some mini-router rules

4112314f · nanahira · 78d85e26 · 4112314f · 4112314f · 4112314f
Commit 4112314f authored Jan 11, 2021 by nanahira
Showing with 48 additions and 2 deletions

ansible/migrate-mini-chnroute.yaml ansible/migrate-mini-chnroute.yaml +34 -0

ansible/scripts/global-postup.sh.j2 ansible/scripts/global-postup.sh.j2 +8 -1

src/inventory.ts src/inventory.ts +6 -1

No files found.
--- a/ansible/migrate-mini-chnroute.yaml
+++ b/ansible/migrate-mini-chnroute.yaml
+- hosts: switch
+  remote_user: root
+  tasks:
+    - name: load vars
+      include_vars:
+        file: '../result/{{item}}.yaml'
+      with_items:
+        - global-vars
+        - vars-{{inventory_hostname_short}}
+    - name: post scripts
+      template:
+        src: scripts/{{item}}.sh.j2
+        dest: '{{ansible_user_dir}}/nextgen-network/scripts/{{item}}.sh'
+        mode: a+x
+      with_items:
+        - postup
+        - predown
+        - global-postup
+        - utility
+        - switch-rules-up
+        - switch-rules-down
+        - ocserv-postup
+        - ocserv-predown
+    - name: migrate
+      become: true
+      shell: |
+        {% for interface in masqInterfaces %}
+        iptables -t mangle -A NEXTGEN_ORIGIN -i {{item.name}} ! -p ospf -m set ! --match-set mycard src -j CONNMARK --set-xmark {{interface.mark}}
+        iptables -t mangle -A NEXTGEN_ORIGIN -m connmark --mark {{item.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+        iptables -t mangle -A OUTPUT -m connmark --mark {{item.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+        # TODO: ip rule
+        # ip rule add pref 300 fwmark {{item.mark}} lookup {{item.mark}}
+        {% endfor %}
+      with_items: '{{masqInterfaces}}'
--- a/ansible/scripts/global-postup.sh.j2
+++ b/ansible/scripts/global-postup.sh.j2
@@ -17,12 +17,19 @@ ip rule add pref 81 to {{subnet}} lookup main || true

 # MASQ interfaces
 {% for interface in masqInterfaces %}
-iptables -t nat -A POSTROUTING -o {{interface}} -j MASQUERADE
+iptables -t nat -A POSTROUTING -o {{interface.name}} -j MASQUERADE
 {% endfor %}

 # chain for wg origin
 iptables -t mangle -N NEXTGEN_ORIGIN
 iptables -t mangle -I PREROUTING -m mark --mark 0x0 ! -p ospf -j NEXTGEN_ORIGIN
+{% for interface in masqInterfaces %}
+iptables -t mangle -A NEXTGEN_ORIGIN -i {{interface.name}} ! -p ospf -m set ! --match-set mycard src -j CONNMARK --set-xmark {{interface.mark}}
+iptables -t mangle -A NEXTGEN_ORIGIN -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+iptables -t mangle -A OUTPUT -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+# TODO: ip rule
+# ip rule add pref 300 fwmark {{interface.mark}} lookup {{interface.mark}}
+{% endfor %}
 iptables -t mangle -N NEXTGEN_SWITCH
 iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard dst -j NEXTGEN_SWITCH


--- a/src/inventory.ts
+++ b/src/inventory.ts
@@ -241,7 +241,12 @@ class InventoryBuilder {
    const lanInterfaces = host.lanInterfaces;
    const localSubnets = host.subnets;
    //console.log(localSubnets);
-    const masqInterfaces = host.masqInterfaces.length > 0 ? host.masqInterfaces.split(',') : [];
+    const masqInterfaces = host.masqInterfaces.length > 0 ? (host.masqInterfaces as string).split(',').map((interfaceName, interfaceIndex) => {
+      return {
+        name: interfaceName,
+        mark: 1900 + interfaceIndex
+      }
+    }) : [];
    const routePlans = this.getRoutePlansFromGatewayGroups(host);

    for (const h of this.connections) {