Network-routing

roles/network-routing/README.md

@@ -0,0 +1,39 @@
+# Ansible role network-routing
+
+Diese Ansible role konfiguriert System Einstellung bzgl. IP Routing.
+
+- konfiguriert statische Routen (systemd Unit)
+  - Mesh Routen für die Routing Tabelle `mwu`
+  - Blackhole Routes für die Routing Tabellen `internet` + `main`
+- konfiguriert IP rules (systemd Unit)
+- konfiguriert sysctl Parameter
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+
+```
+meshes:
+  - id: xx
+...
+    site_name:
+    ipv4_network:
+    ipv6_ula:
+    ipv6_public:
+```
+
+- Listen `sysctl_settings_routing_basic` und `sysctl_settings_routing_gateway` (Rollen-Variablen)
+
+```
+sysctl_settings_routing_(basic|gateway):
+  - name:       # sysctl-Parameter
+    value:      # zu setzender Wert
+...
+```
+- Host Variable `ffrl_public_ipv4_nat` # Format ip-adresse/prefix
+
+- Host Dictionary `ffrl_exit_server`
+
+- Host Variable `magic`
+
+- Host Variable `server_type`

roles/network-routing/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: restart systemd unit ffmwu-static-routes
+  systemd:
+    name: ffmwu-static-routes
+    state: restarted
+
+- name: restart systemd unit ffmwu-ip-rules
+  systemd:
+    name: ffmwu-ip-rules
+    state: restarted

roles/network-routing/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - wireguard

roles/network-routing/tasks/main.yml

@@ -0,0 +1,69 @@
+---
+- name: write systemd unit ffmwu-static-routes.service
+  template:
+    src: ffmwu-static-routes.service.j2
+    dest: /etc/systemd/system/ffmwu-static-routes.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload systemd
+
+- name: write static route scripts
+  template:
+    src: "{{ item }}.j2"
+    dest: "/usr/local/bin/{{ item }}"
+    owner: root
+    group: root
+    mode: 0750
+  loop:
+    - ffmwu-add-static-routes.sh
+    - ffmwu-del-static-routes.sh
+  notify: restart systemd unit ffmwu-static-routes
+
+- name: enable systemd unit ffmwu-static-routes.service
+  systemd:
+    name: ffmwu-static-routes
+    enabled: yes
+    state: started
+
+- name: write systemd unit ffmwu-ip-rules.service
+  template:
+    src: ffmwu-ip-rules.service.j2
+    dest: /etc/systemd/system/ffmwu-ip-rules.service
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload systemd
+
+- name: write ip rule scripts
+  template:
+    src: "{{ item }}.j2"
+    dest: "/usr/local/bin/{{ item }}"
+    owner: root
+    group: root
+    mode: 0750
+  loop:
+    - ffmwu-add-ip-rules.sh
+    - ffmwu-del-ip-rules.sh
+  notify: restart systemd unit ffmwu-ip-rules
+
+- name: enable systemd unit ffmwu-ip-rules.service
+  systemd:
+    name: ffmwu-ip-rules
+    enabled: yes
+    state: started
+
+- name: set basic sysctl settings for routing
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+  loop: "{{ sysctl_settings_routing_basic }}"
+
+- name: set sysctl settings for ip forwarding
+  when: server_type == "gateway" or server_type == "service" or server_type == "monitoring"
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+  loop: "{{ sysctl_settings_routing_forwarding }}"

roles/network-routing/templates/ffmwu-add-ip-rules.sh.j2

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% if server_type == 'gateway' or server_type == 'monitoring' %}
+{% for mesh in meshes %}
+ip -4 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
+ip -6 rule add from all oif {{ mesh.id }}br lookup mwu priority 7
+{% endfor %}
+{% endif %}
+{% for network in my_wireguard_networks %}
+ip -4 rule add from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -6 rule add from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -4 rule add from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -6 rule add from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule add from {{ prefix.ipv4 }} lookup mwu priority 7
+ip -4 rule add to {{ prefix.ipv4 }} lookup mwu priority 7
+ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7
+ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule add from {{ prefix.ipv6 }} lookup mwu priority 7
+ip -6 rule add to {{ prefix.ipv6 }} lookup mwu priority 7
+{% endfor %}
+
+{% if server_type == 'gateway' %}
+# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
+ip -6 rule add from all oif {{ mesh.id }}br lookup icvpn priority 23
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule add from {{ prefix.ipv4 }} lookup icvpn priority 23
+ip -4 rule add to {{ prefix.ipv4 }} lookup icvpn priority 23
+ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23
+ip -6 rule add to {{ prefix.ipv6 }} lookup icvpn priority 23
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule add from {{ prefix.ipv6 }} lookup icvpn priority 23
+ip -6 rule add to {{ prefix.ipv6 }} lookup icvpn priority 23
+{% endfor %}
+ip -4 rule add from all oif icvpn lookup icvpn priority 23
+ip -6 rule add from all oif icvpn lookup icvpn priority 23
+
+# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -6 rule add from all oif {{ mesh.id }}br lookup internet priority 41
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule add from {{ prefix.ipv4 }} lookup internet priority 41
+ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41
+ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule add from {{ prefix.ipv6 }} lookup internet priority 41
+ip -6 rule add to {{ prefix.ipv6 }} lookup internet priority 41
+{% endfor %}
+ip -4 rule add from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
+ip -4 rule add to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
+
+# Priority 61 - at this point this is the end of policy routing for freifunk related routes
+{% for mesh in meshes %}
+ip -4 rule add from all iif {{ mesh.id }}br type unreachable priority 61
+ip -6 rule add from all iif {{ mesh.id }}br type unreachable priority 61
+{% endfor %}
+ip -4 rule add from all iif icvpn type unreachable priority 61
+ip -4 rule add from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
+{% for server_id, server_value in ffrl_exit_server.items() %}
+ip -4 rule add from all iif {{ server_id }} type unreachable priority 61
+ip -6 rule add from all iif {{ server_id }} type unreachable priority 61
+{% endfor %}
+ip -6 rule add from all iif icvpn type unreachable priority 61
+ip -6 rule add from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
+{% for prefix in public_prefixes %}
+ip -6 rule add from {{ prefix.ipv6 }} type unreachable priority 61
+ip -6 rule add to {{ prefix.ipv6 }} type unreachable priority 61
+{% endfor %}
+
+# Priority 107 - lookup policies for the gateway host self originating traffic
+ip -4 rule add from all lookup mwu priority 107
+ip -4 rule add from all lookup icvpn priority 107
+ip -6 rule add from all lookup mwu priority 107
+ip -6 rule add from all lookup icvpn priority 107
+{% endif %}
+
+exit 0

roles/network-routing/templates/ffmwu-add-static-routes.sh.j2

@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+{% for network in my_wireguard_networks %}
+{% if magic < network.remote_magic %}
+/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('address') }} table mwu
+{% else %}
+/sbin/ip -4 route add {{ network.ipv4 | ipaddr('network/prefix') }} dev wg-{{ network.remote[:11] }} scope link src {{ network.ipv4 | ipaddr('1') | ipaddr('address') }} table mwu
+{% endif %}
+{% endfor %}
+{% if server_type == 'gateway' or server_type == 'monitoring' %}
+{% for mesh in meshes %}
+# static {{ mesh.domain_name }} routes for rt_table mwu
+/sbin/ip -4 route add {{ mesh.ipv4_network }} proto static dev {{ mesh.id }}br table mwu
+{% for ula in mesh.ipv6_ula %}
+/sbin/ip -6 route add {{ ula | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
+{% endfor %}
+{% for public in mesh.ipv6_public %}
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
+{% endfor %}
+{% if mesh_gw_prefixes is defined %}
+{% for public in mesh_gw_prefixes[mesh.id].ipv6_public %}
+/sbin/ip -6 route add {{ public | ipaddr('net') | ipsubnet(64, 0) | ipaddr('subnet') }} proto static dev {{ mesh.id }}br table mwu
+{% endfor %}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if server_type == 'gateway' %}
+# static blackhole routes for rt_table internet
+/sbin/ip -4 route add blackhole 0.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 10.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 100.64.0.0/10 table internet
+/sbin/ip -4 route add blackhole 127.0.0.0/8 table internet
+/sbin/ip -4 route add blackhole 169.254.0.0/16 table internet
+/sbin/ip -4 route add blackhole 172.16.0.0/12 table internet
+/sbin/ip -4 route add blackhole 192.0.0.0/24 table internet
+/sbin/ip -4 route add blackhole 192.0.2.0/24 table internet
+/sbin/ip -4 route add blackhole 192.88.99.0/24 table internet
+/sbin/ip -4 route add blackhole 192.168.0.0/16 table internet
+/sbin/ip -4 route add blackhole 198.18.0.0/15 table internet
+/sbin/ip -4 route add blackhole 198.51.100.0/24 table internet
+/sbin/ip -4 route add blackhole 203.0.113.0/24 table internet
+/sbin/ip -4 route add blackhole 224.0.0.0/4 table internet
+/sbin/ip -4 route add blackhole 240.0.0.0/4 table internet
+/sbin/ip -4 route add blackhole 255.255.255.255/32 table internet
+/sbin/ip -6 route add blackhole fec0::/10 table internet
+/sbin/ip -6 route add blackhole fc00::/7 table internet
+/sbin/ip -6 route add blackhole ff00::/8 table internet
+/sbin/ip -6 route add blackhole ::/96 table internet
+/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table internet
+
+# static blackhole routes for rt_table main
+/sbin/ip -4 route add blackhole 0.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 10.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 100.64.0.0/10 table main
+/sbin/ip -4 route add blackhole 127.0.0.0/8 table main
+/sbin/ip -4 route add blackhole 169.254.0.0/16 table main
+/sbin/ip -4 route add blackhole 172.16.0.0/12 table main
+/sbin/ip -4 route add blackhole 192.0.0.0/24 table main
+/sbin/ip -4 route add blackhole 192.0.2.0/24 table main
+/sbin/ip -4 route add blackhole 192.88.99.0/24 table main
+/sbin/ip -4 route add blackhole 192.168.0.0/16 table main
+/sbin/ip -4 route add blackhole 198.18.0.0/15 table main
+/sbin/ip -4 route add blackhole 198.51.100.0/24 table main
+/sbin/ip -4 route add blackhole 203.0.113.0/24 table main
+/sbin/ip -4 route add blackhole 224.0.0.0/4 table main
+/sbin/ip -4 route add blackhole 240.0.0.0/4 table main
+/sbin/ip -4 route add blackhole 255.255.255.255/32 table main
+/sbin/ip -6 route add blackhole fec0::/10 table main
+/sbin/ip -6 route add blackhole fc00::/7 table main
+/sbin/ip -6 route add blackhole ff00::/8 table main
+/sbin/ip -6 route add blackhole ::/96 table main
+/sbin/ip -6 route add blackhole 0:0:0:0:0:ffff::/96 table main
+/sbin/ip -6 route add blackhole ::/0 table main
+{% endif %}

roles/network-routing/templates/ffmwu-del-ip-rules.sh.j2

@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# {{ ansible_managed }}
+#
+
+# Priority 7 - lookup rt_table mwu for all incoming traffic of freifunk related interfaces
+{% if server_type == 'gateway' or server_type == 'monitoring' %}
+{% for mesh in meshes %}
+ip -4 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
+ip -6 rule del from all oif {{ mesh.id }}br lookup mwu priority 7
+{% endfor %}
+{% endif %}
+{% for network in my_wireguard_networks %}
+ip -4 rule del from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -6 rule del from all iif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -4 rule del from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7
+ip -6 rule del from all oif wg-{{ network.remote[:11] }} lookup mwu priority 7
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule del from {{ prefix.ipv4 }} lookup mwu priority 7
+ip -4 rule del to {{ prefix.ipv4 }} lookup mwu priority 7
+ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7
+ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule del from {{ prefix.ipv6 }} lookup mwu priority 7
+ip -6 rule del to {{ prefix.ipv6 }} lookup mwu priority 7
+{% endfor %}
+
+{% if server_type == 'gateway' %}
+# Priority 23 - lookup rt_table icvpn for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -4 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
+ip -6 rule del from all oif {{ mesh.id }}br lookup icvpn priority 23
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule del from {{ prefix.ipv4 }} lookup icvpn priority 23
+ip -4 rule del to {{ prefix.ipv4 }} lookup icvpn priority 23
+ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23
+ip -6 rule del to {{ prefix.ipv6 }} lookup icvpn priority 23
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule del from {{ prefix.ipv6 }} lookup icvpn priority 23
+ip -6 rule del to {{ prefix.ipv6 }} lookup icvpn priority 23
+{% endfor %}
+ip -4 rule del from all oif icvpn lookup icvpn priority 23
+ip -6 rule del from all oif icvpn lookup icvpn priority 23
+
+# Priority 41 - lookup rt_table internet for all incoming traffic of freifunk bridges
+{% for mesh in meshes %}
+ip -6 rule del from all oif {{ mesh.id }}br lookup internet priority 41
+{% endfor %}
+{% for prefix in internal_prefixes %}
+ip -4 rule del from {{ prefix.ipv4 }} lookup internet priority 41
+ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41
+ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41
+{% endfor %}
+{% for prefix in public_prefixes %}
+ip -6 rule del from {{ prefix.ipv6 }} lookup internet priority 41
+ip -6 rule del to {{ prefix.ipv6 }} lookup internet priority 41
+{% endfor %}
+ip -4 rule del from {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
+ip -4 rule del to {{ ffrl_public_ipv4_nat | ipaddr('host') }} lookup internet priority 41
+
+# Priority 61 - at this point this is the end of policy routing for freifunk related routes
+{% for mesh in meshes %}
+ip -4 rule del from all iif {{ mesh.id }}br type unreachable priority 61
+ip -6 rule del from all iif {{ mesh.id }}br type unreachable priority 61
+{% endfor %}
+ip -4 rule del from all iif icvpn type unreachable priority 61
+ip -4 rule del from all iif {{ ansible_default_ipv4.interface }} type unreachable priority 61
+{% for server_id, server_value in ffrl_exit_server.items() %}
+ip -4 rule del from all iif {{ server_id }} type unreachable priority 61
+ip -6 rule del from all iif {{ server_id }} type unreachable priority 61
+{% endfor %}
+ip -6 rule del from all iif icvpn type unreachable priority 61
+ip -6 rule del from all iif {{ ansible_default_ipv6.interface }} type unreachable priority 61
+{% for prefix in public_prefixes %}
+ip -6 rule del from {{ prefix.ipv6 }} type unreachable priority 61
+ip -6 rule del to {{ prefix.ipv6 }} type unreachable priority 61
+{% endfor %}
+
+# Priority 107 - lookup policies for the gateway host self originating traffic
+ip -4 rule del from all lookup mwu priority 107
+ip -4 rule del from all lookup icvpn priority 107
+ip -6 rule del from all lookup mwu priority 107
+ip -6 rule del from all lookup icvpn priority 107
+{% endif %}
+
+exit 0