From 2420018235cf74285c2df68dba1d9f9272ed26a4 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 30 Sep 2023 01:14:36 +0000
Subject: [PATCH] etheroute-lon01: change setup of quadv
---
ops/nixos/etheroute-lon01/default.nix | 52 +++++++++------------------
ops/nixos/lib/bgp.nix | 26 +++++++++-----
2 files changed, 34 insertions(+), 44 deletions(-)
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index 3387f2d289..da2f65c1af 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -116,6 +116,9 @@
# Accept from "trusted" quadv1 interface ip46tables -A lukegb-forward -i quadv1 -j lukegb-fwd-accept
+ # Accept to quadv1 interface if we're multipathing.
+ ip46tables -A lukegb-forward -o quadv1 -j lukegb-fwd-accept
+ # Accept from established/related connections. ip46tables -A lukegb-forward -m conntrack --ctstate ESTABLISHED,RELATED -j lukegb-fwd-accept
@@ -158,26 +161,6 @@
}]; };
- systemd.network.netdevs.gsl1 = {
- netdevConfig = {
- Name = "gsl1";
- Kind = "vxlan";
- };
-
- vxlanConfig = {
- VNI = 242;
- Remote = "203.57.82.5";
- Local = "103.141.25.50";
- DestinationPort = 4789;
- };
- };
- systemd.network.networks."40-eno1".vxlan = [ "gsl1" ];
- systemd.network.networks.gsl1 = {
- matchConfig.Name = "gsl1";
- address = [ "10.0.0.22/30" "2401:3bc0::4:16/126" ];
- };
-
-
services.openssh.hostKeys = [ { path = "/persist/etc/ssh/ssh_host_ed25519_key";
@@ -202,7 +185,6 @@
local = { routerID = "103.141.25.50"; };
- export.v4 = [ "92.118.31.0/24" ];
peering = { etheroute = { local = local // {
@@ -218,20 +200,6 @@
}]; }; };
- gsl = {
- local = local // {
- v4 = "10.0.0.22";
- v6 = "2401:3bc0::4:16";
- };
- remote = {
- asn = 137409;
- export_community = 4002;
- routers = [{
- v4 = "10.0.0.21";
- v6 = "2401:3bc0::4:15";
- }];
- };
- };
bgptoolscollector = { local = local // { v4 = "103.141.25.50";
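Review bot: The new `ip46tables -A lukegb-forward -o quadv1 -j lukegb-fwd-accept` rule carries no `-i` qualifier, so forwarding toward quadv1 is now accepted from every ingress interface, which is considerably wider than the `-i quadv1` trust rule just above it. If the intent is only the return leg of multipath flows, the `ESTABLISHED,RELATED` conntrack rule a few lines below already covers that and this line is redundant; if the intent is to carry new transit flows from the other peers out via quadv, the comment should say so, e.g. `# Accept new flows out via quadv1 from any interface: transit leaves this way when quadv is an ECMP next hop.` As written a reader cannot tell which sources are expected to reach this rule. The firewall script this sits in begins and ends outside the hunk.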
@@ -250,6 +218,20 @@
prefix_limit.v6 = 0; }; };
+ quadv = {
+ local = local // {
+ v4 = "169.254.111.0";
+ };
+ remote = {
+ asn = 197753;
+ export_community = 4099;
+ routers = [{
+ v4 = "169.254.111.1";
+ }];
+ prefix_limit.v4 = 10;
+ prefix_limit.v6 = 10;
+ };
+ };
}; }; };
diff --git a/ops/nixos/lib/bgp.nix b/ops/nixos/lib/bgp.nix
index 27f4be7b5e..d20d29772c 100644
--- a/ops/nixos/lib/bgp.nix
+++ b/ops/nixos/lib/bgp.nix
@@ -16,6 +16,16 @@ let
${if ix.remote.must_be_next_hop then "if (bgp_path.first != ${toString ix.remote.asn}) then reject;" else "# no next-hop requirement"} ${lib.concatMapStringsSep "\n" (asn: "if (bgp_path ~ [= * ${toString asn} * =]) then reject;") ix.remote.drop_asns} if (bgp_path ~ [= * 16276 * =] && gw = 195.66.225.6) then gw = 195.66.224.220; # OVH must go via router 1; router 2 is bork.
+ ${lib.optionalString (ixName == "quadv") ''
+ bgp_ext_community.add((ro, 205479, 1000));
+ bgp_ext_community.add((ro, 205479, 4000)); # etheroute
+ #bgp_ext_community.add((ro, 205479, 4002)); # gsl
+
+ # Etheroute communities
+ bgp_community.add((3170, 63257)); # GTT Corero
+ bgp_community.add((64600, 3356)); # no Lumen
+ bgp_community.add((64600, 5459)); # no LINX peers (inc. RS)
+ ''}
bgp_local_pref = ${toString ix.remote.bgp_local_pref}; accept; }
@@ -33,6 +43,7 @@ let
}; ''}
+ ${lib.optionalString (doesIPv6 ix) ''
ipv6 table ${ixName}6; filter bgp_in_${ixName}6 prefix set allnet;
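Review bot: The quadv router entry sets no `password`, so `passwordSnippet` (visible in the bgp.nix hunk below) emits `# no password` and the session to AS197753 over 169.254.111.0/169.254.111.1 is configured without a session password, unlike the prefix limit which is set. If the peer offers one, add `password = "<PEER_SECRET_PLACEHOLDER>";` to the router attrset next to `v4`; if it deliberately has none, a one-line comment saying so would stop the next reader from treating it as an omission. `prefix_limit.v6 = 10` is inert for this peer, since `local` here provides only `routerID` and `v4` and the commit now gates IPv6 session generation on `local.v6`.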
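Review bot: The shared library now special-cases a peer by name (`ixName == "quadv"`) to inject a fixed community list, which couples ops/nixos/lib/bgp.nix to one host's peer naming and silently stops applying if the peer is renamed. Carrying the list as per-peer options in the peering definition — for instance a proposed `ix.remote.import_ext_communities` list rendered here with `${lib.concatMapStringsSep "\n" (c: "bgp_ext_community.add(${c});") ix.remote.import_ext_communities}` and a parallel one for `bgp_community` — keeps the policy next to the quadv block in default.nix where the values belong. The commented-out `#bgp_ext_community.add((ro, 205479, 4002)); # gsl` is dead now that this commit deletes the gsl peering and should go rather than linger. This block appears to sit in the inbound filter (it ends in `bgp_local_pref = …; accept;`), so a comment such as `# Tag routes learned from quadv for the etheroute export policy` would make the direction explicit.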
@@ -57,8 +68,10 @@ let
import ${if ix.remote.is_route_collector then "all" else "where ((ro, ${toString ix.local.asn}, ${toString ix.remote.export_community}) ~ bgp_ext_community)"}; export filter bgp_in_${ixName}6; };
+ ''}
'' + lib.concatImapStringsSep "\n" ( i: v: generateSnippetForRouter (args // { routerNum = i; router = v; }) ) ix.remote.routers; doesIPv4 = ix: (ix.local.v4 != null) || ix.v4onv6;
+ doesIPv6 = ix: (ix.local.v6 != null);
enabledSnippet = { enabled ? true, ... }: "disabled ${if enabled then "off" else "on"};"; passwordSnippet = { password ? null, ... }: if password == null then "# no password" else "password \"${password}\";"; multihopSnippet = { multihop ? null, ... }: if multihop == null then "# not multihop" else "multihop ${toString multihop};";
@@ -83,6 +96,7 @@ let
}; }; ''}
+ ${lib.optionalString (ix.local.v6 != null) ''
protocol bgp ${ixName}${toString routerNum}_6 { ${enabledSnippet router} ${passwordSnippet router}
@@ -108,6 +122,7 @@ let
${prefixLimitSnippet ix.remote.prefix_limit.v6} }; };
+ ''}
''; inherit (lib) mkOption mkAfter types;
@@ -143,7 +158,8 @@ in {
default = null; }; v6 = mkOption { # lukegbgp.config.peering..local.v6
- type = str;
+ type = nullOr str;
+ default = null;
}; }; };
@@ -325,14 +341,6 @@ in {
protocol static export4 { ipv4 { import filter {
-
- if net = 92.118.31.0/24 then {
- # bgp_path.prepend(197753);
- bgp_ext_community.add((ro, 205479, 1000));
- bgp_ext_community.add((ro, 205479, 4002));
- accept;
- }
-
bgp_ext_community.add((ro, 205479, 1000)); bgp_ext_community.add((ro, 205479, 2000)); bgp_ext_community.add((ro, 205479, 2001));
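Review bot: The IPv6 protocol block is gated on `ix.local.v6 != null` while the table/filter block added at @@ -33 uses the new `doesIPv6 ix` helper from @@ -57; the two are equivalent today but should use the same predicate so a later change to `doesIPv6` (say a v6-over-v4 analogue of `v4onv6`) cannot leave the protocol and its table out of step, i.e. `${lib.optionalString (doesIPv6 ix) ''` here with the matching `''}` closer at @@ -108 unchanged. `generateSnippetForRouter` and the enclosing `let` both extend outside these hunks, so I am assuming `doesIPv6` is reachable there just as `doesIPv4` is. A short comment on the helper, `# IPv6 table, filter and protocol are generated only when local.v6 is set.`, would record the new contract.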
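Review bot: `v6` becomes `nullOr str` with `default = null`, which the new `doesIPv6` gating depends on, but the option has no description, so nobody reading the options can tell that leaving it unset disables the IPv6 session rather than being an error. Add `description = "Local IPv6 address for this peering; null (the default) skips generation of the IPv6 table, filter and protocol.";` to the mkOption. Whether anything outside these hunks still reads `ix.local.v6` unconditionally is not visible here and is worth checking before merge.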