now doing BCP38

bcp38.ipset.j2

@@ -1,3 +1,27 @@
-create foo hash:net,iface family inet hashsize 1024 maxelem 65536
-add foo 0.0.0.0/0,eth0
-add foo 0.0.0.0/0,lo
+create tmp-bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -4 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv4"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
+add tmp-bcp38-cone-oface-v4 {{ prefix.grouper }},{{ iface }}
+{% endfor %}{% endif %}{% endfor %}
+swap tmp-bcp38-cone-oface-v4 bcp38-cone-oface-v4
+destroy tmp-bcp38-cone-oface-v4
+
+create tmp-bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
+add tmp-bcp38-else-oface-v4 0.0.0.0/0,{{ iface }}
+{% endif %}{% endfor %}
+swap tmp-bcp38-else-oface-v4 bcp38-else-oface-v4
+destroy tmp-bcp38-else-oface-v4
+
+create tmp-bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -6 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv6"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
+add tmp-bcp38-cone-oface-v6 {{ prefix.grouper }},{{ iface }}
+{% endfor %}{% endif %}{% endfor %}
+swap tmp-bcp38-cone-oface-v6 bcp38-cone-oface-v6
+destroy tmp-bcp38-cone-oface-v6
+
+create tmp-bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
+add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
+{% endif %}{% endfor %}
+swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
+destroy tmp-bcp38-else-oface-v6

bcp38.iptables.v4

@@ -1,6 +1,8 @@
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
+-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
+-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP
 :OUTPUT ACCEPT [0:0]
 COMMIT
 

bcp38.iptables.v6

@@ -1,6 +1,8 @@
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
+-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
+-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
 :OUTPUT ACCEPT [0:0]
 COMMIT
 

hphr.sls

@@ -39,12 +39,17 @@ configure:
     - template: jinja
     - source: salt://bcp38.ipset.j2
 
+chmod /config/scripts/vyos-postconfig-bootup.script:
+  cmd.run:
+    - name: sudo chmod 760 /config/scripts/vyos-postconfig-bootup.script
+
 /config/scripts/vyos-postconfig-bootup.script:
   file.managed:
     - template: jinja
     - source: salt://postconfig.sh
     - mode: 760
     - require:
+      - cmd: chmod /config/scripts/vyos-postconfig-bootup.script
       - file: /config/hphr.rules.v4
       - file: /config/hphr.rules.v6
       - file: /config/hphr.ipset

postconfig.sh

@@ -1,6 +1,15 @@
 #!/bin/sh
 
+ipset destroy tmp-bcp38-cone-oface-v4 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-else-oface-v4 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-cone-oface-v6 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-else-oface-v6 2> /dev/null || /bin/true
+ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
 ipset restore < /config/hphr.ipset
+
 iptables-restore /config/hphr.rules.v4
 ip6tables-restore /config/hphr.rules.v6
 echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter