-rw-r--r-- | tnet/files/knot/bird-tnet-pre.conf | 14 | ||||
-rw-r--r-- | tnet/files/knot/bird-tnet.conf | 11 | ||||
-rw-r--r-- | tnet/host_vars/knot/bird.yml | 1 | ||||
-rw-r--r-- | tnet/host_vars/knot/wg.yml | 4 | ||||
-rw-r--r-- | tnet/templates/bird-tnet-pre.conf.j2 | 14 | ||||
-rw-r--r-- | tnet/templates/bird-tnet.conf.j2 | 10 |
6 files changed, 43 insertions, 11 deletions
diff --git a/tnet/files/knot/bird-tnet-pre.conf b/tnet/files/knot/bird-tnet-pre.conf index 7994dfe..ec31fa2 100644 --- a/tnet/files/knot/bird-tnet-pre.conf +++ b/tnet/files/knot/bird-tnet-pre.conf @@ -5,3 +5,17 @@ function is_tnet() # -> bool { return net ~ tnet && ! (net ~ tnet_router); } + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() # -> bool +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/files/knot/bird-tnet.conf index bb76fe8..66189e1 100644 --- a/tnet/files/knot/bird-tnet.conf +++ b/tnet/files/knot/bird-tnet.conf @@ -50,14 +50,15 @@ protocol bgp tnet_node2 from tnet_tpl { protocol bgp routedbits_lon1 { local as 4242423538; - neighbor fe80::207 + neighbor fe80::207; neighbor as 4242420207; + interface "tnet-rtdbts_l1"; ipv6 { import filter { if dn42_is_valid_network() && !is_tnet() then { # Check when unknown or invalid according to ROA - if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then { + if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then { accept; } else { print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; @@ -66,13 +67,13 @@ protocol bgp routedbits_lon1 { } else { reject; } - } + }; export filter { if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { accept; } else { reject; } - } - } + }; + }; } diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml index d995a46..b79e9e2 100644 --- a/tnet/host_vars/knot/bird.yml +++ b/tnet/host_vars/knot/bird.yml @@ -9,3 +9,4 @@ tnet_bird_peers: policy: dn42 as: 4242420207 address: fe80::207 + interface: tnet-rtdbts_l1 diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 17601e3..8a92e53 100644 --- a/tnet/host_vars/knot/wg.yml +++ b/tnet/host_vars/knot/wg.yml 
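Review bot: The `include "/etc/bird/dn42_roa_bird2_6.conf";` added inside `protocol static` in tnet/files/knot/bird-tnet-pre.conf carries no comment on where that file comes from or how it is refreshed, and nothing in this commit provisions it. If the file is absent BIRD will presumably reject the whole configuration at load, and because the peer filters in tnet/files/knot/bird-tnet.conf accept only ROA_VALID, a stale table silently rejects routes for prefixes registered after the last refresh. A comment above the include such as `# dn42 ROA table generated from the registry; must be refreshed periodically (missing file = config load failure, stale file = valid routes rejected)` would record that operational dependency. The identical block is added to tnet/templates/bird-tnet-pre.conf.j2, so the two copies now have to be kept in sync by hand; keeping only the template would avoid that.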
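Review bot: The export filter in the `-66,13 +67,13` hunk of tnet/files/knot/bird-tnet.conf accepts every RTS_STATIC or RTS_BGP route that passes `dn42_is_valid_network()`, whereas the import filter in the preceding hunk additionally requires `!is_tnet()`; if the tnet prefix set lies inside fd00::/8 (not visible here), internal routes learned from the tnet_node peers would be announced to routedbits_lon1. Mirroring the import condition, `if dn42_is_valid_network() && !is_tnet() && source ~ [RTS_STATIC, RTS_BGP] then {`, keeps the internal routes off the dn42 session. The same export filter appears in the `-61,15 +61,15` hunk of tnet/templates/bird-tnet.conf.j2. The enclosing `protocol bgp routedbits_lon1` block starts before the hunk.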
@@ -28,5 +28,7 @@ tnet_wg: address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da rtdbts_l1: port: 51009 - address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c + # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c + address: fe80::621b:7ccf:ff44:c42c + # address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c/64 endpoint: router.lon1.routedbits.com:53538 diff --git a/tnet/templates/bird-tnet-pre.conf.j2 b/tnet/templates/bird-tnet-pre.conf.j2 index 7994dfe..ec31fa2 100644 --- a/tnet/templates/bird-tnet-pre.conf.j2 +++ b/tnet/templates/bird-tnet-pre.conf.j2 @@ -5,3 +5,17 @@ function is_tnet() # -> bool { return net ~ tnet && ! (net ~ tnet_router); } + +roa6 table dn42_roa; + +protocol static { + roa6 { table dn42_roa; }; + include "/etc/bird/dn42_roa_bird2_6.conf"; +}; + +function dn42_is_valid_network() # -> bool +{ + return net ~ [ + fd00::/8{44,64} # ULA address space as per RFC 4193 + ]; +} diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2 index b11bf0c..9797241 100644 --- a/tnet/templates/bird-tnet.conf.j2 +++ b/tnet/templates/bird-tnet.conf.j2 @@ -42,7 +42,7 @@ protocol bgp tnet_{{ p }} from tnet_tpl { {% elif policy == "dn42" %} protocol bgp {{ p }} { local as 4242423538; - neighbor {{ peer.address }} + neighbor {{ peer.address }}; neighbor as {{ peer.as }}; {% if peer.interface is defined %} interface "{{ peer.interface }}"; @@ -52,7 +52,7 @@ protocol bgp {{ p }} { import filter { if dn42_is_valid_network() && !is_tnet() then { # Check when unknown or invalid according to ROA - if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then { + if (roa_check(dn42_roa, net, bgp_path.last) = ROA_VALID) then { accept; } else { print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; @@ -61,15 +61,15 @@ protocol bgp {{ p }} { } else { reject; } - } + }; export filter { if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { accept; } else { reject; } - } - } + }; + }; } {% endif %} {% endfor %} |
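Review bot: Two commented-out `address:` variants are left next to the new value in the rtdbts_l1 entry of tnet/host_vars/knot/wg.yml, and one of them carries a `/64` suffix the live key does not, so a reader cannot tell which form the template expects. The replaced `fe80:fc91:da95:dc6b:…` form is not a well-formed link-local address (RFC 4291 keeps the 54 bits after the fe80 prefix zero), which is presumably why it was changed; record that in one line, `# link-local must be within fe80::/64 (RFC 4291); previous fe80:fc91:... form was invalid`, and drop the two commented alternatives.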