waaa more firewall hell

netconf/asmodeus.rkt

@@ -4,10 +4,11 @@
 (require "dn42.rkt")
 (require "vyos-firewall.rkt")
 
-(define wg-privkey "testkey") ; TODO: get from env
+(define wg-privkey (getenv "WG_PRIVKEY")) ; TODO: get from env
 
 (define commands
-  `(,(dn42/rpki)
+  `((delete protocols bgp)
+    ,(dn42/rpki)
     ,(dn42/bgp-setup)
     ,(dn42/bgp-group)
     ,(dn42/route-collector)
@@ -19,6 +20,8 @@
                              #:peer-endpoint (cons "141.148.191.208" 24210)
                              #:peer-asn 4242422717
                              #:peer-public-key "SpnH/BlVNDx5QiMxHhuF4i8hKr5qWMxnPYky6Mp4fEA=")
+    ,(firewall/network-group "dn42-allowed-transit" dn42-allowed-transit-addrs)
+    ,(firewall/network-group "ifd3f-dn42" ifd3f-dn42-addrs)
     ,(router-rules)
     ,(afall (dn42-tunnels-in))))
 

netconf/dn42.rkt

@@ -21,18 +21,18 @@
   `[(delete protocols bgp peer-group dn42)
     (set protocols bgp peer-group dn42
          [(capability extended-nexthop)
-          ,(for/list ([af bgp-afs])
-             `(,af [(route-map export ,dn42-roa-route-map)
-                    (route-map import ,dn42-roa-route-map)
-                    (soft-reconfiguration inbound)]))])])
+          (address-family ,(for/list ([af bgp-afs])
+                             `(,af [(route-map export ,dn42-roa-route-map)
+                                    (route-map import ,dn42-roa-route-map)
+                                    (soft-reconfiguration inbound)])))])])
 
 (define (dn42/route-collector)
   (define addr "fd42:4242:2601:ac12::1")
   (define routemap 'deny-all)
-  
+
   `[(delete policy route-map ,routemap)
     (set policy route-map ,routemap rule 1 action deny)
-    
+
     (delete protocols bgp neighbor ,addr)
     (set protocols bgp neighbor ,addr
          [(capability extended-nexthop)

netconf/util.rkt

@@ -8,7 +8,7 @@
 
 (provide
  command->string
- 
+
  (proc-doc/names
   expand-command-tree
   (-> list list)
@@ -34,6 +34,7 @@
  dual-stack
  afmap
  afall
+ dsmap
  extract-v4
  extract-v6
  extract-all
@@ -93,6 +94,8 @@
     [other other]))
 (define (afall t)
   `(,(afmap extract-v4 t) ,(afmap extract-v6 t)))
+(define/match (dsmap f t)
+  [(f (dual-stack v4 v6)) (dual-stack (f v4) (f v6))])
 
 (define-record-type wireguard/tunnel
   (ifname
@@ -108,6 +111,10 @@
     (set interfaces wireguard ,(wireguard/tunnel-ifname r)
          [(address ,(wireguard/tunnel-our-address r))
           (description ,(wireguard/tunnel-description r))
+          (private-key ,(wireguard/tunnel-our-private-key r))
+          ,@(match (wireguard/tunnel-our-endpoint-port r)
+              ['() '()]
+              [port `(port ,port)])
           ,@(map wireguard/peer:render-vyos (wireguard/tunnel-peers r))])))
 
 (define-record-type wireguard/peer
@@ -118,7 +125,7 @@
 
 (define (wireguard/peer:render-vyos r)
   `(peer ,(wireguard/peer-name r)
-         [(public-key (wireguard/peer-public-key r))
+         [(public-key ,(wireguard/peer-public-key r))
           (allowed-ips "::/0")
           (allowed-ips "0.0.0.0/0")
           ,@(match (wireguard/peer-endpoint r)
@@ -135,12 +142,12 @@
 (define-record-setter bgp/link-local)
 
 (define (bgp/link-local:render-vyos r)
-  `[(delete protocols bgp neighbor (bgp/link-local-peer-address r))
+  `[(delete protocols bgp neighbor ,(bgp/link-local-peer-address r))
     (set protocols bgp neighbor ,(bgp/link-local-peer-address r)
          [(description ,(bgp/link-local-description r))
           (interface source-interface ,(bgp/link-local-ifname r))
           (interface v6only)
-          (peer-group ,(bgp/link-local-ifname r))
+          (peer-group ,(bgp/link-local-peer-group r))
           (remote-as ,(bgp/link-local-peer-asn r))
           (update-source ,(bgp/link-local-ifname r))])])
 

netconf/vyos-firewall.rkt

@@ -5,9 +5,12 @@
 (require "util.rkt")
 
 (provide
+ dn42-allowed-transit-addrs
+ ifd3f-dn42-addrs
  dn42-tunnels-in
  router-rules
- vyos-firewall-ds)
+ vyos-firewall-ds
+ firewall/network-group)
 
 (define dn42-allowed-transit-addrs
   (dual-stack '("10.0.0.0/8"
@@ -22,16 +25,27 @@
 (define vyos-firewall-ds
   (dual-stack 'ipv4 'ipv6))
 
+(define vyos-firewall-group-ds
+  (dual-stack 'network-group 'ipv6-network-group))
+
+(define (firewall/network-group name dsaddrs)
+  (afall
+   `[(delete firewall group ,vyos-firewall-group-ds ,(dual-stacked-suffix name))
+     (set firewall group ,vyos-firewall-group-ds ,(dual-stacked-suffix name))
+     (set firewall group ,vyos-firewall-group-ds ,(dual-stacked-suffix name)
+          network ,(dsmap (lambda (nets) (map list nets)) dsaddrs))]))
+
 (define (dn42-tunnels-in)
-   `[set firewall ,vyos-firewall-ds name ,(dual-stacked-suffix "dn42-tunnels-in")
+  `[(delete firewall ,vyos-firewall-ds name ,(dual-stacked-suffix "dn42-tunnels-in"))
+    (set firewall ,vyos-firewall-ds name ,(dual-stacked-suffix "dn42-tunnels-in")
          [(rule 10 [(description "Block traffic to operator-assigned IP space")
-                    (src ,(dual-stacked-suffix "dn42-allowed-transit"))
-                    (dst ,(dual-stacked-suffix "ifd3f-dn42"))
+                    (source group network-group ,(dual-stacked-suffix "dn42-allowed-transit"))
+                    (destination group network-group ,(dual-stacked-suffix "ifd3f-dn42"))
                     (action drop)])
           (rule 20 [(description "Allow peer transit")
-                    (src ,(dual-stacked-suffix "dn42-allowed-transit"))
-                    (dst ,(dual-stacked-suffix "dn42-allowed-transit"))
-                    (action accept)])]])
+                    (source group network-group  ,(dual-stacked-suffix "dn42-allowed-transit"))
+                    (destination group network-group ,(dual-stacked-suffix "dn42-allowed-transit"))
+                    (action accept)])])])
 
 (define (router-rules)
   '(set firewall