Merge pull request #60 from MattKobayashi/fullbogons

Add fullbogons
MattKobayashi · Jul 7, 2023 · 3695d3c · 3695d3c
2 parents d194265 + 64d8493
commit 3695d3c
Show file tree

Hide file tree

Showing 6 changed files with 220 additions and 0 deletions.
diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml
@@ -251,6 +251,74 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
+  build-fullbogons:
+
+    runs-on: self-hosted
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      # Login to Docker Hub to avoid pull rate limit
+      # https://github.com/docker/login-action
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Add support for more platforms with QEMU (optional)
+      # https://github.com/docker/setup-qemu-action
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      # Set up Docker Buildx
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      # Gives two env variables
+      # One with lowercase repo owner's name
+      # Another with the name of the image
+      - name: Set image name
+        run: |
+          echo "REPO_NAME=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV} &&
+          echo "IMAGE_NAME=${GITHUB_JOB#*-}" >> ${GITHUB_ENV}
+
+      # Checkout repository
+      # https://github.com/actions/checkout
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: |
+          github.event_name == 'push' ||
+          github.event_name == 'schedule'
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: ./${{ env.IMAGE_NAME }}
+          push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+          tags: ${{ env.REGISTRY }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:latest
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      # Cycle the cache to prevent it from getting too large
+      - name: Cycle build cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
   build-iperf2:
 
     runs-on: self-hosted

diff --git a/fullbogons/Dockerfile b/fullbogons/Dockerfile
@@ -0,0 +1,46 @@
+FROM alpine:3
+
+ENV SOURCE_FILE=bird.tar.gz \
+    SOURCE_URL=https://gitlab.nic.cz/labs/bird/-/archive/v2.13.1/bird-v2.13.1.tar.gz \
+    SOURCE_SHA1SUM=b2da703ea2fc68fec1e07c635a3c3301ccf291e4
+
+# Download source file, extract and compile
+WORKDIR /bird
+RUN apk --no-cache upgrade \
+    && apk --no-cache add tar build-base autoconf flex bison linux-headers ncurses-dev libssh-dev readline-dev \
+    && wget -O "$SOURCE_FILE" "$SOURCE_URL" \
+    && echo "${SOURCE_SHA1SUM}  ${SOURCE_FILE}" | sha1sum -c - \
+    && tar -xz --strip-components=1 --file="$SOURCE_FILE" \
+    && autoreconf \
+    && ./configure \
+    && make \
+    && make install
+
+# Post-install cleanup
+RUN apk del tar build-base autoconf \
+    && rm -rf /bird/*
+
+# Copy external files
+COPY requirements.txt .
+COPY fullbogons.py .
+COPY templates/* templates/
+COPY entrypoint.sh .
+
+# Set up image for running BIRD
+RUN adduser -D bird \
+    && chown -R bird /bird/ \
+    && apk --no-cache upgrade \
+    && apk add python3 \
+    && python3 -m ensurepip \
+    && pip3 install -r requirements.txt
+
+# Set expose ports
+# BGP: 179/tcp
+# RIP: 520/udp
+# RIP-ng: 521/udp
+EXPOSE 179/tcp 520/udp 521/udp
+
+# Set entrypoint
+ENTRYPOINT ["./entrypoint.sh"]
+
+LABEL org.opencontainers.image.authors="MattKobayashi <[email protected]>"
diff --git a/fullbogons/entrypoint.sh b/fullbogons/entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+su bird -s /usr/bin/python3 fullbogons.py
+exec bird -u bird -c bird.conf
diff --git a/fullbogons/fullbogons.py b/fullbogons/fullbogons.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import requests
+import ipaddress
+import jinja2
+import os
+
+options = {}
+
+# Variables
+fullbogons_ipv4_url = 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt'
+fullbogons_ipv6_url = 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt'
+options["bird_router_id"] = os.environ['BIRD_ROUTER_ID']
+options["bird_asn"] = os.environ['BIRD_ASN']
+
+# Load jinja2 config
+templateLoader = jinja2.FileSystemLoader(searchpath="./templates/")
+templateEnv = jinja2.Environment(
+    loader=templateLoader,
+    trim_blocks=True,
+    lstrip_blocks=False,
+    keep_trailing_newline=True
+    )
+
+# Do stuff
+fullbogons_ipv4_raw = requests.get(fullbogons_ipv4_url).text
+fullbogons_ipv6_raw = requests.get(fullbogons_ipv6_url).text
+options["bird_peers"] = {}
+for peer in os.environ['BIRD_PEERS'].split(";"):
+    options["bird_peers"][peer.split(",")[0]] = peer.split(",")[1]
+
+# Create list of IPv4 fullbogons
+print("Creating IPv4 fullbogons list...")
+options["fullbogons_ipv4"] = []
+for line in fullbogons_ipv4_raw.split('\n'):
+    try:
+        options["fullbogons_ipv4"].append(str(ipaddress.ip_network(line)))
+    except ValueError:
+        print(line, 'is not a valid IPv4 subnet, skipping...')
+        continue
+
+# Create list of IPv6 fullbogons
+print("Creating IPv6 fullbogons list...")
+options["fullbogons_ipv6"] = []
+for line in fullbogons_ipv6_raw.split('\n'):
+    try:
+        options["fullbogons_ipv6"].append(str(ipaddress.ip_network(line)))
+    except ValueError:
+        print(line, 'is not a valid IPv6 subnet, skipping...')
+        continue
+
+# Generate BIRD config
+print("Generating BIRD configuration...")
+TEMPLATE_FILE = "bird.j2"
+template = templateEnv.get_template(TEMPLATE_FILE)
+birdconf = template.render(options)
+
+# Save BIRD config to file
+print("Saving BIRD configuration to bird.conf...")
+birdconf_file = open("./bird.conf", "w")
+birdconf_file.write(birdconf)
+birdconf_file.close()
diff --git a/fullbogons/requirements.txt b/fullbogons/requirements.txt
@@ -0,0 +1,2 @@
+requests
+jinja2
diff --git a/fullbogons/templates/bird.j2 b/fullbogons/templates/bird.j2
@@ -0,0 +1,38 @@
+log syslog all;
+
+router id {{ bird_router_id }};
+
+protocol static {
+	ipv4;
+{% for subnet in fullbogons_ipv4 %}
+	route {{ subnet }} blackhole;
+{% endfor %}
+}
+
+protocol static {
+	ipv6;
+{% for subnet in fullbogons_ipv6 %}
+	route {{ subnet }} blackhole;
+{% endfor %}
+}
+
+template bgp fullbogons_clients {
+	local {{ bird_router_id }} as {{ bird_asn }};
+	neighbor as {{ bird_asn }};
+	rr client;
+	ipv4 {
+		import none;
+		export all;
+	};
+
+	ipv6 {
+		import none;
+		export all;
+	};
+}
+
+{% for name, address in bird_peers.items() %}
+protocol bgp {{ name }} from fullbogons_clients {
+	neighbor {{ address }};
+	}
+{% endfor %}