{{ "firewall"|progress }} { {%- set bgp_multihop_prefixes_v4 = [] %} {%- set bgp_multihop_prefixes_v6 = [] %} {%- for prefix in 'bgp-multihop'|get_netbox_tagged_prefixes %} {%- if prefix|ipv4 %}{% do bgp_multihop_prefixes_v4.append( prefix ) %} {%- elif prefix|ipv6 %}{% do bgp_multihop_prefixes_v6.append( prefix ) %} {%- endif %} {%- endfor %} {%- set bgp_allowed_prefixes_v4 = [] %} {%- set bgp_allowed_prefixes_v6 = [] %} {%- for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %} {%- if prefix|ipv4 %}{% do bgp_allowed_prefixes_v4.append( prefix ) %} {%- elif prefix|ipv6 %}{% do bgp_allowed_prefixes_v6.append( prefix ) %} {%- endif %} {%- endfor %} {%- set ldp_allowed_prefixes_v4 = [] %} {%- set ldp_allowed_prefixes_v6 = [] %} {%- for prefix in 'ldp-allowed'|get_netbox_tagged_prefixes %} {%- if prefix|ipv4 %}{% do ldp_allowed_prefixes_v4.append( prefix ) %} {%- elif prefix|ipv6 %}{% do ldp_allowed_prefixes_v6.append( prefix ) %} {%- endif %} {%- endfor %} family inet { filter control-plane-protection-IPv4 { {% if bgp_multihop_prefixes_v4 %} term allow-multihop-bgp { from { source-address { {% for prefix in bgp_multihop_prefixes_v4 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } protocol tcp; port 179; } then { accept; } } {% endif %} {% if bgp_allowed_prefixes_v4 %} term allow-gtsm-bgp { from { protocol tcp; source-address { {% for prefix in bgp_allowed_prefixes_v4 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } tcp-initial; ttl 255; port 179; } then { accept; } } term allow-established-bgp { from { protocol tcp; source-address { {% for prefix in 'bgp-allowed'|get_netbox_tagged_prefixes %}{% if prefix|ipv4 %} {{ prefix }}; /* {{ prefix.description }} */ {% endif %}{% endfor %} } tcp-established; port 179; } then { accept; } } {% endif %} term reject-bgp { from { protocol tcp; port 179; } then { reject tcp-reset; } } {% if ldp_allowed_prefixes_v4 %} term allow-ldp { from { source-address { {% for prefix in ldp_allowed_prefixes_v4 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } protocol tcp; port 646; } then { accept; } } {% endif %} term reject-ldp { from { protocol tcp; port 646; } then { reject tcp-reset; } } term else { then { accept; } } } } family inet6 { filter control-plane-protection-IPv6 { {% if bgp_multihop_prefixes_v6 %} term allow-multihop-bgp { from { source-address { {% for prefix in bgp_multihop_prefixes_v6 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } next-header tcp; destination-port 179; } then { accept; } } {% endif %} {% if bgp_allowed_prefixes_v6 %} term allow-gtsm-bgp { from { next-header tcp; source-address { {% for prefix in bgp_allowed_prefixes_v6 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } hop-limit 255; tcp-initial; destination-port 179; } then { accept; } } term allow-established-bgp { from { next-header tcp; source-address { {% for prefix in bgp_allowed_prefixes_v6 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } tcp-established; destination-port 179; } then { accept; } } {% endif %} term reject-bgp { from { next-header tcp; destination-port 179; } then { reject tcp-reset; } } {% if ldp_allowed_prefixes_v6 %} term allow-ldp { from { next-header tcp; source-address { {% for prefix in ldp_allowed_prefixes_v6 %} {{ prefix }}; /* {{ prefix.description }} */ {% endfor %} } destination-port 646; } then { accept; } } {% endif %} term reject-ldp { from { next-header tcp; destination-port 646; } then { reject tcp-reset; } } term else { then { accept; } } } } }