infrastruktur:host:dobby-setup

infrastruktur:host:dobby-setup [17.12.2025 11:04] – [pim6sd] Linus Lüssing
infrastruktur:host:dobby-setup [28.12.2025 02:22] (aktuell) – [pim6sd] Linus Lüssing
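--- a/infrastruktur:host:dobby-setup
+++ b/infrastruktur:host:dobby-setup
@@ -96,5 +96,6 @@
 
   * zwischen dn42 peers immer routen/forwarden erlauben
-  * eingehend ins nbsp Netz nur bei established/related erlauben
+  * eingehend unicast ins nbsp Netz nur bei established/related erlauben 
+  * Routebares IPv6 multicast zwischen dn42 und nbsp erlauben
 
 <code>
@@ -106,4 +107,6 @@
 nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
+nft add rule inet filter forward ip6 daddr ff00::/8 iifname "dn42_*" oifname "eth0" accept
+nft add rule inet filter forward ip6 daddr ff00::/8 iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward counter reject with icmpx type admin-prohibited
 </code>
@@ -289,4 +292,6 @@
 roa4 table dn42_roa;
 roa6 table dn42_roa_v6;
+
+ipv6 table mcast6;
 
 protocol static {
@@ -310,4 +315,20 @@
 
     ipv6 {
+        import none;
+        export filter {
+            if source = RTS_STATIC then reject;
+            krt_prefsrc = OWNIPv6;
+            accept;
+        };
+    };
+};
+
+protocol kernel {
+    scan time 20;
+    kernel table 20;
+
+    ipv6 {
+        table mcast6;
+        
         import none;
         export filter {
@@ -345,4 +366,14 @@
 
     ipv6 {
+        import all;
+        export none;
+    };
+}
+
+protocol static {
+    route OWNNETv6 reject;
+
+    ipv6 {
+        table mcast6;
         import all;
         export none;
@@ -377,4 +408,21 @@
   ipv6 {
     # export all available paths to the collector    
+    add paths tx;
+
+    # import/export filters
+    import none;
+    export filter {
+      # export all valid routes
+      if ( is_valid_network_v6() && source ~ [ RTS_STATIC, RTS_BGP ] )
+      then {
+        accept;
+      }
+      reject;
+    };
+  };
+  
+  ipv6 multicast {
+    table mcast6;
+    # export all available paths to the collector
     add paths tx;
 
@@ -411,4 +459,5 @@
 
     ipv6 {   
+        include "/etc/bird/dn42_v6_filters.conf";
         import filter {
           if is_valid_network_v6() && !is_self_net_v6() then {
@@ -424,5 +473,31 @@
 }
 
+template bgp dnpeersmc from dnpeers {
+    ipv6 multicast {
+        table mcast6;
+
+        import filter { reject; };
+        export filter { reject; };
+
+        import limit 9000 action block;
+        import table on;
+        export table on;
+    };
+}
 
 include "/etc/bird/peers/*";
+</code>
+
+/etc/bird/dn42_v6_filters.conf:
+
+<code>
+import filter {
+  if is_valid_network_v6() && !is_self_net_v6() then {
+    if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
+      print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+      reject;
+    } else accept;
+  } else reject;
+};
+export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
 </code>
 
@@ -494,4 +569,6 @@
 AllowedIPs=fe80::/64
 AllowedIPs=fd00::/8
+#Add ff00::/8 if using PIM/multicast, too:
+#AllowedIPs=ff00::/8
 AllowedIPs=172.16.0.0/12
 AllowedIPs=10.0.0.0/8
@@ -519,4 +596,8 @@
 Address=172.20.240.$(for i in `seq 0 255`; do grep -q "^Address=172\.20\.240\.$i/32\$" dn42-*.network && continue; echo "$i"; break; done)/32
 #Peer=
+
+#Add below if using PIM/multicast, too:
+#[Link]
+#Multicast=true
 EOF
 </code>
@@ -626,4 +707,5 @@
 Type=unreachable
 Metric=4278198272
+EOF
 </code>
 
@@ -653,4 +735,5 @@
 # Add more interfaces as required below
 phyint dn42_tx_wg nolistener enable;
+phyint dn42_ffhl_wg nolistener enable;
 
 # configure rendezvous point for the personal multicast prefix
@@ -660,3 +743,252 @@
 source_outgoing_interface dn42_mc6_vrf;
 EOF
+</code>
+
+<code>
+$ cat << EOF > /etc/systemd/system/pim6sd.service
+# /etc/systemd/system/pim6sd.service
+[Unit]
+Description=pim6sd - PIM-SM daemon for IPv6
+After=network-online.target
+
+[Service]
+Type=exec
+ExecStart=pim6sd -n -f /etc/pim6sd.conf
+RestartSteps=10
+RestartMaxDelaySec=30
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+</code>
+
+bird BGP/MLD watchdog:
+
+<code>
+#!/bin/sh
+# /usr/local/sbin/bird-bgp-pim-watchdog.sh
+
+# Ignore route collector AS for instance
+EXCLUDED_ASNS="4242422602"
+FILTERS_CONF="/etc/bird/dn42_v6_filters.conf"
+PIM6SD_PIDFILE="/var/run/pim6sd.pid"
+BIRD_PEERS_DIR="/etc/bird/peers/"
+
+get_pim6sd_neighbors() {
+ local pid
+
+ if [ ! -f "${PIM6SD_PIDFILE}" ]; then
+ return 0
+ fi
+
+ pid="$(grep '^[0-9]*$' "${PIM6SD_PIDFILE}")"
+ if [ -z "$pid" ] || ! ps -p "$pid" > /dev/null; then
+ return 0
+ fi
+
+ pim6stat -p "${PIM6SD_PIDFILE}" | awk -v RS= '/^PIM Neighbor List/' | tail -n+3 | awk '{ print $3"%"$2 }'
+}
+
+has_bgp_mc_channel() {
+ local neighinfo="$1"
+
+ echo "$neighinfo" | grep -q '^[ ]*Channel ipv6-mc$'
+}
+
+is_excluded_as() {
+ local neighinfo="$1"
+ local asn=""
+
+ for asn in ${EXCLUDED_ASNS}; do
+ echo "$neighinfo" | grep -q "^[ ]*Neighbor AS:[ ]*$asn" && return 0
+ done
+
+ return 1
+# birdc show protocol all ROUTE_COLLECTOR | grep -q "^[ ]*Neighbor AS:[ ]*4242422602"
+}
+
+get_birdc_bgpmc_neigh_addr() {
+ local info="$1"
+
+ echo "$info" | sed -n "s/^[ ]*Neighbor address:[ ]*\(.*\)$/\1/p"
+}
+
+get_bird_bgmc_conf_toggle() {
+ local conf="$1"
+ local file
+
+ # get filename in an include in an "ipv6 multicast" section
+ file="$(cat "$conf" | \
+ grep -v '^[[:space:]]*#' | \
+ tr '\n' ' ' | \
+ sed -n 's/.*ipv6 multicast[[:space:]]*{[^}]*include[[:space:]]*"\([^"]*\)".*/\1/p')"
+
+ [ -L "$file" ] && echo "$file"
+}
+
+get_bird_bgmc_conf() {
+ local neigh="$1"
+
+ grep -Ilr "$neigh" "${BIRD_PEERS_DIR}" | head -n1
+}
+
+check_pim_neighbors() {
+ local addr="$1"
+ local neigh
+
+ echo "$pimneighbors" | grep -q "^$addr\$"
+}
+
+update_conftoggle() {
+ local conftoggle="$1"
+ local source="$2"
+ local rconftoggle="$(realpath "$conftoggle")"
+ local rsource="$(realpath "$source")"
+
+
+ echo "Updating $conftoggle to $source"
+ if [ "$rconftoggle" = "$rsource" ]; then
+ # nothing changed
+ return 0
+ fi
+
+ if [ -z "$conftoggle" ]; then
+ return 1
+ fi
+
+ ln -sf "$source" "$conftoggle" && echo "CHANGED"
+}
+
+enable_bird_bgpmc_neighbor() {
+ local conftoggle="$1"
+
+ update_conftoggle "$conftoggle" "${FILTERS_CONF}"
+}
+
+disable_bird_bgpmc_neighbor() {
+ local conftoggle="$1"
+
+ update_conftoggle "$conftoggle" "/dev/null"
+}
+
+update_bird_bgpmc_neighbor() {
+ local neigh="$1"
+ local info="$2"
+ local addr="$(get_birdc_bgpmc_neigh_addr "$info")"
+ local conf="$(get_bird_bgmc_conf "$neigh")"
+ local conftoggle="$(get_bird_bgmc_conf_toggle "$conf")"
+
+ if [ -z "$addr" ]; then
+ echo "Error: Could not find BGP neighbor address for neighbor \"$neigh\""
+ return 1
+ fi
+ if [ -z "$conf" ]; then
+ echo "Error: Could not find config for neighbor \"$neigh\""
+ return 1
+ fi
+ if [ -z "$conftoggle" ]; then
+ echo "Error: Could not find config toggle for neighbor \"$neigh\""
+ return 1
+ fi
+
+ echo "neigh: $neigh, addr: $addr"
+ if check_pim_neighbors "$addr"; then
+ enable_bird_bgpmc_neighbor "$conftoggle"
+ else
+ disable_bird_bgpmc_neighbor "$conftoggle"
+ fi
+
+ return $?
+}
+
+update_bird_bgpmc_neighbors() {
+ local neigh
+
+ birdc show protocols | \
+ sed -n "s/^\([^ ]*\) BGP .*/\1/p" | \
+ while read neigh; do \
+ local neighinfo="$(birdc show protocols all "$neigh")"
+
+ is_excluded_as "$neighinfo" && continue
+ has_bgp_mc_channel "$neighinfo" || continue
+
+ update_bird_bgpmc_neighbor "$neigh" "$neighinfo"
+ done
+}
+
+pimneighbors="$(get_pim6sd_neighbors)"
+
+CHANGED="$(update_bird_bgpmc_neighbors)"
+
+if [ -n "$CHANGED" ]; then
+ echo "CHANGED, calling birdc configure"
+ if ! birdc configure; then
+ echo "Error: Could not (re)configure bird" >&2
+ exit 1
+ fi
+else
+ echo "nothing changed"
+fi
+</code>
+
+<code>
+$ cat << EOF > /etc/systemd/system/bird-bgp-pim-watchdog.service
+# /etc/systemd/system/bird-bgp-pim-watchdog.service
+[Unit]
+Description=bird BGP route import/export watchdog for PIM/multicast
+After=bird.service
+
+[Service]
+Type=oneshot
+ExecStart=bird-bgp-pim-watchdog.sh
+EOF
+$ cat << EOF > /etc/systemd/system/bird-bgp-pim-watchdog.timer
+# /etc/systemd/system/bird-bgp-pim-watchdog.timer
+[Unit]
+Description=Run the bird BGP/PIM watchdog periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=5m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target
+EOF
+</code>
+
+<code>
+mkdir /etc/bird/peersmods/
+</code>
+
+For a new PIM peer:
+
+<code>
+ln -s /dev/null /etc/bird/peersmods/dn42-tx-mc6-filters.conf
+</code>
+
+<code>
+$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
+protocol bgp dn42_${PEERNAME}_v6 from dnpeersmc {
+        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
+        
+        ipv4 {
+                extended next hop on;
+        };
+        
+        ipv6 multicast {
+                include "/etc/bird/peersmods/dn42-${PEERNAME}-mc6-filters.conf";
+        };
+}
+EOF
+</code>
+
+<code>
+systemctl daemon-reload
+systemctl start pim6sd
+systemctl enable pim6sd
+systemctl enable bird-bgp-pim-watchdog.timer
+systemctl start bird-bgp-pim-watchdog.service
+systemctl start bird-bgp-pim-watchdog.timer
 </code>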
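Review bot: The `if [ -n "$CHANGED" ]; then` test at the end of the new watchdog script is true on every run that sees at least one multicast-capable BGP neighbour, because `update_bird_bgpmc_neighbors` also emits the unconditional `Updating ... to ...` and `neigh: ..., addr: ...` lines (and any `Error:` lines) on stdout, and all of them are captured into `$CHANGED` next to the real `CHANGED` token. With the 5-minute timer that means `birdc configure` runs on every tick even when no toggle symlink moved, and the captured diagnostics are never printed. The smallest fix is to test for the token only, `if echo "$CHANGED" | grep -q '^CHANGED$'; then`, or to send the diagnostic echos to stderr with `>&2` so only `CHANGED` reaches the capture. Less important: `grep -Ilr "$neigh" "${BIRD_PEERS_DIR}"` uses the protocol name as an unanchored regex, so a name that is a prefix of another peer's name can select the wrong file; `grep -IlrFw -- "$neigh" "${BIRD_PEERS_DIR}"` would match the name as a whole word.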