dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/estuary: Update networking config for iFog and new IXPs

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-11-18 11:54:04 +00:00
parent 950bcb3055
commit 7c523633f4
2 changed files with 113 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
nixos/boxes/colony/vms/estuary/bgp.nix
View File

@@ -44,7 +44,7 @@ in
protocol device {}
protocol direct {
interface "wan", "frys-ix";
interface "wan", "frys-ix", "nl-ix", "fogixp", "ifog-transit";
ipv4;
ipv6;
}
@@ -64,7 +64,7 @@ in
import none;
export filter {
if net ~ OWNNETSET4 then reject;
krt_prefsrc = OWNIP4;
#krt_prefsrc = OWNIP4;
accept;
};
};
@@ -75,7 +75,7 @@ in
export filter {
if net = HOMENET6 then accept;
if net ~ OWNNETSET6 then reject;
krt_prefsrc = OWNIP6;
#krt_prefsrc = OWNIP6;
accept;
};
};
@@ -176,6 +176,11 @@ in
neighbor 2a02:898:0:20::e1 as 8283;
}
protocol bgp upstream6_ifog from upstream_bgp6 {
description "iFog transit (IPv6)";
neighbor 2a0c:9a40:100f:370::1 as 34927;
}
protocol bgp upstream6_frysix_he from upstream_bgp6 {
description "Hurricane Electric (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::1b1b:154 as 6939;
@@ -225,6 +230,55 @@ in
description "Hurricane Electric (on Frys-IX, IPv4)";
neighbor 185.1.203.154 as 6939;
}
protocol bgp ixp4_nlix_rs1 from ixp_bgp4 {
description "NL-ix route server 1 (IPv4)";
neighbor 193.239.116.255 as 34307;
}
protocol bgp ixp6_nlix_rs1 from ixp_bgp6 {
description "NL-ix route server 1 (IPv6)";
neighbor 2001:7f8:13::a503:4307:1 as 34307;
}
protocol bgp ixp4_nlix_rs2 from ixp_bgp4 {
description "NL-ix route server 2 (IPv4)";
neighbor 193.239.117.0 as 34307;
}
protocol bgp ixp6_nlix_rs2 from ixp_bgp6 {
description "NL-ix route server 2 (IPv6)";
neighbor 2001:7f8:13::a503:4307:2 as 34307;
}
protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
description "Cloudflare NL-ix 1 (IPv6)";
neighbor 2001:7f8:13::a501:3335:1 as 13335;
}
protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
description "Cloudflare NL-ix 2 (IPv6)";
neighbor 2001:7f8:13::a501:3335:2 as 13335;
}
protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
description "Cloudflare NL-ix 3 (IPv6)";
neighbor 2001:7f8:13::a501:3335:3 as 13335;
}
protocol bgp ixp4_fogixp_rs1 from ixp_bgp4 {
description "FogIXP route server 1 (IPv4)";
neighbor 185.1.147.111 as 47498;
}
protocol bgp ixp6_fogixp_rs1 from ixp_bgp6 {
description "FogIXP route server 1 (IPv6)";
neighbor 2001:7f8:ca:1::111 as 47498;
}
protocol bgp ixp4_fogixp_rs2 from ixp_bgp4 {
description "FogIXP route server 2 (IPv4)";
neighbor 185.1.147.222 as 47498;
}
protocol bgp ixp6_fogixp_rs2 from ixp_bgp6 {
description "FogIXP route server 2 (IPv6)";
neighbor 2001:7f8:ca:1::222 as 47498;
}
'';
};
};

86
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -148,22 +148,26 @@ in
};
};
netdevs = {
"25-frys-ix-base" = {
netdevConfig = {
Name = "frys-ix-base";
Kind = "vlan";
netdevs =
let
mkVLAN = name: vid: {
"25-${name}" = {
netdevConfig = {
Name = name;
Kind = "vlan";
};
vlanConfig.Id = vid;
};
vlanConfig.Id = 409;
};
"25-frys-ix" = {
netdevConfig = {
Name = "frys-ix";
Kind = "vlan";
};
vlanConfig.Id = 2604;
};
};
in
mkMerge [
(mkVLAN "ifog" 409)
(mkVLAN "frys-ix" 701)
(mkVLAN "nl-ix" 1845)
(mkVLAN "fogixp" 1147)
(mkVLAN "ifog-transit" 702)
];
links = {
"10-wan" = {
@@ -192,10 +196,31 @@ in
};
};
networks = {
networks =
let
mkIXPConfig = name: ipv4: ipv6: {
"85-${name}" = {
matchConfig.Name = name;
address = [ ipv4 ipv6 ];
linkConfig.MTUBytes = "1500";
networkConfig = {
DHCP = "no";
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
};
};
};
in
mkMerge
[
(mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
(mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
(mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
{
"80-wan" = {
matchConfig.Name = "wan";
vlan = [ "frys-ix-base" ];
vlan = [ "ifog" ];
DHCP = "no";
address = with assignments.internal; [
(with ipv4; "${address}/${toString mask}")
@@ -212,12 +237,12 @@ in
IPv6AcceptRA = false;
};
};
"85-frys-ix-base" = {
"85-ifog" = {
matchConfig = {
Name = "frys-ix-base";
Name = "ifog";
Kind = "vlan";
};
vlan = [ "frys-ix" ];
vlan = [ "frys-ix" "nl-ix" "fogixp" "ifog-transit" ];
networkConfig = {
LinkLocalAddressing = "no";
DHCP = "no";
@@ -226,12 +251,10 @@ in
IPv6AcceptRA = false;
};
};
"85-frys-ix" = {
matchConfig.Name = "frys-ix";
address = [
"185.1.203.196/24"
"2001:7f8:10f::3:3850:196/64"
];
"85-ifog-transit" = {
matchConfig.Name = "ifog-transit";
address = [ "2a0c:9a40:100f:370::2/64" ];
linkConfig.MTUBytes = "1500";
networkConfig = {
DHCP = "no";
LLDP = false;
@@ -280,7 +303,7 @@ in
];
networkConfig.IPv6AcceptRA = false;
};
};
} ];
};
my = {
@@ -330,6 +353,8 @@ in
'';
in
''
define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
table inet filter {
chain routing-tcp {
# Safe enough to allow all SSH
@@ -354,13 +379,14 @@ in
}
chain forward {
iifname { wan, frys-ix } oifname base jump filter-routing
oifname frys-ix jump ixp
iifname wan oifname base jump filter-routing
iifname ixps oifname base jump filter-routing
oifname ixps jump ixp
oifname as211024 accept
}
chain output {
oifname frys-ix-base ether type != vlan reject
oifname frys-ix jump ixp
oifname ifog ether type != vlan reject
oifname ixps jump ixp
}
}
table inet nat {