aboutsummaryrefslogtreecommitdiff
path: root/tnet
diff options
context:
space:
mode:
authorTrygve Laugstøl <trygvis@inamo.no>2024-07-18 21:51:07 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2024-07-18 21:51:07 +0200
commit2ffcb38acc9e6925a0ae805370d71e257b27e1bb (patch)
tree732bfdfaad3446b0ecf53c99c570a6fb8f53c4b7 /tnet
parentb0beb22fac788c8a43d034caaea8b941b40b21a4 (diff)
downloadinfra-2ffcb38acc9e6925a0ae805370d71e257b27e1bb.tar.gz
infra-2ffcb38acc9e6925a0ae805370d71e257b27e1bb.tar.bz2
infra-2ffcb38acc9e6925a0ae805370d71e257b27e1bb.tar.xz
infra-2ffcb38acc9e6925a0ae805370d71e257b27e1bb.zip
Working routedbits
Diffstat (limited to 'tnet')
-rw-r--r--tnet/files/knot/bird-tnet-pre.conf14
-rw-r--r--tnet/files/knot/bird-tnet.conf11
-rw-r--r--tnet/host_vars/knot/bird.yml1
-rw-r--r--tnet/host_vars/knot/wg.yml4
-rw-r--r--tnet/templates/bird-tnet-pre.conf.j214
-rw-r--r--tnet/templates/bird-tnet.conf.j210
6 files changed, 43 insertions, 11 deletions
diff --git a/tnet/files/knot/bird-tnet-pre.conf b/tnet/files/knot/bird-tnet-pre.conf
index 7994dfe..ec31fa2 100644
--- a/tnet/files/knot/bird-tnet-pre.conf
+++ b/tnet/files/knot/bird-tnet-pre.conf
@@ -5,3 +5,17 @@ function is_tnet() # -> bool
{
return net ~ tnet && ! (net ~ tnet_router);
}
+
+roa6 table dn42_roa;
+
+protocol static {
+ roa6 { table dn42_roa; };
+ include "/etc/bird/dn42_roa_bird2_6.conf";
+};
+
+function dn42_is_valid_network() # -> bool
+{
+ return net ~ [
+ fd00::/8{44,64} # ULA address space as per RFC 4193
+ ];
+}
diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/files/knot/bird-tnet.conf
index bb76fe8..66189e1 100644
--- a/tnet/files/knot/bird-tnet.conf
+++ b/tnet/files/knot/bird-tnet.conf
@@ -50,14 +50,15 @@ protocol bgp tnet_node2 from tnet_tpl {
protocol bgp routedbits_lon1 {
local as 4242423538;
- neighbor fe80::207
+ neighbor fe80::207;
neighbor as 4242420207;
+ interface "tnet-rtdbts_l1";
ipv6 {
import filter {
if dn42_is_valid_network() && !is_tnet() then {
# Check when unknown or invalid according to ROA
- if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then {
accept;
} else {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
@@ -66,13 +67,13 @@ protocol bgp routedbits_lon1 {
} else {
reject;
}
- }
+ };
export filter {
if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
accept;
} else {
reject;
}
- }
- }
+ };
+ };
}
diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml
index d995a46..b79e9e2 100644
--- a/tnet/host_vars/knot/bird.yml
+++ b/tnet/host_vars/knot/bird.yml
@@ -9,3 +9,4 @@ tnet_bird_peers:
policy: dn42
as: 4242420207
address: fe80::207
+ interface: tnet-rtdbts_l1
diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml
index 17601e3..8a92e53 100644
--- a/tnet/host_vars/knot/wg.yml
+++ b/tnet/host_vars/knot/wg.yml
@@ -28,5 +28,7 @@ tnet_wg:
address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da
rtdbts_l1:
port: 51009
- address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c
+ # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c
+ address: fe80::621b:7ccf:ff44:c42c
+ # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c/64
endpoint: router.lon1.routedbits.com:53538
diff --git a/tnet/templates/bird-tnet-pre.conf.j2 b/tnet/templates/bird-tnet-pre.conf.j2
index 7994dfe..ec31fa2 100644
--- a/tnet/templates/bird-tnet-pre.conf.j2
+++ b/tnet/templates/bird-tnet-pre.conf.j2
@@ -5,3 +5,17 @@ function is_tnet() # -> bool
{
return net ~ tnet && ! (net ~ tnet_router);
}
+
+roa6 table dn42_roa;
+
+protocol static {
+ roa6 { table dn42_roa; };
+ include "/etc/bird/dn42_roa_bird2_6.conf";
+};
+
+function dn42_is_valid_network() # -> bool
+{
+ return net ~ [
+ fd00::/8{44,64} # ULA address space as per RFC 4193
+ ];
+}
diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2
index b11bf0c..9797241 100644
--- a/tnet/templates/bird-tnet.conf.j2
+++ b/tnet/templates/bird-tnet.conf.j2
@@ -42,7 +42,7 @@ protocol bgp tnet_{{ p }} from tnet_tpl {
{% elif policy == "dn42" %}
protocol bgp {{ p }} {
local as 4242423538;
- neighbor {{ peer.address }}
+ neighbor {{ peer.address }};
neighbor as {{ peer.as }};
{% if peer.interface is defined %}
interface "{{ peer.interface }}";
@@ -52,7 +52,7 @@ protocol bgp {{ p }} {
import filter {
if dn42_is_valid_network() && !is_tnet() then {
# Check when unknown or invalid according to ROA
- if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then {
+ if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then {
accept;
} else {
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
@@ -61,15 +61,15 @@ protocol bgp {{ p }} {
} else {
reject;
}
- }
+ };
export filter {
if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
accept;
} else {
reject;
}
- }
- }
+ };
+ };
}
{% endif %}
{% endfor %}