From a743db4adb6eddb6eef0d1cb9bd5f5ea62fdbcf6 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Wed, 25 Oct 2023 17:30:30 +0200
Subject: [PATCH] functional int_rtr (without exporting routes yet)

---
 defaults/main.yml        |   3 ++
 templates/frr_conf.j2    | 110 ++++++++++++++++++++++++++++++++++++++-
 templates/int_rtr.nft.j2 |   7 ++-
 3 files changed, 117 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 16eaff6..ae13054 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,3 +2,6 @@
 
 allow_default_ipv4: False
 allow_default_ipv6: False
+
+dc_ranges: []
+dc4_ranges: []
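Review bot: The two new lists are undocumented, and the templates in this patch use them asymmetrically: frr_conf.j2 emits `dc_ranges` only under `ipv6 prefix-list` and `dc4_ranges` only under `ip prefix-list`, while int_rtr.nft.j2 picks the address family per entry, so an IPv4 prefix placed in `dc_ranges` would render an invalid ipv6 prefix-list line without the nft side ever complaining. A comment above each default would make the contract visible, e.g. `# dc_ranges: IPv6 prefixes owned by the DC (filtered from internet peers, allowed to SSH)` and `# dc4_ranges: IPv4 prefixes owned by the DC`. Whether entries may carry a trailing `ge N`/`le N` qualifier is inferred from the regex_replace calls in the templates; if so, say it in the comment as well.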
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
index 51f3533..50caede 100644
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -1,10 +1,116 @@
 hostname {{ansible_hostname}}
 log syslog informational
 router bgp {{bgp_asn}}
+{% if router_id is defined %}
+ bgp router-id {{router_id}}
+{% endif %}
  bgp bestpath as-path multipath-relax
  bgp bestpath compare-routerid
  no bgp network import-check
- neighbor internet peer-group
+ no bgp default ipv4-unicast
+{% for neighbor in internet_connections %}
+{%  for ip in neighbor.peer_ips %}
+ neighbor {{ip}} remote-as {{neighbor.asn}}
+{%  endfor %}
+{% endfor %}
  neighbor outside peer-group
  neighbor outside remote-as external
- 
+!
+ address-family ipv4 unicast
+  network 0.0.0.0/0
+{% for neighbor in internet_connections %}
+{%   for ip in neighbor.peer_ips %}
+{%     if ip|ansible.utils.ipv4 %}
+  neighbor {{ip}} activate
+  neighbor {{ip}} prefix-list internet in
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+!
+ address-family ipv6 unicast
+  network ::/0
+{% for neighbor in internet_connections %}
+{%   for ip in neighbor.peer_ips %}
+{%     if ip|ansible.utils.ipv6 %}
+  neighbor {{ip}} activate
+  neighbor {{ip}} prefix-list internet in
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+!
+
+{% if allow_default_ipv6 == True %}
+ipv6 prefix-list internet seq 5 permit ::/0
+{% endif %}
+ipv6 prefix-list internet seq 10 deny ::/128 le 128
+ipv6 prefix-list internet seq 20 deny ::1/128 le 128
+ipv6 prefix-list internet seq 30 deny ::ffff:0:0/96 le 128
+ipv6 prefix-list internet seq 40 deny ::/96 le 128
+ipv6 prefix-list internet seq 50 deny 100::/64 le 128
+ipv6 prefix-list internet seq 60 deny 2001:10::/28 le 128
+ipv6 prefix-list internet seq 70 deny 2001:db8::/32 le 128
+ipv6 prefix-list internet seq 80 deny fc00::/7 le 128
+ipv6 prefix-list internet seq 90 deny fe80::/10 le 128
+ipv6 prefix-list internet seq 100 deny fec0::/10 le 128
+ipv6 prefix-list internet seq 110 deny ff00::/8 le 128
+ipv6 prefix-list internet seq 130 deny 2002::/24 le 128
+ipv6 prefix-list internet seq 140 deny 2002:a00::/24 le 128
+ipv6 prefix-list internet seq 150 deny 2002:7f00::/24 le 128
+ipv6 prefix-list internet seq 160 deny 2002:a9fe::/32 le 128
+ipv6 prefix-list internet seq 170 deny 2002:ac10::/28 le 128
+ipv6 prefix-list internet seq 180 deny 2002:c000::/40 le 128
+ipv6 prefix-list internet seq 190 deny 2002:c000:200::/40 le 128
+ipv6 prefix-list internet seq 200 deny 2002:c0a8::/32 le 128
+ipv6 prefix-list internet seq 210 deny 2002:c612::/31 le 128
+ipv6 prefix-list internet seq 220 deny 2002:c633:6400::/40 le 128
+ipv6 prefix-list internet seq 230 deny 2002:cb00:7100::/40 le 128
+ipv6 prefix-list internet seq 240 deny 2002:e000::/20 le 128
+ipv6 prefix-list internet seq 250 deny 2002:f000::/20 le 128
+ipv6 prefix-list internet seq 260 deny 2002:ffff:ffff::/48 le 128
+ipv6 prefix-list internet seq 270 deny 2001::/40 le 128
+ipv6 prefix-list internet seq 280 deny 2001:0:a00::/40 le 128
+ipv6 prefix-list internet seq 290 deny 2001:0:7f00::/40 le 128
+ipv6 prefix-list internet seq 300 deny 2001:0:a9fe::/48 le 128
+ipv6 prefix-list internet seq 310 deny 2001:0:ac10::/44 le 128
+ipv6 prefix-list internet seq 320 deny 2001:0:c000::/56 le 128
+ipv6 prefix-list internet seq 330 deny 2001:0:c000:200::/56 le 128
+ipv6 prefix-list internet seq 340 deny 2001:0:c0a8::/48 le 128
+ipv6 prefix-list internet seq 350 deny 2001:0:c612::/47 le 128
+ipv6 prefix-list internet seq 360 deny 2001:0:c633:6400::/56 le 128
+ipv6 prefix-list internet seq 370 deny 2001:0:cb00:7100::/56 le 128
+ipv6 prefix-list internet seq 380 deny 2001:0:e000::/36 le 128
+ipv6 prefix-list internet seq 390 deny 2001:0:f000::/36 le 128
+ipv6 prefix-list internet seq 400 deny 2001:0:ffff:ffff::/64 le 128
+{% for prefix in dc_ranges%}
+ipv6 prefix-list internet seq {{(loop.index|int)*10+400}} deny {{prefix|regex_replace('ge.*','')|regex_replace('le.*','')}} le 128
+{%   if loop.last %}
+ipv6 prefix-list internet seq {{(loop.index|int)*10+410}} permit any
+{%   endif %}
+{% endfor %}
+
+{% if allow_default_ipv4 == True %}
+ip prefix-list internet seq 5 permit 0.0.0.0/0
+{% endif %}
+ip prefix-list internet seq 10 deny 0.0.0.0/8 le 32
+ip prefix-list internet seq 20 deny 10.0.0.0/8 le 32
+ip prefix-list internet seq 30 deny 100.64.0.0/10 le 32
+ip prefix-list internet seq 40 deny 127.0.0.0/8 le 32
+ip prefix-list internet seq 50 deny 127.0.53.53/32
+ip prefix-list internet seq 60 deny 169.254.0.0/16 le 32
+ip prefix-list internet seq 70 deny 172.16.0.0/12 le 32
+ip prefix-list internet seq 80 deny 192.0.0.0/24 le 32
+ip prefix-list internet seq 90 deny 192.0.2.0/24 le 32
+ip prefix-list internet seq 100 deny 192.168.0.0/16 le 32
+ip prefix-list internet seq 110 deny 198.18.0.0/15 le 32
+ip prefix-list internet seq 120 deny 198.51.100.0/24 le 32
+ip prefix-list internet seq 130 deny 203.0.113.0/24 le 32
+ip prefix-list internet seq 140 deny 224.0.0.0/4 le 32
+ip prefix-list internet seq 150 deny 240.0.0.0/4 le 32
+ip prefix-list internet seq 160 deny 255.255.255.255/32 le 32
+{% for prefix in dc4_ranges%}
+ip prefix-list internet seq {{(loop.index|int)*10+160}} deny {{prefix|regex_replace('ge.*','')|regex_replace('le.*','')}} le 32 
+{%   if loop.last %}
+ip prefix-list internet seq {{(loop.index|int)*10+170}} permit any
+{%   endif %}
+{% endfor %}
+
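Review bot: The `permit any` entries at L116 and L142 are emitted only inside `{% if loop.last %}`, so with the new defaults `dc_ranges: []` and `dc4_ranges: []` neither prefix-list gets a permit entry and the implicit deny at the end of an FRR prefix-list rejects every route received from the internet peers except the optional default. Move the permit outside each loop and derive its sequence from the list length, `ipv6 prefix-list internet seq {{ (dc_ranges|length)*10 + 410 }} permit any` after the ipv6 loop and `ip prefix-list internet seq {{ (dc4_ranges|length)*10 + 170 }} permit any` after the ipv4 loop; these are the same numbers the loop produces today when the list is non-empty. Separately, the peers get `prefix-list internet in` but no `out` policy: depending on whether `bgp ebgp-requires-policy` is in effect on the FRR version in use, that either withholds all advertisements or lets `network 0.0.0.0/0` / `network ::/0` and routes learned from one peer be advertised to the others, so an explicit deny-all `out` list would make the "not exporting yet" state in the subject deliberate rather than version-dependent. Also `allow_default_ipv6 == True` at L71 (and L120) is false for a string such as `"true"` supplied via extra-vars; `{% if allow_default_ipv6 | bool %}` is the usual idiom.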
diff --git a/templates/int_rtr.nft.j2 b/templates/int_rtr.nft.j2
index 0210bd7..c15e929 100644
--- a/templates/int_rtr.nft.j2
+++ b/templates/int_rtr.nft.j2
@@ -28,7 +28,7 @@ table inet filter {
 		jump f2ban
 	}
 	chain internet_peers {
-{% for range in dc_ranges %}
+{% for range in (dc_ranges + dc4_ranges) %}
 	ip{% if range is search(':') %}6{% endif %} saddr {{range|regex_replace('ge.*','')|regex_replace('le.*','')}} drop
 {% endfor %}
 	}
@@ -45,6 +45,11 @@ table inet filter {
 			tcp dport ssh accept
 {% for range in dc_ranges %}
 			ip{% if range|ansible.utils.ipv6%}6{% endif %} saddr {{range}} tcp dport ssh accept
+{% endfor %}
+{% for neighbor in internet_connections %}
+{%   for ip in neighbor.peer_ips %}
+			ip{% if ip|ansible.utils.ipv6%}6{% endif %} saddr {{ip}} tcp dport bgp accept
+{%   endfor %}
 {% endfor %}
 	}
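Review bot: The new BGP accept loop at L164-167 is fine on its own, but the SSH loop directly above it still iterates `dc_ranges` alone and inserts `{{range}}` unstripped, while the `internet_peers` chain in the first hunk now iterates `dc_ranges + dc4_ranges` with the `ge`/`le` qualifier removed. If `dc4_ranges` is meant to be the IPv4 counterpart, sources in it are now treated as spoofed in `internet_peers` but are not in the SSH allow-list here, and an entry carrying a `le N` qualifier renders an invalid nft `saddr`; presumably intentional for now, but worth confirming. If not, `{% for range in (dc_ranges + dc4_ranges) %}` with the same `regex_replace` chain used at L156 would keep the two chains consistent. The enclosing chain starts before this hunk.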
 	chain forward {
-- 
GitLab