

bird: add option to use vrf
felbinger committed Nov 20, 2024
1 parent febea78 commit 0f65107
Showing 3 changed files with 57 additions and 13 deletions.
53 changes: 42 additions & 11 deletions modules/bird2.nix
Expand Up @@ -2,6 +2,7 @@

let
cfg = config.networking.dn42;
useVrf = cfg.vrf.name != null && cfg.vrf.table != null;
in
{
config = lib.mkIf cfg.enable {
Expand Down Expand Up @@ -35,8 +36,12 @@ in
return net ~ [${builtins.concatStringsSep ", " cfg.nets.v6}];
}
roa4 table dnroa4;
roa6 table dnroa6;
${lib.optionalString useVrf ''
ipv4 table ${cfg.vrf.name}_4;
ipv6 table ${cfg.vrf.name}_6;
''}
roa4 table dnroa_4;
roa6 table dnroa_6;
include "${../resources/community_filter.conf}";
include "${../resources/filters.conf}";
Expand All @@ -62,8 +67,8 @@ in
protocols = {

rpki.roa_dn42 = lib.mkIf config.networking.dn42.stayrtr.enable ''
roa4 { table dnroa4; };
roa6 { table dnroa6; };
roa4 { table dnroa_4; };
roa6 { table dnroa_6; };
remote 127.0.0.1;
port 8082;
refresh 600;
Expand All @@ -73,22 +78,28 @@ in

static = {
static_roa_4 = lib.mkIf config.networking.dn42.roagen.enable ''
roa4 { table dnroa4; };
roa4 { table dnroa_4; };
include "${config.networking.dn42.roagen.outputDir}/dn42-roa4.conf";
'';
static_roa_6 = lib.mkIf config.networking.dn42.roagen.enable ''
roa6 { table dnroa6; };
roa6 { table dnroa_6; };
include "${config.networking.dn42.roagen.outputDir}/dn42-roa6.conf";
'';
static_4 = ''
ipv4;
${lib.optionalString useVrf "vrf \"${cfg.vrf.name}\";"}
ipv4 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_4;"}
};
${lib.concatMapStrings (net: ''
route ${net} unreachable;
'') cfg.nets.v4}
'';
static_6 = ''
ipv6;
${lib.optionalString useVrf "vrf \"${cfg.vrf.name}\";"}
ipv6 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_6;"}
};
${lib.concatMapStrings (net: ''
route ${net} unreachable;
Expand All @@ -102,9 +113,15 @@ in

kernel = {
kernel_4 = ''
${lib.optionalString useVrf ''
vrf "${cfg.vrf.name}";
kernel table ${toString cfg.vrf.table};
''}
scan time 20;
ipv4 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_4;"}
import none;
export filter {
if source = RTS_STATIC then reject;
Expand All @@ -115,9 +132,15 @@ in
'';

kernel_6 = ''
${lib.optionalString useVrf ''
vrf "${cfg.vrf.name}";
kernel table ${toString cfg.vrf.table};
''}
scan time 20;
ipv6 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_6;"}
import none;
export filter {
if source = RTS_STATIC then reject;
Expand All @@ -133,10 +156,12 @@ in
(name: conf:
{
"${name}_4 from dn42_peer" = lib.mkIf (!conf.extendedNextHop) ''
${lib.optionalString useVrf "vrf \"${cfg.vrf.name}\";"}
neighbor ${conf.addr.v4} as ${builtins.toString conf.as};
source address ${conf.srcAddr.v4};
ipv4 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_4;"}
import limit 9000 action block;
import table on;
import where dn_import_filter4(${toString conf.latency}, ${toString conf.bandwidth}, ${toString conf.crypto});
Expand All @@ -145,10 +170,15 @@ in
'';

"${name}_6 from dn42_peer" = ''
${lib.optionalString useVrf "vrf \"${cfg.vrf.name}\";"}
neighbor ${conf.addr.v6}%'${conf.interface}' as ${builtins.toString conf.as};
source address ${conf.srcAddr.v6};
${lib.optionalString conf.extendedNextHop ''
enable extended messages on;
ipv4 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_4;"}
import limit 9000 action block;
import table on;
Expand All @@ -159,27 +189,27 @@ in
''}
ipv6 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_6;"}
import limit 9000 action block;
import table on;
import where dn_import_filter6(${toString conf.latency}, ${toString conf.bandwidth}, ${toString conf.crypto});
export where dn_export_filter6(${toString conf.latency}, ${toString conf.bandwidth}, ${toString conf.crypto}, ${lib.boolToString conf.transit});
};
neighbor ${conf.addr.v6}%'${conf.interface}' as ${builtins.toString conf.as};
source address ${conf.srcAddr.v6};
'';
})
cfg.peers)
++ [{
"collector_6 from dn42_peer" = ''
${lib.optionalString useVrf "vrf \"${cfg.vrf.name}\";"}
neighbor fd42:4242:2601:ac12::1 as 4242422602;
source address ${cfg.addr.v6};
# enable multihop as the collector is not locally connected
multihop;
ipv4 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_4;"}
# export all available paths to the collector
add paths tx;
Expand All @@ -189,6 +219,7 @@ in
};
ipv6 {
${lib.optionalString useVrf "table ${cfg.vrf.name}_6;"}
# export all available paths to the collector
add paths tx;
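Review bot: The `cfg.vrf.name != null` half of `useVrf` in the first hunk is dead, because `vrf.name` is declared in modules/default.nix as a non-null `strMatching` option with default `"vrf0"`, so VRF mode is in practice switched on by `vrf.table` alone. Either simplify to `useVrf = cfg.vrf.table != null;` or make `name` a `nullOr` option and add an assertion under `config.networking.dn42` that both are set together; as written, setting only `table` binds every kernel and BGP protocol to a `vrf "vrf0"` device that may not exist on the host, and setting only `name` silently yields a non-VRF config. The same guard is reused in every later hunk of this file (`static_4`/`static_6`, `kernel_4`/`kernel_6`, the peer templates and the collector), so correcting the definition fixes all of them. It is worth keeping the `strMatching` whitelist on `name`, since the value is interpolated unquoted into BIRD table identifiers (`${cfg.vrf.name}_4`) and quoted into `vrf "..."` statements.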
13 changes: 13 additions & 0 deletions modules/default.nix
Expand Up @@ -130,5 +130,18 @@ in
};
});
};

vrf = {
name = lib.mkOption {
type = lib.types.strMatching "^[A-Za-z0-9_]+$";
default = "vrf0";
description = "Name of the vrf to use. May differ from the kernel vrf name.";
};
table = lib.mkOption {
type = with lib.types; nullOr int;
default = null;
description = "Kernel routing table number to use.";
};
};
};
}
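Review bot: The description of `vrf.name` ("May differ from the kernel vrf name.") appears inconsistent with how the value is used in modules/bird2.nix, where it is emitted as `vrf "${cfg.vrf.name}";` into the kernel and BGP protocols; as far as I recall BIRD's semantics, that statement names the kernel VRF interface the protocol binds to, so the name must match the kernel device. Suggest `description = "Name of the kernel VRF interface BIRD binds its protocols to; also used as the prefix for the BIRD routing table names.";` and, for `table`, `description = "Kernel routing table number of the VRF. Setting this enables VRF mode.";` so readers can tell from the options alone which field toggles the feature. If the intent really is an independent label, the two uses (table-name prefix and `vrf` statement) should be separated into two options.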
4 changes: 2 additions & 2 deletions resources/filters.conf
Expand Up @@ -24,14 +24,14 @@ function kernel_export() {
}

function reject_invalid_roa4() {
if (roa_check(dnroa4, net, bgp_path.last) != ROA_VALID) then {
if (roa_check(dnroa_4, net, bgp_path.last) != ROA_VALID) then {
print "Reject: ROA failed|", net, "|", bgp_path;
reject;
}
}

function reject_invalid_roa6() {
if (roa_check(dnroa6, net, bgp_path.last) != ROA_VALID) then {
if (roa_check(dnroa_6, net, bgp_path.last) != ROA_VALID) then {
print "Reject: ROA failed|", net, "|", bgp_path;
reject;
}

0 comments on commit 0f65107
