From ab2efe5df36904d0a0be39df151a0c4d684d9ff6 Mon Sep 17 00:00:00 2001
From: kaba
Date: Tue, 20 Dec 2016 16:59:03 +0100
Subject: [PATCH] not runnable yet!

---
 roles/ffmwu-bird/read.me | 6 +
 roles/ffmwu-bird/tasks/main.yml | 48 +++++
 roles/ffmwu-bird/templates/bird.conf | 258 +++++++++++++++++++++++++++
 3 files changed, 312 insertions(+)
 create mode 100644 roles/ffmwu-bird/read.me
 create mode 100644 roles/ffmwu-bird/tasks/main.yml
 create mode 100644 roles/ffmwu-bird/templates/bird.conf

diff --git a/roles/ffmwu-bird/read.me b/roles/ffmwu-bird/read.me
new file mode 100644
index 0000000..5f42885
--- /dev/null
+++ b/roles/ffmwu-bird/read.me
@@ -0,0 +1,6 @@
+The ffmwu-bird role sets up the bird config for gates or other meshing
+servers (distinction made by group membership). It will ensure empty
+include files for ICVPN integration; integration itself to be configured
+by different role. bird package should be installed elsewhere.
+
+Relies on host_var "ffrl_exit_conf" and ... .
diff --git a/roles/ffmwu-bird/tasks/main.yml b/roles/ffmwu-bird/tasks/main.yml
new file mode 100644
index 0000000..be1ba94
--- /dev/null
+++ b/roles/ffmwu-bird/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+
+- name: standardise dir ownership
+ file:
+ path: /etc/bird
+ state: directory
+ owner: admin
+ group: bird
+ mode: 0750
+ become: yes
+
+- name: standardise file ownerships
+ file:
+ path: "{{b_item}}"
+ state: touch
+ owner: admin
+ group: bird
+ mode: 0750
+ become: yes
+ with_items:
+ - /etc/bird/bird.conf
+ - /etc/bird/mwu_peers_v4.inc
+ - /etc/bird/ffrl_peers_v4.inc
+ - /etc/bird/icvpn_peers_v4.inc
+ - /etc/bird/icvpn_roa_v4.inc
+ - /etc/bird/bird6.conf
+ - /etc/bird/icvpn_peers_v6.inc
+ - /etc/bird/icvpn_roa_v6.inc
+ - /etc/bird/mwu_peers_v6.inc
+ - /etc/bird/ffrl_peers_v6.inc
+ loop_control:
+ loop_var: b_item
+
+- name: template out bird.confs
+ template:
+ backup: yes
+ dest: /etc/bird/{{b_item}}
+ src: "{{b_item}}"
+ #validate !!!
+ with_items:
+ - bird.conf
+ - bird6.conf
+ loop_control:
+ loop_var: b_item
+
+# FIXME: construct mwu includes
+
+# FIXME: construct ffrl includes
diff --git a/roles/ffmwu-bird/templates/bird.conf b/roles/ffmwu-bird/templates/bird.conf
new file mode 100644
index 0000000..5c4b518
--- /dev/null
+++ b/roles/ffmwu-bird/templates/bird.conf
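Review bot: The "template out bird.confs" task leaves `#validate !!!` as a comment, so a rendering that bird cannot parse is written straight over `/etc/bird/bird.conf` (only `backup: yes` keeps the previous copy); bird can parse a config without applying it, so `validate: bird -p -c %s` rejects a broken render before the live file is replaced. The same task carries no `become`, while the two tasks above it set `/etc/bird` to owner `admin`, group `bird`, mode `0750`, so the write only succeeds when the connecting user is `admin`. `state: touch` with `mode: 0750` refreshes the mtime on every run (the task reports changed each time) and puts the execute bit on plain config files; `mode: 0640` keeps them group-readable without making them executable. `with_items` also lists `bird6.conf`, but the commit only adds `templates/bird.conf`, so the second iteration fails until that template exists, consistent with the subject "not runnable yet!".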
@@ -0,0 +1,258 @@
+timeformat protocol iso long;
+
+# local addresses
+{% if 'gates' in group_names %}
+define local_addr_ffrl = {{hostvar}}185.66.195.38;
+define local_addr_icvpn = {{hostvar}}10.207.37.161; # ingwer = mwu161
+define local_addr_mwu = 10.37.0.{{mwu server id}};
+{% else %}
+define local_addr_mwu = 10.37.1.{{mwu server id}};
+{% endif %}
+
+# AS
+define mwu_as = 65037; # private AS of mwu
+{% if 'gates' in group_names %}
+define ffrl_as = 201701; # public AS of rheinland
+{% endif %}
+
+{% if 'gates' in group_names %}
+router id local_addr_ffrl;
+
+table ffrl; # BGP Peerings FFRL
+
+# ROA
+roa table roa_icvpn {
+ include "ebgp_roa_v4.inc";
+}
+{% else %}
+router id local_addr_mwu;
+{% endif %}
+
+# functions
+function is_default() {
+ return net ~ [
+ 0.0.0.0/0
+ ];
+}
+
+function is_freifunk() {
+ return net ~ [
+ 10.0.0.0/8{16,24}
+ ];
+}
+
+function is_dn42() {
+ return net ~ [
+ 172.20.0.0/14{20,28}
+ ];
+}
+
+function is_chaosvpn() {
+ return net ~ [
+ 172.31.0.0/16+
+ ];
+}
+
+function is_mwu_self_nets() {
+ return net ~ [
+ 10.56.0.0/16+,
+ 10.37.0.0/16+
+ ];
+}
+
+function is_wi_self_net() {
+ return net ~ [
+ 10.56.0.0/16+
+ ];
+}
+
+function is_mz_self_net() {
+ return net ~ [
+ 10.37.0.0/16+
+ ];
+}
+
+{% if 'gates' in group_names %}
+function is_local_addr_ffrl() {
+ return net ~ [
+ {{hostvar}}185.66.195.38/32
+ ];
+}
+
+function is_ffrl_tunnel_nets() {
+ return net ~ [
+ {{hostvar}}100.64.2.234/31,
+ {{hostvar}}100.64.2.236/31,
+ {{hostvar}}100.64.2.238/31,
+ {{hostvar}}100.64.2.240/31,
+ {{hostvar}}100.64.1.112/31,
+ {{hostvar}}100.64.1.114/31
+ ];
+}
+{% endif %}
+
+# filters
+{% if 'gates' in group_names %}
+filter ebgp_icvpn_import_filter {
+ if is_mwu_self_nets() then reject;
+ if is_chaosvpn() then accept;
+ if roa_check(roa_icvpn) = ROA_VALID then {
+ if is_freifunk() then accept;
+ if is_dn42() then accept;
+ } else {
+ if roa_check(roa_icvpn) = ROA_UNKNOWN then {
+ if is_dn42() then {
+# print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ if is_freifunk() then {
+# print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ if roa_check(roa_icvpn) = ROA_INVALID then {
+ if is_freifunk() then {
+# print "ROA INVALID for freifunk net, accept: ", net, " ASN: ", bgp_path.last;
+ accept;
+ }
+ }
+ reject;
+ }
+ reject;
+}
+
+filter ebgp_ffrl_import_filter {
+ if is_default() then accept;
+ reject;
+}
+
+filter ebgp_ffrl_export_filter {
+ if is_local_addr_ffrl() then accept;
+ reject;
+}
+{% else %}
+# sanity check: don't allow critical overrides
+filter ebgp_icvpn_import_filter {
+ if is_mwu_self_nets() then reject;
+ if is_default() then reject;
+ if is_freifunk() then accept;
+ if is_dn42() then accept;
+ if is_chaosvpn() then accept;
+ reject;
+}
+{% endif %}
+
+# protocols
+# necessary to inform bird about devices
+protocol device {
+ scan time 30;
+};
+
+protocol kernel kernel_mwu {
+ scan time 30;
+ import none;
+ export filter {
+ if is_mwu_self_nets() then
+ reject;
+ krt_prefsrc = local_addr_icvpn;
+ accept;
+ };
+ kernel table ipt_icvpn;
+};
+
+{% if 'gates' in group_names %}
+# learn about directly connected community subnets
+protocol direct mwu_subnets {
+ interface "mzBR";
+ interface "wiBR";
+ import where is_mwu_self_nets();
+};
+
+protocol static ffrl_uplink_hostroute {
+ table ffrl;
+ route 185.66.195.38/32 reject;
+}
+
+protocol direct ffrl_tunnels {
+ table ffrl;
+ interface "ffrl-*";
+ import where is_ffrl_tunnel_nets();
+}
+
+protocol kernel kernel_ffrl {
+ scan time 30;
+ import none;
+ export filter {
+ krt_prefsrc = local_addr_ffrl;
+ accept;
+ };
+ table ffrl;
+ kernel table ipt_ffinetexit;
+};
+{% endif %}
+
+# Templates
+# templates for iBGP
+{% if 'gates' in group_names %}
+template bgp bgp_ibgp_mwu {
+ local local_addr_mwu as mwu_as;
+ import keep filtered on;
+ import all; # EXPERIMENT !!!!!
+ export where source = RTS_BGP;
+ direct;
+ gateway direct;
+};
+{% else %}
+template bgp bgp_ibgp_mwu {
+ local local_addr_mwu as mwu_as;
+ import filter ebgp_icvpn_import_filter;
+ export none;
+ direct;
+ gateway direct;
+};
+{% endif %}
+
+{% if 'gates' in group_names %}
+# templates for eBGP
+template bgp ebgp_ic {
+ local local_addr_icvpn as mwu_as;
+ import keep filtered on;
+ import filter ebgp_icvpn_import_filter;
+ export filter {
+ if is_mwu_self_nets() then { # own nets
+ accept;
+ }
+ if source = RTS_BGP then {
+ if is_freifunk() || is_dn42() then {
+ accept;
+ }
+ }
+ reject;
+ };
+ direct;
+};
+
+template bgp ffrl_uplink {
+ table ffrl;
+ local as mwu_as;
+ import keep filtered;
+ import filter ebgp_ffrl_import_filter;
+ export filter ebgp_ffrl_export_filter;
+ next hop self;
+ direct;
+};
+{% endif %}
+
+# P E E R I N G S
+# iBGP
+include "mwu_peers_v4.inc";
+
+{% if 'gates' in group_names %}
+# P E E R I N G S
+# eBGP FFRL exit
+include "ffrl_peers_v4.inc";
+
+# P E E R I N G S
+# eBGP ICVPN
+include "icvpn_peers_v4.inc";
+{% endif %}
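Review bot: `protocol kernel kernel_mwu` sets `krt_prefsrc = local_addr_icvpn;` outside any `gates` conditional, but `local_addr_icvpn` is only defined inside the `{% if 'gates' in group_names %}` block at the top, so the config rendered for non-gate hosts references an undefined symbol and bird will refuse it; the non-gate branch needs its own define or the assignment has to move into the gate branch. The ROA table includes `"ebgp_roa_v4.inc"` while tasks/main.yml creates `/etc/bird/icvpn_roa_v4.inc`, so one of the two names must change for the include to resolve to the file the role touches. The gate variant of `template bgp bgp_ibgp_mwu` uses `import all; # EXPERIMENT !!!!!` together with `export where source = RTS_BGP;`, so a default route or a more-specific of the own nets announced by any iBGP peer is accepted and re-exported unchecked; unless the experiment needs that, `import filter ebgp_icvpn_import_filter;` as in the non-gate branch keeps the own-net and default-route guard in place. `{{mwu server id}}` is not a valid Jinja2 expression and `{{hostvar}}` prefixed to literal IPs either fails on an undefined variable or renders text in front of the address, so both placeholders need real variable names before the template can render at all.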