You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1074 lines
37 KiB
Django/Jinja

/* -=-=-=-=-=-=-=-=-=-=-=-=-=- INTERFACES -=-=-=-=-=-=-=-=-=-=-=-=-=- */
{% macro interface_ip_ospf(iface_name) %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf') %}
ospf {
{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:cost',None) != None %}cost {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:cost') }}{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:passive') %}
{% else %}
network {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:network') }}
dead-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:dead-interval',40) }}
hello-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:hello-interval',10) }}
priority {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:priority',1) }}
retransmit-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:retransmit-interval',5) }}
transmit-delay {{ salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:transmit-delay',1) }}
{% endif %}
}
{% endif %}
{% endmacro %}
{% macro interface_ipv6_ospfv3(iface_name) %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3') %}
ospfv3 {
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:cost',None) != None %}cost {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:cost') }}{% endif %}
instance-id {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:instance-id',0) }}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:passive') %}
passive
{% else %}
dead-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:dead-interval',40) }}
hello-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:hello-interval',10) }}
priority {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:priority',1) }}
retransmit-interval {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:retransmit-interval',5) }}
transmit-delay {{ salt['pillar.get']('interfaces:'+iface_name+':ipv6:ospfv3:transmit-delay',1) }}
{% endif %}
}
{% endif %}
{% endmacro %}
interfaces {
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if iface_data['mgmt_only'] %}
{% elif iface_name == 'lo' %}
loopback lo {
description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}"
{% for address in iface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip') %}
ip {
{{ interface_ip_ospf(iface_name) }}
}
{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %}
ipv6 {
{{ interface_ipv6_ospfv3(iface_name) }}
}
{% endif %}
}
{% elif iface_data.get('type',{}).get('label','') != 'Virtual' %}
ethernet {{ iface_name }} {
description "{{ iface_data['description'].replace('"','\\"') or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ iface_data['connected_endpoint']['name'] }} @ {{ iface_data['connected_endpoint']['device']['display_name'] }}{% endif %}){% endif %}"
{% for address in iface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if iface_data['mac_address'] %}hw-id {{ iface_data['mac_address'].lower() }}{% endif %}
duplex auto
policy {
}
smp-affinity auto
speed auto
{% if not iface_data['enabled'] %}disable{% endif %}
{% if iface_data['lag'] %}bond-group {{ iface_data['lag']['name'] }}{% endif %}
{% for tagged_vlan in iface_data['tagged_vlans'] %}
{% set subiface_data = salt['pillar.get']('netbox:interfaces:%s.%d'%(iface_name,tagged_vlan['vid']),{'description':'','addresses':[],'enabled':False}) %}
vif {{ tagged_vlan['vid'] }} {
description "{{ tagged_vlan['name'].replace('"','\\"') or "-" }} => {{ subiface_data['description'].replace('"','\\"') or "-" }}"
{% for address in subiface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if not subiface_data['enabled'] %}disable{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+"."+("%d"%tagged_vlan['vid'])+':ip') %}
ip {
{{ interface_ip_ospf(iface_name+"."+("%d"%tagged_vlan['vid'])) }}
}
{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+"."+("%d"%tagged_vlan['vid'])+':ipv6') %}
ipv6 {
dup-addr-detect-transmits 1
{{ interface_ipv6_ospfv3(iface_name+"."+("%d"%tagged_vlan['vid'])) }}
}
{% endif %}
}
{% endfor %}
{% for subiface_name, subiface_data in pillar['netbox']['interfaces'].items() %}{% if subiface_data.get('form_factor',{}).get('label','') == 'Virtual' and subiface_name.startswith( iface_name + "." ) %}
{% endif %}{% endfor %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip') %}
ip {
{{ interface_ip_ospf(iface_name) }}
}
{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %}
ipv6 {
dup-addr-detect-transmits 1
{{ interface_ipv6_ospfv3(iface_name) }}
}
{% endif %}
}
{% endif %}{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- PROTOCOLS -=-=-=-=-=-=-=-=-=-=-=-=-=- */
protocols {
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- RPKI -=-=-=-=-=-=-=-=-=-=-=-=-=- */
rpki {
{% for cache_name,cache_data in salt['pillar.get']('protocols:rpki:cache',{}).items() %}
cache {{ cache_name }} {
address {{ cache_data[ 'address' ] }}
port {{ cache_data.get('port',3233) }}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */
ospf {
parameters {
router-id {{ salt['pillar.get']('protocols:ospf:parameters:router-id') }}
abr-type {{ salt['pillar.get']('protocols:ospf:parameters:abr-type','cisco') }}
}
{% if 'default-information' in salt['pillar.get']('protocols:ospf') %}
default-information {
{% if 'originate' in salt['pillar.get']('protocols:ospf:default-information') %}
originate {
{% if salt['pillar.get']('protocols:ospf:default-information:originate:metric',None) %}metric {{ salt['pillar.get']('protocols:ospf:default-information:originate:metric') }}{% endif %}
{% if salt['pillar.get']('protocols:ospf:default-information:originate:metric-type',None) %}metric-type {{ salt['pillar.get']('protocols:ospf:default-information:originate:metric-type') }}{% endif %}
}
{% endif %}
}
{% endif %}
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':ip:ospf:passive') %}
passive-interface {{ iface_name }}
{% endif %}{% endfor %}
{% for area_name, area_data in pillar['protocols']['ospf']['area'].items() %}
area {{ area_name }} {
{% for network, network_data in area_data['networks'].items() %}
network {{ network }}
{% endfor %}
}
{% endfor %}
}
ospfv3 {
parameters {
router-id {{ salt['pillar.get']('protocols:ospfv3:parameters:router-id') }}
}
{% for area_name, area_data in pillar['protocols']['ospfv3']['area'].items() %}
area {{ area_name }} {
{% for range, range_data in area_data.get('range',{}).items() %}
range {{ range }} {
}
{% endfor %}
{% for interface, interface_data in area_data.get('interface',{}).items() %}
interface {{ interface }}
{% endfor %}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- STATIC -=-=-=-=-=-=-=-=-=-=-=-=-=- */
static {
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}
{% for address in iface_data['addresses'] %}
{% if address['address'].endswith("/32") and address.get('description','')|is_ipv4(options='public') %}
interface-route {{ address['description'] }} {
next-hop-interface {{ iface_name }}
}
{% endif %}
{% if address['address'].endswith("/128") and address.get('description','')|is_ipv6(options='public') %}
interface-route6 {{ address['description'] }} {
next-hop-interface {{ iface_name }}
}
{% endif %}
{% endfor %}
{% endfor %}
{% for route_name, route_data in pillar['protocols']['static']['route'].items() %}
route {{ route_name }} {
{% for nexthop, nexthop_data in route_data.get('next-hop',{}).items() %}
next-hop {{ nexthop }} {
}
{% endfor %}
{% if route_data.get('blackhole',None) %}
blackhole {
distance {{ route_data['blackhole'].get('distance',254) }}
}
{% endif %}
}
{% endfor %}
{% for route_name, route_data in pillar['protocols']['static']['route6'].items() %}
route6 {{ route_name }} {
{% for nexthop, nexthop_data in route_data.get('next-hop',{}).items() %}
next-hop {{ nexthop }} {
}
{% endfor %}
{% if route_data.get('blackhole',None) %}
blackhole {
distance {{ route_data['blackhole'].get('distance',254) }}
}
{% endif %}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- BGP -=-=-=-=-=-=-=-=-=-=-=-=-=- */
{% for bgp_as, as_data in salt['pillar.get']('protocols:bgp',{}).items() %}
bgp {{ bgp_as }} {
parameters {
router-id {{ as_data['parameters']['router-id'] }}
}
{% if as_data.get('address-family',None) %}
address-family {
{% if as_data['address-family'].get('ipv4-unicast',None) %}
ipv4-unicast {
redistribute {
{% for redistribute, redist_data in as_data['address-family']['ipv4-unicast'].get('redistribute',{}).items() %}
{{ redistribute }} {
{% if 'route-map' in redist_data %}route-map {{ redist_data['route-map'] }}{% endif %}
}
{% endfor %}
}
{% for network, network_data in as_data['address-family']['ipv4-unicast'].get('network',{}).items() %}
network {{ network }} {
{% if 'route-map' in network_data %}route-map {{ network_data['route-map'] }}{% endif %}
}
{% endfor %}
}
{% endif %}
{% if as_data['address-family'].get('ipv6-unicast',None) %}
ipv6-unicast {
redistribute {
{% for redistribute, redist_data in as_data['address-family']['ipv6-unicast'].get('redistribute',{}).items() %}
{{ redistribute }} {
{% if 'route-map' in redist_data %}route-map {{ redist_data['route-map'] }}{% endif %}
}
{% endfor %}
}
{% for network, network_data in as_data['address-family']['ipv6-unicast'].get('network',{}).items() %}
network {{ network }} {
{% if 'route-map' in network_data %}route-map {{ network_data['route-map'] }}{% endif %}
}
{% endfor %}
}
{% endif %}
}
{% endif %}
{% for neighbor, neighbor_data in as_data.get('neighbor',{}).items() %}
neighbor {{ neighbor }} {
remote-as {{ neighbor_data['remote-as'] }}
{% if 'password' in neighbor_data %}password {{ neighbor_data['password'] }}{% endif %}
{% if 'update-source' in neighbor_data %}update-source {{ neighbor_data['update-source'] }}{% endif %}
{% if 'ebgp-multihop' in neighbor_data %}ebgp-multihop {{ neighbor_data['ebgp-multihop'] }}{% endif %}
{% if 'address-family' in neighbor_data %}
address-family {
{% if 'ipv4-unicast' in neighbor_data['address-family'] %}
ipv4-unicast {
{% if neighbor_data['address-family']['ipv4-unicast'].get('route-reflector-client',False) %}route-reflector-client{% endif %}
{% if neighbor_data['address-family']['ipv4-unicast'].get('route-server-client',False) %}route-server-client{% endif %}
{% if 'prefix-list' in neighbor_data['address-family']['ipv4-unicast'] %}
prefix-list {
{% if 'export' in neighbor_data['address-family']['ipv4-unicast']['prefix-list'] %}export {{ neighbor_data['address-family']['ipv4-unicast']['prefix-list']['export'] }}{% endif %}
{% if 'import' in neighbor_data['address-family']['ipv4-unicast']['prefix-list'] %}import {{ neighbor_data['address-family']['ipv4-unicast']['prefix-list']['import'] }}{% endif %}
}
{% endif %}
{% if 'route-map' in neighbor_data['address-family']['ipv4-unicast'] %}
route-map {
{% if 'export' in neighbor_data['address-family']['ipv4-unicast']['route-map'] %}export {{ neighbor_data['address-family']['ipv4-unicast']['route-map']['export'] }}{% endif %}
{% if 'import' in neighbor_data['address-family']['ipv4-unicast']['route-map'] %}import {{ neighbor_data['address-family']['ipv4-unicast']['route-map']['import'] }}{% endif %}
}
{% endif %}
{% if 'soft-reconfiguration' in neighbor_data['address-family']['ipv4-unicast'] %}
soft-reconfiguration {
{% for softreconf in neighbor_data['address-family']['ipv4-unicast']['soft-reconfiguration'] %}
{{ softreconf }}
{% endfor %}
}
{% endif %}
{% if 'allowas-in' in neighbor_data['address-family']['ipv4-unicast'] %}
allowas-in {
{# neighbor_data['address-family']['ipv4-unicast']['allowas-in'] #}
}
{% endif %}
{% if neighbor_data['address-family']['ipv4-unicast'].get('nexthop-self',False) %}
nexthop-self
{% endif %}
{% if neighbor_data['address-family']['ipv4-unicast'].get('maximum-prefix',None) != None %}
maximum-prefix {{ neighbor_data['address-family']['ipv4-unicast'].get('maximum-prefix',None) }}
{% endif %}
}
{% endif %}
{% if 'ipv6-unicast' in neighbor_data['address-family'] %}
ipv6-unicast {
{% if neighbor_data['address-family']['ipv6-unicast'].get('route-reflector-client',False) %}route-reflector-client{% endif %}
{% if neighbor_data['address-family']['ipv6-unicast'].get('route-server-client',False) %}route-server-client{% endif %}
{% if 'prefix-list' in neighbor_data['address-family']['ipv6-unicast'] %}
prefix-list {
{% if 'export' in neighbor_data['address-family']['ipv6-unicast']['prefix-list'] %}export {{ neighbor_data['address-family']['ipv6-unicast']['prefix-list']['export'] }}{% endif %}
{% if 'import' in neighbor_data['address-family']['ipv6-unicast']['prefix-list'] %}import {{ neighbor_data['address-family']['ipv6-unicast']['prefix-list']['import'] }}{% endif %}
}
{% endif %}
{% if 'route-map' in neighbor_data['address-family']['ipv6-unicast'] %}
route-map {
{% if 'export' in neighbor_data['address-family']['ipv6-unicast']['route-map'] %}export {{ neighbor_data['address-family']['ipv6-unicast']['route-map']['export'] }}{% endif %}
{% if 'import' in neighbor_data['address-family']['ipv6-unicast']['route-map'] %}import {{ neighbor_data['address-family']['ipv6-unicast']['route-map']['import'] }}{% endif %}
}
{% endif %}
{% if 'soft-reconfiguration' in neighbor_data['address-family']['ipv6-unicast'] %}
soft-reconfiguration {
{% for softreconf in neighbor_data['address-family']['ipv6-unicast']['soft-reconfiguration'] %}
{{ softreconf }}
{% endfor %}
}
{% endif %}
{% if 'allowas-in' in neighbor_data['address-family']['ipv6-unicast'] %}
allowas-in {
{# neighbor_data['address-family']['ipv6-unicast']['allowas-in'] #}
}
{% endif %}
{% if neighbor_data['address-family']['ipv6-unicast'].get('nexthop-self',False) %}
nexthop-self
{% endif %}
{% if neighbor_data['address-family']['ipv6-unicast'].get('maximum-prefix',None) != None %}
maximum-prefix {{ neighbor_data['address-family']['ipv6-unicast'].get('maximum-prefix',None) }}
{% endif %}
}
{% endif %}
}
{% endif %}
}
{% endfor %}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */
policy {
prefix-list hphr-NO-IPv4 {
rule 1 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list hphr-ALL-IPv4 {
rule 1 {
prefix 0.0.0.0/0
le 32
action permit
}
}
prefix-list hphr-DEFAULT-IPv4 {
rule 1 {
prefix 0.0.0.0/0
action permit
}
rule 2 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list hphr-DFZ-IPv4 {
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list hphr-DFZ-DEFAULT-IPv4 {
rule 10 {
prefix 0.0.0.0/0
action permit
}
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list6 hphr-NO-IPv6 {
rule 1 {
prefix ::/0
le 128
action deny
}
}
prefix-list6 hphr-ALL-IPv6 {
rule 1 {
prefix ::/0
le 128
action permit
}
}
prefix-list6 hphr-DEFAULT-IPv6 {
rule 1 {
prefix ::/0
action permit
}
rule 2 {
prefix ::/0
le 128
action deny
}
}
prefix-list6 hphr-DFZ-IPv6 {
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
le 64
action permit
}
}
prefix-list6 hphr-DFZ-DEFAULT-IPv6 {
rule 10 {
prefix ::/0
action permit
}
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
le 64
action permit
}
}
prefix-list hphr-BLACKHOLE-IPv4 {
rule 1 {
prefix 0.0.0.0/0
ge 32
le 32
action permit
}
}
prefix-list6 hphr-BLACKHOLE-IPv6 {
rule 1 {
prefix ::/0
ge 64
le 128
action permit
}
}
route-map hphr-BLACKHOLE-IPv4 {
rule 1 {
match {
ip {
address {
prefix-list hphr-BLACKHOLE-IPv4
}
}
}
action permit
set {
ip-next-hop {{ salt['pillar.get']('protocols:static:blackhole:IPv4') }}
}
}
}
route-map hphr-BLACKHOLE-IPv6 {
rule 1 {
match {
ipv6 {
address {
prefix-list hphr-BLACKHOLE-IPv6
}
}
}
action permit
set {
ipv6-next-hop {
global {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
}
}
}
}
{% include "route-map/self.j2" %}
{% for community_list_name, cm_data in pillar['policy']['community-list'].items() %}
community-list {{ community_list_name }} {
{% for group in cm_data %}
rule {{ loop.index }} {
regex "{{ group['community'] }}"
action permit
}
{% endfor %}
}
{% endfor %}
{% for route_map_name, af_pg in pillar['policy']['route-map'].items() %}{% for af, prefix_groups in af_pg.items() %}
route-map {{ route_map_name }}-{{ af }} {
{% for group in prefix_groups %}
rule {{ loop.index }} {
match {
{% if 'match-prefix-list' in group %}
{% if af=="IPv4" %}ip{% elif af=="IPv6" %}ipv6{% endif %} {
address {
prefix-list {{ group['match-prefix-list'] }}
}
}
{% endif %}
{% if 'match-community' in group %}
community {
community-list {{ group['match-community'] }}
}
{% endif %}
{% if 'match-rpki' in group %}
rpki {{ group['match-rpki'] }}
{% endif %}
}
action {{ group.get('action','permit') }}
{% if 'on-match' in group %}
on-match {
{{ group['on-match'] }}
}
{% endif %}
{% if 'continue' in group %}
continue {% if group['continue'] == 'next' %}{{ loop.index+1 }}{% else %}{{ group['continue'] }}{% endif %}
{% endif %}
set {
{% if 'set-community' in group %}community {{ group['set-community'] }}{% endif %}
{% if 'set-local-preference' in group %}local-preference {{ group['set-local-preference'] }}{% endif %}
}
}
{% endfor %}
}
{% endfor %}{% endfor %}
{% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list {{ prefix_list_name }} {
{% if 'bgpq3' in prefix_data %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -4 -j ' + prefix_data["bgpq3"]["IPv4"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %}
{% for prefix in jsonblob.NN %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
{% elif 'static' in prefix_data %}
{% for prefix in prefix_data['static']['prefixes'] %}
rule {{ loop.index }} {
{% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %}
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
{% endif %}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}
{% endfor %}
{% for prefix_list_name, prefix_data in salt['pillar.get']("policy:prefix-list",{}).items() %}
prefix-list6 {{ prefix_list_name }} {
{% if 'bgpq3' in prefix_data %}
{% set jsonblob = salt['cmd.run']('/tmp/bgpq3 -A -6 -j ' + prefix_data["bgpq3"]["IPv6"], env={'BIND_ADDR':pillar['loopback']['IPv4'], 'BIND_ADDR6':pillar['loopback']['IPv6'], 'LD_PRELOAD':'/tmp/bind.so'})|load_json %}
{% for prefix in jsonblob.NN %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
{% elif 'static' in prefix_data %}
{% for prefix in prefix_data['static']['prefixes'] %}
{% if prefix.get('description',None) != None %}description '{{ prefix['description'].replace("'","\\'") }}'{% endif %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal',None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal',None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
{% endif %}
rule 65535 {
prefix ::/0
le 128
action deny
}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */
service {
lldp {
{% for iface_name, iface_data in salt['pillar.get']('service:lldp:interface',{}).items() %}
interface {{ iface_name }} {
}
{% endfor %}
management-address {{ pillar['service']['lldp']['management-address'] }}
}
salt-minion {
id {{ grains['fqdn'] }}
master {{ pillar['service']['salt-minion']['master'] }}
}
snmp {
{% for cty_name, cty_data in salt['pillar.get']('service:snmp:community',{}).items() %}
community {{ cty_name }} {
}
{% endfor %}
trap-source {{ pillar['service']['snmp']['trap-source'] }}
listen-address {{ pillar['service']['snmp']['trap-source'] }}
{% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %}
trap-target {{ trap_target }} {
}
{% endfor %}
}
ssh {
listen-address {{ pillar['service']['ssh']['listen-address'] }}
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
key-exchange curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SYSTEM -=-=-=-=-=-=-=-=-=-=-=-=-=- */
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 9600
}
}
flow-accounting {
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
interface {{ iface_name }}
{% endif %}{% endfor %}
netflow {
sampling-rate {{ pillar['netflow']['sampling-rate']}}
{% for server in pillar['netflow']['servers'] %}
server {{ server.split(":")[0] }} {
port {{ server.split(":")[1] }}
}
{% endfor %}
version 9
}
}
host-name {{ grains['fqdn'] }}
ip {
multipath {
layer4-hashing
}
}
ipv6 {
multipath {
layer4-hashing
}
}
login {
user vyos {
authentication {
encrypted-password $6$fXZ3cwEft1XFJTH$twZmVheX0PEi21KqQfv/zvKhuXVc1UwVVXI3Y7KCXYk0osil3QmJqmAYgNQyNqGUROydxp7R6yiPe4N06QnBH1
plaintext-password ""
}
level admin
}
}
{% for nameserver in pillar['nameservers'] %}
name-server {{ nameserver }}
{% endfor %}
ntp {
{% for ntp_server, ntp_data in pillar['ntp'].items() %}
server {{ ntp_server }} {
}
{% endfor %}
}
options {
ctrl-alt-del-action ignore
reboot-on-panic true
beep-if-fully-booted
}
sysctl {
all net.ipv4.conf.all.rp_filter {
value 2
}
all net.ipv4.conf.default.rp_filter {
value 2
}
{% for sysctl, value in salt['pillar.get']('system:sysctl:custom', {}).items() %}
custom {{ sysctl }} {
value {{ value }}
}
{% endfor %}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@3:ssh@1:system@11:vrrp@2:vyos-accel-ppp@1:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.0-rolling+201904240337 */