temp ladder plan

e2a5300c · nanahira · 3ce036e7 · e2a5300c · e2a5300c · e2a5300c
Commit e2a5300c authored Mar 24, 2020 by nanahira
7 changed files
--- a/ansible/bird.conf.bak
+++ b/ansible/bird.conf.bak
+log syslog all;
+router id {{address}};
+
+protocol device {
+}
+protocol direct {
+  disabled;
+  ipv4;
+  ipv6;
+}
+
+protocol direct {
+  ipv4 {
+    import all;
+  };
+  ipv6;
+}
+
+protocol kernel {
+  ipv4 {
+    export all;
+  };
+  kernel table 300;
+}
+protocol kernel {
+  ipv6 { export all; };
+}
+
+{% for connection in connections %}
+{% if connection.protocol != "null" and connection.remoteLocalAddress != address %}
+ipv4 table {{connection.name.replace("-", "_")}};
+protocol static {
+  ipv4 {
+    table {{connection.name.replace("-", "_")}};
+  };
+  igp table master4;
+  route 0.0.0.0/0 recursive {{connection.remoteLocalAddress}};
+}
+protocol kernel {
+  ipv4 {
+    table {{connection.name.replace("-", "_")}};
+    export all;
+  };
+  kernel table {{connection.remoteMark}};
+}
+{% endif %}
+{% endfor %}
+
+
+{% for plan in route_plans %}
+ipv4 table {{plan.name}};
+{% for net in route_lists[plan.list] %}
+protocol static {
+  ipv4 {
+    table {{plan.name}};
+  };
+  igp table master4;
+  route {{net}} recursive {{plan.gatewayAddress}};
+}
+{% endfor %}
+protocol kernel {
+  ipv4 {
+    table {{plan.name}};
+    export all;
+  };
+  kernel table {{plan.table}};
+}
+{% endfor %}
+
+protocol ospf v2 {
+  ipv4 {
+    import all;
+    export where source ~ [ RTS_DEVICE, RTS_STATIC ];
+  };
+  area 0 {
+    networks {
+      10.0.0.0/8;
+    };
+#		interface "eth*" {
+#			type broadcast;		# Detected by default
+#			cost 10;		# Interface metric
+#			hello 5;		# Default hello perid 10 is too long
+#		};
+{% for connection in connections %}
+{% if connection.protocol != "null" and connection.remoteLocalAddress != address %}
+    interface "{{connection.name}}" {
+      type ptp;
+{% if connection.outbound %}
+      cost {{connection.metric}};
+{% else %}
+      cost 50000;
+{% endif %}
+      hello 5;
+    };
+{% endif %}
+{% endfor %}
+
+{% for interface in lan_interfaces %}
+    interface "{{interface}}" {
+      type broadcast;
+      cost 1;
+      hello 5;
+    };
+{% endfor %}
+
+    interface "dummy0" {
+      stub;			# Stub interface, just propagate it
+    };
+  };
+}
--- a/ansible/bird.conf.j2
+++ b/ansible/bird.conf.j2
@@ -39,34 +39,13 @@ protocol static {
 protocol kernel {
  ipv4 {
    table {{connection.name.replace("-", "_")}};
-     export all;
+    export all;
  };
  kernel table {{connection.remoteMark}};
 }
 {% endif %}
 {% endfor %}

-
-{% for plan in route_tables %}
-ipv4 table {{plan.name}};
-{% for net in plan.list %}
-protocol static {
-  ipv4 {
-    table {{plan.name}};
-  };
-  igp table master4;
-  route {{net}} recursive {{plan.gatewayAddress}};
-}
-{% endfor %}
-protocol kernel {
-  ipv4 {
-    table {{plan.name}};
-    export all;
-  };
-  kernel table {{plan.table}};
-}
-{% endfor %}
-
 protocol ospf v2 {
  ipv4 {
    import all;

--- a/ansible/configure.yaml
+++ b/ansible/configure.yaml
@@ -12,6 +12,11 @@
        - predown
        - global-postup
        - global-postdown
+    - name: ipset files
+      template:
+        src: scripts/ipset.j2
+        dest: '/etc/wireguard/{{item}}.ipset'
+      with_items: '{{route_list_names}}'
 # 为了提高测试时候的性能，不改动wg的时候注释掉这段
    #- name: 'clean up null connections first'
    #  include_tasks: 'protocols/{{item.protocol}}/configure.yaml'

--- a/ansible/scripts/global-postdown.sh.j2
+++ b/ansible/scripts/global-postdown.sh.j2
 #!/usr/bin/env bash
+# 针对网关设置mark
+{% for gateway in gateways %}

-# ipset
-ipset destroy mycard
+{% if gateway.dev_or_via != "" %}

-{% for gateway in gateways %}
-{% if gateway.route_tail != "" %}
-ip route del default {{gateway.route_tail}} table {{gateway.mark}}
+{% if gateway.isTun %}
+DEV={{gateway.dev_or_via}}
+IPTABLES_MARK_CONDITION="-i $DEV"
+ip route del default dev $DEV table {{gateway.mark}}
+{% else %}
+ping {{gateway.dev_or_via}} -c -
+NEIGH_LINE=$(ip neigh show {{gateway.dev_or_via}})
+DEV=$(echo $NEIGH_LINE | awk '{print $3}')
+MAC=$(echo $NEIGH_LINE | awk '{print $5}')
+IPTABLES_MARK_CONDITION="-i $DEV -m mac --mac-source $MAC"
+ip route del default via {{gateway.dev_or_via}} dev $DEV table {{gateway.mark}}
 {% endif %}
-{% if gateway.route_tail != "" or gateway.isp == "tr069" %}
-ip rule del pref 301 fwmark {{gateway.mark}} lookup {{gateway.mark}}
+
+bash -c "iptables -t mangle -D PREROUTING $IPTABLES_MARK_CONDITION -m set ! --match-set mycard src -j CONNMARK --set-xmark {{gateway.mark}} ; iptables -t mangle -D PREROUTING -m connmark --mark {{gateway.mark}} -j CONNMARK --restore-mark ; iptables -t mangle -D OUTPUT -m connmark --mark {{gateway.mark}} -j CONNMARK --restore-mark"
+
 {% endif %}
+
+{% endfor %}
+
+# 临时梯子
+iptables -t mangle -D PREROUTING -m set --match-set ladder_needed src -m set --match-set gfwiplist dst -j MARK --set-xmark 812/0xffffffff
+
+# ipset
+{% for list in route_list_names %}
+ipset destroy {{list}}
 {% endfor %}

 exit 0
--- a/ansible/scripts/global-postup.sh.j2
+++ b/ansible/scripts/global-postup.sh.j2
 #!/usr/bin/env bash

 # ipset
-ipset create mycard hash:net family inet
-{% for subnet in all_subnets %}
-ipset add mycard {{subnet}}
+{% for list in route_list_names %}
+ipset restore -f /etc/wireguard/{{list}}.ipset
 {% endfor %}

 # 针对网关设置mark
 {% for gateway in gateways %}
-{% if gateway.route_tail != "" %}
-ip route add default {{gateway.route_tail}} table {{gateway.mark}}
+
+{% if gateway.dev_or_via != "" %}
+
+{% if gateway.isTun %}
+DEV={{gateway.dev_or_via}}
+IPTABLES_MARK_CONDITION="-i $DEV"
+ip route add default dev $DEV table {{gateway.mark}}
+{% else %}
+ping {{gateway.dev_or_via}} -c 1
+NEIGH_LINE=$(ip neigh show {{gateway.dev_or_via}})
+DEV=$(echo $NEIGH_LINE | awk '{print $3}')
+MAC=$(echo $NEIGH_LINE | awk '{print $5}')
+IPTABLES_MARK_CONDITION="-i $DEV -m mac --mac-source $MAC"
+ip route add default via {{gateway.dev_or_via}} dev $DEV table {{gateway.mark}}
 {% endif %}
-{% if gateway.route_tail != "" or gateway.isp == "tr069" %}
-ip rule add pref 301 fwmark {{gateway.mark}} lookup {{gateway.mark}}
+
+bash -c "iptables -t mangle -A PREROUTING $IPTABLES_MARK_CONDITION -m set ! --match-set mycard src -j CONNMARK --set-xmark {{gateway.mark}} ; iptables -t mangle -A PREROUTING -m connmark --mark {{gateway.mark}} -j CONNMARK --restore-mark ; iptables -t mangle -A OUTPUT -m connmark --mark {{gateway.mark}} -j CONNMARK --restore-mark"
+
 {% endif %}
+
+ip rule add pref 301 fwmark {{gateway.mark}} lookup {{gateway.mark}}
+
 {% endfor %}

+# 临时梯子
+iptables -t mangle -A PREROUTING -m set --match-set ladder_needed src -m set --match-set gfwiplist dst -j MARK --set-xmark 812/0xffffffff
+
 exit 0
--- a/ansible/scripts/ipset.j2
+++ b/ansible/scripts/ipset.j2
+create {{item}} hash:net family inet
+{% for subnet in route_lists[item] %}
+add {{item}} {{subnet}}
+{% endfor %}
--- a/src/inventory.ts
+++ b/src/inventory.ts
@@ -11,7 +11,7 @@ class InventoryBuilder {
  hosts: { [key: string]: any };
  gateways: any;
  connections: string[];
-  all_subnets: any;
+  route_lists: any;

  async load(sheetName) {
    const data = await fs.promises.readFile(path.join('data', `内网互联计划 - ${sheetName}.csv`));
@@ -19,20 +19,21 @@ class InventoryBuilder {
    return (await util.promisify(parse)(data, { columns: true, cast: true })).filter(h => h.id);
  }

+  async loadGateways() { 
+    let gateways = await this.load('gateways');
+    for (let gateway of gateways) { 
+      if (!gateway.dev_or_via.length)
+        continue;
+      gateway.isTun = !gateway.dev_or_via.match(/^(\d{1,3}\.){1,3}\d{1,3}$/);
+    }
+    return gateways;
+  }
+
  async main() {
    this.hosts = _.keyBy(await this.load('nextgen links'), 'name');
-    this.gateways = _.mapValues(_.groupBy(await this.load('gateways'), 'name'), g => _.keyBy(g, 'isp'));
+    this.gateways = _.mapValues(_.groupBy(await this.loadGateways(), 'name'), g => _.keyBy(g, 'isp'));
+    //console.log(this.gateways);
    this.connections = _.intersection(Object.keys(this.hosts), Object.keys(_.find(this.hosts)));
-    this.all_subnets = ["10.199.0.0/16", "10.200.0.0/15"];
-    for (const h in this.hosts) { 
-      const host = this.hosts[h]
-      for (const c of host.subnets.split(",")) { 
-        if (!c.length) { 
-          continue;
-        }
-        this.all_subnets.push(c);
-      }
-    }

    for (const host of Object.values(this.hosts)) {
      host.wgPublickey = await this.wgPublickey(host.wgPrivateKey);
@@ -47,16 +48,30 @@ class InventoryBuilder {

  async loadUtilities(hosts) { 
    const raw_utility = _.keyBy(await this.load('configurations'), 'key');
-    let route_tables = await this.load('route tables')
-    const route_lists = YAML.parse(fs.readFileSync(path.join('lists', 'result.yaml'), "utf8"));
-    for (let plan of route_tables) { 
+    let route_plans = await this.load('route tables');
+    this.route_lists = YAML.parse(fs.readFileSync(path.join('lists', 'result.yaml'), "utf8"));
+    for (let plan of route_plans) { 
      plan.name = plan.list + "_" + plan.gateway.replace(/-/g, "_").split(".")[0]
-      plan.list = JSON.parse(JSON.stringify(route_lists[plan.list]));
+      //plan.list = JSON.parse(JSON.stringify(this.route_lists[plan.list]));
      plan.gatewayAddress = hosts[plan.gateway].address;
    }
+    // 所有内网网段
+    this.route_lists.mycard = ["10.199.0.0/16", "10.200.0.0/15"];
+    for (const h in this.hosts) { 
+      const host = this.hosts[h]
+      for (const c of host.subnets.split(",")) { 
+        if (!c.length) { 
+          continue;
+        }
+        this.route_lists.mycard.push(c);
+      }
+    }
+    // temp user before gateways
+    this.route_lists.ladder_needed = raw_utility.ladderNeeded.value.split(",").map((m) => { return m.trim() });
    const vars = {
-      all_subnets: this.all_subnets,
-      route_tables
+      route_lists: this.route_lists,
+      route_list_names: Object.keys(this.route_lists),
+      route_plans
    };
    for (let col in raw_utility) { 
      vars[col] = raw_utility[col].value;
@@ -116,7 +131,7 @@ class InventoryBuilder {
    const localGatewayMark = localGatewayName ? localGateway.mark : undefined;
    const remoteGatewayName = (cis ? params.rif : params.lif) || params.if;
    const remoteGateway = remoteGatewayName ? this.gateways[remote.name][remoteGatewayName] : _.find(this.gateways[remote.name]);
-    const remoteGatewayMark = remoteGatewayName ? remoteGateway.mark : undefined;
+    //const remoteGatewayMark = remoteGatewayName ? remoteGateway.mark : undefined;
    //console.log(remoteGateway.name);
    const remoteAddress = remoteGateway.address;
    const remoteLocalAddress = remote.address;
@@ -139,7 +154,7 @@ class InventoryBuilder {
      protocol,
      params,
      localGatewayMark,
-      remoteGatewayMark,
+      //remoteGatewayMark,
      remoteMark,
      remoteAddress,
      remoteLocalAddress,