From 3e10e21c48a7c2a5bc327e7298640de2850a0a3b Mon Sep 17 00:00:00 2001
From: Astrid Yu
Date: Mon, 8 Apr 2024 18:35:20 -0700
Subject: [PATCH] reimplement dn42 stuff in racket
---
 netconf/asmodeus.rkt | 37 ++++++++++++++------
 netconf/dn42.rkt | 83 ++++++++++++++++++++++++++++++++++++++++++--
 netconf/util.rkt | 33 ++++++++++--------
 3 files changed, 127 insertions(+), 26 deletions(-)
diff --git a/netconf/asmodeus.rkt b/netconf/asmodeus.rkt
index d2de4933..605b75b9 100644
--- a/netconf/asmodeus.rkt
+++ b/netconf/asmodeus.rkt
@@ -1,14 +1,31 @@
 #lang racket
 (require "util.rkt")
+(require "dn42.rkt")
-(commandtree->string
- '(set firewall
- (global-options state-policy [(established action accept)
- (related action accept)
- (invalid action accept)])
- (group network-group
- (dn42-allowed-transit-v4 network
- ("10.0.0.0/8")
- ("172.20.0.0/14")
- ("172.31.0.0/16")))))
\ No newline at end of file
+(define wg-privkey "testkey") ; TODO: get from env
+
+(define commands
+ `(,(dn42/rpki)
+ ,(dn42/bgp-setup)
+ ,(dn42/bgp-group)
+ ,(dn42/route-collector)
+ ,(dn42/wireguard-ll-peer #:name "whojk"
+ #:our-ll-address "fe80::1846/64"
+ #:our-private-key wg-privkey
+ #:our-endpoint-port '()
+ #:peer-ll-address "fe80::2717"
+ #:peer-endpoint (cons "141.148.191.208" 24210)
+ #:peer-asn 4242422717
+ #:peer-public-key "SpnH/BlVNDx5QiMxHhuF4i8hKr5qWMxnPYky6Mp4fEA=")
+ (set firewall
+ (global-options state-policy [(established action accept)
+ (related action accept)
+ (invalid action accept)])
+ (group network-group
+ (dn42-allowed-transit-v4 network
+ ("10.0.0.0/8")
+ ("172.20.0.0/14")
+ ("172.31.0.0/16"))))))
+
+(displayln (commandtree->string commands))
\ No newline at end of file
diff --git a/netconf/dn42.rkt b/netconf/dn42.rkt
index 657fdd12..c3174f89 100644
--- a/netconf/dn42.rkt
+++ b/netconf/dn42.rkt
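Review bot: The firewall `global-options state-policy` inside `commands` accepts the `invalid` conntrack state (`(invalid action accept)`), which lets packets that connection tracking cannot associate with any flow straight through the state policy; unless that is deliberate for the dn42 tunnels, `(invalid action drop)` is the more common choice, and if accept is intended a comment on that line should say why. The hunk also keeps a placeholder private key in source (`(define wg-privkey "testkey")`, already flagged by the TODO); when it moves to the environment, fail closed rather than fall back to a literal, e.g. `(define wg-privkey (or (getenv "WG_PRIVKEY") (error 'asmodeus "WG_PRIVKEY not set")))` (variable name illustrative). That key then flows through `commandtree->string` into `displayln`, so the rendered output itself carries the secret and should be treated accordingly.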
@@ -1,9 +1,23 @@
 #lang racket
+(require "util.rkt")
+
+(provide dn42/bgp-group
+ dn42/bgp-setup
+ dn42/route-collector
+ dn42/wireguard-ll-peer
+ dn42/rpki)
+
 (define bgp-afs '(ipv4-unicast ipv6-unicast))
 (define dn42-roa-route-map "dn42-roa")
-(define (dn42-bgp-group)
+(define (dn42/bgp-setup)
+ '(set protocols bgp [(parameters router-id "172.23.7.177")
+ (system-as 4242421846)
+ (address-family ipv4-unicast network "172.23.7.176/28")
+ (address-family ipv6-unicast network "fd00:ca7:b015::/48")]))
+
+(define (dn42/bgp-group)
 `[(delete protocols bgp peer-group dn42)
 (set protocols bgp peer-group dn42
 [(capability extended-nexthop)
@@ -12,7 +26,7 @@
 (route-map import ,dn42-roa-route-map)
 (soft-reconfiguration inbound)]))])])
-(define (dn42-route-collector)
+(define (dn42/route-collector)
 (define addr "fd42:4242:2601:ac12::1")
 (define routemap 'deny-all)
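Review bot: `dn42/bgp-setup` emits only `set` commands, whereas `dn42/bgp-group` directly below (and `dn42/rpki` later in this file) pair each `set` with a `delete` of the node they own so that re-applying converges; `network` under `address-family` is multi-valued on VyOS, so a prefix removed from this list would stay announced on a router that applied an earlier version. Consider deleting the owned nodes first, e.g. `(delete protocols bgp address-family ipv4-unicast network)` and its ipv6-unicast counterpart, ahead of the `set`. The router-id, ASN and prefixes are this node's own identity while the per-peer values live in asmodeus.rkt; a one-line comment above the function, `; this router's dn42 identity: router-id, ASN and the prefixes it originates`, would make that split explicit.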
@@ -26,3 +40,68 @@
 (description "https://lg.collector.dn42")
 (ebgp-multihop 10)
 (remote-as 4242422602)])])
+
+(define (dn42/wireguard-ll-peer #:name name
+ #:our-ll-address our-ll-address
+ #:our-private-key our-private-key
+ #:our-endpoint-port our-endpoint-port
+ #:peer-ll-address peer-ll-address
+ #:peer-asn peer-asn
+ #:peer-public-key peer-public-key
+ #:peer-endpoint peer-endpoint)
+ (define ifname (format "wg~a" peer-asn))
+ (define tunnel
+ (wireguard/tunnel #:ifname ifname
+ #:description (format "dn42 peering tunnel for ~a (AS~a)" name peer-asn)
+ #:our-address our-ll-address
+ #:our-private-key our-private-key
+ #:our-endpoint-port our-endpoint-port
+ #:peers (list (wireguard/peer
+ #:name name
+ #:public-key peer-public-key
+ #:endpoint peer-endpoint))))
+ (define bgp
+ (bgp/link-local #:ifname ifname
+ #:description (format "dn42 peer ~a (AS~a)" name peer-asn)
+ #:peer-address peer-ll-address
+ #:peer-asn peer-asn
+ #:peer-group 'dn42))
+
+ `(,(wireguard/tunnel:render-vyos tunnel)
+ ,(bgp/link-local:render-vyos bgp)))
+
+(define (dn42/rpki [nat-rulenum 10])
+ (define container-addr "172.16.2.10")
+ (define subnet "172.16.2.0/24")
+ (define port 8082)
+
+ (define gortr
+ `[(delete container [(name gortr)
+ (network rpki)])
+ (set container name gortr
+ [(image "cloudflare/gortr")
+ (restart "on-failure")
+ (command ,(format "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :~a" port))
+ (network rpki address ,container-addr)])
+ (set container network rpki prefix ,subnet)])
+
+ (define nat
+ `[(delete nat source rule ,nat-rulenum)
+ (set nat source rule ,nat-rulenum [(outbound-interface name "eth0")
+ (translation address "masquerade")
+ (source address ,subnet)])])
+
+ (define point-rpki
+ `(set protocols rpki cache ,container-addr [(port ,port)
+ (preference 1)]))
+
+ (define route-map
+ `(set policy route-map ,dn42-roa-route-map rule
+ [(10 (action permit)
+ (match rpki valid))
+ (20 (action permit)
+ (match rpki notfound))
+ (30 (action deny)
+ (match rpki invalid))]))
+
+ `[,gortr ,nat ,point-rpki ,route-map])
diff --git a/netconf/util.rkt b/netconf/util.rkt
index ff90ccf6..7fb90c3e 100644
--- a/netconf/util.rkt
+++ b/netconf/util.rkt
@@ -7,7 +7,6 @@
 (require racket/symbol)
 (require (for-syntax racket/syntax))
-
 (provide command->string
@@ -27,16 +26,19 @@
 (match rpki invalid)))]
 @racket[expand-command-tree] will convert into this:
 @racketblock[
- '((set policy route-map dn42-roa rule 10 action permit)
+ '[(set policy route-map dn42-roa rule 10 action permit)
 (set policy route-map dn42-roa rule 10 match rpki valid)
 (set policy route-map dn42-roa rule 20 action permit)
 (set policy route-map dn42-roa rule 20 match rpki notfound)
 (set policy route-map dn42-roa rule 30 action deny)
- (set policy route-map dn42-roa rule 30 match rpki invalid))]})
+ (set policy route-map dn42-roa rule 30 match rpki invalid)]]})
 wireguard/tunnel:render-vyos
 wireguard/tunnel
 wireguard/peer
- commandtree->string)
+ commandtree->string
+ commandtree->strings
+ bgp/link-local
+ bgp/link-local:render-vyos)
 (define (command->string c)
 (string-join (map (match-lambda
@@ -54,9 +56,12 @@
 (expand-command-tree subtree)))
 lists))]))
-(define (commandtree->string t)
+(define (commandtree->strings t)
 (map command->string (expand-command-tree t)))
+(define (commandtree->string t)
+ (string-join (commandtree->strings t) "\n"))
+
 (define/match (split-at-first-list l)
 [((cons (? list? l) rest)) (cons '() (cons l rest))]
 [((cons obj rest)) (match-define (cons before after) (split-at-first-list rest))
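Review bot: The gortr command line in `dn42/rpki` disables both signature verification and validity-time checking of the ROA feed (`-verify=false -checktime=false`), so the `(match rpki valid)` decisions in `route-map` rest entirely on the TLS connection to dn42.burble.com and on whatever the last successful fetch contained, with no detection of a stale file. Record that trade-off beside the `(command ...)` line, e.g. `; ROA feed is fetched unverified and without time checks: integrity relies on HTTPS to burble, staleness is not detected`, so a later reader does not credit the RPKI filter with more than it provides. The image is also referenced as `"cloudflare/gortr"` with no tag or digest, which pulls whatever `latest` resolves to at deploy time; pinning a version or digest keeps the validator reproducible. Both `dn42/wireguard-ll-peer` and `dn42/rpki` are complete within this hunk.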
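Review bot: `commandtree->strings` joins the public interface (it is added to `provide` in the previous hunk) with no documentation, while this file already documents `expand-command-tree` in its provide form; a one-line comment above the definition, `; one VyOS command string per expanded leaf of t, in expansion order`, would match that habit. `commandtree->string` now joins that list with `"\n"` and is what asmodeus.rkt prints, so a note that the two are meant to stay in lock-step would be useful if the separator ever changes.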
@@ -105,15 +110,15 @@
 peer-group))
 (define-record-setter bgp/link-local)
-(define (bgp/link-local-peer:render-vyos r)
-`[(delete protocols bgp neighbor (bgp/link-local-peer-address r))
- (set protocols bgp neighbor ,(bgp/link-local-peer-address r)
- [(description ,(bgp/link-local-description r))
- (interface source-interface ,(bgp/link-local-ifname r))
- (interface v6only)
- (peer-group ,(bgp/link-local-ifname r))
- (remote-as ,(bgp/link-local-peer-asn r))
- (update-source ,(bgp/link-local-ifname r))])])
+(define (bgp/link-local:render-vyos r)
+ `[(delete protocols bgp neighbor (bgp/link-local-peer-address r))
+ (set protocols bgp neighbor ,(bgp/link-local-peer-address r)
+ [(description ,(bgp/link-local-description r))
+ (interface source-interface ,(bgp/link-local-ifname r))
+ (interface v6only)
+ (peer-group ,(bgp/link-local-ifname r))
+ (remote-as ,(bgp/link-local-peer-asn r))
+ (update-source ,(bgp/link-local-ifname r))])])
 (define-record-type firewall/rule
 (description
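Review bot: The `delete` form in `bgp/link-local:render-vyos` is missing its unquote: `(delete protocols bgp neighbor (bgp/link-local-peer-address r))` sits inside a quasiquote, so the accessor call is emitted literally instead of the peer's address and the stale neighbor is never removed; it should read `(delete protocols bgp neighbor ,(bgp/link-local-peer-address r))`, as the `set` line directly below already does. Separately, `(peer-group ,(bgp/link-local-ifname r))` places the neighbor in a peer-group named after the interface rather than the record's `peer-group` field (the one dn42.rkt sets to `'dn42`), which appears to mean the dn42 peer-group's `route-map import` with the ROA checks would not apply to the peer at all; `(peer-group ,(bgp/link-local-peer-group r))` looks like the intent, assuming the record accessor follows the same naming as the others used here. Both lines predate this commit but are re-emitted by it unchanged apart from indentation.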