nixos-module/container/bird: don't export local nets as stubnets but

learn from kernel
2022-10-31 23:21:06 +01:00 · 2022-10-31 23:21:06 +01:00 · 761136bc61
parent 627c51e745
commit 761136bc61
1 changed files with 28 additions and 18 deletions
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@ -44,7 +44,19 @@ in
            ''
            else ''
              export all;
+              import filter {
+                ${lib.concatMapStrings (net:
+                  lib.optionalString (
+                    config.site.net.${net}.subnet4 or null != null
+                  ) ''
+                    if net ~ [ ${config.site.net.${net}.subnet4} ] then {
+                      # Learn route of local network ${net}
+                      accept;
+                    }
+                  '') (builtins.attrNames hostConf.interfaces)}
              ''}
+              reject;
+            };
        };
      }
      protocol kernel K6 {
@ -59,6 +71,18 @@ in
            ''
            else ''
              export all;
+              import filter {
+                ${lib.concatMapStrings (net:
+                  lib.optionalString (
+                    config.site.net.${net}.subnet4 or null != null
+                  ) ''
+                    if net ~ [ ${config.site.net.${net}.subnet4} ] then {
+                      # Learn route of local network ${net}
+                      accept;
+                    }
+                  '') (builtins.attrNames hostConf.interfaces)}
+                reject;
+              };
            ''}
        };
      }
@ -138,9 +162,7 @@ in
          ${builtins.concatStringsSep "\n" (
              builtins.attrValues (
                builtins.mapAttrs (net: _:
-                  # Enable OSPF only on networks with a secret. Others
-                  # are treated as a stubnet whose routes to
-                  # advertise.
+                  # Enable OSPF only on networks with a secret.
                  if config.site.net ? "${net}" && config.site.net.${net}.ospf.secret != null
                  then ''
                    interface "${net}" {
@ -151,11 +173,6 @@ in
                      password "${config.site.net.${net}.ospf.secret}";
                    };
                  ''
-                  else if config.site.net ? "${net}" && config.site.net.${net}.subnet4 != null
-                  then ''
-                    # Advertise route of network ${net}
-                    stubnet ${config.site.net.${net}.subnet4} {};
-                  ''
                  else ""
                ) hostConf.interfaces
              )
@ -255,9 +272,7 @@ in
          ${builtins.concatStringsSep "\n" (
              builtins.attrValues (
                builtins.mapAttrs (net: _:
-                  # Enable OSPF only on networks with a secret. Others
-                  # are treated as a stubnet whose routes to
-                  # advertise.
+                  # Enable OSPF only on networks with a secret.
                  if config.site.net.${net}.ospf.secret != null
                  then ''
                    interface "${net}" {
@ -268,12 +283,7 @@ in
                      password "${config.site.net.${net}.ospf.secret}";
                    };
                  ''
-                  else builtins.concatStringsSep "\n" (
-                    map (subnet6: ''
-                      # Advertise route of network ${net}
-                      stubnet ${subnet6} {};
-                    '') (builtins.attrValues config.site.net.${net}.subnets6)
-                  )
+                  else ""
                ) hostConf.physicalInterfaces
              )
          )}