migrate oc mtu

b8b6a2da · nanahira · a31132c4 · b8b6a2da · b8b6a2da · b8b6a2da
Commit b8b6a2da authored Apr 03, 2022 by nanahira
6 changed files
--- a/ansible/migrate-oc-mtu.yaml
+++ b/ansible/migrate-oc-mtu.yaml
+---
+- hosts: wg
+  tasks:
+    - name: prepare
+      import_tasks: ./tasks/prepare.yaml
+    - name: post scripts
+      template:
+        src: scripts/{{item}}.sh.j2
+        dest: '{{ansible_user_dir}}/nextgen-network/scripts/{{item}}.sh'
+        mode: a+x
+      with_items:
+        - predown
+        - utility
+    - name: 'update oc things'
+      include_tasks: 'protocols/{{item.protocol}}/configure.yaml'
+      vars:
+        conn: '{{item}}'
+      with_items: '{{ connections }}'
+      when: "not noUpdateLinks and item.protocol == 'oc' and not item.noUpdate"
+    - name: start services
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        remove_orphans: true
+        # pull: true
+      when: not noBird
+    - name: restart_openconnect
+      docker_compose:
+        project_src: '{{ansible_user_dir}}/nextgen-network/services'
+        restarted: true
+        services: '{{ocRestarts}}'
+      when: ocRestarts
--- a/ansible/protocols/oc/ocserv-user-env.j2
+++ b/ansible/protocols/oc/ocserv-user-env.j2
@@ -9,7 +9,7 @@ export localRubbishAddress=10.199.{{id}}.1
 export remoteNextMark={{conn.remoteNextMark}}
 export inbound={{conn.inbound}}
 export outbound={{conn.outbound}}
-export mtu={{conn.mtu|int - 58}}
+export mtu={{conn.mtu|int - 66}}
 {% if conn.inbound %}
 export metric={{conn.metric}}
 {% else %}

--- a/ansible/protocols/oc/openconnect-post-scripts/disconnect.sh.j2
+++ b/ansible/protocols/oc/openconnect-post-scripts/disconnect.sh.j2
 #!/bin/bash
-dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 66}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh

 true
--- a/ansible/protocols/oc/openconnect-post-scripts/post-connect.sh.j2
+++ b/ansible/protocols/oc/openconnect-post-scripts/post-connect.sh.j2
 #!/bin/bash
 # Force reload at 12.23

-dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
-dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 58}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 66}} {{ansible_user_dir}}/nextgen-network/scripts/predown.sh
+dev="$TUNDEV" localPeerAddress={{conn.localPeerAddress}} remotePeerAddress={{conn.remotePeerAddress}} localPeerAddress6={{conn.localPeerAddress6}} remotePeerAddress6={{conn.remotePeerAddress6}} remoteNextMark={{conn.remoteNextMark}} inbound={{conn.inbound}} outbound={{conn.outbound}} mtu={{conn.mtu|int - 66}} {{ansible_user_dir}}/nextgen-network/scripts/postup.sh

 true
--- a/ansible/scripts/predown.sh.j2
+++ b/ansible/scripts/predown.sh.j2
@@ -9,10 +9,8 @@ fi
 #    mtu=$(cat /sys/class/net/"$dev"/mtu)
 #fi

-mss=$((mtu - 40))
-
-$IPTABLES_EXEC -t mangle -D FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
-$IPTABLES_EXEC -t mangle -D FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+_search_and_remove mangle "-A FORWARD -o $dev -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss" 
+_search_and_remove mangle "-A FORWARD -i $dev -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss"

 if [ "$inbound" == True ] ; then
  interface_origin -D "$dev" "$remoteNextMark"

--- a/ansible/scripts/utility.sh.j2
+++ b/ansible/scripts/utility.sh.j2
@@ -86,3 +86,7 @@ interface_switch_redirect() {
  $IPTABLES_EXEC -t nat "$OPTION" NEXTGEN_SWITCH -m mark --mark $MARK -i mc+ -m set --match-set mycard src -m set ! --match-set mycard dst -p tcp -m multiport --dports $REDIR_TARGET_PORTS -m multiport ! --dports {{allRedirectServerPorts}} -j DNAT --to-destination {{address}}:$REDIR_SERVER_PORT
  $IPTABLES_EXEC -t nat "$OPTION" NEXTGEN_SWITCH -m mark --mark $MARK -i ocs+ -m set --match-set mycard src -m set ! --match-set mycard dst -p tcp -m multiport --dports $REDIR_TARGET_PORTS -m multiport ! --dports {{allRedirectServerPorts}} -j DNAT --to-destination {{address}}:$REDIR_SERVER_PORT
 }
+
+_search_and_remove() {
+  $IPTABLES_EXEC-save | grep -- "$2" | sed 's/^-A/-D/g' | xargs -I '{}' bash -c "$IPTABLES_EXEC -t $1 {}"
+}