bird: per-peer import filter rejects connected subnet

Without a filter, crt001's `network 2602:817:3000:A25::/64` gets
re-advertised to every peer on that subnet. bird installs the BGP /64
with metric 32, beating the kernel-connected route at 256, and all
inter-host VLAN-25 traffic hairpins through the gateway — losing PMTU
9000 and ~30x throughput. Broke Plex 2026-05-04: NFS to nas002 capped
at 7 MB/s, jumbo blackholed.

Add LocalSubnetV6/V4 (CIDR) to NodeBGP. Agent populates by masking the
peer's address to /64 (v6) or /24 (v4) — same fritzlab convention
already in localAddrSameSubnet. Render emits `import where net !=
<subnet>;` per BGP channel when set, falls back to `import all;`
otherwise so existing tests stay green.

Defence in depth: with the matching outbound route-map on crt001
(ROUTE_MAP_CLUSTER_OUT_V{4,6}) the agent now refuses the leak on its
own if the router filter ever drifts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

pkg/routing/bird/config_test.go

@@ -75,6 +75,89 @@ func TestRender_StableOutput(t *testing.T) {
 	}
 }
 
+func TestRender_LocalSubnetImportFilter(t *testing.T) {
+	out, err := Render(NodeBGP{
+		RouterID:      "172.25.25.104",
+		LocalASN:      65104,
+		Peers:         []Peer{{Family: "v6", Address: "2602:817:3000:a25::1", ASN: 65000}, {Family: "v4", Address: "172.25.25.1", ASN: 65000}},
+		CIDR6:         []string{"2602:817:3000:f004::/64"},
+		CIDR4:         []string{"172.25.214.0/24"},
+		LocalSubnetV6: "2602:817:3000:a25::/64",
+		LocalSubnetV4: "172.25.25.0/24",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, want := range []string{
+		"import where net != 2602:817:3000:a25::/64;",
+		"import where net != 172.25.25.0/24;",
+	} {
+		if !strings.Contains(out, want) {
+			t.Errorf("missing %q in output:\n%s", want, out)
+		}
+	}
+	// Each BGP peer block should use the import filter, not import all.
+	// Slice out just the `protocol bgp ...` stanzas to avoid catching the
+	// kernel proto's legitimate `import all;`.
+	for _, marker := range []string{"protocol bgp upstream6_", "protocol bgp upstream4_"} {
+		idx := strings.Index(out, marker)
+		if idx < 0 {
+			continue
+		}
+		end := strings.Index(out[idx:], "\n}")
+		if end < 0 {
+			continue
+		}
+		stanza := out[idx : idx+end]
+		if strings.Contains(stanza, "import all;") {
+			t.Errorf("BGP stanza still has `import all;`:\n%s", stanza)
+		}
+	}
+}
+
+func TestRender_LocalSubnetEmpty_FallsBackToImportAll(t *testing.T) {
+	out, err := Render(NodeBGP{
+		RouterID: "10.0.0.1",
+		LocalASN: 65101,
+		Peers:    []Peer{{Family: "v6", Address: "2001:db8::1", ASN: 65000}},
+		CIDR6:    []string{"2001:db8:f001::/64"},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !strings.Contains(out, "import all;") {
+		t.Errorf("expected `import all;` when LocalSubnetV6 unset:\n%s", out)
+	}
+}
+
+func TestRender_LocalSubnetValidation(t *testing.T) {
+	cases := []struct {
+		name    string
+		v6, v4  string
+		wantErr string
+	}{
+		{name: "non-canonical v6", v6: "2602:817:3000:a25::1/64", wantErr: "non-zero host bits"},
+		{name: "non-canonical v4", v4: "172.25.25.1/24", wantErr: "non-zero host bits"},
+		{name: "v6 family mismatch", v6: "172.25.25.0/24", wantErr: "is IPv4"},
+		{name: "v4 family mismatch", v4: "2602:817:3000:a25::/64", wantErr: "is IPv6"},
+		{name: "garbage", v6: "not-a-cidr", wantErr: "not a valid CIDR"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := Render(NodeBGP{
+				RouterID:      "10.0.0.1",
+				LocalASN:      65101,
+				Peers:         []Peer{{Family: "v6", Address: "2001:db8::1", ASN: 65000}},
+				LocalSubnetV6: tc.v6,
+				LocalSubnetV4: tc.v4,
+			})
+			if err == nil || !strings.Contains(err.Error(), tc.wantErr) {
+				t.Fatalf("want error containing %q, got %v", tc.wantErr, err)
+			}
+		})
+	}
+}
+
 func TestFamilyOf(t *testing.T) {
 	if FamilyOf("2001:db8::1") != "v6" {
 		t.Fatal("v6 detection broken")