path: root/roles/space_server/files
Age  Commit message  Author
2025-04-27  space_server: bird: duplicate customer sessions  [Asbjørn Sloth Tønnesen]
Duplicate all customer BGP sessions, so that there is one with the old prefix, and one with the new one. This enables everyone to migrate to the new IP addresses at their own pace. Once the migration has been completed, we will remove the old sessions.
Applied on 2025-04-25.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-27  space_server: bird: change router-id  [Asbjørn Sloth Tønnesen]
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-24  space_server: networkd: add new addresses for testing  [Asbjørn Sloth Tønnesen]
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-24  space_server: bird: add extra IPv6 prefix  [Asbjørn Sloth Tønnesen]
Prefix kindly provided by FreeTransit / OpenFactory
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-24  space_server: bird: add new IPv6 prefix  [Asbjørn Sloth Tønnesen]
Prefix kindly provided by Kracon ApS (Svenne)
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-24  space_server: bird: add new IPv4 prefix  [Asbjørn Sloth Tønnesen]
Prefix kindly provided by Toke
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2025-04-05  space_server: bird: remove rayman BGP setup  [Jens Andersen]
2024-12-17  space_server: bird: add svenne/Kracon ASN  [Svenne Krap]
2024-02-22  space_server: networkd: add new secondary Labicolo network  [Asbjørn Sloth Tønnesen]
This completes the split of Labicolo into two networks. Henceforth we have two Labicolo networks, and any two Labicolo nodes on different parts of the network will have to join LabIX, if they want to peer.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2024-02-22  space_server: networkd: reduce Labicolo to a /27  [Asbjørn Sloth Tønnesen]
I want to split Labicolo up in two networks, since it is a bit silly that we have an internet exchange prefix allocation, when all members of the IX are already connected to the same layer 2 network, when they all have transit through the same network. Therefore by splitting Labicolo into 2 networks, we ensure that there is a need for the internet exchange, since not all nodes are able to talk directly to each other over the transit layer 2 network.
Since it would be a bit excessive to allocate another /26 to Labicolo, thereby using half of our IPv4 space for Labicolo, this patch reduces the current Labicolo network to a /27 network; a subsequent patch will then add a second Labicolo network with the other /27 network.
The only issue here is that Labicolo machines, which haven't been updated to have a /27 netmask, will not be able to reach endpoints in 185.38.175.96/27, before they fix their netmask.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2024-02-22  space_server: networkd: move Tor network to vlan 25  [Asbjørn Sloth Tønnesen]
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2023-09-06  space_server: add graceful reboot script  [Asbjørn Sloth Tønnesen]
[esmil: call the script just reboot-graceful]
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
Signed-off-by: Emil Renner Berthing <esmil@labitat.dk>
2023-09-06  space_server: bird: add /48 IPv6 prefix for DBras  [Hafnium]
Finally got around to recreating #51
Co-authored-by: DBras danielbrasholt@gmail.com
2023-06-20  space_server: bird: add flummer ASN  [Thomas Flummer]
2023-06-20  space_server: bird: add Rayman ASN  [Jens Andersen]
2023-06-20  space_server: bird: add Olivia ASN  [Olivia Wenya]
2023-05-10  space_server: bird: Allow Hafnium announcements of /44 to /48  [Hafnium]
2023-04-21  space_server: bird: remove Graffen's BGP config  [Emil Renner Berthing]
RIP :(
2023-04-11  space_server: networkd: remove unneeded IPv6RoutePrefix'es  [Emil Renner Berthing]
2023-04-11  space_server: networkd: disable ARP on physical interfaces  [Emil Renner Berthing]
2023-04-08  space_server: radius: dh_file no longer needed  [Emil Renner Berthing]
2023-04-08  space_server: bird: add /44 IPv6 prefix for Hafnium  [Hafnium]
2023-04-08  space_server: networkd: update IPv6 RA config  [Hafnium]
2023-03-26  space_server: chrony: Enable NTS server  [Emil Renner Berthing]
2023-03-26  space_server: chrony: Use Netnod NTP servers in Malmö  [Emil Renner Berthing]
..and add Fiberby's time server as backup too.
2023-01-21  space_server: radius: restart radiusd on new certificates  [Emil Renner Berthing]
Mushbie reports that Windows complains about out of date certificates even when certbot is running fine, so try restarting radiusd on new certificates rather than just telling it to reload its configuration.
2022-10-15  space_server: networkd: add LocIX connection  [Hafnium]
systemd mechanics reworked by Esmil
Co-developed-by: Emil Renner Berthing <esmil@labitat.dk>
2022-03-05  space_server: bird: update IPv4 filter for asbjorn  [Asbjørn Sloth Tønnesen]
Just so that Esmil can test his Ansible changes.
2022-03-05  space_server: bird: update IPv6 filter for asbjorn  [Asbjørn Sloth Tønnesen]
Use ipaddress/pxlen{low,high} syntax to allow all /48 prefixes that are covered by 2a10:2a80::/29.
https://bird.network.cz/?get_doc&v=20&f=bird-5.html#type-set
2022-02-28  space_server: bird: add IPv6 prefix for Hafnium  [Hafnium]
2021-09-27  space_server: use local_hosts where possible  [Emil Renner Berthing]
..to make sure we keep ip addresses in sync everywhere
2021-09-26  space_server: bird: add new prefix for Hafnium  [Hafnium]
Add new prefix 2a0e:8f02:2190::/48
2021-09-14  space_server: chrony: disable hardware timestamping  [Emil Renner Berthing]
..which doesn't work now that wan is a vlan on bonded interface.
2021-09-14  space_server: networkd: bond all 3 gigabit ports  [Asbjørn Sloth Tønnesen]
Before:
- enp1s0: wan
- enp2s0: lan (with VLANs)
- enp3s0: mgt
Changes in this patch:
- wan is moved to VLAN id 5
- bond0 is created, replacing lan as lower device for VLANs
- mgt config is removed (could be reconfigured as a VLAN, and made available on a switch port)
- all 3 ports are enslaved in bond0
From the switch towards the space server load-balance algorithm src-dst-ip* is used. From the space server towards the switch L3+L4 is used. Therefore a single IP pair will always use the same 1G from the switch to the space server, a client therefore needs to multiplex over multiple IPs in order to
*) The src-dst-ip algorithm on the switch hasn't been tested with IPv6 yet. Hopefully we can find a better switch at some point, so we can include the L4 ports in the hashing on the switch.
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2021-09-14  space_server: add dedicated VLAN for Tor exit nodes  [Asbjørn Sloth Tønnesen]
Move the Tor exit nodes to their own VLAN, and their own address space.
Background for move
-------------------
For the first Tor exit node, we were able to create inet6num object 2a01:4262:1ab:20::71/128. So we could assign a specific Tor abuse contact. When we added the second node it was no longer possible to create /128 inet6num objects, but only up to /64. We therefore need to move our Tor exit nodes to a dedicated address space.
Connection tracking
-------------------
Connection tracking is quite expensive, so it's better to only do it for Tor traffic, when we actually need it, which is only when internal clients need to access the servers. In the future conntrack could also be disabled for labicolo in general.
Current stats
~~~~~~~~~~~~~
[root@space ~]# grep -v '185\.38\.175\.7[12] ' /proc/net/nf_conntrack | grep -v '2a01:4262:01ab:0020:0000:0000:0000:007[12]' | wc -l
4071
[root@space ~]# wc -l /proc/net/nf_conntrack
39138 /proc/net/nf_conntrack
Currently 4071 out of 39138 connections are not Tor related.
Also reading /proc/net/nf_conntrack is quite slow atm.:
[root@space ~]# time cat /proc/net/nf_conntrack > /dev/null
real 0m35.097s
user 0m0.010s
sys 0m28.114s
Signed-off-by: Asbjørn Sloth Tønnesen <asbjorn@labitat.dk>
2021-06-19  space_server: nftables: colo: accept BGP connections  [Asbjørn Sloth Tønnesen]
Until now BGP connections have only been established when the space server has initiated the connection to the peer. It's best practice for both BGP speakers to be able to connect to one another, lowering recovery time.
2021-06-19  space_server: nftables: colo: use dynamic reverse path filter  [Asbjørn Sloth Tønnesen]
This patch changes the reverse path filtering of the labicolo VLAN to take place in the prerouting hook, using the kernel routing table, and removes the need to maintain a static prefix list. Labicolo routes are exported to the kernel routing table by BIRD, hence it should be sufficient to only have prefix lists there. This change has been tested, and it's only possible to spoof fellow labicolo members address space (same as before).
Esmil: prerouting before input/forward makes more sense to me
2021-06-19  space_server: bird: remove old prefix lists  [Asbjørn Sloth Tønnesen]
Now that we use communities, we don't need this prefix filter anymore, only the per-customer prefix filters.
2021-06-19  space_server: bird: export prefixes based on communities  [Asbjørn Sloth Tønnesen]
We only announce a prefix, if we have received it from a customer connection or if we originate it ourselves. This way we avoid announcing prefixes matching the earlier used prefix list if we haven't received it via the customer connection. This is important for multi-homed labicolo customers.
Esmil: consistent brace placement
2021-06-19  space_server: bird: set communities on import  [Asbjørn Sloth Tønnesen]
Assign large communities on prefix import. Later we can then use the community, to decide if we should announce it to our peers.
2021-06-19  space_server: bird: prepare large communities  [Asbjørn Sloth Tønnesen]
This patch prepares us for adopting Large BGP Communities (RFC 8092).
Basic format of Large BGP Communities:
<uint32_t asn>:<uint32_t function>:<uint32_t value>
We use function 1 for storing prefix type (or relation). We then assign a value to transit, peering, customer and originated prefixes.
Large BGP Communities
http://largebgpcommunities.net/
https://tools.ietf.org/html/rfc8092
https://tools.ietf.org/html/rfc8195
Esmil: consistent brace placement
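The tag-on-import, filter-on-export scheme described in the three commit messages above (set communities on import, export prefixes based on communities, prepare large communities), as an added Python model that is not code from the Labitat repository and does not reproduce BIRD syntax; the ASN 64496 and the four type values are constructed placeholders, and the routes are constructed samples.

```python
from dataclasses import dataclass, field

LOCAL_ASN = 64496  # constructed documentation ASN (RFC 5398), not Labitat's
FUNC_PREFIX_TYPE = 1  # function 1 carries the prefix type / relation
TYPE_TRANSIT, TYPE_PEERING, TYPE_CUSTOMER, TYPE_ORIGINATED = 1, 2, 3, 4  # assumed values
U32_MAX = 0xFFFFFFFF


def parse_large_community(text):
    """Parse 'asn:function:value' (RFC 8092); every field must be a uint32."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"not a large community: {text!r}")
    fields = tuple(int(p) for p in parts)
    if any(v < 0 or v > U32_MAX for v in fields):
        raise ValueError(f"field outside uint32 range: {text!r}")
    return fields


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)


def import_route(route, session_type):
    """Import side: tag the prefix with how we learned it (customer, peer, transit)."""
    route.communities.add((LOCAL_ASN, FUNC_PREFIX_TYPE, session_type))
    return route


def originate(prefix):
    """Locally originated prefix gets the 'originated' tag."""
    return Route(prefix, {(LOCAL_ASN, FUNC_PREFIX_TYPE, TYPE_ORIGINATED)})


def export_allowed(route):
    """Export side: announce only customer-learned or originated prefixes."""
    exportable = {(LOCAL_ASN, FUNC_PREFIX_TYPE, TYPE_CUSTOMER),
                  (LOCAL_ASN, FUNC_PREFIX_TYPE, TYPE_ORIGINATED)}
    return bool(route.communities & exportable)


def announce_set(routes):
    """Prefixes that would be exported towards upstreams/peers (sorted, deduplicated)."""
    return sorted({r.prefix for r in routes if export_allowed(r)})


def demo():
    # Constructed sample: a multi-homed customer's /48 seen twice, once via its own
    # session to us and once via a peer; only the customer-session copy is exported.
    via_customer = import_route(Route("2001:db8:100::/48"), TYPE_CUSTOMER)
    via_peer = import_route(Route("2001:db8:100::/48"), TYPE_PEERING)
    from_transit = import_route(Route("2001:db8:200::/48"), TYPE_TRANSIT)
    ours = originate("2001:db8::/32")
    return announce_set([via_customer, via_peer, from_transit, ours])
```

A prefix that matches a static per-customer prefix list but arrives only via a peer or transit session carries no customer tag and is therefore not re-announced, which is the route-leak case the export-by-community change closes.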
2021-06-18  space_server: bird: asbjorn: enable TTL security  [Asbjørn Sloth Tønnesen]
2021-06-18  space_server: bird: fiberby: enable TTL security  [Asbjørn Sloth Tønnesen]
This protects us among other things against 3rd parties resetting the TCP connection underneath our BGP sessions. This has been enabled in both ends, and this _MUST_ remain enabled, otherwise these sessions will go down. If this needs to be disabled for some reason then it must be coordinated with Fiberby.
RFC 5082 - The Generalized TTL Security Mechanism
https://datatracker.ietf.org/doc/html/rfc5082
2021-06-18  space_server: bird: fix prefix error  (HEAD, master)  [Hafnium]
The prefix was only routable on the internal network, not the whole internet, as it was not added in local_prefix_v6. The 2a0e:8f02:f034::/48 is attached to my ASN, AS211153
Commit message fixed up by Esmil
2021-06-17  space_server: bird: add bgp peering for Hafnium/AS211153  [Hafnium]
Commit message and nftables rule fixed up by Esmil
2021-01-29  space_server: chrony: start chrony after we're online  [Emil Renner Berthing]
2021-01-22  space_server: named: add trust-ad option to resolv.conf  [Emil Renner Berthing]
2021-01-19  space_server: radius: use letsencrypt certificate  [Emil Renner Berthing]
2021-01-19  space_server: certbot: get space.labitat.dk certificate  [Emil Renner Berthing]
2021-01-19  space_server: ssh: add config for switches  [Emil Renner Berthing]