supporting limited neighbors...

3aba3aa0 · Karl Grube · ad3a9a92 · 3aba3aa0 · 3aba3aa0
Commit 3aba3aa0 authored 7 months ago by Karl Grube
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,8 @@ allow_default_ipv6: False
 firewall4s: []
 nat_neighbors: []

+limited_firewalls: []
+
 dc_ranges: []
 dc4_ranges: []


--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -47,6 +47,17 @@ router bgp {{bgp_asn}}
 neighbor {{ neighbor }} interface peer-group nat
 {%   endif %}
 {% endfor %}
+{% for neighbor in limited_firewalls %}
+ neighbor {{neighbor.name}} peer-group
+ neighbor {{neighbor.name}} remote-as external
+ neighbor {{neighbor.name}} bfd
+{%   for ip in neighbor.ips|default([]) %}
+ neighbor {{ ip }} peer-group {{neighbor.name}}
+{%   endfor %}
+{%   for interface in neighbor.interfaces|default([]) %}
+ neighbor {{ interface }} interface peer-group {{neighbor.name}}
+{%   endfor %}
+{% endfor %}
 !
 address-family ipv4 unicast
 {% for range in dc4_ranges %}
@@ -93,6 +104,15 @@ router bgp {{bgp_asn}}
 {%     endif %}
 {%   endfor %}
 {% endfor %}
+{% for neighbor in limited_firewalls %}
+  neighbor {{neighbor.name}} activate
+{%   if neighbor.export_all is defined and neighbor.export_all == True %}
+  neighbor {{neighbor.name}} prefix-list all out
+{%   else %}
+  neighbor {{neighbor.name}} prefix-list {{neighbor.name}}_out out
+{%   endif %}
+  neighbor {{neighbor.name}} prefix-list {{neighbor.name}}_in in
+{% endfor %}
 !
 ipv6 prefix-list none seq 10 deny any
 {% if allow_default_ipv6 == True %}
@@ -202,6 +222,22 @@ ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
 {% endfor %}
 ip prefix-list all seq 10 permit any
 ipv6 prefix-list all seq 10 permit any
+{% for neighbor in limited_firewalls %}
+{%   for prefix_out in neighbor.out|default([]) %}
+ipv6 prefix-list {{neighbor.name}}_out seq {{(loop.index|int)*10}} permit {{prefix_out}}
+{%     if loop.last %}
+ipv6 prefix-list {{neighbor.name}}_out seq {{(loop.index|int)*10+10}} deny any
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+{% for neighbor in limited_firewalls %}
+{%   for prefix_in in neighbor.in|default([]) %}
+ipv6 prefix-list {{neighbor.name}}_in seq {{(loop.index|int)*10}} permit {{prefix_in}}
+{%     if loop.last %}
+ipv6 prefix-list {{neighbor.name}}_in seq {{(loop.index|int)*10+10}} deny any
+{%     endif %}
+{%   endfor %}
+{% endfor %}
 !
 route-map reject_local_origin deny 10
 match as-path {{bgp_asn}}