update

ansible/configure.yaml

@@ -3,13 +3,13 @@
   become: true
   tasks:
     - name: postup
-      copy:
-        src: scripts/postup.sh
+      template:
+        src: scripts/postup.sh.j2
         dest: '/etc/wireguard/postup.sh'
         mode: a+x
     - name: predown
-      copy:
-        src: scripts/predown.sh
+      template:
+        src: scripts/predown.sh.j2
         dest: '/etc/wireguard/predown.sh'
         mode: a+x
 # 为了提高测试时候的性能，不改动wg的时候注释掉这段

ansible/scripts/postup.sh → ansible/scripts/postup.sh.j2

 #!/usr/bin/env bash
 #set -e
 
+if [ "$dev" == "mc-yangtze" ] ; then
+  # 初始化部分，mc-yangtze一定是第一个连接的
+
+  # 创建 ipset
+  ipset create mycard hash:net family inet
+{% for subnet in all_subnets %}
+  ipset add mycard {{subnet}}
+{% endfor %}
+
+  # 针对网关设置mark
+{% for gateway in gateways %}
+{% if gateway.route_tail != "" %}
+  ip route add default {{gateway.route_tail}} table {{gateway.mark}}
+  ip rule add pref 301 fwmark {{gateway.mark}} lookup {{gateway.mark}}
+{% endif %}
+{% endfor %}
+
+fi
+
 ip addr add "$localPeerAddress" peer "$remotePeerAddress" dev "$dev" scope link
 
 if [ "$outbound" == True ] ; then

ansible/scripts/predown.sh

 #!/usr/bin/env bash
 
+if [ "$dev" == "mc-yangtze" ] ; then
+  # 初始化部分，mc-yangtze一定是第一个连接的
+
+  # 删除ipset
+  #iptables-save | grep "match-set mycard"
+  #ipset destroy mycard
+
+  # 针对网关设置mark
+{% for gateway in gateways %}
+{% if gateway.route_tail != "" %}
+  ip route del default {{gateway.route_tail}} table {{gateway.mark}}
+  ip rule del pref 301 fwmark {{gateway.mark}} table {{gateway.mark}}
+{% endfor %}
+
+fi
+
 if [ "$outbound" == True ] ; then
   ip rule del fwmark "$remoteMark" table "$remoteMark" pref 300
 fi

ansible/scripts/predown.sh.j2

+#!/usr/bin/env bash
+
+if [ "$outbound" == True ] ; then
+  ip rule del fwmark "$remoteMark" table "$remoteMark" pref 300
+fi
+
+#if [ -z "${mtu}" ]; then
+#    mtu=$(cat /sys/class/net/"$dev"/mtu)
+#fi
+
+mss=$((mtu - 40))
+
+iptables -t mangle -D FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+iptables -t mangle -D FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+
+iptables -t mangle -D PREROUTING -i "$dev" -m set ! --match-set mycard src -j CONNMARK --set-xmark "$remoteMark"
+iptables -t mangle -D PREROUTING -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark
+iptables -t mangle -D OUTPUT -m connmark --mark "$remoteMark" -j CONNMARK --restore-mark
+
+# predown 始终返回成功。
+true

src/inventory.ts

@@ -11,6 +11,7 @@ class InventoryBuilder {
   hosts: { [key: string]: any };
   gateways: any;
   connections: string[];
+  all_subnets: any;
 
   async load(sheetName) {
     const data = await fs.promises.readFile(path.join('data', `内网互联计划 - ${sheetName}.csv`));
@@ -22,6 +23,17 @@ class InventoryBuilder {
     this.hosts = _.keyBy(await this.load('nextgen links'), 'name');
     this.gateways = _.mapValues(_.groupBy(await this.load('gateways'), 'name'), g => _.keyBy(g, 'isp'));
     this.connections = _.intersection(Object.keys(this.hosts), Object.keys(_.find(this.hosts)));
+    this.all_subnets = ["10.199.0.0/16", "10.200.0.0/15"];
+    for (const h in this.hosts) { 
+      const host = this.hosts[h]
+      for (const c of host.subnets.split(",")) { 
+        if (!c.length) { 
+          continue;
+        }
+        this.all_subnets.push(c);
+      }
+    }
+
     for (const host of Object.values(this.hosts)) {
       host.wgPublickey = await this.wgPublickey(host.wgPrivateKey);
     }
@@ -62,9 +74,11 @@ class InventoryBuilder {
       key: host.wgPrivateKey,
       frpsPort: host.frpsPort,
       frpToken: host.frpToken,
-      gateways: _.mapValues(this.gateways[host.name], gw => _.pick(gw, ['mark_gateway'])),
+      //gateways: _.mapValues(this.gateways[host.name], gw => _.pick(gw, ['mark_gateway'])),
+      gateways: _.values(this.gateways[host.name]),
       connections,
-      lan_interfaces
+      lan_interfaces,
+      all_subnets: JSON.parse(JSON.stringify(this.all_subnets))
     };
   }