FAELIX/hphr
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bind ssh to VRF; console on ttyS0 and ttyS1; exec environment

Browse Source
This commit is contained in:
Marek Isalski
2021-04-24 15:04:01 +01:00
parent f82403aec1
commit 9a619f1048
1 changed files with 31 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
vyos.conf.j2
View File

@ -1,3 +1,14 @@
{% set env_exec = {} %}
{% if pillar.get('loopback',{}).get('IPv4',None) %}
{% do env_exec.update({'BIND_ADDR':pillar['loopback']['IPv4']}) %}
{% endif %}
{% if pillar.get('loopback',{}).get('IPv6',None) %}
{% do env_exec.update({'BIND_ADDR6':pillar['loopback']['IPv6']}) %}
{% endif %}
{% if env_exec %}
{% do env_exec.update({'LD_PRELOAD':'/tmp/bind.so'}) %}
{% endif %}
{% macro interface_ip_ospf(iface_name) %} {% macro interface_ip_ospf(iface_name) %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf') %} {% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf') %}
ospf { ospf {
@ -166,7 +177,7 @@ interfaces {
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if iface_data['mgmt_only'] %} {% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if iface_data['mgmt_only'] %}
{% elif iface_name == 'lo' %} {% elif iface_name == 'lo' %}
loopback lo { loopback lo {
description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}" description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['device'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}"
{% for address in iface_data['addresses'] %} {% for address in iface_data['addresses'] %}
address {{ address['address'] }} address {{ address['address'] }}
{% endfor %} {% endfor %}
@ -183,7 +194,7 @@ interfaces {
} }
{% elif iface_data.get('type',{}).get('label','') != 'Virtual' %} {% elif iface_data.get('type',{}).get('label','') != 'Virtual' %}
ethernet {{ iface_name }} { ethernet {{ iface_name }} {
description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}" description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['device'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}"
{% if 'vrf' in salt['pillar.get']('interfaces:'+iface_name,{}) %}vrf {{ salt['pillar.get']('interfaces:'+iface_name+':vrf') }}{% endif %} {% if 'vrf' in salt['pillar.get']('interfaces:'+iface_name,{}) %}vrf {{ salt['pillar.get']('interfaces:'+iface_name+':vrf') }}{% endif %}
{% for address in iface_data['addresses'] %} {% for address in iface_data['addresses'] %}
address {{ address['address'] }} address {{ address['address'] }}
@ -196,6 +207,7 @@ interfaces {
speed auto speed auto
{% if not iface_data['enabled'] %}disable{% endif %} {% if not iface_data['enabled'] %}disable{% endif %}
{% if iface_data['lag'] %}bond-group {{ iface_data['lag']['name'] }}{% endif %} {% if iface_data['lag'] %}bond-group {{ iface_data['lag']['name'] }}{% endif %}
{% if iface_data.get('mtu',None) %}mtu {{ iface_data.get('mtu',1500) }}{% endif %}
{% for tagged_vlan in iface_data['tagged_vlans'] %} {% for tagged_vlan in iface_data['tagged_vlans'] %}
{% set subiface_data = salt['pillar.get']('netbox:interfaces:%s.%d'%(iface_name,tagged_vlan['vid']),{'description':'','addresses':[],'enabled':False}) %} {% set subiface_data = salt['pillar.get']('netbox:interfaces:%s.%d'%(iface_name,tagged_vlan['vid']),{'description':'','addresses':[],'enabled':False}) %}
@ -206,6 +218,7 @@ interfaces {
address {{ address['address'] }} address {{ address['address'] }}
{% endfor %} {% endfor %}
{% if not subiface_data['enabled'] %}disable{% endif %} {% if not subiface_data['enabled'] %}disable{% endif %}
{% if subiface_data.get('mtu',None) or iface_data.get('mtu',None) %}mtu {{ subiface_data.get('mtu',iface_data.get('mtu',1500)) }}{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+"."+("%d"%tagged_vlan['vid'])+':ip') %} {% if salt['pillar.get']('interfaces:'+iface_name+"."+("%d"%tagged_vlan['vid'])+':ip') %}
ip { ip {
@ -361,7 +374,7 @@ protocols {
{% endfor %} {% endfor %}
} }
{% for vrf_name, vrf_data in pillar['protocols']['vrf'].items() %} {% for vrf_name, vrf_data in salt['pillar.get']('protocols:vrf',{}).items() %}
{% if 'static' in vrf_data %} {% if 'static' in vrf_data %}
vrf {{ vrf_name }} { vrf {{ vrf_name }} {
static { static {
@ -1349,7 +1362,7 @@ policy {
{% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %} {% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list {{ prefix_list_name }} { prefix-list {{ prefix_list_name }} {
{% if 'bgpq3' in prefix_data %} {% if 'bgpq3' in prefix_data %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -4 -j ' + prefix_data["bgpq3"]["IPv4"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %} {% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 24 -R 24 -A -4 -j ' + prefix_data["bgpq3"]["IPv4"], env=env_exec)|load_json %}
{% for prefix in jsonblob.NN %} {% for prefix in jsonblob.NN %}
rule {{ loop.index }} { rule {{ loop.index }} {
action permit action permit
@ -1363,7 +1376,7 @@ policy {
} }
{% endfor %} {% endfor %}
{% elif 'static' in prefix_data %} {% elif 'static' in prefix_data %}
{% for prefix in prefix_data['static']['prefixes'] %} {% for prefix in prefix_data['static']['prefixes'] %}{% if "." in prefix %}
rule {{ loop.index }} { rule {{ loop.index }} {
{% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %} {% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %}
action permit action permit
@ -1371,7 +1384,7 @@ policy {
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} {% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
} }
{% endfor %} {% endif %}{% endfor %}
{% endif %} {% endif %}
rule 65535 { rule 65535 {
prefix 0.0.0.0/0 prefix 0.0.0.0/0
@ -1384,14 +1397,13 @@ policy {
{% for prefix_list_name, prefix_data in peeringdb_prefixlist_4.items() %} {% for prefix_list_name, prefix_data in peeringdb_prefixlist_4.items() %}
prefix-list {{ prefix_list_name }} { prefix-list {{ prefix_list_name }} {
{% if prefix_data['as-set'] %} {% if prefix_data['as-set'] %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 24 -R 24 -A -4 -S ' + prefix_data["sources"] + ' -j ' + prefix_data["as-set"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %} {% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 24 -R 24 -A -4 -S ' + prefix_data["sources"] + ' -j ' + prefix_data["as-set"], env=env_exec)|load_json %}
{#% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -4 -j ' + prefix_data["as-set"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %#}
{% for prefix in jsonblob.NN %} {% for prefix in jsonblob.NN %}
rule {{ loop.index }} { rule {{ loop.index }} {
action permit action permit
prefix {{ prefix['prefix'] }} prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} {#% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %#}
} }
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -1406,7 +1418,7 @@ policy {
{% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %} {% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list6 {{ prefix_list_name }} { prefix-list6 {{ prefix_list_name }} {
{% if 'bgpq3' in prefix_data %} {% if 'bgpq3' in prefix_data %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 64 -A -6 -j ' + prefix_data["bgpq3"]["IPv6"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %} {% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 48 -R 48 -A -6 -j ' + prefix_data["bgpq3"]["IPv6"], env=env_exec)|load_json %}
{% for prefix in jsonblob.NN %} {% for prefix in jsonblob.NN %}
rule {{ loop.index }} { rule {{ loop.index }} {
action permit action permit
@ -1415,12 +1427,12 @@ policy {
le 128 le 128
{% else %} {% else %}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} {#% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %#}
{% endif %} {% endif %}
} }
{% endfor %} {% endfor %}
{% elif 'static' in prefix_data %} {% elif 'static' in prefix_data %}
{% for prefix in prefix_data['static']['prefixes'] %} {% for prefix in prefix_data['static']['prefixes'] %}{% if ":" in prefix %}
{% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %} {% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %}
rule {{ loop.index }} { rule {{ loop.index }} {
action permit action permit
@ -1428,7 +1440,7 @@ policy {
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %} {% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %} {% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
} }
{% endfor %} {% endif %}{% endfor %}
{% endif %} {% endif %}
rule 65535 { rule 65535 {
prefix ::/0 prefix ::/0
@ -1441,9 +1453,7 @@ policy {
{% for prefix_list_name, prefix_data in peeringdb_prefixlist_6.items() %} {% for prefix_list_name, prefix_data in peeringdb_prefixlist_6.items() %}
prefix-list6 {{ prefix_list_name }} { prefix-list6 {{ prefix_list_name }} {
{% if prefix_data['as-set'] %} {% if prefix_data['as-set'] %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -6 -S ' + prefix_data["sources"] + ' -j ' + prefix_data["as-set"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %} {% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -m 48 -R 48 -A -6 -S ' + prefix_data["sources"] + ' -j ' + prefix_data["as-set"], env=env_exec)|load_json %}
{#% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -6 -j ' + prefix_data["as-set"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %#}
/* {{ '/tmp/bgpq3 -A -4 -j ' + prefix_data["as-set"] }} */
{% for prefix in jsonblob.NN %} {% for prefix in jsonblob.NN %}
rule {{ loop.index }} { rule {{ loop.index }} {
action permit action permit
@ -1492,7 +1502,7 @@ service {
} }
ssh { ssh {
listen-address {{ pillar['service']['ssh']['listen-address'] }} listen-address {{ pillar['service']['ssh']['listen-address'] }}
{% if salt['pillar.get']('service:snmp:vrf') %}vrf {{ salt['pillar.get']('service:snmp:vrf') }}{% endif %} {% if salt['pillar.get']('service:ssh:vrf') %}vrf {{ salt['pillar.get']('service:ssh:vrf') }}{% endif %}
ciphers chacha20-poly1305@openssh.com ciphers chacha20-poly1305@openssh.com
ciphers aes256-gcm@openssh.com ciphers aes256-gcm@openssh.com
ciphers aes128-gcm@openssh.com ciphers aes128-gcm@openssh.com
@ -1522,7 +1532,10 @@ system {
console { console {
device ttyS0 { device ttyS0 {
speed 9600 speed 115200
}
device ttyS1 {
speed 115200
} }
} }