Add Babel routing, fixup ROA

2025-03-06 09:47:12 +01:00 · 2025-03-06 09:47:12 +01:00 · 78a693b2e0
commit 78a693b2e0
parent 02ab53f8b3
6 changed files with 53 additions and 5 deletions
--- a/roles/bird_edge/tasks/main.yml
+++ b/roles/bird_edge/tasks/main.yml
@ -19,8 +19,10 @@
    src: 'bird/{{ item }}.conf.j2'
    dest: '/etc/bird/{{ item }}.conf'
  loop:
+    - conf.d/25-edge-routing
    - conf.d/30-bgp
    - filter.d/25-community_filters
+    - filter.d/30-edge-filters
    - filter.d/30-bgp_filters
    - bgp-peers.d/00-dummy

--- a/roles/bird_edge/templates/bird/conf.d/25-edge-routing.conf.j2
+++ b/roles/bird_edge/templates/bird/conf.d/25-edge-routing.conf.j2
@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+protocol babel dn42_edge_neighbour {
+    interface "wg-dn42-edge";
+    ipv4 {
+        export none;
+        import none;
+    };
+    ipv6 {
+        import where edge_dn42_import();
+        export where edge_dn42_export();
+    };
+}
--- a/roles/bird_edge/templates/bird/filter.d/30-bgp_filters.conf.j2
+++ b/roles/bird_edge/templates/bird/filter.d/30-bgp_filters.conf.j2
@ -14,11 +14,15 @@ function dn42_update_geo() {
    }
 }

-function dn42_reject_roa() {
-    if (roa_check(dn42_roa6, net, bgp_path.last) != ROA_VALID) then {
-        print "Reject: bad ROA";
-        reject;
-    }
+function dn42_reject_roa()
+int orig_asn;
+{
+    if (source != RTS_BGP )
+        then orig_asn = MY_ASN;
+        else orig_asn = bgp_path.last;
+
+    if (roa_check(dn42_roa6, net, orig_asn) != ROA_VALID)
+        then reject "Reject: bad ROA for ", net, " ASN ", orig_asn;
 }

 function bgp_dn42_import(
@ -68,6 +72,8 @@ function bgp_dn42_export(
    # Restrict networks to DN42
    if (!is_valid_network()) then reject;

+    dn42_reject_roa();
+
    update_flags(link_latency, link_bw, link_crypto);
    dn42_update_geo();

--- a/roles/bird_edge/templates/bird/filter.d/30-edge-filters.conf.j2
+++ b/roles/bird_edge/templates/bird/filter.d/30-edge-filters.conf.j2
@ -0,0 +1,25 @@
+function edge_dn42_import() {
+    # weird routes are not accepted
+    if is_default() || is_martians() || is_rfc1918() then reject;
+
+    # Restrict networks to DN42
+    if (!is_valid_network()) then reject;
+
+    # Our full own network is not accepted
+    if is_self_net() then reject;
+
+    krt_prefsrc = MY_IP;
+    accept;
+}
+
+function edge_dn42_export() {
+    if (source !~ [RTS_STATIC, RTS_BABEL, RTS_BGP]) then reject;
+
+    # weird routes are not accepted
+    if is_default() || is_martians() || is_rfc1918() then reject;
+
+    # Restrict networks to DN42
+    if (!is_valid_network()) then reject;
+
+    accept;
+}
--- a/roles/bird_edge/templates/nftables/filter-input.d/30-edge-rtr.conf.j2
+++ b/roles/bird_edge/templates/nftables/filter-input.d/30-edge-rtr.conf.j2
@ -1,3 +1,4 @@
 {{ ansible_managed | comment }}

 iifname "wg-dn42-p-*" tcp dport 179 accept comment "BGP"
+iifname "wg-dn42-edge" udp dport 6696 accept comment "Babel"
--- a/roles/wireguard_edge_tunnels/tasks/main.yml
+++ b/roles/wireguard_edge_tunnels/tasks/main.yml
@ -42,6 +42,7 @@
    wg_extra_hosts: []
    wg_globally_allowed_ips:
      - 'fd00::/8'
+      - 'ff00::/8'  # Multicast -- needed for Babel operation
    wg_add_routes: false

 - name: Create Wireguard peering keypair