diff --git a/bgpq3-linux-amd64 b/bgpq3-linux-amd64 new file mode 100755 index 0000000..d92e5f2 Binary files /dev/null and b/bgpq3-linux-amd64 differ diff --git a/hphr.sls b/hphr.sls index 84dba2a..98fe4cd 100644 --- a/hphr.sls +++ b/hphr.sls @@ -1,7 +1,14 @@ +/tmp/bgpq3: + file.managed: + - source: salt://bgpq3-linux-amd64 + - mode: 700 + /config/config.new: file.managed: - template: jinja - source: salt://vyos.conf.j2 + - require: + - file: /tmp/bgpq3 configure: cmd.script: diff --git a/make-routes b/make-routes new file mode 100755 index 0000000..52b748c --- /dev/null +++ b/make-routes 
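Review bot: Installing the bgpq3 binary as `/tmp/bgpq3` places a root-executed tool in a world-writable directory: an unprivileged local user can pre-create `/tmp/bgpq3` (as a symlink, say) before the first highstate, and whether Salt then writes through it hinges on `follow_symlinks`, which this state leaves at its default; `/tmp` is also commonly tmpfs or cleaned at boot, so the file disappears on reboot even though `/config/config.new` `require`s it. Manage it at a root-owned path instead, e.g. `/usr/local/sbin/bgpq3:` with `- user: root` and `- group: root` added under `file.managed` (keeping `- mode: 700`), and point the `require` there. The vendored `bgpq3-linux-amd64` arrives with no recorded version or checksum (the binary file section carries none), so a comment in this state naming the upstream release and its sha256 — or a `source_hash` if it is ever fetched rather than shipped via `salt://` — gives the next reviewer something to verify against. Nothing in the template hunks of this diff invokes `/tmp/bgpq3`; if the `configure` script (its body is outside this hunk) is what runs it, a one-line comment saying so would explain the `require`.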
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+./bgpq3-linux-amd64 -A -4 -j AS-FAELIX | sed 's_\\/_/_g' > routes/auto-AS-FAELIX.json4
+./bgpq3-linux-amd64 -A -6 -j AS-FAELIX | sed 's_\\/_/_g' > routes/auto-AS-FAELIX.json6
+./bgpq3-linux-amd64 -A -4 -j RS-AS41495-UK | sed 's_\\/_/_g' > routes/auto-AS41495-UK.json4
+./bgpq3-linux-amd64 -A -6 -j RS-AS41495-UK | sed 's_\\/_/_g' > routes/auto-AS41495-UK.json6
+./bgpq3-linux-amd64 -A -4 -j RS-AS41495-CH | sed 's_\\/_/_g' > routes/auto-AS41495-CH.json4
+./bgpq3-linux-amd64 -A -6 -j RS-AS41495-CH | sed 's_\\/_/_g' > routes/auto-AS41495-CH.json6
+./bgpq3-linux-amd64 -A -4 -j RS-AS41495-TEST | sed 's_\\/_/_g' > routes/TEST-EQUINIXIX-OUT.json4
+./bgpq3-linux-amd64 -A -6 -j RS-AS41495-TEST | sed 's_\\/_/_g' > routes/TEST-EQUINIXIX-OUT.json6
+
+./bgpq3-linux-amd64 -A -4 -j AS-APPLE | sed 's_\\/_/_g' > routes/auto-AS-APPLE.json4
+./bgpq3-linux-amd64 -A -6 -j AS-APPLE | sed 's_\\/_/_g' > routes/auto-AS-APPLE.json6
+./bgpq3-linux-amd64 -A -4 -j AS-CLOUDFLARE | sed 's_\\/_/_g' > routes/auto-AS-CLOUDFLARE.json4
+./bgpq3-linux-amd64 -A -6 -j AS-CLOUDFLARE | sed 's_\\/_/_g' > routes/auto-AS-CLOUDFLARE.json6
+./bgpq3-linux-amd64 -A -4 -j AS-EXA | sed 's_\\/_/_g' > routes/auto-AS-EXA.json4
+./bgpq3-linux-amd64 -A -6 -j AS-EXA | sed 's_\\/_/_g' > routes/auto-AS-EXA.json6
+./bgpq3-linux-amd64 -A -4 -j AS-MICROSOFT | sed 's_\\/_/_g' > routes/auto-AS-MICROSOFT.json4
+./bgpq3-linux-amd64 -A -6 -j AS-MICROSOFT | sed 's_\\/_/_g' > routes/auto-AS-MICROSOFT.json6
diff --git a/top.sls b/top.sls
index 3d7ef0c..0601c89 100644
--- a/top.sls
+++ b/top.sls
@@ -2,3 +2,4 @@ hphr: hphr: - match: nodegroup - hphr +# - test
diff --git a/vyos.conf.j2 b/vyos.conf.j2
index 87ff6f1..9d1b47a 100644
--- a/vyos.conf.j2
+++ b/vyos.conf.j2
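Review bot: Every line in `make-routes` redirects straight into `routes/*.json{4,6}` with no `set -e`/`pipefail`, so a failed or interrupted IRR query (network error, whois timeout, bgpq3 killed mid-write) truncates a previously good filter file, and the pipeline's exit status is that of `sed`, which hides the failure entirely; the template then renders whatever is left, and an empty result becomes a list that ends in the explicit `rule 65535` deny. The runs are also sixteen near-identical lines with a cwd-relative `./bgpq3-linux-amd64`, so the script only works when invoked from the repo root. I would fail fast, write each result to a temp file beside the target and `mv` it into place only after the pipeline succeeded, and fold the repetition into a helper so adding an object is one line:

```shell
#!/bin/bash
set -euo pipefail
cd "$(dirname "$0")"

# gen NAME OBJECT: write routes/NAME.json4 and routes/NAME.json6 for IRR object
# OBJECT, replacing the previous file only after bgpq3 and sed both exited 0.
gen() {
    local name=$1 obj=$2 af out tmp
    for af in 4 6; do
        out="routes/${name}.json${af}"
        tmp=$(mktemp "${out}.XXXXXX")
        if ./bgpq3-linux-amd64 -A "-${af}" -j "$obj" | sed 's_\\/_/_g' > "$tmp"; then
            mv -f "$tmp" "$out"
        else
            rm -f "$tmp"
            echo "bgpq3 failed for ${obj} (IPv${af}); ${out} left unchanged" >&2
            exit 1
        fi
    done
}

gen auto-AS-FAELIX      AS-FAELIX
gen auto-AS41495-UK     RS-AS41495-UK
gen auto-AS41495-CH     RS-AS41495-CH
gen TEST-EQUINIXIX-OUT  RS-AS41495-TEST
# … unchanged: AS-APPLE, AS-CLOUDFLARE, AS-EXA, AS-MICROSOFT as further gen calls …
```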
@@ -102,6 +102,15 @@ interfaces { protocols { + /* -=-=-=-=-=-=-=-=-=-=-=-=-=- RPKI -=-=-=-=-=-=-=-=-=-=-=-=-=- */ + + rpki { + cache routinator { + address 185.134.197.5 + port 3323 + } + } + /* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */ ospf { 
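Review bot: The RTR session to `185.134.197.5` port 3323 is plain TCP, so the validation data is unauthenticated on the wire: an on-path party between the router and the validator can flip the validity state of any route or serve an empty VRP set, and with a single cache and no `preference` a validator outage leaves the router with stale or no VRPs (what FRR does with validation state at that point depends on its version). If the running VyOS supports it, put the cache behind `ssh` (the `cache` node takes `ssh username`, `private-key-file`, `public-key-file` and `known-hosts-file`) or at least reach a validator over a trusted network, and add a second cache with explicit `preference 1` / `preference 2`. Nothing in the policy hunk further down this diff references `rpki invalid` or `rpki notfound` in a route-map, so — at least within what this commit shows — validation results are computed but not enforced on any session; if the route-maps live elsewhere, a pointer comment beside this block such as `/* RPKI state is enforced in route-map <name> */` would save the next reader the search.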
@@ -255,28 +264,447 @@ protocols { /* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */ policy { - prefix-list TEST-EQUINIXIX-OUT { + + prefix-list static-NO-IPv4 { + rule 1 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + + prefix-list static-ALL-IPv4 { + rule 1 { + prefix 0.0.0.0/0 + le 32 + action permit + } + } + + prefix-list static-DEFAULT-IPv4 { rule 1 { + prefix 0.0.0.0/0 action permit - prefix 46.227.204.0/24 } rule 2 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + + prefix-list static-DFZ-IPv4 { + rule 100 { + prefix 192.168.0.0/16 + description "RFC1918" + le 32 + action deny + } + rule 101 { + prefix 172.16.0.0/12 + description "RFC1918" + le 32 + action deny + } + rule 102 { + prefix 10.0.0.0/8 + description "RFC1918" + le 32 + action deny + } + rule 103 { + prefix 169.254.0.0/16 + description "link-local" + le 32 + action deny + } + rule 104 { + prefix 100.64.0.0/10 + description "CGNAT" + le 32 + action deny + } + rule 105 { + prefix 127.0.0.0/8 + description "loopback" + le 32 + action deny + } + rule 106 { + prefix 192.0.0.0/24 + description "IETF protocol assignments" + le 32 + action deny + } + rule 107 { + prefix 192.0.2.0/24 + description "TEST-NET-1" + le 32 + action deny + } + rule 108 { + prefix 198.18.0.0/15 + description "Network interconnect device benchmark testing" + le 32 + action deny + } + rule 109 { + prefix 198.51.100.0/24 + description "TEST-NET-2" + le 32 + action deny + } + rule 110 { + prefix 203.0.113.0/24 + description "TEST-NET-3" + le 32 + action deny + } + rule 111 { + prefix 224.0.0.0/4 + description "multicast" + le 32 action deny + } + rule 112 { + prefix 240.0.0.0/4 + description "reserved" le 32 + action deny + } + rule 1000 { prefix 0.0.0.0/0 + le 24 + action permit + } + rule 65535 { + prefix 0.0.0.0/0 + le 32 + action deny } } - prefix-list6 TEST-EQUINIXIX-OUT { + + prefix-list static-DFZ-DEFAULT-IPv4 { + rule 10 { + prefix 0.0.0.0/0 + action permit + } + rule 100 { + prefix 192.168.0.0/16 
+ description "RFC1918" + le 32 + action deny + } + rule 101 { + prefix 172.16.0.0/12 + description "RFC1918" + le 32 + action deny + } + rule 102 { + prefix 10.0.0.0/8 + description "RFC1918" + le 32 + action deny + } + rule 103 { + prefix 169.254.0.0/16 + description "link-local" + le 32 + action deny + } + rule 104 { + prefix 100.64.0.0/10 + description "CGNAT" + le 32 + action deny + } + rule 105 { + prefix 127.0.0.0/8 + description "loopback" + le 32 + action deny + } + rule 106 { + prefix 192.0.0.0/24 + description "IETF protocol assignments" + le 32 + action deny + } + rule 107 { + prefix 192.0.2.0/24 + description "TEST-NET-1" + le 32 + action deny + } + rule 108 { + prefix 198.18.0.0/15 + description "Network interconnect device benchmark testing" + le 32 + action deny + } + rule 109 { + prefix 198.51.100.0/24 + description "TEST-NET-2" + le 32 + action deny + } + rule 110 { + prefix 203.0.113.0/24 + description "TEST-NET-3" + le 32 + action deny + } + rule 111 { + prefix 224.0.0.0/4 + description "multicast" + le 32 + action deny + } + rule 112 { + prefix 240.0.0.0/4 + description "reserved" + le 32 + action deny + } + rule 1000 { + prefix 0.0.0.0/0 + le 24 + action permit + } + rule 65535 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + + prefix-list6 static-NO-IPv6 { + rule 1 { + prefix ::/0 + le 128 + action deny + } + } + + prefix-list6 static-ALL-IPv6 { + rule 1 { + prefix ::/0 + le 128 + action permit + } + } + + prefix-list6 static-DEFAULT-IPv6 { rule 1 { + prefix ::/0 action permit - prefix 2a01:9e00:1234::/48 } rule 2 { + prefix ::/0 + le 128 + action deny + } + } + + prefix-list6 static-DFZ-IPv6 { + rule 100 { + prefix ::/128 + description "not self" action deny + } + rule 101 { + prefix ::1/128 + description "self" + action deny + } + rule 102 { + prefix ::ffff:0:0/96 + description "IPv4-mapped" le 128 + action deny + } + rule 103 { + prefix ::/96 + description "IPv4-compatible" + le 128 + action deny + } + rule 104 { + prefix 100::/64 + 
description "RTBH addresses" + le 128 + action deny + } + rule 105 { + prefix 2001:10::/28 + description "ORCHID addresses" + le 128 + action deny + } + rule 106 { + prefix 2001:db8::/32 + description "documentation prefix" + le 128 + action deny + } + rule 107 { + prefix fc00::/7 + description "ULA address" + le 128 + action deny + } + rule 108 { + prefix fe80::/10 + description "link-local" + le 128 + action deny + } + rule 109 { + prefix fec0::/10 + description "site-local" + le 128 + action deny + } + rule 110 { + prefix ff0e::/16 + description "global multicast" + le 64 + action permit + } + rule 111 { + prefix ff00::/8 + description "multicast" + le 128 + action deny + } + rule 1000 { prefix ::/0 + le 64 + action permit } } + + prefix-list6 static-DFZ-DEFAULT-IPv6 { + rule 10 { + prefix ::/0 + action permit + } + rule 100 { + prefix ::/128 + description "not self" + action deny + } + rule 101 { + prefix ::1/128 + description "self" + action deny + } + rule 102 { + prefix ::ffff:0:0/96 + description "IPv4-mapped" + le 128 + action deny + } + rule 103 { + prefix ::/96 + description "IPv4-compatible" + le 128 + action deny + } + rule 104 { + prefix 100::/64 + description "RTBH addresses" + le 128 + action deny + } + rule 105 { + prefix 2001:10::/28 + description "ORCHID addresses" + le 128 + action deny + } + rule 106 { + prefix 2001:db8::/32 + description "documentation prefix" + le 128 + action deny + } + rule 107 { + prefix fc00::/7 + description "ULA address" + le 128 + action deny + } + rule 108 { + prefix fe80::/10 + description "link-local" + le 128 + action deny + } + rule 109 { + prefix fec0::/10 + description "site-local" + le 128 + action deny + } + rule 110 { + prefix ff0e::/16 + description "global multicast" + le 64 + action permit + } + rule 111 { + prefix ff00::/8 + description "multicast" + le 128 + action deny + } + rule 1000 { + prefix ::/0 + le 64 + action permit + } + } + + {% for prefix_list_name, bgpq3_query in 
salt['pillar.get']("policy:prefix-list",{}).items() %} + prefix-list {{ prefix_list_name }} { + {% import_yaml ("routes/" + prefix_list_name + ".json4") as jsonblob %} + {% for prefix in jsonblob.NN %} + rule {{ loop.index }} { + action permit + prefix {{ prefix['prefix'] }} + {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} + {% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} + } + {% endfor %} + rule 65535 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + {% endfor %} + + {% for prefix_list_name, bgpq3_query in salt['pillar.get']("policy:prefix-list",{}).items() %} + prefix-list6 {{ prefix_list_name }} { + {% import_yaml ("routes/" + prefix_list_name + ".json6") as jsonblob %} + {% for prefix in jsonblob.NN %} + rule {{ loop.index }} { + action permit + prefix {{ prefix['prefix'] }} + {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} + {% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} + } + {% endfor %} + rule 65535 { + prefix ::/0 + le 128 + action deny + } + } + {% endfor %} + } /* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */ @@ -299,6 +727,7 @@ service { } {% endfor %} trap-source {{ pillar['service']['snmp']['trap-source'] }} + listen-address {{ pillar['service']['snmp']['trap-source'] }} {% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %} trap-target {{ trap_target }} { }
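Review bot: `static-DFZ-IPv4` rule 1000 (`prefix 0.0.0.0/0 le 24` with no `ge`) also matches the default route itself, so a peer filtered with this list can still inject 0.0.0.0/0 — which defeats the point of keeping a separate `static-DFZ-DEFAULT-IPv4` whose rule 10 admits the default explicitly; `static-DFZ-IPv6` rule 1000 (`prefix ::/0 le 64`) has the same gap. Add a lower bound to both, `prefix 0.0.0.0/0 ge 8 le 24` and `prefix ::/0 ge 16 le 64` (any `ge` of 1 or more closes the hole; 8 and 16 are the conventional floors). While there, the IPv4 bogon set omits `0.0.0.0/8`, e.g. `rule 99 { prefix 0.0.0.0/8 description "this network" le 32 action deny }`, and `static-DFZ-IPv6` relies on the implicit deny where its IPv4 sibling spells out `rule 65535` — worth making the two consistent. The per-customer lists built from `routes/<name>.json{4,6}` number rules by `loop.index`, so a set with 65535 or more entries would collide with the explicit `rule 65535` deny; unlikely for the objects listed, but a `{% if jsonblob.NN | length >= 65535 %}` guard that fails the render would make that loud rather than silent.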
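Review bot: `listen-address` is filled from the `trap-source` pillar key, which ties where snmpd binds to where traps originate; those are different concerns and the key name will mislead the next person editing pillar. Read a dedicated key with the current value as fallback: `listen-address {{ salt['pillar.get']('service:snmp:listen-address', pillar['service']['snmp']['trap-source']) }}`. The enclosing `service { snmp {` block starts outside this hunk, so whatever community or `client` restrictions govern who may query the agent cannot be checked here.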