From dbc7895854e6d6fc87ff08f805dad4b46a688636 Mon Sep 17 00:00:00 2001
From: Julian Labus
Date: Mon, 5 Nov 2018 15:43:10 +0100
Subject: [PATCH] Revert "Roles service-bird + service-bird-icvpn:"

This reverts commit a8693377a4cb28dfef418355240b8fb2fab21c27.

---
 inventory/group_vars/all | 12 ---
 .../templates/icvpn_ipv4.conf.j2 | 28 ++-----
 .../templates/icvpn_ipv6.conf.j2 | 29 +++-----
 roles/service-bird/README.md | 5 --
 roles/service-bird/templates/bird.conf.j2 | 73 ++-----------------
 roles/service-bird/templates/bird6.conf.j2 | 72 ++----------------
 6 files changed, 30 insertions(+), 189 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 3ec1c6d..34b112b 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -7,18 +7,6 @@ internet_exit_tcp_mss_ipv6: 1220
 icvpn_ipv4_transfer_net: 10.207.0.0/16
 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
-
-ffmwu_loopback_net_ipv4: 10.37.255.0/24
-ffmwu_loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
-ffmwu_anycast_ipv4: 10.37.255.255/32
-ffmwu_anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
-
-ffmwu_internal_prefixes:
- - ipv4: 10.37.0.0/16
- ipv6: fd37:b4dc:4b1e::/48
- - ipv4: 10.56.0.0/16
- ipv6: fd56:b4dc:4b1e::/48
-
 bgp_loopback_net: 10.37.0.0/18
 bgp_ipv4_transfer_net: 10.37.0.0/18
 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
index 85a587d..90b2a2b 100644
--- a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
@@ -10,12 +10,9 @@ roa table roa_icvpn {
 include "icvpn_ipv4_roa.con?";
 }
 
-# Routing Tables
-table icvpn;
-
 # Filters
 filter icvpn_import_filter {
- if is_mwu_self_nets_loose() then reject;
+ if is_mwu_self_nets() then reject;
 if is_chaosvpn() then accept;
 if roa_check(roa_icvpn) = ROA_VALID then {
 if is_freifunk() then accept;
@@ -43,25 +40,12 @@ filter icvpn_import_filter {
 }
 
 # Protocols
-protocol pipe {
- peer table icvpn;
- import none;
- export filter {
- if is_mwu_self_nets_loose() then reject;
- if is_freifunk() then accept;
- if is_chaosvpn() then accept;
- if is_dn42() then accept;
- reject;
- };
-};
-
-# Protocols
-protocol kernel kernel_icvpn {
- table icvpn;
+protocol kernel kernel_mwu {
 scan time 30;
 import none;
 export filter {
- if is_mwu_self_nets_loose() then reject;
+ if is_mwu_self_nets() then
+ reject;
 krt_prefsrc = icvpn_address;
 accept;
 };
@@ -74,7 +58,9 @@ template bgp ebgp_icvpn {
 import keep filtered on;
 import filter icvpn_import_filter;
 export filter {
- if is_mwu_self_nets_strict() then accept;
+ if is_mwu_self_nets() then {
+ accept;
+ }
 if source = RTS_BGP then {
 if is_freifunk() || is_dn42() then {
 accept;
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
index 6717d41..5bf2c49 100644
--- a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
@@ -10,12 +10,9 @@ roa table roa_icvpn {
 include "icvpn_ipv6_roa.con?";
 }
 
-# Routing Tables
-table icvpn;
-
 # Filters
 filter icvpn_import_filter {
- if is_mwu_self_nets_loose() then reject;
+ if is_mwu_self_nets() then reject;
 if roa_check(roa_icvpn) = ROA_VALID then {
 if is_ula() then accept;
 } else {
@@ -37,22 +34,12 @@ filter icvpn_import_filter {
 }
 
 # Protocols
-protocol pipe {
- peer table icvpn;
- export filter {
- if is_mwu_self_nets_loose() then reject;
- if is_ula() then accept;
- reject;
- };
- import none;
-};
-
-protocol kernel kernel_icvpn {
- table icvpn;
+protocol kernel kernel_mwu {
 scan time 30;
 import none;
 export filter {
- if is_mwu_self_nets_loose() then reject;
+ if is_mwu_self_nets() then
+ reject;
 krt_prefsrc = icvpn_address;
 accept;
 };
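Review bot: The ebgp_icvpn export filter in hunk `@@ -74,7 +58,9 @@` accepts everything matched by `is_mwu_self_nets()`, and the `is_mwu_self_nets()` restored in this patch's bird.conf.j2 hunk is built from `ipaddr('net') }}+`, where the trailing `+` in a BIRD prefix set matches the mesh network and every more-specific of it, so any more-specific inside the mesh ranges that reaches the routing table (e.g. one learned over iBGP, which this patch sets to `import all`) is advertised to ICVPN peers. If only the mesh aggregates should leave via ICVPN, the accept needs a set without the trailing `+`, e.g. a helper `is_mwu_self_nets_exact()` defined like `is_mwu_self_nets()` but with `ipaddr('net') }}{{ ","` in place of `ipaddr('net') }}+{{ ","`, used here as `if is_mwu_self_nets_exact() then accept;`; the patch also removes the `protocol static` reject routes that supplied those aggregates, so where an aggregate route comes from on the new side I cannot tell from the hunk. The same applies to the ebgp_icvpn export filter in the icvpn_ipv6.conf.j2 hunk `@@ -65,8 +52,12 @@`. The ebgp_icvpn template continues outside the hunk.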
@@ -65,8 +52,12 @@ template bgp ebgp_icvpn {
 import keep filtered on;
 import filter icvpn_import_filter;
 export filter {
- if is_mwu_self_nets_strict() then accept;
- if source = RTS_BGP then accept;
+ if is_mwu_self_nets() then {
+ accept;
+ }
+ if source = RTS_BGP then {
+ accept;
+ }
 reject;
 };
 direct;
diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md
index 6f78f03..6d45a03 100644
--- a/roles/service-bird/README.md
+++ b/roles/service-bird/README.md
@@ -12,15 +12,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
 ## Benötigte Variablen
 - Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt.
-- Variable `ffmwu_loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
-- Variable `ffmwu_loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
-- Variable `ffmwu_anycast_ipv4` # Anycast IPv4-Adresse
-- Variable `ffmwu_anycast_ipv6` # Anycast IPv6-Adresse
 - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
 - Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
-- Liste `ffmwu_internal_prefixes`
 - Dictionary `bgp_mwu_servers`
 ```
diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2
index 6494123..3991bcb 100644
--- a/roles/service-bird/templates/bird.conf.j2
+++ b/roles/service-bird/templates/bird.conf.j2
@@ -36,34 +36,14 @@ function is_chaosvpn() {
 ];
 }
 
-function is_mwu_self_nets_loose() {
+function is_mwu_self_nets() {
 return net ~ [
-{% for prefix in ffmwu_internal_prefixes %}
- {{ prefix.ipv4 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
+{% for mesh in meshes %}
+ {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
 {% endfor %}
 ];
 }
 
-function is_mwu_self_nets_strict() {
- return net ~ [
-{% for prefix in ffmwu_internal_prefixes %}
- {{ prefix.ipv4 | ipaddr('net') }}{{ "," if not loop.last else "" }}
-{% endfor %}
- ];
-}
-
-function is_mwu_loopback() {
- return net ~ [
- {{ ffmwu_loopback_net_ipv4 }}+
- ];
-}
-
-function is_mwu_anycast() {
- return net ~ [
- {{ ffmwu_anycast_ipv4 }}
- ];
-}
-
 # Protocols
 protocol device {
 scan time 30;
@@ -73,56 +53,15 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
 interface "{{ mesh.id }}br";
 {% endfor %}
- import where is_mwu_self_nets_loose();
-};
-
-protocol direct mwu_loopback {
- interface "loopback";
- import where is_mwu_loopback();
-};
-
-{% if ffmwu_server_type == "gateway" %}
-protocol direct mwu_anycast {
- interface "anycast";
- import where is_mwu_anycast();
-};
-{% endif %}
-
-protocol static {
-{% for prefix in ffmwu_internal_prefixes %}
- route {{ prefix.ipv4 }} reject;
-{% endfor %}
-};
-
-protocol kernel kernel_mwu {
- scan time 30;
- import none;
- export filter {
- if is_mwu_anycast() then reject;
- if is_mwu_loopback() then accept;
- reject;
- };
- kernel table ipt_mwu;
+ import where is_mwu_self_nets();
 };
 
 # Templates
 template bgp ibgp_mwu {
 local mwu_address as mwu_as;
 import keep filtered on;
- import filter {
- if is_mwu_anycast() then reject;
- if is_mwu_self_nets_loose() then accept;
- if is_freifunk() then accept;
- if is_chaosvpn() then accept;
- if is_dn42() then accept;
- reject;
- };
- export filter {
- if is_mwu_anycast() then reject;
- if is_mwu_self_nets_loose() then accept;
- if source = RTS_BGP then accept;
- reject;
- };
+ import all;
+ export where source = RTS_BGP;
 direct;
 gateway direct;
 };
diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2
index 61f7692..19d7aba 100644
--- a/roles/service-bird/templates/bird6.conf.j2
+++ b/roles/service-bird/templates/bird6.conf.j2
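Review bot: `import all;` on the ibgp_mwu template accepts any prefix an iBGP peer announces, and `export where source = RTS_BGP;` then re-advertises it to every other iBGP peer, so a single misconfigured or compromised peer can inject routes for destinations outside the mesh; the `import keep filtered on;` kept just above it is a no-op when nothing is filtered. A minimal bound is `import where is_mwu_self_nets() || is_freifunk() || is_chaosvpn() || is_dn42();` — `is_chaosvpn()` is defined in this file (hunk `@@ -36,34 +36,14 @@`), and the other two are the helpers the icvpn_ipv4 filters in this patch call, so I assume they are in scope here; verify. The same applies to the ibgp_mwu hunk in bird6.conf.j2 (`@@ -61,54 +42,15 @@`), where `import where is_mwu_self_nets() || is_ula();` is the equivalent. The mwu_subnets protocol that opens this hunk starts outside it.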
@@ -24,34 +24,15 @@ function is_ula() {
 ];
 }
 
-function is_mwu_self_nets_loose() {
+function is_mwu_self_nets() {
 return net ~ [
-{% for prefix in ffmwu_internal_prefixes %}
- {{ prefix.ipv6 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
+{% for mesh in meshes %}
+{% for ula in mesh.ipv6_ula %}
+ {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
 {% endfor %}
 ];
 }
 
-function is_mwu_self_nets_strict() {
- return net ~ [
-{% for prefix in ffmwu_internal_prefixes %}
- {{ prefix.ipv6 | ipaddr('net') }}{{ "," if not loop.last else "" }}
-{% endfor %}
- ];
-}
-
-function is_mwu_loopback() {
- return net ~ [
- {{ ffmwu_loopback_net_ipv6 }}+
- ];
-};
-
-function is_mwu_anycast() {
- return net ~ [
- {{ ffmwu_anycast_ipv6 }}+
- ];
-};
-
 # Protocols
 protocol device {
 scan time 30;
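Review bot: In the restored `is_mwu_self_nets()` the outer `{{ "," if not loop.last else "" }}` is emitted after the inner `{% for ula in mesh.ipv6_ula %}` loop regardless of whether that loop produced any entry, so a non-last mesh whose `ipv6_ula` list is empty renders a stray comma inside the prefix set and BIRD's parser will most likely reject the generated bird6.conf. Flattening the addresses first removes the two-level separator logic: `{% for ula in meshes | map(attribute='ipv6_ula') | sum(start=[]) %}`, ` {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}`, `{% endfor %}`. This assumes every `ipv6_ula` is a list, which the existing inner loop already requires; if all of them can be empty the set would render as `[ ]` and needs its own guard. The function is complete inside the hunk.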
@@ -61,54 +42,15 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
 interface "{{ mesh.id }}br";
 {% endfor %}
- import where is_mwu_self_nets_loose();
-};
-
-protocol direct mwu_loopback {
- interface "loopback";
- import where is_mwu_loopback();
-};
-
-{% if ffmwu_server_type == "gateway" %}
-protocol direct mwu_anycast {
- interface "anycast";
- import where is_mwu_anycast();
-};
-{% endif %}
-
-protocol static {
-{% for prefix in ffmwu_internal_prefixes %}
- route {{ prefix.ipv6 }} reject;
-{% endfor %}
-};
-
-protocol kernel kernel_mwu {
- scan time 30;
- import none;
- export filter {
- if is_mwu_anycast() then reject;
- if is_mwu_loopback() then accept;
- reject;
- };
- kernel table ipt_mwu;
+ import where is_mwu_self_nets();
 };
 
 # Templates
 template bgp ibgp_mwu {
 local mwu_address as mwu_as;
 import keep filtered on;
- import filter {
- if is_mwu_anycast() then reject;
- if is_mwu_self_nets_loose() then accept;
- if is_ula() then accept;
- reject;
- };
- export filter {
- if is_mwu_anycast() then reject;
- if is_mwu_self_nets_loose() then accept;
- if source = RTS_BGP then accept;
- reject;
- };
+ import all;
+ export where source = RTS_BGP;
 direct;
 gateway direct;
 };