authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-02-27 01:45:19 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-03-06 20:53:53 +0200
commit575908f89ac8f204ddadd8f69f0c8dcc4d997dd5 (patch)
treee23d4cfa32dc0b9bf775dbac41b120c94b1dbdff
parent84bacf1b16e81f040d70625f4b3fe2051cdcd576 (diff)
configurable prefix length limitv0.1.1
-rwxr-xr-xnhrp-events16
-rwxr-xr-xsetup-dmvpn13
2 files changed, 26 insertions, 3 deletions
diff --git a/nhrp-events b/nhrp-events
index 834c851..317c197 100755
--- a/nhrp-events
+++ b/nhrp-events
@@ -166,13 +166,25 @@ end
local function bgp_create_spoke_rules(msg, remote_cert, local_cert)
if not local_cert.hub then return end
+ if not config then
+ local conf_file = io.open("/etc/nhrp-events.conf")
+ config = require("lyaml").load(conf_file:read("*a"))
+ conf_file:close()
+ end
+
local bgpcfg = {}
for afi, family in ipairs{"ip", "ipv6"} do
for seq, net in ipairs(remote_cert.NET[afi]) do
+ local len = tonumber(net:match('/(%d+)$'))
+ local limit = remote_cert.hub and ({32, 128})[afi] or config['max-prefix-length'][family]
table.insert(
bgpcfg,
- ("%s prefix-list net-%s-in seq %d permit %s"):format(
- family, msg.remote_addr, seq * 5, net
+ ("%s prefix-list net-%s-in seq %d permit %s%s"):format(
+ family,
+ msg.remote_addr,
+ seq * 5,
+ net,
+ limit > len and (" le %d"):format(limit) or ""
)
)
end
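Review bot: The added `limit > len` raises a Lua comparison error whenever either operand is nil. `len` is nil if a `remote_cert.NET` entry has no trailing `/<digits>`, and `limit` is nil when `config['max-prefix-length']` has no entry for the family (setup-dmvpn writes the `ipv6` key only when `SITE_PREFIX_LEN_IPV6` is set). Likewise `io.open` returns nil when /etc/nhrp-events.conf is missing, for example on a hub set up before this change, so `conf_file:read` fails on a nil value. Because this list decides which prefixes a spoke may announce, I would fall back to the pre-change exact-match entry (no `le`) in all of these cases, as sketched below. `config` is also assigned without a `local` in the hunk, so unless it is declared outside the visible lines it becomes a global; the function body continues past the hunk.

```lua
  if not config then
    local conf_file = io.open("/etc/nhrp-events.conf")
    -- a missing file leaves config empty, so only exact prefixes are permitted
    config = conf_file and require("lyaml").load(conf_file:read("*a")) or {}
    if conf_file then conf_file:close() end
  end
  -- … unchanged: bgpcfg setup and the two ipairs loops …
      local len = tonumber(net:match('/(%d+)$'))
      local max = (config['max-prefix-length'] or {})[family]
      local limit = remote_cert.hub and ({32, 128})[afi] or tonumber(max)
      -- no usable length or limit: emit the exact-match entry without "le"
      local le = len and limit and limit > len and (" le %d"):format(limit) or ""
  -- … unchanged: table.insert/format call, passing `le` as the last argument …
```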
diff --git a/setup-dmvpn b/setup-dmvpn
index d862472..4d4ceb7 100755
--- a/setup-dmvpn
+++ b/setup-dmvpn
@@ -251,5 +251,16 @@ EOF
awall enable dmvpn-hub
awall translate
enable_firewall iptables
- [ "$SITE_PREFIX_LEN_IPV6" ] && enable_firewall ip6tables
+
+ cat > /etc/nhrp-events.conf <<EOF
+max-prefix-length:
+ ip: $SITE_PREFIX_LEN_IPV4
+EOF
+
+ if [ "$SITE_PREFIX_LEN_IPV6" ]; then
+ enable_firewall ip6tables
+ cat >> /etc/nhrp-events.conf <<EOF
+ ipv6: $SITE_PREFIX_LEN_IPV6
+EOF
+ fi
fi
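Review bot: `$SITE_PREFIX_LEN_IPV4` is expanded into /etc/nhrp-events.conf with no check in this hunk that it is set and numeric. An empty value yields a YAML null under `ip:`, which nhrp-events then compares against a number, and any other text becomes the `le` bound of the hub's spoke prefix filter. Unless the value is validated earlier in the script (not visible here), a guard before the heredoc would catch this: `case "$SITE_PREFIX_LEN_IPV4" in ''|*[!0-9]*) echo "invalid IPv4 prefix length" >&2; exit 1;; esac`. The same applies to `$SITE_PREFIX_LEN_IPV6`, where the existing test only rejects the empty string. The enclosing `if` starts outside the hunk.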