
infrastruktur:host:dobby-setup

infrastruktur:host:dobby-setup [17.12.2025 11:43] – [Peer hinzufügen] Linus Lüssinginfrastruktur:host:dobby-setup [28.12.2025 02:22] (aktuell) – [pim6sd] Linus Lüssing
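--- a/infrastruktur:host:dobby-setup
+++ b/infrastruktur:host:dobby-setup
@@ -96,5 +96,6 @@
 
   * zwischen dn42 peers immer routen/forwarden erlauben
-  * eingehend ins nbsp Netz nur bei established/related erlauben
+  * eingehend unicast ins nbsp Netz nur bei established/related erlauben 
+  * Routebares IPv6 multicast zwischen dn42 und nbsp erlauben
 
 <code>
@@ -106,4 +107,6 @@
 nft add rule inet filter forward iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward iifname "dn42_*" oifname "eth0" ct state established,related accept
+nft add rule inet filter forward ip6 daddr ff00::/8 iifname "dn42_*" oifname "eth0" accept
+nft add rule inet filter forward ip6 daddr ff00::/8 iifname "eth0" oifname "dn42_*" accept
 nft add rule inet filter forward counter reject with icmpx type admin-prohibited
 </code>
@@ -732,4 +735,5 @@
 # Add more interfaces as required below
 phyint dn42_tx_wg nolistener enable;
+phyint dn42_ffhl_wg nolistener enable;
 
 # configure rendezvous point for the personal multicast prefix
@@ -751,12 +755,240 @@
 Type=exec
 ExecStart=pim6sd -n -f /etc/pim6sd.conf
+RestartSteps=10
+RestartMaxDelaySec=30
+Restart=always
 
 [Install]
 WantedBy=multi-user.target
+EOF
+</code>
+
+bird BGP/MLD watchdog:
+
+<code>
+#!/bin/sh
+# /usr/local/sbin/bird-bgp-pim-watchdog.sh
+
+# Ignore route collector AS for instance
+EXCLUDED_ASNS="4242422602"
+FILTERS_CONF="/etc/bird/dn42_v6_filters.conf"
+PIM6SD_PIDFILE="/var/run/pim6sd.pid"
+BIRD_PEERS_DIR="/etc/bird/peers/"
+
+get_pim6sd_neighbors() {
+ local pid
+
+ if [ ! -f "${PIM6SD_PIDFILE}" ]; then
+ return 0
+ fi
+
+ pid="$(grep '^[0-9]*$' "${PIM6SD_PIDFILE}")"
+ if [ -z "$pid" ] || ! ps -p "$pid" > /dev/null; then
+ return 0
+ fi
+
+ pim6stat -p "${PIM6SD_PIDFILE}" | awk -v RS= '/^PIM Neighbor List/' | tail -n+3 | awk '{ print $3"%"$2 }'
+}
+
+has_bgp_mc_channel() {
+ local neighinfo="$1"
+
+ echo "$neighinfo" | grep -q '^[ ]*Channel ipv6-mc$'
+}
+
+is_excluded_as() {
+ local neighinfo="$1"
+ local asn=""
+
+ for asn in ${EXCLUDED_ASNS}; do
+ echo "$neighinfo" | grep -q "^[ ]*Neighbor AS:[ ]*$asn" && return 0
+ done
+
+ return 1
+# birdc show protocol all ROUTE_COLLECTOR | grep -q "^[ ]*Neighbor AS:[ ]*4242422602"
+}
+
+get_birdc_bgpmc_neigh_addr() {
+ local info="$1"
+
+ echo "$info" | sed -n "s/^[ ]*Neighbor address:[ ]*\(.*\)$/\1/p"
+}
+
+get_bird_bgmc_conf_toggle() {
+ local conf="$1"
+ local file
+
+ # get filename in an include in an "ipv6 multicast" section
+ file="$(cat "$conf" | \
+ grep -v '^[[:space:]]*#' | \
+ tr '\n' ' ' | \
+ sed -n 's/.*ipv6 multicast[[:space:]]*{[^}]*include[[:space:]]*"\([^"]*\)".*/\1/p')"
+
+ [ -L "$file" ] && echo "$file"
+}
+
+get_bird_bgmc_conf() {
+ local neigh="$1"
+
+ grep -Ilr "$neigh" "${BIRD_PEERS_DIR}" | head -n1
+}
+
+check_pim_neighbors() {
+ local addr="$1"
+ local neigh
+
+ echo "$pimneighbors" | grep -q "^$addr\$"
+}
+
+update_conftoggle() {
+ local conftoggle="$1"
+ local source="$2"
+ local rconftoggle="$(realpath "$conftoggle")"
+ local rsource="$(realpath "$source")"
+
+
+ echo "Updating $conftoggle to $source"
+ if [ "$rconftoggle" = "$rsource" ]; then
+ # nothing changed
+ return 0
+ fi
+
+ if [ -z "$conftoggle" ]; then
+ return 1
+ fi
+
+ ln -sf "$source" "$conftoggle" && echo "CHANGED"
+}
+
+enable_bird_bgpmc_neighbor() {
+ local conftoggle="$1"
+
+ update_conftoggle "$conftoggle" "${FILTERS_CONF}"
+}
+
+disable_bird_bgpmc_neighbor() {
+ local conftoggle="$1"
+
+ update_conftoggle "$conftoggle" "/dev/null"
+}
+
+update_bird_bgpmc_neighbor() {
+ local neigh="$1"
+ local info="$2"
+ local addr="$(get_birdc_bgpmc_neigh_addr "$info")"
+ local conf="$(get_bird_bgmc_conf "$neigh")"
+ local conftoggle="$(get_bird_bgmc_conf_toggle "$conf")"
+
+ if [ -z "$addr" ]; then
+ echo "Error: Could not find BGP neighbor address for neighbor \"$neigh\""
+ return 1
+ fi
+ if [ -z "$conf" ]; then
+ echo "Error: Could not find config for neighbor \"$neigh\""
+ return 1
+ fi
+ if [ -z "$conftoggle" ]; then
+ echo "Error: Could not find config toggle for neighbor \"$neigh\""
+ return 1
+ fi
+
+ echo "neigh: $neigh, addr: $addr"
+ if check_pim_neighbors "$addr"; then
+ enable_bird_bgpmc_neighbor "$conftoggle"
+ else
+ disable_bird_bgpmc_neighbor "$conftoggle"
+ fi
+
+ return $?
+}
+
+update_bird_bgpmc_neighbors() {
+ local neigh
+
+ birdc show protocols | \
+ sed -n "s/^\([^ ]*\) BGP .*/\1/p" | \
+ while read neigh; do \
+ local neighinfo="$(birdc show protocols all "$neigh")"
+
+ is_excluded_as "$neighinfo" && continue
+ has_bgp_mc_channel "$neighinfo" || continue
+
+ update_bird_bgpmc_neighbor "$neigh" "$neighinfo"
+ done
+}
+
+pimneighbors="$(get_pim6sd_neighbors)"
+
+CHANGED="$(update_bird_bgpmc_neighbors)"
+
+if [ -n "$CHANGED" ]; then
+ echo "CHANGED, calling birdc configure"
+ if ! birdc configure; then
+ echo "Error: Could not (re)configure bird" >&2
+ exit 1
+ fi
+else
+ echo "nothing changed"
+fi
+</code>
+
+<code>
+$ cat << EOF > /etc/systemd/system/bird-bgp-pim-watchdog.service
+# /etc/systemd/system/bird-bgp-pim-watchdog.service
+[Unit]
+Description=bird BGP route import/export watchdog for PIM/multicast
+After=bird.service
+
+[Service]
+Type=oneshot
+ExecStart=bird-bgp-pim-watchdog.sh
+EOF
+$ cat << EOF > /etc/systemd/system/bird-bgp-pim-watchdog.timer
+# /etc/systemd/system/bird-bgp-pim-watchdog.timer
+[Unit]
+Description=Run the bird BGP/PIM watchdog periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=5m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target
+EOF
+</code>
+
+<code>
+mkdir /etc/bird/peersmods/
+</code>
+
+For a new PIM peer:
+
+<code>
+ln -s /dev/null /etc/bird/peersmods/dn42-tx-mc6-filters.conf
+</code>
+
+<code>
+$ cat << EOF > /etc/bird/peers/dn42-${PEERNAME}.conf
+protocol bgp dn42_${PEERNAME}_v6 from dnpeersmc {
+        neighbor ${PEERIP6}%dn42_${PEERNAME}_wg as ${PEERASN};
+        
+        ipv4 {
+                extended next hop on;
+        };
+        
+        ipv6 multicast {
+                include "/etc/bird/peersmods/dn42-${PEERNAME}-mc6-filters.conf";
+        };
+}
 EOF
 </code>
 
 <code>
+systemctl daemon-reload
 systemctl start pim6sd
 systemctl enable pim6sd
+systemctl enable bird-bgp-pim-watchdog.timer
+systemctl start bird-bgp-pim-watchdog.service
+systemctl start bird-bgp-pim-watchdog.timer
 </code>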
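Review bot: The change detection in the watchdog is broken: `CHANGED="$(update_bird_bgpmc_neighbors)"` captures every stdout line of the loop, and `update_conftoggle` prints `Updating … to …` before its no-change return while `update_bird_bgpmc_neighbor` always prints `neigh: …, addr: …` (its three `Error:` messages also go to stdout, not `>&2`), so `[ -n "$CHANGED" ]` is true whenever any non-excluded BGP neighbour has an ipv6-mc channel and `birdc configure` runs on every 5-minute timer tick. Either redirect those diagnostics to stderr or test for the marker line itself, e.g. `if printf '%s\n' "$CHANGED" | grep -qx CHANGED; then`. Separately, the "disable" path links the channel include to `/dev/null`; unless the `dnpeersmc` template (not shown on this page) already sets `import`/`export` for the `ipv6 multicast` channel, an empty include leaves BIRD's channel defaults in force rather than cutting the peer off, so a toggle target containing `import none; export none;` would make the disabled state explicit and verifiable. The new `ff00::/8` forward accepts also cover non-global scopes; if only the routable groups the page intends are meant, narrowing the match (e.g. to the global scope `ff0e::/16`, or the exact group prefix the RP serves) would keep the nbsp side tighter.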
infrastruktur/host/dobby-setup.1765971832.txt.gz · Zuletzt geändert: von Linus Lüssing