nearly finished

85fc17bd · nanahira · 8d504357 · 85fc17bd · 85fc17bd · 85fc17bd
Commit 85fc17bd authored Dec 11, 2020 by nanahira
13 changed files
--- a/ansible/bird.conf.j2
+++ b/ansible/bird.conf.j2
@@ -27,22 +27,21 @@ protocol kernel {
  ipv6 { export all; };
 }
-{% for connection in connections %}
+{% for plan in routePlans %}
-{% if connection.protocol != "null" and connection.remoteLocalAddress != address %}
+ipv4 table {{plan.name}};
-ipv4 table {{connection.name.replace("-", "_")}};
 protocol static {
  ipv4 {
-    table {{connection.name.replace("-", "_")}};
+    table {{plan.name}};
  };
  igp table master4;
-  route 0.0.0.0/0 recursive {{connection.remoteLocalAddress}};
+  route 0.0.0.0/0 recursive {{plan.address}};
 }
 protocol kernel {
  ipv4 {
-    table {{connection.name.replace("-", "_")}};
+    table {{plan.name}};
    export all;
  };
-  kernel table {{connection.remoteDestMark}};
+  kernel table {{plan.destMark}};
 }
 {% endif %}
 {% endfor %}

--- a/ansible/configure.yaml
+++ b/ansible/configure.yaml
@@ -21,6 +21,10 @@
        - postup
        - predown
        - global-postup
+        - utility
+        - switch-rules-up
+        - switch-rules-down
+      notify: reload_switch_rules
    - name: ipset files
      template:
        src: scripts/ipset.j2
@@ -54,9 +58,7 @@
 # end
    - name: services conf
      copy:
-        content: |
+        content: '{{dockerServices | to_yaml}}'
-          {{dockerServices | to_yaml}}
        dest: '{{ansible_user_dir}}/nextgen-network/services/docker-compose.yml'
    - name: bird conf
      template:
@@ -67,20 +69,16 @@
      template:
        src: protocols/wgfrp/frps.ini.j2
        dest: '{{ansible_user_dir}}/nextgen-network/services/frps.ini'
-      when: frpsNeeded is defined
+      when: frpsNeeded
      notify: restart_frps
-    - name: frpc conf
-      template:
-        src: protocols/wgfrp/frpc.ini.j2
-        dest: '{{ansible_user_dir}}/nextgen-network/services/frpc_{{item.name}}.ini'
-      with_items: '{{ connections }}'
-      when: item.type == "wgfrp" and item.frpType == "frpc"
-      notify:
    - name: start services
      docker_compose:
        project_src: '{{ansible_user_dir}}/nextgen-network/services'
        remove_orphans: true
  handlers:
+    - name: reload_switch_rules
+      become: true
+      shell: '{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-down.sh ; {{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh'
    - name: restart_bird
      docker_compose:
        project_src: '{{ansible_user_dir}}/nextgen-network/services'

--- a/ansible/protocols/wg/configure.yaml
+++ b/ansible/protocols/wg/configure.yaml
 # 因为测试期间频繁改动参数，这里手动down掉
 # 调试wg的时候开这个，调试别的的时候注释掉
- name: '{{conn.name}}: clean frp service'
-  ignore_errors: true
-  systemd:
-    name: 'frpc@{{conn.name}}'
-    state: stopped
-    enabled: no
- name: '{{conn.name}}: clean frp'
-  file:
-    path: '/etc/frp/{{conn.name}}.conf'
-    state: absent
 - name: '{{conn.name}}: wg conf'
  template:
    src: wg.conf.j2

--- a/ansible/protocols/wg/wg.conf.j2
+++ b/ansible/protocols/wg/wg.conf.j2
@@ -8,8 +8,8 @@ FwMark = {{conn.localGatewayMark}}
 MTU = {{conn.mtu|int - 80}}
 Table = off
-PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} remoteDestMark={{conn.remoteDestMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
-PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} remoteDestMark={{conn.remoteDestMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
 [Peer]
 PublicKey = {{conn.wgPublicKey}}

--- a/ansible/protocols/wgfrp/wgfrp.conf.j2
+++ b/ansible/protocols/wgfrp/wgfrp.conf.j2
@@ -9,8 +9,8 @@ ListenPort = {{conn.localPort}}
 {% endif %}
 MTU = {{conn.mtu|int - 80}}
 Table = off
-PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} remoteDestMark={{conn.remoteDestMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+PostUp = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
-PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} remoteDestMark={{conn.remoteDestMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+PreDown = dev=%i localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 80}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
 [Peer]
 PublicKey = {{conn.wgPublicKey}}
 AllowedIPs = 0.0.0.0/0, ::/0

--- a/ansible/scripts/global-postup.sh.j2
+++ b/ansible/scripts/global-postup.sh.j2
 #!/usr/bin/env bash
+source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 echo "running" > /tmp/mycard_global_postup_done
@@ -12,8 +13,12 @@ ipset restore -f {{ansible_user_dir}}/nextgen-network/ipsets/{{list}}.ipset || t
 ip rule add pref 81 to {{subnet}} lookup main || true
 {% endfor %}
-# gateway things
+# chain for wg origin
-{% for gateway in gateways %}
+iptables -t mangle -N NEXTGEN_ORIGIN
+iptables -t mangle -A PREROUTING ! -p ospf -m set ! --match-set mycard src -j NEXTGEN_ORIGIN
+# switch rules
+{{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh
 echo "finished" > /tmp/mycard_global_postup_done

--- a/ansible/scripts/postup.sh.j2
+++ b/ansible/scripts/postup.sh.j2
 #!/usr/bin/env bash
+source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
+wait_lock
 #set -e
 ip addr add "$localPeerAddress" peer "$remotePeerAddress" dev "$dev" scope link
@@ -6,7 +8,6 @@ ip addr add "$localPeerAddress" peer "$remotePeerAddress" dev "$dev" scope link
 if [ "$outbound" == True ] ; then
  ip route add default dev "$dev" table "$remoteNextMark"
  ip rule add fwmark "$remoteNextMark" table "$remoteNextMark" pref 300
-  ip rule add fwmark "$remoteDestMark" table "$remoteDestMark" pref 300
 fi
 #if [ -z "${mtu}" ]; then
@@ -19,9 +20,7 @@ iptables -t mangle -A FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m
 iptables -t mangle -A FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
 if [ "$inbound" == True ] ; then
-  iptables -t mangle -A PREROUTING ! -p ospf -i "$dev" -m set ! --match-set mycard src -j CONNMARK --set-xmark "$remoteNextMark"
+  interface_origin -A "$dev" "$remoteNextMark"
-  iptables -t mangle -A PREROUTING -m connmark --mark "$remoteNextMark" -j CONNMARK --restore-mark
-  iptables -t mangle -A OUTPUT -m connmark --mark "$remoteNextMark" -j CONNMARK --restore-mark
 fi
 true
--- a/ansible/scripts/predown.sh.j2
+++ b/ansible/scripts/predown.sh.j2
 #!/usr/bin/env bash
+source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 if [ "$outbound" == True ] ; then
  ip rule del fwmark "$remoteNextMark" table "$remoteNextMark" pref 300
-  ip rule del fwmark "$remoteDestMark" table "$remoteDestMark" pref 300
 fi
 #if [ -z "${mtu}" ]; then
@@ -15,9 +15,7 @@ iptables -t mangle -D FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m
 iptables -t mangle -D FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
 if [ "$inbound" == True ] ; then
-  iptables -t mangle -D PREROUTING ! -p ospf -i "$dev" -m set ! --match-set mycard src -j CONNMARK --set-xmark "$remoteNextMark"
+  interface_origin -D "$dev" "$remoteNextMark"
-  iptables -t mangle -D PREROUTING -m connmark --mark "$remoteNextMark" -j CONNMARK --restore-mark
-  iptables -t mangle -D OUTPUT -m connmark --mark "$remoteNextMark" -j CONNMARK --restore-mark
 fi
 # predown 始终返回成功。

--- a/ansible/scripts/switch-rules-down.sh.j2
+++ b/ansible/scripts/switch-rules-down.sh.j2
+#!/bin/bash
+source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
+## chnroute
+{% for plan in routePlans %}
+interface_switch_chnroute -D u_{{plan.name}}_chnroute {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+interface_switch_chnroute -D u_{{gateway.isp}}_chnroute {{gateway.selectionMark}}
+{% endfor %}
+## all
+{% for plan in routePlans %}
+interface_switch -D u_{{plan.name}}_all {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+interface_switch -D u_{{gateway.isp}}_all {{gateway.selectionMark}}
+{% endfor %}
+## restore mark
+{% for plan in routePlans %}
+ip rule del pref 400 fwmark {{gateway.selectionMark}} lookup {{plan.destMark}}
+restore_mark -D {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+restore_mark -D {{gateway.selectionMark}}
+{% endfor %}
+true
--- a/ansible/scripts/switch-rules-up.sh.j2
+++ b/ansible/scripts/switch-rules-up.sh.j2
+#!/bin/bash
+source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
+## chnroute
+{% for plan in routePlans %}
+interface_switch_chnroute -A u_{{plan.name}}_chnroute {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+interface_switch_chnroute -A u_{{gateway.isp}}_chnroute {{gateway.selectionMark}}
+{% endfor %}
+## all
+{% for plan in routePlans %}
+interface_switch -A u_{{plan.name}}_all {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+interface_switch -A u_{{gateway.isp}}_all {{gateway.selectionMark}}
+{% endfor %}
+## restore mark
+{% for plan in routePlans %}
+ip rule add pref 400 fwmark {{gateway.selectionMark}} lookup {{plan.destMark}}
+restore_mark -A {{plan.destMark}}
+{% endfor %}
+{% for gateway in gateways %}
+restore_mark -A {{gateway.selectionMark}}
+{% endfor %}
+true
--- a/ansible/scripts/utility.sh.j2
+++ b/ansible/scripts/utility.sh.j2
+wait_lock() {
+  if [[ ! -f /tmp/mycard_global_postup_done ]]; then
+    {{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh
+  fi
+  LOCK_RESULT=""
+  while [[ "$LOCK_RESULT" -ne "finished" ]]; do
+    LOCK_RESULT=$(cat /tmp/mycard_global_postup_done)
+  done
+}
+restore_mark_origin() {
+  OPTION=$1
+  MARK=$2
+  iptables -t mangle "$OPTION" NEXTGEN_ORIGIN -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+}
+restore_mark() {
+  OPTION=$1
+  MARK=$2
+  iptables -t mangle "$OPTION" PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+}
+interface_origin() {
+  OPTION=$1
+  INTERFACE=$2
+  MARK=$3
+  iptables -t mangle "$OPTION" NEXTGEN_ORIGIN ! -p ospf -i "$INTERFACE" -m set ! --match-set mycard src -j CONNMARK --set-xmark "$MARK"
+  restore_mark_origin "$OPTION" "$MARK"
+}
+interface_switch() {
+  OPTION=$1
+  IPSET=$2
+  MARK=$3
+  ipset create "$IPSET" hash:net maxelem 1000000 || true
+  iptables -t mangle "$OPTION" PREROUTING -m mark --mark 0 -m set --match-set "$IPSET" src -m set ! --match-set mycard dst -j CONNMARK --set-xmark "$MARK"
+}
+interface_switch_chnroute() {
+  OPTION=$1
+  IPSET=$2
+  MARK=$3
+  ipset create "$IPSET" hash:net maxelem 1000000 || true
+  iptables -t mangle "$OPTION" PREROUTING -m mark --mark 0 -m set --match-set "$IPSET" src -m set --match-set chnrouter dst -j CONNMARK --set-xmark "$MARK"
+}
--- a/ipset.sh
+++ b/ipset.sh
+#!/bin/bash
+OPERATION=$1
+IPSET=$2
+ADDRESS=$3
+cd ansible
+ansible all -i ../result/inventory.yaml -u root -m shell -b -a "ipset $OPERATION $IPSET $ADDRESS"
--- a/src/inventory.ts
+++ b/src/inventory.ts
@@ -63,7 +63,6 @@ class InventoryBuilder {
    const vars = {
      routeLists: this.routeLists,
      routeListNames: Object.keys(this.routeLists),
-      //route_plans
    };
    for (let col in raw_utility) {
      vars[col] = raw_utility[col].value;
@@ -88,6 +87,7 @@ class InventoryBuilder {
    host.frpsNeeded = false;
    const null_connection = "10000,null";
    const lanInterfaces = host.lanInterfaces.length > 0 ? host.lanInterfaces.split(",") : [];
+    const routePlans = [];
    for (const h of this.connections) {
      if (h != host.name) {
        const to = host[h];
@@ -105,6 +105,11 @@ class InventoryBuilder {
          connections.push(this.parse_connection(host, this.hosts[h], null_connection, true, false));
          connections.push(this.parse_connection(host, this.hosts[h], null_connection, false, true));
        }
+        routePlans.push({
+          name: h.replace(/-/g, "_"),
+          destMark: this.hosts[h].destMark,
+          address: this.hosts[h].address
+        });
      }
    }
@@ -119,6 +124,7 @@ class InventoryBuilder {
      connections,
      lanInterfaces,
      dockerServices: host.dockerServices,
+      routePlans
    };
  }