FAELIX/hphr
FAELIX/hphr
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add BGP control plane filtering

Browse Source
This commit is contained in:
Marek Isalski 2019-10-01 14:43:57 +01:00
parent df5e80366e
commit b9c5154ec3
4 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
bcp38.ipset.j2
View File

@ -25,3 +25,21 @@ add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
{% endif %}{% endfor %}
swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
destroy tmp-bcp38-else-oface-v6
{% if salt["pillar.get"]("control-plane-protection:bgp:IPv4",None) != None %}
create tmp-control-plane-bgp-v4 hash:net family inet hashsize 1024 maxelem 65536
{% for subnet in salt["pillar.get"]("control-plane-protection:bgp:IPv4",[]) %}
add tmp-control-plane-bgp-v4 {{ subnet }}
{% endfor %}
swap tmp-control-plane-bgp-v4 control-plane-bgp-v4
destroy tmp-control-plane-bgp-v4
{% endif %}
{% if salt["pillar.get"]("control-plane-protection:bgp:IPv6",None) != None %}
create tmp-control-plane-bgp-v6 hash:net family inet6 hashsize 1024 maxelem 65536
{% for subnet in salt["pillar.get"]("control-plane-protection:bgp:IPv6",[]) %}
add tmp-control-plane-bgp-v6 {{ subnet }}
{% endfor %}
swap tmp-control-plane-bgp-v6 control-plane-bgp-v6
destroy tmp-control-plane-bgp-v6
{% endif %}

4
bcp38.iptables.v4
View File

@ -1,5 +1,9 @@
*filter
:INPUT ACCEPT [0:0]
{% if salt["pillar.get"]("control-plane-protection:bgp:IPv4",None) != None %}
-A INPUT -p tcp --dport 179 -m set --match-set control-plane-bgp-v4 src -j ACCEPT
-A INPUT -p tcp --dport 179 -m tcp -j REJECT --reject-with tcp-reset
{% endif %}
:FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP

4
bcp38.iptables.v6
View File

@ -1,5 +1,9 @@
*filter
:INPUT ACCEPT [0:0]
{% if salt["pillar.get"]("control-plane-protection:bgp:IPv6",None) != None %}
-A INPUT -p tcp --dport 179 -m set --match-set control-plane-bgp-v6 src -j ACCEPT
-A INPUT -p tcp --dport 179 -m tcp -j REJECT --reject-with tcp-reset
{% endif %}
:FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP

6
postconfig.sh
View File

@ -8,6 +8,12 @@ ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxele
ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset destroy tmp-control-plane-bgp-v4 2> /dev/null || /bin/true
ipset destroy tmp-control-plane-bgp-v6 2> /dev/null || /bin/true
ipset create control-plane-bgp-v4 hash:net family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create control-plane-bgp-v6 hash:net family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4