# This is forked from bird.cfg.template from calico running on k0.hswaw.net on 2020/09/21.
# Changed vs. upstream (C-f HSCLOUD):
# - do not pass on RTD_UNREACHABLE routes obtained from mesh peers, to
# prevent them from then being passed on to ToRs. This prevents route leaks
# of metallb routes into ToRs from nodes that do not actually run that
# particular metallb service.
# - do not program RTD_UNREACHABLE routes into the kernel (these come from metallb, and
# programming them seems to break things)
# Generated by confd
# Export filter for Calico's BGP peer protocols. Rule order in the generated
# config: calico_aggr(), then the HSCLOUD guard, then accepts for static
# routes, then accepts for IPv4 IPAM pool CIDRs, then a final reject.
# calico_aggr() is defined outside this template (not visible here).
filter calico_export_to_bgp_peers {
calico_aggr();
{{- $static_key := "/staticroutes"}}
{{- if ls $static_key}}

# HSCLOUD: drop RTD_UNREACHABLE routes learned from any Mesh_* protocol before
# the accept rules below can match them (see the header comment for why).
# NOTE(review): this guard sits inside the `if ls $static_key` template block,
# so it is only emitted when /staticroutes has at least one entry; if it is
# meant to apply unconditionally, move it above that template block -- TODO confirm.
if ( proto ~ "Mesh_*" ) && ( dest = RTD_UNREACHABLE ) then { # HSCLOUD
reject;
}

# Export static routes.
# Each key under /staticroutes is turned into a CIDR by splitting it on "-"
# and rejoining the parts with "/".
{{- range ls $static_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
if ( net ~ {{$cidr}} ) then { accept; }
{{- end}}
{{- end}}
# Accept any route inside a configured IPv4 IPAM pool CIDR.
{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
if ( net ~ {{$data.cidr}} ) then {
accept;
}
{{- end}}
# Everything not matched above is not exported.
reject;
}
# Datastore key holding this node's network_v4 value; NODENAME is read from the environment.
{{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}}
# Filter for routes BIRD programs into the kernel routing table. Rule order in
# the generated config: the HSCLOUD guard, then rejects for /rejectcidrs, then
# per-IPAM-pool tunnel selection (krt_tunnel) with accept, then accept for
# everything else. $network_key is set just above this filter.
filter calico_kernel_programming {
{{- $reject_key := "/rejectcidrs"}}
{{- if ls $reject_key}}

# HSCLOUD: never program RTD_UNREACHABLE routes into the kernel (see header comment).
# NOTE(review): as in calico_export_to_bgp_peers, this guard is inside the
# `if ls $reject_key` template block and is only emitted when /rejectcidrs is
# non-empty -- confirm that is intended.
if ( dest = RTD_UNREACHABLE ) then { # HSCLOUD
reject;
}

# Don't program static routes into kernel.
# Each /rejectcidrs key is converted to a CIDR by splitting on "-" and rejoining with "/".
{{- range ls $reject_key}}
{{- $parts := split . "-"}}
{{- $cidr := join $parts "/"}}
if ( net ~ {{$cidr}} ) then { reject; }
{{- end}}

{{- end}}
# Per-pool handling below is only generated when the datastore has this node's network_v4 key.
{{- if exists $network_key}}{{$network := getv $network_key}}
{{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}}
if ( net ~ {{$data.cidr}} ) then {
{{- if $data.vxlan_mode}}
# Don't program VXLAN routes into the kernel - these are handled by Felix.
reject;
}
{{- else if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}}
# cross-subnet IPIP: no tunnel when the BGP next hop lies within this node's network_v4, tunnel otherwise.
if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then
krt_tunnel = ""; {{- /* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}}
else
krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{- else}}
krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{- end}} {{- else}}
krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}}
accept;
} {{- end}}
{{end}}
{{- end}}{{/* End of 'exists $network_key' */}}
accept; {{- /* Destination is not in any ipPool, accept */}}
}