|
@@ -7,17 +7,19 @@
|
|
|
{%- set admin_access = salt['pillar.get']('firewall:admin_access') %}
|
|
|
{%- set ssh = salt['pillar.get']("firewall:ssh") %}
|
|
|
{%- set services = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':services', []) %}
|
|
|
-{#- TODO: Get RR IPs from netbox #}
|
|
|
-{%- set bgp = { 4: { '10.132.255.1' : 'cr01.in.ffho.net',
|
|
|
- '10.132.255.2' : 'cr02.in.ffho.net',
|
|
|
- '10.132.255.3' : 'cr03.in.ffho.net', },
|
|
|
- 6: { '2a03:2260:2342:ffff::1' : 'cr01.in.ffho.net',
|
|
|
- '2a03:2260:2342:ffff::2' : 'cr02.in.ffho.net',
|
|
|
- '2a03:2260:2342:ffff::3' : 'cr03.in.ffho.net', }} %}
|
|
|
|
|
|
flush ruleset
|
|
|
|
|
|
table ip filter {
|
|
|
+ set ibgp-peers {
|
|
|
+ type ipv4_addr
|
|
|
+ elements = {
|
|
|
+ 10.132.255.1, # cr01.in.ffho.net
|
|
|
+ 10.132.255.2, # cr02.in.ffho.net
|
|
|
+ 10.132.255.3, # cr03.in.ffho.net
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
chain input {
|
|
|
type filter hook input priority 0; policy drop;
|
|
|
iifname "lo" counter accept
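Review bot: The route-reflector addresses are now hard-coded twice, in this ip set and again in the ipv6 set in the hunk at `table ip6 filter`, while the `{#- TODO: Get RR IPs from netbox #}` reminder that explained why they lived in one Jinja dict is dropped. The two element lists can drift silently, and nothing ties them to the pillar data the rest of the template is rendered from (`firewall:*`, `nodes:<id>:services`). I would keep the reminder above the set, e.g. `# TODO: populate ibgp-peers from netbox/pillar; keep in sync with the set in table ip6 filter`, or render both element lists from one Jinja mapping so there is a single source. The set is also defined unconditionally, while its only user, `chain bgp`, is rendered only under `{%- if 'router' in roles %}`; wrapping the set in the same guard keeps non-router rulesets minimal, though an unused set is harmless as is.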
|
|
@@ -50,10 +52,8 @@ table ip filter {
|
|
|
|
|
|
{%- if 'router' in roles %}
|
|
|
chain bgp {
|
|
|
- {%- for ip in bgp[4].keys()|sort %}
|
|
|
- {%- set comment = bgp[4][ip] %}
|
|
|
- ip saddr {{ ip }} counter accept comment "{{ comment }}"
|
|
|
- {%- endfor %}
|
|
|
+ ip saddr @ibgp-peers counter accept comment "iBGP peers"
|
|
|
+ # TODO: Add external BGP peers, if any
|
|
|
}
|
|
|
{%- endif %}
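Review bot: `ip saddr @ibgp-peers counter accept` matches on source address alone, so unless the jump into `chain bgp` already carries a `tcp dport 179` qualifier (the jump is outside this hunk, so this is inferred) every packet from a peer address is accepted by this rule; the same applies to the ip6 rule in the hunk at `table ip6 filter`. If the jump does not already restrict the port, `ip saddr @ibgp-peers tcp dport 179 counter accept comment "iBGP peers"` keeps the accept scoped to BGP sessions. Replacing the per-peer rules with one set lookup also collapses three per-peer counters into a single aggregate, so per-peer traffic is no longer visible in the listed ruleset; if that loss of visibility is intended, a short comment on the rule saying so would help the next reader.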
|
|
|
|
|
@@ -83,6 +83,15 @@ table ip filter {
|
|
|
}
|
|
|
|
|
|
table ip6 filter {
|
|
|
+ set ibgp-peers {
|
|
|
+ type ipv6_addr
|
|
|
+ elements = {
|
|
|
+ 2a03:2260:2342:ffff::1, # cr01.in.ffho.net
|
|
|
+ 2a03:2260:2342:ffff::2, # cr02.in.ffho.net
|
|
|
+ 2a03:2260:2342:ffff::3, # cr03.in.ffho.net
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
chain input {
|
|
|
type filter hook input priority 0; policy drop;
|
|
|
iifname "lo" counter accept
|
|
@@ -116,10 +125,8 @@ table ip6 filter {
|
|
|
|
|
|
{%- if 'router' in roles %}
|
|
|
chain bgp {
|
|
|
- {%- for ip in bgp[6].keys()|sort %}
|
|
|
- {%- set comment = bgp[6][ip] %}
|
|
|
- ip6 saddr {{ ip }} counter accept comment "{{ comment }}"
|
|
|
- {%- endfor %}
|
|
|
+ ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
|
|
|
+ # TODO: Add external BGP peers, if any
|
|
|
}
|
|
|
{%- endif %}
|
|
|
|