Move IP rules from role service-rclocal
to role network-routing
- add scripts to configure and delete IP rules via a systemd unit - delete role `service-rclocal` - update README.md - add new handler
This commit is contained in:
parent
dd03118c99
commit
00307bc9be
11 changed files with 139 additions and 53 deletions
|
@ -28,5 +28,4 @@
|
||||||
- service-bird-ffrl
|
- service-bird-ffrl
|
||||||
- service-bind-slave
|
- service-bind-slave
|
||||||
- network-routing
|
- network-routing
|
||||||
- service-rclocal
|
|
||||||
- system-sysctl-gateway
|
- system-sysctl-gateway
|
||||||
|
|
|
@ -71,6 +71,11 @@
|
||||||
systemd:
|
systemd:
|
||||||
name: ffmwu-static-routes
|
name: ffmwu-static-routes
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart systemd unit ffmwu-ip-rules
|
||||||
|
systemd:
|
||||||
|
name: ffmwu-ip-rules
|
||||||
|
state: restarted
|
||||||
|
|
||||||
- name: iptables-restore
|
- name: iptables-restore
|
||||||
shell: iptables-restore < /etc/iptables/rules.v4
|
shell: iptables-restore < /etc/iptables/rules.v4
|
||||||
|
|
|
@ -5,6 +5,7 @@ Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
|
||||||
- konfiguriert statische Routen (systemd Unit)
|
- konfiguriert statische Routen (systemd Unit)
|
||||||
- Mesh Routen für die Routing Tabelle `mwu`
|
- Mesh Routen für die Routing Tabelle `mwu`
|
||||||
- Blackhole Routes für die Routing Tabellen `internet` + `main`
|
- Blackhole Routes für die Routing Tabellen `internet` + `main`
|
||||||
|
- konfiguriert IP rules (systemd Unit)
|
||||||
- konfiguriert sysctl Parameter
|
- konfiguriert sysctl Parameter
|
||||||
|
|
||||||
## Benötigte Variablen
|
## Benötigte Variablen
|
||||||
|
@ -16,7 +17,7 @@ meshes:
|
||||||
...
|
...
|
||||||
site_name:
|
site_name:
|
||||||
ipv4_network:
|
ipv4_network:
|
||||||
ipv6_ula
|
ipv6_ula:
|
||||||
ipv6_public:
|
ipv6_public:
|
||||||
´´´
|
´´´
|
||||||
- List `sysctl_settings_gateway` (Rollen-Variable)
|
- List `sysctl_settings_gateway` (Rollen-Variable)
|
||||||
|
@ -25,6 +26,8 @@ sysctl_settings_routing:
|
||||||
- name: # sysctl-Parameter
|
- name: # sysctl-Parameter
|
||||||
value: # zu setzender Wert
|
value: # zu setzender Wert
|
||||||
...
|
...
|
||||||
|
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
||||||
|
- Host Dictionary `ffrl_exit_server
|
||||||
|
|
||||||
´´´
|
´´´
|
||||||
- Host Variable `magic`
|
- Host Variable `magic`
|
||||||
|
|
|
@ -26,6 +26,33 @@
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: write systemd unit ffmwu-ip-rules.service
|
||||||
|
template:
|
||||||
|
src: ffmwu-ip-rules.service.j2
|
||||||
|
dest: /etc/systemd/system/ffmwu-ip-rules.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify: reload systemd
|
||||||
|
|
||||||
|
- name: write ip rule scripts
|
||||||
|
template:
|
||||||
|
src: "{{ item }}.j2"
|
||||||
|
dest: "/usr/local/bin/{{ item }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0750
|
||||||
|
with_items:
|
||||||
|
- ffmwu-add-ip-rules.sh
|
||||||
|
- ffmwu-del-ip-rules.sh
|
||||||
|
notify: restart systemd unit ffmwu-ip-rules
|
||||||
|
|
||||||
|
- name: enable systemd unit ffmwu-ip-rules.service
|
||||||
|
systemd:
|
||||||
|
name: ffmwu-ip-rules
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
- name: set freifunk gateway sysctl settings
|
- name: set freifunk gateway sysctl settings
|
||||||
sysctl:
|
sysctl:
|
||||||
name: "{{ item.name }}"
|
name: "{{ item.name }}"
|
||||||
|
|
|
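Review bot: The task `write systemd unit ffmwu-ip-rules.service` notifies only `reload systemd`, so a later edit to the unit file (for instance a changed ExecStart/ExecStop path) is picked up by daemon-reload but the running unit is never restarted, while the script task right below it does notify `restart systemd unit ffmwu-ip-rules`. Making the unit task notify both, `notify:` / `  - reload systemd` / `  - restart systemd unit ffmwu-ip-rules`, closes that gap, provided `reload systemd` is defined ahead of the restart handler in the handlers file, which this diff does not show. `enabled: yes` in the enable task is the YAML 1.1 boolean spelling; yamllint's truthy rule expects `true`, although the preceding task uses the same form. The tasks file continues past this hunk on both sides.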
@ -1,21 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
#
|
#
|
||||||
# rc.local
|
|
||||||
#
|
|
||||||
# This script is executed at the end of each multiuser runlevel.
|
|
||||||
# Make sure that the script will "exit 0" on success or any other
|
|
||||||
# value on error.
|
|
||||||
#
|
|
||||||
# In order to enable or disable this script just change the execution
|
|
||||||
# bits.
|
|
||||||
#
|
|
||||||
# By default this script does nothing.
|
|
||||||
|
|
||||||
#
|
|
||||||
# IP rules
|
|
||||||
#
|
|
||||||
|
|
||||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||||
{% for mesh in meshes %}
|
{% for mesh in meshes %}
|
|
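Review bot: Dropping `-e` from the shebang on the first line (`#!/bin/sh -e` became `#!/bin/sh`) means a failing `ip rule add` no longer aborts the script, so the oneshot unit will report active even when part of the policy routing — presumably including the `type unreachable` fences that the companion delete script removes at priority 61 — was never installed. If the motivation is duplicate-rule errors on a re-run, keeping `-e` and making each add idempotent (delete the rule first, ignoring its error, then add it) is the safer fix; alternatively track failures and exit non-zero at the end so systemd marks the unit failed. The rest of the script lies outside this hunk.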
@ -1,4 +1,8 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
|
||||||
{% for mesh in meshes %}
|
{% for mesh in meshes %}
|
||||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||||
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
|
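--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
+ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup mwu priority 7
+ip -6 rule del to {{ ula }} lookup mwu priority 7
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup mwu priority 7
+ip -6 rule del to {{ public }} lookup mwu priority 7
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
+{% endfor %}
+
+# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
+ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup icvpn priority 23
+ip -6 rule del to {{ ula }} lookup icvpn priority 23
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup icvpn priority 23
+ip -6 rule del to {{ public }} lookup icvpn priority 23
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
+{% endfor %}
+ip -4 rule del from all oif icVPN lookup icvpn priority 23
+ip -6 rule del from all oif icVPN lookup icvpn priority 23
+
+# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41
+{% for ula in mesh.ipv6_ula %}
+ip -6 rule del from {{ ula }} lookup internet priority 41
+ip -6 rule del to {{ ula }} lookup internet priority 41
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} lookup internet priority 41
+ip -6 rule del to {{ public }} lookup internet priority 41
+{% endfor %}
+ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41
+{% endfor %}
+ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
+
+# Priority 61 - at this point this is the end of policy routing for freifunk related routes
+{% for mesh in meshes %}
+ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
+{% endfor %}
+ip -4 rule del from all iif icVPN type unreachable priority 61
+ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
+{% for server_id, server_value in ffrl_exit_server.iteritems() %}
+ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
+ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
+{% endfor %}
+ip -6 rule del from all iif icVPN type unreachable priority 61
+ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
+{% for mesh in meshes %}
+{% for public in mesh.ipv6_public %}
+ip -6 rule del from {{ public }} type unreachable priority 61
+ip -6 rule del to {{ public }} type unreachable priority 61
+{% endfor %}
+{% endfor %}
+
+# Priority 107 - lookup policies for the gateway host self originating traffic
+ip -4 rule del from all lookup mwu priority 107
+ip -4 rule del from all lookup icvpn priority 107
+ip -6 rule del from all lookup mwu priority 107
+ip -6 rule del from all lookup icvpn priority 107
+
+exit 0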
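Review bot: `{% for server_id, server_value in ffrl_exit_server.iteritems() %}` in the priority-61 block uses the Python 2-only dict method `iteritems()`; on a Python 3 controller Jinja2 has no such attribute and the template fails to render, so the unit would be left without an ExecStop script. `ffrl_exit_server.items()` works on both interpreters, and since `server_value` is never used, `{% for server_id in ffrl_exit_server %}` is simpler still. The commands also invoke `ip` unqualified while the static-route scripts in this role call `/sbin/ip`; one form should be used across the role.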
@ -1,4 +1,8 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
#
|
||||||
|
|
||||||
{% for mesh in meshes %}
|
{% for mesh in meshes %}
|
||||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||||
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
|
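--- /dev/null
+++ b/roles/network-routing/templates/ffmwu-ip-rules.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Manage Freifunk MWU IP rules
+After=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
+ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
+
+[Install]
+WantedBy=multi-user.target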
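Review bot: `After=network-online.target` in `[Unit]` only orders the unit relative to that target; it does not pull the target into the transaction, so unless something else wants it the ordering has no effect and the add script may run before network bring-up has completed. The documented pairing is to add `Wants=network-online.target` next to the `After=` line. Since the add script relies on the routing tables and interfaces the rules refer to being present at boot, this is worth confirming on a real boot rather than only under an Ansible-triggered restart.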
@ -1,25 +0,0 @@
|
||||||
# Ansible role service-rclocal
|
|
||||||
|
|
||||||
Diese Ansible role schreibt die rc.local.
|
|
||||||
Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert.
|
|
||||||
|
|
||||||
All dieses sollte in Zukunft durch systemd units abgelöst werden.
|
|
||||||
|
|
||||||
## Benötigte Variablen
|
|
||||||
|
|
||||||
- Dictionary `meshes`
|
|
||||||
´´´
|
|
||||||
meshes:
|
|
||||||
- id: xx
|
|
||||||
...
|
|
||||||
site_name: # string
|
|
||||||
ipv4_network:
|
|
||||||
ipv6_ula:
|
|
||||||
- # string
|
|
||||||
ipv6_public:
|
|
||||||
- # string
|
|
||||||
iface_mtu: # integer
|
|
||||||
´´´
|
|
||||||
- Host Variable `magic`
|
|
||||||
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
|
||||||
- Host Dictionary `ffrl_exit_server`
|
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
- name: write rc.local
|
|
||||||
template:
|
|
||||||
src: rc.local.j2
|
|
||||||
dest: /etc/rc.local
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: enable systemd unit rc.local
|
|
||||||
systemd:
|
|
||||||
name: rc.local
|
|
||||||
enabled: yes
|
|