Merge branch 'fw-bgp' into 'master'

Install and configure bird See merge request !35

Merge branch 'fw-bgp' into 'master'
f8acaf5c · Tom Teichler · 6b2c67a5 · bb6e5c4d · f8acaf5c · f8acaf5c
Commit f8acaf5c authored 2 years ago by Tom Teichler
--- a/roles/firewall/files/shorewall/macro.BGP
+++ b/roles/firewall/files/shorewall/macro.BGP
+PARAM	-	-	tcp	179
--- a/roles/firewall/files/shorewall/rules
+++ b/roles/firewall/files/shorewall/rules
@@ -47,6 +47,8 @@ SNMP/ACCEPT		intern:$MONITORING	all!wan
 ACCEPT			intern:$MONITORING	all!wan
 Icinga/ACCEPT		all!wan				intern:$MONITORING
 Icinga/ACCEPT		intern:$MONITORING	all!wan
+ACCEPT                 mgmt:$MONITORING        all!wan
+Icinga/ACCEPT          all!wan                         mgmt:$MONITORING
 Icinga/ACCEPT		all:$EXTERNAL_HOSTS  	  	intern:$MONITORING
 Icinga/ACCEPT		intern:$MONITORING	all:$EXTERNAL_HOSTS
 Qnetd/ACCEPT		all!wan				intern:$MONITORING
@@ -160,6 +162,9 @@ ACCEPT                         all                     kube:$METALLB_RADIUS
 # API
 Web/ACCEPT			public:$GITLAB01	fw:$KUBE_API_PUBLIC
+# BGP
+BGP/ACCEPT			kube			fw
 ##### Kubernetes end
 # HAProxy

--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -17,6 +17,7 @@
      - haproxy
      - shorewall
      - shorewall6
+      - bird2
    state: present
 - name: Copy static config files
  ansible.builtin.copy:

--- a/roles/firewall/templates/bird.conf.j2
+++ b/roles/firewall/templates/bird.conf.j2
+log syslog all;
+protocol device {
+}
+protocol direct {
+	ipv4;			# Connect to default IPv4 table
+	ipv6;			# ... and to default IPv6 table
+}
+protocol kernel {
+	ipv4 {			# Connect protocol to IPv4 table by channel
+	      export all;	# Export to protocol. default is export none
+	};
+}
+protocol bgp k8s {
+    router id {{ bird_router_id }};
+    local as 64567;
+    ipv4 {
+        import all;
+        export none;
+    };
+    neighbor range 10.98.1.0/24 as 64512;
+};