From cfc00d2ccfcab88c1dbae2f1602018122a511884 Mon Sep 17 00:00:00 2001
From: Thomas Liske
Date: Tue, 9 Apr 2024 21:48:32 +0200
Subject: [PATCH] arouteserver: update templates from arouteserver 1.22.1
---
arouteserver/templates/bird/clients.j2 | 112 ++++++++++++++++++------
arouteserver/templates/fingerprints.yml | 2 +-
2 files changed, 85 insertions(+), 29 deletions(-)
diff --git a/arouteserver/templates/bird/clients.j2 b/arouteserver/templates/bird/clients.j2
index b8cd1cd..c982c4b 100644
--- a/arouteserver/templates/bird/clients.j2
+++ b/arouteserver/templates/bird/clients.j2
@@ -57,22 +57,28 @@ function origin_as_is_in_{{ client.id }}_as_set(){{ bird_fnc_type("bool") }} { # R-SET for {{ client.id }} function prefix_is_in_{{ client.id }}_as_set(){{ bird_fnc_type("bool") }} { {% if client.cfg.filtering.irrdb.as_set_bundle_ids %} -{% for as_set_bundle_id in client.cfg.filtering.irrdb.as_set_bundle_ids|sort %} -{% set this_ip_ver = client.ip|ipaddr_ver %} -{% set prefixes = irrdb_info[as_set_bundle_id].prefixes|selectattr("prefix", "is_ipver", this_ip_ver)|list %} -{% if prefixes %} -{% if "2.0"|target_version_ge %} +{% for as_set_bundle_id in client.cfg.filtering.irrdb.as_set_bundle_ids|sort %} +{% if "2.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %} +{% set afis = [4, 6] %} +{% else %} +{% set afis = [ client.ip|ipaddr_ver ] %} +{% endif %} +{% for this_ip_ver in afis %} +{% set prefixes = irrdb_info[as_set_bundle_id].prefixes|selectattr("prefix", "is_ipver", this_ip_ver)|list %} +{% if prefixes %} +{% if "2.0"|target_version_ge %} if net.type = NET_IP{{ this_ip_ver }} then if net ~ AS_SET_{{ irrdb_info[as_set_bundle_id].name }}_prefixes_{{ this_ip_ver }} then return true; -{% else %} +{% else %} if net ~ AS_SET_{{ irrdb_info[as_set_bundle_id].name }}_prefixes_{{ this_ip_ver }} then return true; -{% endif %} -{% else %} +{% endif %} +{% else %} # AS-SET {{ irrdb_info[as_set_bundle_id].name }} referenced but empty. -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} +{% endfor %} {% endif %} return false; } 
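Review bot: The `# AS-SET {{ irrdb_info[as_set_bundle_id].name }} referenced but empty.` comment in `prefix_is_in_{{ client.id }}_as_set` is now emitted once per address family but does not say which family is empty. For an RFC 8950 client an empty IPv4 side means every IPv4 route falls through to `return false;`, and an operator reading the generated config cannot tell that from the comment. I would make it `# AS-SET {{ irrdb_info[as_set_bundle_id].name }} referenced but empty for IPv{{ this_ip_ver }}.`. The commit subject says the template is taken from arouteserver 1.22.1 and `fingerprints.yml` pins its hash, so the change presumably belongs upstream.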
@@ -93,8 +99,15 @@ function next_hop_is_valid_for_{{ client.id }}(){{ bird_fnc_type("bool") }} {% endfor %} {% else %} {% for asn, same_as_clients in clients|groupby("asn") if asn == client.asn %} -{% for same_as_client in same_as_clients|sort(attribute="ip") if same_as_client.ip|ipaddr_ver == client.ip|ipaddr_ver %} +{% for same_as_client in same_as_clients|sort(attribute="ip") %} +{% if ( + "2.0"|target_version_ge and + client.cfg.rfc8950 + ) or ( + same_as_client.ip|ipaddr_ver == client.ip|ipaddr_ver + ) %} if bgp_next_hop = {{ same_as_client.ip }} then return true; # {{ same_as_client.id }} +{% endif %} {% endfor %} {% endfor %} {% endif %} @@ -104,12 +117,28 @@ function next_hop_is_valid_for_{{ client.id }}(){{ bird_fnc_type("bool") }} {% if client.cfg.filtering.black_list_pref %} function prefix_is_in_{{ client.id }}_blacklist(){{ bird_fnc_type("bool") }} -prefix set {{ client.id }}_blacklist; +{% for this_ip_ver in list_ip_vers %} +{% set prefixes = client.cfg.filtering.black_list_pref|selectattr("prefix", "is_ipver", this_ip_ver )|list %} +{% if prefixes|length > 0 %} +prefix set {{ client.id }}_blacklist_{{ this_ip_ver }}; +{% endif %} +{% endfor %} { - {{ client.id }}_blacklist = [ -{{ write_prefix_list(client.cfg.filtering.black_list_pref|selectattr("prefix", "is_ipver", client.ip|ipaddr_ver)) }} - ]; - return net ~ {{ client.id }}_blacklist; +{% for this_ip_ver in list_ip_vers %} +{% set prefixes = client.cfg.filtering.black_list_pref|selectattr("prefix", "is_ipver", this_ip_ver )|list %} +{% if prefixes|length > 0 %} + {{ client.id }}_blacklist_{{ this_ip_ver }} = [ +{{ write_prefix_list(prefixes) }} + ]; +{% if "2.0"|target_version_ge %} + if net.type = NET_IP{{ this_ip_ver }} then + if net ~ {{ client.id }}_blacklist_{{ this_ip_ver }} then return true; +{% else %} + if net ~ {{ client.id }}_blacklist_{{ this_ip_ver }} then return true; +{% endif %} +{% endif %} +{% endfor %} + return false; } {% endif %} 
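Review bot: The new condition in `next_hop_is_valid_for_{{ client.id }}` accepts same-AS client addresses of either family whenever `client.cfg.rfc8950` is set, without the `client.ip|ipaddr_ver == 6` test that the other RFC 8950 branches in this commit carry. If `rfc8950` can be true on a client whose session address is IPv4 (not visible here), that client's generated list would also contain IPv6 next hops, which widens the next-hop check with no benefit. I would align the first clause with the rest of the commit: `"2.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6`. The function starts and ends outside the hunk.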
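Review bot: `prefix_is_in_{{ client.id }}_blacklist` evaluates the same `black_list_pref|selectattr("prefix", "is_ipver", this_ip_ver)|list` selection twice, once in the declaration loop and once in the body loop, so a later edit to only one of them can leave a set declared but never assigned, or assigned but never declared. When `black_list_pref` has entries but none for a family in `list_ip_vers` (defined outside the hunk), the function also reduces silently to `return false;`. An `{% else %}` branch in the body loop that emits a generated comment such as `# no blacklisted prefixes for IPv{{ this_ip_ver }}` would make that visible to whoever audits the rendered filter.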
@@ -186,7 +215,12 @@ bool validated; {% if client.cfg.filtering.irrdb.white_list_route %} # Client's white list -{% for route in client.cfg.filtering.irrdb.white_list_route|selectattr("prefix", "is_ipver", client.ip|ipaddr_ver)|sort(attribute="prefix") if route.prefix|ipaddr_ver == client.ip|ipaddr_ver %} +{% if "2.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %} +{% set routes = client.cfg.filtering.irrdb.white_list_route|sort(attribute="prefix") %} +{% else %} +{% set routes = client.cfg.filtering.irrdb.white_list_route|selectattr("prefix", "is_ipver", client.ip|ipaddr_ver)|sort(attribute="prefix") %} +{% endif %} +{% for route in routes %} if !validated && net ~ [ {{ write_prefix_list_entry(route) }} ] then { {% if route.asn %} if bgp_path.last = {{ route.asn }} then { @@ -223,7 +257,11 @@ filter receive_from_{{ client.id }} { {{ reject(client, 65535, '"source != RTS_BGP - REJECTING ", net') }} {% if "2.0"|target_version_ge %} + {% if client.cfg.rfc8950 and client.ip|ipaddr_ver == 6%} + if !(net.type = NET_IP6 || net.type = NET_IP4) then + {% else %} if !(net.type = NET_IP{{ client.ip|ipaddr_ver }}) then + {% endif %} {{ reject(client, 65535, '"AFI not enabled for this peer - REJECTING ", net') }} {% endif %} @@ -279,8 +317,13 @@ filter receive_from_{{ client.id }} { {% if client.ip|ipaddr_ver == 6 %} # Prefix: only IPv6 Global Unicast space allowed + {% if "2.0"|target_version_ge %} + if net.type = NET_IP6 && !(net ~ [2000::/3+]) then + {{ reject(client, 10, '"prefix is not in IPv6 Global Unicast space - REJECTING ", net') }} + {% else %} if !(net ~ [2000::/3+]) then {{ reject(client, 10, '"prefix is not in IPv6 Global Unicast space - REJECTING ", net') }} + {% endif %} {% endif %} # Prefix: global blacklist 
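Review bot: The white-list loop now renders entries of both address families for an RFC 8950 client, but the generated test stays `if !validated && net ~ [ ... ] then {` with no `net.type` guard, unlike the AS-SET and blacklist checks changed in this same commit. Matching a route against a prefix literal of the other family probably just evaluates to false, but that is inferred and not shown here. Under `"2.0"|target_version_ge` I would add the same guard, `net.type = NET_IP{{ route.prefix|ipaddr_ver }} &&`, so all three checks read alike. The loop body continues outside the hunk.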
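Review bot: The comment `# Prefix: only IPv6 Global Unicast space allowed` above the new `net.type = NET_IP6 &&` guard (hunk at -279) no longer describes what the filter does for an RFC 8950 client. IPv4 prefixes received on the IPv6 session skip this test and are bounded only by other checks in the filter, such as the global blacklist that follows. I would reword it to `# Prefix: IPv6 routes must be in Global Unicast space; IPv4 routes on RFC 8950 sessions are not checked here`. The `reject(...)` line is identical in both branches, so only the `if` line needs to sit inside the version test.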
@@ -325,15 +368,18 @@ filter receive_from_{{ client.id }} { {% endif %} # Prefix: length - {% if client.ip|ipaddr_ver == 4 %} - {% set min_pref_len = client.cfg.filtering.ipv4_pref_len.min %} - {% set max_pref_len = client.cfg.filtering.ipv4_pref_len.max %} + {% if "2.0.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %} + {% set afis = [4, 6] %} {% else %} - {% set min_pref_len = client.cfg.filtering.ipv6_pref_len.min %} - {% set max_pref_len = client.cfg.filtering.ipv6_pref_len.max %} + {% set afis = [ client.ip|ipaddr_ver ] %} {% endif %} - if !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then + {% for current_afi in afis %} + {% set min_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].min %} + {% set max_pref_len = client.cfg.filtering["ipv" ~ current_afi ~ "_pref_len"].max %} + if {%- if "2.0"|target_version_ge %} net.type = NET_IP{{ current_afi }} && {% else %} {% endif -%} + !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then {{ reject(client, 13, '"prefix len [", net.len, "] not in ' ~ min_pref_len ~ '-' ~ max_pref_len ~ ' - REJECTING ", net') }} + {% endfor %} {% if cfg.graceful_shutdown.enabled %} {% if client.cfg.graceful_shutdown.enabled %} 
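Review bot: The inline `if {%- if "2.0"|target_version_ge %} ... {% else %} {% endif -%}` construction in the prefix-length check depends on whitespace-control markers to render a valid BIRD `if`, which is hard to audit in a statement that decides which prefix lengths are accepted. The Global Unicast check in this commit wraps two complete `if` lines in a plain `{% if %}`/`{% else %}`, and the same shape would read better here. The hunk also tests `"2.0.0"|target_version_ge` when building `afis` but `"2.0"|target_version_ge` for the guard; one spelling throughout would remove the question of whether the two can disagree.

```jinja
{% for current_afi in afis %}
{# … unchanged: min_pref_len / max_pref_len lookups … #}
{% if "2.0"|target_version_ge %}
if net.type = NET_IP{{ current_afi }} && !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
{% else %}
if !prefix_len_is_valid({{ min_pref_len }}, {{ max_pref_len }}) then
{% endif %}
{# … unchanged: reject(client, 13, …) line and endfor … #}
```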
@@ -457,24 +503,33 @@ protocol bgp {{ client.id }} { interpret communities off; {% endif %} + {% if "2.0.0"|target_version_ge and client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 %} + {% set afis = [4, 6] %} + {% else %} + {% set afis = [ client.ip|ipaddr_ver ] %} + {% endif %} + {% for current_afi in afis %} {% if "2.0.0"|target_version_ge %} # --------------------------------------- - ipv{{ client.ip|ipaddr_ver }} { - table master{{ client.ip|ipaddr_ver }}; + ipv{{ current_afi }} { + table master{{ current_afi }}; {% endif %} {% if client.cfg.add_path %} add paths tx; {% endif %} + {% if client.cfg.rfc8950 and client.ip|ipaddr_ver == 6 and current_afi == 4 %} + extended next hop on; + {% endif %} {% if cfg.path_hiding %} secondary; {% endif %} {% if client.cfg.filtering.max_prefix.action %} - {% if client.ip|ipaddr_ver == 4 and client.cfg.filtering.max_prefix.limit_ipv4 %} + {% if current_afi == 4 and client.cfg.filtering.max_prefix.limit_ipv4 %} {% set max_pref_limit = client.cfg.filtering.max_prefix.limit_ipv4 %} - {% elif client.ip|ipaddr_ver == 6 and client.cfg.filtering.max_prefix.limit_ipv6 %} + {% elif current_afi == 6 and client.cfg.filtering.max_prefix.limit_ipv6 %} {% set max_pref_limit = client.cfg.filtering.max_prefix.limit_ipv6 %} {% else %} {% set max_pref_limit = 0 %} @@ -498,11 +553,12 @@ protocol bgp {{ client.id }} { export filter announce_to_{{ client.id }}; {%- if "2.0.0"|target_version_ge %} - {{- write_custom_config_lines(client, "ipv" ~ client.ip|ipaddr_ver, "channel")|indent(" ") }} + {{- write_custom_config_lines(client, "ipv" ~ current_afi, "channel")|indent(" ") }} {{- write_custom_config_lines(client, "any", "channel")|indent(" ") }} # --------------------------------------- }; {% endif %} + {% endfor %} {{- write_custom_config_lines(client, "ipv" ~ client.ip, "protocol")|indent(" ") }} {{- write_custom_config_lines(client, "any", "protocol")|indent(" ") }} 
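Review bot: For the IPv4 channel that an RFC 8950 IPv6 session now gets, the max-prefix limit is taken from `limit_ipv4` and falls to `{% set max_pref_limit = 0 %}` when that is unset; how a zero limit is rendered lies outside this hunk. It is worth confirming that a client configured with only `limit_ipv6` does not end up with an IPv4 channel that has no effective limit. A template comment above the loop, e.g. `{# one channel per AFI; max-prefix is resolved separately for each channel #}`, would record the intent. The `protocol bgp` block starts and ends outside the hunk.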
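Review bot: The protocol-level call on the context line of the hunk at -498 passes `"ipv" ~ client.ip`, while the channel-level call just above it uses an address-family number (`"ipv" ~ current_afi`), so the protocol hook name is built from the full peer address, not from `ipv4`/`ipv6`. If the custom-config hooks are keyed by family (not visible here), it should probably read `"ipv" ~ client.ip|ipaddr_ver`. Separately, `write_custom_config_lines(client, "any", "channel")` now sits inside the per-AFI loop, so those lines are emitted into both channels of an RFC 8950 session. Operators who carry security-relevant channel options in that hook should know they now apply twice.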
diff --git a/arouteserver/templates/fingerprints.yml b/arouteserver/templates/fingerprints.yml
index 304fd6e..10bd869 100644
--- a/arouteserver/templates/fingerprints.yml
+++ b/arouteserver/templates/fingerprints.yml
@@ -1,5 +1,5 @@
 bird:
- clients.j2: 87e945e73ea2fee187092b66aa3a7ef266ae655e2863d919e9c34f7d73f419418948caa217a73bc7f0c7a2b1a39313dbb8c3d2551e4b393983066def64eb00bd
+ clients.j2: 2b59e328f8f183a9d47af70d7a48b6ed573779696e23e1fa48049b0503d4d53daa5b29bd9e5047083d9d1f0f365f5d25ef1a6c14a43d7bb92452dd121368580a
 common.j2: 1888f590f24415b2df86b3f86f4a36ca8c348ae6e5ddfac664e1663928fd5093863b605d5165b4075da38df5bb041f1cbeebee9991efc1be02eb4a696d95e420
 header.j2: 25f219ef4d0a4ee64c18b338bc557c246c4759b438f31865a7483ebef8a9a3795e09c85ba301da24d7036b474f7936f7a9ed758f93d66bca36e0624c23729170
 irrdb.j2: 4ff9a0dba41a02737c17a2497613f2dcc179a80b79714f18d61162e9503907cfd53765ab426036119e8bcb716d9d24a5380d724235373ae4ab7340d6c6eb074a