bird: cleanup + bogons filtering

jeltz 2022-12-22 12:02:56 +01:00
parent cc82841560
commit 6773c5e90d
Signed by: jeltz
GPG key ID: 800882B66C0C3326
2 changed files with 115 additions and 126 deletions


@ -71,6 +71,31 @@
- 138.195.144.0/20 - 138.195.144.0/20
- 192.159.121.0/24 - 192.159.121.0/24
- 2a0c:b641:2f0::/44 - 2a0c:b641:2f0::/44
martians:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
- 127.0.0.0/8
- 169.254.0.0/16
- 192.0.0.0/24
- 192.0.2.0/24
- 198.18.0.0/15
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- 240.0.0.0/4
- ::/128
- ::1/128
- ::ffff:0:0/96
- ::/96
- 100::/64
- 2001:10::/28
- 2001:db8::/32
- fc00::/7
- fe80::/10
- fec0::/10
- ff00::/8
bird__router_id: "{{ bird__router_ids[inventory_hostname] }}" bird__router_id: "{{ bird__router_ids[inventory_hostname] }}"
bird__bgp_sessions: bird__bgp_sessions:
- name: zayo - name: zayo
@ -85,13 +110,14 @@
- 2001:1b48:2:103::d7:1 - 2001:1b48:2:103::d7:1
as: "{{ bird__asn.zayo }}" as: "{{ bird__asn.zayo }}"
import: import:
accept: all - accept: true
export: export:
accept: - prefix: "{{ ['aurore', 'crans', 'viarezo']
- prefix: "{{ ['aurore', 'crans', 'viarezo'] | map('extract', bird__orig_prefixes)
| map('extract', bird__orig_prefixes) | flatten }}"
| flatten }}" sub: true
sub: true accept: true
- accept: false
- name: crans - name: crans
local: local:
address: address:
@ -104,11 +130,12 @@
- 2a0c:700:28::1 - 2a0c:700:28::1
as: "{{ bird__asn.crans }}" as: "{{ bird__asn.crans }}"
import: import:
accept: - prefix: "{{ bird__orig_prefixes.crans }}"
- prefix: "{{ bird__orig_prefixes.crans }}" sub: true
sub: true accept: true
- accept: false
export: export:
accept: all - accept: true
- name: viarezo - name: viarezo
local: local:
address: address:
@ -121,17 +148,19 @@
- 2a0c:b641:2ff::5 - 2a0c:b641:2ff::5
as: "{{ bird__asn.viarezo }}" as: "{{ bird__asn.viarezo }}"
import: import:
local_pref: - prefix: "{{ bird__orig_prefixes.martians }}"
- prefix: "{{ bird__orig_prefixes.viarezo }}" accept: false
sub: true - prefix: "{{ bird__orig_prefixes.viarezo }}"
negate: true sub: true
pref: 50 negate: true
accept: all local_pref: 50
- accept: true
export: export:
as_prepend: - prefix: "{{ bird__orig_prefixes.aurore }}"
- prefix: "{{ bird__orig_prefixes.aurore }}" as_prepend:
asn: "{{ bird__asn.aurore }}"
size: 3 size: 3
accept: all - accept: true
bird__static_unreachable: bird__static_unreachable:
- 45.66.108.0/22 - 45.66.108.0/22
- 2a09:6840::/29 - 2a09:6840::/29
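Review bot: The martians rule added at the top of the viarezo import filter (`- prefix: "{{ bird__orig_prefixes.martians }}"` followed by `accept: false`) carries no `sub: true`, unlike every other prefix entry in this file. The template in the other changed file renders `sub` as a `+` suffix on each network, so without it this becomes a plain `net ~ [ 10.0.0.0/8, ... ]`, which in BIRD matches only those exact prefixes; a more-specific announcement out of a bogon range would fall through to the following `local_pref`/`accept: true` rules and be accepted. Inserting `sub: true` between the prefix and `accept: false` lines makes the match cover all subnets, which is what a bogon filter needs. The zayo import in the earlier hunk is reduced to `- accept: true` with no martians rule, so if the intent is to filter bogons on every session the same entry should be prepended there as well. The list also omits 0.0.0.0/8, which is usually kept alongside the other IPv4 reserved ranges.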


@ -59,10 +59,10 @@ protocol ospf v2 ospf4 {
}; };
area 0 { area 0 {
{% for network in bird__ospf_stub_networks | ansible.utils.ipv4 %} {% for network in bird__ospf_stub_networks | ansible.utils.ipv4 %}
stubnet {{ network }}; stubnet {{ network }};
{% endfor %} {% endfor %}
{% for name, iface in bird__ospf_broadcast_interfaces.items() %} {% for name, iface in bird__ospf_broadcast_interfaces.items() %}
interface {{ name | enquote }} { interface {{ name | enquote }} {
type broadcast; type broadcast;
hello {{ iface.hello | default(bird__ospf_hello) | int }}; hello {{ iface.hello | default(bird__ospf_hello) | int }};
@ -72,12 +72,12 @@ protocol ospf v2 ospf4 {
wait {{ iface.wait | default(bird__ospf_wait) | int }}; wait {{ iface.wait | default(bird__ospf_wait) | int }};
dead {{ iface.dead | default(bird__ospf_dead) | int }}; dead {{ iface.dead | default(bird__ospf_dead) | int }};
}; };
{% endfor %} {% endfor %}
{% for name in bird__ospf_stub_interfaces %} {% for name in bird__ospf_stub_interfaces %}
interface {{ name | enquote }} { interface {{ name | enquote }} {
stub; stub;
}; };
{% endfor %} {% endfor %}
}; };
} }
@ -92,10 +92,10 @@ protocol ospf v3 ospf6 {
}; };
area 0 { area 0 {
{% for network in bird__ospf_stub_networks | ansible.utils.ipv6 %} {% for network in bird__ospf_stub_networks | ansible.utils.ipv6 %}
stubnet {{ network }}; stubnet {{ network }};
{% endfor %} {% endfor %}
{% for name, iface in bird__ospf_broadcast_interfaces.items() %} {% for name, iface in bird__ospf_broadcast_interfaces.items() %}
interface {{ name | enquote }} { interface {{ name | enquote }} {
type broadcast; type broadcast;
hello {{ iface.hello | default(bird__ospf_hello) | int }}; hello {{ iface.hello | default(bird__ospf_hello) | int }};
@ -105,8 +105,8 @@ protocol ospf v3 ospf6 {
wait {{ iface.wait | default(bird__ospf_wait) | int }}; wait {{ iface.wait | default(bird__ospf_wait) | int }};
dead {{ iface.dead | default(bird__ospf_dead) | int }}; dead {{ iface.dead | default(bird__ospf_dead) | int }};
}; };
{% endfor %} {% endfor %}
{% for name in bird__ospf_stub_interfaces %} {% for name in bird__ospf_stub_interfaces %}
interface {{ name | enquote }} { interface {{ name | enquote }} {
stub; stub;
}; };
@ -116,114 +116,74 @@ protocol ospf v3 ospf6 {
} }
{% endif %} {% endif %}
{% macro bird_filter_function(filter, last) %}
{% if filter.as_prepend is defined %}
{% for _ in range(filter.as_prepend.size) %}
bgp_path.prepend({{ filter.as_prepend.asn }});
{% endfor %}
{% endif %}
{% if filter.local_pref is defined %}
bgp_local_pref = {{ filter.local_pref }};
{% endif %}
{% if filter.accept is defined %}
return {{ filter.accept | ternary("true", "false") }};
{% endif %}
{% endmacro %}
{% for session in bird__bgp_sessions %} {% for session in bird__bgp_sessions %}
{% for local_address in session.local.address %} {% for version in [4, 6] %}
{% {% for direction in ["import", "export"] %}
set version = function bgp{{ version }}_{{ direction }}_{{ session.name }}() {
local_address {% for filter in session[direction] %}
| ansible.utils.ipaddr(query="version") {% if filter.prefix | default([]) %}
%} {% set op =
{% filter.negate
set remote_address = | default(False)
session.remote.address | ternary("!~", "~") %}
| ansible.utils.ipaddr(version=version) {% set networks =
| first filter.prefix
%} | default([])
| ansible.utils.ipaddr(version=version)
| map("suffix", filter.sub
| default(False)
| ternary("+", "")) %}
{% if networks %}
if net {{ op }} [ {{ networks | join(", ") }} ] then {
{{ bird_filter_function(filter) | indent(8) }}
}
{% endif %}
{% else %}
{{ bird_filter_function(filter) | indent(4) }}
{% endif %}
{% endfor %}
}
{% endfor %}
{% endfor %}
{% endfor %}
{% for session in bird__bgp_sessions %}
{% for local_address in session.local.address %}
{% set version =
local_address
| ansible.utils.ipaddr(query="version") %}
{% set remote_address =
session.remote.address
| ansible.utils.ipaddr(version=version)
| first %}
protocol bgp bgp{{ version }}_{{ session.name }} { protocol bgp bgp{{ version }}_{{ session.name }} {
local {{ local_address }} as {{ session.local.as }}; local {{ local_address }} as {{ session.local.as }};
neighbor {{ remote_address }} as {{ session.remote.as }}; neighbor {{ remote_address }} as {{ session.remote.as }};
{{ "ipv4" if version == 4 else "ipv6" }} { {{ "ipv4" if version == 4 else "ipv6" }} {
import where bgp{{ version }}_import_{{ session.name }}();
import filter { export where bgp{{ version }}_export_{{ session.name }}();
{% for pref in session.import.local_pref | default([]) %}
{%
set networks =
pref.prefix
| default([])
| ansible.utils.ipaddr(version=version)
| map("suffix", pref.sub
| default(False)
| ternary("+", ""))
%}
{% set operator = pref.negate | default(False) | ternary("!~", "~") %}
{% if networks %}
if net {{ operator }} [ {{ networks | join(", ") }} ] then {
bgp_local_pref = {{ pref.pref | int }};
}
{% endif %}
{% endfor %}
{% if session.import.accept == "all" %}
accept;
{% else %}
{% for accept in session.import.accept | default([]) %}
{%
set networks =
accept.prefix
| default([])
| ansible.utils.ipaddr(version=version)
| map("suffix", accept.sub
| default(False)
| ternary("+", ""))
%}
{% set operator = accept.negate | default(False) | ternary("!~", "~") %}
{% if networks %}
if net {{ operator }} [ {{ networks | join(",") }} ] then accept;
{% endif %}
{% endfor %}
reject;
{% endif %}
};
export filter {
{% for prepend in session.export.as_prepend | default([]) %}
{%
set networks =
prepend.prefix
| default([])
| ansible.utils.ipaddr(version=version)
| map("suffix", prepend.sub
| default(False)
| ternary("+", ""))
%}
{% set operator = prepend.negate | default(False) | ternary("!~", "~") %}
{% if networks %}
if net {{ operator }} [ {{ networks | join(", ") }} ] then {
{% for _ in range(prepend.size) %}
bgp_path.prepend({{ session.local.as }});
{% endfor %}
}
{% endif %}
{% endfor %}
{% if session.export.accept == "all" %}
accept;
{% else %}
{% for accept in session.export.accept | default([]) %}
{%
set networks =
accept.prefix
| default([])
| ansible.utils.ipaddr(version=version)
| map("suffix", accept.sub
| default(False)
| ternary("+", ""))
%}
{% set operator = accept.negate | default(False) | ternary("!~", "~") %}
{% if networks %}
if net {{ operator }} [ {{ networks | join(", ") }} ] then accept;
{% endif %}
{% endfor %}
reject;
{% endif %}
};
}; };
} }
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{% if bird__radv_interfaces %} {% if bird__radv_interfaces %}