Move IP rules from role service-rclocal to role network-routing

- add scripts to configure and delete IP rules via a systemd unit - delete role `service-rclocal` - update README.md - add new handler
2017-10-13 07:59:43 +02:00 · 2017-10-13 07:59:43 +02:00 · 00307bc9be
parent dd03118c99
commit 00307bc9be
11 changed files with 139 additions and 53 deletions
--- a/playbooks/gateways.yml
+++ b/playbooks/gateways.yml
@ -28,5 +28,4 @@
    - service-bird-ffrl
    - service-bind-slave
    - network-routing
-    - service-rclocal
    - system-sysctl-gateway
--- a/roles/handlers/handlers/main.yml
+++ b/roles/handlers/handlers/main.yml
@ -71,6 +71,11 @@
  systemd:
    name: ffmwu-static-routes
    state: restarted
+
+- name: restart systemd unit ffmwu-ip-rules
+  systemd:
+    name: ffmwu-ip-rules
+    state: restarted
    
 - name: iptables-restore
  shell: iptables-restore < /etc/iptables/rules.v4
--- a/roles/network-routing/README.md
+++ b/roles/network-routing/README.md
@ -5,6 +5,7 @@ Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
 - konfiguriert statische Routen (systemd Unit)
  - Mesh Routen für die Routing Tabelle `mwu`
  - Blackhole Routes für die Routing Tabellen `internet` + `main`
+- konfiguriert IP rules (systemd Unit)
 - konfiguriert sysctl Parameter

 ## Benötigte Variablen
@ -16,7 +17,7 @@ meshes:
 ...
    site_name:
    ipv4_network:
-    ipv6_ula
+    ipv6_ula:
    ipv6_public:
 ´´´
 - List `sysctl_settings_gateway` (Rollen-Variable)
@ -25,6 +26,8 @@ sysctl_settings_routing:
  - name:       # sysctl-Parameter
    value:      # zu setzender Wert
 ...
+- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
+- Host Dictionary `ffrl_exit_server

 ´´´
 - Host Variable `magic`
--- a/roles/network-routing/tasks/main.yml
+++ b/roles/network-routing/tasks/main.yml
@ -26,6 +26,33 @@
    enabled: yes
    state: started

+- name: write systemd unit ffmwu-ip-rules.service
+  template:
+    src: ffmwu-ip-rules.service.j2
+    dest: /etc/systemd/system/ffmwu-ip-rules.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload systemd
+
+- name: write ip rule scripts
+  template:
+    src: "{{ item }}.j2"
+    dest: "/usr/local/bin/{{ item }}"
+    owner: root
+    group: root
+    mode: 0750
+  with_items:
+    - ffmwu-add-ip-rules.sh
+    - ffmwu-del-ip-rules.sh
+  notify: restart systemd unit ffmwu-ip-rules
+
+- name: enable systemd unit ffmwu-ip-rules.service
+  systemd:
+    name: ffmwu-ip-rules
+    enabled: yes
+    state: started
+
 - name: set freifunk gateway sysctl settings
  sysctl:
    name: "{{ item.name }}"
--- a/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
@ -1,21 +1,7 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # {{ ansible_managed }}
 #
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-# By default this script does nothing.
-
-#
-# IP rules
-#

 # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
 {% for mesh in meshes %}
--- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
 /sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
--- a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup mwu priority 7
+ip -6 rule del to {{ ula }} lookup mwu priority 7
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup mwu priority 7
+ip -6 rule del to {{ public }} lookup mwu priority 7
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% endfor %}
+
+# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup icvpn priority 23
+ip -6 rule del to {{ ula }} lookup icvpn priority 23
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup icvpn priority 23
+ip -6 rule del to {{ public }} lookup icvpn priority 23
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% endfor %}
+ip -4 rule del from all oif icVPN lookup icvpn priority 23
+ip -6 rule del from all oif icVPN lookup icvpn priority 23
+
+# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup internet priority 41
+ip -6 rule del to {{ ula }} lookup internet priority 41
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup internet priority 41
+ip -6 rule del to {{ public }} lookup internet priority 41
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41
+{% endfor %}
+ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+
+# Priority 61 - at this point this is the end of policy routing for freifunk related routes
+{% for mesh in meshes %}
+ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+{% endfor %}
+ip -4 rule del from all iif icVPN type unreachable priority 61
+ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
+{% for server_id, server_value in ffrl_exit_server.iteritems() %}
+ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
+ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
+{% endfor %}
+ip -6 rule del from all iif icVPN type unreachable priority 61
+ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
+{% for mesh in meshes %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} type unreachable priority 61
+ip -6 rule del to {{ public }} type unreachable priority 61
+{% endfor %}
+{% endfor %}
+
+# Priority 107 - lookup policies for the gateway host self originating traffic
+ip -4 rule del from all lookup mwu priority 107
+ip -4 rule del from all lookup icvpn priority 107
+ip -6 rule del from all lookup mwu priority 107
+ip -6 rule del from all lookup icvpn priority 107
+
+exit 0
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
 /sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
--- a/roles/network-routing/templates/ffmwu-ip-rules.service.j2
+++ b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
@ -0,0 +1,12 @@
+[Unit]
+Description=Manage Freifunk MWU IP rules
+After=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
+ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/service-rclocal/README.md
+++ b/roles/service-rclocal/README.md
@ -1,25 +0,0 @@
-# Ansible role service-rclocal
-
-Diese Ansible role schreibt die rc.local.
-Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert.
-
-All dieses sollte in Zukunft durch systemd units abgelöst werden.
-
-## Benötigte Variablen
-
- Dictionary `meshes`
-´´´
-meshes:
-  - id: xx
-...
-    site_name: # string
-    ipv4_network:
-    ipv6_ula:
-      - # string
-    ipv6_public:
-      - # string
-    iface_mtu: # integer
-´´´
- Host Variable `magic`
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
- Host Dictionary `ffrl_exit_server`
--- a/roles/service-rclocal/tasks/main.yml
+++ b/roles/service-rclocal/tasks/main.yml
@ -1,11 +0,0 @@
---
- name: write rc.local
-  template:
-    src: rc.local.j2
-    dest: /etc/rc.local
-    mode: 0755
-
- name: enable systemd unit rc.local
-  systemd:
-    name: rc.local
-    enabled: yes