ansible-ffibk/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2

#
# {{ ansible_managed }}
#

# Variables
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};

# ROA
roa table roa_icvpn {
    include "icvpn_ipv4_roa.con?";
}

# Routing Tables
table icvpn;

# Filters
filter icvpn_import_filter {
    if is_mwu_self_nets_loose() then reject;
    if is_chaosvpn() then accept;
    if roa_check(roa_icvpn) = ROA_VALID then {
        if is_freifunk() then accept;
        if is_dn42() then accept;
    } else {
        if roa_check(roa_icvpn) = ROA_UNKNOWN then {
            if is_dn42() then {
                print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
            if is_freifunk() then {
                print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        if roa_check(roa_icvpn) = ROA_INVALID then {
            if is_freifunk() then {
                print "ROA INVALID for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        reject;
    }
    reject;
}

# Protocols
protocol pipe {
    peer table icvpn;
    import none;
    export filter {
        if is_mwu_self_nets_loose() then reject;
        if is_freifunk() then accept;
        if is_chaosvpn() then accept;
        if is_dn42() then accept;
        reject;
    };
};

# Protocols
protocol kernel kernel_icvpn {
    table icvpn;
    scan time 30;
    import none;
    export filter {
        if is_mwu_self_nets_loose() then reject;
        krt_prefsrc = icvpn_address;
        accept;
    };
    kernel table ipt_icvpn;
};

# Templates
template bgp ebgp_icvpn {
    local icvpn_address as mwu_as;
    import keep filtered on;
    import filter icvpn_import_filter;
    export filter {
        if is_mwu_self_nets_strict() then accept;
        if source = RTS_BGP then {
            if is_freifunk() || is_dn42() then {
                accept;
            }
        }
        reject;
    };
    direct;
}

# Include ICVPN IPv4 peers
include "icvpn_ipv4_peers.con?";
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`#`
			`# {{ ansible_managed }}`
			`#`

			`# Variables`
			`define icvpn_address = {{ icvpn_ipv4_transfer_net \| ipaddr('net') \| ipsubnet(24, 37) \| ipaddr(magic) \| ipaddr('address') }};`

			`# ROA`
			`roa table roa_icvpn {`
			`include "icvpn_ipv4_roa.con?";`
			`}`

Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones. 2018-10-31 20:58:56 +01:00			`# Routing Tables`
			`table icvpn;`

Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`# Filters`
			`filter icvpn_import_filter {`
Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones. 2018-10-31 20:58:56 +01:00			`if is_mwu_self_nets_loose() then reject;`
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`if is_chaosvpn() then accept;`
			`if roa_check(roa_icvpn) = ROA_VALID then {`
			`if is_freifunk() then accept;`
			`if is_dn42() then accept;`
			`} else {`
			`if roa_check(roa_icvpn) = ROA_UNKNOWN then {`
			`if is_dn42() then {`
			`print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;`
			`accept;`
			`}`
			`if is_freifunk() then {`
			`print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;`
			`accept;`
			`}`
			`}`
			`if roa_check(roa_icvpn) = ROA_INVALID then {`
			`if is_freifunk() then {`
Role service-bird-icvpn: correct roa log messages 2018-01-02 10:45:09 +01:00			`print "ROA INVALID for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;`
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`accept;`
			`}`
			`}`
			`reject;`
			`}`
			`reject;`
			`}`

			`# Protocols`
Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones. 2018-10-31 20:58:56 +01:00			`protocol pipe {`
			`peer table icvpn;`
			`import none;`
			`export filter {`
			`if is_mwu_self_nets_loose() then reject;`
			`if is_freifunk() then accept;`
			`if is_chaosvpn() then accept;`
			`if is_dn42() then accept;`
			`reject;`
			`};`
			`};`

			`# Protocols`
			`protocol kernel kernel_icvpn {`
			`table icvpn;`
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`scan time 30;`
			`import none;`
			`export filter {`
Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones. 2018-10-31 20:58:56 +01:00			`if is_mwu_self_nets_loose() then reject;`
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`krt_prefsrc = icvpn_address;`
			`accept;`
			`};`
			`kernel table ipt_icvpn;`
			`};`

			`# Templates`
			`template bgp ebgp_icvpn {`
			`local icvpn_address as mwu_as;`
			`import keep filtered on;`
			`import filter icvpn_import_filter;`
			`export filter {`
Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones. 2018-10-31 20:58:56 +01:00			`if is_mwu_self_nets_strict() then accept;`
Add role service-bird-icvpn; add python3-yaml package to server-basic role 2017-09-11 13:10:39 +02:00			`if source = RTS_BGP then {`
			`if is_freifunk() \|\| is_dn42() then {`
			`accept;`
			`}`
			`}`
			`reject;`
			`};`
			`direct;`
			`}`

			`# Include ICVPN IPv4 peers`
			`include "icvpn_ipv4_peers.con?";`