a743db4a
Commit
a743db4a
authored
1 year ago
by
Karl Grube
functional int_rtr (without exporting routes yet)
parent
e0d8f8fb
Showing
3 changed files
defaults/main.yml
+3
-0
3 additions, 0 deletions
defaults/main.yml
templates/frr_conf.j2
+108
-2
108 additions, 2 deletions
templates/frr_conf.j2
templates/int_rtr.nft.j2
+6
-1
6 additions, 1 deletion
templates/int_rtr.nft.j2
with
117 additions
and
3 deletions
defaults/main.yml
+
3
−
0
@@ -2,3 +2,6 @@
allow_default_ipv4
:
False
allow_default_ipv6
:
False
dc_ranges
:
[]
dc4_ranges
:
[]
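Review bot: The new `dc_ranges` and `dc4_ranges` defaults carry no comment stating what an element is expected to look like, yet the templates in this commit disagree on it: frr_conf.j2 and the `internet_peers` chain strip a trailing `ge …`/`le …` from each entry, while the ssh rule in int_rtr.nft.j2 renders the raw value. A one-line comment on each key, e.g. `# dc4_ranges: IPv4 prefixes owned by this site, CIDR only (any "ge"/"le" suffix is stripped by frr_conf.j2)`, would pin the contract for callers. Whether `dc_ranges` is now meant to hold IPv6 entries only, as frr_conf.j2's usage suggests, should also be stated there, since the nft template still treats it as mixed-family.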
templates/frr_conf.j2
+
108
−
2
hostname {{ansible_hostname}}
log syslog informational
router bgp {{bgp_asn}}
{% if router_id is defined %}
bgp router-id {{router_id}}
{% endif %}
bgp bestpath as-path multipath-relax
bgp bestpath compare-routerid
no bgp network import-check
neighbor internet peer-group
no bgp default ipv4-unicast
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
neighbor {{ip}} remote-as {{neighbor.asn}}
{% endfor %}
{% endfor %}
neighbor outside peer-group
neighbor outside remote-as external
!
address-family ipv4 unicast
network 0.0.0.0/0
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv4 %}
neighbor {{ip}} activate
neighbor {{ip}} prefix-list internet in
{% endif %}
{% endfor %}
{% endfor %}
!
address-family ipv6 unicast
network ::/0
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
{% if ip|ansible.utils.ipv6 %}
neighbor {{ip}} activate
neighbor {{ip}} prefix-list internet in
{% endif %}
{% endfor %}
{% endfor %}
!
{% if allow_default_ipv6 == True %}
ipv6 prefix-list internet seq 5 permit ::/0
{% endif %}
ipv6 prefix-list internet seq 10 deny ::/128 le 128
ipv6 prefix-list internet seq 20 deny ::1/128 le 128
ipv6 prefix-list internet seq 30 deny ::ffff:0:0/96 le 128
ipv6 prefix-list internet seq 40 deny ::/96 le 128
ipv6 prefix-list internet seq 50 deny 100::/64 le 128
ipv6 prefix-list internet seq 60 deny 2001:10::/28 le 128
ipv6 prefix-list internet seq 70 deny 2001:db8::/32 le 128
ipv6 prefix-list internet seq 80 deny fc00::/7 le 128
ipv6 prefix-list internet seq 90 deny fe80::/10 le 128
ipv6 prefix-list internet seq 100 deny fec0::/10 le 128
ipv6 prefix-list internet seq 110 deny ff00::/8 le 128
ipv6 prefix-list internet seq 130 deny 2002::/24 le 128
ipv6 prefix-list internet seq 140 deny 2002:a00::/24 le 128
ipv6 prefix-list internet seq 150 deny 2002:7f00::/24 le 128
ipv6 prefix-list internet seq 160 deny 2002:a9fe::/32 le 128
ipv6 prefix-list internet seq 170 deny 2002:ac10::/28 le 128
ipv6 prefix-list internet seq 180 deny 2002:c000::/40 le 128
ipv6 prefix-list internet seq 190 deny 2002:c000:200::/40 le 128
ipv6 prefix-list internet seq 200 deny 2002:c0a8::/32 le 128
ipv6 prefix-list internet seq 210 deny 2002:c612::/31 le 128
ipv6 prefix-list internet seq 220 deny 2002:c633:6400::/40 le 128
ipv6 prefix-list internet seq 230 deny 2002:cb00:7100::/40 le 128
ipv6 prefix-list internet seq 240 deny 2002:e000::/20 le 128
ipv6 prefix-list internet seq 250 deny 2002:f000::/20 le 128
ipv6 prefix-list internet seq 260 deny 2002:ffff:ffff::/48 le 128
ipv6 prefix-list internet seq 270 deny 2001::/40 le 128
ipv6 prefix-list internet seq 280 deny 2001:0:a00::/40 le 128
ipv6 prefix-list internet seq 290 deny 2001:0:7f00::/40 le 128
ipv6 prefix-list internet seq 300 deny 2001:0:a9fe::/48 le 128
ipv6 prefix-list internet seq 310 deny 2001:0:ac10::/44 le 128
ipv6 prefix-list internet seq 320 deny 2001:0:c000::/56 le 128
ipv6 prefix-list internet seq 330 deny 2001:0:c000:200::/56 le 128
ipv6 prefix-list internet seq 340 deny 2001:0:c0a8::/48 le 128
ipv6 prefix-list internet seq 350 deny 2001:0:c612::/47 le 128
ipv6 prefix-list internet seq 360 deny 2001:0:c633:6400::/56 le 128
ipv6 prefix-list internet seq 370 deny 2001:0:cb00:7100::/56 le 128
ipv6 prefix-list internet seq 380 deny 2001:0:e000::/36 le 128
ipv6 prefix-list internet seq 390 deny 2001:0:f000::/36 le 128
ipv6 prefix-list internet seq 400 deny 2001:0:ffff:ffff::/64 le 128
{% for prefix in dc_ranges%}
ipv6 prefix-list internet seq {{(loop.index|int)*10+400}} deny {{prefix|regex_replace('ge.*','')|regex_replace('le.*','')}} le 128
{% if loop.last %}
ipv6 prefix-list internet seq {{(loop.index|int)*10+410}} permit any
{% endif %}
{% endfor %}
{% if allow_default_ipv4 == True %}
ip prefix-list internet seq 5 permit 0.0.0.0/0
{% endif %}
ip prefix-list internet seq 10 deny 0.0.0.0/8 le 32
ip prefix-list internet seq 20 deny 10.0.0.0/8 le 32
ip prefix-list internet seq 30 deny 100.64.0.0/10 le 32
ip prefix-list internet seq 40 deny 127.0.0.0/8 le 32
ip prefix-list internet seq 50 deny 127.0.53.53/32
ip prefix-list internet seq 60 deny 169.254.0.0/16 le 32
ip prefix-list internet seq 70 deny 172.16.0.0/12 le 32
ip prefix-list internet seq 80 deny 192.0.0.0/24 le 32
ip prefix-list internet seq 90 deny 192.0.2.0/24 le 32
ip prefix-list internet seq 100 deny 192.168.0.0/16 le 32
ip prefix-list internet seq 110 deny 198.18.0.0/15 le 32
ip prefix-list internet seq 120 deny 198.51.100.0/24 le 32
ip prefix-list internet seq 130 deny 203.0.113.0/24 le 32
ip prefix-list internet seq 140 deny 224.0.0.0/4 le 32
ip prefix-list internet seq 150 deny 240.0.0.0/4 le 32
ip prefix-list internet seq 160 deny 255.255.255.255/32 le 32
{% for prefix in dc4_ranges%}
ip prefix-list internet seq {{(loop.index|int)*10+160}} deny {{prefix|regex_replace('ge.*','')|regex_replace('le.*','')}} le 32
{% if loop.last %}
ip prefix-list internet seq {{(loop.index|int)*10+170}} permit any
{% endif %}
{% endfor %}
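Review bot: The `permit any` entries are emitted only inside the `dc_ranges`/`dc4_ranges` loops under `{% if loop.last %}`, so with the empty defaults this commit adds in defaults/main.yml neither `internet` prefix-list ends in a permit and FRR's implicit deny at the end of a prefix-list rejects every route the peers send. Relatedly, setting `allow_default_ipv4`/`allow_default_ipv6` to False does not actually block a default route: `0.0.0.0/0` and `::/0` are shorter than every `deny … le` entry and fall through to `permit any`, so an upstream-announced default is still accepted and the flag only decides whether it is permitted explicitly at seq 5. Move each `permit any` after its `{% endfor %}` with a sequence derived from the list length, and give the `allow_default_*` conditionals an `{% else %}` branch that denies the default exactly; the IPv6 half is sketched below and the IPv4 half is the same with `dc4_ranges`, `0.0.0.0/0` and the 160/170 offsets. This section is shown without hunk markers, so which of these lines are new in the commit is inferred; the `outside` peer-group declared near the top is also never assigned a neighbor and looks like leftover scaffolding worth removing or commenting.
```jinja
{% if allow_default_ipv6 == True %}
ipv6 prefix-list internet seq 5 permit ::/0
{% else %}
ipv6 prefix-list internet seq 5 deny ::/0
{% endif %}
{# … unchanged: static IPv6 bogon deny entries seq 10-400 … #}
{% for prefix in dc_ranges %}
ipv6 prefix-list internet seq {{(loop.index|int)*10+400}} deny {{prefix|regex_replace('ge.*','')|regex_replace('le.*','')}} le 128
{% endfor %}
ipv6 prefix-list internet seq {{(dc_ranges|length)*10+410}} permit any
{# … unchanged: IPv4 prefix-list, same restructuring with allow_default_ipv4 / dc4_ranges … #}
```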
templates/int_rtr.nft.j2
+
6
−
1
@@ -28,7 +28,7 @@ table inet filter {
jump f2ban
}
chain internet_peers {
{% for range in dc_ranges %}
{% for range in
(
dc_ranges
+ dc4_ranges)
%}
ip{% if range is search(':') %}6{% endif %} saddr {{range|regex_replace('ge.*','')|regex_replace('le.*','')}} drop
{% endfor %}
}
@@ -45,6 +45,11 @@ table inet filter {
tcp dport ssh accept
{% for range in dc_ranges %}
ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept
{% endfor %}
{% for neighbor in internet_connections %}
{% for ip in neighbor.peer_ips %}
ip{% if ip|ansible.utils.ipv6%}6{% endif %} saddr {{ip}} tcp dport bgp accept
{% endfor %}
{% endfor %}
}
chain forward {
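Review bot: The ssh accept loop in the second hunk still iterates only `dc_ranges` (`{% for range in dc_ranges %}` … `saddr {{range}} tcp dport ssh accept`) while the `internet_peers` chain in the first hunk was switched to `(dc_ranges + dc4_ranges)`, so an IPv4 range placed in the new `dc4_ranges` is dropped as a spoofed source there but never granted ssh here; if that asymmetry is intended a comment should say so, otherwise iterate the same concatenation in both places. The two loops also normalise entries differently: the drop rule strips `ge …`/`le …` suffixes and picks the family with `range is search(':')`, whereas the ssh rule passes `{{range}}` through untouched and tests `range|ansible.utils.ipv6`, which for a suffixed entry would render an invalid `saddr`. Sharing one normalised value, e.g. `{% set cidr = range|regex_replace('ge.*','')|regex_replace('le.*','') %}` used by both rules, keeps the anti-spoof and management-access lists consistent. The enclosing `table inet filter` starts and ends outside the shown hunks.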