From 99dddff8625388641b9dd84b0e87a55f5c13bc82 Mon Sep 17 00:00:00 2001
From: Niklas Yann Wettengel
Date: Wed, 24 Jan 2018 03:27:03 +0100
Subject: ffrl uplink and fastd split

---
 roles/setup_ffrl_tunnel/handlers/main.yml | 9 ++
 roles/setup_ffrl_tunnel/tasks/main.yml | 36 +++++++
 roles/setup_ffrl_tunnel/templates/bird.conf | 160 ++++++++++++++++++++++++++++
 roles/setup_ffrl_tunnel/templates/netctl | 14 +++
 4 files changed, 219 insertions(+)
 create mode 100644 roles/setup_ffrl_tunnel/handlers/main.yml
 create mode 100644 roles/setup_ffrl_tunnel/tasks/main.yml
 create mode 100644 roles/setup_ffrl_tunnel/templates/bird.conf
 create mode 100644 roles/setup_ffrl_tunnel/templates/netctl
(limited to 'roles/setup_ffrl_tunnel')

diff --git a/roles/setup_ffrl_tunnel/handlers/main.yml b/roles/setup_ffrl_tunnel/handlers/main.yml
new file mode 100644
index 0000000..df37d30
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reenable netctl
+ command: netctl reenable {{ item.name }}
+ with_items: "{{ ffrl_peers }}"
+
+- name: reload bird
+ systemd:
+ name: bird.service
+ state: reloaded
diff --git a/roles/setup_ffrl_tunnel/tasks/main.yml b/roles/setup_ffrl_tunnel/tasks/main.yml
new file mode 100644
index 0000000..e22787f
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/tasks/main.yml
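Review bot: The `reenable netctl` handler only regenerates the netctl@ unit (`netctl reenable` is a disable followed by an enable); it does not restart a profile that is already up, so a changed `Remote`, `Local` or `Address` in the netctl template is not applied to a running tunnel until the unit is restarted. The `start netctl config` task in tasks/main.yml uses `state: started` and therefore does not restart it either. A second handler, `- name: restart netctl` with `systemd: name: netctl@{{ item.name }}.service, state: restarted` and the same `with_items`, notified from the template task next to the reenable, would close that gap. This is inferred from netctl's documented behaviour; confirm against the installed version.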
@@ -0,0 +1,36 @@
+---
+- name: create netctl config
+ template:
+ src: netctl
+ dest: /etc/netctl/{{ item.name }}
+ with_items: "{{ ffrl_peers }}"
+ notify: reenable netctl
+
+- name: enable netctl config
+ command: netctl enable {{ item.name }}
+ args:
+ creates: /etc/systemd/system/netctl@{{ item.name }}.service
+ with_items: "{{ ffrl_peers }}"
+
+- name: start netctl config
+ systemd:
+ name: netctl@{{ item.name }}.service
+ state: started
+ with_items: "{{ ffrl_peers }}"
+
+- name: install bird
+ pacman:
+ name: bird
+ state: present
+
+- name: create bird config
+ template:
+ src: bird.conf
+ dest: /etc/bird.conf
+ notify: reload bird
+
+- name: start and enable bird
+ systemd:
+ name: bird.service
+ state: started
+ enabled: yes
diff --git a/roles/setup_ffrl_tunnel/templates/bird.conf b/roles/setup_ffrl_tunnel/templates/bird.conf
new file mode 100644
index 0000000..df242a6
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/templates/bird.conf
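Review bot: The `create bird config` task installs /etc/bird.conf and notifies `reload bird` without checking the rendered template first, so a templating mistake (an unset `peer.peer_ip4`, a typo in a filter) is written to disk and only surfaces when the reload handler fails, leaving a broken config in place for the next restart. Adding `validate: bird -p -c %s` to that template task parses the rendered file before it replaces the live one. Separately, `/etc/netctl/{{ item.name }}`, the `netctl enable {{ item.name }}` command line and the unit name are all built from the unquoted `item.name`; a peer name containing whitespace or path separators would split the command or land outside /etc/netctl, so a comment stating that `ffrl_peers[].name` must be a plain identifier (and ideally an `assert` task enforcing it) would make that contract explicit.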
@@ -0,0 +1,160 @@
+timeformat protocol iso long;
+
+log "bird.log" all;
+# debug protocols all;
+
+define ffrl_nat_address = {{ ffrl_ip4 }};
+
+define ffmyk_as = 65032; # private AS of ffmyk
+define ffrl_as = 201701; # public AS of rheinland
+
+router id ffrl_nat_address;
+
+ipv4 table ffrl4;
+ipv6 table ffrl6;
+
+function is_default4() {
+ return net ~ [
+ 0.0.0.0/0
+ ];
+}
+
+function is_default6() {
+ return net ~ [
+ ::/0
+ ];
+}
+
+function is_ffrl_nat4() {
+ return net ~ [
+ {{ ffrl_ip4 }}/32
+ ];
+}
+
+function is_ffrl_public_nets6() {
+ return net ~ [
+ 2a03:2260:1016::/48{48,56}
+ ];
+}
+
+function is_ffrl_tunnel_nets4() {
+ return net ~ [
+ 100.64.0.0/10
+ ];
+}
+
+function is_ffrl_tunnel_nets6() {
+ return net ~ [
+ 2a03:2260:0::/48
+ ];
+}
+
+# BGP Import Filter für Rheinland
+filter ebgp_ffrl_import_filter4 {
+ if is_default4() then accept;
+ reject;
+}
+
+# BGP Export Filter für Rheinland
+filter ebgp_ffrl_export_filter4 {
+ if is_ffrl_nat4() then accept;
+ reject;
+}
+
+filter ebgp_ffrl_import_filter6 {
+ if is_default6() then accept;
+ reject;
+}
+
+filter ebgp_ffrl_export_filter6 {
+ if is_ffrl_public_nets6() then accept;
+ reject;
+}
+
+protocol device {
+ scan time 10;
+}
+
+# IP-NAT-Adresse legen wir in die interne BIRD Routing Table
+protocol static ffrl_uplink_hostroute4 {
+ ipv4 { table ffrl4; };
+ route {{ ffrl_ip4 }}/32 reject;
+}
+
+protocol static ffrl_public_routes6 {
+ ipv6 { table ffrl6; };
+ route 2a03:2260:1016::/48 reject;
+}
+
+# Wir legen die Transfernetze in die interne BIRD Routing Table
+#protocol direct {
+# ipv4;
+# table ffrl4;
+# interface {% for peer in ffrl_peers %}"{{ peer.name }}", {% endfor %};
+# import where is_ffrl_tunnel_nets4();
+#}
+
+# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 47 (ffrl)
+protocol kernel kernel_ffrl4 {
+ scan time 30;
+ ipv4 {
+ import none;
+ export filter {
+ krt_prefsrc = ffrl_nat_address;
+ accept;
+ };
+ table ffrl4;
+ };
+ kernel table 42;
+};
+
+protocol kernel kernel_ffrl6 {
+ scan time 30;
+ ipv6 {
+ import none;
+ export filter {
+ if is_default6() then accept;
+ reject;
+ };
+ table ffrl6;
+ };
+ kernel table 42;
+};
+
+# BGP Template für Rheinland Peerings
+template bgp ffrl_uplink4 {
+ local as ffmyk_as;
+ ipv4 {
+ table ffrl4;
+ import keep filtered;
+ import filter ebgp_ffrl_import_filter4;
+ export filter ebgp_ffrl_export_filter4;
+ next hop self;
+ };
+ direct;
+};
+
+template bgp ffrl_uplink6 {
+ local as ffmyk_as;
+ ipv6 {
+ table ffrl6;
+ import keep filtered;
+ import filter ebgp_ffrl_import_filter6;
+ export filter ebgp_ffrl_export_filter6;
+ next hop self;
+ };
+ direct;
+};
+
+{% for peer in ffrl_peers %}
+protocol bgp ffrl_{{ peer.name }}4 from ffrl_uplink4 {
+ source address {{ peer.ip4 }};
+ neighbor {{ peer.peer_ip4 }} as 201701;
+};
+
+protocol bgp ffrl_{{ peer.name }}6 from ffrl_uplink6 {
+ source address {{ peer.ip6 }};
+ neighbor {{ peer.peer_ip6 }} as 201701;
+}
+
+{% endfor %}
diff --git a/roles/setup_ffrl_tunnel/templates/netctl b/roles/setup_ffrl_tunnel/templates/netctl
new file mode 100644
index 0000000..98e8af4
--- /dev/null
+++ b/roles/setup_ffrl_tunnel/templates/netctl
@@ -0,0 +1,14 @@
+Connection=tunnel
+Interface={{ item.name }}
+
+Mode=gre
+Local={{ ansible_default_ipv4.address }}
+Remote={{ item.remote }}
+
+ExecUpPost="/usr/bin/ip link set dev {{ item.name }} mtu 1400; /usr/bin/ip tunnel change {{ item.name }} ttl 64"
+
+IP=static
+Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')
+
+IP6=static
+Address6=('{{ item.ip6 }}/64')
-- 
cgit v1.2.3-54-g00ecf
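Review bot: The comment above `protocol kernel kernel_ffrl4` says the learned routes go to kernel table 47, but both kernel protocols use `kernel table 42`; assuming 42 is the intended table, the comment should read `# Wir exportieren über Rheinland gelernte Routen in die Kernel Table 42 (ffrl)`. `ffrl_as` is defined at the top but never used: the generated `protocol bgp` blocks hard-code `neighbor {{ peer.peer_ip4 }} as 201701;` (and the v6 twin), where `as ffrl_as;` would keep the upstream AS in one place. The eBGP sessions set no `password` (TCP MD5), and the import filters accept a default route from whatever answers on `peer.peer_ip4`/`peer.peer_ip6`, so session integrity rests entirely on the unauthenticated GRE endpoints from the netctl template; if the upstream offers a session password, `password "{{ peer.bgp_password }}";` (a constructed variable name) in both template blocks is the cheap mitigation, and if it does not, a comment saying so would tell the next reader the omission is deliberate. `is_ffrl_tunnel_nets4`/`is_ffrl_tunnel_nets6` are referenced only from the commented-out `protocol direct`; either drop them with it or leave a comment on why the block is kept.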
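Review bot: `Local={{ ansible_default_ipv4.address }}` pins the GRE endpoint to whichever address Ansible finds on the default-route interface, which is the wrong source on a host with several public addresses or behind NAT, and the file gives no hint that this was considered; an explicit per-host variable with the fact as fallback, e.g. `Local={{ ffrl_local_ip4 | default(ansible_default_ipv4.address) }}` (constructed variable name), would make the choice visible. The tunnel has no GRE key and no encryption, so an off-path sender that can spoof `{{ item.remote }}` is indistinguishable from the real peer on `{{ item.name }}`, and that interface carries the BGP sessions bird binds to `{{ item.ip4 }}`; a comment stating that the tunnel is unauthenticated by design and that input filtering on the tunnel interface (rp_filter, rules limited to the /31 peer) is expected elsewhere would document the assumption. `Address=('{{ item.ip4 }}/31' '{{ ffrl_ip4 }}/32')` adds the same NAT /32 to every tunnel profile, so the address stays configured while any one tunnel is up; if that is intended, say so in a comment, since it is easy to read as a copy-paste mistake.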