From 6773c5e90dbb9a420366d759648b5898ad551838 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 22 Dec 2022 12:02:56 +0100 Subject: [PATCH] bird: cleanup + bogons filtering --- playbooks/bird.yml | 67 ++++++++---- roles/bird/templates/bird.conf.j2 | 174 ++++++++++++------------------ 2 files changed, 115 insertions(+), 126 deletions(-) diff --git a/playbooks/bird.yml b/playbooks/bird.yml index 6c3d300..09c10e6 100755 --- a/playbooks/bird.yml +++ b/playbooks/bird.yml @@ -71,6 +71,31 @@ - 138.195.144.0/20 - 192.159.121.0/24 - 2a0c:b641:2f0::/44 + martians: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 100.64.0.0/10 + - 127.0.0.0/8 + - 169.254.0.0/16 + - 192.0.0.0/24 + - 192.0.2.0/24 + - 198.18.0.0/15 + - 198.51.100.0/24 + - 203.0.113.0/24 + - 224.0.0.0/4 + - 240.0.0.0/4 + - ::/128 + - ::1/128 + - ::ffff:0:0/96 + - ::/96 + - 100::/64 + - 2001:10::/28 + - 2001:db8::/32 + - fc00::/7 + - fe80::/10 + - fec0::/10 + - ff00::/8 bird__router_id: "{{ bird__router_ids[inventory_hostname] }}" bird__bgp_sessions: - name: zayo @@ -85,13 +110,14 @@ - 2001:1b48:2:103::d7:1 as: "{{ bird__asn.zayo }}" import: - accept: all + - accept: true export: - accept: - - prefix: "{{ ['aurore', 'crans', 'viarezo'] - | map('extract', bird__orig_prefixes) - | flatten }}" - sub: true + - prefix: "{{ ['aurore', 'crans', 'viarezo'] + | map('extract', bird__orig_prefixes) + | flatten }}" + sub: true + accept: true + - accept: false - name: crans local: address: @@ -104,11 +130,12 @@ - 2a0c:700:28::1 as: "{{ bird__asn.crans }}" import: - accept: - - prefix: "{{ bird__orig_prefixes.crans }}" - sub: true + - prefix: "{{ bird__orig_prefixes.crans }}" + sub: true + accept: true + - accept: false export: - accept: all + - accept: true - name: viarezo local: address: 
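Review bot: The new martians list omits 0.0.0.0/8 on the IPv4 side and 2002::/16 (6to4) on the IPv6 side, both of which the usual bogon lists also reject; consider adding `- 0.0.0.0/8` and `- 2002::/16`. The list is also placed under the same variable as the peers' origin prefixes (inferred from the later `bird__orig_prefixes.martians` reference in the viarezo hunk), where a dedicated name such as `bird__martians` would make its role clearer and keep it from being iterated as a peer's prefix set. Whether the list is meant to be exhaustive or a starting point is not stated; a one-line comment above `martians:` saying which source it follows would help the next edit.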
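Review bot: The zayo import becomes a bare `- accept: true`, so the transit session, the one most likely to carry bogon announcements, is the only import in this commit where the new martians list is not applied (viarezo gets it in a later hunk, crans is already restricted to its own prefixes). Add an entry before `- accept: true`: `- prefix: "{{ bird__orig_prefixes.martians }}"` / `sub: true` / `accept: false`. `sub: true` matters because the template only appends `+` to a prefix when `sub` is set, so without it only the exact listed prefixes are rejected.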
@@ -121,17 +148,19 @@ - 2a0c:b641:2ff::5 as: "{{ bird__asn.viarezo }}" import: - local_pref: - - prefix: "{{ bird__orig_prefixes.viarezo }}" - sub: true - negate: true - pref: 50 - accept: all + - prefix: "{{ bird__orig_prefixes.martians }}" + accept: false + - prefix: "{{ bird__orig_prefixes.viarezo }}" + sub: true + negate: true + local_pref: 50 + - accept: true export: - as_prepend: - - prefix: "{{ bird__orig_prefixes.aurore }}" + - prefix: "{{ bird__orig_prefixes.aurore }}" + as_prepend: + asn: "{{ bird__asn.aurore }}" size: 3 - accept: all + - accept: true bird__static_unreachable: - 45.66.108.0/22 - 2a09:6840::/29 diff --git a/roles/bird/templates/bird.conf.j2 b/roles/bird/templates/bird.conf.j2 index da0c09c..a4ae065 100644 --- a/roles/bird/templates/bird.conf.j2 +++ b/roles/bird/templates/bird.conf.j2 @@ -59,10 +59,10 @@ protocol ospf v2 ospf4 { }; area 0 { -{% for network in bird__ospf_stub_networks | ansible.utils.ipv4 %} +{% for network in bird__ospf_stub_networks | ansible.utils.ipv4 %} stubnet {{ network }}; -{% endfor %} -{% for name, iface in bird__ospf_broadcast_interfaces.items() %} +{% endfor %} +{% for name, iface in bird__ospf_broadcast_interfaces.items() %} interface {{ name | enquote }} { type broadcast; hello {{ iface.hello | default(bird__ospf_hello) | int }}; @@ -72,12 +72,12 @@ protocol ospf v2 ospf4 { wait {{ iface.wait | default(bird__ospf_wait) | int }}; dead {{ iface.dead | default(bird__ospf_dead) | int }}; }; -{% endfor %} -{% for name in bird__ospf_stub_interfaces %} +{% endfor %} +{% for name in bird__ospf_stub_interfaces %} interface {{ name | enquote }} { stub; }; -{% endfor %} +{% endfor %} }; } 
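Review bot: The martians entry added to the viarezo import has no `sub: true`, so the rendered rule matches only the exact listed prefixes (the template appends `+` to a network only when `sub` is set) and a more-specific such as a /24 inside 10.0.0.0/8 still passes. Change the entry to `- prefix: "{{ bird__orig_prefixes.martians }}"` / `sub: true` / `accept: false`. The ordering is otherwise right: the reject entry precedes the local_pref and catch-all accept entries, and the filter chain is evaluated top to bottom by the generated function.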
@@ -92,10 +92,10 @@ protocol ospf v3 ospf6 { }; area 0 { -{% for network in bird__ospf_stub_networks | ansible.utils.ipv6 %} +{% for network in bird__ospf_stub_networks | ansible.utils.ipv6 %} stubnet {{ network }}; -{% endfor %} -{% for name, iface in bird__ospf_broadcast_interfaces.items() %} +{% endfor %} +{% for name, iface in bird__ospf_broadcast_interfaces.items() %} interface {{ name | enquote }} { type broadcast; hello {{ iface.hello | default(bird__ospf_hello) | int }}; @@ -105,8 +105,8 @@ protocol ospf v3 ospf6 { wait {{ iface.wait | default(bird__ospf_wait) | int }}; dead {{ iface.dead | default(bird__ospf_dead) | int }}; }; -{% endfor %} -{% for name in bird__ospf_stub_interfaces %} +{% endfor %} +{% for name in bird__ospf_stub_interfaces %} interface {{ name | enquote }} { stub; }; 
@@ -116,114 +116,74 @@ protocol ospf v3 ospf6 { } {% endif %} +{% macro bird_filter_function(filter, last) %} +{% if filter.as_prepend is defined %} +{% for _ in range(filter.as_prepend.size) %} +bgp_path.prepend({{ filter.as_prepend.asn }}); +{% endfor %} +{% endif %} +{% if filter.local_pref is defined %} +bgp_local_pref = {{ filter.local_pref }}; +{% endif %} +{% if filter.accept is defined %} +return {{ filter.accept | ternary("true", "false") }}; +{% endif %} +{% endmacro %} {% for session in bird__bgp_sessions %} -{% for local_address in session.local.address %} -{% - set version = - local_address - | ansible.utils.ipaddr(query="version") -%} -{% - set remote_address = - session.remote.address - | ansible.utils.ipaddr(version=version) - | first -%} +{% for version in [4, 6] %} +{% for direction in ["import", "export"] %} +function bgp{{ version }}_{{ direction }}_{{ session.name }}() { +{% for filter in session[direction] %} +{% if filter.prefix | default([]) %} +{% set op = + filter.negate + | default(False) + | ternary("!~", "~") %} +{% set networks = + filter.prefix + | default([]) + | ansible.utils.ipaddr(version=version) + | map("suffix", filter.sub + | default(False) + | ternary("+", "")) %} +{% if networks %} + if net {{ op }} [ {{ networks | join(", ") }} ] then { + {{ bird_filter_function(filter) | indent(8) }} + } +{% endif %} +{% else %} + {{ bird_filter_function(filter) | indent(4) }} +{% endif %} +{% endfor %} +} +{% endfor %} +{% endfor %} + +{% endfor %} + +{% for session in bird__bgp_sessions %} +{% for local_address in session.local.address %} +{% set version = + local_address + | ansible.utils.ipaddr(query="version") %} +{% set remote_address = + session.remote.address + | ansible.utils.ipaddr(version=version) + | first %} protocol bgp bgp{{ version }}_{{ session.name }} { local {{ local_address }} as {{ session.local.as }}; neighbor {{ remote_address }} as {{ session.remote.as }}; {{ "ipv4" if version == 4 else "ipv6" }} { - - import filter 
{ -{% for pref in session.import.local_pref | default([]) %} -{% - set networks = - pref.prefix - | default([]) - | ansible.utils.ipaddr(version=version) - | map("suffix", pref.sub - | default(False) - | ternary("+", "")) -%} -{% set operator = pref.negate | default(False) | ternary("!~", "~") %} -{% if networks %} - if net {{ operator }} [ {{ networks | join(", ") }} ] then { - bgp_local_pref = {{ pref.pref | int }}; - } -{% endif %} -{% endfor %} -{% if session.import.accept == "all" %} - accept; -{% else %} -{% for accept in session.import.accept | default([]) %} -{% - set networks = - accept.prefix - | default([]) - | ansible.utils.ipaddr(version=version) - | map("suffix", accept.sub - | default(False) - | ternary("+", "")) -%} -{% set operator = accept.negate | default(False) | ternary("!~", "~") %} -{% if networks %} - if net {{ operator }} [ {{ networks | join(",") }} ] then accept; -{% endif %} -{% endfor %} - reject; -{% endif %} - }; - - export filter { -{% for prepend in session.export.as_prepend | default([]) %} -{% - set networks = - prepend.prefix - | default([]) - | ansible.utils.ipaddr(version=version) - | map("suffix", prepend.sub - | default(False) - | ternary("+", "")) -%} -{% set operator = prepend.negate | default(False) | ternary("!~", "~") %} -{% if networks %} - if net {{ operator }} [ {{ networks | join(", ") }} ] then { -{% for _ in range(prepend.size) %} - bgp_path.prepend({{ session.local.as }}); -{% endfor %} - } -{% endif %} -{% endfor %} -{% if session.export.accept == "all" %} - accept; -{% else %} -{% for accept in session.export.accept | default([]) %} -{% - set networks = - accept.prefix - | default([]) - | ansible.utils.ipaddr(version=version) - | map("suffix", accept.sub - | default(False) - | ternary("+", "")) -%} -{% set operator = accept.negate | default(False) | ternary("!~", "~") %} -{% if networks %} - if net {{ operator }} [ {{ networks | join(", ") }} ] then accept; -{% endif %} -{% endfor %} - reject; -{% endif %} - }; 
- + import where bgp{{ version }}_import_{{ session.name }}(); + export where bgp{{ version }}_export_{{ session.name }}(); }; } -{% endfor %} +{% endfor %} {% endfor %} {% if bird__radv_interfaces %}
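Review bot: The generated `bgp{{ version }}_{{ direction }}_{{ session.name }}` function ends immediately after the filter loop with no terminal return, so a session whose filter list lacks an unconditional `accept` entry renders a function that can fall off the end, and the `import where` / `export where` expression then has no boolean to act on. Emit a default-deny after the `{% endfor %}` that closes the filter loop, `  return false;` before the closing `}`, so the fall-through case rejects instead of depending on every playbook entry to terminate the chain. The macro also declares a `last` parameter that is never used and is always called as `bird_filter_function(filter)` with one argument; drop it. A short comment above the macro stating that entries are evaluated in order and that the first one with `accept` set ends evaluation would document the contract the playbook now relies on.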