| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 1 | # This is forked from bird.cfg.template from calico running on k0.hswaw.net on 2020/09/21. |
| 2 | # Changed vs. upstream (C-f HSCLOUD): |
| Serge Bazanski | c7de7e5 | 2020-10-03 14:42:36 +0200 | [diff] [blame] | 3 | # - do not pass over RTD_UNREACHABLE routes obtained from mesh peers, to |
| 4 | # prevent them from being then passed over to ToRs. This prevents route leaks |
| 5 | # of metallb routes into ToRs from nodes that do not actually run that |
| 6 | # particular metallb service. |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 7 | # - do not program RTD_UNREACHABLE routes into the kernel (these come from metallb, and |
| 8 | # programming them seems to break things) |
| 9 | # Generated by confd |
| Serge Bazanski | c7de7e5 | 2020-10-03 14:42:36 +0200 | [diff] [blame] | 10 | |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 11 | filter calico_export_to_bgp_peers { |
| 12 | calico_aggr(); |
| 13 | {{- $static_key := "/staticroutes"}} |
| 14 | {{- if ls $static_key}} |
| 15 | |
| Serge Bazanski | c7de7e5 | 2020-10-03 14:42:36 +0200 | [diff] [blame] | 16 | if ( proto ~ "Mesh_*" ) && ( dest = RTD_UNREACHABLE ) then { # HSCLOUD |
| 17 | reject; |
| 18 | } |
| 19 | |
| Serge Bazanski | a5ed644 | 2020-09-20 22:52:57 +0000 | [diff] [blame] | 20 | # Export static routes. |
| 21 | {{- range ls $static_key}} |
| 22 | {{- $parts := split . "-"}} |
| 23 | {{- $cidr := join $parts "/"}} |
| 24 | if ( net ~ {{$cidr}} ) then { accept; } |
| 25 | {{- end}} |
| 26 | {{- end}} |
| 27 | {{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}} |
| 28 | if ( net ~ {{$data.cidr}} ) then { |
| 29 | accept; |
| 30 | } |
| 31 | {{- end}} |
| 32 | reject; |
| 33 | } |
| 34 | |
| 35 | {{$network_key := printf "/bgp/v1/host/%s/network_v4" (getenv "NODENAME")}} |
| 36 | filter calico_kernel_programming { |
| 37 | {{- $reject_key := "/rejectcidrs"}} |
| 38 | {{- if ls $reject_key}} |
| 39 | |
| 40 | if ( dest = RTD_UNREACHABLE ) then { # HSCLOUD |
| 41 | reject; |
| 42 | } |
| 43 | |
| 44 | # Don't program static routes into kernel. |
| 45 | {{- range ls $reject_key}} |
| 46 | {{- $parts := split . "-"}} |
| 47 | {{- $cidr := join $parts "/"}} |
| 48 | if ( net ~ {{$cidr}} ) then { reject; } |
| 49 | {{- end}} |
| 50 | |
| 51 | {{- end}} |
| 52 | {{- if exists $network_key}}{{$network := getv $network_key}} |
| 53 | {{range ls "/v1/ipam/v4/pool"}}{{$data := json (getv (printf "/v1/ipam/v4/pool/%s" .))}} |
| 54 | if ( net ~ {{$data.cidr}} ) then { |
| 55 | {{- if $data.vxlan_mode}} |
| 56 | # Don't program VXLAN routes into the kernel - these are handled by Felix. |
| 57 | reject; |
| 58 | } |
| 59 | {{- else if $data.ipip_mode}}{{if eq $data.ipip_mode "cross-subnet"}} |
| 60 | if defined(bgp_next_hop) && ( bgp_next_hop ~ {{$network}} ) then |
| 61 | krt_tunnel = ""; {{- /* Destination in ipPool, mode is cross sub-net, route from-host on subnet, do not use IPIP */}} |
| 62 | else |
| 63 | krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode is cross sub-net, route from-host off subnet, set the tunnel (if IPIP not enabled, value will be "") */}} |
| 64 | accept; |
| 65 | } {{- else}} |
| 66 | krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode not cross sub-net, set the tunnel (if IPIP not enabled, value will be "") */}} |
| 67 | accept; |
| 68 | } {{- end}} {{- else}} |
| 69 | krt_tunnel = "{{$data.ipip}}"; {{- /* Destination in ipPool, mode field is not present, set the tunnel (if IPIP not enabled, value will be "") */}} |
| 70 | accept; |
| 71 | } {{- end}} |
| 72 | {{end}} |
| 73 | {{- end}}{{/* End of 'exists $network_key' */}} |
| 74 | accept; {{- /* Destination is not in any ipPool, accept */}} |
| 75 | } |