From 00307bc9be3d810ba8bb9353e755ebd99dd78052 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Fri, 13 Oct 2017 07:59:43 +0200
Subject: [PATCH] Move IP rules from role `service-rclocal` to role `network-routing`

- add scripts to configure and delete IP rules via a systemd unit
- delete role `service-rclocal`
- update README.md
- add new handler
---
 playbooks/gateways.yml | 1 -
 roles/handlers/handlers/main.yml | 5 ++
 roles/network-routing/README.md | 5 +-
 roles/network-routing/tasks/main.yml | 27 ++++++
 .../templates/ffmwu-add-ip-rules.sh.j2} | 16 +---
 .../templates/ffmwu-add-static-routes.sh.j2 | 4 +
 .../templates/ffmwu-del-ip-rules.sh.j2 | 82 +++++++++++++++++++
 .../templates/ffmwu-del-static-routes.sh.j2 | 4 +
 .../templates/ffmwu-ip-rules.service.j2 | 12 +++
 roles/service-rclocal/README.md | 25 ------
 roles/service-rclocal/tasks/main.yml | 11 ---
 11 files changed, 139 insertions(+), 53 deletions(-)
 rename roles/{service-rclocal/templates/rc.local.j2 => network-routing/templates/ffmwu-add-ip-rules.sh.j2} (92%)
 create mode 100644 roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
 create mode 100644 roles/network-routing/templates/ffmwu-ip-rules.service.j2
 delete mode 100644 roles/service-rclocal/README.md
 delete mode 100644 roles/service-rclocal/tasks/main.yml

diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml
index 84de721..015f1e8 100755
--- a/playbooks/gateways.yml
+++ b/playbooks/gateways.yml
@@ -28,5 +28,4 @@
 - service-bird-ffrl
 - service-bind-slave
 - network-routing
- - service-rclocal
 - system-sysctl-gateway
diff --git a/roles/handlers/handlers/main.yml b/roles/handlers/handlers/main.yml
index e666ba5..d91953f 100644
--- a/roles/handlers/handlers/main.yml
+++ b/roles/handlers/handlers/main.yml
@@ -71,6 +71,11 @@
 systemd:
 name: ffmwu-static-routes
 state: restarted
+
+- name: restart systemd unit ffmwu-ip-rules
+ systemd:
+ name: ffmwu-ip-rules
+ state: restarted
 
 - name: iptables-restore
 shell: iptables-restore < /etc/iptables/rules.v4
diff --git a/roles/network-routing/README.md b/roles/network-routing/README.md
index 7bb45f6..db00a5b 100644
--- a/roles/network-routing/README.md
+++ b/roles/network-routing/README.md
@@ -5,6 +5,7 @@ Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
 - konfiguriert statische Routen (systemd Unit)
 - Mesh Routen für die Routing Tabelle `mwu`
 - Blackhole Routes für die Routing Tabellen `internet` + `main`
+- konfiguriert IP rules (systemd Unit)
 - konfiguriert sysctl Parameter
 
 ## Benötigte Variablen
@@ -16,7 +17,7 @@ meshes:
 ...
 site_name:
 ipv4_network:
- ipv6_ula
+ ipv6_ula:
 ipv6_public:
 ´´´
 - List `sysctl_settings_gateway` (Rollen-Variable)
@@ -25,6 +26,8 @@ sysctl_settings_routing:
 - name: # sysctl-Parameter
 value: # zu setzender Wert
 ...
+- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
+- Host Dictionary `ffrl_exit_server
 ´´´
 - Host Variable `magic`
diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml
index 923d366..8091636 100644
--- a/roles/network-routing/tasks/main.yml
+++ b/roles/network-routing/tasks/main.yml
@@ -26,6 +26,33 @@
 enabled: yes
 state: started
 
+- name: write systemd unit ffmwu-ip-rules.service
+ template:
+ src: ffmwu-ip-rules.service.j2
+ dest: /etc/systemd/system/ffmwu-ip-rules.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: reload systemd
+
+- name: write ip rule scripts
+ template:
+ src: "{{ item }}.j2"
+ dest: "/usr/local/bin/{{ item }}"
+ owner: root
+ group: root
+ mode: 0750
+ with_items:
+ - ffmwu-add-ip-rules.sh
+ - ffmwu-del-ip-rules.sh
+ notify: restart systemd unit ffmwu-ip-rules
+
+- name: enable systemd unit ffmwu-ip-rules.service
+ systemd:
+ name: ffmwu-ip-rules
+ enabled: yes
+ state: started
+
 - name: set freifunk gateway sysctl settings
 sysctl:
 name: "{{ item.name }}"
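Review bot: The `mode: 0644` and `mode: 0750` values in the two new template tasks are bare octal literals that the YAML loader reads as the integers 420 and 488, which Ansible only maps back to the intended mode because of the leading zero; quoting them as `mode: "0644"` and `mode: "0750"` makes the intent explicit and survives reformatting. `enabled: yes` in the enable task should likewise be `enabled: true` (the context lines show the existing static-routes task uses `yes` as well, so this is a file-wide convention to settle). The enable task also starts a unit whose file was written moments earlier in the same play, while the `reload systemd` handler it notifies only runs at the end of the play; adding `daemon_reload: yes` to that `systemd:` task would make the first deploy independent of handler timing, assuming the handler is the plain daemon-reload its name suggests.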
diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
similarity index 92%
rename from roles/service-rclocal/templates/rc.local.j2
rename to roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
index 53ec415..cd8e6a4 100644
--- a/roles/service-rclocal/templates/rc.local.j2
+++ b/roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2
@@ -1,21 +1,7 @@
-#!/bin/sh -e
+#!/bin/sh
 #
 # {{ ansible_managed }}
 #
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-# By default this script does nothing.
-
-#
-# IP rules
-#
 
 # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
 {% for mesh in meshes %}
diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
index 3f2cc03..b5bc7d8 100644
--- a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2
@@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
 /sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
diff --git a/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2 b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
new file mode 100644
index 0000000..d6bee9f
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
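Review bot: The first line of the hunk drops `-e` from the shebang (`-#!/bin/sh -e` → `+#!/bin/sh`), so a failing `ip rule add` no longer aborts the script and the oneshot ExecStart exits 0 with only part of the rule set installed, which systemd then reports as a successful start. These rules are what steer freifunk-interface traffic into the `mwu`/`icvpn`/`internet` tables and, judging by the matching delete script in this commit, fence the rest off with `type unreachable` at priority 61, so a silent partial install weakens that separation without any visible error. Keep `#!/bin/sh -e` on the add script so the unit is marked failed; the delete script can stay lenient because rules may already be absent. The remainder of the script is outside this hunk, so it is not visible whether it also ends in an unconditional `exit 0`, which would mask failures the same way.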
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup mwu priority 7
+ip -6 rule del to {{ ula }} lookup mwu priority 7
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup mwu priority 7
+ip -6 rule del to {{ public }} lookup mwu priority 7
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% endfor %}
+
+# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup icvpn priority 23
+ip -6 rule del to {{ ula }} lookup icvpn priority 23
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup icvpn priority 23
+ip -6 rule del to {{ public }} lookup icvpn priority 23
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% endfor %}
+ip -4 rule del from all oif icVPN lookup icvpn priority 23
+ip -6 rule del from all oif icVPN lookup icvpn priority 23
+
+# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup internet priority 41
+ip -6 rule del to {{ ula }} lookup internet priority 41
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup internet priority 41
+ip -6 rule del to {{ public }} lookup internet priority 41
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41
+{% endfor %}
+ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+
+# Priority 61 - at this point this is the end of policy routing for freifunk related routes
+{% for mesh in meshes %}
+ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+{% endfor %}
+ip -4 rule del from all iif icVPN type unreachable priority 61
+ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
+{% for server_id, server_value in ffrl_exit_server.iteritems() %}
+ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
+ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
+{% endfor %}
+ip -6 rule del from all iif icVPN type unreachable priority 61
+ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
+{% for mesh in meshes %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} type unreachable priority 61
+ip -6 rule del to {{ public }} type unreachable priority 61
+{% endfor %}
+{% endfor %}
+
+# Priority 107 - lookup policies for the gateway host self originating traffic
+ip -4 rule del from all lookup mwu priority 107
+ip -4 rule del from all lookup icvpn priority 107
+ip -6 rule del from all lookup mwu priority 107
+ip -6 rule del from all lookup icvpn priority 107
+
+exit 0
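Review bot: The loop header `{% for server_id, server_value in ffrl_exit_server.iteritems() %}` in the priority-61 block uses the Python 2-only `dict.iteritems()`, so the template fails to render on a Python 3 controller. `server_value` is never read in the loop body, so `{% for server_id in ffrl_exit_server %}` is both portable and plainer (or `.items()` if the value is wanted later). The script also invokes bare `ip` while the static-routes templates in this commit use `/sbin/ip`; choosing one spelling keeps the two units from diverging in behaviour under different `PATH` settings.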
diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
index ac57aa0..b09e9cc 100644
--- a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
+++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2
@@ -1,4 +1,8 @@
 #!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
 {% for mesh in meshes %}
 # static {{ mesh.site_name }} routes for rt_table mwu
 /sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
diff --git a/roles/network-routing/templates/ffmwu-ip-rules.service.j2 b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
new file mode 100644
index 0000000..0ef051a
--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Manage Freifunk MWU IP rules
+After=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
+ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/service-rclocal/README.md b/roles/service-rclocal/README.md
deleted file mode 100644
index 74a820a..0000000
--- a/roles/service-rclocal/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Ansible role service-rclocal
-
-Diese Ansible role schreibt die rc.local.
-Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert.
-
-All dieses sollte in Zukunft durch systemd units abgelöst werden.
-
-## Benötigte Variablen
-
-- Dictionary `meshes`
-´´´
-meshes:
- - id: xx
-...
- site_name: # string
- ipv4_network:
- ipv6_ula:
- - # string
- ipv6_public:
- - # string
- iface_mtu: # integer
-´´´
-- Host Variable `magic`
-- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
-- Host Dictionary `ffrl_exit_server`
diff --git a/roles/service-rclocal/tasks/main.yml b/roles/service-rclocal/tasks/main.yml
deleted file mode 100644
index 1400aa1..0000000
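Review bot: `After=network-online.target` on the third line only orders this unit behind that target when something else pulls the target in; without a matching `Wants=network-online.target` the unit can run before the network is up, and the bridge and tunnel interfaces the rules name (`oif {{ mesh.id }}BR`, `iif icVPN`) may not exist yet, in which case `ip rule add` fails — silently, given the add script's shebang no longer carries `-e`. Add `Wants=network-online.target` beside the `After=` line, and consider an `After=` on whatever unit creates those interfaces if the role knows it. Note also that the restart handler maps to ExecStop followed by ExecStart, so every script change removes all policy rules for the duration of the restart, during which freifunk traffic is matched against the main table; a one-line comment above `ExecStop=` saying so would tell operators to expect that window.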
--- a/roles/service-rclocal/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: write rc.local
- template:
- src: rc.local.j2
- dest: /etc/rc.local
- mode: 0755
-
-- name: enable systemd unit rc.local
- systemd:
- name: rc.local
- enabled: yes