
Commit c20299f

authored
Merge pull request #195 from ruby-no-kai/inside-outside
plat: respect routes from outside interface
2 parents 72627ea + 7e6870f commit c20299f


1 file changed

+20
-10
lines changed

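--- a/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
+++ b/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
@@ -14,6 +14,7 @@ protocol direct {
 ipv6 {
 table bgp6;
 };
+interface "-me0", "<%= node.dig(:plat, :interfaces).fetch(:outside).fetch(:name) %>", "<%= node.dig(:plat, :interfaces).fetch(:inside).fetch(:name) %>", "lo";
 }
 
 protocol kernel kernel_bgp4 {
@@ -142,21 +143,23 @@ protocol bgp bgp_outside {
 
 ipv4 {
 table bgp4;
-import filter {
-if net = 0.0.0.0/0 then accept;
-reject;
-};
+import all;
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if proto = "direct1" then accept;
 if net = <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 then accept;
 if net = <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 then accept;
 reject;
 };
 };
 ipv6 {
 table bgp6;
-import none;
-export none;
+import all;
+export filter {
+if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
+if proto = "direct1" then accept;
+reject;
+};
 };
 }
 
@@ -169,23 +172,30 @@ protocol bgp bgp_inside {
 ipv4 {
 table bgp4;
 import filter {
-if net ~ [10.33.0.0/16+] then accept;
+if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
 reject;
 };
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
-if net ~ [10.33.0.0/16+] then accept;
+if proto = "direct1" then accept;
+if net !~ [10.33.0.0/16+] then reject;
+if proto = "static1" then accept;
+if proto = "static_bgp4" then accept;
 reject;
 };
 };
 ipv6 {
 table bgp6;
 import filter {
-if net ~ [2001:df0:8500:ca00::/56+] then accept;
+if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
+reject;
 };
 export filter {
 if dest = RTD_UNREACHABLE then reject; # static recursive route can be RTD_UNREACHABLE when unresolvable
-if net ~ [2001:df0:8500:ca00::/56{56,64}] then accept;
+if proto = "direct1" then accept;
+if net !~ [2001:df0:8500:ca00::/56{56,64}] then reject;
+if proto = "static1" then accept;
+if proto = "static_bgp6" then accept;
 };
 };
 }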
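Review bot: The new bgp_inside import filters (third hunk, both address families) drop the prefix guard that previously limited accepted routes to 10.33.0.0/16+ and 2001:df0:8500:ca00::/56+ and rely on an AS-path match alone; the path attribute is set by the peer, so any prefix the inside peer originates now enters bgp4/bgp6, and the export-side `net !~` rejects only keep such routes from being re-exported, not from sitting in the routing tables. Keeping both conditions costs one line per family, e.g. `if net ~ [10.33.0.0/16+] && bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept;` (and the /56+ equivalent for IPv6); the `# accept only direct path` comment also reads as if only a one-hop path passes, whereas as I read the bgpmask `[= * X =]` admits any path ending in X, prepends included. The second hunk loosens things the same way: bgp_outside moves from a default-route-only filter and `import none` to `import all` in both families, so a misconfigured or hostile upstream can inject more-specifics of the inside ranges or of the NAT64 outer addresses; an import filter that rejects those and accepts everything else keeps the commit's intent while bounding what upstream can do, as sketched below. Whether injected routes would reach the FIB depends on the kernel protocol export filters, which lie outside these hunks. Note also that `proto = "direct1"` now covers the connected routes of all four interfaces listed in the first hunk, including the inside interface and lo, so the outside peer receives the inside subnet as well — confirm that is intended.
```erb
# bgp_outside, ipv4 — replaces the new "import all;"
import filter {
  if net ~ [10.33.0.0/16+] then reject; # never learn the inside range (or more-specifics) from upstream
  if net = <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 then reject;
  if net = <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 then reject;
  accept;
};
# … unchanged: ipv4 export filter …
# bgp_outside, ipv6 — replaces the new "import all;"
import filter {
  if net ~ [2001:df0:8500:ca00::/56+] then reject;
  accept;
};
```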
