From ca467c55d8bbd633870c1fcaff0677bc2c6eaa9f Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Sat, 29 Feb 2020 14:09:39 +0100 Subject: space_server: update to Fedora 31 --- roles/space_server/files/bird.conf | 231 +++++++++++++++++++++ roles/space_server/files/bird/bird.conf | 7 - roles/space_server/files/bird/bird6.conf | 7 - roles/space_server/files/bird/filter.conf | 31 --- roles/space_server/files/bird/peers4.conf | 11 - roles/space_server/files/bird/peers6.conf | 11 - roles/space_server/files/bird/protocols.conf | 18 -- roles/space_server/files/bird/symbol4.conf | 7 - roles/space_server/files/bird/symbol6.conf | 7 - roles/space_server/files/bird/templates.conf | 18 -- roles/space_server/files/networkd/10-lo.network | 8 - roles/space_server/files/radius/assha.py | 4 +- .../files/radius/mods-available/python-assha | 17 -- .../files/radius/mods-available/python3-assha | 15 ++ roles/space_server/files/radius/pythonpath.conf | 2 + .../files/radius/sites-available/labitat-inner | 4 +- 16 files changed, 252 insertions(+), 146 deletions(-) create mode 100644 roles/space_server/files/bird.conf delete mode 100644 roles/space_server/files/bird/bird.conf delete mode 100644 roles/space_server/files/bird/bird6.conf delete mode 100644 roles/space_server/files/bird/filter.conf delete mode 100644 roles/space_server/files/bird/peers4.conf delete mode 100644 roles/space_server/files/bird/peers6.conf delete mode 100644 roles/space_server/files/bird/protocols.conf delete mode 100644 roles/space_server/files/bird/symbol4.conf delete mode 100644 roles/space_server/files/bird/symbol6.conf delete mode 100644 roles/space_server/files/bird/templates.conf delete mode 100644 roles/space_server/files/radius/mods-available/python-assha create mode 100644 roles/space_server/files/radius/mods-available/python3-assha create mode 100755 roles/space_server/files/radius/pythonpath.conf (limited to 'roles/space_server/files') 
diff --git a/roles/space_server/files/bird.conf b/roles/space_server/files/bird.conf
new file mode 100644
index 0000000..acc191c
--- /dev/null
+++ b/roles/space_server/files/bird.conf
@@ -0,0 +1,231 @@
+#
+# BIRD 2 configuration for AS205235 Labitat
+#
+
+log syslog all;
+#debug protocols all;
+debug protocols { events, states };
+
+watchdog warning 5 s;
+watchdog timeout 30 s;
+
+timeformat base iso long;
+timeformat log iso long;
+timeformat protocol iso long;
+timeformat route iso long;
+
+router id 185.38.175.0;
+
+# functions and filters
+
+define local_asn = 205235;
+define fiberby_asn = 42541;
+define asbjorn_asn = 207727;
+
+define local_prefixes_v4 = [
+ 185.38.175.0/24,
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define local_prefixes_v6 = [
+ 2a01:4262:1ab::/48,
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+define asbjorn_prefixes_v4 = [
+ 194.165.56.0/24,
+ 194.165.58.0/24
+];
+
+define asbjorn_prefixes_v6 = [
+ 2a10:2a80:ac::/48,
+ 2a10:2a80:1ab::/48
+];
+
+# functions and filters
+
+function is_default_route() {
+ case net.type {
+ NET_IP4: if net = 0.0.0.0/0 then return true;
+ NET_IP6: if net = ::/0 then return true;
+ }
+ return false;
+}
+
+function is_customer_route() {
+ case net.type {
+ NET_IP4: if net ~ local_prefixes_v4 then return true;
+ NET_IP6: if net ~ local_prefixes_v6 then return true;
+ }
+ return false;
+}
+
+filter kernel_export {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then accept;
+ if is_customer_route() then accept;
+ reject;
+}
+
+function honor_graceful_shutdown()
+{
+ # RFC 8326 Graceful BGP Session Shutdown
+ if (65535, 0) ~ bgp_community then {
+ bgp_local_pref = 0;
+ }
+}
+
+filter transit_import {
+ honor_graceful_shutdown();
+ accept;
+}
+
+filter transit_export {
+ if is_customer_route() then accept;
+ reject;
+}
+
+# generate local routes
+protocol static static4 {
+ ipv4;
+ route 185.38.175.0/24 unreachable;
+}
+
+protocol static static6 {
+ ipv6;
+ route 2a01:4262:1ab::/48 unreachable;
+}
+
+# customer import
+function customer_import(int peer_asn; prefix set peer_prefixes) {
+ if net !~ peer_prefixes then reject;
+ if bgp_path.first != peer_asn then reject;
+ accept;
+}
+
+# customer export functions
+function customer_export_default_only() {
+ if !is_default_route() then reject;
+ accept;
+}
+
+function customer_export_dfz() {
+ if source !~ [ RTS_BGP, RTS_STATIC ] then reject;
+ if is_default_route() then reject;
+ accept;
+}
+
+function customer_export_and_default() {
+ if is_default_route() then {
+ customer_export_default_only();
+ } else {
+ customer_export_dfz();
+ }
+}
+
+
+# define basic protocols
+protocol device {}
+
+protocol direct {
+ ipv4;
+ ipv6;
+}
+
+protocol kernel kernel4 {
+ ipv4 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+protocol kernel kernel6 {
+ ipv6 {
+ import none;
+ export filter kernel_export;
+ };
+ learn;
+ persist;
+ graceful restart;
+ merge paths;
+}
+
+
+# templates
+template bgp bgp_customer {
+ default bgp_local_pref 150;
+}
+
+template bgp bgp_transit_v4 {
+ default bgp_local_pref 100;
+ ipv4 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+template bgp bgp_transit_v6 {
+ default bgp_local_pref 100;
+ ipv6 {
+ import limit off;
+ receive limit off;
+ import keep filtered on;
+ import filter transit_import;
+ export filter transit_export;
+ };
+}
+
+# Transit
+protocol bgp fiberby_tgc_v4 from bgp_transit_v4 {
+ local 193.106.167.41 as local_asn;
+ neighbor 193.106.167.40 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v4 from bgp_transit_v4 {
+ local 193.106.167.43 as local_asn;
+ neighbor 193.106.167.42 as fiberby_asn;
+}
+
+protocol bgp fiberby_tgc_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:1::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:1::1 as fiberby_asn;
+}
+
+protocol bgp fiberby_inx_v6 from bgp_transit_v6 {
+ local 2a03:5440:1:2935:1ab:2::2 as local_asn;
+ neighbor 2a03:5440:1:2935:1ab:2::1 as fiberby_asn;
+}
+
+# BGP customer: asbjorn
+protocol bgp asbjorn_ipv4 from bgp_customer {
+ local 185.38.175.65 as local_asn;
+ neighbor 185.38.175.75 as asbjorn_asn;
+ ipv4 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v4); };
+ export filter { customer_export_default_only(); };
+ };
+}
+
+protocol bgp asbjorn_ipv6 from bgp_customer {
+ local 2a01:4262:1ab:20::1 as local_asn;
+ neighbor 2a01:4262:1ab:20::75 as asbjorn_asn;
+ ipv6 {
+ import limit 10 action block;
+ receive limit 20 action disable;
+ import keep filtered on;
+ import filter { customer_import(asbjorn_asn, asbjorn_prefixes_v6); };
+ export filter { customer_export_default_only(); };
+ };
+}
diff --git a/roles/space_server/files/bird/bird.conf b/roles/space_server/files/bird/bird.conf
deleted file mode 100644
index 2ae72f0..0000000
--- a/roles/space_server/files/bird/bird.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol4.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers4.conf";
diff --git a/roles/space_server/files/bird/bird6.conf b/roles/space_server/files/bird/bird6.conf
deleted file mode 100644
index 91b5405..0000000
--- a/roles/space_server/files/bird/bird6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-router id 185.38.175.0;
-
-include "bird/symbol6.conf";
-include "bird/filter.conf";
-include "bird/protocols.conf";
-include "bird/templates.conf";
-include "bird/peers6.conf";
diff --git a/roles/space_server/files/bird/filter.conf b/roles/space_server/files/bird/filter.conf
deleted file mode 100644
index 3edc053..0000000
--- a/roles/space_server/files/bird/filter.conf
+++ /dev/null
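Review bot: `transit_import` now accepts whatever the Fiberby sessions send (the replaced filter.conf only accepted the default route), so an upstream announcement of one of the `local_prefixes_v4`/`v6` entries, a bogon, or an absurdly long AS path lands in the table with nothing to catch it; before `accept;` add `if is_customer_route() then reject;` and `if bgp_path.len > 64 then reject;`, bearing in mind that `~` against these exact-prefix sets will not match a more-specific such as a `/25` carved out of 185.38.175.0/24. The old `bgp_peer` template also carried `import filter fallback_filter` so a session defined without an explicit filter rejected everything, whereas the new `bgp_customer` template sets only `default bgp_local_pref 150`, so a future customer protocol that omits its `import filter` line falls back to BIRD's default of importing all; the template is the place to restore that reject-by-default. None of the sessions sets `password` or `ttl security on`, and the customer session peers with 185.38.175.75 inside the same /24 as its local address; if the keys are meant to come from Ansible vault rather than this file, a comment saying so would save the next reader a check.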
@@ -1,31 +0,0 @@
-function accept_default_route()
-{
- if net = DEFAULT_ROUTE then {
- accept;
- }
-}
-
-function accept_prefixes(prefix set prefixes)
-{
- if net ~ prefixes then {
- accept;
- }
-}
-
-filter fallback_filter {
- reject "WARNING!! no filter set, all routes will be rejected";
-}
-
-filter transit_import
-{
- accept_default_route();
-
- reject;
-}
-
-filter transit_export
-{
- accept_prefixes(LABITAT_PREFIXES);
-
- reject;
-}
diff --git a/roles/space_server/files/bird/peers4.conf b/roles/space_server/files/bird/peers4.conf
deleted file mode 100644
index ac4fa69..0000000
--- a/roles/space_server/files/bird/peers4.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 193.106.167.40 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 193.106.167.42 as 42541;
-}
diff --git a/roles/space_server/files/bird/peers6.conf b/roles/space_server/files/bird/peers6.conf
deleted file mode 100644
index a78d8c6..0000000
--- a/roles/space_server/files/bird/peers6.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-template bgp fiberby from bgp_transit {
-}
-
-protocol bgp fiberby_tgc from fiberby {
- preference 90;
- neighbor 2a03:5440:1:2935:1ab:1::1 as 42541;
-}
-
-protocol bgp fiberby_inx from fiberby {
- neighbor 2a03:5440:1:2935:1ab:2::1 as 42541;
-}
diff --git a/roles/space_server/files/bird/protocols.conf b/roles/space_server/files/bird/protocols.conf
deleted file mode 100644
index f5cc85f..0000000
--- a/roles/space_server/files/bird/protocols.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-protocol device {
- scan time 10;
-}
-
-protocol direct {
-}
-
-protocol kernel {
- metric 64;
- learn;
- persist;
- scan time 20;
- import all;
- export filter {
- krt_prefsrc = PREFSRC;
- accept;
- };
-}
diff --git a/roles/space_server/files/bird/symbol4.conf b/roles/space_server/files/bird/symbol4.conf
deleted file mode 100644
index a23c865..0000000
--- a/roles/space_server/files/bird/symbol4.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = 0.0.0.0/0;
-
-define LABITAT_PREFIXES = [
- 185.38.175.0/24
-];
-
-define PREFSRC = 185.38.175.0;
diff --git a/roles/space_server/files/bird/symbol6.conf b/roles/space_server/files/bird/symbol6.conf
deleted file mode 100644
index fd142c9..0000000
--- a/roles/space_server/files/bird/symbol6.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-define DEFAULT_ROUTE = ::/0;
-
-define LABITAT_PREFIXES = [
- 2a01:4262:1ab::/48
-];
-
-define PREFSRC = 2a01:4262:1ab::;
diff --git a/roles/space_server/files/bird/templates.conf b/roles/space_server/files/bird/templates.conf
deleted file mode 100644
index 4334bd8..0000000
--- a/roles/space_server/files/bird/templates.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-template bgp bgp_peer {
- local as 205235;
- import keep filtered;
- import filter fallback_filter;
- export filter fallback_filter;
- import limit 1000 action block;
- receive limit 1500 action disable;
- export limit 100 action block;
- hold time 60;
-}
-
-template bgp bgp_transit from bgp_peer {
- preference 100;
- import limit off;
- receive limit off;
- import filter transit_import;
- export filter transit_export;
-}
diff --git a/roles/space_server/files/networkd/10-lo.network b/roles/space_server/files/networkd/10-lo.network
index 6457f55..ce9fdbe 100644
--- a/roles/space_server/files/networkd/10-lo.network
+++ b/roles/space_server/files/networkd/10-lo.network
@@ -5,11 +5,3 @@ Name=lo
 Address=185.38.175.0/32
 Address=185.38.175.1/32
 Address=2a01:4262:1ab::/128
-
-[Route]
-Type=unreachable
-Destination=185.38.175.0/24
-
-[Route]
-Type=unreachable
-Destination=2a01:4262:1ab::/48
diff --git a/roles/space_server/files/radius/assha.py b/roles/space_server/files/radius/assha.py
index e34c382..6d81be1 100755
--- a/roles/space_server/files/radius/assha.py
+++ b/roles/space_server/files/radius/assha.py
@@ -10,7 +10,7 @@ REXP = re.compile('^([^ ]+) ASSHA-Password := "(.*)"$') def authorize(p): #radiusd.radlog(radiusd.L_INFO, '*** radlog call in authorize ***') reply = ( ('Reply-Message', 'Welcome to Labitat!'), ) - config = ( ('Auth-Type', 'python'), ) + config = ( ('Auth-Type', 'python3'), ) return (radiusd.RLM_MODULE_OK, reply, config) def load_users(): @@ -30,7 +30,7 @@ def check_pwd(user, pw): assha = users[user] crypted = assha[:40] salt = assha[40:] - h = hashlib.sha1('--%s--%s--' % (salt, pw)).hexdigest() + h = hashlib.sha1('--{}--{}--'.format(salt, pw).encode('utf-8')).hexdigest() return h == crypted def authenticate(p): diff --git a/roles/space_server/files/radius/mods-available/python-assha b/roles/space_server/files/radius/mods-available/python-assha deleted file mode 100644 index fa48e01..0000000 --- a/roles/space_server/files/radius/mods-available/python-assha +++ /dev/null @@ -1,17 +0,0 @@ -python { - python_path="/usr/lib/python27.zip:/usr/lib64/python2.7:/usr/lib64/python2.7/plat-linux2:/usr/lib64/python2.7/lib-tk:/usr/lib64/python2.7/lib-old:/usr/lib64/python2.7/lib-dynload:/usr/lib64/python2.7/site-packages:/usr/lib/python2.7/site-packages:/etc/raddb/mods-config/python/" - - module = assha - - #mod_instantiate = ${.module} - #func_instantiate = instantiate - - #mod_detach = ${.module} - #func_detach = instantiate - - mod_authorize = ${.module} - func_authorize = authorize - - mod_authenticate = ${.module} - func_authenticate = authenticate -} diff --git a/roles/space_server/files/radius/mods-available/python3-assha b/roles/space_server/files/radius/mods-available/python3-assha new file mode 100644 index 0000000..af3cf8c --- /dev/null +++ b/roles/space_server/files/radius/mods-available/python3-assha 
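Review bot: `return h == crypted` in check_pwd still compares the freshly computed digest to the stored one with plain string equality after this port; `return hmac.compare_digest(h, crypted)` (with `import hmac` at the top of the module, outside this hunk) keeps the comparison constant-time, which matters because this check runs for every RADIUS authentication attempt. The new `.encode('utf-8')` is the right Python 3 fix for the hash input, but it assumes both `salt` and `pw` arrive as `str`; if `load_users()` (outside this hunk) opens the users file in binary mode, `salt` would be `bytes` and `format` would splice a `b'...'` repr into the hashed string, so that is worth a quick check. The scheme itself, a single SHA-1 round over salt and password, is presumably dictated by the existing user store rather than introduced here, but it is weak by current standards and a comment such as `# legacy ASSHA format: one SHA-1 round; migrate when the user store allows` above the hash line would make that explicit. check_pwd's signature is visible only as the hunk header context.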
@@ -0,0 +1,15 @@ +python3 { + module = assha + + #mod_instantiate = ${.module} + #func_instantiate = instantiate + + #mod_detach = ${.module} + #func_detach = instantiate + + mod_authorize = ${.module} + func_authorize = authorize + + mod_authenticate = ${.module} + func_authenticate = authenticate +} diff --git a/roles/space_server/files/radius/pythonpath.conf b/roles/space_server/files/radius/pythonpath.conf new file mode 100755 index 0000000..6a7f6ba --- /dev/null +++ b/roles/space_server/files/radius/pythonpath.conf @@ -0,0 +1,2 @@ +[Service] +Environment=PYTHONPATH='/etc/raddb/mods-config/python3' diff --git a/roles/space_server/files/radius/sites-available/labitat-inner b/roles/space_server/files/radius/sites-available/labitat-inner index 8c099fc..d3ef9c2 100644 --- a/roles/space_server/files/radius/sites-available/labitat-inner +++ b/roles/space_server/files/radius/sites-available/labitat-inner @@ -13,7 +13,7 @@ server labitat-inner { ok = return } - python + python3 expiration logintime pap @@ -24,7 +24,7 @@ server labitat-inner { pap } - python + python3 eap } -- cgit v1.2.1
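Review bot: `Environment=PYTHONPATH='/etc/raddb/mods-config/python3'` makes every `import` inside the radiusd process resolve from that directory first, so the directory and the `assha.py` in it must stay root-owned and unwritable by the service user, otherwise anyone who can drop a file there runs code in the authentication daemon; the diffstat also creates this drop-in as `100755`, which a unit drop-in does not need and a permission audit will flag, so `create mode 100644` is the safer choice. systemd's unquoting should strip the single quotes around the value, but the plain form `Environment=PYTHONPATH=/etc/raddb/mods-config/python3` removes any doubt. The deleted python-assha module config pinned the full Python 2 search path explicitly, whereas here the interpreter default plus this one prefix is presumably intended, and a one-line comment in the drop-in such as `# prepended so the python3 rlm module can import assha from mods-config/python3` would record that.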