FAELIX/hphr
FAELIX/hphr
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

now doing BCP38

Browse Source
This commit is contained in:
Marek Isalski 2019-05-18 10:33:49 +01:00
parent ac521117b0
commit ec1905f1bd
5 changed files with 45 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
bcp38.ipset.j2
View File

@ -1,3 +1,27 @@
create foo hash:net,iface family inet hashsize 1024 maxelem 65536 create tmp-bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
add foo 0.0.0.0/0,eth0 {% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -4 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv4"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
add foo 0.0.0.0/0,lo add tmp-bcp38-cone-oface-v4 {{ prefix.grouper }},{{ iface }}
{% endfor %}{% endif %}{% endfor %}
swap tmp-bcp38-cone-oface-v4 bcp38-cone-oface-v4
destroy tmp-bcp38-cone-oface-v4
create tmp-bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
add tmp-bcp38-else-oface-v4 0.0.0.0/0,{{ iface }}
{% endif %}{% endfor %}
swap tmp-bcp38-else-oface-v4 bcp38-else-oface-v4
destroy tmp-bcp38-else-oface-v4
create tmp-bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}{% set jsonblob = salt["cmd.run"]("/tmp/bgpq3 -A -6 -j " + iface_data["bcp38"]["source"]["bgpq3"]["IPv6"], env={"BIND_ADDR":pillar["loopback"]["IPv4"], "BIND_ADDR6":pillar["loopback"]["IPv6"], "LD_PRELOAD":"/tmp/bind.so"})|load_json %}{% for prefix in jsonblob.NN|groupby("prefix") %}
add tmp-bcp38-cone-oface-v6 {{ prefix.grouper }},{{ iface }}
{% endfor %}{% endif %}{% endfor %}
swap tmp-bcp38-cone-oface-v6 bcp38-cone-oface-v6
destroy tmp-bcp38-cone-oface-v6
create tmp-bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536
{% for iface, iface_data in salt["pillar.get"]("interfaces").items() %}{% if iface_data.get("bcp38",None) %}
add tmp-bcp38-else-oface-v6 ::/0,{{ iface }}
{% endif %}{% endfor %}
swap tmp-bcp38-else-oface-v6 bcp38-else-oface-v6
destroy tmp-bcp38-else-oface-v6

2
bcp38.iptables.v4
View File

@ -1,6 +1,8 @@
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v4 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v4 src,dst -j DROP
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
COMMIT COMMIT

2
bcp38.iptables.v6
View File

@ -1,6 +1,8 @@
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
-A FORWARD -m set --match-set bcp38-cone-oface-v6 src,dst -j ACCEPT
-A FORWARD -m set --match-set bcp38-else-oface-v6 src,dst -j DROP
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
COMMIT COMMIT

5
hphr.sls
View File

@ -39,12 +39,17 @@ configure:
- template: jinja - template: jinja
- source: salt://bcp38.ipset.j2 - source: salt://bcp38.ipset.j2
chmod /config/scripts/vyos-postconfig-bootup.script:
cmd.run:
- name: sudo chmod 760 /config/scripts/vyos-postconfig-bootup.script
/config/scripts/vyos-postconfig-bootup.script: /config/scripts/vyos-postconfig-bootup.script:
file.managed: file.managed:
- template: jinja - template: jinja
- source: salt://postconfig.sh - source: salt://postconfig.sh
- mode: 760 - mode: 760
- require: - require:
- cmd: chmod /config/scripts/vyos-postconfig-bootup.script
- file: /config/hphr.rules.v4 - file: /config/hphr.rules.v4
- file: /config/hphr.rules.v6 - file: /config/hphr.rules.v6
- file: /config/hphr.ipset - file: /config/hphr.ipset

9
postconfig.sh
View File

@ -1,6 +1,15 @@
#!/bin/sh #!/bin/sh
ipset destroy tmp-bcp38-cone-oface-v4 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-else-oface-v4 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-cone-oface-v6 2> /dev/null || /bin/true
ipset destroy tmp-bcp38-else-oface-v6 2> /dev/null || /bin/true
ipset create bcp38-cone-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-else-oface-v4 hash:net,iface family inet hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-cone-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset create bcp38-else-oface-v6 hash:net,iface family inet6 hashsize 1024 maxelem 65536 2> /dev/null || /bin/true
ipset restore < /config/hphr.ipset ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4 iptables-restore /config/hphr.rules.v4
ip6tables-restore /config/hphr.rules.v6 ip6tables-restore /config/hphr.rules.v6
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter