From fa37598c3b306ebb77b2ee6ce6d4ad3e99727abd Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Wed, 31 Oct 2018 20:58:56 +0100
Subject: [PATCH] Roles service-bird + service-bird-icvpn: Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones.
---
 inventory/group_vars/all | 12 +++
 .../templates/icvpn_ipv4.conf.j2 | 28 +++++--
 .../templates/icvpn_ipv6.conf.j2 | 29 +++++---
 roles/service-bird/README.md | 5 ++
 roles/service-bird/templates/bird.conf.j2 | 73 +++++++++++++++++--
 roles/service-bird/templates/bird6.conf.j2 | 72 ++++++++++++++++--
 6 files changed, 189 insertions(+), 30 deletions(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 34b112b..3ec1c6d 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -7,6 +7,18 @@ internet_exit_tcp_mss_ipv6: 1220
 icvpn_ipv4_transfer_net: 10.207.0.0/16
 icvpn_ipv6_transfer_net: fec0::a:cf:0:0/96
+
+ffmwu_loopback_net_ipv4: 10.37.255.0/24
+ffmwu_loopback_net_ipv6: fd37:b4dc:4b1e:ffff::/64
+ffmwu_anycast_ipv4: 10.37.255.255/32
+ffmwu_anycast_ipv6: fd37:b4dc:4b1e:ffff:ffff:ffff:ffff:ffff/128
+
+ffmwu_internal_prefixes:
+ - ipv4: 10.37.0.0/16
+ ipv6: fd37:b4dc:4b1e::/48
+ - ipv4: 10.56.0.0/16
+ ipv6: fd56:b4dc:4b1e::/48
+
 bgp_loopback_net: 10.37.0.0/18
 bgp_ipv4_transfer_net: 10.37.0.0/18
 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
index 90b2a2b..85a587d 100644
--- a/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv4.conf.j2
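Review bot: `ffmwu_anycast_ipv4` (10.37.255.255/32) lies inside `ffmwu_loopback_net_ipv4` (10.37.255.0/24), and the IPv6 pair nests the same way, so every bird filter that treats anycast and loopback routes differently must test the anycast prefix first; nothing in this hunk records that ordering constraint. A comment above the new block, e.g. `# anycast addresses sit inside the loopback nets: filters must check is_mwu_anycast() before is_mwu_loopback()`, would keep a later reorder from silently turning the anycast route into an ordinary loopback route. The pre-existing `bgp_loopback_net` (10.37.0.0/18) now shares the word "loopback" with `ffmwu_loopback_net_ipv4` while covering a different range; a one-line comment distinguishing the two would help readers of this file.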
@@ -10,9 +10,12 @@ roa table roa_icvpn {
 include "icvpn_ipv4_roa.con?";
 }
+# Routing Tables
+table icvpn;
+
 # Filters
 filter icvpn_import_filter {
- if is_mwu_self_nets() then reject;
+ if is_mwu_self_nets_loose() then reject;
 if is_chaosvpn() then accept;
 if roa_check(roa_icvpn) = ROA_VALID then {
 if is_freifunk() then accept;
@@ -40,12 +43,25 @@ filter icvpn_import_filter {
 }
 # Protocols
-protocol kernel kernel_mwu {
+protocol pipe {
+ peer table icvpn;
+ import none;
+ export filter {
+ if is_mwu_self_nets_loose() then reject;
+ if is_freifunk() then accept;
+ if is_chaosvpn() then accept;
+ if is_dn42() then accept;
+ reject;
+ };
+};
+
+# Protocols
+protocol kernel kernel_icvpn {
+ table icvpn;
 scan time 30;
 import none;
 export filter {
- if is_mwu_self_nets() then
- reject;
+ if is_mwu_self_nets_loose() then reject;
 krt_prefsrc = icvpn_address;
 accept;
 };
@@ -58,9 +74,7 @@ template bgp ebgp_icvpn {
 import keep filtered on;
 import filter icvpn_import_filter;
 export filter {
- if is_mwu_self_nets() then {
- accept;
- }
+ if is_mwu_self_nets_strict() then accept;
 if source = RTS_BGP then {
 if is_freifunk() || is_dn42() then {
 accept;
diff --git a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2 b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
index 5bf2c49..6717d41 100644
--- a/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
+++ b/roles/service-bird-icvpn/templates/icvpn_ipv6.conf.j2
@@ -10,9 +10,12 @@ roa table roa_icvpn {
 include "icvpn_ipv6_roa.con?";
 }
+# Routing Tables
+table icvpn;
+
 # Filters
 filter icvpn_import_filter {
- if is_mwu_self_nets() then reject;
+ if is_mwu_self_nets_loose() then reject;
 if roa_check(roa_icvpn) = ROA_VALID then {
 if is_ula() then accept;
 } else {
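Review bot: The new pipe's export filter rejects `is_mwu_self_nets_loose()` first, and because a `prefix+` pattern in bird matches the prefix itself as well as its more-specifics, the exact aggregates that `is_mwu_self_nets_strict()` is meant to announce can never travel from the master table into `icvpn` through this pipe. If the `ebgp_icvpn` template has been moved to `table icvpn` (its `table` line is not in this patch), the aggregates would have to be originated in that table as well; if it still reads the master table, the pipe is fine but the strict accept has nothing to match in `icvpn`. A comment on the pipe such as `# master -> icvpn: foreign routes only; own prefixes, including the exact aggregates, never cross this pipe` would make that intent checkable. Minor: the pipe carries no name, so it only appears under an auto-generated name in `birdc show protocols`, and the `# Protocols` heading is now duplicated above `kernel_icvpn`; the IPv6 pipe in icvpn_ipv6.conf.j2 has the same properties and additionally places `import none;` after its export filter instead of before it.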
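Review bot: The rewritten `ebgp_icvpn` export filter accepts the exact aggregates via `is_mwu_self_nets_strict()` but still passes every `RTS_BGP` route that matches `is_freifunk() || is_dn42()`, while the new `ibgp_mwu` import filter in bird.conf.j2 now admits every `is_mwu_self_nets_loose()` more-specific learned from the other MWU servers; those arrive here as `RTS_BGP` and match `is_freifunk()`, so the per-mesh subnets the commit message says should no longer be announced would still reach ICVPN peers unless this template reads from `table icvpn` (not visible here; the template body continues outside the hunk). Adding `if is_mwu_self_nets_loose() then reject;` directly after the strict accept makes the filter correct regardless of which table feeds it, because after the strict accept the loose match can only hit more-specifics. The IPv6 export filter in icvpn_ipv6.conf.j2 (`if source = RTS_BGP then accept;`) needs the same guard.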
@@ -34,12 +37,22 @@ filter icvpn_import_filter {
 }
 # Protocols
-protocol kernel kernel_mwu {
+protocol pipe {
+ peer table icvpn;
+ export filter {
+ if is_mwu_self_nets_loose() then reject;
+ if is_ula() then accept;
+ reject;
+ };
+ import none;
+};
+
+protocol kernel kernel_icvpn {
+ table icvpn;
 scan time 30;
 import none;
 export filter {
- if is_mwu_self_nets() then
- reject;
+ if is_mwu_self_nets_loose() then reject;
 krt_prefsrc = icvpn_address;
 accept;
 };
@@ -52,12 +65,8 @@ template bgp ebgp_icvpn {
 import keep filtered on;
 import filter icvpn_import_filter;
 export filter {
- if is_mwu_self_nets() then {
- accept;
- }
- if source = RTS_BGP then {
- accept;
- }
+ if is_mwu_self_nets_strict() then accept;
+ if source = RTS_BGP then accept;
 reject;
 };
 direct;
diff --git a/roles/service-bird/README.md b/roles/service-bird/README.md
index 6d45a03..6f78f03 100644
--- a/roles/service-bird/README.md
+++ b/roles/service-bird/README.md
@@ -12,10 +12,15 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
 ## Benötigte Variablen
 - Variable `bgp_loopback_net` # IPv4-Range des Mainzer Meshes, hieraus werden die Loopback Adressen gewählt.
+- Variable `ffmwu_loopback_net_ipv4` # IPv4-Subnetz für Loopback-Adressen
+- Variable `ffmwu_loopback_net_ipv6` # IPv6-Subnetz für Loopback-Adressen
+- Variable `ffmwu_anycast_ipv4` # Anycast IPv4-Adresse
+- Variable `ffmwu_anycast_ipv6` # Anycast IPv6-Adresse
 - Variable `bgp_ipv4_transfer_net` # IPv4-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_ipv6_transfer_net` # IPv6-Range des Mainzer Meshes, das aktuell als Transfernetz benutzt wird.
 - Variable `bgp_as_private_mwu` # Private ASN von Freifunk MWU
 - Liste `bgp_groups` # List von Hostgruppen zu denen eine Verbindung aufgebaut werden soll
+- Liste `ffmwu_internal_prefixes`
 - Dictionary `bgp_mwu_servers`
 ```
diff --git a/roles/service-bird/templates/bird.conf.j2 b/roles/service-bird/templates/bird.conf.j2
index 3991bcb..6494123 100644
--- a/roles/service-bird/templates/bird.conf.j2
+++ b/roles/service-bird/templates/bird.conf.j2
@@ -36,14 +36,34 @@ function is_chaosvpn() {
 ];
 }
-function is_mwu_self_nets() {
+function is_mwu_self_nets_loose() {
 return net ~ [
-{% for mesh in meshes %}
- {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
+{% for prefix in ffmwu_internal_prefixes %}
+ {{ prefix.ipv4 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
 {% endfor %}
 ];
 }
+function is_mwu_self_nets_strict() {
+ return net ~ [
+{% for prefix in ffmwu_internal_prefixes %}
+ {{ prefix.ipv4 | ipaddr('net') }}{{ "," if not loop.last else "" }}
+{% endfor %}
+ ];
+}
+
+function is_mwu_loopback() {
+ return net ~ [
+ {{ ffmwu_loopback_net_ipv4 }}+
+ ];
+}
+
+function is_mwu_anycast() {
+ return net ~ [
+ {{ ffmwu_anycast_ipv4 }}
+ ];
+}
+
 # Protocols
 protocol device {
 scan time 30;
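Review bot: `is_mwu_self_nets_loose()` and `is_mwu_self_nets_strict()` differ only in a trailing `+` that is easy to overlook, and neither function states which semantics it implements; a header comment on each, e.g. `# loose: the prefix and every more-specific (prefix+); strict: the exact prefix only`, would make the filter ordering in the protocol sections reviewable. `is_mwu_anycast()` is written without `+` here but with `+` in bird6.conf.j2, and the IPv6 file closes `is_mwu_loopback()` and `is_mwu_anycast()` with `};` where this file uses `}`; for a /32 and a /128 the `+` changes nothing, but the two files should be written the same way. `is_mwu_loopback()` matches `{{ ffmwu_loopback_net_ipv4 }}+`, which also covers the anycast /32 inside that net, so every filter that distinguishes the two has to test `is_mwu_anycast()` first; that deserves a comment on `is_mwu_loopback()` as well.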
@@ -53,15 +73,56 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
 interface "{{ mesh.id }}br";
 {% endfor %}
- import where is_mwu_self_nets();
+ import where is_mwu_self_nets_loose();
+};
+
+protocol direct mwu_loopback {
+ interface "loopback";
+ import where is_mwu_loopback();
+};
+
+{% if ffmwu_server_type == "gateway" %}
+protocol direct mwu_anycast {
+ interface "anycast";
+ import where is_mwu_anycast();
+};
+{% endif %}
+
+protocol static {
+{% for prefix in ffmwu_internal_prefixes %}
+ route {{ prefix.ipv4 }} reject;
+{% endfor %}
+};
+
+protocol kernel kernel_mwu {
+ scan time 30;
+ import none;
+ export filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_loopback() then accept;
+ reject;
+ };
+ kernel table ipt_mwu;
 };
 # Templates
 template bgp ibgp_mwu {
 local mwu_address as mwu_as;
 import keep filtered on;
- import all;
- export where source = RTS_BGP;
+ import filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_self_nets_loose() then accept;
+ if is_freifunk() then accept;
+ if is_chaosvpn() then accept;
+ if is_dn42() then accept;
+ reject;
+ };
+ export filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_self_nets_loose() then accept;
+ if source = RTS_BGP then accept;
+ reject;
+ };
 direct;
 gateway direct;
 };
diff --git a/roles/service-bird/templates/bird6.conf.j2 b/roles/service-bird/templates/bird6.conf.j2
index 19d7aba..61f7692 100644
--- a/roles/service-bird/templates/bird6.conf.j2
+++ b/roles/service-bird/templates/bird6.conf.j2
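Review bot: `protocol direct mwu_loopback` and `mwu_anycast` bind to interfaces literally named `"loopback"` and `"anycast"`, and the anycast block is gated on `ffmwu_server_type == "gateway"`; none of these prerequisites is listed in the README this commit touches, so a host missing the interfaces or the variable would presumably end up with no loopback or anycast route and no error pointing at the cause. A comment at the top of the block, e.g. `# requires dummy interfaces "loopback" and "anycast" (gateways only) plus the ffmwu_server_type host variable`, together with matching README lines, would close that gap. `kernel table ipt_mwu` in `kernel_mwu` references a symbol whose definition is not in this patch; if it is not defined elsewhere bird rejects the whole configuration, so a comment naming where it comes from is worthwhile. The `ibgp_mwu` export accepts `is_mwu_self_nets_loose()` ahead of `source = RTS_BGP`, which also re-exports the `protocol static` reject aggregates to iBGP peers that already originate them themselves; harmless, but only intentional if stated. bird6.conf.j2 mirrors this hunk and the same points apply there.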
@@ -24,15 +24,34 @@ function is_ula() {
 ];
 }
-function is_mwu_self_nets() {
+function is_mwu_self_nets_loose() {
 return net ~ [
-{% for mesh in meshes %}
-{% for ula in mesh.ipv6_ula %}
- {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
+{% for prefix in ffmwu_internal_prefixes %}
+ {{ prefix.ipv6 | ipaddr('net') }}+{{ "," if not loop.last else "" }}
 {% endfor %}
 ];
 }
+function is_mwu_self_nets_strict() {
+ return net ~ [
+{% for prefix in ffmwu_internal_prefixes %}
+ {{ prefix.ipv6 | ipaddr('net') }}{{ "," if not loop.last else "" }}
+{% endfor %}
+ ];
+}
+
+function is_mwu_loopback() {
+ return net ~ [
+ {{ ffmwu_loopback_net_ipv6 }}+
+ ];
+};
+
+function is_mwu_anycast() {
+ return net ~ [
+ {{ ffmwu_anycast_ipv6 }}+
+ ];
+};
+
 # Protocols
 protocol device {
 scan time 30;
@@ -42,15 +61,54 @@ protocol direct mwu_subnets {
 {% for mesh in meshes %}
 interface "{{ mesh.id }}br";
 {% endfor %}
- import where is_mwu_self_nets();
+ import where is_mwu_self_nets_loose();
+};
+
+protocol direct mwu_loopback {
+ interface "loopback";
+ import where is_mwu_loopback();
+};
+
+{% if ffmwu_server_type == "gateway" %}
+protocol direct mwu_anycast {
+ interface "anycast";
+ import where is_mwu_anycast();
+};
+{% endif %}
+
+protocol static {
+{% for prefix in ffmwu_internal_prefixes %}
+ route {{ prefix.ipv6 }} reject;
+{% endfor %}
+};
+
+protocol kernel kernel_mwu {
+ scan time 30;
+ import none;
+ export filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_loopback() then accept;
+ reject;
+ };
+ kernel table ipt_mwu;
 };
 # Templates
 template bgp ibgp_mwu {
 local mwu_address as mwu_as;
 import keep filtered on;
- import all;
- export where source = RTS_BGP;
+ import filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_self_nets_loose() then accept;
+ if is_ula() then accept;
+ reject;
+ };
+ export filter {
+ if is_mwu_anycast() then reject;
+ if is_mwu_self_nets_loose() then accept;
+ if source = RTS_BGP then accept;
+ reject;
+ };
 direct;
 gateway direct;
 };