freifunk/ansible-ffibk
9
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Revert "Roles service-bird + service-bird-icvpn:"

Browse source 
This reverts commit a8693377a4.
This commit is contained in:
Julian Labus 2018-11-05 15:43:10 +01:00
parent 19da17b6e1
commit dbc7895854
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
6 changed files with 30 additions and 189 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
inventory/group_vars/all
View file

@ -7,18 +7,6 @@ internet_exit_tcp_mss_ipv6: 1220
icvpn_ipv4_transfer_net: 10.207.0.0/16 icvpn_ipv4_transfer_net: 10.207.0.0/16
icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
ffmwu_loopback_net_ipv4: 10.37.255.0/24
ffmwu_loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
ffmwu_anycast_ipv4: 10.37.255.255/32
ffmwu_anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
ffmwu_internal_prefixes:
- ipv4: 10.37.0.0/16
ipv6: fd37:b4dc:4b1e::/48
- ipv4: 10.56.0.0/16
ipv6: fd56:b4dc:4b1e::/48
bgp_loopback_net: 10.37.0.0/18 bgp_loopback_net: 10.37.0.0/18
bgp_ipv4_transfer_net: 10.37.0.0/18 bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64

28
roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
View file

@ -10,12 +10,9 @@ roa table roa_icvpn {
include "icvpn_ipv4_roa.con?"; include "icvpn_ipv4_roa.con?";
} }
# Routing Tables
table icvpn;
# Filters # Filters
filter icvpn_import_filter { filter icvpn_import_filter {
if is_mwu_self_nets_loose() then reject; if is_mwu_self_nets() then reject;
if is_chaosvpn() then accept; if is_chaosvpn() then accept;
if roa_check(roa_icvpn) = ROA_VALID then { if roa_check(roa_icvpn) = ROA_VALID then {
if is_freifunk() then accept; if is_freifunk() then accept;
@ -43,25 +40,12 @@ filter icvpn_import_filter {
} }
# Protocols # Protocols
protocol pipe { protocol kernel kernel_mwu {
peer table icvpn;
import none;
export filter {
if is_mwu_self_nets_loose() then reject;
if is_freifunk() then accept;
if is_chaosvpn() then accept;
if is_dn42() then accept;
reject;
};
};
# Protocols
protocol kernel kernel_icvpn {
table icvpn;
scan time 30; scan time 30;
import none; import none;
export filter { export filter {
if is_mwu_self_nets_loose() then reject; if is_mwu_self_nets() then
reject;
krt_prefsrc = icvpn_address; krt_prefsrc = icvpn_address;
accept; accept;
}; };
@ -74,7 +58,9 @@ template bgp ebgp_icvpn {
import keep filtered on; import keep filtered on;
import filter icvpn_import_filter; import filter icvpn_import_filter;
export filter { export filter {
if is_mwu_self_nets_strict() then accept; if is_mwu_self_nets() then {
accept;
}
if source = RTS_BGP then { if source = RTS_BGP then {
if is_freifunk() || is_dn42() then { if is_freifunk() || is_dn42() then {
accept; accept;

29
roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
View file

@ -10,12 +10,9 @@ roa table roa_icvpn {
include "icvpn_ipv6_roa.con?"; include "icvpn_ipv6_roa.con?";
} }
# Routing Tables
table icvpn;
# Filters # Filters
filter icvpn_import_filter { filter icvpn_import_filter {
if is_mwu_self_nets_loose() then reject; if is_mwu_self_nets() then reject;
if roa_check(roa_icvpn) = ROA_VALID then { if roa_check(roa_icvpn) = ROA_VALID then {
if is_ula() then accept; if is_ula() then accept;
} else { } else {
@ -37,22 +34,12 @@ filter icvpn_import_filter {
} }
# Protocols # Protocols
protocol pipe { protocol kernel kernel_mwu {
peer table icvpn;
export filter {
if is_mwu_self_nets_loose() then reject;
if is_ula() then accept;
reject;
};
import none;
};
protocol kernel kernel_icvpn {
table icvpn;
scan time 30; scan time 30;
import none; import none;
export filter { export filter {
if is_mwu_self_nets_loose() then reject; if is_mwu_self_nets() then
reject;
krt_prefsrc = icvpn_address; krt_prefsrc = icvpn_address;
accept; accept;
}; };
@ -65,8 +52,12 @@ template bgp ebgp_icvpn {
import keep filtered on; import keep filtered on;
import filter icvpn_import_filter; import filter icvpn_import_filter;
export filter { export filter {
if is_mwu_self_nets_strict() then accept; if is_mwu_self_nets() then {
if source = RTS_BGP then accept; accept;
}
if source = RTS_BGP then {
accept;
}
reject; reject;
}; };
direct; direct;

5
roles/service-bird/README.md
View file

@ -12,15 +12,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
## Benötigte Variablen ## Benötigte Variablen
- Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt. - Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt.
- Variable `ffmwu_loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
- Variable `ffmwu_loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
- Variable `ffmwu_anycast_ipv4` # Anycast IPv4-Adresse
- Variable `ffmwu_anycast_ipv6` # Anycast IPv6-Adresse
- Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird. - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
- Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
- Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll - Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
- Liste `ffmwu_internal_prefixes`
- Dictionary `bgp_mwu_servers` - Dictionary `bgp_mwu_servers`
``` ```

73
roles/service-bird/templates/bird.conf.j2
View file

@ -36,34 +36,14 @@ function is_chaosvpn() {
]; ];
} }
function is_mwu_self_nets_loose() { function is_mwu_self_nets() {
return net ~ [ return net ~ [
{% for prefix in ffmwu_internal_prefixes %} {% for mesh in meshes %}
{{ prefix.ipv4 | ipaddr('net') }}+{{ "," if not loop.last else "" }} {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
]; ];
} }
function is_mwu_self_nets_strict() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{{ prefix.ipv4 | ipaddr('net') }}{{ "," if not loop.last else "" }}
{% endfor %}
];
}
function is_mwu_loopback() {
return net ~ [
{{ ffmwu_loopback_net_ipv4 }}+
];
}
function is_mwu_anycast() {
return net ~ [
{{ ffmwu_anycast_ipv4 }}
];
}
# Protocols # Protocols
protocol device { protocol device {
scan time 30; scan time 30;
@ -73,56 +53,15 @@ protocol direct mwu_subnets {
{% for mesh in meshes %} {% for mesh in meshes %}
interface "{{ mesh.id }}br"; interface "{{ mesh.id }}br";
{% endfor %} {% endfor %}
import where is_mwu_self_nets_loose(); import where is_mwu_self_nets();
};
protocol direct mwu_loopback {
interface "loopback";
import where is_mwu_loopback();
};
{% if ffmwu_server_type == "gateway" %}
protocol direct mwu_anycast {
interface "anycast";
import where is_mwu_anycast();
};
{% endif %}
protocol static {
{% for prefix in ffmwu_internal_prefixes %}
route {{ prefix.ipv4 }} reject;
{% endfor %}
};
protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
if is_mwu_anycast() then reject;
if is_mwu_loopback() then accept;
reject;
};
kernel table ipt_mwu;
}; };
# Templates # Templates
template bgp ibgp_mwu { template bgp ibgp_mwu {
local mwu_address as mwu_as; local mwu_address as mwu_as;
import keep filtered on; import keep filtered on;
import filter { import all;
if is_mwu_anycast() then reject; export where source = RTS_BGP;
if is_mwu_self_nets_loose() then accept;
if is_freifunk() then accept;
if is_chaosvpn() then accept;
if is_dn42() then accept;
reject;
};
export filter {
if is_mwu_anycast() then reject;
if is_mwu_self_nets_loose() then accept;
if source = RTS_BGP then accept;
reject;
};
direct; direct;
gateway direct; gateway direct;
}; };

72
roles/service-bird/templates/bird6.conf.j2
View file

@ -24,34 +24,15 @@ function is_ula() {
]; ];
} }
function is_mwu_self_nets_loose() { function is_mwu_self_nets() {
return net ~ [ return net ~ [
{% for prefix in ffmwu_internal_prefixes %} {% for mesh in meshes %}
{{ prefix.ipv6 | ipaddr('net') }}+{{ "," if not loop.last else "" }} {% for ula in mesh.ipv6_ula %}
{{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
]; ];
} }
function is_mwu_self_nets_strict() {
return net ~ [
{% for prefix in ffmwu_internal_prefixes %}
{{ prefix.ipv6 | ipaddr('net') }}{{ "," if not loop.last else "" }}
{% endfor %}
];
}
function is_mwu_loopback() {
return net ~ [
{{ ffmwu_loopback_net_ipv6 }}+
];
};
function is_mwu_anycast() {
return net ~ [
{{ ffmwu_anycast_ipv6 }}+
];
};
# Protocols # Protocols
protocol device { protocol device {
scan time 30; scan time 30;
@ -61,54 +42,15 @@ protocol direct mwu_subnets {
{% for mesh in meshes %} {% for mesh in meshes %}
interface "{{ mesh.id }}br"; interface "{{ mesh.id }}br";
{% endfor %} {% endfor %}
import where is_mwu_self_nets_loose(); import where is_mwu_self_nets();
};
protocol direct mwu_loopback {
interface "loopback";
import where is_mwu_loopback();
};
{% if ffmwu_server_type == "gateway" %}
protocol direct mwu_anycast {
interface "anycast";
import where is_mwu_anycast();
};
{% endif %}
protocol static {
{% for prefix in ffmwu_internal_prefixes %}
route {{ prefix.ipv6 }} reject;
{% endfor %}
};
protocol kernel kernel_mwu {
scan time 30;
import none;
export filter {
if is_mwu_anycast() then reject;
if is_mwu_loopback() then accept;
reject;
};
kernel table ipt_mwu;
}; };
# Templates # Templates
template bgp ibgp_mwu { template bgp ibgp_mwu {
local mwu_address as mwu_as; local mwu_address as mwu_as;
import keep filtered on; import keep filtered on;
import filter { import all;
if is_mwu_anycast() then reject; export where source = RTS_BGP;
if is_mwu_self_nets_loose() then accept;
if is_ula() then accept;
reject;
};
export filter {
if is_mwu_anycast() then reject;
if is_mwu_self_nets_loose() then accept;
if source = RTS_BGP then accept;
reject;
};
direct; direct;
gateway direct; gateway direct;
}; };