Roles service-bird + service-bird-icvpn:

Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones.
2018-10-31 20:58:56 +01:00 · 2018-10-31 20:58:56 +01:00 · fa37598c3b
commit fa37598c3b
parent 678312c7fc
6 changed files with 189 additions and 30 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -7,6 +7,18 @@ internet_exit_tcp_mss_ipv6: 1220

 icvpn_ipv4_transfer_net: 10.207.0.0/16
 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
+
+ffmwu_loopback_net_ipv4: 10.37.255.0/24
+ffmwu_loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
+ffmwu_anycast_ipv4: 10.37.255.255/32
+ffmwu_anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
+
+ffmwu_internal_prefixes:
+  - ipv4: 10.37.0.0/16
+    ipv6: fd37:b4dc:4b1e::/48
+  - ipv4: 10.56.0.0/16
+    ipv6: fd56:b4dc:4b1e::/48
+
 bgp_loopback_net: 10.37.0.0/18
 bgp_ipv4_transfer_net: 10.37.0.0/18
 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
--- a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
@ -10,9 +10,12 @@ roa table roa_icvpn {
    include "icvpn_ipv4_roa.con?";
 }

+# Routing Tables
+table icvpn;
+
 # Filters
 filter icvpn_import_filter {
-    if is_mwu_self_nets() then reject;
+    if is_mwu_self_nets_loose() then reject;
    if is_chaosvpn() then accept;
    if roa_check(roa_icvpn) = ROA_VALID then {
        if is_freifunk() then accept;
@ -40,12 +43,25 @@ filter icvpn_import_filter {
 }

 # Protocols
-protocol kernel kernel_mwu {
+protocol pipe {
+    peer table icvpn;
+    import none;
+    export filter {
+        if is_mwu_self_nets_loose() then reject;
+        if is_freifunk() then accept;
+        if is_chaosvpn() then accept;
+        if is_dn42() then accept;
+        reject;
+    };
+};
+
+# Protocols
+protocol kernel kernel_icvpn {
+    table icvpn;
    scan time 30;
    import none;
    export filter {
-        if is_mwu_self_nets() then
-            reject;
+        if is_mwu_self_nets_loose() then reject;
        krt_prefsrc = icvpn_address;
        accept;
    };
@ -58,9 +74,7 @@ template bgp ebgp_icvpn {
    import keep filtered on;
    import filter icvpn_import_filter;
    export filter {
-        if is_mwu_self_nets() then {
-            accept;
-        }
+        if is_mwu_self_nets_strict() then accept;
        if source = RTS_BGP then {
            if is_freifunk() || is_dn42() then {
                accept;
--- a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
@ -10,9 +10,12 @@ roa table roa_icvpn {
    include "icvpn_ipv6_roa.con?";
 }

+# Routing Tables
+table icvpn;
+
 # Filters
 filter icvpn_import_filter {
-    if is_mwu_self_nets() then reject;
+    if is_mwu_self_nets_loose() then reject;
    if roa_check(roa_icvpn) = ROA_VALID then {
        if is_ula() then accept;
    } else {
@ -34,12 +37,22 @@ filter icvpn_import_filter {
 }

 # Protocols
-protocol kernel kernel_mwu {
+protocol pipe {
+    peer table icvpn;
+    export filter {
+        if is_mwu_self_nets_loose() then reject;
+        if is_ula() then accept;
+        reject;
+    };
+    import none;
+};
+
+protocol kernel kernel_icvpn {
+    table icvpn;
    scan time 30;
    import none;
    export filter {
-        if is_mwu_self_nets() then
-            reject;
+        if is_mwu_self_nets_loose() then reject;
        krt_prefsrc = icvpn_address;
        accept;
    };
@ -52,12 +65,8 @@ template bgp ebgp_icvpn {
    import keep filtered on;
    import filter icvpn_import_filter;
    export filter {
-        if is_mwu_self_nets() then {
-            accept;
-        }
-        if source = RTS_BGP then {
-            accept;
-        }
+        if is_mwu_self_nets_strict() then accept;
+        if source = RTS_BGP then accept;
        reject;
    };
    direct;
--- a/roles/service-bird/README.md
+++ b/roles/service-bird/README.md
@ -12,10 +12,15 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
 ## Benötigte Variablen

 - Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt.
+- Variable `ffmwu_loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
+- Variable `ffmwu_loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
+- Variable `ffmwu_anycast_ipv4` # Anycast IPv4-Adresse
+- Variable `ffmwu_anycast_ipv6` # Anycast IPv6-Adresse
 - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
 - Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
+- Liste `ffmwu_internal_prefixes`
 - Dictionary `bgp_mwu_servers`

 ```
--- a/roles/service-bird/templates/bird.conf.j2
+++ b/roles/service-bird/templates/bird.conf.j2
@ -36,14 +36,34 @@ function is_chaosvpn() {
    ];
 }

-function is_mwu_self_nets() {
+function is_mwu_self_nets_loose() {
    return net ~ [
-{% for mesh in meshes %}
-        {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
+{% for prefix in ffmwu_internal_prefixes %}
+        {{ prefix.ipv4 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
 {% endfor %}
    ];
 }

+function is_mwu_self_nets_strict() {
+    return net ~ [
+{% for prefix in ffmwu_internal_prefixes %}
+        {{ prefix.ipv4 | ipaddr('net') }}{{ "," if not loop.last else "" }}
+{% endfor %}
+    ];
+}
+
+function is_mwu_loopback() {
+    return net ~ [
+        {{ ffmwu_loopback_net_ipv4 }}+
+    ];
+}
+
+function is_mwu_anycast() {
+    return net ~ [
+        {{ ffmwu_anycast_ipv4 }}
+    ];
+}
+
 # Protocols
 protocol device {
    scan time 30;
@ -53,15 +73,56 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
    interface "{{ mesh.id }}br";
 {% endfor %}
-    import where is_mwu_self_nets();
+    import where is_mwu_self_nets_loose();
+};
+
+protocol direct mwu_loopback {
+    interface "loopback";
+    import where is_mwu_loopback();
+};
+
+{% if ffmwu_server_type == "gateway" %}
+protocol direct mwu_anycast {
+    interface "anycast";
+    import where is_mwu_anycast();
+};
+{% endif %}
+
+protocol static {
+{% for prefix in ffmwu_internal_prefixes %}
+    route {{ prefix.ipv4 }} reject;
+{% endfor %}
+};
+
+protocol kernel kernel_mwu {
+    scan time 30;
+    import none;
+    export filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_loopback() then accept;
+        reject;
+    };
+    kernel table ipt_mwu;
 };

 # Templates
 template bgp ibgp_mwu {
    local mwu_address as mwu_as;
    import keep filtered on;
-    import all;
-    export where source = RTS_BGP;
+    import filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_self_nets_loose() then accept;
+        if is_freifunk() then accept;
+        if is_chaosvpn() then accept;
+        if is_dn42() then accept;
+        reject;
+    };
+    export filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_self_nets_loose() then accept;
+        if source = RTS_BGP then accept;
+        reject;
+    };
    direct;
    gateway direct;
 };
--- a/roles/service-bird/templates/bird6.conf.j2
+++ b/roles/service-bird/templates/bird6.conf.j2
@ -24,15 +24,34 @@ function is_ula() {
    ];
 }

-function is_mwu_self_nets() {
+function is_mwu_self_nets_loose() {
    return net ~ [
-{% for mesh in meshes %}
-{% for ula in mesh.ipv6_ula %}
-        {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
+{% for prefix in ffmwu_internal_prefixes %}
+        {{ prefix.ipv6 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
 {% endfor %}
    ];
 }

+function is_mwu_self_nets_strict() {
+    return net ~ [
+{% for prefix in ffmwu_internal_prefixes %}
+        {{ prefix.ipv6 | ipaddr('net') }}{{ "," if not loop.last else "" }}
+{% endfor %}
+    ];
+}
+
+function is_mwu_loopback() {
+    return net ~ [
+        {{ ffmwu_loopback_net_ipv6 }}+
+    ];
+};
+
+function is_mwu_anycast() {
+    return net ~ [
+        {{ ffmwu_anycast_ipv6 }}+
+    ];
+};
+
 # Protocols
 protocol device {
    scan time 30;
@ -42,15 +61,54 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
    interface "{{ mesh.id }}br";
 {% endfor %}
-    import where is_mwu_self_nets();
+    import where is_mwu_self_nets_loose();
+};
+
+protocol direct mwu_loopback {
+    interface "loopback";
+    import where is_mwu_loopback();
+};
+
+{% if ffmwu_server_type == "gateway" %}
+protocol direct mwu_anycast {
+    interface "anycast";
+    import where is_mwu_anycast();
+};
+{% endif %}
+
+protocol static {
+{% for prefix in ffmwu_internal_prefixes %}
+    route {{ prefix.ipv6 }} reject;
+{% endfor %}
+};
+
+protocol kernel kernel_mwu {
+    scan time 30;
+    import none;
+    export filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_loopback() then accept;
+        reject;
+    };
+    kernel table ipt_mwu;
 };

 # Templates
 template bgp ibgp_mwu {
    local mwu_address as mwu_as;
    import keep filtered on;
-    import all;
-    export where source = RTS_BGP;
+    import filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_self_nets_loose() then accept;
+        if is_ula() then accept;
+        reject;
+    };
+    export filter {
+        if is_mwu_anycast() then reject;
+        if is_mwu_self_nets_loose() then accept;
+        if source = RTS_BGP then accept;
+        reject;
+    };
    direct;
    gateway direct;
 };