From 354051d0970b948cf5c78ef57a90f2a23753b578 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Thu, 26 Oct 2023 12:59:51 +0200
Subject: [PATCH] functional trusted_peers

---
 defaults/main.yml        |  2 ++
 templates/frr_conf.j2    | 18 ++++++++++++++++++
 templates/int_rtr.nft.j2 |  2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 7b44103..0c2fb58 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,3 +8,5 @@ dc4_ranges: []
 
 anycast_ranges: []
 anycast4_ranges: []
+
+trusted_peers: []
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
index e8c62c5..ae1e3f0 100644
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -15,9 +15,22 @@ router bgp {{bgp_asn}}
 {% endfor %}
  neighbor outside peer-group
  neighbor outside remote-as external
+ neighbor trusted-peers peer-group
+ neighbor trusted-peers remote-as internal
+ neighbor trusted-peers bfd
+{% for neighbor in trusted_peers %}
+{%   if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
+ neighbor {{ neighbor }} peer-group trusted-peers
+{%   else %}
+ neighbor {{ neighbor }} interface peer-group trusted-peers
+{%   endif %}
+{% endfor %}
 !
  address-family ipv4 unicast
   network 0.0.0.0/0
+  neighbor trusted-peers activate
+  neighbor trusted-peers prefix-list all out
+  neighbor trusted-peers prefix-list all in
 {% for neighbor in internet_connections %}
 {%   for ip in neighbor.peer_ips %}
 {%     if ip|ansible.utils.ipv4 %}
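Review bot: The trusted-peers peer-group added at the top of this hunk is attached to `prefix-list all` in both directions with no `maximum-prefix`, so any peer placed in `trusted_peers` can inject every prefix it holds, including a competing default route, into this router, and the same unfiltered `activate`/`prefix-list all in` lines are repeated in the ipv6 unicast hunk below. If that is intended for iBGP (inferred from `remote-as internal`), state it once above the peer-group with a Jinja comment such as `{# trusted-peers: iBGP neighbours, deliberately unfiltered in both address families #}` so the next reader does not mistake it for an oversight, and consider a `neighbor trusted-peers maximum-prefix <limit>` line as a bound on a misconfigured peer. The `router bgp` block begins before and ends after this hunk.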
@@ -30,6 +43,9 @@ router bgp {{bgp_asn}}
 !
  address-family ipv6 unicast
   network ::/0
+  neighbor trusted-peers activate
+  neighbor trusted-peers prefix-list all out
+  neighbor trusted-peers prefix-list all in
 {% for neighbor in internet_connections %}
 {%   for ip in neighbor.peer_ips %}
 {%     if ip|ansible.utils.ipv6 %}
@@ -128,3 +144,5 @@ ip prefix-list my-networks seq {{(loop.index|int)*10}} permit {{range}}
 ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
 {%   endif %}
 {% endfor %}
+ip prefix-list all seq 10 permit any
+ipv6 prefix-list all seq 10 permit any
diff --git a/templates/int_rtr.nft.j2 b/templates/int_rtr.nft.j2
index c15e929..45b41c4 100644
--- a/templates/int_rtr.nft.j2
+++ b/templates/int_rtr.nft.j2
@@ -44,7 +44,7 @@ table inet filter {
 			iif == lo accept
 			tcp dport ssh accept
 {% for range in dc_ranges %}
-			ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept
+			ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} accept
 {% endfor %}
 {% for neighbor in internet_connections %}
 {%   for ip in neighbor.peer_ips %}
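Review bot: The rewritten rule at line 74 now accepts every protocol and port from each prefix in `dc_ranges` on this chain (apparently the input chain, given `iif == lo accept`), where the old rule admitted only SSH, and neither the subject line nor the hunk explains the widening. The least-privilege form for the peering this commit enables is `ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport { ssh, bgp } accept`, with a separate rule for the BFD control port (UDP 3784, or 4784 for multihop) if `neighbor trusted-peers bfd` in the frr template is relied on; if the blanket accept is deliberate, a comment on the line naming the services the DC ranges need would document it. Note also that interface-based (unnumbered) peers speak from link-local addresses that `dc_ranges` may not cover, which is inferred from the `interface peer-group` branch in frr_conf.j2. The enclosing chain starts and ends outside this hunk.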
-- 
GitLab