author | Mike Crute <mike@crute.us> | 2019-12-10 22:05:00 +0000 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2019-12-10 22:07:25 +0000 |
commit | a376a82fb3c986c0aa5799a740365c8a362f44d4 (patch) | |
tree | e2c52183232fc9bfa78caaafc515172da8a6f2c2 /bird | |
parent | 34306c78d76fe0cc0885f528f37e100352e426d6 (diff) | |
download | dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.bz2 dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.tar.xz dockerfiles-a376a82fb3c986c0aa5799a740365c8a362f44d4.zip |
bird: Add common configuration to container
Diffstat (limited to 'bird')
-rw-r--r-- | bird/Dockerfile | 9 | ||||
-rw-r--r-- | bird/bird_common.conf | 90 | ||||
-rwxr-xr-x | bird/entrypoint.sh | 15 |
3 files changed, 111 insertions, 3 deletions
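--- a/bird/Dockerfile
+++ b/bird/Dockerfile
@@ -1,8 +1,11 @@
 FROM alpine:edge
 LABEL maintainer="Mike Crute <mike@crute.us>"
 
-RUN \
+RUN set -euxo pipefail; \
 echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories; \
-apk add --no-cache bird
+apk add --no-cache bird;
 
-CMD [ "/usr/sbin/bird", "-f", "-c", "/srv/bird/bird.conf" ]
+ADD entrypoint.sh /
+ADD bird_common.conf /etc
+
+ENTRYPOINT [ "/entrypoint.sh" ]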
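Review bot: `ADD entrypoint.sh /` and `ADD bird_common.conf /etc` copy plain local files, for which `COPY` is the narrower instruction — `ADD` additionally auto-extracts archives and fetches URLs, behaviour neither line needs. Suggest `COPY entrypoint.sh /` and `COPY bird_common.conf /etc/` (the trailing slash makes the directory destination explicit). Replacing `CMD` with `ENTRYPOINT` also means a container started without a profile argument now exits with the entrypoint's usage error, since entrypoint.sh in this commit requires one; if intentional, that is worth a comment next to the `ENTRYPOINT` line so operators know the image needs a run argument.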
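--- /dev/null
+++ b/bird/bird_common.conf
@@ -0,0 +1,90 @@
+protocol device {
+};
+
+function is_self_net() {
+return net ~ OWNNETS;
+};
+
+function is_valid_network() {
+return net ~ [
+172.16.0.0/12+,
+192.168.0.0/16+,
+10.0.0.0/8+,
+100.64.0.0/10+,
+2000::/3+,
+fd00::/8+
+];
+};
+
+protocol kernel {
+ipv4 {
+import none;
+export filter {
+if source = RTS_STATIC && proto != "vpnras_v4" && proto != "hack_v4" then reject;
+krt_prefsrc = OWNIP4;
+accept;
+};
+};
+};
+
+protocol kernel {
+ipv6 {
+import none;
+export filter {
+if source = RTS_STATIC && proto != "vpnras_v6" && proto != "hack_v6" then reject;
+krt_prefsrc = OWNIP6;
+accept;
+};
+};
+};
+
+template bgp v4peers {
+local as OWNAS;
+
+ipv4 {
+# this lines allows debugging filter rules
+# filtered routes can be looked up in birdc using the "show route filtered" command
+import keep filtered;
+import filter {
+# accept every subnet, except our own advertised subnet
+# filtering is important, because some guys try to advertise routes like 0.0.0.0
+if is_valid_network() && !is_self_net() then {
+accept;
+}
+reject;
+};
+export filter {
+if is_valid_network() then {
+accept;
+}
+reject;
+};
+import limit 1000 action block;
+};
+};
+
+template bgp v6peers {
+local as OWNAS;
+
+ipv6 {
+# this lines allows debugging filter rules
+# filtered routes can be looked up in birdc using the "show route filtered" command
+import keep filtered;
+import filter {
+# accept every subnet, except our own advertised subnet
+# filtering is important, because some guys try to advertise routes like 0.0.0.0
+if is_valid_network() && !is_self_net() then {
+accept;
+}
+reject;
+};
+export filter {
+if is_valid_network() then {
+accept;
+}
+reject;
+};
+import limit 1000 action block;
+};
+};
+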
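Review bot: The file depends on symbols it never defines — `OWNNETS`, `OWNIP4`, `OWNIP6`, `OWNAS`, and the protocol names `vpnras_v4`/`hack_v4`/`vpnras_v6`/`hack_v6` tested in the two kernel export filters — but nothing states that the per-profile config including it must provide them. A header comment such as `# Shared BIRD config; the including profile must define OWNAS, OWNNETS, OWNIP4 and OWNIP6 before including this file` would make that contract explicit. The comment `# this lines allows debugging filter rules`, repeated in both templates, should read `# this line allows debugging filter rules`. The peer import filters bound the route count (`import limit 1000 action block`) but not prefix length, so arbitrarily specific prefixes inside the listed ranges are accepted; if that is not intended, a prefix-length constraint in `is_valid_network()` would tighten it.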
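--- /dev/null
+++ b/bird/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+PROFILE="$1"
+
+if [ -z "$PROFILE" ]; then
+echo "Profile must be specified on the command line"
+exit 1
+fi
+
+if [ ! -e "/srv/bird/${PROFILE}.conf" ]; then
+echo "Profile '$PROFILE' does not exist"
+exit 1
+fi
+
+exec /usr/sbin/bird -d -f -c /srv/bird/${PROFILE}.conf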
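Review bot: The final `exec` line leaves `${PROFILE}` unquoted although the existence test above quotes it, so a profile name containing whitespace or glob characters is checked as one path but split or expanded when passed to bird; use `exec /usr/sbin/bird -d -f -c "/srv/bird/${PROFILE}.conf"`. Both error messages go to stdout; sending them to stderr (`echo "Profile must be specified on the command line" >&2`, likewise for the second) keeps them out of anything consuming the container's stdout. `[ -e ]` also passes for a directory named `<profile>.conf`; `-f` would require a regular file.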