first major commit for edge boxes support, not nearly done yet

This commit is contained in:
toby 2018-10-16 22:44:57 +02:00
parent fc2e803533
commit 0e9142c15e
2 changed files with 319 additions and 66 deletions


@ -3,7 +3,7 @@
#
# see: dh_installdeb(1)
set -e
set -xe
# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
@ -17,20 +17,34 @@ set -e
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package
HOSTNAME=edge2.usw2.admin.wit.com
case "$1" in
configure)
IFCONFIG="/etc/network/interfaces"
UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
FRRCONFIG="/etc/frr/frr.conf.wit"
IFCONFIG="/tmp/interfaces"
UDEVCONFIG="/tmp/70-persistent-net.rules"
FRRCONFIG="/tmp/frr.conf.wit"
cp files/frr.conf.wit /tmp
## START gather all the info from the box and generate the variabels
dig_txt() {
TMPDIG=$(dig txt +short $1.${HOSTNAME})
[ -z $TMPDIG ] && exit 2
echo ${TMPDIG//\"/}
}
export LOOPBACKv4=$(dig a +short ${HOSTNAME})
export LOOPBACKv6=$(dig aaaa +short ${HOSTNAME})
NODEASN=$(dig txt +short asn.${HOSTNAME})
NODEASN="${NODEASN%\"}"
NODEASN="${NODEASN#\"}"
export NODEASN
LOOPBACKv4=$(dig a +short ${HOSTNAME})
LOOPBACKv6=$(dig aaaa +short ${HOSTNAME})
NODEASN=$(dig_txt asn)
if [ -z $LOOPBACKv4 ] || [ -z $LOOPBACKv6 ] || [ -z $NODEASN ]; then
echo "unable to find my LOOPBACK IP and/or ASN: $LOOPBACKv4/$LOOPBACKv6/$NODEASN"
@ -41,31 +55,19 @@ case "$1" in
## END variables
## START nic config compile
IFCONFIG="/etc/network/interfaces"
UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
# gathering supported interfaces
declare -A MACS
MACS["mgmt1"]=$(dig txt +short mac.mgmt.${HOSTNAME})
for if in feth up ibgp
do
for i in {1..9}
do
MACS["${if}${i}"]=$(dig txt +short mac.${if}${i}.${HOSTNAME})
done
done
# wiping existing config in prep for de-deploying it
mv -f ${IFCONFIG} ${IFCONFIG}.dpkg-old || true
mv -f ${UDEVCONFIG} ${UDEVCONFIG}.dpkg-old || true
# write loopback config
cat <<-EOF >/etc/network/interfaces
cat <<-EOF >>$IFCONFIG
auto lo
iface lo inet loopback
@ -79,17 +81,103 @@ case "$1" in
EOF
for if in ${!MACS[@]}
do
[ -z ${MACS[$if]} ] && continue ## skip undefined interfaces
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=='${MACS[$if]}', ATTR{type}=="1", NAME="'${if}'"' >>$UDEVCONFIG
# gathering defined interfaces
FRR_IFS="!"
FRR_NEIGH="!"
for if in mgmt feth up ibgp gre; do
for i in {1..2}; do #### for now we support/cound only to 2 interfaces of each type, we can just raise this to whatever number we want (exeption mgmt)
ifname=${if}${i}
ifalias=$(dig_txt name.${ifname}) || true ## still thinking how to do this cleaner
if [[ $ifname = gre? ]] && [[ ! -z $ifalias ]]; then
ifmtu=$(dig_txt mtu.${ifname})
local=$(dig_txt local.${ifname})
remote=$(dig_txt remote.${ifname})
## build FRR interface config to enable ND adv for ipv6 unmanaged
FRR_IFS="$FRR_IFS\ninterface $ifname"
FRR_IFS="$FRR_IFS\n description $ifalias"
FRR_IFS="$FRR_IFS\n ipv6 nd ra-interval 10"
FRR_IFS="$FRR_IFS\n no ipv6 nd suppress-ra\n!"
if [[ $if = feth? ]]; then
## build FRR neightbor interfaces
FRR_NEIGH="$FRR_NEIGH\n neighbor $ifname interface peer-group GRE"
## build regular linux network interface config
cat <<-EOF >>$IFCONFIG
auto $if
iface $if inet manual
auto $ifname
iface $ifname inet manual
## $ifalias
pre-up ip tunnel add $ifname mode gre local $local remote $remote
down ip tunnel del $ifname
mtu $ifmtu
EOF
fi
## physical interfaces
ifmac=$(dig_txt mac.${ifname/mgmt1/mgmt}) || continue ## skip undefined interfaces
echo 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=='${ifmac}', ATTR{type}=="1", NAME="'${ifname}'"' >>$UDEVCONFIG
if [[ $ifname = up? ]]; then
ipv4=$(dig_txt ipv4.$ifname)
ipv6=$(dig_txt ipv6.$ifname)
peerv4=$(dig_txt peerv4.$ifname) || true ## we don't know if we will always have both available
peerv6=$(dig_txt peerv6.$ifname) || true ## we don't know if we will always have both available
## if this code gets executed even once we have a upX interface, meaning we're dealing with an edge box
FRR_IPV4_EDGE_EXTRA=" neighbor fabric default-originate"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n neighbor fabric route-map FABRICv4-OUT out"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 168.245.146.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.210.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.211.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.212.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.213.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.214.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.215.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.216.0/24"
FRR_IPV4_EDGE_EXTRA="$FRR_IPV4_EDGE_EXTRA\n aggregate-address 170.199.217.0/24"
FRR_IPV6_EDGE_EXTRA=" neighbor fabric default-originate"
FRR_IPV6_EDGE_EXTRA="$FRR_IPV6_EDGE_EXTRA\n neighbor fabric route-map FABRICv6-OUT out"
FRR_IPV6_EDGE_EXTRA="$FRR_IPV6_EDGE_EXTRA\n aggregate-address 2604:bbc0::/32"
[ -z $peerv4 ] || FRR_NEIGH="$FRR_NEIGH\n neighbor $peerv4 peer-group eBGPv4"
[ -z $peerv6 ] || FRR_NEIGH="$FRR_NEIGH\n neighbor $peerv6 peer-group eBGPv6"
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet static
address $ipv4
mtu 9000
iface $ifname inet6 static
address $ipv6
EOF
fi
if [[ $ifname = ibgp? ]]; then
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet manual
mtu 9000
@ -97,14 +185,25 @@ case "$1" in
fi
if [[ $if = mgmt? ]]; then
if [[ $ifname = feth? ]]; then
cat <<-EOF >>$IFCONFIG
auto $if
iface $if inet6 auto
iface $if inet dhcp
auto $ifname
iface $ifname inet manual
mtu 9000
EOF
fi
if [[ $ifname = mgmt? ]]; then
cat <<-EOF >>$IFCONFIG
auto $ifname
iface $ifname inet6 auto
iface $ifname inet dhcp
pre-up /bin/ip link add mgmt type vrf table mgmt
pre-up /bin/ip link set up dev mgmt
pre-up /bin/ip link set master mgmt dev $if
pre-up /bin/ip link set master mgmt dev $ifname
post-down /bin/ip link del dev mgmt
@ -112,35 +211,10 @@ case "$1" in
fi
if [[ $if = ibgp? ]]; then
cat <<-EOF >>$IFCONFIG
auto $if
iface $if inet manual
mtu 9000
EOF
fi
if [[ $if = up? ]]; then
cat <<-EOF >>$IFCONFIG
auto $if
iface $if inet static
address $(dig txt +short ipv4.$if.$HOSTNAME)
mtu 9000
iface $if inet6 static
address $(dig txt +short ipv6.$if.$HOSTNAME)
EOF
fi
done
done
## START nic config compile
## STOP nic config compile
@ -149,8 +223,16 @@ case "$1" in
# set frr config
sed -i -e "s/FRRROUTERID/${LOOPBACKv4}/" -e "s/NODEASN/${NODEASN}/" /etc/frr/frr.conf.wit
chown frr.frr /etc/frr/frr.conf.wit /etc/frr/daemons.wit
sed -i \
-e "s/^!!! FRR_IFS/$FRR_IFS/" \
-e "s/^!!! FRR_NEIGH/$FRR_NEIGH/" \
-e "s/^!!! FRR_IPV4_EDGE_EXTRA/$FRR_IPV4_EDGE_EXTRA/" \
-e "s/^!!! FRR_IPV6_EDGE_EXTRA/$FRR_IPV6_EDGE_EXTRA/" \
-e "s/FRRROUTERID/${LOOPBACKv4}/" \
-e "s/NODEASN/${NODEASN}/" \
$FRRCONFIG
exit 2
chown frr.frr $FRRCONFIG /etc/frr/daemons.wit
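Review bot: The values returned by `dig_txt` (`$local`, `$remote`, `$ifmtu`, `$ipv4`, `$ipv6`, `$peerv4`, `$peerv6`) are substituted without any validation into the `pre-up ip tunnel add $ifname mode gre local $local remote $remote` and `mtu $ifmtu` heredoc lines of `$IFCONFIG` and into the sed replacement strings `s/^!!! FRR_IFS/$FRR_IFS/` … `s/NODEASN/${NODEASN}/` at the end of this hunk, so the content of a DNS TXT answer — unauthenticated unless the resolver validates DNSSEC — decides what ifupdown later runs as root and how `$FRRCONFIG` is rewritten. A record containing `/`, `&` or a newline also silently corrupts the sed expression, which `set -e` does not catch because sed still exits 0; likewise `[ -z $TMPDIG ]` in `dig_txt` is unquoted and misbehaves on a multi-word answer. I would have `dig_txt` quote its argument and check the answer against a caller-supplied pattern before echoing it, as below, and pass a pattern at every call whose result becomes a command argument. The `exit 2` left in front of the final `chown frr.frr $FRRCONFIG /etc/frr/daemons.wit` makes that chown unreachable; if it is a deliberate debug stop it deserves a `# TODO(toby): remove debug stop` comment. The enclosing `case "$1" in configure)` block starts in an earlier hunk and continues past this one.
```shell
## dig_txt NAME [REGEX]: print the TXT record NAME.$HOSTNAME, quotes stripped;
## exit 2 when the record is missing or does not fully match REGEX.
dig_txt() {
  local rec
  rec=$(dig txt +short "$1.${HOSTNAME}") || exit 2
  rec=${rec//\"/}
  [ -n "$rec" ] || exit 2
  if [ -n "${2:-}" ] && ! [[ $rec =~ ^$2$ ]]; then
    echo "dig_txt: unexpected value for $1: $rec" >&2
    exit 2
  fi
  echo "$rec"
}
# … unchanged: loopback/ASN gathering and interface loop …
# callers supply a pattern for anything that becomes a command argument, e.g.
ifmtu=$(dig_txt mtu.${ifname} '[0-9]+')
local=$(dig_txt local.${ifname} '[0-9a-fA-F:.]+')
remote=$(dig_txt remote.${ifname} '[0-9a-fA-F:.]+')
```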


@ -13,6 +13,8 @@ interface feth2
ipv6 nd ra-interval 10
no ipv6 nd suppress-ra
!
!!! FRR_IFS
!
router bgp NODEASN
bgp router-id FRRROUTERID
no bgp default ipv4-unicast
@ -23,24 +25,80 @@ router bgp NODEASN
neighbor fabric remote-as external
neighbor feth1 interface peer-group fabric
neighbor feth2 interface peer-group fabric
!!! neighbor GRE peer-group
!!! neighbor GRE remote-as external
!!! neighbor GRE local-as NODEDEFAULTASN
!!! neighbor GRE password wIt2Go
!!! neighbor GRE ebgp-multihop 255
!!! neighbor eBGPv4 peer-group
!!! neighbor eBGPv4 remote-as external
!!! neighbor eBGPv6 peer-group
!!! neighbor eBGPv6 remote-as external
!!! neighbor iBGP peer-group
!!! neighbor iBGP remote-as internal
!!! FRR_NEIGH
!
address-family ipv4 unicast
redistribute kernel route-map EIPv4
redistribute connected route-map LOCALNETSv4
neighbor fabric activate
neighbor fabric addpath-tx-all-paths
neighbor fabric soft-reconfiguration inbound
!!! FRR_IPV4_EDGE_EXTRA
!!! neighbor fabric default-originate
!!! neighbor fabric route-map FABRICv4-OUT out
!!! aggregate-address 168.245.146.0/24
!!! aggregate-address 170.199.210.0/24
!!! aggregate-address 170.199.211.0/24
!!! aggregate-address 170.199.212.0/24
!!! aggregate-address 170.199.213.0/24
!!! aggregate-address 170.199.214.0/24
!!! aggregate-address 170.199.215.0/24
!!! aggregate-address 170.199.216.0/24
!!! aggregate-address 170.199.217.0/24
!!! neighbor GRE activate
!!! neighbor GRE default-originate
!!! neighbor GRE soft-reconfiguration inbound
!!! neighbor GRE allowas-in 1
!!! neighbor GRE route-map GREv4-IN in
!!! neighbor GRE route-map FABRICv4-OUT out
!!! neighbor eBGPv4 activate
!!! neighbor eBGPv4 next-hop-self
!!! neighbor eBGPv4 remove-private-AS
!!! neighbor eBGPv4 soft-reconfiguration inbound
!!! neighbor eBGPv4 route-map eBGPv4-IN in
!!! neighbor eBGPv4 route-map eBGPv4-OUT out
!!! neighbor iBGP activate
!!! neighbor iBGP next-hop-self
!!! neighbor iBGP soft-reconfiguration inbound
exit-address-family
!
address-family ipv6 unicast
redistribute kernel route-map EIPv6
redistribute connected route-map LOCALNETSv6
neighbor fabric activate
neighbor fabric addpath-tx-all-paths
neighbor fabric soft-reconfiguration inbound
!!! FRR_IPV6_EDGE_EXTRA
!!! neighbor fabric default-originate
!!! neighbor fabric route-map FABRICv6-OUT out
!!! aggregate-address 2604:bbc0::/32
!!! neighbor GRE activate
!!! neighbor GRE default-originate
!!! neighbor GRE soft-reconfiguration inbound
!!! neighbor GRE allowas-in 1
!!! neighbor GRE route-map GREv6-IN in
!!! neighbor GRE route-map FABRICv6-OUT out
!!! neighbor eBGPv6 activate
!!! neighbor eBGPv6 soft-reconfiguration inbound
!!! neighbor eBGPv6 route-map eBGPv6-IN in
!!! neighbor eBGPv6 route-map eBGPv6-OUT out
!!! neighbor iBGP activate
!!! neighbor iBGP next-hop-self
!!! neighbor iBGP soft-reconfiguration inbound
exit-address-family
!
address-family l2vpn evpn
!!! neighbor GRE activate
!!! neighbor GRE allowas-in 1
neighbor fabric activate
advertise-all-vni
exit-address-family
@ -55,11 +113,43 @@ ip prefix-list WIT-CUSTOMERS seq 30 permit 170.199.214.0/24 ge 25
ip prefix-list WIT-CUSTOMERS seq 35 permit 170.199.215.0/24 ge 25
ip prefix-list WIT-CUSTOMERS seq 40 permit 170.199.216.0/24 ge 25
ip prefix-list WIT-CUSTOMERS seq 45 permit 170.199.217.0/24 ge 25
!!! ip prefix-list ALL seq 5 permit 0.0.0.0/0 le 32
!!! ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
!!! ip prefix-list WITV4-EXACT seq 15 permit 170.199.211.0/24
!!! ip prefix-list WITV4-EXACT seq 20 permit 170.199.212.0/24
!!! ip prefix-list WITV4-EXACT seq 25 permit 170.199.213.0/24
!!! ip prefix-list WITV4-EXACT seq 30 permit 170.199.214.0/24
!!! ip prefix-list WITV4-EXACT seq 35 permit 170.199.215.0/24
!!! ip prefix-list WITV4-EXACT seq 40 permit 170.199.216.0/24
!!! ip prefix-list WITV4-EXACT seq 45 permit 170.199.217.0/24
!!! ip prefix-list rfc1918 seq 5 permit 0.0.0.0/8 le 32
!!! ip prefix-list rfc1918 seq 10 permit 10.0.0.0/8 le 32
!!! ip prefix-list rfc1918 seq 15 permit 127.0.0.0/8 le 32
!!! ip prefix-list rfc1918 seq 20 permit 169.254.0.0/16 le 32
!!! ip prefix-list rfc1918 seq 25 permit 172.16.0.0/12 le 32
!!! ip prefix-list rfc1918 seq 30 permit 192.168.0.0/16 le 32
!!! ip prefix-list rfc1918 seq 35 permit 224.0.0.0/3 le 32
!!! ip prefix-list rfc1918 seq 40 permit 100.64.0.0/10 le 32
!
ipv6 prefix-list LOOPBACK seq 5 permit 2604:bbc0:0:100::/56 ge 128
ipv6 prefix-list WIT-CUSTOMERS seq 10 permit 2604:bbc0:1::/48 ge 64
ipv6 prefix-list WIT-CUSTOMERS seq 20 permit 2604:bbc0:2::/48 ge 64
ipv6 prefix-list WIT-CUSTOMERS seq 30 permit 2604:bbc0:3::/48 ge 64
!!! ipv6 prefix-list ALL seq 5 permit ::/0 le 128
!!! ipv6 prefix-list DEFAULT seq 5 permit ::/0
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 5 deny 3ffe::/16 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 10 deny 2001:db8::/32 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 15 permit 2001::/32
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 20 deny 2001::/32 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 25 permit 2002::/16
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 30 deny 2002::/16 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 35 deny ::/8 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 40 deny fe00::/9 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 45 deny ff00::/8 le 128
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 50 permit 2000::/3 le 48
!!! ipv6 prefix-list IPV6-EBGP-RELAXED seq 55 deny ::/0 le 128
!!! ipv6 prefix-list WITV6 seq 10 permit 2604:bbc0::/32 ge 48
!!! ipv6 prefix-list WITV6-SUMMARIES seq 10 permit 2604:bbc0::/32 le 44
!
route-map EIPv4 permit 5
match ip address prefix-list WIT-CUSTOMERS
@ -75,5 +165,86 @@ route-map LOCALNETSv6 permit 5
description "permit ipv6 loopback ips"
match ipv6 address prefix-list LOOPBACK
!
!!! route-map eBGPv4-IN deny 5
!!! description "deny any incoming private IP blocks"
!!! match ip address prefix-list rfc1918
!!! !
!!! route-map eBGPv4-IN permit 10
!!! description "Accept all routes advertised to us"
!!! match ip address prefix-list ALL
!!! !
!!! route-map eBGPv4-OUT deny 5
!!! description "deny advertising private IP space"
!!! match ip address prefix-list rfc1918
!!! !
!!! route-map eBGPv4-OUT permit 10
!!! description "match IP block owned by WIT"
!!! match ip address prefix-list WITV4-EXACT
!!! !
!!! route-map eBGPv6-IN permit 5
!!! description "Accept all routes advertised to us"
!!! match ipv6 address prefix-list IPV6-EBGP-RELAXED
!!! !
!!! route-map eBGPv6-OUT permit 5
!!! description "match IP block owned by WIT"
!!! match ipv6 address prefix-list WITV6-SUMMARIES
!!! !
!!! route-map FABRICv4-OUT permit 5
!!! description "allow default route"
!!! match ip address prefix-list DEFAULT
!!! !
!!! route-map FABRICv4-OUT permit 10
!!! description "allow loopback IPs"
!!! match ip address prefix-list LOOPBACK
!!! !
!!! route-map FABRICv4-OUT permit 15
!!! description "allow WIT public IPs"
!!! match ip address prefix-list WITV4
!!! !
!!! route-map FABRICv6-OUT permit 5
!!! description "allow default route"
!!! match ipv6 address prefix-list DEFAULT
!!! !
!!! route-map FABRICv6-OUT permit 10
!!! description "allow loopback IPs"
!!! match ipv6 address prefix-list LOOPBACK
!!! !
!!! route-map FABRICv6-OUT permit 15
!!! description "allow WIT public IPs"
!!! match ipv6 address prefix-list WITV6
!!! !
!!! route-map GREv4-IN deny 5
!!! description "deny default route in"
!!! match ip address prefix-list DEFAULT
!!! !
!!! route-map GREv4-IN permit 10
!!! description "accept all the rest"
!!! match ip address prefix-list ALL
!!! !
!!! route-map GREv6-IN deny 5
!!! description "deny default route in"
!!! match ipv6 address prefix-list DEFAULT
!!! !
!!! route-map GREv6-IN permit 10
!!! description "accept all the rest"
!!! match ipv6 address prefix-list ALL
!!! !
!
line vty
!