diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst index a675697..5f9670e 100755 --- a/debian/wit-network-config.postinst +++ b/debian/wit-network-config.postinst @@ -3,7 +3,7 @@ # # see: dh_installdeb(1) -set -e +set -xe # summary of how this script can be called: # * `configure' @@ -17,20 +17,34 @@ set -e # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package +HOSTNAME=edge2.usw2.admin.wit.com case "$1" in configure) + IFCONFIG="/etc/network/interfaces" + UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules" + FRRCONFIG="/etc/frr/frr.conf.wit" + + IFCONFIG="/tmp/interfaces" + UDEVCONFIG="/tmp/70-persistent-net.rules" + FRRCONFIG="/tmp/frr.conf.wit" + cp files/frr.conf.wit /tmp + + ## START gather all the info from the box and generate the variabels + dig_txt() { + TMPDIG=$(dig txt +short $1.${HOSTNAME}) + [ -z $TMPDIG ] && exit 2 + echo ${TMPDIG//\"/} + } - export LOOPBACKv4=$(dig a +short ${HOSTNAME}) - export LOOPBACKv6=$(dig aaaa +short ${HOSTNAME}) - NODEASN=$(dig txt +short asn.${HOSTNAME}) - NODEASN="${NODEASN%\"}" - NODEASN="${NODEASN#\"}" - export NODEASN + + LOOPBACKv4=$(dig a +short ${HOSTNAME}) + LOOPBACKv6=$(dig aaaa +short ${HOSTNAME}) + NODEASN=$(dig_txt asn) if [ -z $LOOPBACKv4 ] || [ -z $LOOPBACKv6 ] || [ -z $NODEASN ]; then echo "unable to find my LOOPBACK IP and/or ASN: $LOOPBACKv4/$LOOPBACKv6/$NODEASN" 
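Review bot: `set -xe` enables command tracing for the entire postinst, so every dig answer and every generated configuration fragment passed to sed is echoed to dpkg's stderr and into whatever captures the install log; together with the bare `exit 2` added later in this series it reads as debugging scaffolding rather than an intended change. Keep `set -e` here and make tracing opt-in, e.g. `[ -n "${WIT_DEBUG:-}" ] && set -x`, so a normal install stays quiet and an operator can still turn it on.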
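Review bot: The three `/tmp/...` assignments immediately override the `/etc` paths set on the lines just above them, so as committed the package never writes its real interfaces, udev or FRR configuration, and `cp files/frr.conf.wit /tmp` assumes the postinst runs from the source tree, which dpkg does not guarantee. Those fixed names in a world-writable directory are then written to as root with `>>` and `sed -i` and finally handed to `chown frr.frr`, which is the classic shared-/tmp pitfall; if a scratch copy is really wanted, use `workdir=$(mktemp -d)` and install the results to the final paths at the end. The hardcoded `HOSTNAME=edge2.usw2.admin.wit.com` likewise pins every installed box to one DNS name and should come from `hostname -f` or the package's own configuration. In `dig_txt`, `[ -z $TMPDIG ]` is unquoted, so a TXT answer containing whitespace makes `test` fail with "too many arguments"; write `[ -z "$TMPDIG" ] && exit 2`, and note that the `exit 2` only behaves like a return because the function is always invoked inside `$(...)`.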
@@ -41,31 +55,19 @@ case "$1" in ## END variables - ## START nic config compile - IFCONFIG="/etc/network/interfaces" - UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules" - - # gathering supported interfaces - declare -A MACS - MACS["mgmt1"]=$(dig txt +short mac.mgmt.${HOSTNAME}) - for if in feth up ibgp - do - for i in {1..9} - do - MACS["${if}${i}"]=$(dig txt +short mac.${if}${i}.${HOSTNAME}) - done - done - # wiping existing config in prep for de-deploying it mv -f ${IFCONFIG} ${IFCONFIG}.dpkg-old || true mv -f ${UDEVCONFIG} ${UDEVCONFIG}.dpkg-old || true + + + # write loopback config - cat <<-EOF >/etc/network/interfaces + cat <<-EOF >>$IFCONFIG auto lo iface lo inet loopback 
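Review bot: The redirect for the loopback stanza changes from `>` to `>>`, so it now appends to whatever already exists at `$IFCONFIG`; the `mv -f ... || true` above is meant to clear that file, but `|| true` also hides a failed move, in which case the new stanza is appended to the old configuration instead of replacing it. Since the move is intended to leave nothing behind, write the first stanza with `cat <<-EOF >$IFCONFIG` and keep `>>` only for the per-interface stanzas that follow. The `case` arm this sits in starts and ends outside the hunk.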
@@ -79,17 +81,103 @@ case "$1" in EOF - for if in ${!MACS[@]} - do - [ -z ${MACS[$if]} ] && continue ## skip undefined interfaces - echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=='${MACS[$if]}', ATTR{type}=="1", NAME="'${if}'"' >>$UDEVCONFIG + # gathering defined interfaces + FRR_IFS="!" + FRR_NEIGH="!" + for if in mgmt feth up ibgp gre; do + for i in {1..2}; do #### for now we support/cound only to 2 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt) + ifname=${if}${i} + ifalias=$(dig_txt name.${ifname}) || true ## still thinking how to do this cleaner + + if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then + ifmtu=$(dig_txt mtu.${ifname}) + local=$(dig_txt local.${ifname}) + remote=$(dig_txt remote.${ifname}) + + ## build FRR interface config to enable ND adv for ipv6 unmanaged + FRR_IFS="$FRR_IFS\ninterface $ifname" + FRR_IFS="$FRR_IFS\n description $ifalias" + FRR_IFS="$FRR_IFS\n ipv6 nd ra-interval 10" + FRR_IFS="$FRR_IFS\n no ipv6 nd suppress-ra\n!" - if [[ $if = feth? ]]; then + ## build FRR neightbor interfaces + FRR_NEIGH="$FRR_NEIGH\n neighbor $ifname interface peer-group GRE" + + + ## build regular linux network interface config cat <<-EOF >>$IFCONFIG - auto $if - iface $if inet manual + auto $ifname + iface $ifname inet manual + ## $ifalias + pre-up ip tunnel add $ifname mode gre local $local remote $remote + down ip tunnel del $ifname + mtu $ifmtu + + + EOF + + fi + + + ## physical interfaces + ifmac=$(dig_txt mac.${ifname/mgmt1/mgmt}) || continue ## skip undefined interfaces + + + echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=='${ifmac}', ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG + + + if [[ $ifname = up? 
]]; then + + ipv4=$(dig_txt ipv4.$ifname) + ipv6=$(dig_txt ipv6.$ifname) + peerv4=$(dig_txt peerv4.$ifname) || true ## we don't know if we will always have both available + peerv6=$(dig_txt peerv6.$ifname) || true ## we don't know if we will always have both available + + ## if this code gets executed even once we have a upX interface, meaning we're dealing with an edge box + FRR_IPV4_EDGE_EXTRA=" neighbor fabric default-originate" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n neighbor fabric route-map FABRICv4-OUT out" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 168.245.146.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.210.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.211.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.212.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.213.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.214.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.215.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.216.0/24" + FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.217.0/24" + + + + FRR_IPV6_EDGE_EXTRA=" neighbor fabric default-originate" + FRR_IPV6_EDGE_EXTRA="$FRR_IPV6_EDGE_EXTRA\n neighbor fabric route-map FABRICv6-OUT out" + FRR_IPV6_EDGE_EXTRA="$FRR_IPV6_EDGE_EXTRA\n aggregate-address 2604:bbc0::/32" + + + [ -z $peerv4 ] || FRR_NEIGH="$FRR_NEIGH\n neighbor $peerv4 peer-group eBGPv4" + [ -z $peerv6 ] || FRR_NEIGH="$FRR_NEIGH\n neighbor $peerv6 peer-group eBGPv6" + + + cat <<-EOF >>$IFCONFIG + auto $ifname + iface $ifname inet static + address $ipv4 + mtu 9000 + + iface $ifname inet6 static + address $ipv6 + + + EOF + + fi + + + if [[ $ifname = ibgp? ]]; then + cat <<-EOF >>$IFCONFIG + auto $ifname + iface $ifname inet manual mtu 9000 
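Review bot: Every value fetched by `dig_txt` in this loop (`$local`, `$remote`, `$ifmtu`, `$ipv4`, `$ipv6`, `$peerv4`, `$peerv6`, `$ifmac`, `$ifalias`) is written verbatim into the `pre-up ip tunnel add ...` lines, the udev `ATTR{address}==` rule and the `FRR_*` strings that sed later splices into frr.conf, all of which are executed or loaded as root, and the only check is that the TXT answer is non-empty. DNS is not an authenticated channel unless the resolver validates DNSSEC, so a wrong or tampered record currently becomes arbitrary text in `/etc/network/interfaces` and the udev rules rather than a failed install. A small per-type format check applied right after each lookup turns that into a clean `exit 2`, which is what the surrounding emptiness checks already aim for; the helper below would live next to `dig_txt`. Separately, the `[[ ... ]]` tests are safe unquoted but `[ -z $peerv4 ]` and `[ -z $peerv6 ]` are not and should be `[ -z "$peerv4" ]` / `[ -z "$peerv6" ]`. The `for if ...` / `for i ...` loops opened in this hunk are closed by the `done done` in a later hunk.
```shell
# Reject a DNS-sourced value that does not match the expected shape before it
# reaches ip(8), udev or sed.  Behaves like dig_txt: any mismatch ends the run.
check_fmt() {
  local re=$1 val=$2 what=$3
  [[ $val =~ $re ]] || { printf 'unexpected value for %s: %q\n' "$what" "$val" >&2; exit 2; }
}
# … unchanged: dig_txt lookups for $ifmtu / $local / $remote …
check_fmt '^[0-9]+$' "$ifmtu" "mtu.${ifname}"
# assumes GRE endpoints are IPv4 (mode gre) — confirm; use an IPv6 pattern for ip6gre
check_fmt '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$local" "local.${ifname}"
check_fmt '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$remote" "remote.${ifname}"
# … unchanged: FRR_IFS / FRR_NEIGH / gre interfaces stanza …
check_fmt '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' "$ifmac" "mac.${ifname}"
# … unchanged: udev rule, up?/ibgp? stanzas …
```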
@@ -97,14 +185,25 @@ case "$1" in fi - if [[ $if = mgmt? ]]; then + if [[ $ifname = feth? ]]; then cat <<-EOF >>$IFCONFIG - auto $if - iface $if inet6 auto - iface $if inet dhcp + auto $ifname + iface $ifname inet manual + mtu 9000 + + + EOF + fi + + + if [[ $ifname = mgmt? ]]; then + cat <<-EOF >>$IFCONFIG + auto $ifname + iface $ifname inet6 auto + iface $ifname inet dhcp pre-up /bin/ip link add mgmt type vrf table mgmt pre-up /bin/ip link set up dev mgmt - pre-up /bin/ip link set master mgmt dev $if + pre-up /bin/ip link set master mgmt dev $ifname post-down /bin/ip link del dev mgmt @@ -112,35 +211,10 @@ case "$1" in fi - if [[ $if = ibgp? ]]; then - cat <<-EOF >>$IFCONFIG - auto $if - iface $if inet manual - mtu 9000 - - - EOF - fi - - - if [[ $if = up? ]]; then - cat <<-EOF >>$IFCONFIG - auto $if - iface $if inet static - address $(dig txt +short ipv4.$if.$HOSTNAME) - mtu 9000 - iface $if inet6 static - address $(dig txt +short ipv6.$if.$HOSTNAME) - - - EOF - fi - - + done done - - ## START nic config compile + ## STOP nic config compile @@ -149,8 +223,16 @@ case "$1" in # set frr config - sed -i -e "s/FRRROUTERID/${LOOPBACKv4}/" -e "s/NODEASN/${NODEASN}/" /etc/frr/frr.conf.wit - chown frr.frr /etc/frr/frr.conf.wit /etc/frr/daemons.wit + sed -i \ + -e "s/^!!! FRR_IFS/$FRR_IFS/" \ + -e "s/^!!! FRR_NEIGH/$FRR_NEIGH/" \ + -e "s/^!!! FRR_IPV4_EDGE_EXTRA/$FRR_IPV4_EDGE_EXTRA/" \ + -e "s/^!!! FRR_IPV6_EDGE_EXTRA/$FRR_IPV6_EDGE_EXTRA/" \ + -e "s/FRRROUTERID/${LOOPBACKv4}/" \ + -e "s/NODEASN/${NODEASN}/" \ + $FRRCONFIG +exit 2 + chown frr.frr $FRRCONFIG /etc/frr/daemons.wit diff --git a/files/frr.conf.wit b/files/frr.conf.wit index d39a83b..cdbdf13 100644 --- a/files/frr.conf.wit +++ b/files/frr.conf.wit @@ -13,6 +13,8 @@ interface feth2 ipv6 nd ra-interval 10 no ipv6 nd suppress-ra ! +!!! FRR_IFS +! router bgp NODEASN bgp router-id FRRROUTERID no bgp default ipv4-unicast 
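Review bot: The new `sed` invocation breaks as soon as `FRR_IPV4_EDGE_EXTRA` or `FRR_IPV6_EDGE_EXTRA` is non-empty: both contain prefixes such as `aggregate-address 168.245.146.0/24` and `2604:bbc0::/32`, and the `/` inside them terminates the `s/.../.../` expression, so sed rejects the script (and any `&` or `\` in a DNS-sourced neighbor address in `FRR_NEIGH` would be interpreted by the replacement as well). Use a delimiter that cannot occur in these values, e.g. `-e "s|^!!! FRR_IPV4_EDGE_EXTRA|$FRR_IPV4_EDGE_EXTRA|"` for all four marker lines, or emit the file with awk/printf instead of sed replacement text. The unindented `exit 2` between the sed and the `chown` aborts every configure run before ownership is fixed, so dpkg leaves the package in a failed state; it looks like a debugging stop and should be removed before merge. The `case` arm continues outside the hunk.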
@@ -23,24 +25,80 @@ router bgp NODEASN
 neighbor fabric remote-as external
 neighbor feth1 interface peer-group fabric
 neighbor feth2 interface peer-group fabric
+!!! neighbor GRE peer-group
+!!! neighbor GRE remote-as external
+!!! neighbor GRE local-as NODEDEFAULTASN
+!!! neighbor GRE password wIt2Go
+!!! neighbor GRE ebgp-multihop 255
+!!! neighbor eBGPv4 peer-group
+!!! neighbor eBGPv4 remote-as external
+!!! neighbor eBGPv6 peer-group
+!!! neighbor eBGPv6 remote-as external
+!!! neighbor iBGP peer-group
+!!! neighbor iBGP remote-as internal
+!!! FRR_NEIGH
 !
 address-family ipv4 unicast
 redistribute kernel route-map EIPv4
 redistribute connected route-map LOCALNETSv4
 neighbor fabric activate
- neighbor fabric addpath-tx-all-paths
 neighbor fabric soft-reconfiguration inbound
+!!! FRR_IPV4_EDGE_EXTRA
+!!! neighbor fabric default-originate
+!!! neighbor fabric route-map FABRICv4-OUT out
+!!! aggregate-address 168.245.146.0/24
+!!! aggregate-address 170.199.210.0/24
+!!! aggregate-address 170.199.211.0/24
+!!! aggregate-address 170.199.212.0/24
+!!! aggregate-address 170.199.213.0/24
+!!! aggregate-address 170.199.214.0/24
+!!! aggregate-address 170.199.215.0/24
+!!! aggregate-address 170.199.216.0/24
+!!! aggregate-address 170.199.217.0/24
+!!! neighbor GRE activate
+!!! neighbor GRE default-originate
+!!! neighbor GRE soft-reconfiguration inbound
+!!! neighbor GRE allowas-in 1
+!!! neighbor GRE route-map GREv4-IN in
+!!! neighbor GRE route-map FABRICv4-OUT out
+!!! neighbor eBGPv4 activate
+!!! neighbor eBGPv4 next-hop-self
+!!! neighbor eBGPv4 remove-private-AS
+!!! neighbor eBGPv4 soft-reconfiguration inbound
+!!! neighbor eBGPv4 route-map eBGPv4-IN in
+!!! neighbor eBGPv4 route-map eBGPv4-OUT out
+!!! neighbor iBGP activate
+!!! neighbor iBGP next-hop-self
+!!! neighbor iBGP soft-reconfiguration inbound
 exit-address-family
 !
address-family ipv6 unicast
 redistribute kernel route-map EIPv6
 redistribute connected route-map LOCALNETSv6
 neighbor fabric activate
- neighbor fabric addpath-tx-all-paths
 neighbor fabric soft-reconfiguration inbound
+!!! FRR_IPV6_EDGE_EXTRA
+!!! neighbor fabric default-originate
+!!! neighbor fabric route-map FABRICv6-OUT out
+!!! aggregate-address 2604:bbc0::/32
+!!! neighbor GRE activate
+!!! neighbor GRE default-originate
+!!! neighbor GRE soft-reconfiguration inbound
+!!! neighbor GRE allowas-in 1
+!!! neighbor GRE route-map GREv6-IN in
+!!! neighbor GRE route-map FABRICv6-OUT out
+!!! neighbor eBGPv6 activate
+!!! neighbor eBGPv6 soft-reconfiguration inbound
+!!! neighbor eBGPv6 route-map eBGPv6-IN in
+!!! neighbor eBGPv6 route-map eBGPv6-OUT out
+!!! neighbor iBGP activate
+!!! neighbor iBGP next-hop-self
+!!! neighbor iBGP soft-reconfiguration inbound
 exit-address-family
 !
 address-family l2vpn evpn
+!!! neighbor GRE activate
+!!! neighbor GRE allowas-in 1
 neighbor fabric activate
 advertise-all-vni
 exit-address-family
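Review bot: `!!! neighbor GRE password wIt2Go` commits a BGP session password to the repository in clear text; even though the line is `!`-commented in the template it is now in git history and in every built package, so it should be treated as exposed, rotated, and filled in at install time from a root-only file (for example another `!!! ` marker that the postinst substitutes from `/etc/frr/`) rather than stored under `files/`. The neighbor lines the postinst splices in at `!!! FRR_NEIGH` reference peer-groups `GRE`, `eBGPv4` and `eBGPv6` whose definitions in this hunk are themselves still `!!!`-commented, and nothing in the postinst strips that prefix, so unless another step does, FRR would normally reject those neighbor statements because the peer-group does not exist; the same applies to the `!!! ` prefix-lists and route-maps in the two later hunks of this file. `NODEDEFAULTASN` is also not among the tokens the postinst's sed replaces, so it would survive as literal text if the line were ever enabled.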
@@ -55,11 +113,43 @@ ip prefix-list WIT-CUSTOMERS seq 30 permit 170.199.214.0/24 ge 25
 ip prefix-list WIT-CUSTOMERS seq 35 permit 170.199.215.0/24 ge 25
 ip prefix-list WIT-CUSTOMERS seq 40 permit 170.199.216.0/24 ge 25
 ip prefix-list WIT-CUSTOMERS seq 45 permit 170.199.217.0/24 ge 25
+!!! ip prefix-list ALL seq 5 permit 0.0.0.0/0 le 32
+!!! ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
+!!! ip prefix-list WITV4-EXACT seq 15 permit 170.199.211.0/24
+!!! ip prefix-list WITV4-EXACT seq 20 permit 170.199.212.0/24
+!!! ip prefix-list WITV4-EXACT seq 25 permit 170.199.213.0/24
+!!! ip prefix-list WITV4-EXACT seq 30 permit 170.199.214.0/24
+!!! ip prefix-list WITV4-EXACT seq 35 permit 170.199.215.0/24
+!!! ip prefix-list WITV4-EXACT seq 40 permit 170.199.216.0/24
+!!! ip prefix-list WITV4-EXACT seq 45 permit 170.199.217.0/24
+!!! ip prefix-list rfc1918 seq 5 permit 0.0.0.0/8 le 32
+!!! ip prefix-list rfc1918 seq 10 permit 10.0.0.0/8 le 32
+!!! ip prefix-list rfc1918 seq 15 permit 127.0.0.0/8 le 32
+!!! ip prefix-list rfc1918 seq 20 permit 169.254.0.0/16 le 32
+!!! ip prefix-list rfc1918 seq 25 permit 172.16.0.0/12 le 32
+!!! ip prefix-list rfc1918 seq 30 permit 192.168.0.0/16 le 32
+!!! ip prefix-list rfc1918 seq 35 permit 224.0.0.0/3 le 32
+!!! ip prefix-list rfc1918 seq 40 permit 100.64.0.0/10 le 32
 !
 ipv6 prefix-list LOOPBACK seq 5 permit 2604:bbc0:0:100::/56 ge 128
 ipv6 prefix-list WIT-CUSTOMERS seq 10 permit 2604:bbc0:1::/48 ge 64
 ipv6 prefix-list WIT-CUSTOMERS seq 20 permit 2604:bbc0:2::/48 ge 64
 ipv6 prefix-list WIT-CUSTOMERS seq 30 permit 2604:bbc0:3::/48 ge 64
+!!! ipv6 prefix-list ALL seq 5 permit ::/0 le 128
+!!! ipv6 prefix-list DEFAULT seq 5 permit ::/0
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 5 deny 3ffe::/16 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 10 deny 2001:db8::/32 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 15 permit 2001::/32
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 20 deny 2001::/32 le 128
+!!! 
ipv6 prefix-list IPV6-EBGP-RELAXED seq 25 permit 2002::/16
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 30 deny 2002::/16 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 35 deny ::/8 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 40 deny fe00::/9 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 45 deny ff00::/8 le 128
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 50 permit 2000::/3 le 48
+!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 55 deny ::/0 le 128
+!!! ipv6 prefix-list WITV6 seq 10 permit 2604:bbc0::/32 ge 48
+!!! ipv6 prefix-list WITV6-SUMMARIES seq 10 permit 2604:bbc0::/32 le 44
 !
 route-map EIPv4 permit 5
 match ip address prefix-list WIT-CUSTOMERS
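Review bot: `WITV4-EXACT` starts at seq 15 with 170.199.211.0/24 and omits 168.245.146.0/24 and 170.199.210.0/24, yet the postinst's `FRR_IPV4_EDGE_EXTRA` aggregates all nine /24s; once the `!!! ` lines are enabled, `eBGPv4-OUT` (which matches `WITV4-EXACT`) would never announce those two aggregates upstream. The gap at seq 5 and 10 may be deliberate, so either add the two entries or leave a `!` comment stating why the blocks are withheld. The list named `rfc1918` also carries 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3 and 100.64.0.0/10, which are bogon ranges rather than RFC 1918 space; a name such as `BOGONS-V4` plus a one-line `!` comment would keep a later reader from trimming it back to the three RFC 1918 blocks and silently weakening the eBGP filters.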
@@ -75,5 +165,86 @@ route-map LOCALNETSv6 permit 5
 description "permit ipv6 loopback ips"
 match ipv6 address prefix-list LOOPBACK
 !
+
+
+!!! route-map eBGPv4-IN deny 5
+!!! description "deny any incoming private IP blocks"
+!!! match ip address prefix-list rfc1918
+!!! !
+!!! route-map eBGPv4-IN permit 10
+!!! description "Accept all routes advertised to us"
+!!! match ip address prefix-list ALL
+!!! !
+
+
+!!! route-map eBGPv4-OUT deny 5
+!!! description "deny advertising private IP space"
+!!! match ip address prefix-list rfc1918
+!!! !
+!!! route-map eBGPv4-OUT permit 10
+!!! description "match IP block owned by WIT"
+!!! match ip address prefix-list WITV4-EXACT
+!!! !
+
+
+!!! route-map eBGPv6-IN permit 5
+!!! description "Accept all routes advertised to us"
+!!! match ipv6 address prefix-list IPV6-EBGP-RELAXED
+!!! !
+
+
+!!! route-map eBGPv6-OUT permit 5
+!!! description "match IP block owned by WIT"
+!!! match ipv6 address prefix-list WITV6-SUMMARIES
+!!! !
+
+
+!!! route-map FABRICv4-OUT permit 5
+!!! description "allow default route"
+!!! match ip address prefix-list DEFAULT
+!!! !
+!!! route-map FABRICv4-OUT permit 10
+!!! description "allow loopback IPs"
+!!! match ip address prefix-list LOOPBACK
+!!! !
+!!! route-map FABRICv4-OUT permit 15
+!!! description "allow WIT public IPs"
+!!! match ip address prefix-list WITV4
+!!! !
+
+
+!!! route-map FABRICv6-OUT permit 5
+!!! description "allow default route"
+!!! match ipv6 address prefix-list DEFAULT
+!!! !
+!!! route-map FABRICv6-OUT permit 10
+!!! description "allow loopback IPs"
+!!! match ipv6 address prefix-list LOOPBACK
+!!! !
+!!! route-map FABRICv6-OUT permit 15
+!!! description "allow WIT public IPs"
+!!! match ipv6 address prefix-list WITV6
+!!! !
+
+
+!!! route-map GREv4-IN deny 5
+!!! description "deny default route in"
+!!! match ip address prefix-list DEFAULT
+!!! !
+!!! route-map GREv4-IN permit 10
+!!! description "accept all the rest"
+!!! match ip address prefix-list ALL
+!!! !
+
+
+!!! 
route-map GREv6-IN deny 5
+!!! description "deny default route in"
+!!! match ipv6 address prefix-list DEFAULT
+!!! !
+!!! route-map GREv6-IN permit 10
+!!! description "accept all the rest"
+!!! match ipv6 address prefix-list ALL
+!!! !
+!
 line vty
 !
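Review bot: `route-map FABRICv4-OUT permit 15` matches `prefix-list WITV4`, but no `ip prefix-list WITV4` appears anywhere in this diff (the IPv4 lists defined are `WIT-CUSTOMERS`, `WITV4-EXACT`, `rfc1918`, `ALL` and `DEFAULT`), and `FABRICv4-OUT permit 10` matches an `ip prefix-list LOOPBACK` that is likewise not visible here; if they do not exist earlier in the file, FRR typically evaluates a match on an undefined prefix-list as no match, and the fabric peers would receive only the default route from this router. The IPv6 side defines both `WITV6` and `ipv6 prefix-list LOOPBACK`, so the missing v4 names look like an oversight rather than a design choice; add the two `ip prefix-list` definitions (WITV4 can reuse the blocks from `WITV4-EXACT`) or point permit 15 at `WITV4-EXACT`. All of these route-maps stay `!!!`-commented and the postinst rewrites only the four `!!! FRR_*` marker lines, so a `!` comment at the top of this block saying how and when they are meant to be enabled would save the next maintainer from guessing.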