now doing BCP38

master
Marek Isalski 6 years ago
parent ac521117b0
commit ec1905f1bd

@ -1,3 +1,27 @@
create foo hash:net,iface family inet hashsize 1024 maxelem 65536
add foo 0.0.0.0/0,eth0
add foo 0.0.0.0/0,lo
create tmp-bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -4 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv4"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
add tmp-bcp38-cone-oface-v4 {{ prefix.grouper }},{{ iface }}
{% endfor %}{% endif %}{% endfor %}
swap tmp-bcp38-cone-oface-v4 bcp38-cone-oface-v4
destroy tmp-bcp38-cone-oface-v4
create tmp-bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
add tmp-bcp38-else-oface-v4 0.0.0.0/0,{{ iface }}
{% endif %}{% endfor %}
swap tmp-bcp38-else-oface-v4 bcp38-else-oface-v4
destroy tmp-bcp38-else-oface-v4
create tmp-bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -6 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv6"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
add tmp-bcp38-cone-oface-v6 {{ prefix.grouper }},{{ iface }}
{% endfor %}{% endif %}{% endfor %}
swap tmp-bcp38-cone-oface-v6 bcp38-cone-oface-v6
destroy tmp-bcp38-cone-oface-v6
create tmp-bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
{% endif %}{% endfor %}
swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
destroy tmp-bcp38-else-oface-v6

@ -1,6 +1,8 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT

@ -1,6 +1,8 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
:OUTPUT ACCEPT [0:0]
COMMIT

@ -39,12 +39,17 @@ configure:
- template: jinja
- source: salt://bcp38.ipset.j2
chmod /config/scripts/vyos-postconfig-bootup.script:
cmd.run:
- name: sudo chmod 760 /config/scripts/vyos-postconfig-bootup.script
/config/scripts/vyos-postconfig-bootup.script:
file.managed:
- template: jinja
- source: salt://postconfig.sh
- mode: 760
- require:
- cmd: chmod /config/scripts/vyos-postconfig-bootup.script
- file: /config/hphr.rules.v4
- file: /config/hphr.rules.v6
- file: /config/hphr.ipset

@ -1,6 +1,15 @@
#!/bin/sh
ipset destroy tmp-bcp38-cone-oface-v4 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-else-oface-v4 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-cone-oface-v6 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-else-oface-v6 2> /dev/null || /bin/true
ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4
ip6tables-restore /config/hphr.rules.v6
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter

Loading…
Cancel
Save