From 4ce00a6ac373fe454b59e329e81ad90a8bf58a5e Mon Sep 17 00:00:00 2001 From: Tobias Hachmer Date: Wed, 11 Oct 2017 06:52:24 +0200 Subject: [PATCH] Add role network-routing - move static routes from role service-rclocal to scripts run by systemd unit - mv routing specific sysctl settings --- playbooks/gateways.yml | 1 + roles/network-routing/README.md | 30 +++++++++ roles/network-routing/handlers/main.yml | 9 +++ roles/network-routing/tasks/main.yml | 34 ++++++++++ .../templates/ffmwu-add-static-routes.sh.j2 | 62 +++++++++++++++++ .../templates/ffmwu-del-static-routes.sh.j2 | 62 +++++++++++++++++ .../templates/ffmwu-static-routes.service.j2 | 12 ++++ roles/network-routing/vars/main.yml | 14 ++++ roles/service-rclocal/templates/rc.local.j2 | 67 ------------------- roles/system-sysctl-gateway/vars/main.yml | 12 ---- 10 files changed, 224 insertions(+), 79 deletions(-) create mode 100644 roles/network-routing/README.md create mode 100644 roles/network-routing/handlers/main.yml create mode 100644 roles/network-routing/tasks/main.yml create mode 100644 roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 create mode 100644 roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 create mode 100644 roles/network-routing/templates/ffmwu-static-routes.service.j2 create mode 100644 roles/network-routing/vars/main.yml diff --git a/playbooks/gateways.yml b/playbooks/gateways.yml index 7f9a8f9..b2303d5 100755 --- a/playbooks/gateways.yml +++ b/playbooks/gateways.yml @@ -26,5 +26,6 @@ - service-bird-icvpn - service-bird-ffrl - service-bind-slave + - network-routing - service-rclocal - system-sysctl-gateway diff --git a/roles/network-routing/README.md b/roles/network-routing/README.md new file mode 100644 index 0000000..7bb45f6 --- /dev/null +++ b/roles/network-routing/README.md @@ -0,0 +1,30 @@ +# Ansible role network-routing + +Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing. + +- konfiguriert statische Routen (systemd Unit) + - Mesh Routen für die Routing Tabelle `mwu` + - Blackhole Routes für die Routing Tabellen `internet` + `main` +- konfiguriert sysctl Parameter + +## Benötigte Variablen + +- Dictionary `meshes` +´´´ +meshes: + - id: xx +... + site_name: + ipv4_network: + ipv6_ula + ipv6_public: +´´´ +- List `sysctl_settings_gateway` (Rollen-Variable) +``` +sysctl_settings_routing: + - name: # sysctl-Parameter + value: # zu setzender Wert +... + +´´´ +- Host Variable `magic` diff --git a/roles/network-routing/handlers/main.yml b/roles/network-routing/handlers/main.yml new file mode 100644 index 0000000..c18c7a6 --- /dev/null +++ b/roles/network-routing/handlers/main.yml @@ -0,0 +1,9 @@ +--- +- name: reload systemd + systemd: + daemon_reload: yes + +- name: restart systemd unit ffmwu-static-routes + systemd: + name: ffmwu-static-routes + state: restarted diff --git a/roles/network-routing/tasks/main.yml b/roles/network-routing/tasks/main.yml new file mode 100644 index 0000000..923d366 --- /dev/null +++ b/roles/network-routing/tasks/main.yml @@ -0,0 +1,34 @@ +--- +- name: write systemd unit ffmwu-static-routes.service + template: + src: ffmwu-static-routes.service.j2 + dest: /etc/systemd/system/ffmwu-static-routes.service + owner: root + group: root + mode: 0644 + notify: reload systemd + +- name: write static route scripts + template: + src: "{{ item }}.j2" + dest: "/usr/local/bin/{{ item }}" + owner: root + group: root + mode: 0750 + with_items: + - ffmwu-add-static-routes.sh + - ffmwu-del-static-routes.sh + notify: restart systemd unit ffmwu-static-routes + +- name: enable systemd unit ffmwu-static-routes.service + systemd: + name: ffmwu-static-routes + enabled: yes + state: started + +- name: set freifunk gateway sysctl settings + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + state: present + with_items: "{{ sysctl_settings_routing }}" diff --git a/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 new file mode 100644 index 0000000..3f2cc03 --- /dev/null +++ b/roles/network-routing/templates/ffmwu-add-static-routes.sh.j2 @@ -0,0 +1,62 @@ +#!/bin/sh +{% for mesh in meshes %} +# static {{ mesh.site_name }} routes for rt_table mwu +/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu +{% for ula in mesh.ipv6_ula %} +/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +{% endfor %} +{% for public in mesh.ipv6_public %} +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu +{% endfor %} +{% if not loop.last %} + +{% endif %} +{% endfor %} + +# static blackhole routes for rt_table internet +/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet +/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet +/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet +/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet +/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet +/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet +/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet +/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet +/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet +/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet +/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet +/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet +/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet +/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet +/sbin/ip -6 route add blackhole fec0::/10 table internet +/sbin/ip -6 route add blackhole fc00::/7 table internet +/sbin/ip -6 route add blackhole ff00::/8 table internet +/sbin/ip -6 route add blackhole ::/96 table internet +/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet + +# static blackhole routes for rt_table main +/sbin/ip -4 route add blackhole 0.0.0.0/8 table main +/sbin/ip -4 route add blackhole 10.0.0.0/8 table main +/sbin/ip -4 route add blackhole 100.64.0.0/10 table main +/sbin/ip -4 route add blackhole 127.0.0.0/8 table main +/sbin/ip -4 route add blackhole 169.254.0.0/16 table main +/sbin/ip -4 route add blackhole 172.16.0.0/12 table main +/sbin/ip -4 route add blackhole 192.0.0.0/24 table main +/sbin/ip -4 route add blackhole 192.0.2.0/24 table main +/sbin/ip -4 route add blackhole 192.88.99.0/24 table main +/sbin/ip -4 route add blackhole 192.168.0.0/16 table main +/sbin/ip -4 route add blackhole 198.18.0.0/15 table main +/sbin/ip -4 route add blackhole 198.51.100.0/24 table main +/sbin/ip -4 route add blackhole 203.0.113.0/24 table main +/sbin/ip -4 route add blackhole 224.0.0.0/4 table main +/sbin/ip -4 route add blackhole 240.0.0.0/4 table main +/sbin/ip -4 route add blackhole 255.255.255.255/32 table main +/sbin/ip -6 route add blackhole fec0::/10 table main +/sbin/ip -6 route add blackhole fc00::/7 table main +/sbin/ip -6 route add blackhole ff00::/8 table main +/sbin/ip -6 route add blackhole ::/96 table main +/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main +/sbin/ip -6 route add blackhole ::/0 table main diff --git a/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 new file mode 100644 index 0000000..ac57aa0 --- /dev/null +++ b/roles/network-routing/templates/ffmwu-del-static-routes.sh.j2 @@ -0,0 +1,62 @@ +#!/bin/sh +{% for mesh in meshes %} +# static {{ mesh.site_name }} routes for rt_table mwu +/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu +{% for ula in mesh.ipv6_ula %} +/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu +{% endfor %} +{% for public in mesh.ipv6_public %} +/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu +/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}BR table mwu +{% endfor %} +{% if not loop.last %} + +{% endif %} +{% endfor %} + +# static blackhole routes for rt_table internet +/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet +/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet +/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet +/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet +/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet +/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet +/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet +/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet +/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet +/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet +/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet +/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet +/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet +/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet +/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet +/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet +/sbin/ip -6 route del blackhole fec0::/10 table internet +/sbin/ip -6 route del blackhole fc00::/7 table internet +/sbin/ip -6 route del blackhole ff00::/8 table internet +/sbin/ip -6 route del blackhole ::/96 table internet +/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet + +# static blackhole routes for rt_table main +/sbin/ip -4 route del blackhole 0.0.0.0/8 table main +/sbin/ip -4 route del blackhole 10.0.0.0/8 table main +/sbin/ip -4 route del blackhole 100.64.0.0/10 table main +/sbin/ip -4 route del blackhole 127.0.0.0/8 table main +/sbin/ip -4 route del blackhole 169.254.0.0/16 table main +/sbin/ip -4 route del blackhole 172.16.0.0/12 table main +/sbin/ip -4 route del blackhole 192.0.0.0/24 table main +/sbin/ip -4 route del blackhole 192.0.2.0/24 table main +/sbin/ip -4 route del blackhole 192.88.99.0/24 table main +/sbin/ip -4 route del blackhole 192.168.0.0/16 table main +/sbin/ip -4 route del blackhole 198.18.0.0/15 table main +/sbin/ip -4 route del blackhole 198.51.100.0/24 table main +/sbin/ip -4 route del blackhole 203.0.113.0/24 table main +/sbin/ip -4 route del blackhole 224.0.0.0/4 table main +/sbin/ip -4 route del blackhole 240.0.0.0/4 table main +/sbin/ip -4 route del blackhole 255.255.255.255/32 table main +/sbin/ip -6 route del blackhole fec0::/10 table main +/sbin/ip -6 route del blackhole fc00::/7 table main +/sbin/ip -6 route del blackhole ff00::/8 table main +/sbin/ip -6 route del blackhole ::/96 table main +/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main +/sbin/ip -6 route del blackhole ::/0 table main diff --git a/roles/network-routing/templates/ffmwu-static-routes.service.j2 b/roles/network-routing/templates/ffmwu-static-routes.service.j2 new file mode 100644 index 0000000..ad342f0 --- /dev/null +++ b/roles/network-routing/templates/ffmwu-static-routes.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Description=Manage Freifunk MWU static routes +After=network-online.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh +ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh + +[Install] +WantedBy=multi-user.target diff --git a/roles/network-routing/vars/main.yml b/roles/network-routing/vars/main.yml new file mode 100644 index 0000000..97dd4ea --- /dev/null +++ b/roles/network-routing/vars/main.yml @@ -0,0 +1,14 @@ +--- +sysctl_settings_routing: + - name: net.ipv4.ip_forward + value: 1 + - name: net.ipv4.conf.default.rp_filter + value: 0 + - name: net.ipv4.conf.all.rp_filter + value: 0 + - name: net.ipv6.conf.all.forwarding + value: 1 + - name: net.ipv6.conf.all.accept_ra + value: 0 + - name: net.ipv6.conf.default.accept_ra + value: 0 diff --git a/roles/service-rclocal/templates/rc.local.j2 b/roles/service-rclocal/templates/rc.local.j2 index 9acc716..53ec415 100644 --- a/roles/service-rclocal/templates/rc.local.j2 +++ b/roles/service-rclocal/templates/rc.local.j2 @@ -93,71 +93,4 @@ ip -4 rule add from all lookup icvpn priority 107 ip -6 rule add from all lookup mwu priority 107 ip -6 rule add from all lookup icvpn priority 107 - -# -# IP routes -# - -{% for mesh in meshes %} -# static {{ mesh.site_name }} routes for rt_table mwu -/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu -{% for ula in mesh.ipv6_ula %} -/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -{% endfor %} -{% for public in mesh.ipv6_public %} -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu -{% endfor %} -{% if not loop.last %} - -{% endif %} -{% endfor %} - -# static blackhole routes for rt_table internet -/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet -/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet -/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet -/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet -/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet -/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet -/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet -/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet -/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet -/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet -/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet -/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet -/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet -/sbin/ip -6 route add blackhole fec0::/10 table internet -/sbin/ip -6 route add blackhole fc00::/7 table internet -/sbin/ip -6 route add blackhole ff00::/8 table internet -/sbin/ip -6 route add blackhole ::/96 table internet -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet - -# static blackhole routes for rt_table main -/sbin/ip -4 route add blackhole 0.0.0.0/8 table main -/sbin/ip -4 route add blackhole 10.0.0.0/8 table main -/sbin/ip -4 route add blackhole 100.64.0.0/10 table main -/sbin/ip -4 route add blackhole 127.0.0.0/8 table main -/sbin/ip -4 route add blackhole 169.254.0.0/16 table main -/sbin/ip -4 route add blackhole 172.16.0.0/12 table main -/sbin/ip -4 route add blackhole 192.0.0.0/24 table main -/sbin/ip -4 route add blackhole 192.0.2.0/24 table main -/sbin/ip -4 route add blackhole 192.88.99.0/24 table main -/sbin/ip -4 route add blackhole 192.168.0.0/16 table main -/sbin/ip -4 route add blackhole 198.18.0.0/15 table main -/sbin/ip -4 route add blackhole 198.51.100.0/24 table main -/sbin/ip -4 route add blackhole 203.0.113.0/24 table main -/sbin/ip -4 route add blackhole 224.0.0.0/4 table main -/sbin/ip -4 route add blackhole 240.0.0.0/4 table main -/sbin/ip -4 route add blackhole 255.255.255.255/32 table main -/sbin/ip -6 route add blackhole fec0::/10 table main -/sbin/ip -6 route add blackhole fc00::/7 table main -/sbin/ip -6 route add blackhole ff00::/8 table main -/sbin/ip -6 route add blackhole ::/96 table main -/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main -/sbin/ip -6 route add blackhole ::/0 table main - exit 0 diff --git a/roles/system-sysctl-gateway/vars/main.yml b/roles/system-sysctl-gateway/vars/main.yml index 648b476..77211d4 100644 --- a/roles/system-sysctl-gateway/vars/main.yml +++ b/roles/system-sysctl-gateway/vars/main.yml @@ -1,27 +1,15 @@ --- sysctl_settings_gateway: - - name: net.ipv4.ip_forward - value: 1 - - name: net.ipv4.conf.default.rp_filter - value: 0 - - name: net.ipv4.conf.all.rp_filter - value: 0 - name: net.ipv4.neigh.default.gc_thresh1 value: 1024 - name: net.ipv4.neigh.default.gc_thresh2 value: 2048 - name: net.ipv4.neigh.default.gc_thresh3 value: 4096 - - name: net.ipv6.conf.all.forwarding - value: 1 - name: net.ipv6.conf.all.autoconf value: 0 - name: net.ipv6.conf.default.autoconf value: 0 - - name: net.ipv6.conf.all.accept_ra - value: 0 - - name: net.ipv6.conf.default.accept_ra - value: 0 - name: net.ipv6.neigh.default.gc_thresh1 value: 1024 - name: net.ipv6.neigh.default.gc_thresh2