From 36ad3dd2871b9de8577406ed37e1050bd2d4009a Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Mon, 29 Apr 2024 20:41:11 +0200
Subject: bird: Split clearnet files, use rsync
---
roles/uvok_bird/files/clear_filters.conf | 136 +++++++++++++++++++++++++
roles/uvok_bird/files/clear_rpki.conf | 21 ++++
roles/uvok_bird/tasks/main.yml | 20 ++--
roles/uvok_bird/templates/clearnet.conf.j2 | 153 +----------------------------
4 files changed, 171 insertions(+), 159 deletions(-)
create mode 100644 roles/uvok_bird/files/clear_filters.conf
create mode 100644 roles/uvok_bird/files/clear_rpki.conf
diff --git a/roles/uvok_bird/files/clear_filters.conf b/roles/uvok_bird/files/clear_filters.conf
new file mode 100644
index 0000000..f78ba9e
--- /dev/null
+++ b/roles/uvok_bird/files/clear_filters.conf
@@ -0,0 +1,136 @@
+# managed by Ansible
+
+## IMPORT FILTERS
+
+define BOGON_ASNS = [
+ 0, # RFC 7607
+ 23456, # RFC 4893 AS_TRANS
+ 64496..64511, # RFC 5398 and documentation/example ASNs
+ 64512..65534, # RFC 6996 Private ASNs
+ 65535, # RFC 7300 Last 16 bit ASN
+ 65536..65551, # RFC 5398 and documentation/example ASNs
+ 65552..131071, # RFC IANA reserved ASNs
+ 4200000000..4294967294, # RFC 6996 Private ASNs
+ 4294967295 ]; # RFC 7300 Last 32 bit ASN
+
+define BOGON_PREFIXES = [ ::/0, # Default route
+ ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
+ 0100::/64+, # RFC 6666 Discard-Only
+ 2001:2::/48+, # RFC 5180 BMWG
+ 2001:10::/28+, # RFC 4843 ORCHID
+ 2001:db8::/32+, # RFC 3849 documentation
+ 2002::/16+, # RFC 7526 6to4 anycast relay
+ 3ffe::/16+, # RFC 3701 old 6bone
+ fc00::/7+, # RFC 4193 unique local unicast
+ fe80::/10+, # RFC 4291 link local unicast
+ fec0::/10+, # RFC 3879 old site local unicast
+ ff00::/8+ # RFC 4291 multicast
+];
+
+# not supported (yet???)
+# -> bool {
+function is_default_route() {
+ case net.type {
+ NET_IP4: return net = 0.0.0.0/0;
+ NET_IP6: return net = ::/0;
+ else: return false;
+ }
+}
+
+function accept_default_route() {
+ if is_default_route() then accept;
+}
+
+function reject_bogon_asns()
+int set bogon_asns;
+{
+ bogon_asns = BOGON_ASNS;
+
+ if ( bgp_path ~ bogon_asns ) then {
+ print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_ASN);
+ }
+}
+
+function reject_bogon_prefixes()
+prefix set bogon_prefixes;
+{
+ bogon_prefixes = BOGON_PREFIXES;
+ if (net ~ bogon_prefixes) then {
+ print "Reject: Bogon prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_BOGON_PREFIX);
+ }
+}
+
+define PROBLEM_PREFIXES = [
+];
+
+function reject_problem_prefixes()
+prefix set problem_prefixes;
+{
+ problem_prefixes = PROBLEM_PREFIXES;
+ if (net ~ problem_prefixes) then {
+ print "Reject: Problematic prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_PROBLEM_PREFIX);
+ }
+}
+
+function reject_long_aspaths()
+{
+ if ( bgp_path.len > 15 ) then {
+ clearnet_add_filter(FILTER_LONG_ASPATH);
+ }
+}
+
+function reject_small_prefixes()
+{
+ if (net.len > 55 && net.type = NET_IP6) then {
+ print "Reject: Too small prefix: ", net, " ", bgp_path;
+ clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
+ }
+}
+
+function reject_roa_rpki()
+{
+ if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
+ clearnet_add_filter(FILTER_ROA_RPKI);
+ }
+}
+
+function prefer_direct_neighbor()
+{
+ if (bgp_path.len = 1) then
+ bgp_local_pref = bgp_local_pref + 700;
+}
+
+
+function clearnet_common_import() {
+ reject_bogon_asns();
+ reject_bogon_prefixes();
+ reject_long_aspaths();
+ reject_small_prefixes();
+ reject_problem_prefixes();
+ reject_roa_rpki();
+ prefer_direct_neighbor();
+ honor_graceful_shutdown();
+}
+
+## EXPORT FILTERS
+
+filter myas_export
+{
+ if (proto = "myprefix") then {
+ accept;
+ }
+ reject;
+}
+
+# route collector
+filter myas_f_rc
+{
+# export IXP routes after all
+# if ( clearnet_is_ixp() ) then reject;
+ if (source = RTS_BGP) then accept;
+ if (proto = "myprefix") then accept;
+ reject;
+};
diff --git a/roles/uvok_bird/files/clear_rpki.conf b/roles/uvok_bird/files/clear_rpki.conf
new file mode 100644
index 0000000..d034889
--- /dev/null
+++ b/roles/uvok_bird/files/clear_rpki.conf
@@ -0,0 +1,21 @@
+# managed by Ansible
+
+roa6 table clear_roa_v6;
+
+protocol rpki roa_clearnet1 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.1;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
+
+protocol rpki roa_clearnet2 {
+ roa6 { table clear_roa_v6; };
+ remote 10.2.0.12;
+ port 8282;
+ refresh 3600;
+ retry 600;
+ expire 7200;
+}
diff --git a/roles/uvok_bird/tasks/main.yml b/roles/uvok_bird/tasks/main.yml
index 2918f48..942ad06 100644
--- a/roles/uvok_bird/tasks/main.yml
+++ b/roles/uvok_bird/tasks/main.yml
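Review bot: `reject_long_aspaths()` is the only reject_* function in this file that tags a route without logging it, so an operator tracing a dropped route will find the FILTER_LONG_ASPATH tag but nothing in the BIRD log; adding `print "Reject: Long AS_PATH: ", net, " ", bgp_path;` before `clearnet_add_filter(FILTER_LONG_ASPATH);` would match its siblings. It is also worth a header comment that none of these functions call `reject` themselves — they only call `clearnet_add_filter(...)`, which lives outside this file (presumably clear_functions.conf) — so a route is dropped only if whatever calls `clearnet_common_import()` acts on the tags afterwards; a new import filter that forgets that step would silently accept bogons. The `# RFC IANA reserved ASNs` comment on the `65552..131071` entry reads like an unfinished citation and could just say `# IANA reserved`.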
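Review bot: Both RTR sessions (`remote 10.2.0.1` and `remote 10.2.0.12`, `port 8282`) carry no `transport` clause, so the ROA data that `reject_roa_rpki()` depends on is fetched over plain TCP; that is the usual setup on a trusted management segment, but if these validators are reachable from less trusted networks BIRD's `transport ssh` option for the rpki protocol would authenticate the cache end. A one-line comment above the first `protocol rpki` block noting that both sessions feed the same `clear_roa_v6` table for redundancy (so one cache can be down without losing validation) would save the next reader from wondering whether the duplication is deliberate.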
@@ -55,14 +55,18 @@ - { src: 'clear_defines.conf.j2', dest: '{{ uvok_bird_opts.config_dir }}/clear_defines.conf' } notify: configure bird - name: Copy remaining clearnet files - copy: - src: files/{{ item }} - dest: '{{ uvok_bird_opts.config_dir }}/{{ item }}' - mode: '0640' - owner: 'bird' - group: 'bird' - loop: - - "clear_functions.conf" + ansible.posix.synchronize: + src: 'files/' + dest: '{{ uvok_bird_opts.config_dir }}' + recursive: true + archive: false + compress: false + rsync_opts: + '--chown=bird:bird' + '--chmod=0640' + '--include=*/' + '--include=clear*.conf' + '--exclude=*' when: - uvok_bird_opts.clearnet notify: configure bird
diff --git a/roles/uvok_bird/templates/clearnet.conf.j2 b/roles/uvok_bird/templates/clearnet.conf.j2
index 78b83b8..8f17d68 100644
--- a/roles/uvok_bird/templates/clearnet.conf.j2
+++ b/roles/uvok_bird/templates/clearnet.conf.j2
@@ -2,6 +2,8 @@ include "/etc/bird/clear_defines.conf"; include "/etc/bird/clear_functions.conf";
+include "/etc/bird/clear_rpki.conf";
+include "/etc/bird/clear_filters.conf";
 define CLEARNET_PREFIP = {{ uvok_bird_opts.preferred_ip }};
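Review bot: The ownership and mode the removed `copy` task enforced (`mode: '0640'`, `owner: 'bird'`, `group: 'bird'`) are very likely not re-applied by the new `ansible.posix.synchronize` task: with `archive: false` the module does not pass `--perms`/`--owner`/`--group` to rsync, and as far as rsync's documentation goes `--chmod` has no effect on existing files without `--perms`, while `--chown` (built on `--usermap`/`--groupmap`) needs `--owner`/`--group` and a receiving rsync running as root. Setting `perms: true`, `owner: true` and `group: true` on the task (and confirming the remote side is privileged) would restore the old guarantees; please verify on a host by inspecting the resulting file modes, since a world- or group-readable BIRD config is the kind of drift that goes unnoticed. Separately, `--chmod=0640` without an `F` prefix also applies to any directory the `--include=*/` rule pulls in, leaving it without the search bit; `--chmod=F0640` limits it to files. Note too that `clear*.conf` matches the template-rendered `clear_defines.conf` already in the destination, which is harmless only while `delete` stays off.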
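Review bot: The two new `include` lines hard-code `/etc/bird/` while the task in this same commit deploys those files to `{{ uvok_bird_opts.config_dir }}`, so a user who sets config_dir to anything else ends up with includes pointing at files that were never copied there. Since this is a Jinja template, `include "{{ uvok_bird_opts.config_dir }}/clear_rpki.conf";` and `include "{{ uvok_bird_opts.config_dir }}/clear_filters.conf";` would keep the two in step (the existing clear_defines/clear_functions includes on the context lines have the same mismatch). The order is right as written and deserves a short comment: `clear_rpki.conf` presumably has to precede `clear_filters.conf` because `reject_roa_rpki()` references the `clear_roa_v6` table declared there.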
@@ -10,157 +12,6 @@ ipv6 table t_myas_unfiltered;
 ipv6 table t_myas_trs;
 ipv6 table t_myas_babel;
-roa6 table clear_roa_v6;
-
-protocol rpki roa_clearnet1 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.1;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-protocol rpki roa_clearnet2 {
- roa6 { table clear_roa_v6; };
- remote 10.2.0.12;
- port 8282;
- refresh 3600;
- retry 600;
- expire 7200;
-}
-
-define BOGON_ASNS = [
- 0, # RFC 7607
- 23456, # RFC 4893 AS_TRANS
- 64496..64511, # RFC 5398 and documentation/example ASNs
- 64512..65534, # RFC 6996 Private ASNs
- 65535, # RFC 7300 Last 16 bit ASN
- 65536..65551, # RFC 5398 and documentation/example ASNs
- 65552..131071, # RFC IANA reserved ASNs
- 4200000000..4294967294, # RFC 6996 Private ASNs
- 4294967295 ]; # RFC 7300 Last 32 bit ASN
-
-define BOGON_PREFIXES = [ ::/0, # Default route
- ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
- 0100::/64+, # RFC 6666 Discard-Only
- 2001:2::/48+, # RFC 5180 BMWG
- 2001:10::/28+, # RFC 4843 ORCHID
- 2001:db8::/32+, # RFC 3849 documentation
- 2002::/16+, # RFC 7526 6to4 anycast relay
- 3ffe::/16+, # RFC 3701 old 6bone
- fc00::/7+, # RFC 4193 unique local unicast
- fe80::/10+, # RFC 4291 link local unicast
- fec0::/10+, # RFC 3879 old site local unicast
- ff00::/8+ # RFC 4291 multicast
- ];
-
-# not supported (yet???)
-# -> bool {
-function is_default_route() {
- case net.type {
- NET_IP4: return net = 0.0.0.0/0;
- NET_IP6: return net = ::/0;
- else: return false;
- }
-}
-
-function accept_default_route() {
- if is_default_route() then accept;
-}
-
-function reject_bogon_asns()
-int set bogon_asns;
-{
- bogon_asns = BOGON_ASNS;
-
- if ( bgp_path ~ bogon_asns ) then {
- print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_ASN);
- }
-}
-
-function reject_bogon_prefixes()
-prefix set bogon_prefixes;
-{
- bogon_prefixes = BOGON_PREFIXES;
- if (net ~ bogon_prefixes) then {
- print "Reject: Bogon prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_BOGON_PREFIX);
- }
-}
-
-define PROBLEM_PREFIXES = [
-];
-
-function reject_problem_prefixes()
-prefix set problem_prefixes;
-{
- problem_prefixes = PROBLEM_PREFIXES;
- if (net ~ problem_prefixes) then {
- print "Reject: Problematic prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_PROBLEM_PREFIX);
- }
-}
-
-function reject_long_aspaths()
-{
- if ( bgp_path.len > 15 ) then {
- clearnet_add_filter(FILTER_LONG_ASPATH);
- }
-}
-
-function reject_small_prefixes()
-{
- if (net.len > 55 && net.type = NET_IP6) then {
- print "Reject: Too small prefix: ", net, " ", bgp_path;
- clearnet_add_filter(FILTER_SMALL_V6_PREFIX);
- }
-}
-
-function reject_roa_rpki()
-{
- if ( roa_check(clear_roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID ) then {
- clearnet_add_filter(FILTER_ROA_RPKI);
- }
-}
-
-function prefer_direct_neighbor()
-{
- if (bgp_path.len = 1) then
- bgp_local_pref = bgp_local_pref + 700;
-}
-
-
-function clearnet_common_import() {
- reject_bogon_asns();
- reject_bogon_prefixes();
- reject_long_aspaths();
- reject_small_prefixes();
- reject_problem_prefixes();
- reject_roa_rpki();
- prefer_direct_neighbor();
- honor_graceful_shutdown();
-}
-
-filter myas_export
-{
- if (proto = "myprefix") then {
- accept;
- }
- reject;
-}
-
-# route collector
-filter myas_f_rc
-{
-# export IXP routes after all
-# if ( clearnet_is_ixp() ) then reject;
- if (source = RTS_BGP) then accept;
- if (proto = "myprefix") then accept;
- reject;
-};
-
 protocol static myprefix {
 {% for prefix in uvok_bird_opts.clear_prefixes %}
 route {{ prefix }} reject;
-- cgit v1.2.3