:1

# announce_to_peer
allow to 192.0.2.11 community 65501:1
allow to 192.0.2.11 ext-community rt 65501:1
allow to 192.0.2.11 large-community 999:65501:1


# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
# for prepending can be processed. As soon as one prepending action is performed,
# this internal community is removed, so that further actions are not processed.
match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS

# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}


# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}



# ---------------------------------------------
# client AS2_1, inbound



# NEXT_HOP
match from 192.0.2.21 set community NO_ADVERTISE
match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE
match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE
# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5
allow quick from 192.0.2.21 community NO_ADVERTISE set {
	localpref 1
	community 65520:0
	community 65520:5
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: invalid ASNs
# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7
allow quick from 192.0.2.21 AS 23456 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7
allow quick from 192.0.2.21 AS 64496 - 131071 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7
allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: transit-free ASNs
# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8
allow quick from 192.0.2.21 AS { 3, 174 } set {
	localpref 1
	community 65520:0
	community 65520:8
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: never via route-servers ASNs
# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15
allow quick from 192.0.2.21 AS as-set neverviarouteserver set {
	localpref 1
	community 65520:0
	community 65520:15
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}



match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT

# AS_PATH: check origin via AS-SET
# IRRDB filters for AS2_1, AS2: asns
# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object
match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO
# verifying if object is authorized by AS-SETs
# AS-SET AS2 referenced but empty.
match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set {
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community $INTCOMM_ORIGIN_OK
} # AS_AS2_AS_AS2_CUSTOMERS


# Prefix: check prefix via AS-SET
# IRRDB filters for AS2_1, AS2: prefixes
# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object
match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO
# verifying if object is authorized by AS-SETs
# AS-SET AS2 referenced but empty.
match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set {
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community $INTCOMM_PREFIX_OK
} # AS_AS2_AS_AS2_CUSTOMERS


# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK)
match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT

# enforcing: origin ASN
# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9
allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set {
	localpref 1
	community 65520:0
	community 65520:9
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# enforcing: prefix
# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12
allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set {
	localpref 1
	community 65520:0
	community 65520:12
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Blackhole request?
match from 192.0.2.21 set community delete 65524:2
match from 192.0.2.21 set ext-community delete rt 65524:2


# Remove internal communities before accepting the route
match from 192.0.2.21 community BLACKHOLE set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.21 community 65534:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.21 large-community 65534:0:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Add the rpki_bgp_origin_validation_not_performed community
match from 192.0.2.21 community BLACKHOLE set community 65530:4
match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4

match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4}
match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}


allow quick from 192.0.2.21 community BLACKHOLE
allow quick from 192.0.2.21 community 65534:0
allow quick from 192.0.2.21 large-community 65534:0:0


match from 192.0.2.21 set community 65524:2
match from 192.0.2.21 set ext-community rt 65524:2


# RPKI-based Origin Validation
# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set {
	localpref 1
	community 65520:0
	community 65520:14
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: length
# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
	localpref 1
	community 65520:0
	community 65520:13
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Graceful shutdown
match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN

# Remove internal communities before accepting the route
match from 192.0.2.21 set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

match from 192.0.2.21 set community delete 65524:2
match from 192.0.2.21 set ext-community delete rt 65524:2



allow quick from 192.0.2.21



# ---------------------------------------------
# client AS2_1, outbound

deny quick to 192.0.2.21 community 65520:0



# Blackhole request?
# Configured policy: rewrite-next-hop
match to 192.0.2.21 community 65534:0 set community BLACKHOLE
match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE

match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT
match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66


# RPKI-based Origin Validation
# Do not announce INVALID to clients
deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID

# NO_EXPORT and NO_ADVERTISE communities
# add_noexport_to_any
match to 192.0.2.21 community 65507:999 set community NO_EXPORT
match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT
match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT

# add_noadvertise_to_any
match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE
match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE
match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE

# add_noexport_to_peer
match to 192.0.2.21 community 65509:2 set community NO_EXPORT
match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT
match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT

# add_noadvertise_to_peer
match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE
match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE
match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE


# BGP control communities
allow to 192.0.2.21

# do_not_announce_to_any
deny to 192.0.2.21 community 0:999
deny to 192.0.2.21 ext-community rt 0:999
deny to 192.0.2.21 large-community 999:0:999

# do_not_announce_to_peer
deny quick to 192.0.2.21 community 0:2
deny quick to 192.0.2.21 ext-community rt 0:2
deny quick to 192.0.2.21 large-community 999:0:2

# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
# for prepending can be processed. As soon as one prepending action is performed,
# this internal community is removed, so that further actions are not processed.
match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS

# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}


# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}



# ---------------------------------------------
# client AS3_1, inbound



# NEXT_HOP
match from 192.0.2.31 set community NO_ADVERTISE
match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE
# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5
allow quick from 192.0.2.31 community NO_ADVERTISE set {
	localpref 1
	community 65520:0
	community 65520:5
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: invalid ASNs
# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7
allow quick from 192.0.2.31 AS 23456 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7
allow quick from 192.0.2.31 AS 64496 - 131071 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7
allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: transit-free ASNs
# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8
allow quick from 192.0.2.31 AS { 174 } set {
	localpref 1
	community 65520:0
	community 65520:8
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: never via route-servers ASNs
# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15
allow quick from 192.0.2.31 AS as-set neverviarouteserver set {
	localpref 1
	community 65520:0
	community 65520:15
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}





# Prefix: client's blacklist
prefix-set "client_AS3_1_black_list_pref_ipv4" {
    3.0.1.0/24 prefixlen 24 - 32

}
# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11
allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set {
	localpref 1
	community 65520:0
	community 65520:11
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}




# Blackhole request?
match from 192.0.2.31 set community delete 65524:3
match from 192.0.2.31 set ext-community delete rt 65524:3


# Remove internal communities before accepting the route
match from 192.0.2.31 community BLACKHOLE set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.31 community 65534:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.31 large-community 65534:0:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Add the rpki_bgp_origin_validation_not_performed community
match from 192.0.2.31 community BLACKHOLE set community 65530:4
match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4

match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4}
match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}


allow quick from 192.0.2.31 community BLACKHOLE
allow quick from 192.0.2.31 community 65534:0
allow quick from 192.0.2.31 large-community 65534:0:0


match from 192.0.2.31 set community 65524:3
match from 192.0.2.31 set ext-community rt 65524:3


# RPKI-based Origin Validation
# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set {
	localpref 1
	community 65520:0
	community 65520:14
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: length
# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
	localpref 1
	community 65520:0
	community 65520:13
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Graceful shutdown
match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5

# Remove internal communities before accepting the route
match from 192.0.2.31 set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

match from 192.0.2.31 set community delete 65524:3
match from 192.0.2.31 set ext-community delete rt 65524:3



allow quick from 192.0.2.31



# ---------------------------------------------
# client AS3_1, outbound

deny quick to 192.0.2.31 community 65520:0



# Blackhole request?
# Configured policy: rewrite-next-hop
match to 192.0.2.31 community 65534:0 set community BLACKHOLE
match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE

match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT
match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66


# RPKI-based Origin Validation
# Do not announce INVALID to clients
deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID

# NO_EXPORT and NO_ADVERTISE communities
# add_noexport_to_any
match to 192.0.2.31 community 65507:999 set community NO_EXPORT
match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT
match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT

# add_noadvertise_to_any
match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE
match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE
match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE

# add_noexport_to_peer
match to 192.0.2.31 community 65509:3 set community NO_EXPORT
match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT
match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT

# add_noadvertise_to_peer
match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE
match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE
match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE


# BGP control communities
allow to 192.0.2.31

# do_not_announce_to_any
deny to 192.0.2.31 community 0:999
deny to 192.0.2.31 ext-community rt 0:999
deny to 192.0.2.31 large-community 999:0:999

# do_not_announce_to_peer
deny quick to 192.0.2.31 community 0:3
deny quick to 192.0.2.31 ext-community rt 0:3
deny quick to 192.0.2.31 large-community 999:0:3

# announce_to_peer
allow to 192.0.2.31 community 65501:3
allow to 192.0.2.31 ext-community rt 65501:3
allow to 192.0.2.31 large-community 999:65501:3


# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
# for prepending can be processed. As soon as one prepending action is performed,
# this internal community is removed, so that further actions are not processed.
match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS

# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}


# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}



# ---------------------------------------------
# client AS4_1, inbound



# NEXT_HOP
match from 192.0.2.41 set community NO_ADVERTISE
match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE
# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5
allow quick from 192.0.2.41 community NO_ADVERTISE set {
	localpref 1
	community 65520:0
	community 65520:5
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: invalid ASNs
# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7
allow quick from 192.0.2.41 AS 23456 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7
allow quick from 192.0.2.41 AS 64496 - 131071 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7
allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set {
	localpref 1
	community 65520:0
	community 65520:7
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: transit-free ASNs
# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8
allow quick from 192.0.2.41 AS { 3, 174 } set {
	localpref 1
	community 65520:0
	community 65520:8
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# AS_PATH: never via route-servers ASNs
# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15
allow quick from 192.0.2.41 AS as-set neverviarouteserver set {
	localpref 1
	community 65520:0
	community 65520:15
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}








# Blackhole request?
match from 192.0.2.41 set community delete 65524:4
match from 192.0.2.41 set ext-community delete rt 65524:4


# Remove internal communities before accepting the route
match from 192.0.2.41 community BLACKHOLE set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.41 community 65534:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}
allow from 192.0.2.41 large-community 65534:0:0 set {
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Add the rpki_bgp_origin_validation_not_performed community
match from 192.0.2.41 community BLACKHOLE set community 65530:4
match from 192.0.2.41 community BLACKHOLE set large-community 999:65530:4

match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4}
match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}


allow quick from 192.0.2.41 community BLACKHOLE
allow quick from 192.0.2.41 community 65534:0
allow quick from 192.0.2.41 large-community 65534:0:0


match from 192.0.2.41 set community 65524:4
match from 192.0.2.41 set ext-community rt 65524:4


# RPKI-based Origin Validation
# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set {
	localpref 1
	community 65520:0
	community 65520:14
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Prefix: length
# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
	localpref 1
	community 65520:0
	community 65520:13
	community delete NO_ADVERTISE
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}


# Graceful shutdown
match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5

# Remove internal communities before accepting the route
match from 192.0.2.41 set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}

match from 192.0.2.41 set community delete 65524:4
match from 192.0.2.41 set ext-community delete rt 65524:4



allow quick from 192.0.2.41



# ---------------------------------------------
# client AS4_1, outbound

deny quick to 192.0.2.41 community 65520:0



# Blackhole request?
# Configured policy: rewrite-next-hop
match to 192.0.2.41 community 65534:0 set community BLACKHOLE
match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE

match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT
match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66


# RPKI-based Origin Validation
# Do not announce INVALID to clients
deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID

# NO_EXPORT and NO_ADVERTISE communities
# add_noexport_to_any
match to 192.0.2.41 community 65507:999 set community NO_EXPORT
match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT
match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT

# add_noadvertise_to_any
match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE
match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE
match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE

# add_noexport_to_peer
match to 192.0.2.41 community 65509:4 set community NO_EXPORT
match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT
match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT

# add_noadvertise_to_peer
match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE
match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE
match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE


# BGP control communities
allow to 192.0.2.41

# do_not_announce_to_any
deny to 192.0.2.41 community 0:999
deny to 192.0.2.41 ext-community rt 0:999
deny to 192.0.2.41 large-community 999:0:999

# do_not_announce_to_peer
deny quick to 192.0.2.41 community 0:4
deny quick to 192.0.2.41 ext-community rt 0:4
deny quick to 192.0.2.41 large-community 999:0:4


# announce_to_peer
allow to 192.0.2.41 community 65501:4
allow to 192.0.2.41 ext-community rt 65501:4
allow to 192.0.2.41 large-community 999:65501:4


# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
# for prepending can be processed. As soon as one prepending action is performed,
# this internal community is removed, so that further actions are not processed.
match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS

# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}


# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
	prepend-neighbor 1
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
	prepend-neighbor 2
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}

# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}
match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
	prepend-neighbor 3
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
}



# Scrub communities from outbound routes
# add_noadvertise_to_any
match to group clients set community delete 65508:999
match to group clients set ext-community delete rt 65508:999
match to group clients set large-community delete 999:65508:999

# add_noadvertise_to_peer
match to group clients set community delete 65510:*
match to group clients set ext-community delete rt 65510:*
match to group clients set large-community delete 999:65510:*

# add_noexport_to_any
match to group clients set community delete 65507:999
match to group clients set ext-community delete rt 65507:999
match to group clients set large-community delete 999:65507:999

# add_noexport_to_peer
match to group clients set community delete 65509:*
match to group clients set ext-community delete rt 65509:*
match to group clients set large-community delete 999:65509:*

# announce_to_peer
match to group clients set community delete 65501:*
match to group clients set ext-community delete rt 65501:*
match to group clients set large-community delete 999:65501:*

# blackholing
match to group clients set community delete 65534:0
match to group clients set large-community delete 65534:0:0

# do_not_announce_to_any
match to group clients set community delete 0:999
match to group clients set ext-community delete rt 0:999
match to group clients set large-community delete 999:0:999

# do_not_announce_to_peer
match to group clients set community delete 0:*
match to group clients set ext-community delete rt 0:*
match to group clients set large-community delete 999:0:*

# prepend_once_to_any
match to group clients set community delete 65521:65521
match to group clients set ext-community delete rt 65521:65521
match to group clients set large-community delete 999:65521:65521

# prepend_once_to_peer
match to group clients set community delete 65521:*
match to group clients set ext-community delete rt 65521:*
match to group clients set large-community delete 999:65521:*

# prepend_thrice_to_any
match to group clients set community delete 65523:65523
match to group clients set ext-community delete rt 65523:65523
match to group clients set large-community delete 999:65523:65523

# prepend_thrice_to_peer
match to group clients set community delete 65523:*
match to group clients set ext-community delete rt 65523:*
match to group clients set large-community delete 999:65523:*

# prepend_twice_to_any
match to group clients set community delete 65522:65522
match to group clients set ext-community delete rt 65522:65522
match to group clients set large-community delete 999:65522:65522

# prepend_twice_to_peer
match to group clients set community delete 65522:*
match to group clients set ext-community delete rt 65522:*
match to group clients set large-community delete 999:65522:*

# reject_cause
match to group clients set community delete 65520:*

# rejected_route_announced_by
match to group clients set community delete 65524:*
match to group clients set ext-community delete rt 65524:*


# Scrub prepending communities
match to group clients set {
	community delete 65521:65521
	ext-community delete rt 65521:65521
	large-community delete 999:65521:65521

}
match to group clients set {
	community delete 65521:*
	ext-community delete rt 65521:*
	large-community delete 999:65521:*

}
match to group clients set {
	community delete 64537:*
	ext-community delete rt 64537:*
	large-community delete 999:64537:*

}
match to group clients set {
	community delete 64534:*
	ext-community delete rt 64534:*
	large-community delete 999:64534:*

}
match to group clients set {
	community delete 65523:65523
	ext-community delete rt 65523:65523
	large-community delete 999:65523:65523

}
match to group clients set {
	community delete 65523:*
	ext-community delete rt 65523:*
	large-community delete 999:65523:*

}
match to group clients set {
	community delete 64539:*
	ext-community delete rt 64539:*
	large-community delete 999:64539:*

}
match to group clients set {
	community delete 64536:*
	ext-community delete rt 64536:*
	large-community delete 999:64536:*

}
match to group clients set {
	community delete 65522:65522
	ext-community delete rt 65522:65522
	large-community delete 999:65522:65522

}
match to group clients set {
	community delete 65522:*
	ext-community delete rt 65522:*
	large-community delete 999:65522:*

}
match to group clients set {
	community delete 64538:*
	ext-community delete rt 64538:*
	large-community delete 999:64538:*

}
match to group clients set {
	community delete 64535:*
	ext-community delete rt 64535:*
	large-community delete 999:64535:*

}


# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy
match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT
match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE

# Remove internal communities before announcing the route
match to group clients set {
	ext-community delete $INTCOMM_PREF_OK_ROA
	ext-community delete $INTCOMM_ROUTE_OK_WL
	ext-community delete $INTCOMM_ORIGIN_OK
	ext-community delete $INTCOMM_ORIGIN_KO
	ext-community delete $INTCOMM_PREFIX_OK
	ext-community delete $INTCOMM_PREFIX_KO
	ext-community delete $INTCOMM_IRR_REJECT
	ext-community delete $INTCOMM_RPKI_UNKNOWN
	ext-community delete $INTCOMM_RPKI_INVALID
	ext-community delete $INTCOMM_RPKI_VALID
	ext-community delete $INTCOMM_NO_EXPORT
	ext-community delete $INTCOMM_NO_ADVERTISE
	ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS

}