Add role network-routing
- move static routes from role service-rclocal to scripts run by a systemd unit
- move routing-specific sysctl settings
This commit is contained in:
parent
f18e53e4e7
commit
4ce00a6ac3
10 changed files with 224 additions and 79 deletions
@ -26,5 +26,6 @@
|
||||||
- service-bird-icvpn
|
- service-bird-icvpn
|
||||||
- service-bird-ffrl
|
- service-bird-ffrl
|
||||||
- service-bind-slave
|
- service-bind-slave
|
||||||
|
- network-routing
|
||||||
- service-rclocal
|
- service-rclocal
|
||||||
- system-sysctl-gateway
|
- system-sysctl-gateway
|
||||||
|
|
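--- /dev/null
+++ b/roles/network-routing/README.md
@@ -0,0 +1,30 @@
+# Ansible role network-routing
+
+Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
+
+- konfiguriert statische Routen (systemd Unit)
+- Mesh Routen für die Routing Tabelle `mwu`
+- Blackhole Routes für die Routing Tabellen `internet` + `main`
+- konfiguriert sysctl Parameter
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+  - id: xx
+    ...
+    site_name:
+    ipv4_network:
+    ipv6_ula
+    ipv6_public:
+´´´
+- List `sysctl_settings_gateway` (Rollen-Variable)
+```
+sysctl_settings_routing:
+  - name: # sysctl-Parameter
+    value: # zu setzender Wert
+    ...
+
+´´´
+- Host Variable `magic`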
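--- /dev/null
+++ b/roles/network-routing/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: restart systemd unit ffmwu-static-routes
+  systemd:
+    name: ffmwu-static-routes
+    state: restarted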
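Review bot: `daemon_reload: yes` relies on the YAML 1.1 truthy spelling; write `daemon_reload: true` (the same applies to `enabled: yes` in tasks/main.yml in this commit), which is the one spelling that YAML 1.1 and 1.2 loaders agree on and what yamllint's `truthy` rule checks for. Nothing else in this handler file needs changing.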
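--- /dev/null
+++ b/roles/network-routing/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: write systemd unit ffmwu-static-routes.service
+  template:
+    src: ffmwu-static-routes.service.j2
+    dest: /etc/systemd/system/ffmwu-static-routes.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload systemd
+
+- name: write static route scripts
+  template:
+    src: "{{ item }}.j2"
+    dest: "/usr/local/bin/{{ item }}"
+    owner: root
+    group: root
+    mode: 0750
+  with_items:
+    - ffmwu-add-static-routes.sh
+    - ffmwu-del-static-routes.sh
+  notify: restart systemd unit ffmwu-static-routes
+
+- name: enable systemd unit ffmwu-static-routes.service
+  systemd:
+    name: ffmwu-static-routes
+    enabled: yes
+    state: started
+
+- name: set freifunk gateway sysctl settings
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+  with_items: "{{ sysctl_settings_routing }}"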
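Review bot: The unit-file task at the top of the hunk only notifies `reload systemd`, so an edited `ffmwu-static-routes.service` (for example a changed ExecStart path) is re-read by systemd but the running unit is never restarted and the previously installed routes stay in place until the next boot; notify both handlers, `notify:` / `  - reload systemd` / `  - restart systemd unit ffmwu-static-routes`. The `mode: 0644` and `mode: 0750` values are unquoted octal literals that YAML 1.1 loaders turn into the integers 420 and 488 — Ansible happens to accept that, but `mode: "0644"` / `mode: "0750"` is the documented, parser-independent form. The README added in this commit documents the sysctl list as `sysctl_settings_gateway` while the last task iterates `sysctl_settings_routing`; the README and the task name `set freifunk gateway sysctl settings` should say routing so the two stay greppable together.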
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/sh
|
||||||
|
{% for mesh in meshes %}
|
||||||
|
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||||
|
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% for ula in mesh.ipv6_ula %}
|
||||||
|
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% endfor %}
|
||||||
|
{% for public in mesh.ipv6_public %}
|
||||||
|
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% endfor %}
|
||||||
|
{% if not loop.last %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
# static blackhole routes for rt_table internet
|
||||||
|
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
|
||||||
|
/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
|
||||||
|
/sbin/ip -6 route add blackhole fec0::/10 table internet
|
||||||
|
/sbin/ip -6 route add blackhole fc00::/7 table internet
|
||||||
|
/sbin/ip -6 route add blackhole ff00::/8 table internet
|
||||||
|
/sbin/ip -6 route add blackhole ::/96 table internet
|
||||||
|
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
|
||||||
|
|
||||||
|
# static blackhole routes for rt_table main
|
||||||
|
/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
|
||||||
|
/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
|
||||||
|
/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
|
||||||
|
/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
|
||||||
|
/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
|
||||||
|
/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
|
||||||
|
/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
|
||||||
|
/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
|
||||||
|
/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
|
||||||
|
/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
|
||||||
|
/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
|
||||||
|
/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
|
||||||
|
/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
|
||||||
|
/sbin/ip -6 route add blackhole fec0::/10 table main
|
||||||
|
/sbin/ip -6 route add blackhole fc00::/7 table main
|
||||||
|
/sbin/ip -6 route add blackhole ff00::/8 table main
|
||||||
|
/sbin/ip -6 route add blackhole ::/96 table main
|
||||||
|
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
|
||||||
|
/sbin/ip -6 route add blackhole ::/0 table main
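Review bot: The add script has no `set -e`, so the oneshot unit's result is the exit status of the last command only (the `::/0` blackhole for table main); any earlier failure — a mesh route whose `{{ mesh.id }}BR` device does not exist yet, or one of the bogon blackholes for table `internet` — leaves the unit `active (exited)` with an incomplete route set and nothing in the journal marking it failed. The blackhole entries presumably exist to keep private/bogon destinations from following the default route of those tables, so a partial install is worth surfacing rather than hiding: add `set -e` after the shebang, and use `route replace` instead of `route add` so a re-run after a half-completed ExecStop does not abort on `RTNETLINK answers: File exists`. This hunk is a whole new template file whose file header is not shown on this page; the same two points apply to the del script in the next hunk.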
|
|
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/sh
|
||||||
|
{% for mesh in meshes %}
|
||||||
|
# static {{ mesh.site_name }} routes for rt_table mwu
|
||||||
|
/sbin/ip -4 route del {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% for ula in mesh.ipv6_ula %}
|
||||||
|
/sbin/ip -6 route del {{ ula | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% endfor %}
|
||||||
|
{% for public in mesh.ipv6_public %}
|
||||||
|
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, 0) }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(64, magic) }} proto static dev {{ mesh.id }}BR table mwu
|
||||||
|
{% endfor %}
|
||||||
|
{% if not loop.last %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
# static blackhole routes for rt_table internet
|
||||||
|
/sbin/ip -4 route del blackhole 0.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 10.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 100.64.0.0/10 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 127.0.0.0/8 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 169.254.0.0/16 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 172.16.0.0/12 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 192.0.0.0/24 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 192.0.2.0/24 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 192.88.99.0/24 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 192.168.0.0/16 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 198.18.0.0/15 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 198.51.100.0/24 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 203.0.113.0/24 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 224.0.0.0/4 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 240.0.0.0/4 table internet
|
||||||
|
/sbin/ip -4 route del blackhole 255.255.255.255/32 table internet
|
||||||
|
/sbin/ip -6 route del blackhole fec0::/10 table internet
|
||||||
|
/sbin/ip -6 route del blackhole fc00::/7 table internet
|
||||||
|
/sbin/ip -6 route del blackhole ff00::/8 table internet
|
||||||
|
/sbin/ip -6 route del blackhole ::/96 table internet
|
||||||
|
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table internet
|
||||||
|
|
||||||
|
# static blackhole routes for rt_table main
|
||||||
|
/sbin/ip -4 route del blackhole 0.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route del blackhole 10.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route del blackhole 100.64.0.0/10 table main
|
||||||
|
/sbin/ip -4 route del blackhole 127.0.0.0/8 table main
|
||||||
|
/sbin/ip -4 route del blackhole 169.254.0.0/16 table main
|
||||||
|
/sbin/ip -4 route del blackhole 172.16.0.0/12 table main
|
||||||
|
/sbin/ip -4 route del blackhole 192.0.0.0/24 table main
|
||||||
|
/sbin/ip -4 route del blackhole 192.0.2.0/24 table main
|
||||||
|
/sbin/ip -4 route del blackhole 192.88.99.0/24 table main
|
||||||
|
/sbin/ip -4 route del blackhole 192.168.0.0/16 table main
|
||||||
|
/sbin/ip -4 route del blackhole 198.18.0.0/15 table main
|
||||||
|
/sbin/ip -4 route del blackhole 198.51.100.0/24 table main
|
||||||
|
/sbin/ip -4 route del blackhole 203.0.113.0/24 table main
|
||||||
|
/sbin/ip -4 route del blackhole 224.0.0.0/4 table main
|
||||||
|
/sbin/ip -4 route del blackhole 240.0.0.0/4 table main
|
||||||
|
/sbin/ip -4 route del blackhole 255.255.255.255/32 table main
|
||||||
|
/sbin/ip -6 route del blackhole fec0::/10 table main
|
||||||
|
/sbin/ip -6 route del blackhole fc00::/7 table main
|
||||||
|
/sbin/ip -6 route del blackhole ff00::/8 table main
|
||||||
|
/sbin/ip -6 route del blackhole ::/96 table main
|
||||||
|
/sbin/ip -6 route del blackhole 0:0:0:0:0:ffff::/96 table main
|
||||||
|
/sbin/ip -6 route del blackhole ::/0 table main
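Review bot: The per-mesh public route removed in the `{% for public in mesh.ipv6_public %}` loop does not match the one the add script installs: the add script uses `ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet')`, while this script uses `ipsubnet(64, magic)`, which selects a different /64 unless `magic` is 0, so ExecStop returns an error for that line and the route stays in the `mwu` table after the unit is stopped or restarted. The line should mirror the add script exactly: `/sbin/ip -6 route del {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu`. The two ULA/public lines above it also drop the trailing `| ipaddr('subnet')` filter the add script has; harmless if `ipsubnet` already yields CIDR notation, but since the two scripts are otherwise line-for-line copies, generating both from one template with an `add`/`del` variable would remove this class of drift. This hunk is a whole new template file whose file header is not shown on this page.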
|
|
@ -0,0 +1,12 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Manage Freifunk MWU static routes
|
||||||
|
After=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/local/bin/ffmwu-add-static-routes.sh
|
||||||
|
ExecStop=/usr/local/bin/ffmwu-del-static-routes.sh
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
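Review bot: `After=network-online.target` on its own only orders the unit relative to the target if something else pulls that target in; without `Wants=network-online.target` in the [Unit] section, on a host where no other unit wants it the mesh routes may be installed before the `{{ mesh.id }}BR` devices exist, and the add script's ordering assumption is silently unmet. Add `Wants=network-online.target` directly above the `After=` line. This hunk is a whole new template file whose file header is not shown on this page.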
|
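--- /dev/null
+++ b/roles/network-routing/vars/main.yml
@@ -0,0 +1,14 @@
+---
+sysctl_settings_routing:
+  - name: net.ipv4.ip_forward
+    value: 1
+  - name: net.ipv4.conf.default.rp_filter
+    value: 0
+  - name: net.ipv4.conf.all.rp_filter
+    value: 0
+  - name: net.ipv6.conf.all.forwarding
+    value: 1
+  - name: net.ipv6.conf.all.accept_ra
+    value: 0
+  - name: net.ipv6.conf.default.accept_ra
+    value: 0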
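Review bot: `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter` set to `0` switch reverse-path source validation off on every interface; if the reason is asymmetric paths across the `mwu`/`internet` policy tables, loose mode (`value: 2`) usually suffices and still drops packets whose source address is not reachable via any interface. At minimum record the reason next to the two entries, e.g. `# 0 = no reverse-path check; policy routing across mwu/internet is asymmetric — confirm loose mode (2) is not sufficient`. Note also that these settings live in `vars/main.yml`, which takes precedence over inventory and playbook variables, so a single host cannot override one entry; `defaults/main.yml` would make the list tunable per host.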
@ -93,71 +93,4 @@ ip -4 rule add from all lookup icvpn priority 107
|
||||||
ip -6 rule add from all lookup mwu priority 107
|
ip -6 rule add from all lookup mwu priority 107
|
||||||
ip -6 rule add from all lookup icvpn priority 107
|
ip -6 rule add from all lookup icvpn priority 107
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# IP routes
|
|
||||||
#
|
|
||||||
|
|
||||||
{% for mesh in meshes %}
|
|
||||||
# static {{ mesh.site_name }} routes for rt_table mwu
|
|
||||||
/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
|
|
||||||
{% for ula in mesh.ipv6_ula %}
|
|
||||||
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
|
||||||
{% endfor %}
|
|
||||||
{% for public in mesh.ipv6_public %}
|
|
||||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
|
||||||
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
|
|
||||||
{% endfor %}
|
|
||||||
{% if not loop.last %}
|
|
||||||
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
# static blackhole routes for rt_table internet
|
|
||||||
/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
|
|
||||||
/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
|
|
||||||
/sbin/ip -6 route add blackhole fec0::/10 table internet
|
|
||||||
/sbin/ip -6 route add blackhole fc00::/7 table internet
|
|
||||||
/sbin/ip -6 route add blackhole ff00::/8 table internet
|
|
||||||
/sbin/ip -6 route add blackhole ::/96 table internet
|
|
||||||
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
|
|
||||||
|
|
||||||
# static blackhole routes for rt_table main
|
|
||||||
/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
|
|
||||||
/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
|
|
||||||
/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
|
|
||||||
/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
|
|
||||||
/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
|
|
||||||
/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
|
|
||||||
/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
|
|
||||||
/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
|
|
||||||
/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
|
|
||||||
/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
|
|
||||||
/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
|
|
||||||
/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
|
|
||||||
/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
|
|
||||||
/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
|
|
||||||
/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
|
|
||||||
/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
|
|
||||||
/sbin/ip -6 route add blackhole fec0::/10 table main
|
|
||||||
/sbin/ip -6 route add blackhole fc00::/7 table main
|
|
||||||
/sbin/ip -6 route add blackhole ff00::/8 table main
|
|
||||||
/sbin/ip -6 route add blackhole ::/96 table main
|
|
||||||
/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
|
|
||||||
/sbin/ip -6 route add blackhole ::/0 table main
|
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
@ -1,27 +1,15 @@
|
||||||
---
|
---
|
||||||
sysctl_settings_gateway:
|
sysctl_settings_gateway:
|
||||||
- name: net.ipv4.ip_forward
|
|
||||||
value: 1
|
|
||||||
- name: net.ipv4.conf.default.rp_filter
|
|
||||||
value: 0
|
|
||||||
- name: net.ipv4.conf.all.rp_filter
|
|
||||||
value: 0
|
|
||||||
- name: net.ipv4.neigh.default.gc_thresh1
|
- name: net.ipv4.neigh.default.gc_thresh1
|
||||||
value: 1024
|
value: 1024
|
||||||
- name: net.ipv4.neigh.default.gc_thresh2
|
- name: net.ipv4.neigh.default.gc_thresh2
|
||||||
value: 2048
|
value: 2048
|
||||||
- name: net.ipv4.neigh.default.gc_thresh3
|
- name: net.ipv4.neigh.default.gc_thresh3
|
||||||
value: 4096
|
value: 4096
|
||||||
- name: net.ipv6.conf.all.forwarding
|
|
||||||
value: 1
|
|
||||||
- name: net.ipv6.conf.all.autoconf
|
- name: net.ipv6.conf.all.autoconf
|
||||||
value: 0
|
value: 0
|
||||||
- name: net.ipv6.conf.default.autoconf
|
- name: net.ipv6.conf.default.autoconf
|
||||||
value: 0
|
value: 0
|
||||||
- name: net.ipv6.conf.all.accept_ra
|
|
||||||
value: 0
|
|
||||||
- name: net.ipv6.conf.default.accept_ra
|
|
||||||
value: 0
|
|
||||||
- name: net.ipv6.neigh.default.gc_thresh1
|
- name: net.ipv6.neigh.default.gc_thresh1
|
||||||
value: 1024
|
value: 1024
|
||||||
- name: net.ipv6.neigh.default.gc_thresh2
|
- name: net.ipv6.neigh.default.gc_thresh2
|
||||||