From 49d02ab309e499578022c49567703d664f17746d Mon Sep 17 00:00:00 2001 From: root Date: Mon, 7 Sep 2020 13:15:44 +1000 Subject: [PATCH] bgp-contd, prior to redundancy for branch office --- R0/config | 14 ++++ R0/rootfs/etc/bird/bird6.conf | 82 ++++++++++++++++++++-- R0/rootfs/etc/hosts | 27 +++++++ R0/rootfs/etc/network/interfaces | 34 ++++----- R1/config | 21 ++++++ R1/rootfs/etc/bird/bird6.conf | 111 +++++++++++++++++++++++++++-- R1/rootfs/etc/hosts | 27 +++++++ R1/rootfs/etc/network/interfaces | 41 +++++------ R10/config | 14 ++++ R10/rootfs/etc/bird/bird6.conf | 103 +++++++++++++++++---------- R10/rootfs/etc/hosts | 27 +++++++ R10/rootfs/etc/network/interfaces | 34 ++++----- R11/config | 21 ++++++ R11/rootfs/etc/bird/bird6.conf | 113 +++++++++++++++++++++++++++--- R11/rootfs/etc/hosts | 27 +++++++ R11/rootfs/etc/network/interfaces | 41 +++++------ R12/config | 7 ++ R12/rootfs/etc/bird/bird6.conf | 31 +++++--- R12/rootfs/etc/hosts | 27 +++++++ R12/rootfs/etc/network/interfaces | 29 +++----- R2/config | 7 ++ R2/rootfs/etc/bird/bird6.conf | 47 ++++++++----- R2/rootfs/etc/hosts | 27 +++++++ R2/rootfs/etc/network/interfaces | 11 ++- R20/config | 38 ++++++++++ R20/rootfs/etc/bird/bird.conf | 0 R20/rootfs/etc/bird/bird6.conf | 103 +++++++++++++++++++++++++++ R20/rootfs/etc/hosts | 32 +++++++++ R20/rootfs/etc/network/interfaces | 18 +++++ R20/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++ 30 files changed, 1003 insertions(+), 190 deletions(-) create mode 100644 R20/config create mode 100644 R20/rootfs/etc/bird/bird.conf create mode 100644 R20/rootfs/etc/bird/bird6.conf create mode 100644 R20/rootfs/etc/hosts create mode 100644 R20/rootfs/etc/network/interfaces create mode 100644 R20/rootfs/etc/sysctl.conf diff --git a/R0/config b/R0/config index 47c7378..9e103dc 100644 --- a/R0/config +++ b/R0/config 
@@ -31,3 +31,17 @@ lxc.net.1.veth.pair = r0.2 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch lxc.net.1.script.down = /etc/lxc/lxc-openvswitch lxc.net.1.hwaddr = 02:00:0a:28:02:01 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r0.1 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.1.type = veth +lxc.net.1.flags = up +lxc.net.1.name = ebgp_r11 +lxc.net.1.veth.pair = r0.3 +lxc.net.1.script.up = /etc/lxc/lxc-openvswitch +lxc.net.1.script.down = /etc/lxc/lxc-openvswitch diff --git a/R0/rootfs/etc/bird/bird6.conf b/R0/rootfs/etc/bird/bird6.conf index 36880f5..649bcc7 100644 --- a/R0/rootfs/etc/bird/bird6.conf +++ b/R0/rootfs/etc/bird/bird6.conf @@ -1,4 +1,4 @@ -router id 10.40.217.0; +router id 10.0.0.0; log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } 
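Review bot: The appended `lxc.net.0` and `lxc.net.1` stanzas reuse netdev indices that this file already defines above the hunk — the context shows an existing `lxc.net.1` with `veth.pair = r0.2` and a pinned `hwaddr` — so the container now carries two definitions of the same index. Whether LXC overrides or merges repeated `lxc.net.N.*` keys depends on the liblxc version; as written, either the old `veth.pair`/`hwaddr` silently survive or the new `lan`/`ebgp_r11` names are ignored, and in the latter case the `interfaces` and `bird6.conf` files in this commit reference devices that never exist. I would drop the superseded stanzas (or renumber the new ones `lxc.net.2`/`lxc.net.3`) and give each new veth an explicit `lxc.net.N.hwaddr` so the MAC, and therefore the IPv6 link-local address OSPF and BGP see, does not change across container restarts. The same duplication is present in the R1, R10, R11, R12 and R2 config hunks of this commit.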
@@ -15,16 +15,84 @@ protocol device { protocol ospf { area 0 { # BIRD ignores the IPv6 lo because it has no link local address - stubnet 2001:db8:40::/128; - interface "vlan216" { + stubnet 2001:db8::ff/128; + interface "lan" { }; - interface "vlan2" { + interface "ebgp_r11" { stub; }; }; } -protocol bgp ibgp_r0 { - neighbor 2001:db8:40:d8::1 as 64080; - local 2001:db8:40:d8::2 as 64080; +protocol static { + import all; + route 2001:db8::/48 blackhole; +} + +############################################################################## +# BGP table +# + +# Use this routing table to gather external routes received via BGP which we +# want push to the kernel via our master table and to other routers in our AS +# via iBGP or even to other routers outside our AS again (transit), which can +# be connected here or to a router elsewhere on the border of our AS. + +table t_bgp; + +protocol pipe p_master_to_bgp { + table master; + peer table t_bgp; + import all; # default + export none; # default +} + +############################################################################## +# eBGP R11 +# + +table t_r11; + +protocol static originate_to_r11 { + table t_r11; + import all; # originate here + route 2001:db8::/48 blackhole; +} + +protocol bgp ebgp_r11 { + table t_r11; + local 2001:db8:0:3::ff as 65000; + neighbor 2001:db8:0:3::11 as 65010; + import all; + export all; +} + +protocol pipe p_bgp_to_r11 { + table t_bgp; + peer table t_r11; + import where proto = "ebgp_r11"; + export none; +} + +############################################################################## +# iBGP +# + +protocol bgp ibgp_r2 { + table t_bgp; + igp table master; + import none; + export all; + local 2001:db8::ff as 65000; + neighbor 2001:db8::2 as 65000; +} + + +protocol bgp ibgp_r1 { + table t_bgp; + igp table master; + import all; + export all; + local 2001:db8::ff as 65000; + neighbor 2001:db8::1 as 65000; } diff --git a/R0/rootfs/etc/hosts b/R0/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 
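Review bot: `ebgp_r11` accepts whatever AS65010 announces (`import all`) with no prefix filter, no prefix limit and no session protection, and because `p_master_to_bgp` pulls `t_bgp` into `master` and the kernel, a more-specific of 2001:db8::/48 or a default route from R11 would be installed on R0 and re-exported to R1 and R2 over the `export all` iBGP sessions. The removed R10 configuration in this same commit was tighter (`export where source = RTS_STATIC`), so `export all` here also hands R11's own routes back to it, which is harmless only because of AS-path loop detection. I would add a filter that rejects the local aggregate and anything inside it, a default route and overly long prefixes, cap the session with an `import limit` (100 is a lab-sized guess), set a TCP-MD5 `password` sourced from a secret store rather than this repo, and — if this BIRD build supports it — `ttl security on`, since the peer is directly attached on 2001:db8:0:3::/120.

```bird
# … unchanged: OSPF, static blackhole, t_bgp and p_master_to_bgp …

filter f_from_r11 {
  # Never accept our own aggregate, or anything inside it, from an external peer.
  if net ~ [ 2001:db8::/48+ ] then reject;
  # No default route and nothing longer than a /64 from outside.
  if net ~ [ ::/0 ] then reject;
  if net.len > 64 then reject;
  accept;
}

protocol bgp ebgp_r11 {
  table t_r11;
  local 2001:db8:0:3::ff as 65000;
  neighbor 2001:db8:0:3::11 as 65010;
  password "<shared secret, not committed>";  # TCP-MD5 on the session
  ttl security on;                            # GTSM: peer is one hop away
  import limit 100 action restart;            # a misbehaving peer cannot fill our tables
  import filter f_from_r11;
  export where source = RTS_STATIC;           # only originate_to_r11, never R11's routes back
}

# … unchanged: p_bgp_to_r11 pipe, iBGP sessions …
```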
--- a/R0/rootfs/etc/hosts +++ b/R0/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 diff --git a/R0/rootfs/etc/network/interfaces b/R0/rootfs/etc/network/interfaces index 5e322c2..1509bc5 100644 --- a/R0/rootfs/etc/network/interfaces +++ b/R0/rootfs/etc/network/interfaces 
@@ -1,24 +1,18 @@ auto lo iface lo inet loopback - up ip addr add 10.40.217.0/32 dev lo - up ip addr add 2001:db8:40:: dev lo - down ip addr del 2001:db8:40:: dev lo - down ip addr del 10.40.217.0/32 dev lo + up ip addr add 2001:db8::ff/128 dev lo + down ip addr del 2001:db8::ff/128 dev lo -auto vlan2 -iface vlan2 inet manual - up ip link set up dev vlan2 - up ip addr add 10.40.2.1/24 brd + dev vlan2 - up ip addr add 2001:db8:40:2::1/120 dev vlan2 - down ip addr del 2001:db8:40:2::1/120 dev vlan2 - down ip addr del 10.40.2.1/24 dev vlan2 - down up link set down dev vlan2 +auto lan +iface lan inet manual + up ip link set up dev lan + up ip addr add 2001:db8:0:1::ff/120 dev lan + down ip addr del 2001:db8:0:1::ff/120 dev lan + down ip link set down dev lan -auto vlan216 -iface vlan216 inet manual - up ip link set up dev vlan216 - up ip addr add 10.40.216.2/28 brd + dev vlan216 - up ip addr add 2001:db8:40:d8::2/120 dev vlan216 - down ip addr del 2001:db8:40:d8::2/120 dev vlan216 - down ip addr del 10.40.216.2/28 dev vlan216 - down up link set down dev vlan216 +auto ebgp_r11 +iface ebgp_r11 inet manual + up ip link set up dev ebgp_r11 + up ip addr add 2001:db8:0:3::ff/120 dev ebgp_r11 + down ip addr del 2001:db8:0:3::ff/120 dev ebgp_r11 + down ip link set down dev ebgp_r11 diff --git a/R1/config b/R1/config index 91ef9f6..cc2dfe1 100644 --- a/R1/config +++ b/R1/config 
@@ -34,3 +34,24 @@ lxc.net.1.veth.pair = r1.3 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch lxc.net.1.script.down = /etc/lxc/lxc-openvswitch lxc.net.1.hwaddr = 02:00:0a:28:03:01 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r1.1 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.1.type = veth +lxc.net.1.flags = up +lxc.net.1.name = ebgp_r10 +lxc.net.1.veth.pair = r1.4 +lxc.net.1.script.up = /etc/lxc/lxc-openvswitch +lxc.net.1.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.2.type = veth +lxc.net.2.flags = up +lxc.net.2.name = ebgp_r20 +lxc.net.2.veth.pair = r1.5 +lxc.net.2.script.up = /etc/lxc/lxc-openvswitch +lxc.net.2.script.down = /etc/lxc/lxc-openvswitch diff --git a/R1/rootfs/etc/bird/bird6.conf b/R1/rootfs/etc/bird/bird6.conf index 2884961..629d1e5 100644 --- a/R1/rootfs/etc/bird/bird6.conf +++ b/R1/rootfs/etc/bird/bird6.conf @@ -1,4 +1,4 @@ -router id 10.40.217.1; +router id 10.0.0.1; log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } 
@@ -15,16 +15,113 @@ protocol device { protocol ospf { area 0 { # BIRD ignores the IPv6 lo because it has no link local address - stubnet 2001:db8:40::1/128; - interface "vlan216" { + stubnet 2001:db8::1/128; + interface "lan" { }; - interface "vlan3" { + interface "ebgp_r10" { + stub; + }; + interface "ebgp_r20" { stub; }; }; } -protocol bgp ibgp_r3 { - local 2001:db8:40::1 as 64080; - neighbor 2001:db8:40::3 as 64080; +protocol static { + import all; + route 2001:db8::/48 blackhole; +} + +############################################################################## +# BGP table +# + +# Use this routing table to gather external routes received via BGP which we +# want push to the kernel via our master table and to other routers in our AS +# via iBGP or even to other routers outside our AS again (transit), which can +# be connected here or to a router elsewhere on the border of our AS. + +table t_bgp; + +protocol pipe p_master_to_bgp { + table master; + peer table t_bgp; + import all; # default + export none; # default +} + +############################################################################## +# eBGP R10 +# + +table t_r10; + +protocol static originate_to_r10 { + table t_r10; + import all; # originate here + route 2001:db8::/48 blackhole; +} + +protocol bgp ebgp_r10 { + table t_r10; + local 2001:db8:10:4::1 as 65000; + neighbor 2001:db8:10:4::10 as 65010; + import all; + export all; +} + +protocol pipe p_bgp_to_r10 { + table t_bgp; + peer table t_r10; + import where proto = "ebgp_r10"; + export none; +} + +############################################################################## +# eBGP R20 +# + +table t_r20; + +protocol static originate_to_r20 { + table t_r20; + import all; # originate here + route 2001:db8::/48 blackhole; +} + +protocol bgp ebgp_r20 { + table t_r20; + local 2001:db8:0:5::1 as 65000; + neighbor 2001:db8:0:5::20 as 65020; + import all; + export all; +} + +protocol pipe p_bgp_to_r20 { + table t_bgp; + peer table t_r20; + import where 
proto = "ebgp_r20"; + export none; +} + +############################################################################## +# iBGP +# + +protocol bgp ibgp_r2 { + table t_bgp; + igp table master; + import none; + export all; + local 2001:db8::1 as 65000; + neighbor 2001:db8::2 as 65000; +} + +protocol bgp ibgp_r0 { + table t_bgp; + igp table master; + import all; + export all; + local 2001:db8::1 as 65000; + neighbor 2001:db8::ff as 65000; } diff --git a/R1/rootfs/etc/hosts b/R1/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 --- a/R1/rootfs/etc/hosts +++ b/R1/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 diff --git a/R1/rootfs/etc/network/interfaces b/R1/rootfs/etc/network/interfaces index c91200d..4e4c0a8 100644 --- a/R1/rootfs/etc/network/interfaces +++ b/R1/rootfs/etc/network/interfaces 
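Review bot: Both external sessions on R1 (`ebgp_r10` to AS65010 and `ebgp_r20` to AS65020) are `import all; export all;` with no prefix filter, limit or `password`, and everything they accept lands in `t_bgp`, which `ibgp_r0` then exports AS-wide — so R1 is now the point where either peer can inject a more-specific of 2001:db8::/48 or a default route into the whole AS. The pipes keep the two external tables apart (`p_bgp_to_r10`/`p_bgp_to_r20` export nothing back), so there is no transit leak between R10 and R20 as far as this hunk shows; the exposure is route acceptance, not re-advertisement. I would apply the same rejection filter and session protection on both sessions and at minimum add `import limit 100 action restart;` to each, which is what the removed `import keep filtered on` / `export where source = RTS_STATIC` style on R10 already gestured at.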
@@ -1,24 +1,25 @@ auto lo iface lo inet loopback - up ip addr add 10.40.217.1/32 dev lo - up ip addr add 2001:db8:40::1 dev lo - down ip addr del 2001:db8:40::1 dev lo - down ip addr del 10.40.217.1/32 dev lo + up ip addr add 2001:db8::1/128 dev lo + down ip addr del 2001:db8::1/128 dev lo -auto vlan3 -iface vlan3 inet manual - up ip link set up dev vlan3 - up ip addr add 10.40.3.1/24 brd + dev vlan3 - up ip addr add 2001:db8:40:3::1/120 dev vlan3 - down ip addr del 2001:db8:40:3::1/120 dev vlan3 - down ip addr del 10.40.3.1/24 dev vlan3 - down up link set down dev vlan3 +auto lan +iface lan inet manual + up ip link set up dev lan + up ip addr add 2001:db8:0:1::1/120 dev lan + down ip addr del 2001:db8:0:1::1/120 dev lan + down ip link set down dev lan -auto vlan216 -iface vlan216 inet manual - up ip link set up dev vlan216 - up ip addr add 10.40.216.3/28 brd + dev vlan216 - up ip addr add 2001:db8:40:d8::3/120 dev vlan216 - down ip addr del 2001:db8:40:d8::3/120 dev vlan216 - down ip addr del 10.40.216.3/28 dev vlan216 - down up link set down dev vlan216 +auto ebgp_r10 +iface ebgp_r10 inet manual + up ip link set up dev ebgp_r10 + up ip addr add 2001:db8:10:4::1/120 dev ebgp_r10 + down ip addr del 2001:db8:10:4::1/120 dev ebgp_r10 + down ip link set down dev ebgp_r10 + +auto ebgp_r20 +iface ebgp_r20 inet manual + up ip link set up dev ebgp_r20 + up ip addr add 2001:db8:0:5::1/120 dev ebgp_r20 + down ip addr del 2001:db8:0:5::1/120 dev ebgp_r20 + down ip link set down dev ebgp_r20 diff --git a/R10/config b/R10/config index 251c4a9..b88364e 100644 --- a/R10/config +++ b/R10/config 
@@ -31,3 +31,17 @@ lxc.net.1.veth.pair = r10.217 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch lxc.net.1.script.down = /etc/lxc/lxc-openvswitch lxc.net.1.hwaddr = 02:00:0a:28:d9:11 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r10.2 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.1.type = veth +lxc.net.1.flags = up +lxc.net.1.name = ebgp_r1 +lxc.net.1.veth.pair = r10.4 +lxc.net.1.script.up = /etc/lxc/lxc-openvswitch +lxc.net.1.script.down = /etc/lxc/lxc-openvswitch diff --git a/R10/rootfs/etc/bird/bird6.conf b/R10/rootfs/etc/bird/bird6.conf index 2fe4c66..cafe7de 100644 --- a/R10/rootfs/etc/bird/bird6.conf +++ b/R10/rootfs/etc/bird/bird6.conf @@ -1,4 +1,4 @@ -router id 10.40.32.10; +router id 10.0.0.10; log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } 
@@ -15,58 +15,85 @@ protocol device { protocol ospf { area 0 { # BIRD ignores the IPv6 lo because it has no link local address - stubnet 2001:db8:10:6::a/128; - interface "vlan33" { + stubnet 2001:db8:10::10/128; + interface "lan" { }; - interface "vlan217" { + interface "ebgp_r1" { stub; }; }; } +protocol static { + import all; + route 2001:db8:10::/48 blackhole; +} + ############################################################################## -# eBGP R3 +# BGP table # -table t_r3; +# Use this routing table to gather external routes received via BGP which we +# want push to the kernel via our master table and to other routers in our AS +# via iBGP or even to other routers outside our AS again (transit), which can +# be connected here or to a router elsewhere on the border of our AS. -protocol static originate_to_r3 { - table t_r3; - import all; # originate here - route 2001:db8:10::/48 blackhole; +table t_bgp; + +protocol pipe p_master_to_bgp { + table master; + peer table t_bgp; + import all; # default + export none; # default } -protocol bgp ebgp_r3 { - table t_r3; - neighbor 2001:db8:40:d910::1 as 64080; - local 2001:db8:40:d910::2 as 65033; - import all; - import keep filtered on; - export where source = RTS_STATIC; -} - -protocol pipe p_master_to_r3 { - table master; - peer table t_r3; - import where source = RTS_BGP; - export none; -} - - -### -# iBGP R11 +############################################################################## +# eBGP R1 # -protocol bgp ibgp_r11 { - import none; - export where source = RTS_BGP; - local 2001:db8:10:6::a as 65033; - neighbor 2001:db8:10:6::b as 65033; +table t_r1; + +protocol static originate_to_r1 { + table t_r1; + import all; # originate here + route 2001:db8:10::/48 blackhole; } +protocol bgp ebgp_r1 { + table t_r1; + local 2001:db8:10:4::10 as 65010; + neighbor 2001:db8:10:4::1 as 65000; + import all; + export all; +} + +protocol pipe p_bgp_to_r1 { + table t_bgp; + peer table t_r1; + import where proto = 
"ebgp_r1"; + export none; +} + +############################################################################## +# iBGP +# + protocol bgp ibgp_r12 { - import none; - export where source = RTS_BGP; - local 2001:db8:10:6::a as 65033; - neighbor 2001:db8:10:6::c as 65033; + table t_bgp; + igp table master; + import none; + export all; + local 2001:db8:10::10 as 65010; + neighbor 2001:db8:10::12 as 65010; } + + +protocol bgp ibgp_r10 { + table t_bgp; + igp table master; + import all; + export all; + local 2001:db8:10::10 as 65010; + neighbor 2001:db8:10::11 as 65010; +} + diff --git a/R10/rootfs/etc/hosts b/R10/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 --- a/R10/rootfs/etc/hosts +++ b/R10/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 diff --git a/R10/rootfs/etc/network/interfaces b/R10/rootfs/etc/network/interfaces index 1b6078a..cdc7db0 100644 --- a/R10/rootfs/etc/network/interfaces +++ b/R10/rootfs/etc/network/interfaces 
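Review bot: The second iBGP protocol on R10 is named `ibgp_r10` although it peers with 2001:db8:10::11, which the hosts file in this commit maps to `lo.r11`; the router is naming a session after itself. That makes `birdc show protocols` and the per-protocol log lines ambiguous during an incident, and it breaks the convention every other file in this commit follows (the R11 side correctly calls its end `ibgp_r10`). Rename it `protocol bgp ibgp_r11 {`, keeping the body unchanged.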
@@ -1,24 +1,18 @@ auto lo iface lo inet loopback - up ip addr add 10.40.32.10/32 dev lo - up ip addr add 2001:db8:10:6::a dev lo - down ip addr del 2001:db8:10:6::a dev lo - down ip addr del 10.40.32.10/32 dev lo + up ip addr add 2001:db8:10::10/128 dev lo + down ip addr del 2001:db8:10::10/128 dev lo -auto vlan33 -iface vlan33 inet manual - up ip link set up dev vlan33 - up ip addr add 10.40.33.1/26 brd + dev vlan33 - up ip addr add 2001:db8:10:21::1/120 dev vlan33 - down ip addr del 2001:db8:10:21::1/120 dev vlan33 - down ip addr del 10.40.33.1/26 dev vlan33 - down up link set down dev vlan33 +auto lan +iface lan inet manual + up ip link set up dev lan + up ip addr add 2001:db8:10:2::10/120 dev lan + down ip addr del 2001:db8:10:2::10/120 dev lan + down ip link set down dev lan -auto vlan217 -iface vlan217 inet manual - up ip link set up dev vlan217 - up ip addr add 10.40.217.18/30 brd + dev vlan217 - up ip addr add 2001:db8:40:d910::2/120 dev vlan217 - down ip addr del 2001:db8:40:d910::2/120 dev vlan217 - down ip addr del 10.40.217.18/30 dev vlan217 - down up link set down dev vlan217 +auto ebgp_r1 +iface ebgp_r1 inet manual + up ip link set up dev ebgp_r1 + up ip addr add 2001:db8:10:4::10/120 dev ebgp_r1 + down ip addr del 2001:db8:10:4::10/120 dev ebgp_r1 + down ip link set down dev ebgp_r1 diff --git a/R11/config b/R11/config index 803efd9..946083b 100644 --- a/R11/config +++ b/R11/config 
@@ -31,3 +31,24 @@ lxc.net.1.veth.pair = r11.48 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch lxc.net.1.script.down = /etc/lxc/lxc-openvswitch lxc.net.1.hwaddr = 02:00:0a:28:30:01 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r11.2 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.1.type = veth +lxc.net.1.flags = up +lxc.net.1.name = ebgp_r0 +lxc.net.1.veth.pair = r11.3 +lxc.net.1.script.up = /etc/lxc/lxc-openvswitch +lxc.net.1.script.down = /etc/lxc/lxc-openvswitch + +lxc.net.2.type = veth +lxc.net.2.flags = up +lxc.net.2.name = ebgp_r20 +lxc.net.2.veth.pair = r11.6 +lxc.net.2.script.up = /etc/lxc/lxc-openvswitch +lxc.net.2.script.down = /etc/lxc/lxc-openvswitch diff --git a/R11/rootfs/etc/bird/bird6.conf b/R11/rootfs/etc/bird/bird6.conf index 55572e6..d7545e1 100644 --- a/R11/rootfs/etc/bird/bird6.conf +++ b/R11/rootfs/etc/bird/bird6.conf @@ -1,4 +1,4 @@ -router id 10.40.32.11; +router id 10.0.0.11; log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } 
@@ -15,20 +15,115 @@ protocol device { protocol ospf { area 0 { # BIRD ignores the IPv6 lo because it has no link local address - stubnet 2001:db8:10:6::b/128; - interface "vlan33" { + stubnet 2001:db8:10::11/128; + interface "lan" { }; - interface "vlan48" { + interface "ebgp_r0" { + stub; + }; + interface "ebgp_r20" { stub; }; }; } -# -# iBGP R10 +protocol static { + import all; + route 2001:db8:10::/48 blackhole; +} + +############################################################################## +# BGP table # -protocol bgp ibgpR10 { - local 2001:db8:10:6::b as 65033; - neighbor 2001:db8:10:6::a as 65033; +# Use this routing table to gather external routes received via BGP which we +# want push to the kernel via our master table and to other routers in our AS +# via iBGP or even to other routers outside our AS again (transit), which can +# be connected here or to a router elsewhere on the border of our AS. + +table t_bgp; + +protocol pipe p_master_to_bgp { + table master; + peer table t_bgp; + import all; # default + export none; # default } + +############################################################################## +# eBGP R0 +# + +table t_r0; + +protocol static originate_to_r0 { + table t_r0; + import all; # originate here + route 2001:db8:10::/48 blackhole; +} + +protocol bgp ebgp_r0 { + table t_r0; + local 2001:db8:0:3::11 as 65010; + neighbor 2001:db8:0:3::ff as 65000; + import all; + export all; +} + +protocol pipe p_bgp_to_r0 { + table t_bgp; + peer table t_r0; + import where proto = "ebgp_r0"; + export none; +} + +############################################################################## +# eBGP R20 +# + +table t_r20; + +protocol static originate_to_r20 { + table t_r20; + import all; # originate here + route 2001:db8:10::/48 blackhole; +} + +protocol bgp ebgp_r20 { + table t_r20; + local 2001:db8:10:6::11 as 65010; + neighbor 2001:db8:10:6::20 as 65020; + import all; + export all; +} + +protocol pipe p_bgp_to_r20 { + table t_bgp; + peer table 
t_r20; + import where proto = "ebgp_r20"; + export none; +} + +############################################################################## +# iBGP +# + +protocol bgp ibgp_r12 { + table t_bgp; + igp table master; + import none; + export all; + local 2001:db8:10::11 as 65010; + neighbor 2001:db8:10::12 as 65010; +} + + +protocol bgp ibgp_r10 { + table t_bgp; + igp table master; + import all; + export all; + local 2001:db8:10::11 as 65010; + neighbor 2001:db8:10::10 as 65010; +} + diff --git a/R11/rootfs/etc/hosts b/R11/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 --- a/R11/rootfs/etc/hosts +++ b/R11/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 diff --git a/R11/rootfs/etc/network/interfaces b/R11/rootfs/etc/network/interfaces index 49508a2..92591d4 100644 --- a/R11/rootfs/etc/network/interfaces +++ b/R11/rootfs/etc/network/interfaces 
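Review bot: The OSPF `lan` interface (2001:db8:10:2::/120) is active rather than `stub`, so any host that gets onto that segment can form an OSPFv3 adjacency with R11 and inject routes, and the loopback-based iBGP sessions (`local 2001:db8:10::11`) carry no `password`, so the same host could also attempt a BGP session against the loopback once it has a route to it. To my knowledge bird6 (BIRD 1.x) has no OSPFv3 authentication, so the LAN has to be treated as a trusted control-plane segment; if that is the lab assumption it is worth stating in a comment above `interface "lan"`. Independently of that, I would add `password "<secret>";` to the iBGP sessions and a host-level filter that only accepts TCP/179 from the known neighbor addresses (2001:db8:10::10, ::12, 2001:db8:0:3::ff, 2001:db8:10:6::20) and drops the rest, which also protects the eBGP sessions added in this hunk.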
@@ -1,24 +1,25 @@ auto lo iface lo inet loopback - up ip addr add 10.40.32.11/32 dev lo - up ip addr add 2001:db8:10:6::b dev lo - down ip addr del 2001:db8:10:6::b dev lo - down ip addr del 10.40.32.11/32 dev lo + up ip addr add 2001:db8:10::11/128 dev lo + down ip addr del 2001:db8:10::11/128 dev lo -auto vlan48 -iface vlan48 inet manual - up ip link set up dev vlan48 - up ip addr add 10.40.48.1/21 brd + dev vlan48 - up ip addr add 2001:db8:10:30::1/117 dev vlan48 - down ip addr del 2001:db8:10:30::1/117 dev vlan48 - down ip addr del 10.40.48.1/21 dev vlan48 - down up link set down dev vlan48 +auto lan +iface lan inet manual + up ip link set up dev lan + up ip addr add 2001:db8:10:2::11/120 dev lan + down ip addr del 2001:db8:10:2::11/120 dev lan + down ip link set down dev lan -auto vlan33 -iface vlan33 inet manual - up ip link set up dev vlan33 - up ip addr add 10.40.33.2/26 brd + dev vlan33 - up ip addr add 2001:db8:10:21::2/120 dev vlan33 - down ip addr del 2001:db8:10:21::2/120 dev vlan33 - down ip addr del 10.40.33.2/26 dev vlan33 - down up link set down dev vlan33 +auto ebgp_r0 +iface ebgp_r0 inet manual + up ip link set up dev ebgp_r0 + up ip addr add 2001:db8:0:3::11/120 dev ebgp_r0 + down ip addr del 2001:db8:0:3::11/120 dev ebgp_r0 + down ip link set down dev ebgp_r0 + +auto ebgp_r20 +iface ebgp_r20 inet manual + up ip link set up dev ebgp_r20 + up ip addr add 2001:db8:10:6::11/120 dev ebgp_r20 + down ip addr del 2001:db8:10:6::11/120 dev ebgp_r20 + down ip link set down dev ebgp_r20 diff --git a/R12/config b/R12/config index a393f64..3f50968 100644 --- a/R12/config +++ b/R12/config @@ -31,3 +31,10 @@ lxc.net.1.veth.pair = r12.36 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch lxc.net.1.script.down = /etc/lxc/lxc-openvswitch lxc.net.1.hwaddr = 02:00:0a:28:24:01 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r12.2 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch 
diff --git a/R12/rootfs/etc/bird/bird6.conf b/R12/rootfs/etc/bird/bird6.conf index adeb9e8..010922b 100644 --- a/R12/rootfs/etc/bird/bird6.conf +++ b/R12/rootfs/etc/bird/bird6.conf @@ -1,4 +1,4 @@ -router id 10.40.32.12; +router id 10.0.0.12; log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } @@ -15,20 +15,31 @@ protocol device { protocol ospf { area 0 { # BIRD ignores the IPv6 lo because it has no link local address - stubnet 2001:db8:10:6::c/128; - interface "vlan33" { - }; - interface "vlan36" { - stub; + stubnet 2001:db8:10::12/128; + interface "lan" { }; }; } -# -# iBGP R10 +protocol static { + import all; + route 2001:db8:10::/48 blackhole; +} + +############################################################################## +# iBGP # protocol bgp ibgp_r10 { - local 2001:db8:10:6::c as 65033; - neighbor 2001:db8:10:6::a as 65033; + import all; + export none; + local 2001:db8:10::12 as 65010; + neighbor 2001:db8:10::10 as 65010; +} + +protocol bgp ibgp_r11 { + import all; + export none; + local 2001:db8:10::12 as 65010; + neighbor 2001:db8:10::11 as 65010; } diff --git a/R12/rootfs/etc/hosts b/R12/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 --- a/R12/rootfs/etc/hosts +++ b/R12/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 
diff --git a/R12/rootfs/etc/network/interfaces b/R12/rootfs/etc/network/interfaces index 6c58ccf..5f089da 100644 --- a/R12/rootfs/etc/network/interfaces +++ b/R12/rootfs/etc/network/interfaces @@ -1,24 +1,11 @@ auto lo iface lo inet loopback - up ip addr add 10.40.32.12/32 dev lo - up ip addr add 2001:db8:10:6::c dev lo - down ip addr del 2001:db8:10:6::c dev lo - down ip addr del 10.40.32.12/32 dev lo + up ip addr add 2001:db8:10::12/128 dev lo + down ip addr del 2001:db8:10::12/128 dev lo -auto vlan36 -iface vlan36 inet manual - up ip link set up dev vlan36 - up ip addr add 10.40.36.1/24 brd + dev vlan36 - up ip addr add 2001:db8:10:24::1/120 dev vlan36 - down ip addr del 2001:db8:10:24::1/120 dev vlan36 - down ip addr del 10.40.36.1/24 dev vlan36 - down up link set down dev vlan36 - -auto vlan33 -iface vlan33 inet manual - up ip link set up dev vlan33 - up ip addr add 10.40.33.3/26 brd + dev vlan33 - up ip addr add 2001:db8:10:21::3/120 dev vlan33 - down ip addr del 2001:db8:10:21::3/120 dev vlan33 - down ip addr del 10.40.33.3/26 dev vlan33 - down up link set down dev vlan33 +auto lan +iface lan inet manual + up ip link set up dev lan + up ip addr add 2001:db8:10:2::12/120 dev lan + down ip addr del 2001:db8:10:2::12/120 dev lan + down ip link set down dev lan diff --git a/R2/config b/R2/config index 5040067..167ca1a 100644 --- a/R2/config +++ b/R2/config @@ -15,3 +15,10 @@ lxc.arch = amd64 lxc.pty.max = 1024 lxc.rootfs.path = btrfs:/var/lib/lxc/R2/rootfs lxc.uts.name = R2 + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = lan +lxc.net.0.veth.pair = r2.1 +lxc.net.0.script.up = /etc/lxc/lxc-openvswitch +lxc.net.0.script.down = /etc/lxc/lxc-openvswitch diff --git a/R2/rootfs/etc/bird/bird6.conf b/R2/rootfs/etc/bird/bird6.conf index ed1cc94..d9064a0 100644 --- a/R2/rootfs/etc/bird/bird6.conf +++ b/R2/rootfs/etc/bird/bird6.conf 
@@ -1,6 +1,6 @@ -router id 10.9.99.2; +router id 10.0.0.2; -log "/var/log/bird/bird.log" all; +log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } protocol kernel { @@ -13,18 +13,33 @@ protocol device { } protocol ospf { - area 0 { - interface "lo" { - stub; - }; - interface "vlan1082" { - stub; - }; - interface "vlan1050" { - stub; - }; - interface "vlan1012" { - }; - }; -}; + area 0 { + # BIRD ignores the IPv6 lo because it has no link local address + stubnet 2001:db8::2/128; + interface "lan" { + }; + }; +} +protocol static { + import all; + route 2001:db8::/48 blackhole; +} + +############################################################################## +# iBGP +# + +protocol bgp ibgp_r0 { + import all; + export none; + local 2001:db8::2 as 65000; + neighbor 2001:db8::ff as 65000; +} + +protocol bgp ibgp_r1 { + import all; + export none; + local 2001:db8::2 as 65000; + neighbor 2001:db8::1 as 65000; +} diff --git a/R2/rootfs/etc/hosts b/R2/rootfs/etc/hosts index 72e1fd8..dd153e1 100644 --- a/R2/rootfs/etc/hosts +++ b/R2/rootfs/etc/hosts @@ -3,3 +3,30 @@ ff02::1 ip6-allnodes ff02::2 ip6-allrouters +2001:db8::ff lo.r0 r0 +2001:db8:0:1::ff lan.r0 +2001:db8:0:3::ff ebgp_r11.r0 + +2001:db8:10::10 lo.r10 r10 +2001:db8:10:2::10 lan.r10 +2001:db8:10:4::10 ebgp_r1.r10 + +2001:db8:10::11 lo.r11 r11 +2001:db8:10:2::11 lan.r11 +2001:db8:0:3::11 ebgp_r0.r11 +2001:db8:10:6::11 ebgp_r20.r11 + +2001:db8:10::12 lo.r12 r12 +2001:db8:10:2::12 lan.r12 + +2001:db8::1 lo.r1 r1 +2001:db8:0:1::1 lan.r1 +2001:db8:10:4::1 ebgp_r10.r1 +2001:db8:0:5::1 ebgp_r20.r1 + +2001:db8:20::20 lo.r20 r20 +2001:db8:0:5::20 ebgp_r1.r20 +2001:db8:10:6::20 ebgp_r11.r20 + +2001:db8::2 lo.r2 r2 +2001:db8:0:1::2 lan.r2 diff --git a/R2/rootfs/etc/network/interfaces b/R2/rootfs/etc/network/interfaces index 723f775..e2f7fee 100644 --- a/R2/rootfs/etc/network/interfaces +++ b/R2/rootfs/etc/network/interfaces 
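Review bot: R2 is a pure receiver (`import all; export none;` on both `ibgp_r0` and `ibgp_r1`), and because neither R0 nor R1 filters what they accept from their external peers, anything an external AS announces ends up in R2's kernel table through these two sessions with no check at all. If nothing inside AS65000 is expected to originate more-specifics of 2001:db8::/48 over BGP (the internal /120s travel in OSPF here, and R0/R1 do not pipe `master` into `t_bgp`), a belt-and-braces filter on both sessions costs nothing: `import filter { if net ~ [ 2001:db8::/48{49,128} ] then reject; accept; };`. The `};` → `}` fix on the OSPF block and the `bird.log` → `bird6.log` rename look right.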
@@ -1,4 +1,11 @@
 auto lo
 iface lo inet loopback
- up ip addr add 10.9.99.2/32 dev lo
- down ip addr del 10.9.99.2/32 dev lo
+ up ip addr add 2001:db8::2/128 dev lo
+ down ip addr del 2001:db8::2/128 dev lo
+
+auto lan
+iface lan inet manual
+ up ip link set up dev lan
+ up ip addr add 2001:db8:0:1::2/120 dev lan
+ down ip addr del 2001:db8:0:1::2/120 dev lan
+ down ip link set down dev lan
diff --git a/R20/config b/R20/config
new file mode 100644
index 0000000..1f26c79
--- /dev/null
+++ b/R20/config
@@ -0,0 +1,38 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.net.0.type = veth
+#lxc.net.0.link = vlan10
+lxc.net.0.name = vlan10
+lxc.net.0.veth.pair = birdbase.10
+lxc.net.0.flags = up
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R20/rootfs
+lxc.uts.name = R20
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = ebgp_r1
+lxc.net.0.veth.pair = r20.5
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = ebgp_r11
+lxc.net.1.veth.pair = r20.6
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
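Review bot: The new R20/config keeps the template's `lxc.net.0` stanza (`lxc.net.0.name = vlan10`, `lxc.net.0.veth.pair = birdbase.10`) and then redefines `lxc.net.0.type`, `name`, `veth.pair` and the scripts further down for `ebgp_r1`; whether the later keys cleanly replace the earlier stanza or leave a stray `vlan10`/`birdbase.10` veth behind depends on how LXC merges repeated `lxc.net.N` keys, so the template block should be deleted rather than shadowed. The R2/config hunk appends a `lxc.net.0` stanza the same way and presumably sits below the same template block; the R0/config hunk earlier in this commit does likewise. Separately, `lxc.apparmor.allow_nesting = 1` is set while the `nesting.conf` include two lines above it stays commented out; a BIRD router container has no need to create nested containers and that key relaxes the generated profile to permit it, so drop the line or add a comment saying why it is required.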
diff --git a/R20/rootfs/etc/bird/bird.conf b/R20/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..e69de29
diff --git a/R20/rootfs/etc/bird/bird6.conf b/R20/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..3ce8629
--- /dev/null
+++ b/R20/rootfs/etc/bird/bird6.conf
@@ -0,0 +1,103 @@
+router id 10.0.0.20;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:20::20/128;
+ interface "ebgp_r1" {
+ stub;
+ };
+ interface "ebgp_r11" {
+ stub;
+ };
+ };
+}
+
+protocol static {
+ import all;
+ route 2001:db8:20::/48 blackhole;
+}
+
+##############################################################################
+# BGP table
+#
+
+# Use this routing table to gather external routes received via BGP which we
+# want push to the kernel via our master table and to other routers in our AS
+# via iBGP or even to other routers outside our AS again (transit), which can
+# be connected here or to a router elsewhere on the border of our AS.
+
+table t_bgp;
+
+protocol pipe p_master_to_bgp {
+ table master;
+ peer table t_bgp;
+ import all; # default
+ export none; # default
+}
+
+##############################################################################
+# eBGP R1
+#
+
+table t_r1;
+
+protocol static originate_to_r1 {
+ table t_r1;
+ import all; # originate here
+ route 2001:db8:20::/48 blackhole;
+}
+
+protocol bgp ebgp_r1 {
+ table t_r1;
+ local 2001:db8:0:5::20 as 65020;
+ neighbor 2001:db8:0:5::1 as 65000;
+ import all;
+ export all;
+}
+
+protocol pipe p_bgp_to_r1 {
+ table t_bgp;
+ peer table t_r1;
+ import where proto = "ebgp_r1";
+ export none;
+}
+
+##############################################################################
+# eBGP R11
+#
+
+table t_r11;
+
+protocol static originate_to_r11 {
+ table t_r11;
+ import all; # originate here
+ route 2001:db8:20::/48 blackhole;
+}
+
+protocol bgp ebgp_r11 {
+ table t_r11;
+ local 2001:db8:10:6::20 as 65020;
+ neighbor 2001:db8:10:6::11 as 65010;
+ import all;
+ export all;
+}
+
+protocol pipe p_bgp_to_r11 {
+ table t_bgp;
+ peer table t_r11;
+ import where proto = "ebgp_r11";
+ export none;
+}
diff --git a/R20/rootfs/etc/hosts b/R20/rootfs/etc/hosts
new file mode 100644
index 0000000..dd153e1
--- /dev/null
+++ b/R20/rootfs/etc/hosts
@@ -0,0 +1,32 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+2001:db8::ff lo.r0 r0
+2001:db8:0:1::ff lan.r0
+2001:db8:0:3::ff ebgp_r11.r0
+
+2001:db8:10::10 lo.r10 r10
+2001:db8:10:2::10 lan.r10
+2001:db8:10:4::10 ebgp_r1.r10
+
+2001:db8:10::11 lo.r11 r11
+2001:db8:10:2::11 lan.r11
+2001:db8:0:3::11 ebgp_r0.r11
+2001:db8:10:6::11 ebgp_r20.r11
+
+2001:db8:10::12 lo.r12 r12
+2001:db8:10:2::12 lan.r12
+
+2001:db8::1 lo.r1 r1
+2001:db8:0:1::1 lan.r1
+2001:db8:10:4::1 ebgp_r10.r1
+2001:db8:0:5::1 ebgp_r20.r1
+
+2001:db8:20::20 lo.r20 r20
+2001:db8:0:5::20 ebgp_r1.r20
+2001:db8:10:6::20 ebgp_r11.r20
+
+2001:db8::2 lo.r2 r2
+2001:db8:0:1::2 lan.r2
diff --git a/R20/rootfs/etc/network/interfaces b/R20/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..c116560
--- /dev/null
+++ b/R20/rootfs/etc/network/interfaces
@@ -0,0 +1,18 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 2001:db8:20::20/128 dev lo
+ down ip addr del 2001:db8:20::20/128 dev lo
+
+auto ebgp_r1
+iface ebgp_r1 inet manual
+ up ip link set up dev ebgp_r1
+ up ip addr add 2001:db8:0:5::20/120 dev ebgp_r1
+ down ip addr del 2001:db8:0:5::20/120 dev ebgp_r1
+ down ip link set down dev ebgp_r1
+
+auto ebgp_r11
+iface ebgp_r11 inet manual
+ up ip link set up dev ebgp_r11
+ up ip addr add 2001:db8:10:6::20/120 dev ebgp_r11
+ down ip addr del 2001:db8:10:6::20/120 dev ebgp_r11
+ down ip link set down dev ebgp_r11
diff --git a/R20/rootfs/etc/sysctl.conf b/R20/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R20/rootfs/etc/sysctl.conf
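Review bot: Both eBGP sessions in the new R20/rootfs/etc/bird/bird6.conf (`ebgp_r1`, `ebgp_r11`) are `import all; export all;` with no prefix policy, so a peer can announce R20's own `2001:db8:20::/48` or a more-specific of it and the chain `t_r1`/`t_r11` → `p_bgp_to_*` → `t_bgp` → `p_master_to_bgp` → `protocol kernel` installs it, steering traffic for part of R20's own space toward that peer; the AS_PATH loop check only rejects paths that already carry 65020, not a foreign-originated more-specific. A minimal guard per session is `import where net !~ [ 2001:db8:20::/48+ ];`. On the export side each per-peer table holds the peer's own routes as well as the local originate, so `export all` leans on the peer's loop detection; if R20 is not meant to transit between R1 and R11 (the isolated per-peer tables suggest it is not), `export where proto = "originate_to_r1";` and `export where proto = "originate_to_r11";` state that explicitly. A one-line comment next to `table t_bgp;` such as `# per-peer tables t_r1/t_r11 are not cross-connected: no transit between R1 and R11` would make the table layout self-explaining, and the "BGP table" comment above it, which still talks about transit, should be reconciled with it.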
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
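Review bot: The new R20/rootfs/etc/sysctl.conf enables forwarding for both families (`net.ipv4.ip_forward=1`, `net.ipv6.conf.all.forwarding=1`) but leaves the router-oriented hardening in the "Additional settings" section commented out, and two of the comments there ("we are not a router") now say the opposite of what this container is. For a forwarding node the lines to uncomment are `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv6.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0`, with the two "(we are not a router)" comments rewritten to "(this host is a router)". `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` switch ICMP rate limiting off entirely, presumably for lab visibility of unreachables and traceroute; a comment stating that intent would stop the setting being copied into a non-lab build unexamined. Every address in this commit is IPv6, so if nothing in the lab needs v4 forwarding `net.ipv4.ip_forward` can stay at its default and the file shrinks to the settings that are actually exercised.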