Add role service-bird-ffrl

2017-09-11 23:49:11 +02:00 · 2017-09-11 23:49:11 +02:00 · 6792950fca
commit 6792950fca
parent dd6d5b6ec5
8 changed files with 291 additions and 0 deletions
--- a/roles/service-bird-ffrl/README.md
+++ b/roles/service-bird-ffrl/README.md
@ -0,0 +1,71 @@
+# Ansible role service-bird-ffrl
+
+Diese Ansible role ergänzt die benötigte bird + bird6 Konfiguration für den Internet-Uplink über Freifunk Rheinland.
+
+- schreibt ffrl_ipv4.conf + ffrl_ipv6.conf
+- schreibt ffrl_ipv4_peers.conf + ffrl_ipv6_peers.conf
+
+## Benötigte Variablen
+
+- Variable `as_public_ffrl` # Public ASN Freifunk Rheinland
+- Dictionary `meshes`
+```
+meshes:
+  xx:
+...
+    ipv6:
+      public:
+        - # Public IPv6-Netzwerk
+```
+- Host Dictionary `ffrl_exit_server`
+´´´
+ffrl_exit_server:
+  ffrl-a-ak-ber:
+    public_ipv4_address: 185.66.195.0
+    tunnel_ipv4_network: # Tunnel-Netzwerk in CIDR
+    tunnel_ipv4_address: # Eigene Tunnel IPv4 Adresse
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network: # IPv6 Transfernetz
+    tunnel_ipv6_netmask: 64
+  ffrl-b-ak-ber:
+    public_ipv4_address: 185.66.195.1
+    tunnel_ipv4_network:
+    tunnel_ipv4_address:
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network:
+    tunnel_ipv6_netmask: 64
+  ffrl-a-ix-dus:
+    public_ipv4_address: 185.66.193.0
+    tunnel_ipv4_network:
+    tunnel_ipv4_address:
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network:
+    tunnel_ipv6_netmask: 64
+  ffrl-b-ix-dus:
+    public_ipv4_address: 185.66.193.1
+    tunnel_ipv4_network:
+    tunnel_ipv4_address:
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network:
+    tunnel_ipv6_netmask: 64
+  ffrl-a-fra2-fra:
+    public_ipv4_address: 185.66.194.0
+    tunnel_ipv4_network:
+    tunnel_ipv4_address:
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network:
+    tunnel_ipv6_netmask: 64
+  ffrl-b-fra2-fra:
+    public_ipv4_address: 185.66.194.1
+    tunnel_ipv4_network:
+    tunnel_ipv4_address:
+    tunnel_ipv4_netmask: 255.255.255.254
+    tunnel_ipv6_network:
+    tunnel_ipv6_netmask: 64
+´´´
+- Host Variable `ffrl_public_ipv4_nat` # IPv4 NAT Adresse für das Gateway
+- Host Variable `magic`
+
+## Benötigte roles
+
+- service-bird
--- a/roles/service-bird-ffrl/handlers/main.yml
+++ b/roles/service-bird-ffrl/handlers/main.yml
@ -0,0 +1,12 @@
+---
+- name: reload bird4
+  systemd:
+    name: bird
+    state: reloaded
+  become: true
+
+- name: reload bird6
+  systemd:
+    name: bird6
+    state: reloaded
+  become: true
--- a/roles/service-bird-ffrl/meta/main.yml
+++ b/roles/service-bird-ffrl/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: service-bird }
--- a/roles/service-bird-ffrl/tasks/main.yml
+++ b/roles/service-bird-ffrl/tasks/main.yml
@ -0,0 +1,26 @@
+---
+- name: write ffrl bird configuration
+  template:
+    src: ffrl_ipv{{ item }}.conf.j2
+    dest: /etc/bird/ffrl_ipv{{ item }}.conf
+    mode: 0640
+    owner: bird
+    group: bird
+  notify: reload bird{{ item }}
+  with_items:
+    - 4
+    - 6
+  become: true
+
+- name: write ffrl peer configuration
+  template:
+    src: ffrl_ipv{{ item }}_peers.conf.j2
+    dest: /etc/bird/ffrl_ipv{{ item }}_peers.conf
+    mode: 0640
+    owner: bird
+    group: bird
+  notify: reload bird{{ item }}
+  with_items:
+    - 4
+    - 6
+  become: true
--- a/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2
+++ b/roles/service-bird-ffrl/templates/ffrl_ipv4.conf.j2
@ -0,0 +1,73 @@
+#
+# {{ ansible_managed }}
+#
+
+# Variables
+define ffrl_as = {{ as_public_ffrl }};
+define ffrl_nat_address = {{ ffrl_public_ipv4_nat }};
+
+# Routing Table
+table ffrl;
+
+# Functions
+function is_ffrl_nat() {
+    return net ~ [
+        {{ ffrl_public_ipv4_nat }}
+    ];
+}
+
+function is_ffrl_tunnel_nets() {
+    return net ~ [
+{% for peer_id, peer_value in ffrl_exit_server.iteritems() %}
+        {{ peer_value.tunnel_ipv4_network }}{{ "," if not loop.last else "" }}
+{% endfor %}
+    ];
+}
+
+# Filters
+filter ebgp_ffrl_import_filter {
+    if is_default() then accept;
+    reject;
+}
+
+filter ebgp_ffrl_export_filter {
+    if is_ffrl_nat() then accept;
+    reject;
+}
+
+# Protocols
+protocol static ffrl_uplink_hostroute {
+    table ffrl;
+    route {{ ffrl_public_ipv4_nat }}/32 reject;
+}
+
+protocol direct ffrl_tunnels {
+    table ffrl;
+    interface "ffrl-*";
+    import where is_ffrl_tunnel_nets();
+}
+
+protocol kernel kernel_ffrl {
+    scan time 30;
+    import none;
+    export filter {
+        krt_prefsrc = ffrl_nat_address;
+        accept;
+    };
+    table ffrl;
+    kernel table ipt_internet;
+};
+
+# Templates
+template bgp ffrl_uplink {
+    table ffrl;
+    local as mwu_as;
+    import keep filtered;
+    import filter ebgp_ffrl_import_filter;
+    export filter ebgp_ffrl_export_filter;
+    next hop self;
+    direct;
+};
+
+# Include FFRL IPv4 peers
+include "ffrl_ipv4_peers.con?";
--- a/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2
+++ b/roles/service-bird-ffrl/templates/ffrl_ipv4_peers.conf.j2
@ -0,0 +1,13 @@
+#
+# {{ ansible_managed }}
+#
+
+{% for peer_id, peer_value in ffrl_exit_server.iteritems() %}
+protocol bgp {{ peer_id }} from ffrl_uplink {
+    source address {{ peer_value.tunnel_ipv4_address | ipaddr('address') }};
+    neighbor {{ peer_value.tunnel_ipv4_network | ipaddr('address') }} as ffrl_as;
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
--- a/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2
+++ b/roles/service-bird-ffrl/templates/ffrl_ipv6.conf.j2
@ -0,0 +1,80 @@
+#
+# {{ ansible_managed }}
+#
+
+# Variables
+define ffrl_as = {{ as_public_ffrl }};
+
+# Routing Table
+table ffrl;
+
+# Functions
+function is_ffrl_public_nets() {
+    return net ~ [
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+{% for prefix in mesh_value.ipv6.public %}
+        {{ prefix }}{48,56}{{ "," if not loop.last else "" }}{% endfor %}{{ "," if not loop.last else "" }}
+{% endfor %}
+    ];
+}
+
+function is_ffrl_tunnel_nets() {
+    return net ~ [
+{% for peer_id, peer_value in ffrl_exit_server.iteritems() %}
+        {{ peer_value.tunnel_ipv6_network }}{{ "," if not loop.last else "" }}
+{% endfor %}
+    ];
+}
+
+# Filters
+filter ebgp_ffrl_import_filter {
+    if is_default() then accept;
+    reject;
+}
+
+filter ebgp_ffrl_export_filter {
+    if is_ffrl_public_nets() then accept;
+    reject;
+}
+
+# Protocols
+protocol static ffrl_public_routes {
+    table ffrl;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+{% for prefix in mesh_value.ipv6.public %}
+    route {{ prefix }} reject;
+    route {{ prefix | ipaddr('net') | ipsubnet(56, magic) | ipaddr('network') }} reject;
+{% endfor %}
+{% endfor %}
+}
+
+protocol direct ffrl_tunnels {
+    table ffrl;
+    interface "ffrl-*";
+    import where is_ffrl_tunnel_nets();
+}
+
+protocol kernel kernel_ffrl {
+    scan time 30;
+    import none;
+    export filter {
+        if is_default() then accept;
+        reject;
+    };
+    table ffrl;
+    kernel table ipt_internet;
+};
+
+# Templates
+template bgp ffrl_uplink {
+    table ffrl;
+    local as mwu_as;
+    import keep filtered;
+    import filter ebgp_ffrl_import_filter;
+    export filter ebgp_ffrl_export_filter;
+    next hop self;
+    direct;
+};
+
+# Include FFRL IPv4 peers
+include "ffrl_ipv6_peers.con?";
--- a/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2
+++ b/roles/service-bird-ffrl/templates/ffrl_ipv6_peers.conf.j2
@ -0,0 +1,13 @@
+#
+# {{ ansible_managed }}
+#
+
+{% for peer_id, peer_value in ffrl_exit_server.iteritems() %}
+protocol bgp {{ peer_id }} from ffrl_uplink {
+    source address {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('2') | ipaddr('address') }};
+    neighbor {{ peer_value.tunnel_ipv6_network | ipaddr('net') | ipaddr('1') | ipaddr('address') }} as ffrl_as;
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}