################################################################################ # Internet table # ################################################################################ {%- set ifaces = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':ifaces', {}) %} {%- set have_vrf_external = [] %} {%- for iface, iface_config in ifaces.items () %} {%- if iface_config.get ('vrf', '') == 'vrf_external' %} {%- do have_vrf_external.append (True) %} {%- break %} {%- endif %} {%- endfor %} {%- if True not in have_vrf_external %} # # No vrf_external configured on this node. Nothing to do. # {%- else %} table t_external; protocol kernel k_external { scan time 20; learn; import none; export all; table t_external; kernel table 1023; } # Add unreachable routes for RFC1918, RFC 6598, APIPA so we don't route # anything private into the internet + null route some bogons. protocol static bogon_unreach_ext { table t_external; {%- if proto == 'v4' %} route 0.0.0.0/8 unreachable; # Host-Subnet route 10.0.0.0/8 unreachable; # RFC 1918 route 100.64.0.0/10 unreachable; # RFC 6598 route 169.254.0.0/16 unreachable; # APIPA route 172.16.0.0/12 unreachable; # RFC 1918 route 192.0.0.0/24 unreachable; # IANA RESERVED route 192.0.2.0/24 unreachable; # TEST-NET-1 route 192.168.0.0/16 unreachable; # RFC 1918 route 198.18.0.0/15 unreachable; # BENCHMARK route 198.51.100.0/24 unreachable; # TEST-NET-2 route 203.0.113.0/24 unreachable; # TEST-NET-3 route 224.0.0.0/3 unreachable; # MCast + Class E {%- else %} route ::/96 unreachable; # RFC 4291 route 2001:db8::/32 unreachable; # Documentation route fec0::/10 unreachable; # Site Local route fc00::/7 unreachable; # ULA {%- endif %} } {%- endif %} {#- vrf_external exists #}