reimplement dn42 stuff in racket

ifd3f · Apr 9, 2024 · 3e10e21 · 3e10e21
1 parent 18a8770
commit 3e10e21
Show file tree

Hide file tree

Showing 3 changed files with 127 additions and 26 deletions.
diff --git a/netconf/asmodeus.rkt b/netconf/asmodeus.rkt
@@ -1,14 +1,31 @@
 #lang racket
 
 (require "util.rkt")
+(require "dn42.rkt")
 
-(commandtree->string
- '(set firewall
-       (global-options state-policy [(established action accept)
-                                     (related action accept)
-                                     (invalid action accept)])
-       (group network-group
-              (dn42-allowed-transit-v4 network
-                                       ("10.0.0.0/8")
-                                       ("172.20.0.0/14")
-                                       ("172.31.0.0/16")))))
+(define wg-privkey "testkey") ; TODO: get from env
+
+(define commands
+  `(,(dn42/rpki)
+    ,(dn42/bgp-setup)
+    ,(dn42/bgp-group)
+    ,(dn42/route-collector)
+    ,(dn42/wireguard-ll-peer #:name "whojk"
+                             #:our-ll-address "fe80::1846/64"
+                             #:our-private-key wg-privkey
+                             #:our-endpoint-port '()
+                             #:peer-ll-address "fe80::2717"
+                             #:peer-endpoint (cons "141.148.191.208" 24210)
+                             #:peer-asn 4242422717
+                             #:peer-public-key "SpnH/BlVNDx5QiMxHhuF4i8hKr5qWMxnPYky6Mp4fEA=")
+    (set firewall
+         (global-options state-policy [(established action accept)
+                                       (related action accept)
+                                       (invalid action accept)])
+         (group network-group
+                (dn42-allowed-transit-v4 network
+                                         ("10.0.0.0/8")
+                                         ("172.20.0.0/14")
+                                         ("172.31.0.0/16"))))))
+
+(displayln (commandtree->string commands))
diff --git a/netconf/dn42.rkt b/netconf/dn42.rkt
@@ -1,9 +1,23 @@
 #lang racket
 
+(require "util.rkt")
+
+(provide dn42/bgp-group
+         dn42/bgp-setup
+         dn42/route-collector
+         dn42/wireguard-ll-peer
+         dn42/rpki)
+
 (define bgp-afs '(ipv4-unicast ipv6-unicast))
 (define dn42-roa-route-map "dn42-roa")
 
-(define (dn42-bgp-group)
+(define (dn42/bgp-setup)
+  '(set protocols bgp [(parameters router-id "172.23.7.177")
+                       (system-as 4242421846)
+                       (address-family ipv4-unicast network "172.23.7.176/28")
+                       (address-family ipv6-unicast network "fd00:ca7:b015::/48")]))
+
+(define (dn42/bgp-group)
   `[(delete protocols bgp peer-group dn42)
     (set protocols bgp peer-group dn42
          [(capability extended-nexthop)
@@ -12,7 +26,7 @@
                     (route-map import ,dn42-roa-route-map)
                     (soft-reconfiguration inbound)]))])])
 
-(define (dn42-route-collector)
+(define (dn42/route-collector)
   (define addr "fd42:4242:2601:ac12::1")
   (define routemap 'deny-all)
 
@@ -26,3 +40,68 @@
           (description "https://lg.collector.dn42")
           (ebgp-multihop 10)
           (remote-as 4242422602)])])
+
+(define (dn42/wireguard-ll-peer #:name name
+                                #:our-ll-address our-ll-address
+                                #:our-private-key our-private-key
+                                #:our-endpoint-port our-endpoint-port
+                                #:peer-ll-address peer-ll-address
+                                #:peer-asn peer-asn
+                                #:peer-public-key peer-public-key
+                                #:peer-endpoint peer-endpoint)
+  (define ifname (format "wg~a" peer-asn))
+  (define tunnel
+    (wireguard/tunnel #:ifname ifname
+                      #:description (format "dn42 peering tunnel for ~a (AS~a)" name peer-asn)
+                      #:our-address our-ll-address
+                      #:our-private-key our-private-key
+                      #:our-endpoint-port our-endpoint-port
+                      #:peers (list (wireguard/peer
+                                     #:name name
+                                     #:public-key peer-public-key
+                                     #:endpoint peer-endpoint))))
+  (define bgp
+    (bgp/link-local #:ifname ifname
+                    #:description (format "dn42 peer ~a (AS~a)" name peer-asn)
+                    #:peer-address peer-ll-address
+                    #:peer-asn peer-asn
+                    #:peer-group 'dn42))
+
+  `(,(wireguard/tunnel:render-vyos tunnel)
+    ,(bgp/link-local:render-vyos bgp)))
+
+(define (dn42/rpki [nat-rulenum 10])
+  (define container-addr "172.16.2.10")
+  (define subnet "172.16.2.0/24")
+  (define port 8082)
+
+  (define gortr
+    `[(delete container [(name gortr)
+                         (network rpki)])
+      (set container name gortr
+           [(image "cloudflare/gortr")
+            (restart "on-failure")
+            (command ,(format "-cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :~a" port))
+            (network rpki address ,container-addr)])
+      (set container network rpki prefix ,subnet)])
+
+  (define nat
+    `[(delete nat source rule ,nat-rulenum)
+      (set nat source rule ,nat-rulenum [(outbound-interface name "eth0")
+                                         (translation address "masquerade")
+                                         (source address ,subnet)])])
+
+  (define point-rpki
+    `(set protocols rpki cache ,container-addr [(port ,port)
+                                                (preference 1)]))
+
+  (define route-map
+    `(set policy route-map ,dn42-roa-route-map rule
+          [(10 (action permit)
+               (match rpki valid))
+           (20 (action permit)
+               (match rpki notfound))
+           (30 (action deny)
+               (match rpki invalid))]))
+
+  `[,gortr ,nat ,point-rpki ,route-map])
diff --git a/netconf/util.rkt b/netconf/util.rkt
@@ -7,7 +7,6 @@
 (require racket/symbol)
 (require (for-syntax racket/syntax))
 
-
 (provide
  command->string
 
@@ -27,16 +26,19 @@
            (match rpki invalid)))]
 @racket[expand-command-tree] will convert into this:
 @racketblock[
- '((set policy route-map dn42-roa rule 10 action permit)
+ '[(set policy route-map dn42-roa rule 10 action permit)
    (set policy route-map dn42-roa rule 10 match rpki valid)
    (set policy route-map dn42-roa rule 20 action permit)
    (set policy route-map dn42-roa rule 20 match rpki notfound)
    (set policy route-map dn42-roa rule 30 action deny)
-   (set policy route-map dn42-roa rule 30 match rpki invalid))]})
+   (set policy route-map dn42-roa rule 30 match rpki invalid)]]})
  wireguard/tunnel:render-vyos
  wireguard/tunnel
  wireguard/peer
- commandtree->string)
+ commandtree->string
+ commandtree->strings
+ bgp/link-local
+ bgp/link-local:render-vyos)
 
 (define (command->string c)
   (string-join (map (match-lambda
@@ -54,9 +56,12 @@
                              (expand-command-tree subtree)))
                       lists))]))
 
-(define (commandtree->string t)
+(define (commandtree->strings t)
   (map command->string (expand-command-tree t)))
 
+(define (commandtree->string t)
+  (string-join (commandtree->strings t) "\n"))
+
 (define/match (split-at-first-list l)
   [((cons (? list? l) rest)) (cons '() (cons l rest))]
   [((cons obj rest)) (match-define (cons before after) (split-at-first-list rest))
@@ -105,15 +110,15 @@
    peer-group))
 (define-record-setter bgp/link-local)
 
-(define (bgp/link-local-peer:render-vyos r)
-`[(delete protocols bgp neighbor (bgp/link-local-peer-address r))
-  (set protocols bgp neighbor ,(bgp/link-local-peer-address r)
-       [(description ,(bgp/link-local-description r))
-        (interface source-interface ,(bgp/link-local-ifname r))
-        (interface v6only)
-        (peer-group ,(bgp/link-local-ifname r))
-        (remote-as ,(bgp/link-local-peer-asn r))
-        (update-source ,(bgp/link-local-ifname r))])])
+(define (bgp/link-local:render-vyos r)
+  `[(delete protocols bgp neighbor (bgp/link-local-peer-address r))
+    (set protocols bgp neighbor ,(bgp/link-local-peer-address r)
+         [(description ,(bgp/link-local-description r))
+          (interface source-interface ,(bgp/link-local-ifname r))
+          (interface v6only)
+          (peer-group ,(bgp/link-local-ifname r))
+          (remote-as ,(bgp/link-local-peer-asn r))
+          (update-source ,(bgp/link-local-ifname r))])])
 
 (define-record-type firewall/rule
   (description