summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoruvok cheetah2024-04-29 20:41:11 +0200
committeruvok cheetah2024-04-29 20:41:11 +0200
commit36ad3dd2871b9de8577406ed37e1050bd2d4009a (patch)
tree1fc7f563dc5fc97a56d66ad9f62490cda30caff6
parent90de89d1c66728e7d26bcecd5780a470da9fd565 (diff)
bird: Split clearnet files, use rsync
-rw-r--r--roles/uvok_bird/files/clear_filters.conf136
-rw-r--r--roles/uvok_bird/files/clear_rpki.conf21
-rw-r--r--roles/uvok_bird/tasks/main.yml20
-rw-r--r--roles/uvok_bird/templates/clearnet.conf.j2153
4 files changed, 171 insertions, 159 deletions
diff --git a/roles/uvok_bird/files/clear_filters.conf b/roles/uvok_bird/files/clear_filters.conf
new file mode 100644
index 0000000..f78ba9e
--- /dev/null
+++ b/roles/uvok_bird/files/clear_filters.conf
@@ -0,0 +1,136 @@
+# managed by Ansible
+
+## IMPORT FILTERS
+
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 ]; # RFC 7300 Last 32 bit ASN
+
+define BOGON_PREFIXES = [ ::/0, # Default route
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+# not supported (yet???)
+# -> bool {
+function is_default_route() {
+ case net.type {
+ NET_IP4: return net = 0.0.0.0/0;
+ NET_IP6: return net = ::/0;
+ else: return false;
+ }
+}
+
+function accept_default_route() {
+ if is_default_route() then accept;
+}
+
+function reject_bogon_asns()
+int set bogon_asns;
+{
+ bogon_asns = BOGON_ASNS;
+
+ if ( bgp_path ~ bogon_asns ) then {
+ print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_ASN);
+ }
+}
+
+function reject_bogon_prefixes()
+prefix set bogon_prefixes;
+{
+ bogon_prefixes = BOGON_PREFIXES;
+ if (net ~ bogon_prefixes) then {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_PREFIX);
+ }
+}
+
+define PROBLEM_PREFIXES = [
+];
+
+function reject_problem_prefixes()
+prefix set problem_prefixes;
+{
+ problem_prefixes = PROBLEM_PREFIXES;
+ if (net ~ problem_prefixes) then {
+ print "Reject: Problematic prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_PROBLEM_PREFIX);
+ }
+}
+
+function reject_long_aspaths()
+{
+ if ( bgp_path.len > 15 ) then {
+ clearnet_add_filter(FILTER_LONG_ASPATH);
+ }
+}
+
+function reject_small_prefixes()
+{
+ if (net.len > 55 && net.type = NET_IP6) then {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
+ }
+}
+
+function reject_roa_rpki()
+{
+ if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
+ clearnet_add_filter(FILTER_ROA_RPKI);
+ }
+}
+
+function prefer_direct_neighbor()
+{
+ if (bgp_path.len = 1) then
+ bgp_local_pref = bgp_local_pref + 700;
+}
+
+
+function clearnet_common_import() {
+ reject_bogon_asns();
+ reject_bogon_prefixes();
+ reject_long_aspaths();
+ reject_small_prefixes();
+ reject_problem_prefixes();
+ reject_roa_rpki();
+ prefer_direct_neighbor();
+ honor_graceful_shutdown();
+}
+
+## EXPORT FILTERS
+
+filter myas_export
+{
+ if (proto = "myprefix") then {
+ accept;
+ }
+ reject;
+}
+
+# route collector
+filter myas_f_rc
+{
+# export IXP routes after all
+# if ( clearnet_is_ixp() ) then reject;
+ if (source = RTS_BGP) then accept;
+ if (proto = "myprefix") then accept;
+ reject;
+};
diff --git a/roles/uvok_bird/files/clear_rpki.conf b/roles/uvok_bird/files/clear_rpki.conf
new file mode 100644
index 0000000..d034889
--- /dev/null
+++ b/roles/uvok_bird/files/clear_rpki.conf
@@ -0,0 +1,21 @@
+# managed by Ansible
+
+roa6 table clear_roa_v6;
+
+protocol rpki roa_clearnet1 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.1;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
+
+protocol rpki roa_clearnet2 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.12;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
diff --git a/roles/uvok_bird/tasks/main.yml b/roles/uvok_bird/tasks/main.yml
index 2918f48..942ad06 100644
--- a/roles/uvok_bird/tasks/main.yml
+++ b/roles/uvok_bird/tasks/main.yml
@@ -55,14 +55,18 @@
- { src: 'clear_defines.conf.j2', dest: '{{ uvok_bird_opts.config_dir }}/clear_defines.conf' }
notify: configure bird
- name: Copy remaining clearnet files
- copy:
- src: files/{{ item }}
- dest: '{{ uvok_bird_opts.config_dir }}/{{ item }}'
- mode: '0640'
- owner: 'bird'
- group: 'bird'
- loop:
- - "clear_functions.conf"
+ ansible.posix.synchronize:
+ src: 'files/'
+ dest: '{{ uvok_bird_opts.config_dir }}'
+ recursive: true
+ archive: false
+ compress: false
+ rsync_opts:
+ - '--chown=bird:bird'
+ - '--chmod=0640'
+ - '--include=*/'
+ - '--include=clear*.conf'
+ - '--exclude=*'
when:
- uvok_bird_opts.clearnet
notify: configure bird
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 78b83b8..8f17d68 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -2,6 +2,8 @@
include "/etc/bird/clear_defines.conf";
include "/etc/bird/clear_functions.conf";
+include "/etc/bird/clear_rpki.conf";
+include "/etc/bird/clear_filters.conf";
define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
@@ -10,157 +12,6 @@ ipv6 table t_myas_unfiltered;
ipv6 table t_myas_trs;
ipv6 table t_myas_babel;
-roa6 table clear_roa_v6;
-
-protocol rpki roa_clearnet1 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.1;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-protocol rpki roa_clearnet2 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.12;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-define BOGON_ASNS = [
- 0, # RFC 7607
- 23456, # RFC 4893 AS_TRANS
- 64496..64511, # RFC 5398 and documentation/example ASNs
- 64512..65534, # RFC 6996 Private ASNs
- 65535, # RFC 7300 Last 16 bit ASN
- 65536..65551, # RFC 5398 and documentation/example ASNs
- 65552..131071, # RFC IANA reserved ASNs
- 4200000000..4294967294, # RFC 6996 Private ASNs
- 4294967295 ]; # RFC 7300 Last 32 bit ASN
-
-define BOGON_PREFIXES = [ ::/0, # Default route
- ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
- 0100::/64+, # RFC 6666 Discard-Only
- 2001:2::/48+, # RFC 5180 BMWG
- 2001:10::/28+, # RFC 4843 ORCHID
- 2001:db8::/32+, # RFC 3849 documentation
- 2002::/16+, # RFC 7526 6to4 anycast relay
- 3ffe::/16+, # RFC 3701 old 6bone
- fc00::/7+, # RFC 4193 unique local unicast
- fe80::/10+, # RFC 4291 link local unicast
- fec0::/10+, # RFC 3879 old site local unicast
- ff00::/8+ # RFC 4291 multicast
- ];
-
-# not supported (yet???)
-# -> bool {
-function is_default_route() {
- case net.type {
- NET_IP4: return net = 0.0.0.0/0;
- NET_IP6: return net = ::/0;
- else: return false;
- }
-}
-
-function accept_default_route() {
- if is_default_route() then accept;
-}
-
-function reject_bogon_asns()
-int set bogon_asns;
-{
- bogon_asns = BOGON_ASNS;
-
- if ( bgp_path ~ bogon_asns ) then {
- print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_ASN);
- }
-}
-
-function reject_bogon_prefixes()
-prefix set bogon_prefixes;
-{
- bogon_prefixes = BOGON_PREFIXES;
- if (net ~ bogon_prefixes) then {
- print "Reject: Bogon prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_PREFIX);
- }
-}
-
-define PROBLEM_PREFIXES = [
-];
-
-function reject_problem_prefixes()
-prefix set problem_prefixes;
-{
- problem_prefixes = PROBLEM_PREFIXES;
- if (net ~ problem_prefixes) then {
- print "Reject: Problematic prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_PROBLEM_PREFIX);
- }
-}
-
-function reject_long_aspaths()
-{
- if ( bgp_path.len > 15 ) then {
- clearnet_add_filter(FILTER_LONG_ASPATH);
- }
-}
-
-function reject_small_prefixes()
-{
- if (net.len > 55 && net.type = NET_IP6) then {
- print "Reject: Too small prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
- }
-}
-
-function reject_roa_rpki()
-{
- if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
- clearnet_add_filter(FILTER_ROA_RPKI);
- }
-}
-
-function prefer_direct_neighbor()
-{
- if (bgp_path.len = 1) then
- bgp_local_pref = bgp_local_pref + 700;
-}
-
-
-function clearnet_common_import() {
- reject_bogon_asns();
- reject_bogon_prefixes();
- reject_long_aspaths();
- reject_small_prefixes();
- reject_problem_prefixes();
- reject_roa_rpki();
- prefer_direct_neighbor();
- honor_graceful_shutdown();
-}
-
-filter myas_export
-{
- if (proto = "myprefix") then {
- accept;
- }
- reject;
-}
-
-# route collector
-filter myas_f_rc
-{
-# export IXP routes after all
-# if ( clearnet_is_ixp() ) then reject;
- if (source = RTS_BGP) then accept;
- if (proto = "myprefix") then accept;
- reject;
-};
-
protocol static myprefix {
{% for prefix in uvok_bird_opts.clear_prefixes %}
route {{ prefix }} reject;