
Commit 4e7c758

Merge pull request #196 from ruby-no-kai/inside-outside2
plat: explicit static route filter using community
2 parents c20299f + c3d6694 commit 4e7c758


1 file changed

+34
-15
lines changed
  • itamae/roles/plat/templates/etc/bird/bird.conf.d


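--- a/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
+++ b/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
@@ -7,6 +7,15 @@ ipv6 table bgp6;
 ipv4 table kernel_tun_siit4;
 ipv6 table kernel_tun_siit6;
 
+define C_SELF = 65026;
+define C_CTL_PREVENT_KERNEL = 10006;
+define C_CTL_ALLOW_OUTSIDE = 10011;
+define C_CTL_ALLOW_INSIDE = 10012;
+
+function filter_bgp_community() {
+bgp_community.delete([(C_SELF, 10000..29999)]);
+}
+
 protocol direct {
 ipv4 {
 table bgp4;
@@ -57,8 +66,12 @@ protocol static {
 table static4;
 };
 
-route <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 via "tun-siit";
-route <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 via "tun-siit";
+route <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 via "tun-siit" {
+bgp_community.add((C_SELF,C_CTL_ALLOW_OUTSIDE));
+};
+route <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 via "tun-siit" {
+bgp_community.add((C_SELF,C_CTL_ALLOW_OUTSIDE));
+};
 }
 # protocol static static_bgp4 {
 # ipv4 {
@@ -91,10 +104,12 @@ protocol static static_bgp6 {
 igp table bgp6;
 # Prevent propagation to always have blackhole route for pref64n and related prefixes in kernel tun-siit table
 route 2001:df0:8500:ca6d::/64 recursive 192.0.0.0 {
-bgp_community.add((65026,6));
+bgp_community.add((C_SELF,C_CTL_ALLOW_INSIDE));
+bgp_community.add((C_SELF,C_CTL_PREVENT_KERNEL));
 };
 route 2001:df0:8500:ca64::/64 recursive 192.0.0.0 {
-bgp_community.add((65026,6));
+bgp_community.add((C_SELF,C_CTL_ALLOW_INSIDE));
+bgp_community.add((C_SELF,C_CTL_PREVENT_KERNEL));
 };
 }
 # protocol pipe static2bgp6 {
@@ -106,7 +121,7 @@ protocol static static_bgp6 {
 
 
 filter prevent_kernel_installation {
-if (defined(bgp_community)) then if ((65026,6) ~ bgp_community) then reject;
+if (defined(bgp_community)) then if ((C_SELF,C_CTL_PREVENT_KERNEL) ~ bgp_community) then reject;
 accept;
 }
 
@@ -143,20 +158,26 @@ protocol bgp bgp_outside {
 
 ipv4 {
 table bgp4;
-import all;
+import filter {
+filter_bgp_community();
+accept;
+};
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if (defined(bgp_community)) then if ((C_SELF,C_CTL_ALLOW_OUTSIDE) ~ bgp_community) then accept;
 if proto = "direct1" then accept;
-if net = <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 then accept;
-if net = <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 then accept;
 reject;
 };
 };
 ipv6 {
 table bgp6;
-import all;
+import filter {
+filter_bgp_community();
+accept;
+};
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if (defined(bgp_community)) then if ((C_SELF,C_CTL_ALLOW_OUTSIDE) ~ bgp_community) then accept;
 if proto = "direct1" then accept;
 reject;
 };
@@ -172,30 +193,28 @@ protocol bgp bgp_inside {
 ipv4 {
 table bgp4;
 import filter {
+filter_bgp_community();
 if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
 reject;
 };
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if (defined(bgp_community)) then if ((C_SELF,C_CTL_ALLOW_INSIDE) ~ bgp_community) then accept;
 if proto = "direct1" then accept;
-if net !~ [10.33.0.0/16+] then reject;
-if proto = "static1" then accept;
-if proto = "static_bgp4" then accept;
 reject;
 };
 };
 ipv6 {
 table bgp6;
 import filter {
+filter_bgp_community();
 if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
 reject;
 };
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if (defined(bgp_community)) then if ((C_SELF,C_CTL_ALLOW_INSIDE) ~ bgp_community) then accept;
 if proto = "direct1" then accept;
-if net !~ [2001:df0:8500:ca00::/56{56,64}] then reject;
-if proto = "static1" then accept;
-if proto = "static_bgp6" then accept;
 };
 };
 }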
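Review bot: The rewritten export filter of the bgp_inside ipv6 channel no longer ends with a verdict: after `if proto = "direct1" then accept;` the block closes with `};`, whereas the ipv4 export filter in the same hunk keeps its trailing `reject;`. As far as I recall, BIRD logs a runtime error when a filter finishes without accept or reject and treats the route as rejected, so this is probably harmless in effect but noisy and inconsistent; add `reject;` after the direct1 line to match the ipv4 channel. With the old per-prefix gates (`net !~ [10.33.0.0/16+]` and the ca00::/56 one) gone, export to the inside peer is now decided solely by the ALLOW_INSIDE community, which is only trustworthy because every BGP import channel runs `filter_bgp_community()` before anything else — worth stating above that function, e.g. `# Strip our own control communities (C_SELF, 10000..29999) on every BGP import so a peer cannot tag routes as ALLOW_*/PREVENT_KERNEL; any new BGP channel must call this too.` The enclosing `protocol bgp bgp_inside {` begins before the hunk.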
