Migrate nested dictionary meshes into a list of dictionaries

- migrate dictionary `ipv6` into two simple lists
- migrate dictionary `forward_zones` into a list
Tobias Hachmer 2017-10-06 22:58:00 +02:00
parent 2bbd39009c
commit 63ca114c95
44 changed files with 263 additions and 272 deletions


@ -20,19 +20,18 @@ Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das f
## Variablen für jedes Mesh ## Variablen für jedes Mesh
Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc. Viele Rollen brauchen spezifische Informationen, wie IP-Adresse, Masken, Interface-Namen, etc.
Wir verwalten diese Mesh-Informationen in einem Dictionary unter `inventory/group_vars/all`: Wir verwalten diese Mesh-Informationen in einer Liste von Dictionaries unter `inventory/group_vars/all`:
``` ```
meshes: meshes:
mz: - id: mz
site_number: 37 site_number: 37
site_code: ffmz site_code: ffmz
site_name: Mainz site_name: Mainz
ipv4_network: 10.37.0.0/18 ipv4_network: 10.37.0.0/18
ipv6: ipv6_ula:
ula:
- fd37:b4dc:4b1e::/48 - fd37:b4dc:4b1e::/48
public: ipv6_public:
- 2a03:2260:11a::/48 - 2a03:2260:11a::/48
dnssl: dnssl:
- ffmz.org - ffmz.org
@ -53,22 +52,21 @@ meshes:
dns: dns:
master: fd37:b4dc:4b1e::a25:103 master: fd37:b4dc:4b1e::a25:103
forward_zones: forward_zones:
ffmz.org: - name: ffmz.org
user.ffmz.org: - name: user.ffmz.org
bb.ffmz.org: - name: bb.ffmz.org
nodes.ffmz.org: - name: nodes.ffmz.org
ffbin: - name: ffbin
master: fd37:b4dc:4b1e::a25:10c master: fd37:b4dc:4b1e::a25:10c
wi: - id: wi
site_number: 56 site_number: 56
site_code: ffwi site_code: ffwi
site_name: Wiesbaden site_name: Wiesbaden
ipv4_network: 10.56.0.0/18 ipv4_network: 10.56.0.0/18
ipv6: ipv6_ula:
ula:
- fd56:b4dc:4b1e::/48 - fd56:b4dc:4b1e::/48
public: ipv6_public:
- 2a03:2260:11b::/48 - 2a03:2260:11b::/48
dnssl: dnssl:
- ffwi.org - ffwi.org
@ -88,10 +86,10 @@ meshes:
dns: dns:
master: fd56:b4dc:4b1e::a38:103 master: fd56:b4dc:4b1e::a38:103
forward_zones: forward_zones:
ffwi.org: - name: ffwi.org
user.ffwi.org: - name: user.ffwi.org
bb.ffwi.org: - name: bb.ffwi.org
nodes.ffwi.org: - name: nodes.ffwi.org
``` ```
## Sensible Informationen ## Sensible Informationen


@ -17,15 +17,14 @@ bgp_ipv4_transfer_net: 10.37.0.0/18
bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64 bgp_ipv6_transfer_net: fd37:b4dc:4b1e::/64
meshes: meshes:
mz: - id: mz
site_number: 37 site_number: 37
site_code: ffmz site_code: ffmz
site_name: Mainz site_name: Mainz
ipv4_network: 10.37.0.0/18 ipv4_network: 10.37.0.0/18
ipv6: ipv6_ula:
ula:
- fd37:b4dc:4b1e::/48 - fd37:b4dc:4b1e::/48
public: ipv6_public:
- 2a03:2260:11a::/48 - 2a03:2260:11a::/48
dnssl: dnssl:
- ffmz.org - ffmz.org
@ -46,22 +45,21 @@ meshes:
dns: dns:
master: fd37:b4dc:4b1e::a25:103 master: fd37:b4dc:4b1e::a25:103
forward_zones: forward_zones:
ffmz.org: - name: ffmz.org
user.ffmz.org: - name: user.ffmz.org
bb.ffmz.org: - name: bb.ffmz.org
nodes.ffmz.org: - name: nodes.ffmz.org
ffbin: - name: ffbin
master: fd37:b4dc:4b1e::a25:10c master: fd37:b4dc:4b1e::a25:10c
wi: - id: wi
site_number: 56 site_number: 56
site_code: ffwi site_code: ffwi
site_name: Wiesbaden site_name: Wiesbaden
ipv4_network: 10.56.0.0/18 ipv4_network: 10.56.0.0/18
ipv6: ipv6_ula:
ula:
- fd56:b4dc:4b1e::/48 - fd56:b4dc:4b1e::/48
public: ipv6_public:
- 2a03:2260:11b::/48 - 2a03:2260:11b::/48
dnssl: dnssl:
- ffwi.org - ffwi.org
@ -82,10 +80,10 @@ meshes:
dns: dns:
master: fd56:b4dc:4b1e::a38:103 master: fd56:b4dc:4b1e::a38:103
forward_zones: forward_zones:
ffwi.org: - name: ffwi.org
user.ffwi.org: - name: user.ffwi.org
bb.ffwi.org: - name: bb.ffwi.org
nodes.ffwi.org: - name: nodes.ffwi.org
icvpn: icvpn:
prefix: mwu prefix: mwu
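Review bot: The new `id` field of each mesh entry now feeds interface names (`{{ item.id }}igVPN`, `{{ item.id }}BR`) and file paths under `/etc/network/interfaces.d/` and `/etc/fastd/`, but nothing in the inventory states what values are valid. A comment above the list would pin the contract, e.g. `# id: short lowercase token, unique per mesh; it becomes part of interface names (<id>igVPN must stay within the 15-character Linux limit) and of generated config paths`. The dictionary form previously guaranteed unique keys for free; with a list, a duplicated `id` would silently render two colliding interface and unit definitions, so the uniqueness requirement deserves to be spelled out.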


@ -12,7 +12,7 @@ Diese Ansible role konfiguriert batman-adv Netzwerk Interfaces.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
ipv4_network: ipv4_network:
... ...


@ -2,13 +2,13 @@
- name: create dummy interfaces - name: create dummy interfaces
template: template:
src: dummy.j2 src: dummy.j2
dest: "/etc/network/interfaces.d/{{ item.key }}0" dest: "/etc/network/interfaces.d/{{ item.id }}0"
notify: reload network interfaces notify: reload network interfaces
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create batman interfaces - name: create batman interfaces
template: template:
src: batman.j2 src: batman.j2
dest: "/etc/network/interfaces.d/{{ item.key }}BAT" dest: "/etc/network/interfaces.d/{{ item.id }}BAT"
notify: reload network interfaces notify: reload network interfaces
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"


@ -1,14 +1,14 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0201' + ip4hex -%} {% set mac = '0201' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
auto {{ item.key }}BAT auto {{ item.id }}BAT
iface {{ item.key }}BAT iface {{ item.id }}BAT
hwaddress {{ mac | hwaddr('linux') }} hwaddress {{ mac | hwaddr('linux') }}
batman-ifaces {{ item.key }}0 {{ item.key }}VPN {{ item.key }}igVPN batman-ifaces {{ item.id }}0 {{ item.id }}VPN {{ item.id }}igVPN
batman-hop-penalty {{ item.value.batman.hop_penalty }} batman-hop-penalty {{ item.batman.hop_penalty }}
post-up /usr/sbin/batctl -m $IFACE it {{ item.value.batman.it }} post-up /usr/sbin/batctl -m $IFACE it {{ item.batman.it }}
post-up /usr/sbin/batctl -m $IFACE gw {{ item.value.batman.gw }} post-up /usr/sbin/batctl -m $IFACE gw {{ item.batman.gw }}
post-up /usr/sbin/batctl -m $IFACE mm {{ item.value.batman.mm }} post-up /usr/sbin/batctl -m $IFACE mm {{ item.batman.mm }}
post-up /usr/sbin/batctl -m $IFACE dat {{ item.value.batman.dat }} post-up /usr/sbin/batctl -m $IFACE dat {{ item.batman.dat }}


@ -1,9 +1,9 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0200' + ip4hex -%} {% set mac = '0200' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
auto {{ item.key }}0 auto {{ item.id }}0
iface {{ item.key }}0 iface {{ item.id }}0
link-type dummy link-type dummy
hwaddress {{ mac | hwaddr('linux') }} hwaddress {{ mac | hwaddr('linux') }}


@ -10,7 +10,7 @@ Diese Ansible role konfiguriert Netzwerk Interfaces für fastd.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
ipv4_network: ipv4_network:
... ...


@ -2,13 +2,13 @@
- name: create fastd mesh interfaces - name: create fastd mesh interfaces
template: template:
src: fastd-mesh.j2 src: fastd-mesh.j2
dest: "/etc/network/interfaces.d/{{ item.key }}VPN" dest: "/etc/network/interfaces.d/{{ item.id }}VPN"
notify: reload network interfaces notify: reload network interfaces
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd intragate interfaces - name: create fastd intragate interfaces
template: template:
src: fastd-intragate.j2 src: fastd-intragate.j2
dest: "/etc/network/interfaces.d/{{ item.key }}igVPN" dest: "/etc/network/interfaces.d/{{ item.id }}igVPN"
notify: reload network interfaces notify: reload network interfaces
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"


@ -1,8 +1,8 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0212' + ip4hex -%} {% set mac = '0212' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
auto {{ item.key }}igVPN auto {{ item.id }}igVPN
iface {{ item.key }}igVPN iface {{ item.id }}igVPN
hwaddress {{ mac | hwaddr('linux') }} hwaddress {{ mac | hwaddr('linux') }}


@ -1,8 +1,8 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0211' + ip4hex -%} {% set mac = '0211' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
auto {{ item.key }}VPN auto {{ item.id }}VPN
iface {{ item.key }}VPN iface {{ item.id }}VPN
hwaddress {{ mac | hwaddr('linux') }} hwaddress {{ mac | hwaddr('linux') }}


@ -18,7 +18,7 @@ sysctl_settings_netfilter:
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
ipv4_network: ipv4_network:
... ...


@ -8,8 +8,8 @@
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT -A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT
{% endfor %} {% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@ -31,8 +31,8 @@ COMMIT
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
:ffrl-nat - [0:0] :ffrl-nat - [0:0]
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
-A POSTROUTING -s {{ mesh_value.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat -A POSTROUTING -s {{ mesh.ipv4_network | ipaddr('private') | ipaddr('net') }} -o ffrl+ -j ffrl-nat
{% endfor %} {% endfor %}
-A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }} -A ffrl-nat -o ffrl+ -j SNAT --to-source {{ ffrl_public_ipv4_nat | ipaddr('address') }}
COMMIT COMMIT


@ -7,8 +7,8 @@
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
-A FORWARD -i {{ mesh_id }}BR -o {{ mesh_id }}BR -j ACCEPT -A FORWARD -i {{ mesh.id }}BR -o {{ mesh.id }}BR -j ACCEPT
{% endfor %} {% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


@ -11,14 +11,13 @@ Diese Ansible role konfiguriert die Linux Bridges für die Freifunk Meshes.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: -id: xx
... ...
ipv4_network: ipv4_network:
... ...
ipv6: ipv6_ula:
ula:
- fdxx.../48 # ipv6 ula prefix - fdxx.../48 # ipv6 ula prefix
public: ipv6_public:
- 2xxx.../48 # ipv6 public prefix - 2xxx.../48 # ipv6 public prefix
´´´ ´´´


@ -2,13 +2,13 @@
- name: create mesh bridges - name: create mesh bridges
template: template:
src: bridge.j2 src: bridge.j2
dest: "/etc/network/interfaces.d/{{ item.key }}BR" dest: "/etc/network/interfaces.d/{{ item.id }}BR"
notify: reload network interfaces notify: reload network interfaces
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: set sysfs variables - name: set sysfs variables
template: template:
src: sysfs.j2 src: sysfs.j2
dest: "/etc/sysfs.d/99-{{ item.key }}BR.conf" dest: "/etc/sysfs.d/99-{{ item.id }}BR.conf"
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
notify: activate sysfs variables notify: activate sysfs variables


@ -1,15 +1,16 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0210' + ip4hex -%} {% set mac = '0210' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
auto {{ item.key }}BR auto {{ item.id }}BR
iface {{ item.key }}BR iface {{ item.id }}BR
hwaddress {{ mac | hwaddr('linux') }} hwaddress {{ mac | hwaddr('linux') }}
address {{ item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }} address {{ item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('ip/prefix') }}
{% for ip_type, ip_list in item.value.ipv6.iteritems() %} {% for prefix in item.ipv6_ula %}
{% for ip in ip_list %} address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
address {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %} {% endfor %}
{% for prefix in item.ipv6_public %}
address {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('ip/prefix') }}
{% endfor %} {% endfor %}
bridge-ports {{ item.key }}BAT bridge-ports {{ item.id }}BAT
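Review bot: The two new loops over `item.ipv6_ula` and `item.ipv6_public` emit an identical `address` line, so the body is duplicated; a single loop over the concatenated lists reads better and keeps both prefix types in step: `{% for prefix in item.ipv6_ula + item.ipv6_public %}`. Note that a mesh entry lacking one of the two keys now aborts the template with an undefined variable, whereas the old `item.value.ipv6.iteritems()` iterated over whatever sub-keys existed; both meshes in the inventory hunk carry both keys, so this may be moot, but `item.ipv6_public | default([])` would keep the earlier tolerance if some mesh has no public prefix.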


@ -1,4 +1,4 @@
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
class/net/{{ item.key }}BR/bridge/hash_max = 16384 class/net/{{ item.id }}BR/bridge/hash_max = 16384


@ -15,18 +15,17 @@ Die Gateways agieren lediglich als Slave-DNS Server.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
site_code: # string site_code: # string
ipv4_network: ipv4_network:
ipv6: ipv6_ula:
ula:
- # ULA-Prefix - # ULA-Prefix
- ... - ...
dns: dns:
master: # IP-Adresse des DNS Masters master: # IP-Adresse des DNS Masters
forward_zones: forward_zones:
$zone: # DNS-Domain - name: $zone # DNS-Domain
master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht. master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht.
´´´ ´´´


@ -44,12 +44,12 @@
- name: write named.conf for meshes - name: write named.conf for meshes
template: template:
src: named.conf.mesh.j2 src: named.conf.mesh.j2
dest: /etc/bind/named.conf.{{ item.value.site_code }} dest: /etc/bind/named.conf.{{ item.site_code }}
owner: root owner: root
group: bind group: bind
mode: 0644 mode: 0644
notify: restart bind9 notify: restart bind9
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: write initial icvpn bind config - name: write initial icvpn bind config
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn


@ -5,7 +5,7 @@
include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.logging"; include "/etc/bind/named.conf.logging";
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
include "/etc/bind/named.conf.{{ mesh_value.site_code }}"; include "/etc/bind/named.conf.{{ mesh.site_code }}";
{% endfor %} {% endfor %}
include "/etc/bind/named.conf.icvpn"; include "/etc/bind/named.conf.icvpn";


@ -3,35 +3,35 @@
// //
// ACLs // ACLs
masters "ns-master-{{ item.value.site_code }}" { masters "ns-master-{{ item.site_code }}" {
{{ item.value.dns.master }}; {{ item.dns.master }};
}; };
{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} {% for zone in item.dns.forward_zones %}
{% if zone_value.master is defined %} {% if zone.master is defined %}
masters "ns-master-{{ zone_id }}" { masters "ns-master-{{ zone.name }}" {
{{ zone_value.master }}; {{ zone.master }};
}; };
{% endif %} {% endif %}
{% endfor %} {% endfor %}
acl "intern-{{ item.value.site_code }}" { acl "intern-{{ item.site_code }}" {
{{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }}; {{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
{% for prefix in item.value.ipv6.ula %} {% for prefix in item.ipv6_ula %}
{{ prefix | ipaddr('net') | ipaddr('network/prefix') }}; {{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
{% endfor %} {% endfor %}
}; };
// DNS forward zones for {{ item.value.site_code }} // DNS forward zones for {{ item.site_code }}
{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %} {% for zone in item.dns.forward_zones %}
zone "{{ zone_id }}." { zone "{{ zone.name }}." {
type slave; type slave;
file "{{ zone_id }}.db"; file "{{ zone.name }}.db";
{% if zone_value.master is defined %} {% if zone.master is defined %}
masters { ns-master-{{ zone_id }}; }; masters { ns-master-{{ zone.name }}; };
{% else %} {% else %}
masters { ns-master-{{ item.value.site_code }}; }; masters { ns-master-{{ item.site_code }}; };
{% endif %} {% endif %}
}; };
{% if not loop.last %} {% if not loop.last %}
@ -39,18 +39,18 @@ zone "{{ zone_id }}." {
{% endif %} {% endif %}
{% endfor %} {% endfor %}
// DNS reverse zones for {{ item.value.site_code }} // DNS reverse zones for {{ item.site_code }}
zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" { zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
type slave; type slave;
file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}"; file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.value.site_code }}; }; masters { ns-master-{{ item.site_code }}; };
}; };
{% for prefix in item.value.ipv6.ula %} {% for prefix in item.ipv6_ula %}
zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" { zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
type slave; type slave;
file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}"; file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.value.site_code }}; }; masters { ns-master-{{ item.site_code }}; };
}; };
{% if not loop.last %} {% if not loop.last %}
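Review bot: Turning `forward_zones` from a mapping into a list drops the key uniqueness the dictionary gave for free, and the new `{% for zone in item.dns.forward_zones %}` loops in the first hunk use `zone.name` in `masters "ns-master-…"`, `zone "…"` and `file "…"` statements; a duplicated `name` now renders two identically named zone blocks and named rejects the whole configuration at load. Nothing validates the inventory before templating, so an `assert` task ahead of the template task, e.g. `that: "item.dns.forward_zones | map(attribute='name') | unique | list | length == item.dns.forward_zones | length"`, would fail early with a readable message instead of a broken resolver. The second hunk of this section is cut off at the bottom of the view.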


@ -11,25 +11,25 @@ options {
allow-recursion { allow-recursion {
127.0.0.1; 127.0.0.1;
::1; ::1;
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
intern-{{ mesh_value.site_code }}; intern-{{ mesh.site_code }};
{% endfor %} {% endfor %}
}; };
allow-transfer { any; }; allow-transfer { any; };
listen-on { listen-on {
127.0.0.1; 127.0.0.1;
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
{{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }}; {{ mesh.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
{% endfor %} {% endfor %}
{{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }}; {{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
}; };
listen-on-v6 { listen-on-v6 {
::1; ::1;
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
{% for ip in mesh_value.ipv6.ula %} {% for ip in mesh.ipv6_ula %}
{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }}; {{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }};
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
{{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }}; {{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
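Review bot: The `listen-on-v6` loop gains a trailing `| ipaddr('address')` on the `ipv6_ula` line, which changes the rendered output and is not part of the dictionary-to-list migration the commit message describes. It looks like a genuine fix — the `listen-on` block above already ends the same filter chain with `ipaddr('address')`, and `listen-on-v6` takes addresses rather than address/prefix pairs — but it should be mentioned in the message or split into its own commit so the behaviour change is not hidden in a rename. If it was unintentional, the line should stay `{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }};`.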


@ -11,10 +11,9 @@ Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den I
- Dictionary `meshes` - Dictionary `meshes`
``` ```
meshes: meshes:
xx: - id: xx
... ...
ipv6: ipv6_public:
public:
- # Public IPv6-Netzwerk - # Public IPv6-Netzwerk
``` ```
- Host Dictionary `ffrl_exit_server` - Host Dictionary `ffrl_exit_server`


@ -11,8 +11,8 @@ table ffrl;
# Functions # Functions
function is_ffrl_public_nets() { function is_ffrl_public_nets() {
return net ~ [ return net ~ [
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
{% for prefix in mesh_value.ipv6.public %} {% for prefix in mesh.ipv6_public %}
{{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
]; ];
@ -40,8 +40,8 @@ filter ebgp_ffrl_export_filter {
# Protocols # Protocols
protocol static ffrl_public_routes { protocol static ffrl_public_routes {
table ffrl; table ffrl;
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
{% for prefix in mesh_value.ipv6.public %} {% for prefix in mesh.ipv6_public %}
route {{ prefix }} reject; route {{ prefix }} reject;
route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject; route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network/prefix') }} reject;
{% endfor %} {% endfor %}


@ -26,11 +26,10 @@ Im iBGP peeren wir mangels separatem Transfernetz (im Moment) im Mainzer Mesh Ne
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
ipv4_network: ipv4_network:
ipv6: ipv6_ula:
ula:
- # IPv6-ULA Network - # IPv6-ULA Network
´´´ ´´´
- Host Variable `magic` - Host Variable `magic`


@ -38,8 +38,8 @@ function is_chaosvpn() {
function is_mwu_self_nets() { function is_mwu_self_nets() {
return net ~ [ return net ~ [
{% for item, value in meshes.iteritems() %} {% for mesh in meshes %}
{{ value.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }} {{ mesh.ipv4_network | ipaddr('net') }}+{{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
]; ];
} }
@ -50,8 +50,8 @@ protocol device {
}; };
protocol direct mwu_subnets { protocol direct mwu_subnets {
{% for item, value in meshes.iteritems() %} {% for mesh in meshes %}
interface "{{ item }}BR"; interface "{{ mesh.id }}BR";
{% endfor %} {% endfor %}
import where is_mwu_self_nets(); import where is_mwu_self_nets();
}; };


@ -26,8 +26,8 @@ function is_ula() {
function is_mwu_self_nets() { function is_mwu_self_nets() {
return net ~ [ return net ~ [
{% for item, value in meshes.iteritems() %} {% for mesh in meshes %}
{% for ula in value.ipv6.ula %} {% for ula in mesh.ipv6_ula %}
{{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }} {{ ula | ipaddr('net') }}+{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
]; ];
@ -39,8 +39,8 @@ protocol device {
}; };
protocol direct mwu_subnets { protocol direct mwu_subnets {
{% for item, value in meshes.iteritems() %} {% for mesh in meshes %}
interface "{{ item }}BR"; interface "{{ mesh.id }}BR";
{% endfor %} {% endfor %}
import where is_mwu_self_nets(); import where is_mwu_self_nets();
}; };


@ -12,7 +12,7 @@ Wir nutzen diesen nur zur Verteilung von IPv4-Adressen.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
site_name: # string site_name: # string
site_code: # string site_code: # string


@ -12,7 +12,7 @@
- name: concatenate meshbridge interfaces - name: concatenate meshbridge interfaces
set_fact: set_fact:
dhcp_interfaces: "{% for mesh_id, mesh_value in meshes.iteritems() %}{{ mesh_id }}BR{% if not loop.last %} {% endif %}{% endfor %}" dhcp_interfaces: "{% for mesh in meshes %}{{ mesh.id }}BR{% if not loop.last %} {% endif %}{% endfor %}"
- name: set ipv4 interfaces isc dhcp should listen on - name: set ipv4 interfaces isc dhcp should listen on
lineinfile: lineinfile:


@ -12,7 +12,7 @@ default-lease-time 300;
min-lease-time 300; min-lease-time 300;
max-lease-time 300; max-lease-time 300;
{% for mesh in meshes.values() %} {% for mesh in meshes %}
# DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }}) # DHCP subnet for site {{ mesh.site_name }} ({{ mesh.site_code }})
subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} { subnet {{ mesh.ipv4_network | ipaddr('network') }} netmask {{ mesh.ipv4_network | ipaddr('netmask') }} {
range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }}; range {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('network') }} {{ mesh.ipv4_network | ipsubnet(22, ipv4_dhcp_range) | ipaddr('net') | ipaddr('broadcast') }};


@ -15,7 +15,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Intra-Server Kommunik
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
site_number: # integer site_number: # integer
peers_mesh_repo: # String - https Link zum Github Repository peers_mesh_repo: # String - https Link zum Github Repository


@ -1,6 +1,6 @@
--- ---
- name: restart fastd intragate instances - name: restart fastd intragate instances
systemd: systemd:
name: "fastd@{{ item.key }}igVPN" name: "fastd@{{ item.id }}igVPN"
state: restarted state: restarted
with_dict: "{{ meshes }}" with_dict: "{{ meshes }}"
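Review bot: The handler still loops with `with_dict: "{{ meshes }}"` on its last line while `meshes` is now a list and the `name` line already reads `item.id`; the dict lookup only accepts a mapping, so every play that notifies `restart fastd intragate instances` will now fail when the handler runs. The loop has to become `with_items: "{{ meshes }}"` as in the migrated tasks files of this commit. The same left-over is in the fastd mesh handler (`restart fastd mesh instances`), whose last line also still says `with_dict`.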


@ -1,45 +1,45 @@
--- ---
- name: configure systemd unit fastd@ - name: configure systemd unit fastd@
systemd: systemd:
name: "fastd@{{ item.key }}igVPN" name: "fastd@{{ item.id }}igVPN"
enabled: yes enabled: yes
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd intragate directories - name: create fastd intragate directories
file: file:
path: "/etc/fastd/{{ item.key }}igVPN" path: "/etc/fastd/{{ item.id }}igVPN"
state: directory state: directory
mode: 0755 mode: 0755
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd peer intragate directories - name: create fastd peer intragate directories
file: file:
path: "/etc/fastd/{{ item.key }}igVPN/peers" path: "/etc/fastd/{{ item.id }}igVPN/peers"
state: directory state: directory
mode: 0755 mode: 0755
owner: admin owner: admin
group: admin group: admin
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: clone fastd peer intragate repos - name: clone fastd peer intragate repos
git: git:
repo: "{{ item.value.peers_intragate_repo }}" repo: "{{ item.peers_intragate_repo }}"
dest: "/etc/fastd/{{ item.key }}igVPN/peers" dest: "/etc/fastd/{{ item.id }}igVPN/peers"
version: master version: master
update: no update: no
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
become: false become: false
- name: template fastd mesh config - name: template fastd mesh config
template: template:
src: fastd-intragate.conf.j2 src: fastd-intragate.conf.j2
dest: "/etc/fastd/{{ item.key }}igVPN/fastd.conf" dest: "/etc/fastd/{{ item.id }}igVPN/fastd.conf"
notify: restart fastd intragate instances notify: restart fastd intragate instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: write fastd intragate secret - name: write fastd intragate secret
template: template:
src: fastd-secret.conf.j2 src: fastd-secret.conf.j2
dest: "/etc/fastd/{{ item.key }}igVPN/secret.conf" dest: "/etc/fastd/{{ item.id }}igVPN/secret.conf"
notify: restart fastd intragate instances notify: restart fastd intragate instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"


@ -1,4 +1,4 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0212' + ip4hex -%} {% set mac = '0212' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
@ -9,10 +9,10 @@ hide mac addresses yes;
method "aes128-ctr+umac"; method "aes128-ctr+umac";
interface "{{ item.key }}igVPN"; interface "{{ item.id }}igVPN";
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.value.site_number }}; bind {{ ansible_default_ipv4.address | ipaddr('public') }}:101{{ item.site_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.value.site_number }}; bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:101{{ item.site_number }};
include "secret.conf"; include "secret.conf";
mtu 1406; mtu 1406;
@ -27,11 +27,11 @@ on up "
ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
ip link set $INTERFACE up ip link set $INTERFACE up
batctl -m {{ item.key }}BAT if add $INTERFACE batctl -m {{ item.id }}BAT if add $INTERFACE
"; ";
on down " on down "
batctl -m {{ item.key }}BAT if del $INTERFACE batctl -m {{ item.id }}BAT if del $INTERFACE
"; ";
status socket "/var/run/fastd-{{ item.key }}igVPN.status"; status socket "/var/run/fastd-{{ item.id }}igVPN.status";


@ -1,4 +1,4 @@
{% set local_interface = item.key + 'igVPN' -%} {% set local_interface = item.id + 'igVPN' -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #


@ -16,7 +16,7 @@ Diese Ansible role konfiguriert die fastd-Instanz für die Knoten Kommunikation.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
site_number: # integer site_number: # integer
peers_mesh_repo: # String - https Link zum Github Repository peers_mesh_repo: # String - https Link zum Github Repository


@ -1,6 +1,6 @@
--- ---
- name: restart fastd mesh instances - name: restart fastd mesh instances
systemd: systemd:
name: "fastd@{{ item.key }}VPN" name: "fastd@{{ item.id }}VPN"
state: restarted state: restarted
with_dict: "{{ meshes }}" with_dict: "{{ meshes }}"


@ -1,25 +1,25 @@
--- ---
- name: configure systemd unit fastd@ - name: configure systemd unit fastd@
systemd: systemd:
name: "fastd@{{ item.key }}VPN" name: "fastd@{{ item.id }}VPN"
enabled: yes enabled: yes
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd directories - name: create fastd directories
file: file:
path: "/etc/fastd/{{ item.key }}VPN" path: "/etc/fastd/{{ item.id }}VPN"
state: directory state: directory
mode: 0755 mode: 0755
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd peer mesh directories - name: create fastd peer mesh directories
file: file:
path: "/etc/fastd/{{ item.key }}VPN/peers" path: "/etc/fastd/{{ item.id }}VPN/peers"
state: directory state: directory
mode: 0755 mode: 0755
owner: admin owner: admin
group: admin group: admin
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: create fastd peer mesh directories for ffbin - name: create fastd peer mesh directories for ffbin
file: file:
@ -31,11 +31,11 @@
- name: clone fastd peer mesh repos - name: clone fastd peer mesh repos
git: git:
repo: "{{ item.value.peers_mesh_repo }}" repo: "{{ item.peers_mesh_repo }}"
dest: "/etc/fastd/{{ item.key }}VPN/peers" dest: "/etc/fastd/{{ item.id }}VPN/peers"
version: master version: master
update: no update: no
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
become: false become: false
- name: clone fastd peer mesh repo for ffbin - name: clone fastd peer mesh repo for ffbin
@ -49,36 +49,36 @@
- name: template fastd mesh config - name: template fastd mesh config
template: template:
src: fastd-mesh.conf.j2 src: fastd-mesh.conf.j2
dest: "/etc/fastd/{{ item.key }}VPN/fastd.conf" dest: "/etc/fastd/{{ item.id }}VPN/fastd.conf"
notify: restart fastd mesh instances notify: restart fastd mesh instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: write fastd mesh secret - name: write fastd mesh secret
template: template:
src: fastd-secret.conf.j2 src: fastd-secret.conf.j2
dest: "/etc/fastd/{{ item.key }}VPN/secret.conf" dest: "/etc/fastd/{{ item.id }}VPN/secret.conf"
notify: restart fastd mesh instances notify: restart fastd mesh instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: copy peer_limit.conf if not exist - name: copy peer_limit.conf if not exist
copy: copy:
src: peer_limit.conf src: peer_limit.conf
dest: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" dest: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf"
owner: admin owner: admin
group: admin group: admin
mode: 0640 mode: 0640
force: no force: no
notify: restart fastd mesh instances notify: restart fastd mesh instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: set file attributes for peer_limit.conf - name: set file attributes for peer_limit.conf
file: file:
path: "/etc/fastd/{{ item.key }}VPN/peer_limit.conf" path: "/etc/fastd/{{ item.id }}VPN/peer_limit.conf"
mode: 0640 mode: 0640
owner: admin owner: admin
group: admin group: admin
notify: restart fastd mesh instances notify: restart fastd mesh instances
with_dict: "{{ meshes }}" with_items: "{{ meshes }}"
- name: write systemd unit fastd-sync-meshkeys.service - name: write systemd unit fastd-sync-meshkeys.service
template: template:
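Review bot: The `write fastd mesh secret` task (the template step whose `dest` is `/etc/fastd/{{ item.id }}VPN/secret.conf`) sets no `mode`, `owner` or `group`, so Ansible creates the file with its default umask-derived permissions — typically 0644 — inside a directory this same play creates as `0755`, which appears to leave the fastd private key readable by every local user. The sibling `peer_limit.conf` tasks already pin `mode: 0640`; the secret deserves at least as tight a setting, e.g. add `mode: "0600"` (plus an explicit `owner`/`group` matching the account fastd runs as, which is not visible here) to that template task, and consider the same `file` follow-up task the play uses for `peer_limit.conf` so an existing file is tightened too. As a point of style, the systemd task at the top of the hunk uses `enabled: yes`; Ansible's convention is `enabled: true`.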


@ -1,4 +1,4 @@
{% set ip4hex = item.value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%} {% set ip4hex = item.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') | ip4_hex() -%}
{% set mac = '0211' + ip4hex -%} {% set mac = '0211' + ip4hex -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
@ -9,10 +9,10 @@ hide mac addresses yes;
method "salsa2012+umac"; method "salsa2012+umac";
interface "{{ item.key }}VPN"; interface "{{ item.id }}VPN";
bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.value.site_number }}; bind {{ ansible_default_ipv4.address | ipaddr('public') }}:100{{ item.site_number }};
bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.value.site_number }}; bind {{ ansible_default_ipv6.address | ipaddr('public') | ipwrap }}:100{{ item.site_number }};
include "secret.conf"; include "secret.conf";
mtu 1406; mtu 1406;
@ -20,7 +20,7 @@ mtu 1406;
peer group "vpn_nodes" { peer group "vpn_nodes" {
include "peer_limit.conf"; include "peer_limit.conf";
include peers from "peers"; include peers from "peers";
{% if item.key == "mz" %} {% if item.id == "mz" %}
include peers from "peers_bingen"; include peers from "peers_bingen";
{% endif %} {% endif %}
} }
@ -34,11 +34,11 @@ on up "
ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE ip link set address {{ mac | hwaddr('linux') }} dev $INTERFACE
ip link set $INTERFACE up ip link set $INTERFACE up
batctl -m {{ item.key }}BAT if add $INTERFACE batctl -m {{ item.id }}BAT if add $INTERFACE
"; ";
on down " on down "
batctl -m {{ item.key }}BAT if del $INTERFACE batctl -m {{ item.id }}BAT if del $INTERFACE
"; ";
status socket "/var/run/fastd-{{ item.key }}VPN.status"; status socket "/var/run/fastd-{{ item.id }}VPN.status";
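Review bot: The peer-group block still hard-codes one mesh id, `{% if item.id == "mz" %}`, right after this commit moved every other per-mesh fact into the `meshes` list, so adding or renaming a mesh requires editing this template rather than the inventory. Consider driving the extra include from data instead, e.g. `{% for extra in item.extra_peer_dirs | default([]) %}` / `include peers from "{{ extra }}";` / `{% endfor %}`, with `extra_peer_dirs: [peers_bingen]` on the `mz` entry in `group_vars`. Separately, the two `bind` lines build the listen port by string concatenation, `100{{ item.site_number }}`, which only yields the intended 10037/10056-style ports while `site_number` has exactly two digits; a comment such as `{# port is "100" + two-digit site_number, e.g. 37 -> 10037 #}` would make that assumption explicit for whoever adds the next mesh.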


@ -1,4 +1,4 @@
{% set local_interface = item.key + 'VPN' -%} {% set local_interface = item.id + 'VPN' -%}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #


@ -11,12 +11,11 @@ Diese Ansible role installiert und konfiguriert den radvd daemon.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
ipv6: ipv6_ula:
ula:
- # ULA-Prefix - String - # ULA-Prefix - String
public: ipv6_public:
- # Public-Prefix - String - # Public-Prefix - String
iface_mtu: # Integer iface_mtu: # Integer
´´´ ´´´


@ -2,37 +2,37 @@
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
interface {{ mesh_id }}BR interface {{ mesh.id }}BR
{ {
AdvSendAdvert on; AdvSendAdvert on;
IgnoreIfMissing on; IgnoreIfMissing on;
MaxRtrAdvInterval {{ mesh_value.radvd.maxrtradvinterval }}; MaxRtrAdvInterval {{ mesh.radvd.maxrtradvinterval }};
AdvLinkMTU {{ mesh_value.iface_mtu }}; AdvLinkMTU {{ mesh.iface_mtu }};
{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} RDNSS {% for prefix in mesh.ipv6_ula %}{{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}
{% for prefix in ip_list %} {% endfor %}
{% if ip_type == "ula" %}
RDNSS {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) | ipaddr('address') }}
{ {
FlushRDNSS off; FlushRDNSS off;
}; };
{% endif %}
{% endfor %}
{% endfor %}
{% for ip_type, ip_list in mesh_value.ipv6.iteritems() %} {% for prefix in mesh.ipv6_ula %}
{% for prefix in ip_list %}
{% if ip_type == "public" %}
prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }}
{% else %}
prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} prefix {{ prefix | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }}
{% endif %}
{ {
AdvValidLifetime {{ mesh_value.radvd.advvalidlifetime }}; AdvValidLifetime {{ mesh.radvd.advvalidlifetime }};
AdvPreferredLifetime {{ mesh_value.radvd.advpreferredlifetime }}; AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }};
}; };
{% if not loop.last %}
{% endif %}
{% endfor %} {% endfor %}
{% for prefix in mesh.ipv6_public %}
prefix {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }}
{
AdvValidLifetime {{ mesh.radvd.advvalidlifetime }};
AdvPreferredLifetime {{ mesh.radvd.advpreferredlifetime }};
};
{% if not loop.last %} {% if not loop.last %}
{% endif %} {% endif %}
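Review bot: The new RDNSS stanza emits the `RDNSS` keyword once and then loops over `mesh.ipv6_ula` for the addresses, so a mesh whose `ipv6_ula` list is empty renders `RDNSS` followed directly by `{ FlushRDNSS off; };`, which radvd's config parser should reject (the per-prefix form this commit replaced simply emitted nothing in that case). Guard the stanza with `{% if mesh.ipv6_ula %}` before `RDNSS` and `{% endif %}` after the closing `};`, or keep one `RDNSS` block per prefix as the `ip rule` template in this commit still does. The `{% if not loop.last %}` / `{% endif %}` pair at the end of the public-prefix loop appears to have an empty body and could be dropped. The enclosing `{% for mesh in meshes %}` loop opens in this hunk but closes outside it.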


@ -10,14 +10,13 @@ All dieses sollte in Zukunft durch systemd units abgelöst werden.
- Dictionary `meshes` - Dictionary `meshes`
´´´ ´´´
meshes: meshes:
xx: - id: xx
... ...
site_name: # string site_name: # string
ipv4_network: ipv4_network:
ipv6: ipv6_ula:
ula:
- # string - # string
public: ipv6_public:
- # string - # string
iface_mtu: # integer iface_mtu: # integer
´´´ ´´´


@ -18,59 +18,59 @@
# #
# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces # Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7 ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup mwu priority 7
ip -4 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 ip -4 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
{% for ula in mesh_value.ipv6.ula %} {% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup mwu priority 7 ip -6 rule add from {{ ula }} lookup mwu priority 7
ip -6 rule add to {{ ula }} lookup mwu priority 7 ip -6 rule add to {{ ula }} lookup mwu priority 7
{% endfor %} {% endfor %}
{% for public in mesh_value.ipv6.public %} {% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup mwu priority 7 ip -6 rule add from {{ public }} lookup mwu priority 7
ip -6 rule add to {{ public }} lookup mwu priority 7 ip -6 rule add to {{ public }} lookup mwu priority 7
{% endfor %} {% endfor %}
ip -6 rule add from all oif {{ mesh_id }}BR lookup mwu priority 7 ip -6 rule add from all oif {{ mesh.id }}BR lookup mwu priority 7
{% endfor %} {% endfor %}
# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges # Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add to {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23 ip -4 rule add to {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup icvpn priority 23
ip -4 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 ip -4 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
{% for ula in mesh_value.ipv6.ula %} {% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup icvpn priority 23 ip -6 rule add from {{ ula }} lookup icvpn priority 23
ip -6 rule add to {{ ula }} lookup icvpn priority 23 ip -6 rule add to {{ ula }} lookup icvpn priority 23
{% endfor %} {% endfor %}
{% for public in mesh_value.ipv6.public %} {% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup icvpn priority 23 ip -6 rule add from {{ public }} lookup icvpn priority 23
ip -6 rule add to {{ public }} lookup icvpn priority 23 ip -6 rule add to {{ public }} lookup icvpn priority 23
{% endfor %} {% endfor %}
ip -6 rule add from all oif {{ mesh_id }}BR lookup icvpn priority 23 ip -6 rule add from all oif {{ mesh.id }}BR lookup icvpn priority 23
{% endfor %} {% endfor %}
ip -4 rule add from all oif icVPN lookup icvpn priority 23 ip -4 rule add from all oif icVPN lookup icvpn priority 23
ip -6 rule add from all oif icVPN lookup icvpn priority 23 ip -6 rule add from all oif icVPN lookup icvpn priority 23
# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges # Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
ip -4 rule add from {{ mesh_value.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41 ip -4 rule add from {{ mesh.ipv4_network | ipaddr('network') }}/16 lookup internet priority 41
{% for ula in mesh_value.ipv6.ula %} {% for ula in mesh.ipv6_ula %}
ip -6 rule add from {{ ula }} lookup internet priority 41 ip -6 rule add from {{ ula }} lookup internet priority 41
ip -6 rule add to {{ ula }} lookup internet priority 41 ip -6 rule add to {{ ula }} lookup internet priority 41
{% endfor %} {% endfor %}
{% for public in mesh_value.ipv6.public %} {% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} lookup internet priority 41 ip -6 rule add from {{ public }} lookup internet priority 41
ip -6 rule add to {{ public }} lookup internet priority 41 ip -6 rule add to {{ public }} lookup internet priority 41
{% endfor %} {% endfor %}
ip -6 rule add from all oif {{ mesh_id }}BR lookup internet priority 41 ip -6 rule add from all oif {{ mesh.id }}BR lookup internet priority 41
{% endfor %} {% endfor %}
ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41 ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
# Priority 61 - at this point this is the end of policy routing for freifunk related routes # Priority 61 - at this point this is the end of policy routing for freifunk related routes
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
ip -4 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 ip -4 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
ip -6 rule add from all iif {{ mesh_id }}BR type unreachable priority 61 ip -6 rule add from all iif {{ mesh.id }}BR type unreachable priority 61
{% endfor %} {% endfor %}
ip -4 rule add from all iif icVPN type unreachable priority 61 ip -4 rule add from all iif icVPN type unreachable priority 61
ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61 ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
@ -80,8 +80,8 @@ ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
{% endfor %} {% endfor %}
ip -6 rule add from all iif icVPN type unreachable priority 61 ip -6 rule add from all iif icVPN type unreachable priority 61
ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61 ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
{% for public in mesh_value.ipv6.public %} {% for public in mesh.ipv6_public %}
ip -6 rule add from {{ public }} type unreachable priority 61 ip -6 rule add from {{ public }} type unreachable priority 61
ip -6 rule add to {{ public }} type unreachable priority 61 ip -6 rule add to {{ public }} type unreachable priority 61
{% endfor %} {% endfor %}
@ -98,15 +98,15 @@ ip -6 rule add from all lookup icvpn priority 107
# IP routes # IP routes
# #
{% for mesh_id, mesh_value in meshes.iteritems() %} {% for mesh in meshes %}
# static {{ mesh_value.site_name }} routes for rt_table mwu # static {{ mesh.site_name }} routes for rt_table mwu
/sbin/ip -4 route add {{ mesh_value.ipv4_network }} proto static dev {{ mesh_id }}BR table mwu /sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}BR table mwu
{% for ula in mesh_value.ipv6.ula %} {% for ula in mesh.ipv6_ula %}
/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu /sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
{% endfor %} {% endfor %}
{% for public in mesh_value.ipv6.public %} {% for public in mesh.ipv6_public %}
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu /sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh_id }}BR table mwu /sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(56, magic) | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}BR table mwu
{% endfor %} {% endfor %}
{% if not loop.last %} {% if not loop.last %}