nixos-module/container/bird: use protocol direct to learn iface routes
This commit is contained in:
parent
ead4199b3f
commit
e61da5cd17
@ -44,19 +44,7 @@ in
|
|||
''
|
||||
else ''
|
||||
export all;
|
||||
import filter {
|
||||
${lib.concatMapStrings (net:
|
||||
lib.optionalString (
|
||||
config.site.net.${net}.subnet4 or null != null
|
||||
) ''
|
||||
if net ~ [ ${config.site.net.${net}.subnet4} ] then {
|
||||
# Learn route of local network ${net}
|
||||
accept;
|
||||
}
|
||||
'') (builtins.attrNames hostConf.interfaces)}
|
||||
''}
|
||||
reject;
|
||||
};
|
||||
''}
|
||||
};
|
||||
}
|
||||
protocol kernel K6 {
|
||||
|
@ -71,41 +59,33 @@ in
|
|||
''
|
||||
else ''
|
||||
export all;
|
||||
import filter {
|
||||
${lib.concatMapStrings (net: ''
|
||||
if net ~ [ ${lib.concatStringsSep " " (builtins.attrValues config.site.net.${net}.subnets6)} ] then {
|
||||
# Learn route of local network ${net}
|
||||
accept;
|
||||
}
|
||||
'') (builtins.attrNames hostConf.interfaces)}
|
||||
reject;
|
||||
};
|
||||
''}
|
||||
''}
|
||||
};
|
||||
}
|
||||
protocol device {
|
||||
scan time 10;
|
||||
}
|
||||
${lib.optionalString isUpstream ''
|
||||
# Import address ranges of upstream interfaces so that
|
||||
# internal traffic to local public services take no detours
|
||||
# if the default router takes another upstream gateway.
|
||||
protocol direct {
|
||||
ipv4 {
|
||||
# No RFC6598
|
||||
import where net !~ 100.64.0.0/10
|
||||
# No RFC1918
|
||||
&& net !~ 10.0.0.0/8
|
||||
&& net !~ 172.16.0.0/12
|
||||
&& net !~ 192.168.0.0/16;
|
||||
};
|
||||
ipv6;
|
||||
interface ${lib.concatMapStringsSep ", " (iface:
|
||||
''"${iface}"''
|
||||
)(builtins.attrNames upstreamInterfaces)};
|
||||
check link yes;
|
||||
}
|
||||
''}
|
||||
# Import address ranges of upstream interfaces so that
|
||||
# internal traffic to local public services take no detours
|
||||
# if the default router takes another upstream gateway.
|
||||
protocol direct {
|
||||
ipv4 {
|
||||
${if isUpstream
|
||||
then ''
|
||||
# No RFC1918, RFC6598
|
||||
import where net !~ [ 100.64.0.0/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ];
|
||||
'' else ''
|
||||
import all;
|
||||
''}
|
||||
};
|
||||
ipv6 {
|
||||
import all;
|
||||
};
|
||||
interface ${lib.concatMapStringsSep ", " (iface:
|
||||
''"${iface}"''
|
||||
)(builtins.attrNames hostConf.interfaces)};
|
||||
check link yes;
|
||||
}
|
||||
|
||||
${lib.optionalString (
|
||||
builtins.match "anon.*" hostName != null ||
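Review bot: The RFC1918/RFC6598 exclusion on the new `import where net !~ [ 100.64.0.0/10 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ];` line looks too narrow to do what the "No RFC1918, RFC6598" comment promises: if I read BIRD's prefix-set syntax correctly, a bare prefix in a set matches only that exact prefix, so an upstream interface carrying e.g. a /24 out of 10.0.0.0/8 would still be accepted and exported via the kernel protocols, and set elements are comma-separated rather than space-separated. The intent seems to be the `+` form that matches the block and everything below it, i.e. `import where net !~ [ 100.64.0.0/10+, 10.0.0.0/8+, 172.16.0.0/12+, 192.168.0.0/16+ ];`, so please verify against the BIRD version in use. The header comment kept from the old block ("Import address ranges of upstream interfaces …") is now stale, since the protocol is generated unconditionally and its `interface` list is built from `hostConf.interfaces`, not `upstreamInterfaces`; I would reword it to `# Import the address ranges of all interfaces (private ranges excluded on upstream routers) so that …`. The enclosing Nix string starts and ends outside this hunk.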
|
||||