From 3aba3aa09280807c41e03f66c6894c90cbffd0e0 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Fri, 9 Aug 2024 15:48:59 +0200
Subject: [PATCH] supporting limited neighbors...

---
 defaults/main.yml     |  2 ++
 templates/frr_conf.j2 | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index f2ce726..ed9f27f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,8 @@ allow_default_ipv6: False
 firewall4s: []
 nat_neighbors: []
 
+limited_firewalls: []
+
 dc_ranges: []
 dc4_ranges: []
 
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
index 71d956d..760e6df 100644
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -47,6 +47,17 @@ router bgp {{bgp_asn}}
  neighbor {{ neighbor }} interface peer-group nat
 {%   endif %}
 {% endfor %}
+{% for neighbor in limited_firewalls %}
+ neighbor {{neighbor.name}} peer-group
+ neighbor {{neighbor.name}} remote-as external
+ neighbor {{neighbor.name}} bfd
+{%   for ip in neighbor.ips|default([]) %}
+ neighbor {{ ip }} peer-group {{neighbor.name}}
+{%   endfor %}
+{%   for interface in neighbor.interfaces|default([]) %}
+ neighbor {{ interface }} interface peer-group {{neighbor.name}}
+{%   endfor %}
+{% endfor %}
 !
  address-family ipv4 unicast
 {% for range in dc4_ranges %}
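Review bot: The peer-group created on the first added line is named directly from `neighbor.name`, and FRR peer-group names share one namespace with the groups the template already defines, such as `nat` on the context line just above; an inventory entry whose `name` is `nat` would presumably not create a new group but append `remote-as external` and `bfd` to the existing one. A guard in the role (an `assert` that no `limited_firewalls` name equals an existing group name), or at least a comment above `limited_firewalls: []` in defaults/main.yml stating the expected keys (`name`, `ips`, `interfaces`, plus `in`, `out`, `export_all` used later in the patch) and that `name` becomes a peer-group and prefix-list name, would make this safer to use. Style: the surrounding lines write `{{ neighbor }}` with inner spaces while every new line uses `{{neighbor.name}}`; matching the existing spacing keeps the template consistent.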
@@ -93,6 +104,15 @@ router bgp {{bgp_asn}}
 {%     endif %}
 {%   endfor %}
 {% endfor %}
+{% for neighbor in limited_firewalls %}
+  neighbor {{neighbor.name}} activate
+{%   if neighbor.export_all is defined and neighbor.export_all == True %}
+  neighbor {{neighbor.name}} prefix-list all out
+{%   else %}
+  neighbor {{neighbor.name}} prefix-list {{neighbor.name}}_out out
+{%   endif %}
+  neighbor {{neighbor.name}} prefix-list {{neighbor.name}}_in in
+{% endfor %}
 !
 ipv6 prefix-list none seq 10 deny any
 {% if allow_default_ipv6 == True %}
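Review bot: The `{{neighbor.name}}_out` and `{{neighbor.name}}_in` lists applied on the two `prefix-list ... out`/`in` lines are only generated, in the last hunk of this patch, when `neighbor.out`/`neighbor.in` is non-empty, because the closing `deny any` is emitted inside the inner loop under `{%     if loop.last %}`. An entry with no `in` (or no `out` and no `export_all`) therefore applies a prefix-list that does not exist in the rendered config; I believe FRR treats a referenced-but-undefined list as deny, but that depends on the FRR version and is invisible to anyone auditing the rendered file. Moving the deny out of the inner loop makes every referenced list exist and explicitly fail closed: drop the `loop.last` block and add, after the inner `{%   endfor %}`, `ipv6 prefix-list {{neighbor.name}}_in seq {{ (neighbor.in|default([])|length) * 10 + 10 }} deny any`, and the same for `_out`; the sequence numbers are unchanged for non-empty lists. The `address-family` line enclosing this block is outside the hunk.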
@@ -202,6 +222,22 @@ ip prefix-list my-networks seq {{(loop.index|int)*10+10}} deny any
 {% endfor %}
 ip prefix-list all seq 10 permit any
 ipv6 prefix-list all seq 10 permit any
+{% for neighbor in limited_firewalls %}
+{%   for prefix_out in neighbor.out|default([]) %}
+ipv6 prefix-list {{neighbor.name}}_out seq {{(loop.index|int)*10}} permit {{prefix_out}}
+{%     if loop.last %}
+ipv6 prefix-list {{neighbor.name}}_out seq {{(loop.index|int)*10+10}} deny any
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+{% for neighbor in limited_firewalls %}
+{%   for prefix_in in neighbor.in|default([]) %}
+ipv6 prefix-list {{neighbor.name}}_in seq {{(loop.index|int)*10}} permit {{prefix_in}}
+{%     if loop.last %}
+ipv6 prefix-list {{neighbor.name}}_in seq {{(loop.index|int)*10+10}} deny any
+{%     endif %}
+{%   endfor %}
+{% endfor %}
 !
 route-map reject_local_origin deny 10
  match as-path {{bgp_asn}}
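Review bot: Both new loops emit only `ipv6 prefix-list` entries, while the block that applies `{{neighbor.name}}_out`/`_in` to the neighbor (previous hunk) sits inside an `address-family` whose header is outside that hunk; FRR keeps `ip prefix-list` and `ipv6 prefix-list` names separate, so if that family is `ipv4 unicast` (the only family visible in this patch, on a context line of the first template hunk) the references point at lists that are never defined. Worth confirming against the full template, and if IPv4 peers are also meant to be limited, the same loops need `ip prefix-list` counterparts fed from separate v4 keys. Style: the two loops walk `limited_firewalls` once for `out` and again for `in`; a single loop emitting both lists per neighbor keeps each neighbor's filter together in the rendered config. `permit {{prefix_out}}` without `le`/`ge` matches the exact prefix only, which may be intended but deserves a comment where `limited_firewalls` is documented.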
-- 
GitLab