nixos-module/container/bird: use protocol direct to learn iface routes

Astro 2022-10-31 23:42:03 +01:00
parent ead4199b3f
commit e61da5cd17
1 changed files with 23 additions and 43 deletions


@ -44,19 +44,7 @@ in
''
else ''
export all;
import filter {
${lib.concatMapStrings (net:
lib.optionalString (
config.site.net.${net}.subnet4 or null != null
) ''
if net ~ [ ${config.site.net.${net}.subnet4} ] then {
# Learn route of local network ${net}
accept;
}
'') (builtins.attrNames hostConf.interfaces)}
''}
reject;
};
''}
};
}
protocol kernel K6 {
@ -71,41 +59,33 @@ in
''
else ''
export all;
import filter {
${lib.concatMapStrings (net: ''
if net ~ [ ${lib.concatStringsSep " " (builtins.attrValues config.site.net.${net}.subnets6)} ] then {
# Learn route of local network ${net}
accept;
}
'') (builtins.attrNames hostConf.interfaces)}
reject;
};
''}
''}
};
}
protocol device {
scan time 10;
}
${lib.optionalString isUpstream ''
# Import address ranges of upstream interfaces so that
# internal traffic to local public services take no detours
# if the default router takes another upstream gateway.
protocol direct {
ipv4 {
# No RFC6598
import where net !~ 100.64.0.0/10
# No RFC1918
&& net !~ 10.0.0.0/8
&& net !~ 172.16.0.0/12
&& net !~ 192.168.0.0/16;
};
ipv6;
interface ${lib.concatMapStringsSep ", " (iface:
''"${iface}"''
)(builtins.attrNames upstreamInterfaces)};
check link yes;
}
''}
# Import address ranges of upstream interfaces so that
# internal traffic to local public services take no detours
# if the default router takes another upstream gateway.
protocol direct {
ipv4 {
${if isUpstream
then ''
# No RFC1918, RFC6598
import where net !~ [ 100.64.0.0/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ];
'' else ''
import all;
''}
};
ipv6 {
import all;
};
interface ${lib.concatMapStringsSep ", " (iface:
''"${iface}"''
)(builtins.attrNames hostConf.interfaces)};
check link yes;
}
${lib.optionalString (
builtins.match "anon.*" hostName != null ||