ensure ipset and iptables chain

ef4a146f · nanahira · 95417936 · ef4a146f · ef4a146f
Commit ef4a146f authored Mar 26, 2021 by nanahira
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 12 deletions

ansible/scripts/global-postup.sh.j2 ansible/scripts/global-postup.sh.j2 +10 -12

ansible/scripts/utility.sh.j2 ansible/scripts/utility.sh.j2 +11 -0

No files found.
--- a/ansible/scripts/global-postup.sh.j2
+++ b/ansible/scripts/global-postup.sh.j2
@@ -5,9 +5,7 @@ source {{ansible_user_dir}}/nextgen-network/scripts/utility.sh
 echo "running" > /tmp/mycard_global_postup_done
 # ipset
-{% for list in routeListNames %}
+ensure_ipset_and_chain
-ipset restore -f {{ansible_user_dir}}/nextgen-network/ipsets/{{list}}.ipset || true
-{% endfor %}
 # ip rule
 ipset create localnet hash:net maxelem 1000000 || true
@@ -18,23 +16,23 @@ ip rule add pref 81 to {{subnet}} lookup main || true
 # MASQ interfaces
 {% for interface in masqInterfaces %}
-iptables -t nat -A POSTROUTING -m set --match-set mycard src -m set ! --match-set mycard dst -o {{interface.name}} -j MASQUERADE
+$IPTABLES_EXEC -t nat -A POSTROUTING -m set --match-set mycard src -m set ! --match-set mycard dst -o {{interface.name}} -j MASQUERADE
 {% endfor %}
 # chain for wg origin
-iptables -t mangle -N NEXTGEN_ORIGIN
+# $IPTABLES_EXEC -t mangle -N NEXTGEN_ORIGIN
-iptables -t mangle -I PREROUTING -m mark --mark 0x0 ! -p ospf -j NEXTGEN_ORIGIN
+$IPTABLES_EXEC -t mangle -I PREROUTING -m mark --mark 0x0 ! -p ospf -j NEXTGEN_ORIGIN
 {% for interface in masqInterfaces %}
-iptables -t mangle -A NEXTGEN_ORIGIN -i {{interface.name}} ! -p ospf -m set ! --match-set mycard src -j CONNMARK --set-xmark {{interface.mark}}
+$IPTABLES_EXEC -t mangle -A NEXTGEN_ORIGIN -i {{interface.name}} ! -p ospf -m set ! --match-set mycard src -j CONNMARK --set-xmark {{interface.mark}}
-iptables -t mangle -A NEXTGEN_ORIGIN -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+$IPTABLES_EXEC -t mangle -A NEXTGEN_ORIGIN -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-iptables -t mangle -A OUTPUT -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
+$IPTABLES_EXEC -t mangle -A OUTPUT -m connmark --mark {{interface.mark}} -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
 # TODO: ip rule
 # ip rule add pref 300 fwmark {{interface.mark}} lookup {{interface.mark}}
 {% endfor %}
-iptables -t mangle -N NEXTGEN_SWITCH
+# $IPTABLES_EXEC -t mangle -N NEXTGEN_SWITCH
-iptables -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard dst -j NEXTGEN_SWITCH
+$IPTABLES_EXEC -t mangle -A PREROUTING -m mark --mark 0x0 ! -p ospf -m set ! --match-set mycard dst -j NEXTGEN_SWITCH
-iptables -t mangle -I OUTPUT -m mark ! --mark 0 -j RETURN
+$IPTABLES_EXEC -t mangle -I OUTPUT -m mark ! --mark 0 -j RETURN
 # switch rules
 {{ansible_user_dir}}/nextgen-network/scripts/switch-rules-up.sh

--- a/ansible/scripts/utility.sh.j2
+++ b/ansible/scripts/utility.sh.j2
@@ -10,6 +10,16 @@ wait_lock() {
  done
 }
+ensure_ipset_and_chain() {
+{% for list in routeListNames %}
+  ipset restore -f {{ansible_user_dir}}/nextgen-network/ipsets/{{list}}.ipset || true
+{% endfor %}
+  $IPTABLES_EXEC -t mangle -N NEXTGEN_ORIGIN
+  $IPTABLES_EXEC -t mangle -N NEXTGEN_SWITCH
+  true
+}
 restore_mark_origin() {
  OPTION=$1
  MARK=$2
@@ -26,6 +36,7 @@ restore_mark_switch() {
 interface_origin() {
+  ensure_ipset_and_chain
  OPTION=$1
  INTERFACE=$2
  MARK=$3