Commit f878c7de authored by nanahira's avatar nanahira

new

parent 16bd5924
version: '2.4'
services:
railgun:
restart: always
image: git-registry.moenext.com/railgun/tun:rust-v2-ext
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun
command:
- -c
- /etc/railgun/config.json
volumes:
- ./templates/config.json:/etc/railgun/config.json:ro
- ./templates/up.sh:/etc/railgun/up.sh:ro
- ./templates/down.sh:/etc/railgun/down.sh:ro
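Review bot: The `image:` line pulls by the mutable tag `rust-v2-ext` from a private registry, so any re-pull (this service is `restart: always` and runs with `NET_ADMIN` in the host network namespace) can silently swap the binary that manipulates the host's routing and iptables; pin it by digest, `image: git-registry.moenext.com/railgun/tun:rust-v2-ext@sha256:…`, and keep the tag as a comment. Since the container needs only the tunnel device and netadmin, add `cap_drop: [ALL]` before `cap_add` and list `NET_RAW` alongside `NET_ADMIN` — the hook scripts call `iptables`, which opens a raw socket, so dropping everything else presumably still works but should be verified on a test host. The mounted `./templates/config.json` carries `local_secret` and `remote_secret` in clear; nothing in this commit shows the mode it is rendered with, so the rendering task should create it `0600` and the path should be ignored by VCS.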
{# templates/config.json.j2 (client) #}
{# client local_id fixed 254 #}
{% set client_id = 254 %}
{
"routers": [
{% for s in servers %}
{% set schema_u = (s.schema | default('IP')) | upper %}
{% set family_v = (s.family | default(4)) | int %}
{% set dev = 'rgc-' ~ (s.id | int) %}
{% set mark = (s.mark | default(0)) | int %}
{
"schema": "{{ schema_u }}",
"local_id": {{ client_id }},
"local_secret": "{{ key }}",
"remote_id": {{ s.id | int }},
"remote_secret": "{{ s.key }}",
"family": {{ family_v }},
"dev": "{{ dev }}",
"mark": {{ mark }},
{% if schema_u == 'IP' %}
"endpoint": "{{ s.endpoint }}",
"proto": {{ s.proto | int }},
{% else %}
"endpoint": "{{ s.endpoint }}",
"dst_port": {{ s.port | int }},
{% endif %}
"up": "bash /etc/railgun/up.sh {{ s.id | int }} {{ s.target }} {{ schema_u }} {{ family_v }} {{ (s.link_mtu | default(1500)) | int }}",
"down": "/etc/railgun/down.sh {{ s.id | int }} {{ s.target }}"
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
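Review bot: `{{ s.target }}` is spliced unquoted into the `"up"` and `"down"` command strings, and those strings become the argv of a root-run hook inside a container that has `NET_ADMIN` on the host; a target value containing whitespace or shell metacharacters changes which arguments `up.sh` receives, so either validate it at render time (e.g. `{{ s.target | ansible.utils.ipaddr('address') }}`, if this is rendered by Ansible as the `ansible_ssh_port` reference elsewhere in the commit suggests) or shell-quote it with `{{ s.target | quote }}`. The secrets and endpoint are likewise inserted into JSON string literals with no escaping, so a key containing `"` or `\` breaks the file — `"local_secret": {{ key | to_json }},` (the filter emits the surrounding quotes) is the safe form for every string value here. The `"down"` entry runs `/etc/railgun/down.sh` directly while `"up"` goes through `bash`; the script is bind-mounted `:ro` from `./templates/`, so the down hook depends on the execute bit surviving on the host — use `"down": "bash /etc/railgun/down.sh …"` as the server-side template does.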
#!/usr/bin/env bash
set -euo pipefail
SERVER_ID="${1:?server_id required}"
TARGET="${2:?target required}"
TABLE=$((2100 + SERVER_ID))
ip rule del pref 150 from "${TARGET}" lookup "${TABLE}" 2>/dev/null || true
# clean mss
_search_and_remove() {
iptables-save | grep -- "$2" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c "$IPTABLES_EXEC -t $1 {}"
}
_search_and_remove "-A FORWARD -i $DEV -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss"
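Review bot: `_search_and_remove` on the last line can never do its job: `$DEV` is not defined anywhere in this script (the client up.sh derives it as `rgc-${SERVER_ID}`) and `$IPTABLES_EXEC` is not set either, so under `set -u` the hook aborts with an unbound-variable error right after the `ip rule del`. Even with both set, the grep pattern `-m tcpmss --mss` does not match what up.sh installs — iptables-save prints those rules as `… -j TCPMSS --set-mss N` — and only the `-i` direction is searched while up.sh also adds an `-o` rule, so the clamp rules would accumulate across restarts anyway. Piping iptables-save text through `bash -c` is also a needless shell-evaluation step in a root-run hook; word-splitting the rule into `iptables` arguments avoids it. The default route left in table `2100+SERVER_ID` is never flushed either. A version that addresses all of this:
```shell
DEV="rgc-${SERVER_ID}"
# … unchanged: ip rule del …
# Remove every TCPMSS clamp on this device in both directions; the rule text is
# matched on the fixed dev name and word-split, never evaluated by bash -c.
_remove_mss_rules() {
  iptables-save -t mangle \
    | grep -F -- "-A FORWARD -$1 ${DEV} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss" \
    | sed 's/^-A/-D/' \
    | while read -r rule; do
        # shellcheck disable=SC2086 -- the rule must be word-split into iptables args
        iptables -t mangle ${rule} || true
      done || true
}
_remove_mss_rules i
_remove_mss_rules o
ip -4 route flush table "${TABLE}" 2>/dev/null || true
```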
#!/usr/bin/env bash
set -euo pipefail
SERVER_ID="${1:?server_id required}"
TARGET="${2:?target required}"
SCHEMA="${3:-IP}"
FAMILY="${4:-4}"
LINK_MTU="${5:-1500}"
CLIENT_ID="254"
DEV="rgc-${SERVER_ID}"
CLIENT_IP="10.26.4.${CLIENT_ID}"
SERVER_IP="10.26.4.${SERVER_ID}"
# ---- MTU calc (rust-v2-ext: +4, v6: +20) ----
case "${SCHEMA^^}" in
IP) BASE_LOSS=24 ;;
UDP) BASE_LOSS=32 ;;
TCP) BASE_LOSS=44 ;;
*) BASE_LOSS=24 ;;
esac
EXTRA_V6=0
if [ "${FAMILY}" -eq 6 ]; then
EXTRA_V6=20
fi
MTU_LOSS=$((BASE_LOSS + 4 + EXTRA_V6))
TUN_MTU=$((LINK_MTU - MTU_LOSS))
# ---- Interface basics ----
ip address add "${CLIENT_IP}/32" peer "${SERVER_IP}/32" dev "${DEV}" 2>/dev/null || true
ip link set dev "${DEV}" up
ip link set dev "${DEV}" mtu "${TUN_MTU}"
# ---- clamp mss ----
MSS=$((TUN_MTU - 40))
if [ "${FAMILY}" -eq 6 ]; then
MSS=$((TUN_MTU - 60))
fi
iptables -t mangle -A FORWARD -o "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}"
iptables -t mangle -A FORWARD -i "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}"
# ---- Policy routing ----
# table = 2100 + server_id
TABLE=$((2100 + SERVER_ID))
ip -4 route replace default dev "${DEV}" table "${TABLE}"
ip -4 rule add pref 150 from "${TARGET}" lookup "${TABLE}" || true
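Review bot: The two TCPMSS rules in the clamp-mss step are appended with a bare `-A` every time the hook runs, and with `restart: always` in the compose file each restart stacks another copy in the host's mangle table; guard each one, e.g. `iptables -t mangle -C FORWARD -o "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}" 2>/dev/null || iptables -t mangle -A FORWARD -o "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}"`, and the same for `-i`. The `|| true` on the final `ip -4 rule add` hides the one failure that matters here (without the rule, TARGET's traffic silently keeps using the main table); drop it, or make the step idempotent with `ip -4 rule del pref 150 from "${TARGET}" lookup "${TABLE}" 2>/dev/null || true` immediately before the add. The `2>/dev/null` on `ip address add` likewise swallows every error, not just "already exists". One thing to confirm: for `FAMILY=6` the clamp subtracts 60, but the rules are installed with IPv4 `iptables` and the tunnel addresses are `10.26.4.x`, so the inner packets being clamped look like IPv4 and the v6 overhead already sits in `MTU_LOSS` — the extra 20 bytes may be double-counted.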
version: '2.4'
services:
railgun:
restart: always
image: git-registry.moenext.com/railgun/tun:rust-v2-ext
network_mode: host
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun
command:
- -c
- /etc/railgun/config.json
volumes:
- ./templates/config.json:/etc/railgun/config.json:ro
- ./templates/up.sh:/etc/railgun/up.sh:ro
- ./templates/down.sh:/etc/railgun/down.sh:ro
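Review bot: This compose file is identical to the client one, but the hook it runs on the server installs a catch-all DNAT in the host's nat table, so the same hardening matters more here: pin the image by digest instead of the mutable `rust-v2-ext` tag (`image: git-registry.moenext.com/railgun/tun:rust-v2-ext@sha256:…`) so a registry push cannot change what runs with `NET_ADMIN` on the host network namespace, and add `cap_drop: [ALL]` with `cap_add: [NET_ADMIN, NET_RAW]` (iptables opens a raw socket, so `NET_RAW` is presumably required — verify on a test host before relying on it). The bind mounts are `:ro`, which is good; the rendered `./templates/config.json` holds `local_secret`/`remote_secret` in clear and nothing in this commit shows its mode, so the rendering task should create it `0600`.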
{# templates/config.json.j2 #}
{% set schema_u = (schema | default('IP')) | upper %}
{% set family_v = (family | default(4)) | int %}
{% set client_id = 254 %}
{% set dev = 'rg-' ~ (id | int) %}
{
"routers": [
{
"schema": "{{ schema_u }}",
"local_id": {{ id | int }},
"local_secret": "{{ server_key }}",
"remote_id": {{ client_id }},
"remote_secret": "{{ client_key }}",
"family": {{ family_v }},
"dev": "{{ dev }}",
{% if schema_u == 'IP' %}
"endpoint": "{{ endpoint }}",
"proto": {{ proto | int }},
{% else %}
"src_port": {{ port | int }},
{% endif %}
"up": "bash /etc/railgun/up.sh",
"down": "bash /etc/railgun/down.sh"
}
]
}
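Review bot: `server_key`, `client_key` and `endpoint` are interpolated straight into JSON string literals, so any value containing `"` or `\` produces an unparsable config and the tunnel never comes up; if this is rendered by Ansible (the `ansible_ssh_port` reference in the server up.sh suggests so), `"local_secret": {{ server_key | to_json }},` is the escape-safe form — the filter emits the surrounding quotes, so drop the literal ones. The same applies to `remote_secret` and `endpoint`. The client-side template also emits a `"mark"` key; if the rust-v2-ext binary treats a missing `mark` as 0 that is fine, but it is worth a one-line comment here so the two templates are not drifting by accident.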
#!/usr/bin/env bash
set -euo pipefail
ID="{{ id | int }}"
CLIENT_ID="254"
DEV="rg-${ID}"
LOCAL_IP="10.26.4.${ID}"
CLIENT_IP="10.26.4.${CLIENT_ID}"
TARGET="{{ target }}"
# Unhook NAT chain (ignore errors)
iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j VDIP 2>/dev/null || true
iptables -t nat -F VDIP 2>/dev/null || true
iptables -t nat -X VDIP 2>/dev/null || true
# masq_interface
{% if masq_interface is defined and masq_interface %}
iptables -t nat -D POSTROUTING -s "${TARGET}" -o "{{ masq_interface }}" -j MASQUERADE
{% endif %}
# clean mss
_search_and_remove() {
iptables-save | grep -- "$2" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c "$IPTABLES_EXEC -t $1 {}"
}
_search_and_remove "-A FORWARD -i $DEV -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss"
#!/usr/bin/env bash
set -euo pipefail
SCHEMA="{{ (schema | default('IP')) | upper }}"
FAMILY="{{ (family | default(4)) | int }}"
ID="{{ id | int }}"
CLIENT_ID="254"
DEV="rg-${ID}"
LOCAL_IP="10.26.4.${ID}"
CLIENT_IP="10.26.4.${CLIENT_ID}"
TARGET="{{ target }}"
SSH_PORT="{{ ansible_ssh_port | int }}"
LINK_MTU="{{ (link_mtu | default(1500)) | int }}"
# rust-v2-ext MTU loss (+4), v6 (+20)
# base loss: IP 24, UDP 32, TCP 44
case "$SCHEMA" in
IP) BASE_LOSS=24 ;;
UDP) BASE_LOSS=32 ;;
TCP) BASE_LOSS=44 ;;
*) BASE_LOSS=24 ;;
esac
EXTRA_V6=0
if [ "$FAMILY" -eq 6 ]; then
EXTRA_V6=20
fi
MTU_LOSS=$((BASE_LOSS + 4 + EXTRA_V6))
TUN_MTU=$((LINK_MTU - MTU_LOSS))
# Bring up interface + MTU
ip address add "${LOCAL_IP}/32" peer "${CLIENT_IP}/32" dev "${DEV}" || true
ip link set dev "${DEV}" up
ip link set dev "${DEV}" mtu "${TUN_MTU}"
# Routes (/32)
ip route add "${TARGET}/32" dev "${DEV}" || true
# ---- clamp mss ----
MSS=$((TUN_MTU - 40))
if [ "${FAMILY}" -eq 6 ]; then
MSS=$((TUN_MTU - 60))
fi
iptables -t mangle -A FORWARD -o "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}"
iptables -t mangle -A FORWARD -i "${DEV}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "${MSS}"
# NAT chain
iptables -t nat -N VDIP 2>/dev/null || true
iptables -t nat -F VDIP
# Keep SSH on server itself
iptables -t nat -A VDIP -p tcp -m multiport --dports "${SSH_PORT}" -j RETURN
iptables -t nat -A VDIP -p icmp -j RETURN
# Keep railgun listening port on server itself (only for UDP/TCP schema)
if [ "$SCHEMA" = "UDP" ]; then
PORT="{{ port | default(0) | int }}"
iptables -t nat -A VDIP -p udp -m multiport --dports "${PORT}" -j RETURN
elif [ "$SCHEMA" = "TCP" ]; then
PORT="{{ port | default(0) | int }}"
iptables -t nat -A VDIP -p tcp -m multiport --dports "${PORT}" -j RETURN
elif [ "$SCHEMA" = "IP" ]; then
PROTO="{{ proto | default(0) | int }}"
iptables -t nat -A VDIP -p "${PROTO}" -j RETURN
fi
# DNAT everything else to target (preserve port)
iptables -t nat -A VDIP -j DNAT --to-destination "${TARGET}"
# Hook into PREROUTING (only for local dest)
iptables -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j VDIP 2>/dev/null \
|| iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j VDIP
# add masq_interface
{% if masq_interface is defined and masq_interface %}
iptables -t nat -A POSTROUTING -s "${TARGET}" -o "{{ masq_interface }}" -j MASQUERADE
{% endif %}
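Review bot: `SSH_PORT="{{ ansible_ssh_port | int }}"` is the only thing standing between the catch-all DNAT in the VDIP chain and the host's own SSH daemon, and `ansible_ssh_port` is the deprecated alias that is unset when SSH runs on the default port; depending on how the renderer treats the undefined value this either fails to render or yields `--dports 0`, and in the latter case applying the rules locks operators out — `SSH_PORT="{{ ansible_port | default(22) | int }}"` is the safe form. In the `IP` schema branch, `-p "${PROTO}"` with the template default of 0 means "all protocols" to iptables, so the RETURN matches everything and silently disables the DNAT below it; refuse to start when PROTO is 0 rather than run with a dead rule set. The MASQUERADE rule at the end is appended with `-A` and no `-C` check (unlike the PREROUTING hook just above it), so it duplicates on every restart; the two TCPMSS rules have the same problem. Since the chain redirects every inbound connection to any host-local address except SSH, ICMP and the railgun port, any other listener on this host becomes unreachable unless explicitly RETURNed — that consequence deserves a comment at the `# NAT chain` step, and note that nothing here enables forwarding (`net.ipv4.ip_forward`) or accepts the DNAT'd flows in FORWARD, so presumably that is done elsewhere in the playbook.
```shell
# ansible_ssh_port is a deprecated alias and is unset when SSH uses the default
# port; a wrong or empty value here locks out management once the DNAT is live
SSH_PORT="{{ ansible_port | default(22) | int }}"
# … unchanged: MTU calc, interface, clamp mss, VDIP chain, SSH/ICMP RETURNs …
elif [ "$SCHEMA" = "IP" ]; then
  PROTO="{{ proto | default(0) | int }}"
  # "-p 0" means every protocol to iptables: the RETURN would match all traffic
  # and silently disable the DNAT below, so refuse to start instead
  if [ "${PROTO}" -eq 0 ]; then
    echo "railgun up: proto must be set for schema IP" >&2
    exit 1
  fi
  iptables -t nat -A VDIP -p "${PROTO}" -j RETURN
fi
# … unchanged: DNAT to target, PREROUTING hook …
{% if masq_interface is defined and masq_interface %}
iptables -t nat -C POSTROUTING -s "${TARGET}" -o "{{ masq_interface }}" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "${TARGET}" -o "{{ masq_interface }}" -j MASQUERADE
{% endif %}
```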