add localnet

69f3f72e · nanahira · d6109922 · 69f3f72e · 69f3f72e · 69f3f72e
Commit 69f3f72e authored Dec 08, 2020 by nanahira
9 changed files
--- a/files/bridge-post-scripts/post-up.sh.j2
+++ b/files/bridge-post-scripts/post-up.sh.j2
@@ -26,7 +26,7 @@ handle_gateway() {
  GATEWAY_NEXT_HOP_MARK=$[$GATEWAY_ID + 1100]
  ip route add default via "$GATEWAY_ADDRESS" table "$GATEWAY_NEXT_HOP_MARK"
  ip route add default via "$GATEWAY_ADDRESS" metric "$GATEWAY_NEXT_HOP_MARK"
-  ip rule add pref 300 fwmark "$GATEWAY_NEXT_HOP_MARK" lookup "$GATEWAY_NEXT_HOP_MARK"
+  ip rule add pref 100 fwmark "$GATEWAY_NEXT_HOP_MARK" lookup "$GATEWAY_NEXT_HOP_MARK"
  eth_origin -A "$GATEWAY_ADDRESS" "$GATEWAY_ID"
 }

--- a/files/bridge-post-scripts/pre-down.sh.j2
+++ b/files/bridge-post-scripts/pre-down.sh.j2
@@ -16,7 +16,7 @@ handle_gateway() {
  GATEWAY_ID=$1
  GATEWAY_ADDRESS=$2
  GATEWAY_NEXT_HOP_MARK=$[$GATEWAY_ID + 1100]
-  ip rule del pref 300 fwmark "$GATEWAY_NEXT_HOP_MARK" lookup "$GATEWAY_NEXT_HOP_MARK"
+  ip rule del pref 100 fwmark "$GATEWAY_NEXT_HOP_MARK" lookup "$GATEWAY_NEXT_HOP_MARK"
  eth_origin -D "$GATEWAY_ADDRESS" "$GATEWAY_ID"
 }

--- a/files/localnet-ipset.j2
+++ b/files/localnet-ipset.j2
+create localnet hash:net family inet
+add localnet 172.16.0.0/12
+{% for subnet in localnets %}
+add localnet {{subnet}}
+{% endfor %}
--- a/files/ppp-post-scripts/postdown.sh.j2
+++ b/files/ppp-post-scripts/postdown.sh.j2
@@ -10,6 +10,6 @@ ip6tables -t mangle -D FORWARD -i "$PPP_IFACE" -p tcp -m tcp --tcp-flags SYN,RST
 iptables -t nat -o "$PPP_IFACE" -D POSTROUTING -j MASQUERADE
-ip rule del pref 300 fwmark $INIT_ID lookup $INIT_ID
+ip rule del pref 100 fwmark $INIT_ID lookup $INIT_ID
 ppp_origin -D "$PPP_IFACE"
--- a/files/ppp-post-scripts/postup.sh.j2
+++ b/files/ppp-post-scripts/postup.sh.j2
@@ -12,6 +12,6 @@ iptables -t nat -o "$PPP_IFACE" -A POSTROUTING -j MASQUERADE
 ip route add default dev "$PPP_IFACE" table $INIT_ID
 ip route add default dev "$PPP_IFACE" metric $INIT_ID
-ip rule add pref 300 fwmark $INIT_ID lookup $INIT_ID
+ip rule add pref 100 fwmark $INIT_ID lookup $INIT_ID
 ppp_origin -A "$PPP_IFACE"
--- a/files/utility.sh
+++ b/files/utility.sh
@@ -6,14 +6,25 @@ restore_mark() {
 }
 ppp_origin() {
+  initialize_ipset
  OPTION=$1
  INTERFACE=$2
  MARK=$[1000 + $(echo "$INTERFACE" | sed "s/ppp//g")]
-  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -j CONNMARK --set-xmark "$MARK"
+  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$INTERFACE" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
  restore_mark "$OPTION" "$MARK"
 }
+initialize_ipset() {
+  ipset restore -f {{ansible_user_dir}}/nextgen-router/localnet-ipset && \
+{% for subnet in localnets %}
+    ip rule add pref 80 to {{subnet}} lookup main && \
+{% endfor %}
+    ip rule add pref 80 172.16.0.0/12 lookup main
+  true
+}
 eth_origin() {
+  initialize_ipset
  OPTION=$1
  GATEWAY_ADDRESS=$2
  GATEWAY_ID=$3
@@ -22,6 +33,6 @@ eth_origin() {
  DEV=$(echo $NEIGH_LINE | awk '{print $3}')
  MAC=$(echo $NEIGH_LINE | awk '{print $5}')
  MARK=$[1100 + $GATEWAY_ID]
-  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$DEV" -m mac --mac-source "$MAC" -j CONNMARK --set-xmark "$MARK"
+  iptables -t mangle "$OPTION" PREROUTING ! -p ospf -i "$DEV" -m mac --mac-source "$MAC" -m set ! --match-set localnet src -j CONNMARK --set-xmark "$MARK"
  restore_mark "$OPTION" "$MARK"
 }
--- a/install.yaml
+++ b/install.yaml
@@ -10,7 +10,7 @@
    tasks:
      - name: apt
        apt:
-          name: net-tools,bridge-utils,ifenslave,vlan,pppoe,iproute2,iptables
+          name: net-tools,bridge-utils,ifenslave,vlan,pppoe,iproute2,iptables,ipset
          update_cache: true
      - name: pve things
        apt:

--- a/network.yaml
+++ b/network.yaml
@@ -8,8 +8,8 @@
          state: directory
          recurse: true
      - name: utility lib for post scripts
-        copy:
+        template:
-          src: ./files/utility.sh
+          src: ./files/utility.sh.j2
          dest: '{{ansible_user_dir}}/nextgen-router/scripts/utility.sh'
          mode: 0755
      - name: create /etc/ethers
@@ -49,6 +49,10 @@
        with_items: 
          - iptables-forward.sh
          - iptables-gateways-interpreter.sh
+      - name: localnet ipset file
+        template:
+          src: ./files/localnet-ipset.j2
+          dest: '{{ansible_user_dir}}/nextgen-router/localnet-ipset'
      - name: interfaces
        become: true
        template:

--- a/variables.yaml
+++ b/variables.yaml
 vars:
  ansible_ssh_user: root
-  pppoeUsers:
+  localnets:
-    - username: user
+    - 10.0.0.0/24
-      password: pass
  links:
    - name: eno1
  bonds:
@@ -57,6 +56,9 @@ vars:
      link: bond0.41 # 上行链路
      username: user # 拨号用户名，密码在上面的pppoeUsers给出
      mac: null # 给ISP看的mac地址，null为随机
+  pppoeUsers:
+    - username: user
+      password: pass
  smartdns:
    disable_ipv6: false
    tls_dns: