Commit 2a1b4210 authored by nanahira's avatar nanahira

add NEXTGEN_SWITCH

parent 5070a959
- hosts: wg
remote_user: root
tasks:
- name: remove old rules
become: true
shell: '{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-down.sh'
- name: install conntrack
become: true
apt:
name: conntrack
- name: future rules
become: true
shell: |
iptables -t mangle -N NEXTGEN_SWITCH
iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_SWITCH
iptables -t mangle -I PREROUTING -m mark ! --mark 0x0 -j ACCEPT
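Review bot: The `future rules` shell task is not re-runnable: `iptables -t mangle -N NEXTGEN_SWITCH` exits non-zero once the chain exists, which fails the task on every play after the first, and the `-A`/`-I` lines under it append a second copy of each PREROUTING rule whenever the task does run again. Guard the chain creation and check each rule with `-C` before adding it, as sketched below. Whether the preceding `remove old rules` task actually clears the previously installed PREROUTING rules depends on which version of `switch-rules-down.sh` is on the host when it runs, since this commit changes that script to delete from NEXTGEN_SWITCH instead; ordering the deployment so the old script runs first would avoid leaving stale rules behind. The `shell: |` block may continue past the last line shown.

```yaml
- name: future rules
  become: true
  shell: |
    iptables -t mangle -N NEXTGEN_SWITCH 2>/dev/null || true
    iptables -t mangle -C PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_SWITCH 2>/dev/null \
      || iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_SWITCH
    iptables -t mangle -C PREROUTING -m mark ! --mark 0x0 -j ACCEPT 2>/dev/null \
      || iptables -t mangle -I PREROUTING -m mark ! --mark 0x0 -j ACCEPT
```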
...@@ -19,4 +19,4 @@ Endpoint = {{conn.remoteAddress}}:{{conn.remotePort}} ...@@ -19,4 +19,4 @@ Endpoint = {{conn.remoteAddress}}:{{conn.remotePort}}
PersistentKeepalive = 1 PersistentKeepalive = 1
{% endif %} {% endif %}
# forced change 12.11 2 # forced change 12.12
...@@ -16,7 +16,9 @@ ip rule add pref 81 to {{subnet}} lookup main || true ...@@ -16,7 +16,9 @@ ip rule add pref 81 to {{subnet}} lookup main || true
# chain for wg origin # chain for wg origin
iptables -t mangle -N NEXTGEN_ORIGIN iptables -t mangle -N NEXTGEN_ORIGIN
iptables -t mangle -A PREROUTING ! -d 224.0.0.0/3 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_ORIGIN iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -d 224.0.0.0/3 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_ORIGIN
iptables -t mangle -N NEXTGEN_SWITCH
iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_SWITCH
# switch rules # switch rules
{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh {{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh
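Review bot: The two added chain-setup lines are not idempotent: `-N NEXTGEN_SWITCH` fails once the chain exists and the `-A PREROUTING ... -j NEXTGEN_SWITCH` jump is duplicated on every re-run, the same way the NEXTGEN_ORIGIN lines just above already are. I would write `iptables -t mangle -N NEXTGEN_SWITCH 2>/dev/null || iptables -t mangle -F NEXTGEN_SWITCH` so a re-run starts from an empty chain, and `iptables -t mangle -C PREROUTING <match> -j NEXTGEN_SWITCH 2>/dev/null || iptables -t mangle -A PREROUTING <match> -j NEXTGEN_SWITCH` for the jump. The new jump also omits the `! -d 224.0.0.0/3` exclusion that the NEXTGEN_ORIGIN jump directly above carries, so multicast from non-`mycard` sources now enters NEXTGEN_SWITCH and can be CONNMARKed by the interface_switch rules; if that is intended, a comment such as `# multicast deliberately not excluded here` would make it clear. The script continues outside the hunk, so the matching flush/delete of NEXTGEN_SWITCH in the down path is not visible here.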
...@@ -20,10 +20,10 @@ interface_switch -D u_{{gw.isp}}_all {{gw.selectionMark}} ...@@ -20,10 +20,10 @@ interface_switch -D u_{{gw.isp}}_all {{gw.selectionMark}}
## restore mark ## restore mark
{% for plan in routePlans %} {% for plan in routePlans %}
ip rule del pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}} ip rule del pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}}
restore_mark -D {{plan.destMark}} restore_mark_switch -D {{plan.destMark}}
{% endfor %} {% endfor %}
{% for gw in gateways %} {% for gw in gateways %}
restore_mark -D {{gw.selectionMark}} restore_mark_switch -D {{gw.selectionMark}}
{% endfor %} {% endfor %}
true true
...@@ -20,10 +20,10 @@ interface_switch -A u_{{gw.isp}}_all {{gw.selectionMark}} ...@@ -20,10 +20,10 @@ interface_switch -A u_{{gw.isp}}_all {{gw.selectionMark}}
## restore mark ## restore mark
{% for plan in routePlans %} {% for plan in routePlans %}
ip rule add pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}} ip rule add pref 400 fwmark {{plan.destMark}} lookup {{plan.destMark}}
restore_mark -A {{plan.destMark}} restore_mark_switch -A {{plan.destMark}}
{% endfor %} {% endfor %}
{% for gw in gateways %} {% for gw in gateways %}
restore_mark -A {{gw.selectionMark}} restore_mark_switch -A {{gw.selectionMark}}
{% endfor %} {% endfor %}
true true
...@@ -15,10 +15,10 @@ restore_mark_origin() { ...@@ -15,10 +15,10 @@ restore_mark_origin() {
iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
} }
restore_mark() { restore_mark_switch() {
OPTION=$1 OPTION=$1
MARK=$2 MARK=$2
iptables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m connmark --mark "$MARK" -j CONNMARK --restore-mark
iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
} }
...@@ -36,7 +36,7 @@ interface_switch() { ...@@ -36,7 +36,7 @@ interface_switch() {
IPSET=$2 IPSET=$2
MARK=$3 MARK=$3
ipset create "$IPSET" hash:net maxelem 1000000 || true ipset create "$IPSET" hash:net maxelem 1000000 || true
iptables -t mangle "$OPTION" PREROUTING -m mark --mark 0 -m set --match-set "$IPSET" src -m set ! --match-set mycard dst -j CONNMARK --set-xmark "$MARK" iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set ! --match-set mycard dst -j CONNMARK --set-xmark "$MARK"
} }
interface_switch_chnroute() { interface_switch_chnroute() {
...@@ -44,5 +44,5 @@ interface_switch_chnroute() { ...@@ -44,5 +44,5 @@ interface_switch_chnroute() {
IPSET=$2 IPSET=$2
MARK=$3 MARK=$3
ipset create "$IPSET" hash:net maxelem 1000000 || true ipset create "$IPSET" hash:net maxelem 1000000 || true
iptables -t mangle "$OPTION" PREROUTING -m mark --mark 0 -m set --match-set "$IPSET" src -m set --match-set chnrouter dst -j CONNMARK --set-xmark "$MARK" iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set --match-set chnrouter dst -j CONNMARK --set-xmark "$MARK"
} }
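Review bot: In the restore_mark_switch hunk, the `-D` variant now deletes from NEXTGEN_SWITCH, so running the updated down script on a host whose rules were installed by the previous version leaves the old `PREROUTING -m connmark ... --restore-mark` rules (and the old PREROUTING interface_switch rules) in place, and the trailing `true` in the down script masks the failed `-D` calls. Either run the pre-change down script once before deploying this library, or keep a transitional fallback such as `iptables -t mangle -D PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark 2>/dev/null` next to the NEXTGEN_SWITCH delete until all hosts are migrated. Since packets only enter NEXTGEN_SWITCH with mark 0, the `-m mark --mark 0` guard in interface_switch and interface_switch_chnroute now only does anything when a restore-mark rule precedes it in the same chain, so the append order in the up script decides whether an already-marked connection gets re-marked; a comment on restore_mark_switch stating that ordering dependency would help. restore_mark_origin's opening lines are outside the hunk.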