Notes:

Flow is: packet > ingress interface FW > SCU > ingress forwarding FW > DCU > egress forwarding FW > egress interface FW

This means:
- you cannot match on SCU/DCU at all in the ingress interface filter
- you can match on SCU in the ingress forwarding filter, but not on DCU
- you can match on both SCU and DCU in the egress forwarding filter and in the egress interface filter
- the egress interface filter requires that the egress is IP tagged (Trinity allows MPLS)
- if an egress forwarding filter is used, interface filter groups cannot be used

All config is standard, except:
- the ORIGIN-DOMESTIC and ORIGIN-REGION communities are variable per country (no manual work, as the templates are country-code aware)
- the BLACKHOLE-DESTINATION-LOCAL / BLACKHOLE-DESTINATION-NOT-LOCAL communities are per router (likely manual work)
- no changes in the FW filter or the policy-statements between routers

The filter is per router, not per interface (and certainly not per source interface). So if things like GGC/Akamai are to keep working towards a blackholed destination, we must explicitly exclude our own PA networks (as source) from the destination-based terms; that is what the 'source-prefix-list NETWORKS-AS3292_ORIGIN except' match below does.

'NOT-LOCAL' cannot override 'FULL': 'FULL' needs to also blackhole in-PE traffic, which means the next-hop has already been set to null/discard before any filter sees the packet.

There is one full source-based blackhole available and five destination-based ones:
1. full
2. external: AS3292 and customers still work (except transits on peer boxes)
3. like 2, but domestic peering/transit works
4. like 2, but local-region (i.e. Nordic) peering/transit works (asked by PM)
5. per router (positive or negative, as many as the customer wants to blackhole)

Config:

Core:
    accounting {
        source-class-usage {
            output;
        }
        destination-class-usage;
    }

Inet Border:
    accounting {
        source-class-usage {
            input;
        }
        destination-class-usage;
    }

RIB->FIB export (forwarding-table export):
    export BLACKHOLE-COMMUNITY_TO_CLASS;

Egress forwarding filter:
    forwarding-options {
        family inet {
            filter {
                output BLACKHOLE-DEFAULT;
            }
        }
    }

FW (filter BLACKHOLE-DEFAULT; terms are evaluated in order, first match wins):
    term SOURCE-FULL {
        from {
            source-class BLACKHOLE-SOURCE-FULL;
        }
        then {
            count SOURCE-FULL;
            discard;
        }
    }
    term DESTINATION-FULL {
        from {
            destination-class BLACKHOLE-DESTINATION-FULL;
        }
        then {
            count DESTINATION-FULL;
            discard;
        }
    }
    term DESTINATION-NOT-LOCAL {
        from {
            destination-class BLACKHOLE-DESTINATION-NOT-LOCAL;
        }
        then {
            count DESTINATION-NOT-LOCAL;
            accept;
        }
    }
    term DESTINATION-LOCAL {
        from {
            destination-class BLACKHOLE-DESTINATION-LOCAL;
            source-prefix-list {
                NETWORKS-AS3292_ORIGIN except;
            }
        }
        then {
            count DESTINATION-LOCAL;
            discard;
        }
    }
    term DESTINATION-OUTSIDE-REGION {
        from {
            destination-class BLACKHOLE-DESTINATION-OUTSIDE-REGION;
            source-prefix-list {
                NETWORKS-AS3292_ORIGIN except;
            }
        }
        then {
            count DESTINATION-OUTSIDE-REGION;
            discard;
        }
    }
    term DESTINATION-FOREIGN {
        from {
            destination-class BLACKHOLE-DESTINATION-FOREIGN;
            source-prefix-list {
                NETWORKS-AS3292_ORIGIN except;
            }
        }
        then {
            count DESTINATION-FOREIGN;
            discard;
        }
    }
    term DESTINATION-EXTERNAL {
        from {
            destination-class BLACKHOLE-DESTINATION-EXTERNAL;
            source-prefix-list {
                NETWORKS-AS3292_ORIGIN except;
            }
        }
        then {
            count DESTINATION-EXTERNAL;
            discard;
        }
    }
    term ACCEPT {
        then accept;
    }

Policies:

BLACKHOLE-COMMUNITY_TO_CLASS (the FOREIGN and OUTSIDE-REGION terms call the subroutine policies below, so that a prefix carrying the matching ORIGIN community never gets the class):
    term SOURCE-FULL {
        from community BLACKHOLE-SOURCE-FULL;
        then source-class BLACKHOLE-SOURCE-FULL;
    }
    term DESTINATION-FULL {
        from community BLACKHOLE-DESTINATION-FULL;
        then destination-class BLACKHOLE-DESTINATION-FULL;
    }
    term DESTINATION-EXTERNAL {
        from community BLACKHOLE-DESTINATION-EXTERNAL;
        then destination-class BLACKHOLE-DESTINATION-EXTERNAL;
    }
    term DESTINATION-FOREIGN {
        from policy BLACKHOLE-DESTINATION-FOREIGN;
        then destination-class BLACKHOLE-DESTINATION-FOREIGN;
    }
    term DESTINATION-OUTSIDE-REGION {
        from policy BLACKHOLE-DESTINATION-OUTSIDE-REGION;
        then destination-class BLACKHOLE-DESTINATION-OUTSIDE-REGION;
    }
    term DESTINATION-LOCAL {
        from community BLACKHOLE-DESTINATION-LOCAL;
        then destination-class BLACKHOLE-DESTINATION-LOCAL;
    }
    term DESTINATION-NOT-LOCAL {
        from community BLACKHOLE-DESTINATION-NOT-LOCAL;
        then destination-class BLACKHOLE-DESTINATION-NOT-LOCAL;
    }

BLACKHOLE-DESTINATION-FOREIGN:
    term DOMESTIC {
        from community ORIGIN-DOMESTIC;
        then reject;
    }
    term BLACKHOLE {
        from community BLACKHOLE-DESTINATION-FOREIGN;
        then accept;
    }
    term REJECT {
        then reject;
    }

BLACKHOLE-DESTINATION-OUTSIDE-REGION:
    term REGION {
        from community ORIGIN-REGION;
        then reject;
    }
    term BLACKHOLE {
        from community BLACKHOLE-DESTINATION-OUTSIDE-REGION;
        then accept;
    }
    term REJECT {
        then reject;
    }

- While we are adding another RIB->FIB policy and an egress forwarding filter anyway, we might as well also match on a community that sets an MPLS-TC1 DCU. Traffic matching this DCU then gets forwarding class BE_IN on the egress forwarding filter. This gives some traffic symmetric class-1 classification instead of always 1 out and 0 in, protecting interesting Internet traffic during congestion.
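The community-to-class mapping and the egress filter above, modelled end to end as an added Python example (this is not the router configuration and not part of the original notes). It shows the three behaviours the notes rely on: a prefix carrying ORIGIN-DOMESTIC never gets the FOREIGN class, sources in our own PA space fall through the destination-based terms to ACCEPT, and NOT-LOCAL cannot rescue a FULL blackhole. Assumptions made here: the NETWORKS-AS3292_ORIGIN prefixes are constructed sample values, a later matching term in BLACKHOLE-COMMUNITY_TO_CLASS overwrites an earlier one (which is what makes the NOT-LOCAL term last), and a route tagged BLACKHOLE-DESTINATION-FULL already has a discard next-hop set by policy not shown in the notes. The function names are the example's own.

```python
import ipaddress

# Constructed stand-in for the NETWORKS-AS3292_ORIGIN prefix-list (our own PA space).
NETWORKS_AS3292_ORIGIN = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def policy_destination_foreign(communities):
    """Subroutine BLACKHOLE-DESTINATION-FOREIGN: True means 'accept' (route gets the class)."""
    if "ORIGIN-DOMESTIC" in communities:                     # term DOMESTIC: reject
        return False
    return "BLACKHOLE-DESTINATION-FOREIGN" in communities    # term BLACKHOLE: accept, else REJECT


def policy_destination_outside_region(communities):
    """Subroutine BLACKHOLE-DESTINATION-OUTSIDE-REGION, same shape as above."""
    if "ORIGIN-REGION" in communities:                       # term REGION: reject
        return False
    return "BLACKHOLE-DESTINATION-OUTSIDE-REGION" in communities


# BLACKHOLE-COMMUNITY_TO_CLASS terms in the order of the notes: (match, class kind, class name).
COMMUNITY_TO_CLASS = [
    (lambda c: "BLACKHOLE-SOURCE-FULL" in c,           "source",      "BLACKHOLE-SOURCE-FULL"),
    (lambda c: "BLACKHOLE-DESTINATION-FULL" in c,      "destination", "BLACKHOLE-DESTINATION-FULL"),
    (lambda c: "BLACKHOLE-DESTINATION-EXTERNAL" in c,  "destination", "BLACKHOLE-DESTINATION-EXTERNAL"),
    (policy_destination_foreign,                       "destination", "BLACKHOLE-DESTINATION-FOREIGN"),
    (policy_destination_outside_region,                "destination", "BLACKHOLE-DESTINATION-OUTSIDE-REGION"),
    (lambda c: "BLACKHOLE-DESTINATION-LOCAL" in c,     "destination", "BLACKHOLE-DESTINATION-LOCAL"),
    (lambda c: "BLACKHOLE-DESTINATION-NOT-LOCAL" in c, "destination", "BLACKHOLE-DESTINATION-NOT-LOCAL"),
]


def classify_route(communities):
    """Map a route's communities to its SCU/DCU classes (RIB->FIB export policy).

    Assumption: every matching term is applied and a later term overwrites an
    earlier one, so a per-router NOT-LOCAL tag wins over e.g. EXTERNAL.
    """
    communities = set(communities)
    classes = {"source": None, "destination": None}
    for match, kind, name in COMMUNITY_TO_CLASS:
        if match(communities):
            classes[kind] = name
    return classes


def from_own_pa(src_ip):
    """Match for source-prefix-list NETWORKS-AS3292_ORIGIN (the filter uses it with 'except')."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in NETWORKS_AS3292_ORIGIN)


def filter_packet(src_ip, src_class, dst_class):
    """Egress forwarding filter BLACKHOLE-DEFAULT: first matching term wins."""
    if src_class == "BLACKHOLE-SOURCE-FULL":
        return ("SOURCE-FULL", "discard")
    if dst_class == "BLACKHOLE-DESTINATION-FULL":            # no PA exemption on FULL
        return ("DESTINATION-FULL", "discard")
    if dst_class == "BLACKHOLE-DESTINATION-NOT-LOCAL":
        return ("DESTINATION-NOT-LOCAL", "accept")
    # The remaining destination terms carry 'source-prefix-list NETWORKS-AS3292_ORIGIN except',
    # so packets sourced from our own PA space (GGC/Akamai style) fall through to ACCEPT.
    for suffix in ("LOCAL", "OUTSIDE-REGION", "FOREIGN", "EXTERNAL"):
        if dst_class == "BLACKHOLE-DESTINATION-" + suffix and not from_own_pa(src_ip):
            return ("DESTINATION-" + suffix, "discard")
    return ("ACCEPT", "accept")


def forward(src_ip, src_route_communities, dst_route_communities):
    """End to end: discard next-hop for FULL, otherwise class both routes and run the filter."""
    # Assumption: FULL is also installed with a null/discard next-hop (needed for in-PE traffic),
    # so the packet never reaches the filter and NOT-LOCAL cannot override it.
    if "BLACKHOLE-DESTINATION-FULL" in dst_route_communities:
        return ("NEXT-HOP-DISCARD", "discard")
    src_class = classify_route(src_route_communities)["source"]
    dst_class = classify_route(dst_route_communities)["destination"]
    return filter_packet(src_ip, src_class, dst_class)


if __name__ == "__main__":
    # Constructed sample: a customer prefix blackholed as EXTERNAL, hit from outside and from our PA.
    print(forward("198.18.0.1", [], ["BLACKHOLE-DESTINATION-EXTERNAL"]))
    print(forward("192.0.2.10", [], ["BLACKHOLE-DESTINATION-EXTERNAL"]))
```

Run it as-is to see the external source discarded by DESTINATION-EXTERNAL while the PA-sourced packet reaches the ACCEPT term; adding ORIGIN-DOMESTIC to a FOREIGN-tagged route in classify_route shows the subroutine policy leaving the route unclassed.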