diff --git a/README.md b/README.md
index a96aa74..d1d6c0c 100644
--- a/README.md
+++ b/README.md
@@ -37,14 +37,57 @@ All options are supplied in the `name=value` format on individual lines, i.e. `n
 You **MUST** specify these options, or Lixonet will not work.
-#### Network options
-
 * `git` - The Git clone repository URL, used for peer configurations.
 * `tinc_peer_name` - The global neighbor name. Tinc and Bird use this to identify a peer in the network, and to exclude your own pre-packed config automagically from Tinc and BIRD dialing out so you don't connect to yourself over and over again.
 * `tinc_peer_address` - The *router* address to use. This is your Lixonet routing layer address: 172.xxx.0.xxx
 * `network_address` - The *network* address to use. This is your Lixonet routing layer address: 172.xxx.0.0 (especially take note of the last two 0's: `0.0` -- it _MUST_ end with zeros corresponding to the network size)
 * `bgp_asn` - The BGP ASN to use. We usually follow the format `4206969XXX` where _XXX_ is the last octet of your `address`, zero-padded (i.e. 008 or 212)
+#### Configuration example
+
+A copy of the live configuration (`/etc/lixonet/teamlixo/lixonet.conf`) used by `denco_mane_lixo`:
+
+```
+git=http://git.team.lixo/lixonet/teamlixo.mesh.git
+tinc_peer_name=denco_mane_lixo
+tinc_peer_address=172.31.0.8
+tinc_bind_address=172.31.8.2
+bgp_asn=4206969008
+bgp_routes=172.31.8.0/21,172.31.254.0/24
+network_address=172.31.0.0
+netmask=255.255.255.0
+```
+
+(A key exists at `/etc/lixonet/teamlixo/tinc.key`)
+
+`cat /etc/network/interfaces`:
+```
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet dhcp
+ hostname lixonet
+```
+
+`ifconfig eth0`:
+```
+lixonet:/home/manevolent# ifconfig eth0
+eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
+ inet addr:172.31.8.2 Bcast:0.0.0.0 Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:313268 errors:0 dropped:0 overruns:0 frame:0
+ TX packets:266835 errors:0 dropped:0 overruns:0 carrier:0
+ collisions:0 txqueuelen:1000
+ RX bytes:223824994 (213.4 MiB) TX bytes:145971829 
(139.2 MiB)
+```
+
+`docker ps -a | grep teamlixo` (built by `./build.sh`):
+```
+646e3b6b5456 teamlixo_tinc "sh -c '/usr/sbin/ti…" 17 minutes ago Up 15 minutes teamlixo_tinc_1
+84fda16f829b teamlixo_bird "/bin/sh -c 'bird -c…" 17 minutes ago Up 9 minutes teamlixo_bird_1
+```
+
 ## Non-required options:
 #### General network options
diff --git a/bird/bird.conf.tmpl b/bird/bird.conf.tmpl
index 5d16e92..42ecdad 100644
--- a/bird/bird.conf.tmpl
+++ b/bird/bird.conf.tmpl
@@ -67,6 +67,13 @@ function is_rpki_invalid_v4 () {
 return roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID;
 }
+# Returns TRUE if the given tested network is the exact global network prefix for
+# Lixonet. Used to filter the "unreachable" static route we typically static.
+function is_exact_lixonet_global_v4()
+{
+ return net ~ [ ${network_address}/${global_prefix:-16} ];
+}
+
 # Returns TRUE if the given tested network is within the global network prefix for
 # Lixonet. Used to filter networks outside of this range as they are not within
 # the global mesh network.
@@ -103,6 +110,7 @@ filter bgp_import_filter_v4
 filter bgp_export_filter_v4
 {
 if is_lixonet_router_v4() then reject; # Reject poisons
+ if is_exact_lixonet_global_v4() then reject; # Reject the unreachable route
 if is_lixonet_global_v4() then accept; # Accept anything else
 reject; # Reject anything else (non-Lixonet)
 }
@@ -125,6 +133,11 @@ protocol static {
 export none;
 };
+ # Announce the whole network as unreachable; this returns packets that reach
+ # this router as unreachable (ICMP type=3, code=0) if no more specific route
+ # is defined for the network subnet
+ range ${network_address}/${global_prefix:-16}+ unreachable;
+
 # Announced networks
 {{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}route {{.}} reject; {{ end }}{{ end }}
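Review bot: `is_exact_lixonet_global_v4()` spells the global prefix as `${network_address}/${global_prefix:-16}` a second time, and the static route added in the third hunk of this file (whose end lies outside this view) spells it a third; if any one of them is edited on its own the export reject stops matching the unreachable route and the covering prefix is announced to every neighbour. BIRD lets the template state it once, `define lixonet_global_v4 = ${network_address}/${global_prefix:-16};` near the top of the file, with this function reduced to `return net = lixonet_global_v4;`. The comment `# Lixonet. Used to filter the "unreachable" static route we typically static.` reads as a cut-off sentence; I'd write `# Lixonet. Used to keep the static "unreachable" route for the whole prefix out of BGP exports.`. The expression also assumes `network_address` sits on the `global_prefix` boundary, which only the README asks for; I have not checked how the BIRD parser treats a value with host bits set, so a one-line note on that in the template header would help the next editor.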
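Review bot: The new reject in `bgp_export_filter_v4` keeps this router's own unreachable route from leaving, but `bgp_import_filter_v4` (named in the hunk header, body outside the hunk) is unchanged, so the same covering prefix arriving from a neighbour whose config predates this commit is still accepted into the table. Mirroring the line there, `if is_exact_lixonet_global_v4() then reject; # Never learn the covering prefix`, makes the rule symmetric instead of depending on every peer being up to date. With the local static route present an imported copy would presumably lose on preference, so the exposure is likely limited to routers that do not carry the static — I have not traced the preference values elsewhere in the file. The enclosing filter is wholly within the hunk.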