From ec1905f1bde36d10019ff23f39f1b2d941f6b919 Mon Sep 17 00:00:00 2001
From: Marek Isalski
Date: Sat, 18 May 2019 10:33:49 +0100
Subject: [PATCH] now doing BCP38
---
 bcp38.ipset.j2 | 30 +++++++++++++++++++++++++++---
 bcp38.iptables.v4 | 2 ++
 bcp38.iptables.v6 | 2 ++
 hphr.sls | 5 +++++
 postconfig.sh | 9 +++++++++
 5 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/bcp38.ipset.j2 b/bcp38.ipset.j2
index 0adfd5e..3146fd8 100644
--- a/bcp38.ipset.j2
+++ b/bcp38.ipset.j2
@@ -1,3 +1,27 @@
-create foo hash:net,iface family inet hashsize 1024 maxelem 65536
-add foo 0.0.0.0/0,eth0
-add foo 0.0.0.0/0,lo
+create tmp-bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -4 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv4"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
+add tmp-bcp38-cone-oface-v4 {{ prefix.grouper }},{{ iface }}
+{% endfor %}{% endif %}{% endfor %}
+swap tmp-bcp38-cone-oface-v4 bcp38-cone-oface-v4
+destroy tmp-bcp38-cone-oface-v4
+
+create tmp-bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
+add tmp-bcp38-else-oface-v4 0.0.0.0/0,{{ iface }}
+{% endif %}{% endfor %}
+swap tmp-bcp38-else-oface-v4 bcp38-else-oface-v4
+destroy tmp-bcp38-else-oface-v4
+
+create tmp-bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -6 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv6"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
+add tmp-bcp38-cone-oface-v6 {{ prefix.grouper }},{{ iface }}
+{% endfor %}{% endif %}{% endfor %}
+swap tmp-bcp38-cone-oface-v6 bcp38-cone-oface-v6
+destroy tmp-bcp38-cone-oface-v6
+
+create tmp-bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
+{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
+add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
+{% endif %}{% endfor %}
+swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
+destroy tmp-bcp38-else-oface-v6
diff --git a/bcp38.iptables.v4 b/bcp38.iptables.v4
index e161430..a9c8edd 100644
--- a/bcp38.iptables.v4
+++ b/bcp38.iptables.v4
@@ -1,6 +1,8 @@
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
+-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
+-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP
 :OUTPUT ACCEPT [0:0]
 COMMIT
diff --git a/bcp38.iptables.v6 b/bcp38.iptables.v6
index e161430..c045bc6 100644
--- a/bcp38.iptables.v6
+++ b/bcp38.iptables.v6
@@ -1,6 +1,8 @@
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
+-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
+-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
 :OUTPUT ACCEPT [0:0]
 COMMIT
diff --git a/hphr.sls b/hphr.sls
index f2026de..22a4db7 100644
--- a/hphr.sls
+++ b/hphr.sls
@@ -39,12 +39,17 @@ configure:
 - template: jinja
 - source: salt://bcp38.ipset.j2
+chmod /config/scripts/vyos-postconfig-bootup.script:
+ cmd.run:
+ - name: sudo chmod 760 /config/scripts/vyos-postconfig-bootup.script
+
 /config/scripts/vyos-postconfig-bootup.script:
 file.managed:
 - template: jinja
 - source: salt://postconfig.sh
 - mode: 760
 - require:
+ - cmd: chmod /config/scripts/vyos-postconfig-bootup.script
 - file: /config/hphr.rules.v4
 - file: /config/hphr.rules.v6
 - file: /config/hphr.ipset
diff --git a/postconfig.sh b/postconfig.sh
index 9fe0f72..ecb0b50 100644
--- a/postconfig.sh
+++ b/postconfig.sh
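Review bot: The `salt["cmd.run"]` calls on the two cone-set `{% for %}` lines execute `/tmp/bgpq3` with `LD_PRELOAD=/tmp/bind.so`, i.e. a binary and a shared object loaded from a world-writable directory at render time; whoever renders this template (normally root) runs whatever a local user has placed at those paths, and /tmp is typically emptied on reboot so the files may simply be absent. Install both under a root-owned, non-world-writable directory and reference that path here. The AS-SET name from `iface_data["bcp38"]["source"]["bgpq3"]["IPv4"]` (and the IPv6 twin) is concatenated into the command string; if `cmd.run` hands that string to a shell, a pillar value containing shell metacharacters becomes command injection, so pass the command as a list (`["/tmp/bgpq3", "-A", "-4", "-j", iface_data["bcp38"]["source"]["bgpq3"]["IPv4"]]`) or validate the name against a strict pattern first. It is also worth a comment in the template that a bgpq3 run returning no prefixes leaves the cone set empty, which drops all traffic out of that interface, while a failed run makes `load_json` abort the whole render.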
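Review bot: The new `-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT` rule terminates FORWARD processing for every packet whose source is in the cone, so any filtering appended to FORWARD later in this file or by another state is silently bypassed for that traffic; the v6 rule in bcp38.iptables.v6 has the same shape. BCP38 only needs a deny, so one rule expresses it without the early ACCEPT: `-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -m set ! --match-set bcp38-cone-oface-v4 src,dst -j DROP`. A rate-limited (`-m limit`) `-j LOG` just before the DROP would make spoofed-source traffic visible in syslog rather than vanishing. A comment in the file that `src,dst` on a hash:net,iface set means source address plus outgoing interface would help, since that is not obvious from the rule text.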
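Review bot: The new `chmod /config/scripts/vyos-postconfig-bootup.script` cmd.run state is added to the require list of the file.managed state that writes that script, so it runs before the file exists on a fresh host; `sudo chmod 760` then fails and the script is never written. It also has no `unless`/`onlyif`, so it reports a change on every highstate. If the chmod is needed because the minion's user cannot apply `mode: 760` itself, invert the dependency: drop the `- cmd: chmod /config/scripts/vyos-postconfig-bootup.script` entry from the require list and give the cmd.run state `- onchanges:` / `  - file: /config/scripts/vyos-postconfig-bootup.script` so it runs only after the file has been (re)written. The state whose `- template: jinja` opens this hunk starts before it.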
@@ -1,6 +1,15 @@
 #!/bin/sh
+ipset destroy tmp-bcp38-cone-oface-v4 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-else-oface-v4 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-cone-oface-v6 2> /dev/null || /bin/true
+ipset destroy tmp-bcp38-else-oface-v6 2> /dev/null || /bin/true
+ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
+ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
 ipset restore < /config/hphr.ipset
+
 iptables-restore /config/hphr.rules.v4
 ip6tables-restore /config/hphr.rules.v6
 echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
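Review bot: `ipset restore < /config/hphr.ipset` stays unchecked while the eight new lines around it deliberately swallow errors, so a failed restore (for example a cone exceeding `maxelem 65536`) leaves the freshly created `bcp38-*` sets empty and the script still installs the DROP rules against them; empty sets match nothing, so BCP38 filtering is silently off. Make that step fail loudly: `ipset restore < /config/hphr.ipset || logger -p daemon.err "hphr: ipset restore failed, BCP38 sets may be empty"` (or exit non-zero if whatever runs this boot script surfaces that). The `2> /dev/null` on the destroy/create lines is fine for the expected "already exists" case but also hides genuine errors; a header comment stating that these lines only guarantee the target sets exist so the template's `swap` can succeed, and that their parameters must stay identical to the `create` lines in bcp38.ipset.j2, would save the next maintainer from drifting the two copies apart.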