Move IP rules from role service-rclocal
to role network-routing
- add scripts to configure and delete IP rules via a systemd unit - delete role `service-rclocal` - update README.md - add new handler
parent
dd03118c99
commit
00307bc9be
11 changed files with 139 additions and 53 deletions
|
@ -28,5 +28,4 @@
|
|||
- service-bird-ffrl
|
||||
- service-bind-slave
|
||||
- network-routing
|
||||
- service-rclocal
|
||||
- system-sysctl-gateway
|
||||
|
|
|
@ -72,6 +72,11 @@
|
|||
name: ffmwu-static-routes
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd unit ffmwu-ip-rules
|
||||
systemd:
|
||||
name: ffmwu-ip-rules
|
||||
state: restarted
|
||||
|
||||
- name: iptables-restore
|
||||
shell: iptables-restore < /etc/iptables/rules.v4
|
||||
|
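Review bot: `restart systemd unit ffmwu-ip-rules` restarts a `RemainAfterExit` oneshot, so systemd runs `ExecStop` (the del script) and then `ExecStart` (the add script) — but both scripts were already re-templated by the task that notifies this handler, so the del script that runs is the new one. Any rule the previous add script installed that no longer appears in the new templates is therefore never removed and stays in the kernel until reboot. That is inherent to the approach rather than a defect in this hunk, but it deserves a comment on the handler, e.g. `# ExecStop runs the freshly templated del script; rules dropped from the templates since the last run are not cleaned up`. Whether `reload systemd` is defined before this handler, so the unit file is reloaded before the restart, is outside the hunk.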
||||
|
|
|
@ -5,6 +5,7 @@ Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
|
|||
- konfiguriert statische Routen (systemd Unit)
|
||||
- Mesh Routen für die Routing Tabelle `mwu`
|
||||
- Blackhole Routes für die Routing Tabellen `internet` + `main`
|
||||
- konfiguriert IP rules (systemd Unit)
|
||||
- konfiguriert sysctl Parameter
|
||||
|
||||
## Benötigte Variablen
|
||||
|
@ -16,7 +17,7 @@ meshes:
|
|||
...
|
||||
site_name:
|
||||
ipv4_network:
|
||||
ipv6_ula
|
||||
ipv6_ula:
|
||||
ipv6_public:
|
||||
´´´
|
||||
- List `sysctl_settings_gateway` (Rollen-Variable)
|
||||
|
@ -25,6 +26,8 @@ sysctl_settings_routing:
|
|||
- name: # sysctl-Parameter
|
||||
value: # zu setzender Wert
|
||||
...
|
||||
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
||||
- Host Dictionary `ffrl_exit_server
|
||||
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
|
|
|
@ -26,6 +26,33 @@
|
|||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: write systemd unit ffmwu-ip-rules.service
|
||||
template:
|
||||
src: ffmwu-ip-rules.service.j2
|
||||
dest: /etc/systemd/system/ffmwu-ip-rules.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload systemd
|
||||
|
||||
- name: write ip rule scripts
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/usr/local/bin/{{ item }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0750
|
||||
with_items:
|
||||
- ffmwu-add-ip-rules.sh
|
||||
- ffmwu-del-ip-rules.sh
|
||||
notify: restart systemd unit ffmwu-ip-rules
|
||||
|
||||
- name: enable systemd unit ffmwu-ip-rules.service
|
||||
systemd:
|
||||
name: ffmwu-ip-rules
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: set freifunk gateway sysctl settings
|
||||
sysctl:
|
||||
name: "{{ item.name }}"
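Review bot: `enable systemd unit ffmwu-ip-rules.service` starts the unit in the same play that writes the unit file, but the `reload systemd` that task notifies only runs when handlers flush, so on a first deployment the start relies on systemd picking up the new file by itself; adding `daemon_reload: yes` to that `systemd:` task removes the dependency on handler timing. The octal modes are unquoted (`mode: 0644`, `mode: 0750`); YAML 1.1 parses them as integers, which Ansible accepts, but ansible-lint flags this and a later edit dropping the leading zero would silently change the permission, so `mode: "0644"` / `mode: "0750"` is safer. The `write ip rule scripts` task also notifies the restart handler on the first run, where the enable task has just started the unit — harmless, but a second del/add cycle. The task list continues outside the hunk.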
|
||||
|
|
|
@ -1,21 +1,7 @@
|
|||
#!/bin/sh -e
|
||||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
# rc.local
|
||||
#
|
||||
# This script is executed at the end of each multiuser runlevel.
|
||||
# Make sure that the script will "exit 0" on success or any other
|
||||
# value on error.
|
||||
#
|
||||
# In order to enable or disable this script just change the execution
|
||||
# bits.
|
||||
#
|
||||
# By default this script does nothing.
|
||||
|
||||
#
|
||||
# IP rules
|
||||
#
|
||||
|
||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||
{% for mesh in meshes %}
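Review bot: The new shebang `#!/bin/sh` drops the `-e` the old rc.local had on its first line, so a failing `ip rule add` no longer aborts the script; because the unit is `Type=oneshot` with `RemainAfterExit=yes`, systemd reports it active even when only part of the rule set got installed, which matters most if the priority-61 `unreachable` guard rules (presumably mirrored from the del script) are among the ones that failed. If `-e` was dropped so that a re-run does not abort on already-present rules, say so in the header comment; otherwise restore it as `#!/bin/sh -e` (or `set -e`) so a partial installation surfaces as a failed unit. Only the first seven lines of the add script are in this hunk; the loops that install the rules are outside it.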
|
|
@ -1,4 +1,8 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
{% for mesh in meshes %}
|
||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||
|
|
82
roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
Normal file
82
roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2
Normal file
|
@ -0,0 +1,82 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup mwu priority 7
|
||||
ip -4 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup mwu priority 7
|
||||
ip -6 rule del to {{ ula }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup mwu priority 7
|
||||
ip -6 rule del to {{ public }} lookup mwu priority 7
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}BR lookup mwu priority 7
|
||||
{% endfor %}
|
||||
|
||||
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule del to {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup icvpn priority 23
|
||||
ip -4 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup icvpn priority 23
|
||||
ip -6 rule del to {{ ula }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup icvpn priority 23
|
||||
ip -6 rule del to {{ public }} lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}BR lookup icvpn priority 23
|
||||
{% endfor %}
|
||||
ip -4 rule del from all oif icVPN lookup icvpn priority 23
|
||||
ip -6 rule del from all oif icVPN lookup icvpn priority 23
|
||||
|
||||
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from {{ mesh.ipv4_network | ipdelr('network') }}/16 lookup internet priority 41
|
||||
{% for ula in mesh.ipv6_ula %}
|
||||
ip -6 rule del from {{ ula }} lookup internet priority 41
|
||||
ip -6 rule del to {{ ula }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} lookup internet priority 41
|
||||
ip -6 rule del to {{ public }} lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -6 rule del from all oif {{ mesh.id }}BR lookup internet priority 41
|
||||
{% endfor %}
|
||||
ip -4 rule del from {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
|
||||
ip -4 rule del to {{ ffrl_public_ipv4_nat | ipdelr('host') }} lookup internet priority 41
|
||||
|
||||
# Priority 61 - at this point this is the end of policy routing for freifunk related routes
|
||||
{% for mesh in meshes %}
|
||||
ip -4 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ mesh.id }}BR type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -4 rule del from all iif icVPN type unreachable priority 61
|
||||
ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
|
||||
{% for server_id, server_value in ffrl_exit_server.iteritems() %}
|
||||
ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
ip -6 rule del from all iif icVPN type unreachable priority 61
|
||||
ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
|
||||
{% for mesh in meshes %}
|
||||
{% for public in mesh.ipv6_public %}
|
||||
ip -6 rule del from {{ public }} type unreachable priority 61
|
||||
ip -6 rule del to {{ public }} type unreachable priority 61
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
# Priority 107 - lookup policies for the gateway host self originating traffic
|
||||
ip -4 rule del from all lookup mwu priority 107
|
||||
ip -4 rule del from all lookup icvpn priority 107
|
||||
ip -6 rule del from all lookup mwu priority 107
|
||||
ip -6 rule del from all lookup icvpn priority 107
|
||||
|
||||
exit 0
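Review bot: `ffrl_exit_server.iteritems()` in the priority-61 block is a Python 2 dict method; on a Python 3 controller Jinja2 resolves it to an undefined value and rendering fails, so `ffrl_exit_server.items()` (valid on both) is the portable form — the same loop is presumably in the add script, which is outside the visible hunks. The `/16` appended after `ipdelr('network')` hard-codes one prefix length for every mesh's `ipv4_network`; if that variable can carry its own prefix, derive the length from it rather than fixing it here. Deleting the lookup rules (7, 23, 41) before the priority-61 `unreachable` guards keeps the bridges fail-closed until the last step, which is the right order; a header comment stating that intent, e.g. `# order matters: remove lookup rules first, the unreachable guards (prio 61) last`, would keep future edits from reordering it. The unconditional `exit 0` is acceptable for a cleanup script run from ExecStop.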
|
|
@ -1,4 +1,8 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# {{ ansible_managed }}
|
||||
#
|
||||
|
||||
{% for mesh in meshes %}
|
||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||
|
|
12
roles/network-routing/templates/ffmwu-ip-rules.service.j2
Normal file
12
roles/network-routing/templates/ffmwu-ip-rules.service.j2
Normal file
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=Manage Freifunk MWU IP rules
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/local/bin/ffmwu-add-ip-rules.sh
|
||||
ExecStop=/usr/local/bin/ffmwu-del-ip-rules.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
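Review bot: `After=network-online.target` orders the unit but does not activate that target; without a matching `Wants=network-online.target` the ordering has no effect unless something else pulls the target in, so add `Wants=network-online.target` next to it. Since `ExecStop` removes every ffmwu rule including the priority-61 `unreachable` guards, a manual `systemctl stop` of this unit presumably lets traffic from the mesh bridges fall through to the main table; a short comment in the unit recording that (`# Stopping removes all ffmwu policy rules, including the unreachable guards`) would warn an operator before they do it by hand.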
|
|
@ -1,25 +0,0 @@
|
|||
# Ansible role service-rclocal
|
||||
|
||||
Diese Ansible role schreibt die rc.local.
|
||||
Über die rc.local werden im Moment noch sämtliche IP rules sowie statischen IP-Routen konfiguriert.
|
||||
|
||||
All dieses sollte in Zukunft durch systemd units abgelöst werden.
|
||||
|
||||
## Benötigte Variablen
|
||||
|
||||
- Dictionary `meshes`
|
||||
´´´
|
||||
meshes:
|
||||
- id: xx
|
||||
...
|
||||
site_name: # string
|
||||
ipv4_network:
|
||||
ipv6_ula:
|
||||
- # string
|
||||
ipv6_public:
|
||||
- # string
|
||||
iface_mtu: # integer
|
||||
´´´
|
||||
- Host Variable `magic`
|
||||
- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
|
||||
- Host Dictionary `ffrl_exit_server`
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: write rc.local
|
||||
template:
|
||||
src: rc.local.j2
|
||||
dest: /etc/rc.local
|
||||
mode: 0755
|
||||
|
||||
- name: enable systemd unit rc.local
|
||||
systemd:
|
||||
name: rc.local
|
||||
enabled: yes
|