diff --git a/vyos.conf.j2 b/vyos.conf.j2 index 1545874..01a74c5 100644 --- a/vyos.conf.j2 +++ b/vyos.conf.j2 @@ -228,7 +228,9 @@ protocols { bgp {{ bgp_as }} { parameters { router-id {{ as_data['parameters']['router-id'] }} - default no-ipv4-unicast + default { + no-ipv4-unicast + } } {% if as_data.get('address-family',None) %} address-family { @@ -481,6 +483,97 @@ policy { } } + prefix-list hphr-DFZ-LONG-IPv4 { + rule 100 { + prefix 192.168.0.0/16 + description "RFC1918" + le 32 + action deny + } + rule 101 { + prefix 172.16.0.0/12 + description "RFC1918" + le 32 + action deny + } + rule 102 { + prefix 10.0.0.0/8 + description "RFC1918" + le 32 + action deny + } + rule 103 { + prefix 169.254.0.0/16 + description "link-local" + le 32 + action deny + } + rule 104 { + prefix 100.64.0.0/10 + description "CGNAT" + le 32 + action deny + } + rule 105 { + prefix 127.0.0.0/8 + description "loopback" + le 32 + action deny + } + rule 106 { + prefix 192.0.0.0/24 + description "IETF protocol assignments" + le 32 + action deny + } + rule 107 { + prefix 192.0.2.0/24 + description "TEST-NET-1" + le 32 + action deny + } + rule 108 { + prefix 198.18.0.0/15 + description "Network interconnect device benchmark testing" + le 32 + action deny + } + rule 109 { + prefix 198.51.100.0/24 + description "TEST-NET-2" + le 32 + action deny + } + rule 110 { + prefix 203.0.113.0/24 + description "TEST-NET-3" + le 32 + action deny + } + rule 111 { + prefix 224.0.0.0/4 + description "multicast" + le 32 + action deny + } + rule 112 { + prefix 240.0.0.0/4 + description "reserved" + le 32 + action deny + } + rule 1000 { + prefix 0.0.0.0/0 + le 32 + action permit + } + rule 65535 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + prefix-list hphr-DFZ-DEFAULT-IPv4 { rule 10 { prefix 0.0.0.0/0 
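Review bot: Rule 1000 of hphr-DFZ-LONG-IPv4, `prefix 0.0.0.0/0 le 32`, also matches the default route itself (length 0 lies within le 32), so this list accepts 0.0.0.0/0 and ends up functionally identical to hphr-DFZ-DEFAULT-LONG-IPv4 in the next hunk, whose rule 10 exists only to permit that route; the same applies to rule 1000 `prefix ::/0 le 128` in hphr-DFZ-LONG-IPv6 in the third prefix-list hunk. If the non-DEFAULT lists are meant to reject a default from the peer, add a lower bound, e.g. `prefix 0.0.0.0/0 ge 1 le 32` (`ge 8` is the usual choice if nothing shorter than a /8 is expected) and `prefix ::/0 ge 1 le 128` for the IPv6 list. Rule 65535 is unreachable once rule 1000 matches everything, which is acceptable as a documented explicit deny but could carry `description "explicit final deny"` to say so. 0.0.0.0/8 ("this network", RFC 1122) is the one commonly filtered IPv4 bogon absent from rules 100–112, worth checking against the non-LONG list this was derived from, which is outside the hunk. Because `le 32` admits host routes, the neighbours that use this list presumably rely on a maximum-prefix limit for table-size protection — worth confirming.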
@@ -576,6 +669,101 @@ policy { } } + prefix-list hphr-DFZ-DEFAULT-LONG-IPv4 { + rule 10 { + prefix 0.0.0.0/0 + action permit + } + rule 100 { + prefix 192.168.0.0/16 + description "RFC1918" + le 32 + action deny + } + rule 101 { + prefix 172.16.0.0/12 + description "RFC1918" + le 32 + action deny + } + rule 102 { + prefix 10.0.0.0/8 + description "RFC1918" + le 32 + action deny + } + rule 103 { + prefix 169.254.0.0/16 + description "link-local" + le 32 + action deny + } + rule 104 { + prefix 100.64.0.0/10 + description "CGNAT" + le 32 + action deny + } + rule 105 { + prefix 127.0.0.0/8 + description "loopback" + le 32 + action deny + } + rule 106 { + prefix 192.0.0.0/24 + description "IETF protocol assignments" + le 32 + action deny + } + rule 107 { + prefix 192.0.2.0/24 + description "TEST-NET-1" + le 32 + action deny + } + rule 108 { + prefix 198.18.0.0/15 + description "Network interconnect device benchmark testing" + le 32 + action deny + } + rule 109 { + prefix 198.51.100.0/24 + description "TEST-NET-2" + le 32 + action deny + } + rule 110 { + prefix 203.0.113.0/24 + description "TEST-NET-3" + le 32 + action deny + } + rule 111 { + prefix 224.0.0.0/4 + description "multicast" + le 32 + action deny + } + rule 112 { + prefix 240.0.0.0/4 + description "reserved" + le 32 + action deny + } + rule 1000 { + prefix 0.0.0.0/0 + le 32 + action permit + } + rule 65535 { + prefix 0.0.0.0/0 + le 32 + action deny + } + } + prefix-list6 hphr-NO-IPv6 { rule 1 { prefix ::/0 
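Review bot: hphr-DFZ-DEFAULT-LONG-IPv4 repeats every rule of hphr-DFZ-LONG-IPv4 from the previous hunk verbatim and differs only in the added rule 10, so the two bogon tables will drift apart the first time one is edited; the IPv6 pair in the next two hunks duplicates the same way. Since this is a Jinja template, a macro with a `permit_default` flag can render both lists from one rule set, as sketched below. The prefix-list bodies sit inside the `policy {` block that opens outside the hunk, so the macro definition belongs near the top of the template and only the two calls go here.
```jinja
{% macro dfz_long_ipv4(name, permit_default=false) %}
    prefix-list {{ name }} {
{% if permit_default %}
        rule 10 {
            prefix 0.0.0.0/0
            action permit
        }
{% endif %}
        {# … unchanged: rules 100–112 bogon denies, rule 1000 permit, rule 65535 deny … #}
    }
{% endmacro %}
{# … unchanged: earlier prefix-lists in policy { … #}
{{ dfz_long_ipv4('hphr-DFZ-LONG-IPv4') }}
{{ dfz_long_ipv4('hphr-DFZ-DEFAULT-LONG-IPv4', permit_default=true) }}
```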
@@ -682,6 +870,84 @@ policy { } } + prefix-list6 hphr-DFZ-LONG-IPv6 { + rule 100 { + prefix ::/128 + description "not self" + action deny + } + rule 101 { + prefix ::1/128 + description "self" + action deny + } + rule 102 { + prefix ::ffff:0:0/96 + description "IPv4-mapped" + le 128 + action deny + } + rule 103 { + prefix ::/96 + description "IPv4-compatible" + le 128 + action deny + } + rule 104 { + prefix 100::/64 + description "RTBH addresses" + le 128 + action deny + } + rule 105 { + prefix 2001:10::/28 + description "ORCHID addresses" + le 128 + action deny + } + rule 106 { + prefix 2001:db8::/32 + description "documentation prefix" + le 128 + action deny + } + rule 107 { + prefix fc00::/7 + description "ULA address" + le 128 + action deny + } + rule 108 { + prefix fe80::/10 + description "link-local" + le 128 + action deny + } + rule 109 { + prefix fec0::/10 + description "site-local" + le 128 + action deny + } + rule 110 { + prefix ff0e::/16 + description "global multicast" + le 64 + action permit + } + rule 111 { + prefix ff00::/8 + description "multicast" + le 128 + action deny + } + rule 1000 { + prefix ::/0 + le 128 + action permit + } + } + prefix-list6 hphr-DFZ-DEFAULT-IPv6 { rule 10 { prefix ::/0 
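Review bot: Rule 110 of hphr-DFZ-LONG-IPv6 permits `ff0e::/16 le 64` ("global multicast") ahead of the ff00::/8 deny in rule 111, so multicast prefixes up to /64 pass a filter that otherwise admits only unicast space; unless this list is applied to a multicast SAFI session, the rule should be `action deny` (or dropped, since rule 111 then covers it), and the same rule appears in hphr-DFZ-DEFAULT-LONG-IPv6 in the next hunk. Rules 100 and 101 (`::/128`, `::1/128`) are already covered by rule 103 `::/96 le 128`, a harmless redundancy, but a `description` noting the overlap would stop a future editor from "fixing" one without the other. The list sits inside `policy {`, which opens outside the hunk.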
@@ -764,6 +1030,88 @@ policy { } } + prefix-list6 hphr-DFZ-DEFAULT-LONG-IPv6 { + rule 10 { + prefix ::/0 + action permit + } + rule 100 { + prefix ::/128 + description "not self" + action deny + } + rule 101 { + prefix ::1/128 + description "self" + action deny + } + rule 102 { + prefix ::ffff:0:0/96 + description "IPv4-mapped" + le 128 + action deny + } + rule 103 { + prefix ::/96 + description "IPv4-compatible" + le 128 + action deny + } + rule 104 { + prefix 100::/64 + description "RTBH addresses" + le 128 + action deny + } + rule 105 { + prefix 2001:10::/28 + description "ORCHID addresses" + le 128 + action deny + } + rule 106 { + prefix 2001:db8::/32 + description "documentation prefix" + le 128 + action deny + } + rule 107 { + prefix fc00::/7 + description "ULA address" + le 128 + action deny + } + rule 108 { + prefix fe80::/10 + description "link-local" + le 128 + action deny + } + rule 109 { + prefix fec0::/10 + description "site-local" + le 128 + action deny + } + rule 110 { + prefix ff0e::/16 + description "global multicast" + le 64 + action permit + } + rule 111 { + prefix ff00::/8 + description "multicast" + le 128 + action deny + } + rule 1000 { + prefix ::/0 + le 128 + action permit + } + } + prefix-list hphr-BLACKHOLE-IPv4 { rule 1 { prefix 0.0.0.0/0