FAELIX/hphr
FAELIX/hphr
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

making prefix filters programmatically

Browse Source
This commit is contained in:
Marek Isalski 2019-05-14 07:42:33 +01:00
parent a6fbfb43c1
commit 7c99c98792
5 changed files with 467 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
bgpq3-linux-amd64 Executable file
View File

Binary file not shown.

7
hphr.sls
View File

@ -1,7 +1,14 @@
/tmp/bgpq3:
file.managed:
- source: salt://bgpq3-linux-amd64
- mode: 700
/config/config.new: /config/config.new:
file.managed: file.managed:
- template: jinja - template: jinja
- source: salt://vyos.conf.j2 - source: salt://vyos.conf.j2
- require:
- file: /tmp/bgpq3
configure: configure:
cmd.script: cmd.script:

19
make-routes Executable file
View File

@ -0,0 +1,19 @@
#!/bin/bash
./bgpq3-linux-amd64 -A -4 -j AS-FAELIX | sed 's_\\/_/_g' > routes/auto-AS-FAELIX.json4
./bgpq3-linux-amd64 -A -6 -j AS-FAELIX | sed 's_\\/_/_g' > routes/auto-AS-FAELIX.json6
./bgpq3-linux-amd64 -A -4 -j RS-AS41495-UK | sed 's_\\/_/_g' > routes/auto-AS41495-UK.json4
./bgpq3-linux-amd64 -A -6 -j RS-AS41495-UK | sed 's_\\/_/_g' > routes/auto-AS41495-UK.json6
./bgpq3-linux-amd64 -A -4 -j RS-AS41495-CH | sed 's_\\/_/_g' > routes/auto-AS41495-CH.json4
./bgpq3-linux-amd64 -A -6 -j RS-AS41495-CH | sed 's_\\/_/_g' > routes/auto-AS41495-CH.json6
./bgpq3-linux-amd64 -A -4 -j RS-AS41495-TEST | sed 's_\\/_/_g' > routes/TEST-EQUINIXIX-OUT.json4
./bgpq3-linux-amd64 -A -6 -j RS-AS41495-TEST | sed 's_\\/_/_g' > routes/TEST-EQUINIXIX-OUT.json6
./bgpq3-linux-amd64 -A -4 -j AS-APPLE | sed 's_\\/_/_g' > routes/auto-AS-APPLE.json4
./bgpq3-linux-amd64 -A -6 -j AS-APPLE | sed 's_\\/_/_g' > routes/auto-AS-APPLE.json6
./bgpq3-linux-amd64 -A -4 -j AS-CLOUDFLARE | sed 's_\\/_/_g' > routes/auto-AS-CLOUDFLARE.json4
./bgpq3-linux-amd64 -A -6 -j AS-CLOUDFLARE | sed 's_\\/_/_g' > routes/auto-AS-CLOUDFLARE.json6
./bgpq3-linux-amd64 -A -4 -j AS-EXA | sed 's_\\/_/_g' > routes/auto-AS-EXA.json4
./bgpq3-linux-amd64 -A -6 -j AS-EXA | sed 's_\\/_/_g' > routes/auto-AS-EXA.json6
./bgpq3-linux-amd64 -A -4 -j AS-MICROSOFT | sed 's_\\/_/_g' > routes/auto-AS-MICROSOFT.json4
./bgpq3-linux-amd64 -A -6 -j AS-MICROSOFT | sed 's_\\/_/_g' > routes/auto-AS-MICROSOFT.json6

1
top.sls
View File

@ -2,3 +2,4 @@ hphr:
hphr: hphr:
- match: nodegroup - match: nodegroup
- hphr - hphr
# - test

451
vyos.conf.j2
View File

@ -102,6 +102,15 @@ interfaces {
protocols { protocols {
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- RPKI -=-=-=-=-=-=-=-=-=-=-=-=-=- */
rpki {
cache routinator {
address 185.134.197.5
port 3323
}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */ /* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */
ospf { ospf {
@ -255,28 +264,447 @@ protocols {
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */ /* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */
policy { policy {
prefix-list TEST-EQUINIXIX-OUT {
prefix-list static-NO-IPv4 {
rule 1 { rule 1 {
action permit
prefix 46.227.204.0/24
}
rule 2 {
action deny
le 32
prefix 0.0.0.0/0 prefix 0.0.0.0/0
le 32
action deny
} }
} }
prefix-list6 TEST-EQUINIXIX-OUT {
prefix-list static-ALL-IPv4 {
rule 1 { rule 1 {
prefix 0.0.0.0/0
le 32
action permit
}
}
prefix-list static-DEFAULT-IPv4 {
rule 1 {
prefix 0.0.0.0/0
action permit action permit
prefix 2a01:9e00:1234::/48
} }
rule 2 { rule 2 {
prefix 0.0.0.0/0
le 32
action deny action deny
le 128
prefix ::/0
} }
} }
prefix-list static-DFZ-IPv4 {
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list static-DFZ-DEFAULT-IPv4 {
rule 10 {
prefix 0.0.0.0/0
action permit
}
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list6 static-NO-IPv6 {
rule 1 {
prefix ::/0
le 128
action deny
}
}
prefix-list6 static-ALL-IPv6 {
rule 1 {
prefix ::/0
le 128
action permit
}
}
prefix-list6 static-DEFAULT-IPv6 {
rule 1 {
prefix ::/0
action permit
}
rule 2 {
prefix ::/0
le 128
action deny
}
}
prefix-list6 static-DFZ-IPv6 {
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
le 64
action permit
}
}
prefix-list6 static-DFZ-DEFAULT-IPv6 {
rule 10 {
prefix ::/0
action permit
}
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
le 64
action permit
}
}
{% for prefix_list_name, bgpq3_query in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list {{ prefix_list_name }} {
{% import_yaml ("routes/" + prefix_list_name + ".json4") as jsonblob %}
{% for prefix in jsonblob.NN %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
{% endfor %}
{% for prefix_list_name, bgpq3_query in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list6 {{ prefix_list_name }} {
{% import_yaml ("routes/" + prefix_list_name + ".json6") as jsonblob %}
{% for prefix in jsonblob.NN %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
rule 65535 {
prefix ::/0
le 128
action deny
}
}
{% endfor %}
} }
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */ /* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */
@ -299,6 +727,7 @@ service {
} }
{% endfor %} {% endfor %}
trap-source {{ pillar['service']['snmp']['trap-source'] }} trap-source {{ pillar['service']['snmp']['trap-source'] }}
listen-address {{ pillar['service']['snmp']['trap-source'] }}
{% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %} {% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %}
trap-target {{ trap_target }} { trap-target {{ trap_target }} {
} }