fa37598c3b
Restructure bird configuration to exchange loopback addresses and announce the whole freifunk subnets instead the configured ones.
90 lines
2.1 KiB
Django/Jinja
90 lines
2.1 KiB
Django/Jinja
#
|
|
# {{ ansible_managed }}
|
|
#
|
|
|
|
# Variables
|
|
define icvpn_address = {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
|
|
|
|
# ROA
|
|
roa table roa_icvpn {
|
|
include "icvpn_ipv4_roa.con?";
|
|
}
|
|
|
|
# Routing Tables
|
|
table icvpn;
|
|
|
|
# Filters
|
|
filter icvpn_import_filter {
|
|
if is_mwu_self_nets_loose() then reject;
|
|
if is_chaosvpn() then accept;
|
|
if roa_check(roa_icvpn) = ROA_VALID then {
|
|
if is_freifunk() then accept;
|
|
if is_dn42() then accept;
|
|
} else {
|
|
if roa_check(roa_icvpn) = ROA_UNKNOWN then {
|
|
if is_dn42() then {
|
|
print "ROA UNKNOWN for dn42 net, accepting: ", net, " ASN: ", bgp_path.last;
|
|
accept;
|
|
}
|
|
if is_freifunk() then {
|
|
print "ROA UNKNOWN for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
|
|
accept;
|
|
}
|
|
}
|
|
if roa_check(roa_icvpn) = ROA_INVALID then {
|
|
if is_freifunk() then {
|
|
print "ROA INVALID for freifunk net, accepting: ", net, " ASN: ", bgp_path.last;
|
|
accept;
|
|
}
|
|
}
|
|
reject;
|
|
}
|
|
reject;
|
|
}
|
|
|
|
# Protocols
|
|
protocol pipe {
|
|
peer table icvpn;
|
|
import none;
|
|
export filter {
|
|
if is_mwu_self_nets_loose() then reject;
|
|
if is_freifunk() then accept;
|
|
if is_chaosvpn() then accept;
|
|
if is_dn42() then accept;
|
|
reject;
|
|
};
|
|
};
|
|
|
|
# Protocols
|
|
protocol kernel kernel_icvpn {
|
|
table icvpn;
|
|
scan time 30;
|
|
import none;
|
|
export filter {
|
|
if is_mwu_self_nets_loose() then reject;
|
|
krt_prefsrc = icvpn_address;
|
|
accept;
|
|
};
|
|
kernel table ipt_icvpn;
|
|
};
|
|
|
|
# Templates
|
|
template bgp ebgp_icvpn {
|
|
local icvpn_address as mwu_as;
|
|
import keep filtered on;
|
|
import filter icvpn_import_filter;
|
|
export filter {
|
|
if is_mwu_self_nets_strict() then accept;
|
|
if source = RTS_BGP then {
|
|
if is_freifunk() || is_dn42() then {
|
|
accept;
|
|
}
|
|
}
|
|
reject;
|
|
};
|
|
direct;
|
|
}
|
|
|
|
# Include ICVPN IPv4 peers
|
|
include "icvpn_ipv4_peers.con?";
|