
Install unreachable routes for bogon networks on border routers only.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
parent
commit
564e41fe29
3 changed files with 38 additions and 27 deletions
  1. 0 18
      bird/bird.conf
  2. 0 9
      bird/bird6.conf
  3. 38 0
      bird/init.sls

+ 0 - 18
bird/bird.conf

@@ -51,24 +51,6 @@ protocol kernel {
 }
 
 
-# Add unreachable routes for RFC1918, RFC 6598, APIPA so we don't route
-# anything private into the internet + null route some bogons.
-protocol static bogon_unreach {
-	route 0.0.0.0/8		unreachable;	# Host-Subnet
-	route 10.0.0.0/8	unreachable;	# RFC 1918
-	route 100.64.0.0/10 	unreachable;	# RFC 6598
-	route 169.254.0.0/16	unreachable;	# APIPA
-	route 172.16.0.0/12 	unreachable;	# RFC 1918
-	route 192.0.0.0/24	unreachable;	# IANA RESERVED
-	route 192.0.2.0/24	unreachable;	# TEST-NET-1
-	route 192.168.0.0/16	unreachable;	# RFC 1918
-	route 198.18.0.0/15	unreachable;	# BENCHMARK
-	route 198.51.100.0/24	unreachable;	# TEST-NET-2
-	route 203.0.113.0/24	unreachable;	# TEST-NET-3
-	route 224.0.0.0/3	unreachable;	# MCast + Class E
-}
-
-
 #
 # Load additiional configuration (IGP, FFRL, ICVPN, 'n stuff)
 include "/etc/bird/ff-policy.conf";

+ 0 - 9
bird/bird6.conf

@@ -58,15 +58,6 @@ protocol kernel {
 	device routes yes;
 }
 
-# Add unreachable routes for any prefix we don't want to route to
-# the internet.
-protocol static bogon_unreach {
-	route ::/96         unreachable; # RFC 4291
-	route 2001:db8::/32 unreachable; # Documentation
-	route fec0::/10     unreachable; # Site Local
-	route fc00::/7      unreachable; # ULA
-}
-
 
 #
 # Load additiional configuration (IGP, FFRL, ICVPN, 'n stuff)

+ 38 - 0
bird/init.sls

@@ -256,4 +256,42 @@ python-ipcalc:
       - pkg: python-ipcalc
     - require_in:
       - service: bird6
+
+
+/etc/bird/bird.d/bogon_unreach.conf:
+  file.managed:
+    - source: salt://bird/bogon_unreach.conf
+    - template: jinja
+      proto: v4
+    - watch_in:
+      - cmd: bird-configure
+    - require:
+      - file: /etc/bird/bird.d
+    - require_in:
+      - service: bird
+
+/etc/bird/bird6.d/bogon_unreach.conf:
+  file.managed:
+    - source: salt://bird/bogon_unreach.conf
+    - template: jinja
+      proto: v6
+    - watch_in:
+      - cmd: bird6-configure
+    - require:
+      - file: /etc/bird/bird6.d
+    - require_in:
+      - service: bird6
+
+{% else %}
+/etc/bird/bird.d/ffrl.conf:
+  file.absent
+
+/etc/bird/bird6.d/ffrl.conf:
+  file.absent
+
+/etc/bird/bird.d/bogon_unreach.conf:
+  file.absent
+
+/etc/bird/bird6.d/bogon_unreach.conf:
+  file.absent
 {% endif %}
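Review bot: The `proto: v4` line nested under `- template: jinja` in the first new `file.managed` state (and `proto: v6` in the second) does not reach the template as a Jinja variable; Salt passes template variables via `context`, so this is either rejected as a multi-key argument or quietly ignored and `proto` renders undefined in `bogon_unreach.conf`. Replace the two lines with `- template: jinja` followed by `- context:` and, indented one level further, `proto: v4` (respectively `proto: v6`). Separately, both states pull `salt://bird/bogon_unreach.conf`, but the diffstat lists only bird.conf, bird6.conf and init.sls, so unless that template already exists in the repo the state fails at highstate time with a missing source after the static `bogon_unreach` protocol blocks have been removed from bird.conf and bird6.conf. The `{% if %}` that the new `{% else %}` belongs to starts outside the hunk, so the condition that selects border routers cannot be checked here.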