Home Explore Help
Register Sign In
FreifunkHochstift
/
ffho-salt-public
2
0
Fork 2
Files Issues 0 Pull Requests 0
Tree: 40755b33a6
Branches Tags
ffho-salt-pu...
/
bird
/
ff-policy.conf

ff-policy.conf 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. #
    2. 

  2. # FFHO Routing Policy
    3. 

  3. #
    4. 

  4. {%- set node_roles = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
    5. 

  5. {%- set node_sites = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':sites', []) %}
    6. 

  6. {%- set sites = salt['pillar.get']('sites', {}) %}
    7. 

  7. {%- set te = salt['pillar.get']('te', {}) %}
    8. 

  8. 

  9. 

  10. ################################################################################
    11. 

  11. #                              Static Filters                                  #
    12. 

  12. ################################################################################
    13. 

  13. 

  14. filter external_IPs_to_learn {
    15. 

  15. 	if net ~ [
    16. 

  16. {%- if proto == 'v4' %}
    17. 

  17. 		80.70.181.59/32,	# mail.ffho.net
    18. 

  18. 		80.70.181.60/32,	# dns-auth.ffho.net
    19. 

  19. 		80.70.181.61/32		# fe01.ffho.net
    20. 

  20. {%- else %}
    21. 

  21. 		2a02:450:1:0::/64	# Vega VM Subnet
    22. 

  22. {%- endif %}
    23. 

  23. 	] then accept;
    24. 

  24. 

  25. 	reject;
    26. 

  26. };
    27. 

  27. 

  28. filter own_prefixes {
    29. 

  29. 	if net ~ [
    30. 

  30. {%- if proto == 'v4' %}
    31. 

  31. 		10.132.0.0/16,
    32. 

  32. 		172.30.0.0/16{24,24}
    33. 

  33. {%- else %}
    34. 

  34. 		fdca:ffee:ff12::/48,
    35. 

  35. 		2a03:2260:2342::/48
    36. 

  36. {%- endif %}
    37. 

  37. 	] then accept;
    38. 

  38. 

  39. 	reject;
    40. 

  40. };
    41. 

  41. 

  42. 

  43. ################################################################################
    44. 

  44. #               iBGP routing policy (Communities + Filter) + TE                #
    45. 

  45. ################################################################################
    46. 

  46. 

  47. {%- for site in node_sites %}
    48. 

  48.   {%- set site_config = sites.get (site) %}
    49. 

  49.   {%- set community = 'SITE_' ~ site|upper|replace('-', '') ~ '_ROUTE' %}
    50. 

  50.   {%- set community_id = site_config.get ('site_no')|int + 100 %}
    51. 

  51. define {{ community }} = (65132,{{ community_id }});
    52. 

  52. {%- endfor %}
    53. 

  53. 

  54. # Prefixes longer that site prefix leaving a gateway as TE prefixes.
    55. 

  55. # They are for TE core -> gateway only and must not be imported on other gateways.
    56. 

  56. define GATEWAY_TE_ROUTE = (65132,300);
    57. 

  57. 

  58. # All our prefixes learned in the external VRF and redistributed into the
    59. 

  59. # internal network
    60. 

  60. define EXTERNAL_ROUTE = (65132,1023);
    61. 

  61. 

  62. # TE routes only to be exported by specific border routers
    63. 

  63. define EXPORT_RESTRICT       = (65132, 100);
    64. 

  64. define EXPORT_ONLY_AT_CR01   = (65132, 101);
    65. 

  65. define EXPORT_ONLY_AT_CR02   = (65132, 102);
    66. 

  66. define EXPORT_ONLY_AT_CR03   = (65132, 103);
    67. 

  67. define EXPORT_ONLY_AT_CR04   = (65132, 104);
    68. 

  68. define EXPORT_ONLY_AT_BBR_KT = (65132, 197);
    69. 

  69. 

  70. # Anycasted prefix
    71. 

  71. define ANYCAST_PREFIX = (65132,999);
    72. 

  72. 

  73. # To be placed in /etc/bird/ff_killswitch.conf
    74. 

  74. define SITE_LEGACY_ONLINE = 1;
    75. 

  75. define SITE_PADCTY_ONLINE = 1;
    76. 

  76. define SITE_PADUML_ONLINE = 1;
    77. 

  77. define DRAINED = 0;
    78. 

  78. 

  79. 

  80. {%- if 'batman_gw' in node_roles %}
    81. 

  81. function tag_site_routes ()
    82. 

  82. {
    83. 

  83.   {%- for site in node_sites %}
    84. 

  84.     {%- set site_config = sites.get (site) %}
    85. 

  85.     {%- set prefix = site_config.get ('prefix_' ~ proto) %}
    86. 

  86.     {%- set prefix_mask_te = prefix.split ('/')[1]|int + 1 %}
    87. 

  87.     {%- set community = 'SITE_' ~ site|upper|replace('-', '') ~ '_ROUTE' %}
    88. 

  88. 	# {{ site_config.get ('name', site) }}
    89. 

  89. 	if net ~ [ {{ prefix }}+ ] then {
    90. 

  90. 		bgp_community.add ({{ community }});
    91. 

  91. 	}
    92. 

  92. 

  93.   {#-
    94. 

  94.    # Tag all routes for prefixes longer than site prefix leaving a gateway
    95. 

  95.    # as TE prefixes. They are for TE core -> gateway only and must not be
    96. 

  96.    # imported on other gateways.
    97. 

  97.    #}
    98. 

  98.     {%- if proto == 'v4' %}
    99. 

  99. 	if net ~ [ {{ prefix ~ '{' ~ prefix_mask_te ~ ',32}' }} ] then {
    100. 

  100. 		bgp_community.add (GATEWAY_TE_ROUTE);
    101. 

  101. 	}
    102. 

  102.     {%- endif %}
    103. 

  103.   {% endfor %}
    104. 

  104. }
    105. 

  105. {%- endif %}
    106. 

  106. 

  107. 

  108. filter ibgp_in {
    109. 

  109. {#- Don't import other gateways TE prefixes here #}
    110. 

  110. {%- if 'batman_gw' in node_roles %}
    111. 

  111.         if (GATEWAY_TE_ROUTE ~ bgp_community) then {
    112. 

  112.                 reject;
    113. 

  113.         }
    114. 

  114. {%- endif %}
    115. 

  115. 

  116.         accept;
    117. 

  117. }
    118. 

  118. 

  119. 

  120. filter ibgp_out {
    121. 

  121. 	# Don't redistribute OSPF into iBGP
    122. 

  122. 	if "IGP" = proto then
    123. 

  123. 		reject;
    124. 

  124. 

  125. 	# Don't redistribute v6 LO IP
    126. 

  126. 	if "lo_v6" = proto then
    127. 

  127. 		reject;
    128. 

  128. 

  129. 	# Don't redistribute null routes for bogon prefixes
    130. 

  130. 	if "bogon_unreach" = proto then
    131. 

  131. 		reject;
    132. 

  132. 

  133. 	# Don't redistribute TE prefixes for FFRL
    134. 

  134. 	if "ffrl_te" = proto then
    135. 

  135. 		reject;
    136. 

  136. 

  137. 	# Don't redistribute anything IF we are drained
    138. 

  138. 	if 1 = DRAINED then
    139. 

  139. 		reject;
    140. 

  140. 

  141. {%- if 'batman_gw' in node_roles %}
    142. 

  142. 	tag_site_routes ();
    143. 

  143. {%- endif %}
    144. 

  144. 

  145. 	accept;
    146. 

  146. }
    147. 

  147. 

  148. 

  149. # Traffic engineering routes
    150. 

  150. protocol static ffho_te {
    151. 

  151. 	preference 23;
    152. 

  152. 

  153. {% set prefixes = salt['ffho_net.get_te_prefixes'](te, grains['id'], proto) %}
    154. 

  154. {% for prefix in prefixes|sort %}
    155. 

  155.   {%- set config = prefixes.get (prefix) %}
    156. 

  156.   {%- if 'desc' in config %}
    157. 

  157. 	# {{ config.get ('desc') }}
    158. 

  158.   {%- endif %}
    159. 

  159. 	route {{ prefix }} unreachable {
    160. 

  160.   {%- for community in config.get ('communities', []) %}
    161. 

  161. 		bgp_community.add ({{ community }});
    162. 

  162.   {%- endfor %}
    163. 

  163. 	};
    164. 

  164. {%- endfor %}
    165. 

  165. 

  166. }
    167.