From 2805167c671f8984e8287dc4a8ab79213649b852 Mon Sep 17 00:00:00 2001 From: Jack O'Sullivan Date: Tue, 25 Oct 2022 00:14:35 +0100 Subject: [PATCH] nixos/estuary: Add config for Frys-IX --- nixos/boxes/colony/vms/estuary/bgp.nix | 30 +++++++++- nixos/boxes/colony/vms/estuary/default.nix | 65 +++++++++++++++++++++- 2 files changed, 92 insertions(+), 3 deletions(-) diff --git a/nixos/boxes/colony/vms/estuary/bgp.nix b/nixos/boxes/colony/vms/estuary/bgp.nix index b73a0ad..688fc4a 100644 --- a/nixos/boxes/colony/vms/estuary/bgp.nix +++ b/nixos/boxes/colony/vms/estuary/bgp.nix @@ -26,6 +26,9 @@ in define DUB1IP6 = 2a0e:97c0:4df:0:2::1; + define PREFIXP = 110; + define PREFPEER = 120; + #function should_export6() { # return net ~ OWNNETSET6 || (transit && net ~ TRANSSET6); #} 
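Review bot: `PREFIXP` and `PREFPEER` are bare numbers with nothing stating what they are ranked against, so the policy they encode — direct peers preferred over Frys-IX route-server routes, and both above whatever preference the transit sessions carry — can only be recovered by reading the protocol blocks further down the file. A one-line comment above the defines would make that auditable, e.g. `# Route selection: PREFPEER (direct peers) > PREFIXP (IXP route servers) > transit sessions`. If the transit sessions rely on BIRD's default protocol preference rather than an explicit value, consider adding a third define for it so the ordering is explicit instead of implicit.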
@@ -156,18 +159,43 @@ in neighbor 2a02:898:0:20::e1 as 8283; } + protocol bgp peer4_frysix_rs1 from peer_bgp4 { + description "Frys-IX route server 1 (IPv4)"; + neighbor 185.1.203.253 as 56393; + ipv4 { preference PREFIXP; }; + } + protocol bgp peer6_frysix_rs1 from peer_bgp6 { + description "Frys-IX route server 1 (IPv6)"; + neighbor 2001:7f8:10f::dc49:253 as 56393; + ipv6 { preference PREFIXP; }; + } + + protocol bgp peer4_frysix_rs2 from peer_bgp4 { + description "Frys-IX route server 2 (IPv4)"; + neighbor 185.1.203.254 as 56393; + ipv4 { preference PREFIXP; }; + } + protocol bgp peer6_frysix_rs2 from peer_bgp6 { + description "Frys-IX route server 2 (IPv6)"; + neighbor 2001:7f8:10f::dc49:254 as 56393; + ipv6 { preference PREFIXP; }; + } + protocol bgp peer4_luje from peer_bgp4 { description "LUJE.net (IPv4)"; neighbor 94.142.240.20 as 212855; + ipv4 { preference PREFPEER; }; } protocol bgp peer6_luje from peer_bgp6 { description "LUJE.net (IPv6)"; neighbor 2a02:898:0:20::166:1 as 212855; + ipv6 { preference PREFPEER; }; } protocol bgp peer6_luje_labs from peer_bgp6 { description "LUJE.net labs (IPv6)"; - neighbor 2a07:cd40:1::9 as 202413; multihop 3; + neighbor 2a07:cd40:1::9 as 202413; + ipv6 { preference PREFPEER; }; } ''; }; diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix index e1c7d1e..366bd02 100644 --- a/nixos/boxes/colony/vms/estuary/default.nix +++ b/nixos/boxes/colony/vms/estuary/default.nix @@ -140,6 +140,7 @@ in }; }; + #systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug"; systemd.network = { config = { networkConfig = { 
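Review bot: The four Frys-IX route-server sessions inherit everything from `peer_bgp4`/`peer_bgp6`, which are defined outside this hunk, so it is not visible here whether they carry an `import limit N action disable` or a route-server-specific import filter; a route server relays prefixes from every member, so a leak from one peer (your own prefixes, a default route, bogons, or a next hop outside 185.1.203.0/24 / 2001:7f8:10f::/64) is accepted unless the template rejects it. Please confirm the templates do that, or add `import limit` and an RS filter on these four sessions. Separately, `peer6_luje_labs` loses `multihop 3`, which is unrelated to the commit title and changes the session to require a directly connected neighbor; if 2a07:cd40:1::9 is still reached over a tunnel this breaks the session, so either keep `multihop 3;` or state the reason in the commit message.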
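Review bot: The commented-out `#systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";` is leftover debugging in a committed config. Either drop it, or turn it into a short comment explaining that it enables networkd debug logging when the VLAN/link matching below misbehaves, so the next reader knows why the line is there.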
@@ -147,9 +148,31 @@ in }; }; + netdevs = { + "25-frys-ix-base" = { + netdevConfig = { + Name = "frys-ix-base"; + Kind = "vlan"; + }; + vlanConfig.Id = 409; + }; + "25-frys-ix" = { + netdevConfig = { + Name = "frys-ix"; + Kind = "vlan"; + }; + vlanConfig.Id = 2605; + }; + }; + links = { "10-wan" = { - matchConfig.MACAddress = "d0:50:99:fa:a7:99"; + matchConfig = { + Driver = "igb"; + Path = "pci-0000:01:00.0"; + # Matching against MAC address seems to break VLAN interfaces (since they share the same MAC address) + #MACAddress = "d0:50:99:fa:a7:99"; + }; linkConfig = { Name = "wan"; RxBufferSize = 4096; @@ -171,6 +194,7 @@ in networks = { "80-wan" = { matchConfig.Name = "wan"; + vlan = [ "frys-ix-base" ]; DHCP = "no"; address = with assignments.internal; [ (with ipv4; "${address}/${toString mask}") @@ -187,6 +211,33 @@ in IPv6AcceptRA = false; }; }; + "85-frys-ix-base" = { + matchConfig = { + Name = "frys-ix-base"; + Kind = "vlan"; + }; + vlan = [ "frys-ix" ]; + networkConfig = { + LinkLocalAddressing = "no"; + DHCP = "no"; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + }; + }; + "85-frys-ix" = { + matchConfig.Name = "frys-ix"; + address = [ + "185.1.203.196/24" + "2001:7f8:10f::3:3850:196/64" + ]; + networkConfig = { + DHCP = "no"; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + }; + }; "80-base" = mkMerge [ (networkdAssignment "base" assignments.base) @@ -296,10 +347,20 @@ in meta l4proto udp ct state new jump routing-udp return } + chain ixp { + ether type != { ip, ip6, arp, vlan } reject + return + } + chain forward { - iifname wan oifname base jump filter-routing + iifname { wan, frys-ix } oifname base jump filter-routing + oifname frys-ix jump ixp oifname as211024 accept } + chain output { + oifname frys-ix-base ether type != vlan reject + oifname frys-ix jump ixp + } } table inet nat { chain prerouting {
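Review bot: The frys-ix addresses `185.1.203.196/24` and `2001:7f8:10f::3:3850:196/64` are hard-coded in `85-frys-ix`, while the other networks visible in this hunk take their addresses from `assignments` (`with assignments.internal` in `80-wan`, `networkdAssignment "base" assignments.base`); adding a `frysix` entry to `assignments` and reusing it here keeps the IX assignment in one place, which matters because the BGP filters and firewall rules need the same LAN prefixes. On an IXP peering LAN only ARP/ND multicast is expected, so if systemd-resolved is active also set `LLMNR = false;` and `MulticastDNS = false;` next to `LLDP = false;` in the `frys-ix` network to keep the host from sending name-resolution multicast onto the exchange. The `assignments` definition itself is outside this hunk.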
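Review bot: The new `ixp` chain and the `output` rules match on `ether type`, but if this is an `inet` family table (the hunk's context — `ct state new`, `meta l4proto`, and the `table inet nat` that follows — suggests it is) they cannot enforce what they intend: an inet table only ever sees IPv4 and IPv6 packets, so `ether type != { ip, ip6, arp, vlan }` has nothing to match in `forward`, and in the `output` hook the link-layer header has not been built yet, so as far as I can tell the `ether type` expression does not match there at all. Restricting what leaves the Frys-IX port to IP, IPv6 and ARP needs a link-layer hook — a `netdev` table with an egress hook (kernel 5.16+) or a `bridge` family table — rather than these inet rules, and `drop` is the right verdict for a non-IP frame since `reject` cannot generate a meaningful reply. The table header is outside this hunk, so confirm its family before changing this.
```nix
      # … unchanged: existing filter table …
      table netdev ixp {
        chain egress {
          type filter hook egress device frys-ix priority 0;
          # Frys-IX LAN: only IPv4, IPv6 and ARP may leave the peering port
          ether type != { ip, ip6, arp } drop
        }
      }
```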