table ibgp; # internal BGP peerings table ebgp; # external (icvpn) BGP peerings table freifunk; # kernel table 42 for routing from ff network define ownas = <%= @ff_as %>; router id <%= @own_ipv4 %>; ### functions ### # own network function is_self_net() { return (net ~ [<%= @ff_net %>+]); } # freifunk ip ranges in general function is_freifunk() { return net ~ [ 10.0.0.0/8+, 104.0.0.0/8+ ]; } # dn42 ip ranges function is_dn42() { return net ~ [ 172.22.0.0/15+, 195.160.168.0/23+, 91.204.4.0/22+, 193.43.220.0/23+, 87.106.29.254/32, 85.25.246.16/28+, 46.4.248.192/27+, 94.45.224.0/19+, 195.191.196.0/23+, 80.244.241.224/27+, 46.19.90.48/28+, 46.19.90.96/28+, 178.63.170.40/32, 188.40.34.241/32, 195.16.84.40/29+, 37.1.89.160/29+, 178.33.32.123/32+, 37.1.89.160/29+, 185.28.77.16/29+, 185.28.77.192/27+, 192.175.48.0/24+ ]; } # chaosvpn ranges function is_chaos() { return net ~ [ 10.4.0.0/16+, 10.32.0.0/16+, 10.42.16.0/20+, # legacy 10.100.0.0/14+, 10.104.0.0/14+, 172.31.0.0/16+, 83.133.178.0/23+, 172.26.0.0/15+, 176.9.52.58/32+, 193.103.159.0/24+, 193.103.160.0/23+, 212.12.50.208/29+, 213.238.61.128/26+ ]; } ### kernel ### # synchronize from bird to main kernel routing table # nothing in the other direction protocol kernel k_mast { scan time 10; import none; export filter { krt_prefsrc = <%= @own_ipv4 %>; accept; }; }; # synchronize from birds freifunk table to kernel routing table 42 # nothing in the other direction protocol kernel k_frei { scan time 10; table freifunk; kernel table 42; import none; export filter { krt_prefsrc = <%= @own_ipv4 %>; accept; }; }; # this pseudo-protocol watches all interface up/down events protocol device { scan time 10; }; ### pipes ### # sync nothing from main routing table to ebgp # sync routes (not own network) from ebgp to main routing table protocol pipe p_maintbl { peer table ebgp; import where !is_self_net(); export none; }; # sync routes (not own network) from ebgp to ibgp # sync routes (all) from ibgp to ebgp protocol pipe p_ibgptbl { table ebgp; peer table ibgp; import all; export where !is_self_net(); }; # sync routes (freifunk, dn42 and chaosvpn) from ibgp to freifunk # sync nothing from freifunk to ibgp protocol pipe p_freitbl { table ibgp; peer table freifunk; import none; export where (is_freifunk() || is_dn42() || is_chaos()); }; ### static routes ### # if no openvpn is running, reject everything we do not have a route for protocol static unreachable_default { route 0.0.0.0/0 reject; table freifunk; }; protocol static static_ffhh { route <%= @ff_net %> reject; table ebgp; }; # in hamburg we use a /18 from our /16 in the mesh # create a route for that in freifunk table protocol static local_ffhh { route <%= @ff_mesh_net %> via "br-ffhh"; table freifunk; }; ### templates ### # template for same city freifunk gateways template bgp locals { table ibgp; local as ownas; import filter { preference = 99; accept; }; export where source = RTS_BGP; direct; next hop self; }; ### local gateways ### <% @peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%> protocol bgp <%= key %> from <%= hash["template"] %> { neighbor <%= hash["ip"] %> as ownas; }; <% end -%><% end -%> <% if @gw_do_ic_peering -%> ### icvpn peerings ### # template for icvpn gateways of other cities template bgp peers { table ebgp; local as ownas; # ignore routes for our own network import where ((is_freifunk() || is_dn42()) && !is_chaos() && !is_self_net()); export where ((is_freifunk() || is_dn42()) && !is_chaos()); route limit 10000; }; <% @ic_peerings_v4.each_pair do |key, hash| -%><% if hash["ip"] != @own_ipv4 -%> protocol bgp <%= key %> from <%= hash["template"] %> { neighbor <%= hash["ip"] %> as <%= hash["as"] %>; }; <% end -%><% end -%> <% end -%> # this is for local peerings not managed by puppet include "*.peering"