refactor bird6.conf for policy routing

Berlin1 is allowed to send us default routes now
ohrensessel 2014-08-19 11:14:54 +02:00
parent ba5030ffce
commit 4291261c6b
2 changed files with 112 additions and 47 deletions


@ -251,7 +251,7 @@ ic_peerings_v6:
ip: fec0::a:cf:0:19 ip: fec0::a:cf:0:19
as: 65025 as: 65025
Berlin1: Berlin1:
template: peers template: upstream
ip: fec0::a:cf:0:5 ip: fec0::a:cf:0:5
as: 44194 as: 44194
Bielefeld1: Bielefeld1:
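Review bot: Switching Berlin1 to `template: upstream` is a trust decision that the data file itself does not record; a reader of this mapping cannot tell which peers are permitted to originate a default route toward us without opening the bird6 template. A one-line comment above the entry, `# upstream: this peer may announce ::/0 to us`, keeps that visible where the peering is defined. The enclosing `ic_peerings_v6` mapping begins and ends outside the hunk.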


@ -1,63 +1,119 @@
# managed by puppet table ibgp; # internal BGP peerings
# table ebgp; # external (icvpn) BGP peerings
# the ff ip of the gateway table freifunk; # kernel table 42 for routing from ff network
define ownas = <%= @ff_as %>;
router id <%= @own_ipv4 %>; router id <%= @own_ipv4 %>;
# routing tables ### functions ###
table ffhh;
# filter to check ulas # own networks
function is_ula() { function is_self_net() {
return (net ~ [ fc00::/7{48,64} ]); return net ~ [ fd51:2bb2:fd0d::/48+,
2001:bf7:180::/44+,
2001:bf7:190::/44+,
2001:bf7:200::/44+,
2001:bf7:210::/44+,
2001:bf7:220::/44+,
2001:bf7:230::/44+];
} }
function is_self() { # freifunk ip ranges in general
return (proto = "static_ffhh"); function is_freifunk() {
return net ~ [ fc00::/7{48,64},
2001:bf7::/32+];
} }
filter ffhh_internal_export { function is_default() {
if (proto = "local_ffhh") then accept; return net ~ [ ::0/0 ];
if (source != RTS_BGP) then reject;
if (is_ula() && proto != "static_ffhh") then accept;
else reject;
} }
# don't use kernel's routes for bird, but export bird's routes to kernel ### kernel ###
protocol kernel {
scan time 20; # Scan kernel routing table every 20 seconds # synchronize from bird to main kernel routing table
import none; # Default is import all # nothing in the other direction
# (do not sync a default route we received to the main routing table
# as this might collide with the normal default route of the host)
protocol kernel k_mast {
scan time 10;
import none;
export where !is_default();
};
# synchronize from birds freifunk table to kernel routing table 42
# nothing in the other direction
protocol kernel k_frei {
scan time 10;
table freifunk;
kernel table 42;
import none;
export all; export all;
} };
# This pseudo-protocol watches all interface up/down events. # this pseudo-protocol watches all interface up/down events
protocol device { protocol device {
scan time 10; # Scan interfaces every 10 seconds scan time 10;
}
# define our routes
protocol static static_ffhh {
table ffhh;
# reject route if announced from external
route fd51:2bb2:fd0d::/48 reject;
}; };
protocol static local_ffhh { ### pipes ###
table ffhh;
route fd51:2bb2:fd0d::/64 via "br-ffhh";
};
protocol pipe pipe_ffhh { # sync nothing from main routing table to ebgp
peer table ffhh; # sync routes (not own network) from ebgp to main routing table
import all; protocol pipe p_maintbl {
peer table ebgp;
import where !is_self_net();
export none; export none;
}; };
# template for internal routing # sync routes (not own network) from ebgp to ibgp
template bgp locals { # sync routes (all) from ibgp to ebgp
table ffhh; protocol pipe p_ibgptbl {
local as 65112; table ebgp;
source address <%= @own_ipv6 %>; peer table ibgp;
import all; import all;
export where !is_self_net();
};
# sync routes (freifunk and default routes we got) from ibgp to freifunk
# sync nothing from freifunk to ibgp
protocol pipe p_freitbl {
table ibgp;
peer table freifunk;
import none;
export where is_freifunk() || is_default();
};
### static routes ###
protocol static static_ffhh {
route fd51:2bb2:fd0d::/48 reject;
route 2001:bf7:180::/44 reject;
route 2001:bf7:190::/44 reject;
route 2001:bf7:200::/44 reject;
route 2001:bf7:210::/44 reject;
route 2001:bf7:220::/44 reject;
route 2001:bf7:230::/44 reject;
table ebgp;
};
protocol static local_ffhh {
route fd51:2bb2:fd0d::/64 via "br-ffhh";
route 2001:bf7:180::/64 via "br-ffhh";
table freifunk;
};
### templates ###
# template for same city freifunk gateways
template bgp locals {
table ibgp;
local as ownas;
source address <%= @own_ipv6 %>;
import filter {
preference = 99;
accept;
};
export where source = RTS_BGP; export where source = RTS_BGP;
direct; direct;
next hop self; next hop self;
@ -70,13 +126,21 @@ protocol bgp <%= key %> from <%= hash["template"] %> {
<% end -%><% end -%> <% end -%><% end -%>
<% if @gw_do_ic_peering -%> <% if @gw_do_ic_peering -%>
# icvpn template for hamburg03 # template for icvpn gateways of other cities
template bgp peers { template bgp peers {
local as 65112; table ebgp;
local as ownas;
source address <%= @ic_vpn_ip6 %>; source address <%= @ic_vpn_ip6 %>;
table ffhh; # ignore routes for our own network
import where is_ula(); import where is_freifunk() && !is_self_net();
export where is_self() || (source = RTS_BGP); export where is_freifunk() || (source = RTS_BGP);
route limit 10000;
};
# template for upstream gateways
template bgp upstream from peers {
# accept freifunk networks and default route
import where (is_freifunk() || is_default()) && !is_self_net();
}; };
<% @ic_peerings_v6.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv6 -%> <% @ic_peerings_v6.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv6 -%>
@ -85,3 +149,4 @@ protocol bgp <%= key %> from <%= hash["template"] %> {
}; };
<% end -%><% end -%> <% end -%><% end -%>
<% end -%> <% end -%>
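Review bot: In the second hunk, `template bgp upstream from peers` inherits the peers export filter `export where is_freifunk() || (source = RTS_BGP);`, so a default route accepted from Berlin1 lands in table ebgp as an RTS_BGP route and is then re-advertised to every other icvpn peer built from `peers`, making this gateway a transit for ::/0 unless the remote side filters it; the import side only guards what we accept, not what we pass on. If that is not intended, restrict the export in `template bgp peers` to `export where (is_freifunk() || (source = RTS_BGP)) && !is_default();` — propagation to same-city gateways through `locals` and to the freifunk table through `p_freitbl` is unaffected by that change. Separately, `preference = 99;` in the locals import filter in the first hunk is an undocumented magic value; a comment such as `# below BIRD's BGP default preference (100) so routes learned directly from icvpn peers win over iBGP copies` would make the intent checkable, assuming that is the reason. Both templates continue past the hunk boundaries.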