show-01: basic routing setup

https://scrapbox.io/rknet/show-01
#186

Flow: client netns -> main netns -> backbone -> main netns -> server netns

main netns performs SNAT from client netns (IPv4 and IPv6 source address
randomization) and connects to cs-01, and DNAT to server netns (IPv4
public address conversion and IPv6 destination address randomization).

Author: sorah

itamae/hosts.yml

@@ -18,3 +18,10 @@ nat-62.venue.rubykaigi.net:
   properties:
     run_list:
       - hosts/nat-62.venue.rubykaigi.net/default.rb
+
+show-01.venue.rubykaigi.net:
+  properties:
+    run_list:
+      - hosts/show-01.venue.rubykaigi.net/default.rb
+
+

itamae/hosts/show-01.venue.rubykaigi.net/default.rb

@@ -0,0 +1,73 @@
+node.reverse_merge!(
+  bird: {
+    router_id: '10.33.100.75',
+  },
+  show: {
+    addresses: {
+      client4: '10.33.39.0/24',
+      client4_range: '10.33.39.1-10.33.39.254',
+      client6: '2001:df0:8500:ca5a::/64',
+      client6_range: '2001:df0:8500:ca5a:1000:0000:0000:0000-2001:df0:8500:ca5a:1fff:ffff:ffff:fffe',
+      client6_snat: '2001:df0:8500:ca5a:1::/68',
+
+      server4: '192.50.220.175',
+      server4_pref64n: '2001:df0:8500:ca64:a9:8200:' 'c032:dcaf',
+      server6: '2001:df0:8500:ca5b::ffff',
+      server6_cidr: '2001:df0:8500:ca5b::/64',
+      server6_dnat: '2001:df0:8500:ca5b:0::/68',
+
+      client4_internal: '169.254.0.75',
+      client6_internal: '2001:df0:8500:ca5a:1::e0ee',
+      server4_internal: '169.254.1.75',
+      server6_internal: '2001:df0:8500:ca5b:1::e1ee',
+    },
+    interfaces: {
+      management: {
+        name: 'enp11s0f0',
+        duid: '00:00:ba:2c:33:00:75',
+      },
+      servers: [
+        {
+          name: 'enp12s0f1',
+          local_as: 65075,
+          peer_as: 65010,
+          link4: {
+            peer: '10.33.22.80',
+            local: '10.33.22.81',
+          },
+          link6: {
+            peer: '2001:df0:8500:ca22:80::a',
+            local: '2001:df0:8500:ca22:80::b',
+          },
+        },
+        {
+          name: 'enp5s0',
+          local_as: 65075,
+          peer_as: 65010,
+          link4: {
+            peer: '10.33.22.82',
+            local: '10.33.22.83',
+          },
+          link6: {
+            peer: '2001:df0:8500:ca22:82::a',
+            local: '2001:df0:8500:ca22:82::b',
+          },
+        },
+      ],
+      client: {
+        name: 'enp2s0',
+        local_as: 65075,
+        peer_as: 65030,
+        link4: {
+          peer: '10.33.22.84',
+          local: '10.33.22.85',
+        },
+        link6: {
+          peer: '2001:df0:8500:ca22:84::a',
+          local: '2001:df0:8500:ca22:84::b',
+        },
+      },
+    },
+  },
+)
+include_role 'show'

itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf

@@ -195,6 +195,7 @@ protocol bgp bgp_inside {
     import filter {
       filter_bgp_community();
       if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
+      if bgp_path ~ [= * 65075 =] then accept; # accept show-01 path XXX:
       reject;
     };
     export filter {
@@ -209,6 +210,7 @@ protocol bgp bgp_inside {
     import filter {
       filter_bgp_community();
       if bgp_path ~ [= * <%= inside.fetch(:peer_as) %> =] then accept; # accept only direct path
+      if bgp_path ~ [= * 65075 =] then accept; # accept show-01 path XXX:
       reject;
     };
     export filter {

itamae/roles/show/default.rb

@@ -0,0 +1,75 @@
+node.reverse_merge!(
+  systemd_networkd: {
+    manage_foreign_routes: false,
+  },
+  show: {
+  },
+  bird: {
+    #router_id: 
+  },
+)
+include_role 'base'
+
+include_cookbook 'ruby'
+include_cookbook 'nftables'
+include_cookbook 'bird'
+
+file '/etc/rk-show.json' do
+  content "#{JSON.pretty_generate(node.fetch(:show))}\n"
+  owner 'root'
+  group 'root'
+  mode  '0644'
+end
+
+template '/usr/local/bin/rk-ensure-veth' do
+  owner 'root'
+  group 'root'
+  mode  '0755'
+end
+template '/etc/systemd/system/rk-ensure-veth.service' do
+  owner 'root'
+  group 'root'
+  mode  '0644'
+  notifies :run, 'execute[systemctl daemon-reload]', :immediately
+end
+service 'rk-ensure-veth.service' do
+  action [:enable, :start]
+end
+
+template '/etc/systemd/network/00-management.network' do
+  owner 'root'
+  group 'root'
+  mode  '0644'
+end
+
+
+node.dig(:show, :interfaces, :servers).each_with_index do |server, i|
+  template "/etc/systemd/network/00-server#{i}.network" do
+    variables(iface: server)
+    source 'templates/etc/systemd/network/00-server.network'
+    owner 'root'
+    group 'root'
+    mode  '0644'
+  end
+end
+
+template "/etc/systemd/network/00-client.network" do
+  variables(iface: node.dig(:show, :interfaces, :client))
+  owner 'root'
+  group 'root'
+  mode  '0644'
+end
+
+template '/etc/nftables/show.conf' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+  notifies :reload, 'service[nftables]'
+end
+
+template "/etc/bird/bird.conf.d/show.conf" do
+  owner 'root'
+  group 'root'
+  mode  '0644'
+  notifies :reload, 'service[bird]'
+end

itamae/roles/show/templates/etc/bird/bird.conf.d/show.conf

@@ -0,0 +1,162 @@
+# vim: set ft=bird nofoldenable:
+ipv4 table main4;
+ipv6 table main6;
+ipv4 table client4;
+ipv6 table client6;
+ipv4 table server4;
+ipv6 table server6;
+
+protocol kernel kernel_main4 {
+  kernel table 254;
+  merge paths on;
+  ipv4 {
+    table main4;
+    export all;
+  };
+}
+
+protocol kernel kernel_main6 {
+  kernel table 254;
+  merge paths on;
+  ipv6 {
+    table main6;
+    export all;
+  };
+}
+
+protocol kernel kernel_client4 {
+  kernel table 100;
+  merge paths on;
+  ipv4 {
+    table client4;
+    export all;
+  };
+}
+protocol kernel kernel_client6 {
+  kernel table 100;
+  merge paths on;
+  ipv6 {
+    table client6;
+    export all;
+  };
+}
+
+protocol kernel kernel_server4 {
+  kernel table 101;
+  merge paths on;
+  ipv4 {
+    table server4;
+    export all;
+  };
+}
+
+protocol kernel kernel_server6 {
+  kernel table 101;
+  merge paths on;
+  ipv6 {
+    table server6;
+    export all;
+  };
+}
+
+protocol static static_main4 {
+  ipv4 {
+    table main4;
+  };
+  igp table main4;
+  igp table main6;
+
+  route <%= node.dig(:show, :addresses).fetch(:client4_internal) %>/32 via fe80::b%'veth_c0';
+  route <%= node.dig(:show, :addresses).fetch(:server4_internal) %>/32 via fe80::b%'veth_s0';
+}
+protocol static static_main6 {
+  ipv6 {
+    table main6;
+  };
+  igp table main4;
+  igp table main6;
+
+  route <%= node.dig(:show, :addresses).fetch(:client6_internal) %>/128 via fe80::b%'veth_c0';
+  route <%= node.dig(:show, :addresses).fetch(:server6_internal) %>/128 via fe80::b%'veth_s0';
+}
+
+protocol static static_client4 {
+  ipv4 {
+    table client4;
+  };
+
+  route <%= node.dig(:show, :addresses).fetch(:client4) %> blackhole;
+}
+protocol static static_client6 {
+  ipv6 {
+    table client6;
+  };
+
+  route <%= node.dig(:show, :addresses).fetch(:client6) %> blackhole;
+}
+
+protocol static static_server4 {
+  ipv4 {
+    table server4;
+  };
+
+  route <%= node.dig(:show, :addresses).fetch(:server4) %>/32 blackhole;
+}
+protocol static static_server6 {
+  ipv6 {
+    table server6;
+  };
+
+  route <%= node.dig(:show, :addresses).fetch(:server6) %>/128 blackhole;
+  route <%= node.dig(:show, :addresses).fetch(:server6_cidr) %> blackhole;
+}
+
+# er
+<%- servers = node.dig(:show, :interfaces).fetch(:servers); servers.each_with_index do |server, i| -%>
+protocol bgp bgp_server<%= i %> {
+  local as <%= server.fetch(:local_as) %>;
+  neighbor <%= server.fetch(:link6).fetch(:peer) %> as <%= server.fetch(:peer_as) %>;
+
+  ipv4 {
+    table server4;
+    import all;
+    export filter {
+      if proto = "static_server4" then accept;
+      reject;
+    };
+  };
+  ipv6 {
+    table server6;
+    import all;
+    export filter {
+      if proto = "static_server6" then accept;
+      reject;
+    };
+  };
+}
+<%- end -%>
+
+# cs
+<%- client = node.dig(:show, :interfaces).fetch(:client) -%>
+protocol bgp bgp_client {
+  local as <%= client.fetch(:local_as) %>;
+  neighbor <%= client.fetch(:link6).fetch(:peer) %> as <%= client.fetch(:peer_as) %>;
+
+  ipv4 {
+    table client4;
+    extended next hop on;
+    import all;
+    export filter {
+      if proto = "static_client4" then accept;
+      reject;
+    };
+  };
+  ipv6 {
+    table client6;
+    import all;
+    export filter {
+      if proto = "static_client6" then accept;
+      reject;
+    };
+  };
+}