nixos-module/container/bird: bgp fixups

2023-01-22 01:42:19 +01:00 · 2023-01-22 01:42:19 +01:00 · f2bb5a2735
parent 8869681b28
commit f2bb5a2735
3 changed files with 38 additions and 11 deletions
--- a/config/net/flpk.nix
+++ b/config/net/flpk.nix
@ -51,8 +51,10 @@
      };
    };
    bgp = {
-      allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
      upstreamTable = "vpn_table";
+      allowedUpstreams = [ "upstream4" "upstream3" "freifunk" ];
+      # IPv6 ::/0 via wireguard tunnel
+      allowedUpstreams6 = [];
      peers.${config.site.net.core.subnets6.dn42} = {
        type = "upstream";
        name = "up";
--- a/config/net/upstream.nix
+++ b/config/net/upstream.nix
@ -353,8 +353,10 @@ in
        };
      };
      bgp = {
-        allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
        upstreamTable = "vpn_table";
+        allowedUpstreams = [ "upstream3" "upstream4" "freifunk" ];
+        # IPv6 ::/0 via wireguard tunnel
+        allowedUpstreams6 = [];
        peers.${config.site.net.core.subnets6.dn42} = {
          asn = config.site.hosts.upstream3.bgp.asn;
          type = "upstream";
--- a/nix/nixos-module/container/bird.nix
+++ b/nix/nixos-module/container/bird.nix
@ -166,23 +166,43 @@ in
              preference = preference + 200;
              accept;
            };
-            ${lib.optionalString (nets4 != []) ''
-              export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets4} ];
-            ''}
+            export filter {
+              if net ~ [ ${config.site.net.core.subnet4} ] then {
+                reject;
+              }
+              ${lib.optionalString (nets4 != []) ''
+                if net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}+") nets4} ] then {
+                  accept;
+                }
+              ''}
+              reject;
+            };
          };
          ipv6 {
            import filter {
              preference = preference + 200;
              accept;
            };
-            ${lib.optionalString (nets6 != []) ''
-              export where net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}") nets6} ];
-            ''}
+            export filter {
+              if net ~ [ ${lib.concatStringsSep ", " (builtins.attrValues config.site.net.core.subnets6)} ] then {
+                reject;
+              }
+              ${lib.optionalString (nets6 != []) ''
+                if net ~ [ ${lib.concatMapStringsSep ", " (n: "${n}+") nets6} ] then {
+                  accept;
+                }
+              ''}
+              reject;
+            };
          };
        }
        template bgp bgp_rr_client {
          local as ${toString hostConf.bgp.asn};
          direct;
+          connect delay time 1;
+          connect retry time 3;
+          error wait time 1 5;
+          error forget time 5;

          ipv4 {
            next hop self on;
@ -260,6 +280,10 @@ in
            local as ${toString hostConf.bgp.asn};
            neighbor ${config.site.net.core.hosts6.dn42.${upstream}} as ${toString hostConf.bgp.asn};
            direct;
+            connect delay time 1;
+            connect retry time 3;
+            error wait time 1 5;
+            error forget time 5;

            ipv4 {
              ${if (upstream4Order ? ${upstream})
@ -329,8 +353,7 @@ in
        ];
      };
      instance = {
-        ipv4 = "ZW4_${hostNameEscaped}";
-        ipv6 = "ZW6_${hostNameEscaped}";
+        ipv4 = "bgp_up";
      };
      checkService = addressFamily: {
        description = "Check connectivity for ${addressFamily}";
@ -369,6 +392,6 @@ in
      };
    in lib.mkIf isUpstream {
      check-upstream-ipv4 = checkService "ipv4";
-      check-upstream-ipv6 = checkService "ipv6";
+      #check-upstream-ipv6 = checkService "ipv6";
    };
 }