#
# {{ ansible_managed }}
#
# BIRD IPv4 configuration for the ICVPN side of this router, rendered by Ansible.
# It defines the local ICVPN address, a ROA table, the import policy applied to
# ICVPN BGP peers, and the plumbing that moves accepted routes into a dedicated
# kernel routing table. The is_*() predicates, mwu_as and ipt_icvpn are not
# defined here; they must be provided by another part of the configuration.

# Variables
# Local address on the ICVPN transfer network: take the network of
# icvpn_ipv4_transfer_net, select its /24 at index 37, then the address at
# position `magic` inside that /24.
# NOTE(review): presumably `magic` is a per-host integer index; confirm where it
# is defined.
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};

# ROA
# Route origin authorisations consulted by roa_check() in the import filter.
# The trailing "?" makes the include a wildcard pattern.
# NOTE(review): presumably this is so that a missing ROA file does not abort
# config parsing (confirm). With no ROA entries loaded, every lookup returns
# ROA_UNKNOWN, and the filter below accepts dn42 and freifunk nets in that
# state, so an absent or stale ROA file silently disables origin validation.
# Monitoring for the "ROA UNKNOWN" log lines is the only visible signal.
roa table roa_icvpn {
    include "icvpn_ipv4_roa.con?";
}

# Routing Tables
# Dedicated table holding the routes that are pushed to the ICVPN kernel table.
table icvpn;

# Filters
# Import policy for routes received from ICVPN BGP peers (used by the
# ebgp_icvpn template). Statement order matters: the first accept/reject that
# fires ends evaluation.
filter icvpn_import_filter {
    # Never learn our own prefixes from a peer.
    if is_mwu_self_nets_loose() then reject;
    # ChaosVPN nets are accepted before any ROA lookup, i.e. without origin
    # validation.
    if is_chaosvpn() then accept;
    if roa_check(roa_icvpn) = ROA_VALID then {
        # Valid origin: accept only freifunk and dn42 nets; anything else falls
        # through to the final reject.
        if is_freifunk() then accept;
        if is_dn42() then accept;
    } else {
        if roa_check(roa_icvpn) = ROA_UNKNOWN then {
            # No covering ROA: accepted anyway, but logged with the prefix and
            # the last ASN of the BGP path.
            if is_dn42() then {
                print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
            if is_freifunk() then {
                print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        if roa_check(roa_icvpn) = ROA_INVALID then {
            # NOTE(review): a freifunk net whose origin contradicts the ROA data
            # is still accepted, only logged. Together with the branches above,
            # the ROA result never rejects a freifunk prefix; it changes the log
            # output only. dn42 nets with an invalid origin are rejected by the
            # reject below. Confirm that log-only handling is the intended
            # policy for freifunk.
            if is_freifunk() then {
                print "ROA INVALID for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
                accept;
            }
        }
        reject;
    }
    # Default deny: ROA_VALID routes that are neither freifunk nor dn42.
    reject;
}

# Protocols
# Pipe between this protocol's primary table (no `table` statement is given, so
# BIRD's default table applies) and the icvpn table. Only the export direction
# (primary table -> icvpn) carries routes; nothing is imported back.
protocol pipe {
    peer table icvpn;
    import none;
    export filter {
        # Keep our own prefixes out of the icvpn table; pass the three known
        # overlay network families and drop everything else.
        if is_mwu_self_nets_loose() then reject;
        if is_freifunk() then accept;
        if is_chaosvpn() then accept;
        if is_dn42() then accept;
        reject;
    };
};

# Kernel synchronisation for the icvpn table.
# Routes are written to the kernel table ipt_icvpn (rescanned every 30 s);
# nothing is learned from the kernel.
protocol kernel kernel_icvpn {
    table icvpn;
    scan time 30;
    import none;
    export filter {
        if is_mwu_self_nets_loose() then reject;
        # Preferred source address for traffic following these routes.
        krt_prefsrc = icvpn_address;
        accept;
    };
    kernel table ipt_icvpn;
};

# Templates
# Base settings shared by the eBGP sessions of the ICVPN peers included below.
template bgp ebgp_icvpn {
    local icvpn_address as mwu_as;
    # Keep routes rejected by the import filter in the table (hidden), so they
    # can be inspected with `show route filtered` when reviewing the log lines
    # above.
    import keep filtered on;
    import filter icvpn_import_filter;
    export filter {
        # Announce our own prefixes.
        if is_mwu_self_nets_strict() then accept;
        # Re-announce BGP-learned freifunk and dn42 routes to ICVPN peers.
        # ChaosVPN routes are accepted on import but never exported here.
        if source = RTS_BGP then {
            if is_freifunk() || is_dn42() then {
                accept;
            }
        }
        reject;
    };
    # Neighbours are expected to be directly connected.
    direct;
}

# Include ICVPN IPv4 peers
# Wildcard include, same pattern as the ROA file above.
include "icvpn_ipv4_peers.con?";